V100R001
Administrator Guide
Issue 04
Date 2015-07-30
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Website: http://e.huawei.com
Related Version
The following table lists the product versions related to this document.
Intended Audience
This document describes the features of the NGFW in detail and provides configuration and
troubleshooting guidance. It focuses on managing the device through the Web UI, but also
covers the CLI so that administrators can use whichever interface they prefer.
This document is intended for administrators who configure and manage the NGFW. The
administrators must have a good knowledge of Ethernet and experience in network management.
Feature Conventions
The following features may involve collecting users' communication content. Huawei itself
cannot collect or save the content of users' communications. Enable the user data-related
functions only to the extent permitted by the applicable laws and regulations on the purpose
and scope of use. You are obligated to take adequate measures to ensure that the content of
users' communications is fully protected while it is being used and stored.
• Content security features such as antivirus, IPS, file blocking, data filtering, application
behavior control, mail filtering, and URL filtering may collect users' communication
content, such as browsed websites and transmitted files. Clear unnecessary sensitive
information in a timely manner.
• Antivirus and IPS support packet capture so that packets can be analyzed for viruses or
intrusions. The captured packets may contain users' communication content. Only the
dedicated audit administrator accounts can retrieve captured packets; other administrators
do not have this permission. Keep the audit administrator account safe and clear the packet
capture history in time.
• The audit function records online behavior, including the collection or storage of browsed
web pages, BBS or microblog posts, HTTP/FTP file transfers, sent and received emails,
and IM logins and logouts. Only the dedicated audit administrator accounts can configure
audit policies and view audit logs; other administrators do not have this permission. Keep
the audit administrator account safe.
• Port mirroring and NetStream are vital to fault diagnosis and traffic statistics and analysis,
but may collect users' communication content. The product provides permission control
over these functions. Clear traffic records after fault diagnosis and traffic analysis.
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
&<1-n> The parameter before the & sign can be repeated 1 to n times.
GUI Conventions
The GUI conventions that may be found in this document are defined as follows.
Convention Description
Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.
– Added Web Example for Configuring Branches to Use Different IDs and Pre-shared Keys
to Establish IPSec VPNs with the Headquarters.
– Added reverse route injection to DSVPN. The reverse route injection function can send
the private network address of a branch or cascade headquarters in an NHRP message
to the headquarters. The headquarters analyzes the NHRP message to obtain the private
network address of the branch or cascade headquarters and adds a static route to the
private subnet. For details, see Configuring Branches Using the Web UI, Configuring
the Headquarters Using the Web UI, Configuring Cascade Headquarters Using
the Web UI, Setting Route Parameters Using the CLI, and Example for
Configuring DSVPN in the Universal Application Scenario (Using Reverse Route
Injection for Route Advertisement and Learning).
– Added the Dialer interface and the interface obtaining IP addresses through DHCP to
the local interfaces for IPSec intelligent link selection. For details, see Configuring
IPSec Intelligent Link Selection Profiles.
• Security Protection
– Supported the configuration of DDoS attack defense using the CLI. For details, see
Configuring DDoS Attack Defense Using the CLI.
– Supported the query of blacklist logs on the web UI for fault locating. For details, see
Configuring the Blacklist Using the Web UI.
• Monitoring
– Added Restrictions and Precautions of Port Mirroring.
– Supported the configuration of packet capture on the web UI based on packet directions
and categories, enriching quintuple packet capture configuration means. For details, see
Configuring Quintuple Packet Capture Using the Web UI.
– Added an OS login password check to the host check function. The NGFW checks whether
the terminal has a login password set; if not, the terminal fails the rule check. For
configuration details, see Configuring the Host Check.
– Added web UI settings for the SSL version, the cipher suite, and the timeout and lifetime
of SSL session entries. For configuration details, see Configuring SSL.
• Security Defense
– Added the ping proxy function. For configuration details, see Configuring Ping Proxy
Using the Web UI.
• Monitoring
– Supported the display of system incremental statistics. For details, see Checking System
Statistics Using the Web UI and Displaying Global System Statistics Using the CLI.
– Added the function of specifying source addresses for DNS query packets. When the
NGFW initiates a DNS request to the DNS server, the NGFW can set the source address
or port of the DNS packet to prevent the DNS server from failing to respond to the query
due to route lookup failure. For details, see DNS Configuration Using the Web UI or
Configuring DNS Proxy Using the CLI.
– Added inner-VLAN proxy ARP to enable isolated PCs or routers in one VLAN to
communicate. For details, see Configuring Inner-VLAN Proxy ARP and Example
for Configuring Inner-VLAN Proxy ARP.
• User and User Authentication
– Added the function of RADIUS SSO. The NGFW identifies and analyzes key packets
(accounting start packets, accounting update packets, and accounting end packets)
between users and the RADIUS server to obtain user authentication result and user-IP
address binding and implement access behavior control based on users, requiring no
second authentication. For details, see Configuring SSO Using the Web UI,
Configuring SSO Using the CLI, or Example for Configuring RADIUS SSO for
Internet Access Users.
– Added security group-based user authentication and management. The security groups on
AD and AD LDAP servers, and the static/dynamic groups on Sun ONE LDAP servers, are
usually used to control which users may access resources and objects such as network
shares, files, directories, and printers. The security group defined on the NGFW is a
collective name for the security groups on AD and AD LDAP servers and the static/dynamic
groups on Sun ONE LDAP servers. Security groups introduce a horizontal organizational
structure: users from different organizational units can be placed in the same security
group for management. For details, see Creating Security Groups Using the Web UI or
Creating Security Groups Using the CLI, Importing Security Groups from a CSV File
Using the Web UI or Importing Security Groups from a CSV File Using the CLI, and
Importing Users, User Groups or Security Groups from a Server Using the Web UI or
Importing Users, User Groups or Security Groups from a Server Using the CLI.
– Added the connection to Sun ONE LDAP servers. The Sun ONE LDAP server can
function as a third-party authentication server or an import server. You can import user
information on the Sun ONE LDAP server to the NGFW. For details, see Configuring
an LDAP Server Using the Web UI or Configuring an LDAP Server Using the
CLI.
– Separated the authentication server from the import server, removing the restriction that
both must be the same type of server. If the authentication server is an AD or AD LDAP
server, the import server can be an AD, AD LDAP, or Sun ONE LDAP server. If the
authentication server is a Sun ONE LDAP server, the import server can be another Sun ONE
LDAP server. For details, see Authentication Server or Example for Managing and
Authenticating Internet Access Users Through Sun ONE LDAP Server Import and AD
Server Authentication.
– Added the function of customizing the authentication page title and link and the function
of switching languages (English and Chinese) on the authentication page. For details,
see Customizing an Authentication Web Page Using the Web UI or Customizing
an Authentication Web Page Using the CLI.
– Added a new action for handling authentication conflicts. When an account is not permitted
to log in from multiple IP addresses and is found to be already logged in at another IP
address, the NGFW forcibly logs out the existing session and permits the login at the current
IP address with the same account. For details, see Setting Global Parameters Using the
Web UI or Setting Global Parameters Using the CLI.
– Added the ability to set the multi-IP login attribute for all users in a user group and its
subgroups. That is, the NGFW can permit or deny multi-IP login for the users in a user group
and its subgroups in a batch. For details, see Creating Users and User Groups Using the
Web UI or Creating Users and User Groups Using the CLI.
– The number of local users supported by the USG6650/6660/6670 and NGFW Module
is increased from 50,000 to 80,000. For details, see Specifications.
– Added the support of configuring domain group as the matching condition in an
authentication policy. For details, see Configuring an Authentication Policy Using
the Web UI or Configuring an Authentication Policy Using the CLI.
– Canceled the limitation that the AD SSO service program (ADSSO_Setup.exe) can be
installed only on the AD domain controller. In the new version, ADSSO_Setup.exe can
be installed on any PC in the AD domain, including the AD domain controller. For
details, see Configuring SSO Using the Web UI, Configuring SSO Using the CLI,
or Example for Configuring AD SSO for Internet Access Users (Plug-In Mode).
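The RADIUS SSO item above describes the NGFW learning user-to-IP bindings by watching accounting packets between the NAS and the RADIUS server. The following Python script is an added illustration of that mechanism and is not code from the guide or from the NGFW: it builds RFC 2866 Accounting-Request packets from constructed sample data (the shared secret, user names and addresses are assumed values), parses them, and maintains the binding table, adding an entry on Accounting-Start or Interim-Update and removing it on Accounting-Stop. The guide does not say whether the NGFW verifies the Request Authenticator; the verification shown here is an assumption added so that a forged accounting packet cannot evict or impersonate a logged-in user.

```python
"""Passive RADIUS accounting parser that keeps a user-to-IP binding table.
Added example, not NGFW code: it models the RADIUS SSO mechanism of watching
Accounting-Request packets (RFC 2866) between the NAS and the RADIUS server."""
import hashlib
import ipaddress
import struct

# RADIUS code and attribute types from RFC 2865 / RFC 2866
ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_ACCT_STATUS_TYPE = 40
STATUS_START, STATUS_STOP, STATUS_INTERIM = 1, 2, 3


def build_accounting_request(ident, secret, user, ip, status):
    """Build an Accounting-Request whose Request Authenticator is
    MD5(code + id + length + 16 zero bytes + attributes + secret)."""
    attrs = b""
    for atype, value in (
        (ATTR_USER_NAME, user.encode()),
        (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(ip).packed),
        (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", status)),
    ):
        attrs += struct.pack("!BB", atype, 2 + len(value)) + value
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def parse_attributes(payload):
    """Yield (type, value) pairs; refuse malformed lengths instead of looping."""
    off = 0
    while off + 2 <= len(payload):
        atype, alen = payload[off], payload[off + 1]
        if alen < 2 or off + alen > len(payload):
            raise ValueError("malformed attribute at offset %d" % off)
        yield atype, payload[off + 2:off + alen]
        off += alen


class SsoBindingTable:
    """IP -> user bindings learned from accounting traffic. When a shared secret is
    given, the Request Authenticator is verified so forged packets cannot poison the
    table (assumption: the guide does not say whether the NGFW does this)."""

    def __init__(self, secret=None):
        self.secret = secret
        self.bindings = {}

    def feed(self, packet):
        """Process one UDP payload; return (ip, user, status) or None if ignored."""
        if len(packet) < 20:
            return None
        code, _ident, length = struct.unpack("!BBH", packet[:4])
        if code != ACCOUNTING_REQUEST or length != len(packet):
            return None  # not accounting, or a truncated/padded datagram
        attrs = packet[20:]
        if self.secret is not None:
            expected = hashlib.md5(packet[:4] + b"\x00" * 16 + attrs + self.secret).digest()
            if expected != packet[4:20]:
                return None  # bad authenticator: drop (a real device would log this)
        fields = {}
        for atype, value in parse_attributes(attrs):
            if atype == ATTR_USER_NAME:
                fields["user"] = value.decode(errors="replace")
            elif atype == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
                fields["ip"] = str(ipaddress.IPv4Address(value))
            elif atype == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
                fields["status"] = struct.unpack("!I", value)[0]
        if not all(k in fields for k in ("user", "ip", "status")):
            return None
        ip, user, status = fields["ip"], fields["user"], fields["status"]
        if status in (STATUS_START, STATUS_INTERIM):
            self.bindings[ip] = user
        elif status == STATUS_STOP:
            self.bindings.pop(ip, None)
        return ip, user, status

    def user_at(self, ip):
        return self.bindings.get(ip)


def demo():
    """Start, interim, a forged Stop signed with the wrong secret, then a real Stop."""
    secret = b"constructed-shared-secret"  # assumed value, not from the guide
    table = SsoBindingTable(secret=secret)
    table.feed(build_accounting_request(1, secret, "alice", "10.1.1.23", STATUS_START))
    table.feed(build_accounting_request(2, secret, "alice", "10.1.1.23", STATUS_INTERIM))
    table.feed(build_accounting_request(3, b"wrong", "mallory", "10.1.1.23", STATUS_STOP))
    still_bound = table.user_at("10.1.1.23")  # "alice": the forgery was rejected
    table.feed(build_accounting_request(4, secret, "alice", "10.1.1.23", STATUS_STOP))
    return still_bound, table.user_at("10.1.1.23")


if __name__ == "__main__":
    print(demo())
```

Running the script prints ("alice", None): the forged Accounting-Stop is discarded because its authenticator was computed with the wrong secret, and only the genuine Stop clears the binding. A table built without the secret (SsoBindingTable()) accepts any well-formed Accounting-Request, which is why the secret is worth configuring wherever the deployment allows it.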
• Security Policy and Content Security
– Security policy: Added Example for Configuring Security Policies Based on IP
Addresses and Ports (Web) and Example for Configuring Security Policies Based
on IP Addresses and Ports (CLI).
– URL filtering: Added the configuration of domain name rules in blacklist, whitelist,
user-defined categories, and predefined categories. For details, see Configuring URL
Categories and Configuring URL Filtering.
– URL filtering: Added the configuration of URL filtering action mode to the strict or
loose mode. For details, see Configuring URL Filtering.
– File blocking: Added the configuration of the maximum number of decompression
layers and maximum file size in the global configuration of file blocking as well as the
actions in case the thresholds are exceeded. For details, see Global Configuration of
File Blocking.
– Application behavior control: Added the function of controlling the HTTP POST
operation content size. For details, see Configuring Application Behavior Control.
• Proxy Policy
Expanded the SSL decryption policies to proxy policies. Proxy policies support the
functions of the existing SSL decryption policies through policy actions and add the TCP
proxy function. For details, see Proxy Policy.
• PBR
Added the support of configuring domain group as the matching condition in a PBR rule.
For details, see Configuring PBR Using the Web UI, Configuring PBR Using the
CLI, and Example for Configuring Domain Name-Specific PBR.
• Bandwidth Management
– Added a command to set the maximum number of upstream, downstream, and all
connections. For details, see Configuring a Traffic Profile Using the CLI.
– Added the dynamic equal distribution of bandwidth for each IP address based on the
global maximum bandwidth and number of online IP addresses. For details, see
Contents
2 Getting Started.............................................................................................................................94
2.1 Overview of the Next Generation Firewall..................................................................................................................94
2.1.1 Traditional Firewall...................................................................................................................................................94
2.1.2 Next Generation Firewall..........................................................................................................................................95
2.1.3 User............................................................................................................................................................................97
2.1.4 Policy.......................................................................................................................................................................103
2.1.5 Visualized Management and Maintenance..............................................................................................................108
2.1.6 IPv6..........................................................................................................................................................................112
2.1.7 More Information....................................................................................................................................................112
2.1.7.1 Packet Transfer Process........................................................................................................................................112
2.1.7.2 CLI........................................................................................................................................................................119
2.2 Deployment Scenario.................................................................................................................................................123
2.2.1 Scenario A: Layer-3 Gateway (Routing Mode).......................................................................................................125
2.2.2 Scenario B: Layer-2 Switch (Transparent Mode)....................................................................................................126
2.2.3 Scenario C: Hot Standby.........................................................................................................................................128
2.3 Logging In to the Web UI...........................................................................................................................................130
2.4 Web UI Basics............................................................................................................................................................132
2.5 Initial Configuration of Scenario A (Layer-3 Gateway).............................................................................................136
2.5.1 Data Collection........................................................................................................................................................136
2.5.2 The Startup Wizard..................................................................................................................................................138
2.5.3 Testing the Network Connection.............................................................................................................................142
2.6 Initial Configuration of Scenario B (Layer-2 Switch)................................................................................................143
2.6.1 Obtaining Data.........................................................................................................................................................143
2.6.2 Configuring Layer-2 Interfaces and VLANs...........................................................................................................145
2.6.3 Testing the Network Connection.............................................................................................................................148
2.7 Initial Configuration of Scenario C (Hot Standby)....................................................................................................148
2.7.1 Data Collection........................................................................................................................................................148
2.7.2 Hot Standby Configuration......................................................................................................................................151
2.7.3 Verifying the Network Connection and Active/Standby Switchovers....................................................................155
2.8 Registering an Account and Activating the License File...........................................................................................156
2.9 Updating the Signature Database...............................................................................................................................157
2.10 Configuring Security Services..................................................................................................................................158
2.10.1 Determining Security Service Scenarios...............................................................................................................158
2.10.2 Configuring Security Zones...................................................................................................................................162
2.10.3 Managing Intranet Users.......................................................................................................................................163
2.10.4 Configuring a NAT Policy....................................................................................................................................167
2.10.5 Configuring a Security Policy...............................................................................................................................171
2.11 Advanced Configuration...........................................................................................................................................176
2.11.1 Configure Policy-based Routing...........................................................................................................................177
2.11.2 Configuring VPN ..................................................................................................................................................177
3 Wizard..........................................................................................................................................190
3.1 Startup Wizard............................................................................................................................................................190
4 Dashboard...................................................................................................................................196
4.1 Setting the Status Windows........................................................................................................................................196
4.2 Device Information.....................................................................................................................................................196
4.3 System Resource.........................................................................................................................................................198
4.4 System Information....................................................................................................................................................199
4.5 Traffic History............................................................................................................................................................201
4.6 License Information....................................................................................................................................................201
4.7 Alarm Information......................................................................................................................................................202
4.8 System Log List..........................................................................................................................................................202
4.9 Threat Log List...........................................................................................................................................................203
4.10 Log Storage Details..................................................................................................................................................203
4.11 Visual Management..................................................................................................................................................204
5 System..........................................................................................................................................208
5.1 Logging In to the Device for the First Time...............................................................................................................208
5.1.1 Logging In to the CLI Through the Console Port...................................................................................................208
5.1.2 Logging In to the Web UI Using HTTPS................................................................................................................212
5.2 Administrators............................................................................................................................................................214
5.2.1 Overview.................................................................................................................................................................214
5.2.1.1 Administrator Overview.......................................................................................................................................214
5.2.1.2 Administrator Interfaces Overview......................................................................................................................233
5.2.2 Configuring an Administrator Using the Web UI...................................................................................................235
5.2.2.1 (Optional) Creating an Administrator Role..........................................................................................................236
5.2.2.2 Creating an Administrator Account......................................................................................................................237
5.2.2.3 Configuring Device Services................................................................................................................................240
5.2.3 Configuring an Administrator Using the CLI..........................................................................................................242
5.2.3.1 (Optional) Creating an Administrator Role..........................................................................................................242
5.2.3.2 Creating an Administrator Account (Local Authentication)................................................................................243
5.2.3.3 Creating an Administrator Account (Server Authentication)...............................................................................245
5.2.3.4 (Optional) Configuring the Web UI.....................................................................................................................250
5.2.3.5 (Optional) Managing a CLI Administrator Interface............................................................................................252
5.2.3.6 Maintaining CLI Administrator Interfaces and Administrator Accounts.............................................................256
5.16.5.2 Automatically Upgrading System Software and Configuration File (A Configuration File Available on the
NGFW).............................................................................................................................................................................492
5.16.6 Feature History......................................................................................................................................................493
5.17 NQA..........................................................................................................................................................................493
5.17.1 Overview...............................................................................................................................................................493
5.17.1.1 Introduction to NQA...........................................................................................................................................493
5.17.1.2 NQA Server and NQA Client.............................................................................................................................494
5.17.2 Mechanism.............................................................................................................................................................495
5.17.3 Setting ICMP Test Parameters..............................................................................................................................501
5.17.4 Setting DHCP Test Parameters..............................................................................................................................503
5.17.5 Setting the FTP Download Test Parameters..........................................................................................................504
5.17.6 Setting the FTP Upload Test Parameters...............................................................................................................506
5.17.7 Setting HTTP Test Parameters..............................................................................................................................508
5.17.8 Setting the DNS Test Parameters..........................................................................................................................510
5.17.9 Setting Traceroute Test Parameters.......................................................................................................................511
5.17.10 Setting the SNMP Query Test Parameters..........................................................................................................513
5.17.11 Configuring the TCP Test....................................................................................................................................514
5.17.11.1 Configuring the TCP Server.............................................................................................................................514
5.17.11.2 Configuring the TCP Client..............................................................................................................................514
5.17.12 Configuring the UDP Test...................................................................................................................................516
5.17.12.1 Configuring the UDP Server............................................................................................................................516
5.17.12.2 Configuring the UDP Client.............................................................................................................................517
5.17.13 Configuring the Jitter Test...................................................................................................................................518
5.17.13.1 Configuring the NQA Server for the Jitter Test...............................................................................................518
5.17.13.2 Configuring the NQA Client for the Jitter Test................................................................................................519
5.17.14 Setting the Parameters for an LSP Ping Test in the LDP Tunnel........................................................................521
5.17.15 Creating an NQA Test Group..............................................................................................................................523
5.17.16 Setting General NQA Test Parameters................................................................................................................525
5.17.17 Setting Round-Trip Delay Thresholds.................................................................................................................526
5.17.18 Setting the Unidirectional Delay Threshold........................................................................................................527
5.17.19 Configuring the Trap Function............................................................................................................................528
5.17.19.1 Sending Trap Messages When Tests Failed.....................................................................................................528
5.17.19.2 Sending Trap Messages When Probes Failed...................................................................................................528
5.17.19.3 Sending Trap Messages When Probes Are Complete......................................................................................529
5.17.19.4 Sending Trap Messages When the Transmission Delay Exceeds the Threshold.............................................529
5.17.20 Maintaining NQA................................................................................................................................................529
5.17.20.1 Restarting an NQA Test Instance.....................................................................................................................529
5.17.20.2 Clearing NQA Statistics...................................................................................................................................530
5.17.20.3 Debugging NQA...............................................................................................................................................530
5.17.21 Configuration Examples......................................................................................................................................531
5.17.21.1 Example for Performing an ICMP Test............................................................................................................531
5.17.21.2 Example for Performing a DHCP Test.............................................................................................................532
6 High Availability.......................................................................................................................659
6.1 Hot Standby................................................................................................................................................................659
6.1.1 Overview.................................................................................................................................................................659
6.1.2 Application Scenario...............................................................................................................................................660
6.1.9.5 Service Interface of the Active Firewall Does not Change Its Status Because the Standby Firewall Is Faulty..........762
6.1.9.6 Active/Standby Switchover Occurs when a VRRP Group Is Added ..................................................................763
6.1.9.7 Active/Standby Switchover Fails Because of Incorrect HRP Track Configuration ............................................765
6.1.9.8 Services Are Temporarily Interrupted After Preemption Because an Interface on a Switch Cannot Forward Packets Immediately After Recovery..........766
6.1.9.9 Packet Loss Occurs Due to VRID Conflict..........................................................................................................768
6.1.9.10 The NAT Traffic Is Interrupted After Active/Standby Switchover....................................................................768
6.1.9.11 Services Are Interrupted After the Upstream Switch Restarts Because the Preemption Delay Is Too Short..........770
6.1.10 Reference...............................................................................................................................................................771
6.1.10.1 Commands and Status Information That Can Be Synchronized........................................................................771
6.1.10.2 Feature History...................................................................................................................................................773
6.1.10.3 Standards and Protocols......................................................................................................................................774
6.1.11 Hot Standby FAQ..................................................................................................................................................774
6.1.11.1 FAQs on Failures................................................................................................................................................774
6.1.11.2 FAQs on Configurations.....................................................................................................................................777
6.1.11.3 FAQs on Mechanism..........................................................................................................................................778
6.1.11.4 FAQs on Specifications......................................................................................................................................780
6.1.11.5 FAQs on Miscellaneous Issues...........................................................................................................................781
6.2 Bypass.........................................................................................................................................................................782
6.2.1 Overview.................................................................................................................................................................782
6.2.2 Restrictions and Precautions....................................................................................................................................783
6.2.3 Bypass Function of the Electrical Interface.............................................................................................................783
6.2.3.1 Configuring the Electrical Bypass Using the Web...............................................................................................783
6.2.3.2 Configuring the Electrical Bypass Using the CLI................................................................................................785
6.2.4 Feature History........................................................................................................................................................786
6.3 Link-group..................................................................................................................................................................786
6.3.1 Introduction.............................................................................................................................................................786
6.3.2 Configuring Link-group..........................................................................................................................................787
6.3.3 Feature History........................................................................................................................................................788
6.4 IP-link.........................................................................................................................................................................788
6.4.1 Introduction.............................................................................................................................................................788
6.4.2 Application Scenario...............................................................................................................................................788
6.4.3 Configuring IP-Link................................................................................................................................................790
6.4.4 Configuring the Interworking Between IP-Link and Other Functions...................................................................791
6.4.4.1 Configuring the Interworking Between IP-Link and Dual-system Hot Backup..................................................791
6.4.4.2 Configuring the Interworking Between IP-Link and Static Routes.....................................................................793
6.4.4.3 Configuring the Interworking between PBR and IP-Link....................................................................................793
6.4.4.4 Configuring the Interworking between DHCP and IP-Link.................................................................................794
6.4.5 Maintaining IP-Link................................................................................................................................................795
6.4.6 Configuration Examples..........................................................................................................................................796
6.4.6.1 Example for Configuring the Interworking Between IP-Link and Dual-system Hot Backup.............................796
6.4.6.2 Example for Configuring the Interworking between Static Route and IP-Link...................................................802
6.4.6.3 Example for Configuring the Interworking between PBR and IP-Link...............................................................805
6.4.6.4 Example for Configuring the Interworking between DHCP and IP-Link............................................................810
6.4.7 Feature History........................................................................................................................................................813
6.5 BFD............................................................................................................................................................................814
6.5.1 Introduction.............................................................................................................................................................814
6.5.2 Application Scenario...............................................................................................................................................814
6.5.2.1 Interworking Between BFD and OSPF................................................................................................................814
6.5.2.2 Interworking Between BFD and Static Routes.....................................................................................................816
6.5.2.3 Interworking Between BFD and FRR..................................................................................................................817
6.5.2.4 Interworking Between BFD and DHCP...............................................................................................................818
6.5.2.5 Interworking Between BFD and PBR..................................................................................................................819
6.5.2.6 Interworking Between BFD and Hot Standby......................................................................................................820
6.5.3 Mechanism...............................................................................................................................................................821
6.5.3.1 BFD Packet...........................................................................................................................................................821
6.5.3.2 BFD Mechanism...................................................................................................................................................825
6.5.3.3 BFD Session Management...................................................................................................................................828
6.5.4 Manually Configuring a Static BFD Session..........................................................................................................831
6.5.4.1 Creating a Static BFD Session..............................................................................................................................831
6.5.4.2 (Optional) Adjusting Session Detection Parameters............................................................................................834
6.5.4.3 (Optional) Configuring Auto-negotiation of Static Discriminators.....................................................................837
6.5.4.4 (Optional) Configuring the Session Demand Mode.............................................................................................839
6.5.4.5 (Optional) Configuring Session Descriptions.......................................................................................................840
6.5.4.6 (Optional) Configuring the Priority for Sending BFD Packets............................................................................842
6.5.4.7 (Optional) Configuring the BFD WTR Time.......................................................................................................843
6.5.5 Adjusting BFD Global Parameters..........................................................................................................................844
6.5.5.1 Delaying the Up State Change of the BFD Session.............................................................................................844
6.5.5.2 Configuring the Default Multicast Address for One-hop BFD............................................................................845
6.5.5.3 Enabling Passive Echo..........................................................................................................................................846
6.5.6 Configuring the Interworking Between BFD and Other Functions........................................................................847
6.5.6.1 Configuring BFD-OSPF Interworking.................................................................................................................847
6.5.6.2 Configuring the Interworking between BFD and Static Routes...........................................................................849
6.5.6.3 Configuring BFD-FRR Interworking...................................................................................................................850
6.5.6.4 Configuring BFD-DHCP Interworking................................................................................................................851
6.5.6.5 Configuring BFD-PBR Interworking...................................................................................................................852
6.5.6.6 Configuring the Interworking between BFD and Hot Standby............................................................................854
6.5.7 Maintaining BFD.....................................................................................................................................................855
6.5.8 Configuration Examples..........................................................................................................................................857
6.5.8.1 Example for Configuring BFD-OSPF Interworking............................................................................................857
6.5.8.2 Example for Configuring Interworking Between BFD and Static Routes...........................................................863
7 Virtual System............................................................................................................................888
7.1 Overview....................................................................................................................................................................888
7.2 Application Scenarios.................................................................................................................................................888
7.3 Mechanism..................................................................................................................................................................890
7.3.1 Virtual System and Administrator...........................................................................................................................890
7.3.2 Virtual System Resource Allocation.......................................................................................................................892
7.3.3 Virtual System Traffic Sorting................................................................................................................................894
7.3.4 Communication Between Virtual Systems..............................................................................................................896
7.4 Restrictions and Precautions.......................................................................................................................................901
7.5 Deploying a Virtual System Using the Web UI.........................................................................................................903
7.5.1 Enabling the Virtual System Function.....................................................................................................................903
7.5.2 Configuring a Resource Class.................................................................................................................................904
7.5.3 Creating a Virtual System and Allocating Resources.............................................................................................906
7.5.4 Enabling Communication Between a Virtual System and the Root System...........................................................908
7.5.5 Enabling Communication Between Virtual Systems..............................................................................................910
7.5.6 Creating a Virtual System Administrator................................................................................................................914
7.6 Deploying a Virtual System Using the CLI................................................................................................................917
7.6.1 Enabling the Virtual System Function.....................................................................................................................917
7.6.2 Configuring a Resource Class.................................................................................................................................917
7.6.3 Creating a Virtual System and Allocating Resources.............................................................................................920
7.6.4 Enabling Communication Between a Virtual System and the Root System...........................................................921
7.6.5 Enabling Communication Between Virtual Systems..............................................................................................923
7.6.6 Creating a Virtual System Administrator................................................................................................................925
7.7 Configuring Virtual System Services.........................................................................................................................928
7.8 Configuration Examples.............................................................................................................................................931
7.8.1 Web Example for Configuring Virtual Systems to Isolate Enterprise Departments (Layer-3 Access, Virtual Systems Sharing the WAN Interface of the Root System)..........932
7.8.2 Web Example for Configuring Virtual Systems to Isolate Enterprise Departments (Layer-3 Access, Virtual Systems Having Independent WAN Interfaces)..........946
7.8.3 Web Example for Configuring Virtual Systems to Isolate Enterprise Departments (Layer-2 Access)..................956
7.8.4 Web Example for Configuring Virtual Systems on a Cloud Computing Gateway.................................................967
7.9 References..................................................................................................................................................................979
7.9.1 Specifications...........................................................................................................................................................979
7.9.2 Function Availability for Virtual Systems...............................................................................................................979
7.9.3 Feature History........................................................................................................................................................984
8 Networks.....................................................................................................................................985
8.1 Interface and Interface Pair.........................................................................................................................................985
8.1.1 Overview.................................................................................................................................................................985
8.1.2 Configuring Interfaces and Interface Pairs Using the Web UI................................................................................997
8.1.2.1 Configuring a Layer 3 Ethernet Interface.............................................................................................................997
8.1.2.2 Configuring a Layer 2 Ethernet Interface...........................................................................................................1005
8.1.2.3 Configuring a Layer 3 Ethernet Subinterface.....................................................................................................1009
8.1.2.4 Configuring a Layer 2 Ethernet Subinterface.....................................................................................................1016
8.1.2.5 Configuring a VLAN Interface...........................................................................................................................1018
8.1.2.6 Configuring an Eth-Trunk Interface...................................................................................................................1025
8.1.2.7 Configuring a Loopback Interface......................................................................................................................1035
8.1.2.8 Configuring the Tunnel Interface.......................................................................................................................1036
8.1.2.9 Configuring an Interface Pair.............................................................................................................................1039
8.1.3 Configuring Interfaces and Interface Pairs Using the CLI....................................................................................1039
8.1.3.1 Configuring a Layer 3 Ethernet Interface...........................................................................................................1040
8.1.3.2 Configuring a Layer 2 Ethernet Interface...........................................................................................................1044
8.1.3.3 Configuring a Layer 3 Ethernet Subinterface.....................................................................................................1047
8.1.3.4 Configuring a Layer 2 Ethernet Subinterface.....................................................................................................1049
8.1.3.5 Configuring a VLAN Interface...........................................................................................................................1050
8.1.3.6 Configuring an Eth-Trunk Interface...................................................................................................................1053
8.1.3.7 Configuring the Combo Interface.......................................................................................................................1056
8.1.3.8 Configuring a Loopback Interface......................................................................................................................1057
8.1.3.9 Configuring a Null Interface...............................................................................................................................1058
8.1.3.10 Configuring an Interface Pair...........................................................................................................................1059
8.1.3.11 Maintaining Interfaces......................................................................................................................................1059
8.1.4 Configuration Examples........................................................................................................................................1060
8.1.4.1 Example for Accessing the Internet Using a Static IPv4 Address......................................................................1060
8.1.4.2 Example for Accessing the Internet Using DHCP.............................................................................................1063
8.1.4.3 Example for Accessing the Internet Using IPv4 PPPoE....................................................................................1067
8.1.4.4 Example for Configuring Static IPv6 Addresses for Devices to Communicate.................................................1071
8.1.4.5 Example for Configuring VLAN Interfaces to Allow VLANs to Communicate...............................................1073
8.1.4.6 Example for Configuring VLANs on Layer 3 Subinterfaces to Allow the VLANs to Communicate...............1077
8.1.4.7 Example for Configuring VLAN Trunk Interfaces to Enable VLANs on Different Network Segments to Communicate..........1080
8.1.5 Troubleshooting for Interface Faults.....................................................................................................................1083
8.1.5.1 Physical Status of an Electrical Ethernet Interface Cannot Be Up.....................................................................1083
8.1.5.2 Physical Status of an Optical Interface Cannot Be Up.......................................................................................1087
8.1.6 Feature History......................................................................................................................................................1093
8.2 Security Zones..........................................................................................................................................................1093
8.2.1 Overview...............................................................................................................................................................1093
8.2.2 Mechanism.............................................................................................................................................................1094
8.2.3 Zone Configuration Using the Web UI.................................................................................................................1096
10 Router.......................................................................................................................................1540
10.1 Routing Basics........................................................................................................................................................1540
10.1.1 Overview.............................................................................................................................................................1540
10.1.2 Checking the Routing Table Using the Web UI..................................................................................................1544
10.1.3 Basic Route Configuration Using the CLI..............................................................................................................1545
10.1.3.1 Configuring the Global Router ID....................................................................................................................1545
10.9.2 Mechanism...........................................................................................................................................................1903
10.9.3 OSPFv3 Configuration Using the Web UI..........................................................................................................1907
10.9.4 OSPFv3 Configuration Using the CLI................................................................................................................1912
10.9.4.1 Configuration Flow...........................................................................................................................................1912
10.9.4.2 Configuring Basic OSPFv3 Functions.............................................................................................................1913
10.9.4.3 Configuring OSPFv3 Areas..............................................................................................................................1915
10.9.4.4 Controlling OSPFv3 Routing Information.......................................................................................................1917
10.9.4.5 Adjusting and Optimizing OSPFv3 Networks.................................................................................................1921
10.9.4.6 Maintaining OSPFv3........................................................................................................................................1928
10.9.5 Example for Configuring OSPFv3 to Connect Network Devices.......................................................................1930
10.9.6 Feature Reference................................................................................................................................................1946
10.9.6.1 Feature History.................................................................................................................................................1946
10.9.6.2 Reference Standards and Protocols..................................................................................................................1946
10.10 BGP4+..................................................................................................................................................................1947
10.10.1 Overview...........................................................................................................................................................1947
10.10.2 BGP4+ Configuration Flow...............................................................................................................................1947
10.10.3 Configuring the Basic Functions of BGP4+......................................................................................................1949
10.10.4 Controlling BGP4+ Routing Information..........................................................................................................1951
10.10.4.1 Configuring BGP4+ to Advertise Local IPv6 Routes....................................................................................1951
10.10.4.2 Configuring BGP4+ to Import and Filter External Routes.............................................................................1953
10.10.4.3 Configuring BGP4+ to Send the Default Route to the Peer............................................................................1954
10.10.4.4 Configuring the Advertisement Policy of Routing Information.....................................................................1956
10.10.4.5 Configuring the Receiving Policy of Routing Information............................................................................1957
10.10.4.6 Configuring BGP4+ Route Dampening.........................................................................................................1959
10.10.5 Configuring the Routing Attributes of BGP4+..................................................................................................1960
10.10.5.1 Configuring the Priority of BGP4+................................................................................................................1960
10.10.5.2 Setting the Preferred Value of BGP4+ Routing Information.........................................................................1961
10.10.5.3 Setting the Default Local_Pref Attribute Value of the Local Host...................................................................1963
10.10.5.4 Configuring the MED Attribute.....................................................................................................................1964
10.10.5.5 Configuring the Next_Hop Attribute..............................................................................................................1965
10.10.5.6 Configuring the AS_Path Attribute................................................................................................................1967
10.10.5.7 Configuring the BGP4+ Community..............................................................................................................1969
10.10.6 Adjusting and Optimizing BGP4+....................................................................................................................1971
10.10.6.1 Configuring the Timer of the Peer..................................................................................................................1971
10.10.6.2 Setting the Sending Interval of Update Packets.............................................................................................1973
10.10.6.3 Setting the Maximum Number of Equal-Cost Routes of BGP4+..................................................................1974
10.10.6.4 Configuring the BGP4+ Soft Reset................................................................................................................1976
10.10.6.5 Configuring the BGP4+ Peer Group..............................................................................................................1977
10.10.6.6 Configuring the BGP4+ Router Reflector......................................................................................................1980
10.10.6.7 Configuring the BGP4+ Confederation..........................................................................................................1982
10.10.7 Maintaining BGP4+...........................................................................................................................................1984
11.9.3 Users Who Are Authenticated Using TSM SSO Cannot Access Network Resources........................................2353
11.10 Reference..............................................................................................................................................................2354
11.10.1 Specifications.....................................................................................................................................................2354
11.10.2 Feature History..................................................................................................................................................2356
11.10.3 Standards and Protocols.....................................................................................................................................2358
12 Object.......................................................................................................................................2360
12.1 Address and Address Group...................................................................................................................................2360
12.1.1 Overview.............................................................................................................................................................2360
12.1.2 Configuring an Address and Address Group Using the Web UI........................................................................2361
12.1.3 Configuring an Address and Address Group Using the CLI...............................................................................2362
12.1.4 Reference.............................................................................................................................................................2363
12.1.4.1 Specifications....................................................................................................................................................2363
12.1.4.2 Feature History.................................................................................................................................................2364
12.2 Domain Group........................................................................................................................................................2364
12.2.1 Overview.............................................................................................................................................................2364
12.2.2 Configuring Domain Groups Using the Web UI.................................................................................................2365
12.2.3 Configuring Domain Groups Using the CLI.......................................................................................................2366
12.2.4 Reference.............................................................................................................................................................2366
12.2.4.1 Specifications....................................................................................................................................................2366
12.2.4.2 Feature History.................................................................................................................................................2367
12.3 Region and Region Group......................................................................................................................................2367
12.3.1 Overview.............................................................................................................................................................2367
12.3.2 Restrictions and Precautions................................................................................................................................2369
12.3.3 Configuring Regions and Region Groups Using the Web UI.............................................................................2370
12.3.3.1 Modifying a Predefined Region.......................................................................................................................2370
12.3.3.2 Creating a User-Defined Region......................................................................................................................2370
12.3.3.3 Creating a Region Group..................................................................................................................................2371
12.3.4 Configuring Regions and Region Groups Using the CLI....................................................................................2372
12.3.4.1 Modifying a Predefined Region.......................................................................................................................2372
12.3.4.2 Creating a User-Defined Region......................................................................................................................2373
12.3.4.3 Creating a Region Group..................................................................................................................................2374
12.3.5 Reference.............................................................................................................................................................2375
12.3.5.1 Specifications....................................................................................................................................................2375
12.3.5.2 Feature History.................................................................................................................................................2376
12.4 Service and Service Group.....................................................................................................................................2376
12.4.1 Overview.............................................................................................................................................................2376
12.4.2 Configure a Service Object and Service Group Using the Web UI....................................................................2377
12.4.3 Configuring a Service Object and Service Group Using the CLI.......................................................................2379
12.4.4 Reference.............................................................................................................................................................2380
12.4.4.1 Specifications....................................................................................................................................................2380
12.4.4.2 Feature History.................................................................................................................................................2381
12.7.6.1 Web Example for Using SCEP to Apply For a Certificate Online..................................................................2436
12.7.6.2 CLI Example for Using SCEP to Apply For a Certificate Online....................................................................2439
12.7.6.3 Web Example for Applying For a Certificate Offline......................................................................................2448
12.7.6.4 CLI Example for Applying For a Certificate Offline.......................................................................................2452
12.7.7 Reference.............................................................................................................................................................2459
12.7.7.1 Specifications....................................................................................................................................................2459
12.7.7.2 Feature History.................................................................................................................................................2459
12.7.7.3 Standards and Protocols....................................................................................................................................2459
12.8 Schedule..................................................................................................................................................................2459
12.8.1 Overview.............................................................................................................................................................2460
12.8.2 Configuring a Schedule Using the Web UI.........................................................................................................2461
12.8.3 Configuring a Schedule Using the CLI...............................................................................................................2462
12.8.4 Maintaining Schedules........................................................................................................................................2463
12.8.5 Feature History....................................................................................................................................................2463
12.9 ACL........................................................................................................................................................................2463
12.9.1 Overview.............................................................................................................................................................2463
12.9.2 Mechanism...........................................................................................................................................................2463
12.9.3 Configuring ACLs...............................................................................................................................................2465
12.9.3.1 Creating a Basic ACL.......................................................................................................................................2465
12.9.3.2 Creating an Advanced ACL.............................................................................................................................2467
12.9.3.3 Creating a MAC Address-based ACL..............................................................................................................2470
12.9.4 Maintaining ACLs...............................................................................................................................................2472
12.9.5 Feature History....................................................................................................................................................2473
12.10 IPv6 ACL..............................................................................................................................................................2473
12.10.1 IPv6 ACL Overview..........................................................................................................................................2473
12.10.2 Mechanism.........................................................................................................................................................2473
12.10.3 Configuring IPv6 ACLs.....................................................................................................................................2475
12.10.3.1 Creating a Basic IPv6 ACL............................................................................................................................2475
12.10.3.2 Creating an Advanced IPv6 ACL...................................................................................................................2476
12.10.4 Maintaining IPv6 ACLs.....................................................................................................................................2478
12.10.5 Feature History..................................................................................................................................................2479
14 Proxy Policy............................................................................................................................2751
14.1 TCP Proxy..............................................................................................................................................................2751
14.1.1 Overview.............................................................................................................................................................2751
14.1.2 Restrictions and Precautions................................................................................................................................2751
14.1.3 Configuring Proxy Policies - TCP Proxy............................................................................................................2753
14.1.4 Example for Configuring TCP Proxy..................................................................................................................2755
14.1.5 Reference.............................................................................................................................................................2758
14.1.5.1 Feature History.................................................................................................................................................2758
14.1.5.2 Standards and Protocols....................................................................................................................................2759
14.2 SSL Decryption......................................................................................................................................................2759
14.2.1 Overview.............................................................................................................................................................2759
14.2.2 Mechanism...........................................................................................................................................................2760
14.2.3 Restrictions and Precautions................................................................................................................................2764
14.2.4 Configuring SSL Decryption...............................................................................................................................2766
14.2.4.1 Configuring SSL Decryption Certificates........................................................................................................2766
14.2.4.2 Configuring Proxy Policies - SSL Decryption.................................................................................................2769
14.2.4.3 Configuring an SSL Host Name Whitelist.......................................................................................................2772
14.2.5 Example for Configuring SSL Decryption..........................................................................................................2773
14.2.6 Reference.............................................................................................................................................................2779
14.2.6.1 Feature History.................................................................................................................................................2779
14.2.6.2 Standards and Protocols....................................................................................................................................2780
16 NAT Policy..............................................................................................................................2795
16.1 Overview................................................................................................................................................................2795
16.2 Application Scenario..............................................................................................................................................2796
16.2.1 Intranet Users Access the Internet.......................................................................................................................2797
16.2.2 Internet Users Access Intranet Servers................................................................................................................2797
16.2.3 Intranet Users Access an Intranet Server Using the Server's Public IP Address.................................................2798
16.2.4 Mobile Terminals Access Wireless Networks.....................................................................................................2799
16.3 Mechanism..............................................................................................................................................................2799
16.3.1 NAT Workflow....................................................................................................................................................2800
16.3.2 Source NAT.........................................................................................................................................................2802
16.3.3 Server Mapping...................................................................................................................................................2805
16.3.4 Destination NAT..................................................................................................................................................2807
16.3.5 NAT ALG............................................................................................................................................................2808
16.4 Restrictions and Precautions...................................................................................................................................2810
16.5 Configuring NAT Policy Using the Web UI..........................................................................................................2810
16.5.1 Configuring Source NAT....................................................................................................................................2811
16.5.2 Configuring Server Mapping...............................................................................................................................2815
16.6 Configuring NAT Policy Using the CLI................................................................................................................2821
16.6.1 Configuring Source NAT....................................................................................................................................2821
16.6.2 Configuring Static Mapping................................................................................................................................2825
16.6.3 Configuring Server Load Balancing....................................................................................................................2832
16.6.4 Configuring Destination NAT.............................................................................................................................2835
16.6.5 Configuring a NAT ALG....................................................................................................................................2837
16.6.6 Maintaining NAT................................................................................................................................................2838
16.7 Configuration Examples.........................................................................................................................................2840
16.7.1 Web Example for Configuring a Source NAT Policy in Address Pool Mode on a NGFW That Connects Intranet Users to the Internet........................................................................................................................................2840
16.7.2 CLI Example for Configuring a Source NAT Policy in Address Pool Mode on a NGFW That Connects Intranet Users to the Internet........................................................................................................................................2847
16.7.3 Web Example for Configuring a Source NAT Policy in Outbound Interface Mode on a NGFW That Connects Intranet Users to the Internet..........................................................................................................................2852
16.7.4 CLI Example for Configuring a Source NAT Policy in Outbound Interface Mode on a NGFW That Connects Intranet Users to the Internet........................................................................................................................................2857
16.7.5 Web Example for Configuring Static Mapping on a NGFW That Connects Internet Users to Intranet Servers........................................................................................................................................................................2860
16.7.6 CLI Example for Configuring Static Mapping on a NGFW That Connects Internet Users to Intranet Servers........................................................................................................................................................................2867
16.7.7 Web Example for Configuring Static Mapping on a NGFW That Connects Internet Users to Intranet Servers (Bidirectional NAT).......................................................................................................................................2870
16.7.8 CLI Example for Configuring Static Mapping on a NGFW That Connects Internet Users to Intranet Servers (Bidirectional NAT).......................................................................................................................................2878
16.7.9 Web Example for Configuring Static Mapping on a NGFW That Connects Internet Users to Intranet Servers (Sticky Load Balancing).............................................................................................................................2882
16.7.10 CLI Example for Configuring Static Mapping on a NGFW That Connects Internet Users to Intranet Servers (Sticky Load Balancing).............................................................................................................................2888
16.7.11 Web Example for Configuring a NGFW to Allow Intranet Users to Access an Intranet Server Using a Public IP Address...........................................................................................................................................................2892
16.7.12 CLI Example for Configuring a NGFW to Allow Intranet Users to Access an Intranet Server Using a Public IP Address...........................................................................................................................................................2900
16.7.13 Web Example for Configuring Server Load Balancing....................................................................................2905
16.7.14 CLI Example for Configuring Server Load Balancing......................................................................................2910
16.7.15 CLI Example for Configuring Interface-based Static Server Mapping and DDNS..........................................2914
16.7.16 Web Example for Configuring Transparent NAT.............................................................................................2918
16.7.17 CLI Example for Configuring Transparent NAT..............................................................................................2924
16.7.18 CLI Example for Configuring Source NAT in a Load Balancing Scenario (Active and Standby Devices Share One Address Pool)..........................................................................................................................................2928
16.7.19 CLI Example for Configuring Source NAT in a Load Balancing Scenario (Active and Standby Devices Use Different Address Pools)................................................................................................................................2936
16.8 Troubleshooting NAT Policy.................................................................................................................................2946
16.8.1 Intranet Users Cannot Access the Internet After a Source NAT Policy Is Configured on a NGFW..................2946
16.8.2 Internet Users Cannot Access Intranet Servers After Static Mapping Is Configured on a NGFW.....................2949
16.9 Feature Reference...................................................................................................................................................2952
16.9.1 Feature History....................................................................................................................................................2952
16.9.2 Standards and Protocols.......................................................................................................................................2952
16.10 NAT FAQs...........................................................................................................................................................2953
17 PBR...........................................................................................................................................2957
17.1 Overview................................................................................................................................................................2957
17.2 Restrictions and Precautions...................................................................................................................................2958
17.3 Mechanism..............................................................................................................................................................2958
17.4 Configuring PBR Using the Web UI......................................................................................................................2960
17.5 Configuring PBR Using the CLI............................................................................................................................2969
17.6 Configuration Examples.........................................................................................................................................2974
17.6.1 Web Example for Configuring User-Specific PBR.............................................................................................2974
17.6.2 CLI Example for Configuring User-Specific PBR..............................................................................................2978
17.6.3 Web Example for Configuring Protocol-Specific PBR.......................................................................................2981
17.6.4 CLI Example for Configuring Protocol-Specific PBR........................................................................................2984
17.6.5 Web Example for Configuring Source IP Address-Specific PBR......................................................................2987
17.6.6 CLI Example for Configuring Source IP Address-Specific PBR........................................................................2991
17.6.7 Web Example for Configuring Domain Name-Specific PBR.............................................................................2993
17.6.8 Web Example for Configuring IPv6-to-IPv4 Policy-based Routing...................................................................2999
17.6.9 CLI Example for Configuring IPv6-to-IPv4 Policy-based Routing....................................................................3009
17.6.10 Web Example for Configuring ISP Address Library Intelligent Uplink Selection...........................................3013
18 Bandwidth Management......................................................................................................3023
18.1 Overview................................................................................................................................................................3023
18.2 Application Scenarios.............................................................................................................................................3024
18.3 Mechanism..............................................................................................................................................................3026
18.3.1 Process.................................................................................................................................................................3026
18.3.2 Traffic Profile......................................................................................................................................................3027
18.3.3 Traffic Policy.......................................................................................................................................................3029
18.3.4 Interface Bandwidth............................................................................................................................................3031
18.4 Restrictions and Precautions...................................................................................................................................3031
18.5 Configuring Bandwidth Management Using the Web UI......................................................................................3032
18.5.1 Configuring a Traffic Profile...............................................................................................................................3032
18.5.2 Configuring a Traffic Policy................................................................................................................................3035
18.6 Configuring Bandwidth Management Using the CLI............................................................................................3040
18.6.1 Configuring a Traffic Profile...............................................................................................................................3040
18.6.2 Configuring a Traffic Policy................................................................................................................................3043
18.6.3 Enabling the Log Function..................................................................................................................................3047
18.6.4 Maintaining the Bandwidth Management Function............................................................................................3047
18.7 Configuration Examples.........................................................................................................................................3048
18.7.1 Web Example for Implementing Bandwidth Management on a NGFW on the Intranet Border........................3048
18.7.2 Example for Implementing Bandwidth Management on a NGFW on the Intranet Border.................................3058
18.7.3 Web Example for Implementing Bandwidth Management on a NGFW Within an Intranet..............................3067
18.7.4 Example for Implementing Bandwidth Management on a NGFW Within an Intranet.......................................3075
18.7.5 Web Example for Implementing Bandwidth Management on a NGFW on the IDC Border..............................3083
18.7.6 Example for Implementing Bandwidth Management on a NGFW on the IDC Border......................................3088
18.8 References..............................................................................................................................................................3092
18.8.1 Feature History....................................................................................................................................................3092
18.8.2 Standards and Protocols.......................................................................................................................................3093
20 VPN..........................................................................................................................................3109
20.1 VPN Overview.......................................................................................................................................................3109
20.1.1 Introduction.........................................................................................................................................................3109
20.1.2 Application Scenarios..........................................................................................................................................3111
20.2 IPSec.......................................................................................................................................................................3117
20.2.1 Overview.............................................................................................................................................................3117
20.2.2 Application Scenario...........................................................................................................................................3118
20.2.2.1 Connection of LANs Through VPN.................................................................................................................3118
20.2.2.2 Remote VPN Access of Mobile Users.............................................................................................................3123
20.2.2.3 IPSec Redundancy Design................................................................................................................................3124
20.2.2.4 Application of IPSec Multiple Instances..........................................................................................................3129
20.2.3 IPSec Framework................................................................................................................................................3130
20.2.3.1 Overview of the Protocol Framework..............................................................................................................3130
20.2.3.2 Encapsulation Mode.........................................................................................................................................3131
20.2.3.3 Security Protocol..............................................................................................................................................3134
20.2.3.4 Encryption........................................................................................................................................................3136
20.2.3.5 Verification.......................................................................................................................................................3138
20.2.3.6 Key Exchange...................................................................................................................................................3140
20.2.4 IPSec Security Association..................................................................................................................................3141
20.2.4.1 SA Overview....................................................................................................................................................3141
20.2.4.2 IKEv1 SA Negotiation......................................................................................................................................3143
20.2.4.3 IKEv2 SA Negotiation Process........................................................................................................................3148
20.2.5 IPSec Extension Mechanism...............................................................................................................................3151
20.2.5.1 L2TP over IPSec Mechanism...........................................................................................................................3151
20.2.5.2 GRE over IPSec Mechanism............................................................................................................................3153
20.2.5.3 Application and Mechanism of IPSec on Transitioning Networks..................................................................3153
20.2.6 Restrictions and Precautions................................................................................................................................3156
20.2.7 Configuring IPSec Using the Web UI.................................................................................................................3157
20.2.7.1 Configuring an IPSec Policy in Site-to-Site VPN............................................................................................3157
20.2.7.2 Configuring an IPSec Policy in Site-to-Multisite VPN....................................................................................3166
20.2.7.3 Configuring IPSec Intelligent Link Selection..................................................................................................3176
20.2.7.4 Monitoring IPSec Tunnels................................................................................................................................3187
20.2.8 Configuring IKE-Enabled IPSec Using the CLI.................................................................................................3188
20.2.8.1 Configuration Flow...........................................................................................................................................3188
20.2.8.2 Defining Data Flows to Be Protected...............................................................................................................3189
20.2.8.3 Configuring an IKE Proposal...........................................................................................................................3193
20.2.8.4 Configuring IKE Peers.....................................................................................................................................3195
20.2.8.5 (Recommended) Configuring IKE Peer Detection...........................................................................................3204
20.2.8.6 Configuring an IPSec Proposal.........................................................................................................................3207
20.2.8.7 Configuring IPSec Intelligent Link Selection Profiles.....................................................................................3208
20.2.8.8 Configure an IKE-based IPSec Policy..............................................................................................................3211
20.2.12.5.1 IPSec Tunnel Negotiation Cannot Be Triggered Because the Post-NAT Address Does Not Match the ACL When IPSec and NAT Are Deployed on One NGFW...................................................................................................3669
20.2.12.5.2 IPSec VPN Negotiation Fails Because the Secondary Address Cannot Trigger the IKE Peer...................3671
20.2.12.5.3 IPSec SA Negotiation Fails.........................................................................................................................3672
20.2.12.5.4 After One Endpoint Restarts, the Other Endpoint Does Not Delete the Original Tunnel and Consequently Cannot Communicate Through the Tunnel....................................................................................................3675
20.2.12.5.5 IPSec VPN Fails due to ACL Mismatch on Both Endpoints......................................................................3676
20.2.12.5.6 A New Tunnel Replaces an Existing Tunnel...............................................................................................3678
20.2.12.5.7 File Downloading Through IPSec Tunnel Fails Because Fragments Cannot Be Processed.......................3682
20.2.12.5.8 A Branch Office Fails to Communicate With the Headquarters Because of ACL Rule Mismatch............3685
20.2.12.5.9 Unavailable VPN Because Data Flows Match the Reverse Session on the NAT Server............................3687
20.2.12.5.10 Unavailable VPN Because the Carrier Blocks IPSec Packets...................................................................3688
20.2.12.5.11 TC0210: Troubleshooting an IPSec Failure Using the Diagnosis Center.................................................3689
20.2.12.5.12 TC0212: Mobile PCs Fail to Negotiate IPSec Tunnels in IKEv2 Mode ..................................................3692
20.2.13 Reference...........................................................................................................................................................3701
20.2.13.1 Specifications..................................................................................................................................................3701
20.2.13.2 Feature History...............................................................................................................................................3702
20.2.13.3 Standards and Protocols..................................................................................................................................3704
20.2.14 IPSec FAQ.........................................................................................................................................................3705
20.3 L2TP.......................................................................................................................................................................3707
20.3.1 Overview.............................................................................................................................................................3707
20.3.2 Application Scenarios..........................................................................................................................................3709
20.3.2.1 NAS-Initiated VPN...........................................................................................................................................3709
20.3.2.2 Automatic LAC Dial-up...................................................................................................................................3711
20.3.2.3 Client-Initiated VPN.........................................................................................................................................3711
20.3.3 Mechanism...........................................................................................................................................................3712
20.3.3.1 Tunnel and Session Establishment...................................................................................................................3712
20.3.3.2 Packet Encapsulation........................................................................................................................................3719
20.3.3.3 Authentication Modes.......................................................................................................................................3722
20.3.4 Restrictions and Precautions................................................................................................................................3723
20.3.5 Configuring L2TP Using the Web UI.................................................................................................................3723
20.3.5.1 Configuring a LAC...........................................................................................................................................3723
20.3.5.2 Configuring an LNS.........................................................................................................................................3727
20.3.5.3 Monitoring L2TP..............................................................................................................................................3730
20.3.6 Configuring L2TP Using the CLI........................................................................................................................3731
20.3.6.1 Configuration Flow...........................................................................................................................................3731
20.3.6.2 Configuring a LAC...........................................................................................................................................3734
20.3.6.3 Configuring an LNS.........................................................................................................................................3739
20.3.6.4 Maintaining L2TP.............................................................................................................................................3746
20.3.7 Configuration Examples......................................................................................................................................3748
20.3.7.1 Example for Configuring a NAS-Initiated L2TP VPN....................................................................................3748
20.3.7.2 Example for Configuring an Automatic LAC Dial-up L2TP Tunnel...............................................................3757
21 SSL VPN..................................................................................................................................3999
21.1 Overview................................................................................................................................................................3999
21.2 Application Scenario..............................................................................................................................................4000
21.3 Mechanism..............................................................................................................................................................4002
21.3.1 Overall Flow........................................................................................................................................................4002
21.3.2 Local Certificate Authentication..........................................................................................................................4003
21.3.3 User Authentication.............................................................................................................................................4005
21.3.4 Web Proxy...........................................................................................................................................................4010
21.3.5 File Sharing..........................................................................................................................................................4013
21.3.6 Port Forwarding...................................................................................................................................................4013
21.3.7 Network Extension..............................................................................................................................................4014
21.4 Restrictions and Precautions...................................................................................................................................4016
21.5 Configuring SSL VPN............................................................................................................................................4016
21.5.1 Preparing for Configuration.................................................................................................................................4017
21.5.2 Using the SSL VPN Configuration Guide...........................................................................................................4019
21.5.2.1 Creating a Virtual Gateway..............................................................................................................................4020
21.5.2.2 Configuring SSL...............................................................................................................................................4024
21.5.2.3 Configuring Web Proxy....................................................................................................................................4025
21.5.2.4 Configuring File Sharing..................................................................................................................................4027
21.5.2.5 Configuring Port Forwarding...........................................................................................................................4028
21.5.2.6 Configuring Network Extension.......................................................................................................................4030
21.5.2.7 Configuring the Host Check.............................................................................................................................4031
21.5.2.8 Configuring Role Authorization/Users.............................................................................................................4038
21.5.3 Configuring the Cache Clearing..........................................................................................................................4039
21.5.4 Configuring Certificate Filtering.........................................................................................................................4042
21.5.5 Customizing Virtual Gateway Login UI.............................................................................................................4044
21.6 Logging In to the SSL VPN Gateway....................................................................................................................4045
21.7 Monitoring SSL VPN Services...............................................................................................................................4049
21.8 Configuration Examples.........................................................................................................................................4051
21.8.1 Example for Enabling Employees on the Move to Remotely Access Intranet Servers Through a NGFW Enabled with the Web Proxy Service...........................................................................................................................4051
21.8.2 Example for Enabling Partners to Remotely Access Intranet Files Through a NGFW Enabled with the File Sharing Service............................................................................................................................................................4055
21.8.3 Example for Enabling Employees at Customer Service Centers to Remotely Access Intranet Servers Through a NGFW Enabled with the Port Forwarding Service........................................................................................................4059
21.8.4 Example for Enabling Employees Working at Home to Remotely Access Intranet Resources Through a NGFW Enabled with the Network Extension Service................................................................................................4063
21.9 Troubleshooting SSL VPN Services......................................................................................................................4067
21.9.1 A Message "The Web page cannot be displayed" Appears When a PC Attempts to Log In to the SSL VPN Gateway on a NGFW.....................................................................................................................................................4067
21.9.2 A PC Displays a Message "Invalid user, incorrect password or the user is locked." After a User Enters a User Name and Password Before Logging In to an SSL VPN Gateway..........................................................................................4068
21.9.3 The Prompt "Your Certificate Is Invalid. Please Provide a Valid Certificate!" Is Displayed.............................4069
21.9.4 A User Cannot Access a Web Proxy Resource Even Though the Resource Is Displayed on the Web UI for an SSL VPN Gateway.................................................................................................................................................4072
21.9.5 Failed to Enable the Network Extension Function..............................................................................................4073
21.9.6 An Internet User Cannot Access Intranet Resources After the Network Extension Service Is Enabled............4075
21.9.7 A User Cannot Access Intranet Resources Through a NGFW Enabled with the Port Forwarding Service.......4077
21.9.8 A User Fails to Access a File Sharing Resource.................................................................................................4078
21.10 Feature Reference.................................................................................................................................................4080
21.10.1 Specifications.....................................................................................................................................................4080
21.10.2 Feature History..................................................................................................................................................4086
21.10.3 Standards and Protocols.....................................................................................................................................4087
21.11 SSL VPN FAQ.....................................................................................................................................................4087
22 Security Protection................................................................................................................4090
22.1 Attack Defense.......................................................................................................................................................4090
22.1.1 Overview.............................................................................................................................................................4090
22.1.2 Application Scenario...........................................................................................................................................4091
22.1.3 Mechanism...........................................................................................................................................................4092
22.1.3.1 DDoS Attack Defense......................................................................................................................................4092
22.1.3.2 DDoS Attack Defense Threshold.....................................................................................................................4103
22.1.3.3 Single-Packet Attack Defense..........................................................................................................................4103
22.1.4 Configuring Attack Defense Using the Web UI..................................................................................................4112
22.1.4.1 Configuring Anti-DDoS...................................................................................................................................4112
22.1.4.2 Configuring the Defense Against Single-Packet Attacks.................................................................................4115
22.1.5 Configuring the Defense Against Attacks Using the CLI...................................................................................4117
22.1.5.1 Configuring DDoS Attack Defense..................................................................................................................4117
22.1.5.1.1 Setting DDoS Attack Defense Parameters....................................................................................................4117
22.1.5.1.2 Configuring SYN Flood Attack Defense.......................................................................................................4118
22.1.5.1.3 Configuring UDP Flood Attack Defense.......................................................................................................4119
22.1.5.1.4 Configuring ICMP Flood Attack Defense.....................................................................................................4121
22.1.5.1.5 Configuring HTTP Flood Attack Defense.....................................................................................................4121
22.1.5.1.6 Configuring HTTPS Flood Attack Defense..................................................................................................4122
22.1.5.1.7 Configuring DNS Request Flood Attack Defense.........................................................................................4123
22.1.5.1.8 Configuring DNS Reply Flood Attack Defense............................................................................................4123
22.1.5.1.9 Configuring SIP Flood Attack Defense.........................................................................................................4124
22.1.5.1.10 Configuring ARP Flood Attack Defense.....................................................................................................4125
22.1.5.1.11 Configuring Threshold Learning.................................................................................................................4125
22.1.5.2 Configuring Single-Packet Attack Defense......................................................................................................4126
22.1.5.2.1 Configuring IP Address Sweep Attack Defense............................................................................................4127
22.5.1 Overview.............................................................................................................................................................4164
22.5.2 Mechanism...........................................................................................................................................................4164
22.5.3 Configuring ASPF Using the Web UI.................................................................................................................4168
22.5.4 Configuring ASPF Using the CLI.......................................................................................................................4169
22.5.5 Example for Configuring ASPF..........................................................................................................................4171
22.5.6 Feature History....................................................................................................................................................4174
22.6 Configuring MAC Address-based Packet Filtering................................................................................................4175
22.7 URPF......................................................................................................................................................................4176
22.7.1 Overview.............................................................................................................................................................4176
22.7.2 Mechanism...........................................................................................................................................................4177
22.7.3 Configuring URPF on an Interface......................................................................................................................4180
22.7.4 Example for Configuring URPF..........................................................................................................................4181
22.7.5 Feature History....................................................................................................................................................4183
22.8 GTP.........................................................................................................................................................................4184
22.8.1 Overview.............................................................................................................................................................4184
22.8.2 Configuration Procedures....................................................................................................................................4187
22.8.3 Configuring a GTP Policy...................................................................................................................................4188
22.8.3.1 Creating a GTP Policy......................................................................................................................................4188
22.8.3.2 Configuring the GTP Content Filtering............................................................................................................4189
22.8.3.3 Configuring the GTP Type Filtering................................................................................................................4190
22.8.3.4 Configuring the GTP Length Filtering.............................................................................................................4192
22.8.3.5 Configuring the GTP IE Filtering.....................................................................................................................4193
22.8.3.6 Configuring the Extension Header-based Filtering of GTP Messages.............................................................4196
22.8.3.7 Configuring the GTP Packet Log Function......................................................................................................4196
22.8.3.8 Applying the GTP Policy.................................................................................................................................4198
22.8.4 Configuring the Defense Against GTP Overbilling Attacks...............................................................................4199
22.8.5 Configuring the GTP-in-GTP Filtering Function................................................................................................4201
22.8.6 Configuring the GTP Limitation Function..........................................................................................................4201
22.8.7 Managing GTP....................................................................................................................................................4202
22.8.7.1 Configuring the GTP Status Check Function...................................................................................................4202
22.8.7.2 Setting the GTP Aging Time............................................................................................................................4203
22.8.7.3 Configuring the GTP Tunnel Log Function.....................................................................................................4204
22.8.7.4 Configuring the GTP Statistics Function..........................................................................................................4204
22.8.7.5 Setting the Digits of the MNC..........................................................................................................................4205
22.8.8 Configuration Examples......................................................................................................................................4205
22.8.8.1 Example for Configuring the GTP Policy........................................................................................................4205
22.8.8.2 Example for Configuring the Defense Against GTP Overbilling Attacks.......................................................4208
22.8.9 Feature History....................................................................................................................................................4214
22.9 IDS Interworking....................................................................................................................................................4214
22.9.1 Overview.............................................................................................................................................................4214
22.9.2 Configuring the Interworking with IDS Using the Web UI................................................................................4215
23 IP Multicast.............................................................................................................................4320
23.1 Guide for Configuring Multicast............................................................................................................................4320
23.2 IP Multicast Overview............................................................................................................................................4323
23.2.1 Introduction to IP Multicast.................................................................................................................................4323
23.2.1.1 Basic Concepts of IP Multicast........................................................................................................................4324
23.2.1.2 Advantages and Applications of IP Multicast..................................................................................................4325
23.2.1.3 Models of IP Multicast.....................................................................................................................................4327
23.2.2 Implementation Mechanism of IP Multicast.......................................................................................................4327
23.2.2.1 Basic Architecture of IP Multicast...................................................................................................................4327
23.2.2.2 Multicast Addresses..........................................................................................................................................4328
23.2.2.3 Multicast Protocols...........................................................................................................................................4330
23.3 IGMP Snooping Configuration..............................................................................................................................4332
23.3.1 Introduction to IGMP Snooping..........................................................................................................................4332
25 Monitoring..............................................................................................................................4703
25.1 Logs and Reports....................................................................................................................................................4703
25.1.1 Overview.............................................................................................................................................................4703
25.1.2 Restrictions and Precautions................................................................................................................................4705
25.1.3 Viewing Logs......................................................................................................................................................4705
25.1.3.1 Traffic Logs......................................................................................................................................................4705
25.1.3.2 Threat Logs.......................................................................................................................................................4708
25.1.3.3 URL Logs.........................................................................................................................................................4712
25.1.3.4 Content Logs.....................................................................................................................................................4715
25.1.3.5 Operation Logs.................................................................................................................................................4718
25.1.3.6 System Logs.....................................................................................................................................................4720
25.1.3.7 User Activity Logs............................................................................................................................................4721
25.1.3.8 Policy Matching Logs.......................................................................................................................................4723
25.1.3.9 Mail Filtering Logs...........................................................................................................................................4725
25.1.3.10 Audit Logs......................................................................................................................................................4729
25.1.4 Viewing Reports..................................................................................................................................................4732
25.1.4.1 Customizing Reports........................................................................................................................................4733
25.1.4.2 Report Subscription..........................................................................................................................................4733
25.1.4.3 Traffic Reports..................................................................................................................................................4734
25.1.4.4 Threat Reports..................................................................................................................................................4738
25.1.4.5 URL Reports.....................................................................................................................................................4741
25.1.4.6 Policy Matching Reports..................................................................................................................................4742
25.1.4.7 File Blocking Reports.......................................................................................................................................4744
25.1.4.8 Data Filtering Reports......................................................................................................................................4745
25.1.5 Configuration Examples......................................................................................................................................4746
25.1.5.1 Example of Configuring Report Subscription..................................................................................................4747
25.1.6 Reference.............................................................................................................................................................4752
25.1.6.1 Feature History.................................................................................................................................................4752
25.1.6.2 Standards and Protocols....................................................................................................................................4752
25.2 Traffic Map.............................................................................................................................................................4752
25.3 Threat Map.............................................................................................................................................................4755
25.4 Session Table and Persistent Connection...............................................................................................................4756
25.4.1 Overview.............................................................................................................................................................4757
25.4.2 Mechanism...........................................................................................................................................................4757
25.4.3 Checking the Session Table Using the Web UI..................................................................................................4762
Hardware
• Changed the matching power adapter of the USG6320 from 60 W to 36 W.
• Changed the BOM code of the 10GE optical module with an 80 km transmission distance from 02310JFE to 02310SNN, and the corresponding external model from LE2MXSC80FF0 to SFP-10G-ZR.
System
• Administrators: Added the device module to the object permission control items of administrator roles on the NGFW.
High Availability
• Added support for automatic backup of static routes.
Virtual System
• Added the function for configuring the DHCP server and DHCP relay in virtual systems.
• Added DHCP Dynamic Address Lease and DHCP Static Address Lease to the resource items that the root system administrator allocates to each virtual system.
• Added DHCP Server to the Popedom of new administrator roles in virtual systems.
Networks
• DNS: Supported the configuration of a secondary DNS server for domain names to which DNS transparent proxy does not apply. After the primary and secondary DNS server addresses are specified for these domain names, DNS requests are forwarded to the primary DNS server; if that server is down, they are forwarded to the secondary DNS server. DNS requests are never forwarded to the DNS server set on the client.
Object
• Devices and Device Groups: Added the device and device group objects. Devices or device groups can be referenced in security policies to control a specific type of TSM SSO device.
Bandwidth Management
• Added the public IP address matching function. Bandwidth can be limited for post-Source NAT and pre-NAT Server public IP addresses.
• Changed the product implementation. When traffic is forwarded from the outbound interface, traffic exceeding the guaranteed bandwidth but below the maximum bandwidth is limited by the interface bandwidth, whereas traffic within the guaranteed bandwidth is not limited by the interface bandwidth.
VPN
• IPSec: Added the Dialer interface and interfaces that obtain IP addresses through DHCP to the local interfaces available for IPSec intelligent link selection.
• DSVPN: Added reverse route injection to DSVPN. Reverse route injection sends the private network address of a branch or cascade headquarters to the headquarters in an NHRP message. The headquarters parses the NHRP message to obtain the private network address of the branch or cascade headquarters and adds a static route to that private subnet.
Security Protection
• Attack Defense: Supported the configuration of DDoS attack defense using the CLI.
• Blacklist: Supported the query of blacklist logs on the web UI for fault locating.
Monitoring
• Quintuple Packet Capture: Supported the configuration of packet capture on the web UI by packet direction and category, expanding the configuration options for quintuple packet capture.
Hardware
• Added the USG6306/6308 and USG6507.
System
• Admin: Added northbound API configurations. A client calls the northbound API of the NGFW to communicate with the NGFW over HTTP/HTTPS.
• License Management: Added support for trial use of licenses. The system provides a two-month trial license that enables functions such as antivirus, intrusion prevention, and URL remote query.
• Update Center: Added the location signature database. Users can download the location signature database from https://sec.huawei.com for local upgrade to improve the NGFW's ability to geolocate IP addresses.
• Update Center: The Web UI provides the causes of and solutions to signature database update failures.
• Information Push Configuration: The method for configuring push information has changed. Previously, you could edit and modify push information directly on the Web UI. Now you must first export the push information template, edit the push information in the template, and then import the template to the device.
Networks
• Smart DNS: Added the round robin- and weighted round robin-based smart DNS functions.
Proxy Policy
• TCP Proxy: Added support for importing users from AD or AD LDAP servers as a matching condition.
• SSL Decryption: Added support for deleting domain names from the predefined SSL domain name whitelist.
Bandwidth Management
• Traffic Policy: Added support for importing users from AD or AD LDAP servers as a matching condition.
VPN
• Added IPSec intelligent link selection.
• Added the IKE user table. This table lists the mappings between remote IKE peer IDs and pre-shared keys. In point-to-multipoint scenarios, when you configure IPSec for the headquarters and the IKE peer references the IKE user table, the NGFW looks up the pre-shared key in the IKE user table by peer ID during IKE negotiation to complete authentication. In this way, each branch can use a different ID and pre-shared key.
• Added the static RRI function for IPSec policies configured in IKE mode. In the IPSec point-to-multipoint scenario, after static RRI is enabled at the branch office, routes destined for the private network of the headquarters are generated automatically.
• Changed the default value of the traffic volume-based lifetime of IPSec SAs from 1843200 KB to 200000000 KB.
SSL VPN
• Added support for Windows 8.1 and Windows 2012 in the host check function.
• Added an OS login password check to the host check function. The NGFW checks whether the terminal has set a login password. If not, the terminal fails the rule check.
• Added settings for the SSL version, cipher suite, and the timeout duration and life cycle of SSL session entries on the web UI.
Security Protection
• Ping Proxy: Added the ping proxy function. The NGFW can respond to massive numbers of ping requests on behalf of the server to ease the load on the server.
Monitoring
• System Statistics: Supported the display of incremental system statistics.
Hardware
• The AC power module of the USG6680 was increased from 350 W to 700 W, which greatly improves the power load capability for interface expansion.
• The 1 U devices (USG6306/6308/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570/6620/6630) and 3 U devices (USG6650/6660/6670/6680) can be mounted in a 19-inch standard cabinet using adjustable guide rails.
System
• Administrators: When administrator accounts and passwords are stored not on the NGFW but on a third-party authentication server, the NGFW uses domain authentication to authenticate these administrators. After they are authenticated, they can manage the NGFW with the permissions that the authentication server specifies.
• Log output: Added the function of sending the syslogs of a specified module to a specified log server, enhancing log storage flexibility.
• Log output: Added the function of sending session logs in syslog format to a syslog server. When both a syslog server and a binary log server are specified on the NGFW, session logs are sent in binary and syslog formats to the respective log servers.
• Upgrade through USB: Added automatic upgrade through USB. Administrators no longer need to repeatedly run the upgrade command on each NGFW to upgrade one or more NGFWs. Using USB simplifies the upgrade process and improves the efficiency of NGFW version upgrades.
• System upgrade: Added SSL VPN client patch loading to the NGFW. By loading client patch files on the NGFW, you can update SSL VPN client components such as the separate client installation package, the client management program installation package, the client Internet Explorer control, and the client certificate filtering plug-in. When an updated client accesses the virtual gateway, the virtual gateway automatically updates the components installed on the client.
High Availability
• Hot standby: Added automatic configuration consistency checks between the active and standby devices, with logging of the check results.
Virtual System
• Added Security Group to the resource items that the root system administrator allocates to each virtual system. Limiting the number of security groups of each virtual system prevents a virtual system from preempting too many resources from other virtual systems.
• The NGFW identifies the administrators of different authentication domains and virtual systems based on whether the accounts they use to log in to the NGFW carry an @ sign. To distinguish authentication domains from virtual systems, the NGFW treats an account with one @ sign as the administrator of an authentication domain, and an account with two @ signs as the administrator of a virtual system. For example, username@domainname@@vsysname stands for user username, authenticated by the domainname domain, in virtual system vsysname. Therefore, when you create a virtual system administrator, the administrator@virtual system name format is changed to the administrator@@virtual system name format.
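As an added example (not Huawei's code), a parser for this account-name rule: it matches the "@@" separator before the single "@", so a domain name is never mistaken for a virtual-system name, and it rejects ambiguous names instead of quietly mapping them onto the root system. The AdminLogin type and the function names are my own assumptions.

```python
"""Parse NGFW administrator login names of the form
user, user@domain, user@@vsys or user@domain@@vsys (release-note rule).
Added example; not part of the Huawei product code."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AdminLogin:
    username: str
    domain: Optional[str]  # authentication domain, None means local authentication
    vsys: Optional[str]    # virtual system, None means the root system


def parse_admin_login(account: str) -> AdminLogin:
    """Split an administrator account name into user, domain and virtual system.

    '@@' is matched first (it is the stronger separator), then a single '@'
    inside the remaining head. Anything that leaves an empty component or a
    stray '@' raises ValueError rather than being interpreted as a root-system
    administrator, which is the safer failure for an access-control decision.
    """
    if not account or account.isspace():
        raise ValueError("empty account name")

    vsys: Optional[str] = None
    head = account
    if "@@" in account:
        head, _, vsys = account.partition("@@")
        if not vsys or "@" in vsys:
            raise ValueError(f"malformed virtual-system name in {account!r}")

    domain: Optional[str] = None
    user = head
    if "@" in head:
        user, _, domain = head.partition("@")
        if not domain or "@" in domain:
            raise ValueError(f"malformed authentication domain in {account!r}")

    if not user:
        raise ValueError(f"missing username in {account!r}")
    return AdminLogin(user, domain, vsys)


def is_vsys_admin(account: str) -> bool:
    """True when the account belongs to a virtual-system administrator."""
    return parse_admin_login(account).vsys is not None


def vsys_admin_account(user: str, vsys: str, domain: Optional[str] = None) -> str:
    """Build the new-style name (user[@domain]@@vsys) from validated parts."""
    for label, part in (("user", user), ("vsys", vsys), ("domain", domain)):
        if part is not None and (not part or "@" in part):
            raise ValueError(f"invalid {label} component {part!r}")
    head = user if domain is None else f"{user}@{domain}"
    return f"{head}@@{vsys}"


if __name__ == "__main__":
    # Constructed sample names, not taken from a real device.
    for name in ("admin", "admin@corp", "admin@@vsys1", "username@domainname@@vsysname"):
        print(name, "->", parse_admin_login(name))
```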
Networks
• Interface: Added virtual MAC enabling for subinterfaces. You no longer need to manually disable and enable subinterfaces when the MAC address tables of the upstream and downstream switches are not refreshed after an active/standby switchover.
• DNS: Added the function of specifying source addresses for DNS query packets. When the NGFW initiates a DNS request to the DNS server, the NGFW can set the source address or port of the DNS packet to prevent the DNS server from failing to respond to the query because of a route lookup failure.
• ARP: Added inner-VLAN proxy ARP to enable isolated PCs or routers in one VLAN to communicate.
Proxy Policy
Expanded SSL decryption policies into proxy policies. Proxy policies support the functions of the existing SSL decryption policies through policy actions and add the TCP proxy function.
• When the policy action is SSL decryption, the NGFW decrypts the SSL traffic that matches the policy and performs content security checks and audit on the decrypted traffic.
• When the policy action is TCP proxy, the NGFW acts as a TCP proxy for the traffic that matches the policy. The NGFW isolates the networks on both sides at the TCP layer and blocks direct access between them, which effectively blocks illegitimate access and malicious attacks.
• When the policy action is no proxy, the NGFW neither acts as a TCP proxy nor decrypts the traffic.
PBR
Added support for configuring a domain group as the matching condition in a PBR rule.
Bandwidth Management
• Added a command to set the maximum number of upstream, downstream, and total connections.
• Added the dynamic equal distribution of bandwidth to each IP address based on the global maximum bandwidth and the number of online IP addresses.
VPN
• IPSec: An IKE or template security policy group can be applied to two interfaces that have routes with different priorities. Only one interface at a time can establish an IPSec tunnel with the peer; otherwise, services may fail.
• IPSec: Added the function of copying IPSec policies on the web UI. You can copy an IPSec policy and change its name, local port, peer address, local address, and the data flow to be encrypted, which simplifies policy configuration and improves usability.
SSL VPN
• Added support for Internet Explorer 10/11 in SSL VPN.
• Added support for TLS 1.1 and TLS 1.2 in SSL VPN.
• Added support for running SSL VPN in 64-bit Internet Explorer.
Security Protection
• IP-MAC binding: Added support for IP-MAC binding checks on only those packets that match a given ACL and are permitted by it. This function can be configured only on the CLI.
Monitoring
• Audit logs: You can obtain information about bank reminder behaviors from audit logs.
• Quintuple packet capture: Added the function of exporting quintuple packet capture contents in CSV format to an administrator PC.
Network
The root system supports a maximum of 100 security zones, up from the previous maximum of 32.
SSL Decryption
Added the SSL certificate whitelist function.
• Added the function of importing the organizational structure of new TSM SSO users from a server to the NGFW.
• Added the function of preferentially using the server organizational structure for policy management when new TSM SSO users are temporary.
Hardware
Based on V100R001C20, V100R001C20SPC100 provides the following hardware model extensions:
• Added the desktop USG6310.
• Added the 1 U models of the USG6330, USG6350, USG6360, USG6530, USG6620, and USG6630.
Refer to hardware for more details on the hardware models of V100R001C20SPC100.
System
• Added SecurID two-factor authentication of administrators. The password consists of a static PIN code and a dynamic Token serial number.
• Deleted the original license deactivation function. Before you update a license file, run the license revoke command to restore the original license file to the trial use state and obtain a revoke code. Then use the revoke code to apply for a new license.
• Deleted intranet update from signature database upgrade and added signature database upgrade through a proxy server.
Network
• Added interface off-line detection configuration on the interface configuration page of the web UI. After you enable off-line detection mode, the NGFW performs content security checks on the packets received from the interface and discards the packets after checking.
• Added the function of creating Tunnel interfaces that use IPSec for encapsulation on the interface configuration page of the web UI to implement IPSec tunneling.
• Added the DNS transparent proxy function. On a multi-ISP network, the NGFW changes the destination addresses of DNS requests and forwards the DNS requests to different ISPs to implement traffic load balancing.
• Added the smart DNS function. When an enterprise deploys a server for external users to access and the DNS server is also deployed on the intranet, the NGFW modifies the DNS reply packets so that the users of each ISP receive the corresponding ISP address.
SSL Decryption
Added SSL decryption policies to decrypt the SSL traffic that matches a specific decryption policy and perform content security checks on the decrypted traffic. The NGFW supports content security checks only for HTTPS.
Bandwidth Management
• Expanded the levels of hierarchical policies from 2 to 4.
• Added per-IP and per-user guaranteed bandwidth.
• Added the dynamic even allocation of bandwidth to each IP address based on the global guaranteed bandwidth and the number of online IP addresses.
• Moved the web UI for configuring interface bandwidth to Network > Interface, which is more intuitive.
SSL VPN
• Added the port forwarding, file sharing, and terminal security functions.
• Changed group-specific permission control to role-based permission control: users/groups are added to roles, and accessible resources are associated with the roles.
Security Protection
Added the IDS interworking function. The IDS device notifies the NGFW to block any detected intrusion behaviors.
Added the ATIC interworking function. After detecting a DDoS attack, the NGFW reports traffic anomaly logs to the ATIC server.
Monitoring
Added traffic policy-specific reports to the traffic reports to guide administrators through traffic policy optimization.
System
Added the agile network function. The NGFW connects to the Controller and applies the configurations delivered by the Controller.
Virtual System
• Added New Session Rate to the resource items that the root system administrator allocates to each virtual system. The new session rate is the number of new sessions a virtual system can create in one second. Limiting the new session rate of each virtual system prevents a virtual system from preempting too many resources from other virtual systems.
Object
• Domain group: A domain group is a collection of domain names. Currently, domain groups are used only as matching conditions of traffic policies.
• Schedule: A schedule can be accurate to the second.
Bandwidth Management
• Added the domain group object as a matching condition of traffic policies. After you configure domain groups, the NGFW can limit the bandwidth of traffic from or to the IP addresses that correspond to the domain names in the domain group.
Security Protection
• Attack defense: Added traffic limiting for the defense against UDP flood attacks. The NGFW uses traffic limiting to keep the UDP packets to the same destination address within a threshold. It directly discards excess UDP packets to avoid network congestion.
• Attack defense: Added advanced source detection for the defense against HTTP flood attacks. After advanced source detection HTTP flood attack defense is enabled, users are prompted to enter verification codes when they use browsers to access HTTP resources. Bots cannot enter verification codes, so advanced source detection is more effective in attack defense than the basic mode. However, users must enter the verification codes manually, which affects their Internet access experience.
• Attack defense: Added the illegitimate access attack defense function. If a packet matches the security policy but is blocked by the content security check, the packet is considered an illegitimate access attack. When the number of illegitimate access packets from a specific source IP address reaches the threshold within a period of time, the NGFW blocks the packets and blacklists the IP address. All subsequent packets from this IP address are discarded, which improves the security defense effect and the performance of the intelligent awareness engine.
• Blacklist: Added the Illegitimate Access attack type to the dynamic blacklist.
Monitoring
• Session table: Added support for checking and clearing the session table by session ID or security policy.
Hardware
Based on V100R001C00, V100R001C10 provides the following hardware model extensions:
Refer to 1.9.1 Hardware for more details on the hardware models of V100R001C10.
System
l For hard disk-supported models, an alarm threshold can be newly set for log storage, which
means an alarm log will be generated upon a log storage excess.
l For hard disk-supported models, the way of processing logs upon full storage can be newly
configured so that the logs are overwritten (default) or discarded.
l Across-Layer-3 MAC address identification is newly supported. When a Layer-3 network
device is between the NGFW and intranet PCs, the NGFW can still learn the MAC address
of the intranet PCs, which enable the NGFW to identify network traffic of users control
network behaviors and permissions by MAC addresses.
High availability
l Hot standby: Hot standby for IPv6 is newly provided; hot standby is newly supported for
DHCP servers and DHCP relays.
l IP-Link: IP-Link for IPv6 is newly provided.
Virtual System
l A virtual system administrator can newly log in to the CLI by means of Telnet and STelnet.
V100R001C00 allows only login on the Web UI.
l Certain functions can be newly virtualized, including user and authentication, bandwidth
policy, audit policy, policy-based routing (PBR), application and application group, region
and region group, SSL VPN, IP-Link, IP-MAC binding, blacklist, DHCP, and content
security. Refer to 7.9.2 Function Availability for Virtual Systems for the functions
supported by virtual systems.
Network
l Sub-interface: Layer 2 Ethernet sub-interfaces and Eth-Trunk sub-interfaces are newly
supported.
l Layer 2 interface pair: Layer 2 interface pairs are newly supported and each pair has two
Layer 2 interfaces. Packets come in from one interface and go out from the paired one,
without the need to search the MAC forwarding table. Interface pairs are mainly used for
connecting NGFW modules and switches through Layer 2 interfaces.
Object
l Region and region group: This feature is newly provided to combine IP addresses by
location. Region and region groups are used to control policies and view log reports by
location.
Security policies, audit policies, bandwidth policies, and authentication policies can be
configured by location.
l Certificate: Users can online apply for certificates on the Web UI. V100R001C00 allows
only offline certification application on the Web UI.
l File blocking: Filtering by encrypted file types like DOC_ENC and PPT_ENC is newly
provided.
l IPv6 content security: Content security detection is newly provided for IPv6 traffic.
Audit policy
Auditing on QQ login/logout events is newly provided.
VPN
l IPSec
– IPSec is newly applicable in load balancing of hot standby. V100R001C00 allows IPSec
only in backup of hot standby.
– IPSec is newly applicable to IPv6 networks.
– IPSec is newly applicable to IPv6 over IPv4 and IPv4 over IPv6.
– RSA digital envelop authentication (rsa-de) is newly provided for authentication-
method of the IKE security proposal.
– Several encryption and authentication algorithms, instead of one, can be newly selected.
When several encryption and authentication algorithms are selected, the system
automatically negotiates with the peer to select one. The SHA2 authentication algorithm
is newly provided. Refer to 20.2 IPSec for details.
– Three new groups are added for DH Group of the IKE security proposal and PFS of the
IPSec security policies, that is, group14, group15, and group16.
– The IPSec configuration process is optimized to simplify configurations by the system
administrator.
– The IPSec configuration Web UI is re-designed. On the new Web UI, IPSec can be
configured for point-to-point or point-to-multipoint application, and the auto-
negotiation function is provided to simplify configurations.
– A new IKEv1 exchange mode, auto, is provided for IKE peers in
exchange-mode { main | aggressive | auto }. When the device acts as the initiator,
it uses main mode; when the device acts as the responder, it accepts both main and
aggressive modes.
– A new packet encapsulation mode, auto, is provided for the IPSec security proposal in
encapsulation-mode { transport | tunnel | auto }. When the device acts as the initiator,
it uses tunnel mode; when the device acts as the responder, it accepts both transport
and tunnel modes.
– When IPSec security policies are configured using a template, the reverse-route
enable function is newly available, which generates static routes leading to branch
nodes on the HQ device.
– When IPSec security policies are configured using a template, the security acl
public-ip-transparent function is newly available, which eliminates the need to
specify data flows to be protected.
l DSVPN
Dynamic smart virtual private network (DSVPN) is newly provided to dynamically create
tunnels between branch nodes. Without DSVPN, traffic between branch nodes has to be
relayed through the HQ.
l SSL VPN
– An SSL VPN configuration wizard is provided on the Web UI to simplify configurations
by the system administrator.
– Several virtual gateways, instead of one, are newly supported. Services are independent
among the virtual gateways.
– An independent network extension client is newly provided: terminal users install a VPN
Agent to access the intranet without any configuration. Terminal users log in on the
virtual gateway UI, then download and install the client.
– The virtual gateway UI can be newly customized for terminal users, addressing
individual needs.
IPv6
Hot standby, IP-Link, IPSec, and content security are newly applicable to IPv6.
Monitoring
l Log report
– Email subscription to reports is newly provided.
– File blocking and data filtering reports are newly provided.
– More report types are provided for customizing reports.
l Traffic and threat map
Traffic and threat maps are newly provided to display global distribution of traffic and
threats, according to which the system administrator can take control measures.
l System diagnosis
Packet capture and discarded packet statistics based on quintuple (source and destination
IP addresses, source and destination port numbers, and protocol number) are newly
provided on the Web UI.
l Session table
Session tables can be newly viewed by source and destination security zones.
l Traffic statistics
The display all-traffic function is newly provided to display the total traffic at all physical
interfaces from system startup, or from the last clearing of the statistics, until the time the
statistics are displayed.
1.9.1 Hardware
Version | USG6000 Series | NGFW Module
1.9.2 System
[The feature availability tables in sections 1.9.2 through 1.9.20 did not survive extraction: only the table titles and the model column headers remain, and the per-feature rows are lost. Every table has the columns Feature | USG6310, USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module. In the Blacklist, IP-MAC Binding, URPF and GTP tables the first model column starts at USG6320 and does not list USG6310. The surviving table titles are listed under each section.]
Tables: Device Management, System Time, License Management, SNMP/LLDP, Mail Service, File System, Update Center, NQA, PMTU, NetStream, IP-link, BFD
a: The NGFW module supports redirecting to its console port through a switch. (footnote to the NGFW Module column of the Device Management table)
File System table, surviving row: EUSB | No | No | No | Yes
NOTE
Refer to 7.9.2 Function Availability for Virtual Systems for the list of virtual system functions.
1.9.5 Networks
Tables: Interface, Security Zone, DNS, DHCP, DHCP Snooping, Link Aggregation, PPP, PPPoE, ARP, VLAN, IP Performance
1.9.7 Router
Tables: Authentication Server
1.9.9 Object
Tables: Domain Group, Schedule, Certificate, ACL
Tables: Security Policy, Antivirus, Intrusion Prevention, URL Filtering, File Blocking, Data Filtering, Mail Filtering
1.9.14 PBR
1.9.17 VPN
Tables: IPSec, L2TP, GRE, DSVPN, BGP/MPLS IP VPN
Tables: User Authentication, Attack Defense, Anti-DDoS
Other
Tables: Ping Proxy, Blacklist, IP-MAC Binding, URPF, GTP
1.9.20 IP Multicast
Tables: Log Report, Map, System Statistics, System Diagnosis
2 Getting Started
As network security devices, traditional firewalls are usually deployed at network borders. These
firewalls use the following mechanisms to filter and forward packets:
l Determine the services of packets based on the protocol and source or destination port. For
example, the service of the TCP packet that uses port 21 is FTP service, and that of the
TCP packet that uses port 80 is HTTP service. Traditional firewalls control packets by port
to enable or disable certain network services.
l Check the validity of packets based on the IP addresses to determine whether to forward
or drop the packets.
l Use the 5-tuple (source and destination IP addresses, source and destination ports, and
protocol) to define a data flow. Deeming that all packets of a data flow have the same
security level, a traditional firewall checks the validity of only the first packet of a data
flow. If the first packet passes the validity check, the firewall establishes a session and
forwards the subsequent packets based on the session.
However, traditional firewalls are no longer capable of resolving the following problems that
emerge on networks.
l Port-based service control cannot:
– Control illegitimate online behaviors carried out under the cover of a legitimate service. For
example, an attacker exploits the vulnerabilities of a web browser to break into a computer
over ordinary HTTP traffic.
l IP-based traffic control cannot:
– Defend networks against distributed denial of service (DDoS) attacks that are launched
using zombie hosts.
– Prevent network spoofing and permission interception carried out by forging source IP
addresses.
– Control the permissions of users who use varied IP addresses, such as mobile workers
and teleworkers.
l Flow-based validity check on the first packet cannot:
– Continuously protect the network, for example, by blocking the worms, viruses, or
Trojan horses that are unintentionally downloaded during network access.
– Detect and manage application-layer protocols, for example, by controlling file transfer
to prevent information leaks.
Overview
To help enterprises tackle security problems that emerge during network development, Huawei
launches the next generation firewall, the USG6000 series (NGFW for short).
On current networks, a port and protocol no longer identify an application. Catering to this
trend, Huawei NGFW implements in-depth detection of applications and content to provide
enhanced security defense capabilities. Even when the first packet of a flow is secure, subsequent
packets may not be. To resolve this problem and improve detection efficiency, the NGFW provides
the one-time scanning and real-time detection mechanisms.
l In one-time scanning, the NGFW uses Intelligent Awareness Engine (IAE) for all security
functions to scan the packets once and extract all necessary data, including the application,
content, and potential threats contained in the traffic. Even with all security functions
enabled, the device performance will not deteriorate significantly.
l In real-time detection, the NGFW uses high-performance Intelligent Awareness Engine
(IAE) to inspect all data packets in real time. The NGFW constantly discovers and blocks
risks to secure the network.
The NGFW identifies thousands of applications and defends networks against application-layer
network intrusions, worms, viruses, Trojan horses, and other attacks. The NGFW uses only one
policy to implement all security functions on every data flow. You can reference the following
security profiles in a security policy.
Security Profile | Description
Antivirus: The NGFW scans files transmitted over the network for viruses and generates alarms or blocks the virus-infected files based on the action specified in the antivirus profile.
Intrusion Prevention: The NGFW monitors or analyzes system events to detect and take specific actions on intrusions in real time.
URL Filtering: The NGFW controls access to URLs to regulate users' online behaviors.
Data Filtering: The NGFW blocks the traffic that contains sensitive and confidential information to prevent information leaks and disclosure.
File Blocking: The NGFW blocks the specified types of files to prevent information leaks and reduce the risk of malicious code execution and virus infection over an intranet.
Application Behavior Control: The NGFW controls common HTTP and FTP behaviors, such as HTTP or FTP file upload and download, HTTP POST, web browsing, and Internet access using an HTTP proxy.
Mail Filtering: The NGFW filters spam mail, and filters emails based on the addresses of the email senders and receivers, as well as the size and number of email attachments.
For existing networks, traffic control by IP address alone is not accurate. To accurately control
traffic, the NGFW provides authentication management over users and uses the 7-tuple-based
security policies. (7-tuple refers to the source and destination IP addresses, source and destination
ports, service, application, and user.)
l A single NGFW provides sufficient firewall functionality for you to create, manage, and
authenticate intranet users and implement permission control and security checks. If an
intranet already has a user management system, such as an Active Directory (AD) server,
RADIUS server, HWTACACS server, LDAP server, or SecurID server, the NGFW can
synchronize user information from that system. The NGFW can also synchronize users'
online information with an AD, LDAP, or TSM server in real time. For details on user
authentication, see 2.1.3 User.
l With its user management and application identification capabilities, the NGFW uses
7-tuple-based security policies to implement packet filtering and content security monitoring
on specific traffic of specific users, which helps enterprises adapt to changing networks
and meet the requirements of networks with varied IP addresses, such as mobile office
networks. For details on security policies, see 2.1.4 Policy.
How to Deploy the Next Generation Firewall Using the Administrator Guide
For optimum understanding, read this Administrator Guide in the order illustrated in the
following figure, which is also the order to deploy the NGFW.
2.1.3 User
The concept of user has been introduced into the next generation firewall, which implements
traffic security defense and traffic management by user to improve the flexibility and accuracy
of security functions.
l Because employees and network devices change frequently, using static IP addresses
compromises management efficiency. Using IP addresses that are dynamically assigned
through DHCP resolves this problem, but then there is no fixed mapping between
employees and IP addresses, so traffic cannot be controlled based on IP addresses.
l Mobile working and teleworking have become popular. In such cases, IP addresses of
employees become random.
l Network applications, such as the remote desktop, require a network device to implement
different security policies. For example, on a public server, different security policies must
be applied to grant different permissions to employees A and B for them to access the
enterprise server.
Because of these limitations, employees are required to enter their user names and passwords to
log in to a network device. After they are authenticated, they are granted network permissions
based on their user groups. This has become a common way for enterprises to manage their
networks.
a host and is authenticated, the NGFW deems the traffic from and to the host to belong to
that employee.
Usually, all members of a department or team have the same network access permissions.
You can create user groups and grant network permissions based on user groups for user
management efficiency.
Sometimes, one user belongs to multiple teams. On the NGFW, you can add a user to a
maximum of three user groups. In the Figure 2-1 example, employee C belongs to product
teams 1 and 2.
l Parent group and child group
An enterprise usually has a hierarchical organizational structure, and a department has
multiple subordinate entities. To ensure that subordinates have the basic network access
permissions of the department, the NGFW supports user group embedding. The subordinate
user group is called a child group, and the user group that contains a child group is called
a parent group. Parent and child groups are relative concepts. In Figure 2-1, the /default
group is the parent group of the marketing department and R&D department, and the R&D
department is a child group of the /default group. The R&D department is also the parent
group of product teams 1 and 2.
When you configure users and user groups on the NGFW, the NGFW can grant network access
permissions to a host based on a user or its user group. A certain policy is applied on the user
and user group to grant permission.
The following table describes the phases and schemes of user-based authentication and
permission control shown in Figure 2-2.
Phase one: A user enters his or her user name and password.
The user enters the user name and password. The NGFW compares the user name and password with the records on the NGFW.
– Scheme A-1: If the user connects directly to the intranet, the NGFW uses single sign-on (SSO) and the active directory (AD) or TSM server to synchronize user information.
Description: If an AD or TSM server has been deployed on the intranet to authenticate users, users must enter their user names and passwords to log in to the Windows system or TSM client. You can enable SSO on the NGFW for the system to use the information about these users.
– Scheme A-2: Push a Web login page.
Description: The user connects directly to the intranet but SSO is not used. When the user accesses a web page for the first time, the NGFW pushes a Web login page, requiring the user to enter a user name and password.
– Scheme B: The NGFW uses the user information provided in SSL VPN.
Description: The user enters a user name and password on the virtual gateway page to access the intranet through SSL VPN. The NGFW can use the user information directly.
– Scheme C-1: The NGFW uses the user information provided in L2TP VPN.
Description: The user enters a user name and password to connect to the intranet through L2TP VPN. The NGFW can use the user information directly.
Phase two: The NGFW verifies user information.
The NGFW verifies the obtained user information to determine whether the user is legitimate and whether to allow the user to access the intranet.
– Scheme A: AD or TSM synchronization: synchronizes user information with the AD or TSM server in real time.
Description: If you use scheme A-1 in phase one and the user is authenticated using the AD or TSM server, the NGFW can synchronize the authentication result from the AD or TSM server. No further authentication is required.
– Scheme B: Local authentication: The NGFW compares user information with records on the NGFW.
Description: You can create users and save their information to the local database. After a user enters user information, the NGFW compares the information with the records in the database.
Phase three: The NGFW allows the user to access the network and applies policies on subsequent traffic.
A user that provides correct login information is legitimate and is granted network access permission. You can configure different policies for users and user groups to control the accessible network resources, security measures to take, and bandwidths. The schemes below list the user-based policies. For details on these policies, see 2.1.4 Policy.
– Scheme A: Security policy
Description: Security policies control network access permissions of users and secure their network access. You can apply security policies to control resources, such as IP addresses, ports, and applications accessible to a user, as well as to detect and protect the user's network traffic.
– Scheme B: Traffic policy
Description: Traffic policies control users' network bandwidths and the number of connections. You can allocate bandwidth and control the number of connections by user level to avoid network congestion and ensure positive user experience on the network.
– Scheme C: Policy-based routing (PBR)
Description: PBR specifies the interface that forwards user traffic. You can enable PBR for the traffic of a specified user to flow to a specified network. PBR takes priority over the routing table.
– Scheme D: Audit policy
Description: Audit policies are used for the NGFW to audit users' online behaviors. You can apply audit policies according to the local laws and regulations or the regulations of your company to record network behaviors. For details on user privacy declaration, see About This Document.
Figure 2-3 shows the process for authenticating users based on the authentication policy and
authentication domain.
[Figure 2-3 not reproduced. Labels in the figure: Internet access user; Trigger for user authentication; Authentication domain; Authentication server (Local, RADIUS server, HWTACACS server, AD server, LDAP server, SecurID server); Secondary authentication? Yes / No; Authentication complete.]
2.1.4 Policy
As an important configuration item for the next generation firewall, a policy maps the traffic
matching conditions with the actions to take for the matched traffic, which facilitates device
configuration and management.
Overview
The NGFW supports the policies listed in the following table.
Policy | Description
Security policy: Security policies control the accessible resources, such as IP addresses, ports, and applications for users or hosts as well as detect and protect the network traffic. After you classify network traffic in security policies once, you can enable different security functions for each traffic class to simplify the configuration.
NAT policy: NAT policies translate the source IP addresses or ports and destination IP addresses or ports according to certain rules to alleviate the lack of IPv4 addresses.
Policy-based routing (PBR): PBR enables the traffic of a specific user to flow to a specific network. PBR takes priority over the routing table and provides guidance for accurate traffic forwarding.
Traffic policy: Traffic policies control bandwidths for a network or host. You can allocate bandwidths and control the connection numbers of different traffic to avoid network congestion and ensure positive user experience.
Quota control policy: Quota control policies control the Internet access traffic and duration of users to prevent bandwidth abuse and productivity reduction arising from long Internet access duration.
Proxy policy: The NGFW supports TCP and SSL proxy functions. When the action of a proxy policy is set to TCP proxy, the NGFW will implement TCP proxy for the traffic matching the policy. If the action of a proxy policy is set to SSL decryption, the NGFW will implement SSL proxy for the traffic matching the policy and then decrypt the SSL traffic.
Audit policy: Audit policies monitor users' online behaviors. You can apply audit policies according to local laws and regulations or your company regulations to record users' online behaviors.
A policy contains multiple rules. Each rule contains multiple data items that are classified as
condition, action, or option. The following figure uses the security policy as an example.
Figure (not reproduced): structure of a security policy. Policy A contains rule1, rule2, and so
on. Each rule has Condition items (source zone, destination zone, source address, destination
address, user, application, service, schedule), an Action, and Options (content security profile,
enable the log function).
l Condition
Conditions are used to filter packets. For example, source IP addresses or destination IP
addresses of packets, users who send packets, and applications of the packets can all be
specified as conditions. A packet matches a rule only when the packet matches all
conditions in the rule. Then the NGFW processes the packet based on the action or option
specified in the rule.
Items in a condition are existing data objects on the NGFW. You can define objects, such
as IP address ranges, users, and applications in advance on the NGFW and reference them
in policies to avoid duplicate configurations.
You can specify multiple objects for each condition.
NOTE
The items specified in a condition are logically ANDed. A packet matches a rule only when the packet
attributes match all items in the rule. The objects specified for one item in a condition are logically
ORed. A packet attribute matches the item as long as the packet attribute matches one object. For
example, three IP address ranges are defined in advance as objects A, B, and C. If A, B, and C are
applied to item source IP address in a condition, a packet matches the condition as long as the source
IP address of the packet matches any address among A, B, and C.
l Action
The NGFW takes an action on the packets that match the conditions. The action can be
allow, block, or content security checks. Actions vary with policies.
l Option
You can configure additional options for a rule, such as whether to enable the log function
and whether to apply this rule.
If a policy contains multiple rules, packets are matched to the rules in the list from top to bottom
on the Web UI. If the packets match all conditions of a rule, the NGFW implements the rule's
action and option on the packets. To make packet matching more efficient and precise, configure
policy rules from the most specific to the most general.
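The matching semantics described above (items in a condition ANDed, objects within one item ORed, rules tried top to bottom with the first full match winning, and the effect of ordering specific rules before general ones) as an added Python model. This is illustration code, not the NGFW's implementation; the address objects, zones, rules, and packets in it are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Address objects defined in advance (constructed sample data); a policy item
# references them by name, and each object is a list of IP ranges.
ADDRESS_OBJECTS: Dict[str, List[str]] = {
    "A": ["10.1.0.0/24"],
    "B": ["10.1.1.0/24"],
    "C": ["10.1.2.0/24"],
    "dmz_servers": ["10.2.0.0/24"],
    "finance_server": ["10.2.0.10/32"],
}


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str        # constructed notation, e.g. "tcp/443"
    user: str = ""


@dataclass
class Rule:
    name: str
    action: str         # "permit" or "deny"
    # Each condition item lists the objects it references; an empty list means
    # the item is not configured and matches anything.
    src_zone: List[str] = field(default_factory=list)
    dst_zone: List[str] = field(default_factory=list)
    src_addr: List[str] = field(default_factory=list)
    dst_addr: List[str] = field(default_factory=list)
    service: List[str] = field(default_factory=list)
    user: List[str] = field(default_factory=list)
    enabled: bool = True   # the "apply this rule" option


def addr_matches(addr: str, objects: List[str]) -> bool:
    """Objects within one item are ORed: any referenced range matching is enough."""
    ip = ip_address(addr)
    return not objects or any(
        ip in ip_network(cidr) for name in objects for cidr in ADDRESS_OBJECTS[name]
    )


def value_matches(value: str, objects: List[str]) -> bool:
    """Same OR semantics for zone, service and user items."""
    return not objects or value in objects


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Items within a condition are ANDed: every configured item must match."""
    return rule.enabled and all([
        value_matches(pkt.src_zone, rule.src_zone),
        value_matches(pkt.dst_zone, rule.dst_zone),
        addr_matches(pkt.src, rule.src_addr),
        addr_matches(pkt.dst, rule.dst_addr),
        value_matches(pkt.service, rule.service),
        value_matches(pkt.user, rule.user),
    ])


def match_policy(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Rules are evaluated top to bottom; the first complete match wins."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule
    return None


def decide(rules: List[Rule], pkt: Packet) -> str:
    """Action applied to the packet; no match falls through to a default deny."""
    rule = match_policy(rules, pkt)
    return rule.action if rule else "deny"


# Constructed rules: a specific block for one server and a general permit for
# the rest of the DMZ, both for intranet sources A, B and C.
BLOCK_FINANCE = Rule("block_finance", "deny", src_zone=["trust"], dst_zone=["dmz"],
                     src_addr=["A", "B", "C"], dst_addr=["finance_server"])
TRUST_TO_DMZ = Rule("trust_to_dmz", "permit", src_zone=["trust"], dst_zone=["dmz"],
                    src_addr=["A", "B", "C"], dst_addr=["dmz_servers"], service=["tcp/443"])
SPECIFIC_FIRST = [BLOCK_FINANCE, TRUST_TO_DMZ]   # recommended ordering
GENERAL_FIRST = [TRUST_TO_DMZ, BLOCK_FINANCE]    # the specific rule is shadowed

# Constructed packets: from object B to the finance server, from object C to
# another DMZ server, and from an address that belongs to no object.
P_FINANCE = Packet("trust", "dmz", "10.1.1.5", "10.2.0.10", "tcp/443")
P_WEB = Packet("trust", "dmz", "10.1.2.7", "10.2.0.20", "tcp/443")
P_UNKNOWN = Packet("trust", "dmz", "10.1.9.9", "10.2.0.20", "tcp/443")
```

With the general permit placed first, the finance-server block is never reached, which is the shadowing the ordering advice above avoids.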
Object
An object is a set of data items that are defined in advance and can be referenced in policies or
features. You can define objects in a centralized data plan to simplify configurations.
The following table lists the most common and most important objects used on the NGFW.
Object            Description
Schedule          A schedule object is a set of time ranges. It controls the valid time
                  ranges of a policy or feature, so the NGFW can apply different policies
                  at different times. There are two types of schedule object:
                  l Periodic schedule: specifies a fixed time range within a week that
                    repeats in one-week intervals. You can configure periodic schedules
                    for policies that take effect periodically, such as policies that take
                    effect on work days or non-work days.
                  l One-time schedule: specifies a single time range with specific start
                    and end times. You can configure one-time schedules for policies that
                    take effect temporarily or at a specified time, such as a policy that
                    takes effect on holidays.
Security profile  A security profile is a special object for security policies. It is a
                  set of content security check and protection rules. You can use a
                  security profile to define the threats a security function is to
                  identify, as well as the countermeasures. Each security function has its
                  own security profiles. You can configure a security policy and reference
                  multiple security profiles for one traffic flow to implement
                  multi-dimensional content security checks and protection for that flow.
                  For details on security policies and security profiles, see 2.1.2 Next
                  Generation Firewall.
The following figure illustrates the policy execution sequence and packet forwarding process
on the NGFW.
Therefore, when you configure policy-based routing and authentication, security, and bandwidth
management policy rules, you need to specify the pre-source NAT IP address as the source IP
address and the mapped inside IP address of the server as the destination IP address.
For details on the policy execution sequence and packet forwarding process, see 2.1.7.1 Packet
Transfer Process.
Wizards
The system provides the Startup Wizard to guide a beginner through initiating the device quickly
to access the Internet.
With Startup Wizard, you can set the device name, administrator password, system time, Internet
access parameters, and LAN parameters. For details about how to use Startup Wizard, see 3.1
Startup Wizard.
Log                  Description
Traffic log          Records overall network traffic information by user or application,
                     current network bandwidth usage, and effective security policies.
Threat log           Records detection and defense of network threats, such as AV, worms,
                     Trojan horses, spyware, and DDoS attacks.
                     The threat log helps administrators learn about network threat events
                     and adjust security policies or take defensive measures in a timely
                     manner.
URL log              URL logs provide statistics on requested URLs. You can view URL logs to
                     check why access to some URLs is allowed, blocked, or allowed with an
                     alert record.
Content log          Records alarms and blocks related to file blocking, content filtering,
                     and application behavior control, such as alarms generated when
                     intranet users transfer files and send or receive emails, and blocks
                     for denying access to websites.
                     The content log helps administrators learn about content-related
                     activities of intranet users and the causes of alarms and blocks.
Operate log          Records login, logout, and configuration operations performed by all
                     administrators.
                     The operate log helps administrators learn about the system management
                     history.
User activity log    Records user online information, such as the login time, the IP address
                     and MAC address used to log in, and online duration.
                     The user activity log helps administrators learn about online user
                     activities and take action on risky user logins or network access.
Policy matching log  Records the traffic that triggers the policies defined in the system.
                     The policy matching log helps administrators optimize policies and
                     locate faults.
Mail filtering log   Records the protocol types used by users to send and receive emails, the
                     size of a single attachment in an email, the number of attachments in
                     an email, and the reasons why valid emails are blocked.
                     The mail filtering logs help you locate faults in email services.
Audit log            Records the Internet access behaviors defined in audit policies.
Report                  Description
Traffic report          Provides network traffic information based on analysis of the flow
                        log. The flow report helps administrators learn about the current
                        network traffic and make traffic management policies.
Threat report           Provides network threat information based on analysis of the threat
                        log. The threat report offers information about the top threat
                        activities, attackers, and victims and helps administrators take
                        preventive measures.
URL report              Provides information about access to URLs from intranet users based
                        on analysis of the URL log.
                        The URL report helps administrators locate the top users with
                        unauthorized URL access activities and the URLs or sites that are
                        frequently accessed by intranet users. Based on this information,
                        administrators can make URL filtering policies.
File blocking report    Provides information based on analysis of the file blocking report.
                        The file blocking report generates a vivid report with multiple
                        dimensions and helps administrators learn about commonly transferred
                        file types on the network. Based on this information, administrators
                        can make file blocking policies.
Data filtering report   Provides information based on analysis of the data filtering report.
                        The data filtering report generates a vivid report with multiple
                        dimensions and helps administrators learn about commonly used key
                        words in files and applications. Based on this information,
                        administrators can make data filtering policies.
Policy matching report  Provides policy matching information based on analysis of the policy
                        matching log.
                        The policy matching report helps administrators find policy
                        configuration issues and optimize policies in a timely manner.
Visualized Diagnosis
The visualized diagnosis function helps implement quick fault location when a network fault
occurs or the system is not running properly. The visualized diagnosis function incorporates
comprehensive cases for the same type of faults, helping administrators quickly locate the fault
from all possible causes. The visualized diagnosis function also provides diagnosis results and
troubleshooting suggestions.
Diagnosis               Description
Web page diagnosis      The administrator enters the IP address of an intranet terminal and
                        the URL to be accessed. The system simulates an access request, traces
                        the whole access process, and identifies where the access fails.
Packet tracing          The system traces the transmission of packets based on the data flow
                        conditions specified by the administrator and identifies where the
                        transmission fails.
Ping                    The system pings the specified destination IP address based on the
                        ping packet settings and returns the ping result. This diagnosis
                        verifies whether the destination IP address is reachable.
Tracert                 The system pings the routing devices along the route to the specified
                        destination IP address in sequence based on the Tracert settings and
                        returns the ping results. This diagnosis helps determine where a
                        network fault occurs.
Diagnosis info          The system allows administrators to collect various information, such
                        as the clock, version, and configuration information, with a single
                        click. The collected information can be saved as a .txt file,
                        exported, and transferred to technical support engineers for fault
                        diagnosis.
Quintuple packet        The system captures packet header information in specified data flows
capture                 for fault location and analysis, based on the packet capture
                        parameters configured by administrators.
Quintuple packet        The system counts the packets in data flows matching the 5-tuple
discarding statistics   parameters configured by administrators, including the numbers of
                        received and discarded fragments, received and discarded
                        non-fragments, and forwarded packets. This diagnosis locates faults
                        and checks whether the device forwards or discards packets. If the
                        device discards packets, you have to use other methods to further
                        analyze the reason for the discards.
2.1.6 IPv6
Internet Protocol version 6 (IPv6), which resolves problems such as IPv4 running out of
addresses, will be the mainstream Internet protocol used on future networks. This section
describes the issues involved in deploying IPv6 networks and the support for IPv6 offered by
the NGFW.
l With the use of IPv6 addresses, various IP protocols need to be upgraded to ensure
communication between IPv6 hosts and to eliminate the inherent efficiency and security
defects of IPv4 networks.
l Technologies need to be provided to smooth the transition from IPv4 to IPv6. Seamless
transition is required to ensure communication of IPv6 hosts over IPv4 networks or
communication between IPv6 and IPv4 hosts.
The NGFW supports IPv4, IPv6, a series of IPv6-related protocols, and security detection for
IPv6 traffic, which resolves the issues above. The supported IPv6 protocols and functions are as
follows:
l Protocols used to construct IPv6 LANs, such as ICMPv6 (see 8.14.3 Improving IPv6
Performance), DNSv6 (see 8.3 DNS), DHCPv6 (see 8.5 DHCPv6), and PPPoEv6 (see
8.8 PPPoE)
l IPv6 routing protocols, such as IPv6 static routing protocols (see 10.2 IP Static Route),
RIPng (see 10.8 RIPng), OSPFv3 (see 10.9 OSPFv3), BGP4+ (see 10.10 BGP4+), and
PBR (see 17 PBR)
l IPv4-to-IPv6 transition protocols, such as IPv6 over IPv4 (see 24.2 IPv6 over IPv4
Tunnel), IPv4 over IPv6 (see 24.3 IPv4 over IPv6 Tunnel), and NAT64 (see 24.1
NAT64)
l IPv6 network deployment technologies, such as IPv6 hot standby (see 6.1 Hot Standby)
and IPv6 IPSec (see 20.2 IPSec)
l IPv6 common objects, such as the IPv6 address object (see 12.1 Address and Address
Group) and IPv6 ACL (see 12.10 IPv6 ACL)
l Security detection technologies for IPv6 traffic, such as IPv6 traffic application
identification (see 12.5 Application and Application Group), IPv6 security policies and
content security detection (see 13 Security Policy and Content Security), and IPv6 anti-
DDoS (see 22 Security Protection)
l IPv6 bandwidth management (see 18 Bandwidth Management) for IPv6 traffic
management and control
Figure 2-6 (not reproduced): packet transfer process. The figure first asks whether a session
will be established. If no matching session exists, first-packet processing follows (online user
list, policy matching, user redirection, source NAT policy matching, server load balancing,
session establishment). Forwarding then covers the bandwidth policy, security policy processing
(virus prevention, intrusion prevention, URL filtering, file filtering, content filtering,
application activity control), source NAT processing, VPN processing (IPSec, L2TP, GRE, SSL),
the outgoing interface bandwidth threshold, and forwarding the packet.
During the packet transfer process, some fields in a packet need to be changed to implement
certain features. For example, the NGFW changes the source or destination IP address carried
in an IP packet in the network address translation (NAT) process, while in the security policy
matching and routing table query processes, the NGFW selects policies and routes based on
those IP addresses.
Server address mapping is performed before security policy matching and routing table query,
and source NAT is performed after security policy matching and routing table query, as shown
in Figure 2-6. If an Internet user wants to access an intranet server, two NATs are performed
for the access request:
l During server address mapping, the NGFW changes the destination IP address carried in
the packet to the private IP address of the server to be accessed.
l During source NAT, the NGFW changes the source IP address to a private IP address that
belongs to the same network segment as the server.
Then, the NGFW queries the routing table for the route to the next-hop interface based on the
private IP address. When configuring security policies, you must configure the source IP address
as a public IP address for the Internet user and configure the destination IP address as the real
private IP address of the server.
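The ordering described above as an added Python model (not Huawei's code): server address mapping runs before security policy matching and routing, and source NAT runs after them, so a policy written with the server's public address or with the post-NAT source address never matches. The server mapping, routing table, interface names, and addresses are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

Rule = Dict[str, str]   # keys: "src" and "dst" (CIDR), "action"

# Constructed server mapping: public address -> private address of the server.
SERVER_MAP = {"198.51.100.10": "10.2.0.10"}
# Constructed routing table: (prefix, outgoing interface).
ROUTES = [("10.2.0.0/24", "GE1/0/2"), ("0.0.0.0/0", "GE1/0/1")]
# Constructed source NAT: traffic leaving GE1/0/2 is given an address on the
# server's own segment, as the text describes.
SNAT_BY_IFACE = {"GE1/0/2": "10.2.0.254"}


def lookup_route(dst: str) -> str:
    """Longest-prefix match over ROUTES, returning the outgoing interface."""
    ip = ip_address(dst)
    _prefix, iface = max(
        ((p, i) for p, i in ROUTES if ip in ip_network(p)),
        key=lambda entry: ip_network(entry[0]).prefixlen,
    )
    return iface


def first_match(policy: List[Rule], src: str, dst: str) -> Optional[Rule]:
    """Top-to-bottom match on source and destination address."""
    for rule in policy:
        if ip_address(src) in ip_network(rule["src"]) and \
                ip_address(dst) in ip_network(rule["dst"]):
            return rule
    return None


def process(src: str, dst: str, policy: List[Rule]) -> Dict[str, object]:
    """Run one inbound request through the mapping / policy / routing / NAT order."""
    trace: Dict[str, object] = {"original": (src, dst)}
    # 1. Server address mapping (destination translation) comes first.
    dst = SERVER_MAP.get(dst, dst)
    # 2. Security policy matching sees the untranslated source and the
    #    mapped private destination.
    trace["policy_saw"] = (src, dst)
    rule = first_match(policy, src, dst)
    trace["action"] = rule["action"] if rule else "deny"   # default deny
    if trace["action"] != "permit":
        return trace
    # 3. The routing table query also uses the private destination.
    iface = lookup_route(dst)
    trace["egress"] = iface
    # 4. Source NAT runs last, after policy matching and routing.
    src = SNAT_BY_IFACE.get(iface, src)
    trace["forwarded"] = (src, dst)
    return trace


# Constructed policies: the correct one names the Internet user's public source
# and the server's private destination; the other two use addresses that the
# policy match never sees.
POLICY_CORRECT = [{"src": "203.0.113.0/24", "dst": "10.2.0.10/32", "action": "permit"}]
POLICY_PUBLIC_DST = [{"src": "203.0.113.0/24", "dst": "198.51.100.10/32", "action": "permit"}]
POLICY_NATTED_SRC = [{"src": "10.2.0.254/32", "dst": "10.2.0.10/32", "action": "permit"}]
```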
During the packet transfer process, packet processing varies depending on the packet type and
data configuration. Not all packets will be processed in the same way as illustrated in Figure
2-6. The whole process can be divided into three phases:
l If it is a layer 3 interface, the NGFW queries the routing table based on the destination IP
address carried in the packet and determines the next-hop interface. After the packet is
resolved and the header information is removed from the packet, the packet is forwarded
to the next hop for processing.
l If it is a layer 2 interface, the NGFW first determines whether the packet needs to be
forwarded over different VLANs. If the packet does not need to be forwarded over different
VLANs, the NGFW queries the next-hop interface in the MAC address table based on the
destination MAC address carried in the packet. If the packet needs to be forwarded over
different VLANs, the NGFW obtains the VLAN ID and then obtains the sub interface or
VLAN-IF interface based on the VLAN ID. The sub interface or VLAN-IF interface is a
virtual layer 3 interface. Then, the NGFW queries the routing table based on the destination
address carried in the packet and determines the next-hop interface.
After the required information is obtained and the header information is removed from the
packet, the packet is forwarded to the next hop for processing.
Feature                 Description
MAC address filtering   Filters packets based on the source and destination MAC addresses
                        carried in the frame header.
VLAN                    Prevents flooding of Ethernet frames over local area networks (LANs).
IP/MAC address binding  Verifies packets based on the IP address and MAC address carried in
                        packets, filters out invalid packets, and prevents IP spoofing and ARP
                        attacks.
Incoming interface      Discards packets when the bandwidth usage over the interface exceeds
bandwidth threshold     the specified threshold.
Single-packet attack    Performs packet validity and security checks based on the single-packet
defense                 attack defense types after obtaining the packet header information and
                        filters out attack packets.
1. The NGFW triggers the stateful inspection mechanism to verify whether the packet
meets the conditions for establishing a session.
2. If yes, the NGFW obtains information, such as the user and application type of the
flow, which cannot be obtained from the packet header.
NOTE
The information about the user and application type of a flow cannot be obtained by analyzing
a single packet.
To obtain multiple packets of this flow, the NGFW identifies the users who need authentication
but have not logged in based on authentication policies and pushes the authentication page to
the users. If the authentication is successful for a user, the NGFW analyzes the packets sent
from the user and obtains the application type of the flow.
During the analysis process, the NGFW establishes a session with empty application
information based on the first packet. After the analysis is complete, the NGFW updates the
session entries and adds the application type to the packet. After the application type is
determined, the policies matching the flow may change, which in turn affects the further
processing of the packet.
Figure 2-6 shows the basic packet processing sequence and is for reference only.
3. The NGFW queries the routing table based on the destination address carried in the
packet and obtains the next-hop interface information. Then, the NGFW obtains the
destination security zone information based on the next-hop interface information.
4. After obtaining the source and destination address information, the NGFW authenticates
the user.
5. If the authentication is successful, the NGFW searches for security policies based on
the user information and source and destination address information. If a match is
found, the NGFW proceeds according to the matched security policy.
If a session is allowed, the NGFW labels the flow based on the content security profile
associated with the security policy. If a session is not allowed, the NGFW discards
the packet.
6. If the number of sessions does not reach the threshold, the NGFW establishes a session
for this packet. The packet will be processed by the transfer module, and the
subsequent packets of this flow will be processed in a way as described in the Matched
Session Entries Exist section.
l Matched Session Entries Exist
If matched session entries are found, a session will be established for the first packet after
a series of route query and security checks are performed. Subsequent packets that match
the session entries will skip over the process through which the first packet goes. This
mechanism increases the processing efficiency of the NGFW.
The subsequent packets will trigger the update of the online user list to keep the users who
have flows online.
Then, the packets will go through flow-based attack defense and stateful inspection, and
be processed by the transfer module.
A secure first packet does not indicate that subsequent packets are also secure; therefore,
the NGFW performs constant security checks for a flow. During this process, session entries
will be updated if application information is identified, the user goes offline or online,
security risks are detected in content security checks, or system configuration is modified.
Once the session entries are updated, the NGFW rechecks the flow and performs the related
processing. However, only the features that determine how packets are processed are involved
in the recheck, so the recheck is still simpler than the processing of the first packet. In
addition, session entries are not updated frequently. This mechanism ensures constant
protection of flows while avoiding a serious impact on processing efficiency.
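The first-packet versus subsequent-packet split and the recheck on session update, as an added Python example (not the NGFW's code): the first packet takes the full policy path with empty application information and creates a session, later packets hit the session entry, and identifying the application updates the entry and triggers a recheck that may change the stored action. The policy, application names, and 5-tuple are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, str]   # src, dst, sport, dport, protocol


@dataclass
class Rule:
    name: str
    action: str                 # "permit" or "deny"
    app: Optional[str] = None   # None: no application condition


@dataclass
class Session:
    key: FiveTuple
    action: str
    app: Optional[str] = None   # empty until identified from later packets
    policy_lookups: int = 0     # how often the full policy path ran for this flow


class Firewall:
    def __init__(self, policy: List[Rule]) -> None:
        self.policy = policy
        self.sessions: Dict[FiveTuple, Session] = {}

    def _match(self, app: Optional[str]) -> Optional[Rule]:
        """Top-to-bottom match; a rule with an application condition cannot
        match while the application is still unknown."""
        for rule in self.policy:
            if rule.app is None or rule.app == app:
                return rule
        return None

    def handle(self, key: FiveTuple) -> str:
        session = self.sessions.get(key)
        if session is None:
            # First packet: full processing with empty application information.
            rule = self._match(None)
            action = rule.action if rule else "deny"
            if action != "permit":
                return "deny"   # not allowed: packet discarded, no session created
            self.sessions[key] = Session(key, action, None, 1)
            return action
        # Subsequent packet: matched session entry, first-packet path skipped.
        return session.action

    def identify_app(self, key: FiveTuple, app: str) -> str:
        """Session update: the application was identified, so the flow is
        rechecked against the policy and the stored action may change."""
        session = self.sessions[key]
        session.app = app
        rule = self._match(app)
        session.action = rule.action if rule else "deny"
        session.policy_lookups += 1
        return session.action


# Constructed policy: block one application, permit everything else.
POLICY = [Rule("block_p2p", "deny", app="p2p"), Rule("permit_all", "permit")]
# Constructed flow from an intranet host to a documentation-range address.
FLOW: FiveTuple = ("10.1.1.5", "203.0.113.10", 51000, 443, "tcp")
```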
Table 2-8 Features involved in first packet processing and subsequent packet processing
Feature                  Description
Stateful inspection      For TCP and ICMP protocol packets, only the first packets trigger
mechanism                session establishment.
Blacklist                Rapidly filters packets based on the source or destination IP address
                         and user information carried in the packets.
Server-map               An important entry for server mapping and multi-channel protocol data
                         forwarding.
Online user list         Records online user information, such as the mapping between users
                         and IP addresses, the time when a session is established, and online
                         duration.
Routing table            Records routing information, which determines the interface through
                         which a packet is forwarded.
Authentication policy    Determines whether to perform authentication for a flow and obtains
                         the user information based on the IP address and security zone
                         information carried in a packet.
First packet processing  Pushes the authentication page to users who need authentication.
Security policy          Allows flows to be filtered based on the specified security policies.
Source NAT policy        Looks up the source NAT policy and records the address translation
                         information in the session table, but does not translate the IP
                         address of the packets.
Limit on the number of   Controls the number of concurrent sessions supported by the system.
connections
Server load balancing    Distributes the packets addressed to the same destination to different
                         servers for processing based on bandwidth usage. Therefore, during
                         subsequent packet processing, the server load balancing configuration
                         is also an important factor for determining the next-hop interface.
Packet Forwarding
In this phase, the NGFW provides constant security protection for flows and ensures that packets
are forwarded to the destination.
1. The NGFW checks the bandwidth usage and determines whether to forward or discard the
packet based on bandwidth policies.
2. The NGFW performs content security filtering based on the content security profile
associated with the security policies.
3. The NGFW translates the source IP address based on NAT policies.
4. The NGFW determines whether to forward the packet to a VPN tunnel based on VPN
configuration. If yes, the NGFW determines the VPN tunnel and encrypts and encapsulates
the packet to be forwarded.
5. The NGFW determines the next-hop interface based on the results obtained from the MAC
address table or routing table. The NGFW adjusts the traffic rate based on the bandwidth
threshold specified for the interface.
6. The NGFW sends the packet to the interface.
Table 2-9 describes the features used in this phase.
Feature               Description
Security policy       Checks packets for security risks and performs filtering in real time.
Source NAT policy     Translates the source IP addresses of the packets so that intranet users
                      can access the Internet.
VPN                   Implements secure connections between private networks over the
                      Internet. The NGFW supports various VPN technologies, such as L2TP,
                      IPSec, and SSL, to meet different requirements.
Outgoing interface    Discards packets when the bandwidth usage over the outgoing interface
bandwidth threshold   exceeds the specified threshold.
2.1.7.2 CLI
The command-line interface (CLI) can be used to implement certain advanced functions that
cannot be implemented through the Web UI. This section describes the CLI of the NGFW and
basic skills of using the CLI.
Username:admin
Password:
<sysname>
<sysname> system-view
00:33:32 2012/05/20
Enter system view, return user view with Ctrl+Z.
[sysname] interface GigabitEthernet 1/0/1
00:33:35 2012/05/20
[sysname-GigabitEthernet1/0/1] ip address 10.1.1.1 24
00:33:37 2012/05/20
[sysname-GigabitEthernet1/0/1] quit
00:33:38 2012/05/20
[sysname] quit
00:33:39 2012/05/20
<sysname> quit
Login authentication
Username:
Different views have different command prompts, which help administrators determine the
current view. For example, after you enter the system view, the command prompts change from
angle brackets (<>) to square brackets ([]). After you enter the Ethernet interface view, the
command prompt contains the name of the interface to be configured, for example, [sysname-
GigabitEthernet1/0/1].
All the commands are defined with user authority. Administrators of different levels can run
different commands. For example, level 1 administrators can only enter the user view and query
system status and information. They cannot run the system-view command to enter the system
view or configure data.
To quit the current view, run the quit command.
This section describes only the basic knowledge of command lines. For more information, see
the Command Reference and the configuration of each feature (sections ended with "-CLI") in
the Administrator Guide.
Method                      Description
Log in to the CLI through   When the NGFW fails to start or fails to connect to the network, you
the Console port            can log in to the CLI only through the Console port to rectify faults.
                            This is the most secure way to log in to the CLI.
                            To log in to the CLI through the Console port, perform the following
                            steps:
                            1. Use a serial cable to connect a serial port on the administrator's
                               PC and the Console port on the main control board of the NGFW.
                            2. Start HyperTerminal on the PC (which runs Windows) or any other
                               third-party program that supports a console connection.
                            3. Select the serial port used, and set the parameters as follows to
                               set up a connection:
                               l Bits per second: 9600
                               l Data bits: 8
                               l Parity: None
                               l Stop bits: 1
                               l Flow control: None
                            4. Click OK.
                               The copyright information is displayed in HyperTerminal.
                            5. Enter the user name and password, and modify the default password
                               as prompted to log in to the CLI.
                               The default user name is admin, and the default password is
                               Admin@123.
                            For more information, see 5.1.1 Logging In to the CLI Through the
                            Console Port.
Log in to the CLI using     Telnet allows you to remotely log in to a CLI through an Ethernet
Telnet                      port. For more information, see 5.2.4.3 Example for Logging in to the
                            CLI using Telnet.
                            NOTICE
                            During Telnet login, data and passwords are transmitted in plaintext,
                            causing security risks. To secure data transmission, use STelnet
                            instead.
Log in to the CLI using     STelnet also allows you to remotely log in to a CLI through an
STelnet                     Ethernet port. However, STelnet offers higher security than Telnet
                            because STelnet uses encrypted packets. For details about how to use
                            STelnet to log in to the CLI, see 5.2.4.5 Example for Logging In to
                            the CLI Using STelnet (RSA Authentication).
Log in to the CLI through   Log in to the Web UI, and click CLI Console on the lower right of the
the CLI console on the      page. Then, click anywhere in the black background to log in to the
Web UI                      CLI. For details about how to log in to the Web UI, see 2.3 Logging
                            In to the Web UI.
Basic Skills
Table 2-11 describes the basic skills that help you efficiently run commands on the CLI.
Skill                     Description
Obtaining help            To obtain help information about a command line, enter ? on the CLI.
information about a       l To obtain information about all the commands that can be executed
command line                in a view, enter ? in the current view.
                            <sysname> ?
                            User view commands:
                              backup-configuration Indicate backup configuration file
                                                   for system startup
                              cd                   Change current directory
                              clock                Specify the system clock
                              ---- More ----
                          l To obtain information about all the keywords that start with a
                            letter or a character string in a command, enter ? after the letter
                            or character string.
                            <sysname> display f?
                            fastfeeling  fib  file-block  file-detect
                            firewall  fragment-reassemble  ftp-server  ftp-users
Command-line completion   Command-line completion allows you to type the first few characters
                          of a command and press Tab to fill in the rest of the item. If there
                          are multiple matches and the current completion is not correct, you
                          can press Tab repeatedly until the correct keyword is displayed.
                            <sysname> display f #Press Tab.#
                            <sysname> display firewall #Press Tab.#
                            <sysname> display fib #Press Tab.#
                            <sysname> display fragment-reassemble #After the correct keyword
                            is displayed, press the space bar, and enter the next keyword.#
Error messages            If the command line entered contains incorrect keywords, the system
                          displays an error message and stops executing the command after you
                          press Enter.
                          The common error messages are as follows:
                          l Unrecognized command: The command line does not exist. It may
                            contain incorrect commands or keywords.
                          l Wrong parameter: The parameter type is invalid, for example, the
                            parameter value exceeds the value range or a character string is
                            entered for a numeric parameter.
                          l Incomplete command: The command is incomplete.
                          l Too many parameters: The command contains unnecessary parameters.
                          l Ambiguous command: Multiple commands match the information
                            entered. This error message is always displayed when a shortened
                            version of a command that has more than one interpretation was
                            specified on the command line.
Shortcut keys for screen  l Ctrl+C: stops displaying information on the screen. When you have
display                     located the required information in a long list that cannot be
                            displayed on a single screen, you can press Ctrl+C to stop
                            displaying the subsequent information and return to the previous
                            view.
                          l Space bar: displays the next screen.
                          l Return key: displays the next line.
Shortcut keys for         The system stores the ten latest historical commands for each
invoking historical       administrator who has logged in to the CLI. The following shortcut
commands                  keys can be used to invoke historical commands:
                          l Up arrow key or Ctrl+P: invokes the previous command.
                          l Down arrow key or Ctrl+N: invokes the next command.
                          You can search through the ten historical commands by pressing the
                          shortcut keys multiple times.
The initial configuration varies depending on the deployment scenario. Determine the
deployment scenario before initial configuration. Table 2-12 describes different deployment
scenarios:
l The existing network has no gateways: deploy one NGFW as the gateway. See 2.2.1 Scenario A:
Layer-3 Gateway (Routing Mode).
l The existing network has one gateway: deploy one NGFW to replace the existing gateway. See
2.2.1 Scenario A: Layer-3 Gateway (Routing Mode).
l The existing network has one NGFW: deploy one NGFW as the hot backup of the existing NGFW to
improve reliability. See 2.2.3 Scenario C: Hot Standby.
Figure (not reproduced): deployment scenarios. The figure shows the marketing department, R&D
department, servers, and intranet behind the egress gateway and NGFW positions, and Scenario C
(dual-system hot backup with NGFW_A and NGFW_B). Legend items: NGFW, subnet, intranet, VLAN.
In this scenario, the IP address of each service interface is generally used as the default gateway
address for all the PCs on the subnet. Therefore, when deploying an NGFW as a Layer-3 gateway,
you may need to change the original network topology, routing data, and gateway configurations
on the PCs. When deploying an NGFW to replace the existing gateway, you are advised to reuse
the original gateway configurations related to the network layer protocols, such as IP addresses,
routing protocols, and DHCP. This eliminates the need to change the configurations of adjacent
devices.
When deployed as a Layer-3 gateway between the intranet and the Internet as shown in Figure
2-9, the NGFW also needs to translate between private addresses on the intranet and public
addresses on the Internet. When dealing with traditional firewalls, the deployment is often
referred to as NAT mode. The NGFW implements routing and NAT if the service interfaces
work at Layer 3, and implements transparent transmission if the service interfaces work at Layer
2.
The NGFW can be configured with both Layer-3 interfaces to implement Layer-3 gateway
functions and Layer-2 interfaces to implement Layer-2 bridging functions.
When deployed as a Layer-3 gateway, the NGFW provides more functions, improved packet
processing mechanisms, and enhanced security defense capabilities. The initial configuration
procedure is based on the deployment in Figure 2-9.
[Figure 2-9: Scenario A networking: DMZ with server subnet 10.2.0.0/24; administrator PC 192.168.0.2/24]
2. 2.4 Web UI Basics: Become familiar with the web-based configuration basics before performing the initial configuration on the Web UI.
3. 2.5 Initial Configuration of Scenario A (Layer-3 Gateway): Configure basic Internet access using the Startup Wizard.
5. 2.9 Updating the Signature Database: Update the embedded signature database to obtain the latest content security defense capabilities.
7. 2.11 Advanced Configuration: Perform advanced configurations for the NGFW. You can configure functions based on site requirements.
When deployed as a Layer-2 switch, the NGFW transparently connects to the network without
changing the network topology and configurations of adjacent devices and implements MAC
address-based traffic control for subnets. However, if all interfaces work at Layer 2, the device
cannot access extranets and cannot implement database updates. Therefore, reserve some
Layer-3 interfaces. For example, reserve the management interface as a Layer-3 interface to
allow the administrator to log in to the device. The initial configuration procedure is based on
the deployment in Figure 2-10.
[Figure 2-10: Scenario B networking: intranet 10.3.0.0/24 with the Marketing department (10.3.0.2 to 10.3.0.99, VLAN100) and the R&D department (10.3.0.100 to 10.3.0.253, VLAN200) connected to NGFW interfaces GE1/0/2 and GE1/0/3 (Trust); GE1/0/1 (Untrust, VLAN100 and VLAN200) connects to the egress gateway 10.3.0.1/24; management interface GE0/0/0 192.168.0.1/24 connects to the administrator PC 192.168.0.2/24]
2. 2.4 Web UI Basics: Become familiar with the web-based configuration basics before performing the initial configuration on the Web UI.
3. 2.6 Initial Configuration of Scenario B (Layer-2 Switch): Set the interface working mode and configure Layer-2 services, such as VLAN.
5. 2.9 Updating the Signature Database: Update the embedded signature database to obtain the latest content security defense capabilities.
7. 2.11 Advanced Configuration: Perform advanced configurations for the NGFW. You can configure required functions based on site requirements.
In this deployment, two NGFWs working in hot backup mode are deployed to enhance system
availability. If one NGFW fails, the other takes over service processing, ensuring service
continuity.
l Active/Standby mode: Only one NGFW works at a time. If the active NGFW fails, the standby
NGFW becomes active and forwards all traffic.
l Load-balancing mode: Two NGFWs work at the same time. If one NGFW fails, the other forwards all
traffic.
This section describes the most common deployment scenario in which service interfaces work
at Layer 3, upstream and downstream devices are routers, and the two NGFWs work in load-
balancing mode. The initial configuration procedure is based on the deployment in Figure
2-11. For details about other scenarios, see 6.1 Hot Standby.
[Figure 2-11: Scenario C networking: NGFW_A with GE1/0/3 10.3.0.1/24, GE1/0/1 10.2.0.1/24, and GE1/0/7 10.10.0.1/30; NGFW_B with GE1/0/3 10.3.1.1/24, GE1/0/1 10.2.1.1/24, and GE1/0/7 10.10.0.2/30; the GE1/0/7 interfaces link the two NGFWs; management interface GE0/0/0 192.168.0.254/24; administrator PC 192.168.0.2/24]
2. 2.4 Web UI Basics: Become familiar with the web-based configuration basics before performing the initial configuration on the Web UI.
3. 2.7 Initial Configuration of Scenario C (Hot Standby): Plan and configure hot standby. You need to complete only the initial configuration on both NGFWs. Subsequent service configurations are performed on one NGFW and are automatically synchronized to the other NGFW.
5. 2.9 Updating the Signature Database: Update the embedded signature database to obtain the latest content security defense capabilities. In hot standby networking, you must update the signature databases of both NGFWs.
7. 2.11 Advanced Configuration: Perform advanced configurations for the NGFW. You can configure required functions based on site requirements.
Prerequisites
The browser on the administrator PC must meet any of the following requirements:
When using Internet Explorer, you are advised to use version 7.0 or later.
Procedure
Step 1 Connect the network interface of the administrator PC to management interface GigabitEthernet
0/0/0 using network cables or Layer-2 switches.
NOTE
The USG6310/6320 does not have any management interface. You need to connect GigabitEthernet 0/0/0 to the
network interface of the PC.
Step 2 Set the IP address of the administrator PC, within a range from 192.168.0.2 to 192.168.0.254.
Step 3 Open the browser on the administrator PC. In the address box, enter the default IP address of
the GigabitEthernet 0/0/0 (https://192.168.0.1:8443).
NOTE
If the address is http://192.168.0.1, the device automatically uses the more secure HTTPS to access the
web UI.
If the browser displays a notification for an insecure certificate, you can continue the browsing. For security,
you are advised to configure the specified certificate after logging in to the device. For details, refer to
5.2.4.2 Example for Logging In to the Web UI Using HTTPS (Specified Certificate).
Click Open Source Software Notice on the web login page to view information about the open source
software used by the device.
Step 4 On the login page, enter the default user name admin and password Admin@123 of the system
administrator. Click Login.
NOTE
You can also use default audit administrator account audit-admin (password Admin@123) to log in to
the device.
After three consecutive login failures, the web UI is automatically locked out for 10 minutes to forbid any
user login.
Step 5 Change the password of the default administrator account, and click OK to access the web UI.
NOTE
To enhance security, a password must meet the minimum strength requirements, that is, the password needs
to contain at least three types of the following characters: uppercase letters (A to Z), lowercase letters (a
to z), digits (0 to 9), and special characters, such as exclamation points (!), at signs (@), number signs (#),
dollar signs ($), and percent (%).
Please keep the new password you entered safe for your next login.
----End
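The following Python is an added illustration, not code from the Huawei guide: it models the two rules in the login notes above, the three-of-four character-class password requirement and the three-failures, ten-minute Web UI lockout. The guide states no minimum password length, so none is enforced; the credential check is a placeholder supplied by the caller.

```python
import string
import time
from dataclasses import dataclass
from typing import Callable, Optional, Set

# Character classes named in the NGFW password-strength note.
_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),   # includes ! @ # $ %
}

LOCKOUT_FAILURES = 3          # consecutive failures before the Web UI locks
LOCKOUT_SECONDS = 10 * 60     # lock duration stated in the guide


def character_classes(password: str) -> Set[str]:
    """Return the names of the character classes that occur in password."""
    return {name for name, chars in _CLASSES.items()
            if any(c in chars for c in password)}


def meets_strength_rule(password: str) -> bool:
    """True when at least three of the four classes are present.
    The guide states no minimum length, so none is enforced here."""
    return len(character_classes(password)) >= 3


@dataclass
class WebUiLoginGuard:
    """Model of the Web UI rule: three consecutive failures lock all logins
    for 10 minutes. Credential checking is a placeholder supplied by the caller."""
    check_credentials: Callable[[str, str], bool]
    failures: int = 0
    locked_until: float = 0.0

    def attempt(self, username: str, password: str,
                now: Optional[float] = None) -> str:
        """Return "ok", "denied" or "locked" for one login attempt at time now."""
        now = time.time() if now is None else now
        if now < self.locked_until:
            return "locked"                      # still inside the lockout window
        if self.check_credentials(username, password):
            self.failures = 0                    # success resets the failure counter
            return "ok"
        self.failures += 1
        if self.failures >= LOCKOUT_FAILURES:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "denied"
```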
Follow-up Procedure
Use HTTPS to log in to the web UI for management and configuration. You can also create more
administrators. For details, refer to 5.2 Administrators.
Functional Areas
The NGFW Web UI is divided into five functional areas:
[Figure: Web UI layout: tabs, buttons, navigation tree, operation area, CLI console]
Area Description
Tabs: Based on the deployment roadmap laid out in 2.1.2 Next Generation Firewall, the NGFW is divided into six modules:
l System: used to configure the basic information about the NGFW to enable the NGFW to work.
l Network: used to configure network layer protocols to ensure Internet access.
l Object: used to create common objects that can be referenced by multiple policies to simplify policy configuration.
l Policy: used to configure multiple service policies to control traffic forwarding and prevent network threats, ensuring network security.
l Monitor: used to display system logs and reports, which provide visibility into the device and network status and facilitate policy making and configuration adjustment.
l Dashboard: used to display system information in real time and monitor whether the system is running properly.
Navigation tree: After you click a tab, the corresponding menus are displayed in the navigation tree. You can click a menu to configure functions.
Operation area: After you choose a menu, the configuration page is displayed in the operation area.
CLI console: The Web UI provides a CLI console for you to configure advanced functions. To use the CLI console, perform the following operations:
l To display the CLI, click CLI Console on the lower right corner.
l To start command configuration, click the black background of the CLI.
l To minimize the CLI, click the title bar of the CLI.
To the upper right of the CLI are three buttons, which have the following functions:
l One button disconnects from the CLI and releases related system session resources. After disconnection, you can click the black background to reconnect to the CLI.
l Another button clears the information displayed on the current CLI without disconnecting the CLI.
l The third button minimizes the CLI. You can also click the title bar to minimize the CLI.
[Figure: table layout: icons, query area, entry area, and page navigation toolbar]
Area Description
Icons: You can use the following icons to manage table entries:
l Add: creates a configuration entry.
Click Add to access the configuration page of the function. After an entry is created, it is displayed in the table.
l Delete: deletes one or more entries.
Select one or more entries and click Delete to delete them.
To select all entries, select the check box to the left of the table header.
NOTICE
Deleting certain entries may adversely affect traffic. Therefore, exercise caution when you delete entries.
Referenced entries can be deleted only after you remove their references from other features.
Predefined entries cannot be deleted, which ensures system and network security. These entries have low priorities and therefore do not affect user-defined entries.
l Copy: clones an existing entry.
Select an entry, click Copy, and change certain parameters, such as name, to differentiate the new entry from the original.
l Move: adjusts entry priorities. Entries in certain tables are prioritized and displayed in descending order of priority. Once an entry is matched, the traffic matching process ends.
Select an entry and click Move to move it above or below another entry.
l Insert: adds a new entry above the current entry.
Select an entry and click Insert to insert a new entry above the selected entry. The new entry takes priority over the selected entry.
l Enable: batch enables the selected entries.
l Disable: batch disables the selected entries.
Query area: The search function helps rapidly locate an entry to be modified among multiple entries. Tables generally provide two search methods:
l Search: Enter or select search conditions (generally the entry name) and click Search. The system filters entries based on the search conditions.
l Advanced Search: Click Advanced Search and set the search conditions in the dialog box that is displayed to precisely filter entries.
Entry area: The entry area displays all existing entries. Each entry is displayed in columns for easy search and comparison.
An edit button is displayed to the right of each entry for entry modification. To modify an entry that has grayed out parameters, clone the entry, change the parameters, save the entry, and delete the original entry.
Page navigation toolbar: The page navigation toolbar allows you to switch to another page (previous page, last page, total) and set the number of entries per page.
Selecting the check box to the left of the table header selects only the entries on the current page. Therefore, the page locating area is useful when you delete entries.
Context
Before starting the initial configuration, collect and record the configuration data required for
the network plan. The example values given in the following tables are based on the networking
in 2.2.1 Scenario A: Layer-3 Gateway (Routing Mode).
Procedure
Step 1 Plan the IP addresses and security zones of the WAN, DMZ, and LAN interfaces as follows:
----End
Context
This section uses the networking data in 2.2.1 Scenario A: Layer-3 Gateway (Routing
Mode) and planned data in 2.5.1 Data Collection to describe how to use the Startup Wizard.
The actual data may vary with site configuration.
Procedure
Step 1 The system displays the Startup Wizard upon your first login. If the Startup Wizard is not
displayed, choose System > Wizard > Startup Wizard.
Step 3 Set the host name, change the administrator password, and click Next.
Step 6 Select a WAN interface, set its IP address, and set the IP addresses of the default gateway and
DNS servers. Then click Next.
Step 7 Set the IP address of the LAN interface and click Next.
Step 8 Enable DHCP for the LAN, use the default IP address range, and click Next. This IP address
range is the subnet where the LAN interface resides.
Step 9 Confirm the configured information, select Do not display this page upon the next login at
the lower left corner, and click Apply.
Step 10 Click Finish after a message is displayed indicating that the initial configuration is complete.
----End
Follow-up Procedure
By default, the wizard enables a security policy for the interzone between the Trust zone and
Untrust zone. This policy allows all intranet users to access the Internet. For security, you are
advised to configure a security policy that strictly controls the data flows accessing the Internet.
For details, see 2.10.5 Configuring a Security Policy.
Procedure
Step 1 Choose Monitor > Diagnosis Center to verify whether the NGFW is connected to the Internet.
Step 3 In Host Name or IP Address, enter a URL, for example, www.example.com, and click Ping.
l The NGFW is connected to the Internet if information similar to the following is displayed:
PING www.example.com (192.0.43.10): 56 data bytes, press CTRL_C to break
Reply from 192.0.43.10: bytes=56 Sequence=1 ttl=239 time=392 ms
Reply from 192.0.43.10: bytes=56 Sequence=2 ttl=239 time=367 ms
Reply from 192.0.43.10: bytes=56 Sequence=3 ttl=239 time=499 ms
Reply from 192.0.43.10: bytes=56 Sequence=4 ttl=239 time=358 ms
Reply from 192.0.43.10: bytes=56 Sequence=5 ttl=239 time=345 ms
l If the NGFW is not connected to the Internet, troubleshoot the fault based on the errors as follows:
Error: Ping: unknown host www.example.com
Description: This error message indicates that the domain name is not correctly resolved, which means that the DNS server is not configured or is incorrectly configured. Therefore, the NGFW cannot communicate with the DNS server. Obtain the correct DNS server address from the ISP. Choose Network > DNS > DNS to configure the DNS server. For details, see 8.3 DNS.
Step 4 After the NGFW is connected to the Internet, try to access a website from a host on the intranet
to check whether the intranet is connected to the Internet.
l If yes, the intranet is connected to the Internet. The initial configuration is complete.
l If no, choose Monitor > Diagnosis Center, click Web Page Diagnosis, enter the IP address
of the intranet host and the URL to be accessed, and click Diagnose. Troubleshoot faults
based on the diagnosis information.
----End
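As an added example that is not part of the guide, the following Python classifies Diagnosis Center ping output into the cases of the troubleshooting table above: the unknown-host error versus replies received. The sample outputs are constructed in the format the guide shows; the advice for the no-reply case is an assumption that extends the table, which lists only the unknown-host error.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Patterns for the ping output lines shown in the guide.
_HEADER_RE = re.compile(
    r"^PING (?P<host>\S+) \((?P<ip>[\d.]+)\): (?P<bytes>\d+) data bytes")
_REPLY_RE = re.compile(
    r"^Reply from (?P<ip>[\d.]+): bytes=(?P<bytes>\d+) Sequence=(?P<seq>\d+) "
    r"ttl=(?P<ttl>\d+) time=(?P<ms>\d+) ms")
_UNKNOWN_HOST_RE = re.compile(r"^Error: Ping: unknown host (?P<host>\S+)")


@dataclass
class PingResult:
    status: str                       # "connected", "dns_failure" or "no_reply"
    host: Optional[str] = None
    resolved_ip: Optional[str] = None
    rtts_ms: List[int] = field(default_factory=list)
    advice: str = ""


def classify_ping_output(output: str) -> PingResult:
    """Classify Diagnosis Center ping output following the troubleshooting table."""
    result = PingResult(status="no_reply")
    for raw in output.splitlines():
        line = raw.strip()
        m = _UNKNOWN_HOST_RE.match(line)
        if m:
            # Name resolution failed: the DNS server is missing or wrong.
            result.status = "dns_failure"
            result.host = m.group("host")
            result.advice = ("Domain name not resolved: obtain the correct DNS server "
                             "address from the ISP and configure it under "
                             "Network > DNS > DNS.")
            return result
        m = _HEADER_RE.match(line)
        if m:
            result.host = m.group("host")
            result.resolved_ip = m.group("ip")
            continue
        m = _REPLY_RE.match(line)
        if m:
            result.rtts_ms.append(int(m.group("ms")))
    if result.rtts_ms:
        result.status = "connected"
        result.advice = "The NGFW is connected to the Internet."
    else:
        # Assumption (not in the guide's table): resolution worked but nothing
        # answered, so the WAN settings from the Startup Wizard are the next suspect.
        result.advice = ("Name resolved but no reply received: check the WAN interface "
                         "address and default gateway set in the Startup Wizard.")
    return result


def average_rtt_ms(result: PingResult) -> Optional[float]:
    """Mean round-trip time of the replies, or None when there were none."""
    if not result.rtts_ms:
        return None
    return sum(result.rtts_ms) / len(result.rtts_ms)


# Constructed sample outputs in the format shown in the guide.
SAMPLE_OK = """PING www.example.com (192.0.43.10): 56 data bytes, press CTRL_C to break
Reply from 192.0.43.10: bytes=56 Sequence=1 ttl=239 time=392 ms
Reply from 192.0.43.10: bytes=56 Sequence=2 ttl=239 time=367 ms
Reply from 192.0.43.10: bytes=56 Sequence=3 ttl=239 time=499 ms
Reply from 192.0.43.10: bytes=56 Sequence=4 ttl=239 time=358 ms
Reply from 192.0.43.10: bytes=56 Sequence=5 ttl=239 time=345 ms
"""
SAMPLE_DNS_FAIL = "Error: Ping: unknown host www.example.com\n"
SAMPLE_NO_REPLY = "PING www.example.com (192.0.43.10): 56 data bytes, press CTRL_C to break\n"
```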
Context
Before starting the initial configuration, collect and record the configuration data based on the
network plan. The example values given in the following tables are based on the networking in
2.2.2 Scenario B: Layer-2 Switch (Transparent Mode).
Procedure
Step 1 Plan the IP addresses and security zones of the WAN, DMZ, and LAN interfaces as follows:
----End
Context
This section uses the networking data in 2.2.2 Scenario B: Layer-2 Switch (Transparent
Mode) and planned data in 2.6.1 Obtaining Data as examples to describe how to use the Startup
Wizard. The actual data may vary with site configuration.
Procedure
Step 1 Log in to the web page.
NOTE
The system displays the Startup Wizard upon your first login. Layer-2 access cannot be configured using the
Startup Wizard. Therefore, select Do not display this page upon the next login in the lower left corner in the
Startup Wizard and click Cancel to exit the Startup Wizard.
Step 3 In the interface list, click the edit button for GE1/0/1 and set the following parameters of GE1/0/1. Retain
the default values for other parameters.
Zone: untrust
Mode: Switching
Default VLAN ID: 1
Step 5 Refer to steps 3 and 4 to set the following parameters of the GE1/0/2 interface.
Zone: trust
Mode: Switching
Step 6 Refer to steps 3 and 4 to set the following parameters of the GE1/0/3 interface.
Zone: trust
Mode: Switching
Step 8 Click Add. Based on the following parameters, create an address object to specify the IP address
segment for the M&S department.
Name: address_marketing
Step 10 Click Add. Based on the following parameters, create an address object to specify the IP address
segment for the R&D department. Then, click OK.
Name: address_research
Step 12 Click Add. Based on the following parameters, create a security policy to allow for the
communication between the M&S department host and the egress gateway.
Name: policy_sec_marketing
Action: Permit
Step 14 Click Add. Based on the following parameters, create a security policy to allow for the
communication between the R&D department host and the egress gateway. Then, click OK.
Name: policy_sec_research
Action: Permit
----End
Follow-up Procedure
To enable the communication between hosts on a VLAN and between different VLANs, you
must set the required VLAN parameters on the egress gateway connected to the NGFW. For the
parameter setting procedure, refer to the document matching the egress gateway that you use.
When you set the parameters, meet the following requirements:
1. The interface for connecting the egress gateway to the NGFW must support access from
VLAN100 and VLAN200. To enable this, use either of the following methods based on
the site requirement:
l If a Layer-2 interface is used, set its working mode to Trunk mode to allow for the access
from VLAN100 and VLAN200.
l If a Layer-3 interface is used, create two subinterfaces on it and add the subinterfaces
to VLAN100 and VLAN200 separately.
2. Set the IP addresses and routing information of the Vlanif interfaces for VLAN100 and
VLAN200 so VLAN100 and VLAN200 can communicate with each other.
Procedure
Step 1 Verify that the NGFW is properly connected to the Internet.
No IP address can be set for an interface that is switched to Layer 2. If all the interfaces of the
NGFW work at Layer 2, the NGFW cannot communicate with other IP addresses. To test whether
the NGFW has been initialized successfully, you can test whether the hosts on the intranet can
properly connect to the Internet. If they can properly connect to the Internet, the NGFW has
been initialized successfully.
Step 2 Verify that the egress gateways connected to the NGFW are correctly connected to the Internet.
Then, check whether you can visit a website from a host on the intranet.
l If yes, the intranet is connected to the Internet, and the initial configuration is complete.
l If no, choose Monitor > Diagnosis Center and click Web Page Diagnosis. Enter the IP
address of the host and the URL to the website. Then, click Diagnose. Troubleshoot the
problem based on the diagnosis results until the host can properly connect to the Internet.
----End
Context
Before starting the initial configuration, collect and record the configuration data based on the
network plan. The example values given in the following tables are based on the networking in
2.2.3 Scenario C: Hot Standby.
Procedure
Step 1 Plan the IP addresses and security zones of the WAN, DMZ, and LAN interfaces as follows:
NOTE
In hot standby scenarios, you must apply for a license for each NGFW.
----End
Context
This section uses the networking data in 2.2.3 Scenario C: Hot Standby and planned data in
2.7.1 Data Collection to describe how to configure hot standby. The actual data may vary with
site configuration.
3. Configure service data only on the active NGFW. The standby NGFW automatically
synchronizes service configurations with the active NGFW.
The configuration procedures on both NGFWs must use the same port number. The tables in
this section list the parameters of both NGFWs for comparison.
Procedure
Step 1 The system automatically displays the Startup Wizard upon your first login. The Startup
Wizard does not apply to hot standby scenarios. Select Do not display this page upon the next
login at the lower left corner and click Cancel to exit the Startup Wizard.
2. In the interface list, click for GE1/0/1, and set the following parameters of GE1/0/1.
Retain the default values for the other parameters.
IPv4
3. Click OK.
4. Repeat Step 2.1 to Step 2.3 to set the following parameters of the GE1/0/3 interface.
IPv4
5. Repeat Step 2.1 to Step 2.3 to set the following parameters of the GE1/0/7 interface.
IPv4
6. Change the default IP address of the management interface on NGFW_B to avoid IP address
conflicts. This setting allows you to log in to both NGFWs at the same time. Repeat the
preceding steps to change the following parameters of the GE0/0/0 interface on
NGFW_B.
NOTICE
Changing the IP address of the management interface disconnects you from the Web UI.
Therefore, after changing the IP address, access http://192.168.0.254 again to log in to
NGFW_B.
Parameters of GE0/0/0 on NGFW_B:
Zone: trust
Mode: Route
IPv4 IP Address: 192.168.0.254/24
Step 3 Configure OSPF routes to enable active/standby switchovers and route adjustment in the event
of network failures.
1. Choose Network > Router > OSPF.
2. Click Add to configure OSPF processes using the following parameters. Retain the default
values for the other parameters.
Process ID: 1 on NGFW_A, 1 on NGFW_B
3. Click OK.
Area: 0 on NGFW_A, 0 on NGFW_B
7. Click OK.
8. Repeat Step 3.1 to Step 3.7 to add downstream subnets in Area 0 of Process 1 using the
following parameters.
Area: 0 on NGFW_A, 0 on NGFW_B
3. Click OK.
----End
Follow-up Procedure
To facilitate rapid identification of network faults and traffic switchover, configure OSPF for
the upstream and downstream routers of the NGFW. For details, see the router documentation.
1. Create OSPF process 1 on the four routers that are connected to the NGFWs.
2. In area 0 of OSPF process 1, add the subnets directly connected to the routers. For example,
add subnets 1 and 2 on router A, subnets 2 and 3 on router B, subnets 4 and 5 on router C,
and subnets 5 and 6 on router D.
[Figure: OSPF networking: routers A, B, C, and D connected to NGFW_A and NGFW_B through subnets 1 to 6, with the intranet behind the routers]
Procedure
Step 1 Log in to NGFW_A and NGFW_B. Choose System > High Availability > Dual-System Hot
Backup, and check whether the two NGFWs are set to work in active/standby mode or load-
balancing mode.
In Monitored Item, if Current Working Mode is Load Balancing, hot standby is configured
correctly.
Step 2 Verify that the NGFWs are properly connected to the Internet.
Step 3 Verify that the egress gateways connected to the NGFWs are correctly connected to the Internet.
Then, check whether you can access a website from a host on the intranet.
l If yes, the intranet is connected to the Internet. The initial configuration is complete.
l If no, choose Monitor > Diagnosis Center, click Web Page Diagnosis, enter the IP address
of the intranet host and the URL to be accessed, and click Diagnose. Troubleshoot faults
based on the diagnosis information.
Step 4 Disable the service interface on one NGFW, for example, GE1/0/1 on NGFW_A. Check whether
the active/standby switchover is successful.
1. Log in to NGFW_A. Choose Network > Interface.
2. Deselect Enable for GE1/0/1 to disable GE1/0/1.
3. Choose System > High Availability > Dual-System Hot Backup. In Monitored Item of
NGFW_A, ensure that Current State is Standby.
4. Log in to NGFW_B. Check its status in the same way. Ensure that Current State is
Active.
5. Enable the GE1/0/1 interface of NGFW_A. Verify that the state of NGFW_A changes to
Active and that of NGFW_B changes to Standby.
If the states of both NGFWs are normal, the active/standby switchover is successful.
Step 5 Restart one NGFW, and check whether the active/standby switchover can be performed
successfully.
1. Log in to NGFW_A. Choose System > Setup > Restart. Enter the administrator's password
and click Save and Restart to restart NGFW_A.
2. When NGFW_A is being restarted, log in to NGFW_B, and check its status. Under normal
conditions, the status is Active.
3. After NGFW_A restarts, verify that the state of NGFW_A changes to Active and that of
NGFW_B changes to Standby.
If the states of both NGFWs are normal, the active/standby switchover is successful.
----End
Context
After registering an account with the Huawei support website, you can obtain more information
about technical support and software updates.
For details about how to obtain the activation password and ESN of the NGFW, see Data
Collection in the initialization process.
Procedure
Step 1 Register an account with the Huawei support website.
1. Enter http://support.huawei.com/enterprise in the address box of the browser.
2. Click Register at the upper right corner.
3. Enter the registration information. All information is mandatory. The system checks the
registration information and provides real-time feedback.
4. Select I understand and agree to comply with Huawei terms and conditions. and click
Register.
Step 2 After the registration is complete, the system sends an email to the registered mail box. Click
the activation link in the email to activate the account. After that, you can obtain documents and
software updates from the website.
To implement online automatic activation, you need to configure the DNS server and enable the DNS
service.
Step 4 After an activation success message is displayed, check whether the license authorization
information is correct. If you have any problem, contact Huawei technical support.
----End
Context
You can update the signature database with any of the following methods:
l Scheduled Update: The system automatically connects to the update server and updates the
signature database at a specified time.
l Update Immediately: The system performs a signature database update immediately after
it connects to the update server.
l Update Locally: Download a signature database file from the security center https://
sec.huawei.com to the administrator PC. Then upload the file to the NGFW to update the
signature database. This method applies when the NGFW cannot directly connect to the
Internet.
You are advised to perform an immediate update of the signature database when you initially
begin using the NGFW. After that, enable scheduled update.
Procedure
Step 1 Choose System > Update Center.
Step 2 Click Update Immediately for each signature database, and click OK in the dialog box
displayed to perform an immediate signature database update.
Step 3 After the immediate update is complete, click Server IP Address:sec.huawei.com to the right
of the Update Center List, and set the time for the scheduled update. You are advised to perform
scheduled update at off-peak hours.
----End
You can determine the functions to be configured based on the position and defense methods of
the NGFW and the protected objects. This section describes four typical security service
scenarios for your reference.
Position: Network egress for large- and medium-sized enterprises
Protected objects: Intranet PCs and servers
Defense method: Border protection
Description: Deploy the NGFW as a gateway at the network egress to protect the traffic between the Internet and intranet PCs or small servers against intrusions, attacks, and other threats to the intranet.
[Figure: NGFW at the network egress between the intranet (Trust, with a DMZ server) and the Internet (Untrust, hacker), headquarters and branch office]
Position: Inside the network
Protected objects: Intranet hosts
Defense method: Intranet control and security isolation
Description: Deploy the NGFW at the convergence of different subnets to prevent the spread of security threats, such as worms and viruses, over the intranet. In addition, the NGFW controls traffic between subnets to avoid information leaks.
[Figure: NGFW inside the intranet between the Marketing department, R&D department 1, R&D department 2 (Research zone), and the egress gateway (Untrust)]
Context
A security zone is a set of the networks connected by interfaces. Dividing the networks connected
by interfaces into different security zones simplifies configurations, minimizes security checks,
and enhances system processing efficiency.
When you configure security policies between interfaces or subnets, the number of security
policies increases with the number of interfaces. However, the traffic between certain interfaces
does not require security policies.
Therefore, assign networks of the same security level to the same security zone and configure
security policies between security zones to minimize the number of security policies needed.
In most cases, the intranet is defined as the Trust zone, the server farm as the DMZ, and the
Internet as the Untrust zone in descending order of priority. If the intranet has multiple subnets
of different security levels, you can create more security zones to isolate them.
Procedure
Step 1 Choose Network > Zone.
Parameter Description
Step 4 Select the required interface in the Un-Added Interface list, and click to add the interface
to the Added Interface list.
NOTE
An interface can be assigned to only one security zone. Therefore, the Un-Added Interface list
displays only interfaces that are not assigned to any security zone. To change the security zone
an interface is assigned to, choose Network > Interface and change the Zone parameter.
----End
Context
The following table describes the process for authenticating intranet users and the configuration
to be performed for each procedure.
2. Procedure: For data flows that need to be authenticated, the NGFW pushes an authentication web page to the browser on the user's computer, asking the user to enter the user name and password. The NGFW verifies the entered user name and password against the records saved locally or on a third-party authentication server.
Configuration: Perform the following steps to save user authentication information locally:
1. Configure users and user groups and save user information locally.
2. Configure an authentication domain and set NONE for the authentication server. Then, the locally saved user information is used for user authentication.
Perform the following steps to save user authentication information on a third-party authentication server:
1. Configure information about the third-party authentication server.
2. Configure users and user groups and import user information from the server to the NGFW. The purpose of the import operation is to save the user organizational structure on the NGFW, which helps configure security policies in the future.
3. Configure an authentication domain and bind user groups with the authentication server. The NGFW forwards the user names and passwords provided by users to the authentication server. The authentication server verifies the user names and passwords, and the NGFW only receives the user authentication result sent from the authentication server.
Procedure
Step 1 Configure an authentication policy.
1. Choose Policy > Authentication Policy.
2. Click Add.
3. Set the name and description of an authentication policy based on the parameters described
in the following table.
4. Configure information about data flows that need to be controlled based on the parameters
described in the following table.
Source Zone Select the source security zone for a data flow. If there are no
constraints on security zones, select any for this parameter.
Destination Zone Select the destination security zone for a data flow. If there
are no constraints on security zones, select any for this
parameter.
Supported authentication servers include RADIUS, HWTACACS, AD, LDAP, SecurID and
TSM servers. Choose Object > Authentication Server. On the page that is displayed, add an
authentication server based on the site requirements. For details, see 11.5.6 Configuring an
Authentication Server.
The first two methods save all user information (including user names and passwords) and the
organizational structure of user groups on the NGFW, while the third method saves user names
and the organizational structure of user groups, but not user passwords. Choose Object >
User > User/Group. On the page that is displayed, create a user and user group based on the
site requirements. For details, see 11.5.3 Configuring Users, User Groups or Security
Groups.
Access Control l Allow VPN Access: If you select Allow VPN Access,
clients on remote networks can use user information of
this authentication domain to connect to the intranet
through L2TP over IPSec VPNs or SSL VPNs or IPSec
VPNs with EAP authentication.
l Allow Policy-Specific User Control: If you select Allow
Policy-Specific User Control, the authentication domain
can be used to implement authentication on Internet
access users.
l Allow Administrator Access: If you select Allow
Administrator Access, the authentication domain can be
used to implement authentication on administrators.
4. Select users and user groups as well as the authentication server based on the parameters
described in the following table.
Parameter | Description
Authentication Server | Select an authentication server from the drop-down list box. Users and user groups that you selected in Authentication User/Group are authenticated using this authentication server. If the users and user groups were imported from a third-party authentication server, select that third-party server. If local authentication is to be implemented, select NONE.
5. Click OK.
----End
Context
If the NGFW functions as an egress gateway, NAT is generally configured on it to translate
between public and private IP addresses. As a result, numerous hosts in a private network can
use a small number of public IP addresses to securely access the Internet. Server mapping (also
called NAT Server) is also configured when users outside a private network need to access
servers inside the private network.
Private IP addresses are translated into public IP addresses using either of the following modes:
• Address pool mode: This mode is used when multiple public IP addresses are available. In this mode, a NAT address pool must be created to delimit the range of usable public IP addresses.
• Outbound interface address mode: This mode is used when only the public IP address of the public network interface on the NGFW is available. (The public network interface is the interface connecting to the Internet.) All hosts in a private network directly use this public IP address to securely access the Internet. This mode is preferred when the IP address of the public network interface is dynamically assigned rather than static.
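The following added example (not part of this guide and not Huawei code) models the two translation modes as a small source NAT table, to make the effect of Allow PAT concrete: without PAT every private host consumes one public address from the pool, so a pool of two addresses serves two hosts; with PAT the source port is rewritten as well, so one public address (the outbound interface address, for instance) serves as many hosts as there are free ports. The pool addresses, private hosts, and ephemeral port range are constructed sample values.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class SourceNat:
    """Translate the private source of a flow to a public address.

    pool: usable public IP addresses. In address pool mode this is the NAT
          address pool; in outbound interface address mode it holds only the
          address of the Internet-facing interface.
    pat:  True  -> Allow PAT: the source port is rewritten too, so many
                   private hosts share one public address.
          False -> only the address is rewritten: one public address per
                   private host, source ports preserved.
    """

    def __init__(self, pool, pat):
        self.pool = list(pool)
        self.pat = pat
        self.bindings = {}            # (src_ip, src_port) -> (pub_ip, pub_port)
        self.host_to_public = {}      # src_ip -> pub_ip, used without PAT
        self._ports = count(10000)    # constructed ephemeral port range

    def translate(self, flow):
        """Return the translated (public_ip, public_port), or None when the
        pool is exhausted and the packet cannot be translated."""
        key = (flow.src_ip, flow.src_port)
        if key in self.bindings:      # an existing session keeps its binding
            return self.bindings[key]
        if self.pat:
            # With PAT the port disambiguates sessions; the first pool
            # address is enough (a real device may also rotate addresses).
            public = (self.pool[0], next(self._ports))
        else:
            if flow.src_ip not in self.host_to_public:
                in_use = set(self.host_to_public.values())
                free = [ip for ip in self.pool if ip not in in_use]
                if not free:
                    return None       # no public address left for this host
                self.host_to_public[flow.src_ip] = free[0]
            public = (self.host_to_public[flow.src_ip], flow.src_port)
        self.bindings[key] = public
        return public


def hosts_served(pool, pat, private_hosts):
    """Count how many of private_hosts can reach the Internet via the pool."""
    nat = SourceNat(pool, pat)
    served = 0
    for i, host in enumerate(private_hosts):
        # constructed destination: a public web server, port 443
        if nat.translate(Flow(host, 40000 + i, "198.51.100.5", 443)) is not None:
            served += 1
    return served
```

Run hosts_served with a two-address pool and PAT disabled and only two of three hosts get out; with a single address and PAT enabled, fifty hosts share it. The bindings dictionary is the analogue of the device's session table: a reply for a translated flow can be mapped back only while that entry exists, which is why idle sessions age out rather than live forever.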
Procedure
Step 1 Optional: Configure a NAT address pool.
1. Choose Policy > NAT Policy > Source NAT > NAT Address Pool.
2. Click Add.
3. Configure basic information about the NAT address pool based on the parameters described
in the following table.
If you select Allow PAT, the source IP address and source port number for packets are
both translated during the IP address translation process so that more hosts in a private
network can use the same public IP addresses to securely access the Internet.
5. Click OK.
Parameter | Description
Source Zone | Select the security zone where the hosts in the private network reside.
Destination Type | Select the destination type for the traffic that needs NAT. Two options are available:
  • Destination Zone: If you select Destination Zone, all traffic flowing from the source zone to the destination zone is translated using NAT. You also need to select a destination zone from the Destination Zone drop-down list box in the lower area.
  • Outbound Interface: If you select Outbound Interface, all traffic flowing from the source zone to the outbound interface is translated using NAT. You also need to select an interface from the Outbound Interface drop-down list box in the lower area.
5. Configure an address translation rule based on the parameters described in the following
table.
Before NAT
Source Address | Enter or select the source IP address or MAC address of the traffic that needs NAT, that is, the private IP address or MAC address of a host in the private network.
Destination Address | Enter or select the public IP address or MAC address that the host in the private network needs to access.
After NAT
6. Click OK.
4. Configure a Static Mapping rule based on the parameters described in the following table.
Public IP Address | Enter the start IP address of a usable public IP address range. Intranet servers are mapped one-to-one to public IP addresses; therefore, the number of intranet servers determines the end IP address.
Private IP Address | Enter the start and end IP addresses of the private IP address segment for the intranet servers that need to be mapped. If only one intranet server is available, you do not need to enter the end IP address.
Intranet Server List | Click Add. In the dialog box that is displayed, add an intranet server, including its private IP address, weight, and whether to check its health, and click Weight Value.
6. Click OK.
----End
Context
Security policies are the core security function of the NGFW and must be properly planned.
Security policies are deployed based on traffic. Therefore, you need to classify traffic based on
the created security zones and users before deploying security policies. Traffic is generally
classified into the following types:
• Traffic generated when private network employees from different departments in the Trust zone access the Internet in the Untrust zone. You can configure a security policy for each department.
• Traffic generated when private network employees from different departments in the Trust zone access intranet servers in the DMZ zone. You can configure a security policy for each department.
• Traffic generated when common Internet users in the Untrust zone access an enterprise's intranet servers in the DMZ zone. You can configure a security policy for each intranet server.
• Traffic generated when employees on the move or at branches use VPN technology to access intranet resources in the Trust and DMZ zones. Such traffic can be isolated from common Internet user traffic based on the private IP addresses or user accounts assigned to employees on the move or at branches. You can configure a security policy for each user group or branch.
Each security policy may use different security profiles depending on network topologies and
management requirements. For details, see 2.10.1 Determining Security Service Scenarios.
The following example describes how to configure a default security policy that uses all profiles
in order to control the Internet access rights of a private network user group named research.
The research user group has been created during 2.10.3 Managing Intranet Users. For details
about security policies, see 13.1.6 Configuring a Security Policy.
NOTE
The device has default security policy templates for common office scenarios. You can select an existing template when creating a security policy (choose Policy > Security Policy > Security Policy > Add), and the device automatically configures settings such as application category, time range, action, and content security measures.
Procedure
Step 1 Configure an antivirus profile.
1. Choose Object > Security Profiles > Anti-Virus.
2. Click the default antivirus profile named default and verify its details. If you have no special
requirements, directly select it.
3. Click OK.
Name | default
3. Click OK.
Name | rule1
Application | all
File Type | Select Document File, Compressed File, and Code File.
Direction | Upload
Action | Block
4. Click OK.
5. In File Blocking Rule, click Add again. In the dialog box that is displayed, create a rule
that forbids users to download executable files, compressed files, or audio and video files.
See the following table for the parameters related to creating this rule.
Name | rule2
Application | all
File Type | Select Executable File, Compressed File, and Video and Audio File.
Direction | Download
Action | Block
Name | rule1
Application | all
Direction | Upload
Action | Alert
Name | default
3. Click OK.
Action | Block
4. Click OK.
5. Choose Object > Security Profiles > Mail Filtering > Mail Content Filtering.
6. Click Add. In the dialog box that is displayed, set parameters based on the following table.
Use the default values for other parameters.
Name | default
7. Click OK.
Step 8 Configure a security policy and associate security configurations with data flows.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add. In the dialog box that is displayed, set parameters based on the following table.
Use the default values for other parameters.
Name | policy_sec_research
User | research
Service | any
Application | any
Schedule | any
Action | Permit
Content Security
Anti-Virus | default
3. Click OK.
----End
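To show what the classification in the Context section and the policy_sec_research policy above amount to at evaluation time, here is an added example (not part of this guide, not Huawei code) of first-match security policy evaluation: a flow is described by its zones, user, service, and application, the ordered policy list is walked top-down, the first policy whose every condition matches supplies the action and the attached content security profiles, and a flow that matches nothing is denied. The second policy (policy_dmz_web) and the implicit default-deny at the end of the list are assumptions of this illustration; only policy_sec_research and its Anti-Virus profile name come from the procedure.

```python
from dataclasses import dataclass, field

ANY = "any"


@dataclass
class SecurityPolicy:
    name: str
    src_zone: str = ANY
    dst_zone: str = ANY
    user: str = ANY
    service: str = ANY
    application: str = ANY
    action: str = "permit"
    # content security profiles attached to permitted traffic
    profiles: dict = field(default_factory=dict)


@dataclass
class Traffic:
    """The attributes a flow has been classified by."""
    src_zone: str
    dst_zone: str
    user: str
    service: str
    application: str


def _hit(condition, value):
    return condition == ANY or condition == value


def matches(policy, traffic):
    return (_hit(policy.src_zone, traffic.src_zone)
            and _hit(policy.dst_zone, traffic.dst_zone)
            and _hit(policy.user, traffic.user)
            and _hit(policy.service, traffic.service)
            and _hit(policy.application, traffic.application))


def evaluate(policies, traffic):
    """Return (policy name, action, profiles) of the first matching policy.

    Traffic that matches no policy is denied; profiles are only meaningful
    for permitted traffic, since denied traffic is never inspected.
    """
    for policy in policies:
        if matches(policy, traffic):
            return policy.name, policy.action, dict(policy.profiles)
    return "default", "deny", {}


def sample_policies():
    """Constructed policy list following the traffic classification above."""
    return [
        # research group in Trust -> Internet in Untrust, as configured above
        SecurityPolicy("policy_sec_research", src_zone="trust", dst_zone="untrust",
                       user="research", action="permit",
                       profiles={"anti-virus": "default"}),
        # Internet users -> a DMZ web server, web traffic only (assumed name)
        SecurityPolicy("policy_dmz_web", src_zone="untrust", dst_zone="dmz",
                       service="http", action="permit"),
    ]
```

Because evaluation stops at the first hit, policy order is part of the security design: a broad permit placed above a narrow deny silently cancels the deny. Keeping per-department and per-server policies specific (zones plus user or service) is what lets the implicit deny at the end catch everything that was not planned for.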
Most network devices determine how to forward packets based on routing tables (that is, a
routing table mechanism). In the routing table mechanism, the destination IP address is a primary
criterion that indicates the destination to which packets will be forwarded.
As a mechanism used to make routing decisions based on the defined policies, PBR provides
more factors that determine how to forward packets, thereby controlling packet forwarding more
flexibly. These factors include the inbound interface, source and destination security zones,
source and destination IP addresses, users, services, and applications. PBR takes precedence
over but does not replace the routing table mechanism. PBR helps forward traffic of some special
services.
As shown in Figure 2-14, an enterprise connects to the Internet through two ISP links. An
administrator can configure PBR to properly use the two links as follows:
• User or IP address-based routing: allows certain users or IP addresses to use only a specified ISP link. For example, departments that require high access speed connect to the Internet through ISP1 (higher bandwidth), and other departments connect to the Internet through ISP2 (lower bandwidth).
• Application or protocol-based routing: allows service traffic of certain applications or protocols to pass only through a specified ISP link. For example, the traffic of voice and video applications passes through ISP1, and the traffic of data applications passes through ISP2.
Figure 2-14 (not reproduced): an intranet connected to the Internet through two ISP links, ISP1 and ISP2.
To add a PBR entry, choose Network > Router > Intelligent Uplink Selection and click the Policy Route tab. For details, see 17 PBR.
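The precedence rule above ("PBR takes precedence over but does not replace the routing table") is easiest to see in code. The following added example (not part of this guide, not Huawei code) checks an ordered list of policy routes on the match fields the text names (inbound interface, zones, source and destination address, user, application) and only falls back to a longest-prefix-match routing table lookup when no policy route matches. The interface name, next-hop addresses, prefixes and application names are constructed.

```python
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass
class Packet:
    in_iface: str
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    user: str = ""
    application: str = ""


@dataclass
class PolicyRoute:
    name: str
    next_hop: str
    in_iface: str = ANY
    src_zone: str = ANY
    dst_zone: str = ANY
    src_net: str = ANY
    dst_net: str = ANY
    user: str = ANY
    application: str = ANY


def _eq(cond, value):
    return cond == ANY or cond == value


def _in_net(cond, ip):
    return cond == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(cond)


def pbr_lookup(policy_routes, pkt):
    """First policy route whose conditions all match, or None."""
    for r in policy_routes:
        if (_eq(r.in_iface, pkt.in_iface) and _eq(r.src_zone, pkt.src_zone)
                and _eq(r.dst_zone, pkt.dst_zone) and _in_net(r.src_net, pkt.src_ip)
                and _in_net(r.dst_net, pkt.dst_ip) and _eq(r.user, pkt.user)
                and _eq(r.application, pkt.application)):
            return r.name, r.next_hop
    return None


def rib_lookup(rib, dst_ip):
    """Ordinary routing table lookup: the longest matching prefix wins."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in rib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return ("routing-table", best[1]) if best else None


def forward(policy_routes, rib, pkt):
    """PBR is consulted first; the routing table is the fallback."""
    return pbr_lookup(policy_routes, pkt) or rib_lookup(rib, pkt.dst_ip)


# constructed next hops: ISP1 link, ISP2 link, intranet core router
ISP1, ISP2, CORE = "203.0.113.1", "198.51.100.1", "10.0.0.254"

POLICY_ROUTES = [
    PolicyRoute("voice_to_isp1", ISP1, dst_zone="untrust", application="voice"),
    PolicyRoute("video_to_isp1", ISP1, dst_zone="untrust", application="video"),
    # R&D department (10.1.0.0/16, assumed) gets the faster link; dst_zone
    # keeps intranet-bound traffic from being pulled onto the ISP link
    PolicyRoute("rd_to_isp1", ISP1, dst_zone="untrust", src_net="10.1.0.0/16"),
]

# routing table: default route via ISP2, intranet via the core router
RIB = [("0.0.0.0/0", ISP2), ("10.0.0.0/8", CORE)]
```

The dst_zone condition on rd_to_isp1 is the caveat worth remembering: a policy route that matches only on source address would also capture R&D traffic destined for the intranet and hand it to ISP1, because PBR is consulted before the routing table ever sees the 10.0.0.0/8 route.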
Many enterprises have dispersed branches and want to connect them together securely. Using traditional leased lines is costly and inflexible. VPN was proposed to resolve this branch interconnection issue facing enterprises.
VPN technology securely connects different private networks across the Internet, eliminating
the need to deploy dedicated networks and therefore reducing deployment costs. VPN
technology has the following characteristics:
• Private: VPN users feel no difference in using VPNs or traditional private networks. The resources in a VPN are separated from the resources in the underlying bearer network and cannot be used by users in other VPNs. VPNs also offer sufficient security measures to ensure that internal information is free from external interference.
• Virtual: Users in a VPN communicate with each other through public networks (often called VPN backbone networks). These public networks are used by other non-VPN users at the same time. As such, VPN users actually obtain a logical private network.
VPN is also easy to deploy and therefore supports mobile workstyle requirements in new network
buildouts.
Different VPN networks are built, depending on network environments and communications
requirements. VPN networks are generally classified into the following two types:
• Site-to-site VPN
Figure (not reproduced): a VPN tunnel between Network 1 and Network 2.
A site-to-site VPN has a VPN tunnel established between two LANs (for example, networks 1 and 2 in the figure above). Networks 1 and 2 use fixed gateways to connect to the Internet. They can send access requests to each other. Site-to-site VPNs apply to chain supermarkets, government agencies, and banks.
Site-to-site VPNs often use the following technologies:
– IPSec: implements tunnel encryption and protects data security.
– L2TP: implements user authentication. However, tunnel encryption is not supported.
– L2TP over IPSec: combines L2TP with IPSec and therefore implements both tunnel encryption and user authentication.
– GRE over IPSec: encapsulates and encrypts multicast data. Multicast data is encapsulated using GRE and then IPSec, because IPSec cannot directly encapsulate multicast data.
– DSVPN: establishes tunnels dynamically between branches to implement direct communication between branch users.
• Client-to-site VPN
Figure (not reproduced): a VPN tunnel between a client and the intranet.
A client-to-site VPN has a VPN tunnel established between the client and the intranet. The IP address of the client is fixed, and access requests are sent only from the client to the intranet, but not from the intranet to the client. Client-to-site VPNs apply to employees on the move or at branches who use smartphones or laptops to access the headquarters.
Client-to-site VPNs often use the following technologies:
– SSL VPN: uses a web browser to access VPNs, eliminating the need to install a client. SSL VPNs feature easy and flexible usage and refined rights control.
– IPSec (IKEv2): implements tunnel encryption and user authentication. The client must support the Internet Key Exchange (IKEv2) protocol.
– L2TP: implements user authentication. However, tunnel encryption is not supported.
– L2TP over IPSec: combines L2TP with IPSec and therefore implements both tunnel encryption and user authentication.
User experience will be seriously affected if bandwidth is not available on the network.
Therefore, it is important to control the bandwidth and number of connections over the network.
Bandwidth usage increases as the P2P traffic and number of intranet users rise. Increasing
demands for bandwidth, however, cannot be satisfied by adding network bandwidth unlimitedly.
Proper bandwidth allocation and control are required to ensure optimal user experience.
You can configure bandwidth policies to perform bandwidth management on network devices.
Bandwidth management includes the following means:
• Guaranteed bandwidth
Sufficient bandwidth is reserved for key services. When the traffic is heavy, the system discards the packets of non-critical services based on the available bandwidth and system processing capability.
• Bandwidth limit
The bandwidth for non-critical services is limited to prevent non-critical services from using too much bandwidth.
• Connection limit
The maximum number of service connections can be set to ensure efficient use of session resources and prevent a specific service from overusing bandwidth resources.
• Controls the guaranteed bandwidth and maximum bandwidth in the upstream and downstream directions of a flow.
• Controls the maximum bandwidth for each IP address or user involved in a flow.
• Controls the maximum number of concurrent connections for a flow.
• Controls the maximum number of concurrent connections for each IP address or user involved in a flow.
• Reprioritizes the packets in a flow to enable the next hop to process the flow based on the priorities.
• Controls the maximum receive bandwidth and transmit bandwidth of an interface.
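To show how guaranteed bandwidth, bandwidth limit and connection limit interact on a congested link, here is an added example (not part of this guide, not Huawei code). Capacity is handed out in two passes: every flow first receives its guaranteed share (capped by what it actually demands), and only the remainder is shared, in small round-robin steps, among flows that still want more, never beyond each flow's maximum. A second function enforces a per-IP concurrent connection limit. The link capacity, flow names, limits and demands are constructed; the two-pass scheme is an illustration, not the device's scheduler.

```python
from dataclasses import dataclass


@dataclass
class FlowPolicy:
    name: str
    guaranteed: int   # Mbit/s reserved for this flow (0 = nothing reserved)
    maximum: int      # Mbit/s cap for this flow (bandwidth limit)
    demand: int       # Mbit/s the flow is currently trying to send


def allocate(capacity, flows):
    """Return {flow name: Mbit/s granted} for one congested interval."""
    grant = {}
    remaining = capacity
    # Pass 1: guaranteed bandwidth, but never more than the flow demands.
    for f in flows:
        g = min(f.guaranteed, f.demand, remaining)
        grant[f.name] = g
        remaining -= g
    # Pass 2: share the leftover in 1 Mbit/s round-robin steps among flows
    # that still want more, stopping each flow at min(maximum, demand) so a
    # non-critical flow (for example P2P) cannot grab the whole remainder.
    progress = True
    while remaining > 0 and progress:
        progress = False
        for f in flows:
            if remaining > 0 and grant[f.name] < min(f.maximum, f.demand):
                grant[f.name] += 1
                remaining -= 1
                progress = True
    return grant


def admit(connections, src_ip, per_ip_limit):
    """Connection limit per IP address: True if a new session may be
    created for src_ip, False if it would exceed per_ip_limit. The
    connections dict (src_ip -> open session count) is updated on admit."""
    current = connections.get(src_ip, 0)
    if current >= per_ip_limit:
        return False
    connections[src_ip] = current + 1
    return True


def sample_flows():
    """Constructed flows competing for a 100 Mbit/s link."""
    return [
        FlowPolicy("voip", guaranteed=20, maximum=30, demand=25),
        FlowPolicy("web", guaranteed=30, maximum=80, demand=90),
        FlowPolicy("p2p", guaranteed=0, maximum=20, demand=200),
    ]
```

With the sample flows on a 100 Mbit/s link the result is voip 25, web 55, p2p 20: the P2P flow, which demands 200 Mbit/s, is held to its 20 Mbit/s limit while VoIP gets everything it asks for, which is exactly the behaviour the guaranteed bandwidth and bandwidth limit settings are meant to produce.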
Prerequisites
You have downloaded the latest system software from http://support.huawei.com/
enterprise to the administrator PC.
Context
The system restarts after the upgrade. Therefore, upgrade the system software only in off-peak
hours.
Each officially released system software version has a set of release documents, which describe
the updates in the new version, upgrade procedures, and precautions. Download the release
documents when you download the system software, and read them carefully before the upgrade.
The upgrade operations described in this section are general operations. During the system
upgrade, follow the operations described in the upgrade guide for the system software that you
use.
Procedure
Step 1 Choose System > System Upgrade.
Step 3 Click Export to export the log information, alarm information, and profiles to the administrator
PC for a backup.
Step 4 Click Browse, and locate the latest system software file on the administrator PC.
The system uploads the system software and sets it as the next startup software. When the setting
is complete, the system restarts.
----End
Context
The system has the following default roles:
• System-admin
The system-admin role has full system rights. An administrator of this type can create other administrators and perform advanced operations such as changing passwords. The system-admin administrator cannot be deleted.
The default user admin is a system-admin administrator and has full system rights. The initial password of admin is Admin@123. You are advised to change this password during the initial configuration.
• device-admin
The device-admin role has fewer rights than the system-admin role. The device-admin role can perform most system operations except advanced operations such as creating administrators. For the sake of security, you are advised to create a device-admin administrator to perform feature configuration and service maintenance.
• device-admin (monitor)
The device-admin (monitor) administrator can only query system configuration information and running status. You can create an administrator of this type to query logs and reports and perform routine maintenance.
• audit-admin
The audit-admin administrator can only perform traffic auditing.
The system-admin administrator can define roles. For more information about administrators
and roles, see 5.2 Administrators.
Procedure
Step 1 Choose System > Admin > Administrator.
Step 2 Click Add, and create a device-admin administrator based on the following data.
Password Admin_device@123
Role device-admin
Step 4 Click Add, and create a device-admin (monitor) administrator based on the following data.
Password Admin_read@123
Step 5 Click Add, and create an audit-admin administrator based on the following data.
Password Admin_audit@123
Role audit-admin
----End
An attacker uses zombie hosts to send a large number of malicious attack packets to a target.
When the network links to the target are congested and system resources are exhausted, the target
fails to provide services to its intended users.
The servers (DNS servers and web servers) deployed in large and midsize enterprises and data centers are exposed to DDoS attacks, such as SYN flood, UDP flood, ICMP flood, HTTP flood, HTTPS flood, DNS flood, and SIP flood. The NGFW provides the following mechanisms to defend against DDoS attacks:
• Threshold-based control
A DDoS attack succeeds when the attack traffic volume exceeds the server's processing capability. With traffic thresholds specified, the NGFW discards packets once the traffic volume reaches the thresholds, ensuring that the traffic to be processed stays within the server's capability (for details, see 22.1.4.1 Configuring Anti-DDoS).
• Packet validity check
To evade checks, DDoS attackers always construct packets and use forged IP addresses. The NGFW checks the authenticity and validity of received packets and filters out invalid packets. This decreases the traffic volume while ensuring continuous transmission of valid packets.
The NGFW performs packet validity checks when the traffic volume has reached the threshold. For details about how the checks work for each type of attack, see 22.1.3.1 DDoS Attack Defense.
It is important to set appropriate thresholds when deploying DDoS attack defense. To help you deploy it, the NGFW provides a threshold learning function in addition to default thresholds. With threshold learning, the NGFW automatically calculates an appropriate threshold from traffic data observed under normal conditions. Beginners can use this function to determine the thresholds. For details about the threshold learning function, see 22.1.3.2 DDoS Attack Defense Threshold.
In addition to DDoS attack defense, the NGFW provides defense against traditional single-packet attacks and scanning attacks. However, these types of attacks can be easily prevented because server OS security has been enhanced. Therefore, you do not need to deploy defense against single-packet attacks or scanning attacks on the NGFW. For details about the mechanisms of single-packet attack defense and scanning attack defense, see 22.1.3.3 Single-Packet Attack Defense. For details about how to configure these defenses, see 22.1.4.2 Configuring the Defense Against Single-Packet Attacks.
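The following added example (not part of this guide, not Huawei code) illustrates the two ideas above, threshold learning and threshold-based control, on constructed per-second packet counts. The learning rule used here, the peak rate observed under normal conditions plus a tolerance margin, is an assumption chosen for the illustration; the NGFW's own learning algorithm is not described on this page. The control function forwards at most the threshold's worth of packets per second and discards the excess, and a third function reports when the rate has reached the threshold, which is the point at which the text says packet validity checks begin.

```python
def learn_threshold(baseline_pps, tolerance=0.5):
    """Derive a packets-per-second threshold from normal-condition samples.

    Uses the peak of the baseline (so ordinary bursts stay below the
    threshold) plus a margin for growth. The rule is an illustration;
    a real deployment learns over a long, representative period.
    """
    if not baseline_pps:
        raise ValueError("no baseline samples to learn from")
    return int(max(baseline_pps) * (1 + tolerance))


def at_threshold(pps, threshold):
    """True when the rate has reached the threshold and the more expensive
    packet validity checks should be applied to this traffic."""
    return pps >= threshold


def control(samples_pps, threshold):
    """Apply threshold-based control to a series of per-second rates.

    Returns (forwarded, discarded) packet totals: up to the threshold is
    forwarded in each second, the excess is discarded, so the load that
    reaches the server never exceeds what the threshold represents.
    """
    forwarded = discarded = 0
    for pps in samples_pps:
        forwarded += min(pps, threshold)
        discarded += max(0, pps - threshold)
    return forwarded, discarded


# Constructed samples: SYN packets per second toward one server.
BASELINE_PPS = [800, 950, 1200, 1000, 900]        # a quiet learning window
LIVE_PPS = [1000, 5000, 1500, 20000]              # later, including a flood


def demo():
    """Learn from the baseline, then control the live samples."""
    threshold = learn_threshold(BASELINE_PPS)
    return threshold, control(LIVE_PPS, threshold)
```

With these samples the learned threshold is 1800 pps; over the live window 6100 packets are forwarded and 21400 discarded, all of them from the two seconds that exceed the threshold. The caveat a practitioner should keep in mind is that the baseline must genuinely be attack-free: learning during an attack bakes the attack into the threshold.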
Blacklist
The blacklist feature discards the packets that match the listed entries. Compared with policy-based packet filtering, the blacklist feature is simpler and easier to use. It can be used to rapidly filter out packets from specific users or IP addresses.
The blacklist feature uses simple matching conditions and therefore increases processing efficiency. Applied in the initial phase of packet processing, it filters out a large number of risky packets at an early stage.
Generally, traditional firewalls perform packet filtering only based on source IP addresses. The
NGFW offers packet filtering based on users, source IP addresses, or destination IP addresses.
For details about the blacklist feature, see 22.3 Blacklist. For details about how to configure this
feature, see 22.3.2 Configuring the Blacklist Using the Web UI.
IP-MAC Binding
The IP-MAC binding feature applies to layer-2 networking. It prevents users from changing the
host IP addresses. If this feature is enabled, the NGFW checks the mapping between the source
IP address and source MAC address carried in a packet. The NGFW will discard the packet if
the check fails. For details about the IP-MAC binding feature, see 22.4 IP-MAC Binding.
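The blacklist and IP-MAC binding checks both run early, before policy matching. The following added example (not part of this guide, not Huawei code) models that early filter stage: blacklist entries are matched on user, source IP address, or destination IP address, as the text describes for the NGFW, and the binding table records the only MAC address allowed to use each bound IP address. A packet that fails either check is dropped without ever reaching the security policy lookup; unbound addresses pass the IP-MAC check. The entries and packets are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_mac: str
    user: str = ""      # empty when the source has not authenticated


class EarlyFilter:
    """Blacklist and IP-MAC binding, applied before policy matching."""

    def __init__(self, blacklist_users=(), blacklist_src=(), blacklist_dst=(),
                 bindings=None):
        self.bl_users = set(blacklist_users)
        self.bl_src = set(blacklist_src)
        self.bl_dst = set(blacklist_dst)
        # ip address -> the single MAC address bound to it
        self.bindings = {ip: mac.lower() for ip, mac in (bindings or {}).items()}

    def check(self, pkt):
        """Return 'pass' or 'drop:<reason>' naming the stage that dropped it."""
        if pkt.user and pkt.user in self.bl_users:
            return "drop:blacklist-user"
        if pkt.src_ip in self.bl_src:
            return "drop:blacklist-src"
        if pkt.dst_ip in self.bl_dst:
            return "drop:blacklist-dst"
        bound_mac = self.bindings.get(pkt.src_ip)
        if bound_mac is not None and bound_mac != pkt.src_mac.lower():
            return "drop:ip-mac-mismatch"
        return "pass"


def sample_filter():
    """Constructed blacklist entries and a two-host binding table."""
    return EarlyFilter(
        blacklist_users=["contractor7"],
        blacklist_src=["10.1.1.99"],
        blacklist_dst=["198.51.100.200"],
        bindings={"10.1.1.10": "00:1a:2b:3c:4d:10",
                  "10.1.1.11": "00:1a:2b:3c:4d:11"},
    )
```

The order of the checks matters for the efficiency argument the text makes: the set lookups cost the same for every packet regardless of how many policies are configured, so the bulk of unwanted traffic is rejected before the per-packet cost of policy evaluation is paid.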
22.7 URPF | The Unicast Reverse Path Forwarding (URPF) feature prevents source address spoofing.
22.8 GTP | The GPRS Tunneling Protocol (GTP) feature implements secure packet data transmission over the General Packet Radio Service (GPRS) network.
The logs and reports of each service module help administrators learn about user activities,
maintain system security, monitor network running in real time, diagnose network faults, and
identify potential security risks so that administrators can prepare appropriate control policies.
The following table lists various types of logs and how they guide administrators through system
security maintenance.
Traffic log
  Content: Source and destination IP addresses, source users, applications and protocols, and whether security and bandwidth policies take effect.
  Usage: If administrators detect source users, source and destination IP addresses, or applications for which heavy traffic is generated, they can take the following measures:
    • Add the source users and the source and destination IP addresses to the blacklist.
    • Change security policies for the related users.
    • Change the matching conditions and actions for security or bandwidth policies.
Threat log
  Content: Threat types and names, IP addresses of attackers and victims, users, applications and protocols, and matched security policies and profiles.
  Usage: Administrators can take the following measures as required:
    • Add attackers' IP addresses and users to the blacklist.
    • Change security policies or modify the content defined in security profiles.
URL log
  Content: Visited URLs, URL categories, matched security policies, and URL filter profiles.
  Usage: Administrators can take the following measures as required:
    • If some users or source IP addresses visit non-work-related websites, add the source IP addresses to the blacklist or change these users' security policies.
    • If certain URLs are blocked by mistake, change security policies or modify the content defined in security profiles.
Content log
  Content: Names and types of files transmitted by users, and the security policies and profiles matching the transmitted files and data.
  Usage: Based on the alarms generated during transmission, blocked files and data, and user behaviors, administrators can take the following measures:
    • Add the related source and destination IP addresses to the blacklist or change these users' security policies.
    • Change security policies or modify the content defined in security profiles.
System log
  Content: System alarms, user logins and logouts, system running, and blacklist information.
  Usage: This type of log helps administrators learn the device running status and locate faults, if any.
User activity log
  Content: Active users and their home groups, IP and MAC addresses used for user logins, users' authentication and access modes, users' online and lockout durations, and users' activities and results.
  Usage: This type of log helps administrators monitor user activities and login exceptions on the current network and analyze the reasons for failed user activities, so that they can modify user settings or take other measures.
Policy matching log
  Content: Traffic attributes, such as source and destination IP addresses, source users, applications, and protocols, and matched security policies.
  Usage: This type of log helps administrators learn which users and applications generate traffic and the status of matched policies, so that they can determine whether these policies are correct and change any inappropriate policies.
Mail filtering log
  Content: Type and filtering type of mail filtering, and traffic attributes such as source and destination zone, source addresses, destination users, source port, and destination port.
  Usage: This type of log helps administrators learn the status of mail filtering, so that they can determine whether these policies are correct and change any inappropriate policies.
The following table lists various types of reports and how they guide administrators through
system security maintenance.
Traffic report
  Content: Traffic trends and rankings in terms of the following dimensions: Source Address, Destination Address, User, Application, Application Category, and Application Sub Category.
  Usage: By viewing traffic logs and reports, administrators can learn which users, applications, and source and destination IP addresses have generated excessive traffic within a specified period, and which security and bandwidth policies were matched. This information helps administrators prepare appropriate traffic management policies.
Threat report
  Content: Threat count trends and rankings in terms of the following dimensions: Threat Type, Application, User, Attacker, Victim, Threat Name, Virus Name, and Attack Defense.
  Usage: By viewing threat logs and reports, administrators can learn the most common threat categories and application categories, and the regular network attackers and victims. This information helps administrators take appropriate security measures.
URL report
  Content: URL access count trends and rankings in terms of the following dimensions: URL Category, Website, User, Source Address, and Destination Address.
  Usage: By viewing URL logs and reports, administrators can learn which URLs are frequently visited by intranet users and the categories of these URLs. This information helps administrators prepare appropriate URL filter policies.
File blocking report
  Content: File blocking match count trends and rankings in terms of the File Type dimension.
  Usage: By viewing file blocking logs and reports, administrators can learn which file types are commonly transferred on the network and make file blocking policies accordingly.
Data filtering report
  Content: Data filtering match count trends and rankings in terms of the Keyword Group dimension.
  Usage: By viewing data filtering logs and reports, administrators can learn which keywords are commonly used in files and applications and make data filtering policies accordingly.
Policy matching report
  Content: Policy matching count trends and rankings in terms of Security Policy.
  Usage: By viewing policy matching logs and reports, administrators can learn the match count of each policy. This information helps administrators analyze whether policies take effect so they can formulate better policies based on the analysis results. If a fault occurs, an administrator can observe the match count of each policy: if the match count of a policy increases, that policy is matching the traffic, which helps the administrator locate incorrect settings.
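The rankings in the traffic and threat reports above are aggregations over the corresponding logs. The following added example (not part of this guide, not Huawei code) builds such rankings from constructed log lines: the key=value line layout below is invented for the illustration and is not the NGFW's real log format (the Log Reference documents that), and the addresses, users and applications are sample values. It parses the records, sums bytes by any traffic dimension (user, application, source or destination address) and counts threats by attacker, which is exactly what the Traffic report and Threat report rankings present.

```python
from collections import Counter

# Constructed sample log lines; not the NGFW's real log format.
SAMPLE_LOGS = """\
type=traffic src=10.1.1.10 dst=198.51.100.7 user=alice app=http bytes=52000 policy=policy_sec_research
type=traffic src=10.1.1.11 dst=198.51.100.9 user=bob app=p2p bytes=910000 policy=policy_sec_research
type=traffic src=10.1.1.10 dst=198.51.100.9 user=alice app=p2p bytes=300000 policy=policy_sec_research
type=threat src=203.0.113.66 dst=10.2.0.5 threat=syn_flood user= app=tcp action=block
type=threat src=203.0.113.66 dst=10.2.0.5 threat=port_scan user= app=tcp action=alert
type=threat src=203.0.113.77 dst=10.2.0.8 threat=syn_flood user= app=tcp action=block
type=traffic src=10.1.1.12 dst=198.51.100.7 user=carol app=http bytes=8000 policy=policy_sec_research
"""


def parse(text):
    """Turn key=value lines into a list of dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = {}
        for token in line.split():
            key, _, value = token.partition("=")
            rec[key] = value            # an empty value (user=) stays empty
        records.append(rec)
    return records


def traffic_ranking(records, dimension, top=3):
    """Top-N entries of a traffic report dimension by total bytes.

    dimension is one of the record keys, e.g. "user", "app", "src", "dst".
    """
    totals = Counter()
    for r in records:
        if r.get("type") == "traffic":
            totals[r.get(dimension, "")] += int(r.get("bytes", 0))
    return totals.most_common(top)


def threat_ranking(records, dimension="src", top=3):
    """Top-N attackers (dimension="src"), victims ("dst") or threat names
    ("threat") by number of threat log records."""
    counts = Counter(r.get(dimension, "")
                     for r in records if r.get("type") == "threat")
    return counts.most_common(top)
```

In the sample, the user ranking puts bob first and the application ranking shows P2P dwarfing web traffic, which is the signal the text describes as the trigger for blacklisting or tightening a user's policy; the threat ranking singles out 203.0.113.66 as the repeat attacker.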
Related Documentation
Obtain the related documentation from http://support.huawei.com/enterprise. The following table lists the related documentation.
Documentation | Description
Quick Start | This document describes how to quickly install and initialize the NGFW and applies to the initial device deployment.
Hardware Guide | This document describes the product hardware and how to install and maintain it.
Troubleshooting | This document describes how to locate and troubleshoot common faults that may occur during device running.
Command Reference | This document describes all the commands that the NGFW supports and how to use them to configure and maintain the NGFW.
Log Reference | This document describes all the logs that the NGFW may generate, including log meanings, log parameter descriptions, generation reasons, and handling suggestions. Logs help administrators track device running, analyze network status, and locate fault causes, providing a sound basis for fault diagnosis and device maintenance.
Alarm Reference | This document describes all the alarms related to the NGFW, including alarm meanings, attributes, parameters, influence on the system, possible causes, handling methods, clearance methods, and references.
Debugging Reference | This document describes the methods for using common debugging commands and provides sample debugging output as well as solutions. The debugging commands are used to track service running status and function as important tools for maintaining the NGFW and locating faults.
Glossary | This document lists all the terms, acronyms, and abbreviations used in all the related documentation.
Online Help
When using the NGFW, you can click Help in the upper right corner on the web interface to
obtain the entire online help or click the question mark in the upper right corner in the dialog
box to obtain the help topic for the current page. The online help provides common procedures
and parameter descriptions for the current page.
To quickly browse and toggle between help topics, use the help tree.
To quickly locate the desired task in the current help topic, click the link for the task under the
help topic.
Technical Support
If you have encountered any problems that you cannot resolve by referring to the related
documentation, contact technical support personnel in the local branch offices of Huawei.
For contacts in the local branch offices of Huawei, visit the following website: http://support.huawei.com/enterprise
3 Wizard
By default, the Welcome to Startup Wizard page is displayed after the successful login. If you do not want to
enter the Startup Wizard page after login, select Do not display this page upon the next login on the lower
left of the page. Upon the next login, the Dashboard page is directly displayed.
----End
Basic Configuration
Step 1 In Basic Configuration, enter or select parameters listed in Table 3-1.
Parameter | Description
Host Name | Indicates the name of the device. The host name appears in the command prompt and can be modified as required.
Old Password | Enters the old password. After you select Change Administrator Password, Old Password becomes available.
New Password | Enters the new password. After you select Change Administrator Password, New Password becomes available.
Confirm | Enters the new password again. Ensure that the two new passwords you entered are consistent. After you select Change Administrator Password, Confirm becomes available.
----End
Time Settings
Step 1 In Time Settings, enter or select parameters listed in Table 3-2.
Parameter | Description
Time Zone | Selects the time zone in which the device is located from the drop-down list.
Automatically adjust clock for daylight saving time (DST) | After this item is selected, the system automatically adjusts the clock for DST.
Start Time | Indicates the start time of DST. This item is displayed after Automatically adjust clock for daylight saving time (DST) is selected.
End Time | Indicates the end time of DST. This item is displayed after Automatically adjust clock for daylight saving time (DST) is selected.
Offset Time | Indicates the offset time of the system in the DST mechanism. This item is displayed after Automatically adjust clock for daylight saving time (DST) is selected. For example, set the Start Time to 08:00:00 on the first Monday in August, End Time to 10:00:00 on the first Monday in October, and Offset Time to 01:00:00. At 08:00:00 on the first Monday in August, the system time is automatically changed to 09:00:00. At 10:00:01 on the first Monday in October, the system time is automatically changed to 09:00:01.
----End
WAN Mode
Select the Internet access mode based on the information supplied by the network service
provider. Internet access parameters vary with different access modes.
Step 1 In WAN Mode, select the Internet access mode, as shown in Table 3-3.
Parameter Description
PPPoE: Applies if you obtain a user name and password from the network service provider.
----End
WAN Settings
Step 1 Enter or select parameters according to the Internet access mode.
l Table 3-4 shows parameters for access to the Internet through a static IP address.
Parameter Description
Subnet Mask: Indicates the subnet mask of the interface for accessing the Internet. The value is supplied by the network service provider and is in 255.x.x.x format.
Default Gateway: Indicates the IP address of the default gateway on the interface for accessing the Internet. Packets from intranet users to the Internet are sent to the default gateway through the interface for accessing the Internet, and the default gateway then forwards them. The value is supplied by the network service provider and is in dotted decimal notation (for example, 1.1.1.254).
Primary DNS Server: Indicates the IP address of the primary DNS server. LAN hosts generally access websites by domain name, so you need to specify the IP address of the DNS server. The value is supplied by the network service provider.
Secondary DNS Server: Indicates the IP address of the secondary DNS server. When the primary DNS server is faulty, the device uses the secondary DNS server for domain name resolution. The value is supplied by the network service provider.
l Table 3-5 shows parameters for access to the Internet through DHCP.
Parameter Description
Interface: The interface for accessing the Internet serves as the DHCP client and attempts to obtain an IP address from the network service provider (DHCP server).
l Table 3-6 shows parameters for access to the Internet through PPPoE.
Parameter Description
User Name: Indicates the user name used for identity authentication for access in PPPoE mode. The value is supplied by the network service provider.
Obtain an IP Address Automatically: Indicates that the interface for accessing the Internet automatically obtains an IP address from the network service provider.
Use the Following IP Address: Manually sets the IP address of the interface for accessing the Internet.
----End
LAN Settings
Step 1 In LAN Settings, enter or select parameters listed in Table 3-7.
Parameter Description
Subnet Mask: Indicates the subnet mask of the interface connecting to the LAN.
----End
Table 3-8 Parameter description of configuring the DHCP service on the LAN
Parameter Description
Enable DHCP Server on LAN: After the DHCP service on the LAN is enabled, users on the LAN can automatically obtain IP addresses ranging from the start IP address to the end IP address.
Start IP Address: Indicates the start IP address of the IP addresses assigned to DHCP clients. By default, the system takes the address range of the interface's subnet as the assignable IP address range. For example, if the IP address of an interface is 192.168.1.5 255.255.255.0 and you create a DHCP server on the interface, the system sets Start IP Address to 192.168.1.1 and End IP Address to 192.168.1.254 by default. Because 192.168.1.5 is the IP address of the interface, it will not be assigned. When the assignable IP address range differs from the default value, you can directly specify the Start IP Address and End IP Address.
End IP Address: Indicates the end IP address of the IP addresses assigned to DHCP clients.
----End
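The default DHCP pool rule from Table 3-8, worked through as an added Python example (not code from the guide or the device): the pool spans the interface subnet from the first to the last host address, the interface's own address is never handed out, and a custom Start/End range is assumed to have to lie inside the interface subnet.

```python
import ipaddress
from typing import Iterator, Optional, Tuple


def default_dhcp_pool(interface_ip: str, mask: str) -> Tuple[str, str]:
    """Default Start IP Address / End IP Address derived for a LAN interface.

    The pool covers the interface's subnet from the first to the last host
    address; the interface's own address is skipped at assignment time rather
    than by shrinking the range.
    """
    net = ipaddress.IPv4Interface(f"{interface_ip}/{mask}").network
    if net.prefixlen > 30:  # /31 and /32 leave no host range to hand out
        raise ValueError(f"{net} has no usable host range for a DHCP pool")
    return str(net[1]), str(net[-2])


def assignable_addresses(interface_ip: str, mask: str,
                         start: Optional[str] = None,
                         end: Optional[str] = None) -> Iterator[str]:
    """Yield every address the DHCP server on this interface may assign.

    Without start/end the default pool is used. A custom range must lie
    inside the interface subnet (an assumed check; the guide only says the
    range may be specified directly). The interface's own address is never
    yielded.
    """
    iface = ipaddress.IPv4Interface(f"{interface_ip}/{mask}")
    if start is None or end is None:
        start, end = default_dhcp_pool(interface_ip, mask)
    lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if lo not in iface.network or hi not in iface.network or lo > hi:
        raise ValueError(
            f"pool {start}-{end} is not a valid range inside {iface.network}")
    for n in range(int(lo), int(hi) + 1):
        addr = ipaddress.IPv4Address(n)
        if addr != iface.ip:
            yield str(addr)


def pool_size(interface_ip: str, mask: str,
              start: Optional[str] = None, end: Optional[str] = None) -> int:
    """Number of addresses the server can actually hand out."""
    return sum(1 for _ in assignable_addresses(interface_ip, mask, start, end))


if __name__ == "__main__":
    # The guide's own example: interface 192.168.1.5 255.255.255.0
    print(default_dhcp_pool("192.168.1.5", "255.255.255.0"))
    print(pool_size("192.168.1.5", "255.255.255.0"))
```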
Summary
Summary displays configuration information in the previous steps, including:
Step 1 Check configuration information in Summary. After confirming the information, click
Apply.
Step 2 Wait a period of time. If the configuration information is successfully delivered, the Startup
Wizard Complete page is displayed.
----End
4 Dashboard
You can move a status window to a desired position and set an interval for refreshing the window.
1. Click Dashboard.
2. Click Device Information.
If the Device Information option button in the navigation list is gray, the Device
Information window is already displayed on the Dashboard tab page.
3. Repeat the preceding steps to set other status windows.
l Set the automatic refresh interval.
1. Click Dashboard.
2. Click Refresh Interval.
3. Select a refresh interval from the drop-down list.
l Move a status window.
1. Click Dashboard.
2. Move the cursor over a status window, hold down the left mouse button, and drag the
window to a desired position.
l Interface icons
Table 4-1 describes the meanings of different colors for interface physical status icons.
Table 4-1 Meanings of different colors for interface physical status icons
Color Description
Green The physical status of an interface is Up, and the interface is working in
full duplex mode.
Yellow The physical status of an interface is Up, and the interface is working in
half duplex mode.
To view interface information, move the cursor over a status icon. Table 4-2 describes the
interface operating information.
Parameter Description
Interface Name: Interface name, in the format of interface type + interface number, for example, GE0/0/0.
l Indicator
Table 4-3 shows the indicator description.
Indicator Meaning
USB0 and USB1 interface indicator (green): Steady on: A USB device is inserted into the USB0 or USB1 interface. Off: No USB device is inserted into the USB0 or USB1 interface.
ETH, GE interface indicator (green): Steady on: Links are connected and the interface is Up. Off: Links are not connected and the interface is Down.
Parameter Description
CPU Usage: When you move the pointer to the CPU resource icon, the CPU usage of the data plane at the time is displayed.
CF Card Usage: When you move the pointer to the CF card resource icon, detailed information is displayed, including:
l CF card usage in percentage.
l Used indicates the used CF card capacity.
l CF card capacity indicates the total capacity of the CF card.
Disk Usage: Move the cursor over the disk meter to view the following information:
l Percentage of hard disk resources used.
– Disk Usage: amount of hard disk resources used, in percentage
– Used: amount of hard disk resources used, in MB
– Size: total hard disk capacity, in MB
l When using dual disks for the first time or implementing capacity
expansion after using a single disk for a period of time, back up disk data
in a timely manner. The USG6650/6660/6670/6680 supports dual disks.
The disk backup procedure is as follows:
Click Disk Backup. In the window that is displayed, select the current
disk as the active disk and click OK.
If the backup progress is 100% and the current disk usage is displayed,
the disk data backup is complete.
NOTICE
After disk data backup starts, data in the active disk will be synchronized to the
backup disk and the original data on the backup disk will be overwritten.
Therefore, before starting disk data backup, correctly select the active disk.
Parameter Description
SN: Serial number that uniquely identifies a NGFW. You must provide the serial number of the NGFW when you apply for a license or before you send the NGFW for repair.
Version: Current software version. To upgrade the current version, click Upgrade on the System Information window to open the System Upgrade tab page. For the detailed upgrade procedure, see 5.13.1 Upgrading the System Using the Web UI.
Ambient Temperature: Current ambient temperature of the NGFW. For more information, click Details on the System Information window.
CPU Subcard Status: Status of each CPU subcard. For more information, click Details on the System Information window.
Power: Power (W) of the NGFW. For more information, click Details on the System Information window.
Number of Online Administrators: For more information, click Details on the System Information window. In the Details dialog box, you can select one or more administrators and force them to log out.
NOTE
Only system administrators have the permission to view the number of online administrators and to force them to log out.
The interfaces collect statistics on the inbound and outbound traffic and display the statistical
results in curve charts. With the curve charts, you can view traffic distribution regularities, such
as the peak and off-peak traffic hours and traffic rate to facilitate your network condition analysis.
Select an interface or all interfaces from the Interface drop-down list to collect traffic statistics on the specified interface or on all interfaces. From the Time Range drop-down list, select the past 60 minutes, 24 hours, or 30 days. Click the icon to view more detailed interface traffic statistics, including packet transmission rate, bandwidth, and traffic.
Click to view more information about alarms. Table 4-7 describes the alarm parameters.
By viewing system logs, you can learn about the operating and hardware-related events. System
logs facilitate fault analysis and locating during troubleshooting.
System logs record system alarms, user login or logout, system operation, and blacklists. Table 4-8 describes the system log parameters.
Parameter Description
Time Date and time when a system log message was generated
Click to view more information about system logs. For more detailed information about
system logs, see System Logs.
Table 4-9 shows the parameters of the threat log information window.
Parameter Description
Time Date and time when a threat log message was generated
Click to view more information about threat logs. For more detailed information about threat
logs, see Threat Logs.
Parameter Description
Maximum Storage Space: Maximum storage space for a specific type of service logs, in GB.
When the percentage of disk space used by a type of logs or reports exceeds the configured alarm
threshold, the icon blinks and a log is generated. In this case, access the report page and export
the report for backup. For details, see Viewing Reports. For details about the configuration of
hard disk alarm threshold, see Configuring Hard Disk Alarming Threshold.
The visual management center allows you to select an interface, internal server, or IPSec service
to configure them, check the network topology, view the network status from the topology, and
check and diagnose the device.
Prerequisites
The network planning has been complete.
You have familiarized yourself with the neighboring devices, service models, traffic directions,
inside and outside interfaces, and IP addresses, if the networking and service configuration have
been complete.
Networking
The networking diagram is the basis of the visual management center, which allows you to select
an interface, internal server, or IPSec service to configure them or check the network topology.
Quick Configuration
As shown in Figure 4-1, you can complete basic configurations, change intranet and Internet
interfaces, and create servers on the networking diagram. When the device or service is abnormal,
you can collect information for diagnosis. For the corresponding area information, see Figure
4-1.
Item Description
Startup Wizard: Helps you complete the basic device configuration and WAN access. For details, see Startup Wizard.
Update Center: Describes how to upgrade the signature database. For details, see Update Center.
License Management: Describes how to manage and activate a license. For details, see License Management.
l Server mapping
Move the pointer to area 2, click Set, and access the Server Mapping List page. View the
mapping information of the NAT server or click Add. Configure the server mapping. For
details, see Configuring Server Mappings
l Intranet interface/Internet interface
Move the pointer to area 1 or 3, click Set, and access the interface configuration page. For
details, see Configuring Interfaces.
Health Check
After networking planning and device configuration are complete, move the cursor to area 6 in
Figure 4-1 to perform device health check.
1. Click this area. The message "Do you want to check device health?" is displayed. Click
OK to start the check. The check result is displayed after the check is complete.
NOTE
The health index is the weighting coefficient multiplied by the average of the four dimension scores. The weighting coefficient is determined by the lowest dimension score: it is 1 for 100 points, 0.9 for 80 to 99 points, 0.8 for 60 to 79 points, and 0.7 for 59 points or less.
The total health index score is calculated using the formula S = (S1 + S2 + S3 + S4)/4 x W, where S is the total score, Si (i = 1, 2, 3, or 4) is the score of each dimension, and W is the weighting coefficient determined by the dimension with the lowest score.
2. Click View Details to query detailed information and suggestion about the use of the
hardware, network, services, and resources as well as signature database updates, and you
can optimize the device according to the suggestion.
3. You can click Re-check to perform the health check again.
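The health index formula from the note above, as an added Python example (not code from the guide): the weighting coefficient W is picked from the lowest dimension score and applied to the average of the four scores. The dimension names used for triage are an assumption taken from the four areas View Details reports on.

```python
from typing import Sequence

# Assumed dimension order: the four areas the health check reports on.
DIMENSIONS = ("hardware", "network", "services", "resources")


def weighting_coefficient(lowest_score: float) -> float:
    """W, chosen from the lowest of the four dimension scores."""
    if lowest_score >= 100:
        return 1.0
    if lowest_score >= 80:
        return 0.9
    if lowest_score >= 60:
        return 0.8
    return 0.7


def health_index(scores: Sequence[float]) -> float:
    """Total health score S = (S1 + S2 + S3 + S4)/4 x W, rounded to 2 places."""
    s = [float(x) for x in scores]
    if len(s) != 4 or any(not 0 <= x <= 100 for x in s):
        raise ValueError("expected four dimension scores between 0 and 100")
    w = weighting_coefficient(min(s))
    return round(sum(s) / 4 * w, 2)


def limiting_dimension(scores: Sequence[float],
                       names: Sequence[str] = DIMENSIONS) -> str:
    """Name of the dimension whose (lowest) score sets W; fix this one first."""
    s = [float(x) for x in scores]
    return names[s.index(min(s))]


if __name__ == "__main__":
    sample = [90, 80, 100, 70]  # constructed scores
    print(health_index(sample), limiting_dimension(sample))
```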
5 System
Context
Figure 5-1 shows the networking diagram for the login to the NGFW through the console port.
Figure 5-1 Cabling between the PC and the Console port of the NGFW
PC (COM port) <-- RS-232 console cable --> NGFW (Console port)
Procedure
Step 1 Connect the console cable.
1. Shut down the NGFW and power off the configuration terminal.
2. Connect the RS-232 serial port of the configuration terminal to the configuration interface
of the NGFW with a cable.
3. After checking the installation, power on the configuration terminal.
Step 2 Configure the terminal. The following examples describe terminal configurations in the
Windows XP and Windows 7 operating systems.
Windows XP
1. Run the terminal emulation program (such as the HyperTerminal on Windows XP) on the
PC. Choose Start > All programs > Accessories > Communications > Hyper
Terminal. The Connection Description dialog box is displayed.
2. In Name, enter the name (for example, COMM1) of the connection between the PC and
the NGFW. Then, select an icon in Icon, as shown in Figure 5-2.
7. Click OK.
Windows 7
1. Download the PuTTY software to the local device and double-click it to run the software.
2. Choose Session, set the Connection type to Serial.
3. Set the parameters for connecting the serial port to the device.
Figure 5-5 shows detailed parameter settings.
Figure 5-5 Setting the PuTTY parameters for connecting the serial port to the NGFW
4. Click Open.
Step 3 Press Enter and enter the account admin and password Admin@123.
NOTE
After three consecutive login failures through the console port, the system automatically locks the console port (prohibiting administrator login) for 10 minutes.
Step 4 Change the default administrator password and access the CLI interface.
NOTE
To enhance security, a password must meet the minimum strength requirements, that is, the password needs
to contain at least three types of the following characters: uppercase letters (A to Z), lowercase letters (a
to z), digits (0 to 9), and special characters, such as exclamation points (!), at signs (@), number signs (#),
dollar signs ($), and percent (%).
Please keep the new password you entered safe for your next login.
Please input new password:**********
Please confirm new password:**********
<NGFW>
----End
Follow-up Procedure
Log in to the device through the console port for management and configuration. You can also
create more administrators or establish the Telnet, STelnet, and web login environment. For
details, refer to 5.2 Administrators.
Prerequisites
The browser on the administrator PC must meet any of the following requirements:
When using Internet Explorer, you are advised to use version 7.0 or later.
Procedure
Step 1 Connect the network interface of the administrator PC to management interface GigabitEthernet
0/0/0 using network cables or layer-2 switches.
NOTE
The USG6310/6320 does not have any management interface. You need to connect GigabitEthernet 0/0/0 to the
network interface of the PC.
Step 2 Set the IP address of the administrator PC, within a range from 192.168.0.2 to 192.168.0.254.
Step 3 Open the browser on the administrator PC. In the address box, enter the default IP address of
the GigabitEthernet 0/0/0 (https://192.168.0.1:8443).
NOTE
If the address is http://192.168.0.1, the device automatically uses the more secure HTTPS to access the
web UI.
If the browser displays a notification for an insecure certificate, you can continue the browsing. For security,
you are advised to configure the specified certificate after logging in to the device. For details, refer to
5.2.4.2 Example for Logging In to the Web UI Using HTTPS (Specified Certificate).
Click Open Source Software Notice on the web login page to view information about the open source software notice.
Step 4 On the login page, enter the default user name admin and password Admin@123 of the system
administrator. Click Login.
NOTE
You can also use default audit administrator account audit-admin (password Admin@123) to log in to
the device.
After three consecutive login failures, the web UI is automatically locked out for 10 minutes to forbid any
user login.
Step 5 Change the password of the default administrator account, and click OK to access the web UI.
NOTE
To enhance security, a password must meet the minimum strength requirements, that is, the password needs
to contain at least three types of the following characters: uppercase letters (A to Z), lowercase letters (a
to z), digits (0 to 9), and special characters, such as exclamation points (!), at signs (@), number signs (#),
dollar signs ($), and percent (%).
Please keep the new password you entered safe for your next login.
----End
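The minimum password strength rule quoted in the notes for the console and web login procedures (at least three of four character classes), as an added Python check that is not code from the guide or the device. It assumes "special characters" means any ASCII punctuation, since the guide only gives a few examples, and it also flags the documented factory default, which passes the class rule on its own.

```python
import string

# Character classes the guide enumerates. "special" is assumed to be any ASCII
# punctuation; the guide only lists ! @ # $ % as examples.
CHARACTER_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "special": set(string.punctuation),
}
DOCUMENTED_DEFAULT = "Admin@123"  # factory password the guide requires you to change


def present_classes(password: str) -> set:
    """Names of the character classes that occur in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(ch in chars for ch in password)}


def check_password(password: str, min_classes: int = 3):
    """Return (ok, reasons) for the three-of-four character class rule.

    The factory default is rejected as well: it contains all four classes, so
    a complexity check alone would accept it.
    """
    reasons = []
    classes = present_classes(password)
    if len(classes) < min_classes:
        missing = sorted(set(CHARACTER_CLASSES) - classes)
        reasons.append(f"only {len(classes)} of 4 character classes present; "
                       f"missing: {', '.join(missing)}")
    if password == DOCUMENTED_DEFAULT:
        reasons.append("matches the documented factory default and must be changed")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("Admin@123", "abcdefgh1", "Fw-Ops_2015"):  # constructed samples
        print(candidate, check_password(candidate))
```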
Follow-up Procedure
Use HTTPS to log in to the web UI for management and configuration. You can also create more
administrators. For details, refer to 5.2 Administrators.
5.2 Administrators
This section describes how to configure administrators, including configuring administrator
accounts, administrator interfaces, and services.
5.2.1 Overview
The NGFW provides an administrator mechanism consisting of administrators and administrator
interfaces. The administrator interface is a unified management page over configuration UIs and
administrators using a login method.
Console (CLI)
Description: Console is the basis of other CLI login methods. Only one administrator can operate at the same time. Console is used in the following scenarios:
l An administrator logs in to the CLI for the first time.
l If an administrator cannot log in to the device remotely, the administrator can log in locally through the console port.
l If a device cannot start normally, the administrator can access the BootROM menu through the console port to load the system software.
Interface: Console port
Default setting: The default account and password are admin and Admin@123. For details, refer to 5.1.1 Logging In to the CLI Through the Console Port.
Telnet (CLI)
Description: This method applies to remote management and maintenance. Multiple administrators can operate at the same time.
Interface: Any Ethernet port reachable to the login PC and device works. You are advised to select management interface GigabitEthernet 0/0/0 for login.
Default setting: Direct login is not enabled by default. You must configure the Telnet service. For details, refer to 5.2.4.3 Example for Logging in to the CLI using the Telnet.
NOTICE
During Telnet login, data and passwords are transmitted in plaintext mode, causing security risks. To secure data transmission, use STelnet instead.
l Binding the administrator role: The NGFW controls administrator permissions based on
the web-based configuration page. This method applies to web administrators.
l Specifying the administrator level: The NGFW controls administrator permissions based
on executable command levels. This method applies to CLI administrators.
The NGFW classifies roles based on permissions on web configuration items. The NGFW
assigns a role read-write permission, read-only permission, or none permission on a web
configuration item.
NOTICE
l The CLI structure differs from the web UI menu. Therefore, the CLI permission control of a role does not map one-to-one to the operations on the web UI.
l On the administrator Web UI, the configuration rights are read-write, read-only, and none;
on the CLI, the rights are read-write and none. The read-only right on the Web UI is treated
as the none right on the CLI. If the configuration right of a user is read-only on the Web UI,
the user can view configurations on the Web UI, but cannot view the configurations on the
CLI.
Table 5-2 lists the default administrator roles of the NGFW. The NGFW also supports user-
defined administrator roles.
The web configuration modules and submodules over which the role permissions in Table 5-2 are defined are as follows. Some default roles cover only a subset of them, for example System: High Availability and Log Configuration; Other: Policy Matching Log and Mail Filtering Log.
l Policy module, including the following submodules:
– Security Policy
– NAT Policy
– Bandwidth Management
– Quota Control Policy
– Proxy Policy
– Authentication Policy
– Security Protection
– ASPF Configuration
l Object module, including the following submodules:
– Certificates
– Address
– Region
– Service
– Application
– User
– Device
– Authentication Server
– Schedule
– URL Categories
– Keyword Groups
– Email Address Group
– Signature
– Link Health Check
– Security Profiles: Anti-Virus, Intrusion Prevention, URL Filtering, File Blocking, Data Filtering, Application Behavior Control, Mail Filtering
l Network module, including the following submodules:
– Interface
– Interface Pair
– Zone
– DNS
– DHCP Server
– Router
– IPSec
– L2TP
– GRE
– DSVPN
– SSL VPN
– TSM Interworking
l System module, including the following submodules:
– Setup
– Admin
– Virtual System
– High Availability
– Agile Network Configuration
– Set Mail Service
– Log Configuration
– License Management
– Update Center
– System Upgrade
– Configuration File Management
l Other
– Audit Log
– Password Management
– Policy Matching Log
– Mail Filtering Log
NOTICE
l If an administrator account is bound to a specific role, the level of the administrator role takes
precedence over the administrator level.
l If an administrator account is bound to a specific role, the level of the administrator role takes
precedence over the server authorization.
l Even if an administrator account is not bound to a specific role, the administrator role and level have the following default mapping:
– 1: Monitoring level corresponds to Configuration administrator (monitoring).
– 2: Configuration level corresponds to Configuration administrator.
– 3: Management level to the 15th level correspond to System administrator.
Configuration administrator (monitoring) does not have the read-write permission for some functions. Therefore, administrators at 1: Monitoring level cannot execute some commands of 1: Monitoring level.
Besides roles, the NGFW uses command lines to manage administrators hierarchically.
Administrator levels range from 1 to 15. An administrator can execute only commands with
lower levels than or same levels as the administrator level, as shown in Table 5-3. Command
lines have four levels. For details, refer to the NGFW - Command Reference.
l Local authentication
Both the administrator account and password are stored on the NGFW.
NOTE
When a northbound API is used for login, only local authentication is supported.
l Server authentication:
– If the administrator does not use domain authentication, the administrator account must
be created on the NGFW, and the password is saved on the authentication server.
Currently, the NGFW supports the following server authentication modes: AD, LDAP, RADIUS, SecurID, and HWTACACS.
– If the administrator uses domain authentication, the administrator account and password
must be created and saved on the domain authentication server. No user information
needs to be configured on the NGFW. Currently, the NGFW supports RADIUS server
authentication mode.
l Server and local authentication
The NGFW performs server authentication first. The NGFW performs local authentication
only if it fails to connect to the authentication server.
NGFW. For example, user username on virtual system vsys with domain (domainname)
authentication uses user name username@domainname@@vsys to log in to and manage the
NGFW.
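A parser for the username@domainname@@vsys login name format described above, as an added Python example (not code from the guide or the device). It assumes that the "@@" virtual system separator must be split off before the single "@" domain separator is considered, which is what makes a name such as user@@vsys unambiguous.

```python
from typing import NamedTuple, Optional


class LoginName(NamedTuple):
    user: str
    domain: Optional[str]   # None: no domain authentication
    vsys: Optional[str]     # None: root system


def parse_login_name(login: str) -> LoginName:
    """Split username[@domainname][@@vsys] into its parts.

    The '@@' virtual system separator is stripped first; only then is a single
    '@' treated as the domain separator. Otherwise 'user@@vsys' would read as
    an empty domain on vsys 'vsys'. Names with stray '@' characters are rejected.
    """
    if not login:
        raise ValueError("empty login name")
    vsys = None
    if "@@" in login:
        login, vsys = login.split("@@", 1)
        if not vsys or "@" in vsys:
            raise ValueError("malformed virtual system name")
    domain = None
    if "@" in login:
        login, domain = login.split("@", 1)
        if not domain or "@" in domain:
            raise ValueError("malformed domain name")
    if not login:
        raise ValueError("empty user name")
    return LoginName(login, domain, vsys)


def format_login_name(name: LoginName) -> str:
    """Inverse of parse_login_name: rebuild the login string from its parts."""
    text = name.user
    if name.domain:
        text += "@" + name.domain
    if name.vsys:
        text += "@@" + name.vsys
    return text


if __name__ == "__main__":
    for sample in ("admin", "alice@corp", "admin@@vsys1", "username@domainname@@vsys"):
        print(sample, "->", parse_login_name(sample))
```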
Administrator Accounts
Table 5-4 shows the default administrators of the NGFW.
To secure NGFW, you are advised to follow the minimum authorization principle and plan
administrator accounts with different permissions to avoid administrator account sharing. If
default roles cannot meet requirements, you can create new administrator roles.
When an administrator logs in, the device automatically assigns the administrator an idle
administrator interface with the minimum number by login method. The administrator interface
configurations control the login process.
Table 5-5 shows the relationship between administrator interfaces and login methods.
Web: Web-based administrator interface. Controls the web login behaviors, such as setting the timeout period after login and account lockout upon failed login.
Console: CLI administrator interface, console interface. Controls console login behaviors. There is only one console interface because only one administrator can log in to the device through the console port at one time.
Telnet/STelnet: CLI administrator interface, Virtual Type Terminal (VTY) interface. Controls Telnet or STelnet login behaviors. By default, the service supports five VTY interfaces. A maximum of 15 interfaces can be supported. The number of VTY interfaces determines the maximum number of concurrent Telnet or STelnet administrators. If an administrator logs in, the device automatically assigns an idle VTY interface to the administrator in order.
NOTICE
During Telnet login, data and passwords are transmitted in plaintext mode, causing security risks. To secure data transmission, use STelnet instead.
Web console: WCON interface. Controls the CLI console login behaviors on the web. The device supports a maximum of five WCON interfaces. The WCON interface is an auxiliary tool for web administrators and cannot be customized.
l Relative numbers
The same type of administrator interfaces uses relative numbers, which are in the format
of type + number.
Relative numbers apply to administrator interfaces of the same type.
l Absolute numbers
Absolute numbers apply to all types of administrator interfaces on a NGFW.
Table 5-6 lists relative and absolute numbers of the console, VTY, and WCON interfaces on a
NGFW.
Table 5-6 Relative and absolute numbers of the console, VTY, and WCON interfaces
Console: relative number 0, absolute number CON0
NOTE
You can run the display user-interface command on a NGFW to display the numbers of CLI administrator
interfaces.
If the CLI administrator interface uses AAA domain authentication, the administrator account level takes precedence over the administrator interface level. The administrator interface level takes effect only when the administrator account level is not set.
If the operation is successful, a new administrator role is displayed in the Administrator Role
List page.
Parameter Description
Permission Control Modules: Permission for modules. Select one of the following options:
l Read-write: Indicates the access and control permission on the selected content.
l Read-only: Indicates only the access permission on the selected content.
l None: Indicates no access or control permission on the selected content. This is the default permission.
NOTE
l Only the default role system-admin has the Read-write permission
to SNMP module, even though the Read-write permission to
System > Setup has been configured when a role is created.
l Only the system administrator has the Read-write permission to the
information collection function. Other roles do not have the
permission even if you assign the permission on Monitor >
Diagnosis Center when creating them.
----End
Parameter Description
Parameter Description
Trusted Host: IP address range of the hosts that can log in to the NGFW. The value is in the format of IP address/mask. For example, 10.1.1.1/24 or 10.1.1.1/255.255.255.0 can be entered.
To add an address range, click the icon and enter the range. A maximum of 10 IP address ranges can be specified.
Advanced
Service Type: Specify the login method, which can be web, Telnet, STelnet, Console, API, FTP, and SFTP.
NOTE
l You can configure the FTP or SFTP service type only after you bind the user to a system administrator role. A default FTP directory (hda1:) is delivered to the new administrator when the FTP mode is specified.
l There are security risks if the service type is configured to be Telnet
or FTP. So it is suggested to configure the service type to be STelnet
or SFTP.
l If administrator service types are changed, the service types of online
administrators are not changed, but for the administrators logging in
after service types are changed, the new service types take effect.
Parameter Description
SSH Authentication: Specify SSH as the login method. SSH authentication methods include:
l RSA
l PASSWORD-RSA: allows the NGFW to use both the Rivest-Shamir-Adleman (RSA) algorithm and a password to authenticate an administrator.
l PASSWORD
l ANY: allows the NGFW to use either RSA or password authentication to authenticate an administrator.
This item is required when you create an SSH authentication account. The default authentication method is PASSWORD.
NOTE
By default, an administrator created using the web UI can log in to the device from a web page.
Interface access control, administrator service type, and enabled service on the device determine the login
method. For example, if an administrator wants to log in using HTTPS through the management interface,
the management interface must enable the HTTPS access control, the administrator account must support
HTTPS, and the device must enable HTTPS. For detailed configuration process, see Configuration
Examples.
----End
Follow-up Procedure
Modify administrator parameters. Click the modify icon of the administrator whose parameters need to be modified.
NOTE
To change the password of an administrator, enter the current administrator account password in the Please input the administrator current password dialog box that is displayed and then click Confirm.
l If administrators log in to the NGFW over HTTP or HTTPS, do not disable the HTTP or HTTPS service; otherwise, those logins fail.
l Before changing the HTTP or HTTPS port number, disable the HTTP or HTTPS service.
----End
NOTICE
During Telnet login, data and passwords are transmitted in plaintext, which is a security risk. To secure data transmission, use STelnet instead.
The NGFW functions as a Telnet server: the Telnet service on the NGFW provides CLI access to clients.
SSH FTP (SFTP) is a secure file transfer service. The NGFW functions as an SFTP server: it authenticates SFTP clients and encrypts the data exchanged between the server and clients. SFTP on the NGFW provides secure file transfer services.
Parameter Description
Authentication Timeout: Timeout period (seconds) for SSH user authentication. If an SSH client fails to be authenticated within the specified authentication timeout period, the SSH client must re-initiate an SSH connection.
Key Generation Interval: Interval (hours) at which the NGFW SSH server regenerates its server key pair.
SSH User Level: Level of an administrator that uses SSH to log in to the NGFW. A larger value indicates a higher level.
----End
The northbound interfaces use HTTP or HTTPS to communicate with third-party clients. For
details on environment construction and service configuration using a northbound API, refer to
the Northbound API Secondary Development Guide.
The default HTTP port is 8448, and the default HTTPS port is 8447.
Session Timeout: If no operation is performed in the specified duration and you attempt to
perform an operation again, you are prompted with a login timeout message and required to re-
log in.
You are advised to use the default timeout duration, which is 90 seconds.
----End
Procedure
Step 1 Access the system view.
system-view
Step 3 Create an administrator role and access the administrator role view.
role role-name
In the role view, grant permissions module by module. Each command takes none, read-only, or read-write; the optional feature-name list limits the grant to specific features of the module, so a role can be kept to the minimum set of modules its administrators need.
Operation Command
Grant permission for the dashboard module: dashboard { none | read-only | read-write }
Grant permission for the monitor module: monitor [ feature-name &<1-17> ] { none | read-only | read-write }
Grant permission for the network module: network [ feature-name &<1-13> ] { none | read-only | read-write }
Grant permission for the object module: object [ feature-name &<1-21> ] { none | read-only | read-write }
Grant permission for the policy module: policy [ feature-name &<1-8> ] { none | read-only | read-write }
Grant permission for the system module: system [ feature-name &<1-11> ] { none | read-only | read-write }
----End
Procedure
Step 1 Set the authentication mode to AAA for the administrator UI.
1. Run the system-view command to access the system view.
2. Run the user-interface [ ui-type ] first-ui-number [ last-ui-number ] command to access
the administrator user interface view.
3. Run the authentication-mode aaa command to set the authentication mode to AAA.
4. Run quit to return to the system view.
4. Run the service-type { api | { ftp | ssh | telnet | terminal | web } * } command to set the service type for the administrator account.
By default, no service type is specified for an administrator created using the CLI.
NOTE
You can configure the FTP service type only after you bind the user to a system administrator role (administrator of level 3 or above).
Telnet and FTP transmit credentials in plaintext and are a security risk. Configure the service type to be SSH (STelnet/SFTP) instead.
Interface access control, administrator service type, and enabled service on the device determine the
login method. For example, if an administrator wants to log in using HTTPS through the management
interface, the management interface must enable the HTTPS access control, the administrator account
must support HTTPS, and the device must enable HTTPS. For detailed configuration process, see
Configuration Examples.
If administrator service types are changed, the service types of online administrators are not changed,
but for the administrators logging in after service types are changed, the new service types take effect.
5. Run the password cipher cipher-password command to set a password for the
administrator account.
NOTE
To enhance security, a password must meet the minimum strength requirements, that is, the password
needs to contain at least three types of the following characters: uppercase letters (A to Z), lowercase
letters (a to z), digits (0 to 9), and special characters, such as exclamation points (!), at signs (@),
number signs (#), dollar signs ($), and percent (%).
6. Run the quit command to return to the AAA view.
Step 5 Configure the permission and other attributes for the administrator account.
1. Control the administrator permission based on the administrator role.
NOTE
The administrator role takes precedence over the administrator level. If an administrator is bound to a role, the administrator level does not take effect.
In the AAA view, run the bind manager-user manager-name role role-name command
to bind the administrator account to a role.
2. Optional: Enable the function of locking out the administrators that fail the authentication.
This function is invalid to the system administrator admin and console administrators.
After an administrator account is locked, using the account to log in fails even if the IP
address is changed or another mode (except the console port mode) is used. The
administrator account is unlocked only after the lockout duration expires.
Operation Command
Configure the validity period for the password: password valid-days days
----End
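The password strength rule in the note of Step 4 above (at least three of the four character classes), implemented as a check that can be run on a candidate password before it is set with password cipher. This is an added example, not code from the Huawei guide. The page lists ! @ # $ % only as examples of special characters, so counting every ASCII punctuation character as "special" is an assumption here; the minimum length of 8 is also a local choice, because the page does not state one.

```python
"""Added example (not from the Huawei NGFW guide): check a candidate administrator
password against the complexity rule stated above, i.e. at least three of the four
classes uppercase, lowercase, digit, special.  Assumptions: every ASCII punctuation
character counts as "special" (the guide only lists ! @ # $ % as examples), and the
minimum length of 8 is a local choice, since the page does not state one."""
import string
from typing import List, Set, Tuple

SPECIAL: Set[str] = set(string.punctuation)   # assumption, see module docstring


def character_classes(password: str) -> Set[str]:
    """Return the names of the character classes present in `password`."""
    classes: Set[str] = set()
    for ch in password:
        if not ch.isascii():
            continue                  # non-ASCII characters count towards no class
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in SPECIAL:
            classes.add("special")
    return classes


def check_password(password: str, min_length: int = 8,
                   min_classes: int = 3) -> Tuple[bool, List[str]]:
    """Return (accepted, reasons); `reasons` names every rule that failed."""
    reasons: List[str] = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = character_classes(password)
    if len(classes) < min_classes:
        found = ", ".join(sorted(classes)) or "none"
        reasons.append(f"only {len(classes)} of 4 character classes ({found}); "
                       f"{min_classes} required")
    if any(not (ch.isascii() and ch.isprintable()) for ch in password):
        reasons.append("contains non-ASCII or non-printable characters")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("Myadmin@123", "mydevice123", "Ab1!"):
        accepted, why = check_password(candidate)
        print(candidate, "accepted" if accepted else "rejected: " + "; ".join(why))
```

The passwords used in the configuration examples later on this page (Myadmin@123, Mydevice@123) contain all four classes; a lowercase-plus-digits password such as mydevice123 is rejected by the device and by this check.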
Procedure
Step 1 Set the authentication mode to AAA for the administrator UI.
1. Run the system-view command to access the system view.
2. Run the user-interface [ ui-type ] first-ui-number [ last-ui-number ] command to access
the administrator user interface view.
3. Run the authentication-mode aaa command to configure the AAA authentication mode.
4. Run the quit command to return the system view.
NOTE
HWTACACS command-based authorization is independent from authorization
modes (authorization-mode) and authentication modes (authentication-mode). That
is, even if HWTACACS command-based authorization is implemented on an
administrator, non-HWTACACS authentication and authorization modes can be
implemented on this administrator as well.
2) Run the authorization-cmd no-response-policy { online | offline [ max-times max-times-value ] } command to configure the policy applied when the HWTACACS server does not respond or when no administrator is configured on the NGFW.
By default (online), the administrator remains online even if command-specific authorization fails, which fails open; offline logs the administrator out instead, which is the fail-closed choice.
l Run the authorization-mode local command to set the local authorization mode
for user name-based authorization.
If only RADIUS server authentication is configured for the administrator, the
administrator level can be set through the command line. By default, the
administrator level is 0 for Telnet and login modes other than web login. The
administrator level is 1 for web login.
1) Run the user privilege level level command to set the administrator level for
Telnet login. The default value is 0.
2) Run the web-manager user privilege level privilege-level command to set
the administrator level for web login. The default value is 1. Note that only
web administrators at level 3 or higher can log in to the device.
c. Run the quit command to return to the AAA view.
3. Configure the authentication server based on the authentication and authorization schemes.
Step 3 Bind the authentication scheme for the administrator account or domain based on the server
authentication mode and reference the server template.
l Bind the authentication scheme for the administrator and reference the template based on the
server authentication mode.
If administrator domain authentication is not used, the administrator account must be created
on the NGFW, and the password is saved on the authentication server. After an administrator
is created, the administrator uses User Name/Password to log in to and manage the
NGFW.
– In the AAA view, run the manager-user user-name command to configure an
administrator account and access the administrator view.
– Run the service-type { ftp | ssh | telnet | terminal | web } * to set the service type for the
administrator account.
By default, no service type is specified for an administrator created using the CLI.
NOTE
You can configure the FTP service type only after you bind the user to a system administrator role.
There are security risks if the service type is configured to be Telnet or FTP. So it is suggested to
configure the service type to be SSH.
For the NGFW to support SSH server authentication, you need to run the ssh authentication-type
default password command in the system view first.
Interface access control, administrator service type, and enabled service on the device determine
the login method. For example, if an administrator wants to log in using HTTPS through the
management interface, the management interface must enable the HTTPS access control, the
administrator account must support HTTPS, and the device must enable HTTPS. For detailed
configuration process, see Configuration Examples.
If administrator service types are changed, the service types of online administrators are not
changed, but for the administrators logging in after service types are changed, the new service types
take effect.
– Run the authentication-scheme scheme-name command to bind the authentication scheme to the administrator account.
– Reference the server template.
– Run the radius-server template-name command to reference the RADIUS server
template.
– Run the hwtacacs-server template-name command to apply the HWTACACS server
template.
– Run the ad-server template-name command to reference the AD server template.
– Run the ldap-server template-name command to reference the LDAP server template.
– Run the securid-server template-name command to reference the SecurID server
template.
l Create an authentication domain.
If administrator domain authentication is used, the administrator account and password must
be created and saved on the authentication server. The NGFW does not have user information
configured. After an administrator is created, the administrator uses User
Name@Authentication Domain/Password to log in to and manage the NGFW.
NOTE
When administrator domain authentication is used, the administrator does not have any role. The
administrator level is set on the server. If not configured, the administrator level is determined by
command line authorization.
The administrator with server domain authentication has all service types without additional
configuration.
– Create an administrator on the server. For details, see the server-related document.
– Run the domain domain-name to create a domain (user group) and access the domain
view.
– Run the service-type { access | internet-access | administrator-access } * command to
configure access control for the authentication domain.
– Run the authentication-scheme scheme-name command to bind the authentication scheme to the domain.
The authentication scheme configured in the domain view must be the same as that configured in the AAA view.
– Optional: Run the authorization-scheme scheme-name command to configure the authorization scheme for the domain.
This authorization scheme must be the same as that configured in the AAA view.
– Apply the server template based on the selected authentication server.
Run the radius-server template-name command to apply the RADIUS server template.
Step 4 Configure the permission and other attributes for the administrator account.
If no authentication domain is planned for the administrator, the administrator account is created
on the local device, and other functions can be configured for the administrator account as
required.
Optional: Enable the function of locking out administrators that fail authentication. This function does not apply to the system administrator admin or to console administrators.
After an administrator account is locked, using the account to log in fails even if the IP address is changed or another mode (except the console port mode) is used. The administrator account is unlocked only after the lockout duration expires.
Operation Command
Configure the validity period for the password: password valid-days days
----End
Context
The NGFW supports user login to the web UI through HTTP and HTTPS by default. The default
HTTP port is 80, and the default HTTPS port is 8443.
NOTE
HTTPS is more secure than HTTP. Therefore, you are advised to use HTTPS. If you do not need to log in
to the NGFW through HTTP, run the undo web-manager enable command to disable the HTTP service
to prevent security risks.
Procedure
Step 1 Access the system view.
system-view
Step 2 Configure a web service. You can configure HTTP or HTTPS with a default certificate, or
HTTPS with a specified certificate.
l Configure HTTP.
NOTE
If you do not use the default port to log in, run the undo web-manager enable command in advance
to disable the HTTP service and default port 80. Then enable the HTTP service again.
1. Run the web-manager enable [ port port-number ] command to enable the HTTP
service.
2. Optional:
Run the web-manager redirect https enable command to redirect HTTP access to the web UI to HTTPS.
l Configure HTTPS with a default certificate.
When a PC (client) attempts to use HTTPS to log in to a NGFW, the NGFW (server) delivers
a default certificate to the PC. The certificate is assigned by an unknown Certificate
Authority (CA). The PC cannot verify the certificate, and is therefore vulnerable to attacks.
NOTE
If you do not use the default port to log in, run the undo web-manager security enable port port-
number command in advance to disable the HTTPS service and default port 8443. Then enable the
HTTPS service again.
1. Run the web-manager security enable port port-number command to enable the
HTTPS service.
2. Specify an SSL protocol and an encryption algorithm.
The NGFW (server) and a PC (client) must run the same SSL protocol and use the
same encryption algorithm. An inconsistency causes an SSL negotiation failure.
a. Specify the SSL or TLS protocol versions.
web-manager security version { { sslv3 | tlsv1 | tlsv1.1 | tlsv1.2 } * | all }
By default, the NGFW supports SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2. SSL 3.0 and TLS 1.0 have known weaknesses and TLS 1.1 is deprecated; unless a legacy browser requires them, allow only TLS 1.2 (web-manager security version tlsv1.2).
b. Specify the cipher suites.
web-manager security cipher-suit { { medium-strength | high-strength } * | all }
By default, the NGFW supports medium-strength and high-strength cipher suites. Prefer high-strength only (web-manager security cipher-suit high-strength).
l Configure HTTPS with a specified certificate.
When a PC (client) uses HTTPS to log in to a NGFW, the NGFW (server) delivers a
specified certificate to the PC. The certificate is assigned by a CA that the PC can recognize.
Therefore the PC can establish a secure connection to the NGFW based on the valid
certificate.
NOTE
The certificate can be issued by a public CA or by an internal CA (for example, a server running a certificate service). The PC must import (trust) the issuing CA certificate before it can verify the certificate sent by the NGFW.
1. The NGFW generates a certificate request file, sends the file to the CA server to apply
for the certificate, and imports the local certificate to the NGFW. For the configuration
procedure, see 12.7 Certificate.
2. Optional:
Import the CA certificate obtained from the CA server which the NGFW applies for
a certificate to the browser. For details, see the instructions to the Firefox or Internet
Explorer.
NOTE
Although the client can still access the NGFW through HTTPS even if the CA certificate is not imported to the browser, the client then cannot verify the identity of the NGFW and is exposed to man-in-the-middle attacks.
3. Configure the NGFW to send a certificate to the client when the client accesses the
NGFW through HTTPS.
web-manager security server-certificate file-name
4. Enable HTTPS.
web-manager security enable port port-number
Enter the address of a NGFW following the string of "https://" in the address bar on
the web browser of the PC to log in to the NGFW. Ensure that the address is the same
as that specified in the certificate.
5. Configure an SSL or TLS protocol and an encryption algorithm. For the configuration
procedure, see Configuring an SSL or TLS Protocol and an Encryption
Algorithm.
Step 4 Optional: Enable the authentication failure-triggered lockout function so that the NGFW
automatically locks out an administrator account if the administrator fails to log in to the Web
UI after a specified number of consecutive attempts.
NOTE
The blacklist duration is the duration in which the interface is locked.
----End
system-view
Existing VTY interfaces are assigned specified levels and authentication parameters manually.
If the maximum number of allowed VTY to be set is greater than the number of existing VTYs,
specify a level and a password for the password authentication mode for the new VTY. You can
also specify another authentication mode.
NOTE
By default, the maximum number of VTY administrator interfaces is five.
shell
Operation Command
Set the size of the historical command buffer: history-command max-size size-value (by default, the buffer caches a maximum of 10 historical commands)
Set the CLI administrator interface level: user privilege level level
NOTE
l If password, local, or AAA authentication is specified and no level is specified for an administrator
account for AAA authentication, the highest level of commands that an administrator can access is
determined by the CLI administrator interface level.
l If AAA authentication is enabled and a level is specified for an administrator account, the highest level
of commands that an administrator can access is determined by the administrator account level.
l After an authentication mode is specified, the default authentication mode does not take effect. Keep
the new account and password (if configured) secure.
The interactive mode (entering the password at the prompt) is recommended for creating administrator passwords, because a password given on the command line with the cipher password command is exposed on screen and in the command history.
Step 7 Optional: Enable the NGFW to automatically lock out an administrator account if the
administrator fails to log in to a CLI administrator interface for a specified number of times.
l Console interface
By default, if an administrator fails to be authenticated three consecutive times on a console interface, the interface is locked for 10 minutes. Within the lockout period, no further authentication attempts on that interface are accepted.
1. Access the Console interface view.
user-interface console first-ui-number
2. Set the maximum number of failed authentication attempts.
lock authentication-count count
3. Set the lockout duration.
lock lock-timeout timeout
l VTY interface
By default, an administrator who fails authentication three consecutive times on a VTY interface is locked out for 10 minutes and cannot be authenticated again during that time.
NOTE
The function of setting the maximum number of failed VTY interface authentication attempts applies
only to Telnet administrators.
The function of setting the VTY interface lockout duration applies only to Telnet and SSH
administrators.
----End
----End
Step 1 In the user view, enable the current interface to send messages to another administrator interface.
send { all | ui-type ui-number | ui-number }
Step 2 Enter a message to be sent and press Ctrl+Z or Enter to send the message.
----End
Step 1 View online administrator information, including interfaces to which the administrators log in.
Write down the administrators to be logged out and their administrator interfaces.
display users
Step 2 In the user view, specify an interface to which administrators logged in are to be logged out.
free user-interface { ui-number | ui-type ui-number }
----End
Run the commands listed in Table 5-11 in any view to display information about CLI
administrator interfaces and administrator accounts.
Table 5-11 Displaying information about CLI administrator interfaces and administrator
accounts
Action Command
5.2.4.1 Example for Logging in to the Web UI Using HTTPS (Default Certificate)
This section provides an example of how to configure HTTPS using the web and log in to the
web UI.
Context
If the client logs in to the device using HTTPS, the device sends a default or specified certificate
to the client. If the device sends a default certificate to the client, the client cannot verify the
certificate and is prone to attacks. You are advised to use the specified certificate for security.
For details, see Logging in to the web UI Using HTTPS (Specified Certificate).
Networking Requirements
Figure 5-6 shows how to configure local authentication administrator webadmin that can use
HTTPS to log in to the web UI on the NGFW.
Figure 5-6 Networking diagram of logging in to the web UI using HTTPS (default certificate): administrator PC (10.3.0.10/24) connected to NGFW interface GE1/0/3 (10.3.0.1/24)
Data Planning
Item: Administrator account; Data: webadmin
Item: Password; Data: Myadmin@123
Configuration Roadmap
1. Enable the HTTPS server on the interface.
2. Create an administrator role.
3. Create an administrator account and set the authentication mode, administrator role, and
trusted host.
4. Enable the HTTPS service and set the web service timeout period.
NOTE
This section describes only how to configure an administrator.
Procedure
Step 1 Enable the HTTPS server on interface GigabitEthernet 1/0/3.
NOTE
If you use the default settings of management interface GigabitEthernet 0/0/0 to log in to the device, skip
this step.
Because the default IP address of the management interface has been set to 192.168.0.1, the interface has
been added to the Trust zone, and the administrator is allowed to log in to the device using HTTPS.
1. Choose Network > Interface.
2. Click the modify icon for interface GE1/0/3 and set the parameters as follows:
Zone trust
IP Address 10.3.0.1/255.255.255.0
3. Click OK.
Step 2 Create administrator role service-admin and set the parameters as follows:
Name service-admin
Description policy_object_network_readwrite_and_other_modules_none
Popedom policy, object, and network: read-write; dashboard, monitor, and system: none
3. Click OK.
Step 3 Create administrator webadmin with local authentication, bind it to the role, and restrict it to the trusted host range. Set the parameters as follows:
Password Myadmin@123
Role service-admin
Advanced
Trusted Host 10.3.0.0/255.255.255.0
3. Click OK.
Step 4 Enable the HTTPS service (default certificate) and set the service port and web service timeout
period.
1. Choose System > Admin > Settings.
2. Select Enable next to HTTPS Service.
3. Enter 8443 for HTTPS Port.
4. Enter 5 for Web Timeout.
5. Click Apply.
Step 5 In the upper right of the page, click Save Then click OK in the dialog box that is displayed.
Step 6 Open a browser and enter https://10.3.0.1:8443.
NOTE
The browser warns that the certificate is not trusted because the default certificate is issued by a CA the browser does not know. You can continue, but the browser then cannot distinguish the NGFW from a host interposed on the path; accept this only on an isolated management network, and otherwise use a specified certificate as described in 5.2.4.2.
Step 7 On the login UI, enter user name webadmin and password Myadmin@123 and click Login to
access the web UI.
----End
Configuration Script
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage https permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
acl number 2000
rule 5 permit source 10.3.0.0 0.0.0.255
#
web-manager security cipher-suit medium-strength high-strength
web-manager security version sslv3 tlsv1 tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable port 8443
web-manager timeout 5
#
aaa
authentication-scheme default
#
manager-user webadmin
5.2.4.2 Example for Logging In to the Web UI Using HTTPS (Specified Certificate)
This section provides an example for configuring HTTPS (specified certificate) using the CLI
and logging in to the web UI.
Networking Requirements
Figure 5-7 shows how to configure NGFW authentication administrator webadmin that can
use HTTPS to log in to the web UI.
Figure 5-7 Networking diagram of logging in to the web UI using HTTPS (specified certificate): administrator PC (10.3.0.10/24) connected to NGFW interface GE1/0/3 (10.3.0.1/24)
Data Planning
Item: Administrator account; Data: webadmin
Item: Password; Data: Myadmin@123
Item: CA certificate; Data: cep_ca.cer
Item: Local certificate; Data: cep_local.cer
Item: HTTPS port; Data: 8443
Configuration Roadmap
1. Assign the administrator and device the certificates from one Certificate Authority (CA)
for connection security.
2. Enable the web service on the device and HTTPS on the interface so that the administrator
can log in to the web UI using HTTPS.
3. Create an administrator account and configure a trusted host for the administrator.
4. Set an IP address for the administrator PC.
Procedure
Step 1 Configure the certificate.
1. The NGFW generates a certificate request file. An administrator sends the file to the CA server through the web, removable media, or email to apply for a certificate, and the CA server issues the certificate. The administrator then uses HTTP, LDAP, or another method to download the CA certificate and the local certificate from the server that stores them to the NGFW memory and installs them. For the detailed configuration process, see Certificate.
NOTE
CA certificate cep_ca.cer and local certificate cep_local.cer are used as examples.
2. Optional: Obtain the CA certificate and import it to the browser of the administrator PC
(client). For details, refer to the help of the browser.
NOTE
Although the client can still access the device through HTTPS even if the CA certificate is not
imported to the browser, the client cannot verify the certificate and is prone to attacks.
3. Configure the device to send a certificate to the client when the client accesses the device
using HTTPS.
<NGFW> system-view
[NGFW] web-manager security server-certificate cep_local.cer
The device and PC must support the same SSL and encryption algorithm. If not, the SSL
negotiation fails.
4. Optional: Configure the automatic lockout function upon a failed login on the web
administrator UI. The number of allowed login attempts is 5.
NOTE
By default, the web administrator account is blacklisted for 10 minutes after three consecutive
authentication failures. The lockout duration cannot be modified.
[NGFW] firewall blacklist authentication-count login-failed 5
Step 2 Log in to the web UI.
1. Open a browser and enter https://10.3.0.1:8443. The address must be the same as the one specified in the certificate (cep_local.cer); otherwise the browser reports a name mismatch.
2. On the login UI, enter user name webadmin and password Myadmin@123 and click Login to access the web UI.
----End
Configuration Script
The configuration script of the administrator and web service is as follows:
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage https permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
acl number 2001
rule 5 permit source 10.3.0.0 0.0.0.255
#
web-manager security cipher-suit medium-strength high-strength
web-manager security version sslv3 tlsv1 tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable port 8443
web-manager timeout 5
#
aaa
authentication-scheme default
#
manager-user webadmin
password cipher %@%@fPXYG8r|>17U(MYaBLw0OE<3BRR/*~[B0>uW"^/){U_>wKB=%@%@
service-type web
access-limit 10
acl-number 2001
authentication-scheme admin_local
#
bind manager-user webadmin role service-admin
role service-admin
description policy_object_network_readwrite_and_other_modules_none
dashboard none
monitor none
system none
network read-write
object read-write
policy read-write
return
Context
NOTE
Telnet login is not secure. You are advised to log in to the CLI using STelnet.
Networking Requirements
Figure 5-8 shows that the NGFW has a local administrator. The local administrator has some
administrator permissions and can use the Telnet to log in to the CLI only from a local PC for
NGFW management and maintenance.
Figure 5-8 Networking diagram of logging in to the CLI using Telnet: administrator PC (10.3.0.100/24) connected to NGFW interface GE1/0/3 (10.3.0.1/24)
Data Planning
Item: Administrator account; Data: vtyadmin (level 3, service type Telnet)
Configuration Roadmap
1. Configurations on the NGFW are as follows:
a. Enable the Telnet service on the NGFW.
b. Configure the administrator login interface.
Procedure
Step 1 If you are logging in to the CLI for the first time, see Logging In to the CLI Through the Console Port and set up the Telnet login environment.
Step 2 Enable the Telnet service for IPv4 or IPv6. IPv4 is used as an example.
<NGFW> system-view
[NGFW] telnet server enable
If you use the default settings of management interface GigabitEthernet 0/0/0 to log in to the device, do
not perform this step.
Because the default IP address of the management interface has been set to 192.168.0.1, the interface has
been added to the Trust zone, and the administrator is allowed to log in to the device using Telnet.
1. Configure the interface IP address and interface-based access control and enable the
administrator to log in to the device through Telnet.
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[NGFW-GigabitEthernet1/0/3] service-manage enable
[NGFW-GigabitEthernet1/0/3] service-manage telnet permit
[NGFW-GigabitEthernet1/0/3] quit
NOTE
The number of default VTY administrator interface is five. To add more interfaces, run the user-interface
maximum-vty number command.
[NGFW] user-interface vty 0 4
[NGFW-ui-vty0-4] authentication-mode aaa
[NGFW-ui-vty0-4] user privilege level 3
[NGFW-ui-vty0-4] idle-timeout 5
[NGFW-ui-vty0-4] quit
[NGFW] aaa
[NGFW-aaa] manager-user vtyadmin
[NGFW-aaa-manager-user-vtyadmin] password
Enter Password:
Confirm Password:
[NGFW-aaa-manager-user-vtyadmin] level 3
[NGFW-aaa-manager-user-vtyadmin] service-type telnet
[NGFW-aaa-manager-user-vtyadmin] quit
[NGFW-aaa] quit
By default, an account is locked for 30 minutes after three failed login attempts. In the
following example, the account is locked for 10 minutes after two failed login attempts.
[NGFW] aaa
[NGFW-aaa] lock-authentication enable
[NGFW-aaa] lock-authentication failed-count 2
[NGFW-aaa] lock-authentication timeout 10
----End
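A model of the lock-authentication settings just configured (failed-count 2, timeout 10 minutes), added here as an example that is not part of the Huawei guide. It encodes what the page states: the lock is per account, it rejects logins from any IP address and any service except the console, and it does not apply to the system administrator admin. The clock (a counter in minutes), the credential table and the rule that a successful login resets the failure counter are assumptions of the model.

```python
"""Added example (not from the Huawei NGFW guide): model of the lock-authentication
behaviour described above, used to check what a failed-count / timeout setting means
for an online password-guessing attacker.  Stated on the page: the lock is per
account, applies from any IP and any service except the console, and never applies
to the system administrator 'admin'.  Assumed here: a successful login resets the
failure counter, time is a counter in minutes, and the credentials are a sample."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    enabled: bool = True
    failed_count: int = 3      # page: default three failed attempts
    timeout_min: int = 30      # page: default 30 minutes
    exempt: frozenset = frozenset({"admin"})   # page: system administrator admin


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[float] = None       # model time in minutes


class AdminLogin:
    def __init__(self, policy: LockoutPolicy, credentials: Dict[str, str]):
        self.policy = policy
        self.credentials = dict(credentials)   # constructed sample user -> password
        self.state: Dict[str, AccountState] = {}

    def attempt(self, user: str, password: str, now: float, console: bool = False) -> str:
        """Return 'ok', 'bad-password' or 'locked' for one login attempt at time `now`."""
        st = self.state.setdefault(user, AccountState())
        # Console logins, admin and a disabled policy are outside the lockout entirely.
        counted = self.policy.enabled and not console and user not in self.policy.exempt
        if counted and st.locked_until is not None:
            if now < st.locked_until:
                return "locked"        # rejected even with the right password, any IP, any service
            st.locked_until, st.failures = None, 0   # lockout duration has expired
        if self.credentials.get(user) == password:
            st.failures = 0
            return "ok"
        if counted:
            st.failures += 1
            if st.failures >= self.policy.failed_count:
                st.locked_until, st.failures = now + self.policy.timeout_min, 0
        return "bad-password"


def guesses_per_hour(policy: LockoutPolicy) -> float:
    """Upper bound on online guesses per hour against one non-exempt account."""
    if not policy.enabled:
        return float("inf")
    return policy.failed_count * 60 / policy.timeout_min


if __name__ == "__main__":
    page_example = LockoutPolicy(failed_count=2, timeout_min=10)
    print("guesses/hour with the page's settings:", guesses_per_hour(page_example))
    print("guesses/hour with the defaults:       ", guesses_per_hour(LockoutPolicy()))
```

With the page's values an attacker gets at most 12 online guesses per hour per account, against 6 with the defaults; either way the bound only holds for accounts the lock applies to, so admin and console access depend on the interface lock configured in Step 7 of the CLI interface procedure and on physical control of the console port.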
Configuration Script
#
telnet server enable
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage telnet permit
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
idle-timeout 5
#
aaa
authorization-scheme default
lock-authentication enable
lock-authentication failed-count 2
lock-authentication timeout 10
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
manager-user vtyadmin
password cipher %@%@*y:3*ZN}.%%qcL1cCyDwlB.|@XBVMDWq'6JF(iOz2D8>A\SN%@%@
service-type telnet
level 3
authentication-scheme admin_local
#
return
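The configuration scripts in 5.2.4.1 through 5.2.4.3 above show the management-plane settings the notes on this page warn about (Telnet service types, HTTP alongside HTTPS, SSL 3.0 and TLS 1.0/1.1, medium-strength cipher suites, accounts without a trusted-host ACL, AAA without lock-authentication), and the STelnet example that follows adds SSH 1.x compatibility. The audit script below reads a saved script in the "#"-separated form shown on this page and reports those settings, with a hardened variant beside the weak one. It is an added example, not code from the Huawei guide: the two sample scripts are constructed from this page's examples, the severities are this example's judgement, and stelnet server enable in the hardened sample is the assumed STelnet enabling command, since the page's STelnet example is cut off before it.

```python
"""Added example (not from the Huawei NGFW guide): audit a saved NGFW configuration
script in the "#"-separated form shown on this page for management-plane settings the
guide warns about (Telnet/FTP, HTTP without HTTPS redirection, SSL 3.0 / TLS 1.0 /
TLS 1.1, medium-strength cipher suites, SSH 1.x compatibility, administrators without
a trusted-host ACL, AAA without lock-authentication).  Sample scripts are constructed
from this page's examples; the severities are this example's judgement."""
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]   # (severity, context, message)
WEAK_VERSIONS = {"sslv3", "tlsv1", "tlsv1.1", "all"}


def parse_sections(text: str) -> List[List[str]]:
    """Split the script at '#' lines; each section is a context line plus its sub-commands."""
    sections: List[List[str]] = []
    current: List[str] = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line == "return":
            continue
        if line == "#":
            if current:
                sections.append(current)
            current = []
        else:
            current.append(line)
    return sections + ([current] if current else [])


def audit(text: str) -> List[Finding]:
    sections = parse_sections(text)
    flat = [ln for sec in sections for ln in sec]
    has = lambda cmd: any(ln == cmd or ln.startswith(cmd + " ") for ln in flat)
    out: List[Finding] = []
    if has("telnet server enable"):
        out.append(("high", "global", "Telnet server enabled (plaintext logins); use STelnet"))
    if has("ssh server compatible-ssh1x enable"):
        out.append(("high", "global", "SSH 1.x compatibility enabled; SSH-2 clients do not need it"))
    if has("web-manager enable") and not has("web-manager redirect https enable"):
        out.append(("medium", "global", "HTTP web management enabled without redirection to HTTPS"))
    for ln in flat:
        words = ln.split()
        if ln.startswith("web-manager security version "):
            bad = sorted(set(words[3:]) & WEAK_VERSIONS)
            if bad:
                out.append(("high", "global", f"obsolete SSL/TLS versions {' '.join(bad)}; keep only tlsv1.2"))
        elif ln.startswith("web-manager security cipher-suit ") and set(words[3:]) & {"medium-strength", "all"}:
            out.append(("medium", "global", "medium-strength cipher suites allowed; use high-strength only"))
    for head, *body in sections:
        if head == "aaa" and "lock-authentication enable" not in body:
            out.append(("medium", "aaa", "lock-authentication not enabled; no lockout after failed logins"))
        m = re.fullmatch(r"manager-user (\S+)", head)
        if not m:
            continue
        ctx = f"manager-user {m.group(1)}"
        for ln in body:   # service types the page calls a security risk
            weak = sorted({"telnet", "ftp"} & set(ln.split()[1:])) if ln.startswith("service-type ") else []
            if weak:
                out.append(("high", ctx, f"plaintext service type {' '.join(weak)}; use ssh (STelnet/SFTP)"))
        if not any(ln.startswith("acl-number ") for ln in body):
            out.append(("medium", ctx, "no acl-number: logins not restricted to trusted hosts"))
    return out


# Constructed from the Telnet and HTTPS example scripts on this page (ciphertext omitted).
WEAK_SCRIPT = """
#
telnet server enable
#
web-manager security cipher-suit medium-strength high-strength
web-manager security version sslv3 tlsv1 tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable port 8443
#
aaa
#
manager-user vtyadmin
service-type telnet
#
manager-user webadmin
service-type web
acl-number 2001
#
return
"""
# Same device hardened as this page's notes recommend; 'stelnet server enable' is the
# assumed STelnet enabling command (the page's STelnet example is cut off before it).
HARDENED_SCRIPT = """
#
stelnet server enable
#
web-manager security cipher-suit high-strength
web-manager security version tlsv1.2
web-manager security enable port 8443
#
aaa
lock-authentication enable
lock-authentication failed-count 3
lock-authentication timeout 10
#
manager-user sshadmin
service-type ssh
acl-number 2001
#
return
"""

if __name__ == "__main__":
    for sev, ctx, msg in audit(WEAK_SCRIPT):
        print(f"[{sev}] {ctx}: {msg}")
```

Run against the weak sample the audit reports seven findings (three high); the hardened sample reports none. On a real device, feed it the output of display current-configuration; the parser only relies on the "#" section separators, so indentation lost in copying does not matter.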
5.2.4.4 Example for Logging in to the CLI Using STelnet (Password Authentication)
This section provides an example for configuring the administrator PC as the STelnet client and
NGFW as the STelnet server, and how to use the STelnet to log in to the VTY administrator
interface of the NGFW after password authentication.
Networking Requirements
Figure 5-10 shows that the NGFW has an administrator. The administrator wants to use STelnet
to log in to the VTY administrator interface of the NGFW after password authentication and
manage and maintain the NGFW.
Figure 5-10 Networking diagram of using STelnet to log in to the CLI (password authentication): administrator PC (10.2.0.100/24) connected to NGFW interface GE1/0/3 (10.3.0.1/24)
Data Planning
Item: Authentication mode; Data: Password
Item: Password; Data: Mydevice@123
Item: Service type; Data: STelnet
Configuration Roadmap
1. Configure NGFW as the SSH server.
l Enable the SSH service on the interface.
l Configure the VTY administrator interface.
l Create an SSH administrator account and specify the authentication type and service
type.
l Generate a local key pair.
l Enable the STelnet service.
l Configure the SSH service parameters.
2. Configure the administrator PC as the SSH client.
l Set an IP address for the administrator PC.
l Install the PuTTY software.
l Use PuTTY to log in to the NGFW through SSH.
NOTE
The prerequisite is that IP addresses of the interface and administrator PC, security zone, route, and security
policies have been configured. The following example introduces content related only to the administrator.
Procedure
Step 1 Configure the NGFW.
1. Enable the SSH service on interface GigabitEthernet 1/0/3.
<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] service-manage enable
[NGFW-GigabitEthernet1/0/3] service-manage ssh permit
[NGFW-GigabitEthernet1/0/3] quit
3. Create SSH administrator account sshadmin and set the authentication type and service
type to Password and STelnet.
[NGFW] aaa
[NGFW-aaa] manager-user sshadmin
[NGFW-aaa-manager-user-sshadmin] service-type ssh
[NGFW-aaa-manager-user-sshadmin] access-limit 11
[NGFW-aaa-manager-user-sshadmin] level 3
[NGFW-aaa-manager-user-sshadmin] ssh authentication-type password
[NGFW-aaa-manager-user-sshadmin] password
Enter Password:
Confirm Password:
[NGFW-aaa-manager-user-sshadmin] ssh service-type stelnet
[NGFW-aaa-manager-user-sshadmin] quit
[NGFW-aaa] quit
NOTE
The level of an SSH administrator is determined by the administrator level and the level of the
authentication mode or VTY interface. To ensure that the administrator can log in to the device
normally, you are advised to set the administrator level and the VTY interface level to not lower than
3.
4. Generate a local key pair.
[NGFW] rsa local-key-pair create
The key name will be: NGFW_Host
The range of public key size is (512 ~ 2048).
NOTES: A key shorter than 1024 bits may cause security risks.
The generation of a key longer than 512 bits may take several minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
...++++++++
..++++++++
..................................+++++++++
............+++++++++
# Set the listening port of the SSH server to 1025, the authentication timeout period to 80
seconds, the number of authentication retries to 4, and the update interval of the key pair to
1 hour, and enable SSH1.x backward compatibility. (SSH-1 compatibility is needed only for
legacy clients and weakens the server; leave it disabled unless such a client must be supported.)
[NGFW] ssh server port 1025
[NGFW] ssh server timeout 80
[NGFW] ssh server authentication-retries 4
[NGFW] ssh server rekey-interval 1
[NGFW] ssh server compatible-ssh1x enable
b. Choose Connection > SSH in the left Category tree. The interface shown in Figure
5-12 is displayed. In Protocol options, set Preferred SSH protocol version to 2 and
click Open.
c. The host key dialog box shown in Figure 5-13 is displayed upon the first login. Verify
that the displayed host key fingerprint belongs to the NGFW before clicking Yes; accepting
an unverified key exposes the login to a man-in-the-middle attack.
d. In the login page that is displayed, enter SSH administrator account sshadmin and
press Enter. Enter Mydevice@123 and press Enter again. You can log in to
NGFW, as shown in Figure 5-14.
----End
Configuration Script
The configuration script of the NGFW is as follows:
#
stelnet server enable
ssh server port 1025
ssh server timeout 80
ssh server authentication-retries 4
ssh server rekey-interval 1
ssh server compatible-ssh1x enable
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage ssh permit
#
user-interface maximum-vty 11
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
#
aaa
authorization-scheme default
#
manager-user sshadmin
service-type ssh
access-limit 11
level 3
ssh authentication-type password
password cipher %@%@fPXYG8r|>17U(MYaBLw0OE<3BRR/*~[B0>uW"^/){U_>wKB=%@%@
authentication-scheme admin_local
ssh service-type stelnet
#
return
5.2.4.5 Example for Logging In to the CLI Using STelnet (RSA Authentication)
This section describes how to configure the administrator PC as the STelnet client and the
NGFW as the STelnet server, and how to use STelnet to log in to the VTY administrator
interface of the NGFW after RSA authentication.
Networking Requirements
Figure 5-15 shows that the NGFW has an administrator. The administrator wants to use the
STelnet to log in to the VTY administrator interface of the NGFW after RSA authentication and
manage and maintain the NGFW.
Figure 5-15 Networking diagram of using STelnet to log in to the CLI (RSA authentication)
[Figure 5-15: administrator PC (STelnet client, 10.2.0.100/24) connected to interface GE1/0/3 (10.3.0.1/24) of the NGFW]
Data Planning
Item                 Data
Authentication mode  RSA
Service type         STelnet
Configuration Roadmap
1. Generate a local RSA key pair on the PC and an RSA public key in the format supported
by the NGFW.
l Install the PuTTY software.
l Use the PuTTYgen tool to generate a local SSH-RSA key pair.
Procedure
Step 1 Generate an RSA public key on the PC.
1. Install the PuTTY software. Details are omitted.
2. Use the PuTTYgen tool to generate a local SSH-RSA key pair. (PuTTYgen 0.60 is used as
an example in the following part.)
a. Double-click PuTTYgen.exe. The interface shown in Figure 5-16 is displayed. In
Parameters, set Type of key to generate to SSH-2 RSA. Click Generate. The PC
starts to generate a local RSA key pair.
Figure 5-16 Selecting the SSH version for generating the local SSH-RSA key pair
b. Figure 5-17 shows the interface while the local RSA key pair is being generated. Keep
moving the mouse over the blank area of the window (not over the green progress bar)
during generation; otherwise the progress bar stops and key generation halts.
c. Figure 5-18 shows the generation of the local RSA key pair. Do as follows to save
the RSA key pair in the specified format:
l OpenSSH: Copy the marked content in the Key text box.
l PEM: Click Save public key, enter public for the name of the public key file, and
click Save. Click Save private key, enter private for the name of the private key
file, and click Save.
NOTE
To enhance security, enter a passphrase in the Key passphrase text box and again in the
Confirm passphrase text box. The private key is then stored encrypted, and the passphrase is
required each time the key pair is used.
3. Save the RSA public key of the intranet PC. In this example, the RSA public key is saved
in the OpenSSH coding format.
4. Create an SSH administrator account and specify the authentication type and service type.
# Create SSH administrator account sshadmin and set the authentication type to RSA,
bound key to key_pc, and service type to STelnet.
[NGFW] aaa
[NGFW-aaa] manager-user sshadmin
[NGFW-aaa-manager-user-sshadmin] service-type ssh
[NGFW-aaa-manager-user-sshadmin] access-limit 11
[NGFW-aaa-manager-user-sshadmin] level 3
[NGFW-aaa-manager-user-sshadmin] ssh authentication-type rsa
[NGFW-aaa-manager-user-sshadmin] ssh assign rsa-key key_pc
[NGFW-aaa-manager-user-sshadmin] ssh service-type stelnet
[NGFW-aaa-manager-user-sshadmin] quit
[NGFW-aaa] quit
NOTE
The level of an SSH administrator is determined by the administrator level and the level of the
authentication mode or VTY interface. To ensure that the administrator can log in to the device
normally, you are advised to set the administrator level and the VTY interface level to not lower than
3.
5. Enable the STelnet service.
[NGFW] stelnet server enable
# Set the listening port of the SSH server to 1025, the authentication timeout period to 80
seconds, the number of authentication retries to 4, and the update interval of the key pair to
1 hour, and enable SSH1.x backward compatibility. (SSH-1 compatibility is needed only for
legacy clients and weakens the server; leave it disabled unless such a client must be supported.)
[NGFW] ssh server port 1025
[NGFW] ssh server timeout 80
[NGFW] ssh server authentication-retries 4
[NGFW] ssh server rekey-interval 1
[NGFW] ssh server compatible-ssh1x enable
b. Choose Connection > SSH in the left Category tree. The interface shown in Figure
5-20 is displayed. In the Protocol options area, set Preferred SSH protocol
version to 2.
c. Select Auth in SSH. The dialog box shown in Figure 5-21 is displayed. Click
Browse, import the private key file private.ppk in the saved SSH-RSA key pair.
Figure 5-21 Importing the private key in the SSH-RSA key pair
d. Click Session, enter ssh-rsa in the Saved Sessions text box, and click Save to save
the SSH session, as shown in Figure 5-22.
NOTE
The saved session will be used when the PSFTP tool is used for SFTP login. Besides, no
configuration is required for future STelnet login. You can double-click the SSH session to
open the login page.
Figure 5-22 Saving the SSH session
e. Enter SSH administrator account sshadmin in the login page that is displayed and
press Enter. You can log in to the NGFW, as shown in Figure 5-23.
NOTE
If a password is specified for using the key pair, you must enter the password for the login.
----End
Configuration Script
#
stelnet server enable
ssh server port 1025
ssh server timeout 80
ssh server authentication-retries 4
ssh server rekey-interval 1
ssh server compatible-ssh1x enable
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage ssh permit
#
user-interface maximum-vty 11
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
#
aaa
authorization-scheme default
#
manager-user sshadmin
service-type ssh
access-limit 11
level 3
ssh authentication-type rsa
ssh assign rsa-key key_pc
authentication-scheme admin_local
ssh service-type stelnet
#
return
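Reviewing a script like the two above by eye is error-prone, so here is an added Python example, written for this page and not part of the guide or of Huawei's software, that audits a saved NGFW configuration script for the settings a security reviewer would flag: SSH1.x compatibility enabled, an administrator allowed to use Telnet, Telnet permitted on an interface, a VTY interface not using AAA authentication, and password rather than RSA authentication for an SSH administrator. The sample configuration is constructed from the scripts in this section (vtyadmin from the Telnet example, sshadmin from the password example); the severity labels and messages are this script's own conventions, not anything the NGFW reports.

```python
import re

# Constructed sample, assembled from the configuration scripts in this section:
# vtyadmin comes from the Telnet example, sshadmin from the STelnet password example.
SAMPLE_CONFIG = """\
#
stelnet server enable
ssh server port 1025
ssh server timeout 80
ssh server authentication-retries 4
ssh server rekey-interval 1
ssh server compatible-ssh1x enable
#
interface GigabitEthernet1/0/3
 service-manage enable
 service-manage ssh permit
#
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 3
#
aaa
 manager-user vtyadmin
  service-type telnet
  level 3
 manager-user sshadmin
  service-type ssh
  ssh authentication-type password
  ssh service-type stelnet
#
return
"""

# (pattern applied to the stripped line, severity, message). {user} is the
# enclosing manager-user; {m} is the first regex group, if any.
LINE_CHECKS = [
    (re.compile(r"^ssh server compatible-ssh1x enable$"), "high",
     "SSH protocol 1 compatibility is enabled; SSH-1 is cryptographically weak, "
     "so leave it disabled unless a legacy client must be supported"),
    (re.compile(r"^service-manage telnet permit$"), "high",
     "Telnet management is permitted on an interface; credentials cross the "
     "network in plaintext, permit ssh instead"),
    (re.compile(r"^service-type\b.*\btelnet\b"), "high",
     "manager-user {user} may log in over Telnet (plaintext); "
     "use service-type ssh with STelnet"),
    (re.compile(r"^ssh authentication-type password$"), "info",
     "manager-user {user} uses SSH password authentication; RSA authentication "
     "(5.2.4.5) resists password guessing"),
    (re.compile(r"^authentication-mode (?!aaa\b)(\S+)"), "medium",
     "VTY interface uses authentication-mode {m}; aaa ties VTY logins to "
     "individual manager-user accounts"),
]


def audit_ssh_config(config_text):
    """Scan a VRP configuration script line by line.
    Returns a list of (severity, line_number, message) findings in file order."""
    findings = []
    current_user = None
    for number, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("manager-user "):
            current_user = line.split()[1]
        elif line == "#":               # a bare '#' closes the current block
            current_user = None
        for pattern, severity, template in LINE_CHECKS:
            match = pattern.match(line)
            if match:
                message = template.format(
                    user=current_user or "<unknown>",
                    m=match.group(1) if match.groups() else "")
                findings.append((severity, number, message))
    return findings


def is_compliant(config_text):
    """True when the script contains no high-severity finding."""
    return not any(sev == "high" for sev, _, _ in audit_ssh_config(config_text))


if __name__ == "__main__":
    for severity, number, message in audit_ssh_config(SAMPLE_CONFIG):
        print(f"line {number:3d} [{severity:<6}] {message}")
    print("compliant:", is_compliant(SAMPLE_CONFIG))
```

Run it against the output of display current-configuration saved to a file. The checks are plain line matches, so they are easy to extend, for example to flag a user privilege level below 3 or a large ssh server authentication-retries value; on the sample above the script reports the SSH1.x line and the vtyadmin Telnet service as high and the password authentication of sshadmin as informational.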
Prerequisites
l A route exists between the NGFW and the STelnet or Telnet server.
l The STelnet server has been enabled on the server.
l The STelnet or Telnet user information configured on the STelnet or Telnet server has been
obtained.
Networking Requirements
The NGFW logs in to the server using STelnet or Telnet, as shown in Figure 5-24.
NOTICE
During Telnet login, data and passwords are transmitted in plaintext mode, causing security
risks. To secure data transmission, use STelnet instead.
Figure 5-24 Networking diagram of configuring NGFW as a client to log in to other devices
[Figure 5-24: NGFW (STelnet/Telnet client, GE1/0/3 10.1.1.1/24) connected to the STelnet/Telnet server at 10.2.2.1/24]
Procedure
l Configure the NGFW to access the server using Telnet.
1. Enable the Telnet service on the server.
2. Use the NGFW to log in to the server using Telnet.
<NGFW> telnet 10.2.2.1
2. If the STelnet server uses the RSA or password-RSA authentication method, the NGFW's RSA
public key must be bound to the NGFW's STelnet account on the server.
a. Generate a local RSA key pair.
[NGFW] rsa local-key-pair create
The key name will be: NGFW_Host
The range of public key size is (512 ~ 2048).
NOTES: A key shorter than 1024 bits may cause security
risks.
The generation of a key longer than 512 bits may take several
minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
...++++++++
..++++++++
..................................+++++++++
............+++++++++
b. Display the public key. The Key code block in the output is the RSA public key generated
by the client. Copy it and save it so that it can be bound to the NGFW's account on the server.
[NGFW] display rsa local-key-pair public
=====================================================
=====================================================
Time of Key pair created: 11:43:19 2013/9/17
Key name: NGFW_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
EC20AA8E 967145ED 186D85B4 3B928A81 C312F0E2
EF34E96C 944FDE4F 6215B98A C046FB51 A195AA9E
D926DE1B 59C6B87E 024C12D1 078DE2CE E9F9C5E6
C5C2E32D CDD74D33 78E70E64 C6CF46E3 A91F8C87
5354BDDD A1A2C9BB 21112D5E 0D2CB44B
0203
010001
<NGFW> system-view
[NGFW] stelnet 10.2.2.1
----End
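The Key code block printed by display rsa local-key-pair public is a PKCS#1 RSAPublicKey in DER (a SEQUENCE of two INTEGERs, modulus and exponent), whereas an OpenSSH server expects the key as a single ssh-rsa AAAA... line in authorized_keys. The following Python script, added here as an example and not taken from this guide, parses that hex dump and re-encodes it in the RFC 4253 ssh-rsa wire format so the NGFW's key can be bound to its account on an OpenSSH server. The key code is the sample printed above; the comment string NGFW_Host at the end of the line is an arbitrary label and an assumption. The sample dump omits the leading 0x00 byte that strict DER requires when the top bit of the modulus is set, so the parser reads each INTEGER as an unsigned value.

```python
import base64
import struct

# Key code exactly as printed by `display rsa local-key-pair public` above
# (the page's own sample; whitespace is ignored by the parser).
VRP_KEY_CODE = """
3067
0260
EC20AA8E 967145ED 186D85B4 3B928A81 C312F0E2
EF34E96C 944FDE4F 6215B98A C046FB51 A195AA9E
D926DE1B 59C6B87E 024C12D1 078DE2CE E9F9C5E6
C5C2E32D CDD74D33 78E70E64 C6CF46E3 A91F8C87
5354BDDD A1A2C9BB 21112D5E 0D2CB44B
0203
010001
"""


def _read_tlv(buf, pos):
    """Read one DER tag/length/value starting at buf[pos].
    Returns (tag, value_bytes, position_after_value)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: 0x8N then N bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_vrp_rsa_public_key(key_code):
    """Parse the hex dump as PKCS#1 RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }.
    The INTEGERs are read unsigned: the VRP dump leaves out the 0x00 pad byte
    that DER would require in front of a modulus whose top bit is set."""
    der = bytes.fromhex("".join(key_code.split()))
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(body, 0)
    tag_e, e_bytes, _ = _read_tlv(body, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs (modulus, exponent)")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """RFC 4251 'mpint': two's-complement big-endian, so a positive number
    whose top bit is set needs a leading 0x00 byte."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def to_openssh_public_key(n, e, comment="NGFW_Host"):
    """Build an authorized_keys line: 'ssh-rsa' + base64(string "ssh-rsa", mpint e, mpint n).
    The comment is free text; NGFW_Host is just a label (assumption)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


def key_is_acceptable(n, minimum_bits=2048):
    """Enforce a minimum modulus size; the guide's generator itself warns below 1024 bits."""
    return n.bit_length() >= minimum_bits


if __name__ == "__main__":
    modulus, exponent = parse_vrp_rsa_public_key(VRP_KEY_CODE)
    print(f"modulus: {modulus.bit_length()} bits, exponent: {exponent}")
    print(to_openssh_public_key(modulus, exponent))
    print("acceptable (>= 2048 bits):", key_is_acceptable(modulus))
```

The sample modulus is only 768 bits, which is exactly the case the generator's warning about keys shorter than 1024 bits is aimed at; modern OpenSSH releases refuse RSA keys below 1024 bits, so accept the 2048-bit default when creating the pair. The same conversion applies to any other SSH server that reads OpenSSH-format public keys.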
l System administrator account admin and password Admin@123: You can use this account
to log in to the device through the console or web UI for the first login.
l Audit administrator account audit-admin and password Admin@123: This account is for
configuring audit policies and viewing audit logs only.
Both default passwords are published in this guide; change them at the first login, before the
management interfaces are exposed to the network.
# Create a VLAN and add the interfaces to the VLAN. By default, the interfaces belong to
VLAN1.
<NGFW> system-view
[NGFW] vlan 2
[NGFW-vlan-2] quit
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] portswitch
[NGFW-GigabitEthernet1/0/1] port access vlan 2
[NGFW-GigabitEthernet1/0/1] quit
[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] portswitch
[NGFW-GigabitEthernet1/0/2] port access vlan 2
[NGFW-GigabitEthernet1/0/2] quit
Log in to the device using 10.1.3.1 after the configurations are complete.
5.3 Time
This section describes how to set the system time to ensure the proper coordination with other
devices.
----End
Step 2 Select Synchronize the Time with the Local System Time in Configuration Mode.
----End
Enable DST
DST advances the clock by one hour in summer to save energy.
Before you enable DST, configure the system time first.
Item         Description
Offset Time  The offset applied to the system time while DST is in effect.
             For example, set the Start Time to 08:00:00 on the first Monday in March,
             End Time to 10:00:00 on the first Monday in November, and Offset
             Time to 01:00:00. At 08:00:00 on the first Monday in March, the system
             time is automatically changed to 09:00:00. At 10:00:01 on the first Monday
             in November, the system time is automatically changed to 09:00:01.
----End
Context
To ensure the proper coordination with other devices, you must set an accurate system time.
Procedure
Step 1 Set the UTC standard time.
clock datetime HH:MM:SS YYYY/MM/DD
l add indicates that the local time of the time zone specified by time-zone-name is ahead of
UTC (local time = UTC + offset). For example, to set the time zone to GMT+8 for Beijing,
specify add 08:00:00 in this command.
l minus indicates that the local time of the time zone specified by time-zone-name is behind
UTC (local time = UTC - offset). For example, to set the time zone to GMT-8 (US Pacific
Standard Time), specify minus 08:00:00 in this command.
Step 3 Set the DST time zone name, start time, and end time.
clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset
Or:
clock daylight-saving-time time-zone-name repeating start-time { { first |
second | third | fourth | fifth | last } weekday month |
start-date } end-time { { first | second | third | fourth | fifth | last } weekday
month | end-date } offset [ start-year [ end-year ] ]
----End
5.4.1 Overview
A license is an agreement that authorizes the use of a product within a specific scope and for a
specific duration. The license dynamically controls which features are available.
License Definition
A license is a permission or authorization granted by the supplier to the customer regarding the
function, resource, and upgrade service of a product. The license is physically the combination
of a license file and a license authorization certificate.
After the license is purchased, the supplier provides the license authorization certificate that the
user needs to activate the license. The license authorization certificate contains the contract number,
the license activation password, and the content of the license.
A license file is a .dat file obtained after the license is activated. Customers need to load the
license file to the device or software to use the functions that require a license.
License Categories
Licenses are divided into commercial licenses and non-commercial licenses according to their
actual purpose.
l Commercial license
This license is purchased under contract. If the customer needs to use license-controlled
features or the resources beyond the upper quantity limit, the customer must purchase
commercial licenses.
The commercial licenses are permanent or temporary. The permanent commercial license
includes the license certificate and the electronically delivered license file. Unless
otherwise specified, the term commercial license herein refers to permanent commercial
license. The temporary commercial license is for trial use or similar purposes.
l Non-commercial license
The license applies to non-commercial purposes such as internal tests, demonstrations, and
trainings. The non-commercial license requires no contract, and has a limited validity
period, which is no longer than three months.
Content Security Group (File Blocking/Data Filtering/Application Behavior Control/Mail
Filtering/Audit Function): without a license, the functions can be configured but do not take
effect; with a license, the functions are available.
Introduction to License
Only one activated license exists in the system. Activating a new license invalidates the original
one.
After you purchase or renew a license, you can use either of the following methods to activate
a license:
l Local manual activation
After you purchase or renew a license and obtain the license authorization certificate, apply
for and activate the license file manually.
l Automatic online activation
After you purchase or renew a license and obtain the license authorization certificate, obtain
the activation password. The device submits the activation password to the license center
website to automatically activate the license.
If you have not purchased a license, the system provides a two-month trial license that provides
such functions as antivirus, intrusion prevention, and URL remote query.
NOTE
The license certificate is delivered with the product as a paper document (A4 size) or on a CD-ROM.
NOTE
To apply for the licenses of multiple devices, make sure that the entitlement ID corresponds to the ESN.
If you cannot obtain the license file, contact the local technical support personnel.
Step 4 You need to obtain a new license file if you want to expand the license capacity or use new
features that are subject to license control. In this case, follow the preceding steps to apply for
the new license.
The license center automatically combines the licenses for new features with the existing license,
and generates a new license.
Step 5 Log in to the web UI and choose System > License Management.
Step 6 Select Local Manual Activation from the License Activation Mode.
Step 7 Click Browse. Select the license file to be uploaded.
Step 8 Click Activate to activate the uploaded license file.
----End
NOTE
To implement online automatic activation, you need to configure the DNS server and enable the DNS
service.
As shown in Figure 5-25, you can obtain the activation password from the license authorization
certificate in the delivery accessories.
NOTE
The license certificate is delivered with the product as a paper document (A4 size) or on a CD-ROM.
Step 2 Log in to the web UI and choose System > License Management.
Step 3 Select Automatic Online Activation from the License Activation Mode.
Step 4 Enter License Center Domain Name and License Authorization Code.
License Authorization Code: The entitlement ID is listed in the license authorization certificate.
Step 5 Click Activate, and the device automatically activates the license.
----End
Trial License
Step 1 Log in to the web UI and choose System > License Management.
Step 2 Select License trial use from the License Activation Mode.
You can click Stop Trial Use to stop the trial use and then click Activate to resume it. The time
during which the trial use is stopped will not be counted in the trial duration.
----End
Procedure
Step 1 Obtain the activation password.
As shown in Figure 5-27, you can obtain the activation password from the license authorization
certificate in the delivery accessories.
NOTE
The license certificate is delivered with the product as a paper document (A4 size) or on a CD-ROM.
Log in to the device and run the display firewall esn command in any view to obtain the ESN.
Log in to the http://app.huawei.com/isdp and obtain the license file according to the procedure
in the system help or displayed information.
NOTE
To apply for the licenses of multiple devices, make sure that the activation password corresponds to the
ESN.
If the device that you have purchased is a BDL device with a bound license, you need to search for the
ESN when you apply for a license file from the self-service system.
Step 4 You need to obtain a new license file if you want to expand the license capacity or use new
features that are subject to license control. In this case, follow the preceding steps to apply for
the new license.
The license center automatically combines the licenses for new features with the existing license,
and generates a new license.
----End
Context
In some situations you must obtain a revocation code before applying for a new license, for
example when moving a license between devices or when the original license is incompatible
with the upgraded device. Obtain the revocation code first, then use it together with the ESN of
the device to apply for a new license file, and activate the new license file on the device during
the trial period.
The trial period of a license is 60 days, during which all functions and services controlled by the
license are available. You must apply for and activate a new license within those 60 days.
NOTICE
Running the license revoke command causes the license file to be in trial state. The trial period
is 60 days. If the trial period is reached, services will be interrupted. Exercise caution when you
run the license revoke command.
Procedure
Step 1 Access the system view.
system-view
----End
Context
Before uploading the license file, run the dir command in the user view to query the storage
usage. Ensure that there is enough space to save the license file.
Procedure
Step 1 Check whether there is enough space to save the license file.
dir directory
Step 2 Upload the license file and save it in the default root directory.
The suffix of the license file is *.dat. The license file must be saved in the root directory of the
storage device.
For how to upload the license file and save it in the root directory, see 5.10.3.2 Configuring the
NGFW as an FTP Client.
----End
Context
NOTICE
Only one activated license exists in the system. Activating a new license deactivates the original
one.
The license is activated only when the Equipment Serial Number (ESN) of the NGFW matches
the license file.
Procedure
Step 1 Access the system view.
system-view
l Local manual activation: This method is recommended when the device cannot connect to
the Internet. You must manually obtain a license file and upload it to the NGFW to activate
it.
license active file-name
After activating a license, you can run the display license command to view the information
about the license.
----End
Procedure
Step 1 Display the information about the activated license file, activation time, resources and functions
subject to the license, and expiration time.
display license
----End
Before the debugging, you must run the terminal monitor and terminal debugging commands
in the user view to enable the display of logs, messages, debugging messages on the terminal,
so that debugging messages can be displayed on the terminal.
NOTICE
Enabling the debugging function compromises the system performance. Therefore, after
debugging, run the undo debugging all command to disable the debugging function at once.
5.5 SNMP
The Simple Network Management Protocol (SNMP) is a network management protocol widely
used on TCP/IP networks. SNMP provides means to manage network elements (NEs) through
a central computer, that is, the network management system (NMS) in the network management
station (NM station) on which network management software is running. SNMP has three
versions, SNMPv1, SNMPv2c, and SNMPv3. You can enable one or more versions as required.
5.5.1 Overview
The Simple Network Management Protocol (SNMP) is a standard network management protocol
used on TCP/IP networks. Using SNMP, you can manage network elements on a central
computer that runs a network management software, which is also called the Network
Management Station (NM station).
The system for running SNMP consists of the NM station and the agent. SNMP defines how to
transmit management information between the NM station and the agent.
NM Station
The NM station is usually a PC on which the network management software runs.
Agent
The agent is a process that runs on the managed devices.
l Sends a Trap message to the NM station to report abnormal events, such as accessing or
quitting the system view or restarting the system once the trigger conditions configured on
each protocol module are matched.
[Figure: the NM station sends Request messages to the Agent and receives Response messages; the Agent sends Trap messages to the NM station on UDP port 162; the Agent holds the MIB]
SNMP uses a hierarchical naming convention to identify each management variable and to
distinguish between managed objects. This hierarchical structure is similar to a tree with the
nodes representing managed objects. Figure 5-29 shows a managed object that can be identified
by the path from the root to the node representing the managed object.
[Figure 5-29: object tree; managed object B is reached from the root by the path {1.2.1.1}]
In Figure 5-29, managed object B is represented by a string of digits similar to {1.2.1.1}. This
string is the Object Identifier of the managed object. The MIB describes the hierarchical structure
of the tree and is a definite collection of standard variables on monitored network devices.
SNMPv1
l Supports community-name-based access control.
l Supports MIB-view-based access control.
SNMPv2c
l Supports community-name-based access control.
l Supports MIB-view-based access control.
SNMPv3
SNMPv3 inherits the basic functions of SNMPv2c, defines a management framework, introduces
the User-based Security Model (USM), and provides a more secure access mechanism for users.
l Supports user group.
l Supports user-group-based access control.
l Supports user-based access control.
l Supports authentication and encryption mechanisms.
NOTICE
SNMPv3 is recommended, because SNMPv3 is more secure than SNMPv1 or SNMPv2c.
Applicable Environment
In a new network environment, you are advised to select an appropriate SNMP version as
required. In a network environment to be expanded or upgraded, you are advised to select a
proper SNMP version based on the NMS version to ensure proper communication between the
device and the NMS.
SNMPv1: applies to small and simple networks, such as campus networks and small enterprise
networks.
Typical Application
As shown in Figure 5-30, the NMS manages devices through SNMP. By querying and receiving
trap messages sent by managed devices, the NMS can learn about the running status of the
devices. If possible, you can set device parameters for management.
[Figure 5-30: the NMS queries and sets parameters on the managed device; the managed device answers the queries and sends alarms]
5.5.3 Mechanism
This section describes the mechanism of the Simple Network Management Protocol (SNMP).
SNMP Development
SNMP is a network management protocol widely used on TCP/IP networks. In May 1990, RFC
1157 defined the first version of SNMP, namely, SNMPv1. Together with another information
management standard RFC 1155, RFC 1157 delivers a systematic method for monitoring and
managing networks. On this basis, SNMP is widely accepted as the standard for network
management.
SNMP developed rapidly in the early 1990s, but it has obvious weaknesses, such as its inability
to carry large volumes of data and its lack of authentication and encryption mechanisms. Against
this backdrop, SNMPv2, released by the Internet Engineering Task Force (IETF) in 1993,
provides the following features:
l Distributed network management
l Expanded data type
l Massive data transmission, which improves efficiency and performance
l Diversified troubleshooting capabilities
l New centralized processing
l Enhanced data definition language
However, SNMPv2 did not meet all expectations, especially in security: authentication (including
message integrity checking and replay prevention), privacy encryption, authorization and access
control, and remote security configuration and management were all lacking. SNMPv2c, a revised
version released in 1996, delivers enhanced functions but remains weak in security, because it
still uses plaintext community-name authentication.
In January 1998, the IETF SNMPv3 work group proposed RFC 2271 to 2275, which are
developed into SNMPv3. A series of documents define the architecture including all functions
of SNMPv1 and SNMPv2, and new security mechanisms covering authentication and encryption
services. Meanwhile, these files stipulate a set of dedicated network security and access control
rules. That is, SNMPv3 delivers security and management mechanisms based on SNMPv2.
SNMPv3 has a modularized design and facilitates the adding and modification of protocol
functions. SNMPv3 has the following features:
l Adaptability: You can use SNMPv3 to manage simple networks or complex networks.
l Expandability: You can add models as required.
l Security: SNMPv3 has multiple security models.
Figure 5-31 shows the relationship between the NM station and the Agent.
[Figure 5-31: the NM station (UDP port 162) and the Agent (UDP port 161) exchange Request and Response messages]
The NM station performs Get and Set operations on device nodes through the Agent running on
each managed device. Device nodes are uniquely identified by their MIB object identifiers.
l The NM station obtains information about managed devices through operations, such as
Get, Get-Next, and Get-Bulk.
l The NM station uses the Set operation to configure the managed devices.
l The Agent proactively reports trap messages to the NM station, so that the NM station
obtains the operating statuses of the managed devices promptly for you to take proper
measures accordingly.
SNMP Operations
SNMP replaces the complicated command set with the Get-Set operation and delivers all
functions by using operations shown in Figure 5-32.
[Figure 5-32: the NM station (UDP port 162) sends GetRequest, GetNextRequest and SetRequest messages to the Agent (UDP port 161), which answers each with GetResponse; the Agent sends Trap messages to the NM station]
NOTE
The Agent uses well-known port 161 to receive Get or Set packets, whereas the NM station uses well-
known port 162 to receive trap messages.
Action      Function
SetRequest  The NM station sends a SetRequest message to the managed device to set
            values for variables, which adjusts the status of a functional node.
Trap        The managed device proactively sends trap messages to the NM station to
            report events.
Management Model
In the management system of SNMP, the NM station and the Agent exchange signaling.
l The NM station, as the manager, sends SNMP request packets to the Agent.
l The Agent obtains the information to be queried by searching the MIB of the device and
sends an SNMP response packet to the NM station.
l When the module on the device meets the alarm triggering condition that is defined by the
module, the Agent sends a trap message to notify the NM station of the anomaly on the
device, which helps the network administrator clear the anomaly in a timely manner.
Figure 5-33 shows the network management model.
[Figure 5-33: the NMS manages the managed device through its Agent; the Agent's MIB holds the managed objects]
To ensure that each management object in SNMP packets is uniquely identified, SNMP uses a
hierarchical naming scheme to identify a management object. Each managed resource is
expressed as a managed object. The MIB is a collection of managed objects. It defines a series
of attributes, such as the names, access permissions, and data types of the managed objects. The
MIB can also be regarded as an interface between the NM station and the Agent. With this
interface, the NM station has the permission to read or write into each managed object in the
Agent, therefore managing and monitoring devices.
The entire hierarchical structure is like a tree, and each node on the tree represents a managed
object. As shown in Figure 5-34, one path starting from the root can be used to uniquely identify
a managed object.
[Figure 5-34: object tree; managed object B is identified by the path {1.2.1.1} from the root]
Managed object B is uniquely identified by a string of digits enclosed in braces ({}), for
example, {1.2.1.1}. This string of digits is the Object Identifier (OID) of the managed object. The
MIB describes the hierarchical structure of the tree and is the set of standard variables defined
on the monitored network device.
You can use either a standard MIB or user-defined MIB. The former helps reduce the costs of
Agent components or even the entire network management system (NMS).
SNMP MIB employs a tree structure, which is similar to the DNS structure with its root at the
top and no root name. Figure 5-35 shows part of the MIB, which is also called the object naming
tree.
[Figure 5-35: part of the object naming tree: root > ... > dod(6) > internet(1) > ... > system(1), interfaces(2), at(3), ip(4), icmp(5), tcp(6), udp(7), egp(8), ...]
The object naming tree has three top objects. They are ISO, ITU-T (CCITT), and the joint
organization of the two. Object ISO has four nodes. The third node (No. 3) under object ISO is
the identified organization node. The identified organization node has a subnode (No. 6) which
is named Department of Defense (DoD). Under this subnode, there is an Internet node (No. 1).
The default accessible view named Viewdefault is Internet: {1.3.6.1}.
The second node under the Internet node is the management node mgmt, numbered 2. The
management information base node is under mgmt; its original name was MIB. In 1991 a new
version was defined as MIB-II, and the node is now named mib-2. Its identifier is {1.3.6.1.2.1} or
{internet(1).2.1}. This identifier is an object identifier.
The definition of the MIB is independent of the network management protocol. Device vendors
can define MIB nodes according to the relevant standards.
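As an added illustration of the naming tree (example code written for this edit, not part of the Huawei guide), the following Python builds the branch the text walks and resolves the notations used above, such as {1.3.6.1.2.1} and {Internet(1).2.1}. The name org for the identified-organization node is an assumption taken from RFC 1155; the other node names and numbers are those given in the text and in Figure 5-35.

```python
"""Object naming tree walk-through (added example, not from the Huawei guide).

Builds iso(1).org(3).dod(6).internet(1).mgmt(2).mib-2(1) with the mib-2 groups of
Figure 5-35 and resolves the notations the text uses, such as {1.3.6.1.2.1}
and {Internet(1).2.1}. Assumption: the "identified organization" node is
called org, as in RFC 1155.
"""

# name -> (arc number, children); only the branch discussed in the text is filled in
NAMING_TREE = {
    "iso": (1, {
        "org": (3, {
            "dod": (6, {
                "internet": (1, {
                    "mgmt": (2, {
                        "mib-2": (1, {
                            "system": (1, {}), "interface": (2, {}), "at": (3, {}),
                            "ip": (4, {}), "icmp": (5, {}), "tcp": (6, {}),
                            "udp": (7, {}), "egp": (8, {}),
                        }),
                    }),
                }),
            }),
        }),
    }),
}


def _flatten(tree, prefix=()):
    """Map every node name in the tree to (full numeric OID, its children)."""
    out = {}
    for name, (arc, children) in tree.items():
        oid = prefix + (arc,)
        out[name] = (oid, children)
        out.update(_flatten(children, oid))
    return out


NODES = _flatten(NAMING_TREE)
VIEWDEFAULT = (1, 3, 6, 1)          # the internet subtree, as the text states


def dotted(oid):
    """Format an OID tuple in the braces notation the text uses, e.g. {1.3.6.1}."""
    return "{" + ".".join(str(a) for a in oid) + "}"


def resolve(path):
    """Resolve a dotted path to an OID tuple.

    Each component may be a bare number ("2"), a name ("mgmt") or a name with
    its arc ("internet(1)"); the first component may be any named node, so the
    shorthand internet(1).2.1 works. A stated arc that disagrees with the tree
    raises ValueError; an unknown name raises KeyError.
    """
    oid, children = (), NAMING_TREE
    for i, part in enumerate(path.strip("{}").split(".")):
        name, _, stated = part.strip().partition("(")
        name, stated = name.lower(), stated.rstrip(")")
        if name.isdigit():                       # bare sub-identifier
            arc = int(name)
            children = next((c for a, c in children.values() if a == arc), {})
        elif name in children:                   # child of the current node
            arc, children = children[name]
        elif i == 0 and name in NODES:           # shorthand: start at an interior node
            full, children = NODES[name]
            oid, arc = full[:-1], full[-1]
        else:
            raise KeyError(f"unknown node {part!r} below {dotted(oid)}")
        if stated and int(stated) != arc:
            raise ValueError(f"{name} is arc {arc}, not {stated}")
        oid += (arc,)
    return oid


def is_within(oid, subtree):
    """True when `oid` is `subtree` itself or lies below it."""
    return oid[:len(subtree)] == subtree
```

resolve("{Internet(1).2.1}") and resolve("iso.org.dod.internet.mgmt.mib-2") both return (1, 3, 6, 1, 2, 1), and is_within tests a node against the Viewdefault subtree {1.3.6.1}, which is the prefix test the MIB view checks later in this section rely on.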
SMI
The Structure of Management Information (SMI) specifies a set of rules for naming the MIB
and defining MIB OIs, object types, access levels, and statuses. Two SMI versions are available,
SMIv1 and SMIv2.
The following lists the standard data types defined in the SMI.
l INTEGER
l OCTET STRING
l DisplayString
l OBJECT IDENTIFIER
l NULL
l IpAddress
l PhysAddress
l Counter
l Gauge
l TimeTicks
l SEQUENCE
l SEQUENCE OF
Step 3 Set the parameters listed in Table 5-18 and Table 5-19 for connecting managed devices to the
NMS.
Table 5-18
SNMP Version
  Select the version of SNMP.
  The value is negotiated with the peer NMS.
SNMP Read-Only Community Name
  The managed devices use the community name to authenticate NMS users. If you configure
  access permissions on all function modules on the managed devices and an NMS user uses the
  read-only community name for authentication, the user can only view the statuses of the
  function modules.
  The read-only community name on the NMS must be the same as that on the managed devices.
  Otherwise, the NMS fails to access the managed devices. To enhance security, the read-only
  community name is suggested to contain a minimum of eight characters, including at least three
  types of characters from the following four groups: uppercase letters (A to Z), lowercase letters
  (a to z), digits (0 to 9), and special characters, such as exclamation points (!), at signs (@),
  number signs (#), dollar signs ($), and percent (%).
SNMP Read-Write Community Name
  The managed devices use the community name to authenticate NMS users. If you configure
  access permissions on all function modules on the managed devices and an NMS user uses the
  read-write community name for authentication, the user can modify the statuses of the
  function modules. That is, the user can configure the device.
  The read-write community name on the NMS must be the same as that on the managed devices.
  Otherwise, the NMS fails to access the managed devices. To enhance security, the read-write
  community name is suggested to contain a minimum of eight characters, including at least three
  types of characters from the following four groups: uppercase letters (A to Z), lowercase letters
  (a to z), digits (0 to 9), and special characters, such as exclamation points (!), at signs (@),
  number signs (#), dollar signs ($), and percent (%).
Trap Receiving Host: Port: Security Name
  Trap receiving host: IP address of the host that receives trap packets.
  Port: Port on the managed device for sending trap packets to a destination host. Specify this
  parameter when you need to use a non-default port, for example, when port 162 is in use.
  Security Name: Is consistent with the name of the NMS server.
  By default, the UDP port number is 162.
Table 5-19
SNMP Version
  Select the version of the SNMP.
  The value is negotiated with the peer NMS.
User Name
  Enter the user name that is used by an NMS user to access the managed devices.
  The user name on the NMS must be the same as that on the managed devices.
Trap Receiving Host: Port: Security Name
  Trap receiving host: IP address of the host that receives trap packets.
  Port: Port on the managed device for sending trap packets to a destination host. Specify this
  parameter when you need to use a non-default port, for example, when port 162 is in use.
  Security Name: Is consistent with the name of the NMS server.
  By default, the UDP port number is 162.
----End
NOTE
The following describes the flow for configuring SNMPv1/v2c/v3. In practice, their configuration flows differ.
For details, see the following steps.
Generally, the procedure for configuring SNMPv3 significantly differs from the procedures for configuring
SNMPv1 and SNMPv2c. Therefore, details on how to configure basic functions and access permissions are
described independently.
NOTICE
SNMPv3 is recommended, because SNMPv3 is more secure than SNMPv1 or SNMPv2c.
(Flowchart: Start > Configure basic SNMP functions > Configure the device to send alarms to the NMS > Configure interface index attributes > End)
After SNMP configuration is complete, any network management system (NMS) that meets the
requirements and uses the community name for SNMPv1 or SNMPv2c, or the user group for
SNMPv3, can monitor and manage the specified node on the NGFW.
Context
On small user networks where a few devices exist and the network environments (such as campus
and enterprise networks) are relatively secure, SNMPv1 is recommended to ensure the
communication between the NMS and the devices.
On large user networks where a lot of devices exist, network security is less demanding or the
network environments (such as the VPN) are relatively secure, but traffic congestion may occur
due to busy services, SNMPv2c is recommended to ensure the communication.
NOTICE
SNMPv3 is recommended, because SNMPv3 is more secure than SNMPv1 or SNMPv2c. For
details, see 5.5.5.3 Configuring SNMPv3.
Procedure
Step 1 Access the system view.
system-view
By default, the SNMP agent function is disabled. Running any command with the parameter
snmp-agent can enable the SNMP agent function. Therefore, this step is optional.
The SNMP version must be the same as that of the NMS software.
After SNMPv1 is enabled on the managed device, and because SNMPv3 is enabled by default,
the device supports both SNMPv1 and SNMPv3. This means that the device can be monitored
and managed by NMSs running SNMPv1 or SNMPv3.
After SNMPv2c is enabled on the managed device, and because SNMPv3 is enabled by default,
the device supports both SNMPv2c and SNMPv3. This means that the device can be monitored
and managed by NMSs running SNMPv2c or SNMPv3.
When the snmp-agent sys-info version all command is executed, the managed device supports
all SNMP versions. That is, the NMS running SNMPv1, SNMPv2c, and SNMPv3 can monitor
and manage the device.
Step 4 Optional: Use the ACL to define the IP address of the NMS allowed to manage the NGFW.
When multiple NMSs use the same community name to manage an NGFW but only some NMSs
have the permission to access the Viewdefault view (MIB object 1.3.6.1), perform this step.
1. Create a basic ACL.
acl acl-number
NOTICE
After an NMS is allowed to access the NGFW and the IP address of the NMS changes,
modify the setting of the IP address in the ACL. Otherwise, the NMS fails to access the
NGFW.
Step 5 Optional: Permit or deny the MIB nodes managed by the NMS in the MIB view.
To enable the NMS to manage only the specified node on the NGFW, perform this step.
Create a MIB view and specify the object to be monitored and managed by the NMS.
snmp-agent mib-view { excluded | included } view-name oid-tree
To enable the NMS to manage most MIB nodes on the NGFW or disable NMS' access to only
certain nodes in the existing MIB view, set the excluded parameter to exclude these MIB nodes.
To enable the NMS to manage a few MIB nodes on the NGFW or enable NMS' access to certain
nodes in the existing MIB view, set the included parameter to add these manageable MIB nodes.
After the configuration is complete, only these manageable MIB nodes are accessible to the
NMS.
Step 6 Optional: Enable the SNMP community name complexity check function.
snmp-agent password complexity-check enable
Step 7 Set the read-only community name or the read-write community name of the NGFW and specify
the NMS and the manageable view.
snmp-agent community { read | write } community-name [ mib-view view-name | acl acl-number ]*
To enhance security, the community name is suggested to contain a minimum of eight characters,
including at least three types of characters from the following four groups: uppercase letters (A
to Z), lowercase letters (a to z), digits (0 to 9), and special characters, such as exclamation points
(!), at signs (@), number signs (#), dollar signs ($), and percent (%).
The community name of the NGFW must be the same as that specified in the NMS software.
If the community name is set and no MIB view is configured, the NMS that uses the community
name has permissions to access objects in the Viewdefault view (MIB object: 1.3.6.1).
To grant read-only permission to the NMS in the specified view for a low-level NMS
administrator to read certain data, use parameter read in the command.
To grant read and write permission to the NMS in the specified view for a high-level NMS
administrator to read certain data, use parameter write in the command.
If you specify an NMS in Step 4 and a MIB node in Step 5, you need to configure view-name
and acl-number for them to take effect.
Step 8 Optional: Specify the device administrator's contact information or device location.
snmp-agent sys-info { contact contact | location location }
By default, the device administrator's contact information is R&D. The default location of the
NGFW is China.
This step is required when the NMS administrator needs to know equipment administrators'
contact information or location of the NGFW if the NMS manages multiple devices. This allows
the NMS administrator to quickly contact the device administrator for fault location and
rectification.
To configure both the equipment administrator's contact information and location of the
NGFW, you need to run the command twice to configure them separately.
Step 9 Optional: Set the maximum size of an SNMP packet that the NGFW can receive or send.
snmp-agent packet max-size byte-count
By default, the maximum size of an SNMP packet that the NGFW can receive or send is 1500
bytes.
After the maximum size is specified, the NGFW discards any SNMP packet that is larger than
the specified size. You need to set this value based on the size of an SNMP packet that the NMS
can process. Otherwise, the NMS cannot process any SNMP packets from the NGFW.
----End
Example
# Configure SNMPv2c for the NGFW, set the read-write community name to Admin@123,
allow the NMS at 10.1.1.2 to manage the system node on the NGFW, and deny the NMS at
10.1.1.1 from managing the system node on the NGFW.
<NGFW> system-view
[NGFW] snmp-agent sys-info version v2c
[NGFW] acl 2001
[NGFW-acl-basic-2001] rule 1 permit source 10.1.1.2 0
[NGFW-acl-basic-2001] rule 6 deny source 10.1.1.1 0
[NGFW-acl-basic-2001] quit
[NGFW] snmp-agent mib-view included sys system
[NGFW] snmp-agent community write Admin@123 mib-view sys acl 2001
After the NGFW is routable to the NMSs, the NMS at 10.1.1.2, which runs SNMPv2c and uses
the read-write community name Admin@123, can manage the system node on the NGFW.
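The following Python is an added example (not Huawei code) that models the access decision the steps above configure for an SNMPv1/v2c request: the basic ACL of Step 4, the MIB view of Step 5 with its included and excluded entries, the community name complexity rule of Step 6, and the read or write right of Step 7. It mirrors the example configuration just shown (ACL 2001, view sys, community Admin@123). The same ACL and MIB view logic applies to the SNMPv3 user group configured in the next section. Two assumptions are labelled in the code: a source address that matches no ACL rule is refused, and the CLI wildcard 0 is written as 0.0.0.0.

```python
"""Access decision for a community request (added example, not Huawei code).

Models the checks the procedure configures: the basic ACL (Step 4), the MIB
view (Step 5), the complexity rule (Step 6) and the community's read/write
right (Step 7). Assumptions: a source that matches no ACL rule is refused, and
the CLI wildcard "0" is written as 0.0.0.0 here.
"""
import ipaddress
from dataclasses import dataclass

# A MIB view is a list of (included|excluded, OID tuple) entries; the most
# specific (longest) matching entry decides whether an OID is visible.
VIEWDEFAULT = [("included", (1, 3, 6, 1))]     # the internet subtree
SYSTEM = (1, 3, 6, 1, 2, 1, 1)                   # mib-2.system
INTERFACES = (1, 3, 6, 1, 2, 1, 2)               # mib-2.interface


@dataclass
class Community:
    name: str
    access: str            # "read" or "write", as in snmp-agent community
    view: list = None      # MIB view entries; None means Viewdefault
    acl: list = None       # [(action, address, wildcard)] in rule order; None means any NMS


def complexity_ok(name):
    """The guide's rule: at least eight characters and three of the four classes."""
    classes = (any(c.isupper() for c in name), any(c.islower() for c in name),
               any(c.isdigit() for c in name), any(not c.isalnum() for c in name))
    return len(name) >= 8 and sum(classes) >= 3


def acl_permits(rules, source):
    """Basic ACL match: wildcard bits set to 1 are ignored; the first matching rule wins."""
    src = int(ipaddress.IPv4Address(source))
    for action, address, wildcard in rules:
        net = int(ipaddress.IPv4Address(address))
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if ((src ^ net) & care) == 0:
            return action == "permit"
    return False                      # assumption: unmatched sources are refused


def view_allows(view, oid):
    """Longest-prefix lookup over the view entries."""
    best = None
    for kind, subtree in view:
        if oid[:len(subtree)] == subtree and (best is None or len(subtree) > len(best[1])):
            best = (kind, subtree)
    return best is not None and best[0] == "included"


def decide(communities, source, name, oid, write=False):
    """Return "ok" or the first reason the request is refused."""
    community = next((c for c in communities if c.name == name), None)
    if community is None:
        return "unknown community name"
    if community.acl is not None and not acl_permits(community.acl, source):
        return "source address denied by acl"
    if not view_allows(community.view or VIEWDEFAULT, oid):
        return "object outside mib view"
    if write and community.access != "write":
        return "read-only community"
    return "ok"


# Constructed configuration mirroring the guide's SNMPv2c example:
# acl 2001 permits 10.1.1.2 and denies 10.1.1.1; view "sys" includes system.
ACL_2001 = [("permit", "10.1.1.2", "0.0.0.0"), ("deny", "10.1.1.1", "0.0.0.0")]
EXAMPLE = [Community("Admin@123", "write", view=[("included", SYSTEM)], acl=ACL_2001)]
```

With this configuration a Set from 10.1.1.2 on sysContact (under system) returns "ok", the same request from 10.1.1.1 is refused by the ACL, and a Get on an interfaces object from 10.1.1.2 is refused because it lies outside view sys; an excluded entry placed below an included one removes only that subtree, as Step 5 describes.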
Context
SNMPv3 is recommended for the scenarios where the user network poses high requirements on
security and only legitimate administrators can manage network devices. For example, the
communication data between the NMS and the managed device needs to be transmitted over the
public network. The authentication and encryption functions of SNMPv3 secure transmitted data
and ensure proper communication between the NMS and the managed device.
Procedure
Step 1 Access the system view.
system-view
By default, the SNMP agent function is disabled. Running any command with the parameter
snmp-agent can enable the SNMP agent function. Therefore, this step is optional.
Step 4 Optional: Use the ACL to define the IP address of the NMS allowed to manage the NGFW.
When multiple NMSs use the same SNMPv3 user group to manage an NGFW but only some
NMSs have the permission to access the Viewdefault view (MIB node 1.3.6.1), perform this
step.
1. Create a basic ACL.
acl acl-number
NOTICE
After an NMS is allowed to access the NGFW and the IP address of the NMS changes,
modify the setting of the IP address in the ACL. Otherwise, the NMS fails to access the
NGFW.
Step 5 Optional: Permit or deny the MIB nodes managed by the NMS in the MIB view.
To enable the NMS to manage only the specified node on the NGFW, perform this step.
Create a MIB view and specify the object to be monitored and managed by the NMS.
snmp-agent mib-view { excluded | included } view-name oid-tree
By default, an NMS has permissions to access the objects in the Viewdefault view (MIB object:
1.3.6.1).
To enable the NMS to manage most MIB nodes on the NGFW or disable NMS' access to only
certain nodes in the existing MIB view, set the excluded parameter to exclude these MIB nodes.
To enable the NMS to manage a few MIB nodes on the NGFW or enable NMS' access to certain
nodes in the existing MIB view, set the included parameter to add these manageable MIB nodes.
After the configuration is complete, only these manageable MIB nodes are accessible to the
NMS.
Step 6 Configure an SNMP user group and reference the ACL and MIB view to enable the specified
user group to manage the specified MIB nodes on the NGFW.
snmp-agent group v3 group-name [ read-view read-view | write-view write-view | notify-view notify-view ]* [ acl acl-number ]
A user group is a collection of users with certain permissions, such as the permission on a certain
view.
NOTE
If the NMS or NGFWs are on an insecure network (for example, the network is vulnerable to attacks), you are
advised to configure parameters privacy in the command to enable data authentication and encryption and
configure the different authentication and encryption password for the user.
perform operations on the same device. In this mode, only the authenticated administrators
can operate the managed device.
l Authentication and encryption: privacy is also configured in the command. This mode
applies to insecure networks managed by multiple administrators who may frequently
perform operations on the same device. In this mode, only the authenticated administrators
can access the managed device, and transmitted data is encrypted to avoid data interception
and data leak.
To grant the read-only permission (for a low-level administrator) to the NMS in the specified
view, use parameter read-view. To grant the read-write permission (for a high-level
administrator) to the NMS in the specified view, use parameter write-view.
To filter out useless alarms, use parameter notify-view notify-view to limit the MIB nodes that
send alarms to the NMS. Then the NGFW sends the alarms from only the MIB nodes that are
specified by parameter notify-view to the NMS.
After you configure the user group, run the snmp-agent usm-user command to add a user to
the user group. Then the NMS can access the NGFW with the user name after authentication
and authorization.
Step 7 Optional: Enable authentication and encryption password complexity checks for SNMP users.
snmp-agent password complexity-check enable
Step 8 Configure an SNMP user and add the user to the user group that is created by the snmp-agent
group command.
snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } password [ privacy-mode { des56 | aes128 } password ] ]
The user name, password, and authentication and encryption modes must be the same as those
configured on the NMS.
After authentication and encryption are enabled for the user group, the users must select a proper
mode to authenticate and encrypt data for transmission and configure the different authentication
and encryption password.
l Authentication mode
– Message Digest 5 (MD5): generates a 128-bit message digest for an input message of any
length.
– Secure Hash Algorithm (SHA-1): generates a 160-bit message digest for an input message
of less than 2^64 bits.
MD5 is faster than SHA-1, but is considered less secure.
l Encryption mode
– DES56: uses a 56-bit key to encrypt a plain text block.
– AES128: uses a 128-bit key to encrypt a plain text block.
DES56 is less secure, and it is recommended to use AES128.
When authentication and encryption are disabled for the user group and the parameters are
specified using this command, no encryption and authentication parameters are required for the
NMS to connect to the NGFW.
NOTE
l User groups with the same name can be configured. These user groups may adopt different authentication
modes (authentication and encryption, authentication and non-encryption, or non-authentication and non-
encryption). User selection (such as using the MIB tool) determines the actual authentication mode.
l When user groups with the same name exist, one user group may be mistakenly configured with an
unexpected authentication mode. Non-authentication and non-encryption pose security risks.
Step 9 Optional: Specify the device administrator's contact information or device location.
snmp-agent sys-info { contact contact | location location }
This step is required when the NMS administrator needs to know the device administrators'
contact information or location of the NGFW if the NMS manages multiple devices. This allows
the NMS administrator to quickly contact the device administrators for fault location and
rectification.
To configure both the equipment administrator's contact information and location of the
NGFW, you need to run the command twice to configure them separately.
Step 10 Optional: Set the maximum size of an SNMP packet that the NGFW receives or sends.
snmp-agent packet max-size byte-count
By default, the maximum size of an SNMP packet that the NGFW receives or sends is 1500
bytes.
After the maximum size is specified, the NGFW discards any SNMP packet that is larger than
the specified size. You need to set this value based on the size of an SNMP packet that the NMS
can process. Otherwise, the NMS cannot process the SNMP packets from the NGFW.
----End
Example
# Configure SNMPv3 for the NGFW, set the user name of user group Testgroup to Testuser,
enable MD5 authentication on the user, allow the NMS at 10.1.1.2 to manage the NGFW, and
deny the NMS at 10.1.1.1 from managing the NGFW.
<NGFW> system-view
[NGFW] snmp-agent sys-info version v3
[NGFW] acl 2001
[NGFW-acl-basic-2001] rule 1 permit source 10.1.1.2 0
[NGFW-acl-basic-2001] rule 6 deny source 10.1.1.1 0
[NGFW-acl-basic-2001] quit
[NGFW] snmp-agent mib-view included sys system
[NGFW] snmp-agent group v3 Testgroup privacy write-view sys acl 2001
[NGFW] snmp-agent usm-user v3 Testuser Testgroup authentication-mode sha Password@123 privacy-mode aes128 Password@123
After you connect NMSs to the NGFW, select SNMPv3 for the SNMP version, and configure
the user and authentication parameters on the NMSs, the NMS at 10.1.1.2 and which is a member
of user group Testgroup can manage the system node of the NGFW.
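To show what the authentication-mode and privacy-mode passwords of Step 8 become on the wire, the following Python is an added example (not Huawei code) that implements the RFC 3414 password-to-key algorithm both the NMS and the agent run, including localization with the agent's engine ID (the value a configuration script shows as snmp-agent local-engineid). It also demonstrates why the NOTE under Step 6 asks for different authentication and encryption passwords: the example above uses Password@123 for both, and the code shows that the resulting privacy key is then a prefix of the authentication key. Assumptions: the md5 and sha keywords map to MD5 and SHA-1; des56 takes the first 8 bytes of the localized key as the key and the next 8 as the pre-IV, aes128 takes the first 16 bytes (RFC 3414 and RFC 3826); the RFC 3414 Appendix A test vector (password maplesyrup, engine ID 00 00 00 00 00 00 00 00 00 00 00 02) is used as the sample input.

```python
"""USM key derivation for an SNMPv3 user (added example, not Huawei code).

RFC 3414 password-to-key: the password is repeated to fill 1 MiB and hashed
into Ku, then "localized" with the agent's engine ID into Kul. Assumptions:
md5/sha map to MD5/SHA-1; des56 uses the first 8 bytes of Kul as key and the
next 8 as pre-IV; aes128 uses the first 16 bytes.
"""
import hashlib

ALGOS = {"md5": hashlib.md5, "sha": hashlib.sha1}      # CLI keyword -> hash
PRIV_KEY_BYTES = {"des56": 8, "aes128": 16}


def derive_ku(password: bytes, auth_mode: str) -> bytes:
    """Ku: hash of the password repeated to fill 1,048,576 bytes."""
    size = 1_048_576
    h = ALGOS[auth_mode]()
    h.update((password * (size // len(password) + 1))[:size])
    return h.digest()


def localize(ku: bytes, engine_id: bytes, auth_mode: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): different for every agent, so a key
    recovered from one device does not work on another with the same password."""
    return ALGOS[auth_mode](ku + engine_id + ku).digest()


def usm_keys(auth_password, priv_password, engine_id, auth_mode, priv_mode):
    """Keys the agent and NMS derive for one usm-user; the privacy key is
    derived with the authentication hash, as RFC 3414 specifies."""
    auth_key = localize(derive_ku(auth_password, auth_mode), engine_id, auth_mode)
    priv_kul = localize(derive_ku(priv_password, auth_mode), engine_id, auth_mode)
    return {
        "auth_key": auth_key,
        "priv_key": priv_kul[:PRIV_KEY_BYTES[priv_mode]],
        "pre_iv": priv_kul[8:16] if priv_mode == "des56" else b"",
    }


def same_password_shares_keys(password, engine_id, auth_mode, priv_mode):
    """Why the guide asks for different authentication and encryption
    passwords: with one password the privacy key is a prefix of the auth key."""
    keys = usm_keys(password, password, engine_id, auth_mode, priv_mode)
    return keys["auth_key"].startswith(keys["priv_key"])


# RFC 3414 Appendix A test vector, used here as the sample input.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
```

derive_ku and localize reproduce the RFC 3414 Appendix A values for maplesyrup, and same_password_shares_keys(b"Password@123", ...) returns True, which is the condition the NOTE under Step 6 warns against.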
Context
NOTE
The NGFW sends Inform messages only when it uses SNMPv2c to communicate with the NMS.
Procedure
Step 1 Enable the information center (enabled by default).
1. Access the system view.
system-view
Step 2 Send trap messages to the SNMP Agent. (By default, trap messages are sent to the SNMP Agent,
and the information level is informational.)
1. Add traps to the information channel.
info-center source { module-name | default } channel { channel-number | channel-name } [ trap { state { off | on } | level severity } * ]
The snmp-agent trap enable command without any parameter enables all modules to send all
types of SNMP trap messages.
Step 4 Set trap parameters. For details on how to set trap parameters, see Setting trap parameters.
For details on how to set Inform parameters, see Setting Inform parameters.
l Set trap parameters.
Specify the destination host which receives error code and trap messages.
snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number ] [ vpn-instance vpn-instance-name ] params securityname security-string [ v1 | v2c | v3 [ authentication | privacy ] ]
1. Specify the destination host which receives error code and Inform messages.
snmp-agent target-host inform address udp-domain ip-address [ udp-port port-number ] [ vpn-instance vpn-instance-name ] params securityname security-string v2c
The default timeout for Inform acknowledgement is 15 seconds, the default number
of Inform retransmission attempts is 3, and the default maximum number of the
Informs to be acknowledged is 39.
Note that the command is used to set global Inform parameters. If both the global
Inform parameters and Inform parameters of a specified host are configured, the latter
takes effect for the specified host.
If the current network is unstable, you need to extend the timeout and increase Inform
retransmission attempts and the maximum number of the Informs to be acknowledged.
You are advised to set the number of Inform retransmission attempts to a value equal
to or less than 10. Otherwise, the performance of the NGFW may deteriorate.
3. Optional:
Set the timeout for Inform acknowledgement and Inform retransmission attempts for
a specific host.
The default timeout for Inform acknowledgement is 15 seconds, and the default
number of Inform retransmission attempts is 3.
Note that this command is used to set the Inform parameters of a specific host. If both
the global Inform parameters and Inform parameters of a specified host are configured,
the latter takes effect for the specified host.
If the current network is unstable, you need to extend the timeout and increase trap
retransmission attempts.
You are advised to set the number of Inform retransmission attempts to a value equal
to or less than 10. Otherwise, the performance of the NGFW may deteriorate.
4. Optional:
Enable the notification log function.
snmp-agent notification-log enable
The default aging time of a notification log is 24 hours. After 24 hours, the notification
log is automatically deleted.
The log buffer stores a maximum of 500 notification logs by default. If the actual
number exceeds the threshold, earlier excess notification logs are deleted.
When the system memory is insufficient, you can set a relatively short aging time so that
resources are released automatically.
The larger the log buffer, the more notification logs it can store, but storing more logs
consumes more memory. Therefore, adjust the value based on the system performance
specifications and the actual consumption by the running services.
Step 5 Optional: Set the common parameters of alarm packets.
These parameters apply to both trap and Inform messages.
1. Specify the source interface for the sending of trap messages.
snmp-agent trap source interface-type interface-number
After you specify the source interface, the IP address of the source interface serves as the
IP address from which the trap messages are sent.
If multiple routes to the NMS are available, you can specify the source interface to ensure
that the source IP address of the trap messages is the IP address of a fixed interface. This
helps you identify the NGFW that sends the traps to the NMS.
The status of link-layer protocols is Up once the loopback interface is created. To ensure
device reliability, you are advised to set the source IP address for the sending of trap
messages to the local loopback address.
2. Set the queue length of the trap messages destined for a destination host.
snmp-agent trap queue-size size
To ensure that the NMS can receive traps, determine the trap queue length based on the
number of generated traps. If the NGFW generates traps frequently, you need to extend the
queue length to avoid trap loss.
3. Set the time for reserving traps.
snmp-agent trap life seconds
Trap messages are reserved for 300 seconds by default before they are deleted.
To ensure that the NMS can receive traps, determine the time for reserving trap messages
based on the number of generated traps. If the NGFW sends traps frequently, you need to
run this command to extend the time to avoid trap loss.
----End
Example
# The NGFW uses SNMPv2c to send Inform messages to the NMS. The notification log function
is enabled. Other parameters use the default values.
<NGFW> system-view
[NGFW] snmp-agent trap enable
[NGFW] snmp-agent target-host inform address udp-domain 10.1.1.2 params securityname V2user@123 v2c
[NGFW] snmp-agent notification-log enable
# The NGFW uses SNMPv1 to send trap messages to the NMS. Other parameters use the default
values.
<NGFW> system-view
[NGFW] snmp-agent trap enable
[NGFW] snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname V1user@123 v1
# The NGFW uses SNMPv3 to send trap messages to the NMS. Other parameters use the default
values.
<NGFW> system-view
[NGFW] snmp-agent trap enable
[NGFW] snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname V3user@123 v3
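The Inform parameters of Step 4 above (15 s acknowledgement timeout, 3 retransmission attempts, at most 39 Informs awaiting acknowledgement) can be seen in action with the following Python model, an added example that is not Huawei code. It simulates the NGFW's table of unacknowledged Informs and an NMS that is unreachable for a while, so one can read off how long an alarm survives an NMS outage before it is lost, and what happens when the table is full. Assumptions: the attempt counter excludes the first transmission, an Inform raised while the table is full is dropped, and the alarm text is constructed.

```python
"""Model of the Inform delivery policy (added example, not Huawei code).

Defaults follow the guide: 15 s timeout, 3 retransmission attempts, at most
39 Informs awaiting acknowledgement. Assumptions: the attempt counter does not
include the first transmission, and an Inform raised while the pending table
is full is dropped.
"""
from dataclasses import dataclass, field


@dataclass
class Pending:
    request_id: int
    payload: str
    sent_at: float
    attempts: int = 0           # retransmissions so far


@dataclass
class InformSender:
    timeout: float = 15.0
    retries: int = 3
    max_pending: int = 39
    pending: dict = field(default_factory=dict)
    transmitted: list = field(default_factory=list)   # (time, request_id) per send
    dropped: list = field(default_factory=list)       # (request_id, reason)
    next_id: int = 1

    def send(self, payload, now):
        """Queue an Inform; returns its request id, or None if the table is full."""
        if len(self.pending) >= self.max_pending:
            self.dropped.append((None, "pending table full"))
            return None
        rid, self.next_id = self.next_id, self.next_id + 1
        self.pending[rid] = Pending(rid, payload, now)
        self.transmitted.append((now, rid))
        return rid

    def ack(self, request_id):
        """Response PDU from the NMS: the Inform is complete."""
        return self.pending.pop(request_id, None) is not None

    def tick(self, now):
        """Retransmit expired Informs; give up after `retries` retransmissions."""
        for rid, p in list(self.pending.items()):
            if now - p.sent_at < self.timeout:
                continue
            if p.attempts >= self.retries:
                del self.pending[rid]
                self.dropped.append((rid, "no acknowledgement"))
            else:
                p.attempts += 1
                p.sent_at = now
                self.transmitted.append((now, rid))


def run_scenario(nms_up_at, until=60, step=5):
    """One Inform sent at t=0 to an NMS that only receives from `nms_up_at` on.
    Returns (delivered ids, dropped list, number of transmissions)."""
    sender = InformSender()
    sender.send("linkDown GE1/0/1", now=0)      # constructed alarm
    delivered = []
    for now in range(0, until + 1, step):
        sender.tick(now)
        # the NMS acknowledges every transmission that actually reached it
        for sent_at, rid in sender.transmitted:
            if sent_at >= nms_up_at and sender.ack(rid):
                delivered.append(rid)
    return delivered, sender.dropped, len(sender.transmitted)
```

run_scenario(nms_up_at=20) delivers the alarm on the second retransmission at t=30, while run_scenario(nms_up_at=999) transmits four times (t=0, 15, 30, 45) and drops the alarm at t=60: with the defaults an NMS outage longer than about a minute loses the Inform, which is why the text suggests longer timeouts and more attempts on unstable networks, within the limit of 10 attempts it gives.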
Context
The interface index is a number that identifies a physical interface or logical interface. On the
NMS client, you can check the ifindex attribute of each interface. In general, the interface index
dynamically changes. For example, during the device restart, or the change of hardware/software
configurations, the interface index may change. In certain application scenarios, the interface
index value must be fixed and immune to the adding or deletion of interfaces, system restart, or
the change of software/hardware configurations.
NOTICE
After interface index persistence is enabled, the indexes of all the existing interfaces and newly
created interfaces are fixed. Before restarting the system, run the save command to save interface
configurations. Otherwise, the interface indexes change after the system restart.
Procedure
Step 1 Access the system view.
system-view
The default maximum number of interfaces with fixed indexes is 131,070. If the number of the
interfaces with fixed indexes is 0, interface index persistence is disabled.
Frequently adding and deleting interfaces results in oversized index files. These files are stored
on the NGFW and consume system resources. To limit the size of interface index files, you can
set the maximum number of interfaces with fixed indexes. After you specify this parameter, the
system fixes interface indexes within the specified range. If this number is smaller than the
number of existing interfaces with fixed indexes, the system assigns fixed indexes to interfaces
within the specified range based on their startup time. The indexes of excessive interfaces are
fixed.
Step 4 Set the memory distribution mode for the subinterface index.
set constant-ifindex subinterface { dense-mode | sparse-mode }
When a subinterface is created, the system generates an index image file for the subinterface in
the memory based on the specified mode. You may use different subinterface numbering modes,
such as continuous or discontinuous distribution numbering. In practice, one of the following
distribution modes can be used as required:
----End
Follow-up Procedure
Run the display constant-ifindex configuration command to display the status and
configuration of interface index persistence.
<sysname> display constant-ifindex configuration
ifindex constant : Enable
ifindex max-number : 65535
current ifindex subinterface mode : sparse-mode
next ifindex subinterface mode : sparse-mode
Action: Display notification logs in the log buffer.
Command: display snmp-agent notification-log [ info | logtime starttime to endtime | size size ]
NOTICE
Enabling the debugging function compromises system performance. After the debugging, run
the undo debugging all command immediately to disable the debugging function.
For details on how to enable a debugging function, see Information Center Configuration.
For the description of debugging commands, refer to the Debugging Reference.
Table 5-21 lists the command for debugging SNMP.
Action Command
5.5.6.1 Example for Configuring the Communication Between the NGFW and the
NMS Through SNMPv1
This section provides an example for configuring the communication between the NGFW and
the NMS through SNMPv1.
Networking Requirements
NOTICE
SNMPv3 is recommended, because SNMPv3 is more secure than SNMPv1 or SNMPv2c. For
details, see 5.5.6.3 Example for Configuring the Communication Between the NGFW and
the NMS Through SNMPv3.
As shown in Figure 5-37, two NMSs are connected to the NGFW over the Internet. According
to service requirements, only NMS2 can manage the system node on the NGFW.
For NMS2 to manage the NGFW and to facilitate fault location based on trap messages and
avoid interference by excessive useless trap messages, only the modules enabled by default can
send trap messages to NMS2.
Because the NMS administrator is far away from the NGFW, you need to configure the contact
information of the device administrator, so that the NMS administrator can contact the device
administrator in time upon the occurrence of faults for rapid fault location and rectification.
Figure 5-37 Networking diagram of configuring communication between the NGFW and the
NMS through SNMPv1
(NMS1 at 10.1.1.1/24 and NMS2 at 10.1.1.2/24 reach the NGFW across the IP network; the NGFW interface GE1/0/1 has address 10.1.2.1/24.)
Configuration Roadmap
The configuration roadmap is as follows:
1. Set basic parameters for the interfaces, including the IP address, security zone to which the
interface is assigned, and routes.
2. Configure basic SNMP functions, including enabling SNMP Agent and setting the SNMP
version and community name.
3. Configure access permissions to prevent NMS1 from managing the NGFW and allow
NMS2 to manage only the system node on the NGFW.
4. Configure the trap function to enable the NGFW to send trap messages to the NMS.
5. Configure administrator's contact information.
6. Configure NMSs.
Procedure
Step 1 Set basic parameters on the NGFW.
# Set an IP address for interface GigabitEthernet 1/0/1.
<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 10.1.2.1 24
[NGFW-GigabitEthernet1/0/1] quit
# Configure routes to ensure that NMSs are routable to the NGFW. (Details are omitted.)
NOTE
After the previous configurations, run the display ip interface brief and display ip routing-table commands
to check whether the basic parameters of the NGFW are correctly specified.
Step 3 Configure access permissions to allow NMS2 to manage only the system node on the NGFW.
# Configure an ACL to allow NMS2 to manage the system node on the NGFW and prevent
NMS1 from managing the NGFW.
[NGFW] acl 2001
[NGFW-acl-basic-2001] rule 1 permit source 10.1.1.2 0
[NGFW-acl-basic-2001] rule 6 deny source 10.1.1.1 0
[NGFW-acl-basic-2001] quit
# Configure the MIB view to allow NMS2 to manage only the system node on the NGFW.
[NGFW] snmp-agent mib-view included sys system
# Set the community name and reference the ACL and MIB view.
NOTE
The community name must be the same as that specified on the NMS. Otherwise, the connection fails.
[NGFW] snmp-agent community write Private&123 mib-view sys acl 2001
# Configure the channel for outputting trap information and module information. (By default,
trap information can be sent to the SNMP Agent and the information level is informational.)
[NGFW] info-center source ip channel channel7 trap level informational state on
[NGFW] info-center snmp channel channel7
NOTE
The status of link-layer protocols is Up once the loopback interface is created. Therefore, to ensure device
reliability, you are advised to set the source IP address for the sending of trap messages to the local loopback
address.
[NGFW] interface LoopBack 0
[NGFW-LoopBack0] ip address 10.1.1.1 24
[NGFW-LoopBack0] quit
# Enable the trap function and set the target host, source IP address, and the queue length and
time for reserving trap messages.
----End
Configuration Verification
If the following results are displayed, configurations succeed:
l When basic SNMP functions are configured (Step 2), NMS1 and NMS2 can access the
NGFW after you configure both of them.
l When user permissions are configured (Step 3), NMS1 cannot access the NGFW, and
NMS2 can access only the system node.
l When the trap function is configured (Step 4), create a condition (such as returning to the
system view from the user view) to trigger the sending of traps. NMS2 can receive the traps.
l After the administrator contact information is configured (Step 5), send a Get request for the sysContact node; "mail Operator at someone@huawei.com" is displayed.
Configuration Scripts
#
sysname NGFW
#
info-center source IP channel 7 trap level informational
info-center snmp channel 7
#
acl number 2001
rule 1 permit source 10.1.1.2 0
rule 6 deny source 10.1.1.1 0
interface GigabitEthernet1/0/1
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.0
#
snmp-agent
snmp-agent local-engineid 000007DB
snmp-agent community read %$%$]5G+=l70OI!lbRG9j3'Th0'{%$%$
snmp-agent community write %$%$p[5*5;mf,#F\_06TFql;7}tk%$%$ mib-view sys acl 2001
snmp-agent sys-info contact mail Operator at someone@huawei.com
snmp-agent sys-info version v1 v3
snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname %$%$p[5*;Fql7%$%$
snmp-agent mib-view included sys system
snmp-agent trap enable ipsec
snmp-agent trap enable l2tp
snmp-agent trap enable configuration
5.5.6.2 Example for Configuring the Communication Between the NGFW and the NMS Through SNMPv2c
This section provides an example for configuring the communication between the NGFW and
the NMS through SNMPv2c.
Networking Requirements
NOTICE
SNMPv3 is recommended, because SNMPv3 is more secure than SNMPv1 or SNMPv2c. For
details, see 5.5.6.3 Example for Configuring the Communication Between the NGFW and
the NMS Through SNMPv3.
As shown in Figure 5-38, two NMSs are connected to the NGFW over the Internet. According
to service requirements, NMS2 can manage only the mib-2 node on the NGFW, whereas NMS1
cannot manage the NGFW.
To let NMS2 manage the NGFW and locate faults from trap messages, only the modules enabled by default send trap messages to the NMS. Because the trap messages sent by the NGFW reach NMS2 over the Internet, the Inform mode is used to ensure reliability.
Because the NMS administrator is far away from the NGFW, you need to configure the contact
information of the device administrator, so that the NMS administrator can contact the device
administrator for rapid fault location and rectification.
Figure 5-38 Networking diagram of configuring communication between the NGFW and the NMS through SNMPv2c
[Figure: NMS1 (10.1.1.1/24) and NMS2 (10.1.1.2/24) reach the NGFW across an IP network; NGFW interface GE1/0/1 is 10.1.2.1/24.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Set basic parameters for the interface, including the IP address, security zone to which the
interface is assigned, and routes.
2. Configure basic SNMP functions, including enabling SNMP Agent and setting the SNMP
version and community name.
3. Configure access permissions to prevent NMS1 from managing the NGFW and allow
NMS2 to manage only the mib-2 node on the NGFW.
4. Configure the Inform function to enable the NGFW to send traps to the NMS.
5. Configure administrator contact information.
6. Configure NMSs.
Procedure
Step 1 Configure basic parameters for the NGFW.
# Configure routes to ensure that NMSs are routable to the NGFW. (Details are omitted.)
NOTE
After the previous configurations are complete, run the display ip interface brief and display ip routing-table commands to check whether the basic parameters of the NGFW are correctly specified.
Step 2 Configure basic SNMP functions, including enabling SNMP Agent and setting the SNMP
version and community name.
Step 3 Configure access permissions to allow NMS2 to manage only the mib-2 node on the NGFW.
# Configure an ACL to allow NMS2 to manage the mib-2 node on the NGFW and prevent NMS1
from managing the NGFW.
[NGFW] acl 2001
[NGFW-acl-basic-2001] rule 1 permit source 10.1.1.2 0
[NGFW-acl-basic-2001] rule 6 deny source 10.1.1.1 0
[NGFW-acl-basic-2001] quit
# Configure the MIB view to allow NMS2 to manage only the mib-2 node on the NGFW.
[NGFW] snmp-agent mib-view included mib2 mib-2
# Set the community name and reference the ACL and MIB view.
[NGFW] snmp-agent community write Private&123 mib-view mib2 acl 2001
# Configure the channel for outputting trap information and module information. (By default,
informational trap messages can be sent to the SNMP Agent.)
[NGFW] info-center source ip channel channel7 trap level informational state on
[NGFW] info-center snmp channel channel7
NOTE
The status of link-layer protocols is Up once the loopback interface is created. Therefore, to ensure device
reliability, you are advised to set the source IP address for sending trap messages to the local loopback address.
[NGFW] interface LoopBack 0
[NGFW-LoopBack0] ip address 10.1.1.1 24
[NGFW-LoopBack0] quit
# Set the target host, Inform parameters, source IP address, and the queue length and time for
reserving trap messages
[NGFW] snmp-agent target-host inform address udp-domain 10.1.1.2 params securityname Private&123 v2c
[NGFW] snmp-agent inform timeout 15 resend-times 3 pending 39
[NGFW] snmp-agent notification-log enable
[NGFW] snmp-agent notification-log global-ageout 12
[NGFW] snmp-agent trap source LoopBack0
[NGFW] snmp-agent trap queue-size 200
[NGFW] snmp-agent trap life 60
[NGFW] snmp-agent trap enable
----End
Configuration Verification
If the following results are displayed, the configurations succeed:
l When basic SNMP functions are configured (Step 2), NMS1 and NMS2 can access the
NGFW after you configure both of them.
l When user permissions are configured (Step 3), NMS1 cannot access the NGFW, and
NMS2 can access only the mib-2 node.
l When trap messages are configured (Step 4), create a condition (such as returning to the
system view from the user view) to trigger the sending of traps. NMS2 can receive the traps.
l After the administrator contact information is configured (Step 5), send a Get request for the sysContact node; "mail Operator at someone@huawei.com" is displayed.
Configuration Scripts
#
sysname NGFW
#
info-center source IP channel 7 trap level informational
info-center snmp channel 7
#
acl number 2001
rule 1 permit source 10.1.1.2 0
rule 6 deny source 10.1.1.1 0
interface GigabitEthernet1/0/1
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.0
#
snmp-agent
snmp-agent local-engineid 000007DB
snmp-agent community read %$%$]5G+=l70OI!lbRG9j3'Th0'{%$%$
snmp-agent community write %$%$p[5*5;mf,#F\_06TFql;7}tk%$%$ mib-view mib2 acl 2001
snmp-agent sys-info contact mail Operator at someone@huawei.com
snmp-agent sys-info version v2c v3
snmp-agent target-host inform address udp-domain 1.1.1.2 params securityname %$%$p[5*5;Fql;7%$%$ v2c
snmp-agent mib-view included mib2 mib-2
snmp-agent trap enable ipsec
snmp-agent trap enable l2tp
snmp-agent trap enable configuration
snmp-agent trap enable system
snmp-agent trap enable standard
snmp-agent trap source LoopBack0
snmp-agent trap queue-size 200
snmp-agent trap life 60
snmp-agent notification-log enable
snmp-agent notification-log global-ageout 12
#
return
5.5.6.3 Example for Configuring the Communication Between the NGFW and the NMS Through SNMPv3
This section provides an example for configuring the communication between the NGFW and
the NMS through SNMPv3.
Networking Requirements
As shown in Figure 5-39, two NMSs are connected to the NGFW over the Internet. According
to service requirements, NMS2 can manage only the system node on the NGFW, whereas NMS1
cannot manage the NGFW.
To let NMS2 manage the NGFW and locate faults from trap messages, only the modules enabled by default send trap messages to the NMS.
Because the NMS administrator is far away from the NGFW, you need to configure the contact
information of the device administrator, so that the NMS administrator can contact the device
administrator for rapid fault location and rectification.
Figure 5-39 Networking diagram of configuring communication between the NGFW and the NMS through SNMPv3
[Figure: NMS1 (10.1.1.1/24) and NMS2 (10.1.1.2/24) reach the NGFW across an IP network; NGFW interface GE1/0/1 is 10.1.2.1/24.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Set basic parameters for the interface, including the IP address, security zone to which the
interface is assigned, and default routes.
2. Configure basic SNMP functions, including enabling SNMP Agent and setting the SNMP
version, user group, and user.
3. Configure access permissions to prevent NMS1 from managing the NGFW and allow
NMS2 to manage only the system node on the NGFW.
4. Configure the trap function to enable the NGFW to send trap messages to the NMS.
5. Configure administrator contact information.
6. Configure NMSs.
Procedure
Step 1 Configure basic parameters for the NGFW.
# Set an IP address for interface GigabitEthernet 1/0/1.
<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 10.1.2.1 24
[NGFW-GigabitEthernet1/0/1] quit
# Configure routes to ensure that NMSs are routable to the NGFW. (Details are omitted.)
NOTE
After the previous configurations, run the display ip interface brief and display ip routing-table commands
to check whether the basic parameters of the NGFW are correctly specified.
[NGFW] snmp-agent
# Configure the user group and user for the authentication and encryption of user data.
[NGFW] snmp-agent group v3 Testgroup privacy
[NGFW] snmp-agent usm-user v3 Testuser Testgroup authentication-mode sha Public&123 privacy-mode aes128 Private&123
Step 3 Configure access permissions to allow NMS2 to manage only the system node on the NGFW.
# Configure an ACL to allow NMS2 to manage only the system node on the NGFW and prevent
NMS1 from managing the system node on the NGFW.
[NGFW] acl 2001
[NGFW-acl-basic-2001] rule 1 permit source 10.1.1.2 0.0.0.0
[NGFW-acl-basic-2001] rule 6 deny source 10.1.1.1 0.0.0.0
[NGFW-acl-basic-2001] quit
# Configure the MIB view to allow NMS2 to manage only the system node on the NGFW.
[NGFW] snmp-agent mib-view included sys system
# Configure the channel for outputting trap information and module information.
[NGFW] info-center source ip channel channel7 trap level informational state on
[NGFW] info-center snmp channel channel7
NOTE
The status of link-layer protocols is Up once the loopback interface is created. Therefore, to ensure device
reliability, you are advised to set the source IP address for sending trap messages to the local loopback address.
[NGFW] interface LoopBack 0
[NGFW-LoopBack0] ip address 10.1.1.1 24
[NGFW-LoopBack0] quit
# Set the target host, trap parameters, source IP address, and the queue length and time for
reserving trap messages and enable the sending of trap packets.
[NGFW] snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname Testuser v3 privacy
[NGFW] snmp-agent trap queue-size 200
[NGFW] snmp-agent trap source LoopBack0
[NGFW] snmp-agent trap life 60
[NGFW] snmp-agent trap enable
----End
Configuration Verification
If the following results are displayed, configurations succeed:
l When basic SNMP functions are configured (Step 2), NMS1 and NMS2 can access the
NGFW after you configure both of them.
l When user permissions are configured (Step 3), NMS1 cannot access the NGFW, and
NMS2 can access only the system node.
l When the trap function is configured (Step 4), create a condition (such as returning to the
system view from the user view) to trigger the sending of trap messages. NMS2 can receive
the traps.
l After the administrator contact information is configured (Step 5), send a Get request for the sysContact node; "mail Operator at someone@huawei.com" is displayed.
Configuration Scripts
#
sysname NGFW
#
info-center source IP channel 7 trap level informational
info-center snmp channel 7
#
acl number 2001
rule 1 permit source 10.1.1.2 0
rule 6 deny source 10.1.1.1 0
interface GigabitEthernet1/0/1
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.0
#
snmp-agent
snmp-agent local-engineid 000007DB
snmp-agent sys-info contact mail Operator at someone@huawei.com
snmp-agent sys-info version v3
snmp-agent group v3 Testgroup privacy
snmp-agent group v3 Testgroup privacy write-view sys acl 2001
snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname Testuser v3 privacy
snmp-agent mib-view included sys system
snmp-agent usm-user v3 Testuser Testgroup authentication-mode sha EI]W>FU>>`^209KER5,ZOQ!! privacy-mode aes128 3OF\477=:>1"-+VCRMG=%Q!!
snmp-agent trap enable ipsec
snmp-agent trap enable l2tp
snmp-agent trap enable configuration
snmp-agent trap enable system
snmp-agent trap enable standard
snmp-agent trap source LoopBack0
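All three configuration scripts above share one line format, so they can be audited mechanically. The following Python is an added example, not part of the Huawei guide: it parses a script in that format and flags the weaknesses the NOTICE in 5.5.6.2 warns about (SNMPv1/v2c enabled, a community without an ACL or MIB view, a trap or inform target that relies on a community name rather than an SNMPv3 user, and no loopback trap source). Both sample scripts are constructed, with the cipher-text strings of real output replaced by placeholders.

```python
import re

# Constructed sample in the format of the guide's "Configuration Scripts" blocks.
# Cipher-text community strings are replaced by placeholders.
WEAK_SCRIPT = """\
#
sysname NGFW
#
snmp-agent
snmp-agent community read CIPHER-TEXT-PLACEHOLDER
snmp-agent community write CIPHER-TEXT-PLACEHOLDER mib-view mib2 acl 2001
snmp-agent sys-info version v2c v3
snmp-agent target-host inform address udp-domain 10.1.1.2 params securityname CIPHER-TEXT-PLACEHOLDER v2c
snmp-agent mib-view included mib2 mib-2
#
return
"""

# The same device hardened along the lines of the SNMPv3 example (constructed).
HARDENED_SCRIPT = """\
#
snmp-agent
snmp-agent sys-info version v3
snmp-agent group v3 Testgroup privacy write-view sys acl 2001
snmp-agent usm-user v3 Testuser Testgroup authentication-mode sha CIPHER privacy-mode aes128 CIPHER
snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname Testuser v3 privacy
snmp-agent mib-view included sys system
snmp-agent trap source LoopBack0
#
return
"""


def snmp_lines(script):
    """Return the stripped snmp-agent lines of a configuration script."""
    return [line.strip() for line in script.splitlines()
            if line.strip().startswith("snmp-agent")]


def audit_snmp_script(script):
    """Return a list of findings in script order; an empty list means nothing was flagged."""
    lines = snmp_lines(script)
    findings = []
    for line in lines:
        # Which protocol versions the agent accepts: v1 and v2c send community names in clear text.
        m = re.match(r"snmp-agent sys-info version (.+)$", line)
        if m:
            weak = sorted(set(m.group(1).split()) & {"v1", "v2c"})
            if weak:
                findings.append("insecure SNMP version(s) enabled: " + ", ".join(weak))
            continue
        # A community should be bound to an ACL (who may use it) and a MIB view (what it may reach).
        m = re.match(r"snmp-agent community (read|write) \S+(.*)$", line)
        if m:
            access, options = m.group(1), m.group(2).split()
            if "acl" not in options:
                findings.append(f"{access} community is not restricted by an ACL")
            if "mib-view" not in options:
                findings.append(f"{access} community is not restricted by a MIB view")
            continue
        # An SNMPv3 group that does not require privacy sends management data unencrypted.
        m = re.match(r"snmp-agent group v3 (\S+) (noauth|authentication|privacy)\b", line)
        if m and m.group(2) != "privacy":
            findings.append(f"v3 group {m.group(1)} does not require privacy")
            continue
        # A trap/inform target whose security name is not a v3 user is a community name.
        m = re.match(r"snmp-agent target-host (trap|inform) address udp-domain (\S+) "
                     r"params securityname \S+(.*)$", line)
        if m and "v3" not in m.group(3).split():
            findings.append(f"{m.group(1)} target {m.group(2)} uses a community name, not an SNMPv3 user")
    # The guide advises sourcing traps from a loopback so that they survive a link-layer interface going down.
    if not any(line.startswith("snmp-agent trap source ") for line in lines):
        findings.append("no trap source interface configured (loopback recommended)")
    return findings
```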
5.6.1 Overview
This section describes the definition and service flow of across-Layer-3 MAC identification.
If an intranet PC uses a dynamic IP address to access the Internet, the IP address cannot be used to match the traffic to or from the PC. In this case, you need to use the MAC address as the matching condition of policies.
However, in the across-layer-3 networking as shown in Figure 5-40 and Figure 5-41, the
NGFW cannot directly obtain MAC addresses of intranet PCs. You must enable across-Layer-3
MAC address identification on the NGFW.
The NGFW across-Layer-3 MAC address identification supports the following two networking
scenarios:
Figure 5-40 NGFW connected to the Layer-3 network device as a Layer-3 device
[Figure: Intranet - L3SW - NGFW; NGFW interfaces GE1/0/1 10.100.10.2/24 and GE1/0/2 202.38.10.2/24]
Figure 5-41 NGFW connected to the Layer-3 network device as a Layer-2 device
[Figure: Intranet - L3SW - NGFW; NGFW interfaces GE1/0/1 and GE1/0/2 (Layer 2)]
Service Flow
Figure 5-42 shows the service flow of across-Layer-3 MAC address identification on the
NGFW.
[Figure 5-42: in phase 1, the Layer-3 network device returns the ARP entries to the NGFW]
1. Phase 1
a. The SNMP agent on the Layer-3 network device is enabled, and the network device obtains the IP-MAC mappings of intranet PCs and generates or updates ARP entries.
b. The NGFW periodically sends SNMP requests to the specified Layer-3 network
device for ARP entries.
c. The Layer-3 network device replies and returns the ARP entries.
d. The NGFW learns MAC addresses of intranet PCs and saves the ARP entries to the
memory.
2. Phase 2
An administrator can use the learned MAC addresses on the NGFW as conditions in
policies.
The MAC addresses are obtained from the ARP entries in memory, not from the packet header.
3. Phase 3
a. An intranet PC accesses the Internet through the Layer-3 network device and
NGFW.
b. The NGFW permits or blocks intranet packets based on configured policies.
After receiving intranet PC packets, the NGFW compares the IP and MAC address of
the PC with the obtained ARP entries to verify whether the MAC address is the real
MAC address. The NGFW uses the actual MAC address to match policies and process
intranet packets based on matching results.
Prerequisites
Before configuring the across-layer-3 MAC identification function, ensure that the Layer-3
network device connected to the NGFW supports SNMPv2c, and the SNMP agent has been
enabled and community name has been configured on the network device.
Context
Intranet users use the NGFW to access the Internet, and the NGFW uses MAC addresses as
matching conditions to control intranet traffic. If the NGFW uses a Layer-3 network device to
connect to an intranet PC, the NGFW cannot obtain the MAC address of the intranet PC directly.
Procedure
Step 1 Choose System > Configuration > Across-Layer-3 MAC Identification.
Parameter Description
Interval for Accessing SNMP client
    Indicates the interval between two SNMP requests.
Time of Failures in Accessing SNMP client
    Indicates the length of time the SNMP client waits for a response to a request sent to the target network device. You can specify this parameter based on the update interval of a PC IP address and the network delay.
v2c Community Name
    Indicates the community name of SNMP client 1. The community name must have been configured on the specified Layer-3 network device, and the community name and IP address must identify the same Layer-3 network device.
----End
Prerequisites
Before configuring the NGFW learning function, ensure that the Layer-3 network device
connected to the NGFW supports SNMPv2c, and the SNMP agent has been enabled and
community name has been configured on the network device.
Context
Intranet users use the NGFW to access the Internet, and the NGFW uses MAC addresses as
matching conditions to control intranet traffic. If the NGFW uses a Layer-3 network device to
connect to an intranet PC, the NGFW cannot directly obtain the MAC address of the intranet
PC. Therefore, across-Layer-3 MAC address learning must be enabled on the NGFW to
synchronize ARP entries of the intranet PCs from the specified Layer-3 network device.
NOTE
If multiple Layer-3 network devices are deployed between the NGFW and intranet PCs, you are advised
to specify a network device closest to the intranet PCs as a target network device. The NGFW can serve
multiple Layer-3 devices (SNMP agents).
This function can be configured using command lines in hot standby deployments.
Procedure
Step 1 Enable synchronization of Layer-3 network device ARP entries using SNMP in the system view.
snmp-server arp-syn enable
Step 2 Configure the IP address and community name of the target Layer-3 network device.
snmp-server target-host arp-sync address ip-address [ vpn-instance vpn-instance-name ] community community-name v2c
The address and community arguments must identify the same Layer-3 network device. If the target network device is configured in the specified VPN instance, vpn-instance, address, and community must together identify the same Layer-3 network device.
NOTE
With across-Layer-3 MAC identification, the NGFW can specify multiple Layer-3 network devices as
SNMP servers to obtain ARP entries using SNMP. The device supports 64 Layer-3 network devices as
SNMP servers to synchronize ARP entries.
----End
Example
# Specify a Layer-3 network device with IP address 10.10.90.7 and community name Public@123, and enable the firewall to learn the MAC addresses of intranet PCs from it.
<NGFW> system-view
[NGFW] snmp-server arp-syn enable
[NGFW] snmp-server target-host arp-sync address 10.10.90.7 community Public@123 v2c
[NGFW] snmp-server arp-sync interval 10 timeout 5
Follow-up Procedure
Run the display snmp-server arp-sync table [ vpn-instance vpn-instance-name ] command to
view ARP entries obtained using SNMP.
<NGFW> display snmp-server arp-sync table
Synchronization status of the IP-MAC address mapping table: Done
The start time of synchronizing IP-MAC mapping table: 2013/8/2 09:39:24
The end time of synchronizing IP-MAC mapping table: 2013/8/2 09:39:28
-----------------------------------------------------------------------------------------------
IP Address        MAC Address        Expire(M)    VPN Instance
-----------------------------------------------------------------------------------------------
10.10.90.220      0022-a105-b948     20
10.10.90.33       0000-1111-0000     20
The display information above includes obtained ARP entries. The synchronization status is
Done, indicating that ARP entry synchronization between the device and target network device
is complete.
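The service flow in 5.6.1 (phase 3: the NGFW matches policies on the MAC learned from the synchronized ARP entries, not on the packet header) and the display output above, worked through in code. This Python is an added example, not the NGFW's implementation; the sample output is constructed in the format of display snmp-server arp-sync table, and the verdict names and the blocked-MAC list are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed output in the format of "display snmp-server arp-sync table" shown above.
SAMPLE_OUTPUT = """\
Synchronization status of the IP-MAC address mapping table: Done
The start time of synchronizing IP-MAC mapping table: 2013/8/2 09:39:24
The end time of synchronizing IP-MAC mapping table: 2013/8/2 09:39:28
-----------------------------------------------------------------------------------------------
IP Address        MAC Address        Expire(M)    VPN Instance
-----------------------------------------------------------------------------------------------
10.10.90.220      0022-a105-b948     20
10.10.90.33       0000-1111-0000     20
10.20.1.5         00e0-fc11-2222     20           vpn_branch
"""

# One table row: IPv4, Huawei-style MAC, expiry in minutes, optional VPN instance.
ENTRY_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})"
                      r"\s+(\d+)(?:\s+(\S+))?\s*$")


@dataclass
class ArpEntry:
    mac: str
    expire_min: int
    vpn_instance: Optional[str]


def normalize_mac(mac):
    """Accept 00:22:a1:05:b9:48, 00-22-a1-05-b9-48 or 0022-a105-b948; return xxxx-xxxx-xxxx."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


def parse_arp_sync_table(text):
    """Return (synchronization status, {ip: ArpEntry}) parsed from the command output."""
    status = None
    entries = {}
    for line in text.splitlines():
        if line.startswith("Synchronization status"):
            status = line.split(":", 1)[1].strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group(1)] = ArpEntry(m.group(2), int(m.group(3)), m.group(4))
    return status, entries


def effective_mac(src_ip, header_mac, entries):
    """Phase 3: the MAC used for policy matching comes from the synchronized entries.
    Returns (mac or None, verdict); verdict names are this example's own."""
    entry = entries.get(src_ip)
    if entry is None:
        return None, "no-synced-entry"
    if normalize_mac(header_mac) == entry.mac:
        return entry.mac, "header-mac-confirmed"
    # Across a Layer-3 device the header carries that device's MAC; the learned MAC is used instead.
    return entry.mac, "learned-mac-used"


def mac_policy_action(src_ip, header_mac, entries, blocked_macs):
    """Permit or block by the MAC a policy would match; hosts without a synced entry match no MAC."""
    mac, _ = effective_mac(src_ip, header_mac, entries)
    if mac is None:
        return "no-mac-match"
    return "block" if mac in {normalize_mac(b) for b in blocked_macs} else "permit"
```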
Networking Requirements
The NGFW functions as the egress gateway on the enterprise network. Intranet users connect
to the NGFW through a Layer-3 switch and access the Internet through the NGFW. You need
to configure security policies, policy-based routes, and traffic policies on the NGFW for it to
control intranet traffic matching the specified MAC address.
[Figure: Intranet 10.3.1.0/24 - L3SW (Vlanif 2 10.3.1.2/24, Vlanif 3 10.3.2.1/24) - NGFW (GE1/0/1 10.3.2.2/24 in zone Trust; GE1/0/2)]
Configuration Roadmap
If the NGFW is connected to an intranet PC with a Layer-3 switch in between, the NGFW cannot
directly obtain the MAC address of the intranet PC. In such cases, you need to configure across-
Layer-3 MAC identification on the NGFW for it to use SNMP to learn the ARP table of the
switch and thus obtain the MAC address of the intranet PC.
Procedure
Step 1 Configure basic SNMP functions on the switch. A Huawei S5700 is used as the example; for the basic network parameter settings of the switch, refer to the S5700 product documentation.
1. Enable the SNMP agent function.
<Switch> system-view
[Switch] snmp-agent
NOTE
The community name set on the switch must be the same as that specified on the NGFW.
Zone: trust
IP Address: 10.3.2.2/24
2. Configure a security policy for the local -> trust interzone to allow the firewall to send
SNMP packets to the switch.
Choose Policy > Security Policy, click add, and set the parameters as follows:
Name policy_sec
NOTE
l If multiple Layer-3 devices are deployed between the NGFW and intranet PC, you need to specify
the intranet PC as the target network device.
l You can also specify multiple Layer-3 devices on different subnets as SNMP clients for the
NGFW to obtain their ARP entries.
Step 3 After the preceding configurations are complete, you can use the MAC address of the intranet
PC as the policy matching condition when configuring service-specific security policies, policy-
based routes, traffic policies, authentication policy, and audit policies.
----End
Verification
Choose Policy > Security Protection > IP-MAC Binding, select Authorized, and click
Search.
Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/1
ip address 10.3.2.2 255.255.255.0
#
firewall zone trust
set priority 85
add interface
GigabitEthernet1/0/1
Networking Requirements
The NGFW functions as the egress gateway on the enterprise network. Intranet users connect
to the NGFW through a Layer-3 switch and access the Internet through the NGFW. You need
to configure security policies, policy-based routes, and traffic policies on the NGFW for it to
control intranet traffic matching the specified MAC address.
[Figure: Intranet 10.3.1.0/24 - L3SW (Vlanif 2 10.3.1.2/24, Vlanif 3 10.3.2.1/24) - NGFW (GE1/0/1 10.3.2.2/24 in zone Trust; GE1/0/2)]
Configuration Roadmap
If the NGFW is connected to an intranet PC with a Layer-3 switch in between, the NGFW cannot
directly obtain the MAC address of the intranet PC. In such cases, you need to configure across-
Layer-3 MAC identification on the NGFW for it to use SNMP to learn the ARP table of the
switch and thus obtain the MAC address of the intranet PC.
Procedure
Step 1 Configure basic SNMP functions on the switch. A Huawei S5700 is used as the example; for the basic network parameter settings of the switch, refer to the S5700 product documentation.
1. Enable the SNMP agent function.
<Switch> system-view
[Switch] snmp-agent
NOTE
The community name set on the switch must be the same as that specified on the NGFW.
2. Configure a security policy for the local -> trust interzone to allow the firewall to send
SNMP packets to the switch.
[NGFW] security-policy
[NGFW-policy-security] rule name policy_sec
[NGFW-policy-security-rule-policy_sec] source-zone local
[NGFW-policy-security-rule-policy_sec] destination-zone trust
[NGFW-policy-security-rule-policy_sec] destination-address 10.3.2.1 32
[NGFW-policy-security-rule-policy_sec] action permit
NOTE
l If multiple Layer-3 devices are deployed between the NGFW and intranet PC, you need to specify
the intranet PC as the target network device.
l You can also specify multiple Layer-3 devices on different subnets as SNMP clients for the
NGFW to obtain their ARP entries.
Step 3 After the preceding configurations are complete, you can use the MAC address of the intranet
PC as the policy matching condition when configuring service-specific security policies, policy-
based routes, traffic policies, authentication policy, and audit policies.
----End
Verification
Verify the configuration as follows:
l Run the display snmp-server arp-sync table command to view the intranet PC MAC
address obtained by the NGFW using SNMP.
<NGFW> display snmp-server arp-sync table
Synchronization status of the IP-MAC address mapping table: Done
The start time of synchronizing IP-MAC mapping table: 2015/7/13 20:37:17
The end time of synchronizing IP-MAC mapping table: 2015/7/13 20:37:17
-----------------------------------------------------------------------------------------------
IP Address        MAC Address        Expire(M)    VPN Instance
-----------------------------------------------------------------------------------------------
10.3.1.1          643e-8c48-f14a     20
10.3.1.2          0022-a10a-c85f     20
10.3.1.21         00e0-fc11-1111     20
10.3.2.1          0022-a100-0004     20
10.3.2.2          00e0-fc00-0014     20
-----------------------------------------------------------------------------------------------
Total:5
The display information above includes obtained ARP entries. The synchronization status
is Done, indicating that the NGFW has synchronized the ARP entries from the target device.
l Run the display arp command to view ARP entries, in which the intranet PC MAC
addresses learned across the Layer-3 network are included.
<NGFW> display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE   VLAN/PVC
-----------------------------------------------------------------------------------------------
10.3.1.1        643e-8c48-f14a  20        P
10.3.1.2        0022-a10a-c85f  20        P
10.3.1.21       00e0-fc11-1111  20        P
10.3.2.1        0022-a100-0004  20        P
10.3.2.2        00e0-fc00-0014  20        P
10.3.2.2        00e0-fc00-0014            I    GE1/0/1
10.3.2.1        0022-a100-0004  19        D    GE1/0/1
-----------------------------------------------------------------------------------------------
Total:7 Dynamic:1 Static:0 Interface:1 Authorized:0 SNMP:5
Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/1
ip address 10.3.2.2 255.255.255.0
#
firewall zone trust
set priority 85
add interface
GigabitEthernet1/0/1
Context
The NGFW sends notifications in text to users. You can specify the content of the notifications.
To modify a notification, export the notification template, edit the notification in the template,
and import the template file into the NGFW. The function modules that send notifications are:
l Antivirus
If you set the action for mail protocols in the antivirus profile to Alert, Declare or Delete
Attachment and the NGFW detects a virus from an email, the NGFW adds notification
information in the email body.
l URL filtering
When an accessed URL matches the filtering condition configured in the URL filtering
profile and the action specified in the profile is block, the NGFW pushes a notification page
to the user.
NOTICE
Pushed information may use any HTML tag, including script tags, which is risky. Use this capability cautiously.
Procedure
Step 1 Choose System > Setup > Information Push Configuration.
3. Click Email Declaration or Email Delete Attachment. Alternatively, you can click
the corresponding Import. Then click Browse to select the template file in which the
notification is configured.
4. Click Import. The new notification takes effect after the template is successfully
imported.
l Configure the URL filtering notification.
1. Click Blacklist Blocking Configuration, User-defined Blocking Configuration,
Pre-defined Blocking Configuration, Anti-Virus Blocking Configuration, or
Default Action or Query Timeout Blocking Configuration under URL Filtering.
Alternatively, you can click the corresponding Import. Then download the notification
template to the local computer.
2. Edit the notification content in the template.
Content in angle brackets is HTML markup. Change only the text between an opening tag <...> and its closing tag </...>. The notification template contains a maximum of 21,504 (21*1024) characters.
In the Pre-defined Blocking Configuration notification template, parameters %
CATNAME and %SUBCATNAME respectively indicate the predefined category and
predefined subcategory of a URL. The NGFW automatically substitutes %
CATNAME and %SUBCATNAME with the actual values when sending notification
messages.
You can add parameter %URL in the notification template to represent the URLs
accessed by users. The NGFW automatically substitutes %URL with the actual value
when sending notification messages. Parameter %URL can reside at any position in a
notification message.
If a notification template contains the same parameter (%CATNAME, %SUBCATNAME, or %URL) more than once, the NGFW substitutes only the first occurrence by default and outputs the other occurrences literally as characters when sending the notification message.
NOTE
If the information to be pushed contains Chinese characters, set the coding method to GB2312 between <head> and </head> (for example, <meta http-equiv="Content-Type" content="text/html; charset=GB2312"></meta>) to ensure that the information can be properly displayed.
3. Click Blacklist Blocking Configuration, User-defined Blocking Configuration,
Pre-defined Blocking Configuration, Anti-Virus Blocking Configuration, or
Default Action or Query Timeout Blocking Configuration. Alternatively, you can
click the corresponding Import. Then click Browse and select the template file where
the notification has been configured.
4. Click Import. The new notification takes effect after the template is successfully
imported.
NOTICE
Ensure the security of the file to be imported to prevent pushed pages from containing
malicious information such as phishing websites or Trojan horses.
----End
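The substitution rules from step 2 of the URL filtering procedure (only the first occurrence of each parameter is replaced, later ones stay literal, 21,504-character limit) and the NOTICE about templates that may carry script, worked through in code. This Python is an added example, not the NGFW's implementation; the sample template is constructed, and HTML-escaping the substituted values is a defensive choice of the example that the guide does not state.

```python
import html
import re

MAX_TEMPLATE_CHARS = 21 * 1024   # 21,504 characters, the limit the guide states for a template

# The parameters the NGFW substitutes. One regex pass means a substituted value is never re-scanned.
PARAM_RE = re.compile(r"%(?:SUBCATNAME|CATNAME|URL)")

# Constructed template fragment; real templates are exported from the NGFW.
SAMPLE_TEMPLATE = (
    '<html><head><meta http-equiv="Content-Type" content="text/html; charset=GB2312"></meta></head>'
    "<body><p>Access to %URL is blocked: category %CATNAME, subcategory %SUBCATNAME.</p>"
    "<p>Requested: %URL</p></body></html>"
)


def template_within_limit(template):
    """True if the template respects the 21,504-character limit."""
    return len(template) <= MAX_TEMPLATE_CHARS


def render_notification(template, values):
    """Substitute the first occurrence of each parameter only; later occurrences stay literal.
    Values are HTML-escaped as a defensive choice (assumption; the guide does not say whether the NGFW does)."""
    if not template_within_limit(template):
        raise ValueError(f"template exceeds {MAX_TEMPLATE_CHARS} characters")
    seen = set()

    def substitute(match):
        name = match.group(0)
        if name in seen or name not in values:
            return name              # second occurrence, or no value known: output literally
        seen.add(name)
        return html.escape(values[name], quote=True)

    return PARAM_RE.sub(substitute, template)


# Constructs a reviewer would want listed before importing a template, in the spirit of the NOTICE above.
ACTIVE_TAG_RE = re.compile(r"<\s*(script|iframe|object|embed|form)\b", re.IGNORECASE)
EVENT_ATTR_RE = re.compile(r"\s(on[a-z]+)\s*=", re.IGNORECASE)
SCHEME_RE = re.compile(r"(?:href|src)\s*=\s*[\"']?\s*(javascript|data):", re.IGNORECASE)


def check_template(template):
    """Return a list of active-content constructs found in a template (empty list: none found)."""
    findings = []
    findings += [f"<{t.lower()}> tag" for t in ACTIVE_TAG_RE.findall(template)]
    findings += [f"{a.lower()} handler" for a in EVENT_ATTR_RE.findall(template)]
    findings += [f"{s.lower()}: URL" for s in SCHEME_RE.findall(template)]
    return findings
```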
l Click Export of the notification to be modified to download the notification file. Then edit
the downloaded notification and import the file into the NGFW.
l Click Reset corresponding to the notification to be modified to restore the default
notification.
– If you perform the reset operation in the root system, the root system uses the default
notification of the NGFW.
– If you perform the reset operation in the virtual system, the virtual system uses the
notification configured in the root system; if the default notification of the root system
has not been modified before you perform the reset operation, the virtual system uses
the default notification of the NGFW.
Context
After the mail service is enabled, the NGFW functions as an SMTP client to connect to the SMTP
server.
When the device sends information through mails, the device automatically references the mail
service parameters, such as email address.
Procedure
1. Choose System > Set Mail Service.
2. Configure the mail service.
From
    Description: Specifies the sender address. Each mail address must contain 6 to 64 characters.
Copy To
    Description: Specifies the CC recipient address. Each mail address must contain 6 to 64 characters.
    Remarks: To copy reports to multiple addresses, separate the addresses with line feeds.
SMTP Mail Server/Port
    Description: Specifies the domain name, IPv4 address, or port of the mail server.
    Remarks: The default SMTP server port is 25.
    NOTE
    The device does not support email sending through an email server that enforces SSL connections, such as Gmail. Commonly used email servers, such as Sina, 163, and Winmail, are recommended.
User Name/Password
    Description: Specifies the user name and password for logging in to the SMTP mail server.
    Remarks: When the SMTP server requires ID authentication, select Verify Sender's Name and Password, and enter the user name and password registered on the mail server.
    NOTE
    When the SMTP mail server requires ID authentication, "sender address" is the mailbox address obtained during the user name registration.
3. Click Apply.
4. Click Set Test Email and log in to the recipient's or CC recipient's mailbox to see whether
the test mail is received.
Test emails are sent to test whether email messages can be successfully sent and received.
If not, check whether the parameters are correctly configured. Then, check the connectivity
between the NGFW and the SMTP server.
5.9.1 Overview
This section describes the categorization and output principle of logs, trap messages, and
debugging messages.
Logs
Logs are the records of the events and anomalies related to managed objects. These records can
be used to track user activities, manage system security functions, and provide reference for
system diagnosis and maintenance.
Each service module generates and sends logs to the log system. After analyzing the received
logs, the log system displays logs and reports on web pages and sends logs to terminals and log
hosts in acceptable formats as configured. Based on the formats, logs are classified into syslogs
and binary logs.
l Syslogs: The log system displays the content of each passing syslog on the terminal or forwards it to a third-party log host. Syslog output affects system performance, so only system logs and operation logs, which are small in volume, are sent in syslog format.
l Binary logs: The log system encapsulates passing logs in binary format before sending
them to the eSight. After parsing the received binary logs, the eSight stores and analyzes
the parsed logs. Compared with syslogs, binary logs have a smaller impact on performance.
Therefore, logs, such as traffic and policy matching logs, that contains a large volume of
data are sent as binary logs.
Trap Messages
Trap messages are notifications generated when the system detects faults; information about the faults is carried in the trap messages. Unlike logs, trap messages are time sensitive, and administrators must be notified of them promptly. Therefore, the information center sends trap messages to the NMS in a way that differs from how it handles logs and other messages.
Trap messages are sent from a device to the NMS. With the SNMP agent enabled on the device, the trap function enabled on the related module, and the NMS host that receives trap messages configured, the device generates a trap message and sends it to the specified destination address when an event occurs, such as an interface going down. If the NMS is reachable from the device, it receives the trap messages from the device.
Related concepts
- Event: indicates anything that takes place on the managed device. For example, the managed device is added, deleted, or modified.
- Fault: indicates the events that cause system malfunctions. A fault may cause the system to lose its operation or redundancy capability.
- Trap: indicates the notification generated when the system detects a fault.
Debugging Messages
Debugging messages are the outputs of the tracing information about the operating status of a
device. Devices generate debugging messages only after the debugging function of the module
is enabled in the user view. Debugging messages display the content of packets sent or received
by the debugged module. Note that enabling debugging only generates debugging messages.
Displaying generated debugging messages requires further configurations. Different from logs
and trap messages, no buffer is available for debugging messages. Debugging messages can be
output to the console or log hosts through certain configurations.
You can perform configurations through the console port or through Telnet. The former method is termed the Console, and the latter the monitoring terminal. While debugging the routing device through the Console or the monitoring terminal, you can configure the content of the debugging messages.
Abundant debugging commands are available for debugging protocols and functions that a
device supports. You can enable the debugging for a protocol or a function to diagnose and
locate the fault.
Figure 5-45 shows the relationship between the preceding two situations. After the debugging
for protocols 1 and 3 is enabled, corresponding debugging messages are generated. As screen
display is also enabled, the generated debugging messages are displayed. No debugging
messages about protocol 2 are generated or displayed because the debugging for protocol 2 is
not enabled.
Log Output
Figure 5-46 shows the mechanism for the output of the logs.
[Figure 5-46 Log output mechanism: logs flow from the information center and the log system (log cache, database and report processing, log query, log retrieval, log buffer) to the Web UI (Monitor, Dashboard), the CLI, and, through information channels, to the remote terminal, local console, and syslog log host.]
The NGFW identifies and controls traffic based on applications and services and records logs.
The logs are generated by different modules and are all sent to the log system of the NGFW.
The log system parses, stores, and redirects the logs of different modules. The process is
described as follows:
- Log receiving and parsing: The log system parses, classifies, and sends the received logs to the database, data flow encapsulation module, log buffer, or information center.
- Database: The database stores received logs, including traffic, threat, URL, content, operation, system, user activity, policy matching, mail filtering, and audit logs, and periodically dumps the stored logs to hard disks. When you display logs on the web UI, the NGFW sends the logs stored in the database and hard disk to the log query module for further processing before the log statistics are displayed. For details, see 25.1 Logs and Reports.
- Dataflow encapsulation: After you configure binary log output, the log system encapsulates some logs (including threat logs, URL filtering logs, content logs, traffic logs, policy matching logs, IM auditing logs, HTTP auditing logs, mail filtering logs, or session logs) in binary (dataflow) format and sends them to the eSight system for storage and analysis. Traffic logs and policy matching logs can be output only in binary format. Threat logs, URL auditing logs, IM auditing logs, content logs, URL filtering logs, mail filtering logs, and session logs are preferentially output in binary format. Other logs cannot be output in binary format.
- Log buffer: The log buffer forwards any received threat log to the log query module for further processing before the log statistics are displayed on the Dashboard page. For details, see Threat Report List.
- Information center: Receives all logs except traffic logs and policy matching logs, encapsulates them in syslog format, and sends them to the log buffer, local console, remote terminal, and syslog host through different information channels. For details, see Mechanism of the Information Center. In addition, the information center sends system logs to the log buffer so that they can be displayed on the Dashboard page after being processed by the log query module. For details, see System Logs.
NOTE
- If you do not configure binary log output, the syslog host can receive all logs except traffic logs and policy matching logs.
- The eSight is capable of receiving syslogs and binary logs, whereas third-party log hosts can receive only syslogs.
- Trap message output: A trap message is generated on the NGFW once a fault is detected. After receiving the trap message from the log buffer, the information center forwards it to the local console, remote terminal, or SNMP proxy.
- Debugging message output: Debugging messages can be generated on routers after a debugging function is enabled. After receiving the debugging messages from the routers, the information center forwards them to the local console, remote terminal, or log hosts.
For details on the output of trap messages and debugging messages, see Mechanism of the Information Center.
By default, the information center is enabled. The information center dispatches logs, trap
messages, and debugging messages to 10 information channels based on their severities.
As shown in Figure 5-47, Syslogs, trap messages, and debugging messages are output through
the default information channel. However, you can manually specify the information channel.
For example, if channel 6 is specified as the information channel to the log buffer, the information
center dispatches all logs destined for the log buffer to channel 6 instead of the default channel
4.
As shown in Table 5-22, the system provides ten information channels. The first six channels, numbered 0 through 5, have default channel names and are associated with six output directions by default. Logs and messages that are forwarded to the information channels must be output in specific directions before they can be saved. For NGFWs that are equipped with a hard disk, channel 9 is also available, so an NGFW of this type has seven output directions altogether.
Channel 2, default name loghost, output direction loghost: Sends logs to the log host, where the logs are stored in files for viewing.
Channel 4, default name logbuffer, output direction logbuffer: Outputs the logs to the log buffer. The NGFW assigns a specified area as the log buffer that records the logs.
When multiple log hosts are available, you can configure logs to be output to different log hosts
through one channel or multiple channels. For example, configure certain logs to be output to a
log host either through Channel 2 (loghost) or through Channel 6. You can also change the name
of Channel 6 for convenient management.
Prerequisites
Ensure the system time setting is correct during the initial configuration. Changes of the setting
when the device is running result in inaccuracy of the timestamps recorded in existing logs.
Context
The firewall can send all types of logs (except traffic logs and policy matching logs) to a syslog
host.
If you configure both the syslog host and binary log host, session logs are sent simultaneously
in syslog and binary formats to the syslog host. Other logs are sent preferentially in binary format
to the binary log host.
NOTE
Session logs in syslog format can be output only to syslog hosts, not to the log buffer, console, or terminal.
Procedure
Step 1 Optional: Run the engine log { app-control | audit | av | data-filter | file-block | ips | mail-
filter | url-filter } enable command to enable the log function.
NOTICE
By default, the information center is enabled. If excessive logs and messages are to be generated,
enabling the information center compromises the system performance.
Step 4 Optional: Run the info-center channel channel-number name channel-name command to set the name of the information channel numbered channel-number to channel-name.
Step 5 Optional: Run the info-center syslog unicode enable command to enable the information
center to send logs in unicode to information channels.
NOTE
Unicode is used to display Chinese characters. Therefore, unicode logs support only UCS-2 character set
and UTF-8 coding scheme.
Step 6 Run the info-center source { module-name | default } channel { channel-number | channel-
name } [ log { state { off | on } | level severity } * ] command to configure the channels for log
output.
By default, log output is not enabled on the audit log (AUDIT), mail filtering (MAILFITER),
URL filtering (URL), anti-spam (RBL), application control (APPCTL), data leak prevention
(DLP), antivirus (AV), intrusion prevention (IPS) modules. On other modules, log output is
enabled by default.
Step 7 Configure the information center to send the logs to the log buffer, local console, remote terminal,
and third-party log hosts as required.
- Configure the information center to send logs to the log buffer.
By default, the information center dispatches the logs destined for the log buffer to channel 4. The size of the log buffer is 1024 KB. Log output is enabled and the severity of the logs is Warning.
Step 8 Optional: Configure the information display function of the VTY terminal.
1. Run the quit command to return to the user view.
2. Run the terminal monitor command to enable the information display function of the
terminal.
The information display function is enabled by default. This command applies only to the
current VTY terminal where the command is executed.
3. Run the terminal logging command to enable the information display function of the
terminal.
The information display function on the VTY terminal is enabled by default.
NOTE
The information display function must be enabled if the logs are sent to the local console or remote terminal.
----End
Example
1. Run the system-view command to access the system view.
2. Run the info-center source ARP channel 4 command to send logs through channel 4.
[NGFW] info-center source ARP channel 4
3. Run the info-center console channel 0 command to send debugging messages through
channel 10.
[NGFW] info-center console channel 0
Follow-up Procedure
After the configuration, display the information recorded in the information center.
<NGFW> display info-center
Information Center:enabled
Log host:
Console:
Prerequisites
Ensure that the system time settings on the NGFW are the same as the settings on the eSight
during the initial configuration. Changes of the setting when the device is running result in
inaccuracy of the timestamps recorded in existing logs.
Procedure
Step 1 Run the system-view command to access the system view.
Step 2 Optional: Run the log type traffic enable command to enable the output of traffic logs.
Step 3 Optional: Run the engine log { app-control | audit | av | data-filter | file-block | ips | mail-
filter | url-filter } enable command to enable the output of threat logs, URL filtering logs,
content logs, IM auditing logs, HTTP auditing logs, and mail filtering logs.
Step 4 Enable the output of policy matching logs in the security interzone.
1. Run the log type policy enable command to enable the output of policy matching logs.
By default, the log function is enabled.
2. Run the security-policy command to access the security policy view.
3. Run the rule name rule-name command to access the security policy rule view.
4. Run the policy logging command to enable the policy matching log function.
By default, the policy matching log function is disabled.
3. Run the session logging command to enable the session log function.
By default, the session log function is disabled.
Step 6 Run the data-flow loghost host-id ip-address ip-address [ port port-number ] [ vpn-instance
vpn-instance-name ] command to configure the log hosts that receive binary logs.
The NGFW supports a maximum of 16 log hosts for load balancing or redundancy.
NOTE
Only the eSight can serve as the log host that receives and parses binary logs. For details on the eSight, see its product documentation.
Step 7 Optional: Run the data-flow loghost source ip-address ip-address [ source-port port-number ] command to set the source IP address and port that the NGFW uses to send binary logs.
If the source IP address is not configured, the NGFW uses the IP address of the outgoing interface
to the log host as the source IP address.
The configured source IP address must be the same as the IP address of the NGFW configured
on the log host.
Step 8 Optional: Run the data-flow send-type concurrent command to configure the output of binary
logs in concurrent mode.
If multiple log hosts are configured, the NGFW sends each binary log to all log hosts after this
command is executed.
By default, the NGFW sends binary logs in polling mode, that is, the NGFW sends binary logs
to the configured log hosts in turns.
Step 9 Optional: Run the data-flow encrypt password password command to configure the
encryption function on the NGFW for sending binary logs.
After you run this command, the NGFW will use the specified encryption password to encrypt
the binary logs before sending. After receiving the binary logs, the eSight will use the decryption
password to decrypt the logs. This ensures the log transmission security. The encryption
password specified on the NGFW and the decryption password specified on the eSight must be
the same.
NOTICE
The existing NGFW supports encryption of audit logs only. In order to ensure the security of
audit logs during the transmission, it is suggested to configure the encryption function.
----End
Procedure
Step 1 Enable the information center.
1. Run the system-view command to access the system view.
2. Run the info-center enable command to enable the information center.
NOTICE
By default, the information center is enabled. If excessive logs and messages are to be generated,
enabling the information center compromises the system performance.
Step 2 Optional: Run the info-center channel channel-number name channel-name command to set the name of the information channel numbered channel-number to channel-name.
Step 3 Run the info-center source { module-name | default } channel { channel-number | channel-
name } [ trap { state { off | on } | level severity } * ] command to configure the channels for the
output of trap messages.
Trap messages can be sent only when the information center is enabled. The timestamps in trap
messages are in the date format. The trap message output function is enabled and the severity
of the trap messages is Warning.
Step 4 Configure the information center to send trap messages to the trap buffer, local console, remote
terminal, and SNMP proxy as required.
- Configure the information center to send trap messages to the trap buffer.
By default, the information center dispatches the trap messages destined for the trap buffer to channel 13. The size of the trap buffer is 1024 trap messages.
1. Run the info-center trapbuffer [ channel { channel-number | channel-name } ] command to enable the information center to send trap messages to the trap buffer.
2. Optional: Run the info-center trapbuffer size buffer-size command to set the size of the trap buffer.
- Run the info-center console channel { channel-number | channel-name } command to enable the information center to send trap messages to the local console.
By default, the information center dispatches the trap messages destined for the local console to information channel 0. The output of trap messages is enabled and the severity of the trap messages is Warning.
- Run the info-center monitor channel { channel-number | channel-name } command to enable the information center to send trap messages to the VTY terminal.
By default, the information center dispatches the trap messages destined for the VTY terminal to information channel 1. The output of trap messages is enabled and the severity of the trap messages is Warning.
- Run the info-center snmp channel { channel-number | channel-name } command to enable the information center to send trap messages to the SNMP proxy.
To enable the information center to send trap messages to the SNMP proxy, enable the SNMP proxy function.
By default, the information center dispatches the trap messages destined for the SNMP proxy to channel 15.
Step 5 Optional: Configure the information display function of the VTY terminal.
NOTE
The information display function must be enabled if the information center is configured to send the trap
messages to the local console or remote terminal.
----End
Example
1. Run the info-center source ARP channel 4 command to send the logs through channel 4.
[NGFW] info-center source ARP channel 4
2. Run the info-center console channel 0 command to send the debugging messages through
channel 10.
[NGFW] info-center console channel 0
Follow-up Procedure
After the configuration, display the information recorded in the information center.
<NGFW> display info-center
Information Center:enabled
Log host:
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 259, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 57
Trap buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 0, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 0
Information timestamp setting:
log - date, trap - date, debug - boot
Procedure
Step 1 Enable the information center.
1. Run the system-view command to access the system view.
2. Run the info-center enable command to enable the information center.
NOTICE
By default, the information center is enabled. If excessive logs and messages are to be generated,
enabling the information center compromises the system performance.
Step 2 Optional: Run the info-center channel channel-number name channel-name command to set the name of the information channel numbered channel-number to channel-name.
Step 3 Run the info-center source { module-name | default } channel { channel-number | channel-
name } [ debug { state { off | on } | level severity } * ] command to configure the channels for
the output of debugging messages.
Debugging messages can be sent only when the information center is enabled. The timestamps
in debugging messages are in the boot format.
Step 4 Configure the information center to send debugging messages to the local console, remote
terminal, and log hosts as required.
- Run the info-center console channel { channel-number | channel-name } command to enable the information center to send debugging messages to the local console.
- Run the info-center monitor channel { channel-number | channel-name } command to enable the information center to send debugging messages to the VTY terminal.
- Run the info-center loghost ip-address [ port ] [ vpn-instance vpn-instance-name ] [ module { module-name } &<1-6> ] [ channel { channel-number | channel-name } | facility local-number | language { chinese | english } ] * command to send debugging messages to the log hosts.
By default, the information center does not send debugging messages to the log hosts.
Step 5 Optional: Configure the information display function of the VTY terminal.
1. Run the quit command to return to the user view.
2. Run the terminal monitor command to enable the information display function of the
terminal.
The information display function is enabled by default. This command applies only to the
current VTY terminal where the command is executed.
3. Run the terminal debugging command to enable the information display function on the
VTY terminal.
The information display function on the VTY terminal is disabled by default.
NOTE
The information display function must be enabled if the information center is configured to send the
debugging messages to the local console or remote terminal.
----End
Example
- Run the info-center source default channel 0 command to send debugging messages through channel 0.
[NGFW] info-center source default channel 0
- Run the info-center console channel 0 command to send debugging messages to console CON0.
[NGFW] info-center console channel 0
Follow-up Procedure
After the configuration, display the information recorded in the information center.
<NGFW> display info-center
Information Center:enabled
Log host:
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 259, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 57
Trap buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 0, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 0
Information timestamp setting:
log - date, trap - date, debug - boot
Table 5-23 Commands for viewing the configuration for the output of logs, trap messages, and
debugging messages.
Task Command
Clearing Statistics
NOTICE
The statistics cannot be restored after you clear them. Therefore, ensure that you are fully aware of the result before you use the command.
Table 5-24 lists the commands for clearing the statistics about logs, trap messages, and
debugging messages.
Table 5-24 Commands for clearing the statistics about logs, trap messages, and debugging
messages
Task Command
Prerequisites
The system time setting is correct during the initial configuration. Changing system time during
device running results in incorrect timestamps in existing logs.
To output policy matching logs and session logs to log hosts, choose Policy > Security Policy
and enable Record Policy Matching Log and Record Session Log.
NOTE
If you configure both the syslog host and binary log host, session logs are sent simultaneously in syslog and
binary formats to the syslog host. Other logs are sent preferentially in binary format to the binary log host.
After a syslog host is configured, the NGFW sends the syslogs it has generated to the syslog
host. The syslog host analyzes and maintains the syslogs.
Parameter: Description
Log Host IP Address: IP address of the log host that receives syslogs from the NGFW. This IP address must be the actual IP address of the log host.
Destination Port: Port number of the log host that receives syslogs from the NGFW. This port number must be the actual port number configured on the log host. The default port number on the log host is 514.
Step 3 Click and repeat the preceding steps to add more log hosts.
If multiple log hosts are configured, the NGFW sends the same syslogs to different log hosts for
syslog backup.
If the Operation succeeded dialog box is displayed, the syslog sending function has been
configured.
----End
After you configure the binary log host, the NGFW sends the binary logs to the binary log host
for log analysis and management.
Parameter: Description
Send Binary Logs to All Log Servers: If Send Logs Concurrently is selected, binary logs are sent to all log hosts. If not, the device sends logs to all log hosts in turn based on the specified log host IDs.
Log Source IP Address: Specifies the source IP address for sending binary logs.
Source Port: Specifies the source port of binary logs. The default port is 1617.
Log Host IP Address: Specifies the IP address of the log host that receives binary logs.
Port: Specifies the port of the log host that receives binary logs. The default port is 9903.
Step 3 Click and repeat the preceding steps to add more log hosts.
If the Operation succeeded dialog box is displayed, the binary log sending function has
been configured.
----End
----End
Step 2 Enter the threshold in the area box next to Alarm Threshold.
The value is an integer ranging from 50 to 100, in percentage. By default, the threshold is 85%.
----End
Overwrite is the default log processing mode in case of insufficient log storage space.
----End
5.9.4.1 Example for Enabling the Information Center to Send Logs to Log Hosts
This section provides an example for configuring the output of syslogs generated by different
modules to log servers.
Networking Requirements
As shown in Figure 5-48, log information is sent to a log server. You can configure the
NGFW to send logs generated by the SHELL and SEC modules to different log servers
respectively. Two log servers are required for the NGFW.
[Figure 5-48 Networking diagram: the NGFW connects GE1/0/1 (10.1.1.1/24) to the Untrust zone 10.1.1.0/24, GE1/0/2 (10.1.2.1/24) to the DMZ 10.1.2.0/24, and GE1/0/3 (10.1.3.1/24) to the Trust zone 10.1.3.0/24.]
Configuration Roadmap
1. Enable the information center function to allow the output of device logs.
2. Configure a source interface for sending log information.
3. Configure log output channels to send the logs generated by different modules to log
servers.
4. Configure the log servers to receive logs from the NGFW.
Procedure
Step 1 Configure basic data for the NGFW.
# Configure a security policy between the Local zone and the DMZ to allow logs generated by
the NGFW to reach the DMZ.
[NGFW] security-policy
[NGFW-policy-security] rule name policy2
[NGFW-policy-security-rule-policy2] source zone local
[NGFW-policy-security-rule-policy2] destination zone dmz
[NGFW-policy-security-rule-policy2] destination-address 10.1.2.0 mask 24
[NGFW-policy-security-rule-policy2] action permit
[NGFW-policy-security-rule-policy2] quit
[NGFW-policy-security] quit
Step 5 Configure log output channels to send logs to the specified log servers.
NOTE
By default, logs are sent to a log server in syslog mode through channel 2. The default channel name is
loghost.
# Set the log server at 10.1.2.2 (facility local2) and configure the NGFW to allow the output of logs generated by the SHELL module to Log Server 1 through channel 6.
[NGFW] info-center source SHELL channel 6 log level informational
[NGFW] undo info-center source default channel 6
[NGFW] info-center loghost 10.1.2.2 1000 module SHELL
# Set the log server at 10.1.2.3 and configure the NGFW to allow the output of logs generated
by the SEC module to Log Server 2 through channel loghost.
[NGFW] info-center source SEC channel 2 log level informational
[NGFW] undo info-center source default channel 2
[NGFW] info-center loghost 10.1.2.3 514 module SEC
NOTE
By default, attack defense logs are not sent to any host. To enable this function, run the info-center source
DDOS channel loghost log state on command.
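The undo info-center source default commands in the steps above are what keep each log server from receiving every module's logs. The following Python model of channel routing is an added example, not NGFW code; it assumes that channels 2 (loghost) and 6 start with a default rule at Warning, that a module-specific rule overrides the channel's default rule, and that the eight syslog severity names are ordered as in standard syslog.

```python
# Added model of info-center channel routing; not the NGFW's implementation.
# Assumed standard syslog severity ordering (the page names only Warning,
# informational and debugging); lower number means more severe.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "informational": 6, "debugging": 7}


class InfoCenter:
    """Per-channel rules in the shape of
    'info-center source { module | default } channel N log level SEV'."""

    def __init__(self):
        # channel number -> {module name or "default": (enabled, level)}
        self.rules = {}

    def source(self, module, channel, level="warning", state="on"):
        """info-center source MODULE channel CHANNEL log state STATE level LEVEL"""
        self.rules.setdefault(channel, {})[module] = (state == "on", level)

    def undo_source(self, module, channel):
        """undo info-center source MODULE channel CHANNEL"""
        self.rules.get(channel, {}).pop(module, None)

    def channels_for(self, module, severity):
        """Return the sorted list of channels a log from `module` at `severity`
        is dispatched to. Assumption: a module-specific rule on a channel
        overrides that channel's default rule, as the page's procedure implies."""
        out = []
        for channel, rules in sorted(self.rules.items()):
            rule = rules.get(module, rules.get("default"))
            if rule is None:
                continue
            enabled, level = rule
            if enabled and SEVERITY[severity] <= SEVERITY[level]:
                out.append(channel)
        return out


def configure_like_page(remove_defaults=True):
    """Replay the two log-server configurations from this section.
    Assumption: channels 2 (loghost) and 6 start with a default rule at
    Warning, which is what the undo commands in the procedure remove."""
    ic = InfoCenter()
    ic.source("default", 2)                       # factory default (assumed)
    ic.source("default", 6)                       # factory default (assumed)
    ic.source("SHELL", 6, level="informational")  # SHELL -> Log Server 1
    ic.source("SEC", 2, level="informational")    # SEC   -> Log Server 2
    if remove_defaults:
        ic.undo_source("default", 6)
        ic.undo_source("default", 2)
    return ic


if __name__ == "__main__":
    with_undo = configure_like_page()
    without_undo = configure_like_page(remove_defaults=False)
    # With the undo step each server sees only its own module ...
    print(with_undo.channels_for("SHELL", "informational"))  # [6]
    print(with_undo.channels_for("SEC", "warning"))          # [2]
    # ... while without it, any module's warnings reach both log servers.
    print(without_undo.channels_for("ARP", "warning"))       # [2, 6]
```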
----End
Configuration Verification
1. Check the information center output to verify the log output configuration.
<NGFW> display info-center
Information Center:enabled
Log host:
the interface name of the source address:GigabitEthernet1/0/2
ip : 10.1.2.2, port : 1000, channel number : 6, channel name : channel6
language english , host facility local2
ip : 10.1.3.3, port : 514, channel number : 2, channel name : loghost
language english , host facility local7
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 256, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 150
Trap buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 0, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 0
logfile:
channel number : 9, channel name : channel9, language : english
Information timestamp setting:
log - date, trap - date, debug - boot
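As an added example (not Huawei code), the following Python parses the display info-center output shown above and raises the checks a reviewer makes of a logging configuration: information center enabled, at least one log host bound to a channel, the port each host listens on, and whether the local log buffer has dropped or overwritten messages. The sample text is the page's output with the extraction line breaks repaired; the 514 expectation is the default syslog port this section states.

```python
import re

# Sample taken from the "display info-center" output shown on this page,
# with the line breaks that PDF extraction introduced repaired.
SAMPLE_OUTPUT = """\
Information Center:enabled
Log host:
the interface name of the source address:GigabitEthernet1/0/2
ip : 10.1.2.2, port : 1000, channel number : 6, channel name : channel6
language english , host facility local2
ip : 10.1.3.3, port : 514, channel number : 2, channel name : loghost
language english , host facility local7
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 256, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 150
Trap buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 0, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 0
logfile:
channel number : 9, channel name : channel9, language : english
Information timestamp setting:
log - date, trap - date, debug - boot
"""

# The output mixes "channel number : 4" and "channel number:3", so the
# patterns tolerate optional whitespace around the colons.
CHANNEL_RE = re.compile(r"channel number\s*:\s*(\d+),\s*channel name\s*:\s*([^\s,]+)")
LOGHOST_RE = re.compile(r"^ip\s*:\s*(\S+),\s*port\s*:\s*(\d+)")
COUNTER_RE = re.compile(r"dropped messages\s+(\d+),\s*overwritten messages\s+(\d+)")
HEADER_RE = re.compile(r"^([A-Za-z ]+):\s*$")   # e.g. "Log host:" or "Console:"


def parse_info_center(text):
    """Turn 'display info-center' output into {enabled, loghosts, sections}."""
    state = {"enabled": None, "loghosts": [], "sections": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Information Center:"):
            state["enabled"] = line.split(":", 1)[1].strip() == "enabled"
            continue
        header = HEADER_RE.match(line)
        if header:
            section = header.group(1)
            state["sections"][section] = {"channels": [], "dropped": 0, "overwritten": 0}
            continue
        if section is None:
            continue
        channel = CHANNEL_RE.search(line)
        host = LOGHOST_RE.match(line)
        if section == "Log host" and host:
            state["loghosts"].append({
                "ip": host.group(1), "port": int(host.group(2)),
                "channel": int(channel.group(1)) if channel else None,
                "channel_name": channel.group(2) if channel else None})
            continue
        if channel:
            state["sections"][section]["channels"].append((int(channel.group(1)), channel.group(2)))
        counters = COUNTER_RE.search(line)
        if counters:
            state["sections"][section]["dropped"] = int(counters.group(1))
            state["sections"][section]["overwritten"] = int(counters.group(2))
    return state


def audit_logging(state, expected_port=514):
    """Findings a reviewer would raise; expected_port is the syslog default from this section."""
    findings = []
    if not state["enabled"]:
        findings.append("information center disabled: no logs, traps or debugging output")
    if not state["loghosts"]:
        findings.append("no log host configured: logs exist only in the local buffer")
    for host in state["loghosts"]:
        if host["port"] != expected_port:
            findings.append(f"log host {host['ip']} uses non-default port {host['port']}")
        if host["channel"] is None:
            findings.append(f"log host {host['ip']} has no channel bound")
    buf = state["sections"].get("Log buffer")
    if buf and buf["dropped"]:
        findings.append(f"log buffer dropped {buf['dropped']} messages")
    if buf and buf["overwritten"]:
        findings.append(f"log buffer overwrote {buf['overwritten']} messages: "
                        "local history is incomplete, rely on the log host copy")
    return findings


if __name__ == "__main__":
    for finding in audit_logging(parse_info_center(SAMPLE_OUTPUT)):
        print(finding)
```

On the sample above the audit reports two findings: the 10.1.2.2 host on the non-default port 1000, and 150 overwritten messages in the 1024 KB log buffer.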
2. When the NGFW generates session logs, you can view logs of the SEC module on Log Server 2.
3. Run commands on the NGFW or log out of the NGFW. You can view logs of the SHELL
module on Log Server 1.
5.9.4.2 Example for Enabling the Information Center to Send Debugging Messages
to the Console
The PC connects to the console port on the NGFW. You can configure the information center
on the NGFW to send debugging messages of the specified modules to the console.
Networking Requirements
As shown in Figure 5-49, the PC connects to the console port on the NGFW. The debugging
messages of the Address Resolution Protocol (ARP) module must be sent to the console.
Figure 5-49 Networking diagram for sending debugging messages to the console
[Figure 5-49: the PC connects to the console port on the NGFW.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the information center on the NGFW.
2. Enable the information center to send debugging messages of the ARP module to the
console.
3. Enable the display of debugging message content on the terminal.
Procedure
Step 1 Enable the information center.
[NGFW] info-center enable
Step 2 Enable the information center to send debugging messages whose severity level is above
debugging through the console channel.
[NGFW] info-center source arp channel console debug level debugging
[NGFW] info-center console channel console
[NGFW] quit
----End
Result
Display the debugging messages that are sent through the specified channel.
<NGFW> display channel 0
channel number:0, channel name:console
5.10.1 Overview
This section describes the file system structure and file transfer mode of the NGFW.
Hard disk (vdbfs:/): Optional storage device, used to store logs and reports. You are advised to install hard disks for the NGFW to store more logs and reports.
The NGFW allows you to repair and format the storage devices, as well as create, delete, and
modify files or directories on the storage devices.
Directory Name: Function
default-sdb: Stores the default signature database file and version information.
- NGFW as a server: Administrators can access the NGFW from terminals to manage files on the NGFW or transfer files with the NGFW.
- NGFW as a client: Administrators can access other devices from the NGFW to manage files on these devices or transfer files with these devices.
In TFTP mode, the NGFW can serve only as a client. In FTP and SFTP modes, the NGFW can serve as a server or a client.
Table 5-27 lists the advantages and disadvantages of different file management modes.
NOTICE
SFTP is recommended because of high security.
NOTE
Managing Directories
Table 5-29 lists the commands for managing directories.
NOTE
Displaying the files and subdirectories in the specific directory: dir [ /all ] [ filename | directory ]
- /all: Displays the information about all files, including deleted files. Deleted files are square-bracketed, for example, [ text ].
- filename | directory: Displays the files and subdirectories of a specific directory. If the value is not specified, the dir command displays all files and subdirectories in the current directory.
Managing Files
Table 5-30 lists the commands for managing files.
NOTE
All these commands need to be executed in the user view, except execute filename and file prompt { alert |
quiet } (in the system view).
Configuring the file system prompt method: file prompt { alert | quiet }
The file prompt command enables the system to display information or an alert, especially when your operations may lead to data loss or damage. You can run this command to change the file system prompt method.
NOTICE
SFTP is recommended because of high security.
Procedure
Step 1 Access the system view.
system-view
The FTP server is configured on the NGFW by default. You need to run this command to enable
the FTP service.
NOTE
The interactive mode is recommended for creating administrator passwords because the passwords
configured by the cipher password command are not safe.
4. Set the administrator level.
level level
NOTE
To ensure that the administrator can log in to the NGFW, set the administrator level to be 3 or higher.
5. Set the service type to FTP for the administrator account.
service-type ftp
6. Set the FTP service directory for the administrator account.
ftp-directory directory
7. Set the maximum number of administrators that can concurrently log in using this
administrator account.
access-limit max-number
8. Return to the AAA view.
quit
9. Return to the system view.
quit
To prevent unauthorized access, the NGFW automatically closes the FTP connections if the
NGFW does not receive any FTP request in a specific period of time. To use the FTP service,
FTP administrators must log in to the FTP server again.
NOTE
FTP supports only basic ACLs. Therefore, the acl-number value ranges from 2000 to 2999.
2. Configure an ACL rule.
3. Return to the system view.
quit
4. Configure basic ACLs for FTP connections.
----End
Procedure
Step 1 Log in to the FTP server.
Different commands are available for you to log in to the FTP server from different views.
l Set up a connection with the FTP server from the user view.
ftp ip-address or hostname [ port-number ] [ vpn-instance vpn-instance-name ]
l Set up a connection with the FTP server from the FTP client view.
open ip-address or hostname [ port-number ] [ vpn-instance vpn-instance-name ]
Step 2 Optional: Configure the data type and file transfer mode.
Set the file transfer mode to passive or active: passive or undo passive. By default, the client uses passive mode to establish the data tunnel.
Download a file from the FTP server to the local device: get remote-filename [ local-filename ]
Change the login account and log in again: user user-name [ password ]
Close the connection with the FTP server and return to the user view: bye or quit
----End
Procedure
Step 1 Access the system view.
system-view
To ensure that administrators can log in to the NGFW, set the VTY user interface level to 3 or higher.
By default, a VTY interface supports SSH and Telnet.
To ensure that the administrator can log in to the NGFW, set the administrator level to 3 or higher.
4. Set the service type to SSH for the administrator account.
service-type ssh
5. Set the service type to SFTP for the SSH account.
ssh service-type sftp
6. Configure the SFTP service directory.
ftp-directory directory
7. Select one authentication mode for the SFTP account.
Configure the RSA authentication mode:
1. Run the ssh authentication-type rsa command to set the authentication mode to RSA.
2. Bind the SFTP account with the RSA public key on the client.
a. In the system view, run the rsa peer-public-key key-name [ encoding-type { der | pem | openssh } ] command to access the RSA public key view.
b. Run the public-key-code begin command to access the public key editing view.
c. Enter the RSA public key through typing or copy and paste.
d. Run the public-key-code end command to return to the public key view.
e. Run the peer-public-key end command to return to the system view.
f. Run the aaa command to access the AAA view.
g. Run the manager-user user-name command to access the administrator view. user-name is the SFTP account created in Step 5.2.
h. Run the ssh assign rsa-key rsa-key-name command to bind an RSA key to the SFTP account.
----End
Procedure
Step 1 Access the system view.
system-view
Step 2 Enable first-time authentication or bind the RSA public key to the SFTP server. First-time
authentication is recommended.
NOTE
When communicating with an SFTP server, the NGFW (SFTP client) needs to compare the RSA public key
sent by the server with the locally stored RSA public key to check whether it is communicating with the correct
server.
If the server RSA public key was not obtained in advance and does not exist on the NGFW, enable first-time
authentication on the NGFW to ensure that the NGFW can log in to the server.
If you have obtained the server RSA public key in advance, you can copy the public key to the NGFW and bind
the server to this public key. This method also ensures that the NGFW can log in to the server, but binding the
server to the RSA public key is complex. Therefore, first-time authentication is recommended.
l Enable first-time authentication.
ssh client first-time enable
l Bind the SFTP server to an RSA public key.
1. Access the public key view.
rsa peer-public-key key-name [ encoding-type { der | pem | openssh } ]
2. Access the public key editing view.
public-key-code begin
3. Enter the RSA public key through typing or copy and paste.
4. Return to the public key view.
public-key-code end
5. Return to the system view.
peer-public-key end
6. Bind the SFTP server to the RSA public key.
ssh client servername assign rsa-key keyname
NOTE
If the binding between the SFTP server and the RSA public key becomes invalid, run the undo
ssh client servername assign rsa-key command to cancel the binding and bind the SFTP server
to a new RSA public key.
Step 3 If the SFTP server uses password authentication, perform Step 4 to log in to the SFTP server.
If the SFTP server uses RSA authentication, bind the SFTP account of the NGFW to the RSA
public key on the server as follows:
1. Generate an RSA key pair on the NGFW.
rsa local-key-pair create
2. Check the public key in the RSA key pair, copy the public key information of the host key
pair to the server, and bind the SFTP account on the NGFW to this public key. For details,
refer to the SFTP server operation guide.
display rsa local-key-pair public
NOTE
The public key information to be copied is the Key code, Host public key for PEM format code,
or Public key code for pasting into OpenSSH authorized_keys file (based on the server coding
format) field below the sysname_Host field in the display rsa local-key-pair public command
output.
<sysname> display rsa local-key-pair public
If first-time authentication is enabled and the NGFW does not store the server RSA public key,
you need to determine whether to trust the server and whether to save the server RSA public key
upon first login. Select Y when prompted.
[sysname] sftp 10.2.2.1
Please input the username:sysname
Trying 10.2.2.1 ...
Press CTRL+K to abort
Connected to 10.2.2.1 ...
The server is not authenticated. Continue to access it? [Y/N] :Y
Save the server's public key? [Y/N] :Y
The server's public key will be saved with the name 10.2.2.1. Please wait ...
NOTE
To improve file transfer security, use AES128 preferentially as the encryption algorithm. DES and 3DES
are not recommended. Use SHA1 or SHA1-96 preferentially as the HMAC algorithm. MD5 and MD5-96
are not recommended.
----End
Procedure
Step 1 Optional: Configure ACLs to limit the access from the NGFW to the TFTP server.
1. Access the system view.
system-view
2. Access the ACL view.
acl [ number ] acl-number [ vpn-instance vpn-instance ]
NOTE
TFTP supports only basic ACLs. Therefore, the acl-number value ranges from 2000 to 2999.
3. Configure ACL rules.
rule [ rule-id ] { deny | permit } [ logging | source { source-ip-address source-wildcard
| any } | time-range time-name ]
4. Return to the system view.
quit
5. Use ACLs to limit the access from the NGFW to the TFTP server.
tftp-server acl acl-number
----End
5.10.4.1 Displaying Information About the FTP Server and FTP Administrator
This section describes how to use commands to display FTP configuration information.
Context
In routine maintenance, you can run the commands shown in Table 5-31 in any view to display
FTP configurations and FTP administrators.
Table 5-31 Displaying information about FTP configurations and FTP administrators
5.10.4.2 Displaying Information About the SFTP Server and SFTP Administrator
This section describes how to display the SFTP server configuration and how to debug the SFTP
function.
Debugging SFTP
Before you enable the debugging function, you must run the terminal monitor command and
the terminal debugging command in the user view to enable the information display and
debugging display functions of the terminal. Then debugging information can be displayed on
the terminal.
NOTICE
Debugging commands compromise system performance. After the debugging is complete, run
the undo debugging all command to disable all debugging functions.
Requirements
You have already copied files to the specified directory.
Procedure
Step 1 Display the information about the files in the directory of the storage device.
<NGFW> dir hda1:
Directory of hda1:/
0 -rw- 264 Oct 23 2009 10:58:16 private-data.txt
2 -rw- 679 Oct 18 2009 17:51:41 vspcfg.zip
3 -rw- 396 Aug 03 2009 09:58:16 hostkey
4 -rw- 540 Aug 03 2009 09:58:23 serverkey
13 -rw- 1717 Sep 21 2009 18:48:00 or4148.dat
15 -rw- 23 Oct 24 2009 11:14:39 sample.txt
<NGFW> dir hda1:/test/
Directory of hda1:/test/
0 drw- - Jul 12 2009 17:35:57 database
1 drw- - Jul 12 2009 17:25:57 conf
3 drw- - Jul 12 2009 17:32:57 log
----End
Configuration Verification
Check whether the copied files exist in the specified directory.
<NGFW> dir hda1:/test/
Directory of hda1:/test/
0 drw- - Jul 12 2009 17:35:57 database
1 drw- - Jul 12 2009 17:25:57 conf
3 drw- - Jul 12 2009 17:32:57 log
4 -rw- 23 Oct 24 2009 11:16:40 sample1.txt
Networking Requirements
As shown in Figure 5-50, a PC is used to log in to the NGFW and download files from the
NGFW through FTP.
NOTICE
FTP transmits passwords and data in plaintext mode, causing security risks. To secure data
transmission, use SFTP.
Figure 5-50 Networking diagram for configuring the NGFW as an FTP server
[Figure content: NGFW MGMT interface (GE0/0/0) at 192.168.0.1/24 connected to the PC at 192.168.0.100/24]
Data Planning
Procedure
Step 1 Configure the NGFW.
1. Configure a security policy for the Local-Trust interzone to permit the FTP service.
<NGFW> system-view
[NGFW] security-policy
[NGFW-policy-security] rule name policy_ftp
[NGFW-policy-security-rule-policy_ftp] service ftp
[NGFW-policy-security-rule-policy_ftp] source-zone trust
[NGFW-policy-security-rule-policy_ftp] destination-zone local
[NGFW-policy-security-rule-policy_ftp] source-address 192.168.0.100 32
[NGFW-policy-security-rule-policy_ftp] destination-address 192.168.0.1 32
[NGFW-policy-security-rule-policy_ftp] action permit
[NGFW-policy-security-rule-policy_ftp] quit
[NGFW-policy-security] quit
[NGFW-aaa-manager-user-admin_ftp] quit
[NGFW-aaa] quit
Step 2 Set an IP address and subnet mask for the PC. Details are omitted.
Step 3 Use FTP to log in to the NGFW from the PC and download files.
1. Choose Start > Run, enter cmd, and press Enter.
2. Enter D: and press Enter to set drive D as the working directory for the administrator's PC.
3. Enter ftp 192.168.0.1, press Enter, and then use the account and password to log in to the
NGFW.
4. Download file sys.bin from the FTP directory on the NGFW to the root directory of drive
D.
5. Close the FTP connection and view the downloaded file.
C:\Documents and Settings\user> d:
D:\> ftp 192.168.0.1
Trying 192.168.0.1 ...
Press CTRL+K to abort
Warning: Ftp is not a secure protocol, and it is recommended to use Sftp.
Connected to 192.168.0.1.
220 FTP service ready.
User(192.168.0.1:(none)):admin_ftp
331 Password required for admin_ftp.
Password:
230 User logged in.
ftp> binary
200 Type set to I.
ftp> get sys.bin
200 PORT command okay.
150 Opening BINARY mode data connection for sys.bin.
226 Transfer complete.
ftp: 20116676 bytes received for 43.60 seconds at 461.40 kbyte/s.
ftp> quit
D:\>dir
......
2010-09-25 15:56 20,116,676 sys.bin
......
----End
Configuration Script
#
sysname NGFW
#
aaa
#
manager-user admin_ftp
password cipher %@%@*y:3*ZN}.%%qcB.|@XBVML1cCyDwlDWq'6JF(iOz2D8>A\SN%@%@
level 3
service-type ftp
ftp-directory hda1:
ssh authentication-type password
ssh service-type sftp
access-limit 3
#
security-policy
rule name policy_ftp
source-zone trust
destination-zone local
service ftp
source-address 192.168.0.100 32
destination-address 192.168.0.1 32
action permit
Networking Requirements
As shown in Figure 5-51, configure the NGFW as an FTP client and download files from the
FTP server to the specified local directory.
NOTICE
FTP transmits passwords and data in plaintext mode, causing security risks. To secure data
transmission, use SFTP.
Figure 5-51 Networking diagram for configuring the NGFW as an FTP client
[Figure content: NGFW interface GE1/0/1 at 192.168.0.1/24 reaches the FTP server at 192.168.0.100/24 across the network]
Data Planning
Procedure
Step 1 Configure a security policy for the Local-Trust interzone to permit the FTP service.
<NGFW> system-view
[NGFW] security-policy
[NGFW-policy-security] rule name policy_ftp
[NGFW-policy-security-rule-policy_ftp] service ftp
[NGFW-policy-security-rule-policy_ftp] source-zone local
[NGFW-policy-security-rule-policy_ftp] destination-zone trust
[NGFW-policy-security-rule-policy_ftp] source-address 192.168.0.1 24
[NGFW-policy-security-rule-policy_ftp] destination-address 192.168.0.100 24
[NGFW-policy-security-rule-policy_ftp] action permit
[NGFW-policy-security-rule-policy_ftp] quit
[NGFW-policy-security] quit
Step 2 Log in to the FTP server from the NGFW and download the file to the specified directory.
# Set the file transfer mode to binary and display the current directory on the NGFW for saving
the file.
[ftp] binary
200 Type set to I.
[ftp] lcd
Info: Local directory now hda1:.
# Download the file from the FTP server and display the downloaded file in the specified
directory on the NGFW.
[ftp] get sys.bin
200 PORT command okay.
150 Opening BINARY mode data connection for sys.bin.
226 Transfer complete.
ftp: 20116676 byte(s) received, in 43.60 seconds at 461.40 kbytes/sec.
[ftp] quit
<NGFW> dir
Directory of hda1:/
...
3 -rw- 20116676 Aug 07 2009 06:58:17 sys.bin
...
----End
Networking Requirements
As shown in Figure 5-52, a PC is used to log in to the NGFW and download files from the
NGFW through SFTP.
Figure 5-52 Networking diagram for logging in to the NGFW through SFTP (password
authentication)
[Figure content: PC at 10.3.1.100/24 connected to the NGFW (SFTP server) interface GE1/0/3 at 10.3.0.1/24]
Data Planning
Procedure
Step 1 Configure the NGFW.
1. Set an IP address for interface GigabitEthernet 1/0/3 and assign the interface to a security
zone.
<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW-GigabitEthernet1/0/3] quit
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW-zone-trust] quit
2. Configure a security policy for the Local-Trust interzone to permit the SSH service.
[NGFW] security-policy
[NGFW-policy-security] rule name policy_sftp
[NGFW-policy-security-rule-policy_sftp] service ssh
[NGFW-policy-security-rule-policy_sftp] source-zone trust
[NGFW-policy-security-rule-policy_sftp] destination-zone local
[NGFW-policy-security-rule-policy_sftp] source-address 10.3.1.0 24
[NGFW-policy-security-rule-policy_sftp] action permit
[NGFW-policy-security-rule-policy_sftp] quit
[NGFW-policy-security] quit
6. Create an SFTP administrator account and specify an authentication mode and a service
type.
# Create SFTP administrator account sftpadmin_a and set the authentication mode to
password, service type to SFTP, and service directory to hda1:.
[NGFW] aaa
[NGFW-aaa] manager-user sftpadmin_a
[NGFW-aaa-manager-user-sftpadmin_a] service-type ssh
[NGFW-aaa-manager-user-sftpadmin_a] access-limit 3
[NGFW-aaa-manager-user-sftpadmin_a] level 3
[NGFW-aaa-manager-user-sftpadmin_a] ssh authentication-type password
[NGFW-aaa-manager-user-sftpadmin_a] password
Enter Password:
Confirm Password:
[NGFW-aaa-manager-user-sftpadmin_a] ssh service-type sftp
[NGFW-aaa-manager-user-sftpadmin_a] ftp-directory hda1:
[NGFW-aaa-manager-user-sftpadmin_a] quit
[NGFW-aaa] quit
b. Enter y and type the user name and password (sftpadmin_a/Mydevice@a) to log in to
the NGFW, as shown in Figure 5-54.
----End
Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
aaa
#
manager-user sftpadmin_a
password cipher %@%@fPXYG8r|>17U(MYaBLw0OE<3BRR/*~[B0>uW"^/){U_>wKB=%@%@
service-type ssh
level 3
ftp-directory hda1:
ssh authentication-type password
ssh service-type sftp
access-limit 3
#
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
#
security-policy
rule name policy_sftp
source-zone trust
destination-zone local
service ssh
source-address 10.3.1.0 24
action permit
Networking Requirements
As shown in Figure 5-56, a PC is used to log in to the NGFW and download files from the
NGFW through SFTP.
Figure 5-56 Networking diagram for logging in to the NGFW through SFTP (RSA
authentication)
[Figure content: PC at 10.3.1.100/24 connected to the NGFW (SFTP server) interface GE1/0/3 at 10.3.0.1/24]
Data Planning
Procedure
Step 1 Generate an RSA public key on the PC.
1. Install the PuTTY software. Details are omitted.
2. Use the PuTTYgen tool to generate a local RSA key pair (the following uses PuTTYgen 0.60
as an example).
a. Double-click PuTTYgen.exe. The interface shown in Figure 5-57 is displayed. In
Parameters, set Type of key to generate to SSH-2 RSA. Click Generate. The PC
starts to generate a local RSA key pair.
Figure 5-57 Selecting the SSH version for generating the local RSA key pair
b. Figure 5-58 shows the interface for generating a local RSA key pair. You must move
the mouse continuously while the key pair is being generated. Move the pointer within
the window but outside the green progress bar; otherwise, the progress bar stops and
the generation of the key pair is suspended.
c. Figure 5-59 shows the generation of the local RSA key pair. Do as follows to save
the RSA key pair in the specified format:
l OpenSSH: Copy the marked content in the Key text box.
l PEM: Click Save public key, enter public for the name of the public key file, and
click Save. Click Save private key, enter private for the name of the private key
file, and click Save.
NOTE
To enhance security, you must enter a password in the Key passphrase text box and enter the
password again in the Confirm passphrase text box to set a password for using this key pair.
2. Configure a security policy for the Local-Trust interzone to permit the SSH service.
[NGFW] security-policy
[NGFW-policy-security] rule name policy_sftp
[NGFW-policy-security-rule-policy_sftp] service ssh
[NGFW-policy-security-rule-policy_sftp] source-zone trust
[NGFW-policy-security-rule-policy_sftp] destination-zone local
[NGFW-policy-security-rule-policy_sftp] source-address 10.3.1.0 24
[NGFW-policy-security-rule-policy_sftp] action permit
[NGFW-policy-security-rule-policy_sftp] quit
[NGFW-policy-security] quit
5. Save the RSA public key of the intranet PC. In this example, the RSA public key is saved
in the OpenSSH coding format.
[NGFW] rsa peer-public-key key_pc encoding-type openssh
Enter "RSA public key" view, return system view with "peer-public-key end".
[NGFW-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[NGFW-rsa-key-code] ssh-rsa
AAAAB3NzaC1yc2EAAAABJQAAAIBwsFDGbVAbK35ecJqsioQ3BdTCa1
+eU3i13YQBHvBltIdI9bOMKYEYJbjuY4UYXkdtwA2ar6LWTI8X1hHbtYGqPk2MvjSF0hXn1DBabNUX
bLRyzWAhaopcsTbGboU88cQ6fe/DqE9jUpNLsPdg4EXz1LMyLNe134JCSe3Ufh7o/w== rsa-key-20140515
[NGFW-rsa-key-code] public-key-code end
[NGFW-rsa-public-key] peer-public-key end
7. Create an SFTP administrator account and specify an authentication mode and a service
type.
# Create SFTP administrator account sftpadmin_a and set the authentication mode to
RSA, service type to SFTP, and service directory to hda1:.
[NGFW] aaa
[NGFW-aaa] manager-user sftpadmin_a
[NGFW-aaa-manager-user-sftpadmin_a] service-type ssh
[NGFW-aaa-manager-user-sftpadmin_a] access-limit 3
[NGFW-aaa-manager-user-sftpadmin_a] level 3
[NGFW-aaa-manager-user-sftpadmin_a] ssh authentication-type rsa
[NGFW-aaa-manager-user-sftpadmin_a] ssh assign rsa-key key_pc
[NGFW-aaa-manager-user-sftpadmin_a] ssh service-type sftp
[NGFW-aaa-manager-user-sftpadmin_a] ftp-directory hda1:
[NGFW-aaa-manager-user-sftpadmin_a] quit
[NGFW-aaa] quit
3. Use PuTTY to log in to the NGFW through SFTP (the following uses PuTTY 0.60 as an
example).
a. Double-click PuTTY.exe. The interface shown in Figure 5-60 is displayed. Enter the
IP address of the SSH server in the Host Name (or IP address) text box.
b. Choose Connection > SSH in the left Category navigation tree. The interface shown
in Figure 5-61 is displayed. In the Protocol options area, set Preferred SSH protocol
version to 2.
c. Select Auth in SSH. The dialog box shown in Figure 5-62 is displayed. Click
Browse, import the private key file private.ppk in the saved RSA key pair.
Figure 5-62 Importing the private key in the RSA key pair
d. Click Session, enter ssh-rsa in the Saved Sessions text box, and click Save to save
the SSH session, as shown in Figure 5-63.
NOTE
The saved session will be used in the SFTP login using the PSFTP tool. Besides, no
configuration is required for future STelnet login. You can double-click the SSH session to
open the login page.
Figure 5-63 Importing the private key in the RSA key pair
e. Double-click PSFTP.exe, enter open ssh-rsa and press Enter (ssh-rsa is the name of
the saved PuTTY session), and then enter the SSH administrator account sshadmin_b
and press Enter. You can access the file directory on the NGFW, as shown in Figure
5-64.
----End
Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
aaa
#
manager-user sftpadmin_a
service-type ssh
level 3
ftp-directory hda1:
ssh authentication-type rsa
ssh assign rsa-key key_pc
ssh service-type sftp
access-limit 3
#
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound all
#
security-policy
rule name policy_sftp
source-zone trust
destination-zone local
service ssh
source-address 10.3.1.0 24
action permit
Networking Requirements
As shown in Figure 5-66, the IP address of the TFTP server is 10.111.16.160/24. Log in to the
NGFW through the PC and download test.cc from the TFTP server.
NOTICE
SFTP is recommended because of high security.
Figure 5-66 Networking diagram of downloading files from the TFTP server
Configuration Roadmap
The configuration roadmap is as follows:
1. Start the TFTP software on the TFTP server and set the location of the source file on the
server.
2. Use the tftp command to download the file to the NGFW.
Procedure
Step 1 Start the TFTP server. Specify the directory where test.cc resides as the base directory. Figure
5-67 shows the window.
NOTE
The display varies with the TFTP server software running on the PC.
Step 2 Log in to the device through the PC and run the following commands to download the file:
<NGFW> tftp 10.111.16.160 get test.cc hda1:/test.cc
Transfer file in binary mode.
Now begin to download file from remote tftp server, please wait for a while...
\
TFTP: 86235884 bytes received in 42734 second.
TFTP: 15805100 bytes received in 42734 second.
File downloaded successfully.
----End
Configuration Verification
Check whether the downloaded file is in the specified directory of the device.
<NGFW> dir hda1:
Directory of hda1:/
0 -rw- 86211956 Jun 08 2009 15:20:14 test.cc
1 -rw- 40 Jun 24 2009 09:30:40 private-data.txt
2 -rw- 396 May 19 2009 15:00:10 rsahostkey.dat
3 -rw- 540 May 19 2009 15:00:10 rsaserverkey.dat
4 -rw- 2718 Jun 21 2009 17:46:46 1.cfg
5 -rw- 14343 May 19 2009 15:00:10 paf.txt
6 -rw- 1004 Feb 05 2009 09:30:22 vrp1.zip
7 -rw- 6247 May 19 2009 15:00:10 license.txt
8 -rw- 14343 May 16 2009 14:13:42 paf.txt.bak
5.11 NTP
This section describes the basic concepts, mechanism, and configuration methods of Network
Time Protocol (NTP), and provides several examples for configuring NTP.
5.11.1 Overview
The NTP is used for clock synchronization between distributed time server and clients. The
system running NTP can initiate clock synchronization with other systems or accept the
synchronization requests from other systems.
NTP synchronizes the clocks of all devices on a network. Therefore, the clocks on all these
devices are the same, which enables a device to implement various operations based on the
uniform time.
The clock of any local system that runs NTP can be synchronized by other clock sources, and
the system can also function as a clock source to synchronize the clock of other systems. In
addition, two devices can exchange NTP packets for mutual synchronization.
NTP packets are encapsulated in UDP packets and use port 123 for transmission.
5.11.2 Mechanism
This section describes the mechanism of NTP.
NTP synchronizes time among a set of distributed time servers and clients. In this manner, the
time of the host is synchronized with a certain time standard. The device that provides the
standard time is a server, whereas the device being synchronized is a client. The clock of a local
system running NTP can be synchronized by other clock sources or act as a clock source to
synchronize other clocks. In addition, two devices can exchange NTP packets for mutual
synchronization. NTP packets are encapsulated in UDP packets and use port 123 for
transmission.
Implementation Process
As shown in Figure 5-68, NGFW_A and NGFW_B are connected through a Wide Area Network
(WAN). NGFW_A synchronizes its time from NGFW_B.
[Figure 5-68 content: Step 1: NGFW_A sends an NTP packet carrying its local send time T1 = 10:00:00 am. Step 2: NGFW_B receives it at its local time T2 = 11:00:01 am and replies at T3 = 11:00:02 am, with T1, T2 and T3 in the packet. Step 3: NGFW_A receives the reply at its local time T4 = 10:00:03. Step 4: NGFW_A computes the delay and offset.]
l A round trip delay of the NTP packet: Delay = (T4 - T1) - (T3 - T2).
l The clock offset of NGFW_A by taking NGFW_B as the reference: Offset = ((T2 - T1) +
(T3 - T4))/2.
NGFW_A sets its clock based on the delay and offset to synchronize its clock with NGFW_B.
NOTE
NTP uses the standard algorithm in RFC 1305 to ensure the precision of clock synchronization. The
preceding example is only a brief introduction to the operating mechanism of NTP.
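The four-timestamp computation above, as an added example that is not part of the original Huawei document: it builds a constructed NTP server reply carrying the Figure 5-68 timestamps, parses it using the standard RFC 1305/RFC 5905 48-byte header layout (an assumption; the NGFW's own implementation is not shown on the page), applies the checks a client makes before trusting a reply, and derives Delay and Offset with the formulas given in the text.

```python
"""Added example (not Huawei's code): NTP reply parsing and clock offset computation."""
import struct
from datetime import datetime, timezone

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
NTP_VERSION = 3                 # RFC 1305, the version cited in the text
MODE_CLIENT, MODE_SERVER = 3, 4
# LI/VN/Mode, stratum, poll, precision, root delay, root dispersion, reference id,
# reference / origin / receive / transmit timestamps (RFC 1305 header, assumed layout)
HEADER_FORMAT = "!BBbbII4sQQQQ"
HEADER_LEN = struct.calcsize(HEADER_FORMAT)   # 48 bytes


def to_ntp(unix_seconds: float) -> int:
    """Unix seconds -> 64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int(round((unix_seconds - whole) * 2 ** 32)) & 0xFFFFFFFF
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ts: int) -> float:
    """64-bit NTP timestamp -> Unix seconds (float)."""
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / 2 ** 32


def build_packet(mode: int, stratum: int, origin: int, receive: int, transmit: int) -> bytes:
    """Assemble a header; poll/precision/root fields are filler for this example."""
    li_vn_mode = (0 << 6) | (NTP_VERSION << 3) | mode   # leap indicator 0, version, mode
    return struct.pack(HEADER_FORMAT, li_vn_mode, stratum, 6, -20, 0, 0, b"GPS\x00",
                       0, origin, receive, transmit)


def parse_packet(data: bytes) -> dict:
    """Decode the fields a client needs; rejects truncated datagrams."""
    if len(data) < HEADER_LEN:
        raise ValueError("short NTP packet")
    f = struct.unpack(HEADER_FORMAT, data[:HEADER_LEN])
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 0x7, "mode": f[0] & 0x7,
            "stratum": f[1], "origin": f[8], "receive": f[9], "transmit": f[10]}


def delay_and_offset(t1: float, t2: float, t3: float, t4: float):
    """The two formulas from the text: round-trip delay and offset of A relative to B."""
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    return delay, offset


def client_sync(reply: bytes, t1_sent: int, t4_unix: float):
    """Validate a server reply the way a client should, then compute delay/offset."""
    hdr = parse_packet(reply)
    if hdr["mode"] != MODE_SERVER:
        raise ValueError(f"unexpected mode {hdr['mode']}")
    if not 1 <= hdr["stratum"] <= 15:          # 0 / 16+ : server itself is unsynchronized
        raise ValueError(f"server unsynchronized (stratum {hdr['stratum']})")
    if hdr["origin"] != t1_sent:               # reply must echo our own T1 (RFC 5905 check)
        raise ValueError("origin timestamp does not match the request we sent")
    t1, t2, t3 = (from_ntp(hdr[k]) for k in ("origin", "receive", "transmit"))
    return delay_and_offset(t1, t2, t3, t4_unix)


def figure_5_68_example():
    """Constructed NGFW_A / NGFW_B exchange with the clock readings from Figure 5-68."""
    def at(h, m, s):                            # same calendar day, UTC, chosen arbitrarily
        return datetime(2015, 7, 30, h, m, s, tzinfo=timezone.utc).timestamp()
    t1 = to_ntp(at(10, 0, 0))                   # NGFW_A sends (A's clock)
    reply = build_packet(MODE_SERVER, 2,        # NGFW_B is a stratum-2 secondary server
                         t1, to_ntp(at(11, 0, 1)), to_ntp(at(11, 0, 2)))
    return client_sync(reply, t1, at(10, 0, 3))  # NGFW_A receives (A's clock)


if __name__ == "__main__":
    delay, offset = figure_5_68_example()
    print(f"Delay = {delay:.3f} s, Offset = {offset:.3f} s")   # → Delay = 2.000 s, Offset = 3600.000 s
```

NGFW_A's clock is therefore one hour behind NGFW_B with 2 s of round-trip delay, which is the result Step 4 of the figure feeds into the clock adjustment.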
Network Architecture
As shown in Figure 5-69, the networking of NTP is composed of the primary time server,
secondary time servers, clients, and interconnections in between.
l The primary time server is directly synchronized with a primary reference source which is
usually a radio clock or Global Positioning System (GPS).
l A secondary time server synchronizes its clock with the clock of the primary time server
or another secondary time server on the network and transmits the time information to other
hosts on the network through NTP.
Under normal circumstances, primary and secondary time servers on the synchronization subnet
assume a hierarchical structure, with the primary server at the root and the secondary server at
successive stratums toward the leaf node. The higher the stratum level is, the less accurate the
clock.
Operating Mode
Server/Client mode:
l Client mode: The host operating in client mode (client) periodically sends NTP request
messages to the server regardless of the reachability and the stratum level of the server.
Usually, such a host is a workstation on a specified network. The host synchronizes its
clock with the clock on the server but does not change the clock of the server.
l Server mode: The host operating in server mode (server) receives NTP request messages
and responds to the client. Usually, such a host is a time server on a network and provides
synchronization information for the client but does not change its own clock.
During and after the restart, the client periodically sends NTP request messages to the server.
After receiving the NTP request message, the server encloses the destination IP address, source
IP address, source port, destination port and other necessary information in a message and sends
the message to the client. The server does not need to retain state information when the client
sends the request message. The client freely adjusts the interval for sending NTP request
messages based on the local conditions.
Peer mode:
In peer mode, the active peer and the passive peer synchronize with each other, and the lower-
level peer (higher stratum) synchronizes itself with the higher-level peer (lower stratum).
l Active peer: The host acting as the active peer periodically sends packets to the passive
peer regardless of the reachability and the stratum of the peer. The host can provide
synchronization information for the peer and also synchronize its clock with the peer.
l Passive peer: The host acting as the passive peer receives packets and responds to the peer.
The host provides synchronization information for the peer and also synchronizes its clock
with the peer.
l Conditions for becoming a passive peer: The host receives messages from a peer operating in
active mode, the route from the host to the peer is reachable, and the stratum of the peer is
higher than or equal to the stratum of the host.
NOTE
The host acting as a passive peer is at the lower stratum on the synchronization subnet. You do not need
to obtain information about the peer in advance because the connection between peers is not set up and
status variables are not configured unless the passive host receives NTP messages from the peer.
Broadcast mode:
l The host operating in broadcast mode periodically sends clock-synchronization packets to
the broadcast address 255.255.255.255 regardless of the reachability or the stratum of its
peer. The host in this mode is usually a time server using high-speed broadcast media on
the specified network. Such a host provides synchronization information for its peers but
does not alter the clock of its own.
l The client listens in on the broadcast packets from the server. After receiving the first
broadcast packet, to estimate the network delay, the client leaves the broadcast mode and
temporarily operates in client/server mode to exchange packets with the remote server.
Later, the client restores the broadcast mode and continues to listen to the broadcast packets
and re-synchronizes the local clock according to the received broadcast packets.
The broadcast mode is applied to the high speed network that has multiple workstations and
does not require high accuracy. In a typical scenario, one or more time servers on the network
periodically send broadcast packets to the workstations. The delay of packet transmission in a
LAN is at the milliseconds level.
Multicast mode:
l The host operating in multicast mode periodically sends clock-synchronization packets to
a multicast address. Usually, the host in this mode is a time server using high-speed
broadcast media on the network. The host provides synchronization information for all the
peers but does not alter the clock of its own.
l The client listens in on the multicast packets from the server. After receiving the first
multicast packet, to estimate the network delay, the client temporarily operates in client/
server mode to exchange packets with the remote server. Later, the client restores the
multicast mode and continues to listen to the multicast packets and re-synchronizes the
local clock according to the received multicast packets.
Security Mechanism
When a time server on the subnet is faulty or data is maliciously modified or destroyed,
timekeeping on other time servers on the subnet should not be affected. To meet this requirement,
NTP provides two security mechanisms: access permission control and NTP authentication to
secure the network.
The NGFW provides four levels of access permissions. NTP access request messages match the
access permissions from level 1 to level 4 after they reach the local host. The first matched access
permission level takes effect. The matching sequence is as follows:
l peer: indicates the minimum access permission. The remote end can request and query
time for the local NTP service. The local clock can also be synchronized with the clock of
the remote server.
l server: The remote end can request and query time for the local NTP service. The local
clock, however, cannot be synchronized with the clock of the remote server.
l synchronization: The remote end can only request time for the local NTP service.
l query: indicates the maximum access permission. The remote end can only query the time
for the local NTP service.
Authentication:
You can enable NTP authentication on networks for high security. You need to configure NTP
authentication separately on the client and the server.
l Configurations of NTP authentication on both the client and the server must be complete.
Otherwise, the authentication does not take effect. If you enable NTP authentication, you
must configure the key and declare the key as reliable.
l Keys configured on the server and the client must be the same.
Context
To configure a NGFW to provide the primary NTP clock, do as follows on the NGFW
functioning as the NTP server.
Procedure
Step 1 Access the system view.
system-view
ip-address is the IP address of the local reference clock. The value is 127.127.t.u. t ranges from
0 to 37. Currently, the value of t is set to 1 and cannot be changed, indicating the local reference
clock. u indicates the NTP process ID, ranging from 0 to 3. If you do not specify the IP address,
the local clock is used as the NTP primary clock.
----End
Example
Access the system view, run the ntp-service refclock-master 2 command, set the local clock
to be the NTP primary clock, and set the stratum of the clock to 2.
[NGFW] ntp-service refclock-master 2
Follow-up Procedure
You can run the display ntp-service status command to display the status of the NTP service
after the configuration.
<NGFW> display ntp-service status
clock status: synchronized
clock stratum: 2
reference clock ID: LOCAL(0)
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^13
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.00 ms
peer dispersion: 10.00 ms
reference time: 16:33:26.001 UTC Apr 19 2010(CF770456.0066A11E)
Procedure
l Configure the NTP client.
ip-address is the IP address of the NTP server. It must be the IP address of a specific
host but not a broadcast address, a multicast address, or the IP address of the reference
clock.
NOTE
l After you specify the unicast NTP server, the local NGFW functions as the client. Only
the configuration of the NTP primary clock is necessary on the server.
l Step 2 is optional. If source-interface is specified in both Step 2 and Step 3, use the source
interface specified in Step 3 preferentially.
l For the unicast mode, after configuring the NTP client, you need to configure a security
policy between the security zone where the source interface resides and Local zone to
permit NTP packets. For the broadcast and multicast modes, you do not need to configure
the security policy.
l Optional: Specify the source interface for the NTP server to send NTP packets.
2. Specify the local source interface for the sending of NTP packets.
ntp-service source-interface interface-type interface-number
In normal cases, you need to specify only the IP address of the NTP server on the
client. The client and the server can then exchange NTP packets using this IP address.
If you specify the source interface on the server, the server IP address specified on the
client must be the same as that of the source interface. Otherwise, the client cannot
process NTP packets from the server, and the clock synchronization fails.
----End
Procedure
l Configure the NTP active peer.
1. Access the system view.
system-view
2. Optional: Specify the local source interface for the sending of NTP packets.
ntp-service source-interface interface-type interface-number [ vpn-
instance vpn-instance-name ]
Step 2 is optional. If source-interface is specified in both Step 2 and Step 3, use the
source interface specified in Step 3 preferentially.
ip-address is the IP address of the NTP peer. The value must be an IP address of a
specific host but not a broadcast address, multicast address, or the IP address of the
reference clock.
NOTE
l In NTP peer mode, you must enable NTP on the passive peer using a command described
in Configuring Basic NTP Functions. Otherwise, the passive peer is unable to process
NTP packets from the active peer.
l The active peer, or passive peer, or both must be in synchronized state. Otherwise, none of
them can be synchronized.
l To configure multiple passive peers, repeat the ntp-service unicast-peer command.
l Optional: Configure the source interface of the NTP passive peer.
1. Access the system view.
system-view
2. Specify the local source interface for the sending of NTP packets.
ntp-service source-interface interface-type interface-number [ vpn-
instance vpn-instance-name ]
In normal cases, you need to specify only the IP address of the NTP passive peer on
the active peer. The active and passive peers can then exchange NTP packets using
this IP address.
If you specify the source interface to send NTP packets on the passive peer, the IP
address of the NTP peer configured on the active peer must be the same as the IP
address of this source interface. Otherwise, the active peer cannot process NTP packets
from the passive peer.
----End
Procedure
l Configure the NTP broadcast server.
Perform the following steps on the NGFW that functions as an NTP broadcast server:
After the configuration, the local NGFW periodically sends clock synchronization
packets to broadcast address 255.255.255.255.
NOTE
The configured broadcast server takes effect only on the same LAN.
l Configure an NTP broadcast client.
Perform the following steps on the NGFW that functions as an NTP broadcast client:
After the configuration is complete, the local NGFW listens to the broadcast NTP
packets from the server and synchronizes the local clock.
----End
Procedure
l Configure the NTP multicast server.
Perform the following steps on the NGFW that functions as an NTP multicast server:
After the configuration, the local NGFW periodically sends clock synchronization
packets to multicast address 224.0.1.1.
l Configure an NTP multicast client.
Perform the following steps on the NGFW that functions as an NTP multicast client:
After the configuration, the local NGFW listens in on the multicast NTP packets from
the server and synchronizes the local clock.
Running the ntp-service max-dynamic-sessions command does not affect the created
NTP sessions. When the number of sessions reaches or exceeds the maximum
allowed number, new sessions cannot be created.
----End
Procedure
Step 1 Access the system view.
system-view
----End
Procedure
Step 1 Access the system view.
system-view
Step 2 Configure the permission for the access to NTP services on the local NGFW.
ntp-service access { peer | query | server | synchronization } acl-number
You can configure the ntp-service access command on a device based on the actual situation.
Mode                  Purpose                                    Configuration
NTP multicast mode    Synchronizing the client with the server   NTP multicast client
NTP broadcast mode    Synchronizing the client with the server   NTP broadcast client
----End
Context
To enable NTP authentication, you must configure the same authentication key on both the client
and server and announce the key to be reliable.
Procedure
Step 1 Access the system view.
system-view
----End
Context
Perform the following steps on the NGFW that functions as an NTP unicast client.
Procedure
Step 1 Access the system view.
system-view
Step 2 Specify the ID of the authentication key used for synchronizing the clock with the specified NTP
server.
ntp-service unicast-server ip-address authentication-keyid key-id [ version number
| source-interface interface-type interface-number | vpn-instance vpn-instance-
name | preference ] *
----End
Context
Perform the following steps on the device that functions as the active peer.
Procedure
Step 1 Access the system view.
system-view
Step 2 Specify the ID of the authentication key used for synchronizing the clock with the specified NTP
peer.
ntp-service unicast-peer ip-address [ version number | authentication-keyid key-id
| source-interface interface-type interface-number | vpn-instance vpn-instance-
name | preference ] *
----End
Procedure
Step 1 Access the system view.
system-view
Step 3 Specify the ID of the authentication key used by the NTP broadcast server.
ntp-service broadcast-server authentication-keyid key-id [ version number ]
The configuration of the client is the same as that without NTP authentication. For details, see
5.11.3.4 Configuring the NTP Broadcast Mode.
----End
Procedure
Step 1 Access the system view.
system-view
Step 2 Specify the interface for the sending of multicast NTP packets.
interface interface-type interface-number
Step 3 Specify the ID of the authentication key used by the NTP multicast server.
ntp-service multicast-server [ ip-address ] authentication-keyid key-id [ ttl ttl-
number | version number ] *
The configuration of the client is the same as that without NTP authentication. For details, see
5.11.3.5 Configuring the NTP Multicast Mode.
----End
Context
During routine maintenance, you can run the following commands in any view to check NTP
configurations.
Table 5-35 lists the commands for checking NTP configurations.
Context
Before the debugging, you must run the terminal monitor and terminal debugging commands
in the user view to enable the display of logs, trap messages and debugging messages on the
terminal, so that debugging messages can be displayed on the terminal.
NOTICE
Enabling the debugging function affects system performance. Therefore, after the debugging,
you should run the undo debugging all command to disable the debugging immediately.
Networking Requirements
As shown in Figure 5-70,
l NGFW_A functions as a unicast NTP server. The clock on NGFW_A is used as the primary
NTP clock, and the stratum is 2.
l NGFW_B functions as a unicast NTP client. The clock on NGFW_B needs to be
synchronized with the clock on NGFW_A.
l NGFW_C and NGFW_D function as NTP clients. They use NGFW_B as their NTP server.
l NTP authentication is enabled.
Item                    Data
Authentication key ID   42
Password                Hello@123
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Set IP addresses.
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.
Step 3 Configure a primary NTP clock on NGFW_A and enable NTP authentication.
# On NGFW_A, set the local clock as the primary NTP clock and set the stratum to 2.
<NGFW_A> system-view
[NGFW_A] ntp-service refclock-master 2
# Enable NTP authentication, configure the authentication key, and announce the key to be
reliable.
[NGFW_A] ntp-service authentication enable
[NGFW_A] ntp-service authentication-keyid 42 authentication-mode hmac-sha256 Hello@123
[NGFW_A] ntp-service reliable authentication-keyid 42
NOTICE
Note that the authentication keys configured on the server and the client should be the same.
Step 4 Specify the NTP server on NGFW_B and enable NTP authentication.
# On NGFW_B, enable NTP authentication, configure the authentication key, and announce the
key to be reliable.
<NGFW_B> system-view
[NGFW_B] ntp-service authentication enable
[NGFW_B] ntp-service authentication-keyid 42 authentication-mode hmac-sha256 Hello@123
[NGFW_B] ntp-service reliable authentication-keyid 42
# Specify NGFW_A as the NTP server of NGFW_B and use the authentication key.
[NGFW_B] ntp-service unicast-server 2.2.2.2 authentication-keyid 42
----End
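The authentication rules above (key configured on both sides, declared reliable, identical on server and client) modelled as an added example, not NGFW code, using the page's sample key ID 42 and password Hello@123. The MAC layout follows the RFC 5905 pattern of a 4-byte key ID followed by the digest; treating the digest as HMAC-SHA256 over the 48-byte header is an assumption, since the NGFW's exact on-the-wire format is not given here.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48                          # fixed NTPv4 header
KEY_ID_LEN = 4                               # RFC 5905 MAC starts with a 32-bit key ID
DIGEST_LEN = hashlib.sha256().digest_size    # 32 bytes for SHA-256


def build_ntp_header(stratum, mode=3, version=4):
    """Minimal 48-byte NTPv4 header (LI=0, poll=6, precision=-20). The
    timestamps are left zero: only the authentication path is modelled."""
    first_byte = (version << 3) | mode
    return struct.pack("!BBbb", first_byte, stratum, 6, -20) + b"\x00" * 44


def mac_digest(key, header):
    """Assumed digest construction: HMAC-SHA256 over the 48-byte header."""
    return hmac.new(key, header, hashlib.sha256).digest()


def sign(header, key_id, key):
    """Client side: append key ID + digest, as selected on the client by
    ntp-service unicast-server <ip> authentication-keyid <key-id>."""
    return header + struct.pack("!I", key_id) + mac_digest(key, header)


class NtpAuthenticator:
    """Server-side model of the three commands on the page:
    ntp-service authentication enable, ntp-service authentication-keyid
    and ntp-service reliable authentication-keyid."""

    def __init__(self, enabled=True):
        self.enabled = enabled
        self.configured = {}      # key ID -> key bytes
        self.reliable = set()     # key IDs declared reliable (trusted)

    def add_key(self, key_id, password, reliable=False):
        self.configured[key_id] = password.encode()
        if reliable:
            self.reliable.add(key_id)

    def verify(self, packet):
        if not self.enabled:
            return "accepted (authentication disabled)"
        if len(packet) != NTP_HEADER_LEN + KEY_ID_LEN + DIGEST_LEN:
            return "rejected: missing or malformed MAC"
        header = packet[:NTP_HEADER_LEN]
        key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + KEY_ID_LEN])[0]
        received = packet[NTP_HEADER_LEN + KEY_ID_LEN:]
        key = self.configured.get(key_id)
        if key is None:
            return "rejected: unknown key ID"
        if key_id not in self.reliable:
            return "rejected: key not declared reliable"
        # constant-time comparison so verification time does not leak digest bytes
        if not hmac.compare_digest(received, mac_digest(key, header)):
            return "rejected: MAC mismatch (keys differ)"
        return "accepted"


def run_cases():
    """Replay the page's NGFW_A/NGFW_B setup plus the misconfigurations the
    notes warn about. Returns {case: verdict}."""
    request = build_ntp_header(stratum=16)   # constructed unsynchronized client request

    server = NtpAuthenticator()
    server.add_key(42, "Hello@123", reliable=True)    # NGFW_A as configured on the page

    not_reliable = NtpAuthenticator()
    not_reliable.add_key(42, "Hello@123")             # reliable declaration omitted

    return {
        "matching keys": server.verify(sign(request, 42, b"Hello@123")),
        "different password on client": server.verify(sign(request, 42, b"Hello@124")),
        "key not declared reliable": not_reliable.verify(sign(request, 42, b"Hello@123")),
        "unknown key ID": server.verify(sign(request, 16, b"Hello@123")),
        "no MAC": server.verify(request),
    }


if __name__ == "__main__":
    for case, verdict in run_cases().items():
        print(f"{case:32} -> {verdict}")
```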
Result
l After the configuration is complete, the clock on NGFW_B can be synchronized with the
clock on NGFW_A.
Display the NTP status on NGFW_B and find that the clock status is synchronized. The
stratum of the clock is 3, one stratum lower than that on NGFW_A.
[NGFW_B] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 2.2.2.2
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^13
clock offset: 3.8128 ms
root delay: 31.26 ms
root dispersion: 74.20 ms
peer dispersion: 34.30 ms
reference time: 11:55:56.833 UTC Mar 2 2009(C7B15BCC.D5604189)
l After the configuration, the clock on NGFW_C can be synchronized with the clock on
NGFW_B.
Display the NTP status on NGFW_C and find that the clock status is synchronized. The
stratum of the clock is 4, one stratum lower than that on NGFW_B.
[NGFW_C] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.0.0.1
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^13
clock offset: 3.8128 ms
root delay: 31.26 ms
root dispersion: 74.20 ms
peer dispersion: 34.30 ms
reference time: 11:55:56.833 UTC Mar 2 2009(C7B15BCC.D5604189)
l Display the NTP status on NGFW_D and find that the clock status is synchronized. The
stratum of the clock is 4, one stratum lower than that on NGFW_B.
[NGFW_D] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.0.0.1
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^13
clock offset: 3.8128 ms
root delay: 31.26 ms
root dispersion: 74.20 ms
peer dispersion: 34.30 ms
reference time: 11:55:56.833 UTC Mar 2 2009(C7B15BCC.D5604189)
Networking Requirements
As shown in Figure 5-71, three NGFWs locate on a LAN.
l The clock on NGFW_A is the primary NTP clock, and the stratum is 2.
l NGFW_B takes NGFW_A as its NTP server. That is, NGFW_B functions as the client.
l NGFW_C takes NGFW_B as its passive peer. That is, NGFW_C acts the active peer.
[Figure 5-71: NGFW_A (GE1/0/1, 10.0.1.1/24), NGFW_B (GE1/0/1, 10.0.1.2/24) and NGFW_C (GE1/0/1, 10.0.1.3/24) on one LAN]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the clock on NGFW_A as the NTP primary clock and enable NGFW_B to send
clock synchronization requests to NGFW_A.
2. Configure NGFW_C and NGFW_B as NTP peers and enable NGFW_C to send clock
synchronization requests to NGFW_B.
3. Synchronize the clocks on NGFW_A, NGFW_B, and NGFW_C.
Procedure
Step 1 Set the IP addresses.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.0.1.1 24
[NGFW_A-GigabitEthernet1/0/1] quit
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.
Step 3 Configure IP addresses for NGFW_A, NGFW_B, and NGFW_C and ensure connectivity
between them at the network layer.
Configure an IP address for each interface according to Figure 5-71. After the configuration is
complete, the three NGFWs can ping each other.
# Configure the clock on NGFW_A as the reference clock, and the stratum is 2.
<NGFW_A> system-view
[NGFW_A] ntp-service refclock-master 2
After the configuration, the clock on NGFW_B can be synchronized with the clock on
NGFW_A.
Display the NTP status on NGFW_B and find that the clock status is synchronized. The stratum
of the clock on NGFW_B is 3, one stratum lower than that on NGFW_A.
[NGFW_B] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.0.1.1
nominal frequency: 64.0029 Hz
actual frequency: 64.0029 Hz
clock precision: 2^13
clock offset: 0.0000 ms
root delay: 62.50 ms
root dispersion: 0.20 ms
peer dispersion: 7.81 ms
reference time: 06:52:33.465 UTC Mar 7 2009(C7B7AC31.773E89A8)
<NGFW_C> system-view
[NGFW_C] ntp-service unicast-peer 10.0.1.2
No primary clock is configured on NGFW_C, and the stratum of the clock is lower than that on
NGFW_B. Therefore, the clock on NGFW_C is synchronized with the clock on NGFW_B.
----End
Result
Display the status of NGFW_C after clock synchronization. You can find that the status is
synchronized. That is, clock synchronization is complete. You can also find that the stratum of
the clock on NGFW_C is 4, one stratum lower than that on NGFW_B.
[NGFW_C] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.0.1.2
nominal frequency: 64.0029 Hz
actual frequency: 64.0029 Hz
clock precision: 2^13
clock offset: 0.0000 ms
root delay: 124.98 ms
root dispersion: 0.15 ms
peer dispersion: 10.96 ms
reference time: 06:55:50.784 UTC Mar 7 2009(C7B7ACF6.C8D002E2)
Networking Requirements
As shown in Figure 5-72,
l NGFW_C and NGFW_D reside on the same network segment. NGFW_A resides on
another network segment. NGFW_B connects the two network segments.
l NGFW_C functions as the NTP broadcast server, and the local clock is the NTP primary
clock at the stratum 3. NGFW_C sends broadcast packets from GigabitEthernet 1/0/2.
l NGFW_D and NGFW_A each receive the broadcast packets on their GigabitEthernet 1/0/2.
l Enable NTP authentication.
After the configuration, the clock on NGFW_D can synchronize with the clock on NGFW_C
because they reside on the same network segment. NGFW_A, however, fails to synchronize its
clock because NGFW_A and NGFW_C are on different network segments, and NGFW_A cannot
receive the broadcast packets from NGFW_C.
[Figure 5-72: NGFW_A (GE1/0/2, 10.0.1.1/24) and NGFW_B (GE1/0/2, 10.0.1.2/24) on one network segment; NGFW_B (GE1/0/1, 10.1.1.1/24), NGFW_C (GE1/0/2) and NGFW_D (GE1/0/2, 10.1.1.3/24) on the other]
Item                    Data
Authentication key ID   16
Password                Hello@123
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure NGFW_C as the NTP broadcast server.
2. Configure NGFW_A and NGFW_D as the NTP broadcast clients.
3. Configure NTP authentication on NGFW_A, NGFW_C, and NGFW_D.
Procedure
Step 1 Set the IP addresses.
# Set the IP address for the NGFW_A.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.0.1.1 24
[NGFW_A-GigabitEthernet1/0/2] quit
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.
Step 4 Configure an NTP broadcast server and enable NTP authentication on it.
# Set the local clock of NGFW_C as a primary NTP clock with stratum as 3.
<NGFW_C> system-view
[NGFW_C] ntp-service refclock-master 3
# Configure NGFW_C as an NTP broadcast server that authenticates its broadcast packets with
authentication key ID 16 and sends them from GigabitEthernet 1/0/2.
[NGFW_C] interface GigabitEthernet 1/0/2
[NGFW_C-GigabitEthernet1/0/2] ntp-service broadcast-server authentication-keyid 16
[NGFW_C-GigabitEthernet1/0/2] quit
# Configure NGFW_D as an NTP broadcast client that receives the broadcast packets from
GigabitEthernet 1/0/2.
[NGFW_D] interface GigabitEthernet 1/0/2
[NGFW_D-GigabitEthernet1/0/2] ntp-service broadcast-client
[NGFW_D-GigabitEthernet1/0/2] quit
After the configuration, the clock on NGFW_D is synchronized with the clock on NGFW_C.
Hello@123
[NGFW_A] ntp-service reliable authentication-keyid 16
# Configure NGFW_A as an NTP broadcast client that receives the NTP broadcast packets from
GigabitEthernet 1/0/2.
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ntp-service broadcast-client
[NGFW_A-GigabitEthernet1/0/2] quit
----End
Result
Display the NTP status on NGFW_D. You can find that the clock status is synchronized. That
is, the clock synchronization is complete. The stratum of the clock on NGFW_D is 4, one stratum
lower than that of NGFW_C.
[NGFW_D] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.1.1.2
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^13
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.42 ms
peer dispersion: 0.00 ms
reference time: 12:17:21.773 UTC Mar 7 2009(C7B7F851.C5EAF25B)
Networking Requirements
As shown in Figure 5-73,
l NGFW_C and NGFW_D reside on the same network segment. NGFW_A resides on
another network segment. NGFW_B connects the two network segments.
l NGFW_C functions as an NTP multicast server, and its clock is a primary NTP clock at
stratum 2. NGFW_C sends multicast packets from GigabitEthernet 1/0/2.
l NGFW_D and NGFW_A each receive the multicast packets on their GigabitEthernet 1/0/2.
[Figure 5-73: NGFW_A (GE1/0/2, 10.0.1.1/24) and NGFW_B (GE1/0/2, 10.0.1.2/24) on one network segment; NGFW_B (GE1/0/1, 10.1.1.1/24), NGFW_C (GE1/0/2) and NGFW_D (GE1/0/2, 10.1.1.3/24) on the other]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Set the IP addresses.
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.
Step 3 Configure NGFW_C as the NTP multicast server.
# Set the local clock on NGFW_C as the primary NTP clock at stratum 2.
<NGFW_C> system-view
[NGFW_C] ntp-service refclock-master 2
# Configure NGFW_C as the NTP multicast server that sends NTP multicast packets from
GigabitEthernet 1/0/2.
[NGFW_C] interface GigabitEthernet 1/0/2
[NGFW_C-GigabitEthernet1/0/2] ntp-service multicast-server
----End
Result
After the configuration, the clock on NGFW_D is synchronized with the clock on NGFW_C.
The clock on NGFW_A, however, fails to be synchronized because NGFW_A and NGFW_C
reside on different network segments. Therefore, NGFW_A cannot receive the multicast packets
from NGFW_C.
Display the NTP status on NGFW_D. You can find that the clock status is synchronized. That
is, the clock synchronization is complete. The stratum of the clock on NGFW_D is 3, one stratum
lower than that on NGFW_C.
[NGFW_D] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.1.2
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^13
clock offset: 0.66 ms
root delay: 24.47 ms
root dispersion: 208.39 ms
peer dispersion: 9.63 ms
reference time: 17:03:32.022 UTC Apr 25 2009(C61734FD.800303C0)
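The synchronization rules behind the four examples above (a synchronized host sits one stratum below its source, the passive-peer premise from the peer-mode description, two unsynchronized peers cannot synchronize each other, and broadcast reaches only the server's own segment) as an added model, not NGFW code. Device names and segments are those of Figures 5-71 and 5-72; stratum 16 for "unsynchronized" is the usual NTP convention and is an assumption here, not a value from the page.

```python
UNSYNCHRONIZED = 16   # conventional "no source" stratum (assumption, not from the page)


class Node:
    def __init__(self, name, segment, master_stratum=None):
        self.name = name
        self.segment = segment                # e.g. "10.0.1.0/24"; models LAN reach
        if master_stratum is None:
            self.stratum, self.synchronized, self.reference = UNSYNCHRONIZED, False, None
        else:                                 # ntp-service refclock-master <stratum>
            self.stratum, self.synchronized, self.reference = master_stratum, True, "LOCAL(0)"

    def better_source(self, other):
        """A host takes time only from a synchronized source at a lower stratum."""
        return other.synchronized and other.stratum < self.stratum

    def synchronize_to(self, source):
        self.stratum = source.stratum + 1     # "one stratum lower than that on ..."
        self.synchronized = True
        self.reference = source.name


def client_server(client, server):
    """ntp-service unicast-server on the client: one-way synchronization."""
    if client.better_source(server):
        client.synchronize_to(server)
        return True
    return False


def symmetric_peers(active, passive):
    """ntp-service unicast-peer on the active side. The passive peer responds
    only if the active peer's stratum is higher than or equal to its own; the
    active peer then moves only if the passive peer is the better clock."""
    if active.stratum < passive.stratum:
        return "passive peer does not respond"
    if active.better_source(passive):
        active.synchronize_to(passive)
        return "active peer synchronized"
    return "neither peer synchronized"


def broadcast(server, listeners):
    """ntp-service broadcast-server / broadcast-client: only clients on the
    server's segment receive the packets. Returns the names that synchronized."""
    synced = []
    for client in listeners:
        if client.segment == server.segment and client.better_source(server):
            client.synchronize_to(server)
            synced.append(client.name)
    return synced


def figure_5_71():
    a = Node("NGFW_A", "10.0.1.0/24", master_stratum=2)
    b = Node("NGFW_B", "10.0.1.0/24")
    c = Node("NGFW_C", "10.0.1.0/24")
    client_server(b, a)                       # NGFW_B takes NGFW_A as server
    symmetric_peers(active=c, passive=b)      # NGFW_C takes NGFW_B as passive peer
    return {n.name: (n.stratum, n.reference) for n in (a, b, c)}
# → {'NGFW_A': (2, 'LOCAL(0)'), 'NGFW_B': (3, 'NGFW_A'), 'NGFW_C': (4, 'NGFW_B')}


def figure_5_72():
    c = Node("NGFW_C", "10.1.1.0/24", master_stratum=3)
    d = Node("NGFW_D", "10.1.1.0/24")
    a = Node("NGFW_A", "10.0.1.0/24")         # other segment, behind NGFW_B
    reached = broadcast(c, [d, a])
    return reached, d.stratum, a.synchronized
# → (['NGFW_D'], 4, False)


def two_unsynchronized_peers():
    x = Node("X", "seg")
    y = Node("Y", "seg")
    return symmetric_peers(x, y), x.synchronized, y.synchronized
# → ('neither peer synchronized', False, False)


if __name__ == "__main__":
    print(figure_5_71())
    print(figure_5_72())
    print(two_unsynchronized_peers())
```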
5.12.1 Overview
The update center can update the signature databases. Updating the signature databases enhances
the NGFW's capability in identifying intrusions, viruses, applications, and locations of IP
addresses and increases the identification ratio.
To enable the NGFW to identify new applications and defend against new attacks and viruses,
you must update the signature databases on the NGFW.
Updating the IPS signature database and antivirus signature database requires licenses. Ensure that the
licenses for updating the two signature databases are available and activated.
The region identification signature database supports only local update.
The signature database supports Scheduled Update, Immediate Update, and Local Update.
Select one as required.
Scheduled Update
Scheduled update means that the device automatically downloads and updates the signature
database from a specified update server at a specified interval. In different deployment
environments, the scheduled update can be implemented through a directly connected update
server or a proxy server.
l Update through a directly connected update server
The update server refers to the security center or other update server.
When the NGFW directly communicates with the update server over the Internet, it updates
the signature database through the update server. The default domain name of the security
center is sec.huawei.com.
As shown in Figure 5-74, the NGFW sends a version update request to the security center.
After passing update permission authentication, the NGFW downloads the latest signature
database from the security center.
If the proxy server runs the Windows operating system, CCProxy is recommended. If the proxy server
runs the Linux operating system, Squid is recommended. Ensure that the proxy server enables the
HTTP port and four access methods, namely, PUT, GET, CONNECT, and POST.
Immediate Update
You can enable immediate update when new attacks, viruses, or applications are detected on the
network but the signature database cannot be updated immediately through scheduled update.
The download address and process for an immediate update are the same as those for a
scheduled update. The two update modes differ in that an immediate update can be performed at
any time, whereas a scheduled update runs only at the specified time.
Local Update
l IPS, antivirus, and application signature databases
If the NGFW is deployed remotely from the Internet and the intranet does not have an
update server, you can enable the local update.
As shown in Figure 5-76, the administrator logs in to the security center to download the
update file and save the file to the local PC. The administrator then logs in to the NGFW
and uploads the file to the NGFW through FTP, SFTP, TFTP, or Web to update the signature
database locally.
NOTE
If you use FTP, SFTP, or TFTP to upload the update file, the file is uploaded to the specified directory
on the NGFW. If you use the Web, the update file is uploaded to the root directory of the CF card
(USG6000 series)/eUSB (NGFW Module) on the NGFW.
l Region identification signature database
The region identification signature database supports only local update. The database is
released irregularly. You can obtain an update file using either of the following methods:
– Log in to the technical support website and download the signature database from the
Software area.
– Download the update file from https://sec.huawei.com.
Prerequisites
l A license is available for updating the signature database, and the license is activated on
the NGFW.
l The NGFW can access the security center directly or through the proxy server.
l HTTP and FTP are required for communication and downloading signature databases.
Therefore, security policies have been configured to permit HTTP and FTP traffic.
Procedure
Step 1 Choose System > Update Center.
Parameter              Description
Server IP Address      Enter the IP address of the server that the NGFW accesses for the scheduled update. This address can be an IP address or a domain name. By default, update through the security center (domain name: sec.huawei.com) is used.
                       Note:
                       l You must configure the DNS to resolve the domain name of the security center. For details, see 8.3 DNS.
                       l To update through the other update server or the proxy server, set the IP address of the server to that of the other update server or the proxy server.
Port                   Indicates the port of the server. The default port is 80.
Scheduled Update Time  Enter a time for the scheduled update. Select the update interval from the drop-down list, daily or a specified day in every week. Then enter a specific hour and minute in the text box to the right of the drop-down list.
Proxy server address   If the device cannot directly access the security center platform, you can use a proxy server to connect to the security center platform for upgrading. The proxy server address can be an IP address or domain name.
                       Note: If the proxy server domain name is used, you must configure DNS to resolve the domain name. For details, see 8.3 DNS.
User name              Indicates the user name and password for logging in to the proxy server.
Password
Step 5 Select Enable Scheduled Update for the signature database on which the scheduled update is
enabled.
Step 6 After the update succeeds, you can see that Status is The loading succeeded. and Current
Version is the target version.
NOTE
After the scheduled update is enabled, if the network rate is too low and impacts the services and
performance of NGFW, you can abort the update.
----End
Prerequisites
l A license is available for updating the signature database, and the license is activated on
the NGFW.
l The NGFW can access the update server directly or through the proxy server.
l HTTP and FTP are required for communication and downloading signature databases.
Therefore, security policies have been configured to permit HTTP and FTP traffic.
Immediate Update
Step 4 After the update succeeds, you can see that Status is The loading succeeded. and Current
Version is the target version.
NOTE
After the immediate update is enabled, if the network rate is too low and impacts the services and
performance of NGFW, you can abort the update.
----End
Prerequisites
You have obtained update files from the security center (sec.huawei.com), as shown in Figure
5-77.
Procedure
Step 1 Choose System > Update Center.
Step 2 Click Update Locally for the signature database to be updated.
Step 3 Click Browse... to select an update file.
NOTE
The IPS, antivirus, and application signature databases and region identification signature database update files
support the .zip format. When you select a file package, upload the .zip file that you have downloaded from the
website.
----End
NOTICE
The version can be rolled back only once, to the previous version. Rolling back repeatedly only
switches between the current version and the previous version.
Version Rollback
Step 2 Click Roll Back for the signature database to be rolled back.
Step 4 After the version rollback succeeds, you can see that Status is The version rollback
succeeded. and Current Version is the source version.
----End
After the signature database is successfully updated, The loading succeeded is displayed in
Status, and the latest version number is displayed in Current Version. If the signature database
update fails, Status displays the specific update status information, as shown in Table 5-37.
Table 5-37 Signature database update status information and causes
No. 1
Status: The update service is not activated. Please purchase this service.
Cause: 1. The license file is not loaded. 2. The corresponding license control item is disabled in the license.
No. 2
Status: The update service has expired. Please renew this service.
Cause: 1. The end time of the license control item of the update service is earlier than the current system time. 2. The end time of the license control item of the update service is earlier than the release time of the signature database.
No. 7
Status: An error occurred during online update initialization.
Cause: An error occurred when the online update parameters were initialized during device startup.
No. 9
Status: The current version is the latest.
Cause: The signature database version on the current device is up to date.
No. 10
Status: No available update file was found. Please contact customer service personnel.
Cause: 1. The current device model and version are not registered on the update server. 2. An error occurred when the signature database on the update server was released; as a result, the incremental update package was released but the full update package was not. 3. The current signature database version on the device is higher than the version released on the update server.
No. 11
Status: The target version is running.
Cause: The target version used in local update is already running on the device.
No. 12
Status: The remaining space of the CF card is insufficient.
Cause: The remaining CF card space (250 MB) is smaller than the lower limit for update.
No. 13
Status: Failed to verify the signature database file. Please re-download the file.
Cause: The MD5 value of the signature database file downloaded from the download server differs from the value returned by the update server. This usually occurs on networks with packet loss.
No. 14
Status: Failed to parse the signature database. Please change the signature database file.
Cause: The signature database file format is correct but does not match the internal format defined by the modules. This usually occurs when the signature database version is incompatible with the engine version.
No. 16
Status: Signature database file error. Please re-download the file.
Cause: 1. The signature database file format is incorrect. 2. The signature database file for another module is used, for example, the SA signature database file is used during an IPS update. 3. The signature database file used in local update does not match the current system software version.
No. 17
Status: Busy engine. Please try again later.
Cause: 1. The signature database compilation takes longer than 30 minutes. 2. The update message could not be sent to the engine process.
No. 18
Status: Engine compilation failed. Please re-download the signature database file.
Cause: 1. The state machine for compilation could not be called. This usually occurs when the signature database contains non-standard regular expressions. 2. The peak memory during compilation is too high, and memory space cannot be obtained.
No. 20
Status: The engine is not working properly. Please try again later.
Cause: The engine status is abnormal during the update.
No. 21
Status: System memory resources are insufficient. Please try again later.
Cause: During the update, the system memory is lower than the lower limit for update.
No. 24
Status: The engine is not ready. Please try again later.
Cause: The engine has not completely started when the update command is run.
No. 26
Status: Failed to access the update directory. Please contact customer service personnel.
Cause: The update directory under the root directory of the CF card cannot be accessed.
No. 27
Status: Failed to authenticate the proxy server. Please check the update proxy configuration.
Cause: 1. The IP address of the update proxy server is incorrect. 2. The user name and password of the update proxy server are incorrectly configured.
NOTE
The MD5 comparison behind status 13 detects a package that was corrupted in transit; it does not by itself
establish that the package came from the security center. For local updates, obtain packages only from
the security center (sec.huawei.com) and transfer them to the NGFW with SFTP rather than FTP or TFTP.
Context
If you enable the installation confirmation function, the new signature database version is
downloaded but not installed in the scheduled update and immediate update. When you want to
install the new version, you need to run the update confirm command.
By default, the installation confirmation function is disabled. The new signature database version
is installed directly after the download.
Procedure
l Manual installation
Confirm the downloaded new signature database version and run the specified command to
install it.
1. Access the system view.
system-view
2. Enable the installation confirmation function for installing the signature database
version.
update confirm { av-sdb | ips-sdb | sa-sdb } enable
If a new signature database version exists on the NGFW and requires installing, go to
Step 3.
3. Install the new signature database version.
update apply
l Automatic installation
Enable the system to install the new version automatically after the download is complete.
1. Access the system view.
system-view
2. Disable the installation confirmation function for installing the signature database
version.
undo update confirm { av-sdb | ips-sdb | sa-sdb } enable
----End
Follow-up Procedure
Run the display update configuration command to view the installation mode of a new
signature database version.
<NGFW> display update configuration
Update Configuration Information:
------------------------------------------------------------
Internal Update Mode : Disable
Internal Update Server : -
Internal Update Port : 80
IPS-SDB:
NOTE
Ensure that a license for updating the signature database is available and the license is activated on the
NGFW.
NOTE
The specified source interface cannot be one bound to a virtual system. Otherwise, the update fails.
update schedule [ { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time ]
NOTE
If the scheduled update affects the service performance of the NGFW, you can run the update abort
command to terminate the update. When the network connection is good, you can run the update online
{ av-sdb | ips-sdb | sa-sdb } command to download the latest signature database.
Step 6 Optional: Install the new signature database after the download is complete.
NOTE
If the new signature database is installed automatically after the download, you do not need to run this
command. To change the installation mode of the new signature database, see 5.12.3.1 Installation
Mode.
----End
Prerequisites:
l A license for updating the signature database is available, and the license has been activated
on the NGFW.
l The NGFW can communicate with the proxy server; the proxy server can communicate
with the security center.
l You have obtained the user name and password for logging in to the proxy server.
To update from the intranet update server, you need a license. The license verifies whether you
have the permission to update certain modules.
Step 1 Set the domain name (or IP address), user name, and password of the proxy server.
NOTE
If a domain name is configured for the proxy server, a DNS server must be configured to resolve the domain name.
For the procedure, see Step 2.
dns resolve
Step 3 Optional: Set the source interface which sends the upgrade request packets.
By default, the online update query request packet is sent by the WAN interface to the Internet
server. You can run update host source to specify a LAN interface to send such packets. After
the interface is specified, the IP address of this interface is the source IP address of the request
packet.
NOTE
The specified source interface cannot be one bound to a virtual system. Otherwise, the update fails.
update schedule [ { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time ]
Step 6 Install the new signature database after the download is complete.
NOTE
If the new signature database is installed automatically after the download, you do not need to run this
command. To change the installation mode of the new signature database, see 5.12.3.1 Installation
Mode.
----End
Background
The immediate update uses the same update server or proxy server as that for the scheduled
update. The download process is also the same as that for the scheduled update. The two update
modes differ in that immediate update can be performed at any time whereas scheduled update
must be implemented at the specified time.
NOTE
Ensure that a license for updating the signature database is available and the license is activated on the
NGFW.
Step 1 Optional: Configure the security center or intranet update server. For details, see 5.12.3.2
Scheduled Update.
If you have configured the security center or intranet update server in 5.12.3.2 Scheduled
Update, skip this step.
Step 2 Optional: Set the source interface which sends the upgrade request packets.
By default, the online update query request packet is sent by the WAN interface to the Internet
server. You can run update host source to specify a LAN interface to send such packets. After
the interface is specified, the IP address of this interface is the source IP address of the request
packet.
NOTE
The specified source interface cannot be one bound to a virtual system. Otherwise, the update fails.
NOTE
If the immediate update affects the service performance of the NGFW, you can run the update abort { av-
sdb | ips-sdb | sa-sdb } command to terminate the update. When the network connection is good, run the
command in Step 3 again to download the latest signature database.
NOTE
If the new signature database is installed automatically after the download, you do not need to run this
command. To select the installation mode of the new signature database, see 5.12.3.1 Installation
Mode.
----End
Prerequisites
The update file must be obtained from the security center and uploaded to the NGFW before the
update.
NOTE
If you use FTP, SFTP, or TFTP to upload the update file, the file is placed in the directory you specify on
the NGFW. If you use the Web UI, the update file is placed in the root directory of the CF card (USG6000
series) or of the eUSB (NGFW Module) on the NGFW.
Procedure
Step 1 Download the update package.
l IPS, antivirus, and application signature databases: Download update packages from the
security center (sec.huawei.com), as shown in Figure 5-78. For details, refer to the Help of
the security center.
l Region identification signature database: Log in to the technical support website and click
Software to download the signature database, or download it from the security center
(sec.huawei.com).
Step 2 Upload the upgrade package from the PC to the specified directory of the NGFW.
system-view
filename is the complete path of the update file on the local file system, for example,
hda1:/IU_cup$20ips20100628.004.x01.zip.
NOTE
The IPS, antivirus, and application signature databases and region identification signature database update files
support the .zip format. When you select a file package, upload the .zip file that you have downloaded from the
website.
----End
Context
You can roll back to only one version. If you perform version rollbacks repeatedly, the versions
switch back and forth between the current version and the rollback version.
NOTICE
Before the version rollback, you are advised to run the display version { { av-sdb | engine |
ips-sdb | sa-sdb }* | location-sdb } command to view the information about the rollback version.
Then, you can choose whether to perform the version rollback. If no rollback version is available,
the version rollback fails. The version in the device remains unchanged.
Procedure
Step 1 Access the system view.
system-view
----End
Context
NOTICE
If the signature database is restored to the factory default version, all other versions on the
NGFW are deleted. Perform the operation with caution.
Procedure
Step 1 Access the system view.
system-view
----End
Before you enable the debugging function, you must run the terminal monitor and terminal
debugging commands in the user view to enable the information display function and debugging
display function of the terminal, so that debugging information can be displayed on the terminal.
NOTICE
Enabling the debugging affects system performance. Therefore, after the debugging, you should
run the undo debugging all command to disable the debugging immediately.
For the description of the debugging commands, refer to the Debugging Reference.
Version: V100R001C30
Description: The Web UI provides the causes and solutions of signature database update failures.
Version: V100R001C20SPC100
Description: Deleted intranet update from signature database update and added signature database
update through a proxy server.
Version: V100R001C10
Description:
l Added local update for the region identification signature database.
l Supports the separate update of the IPS signature database. Updating the IPS signature
database does not require restarting other content security services.
----End
The extension name of a system software file is .bin. The software file name cannot contain any
Chinese characters.
Step 6 Click to set the current file as the system software for the next startup.
The upgraded system software can be used only after you restart the NGFW.
----End
The extension name of a system software file is .bin. The software file name cannot contain any
Chinese characters.
Step 2 Click One-Touch Version Upgrade. The One-Touch Version Upgrade wizard is displayed.
Step 3 Optional: Click the Export buttons in sequence to export the alarm information, log
information, and configuration information about the NGFW to the terminal.
Step 4 Optional: Click Save to save the current system configuration information.
You are advised to save the current system configuration information to the terminal.
Step 6 Select Restart the system now or Do not restart the system according to whether the current
network allows the device to restart immediately after system upgrade.
Step 7 Click Next. The device automatically starts to upgrade the system software.
The upgraded system software can be used only after you restart the NGFW.
----End
Step 6 Click of the patch file in idle state and click Yes in the dialog box that is displayed to upload,
activate, and run the patch file.
----End
----End
client Internet Explorer control, and client certificate filtering plug-in. When the updated client
accesses the virtual gateway, the virtual gateway automatically updates the installed components
on the client.
To load a new client patch file, the system will uninstall the loaded client patch file automatically.
The file name of the client patch file must be clientpatchmain. If the file name already exists,
the file is automatically deleted.
Step 2 Click One-Touch Client Patch Upgrade behind the Client Patch File in Use, the One-Touch
Client Patch Upgrade window is displayed.
----End
NOTE
The client and server software described in the following is not delivered with the NGFW. You need to
purchase and install them separately.
l FTP
– The NGFW serves as the FTP client.
The FTP server and the NGFW can reside on different network segments, but they must
be routable to each other.
Run the FTP server program on the FTP host and place the system software to be
downloaded in the corresponding FTP working directory. Then run the command in the
user view of the NGFW to download the system software to the specified directory of
the NGFW. For details, see 5.10.3.2 Configuring the NGFW as an FTP Client.
– The NGFW serves as the FTP server.
The FTP client and the NGFW can reside on different network segments, but they must
be routable to each other.
Start the FTP server on the NGFW. For details, see 5.10.3.1 Configuring the NGFW
as an FTP Server. Log in to the NGFW through an FTP client and upload the system
software to the corresponding directory of the NGFW.
l TFTP
The NGFW serving as the TFTP client obtains system software from the TFTP server. The
TFTP server and the NGFW can reside on different network segments, but they must be
routable to each other.
Run the TFTP server program on the TFTP host and put the system software to be uploaded
in the corresponding TFTP working directory. Then run the specified commands in the user
view of the NGFW to download the system software to the corresponding directory of the
NGFW. For details, see 5.10.3.5 Configuring the NGFW as a TFTP Client.
l SFTP
– The NGFW serves as the SFTP client.
The SFTP server and the NGFW can reside on different network segments, but they
must be routable to each other.
Run the SFTP server program on the SFTP host and place the system software to be
downloaded in the corresponding SFTP working directory. Then run the command in
the user view of the NGFW to download the system software to the specified directory
of the NGFW. For details, see 5.10.3.4 Configuring the NGFW as an SFTP Client.
– The NGFW serves as the SFTP server.
The SFTP client and the NGFW can reside on different network segments, but they
must be routable to each other.
Start the SFTP server on the NGFW. For details, see 5.10.3.3 Configuring the NGFW
as an SFTP Server. Log in to the NGFW through an SFTP client and upload the system
software to the corresponding directory of the NGFW.
NOTE
SFTP encrypts the session and authenticates the server, whereas FTP sends credentials and file contents in
cleartext and TFTP has no authentication at all. Therefore, you are advised to use SFTP to upload system
software.
NOTICE
The system software must be a .bin file and saved under the root directory of the storage device.
reboot
----End
Postrequisite
After the configuration, run the display startup command to display the system software and
configuration file for this and next startups.
For example:
Figure: patch states (Idle, Deactivated, Activated, Running) and the transitions between them (Load,
Active, Run, Deactive, Delete).
NOTE
The client and server software described in the following is not delivered with the NGFW. You need to
purchase and install them separately.
l FTP
– The NGFW serves as the FTP client.
The FTP server and the NGFW can reside on different network segments, but they must
be routable to each other.
Run the FTP server program on the FTP host and place the patch file to be downloaded
in the corresponding FTP working directory. Then run the command in the user view
of the NGFW to download the patch file to the specified directory of the NGFW. For
details, see 5.10.3.2 Configuring the NGFW as an FTP Client.
– The NGFW serves as the FTP server.
The FTP client and the NGFW can reside on different network segments, but they must
be routable to each other.
Start the FTP server on the NGFW. For details, see 5.10.3.1 Configuring the NGFW
as an FTP Server. Log in to the NGFW through an FTP client and upload the patch
file to the corresponding directory of the NGFW.
l TFTP
The NGFW serving as the TFTP client obtains patch file from the TFTP server. The TFTP
server and the NGFW can reside on different network segments, but they must be routable
to each other.
Run the TFTP server program on the TFTP host and put the patch file to be uploaded in
the corresponding TFTP working directory. Then run the specified commands in the user
view of the NGFW to download the patch file to the corresponding directory of the
NGFW. For details, see 5.10.3.5 Configuring the NGFW as a TFTP Client.
l SFTP
– The NGFW serves as the SFTP client.
The SFTP server and the NGFW can reside on different network segments, but they
must be routable to each other.
Run the SFTP server program on the SFTP host and place the patch file to be
downloaded in the corresponding SFTP working directory. Then run the command in
the user view of the NGFW to download the patch file to the specified directory of the
NGFW. For details, see 5.10.3.4 Configuring the NGFW as an SFTP Client.
– The NGFW serves as the SFTP server.
The SFTP client and the NGFW can reside on different network segments, but they
must be routable to each other.
Start the SFTP server on the NGFW. For details, see 5.10.3.3 Configuring the NGFW
as an SFTP Server. Log in to the NGFW through an SFTP client and upload the patch
file to the corresponding directory of the NGFW.
NOTE
SFTP encrypts the session and authenticates the server, whereas FTP sends credentials and file contents in
cleartext and TFTP has no authentication at all. Therefore, you are advised to use SFTP to upload the patch
file.
Loading a Patch
When you load a patch, the system automatically checks whether the checksum of the patch matches
that of the host software. If they do not match, the loading fails.
NOTE
l Patches not in Running state become Idle after system restart. To use such a patch, you need to load,
activate, and run the patch.
l For a cold patch, you must restart the system to validate the patch.
----End
Deleting a Patch
You can delete a patch that is not required by the system.
Step 1 Run the following command in the user view to deactivate a patch.
patch deactive patch-file-name
Step 2 Delete a patch.
patch delete patch-file-name
----End
Client patches have four states: Idle, Activated, Deactivated, and Running. Patches in the Activated
state return to the Idle state after a system restart and no longer take effect; patches in the Running
state survive a system restart and still take effect.
Figure: client patch states (Idle, Deactivated, Activated, Running) and the transitions between them
(Load, Active, Run, Deactive, Delete).
NOTE
The client and server software described in the following is not delivered with the NGFW. You need to
purchase and install them separately.
l FTP
– The NGFW serves as the FTP client.
The FTP server and the NGFW can reside on different network segments, but they must
be routable to each other.
Run the FTP server program on the FTP host and place the client patch file to be
downloaded in the corresponding FTP working directory. Then run the command in the
user view of the NGFW to download the client patch file to the specified directory of
the NGFW. For details, see 5.10.3.2 Configuring the NGFW as an FTP Client.
– The NGFW serves as the FTP server.
The FTP client and the NGFW can reside on different network segments, but they must
be routable to each other.
Start the FTP server on the NGFW. For details, see 5.10.3.1 Configuring the NGFW
as an FTP Server. Log in to the NGFW through an FTP client and upload the client
patch file to the corresponding directory of the NGFW.
l TFTP
The NGFW serving as the TFTP client obtains client patch file from the TFTP server. The
TFTP server and the NGFW can reside on different network segments, but they must be
routable to each other.
Run the TFTP server program on the TFTP host and put the client patch file to be uploaded
in the corresponding TFTP working directory. Then run the specified commands in the user
view of the NGFW to download the client patch file to the corresponding directory of the
NGFW. For details, see 5.10.3.5 Configuring the NGFW as a TFTP Client.
l SFTP
– The NGFW serves as the SFTP client.
The SFTP server and the NGFW can reside on different network segments, but they
must be routable to each other.
Run the SFTP server program on the SFTP host and place the client patch file to be
downloaded in the corresponding SFTP working directory. Then run the command in
the user view of the NGFW to download the client patch file to the specified directory
of the NGFW. For details, see 5.10.3.4 Configuring the NGFW as an SFTP Client.
– The NGFW serves as the SFTP server.
The SFTP client and the NGFW can reside on different network segments, but they
must be routable to each other.
Start the SFTP server on the NGFW. For details, see 5.10.3.3 Configuring the NGFW
as an SFTP Server. Log in to the NGFW through an SFTP client and upload the client
patch file to the corresponding directory of the NGFW.
NOTE
SFTP encrypts the session and authenticates the server, whereas FTP sends credentials and file contents in
cleartext and TFTP has no authentication at all. Therefore, you are advised to use SFTP to upload the client
patch file.
client-patch load
client-patch active
client-patch run
NOTE
Patches not in Running state become Idle after system restart. To use such a patch, you need to load, activate,
and run the patch.
----End
client-patch deactive
client-patch delete
----End
5.14.1 Overview
A configuration file defines the configuration items required for the startup of the NGFW. You
can save a configuration file on the NGFW, modify and remove existing configuration files,
and specify the configuration file for the NGFW to load upon each startup.
Current Configuration
The current configuration is the configuration that currently takes effect on the device; it is not
the configuration file. A configuration file is generated only after you save the current configuration.
Configuration File
The configuration file is saved as a .txt file, and the requirements on its content are as follows:
NOTE
In a configuration file, a command that the system can identify must be a string of no more than
899 characters. Editing the configuration file directly may produce commands longer than 899
characters, which the system then cannot identify. Therefore, perform such edits with caution.
Concepts related to the configuration file are the configuration file for this startup, configuration
file for the next startup, and configuration file for disaster recovery.
Related Operations
To manage configuration files, do as follows:
NOTICE
Restoring the factory configuration reboots the device.
Step 5 Click OK. The device reboots and restores the factory default configuration.
----End
Displaying Configuration
You can display a maximum of 2000 configuration messages. To view more configuration
information, you must export the configuration information.
Step 2 Under Current Configuration, click Search, select search conditions on the Query
Condition dialog box, and click Search.
----End
Step 3 Click Save and select a path on the terminal to save the configuration file.
----End
Comparing Configurations
You can compare the current configurations with the configurations saved in configuration files.
----End
By default, only the system administrator has the configuration saving permission. If a non-system administrator
needs to save configuration, contact the system administrator for the permission.
Step 3 Select Overwrite configuration file for next startup or Save as.
If you select Save as, enter a new file name.
----End
Step 2 Click Select. The Configuration File Management dialog box is displayed.
Step 6 Click to set the current configuration file as the configuration file for the next startup.
You need to restart the device to complete the update.
----End
Context
NOTICE
l SFTP is recommended because of high security.
l After the function of updating the configuration file is enabled, the NGFW cannot restore
the factory default settings when you press the RST button before powering on the
NGFW.
Procedure
Step 1 Enable the function of updating the configuration file.
upgrade saved-configuration { ftp | sftp } server-address username password [ delay ]
NOTE
If you need to update the configuration file again, run the specified command to obtain the configuration file
and then update it.
----End
Procedure
Step 1 Specify a configuration file to be loaded for the next startup.
startup saved-configuration configuration-filename
----End
Context
To reduce the chance of losing configuration when the device is suddenly powered off or
restarted, the NGFW provides a real-time configuration saving function.
NOTE
By default, only the system administrator has the configuration saving permission.
For a non-system administrator to save configuration, the system administrator must run the non-system-admin
saveenable command to grant the configuration saving permission to the non-system administrator.
Procedure
Step 1 Save the current configuration.
save [ config-filename ]
The file name extension of the configuration file must be .cfg or .zip. The configuration file
must be saved in the root directory of the storage device.
If you run the save command without specifying any parameter, the current configuration is
automatically saved into the configuration file for the next startup. If you run the save command
and specify a configuration file name, the current configuration is saved into the specified
configuration file.
----End
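The following Python script is an added example, not part of this guide or of the NGFW software. It checks, on the administrator's workstation, the file constraints stated in this guide before a file is uploaded with SFTP: a signature database package for local update must be a .zip whose digest matches the value obtained with it (the device reports status 16 and 13 respectively when these fail), system software must be a .bin file whose name contains no Chinese characters and that sits in the root of the storage device, and a configuration file must be .cfg or .zip with no command longer than 899 characters. The expected digest, the sample package and the file names are assumptions for the example; the device compares MD5 values, whereas SHA-256 is the default here.

```python
"""Pre-upload checks for files bound for the NGFW (added example; not Huawei code).

Constraints are taken from the guide; the expected digest is whatever value
accompanied the package when it was obtained and is passed in by the caller.
"""
import hashlib
import hmac
import io
import re
import zipfile

MAX_CMD_LEN = 899                                      # limit stated for configuration files
CJK_RE = re.compile(r"[\u3400-\u4dbf\u4e00-\u9fff]")   # CJK Unified Ideographs


def digest(data: bytes, algorithm: str = "sha256") -> str:
    return hashlib.new(algorithm, data).hexdigest()


def check_signature_package(name: str, data: bytes, expected_digest: str,
                            algorithm: str = "sha256") -> list:
    """Problems with a signature database package for local update (empty list = OK)."""
    problems = []
    if not name.lower().endswith(".zip"):
        problems.append("package must be a .zip file")
    if not zipfile.is_zipfile(io.BytesIO(data)):
        problems.append("not a valid ZIP archive (device would report status 16)")
    # Constant-time comparison; a tampered download controls the computed digest.
    if not hmac.compare_digest(digest(data, algorithm), expected_digest.lower()):
        problems.append("digest mismatch, re-download the package (device would report status 13)")
    return problems


def check_system_software_name(name: str) -> list:
    """Problems with a system software file name (empty list = OK)."""
    problems = []
    if not name.lower().endswith(".bin"):
        problems.append("system software must be a .bin file")
    if CJK_RE.search(name):
        problems.append("file name must not contain Chinese characters")
    return problems


def check_config_text(name: str, text: str) -> list:
    """Problems with a plain-text configuration file (empty list = OK)."""
    problems = []
    if not name.lower().endswith((".cfg", ".zip")):
        problems.append("configuration file must be .cfg or .zip")
    for lineno, line in enumerate(text.splitlines(), 1):
        if len(line) > MAX_CMD_LEN:
            problems.append(f"line {lineno} is {len(line)} characters, limit is {MAX_CMD_LEN}")
    return problems


def in_storage_root(device_path: str) -> bool:
    """True for hda1:/sup.bin, False for hda1:/images/sup.bin."""
    return re.fullmatch(r"[A-Za-z0-9]+:/[^/]+", device_path) is not None


def build_sample_package() -> bytes:
    """Constructed stand-in for a downloaded package; the payload is arbitrary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("sdb.dat", b"constructed sample payload")
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_sample_package()
    print(check_signature_package("ips_sdb.zip", pkg, digest(pkg)))      # []
    print(check_signature_package("ips_sdb.zip", pkg, "0" * 64))        # digest mismatch
    print(check_system_software_name("sup.bin"), check_system_software_name("升级.bin"))
    print(check_config_text("vrpcfg.cfg", "sysname NGFW\n" + "x" * 900))  # line 2 too long
    print(in_storage_root("hda1:/vrpcfg.zip"), in_storage_root("hda1:/bak/vrpcfg.zip"))
```

Run the checks against the files you are about to upload; a non-empty list means the device would reject the file or, for the 899-character case, silently fail to identify a command after startup.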
Context
The configuration file for disaster recovery is a backup file generated on hda1. This file cannot
be deleted, modified, or renamed, and it cannot be specified as the configuration file for the next
startup with the startup saved-configuration command. The file is lost only when hda1 is
formatted.
After you specify a configuration file with the backup-configuration command, the system
generates a copy of it on hda1, named nicecfg, as the configuration file for disaster recovery.
It is recommended that you refresh the configuration file for disaster recovery periodically so
that the latest configuration is available when you need to restore it.
Procedure
Step 1 Specify a configuration file for disaster recovery.
backup-configuration backup-filename
You can specify only one configuration file for disaster recovery. If you execute this command
multiple times, the configuration file in the last time when the command is executed is specified
as the configuration file for disaster recovery.
The changes of the original configuration files do not affect the configuration file for disaster
recovery.
Step 2 Configure the configuration file for disaster recovery as the configuration file for the next startup.
startup backup-configuration
To stop using the configuration file for disaster recovery as the configuration file for startup,
perform either of the following operations:
l After modifying the configuration, run the save command in the user view. Then the system
employs the saved configuration file as the configuration file for the next startup.
l In the user view, run the undo startup backup-configuration command to stop using the
configuration file for disaster recovery as the configuration file for startup.
----End
Follow-up Procedure
Run the display backup-configuration command to display the details on the configuration
file for disaster recovery, namely, nicecfg.
Run the display startup command to display the configuration file for the next startup.
<NGFW> display startup
MainBoard:
Configed startup system software: hda1:/sup.bin
Startup system software: hda1:/sup.bin
Next startup system software: hda1:/sup.bin
Startup saved-configuration file: hda1:/vrpcfg.zip
Next startup saved-configuration file: hda1:/vrpcfg.zip
Next startup configuration: backup-configuration
According to the output that is displayed, Next startup configuration indicates the
configuration file for the next startup. Its priority is higher than that of the Next startup saved-
configuration file. This item can be displayed only when the configuration file is specified for
the next startup.
Context
You need to clear the configuration file that is currently loaded in the following cases:
l After the device software is upgraded, the software does not match the configuration file.
l The configuration file is damaged, or the device is loaded with an incorrect configuration
file.
Procedure
Step 1 Clear the configuration file that is currently loaded.
reset saved-configuration
After the configuration file is cleared, the NGFW starts with default parameter settings at the
next startup unless you either specify a configuration file with correct contents using the
startup saved-configuration command or save the current configuration in use with the save
command.
----End
Procedure
Step 1 Compare the current configuration with the configuration saved on the storage device.
compare configuration [ current-line-number save-line-number ]
If no parameter is specified, the comparison starts from the first line. You can use parameters
current-line-number and save-line-number to skip the differences that are identified between
the configurations during the comparison.
When identifying the differences, the system displays a certain number of characters (150
characters by default) in the current configuration file and saved configuration file starting from
the line with identified differences. If the length of the content from the line with identified
differences is fewer than 150 characters, the system displays all content till the end of both files.
----End
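As an added example, not Huawei's implementation, the following Python reproduces the comparison rule described above (walk both configurations from the given start lines, stop at the first differing line, show up to 150 characters from that line) so that a running configuration captured from the CLI can be compared with a saved .cfg on the workstation, and adds the full unified diff that the device does not show. The two configurations are constructed for this example.

```python
"""Offline emulation of 'compare configuration' (added example; not Huawei code)."""
import difflib

DEFAULT_WINDOW = 150  # the guide's default display length

# Constructed sample: the running configuration and the saved file differ
# in one interface address.
CURRENT_CFG = """\
#
 sysname NGFW
#
interface GigabitEthernet0/0/1
 ip address 10.0.0.1 255.255.255.0
#
return
"""
SAVED_CFG = CURRENT_CFG.replace("10.0.0.1", "10.0.0.2")


def compare_configuration(current, saved, current_line=1, save_line=1, window=DEFAULT_WINDOW):
    """Return None when no difference is found from the start lines onward.

    Otherwise return the 1-based line numbers of the first differing line in
    each configuration and the text from that line on, truncated to `window`
    characters (everything to the end when less remains), as the device does.
    """
    cur = current.splitlines()
    sav = saved.splitlines()
    i, j = current_line - 1, save_line - 1
    while i < len(cur) and j < len(sav) and cur[i] == sav[j]:
        i += 1
        j += 1
    if i >= len(cur) and j >= len(sav):
        return None                      # both exhausted together: identical
    # A line differs, or one configuration has extra lines at the end.
    return {
        "current_line": i + 1,
        "save_line": j + 1,
        "current_text": "\n".join(cur[i:])[:window],
        "saved_text": "\n".join(sav[j:])[:window],
    }


def full_diff(current, saved):
    """Unified diff saved -> current: the whole picture the device does not print."""
    return "".join(difflib.unified_diff(saved.splitlines(True), current.splitlines(True),
                                        fromfile="saved", tofile="current"))


if __name__ == "__main__":
    r = compare_configuration(CURRENT_CFG, SAVED_CFG)
    print(f"first difference: current line {r['current_line']}, saved line {r['save_line']}")
    print(r["current_text"])
    print(compare_configuration(CURRENT_CFG, SAVED_CFG, 6, 6))   # None: identical from line 6
    print(full_diff(CURRENT_CFG, SAVED_CFG))
```

Passing the line numbers returned for one difference, advanced past it, as the next start lines reproduces the skip behaviour of the current-line-number and save-line-number parameters.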
If the configurations are successfully applied, run the preceding commands, and you can find
the following results:
l The current configuration of the device is correct without any redundant configuration.
l The current configuration of the device is saved in the storage device.
l The device system software and configuration file that are to be loaded upon the next startup
are correct, and they are saved in the root directory of the storage device.
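As an added example, not part of this guide, the following Python parses the display startup output shown earlier in this section and performs these checks automatically: the next-startup system software is a .bin file in the root of the storage device, the next-startup configuration file is .cfg or .zip in the root of the storage device, and whether Next startup configuration: backup-configuration overrides the saved-configuration file. The first sample is the output printed in this guide; the second is a constructed variation.

```python
"""Checks on captured 'display startup' output (added example; not Huawei code)."""
import re

# Output as printed in the guide.
SAMPLE_OUTPUT = """\
<NGFW> display startup
MainBoard:
Configed startup system software: hda1:/sup.bin
Startup system software: hda1:/sup.bin
Next startup system software: hda1:/sup.bin
Startup saved-configuration file: hda1:/vrpcfg.zip
Next startup saved-configuration file: hda1:/vrpcfg.zip
Next startup configuration: backup-configuration
"""


def parse_display_startup(text):
    """Map each 'Key: value' line to a dict; the prompt line and bare 'MainBoard:' are skipped."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("<"):
            continue
        key, sep, value = line.partition(":")    # values such as hda1:/sup.bin keep their colon
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def in_storage_root(device_path):
    """True for hda1:/sup.bin, False for hda1:/images/sup.bin."""
    return re.fullmatch(r"[A-Za-z0-9]+:/[^/]+", device_path) is not None


def assess_startup(fields):
    """Return the effective next-startup software and configuration plus a list of problems."""
    problems = []
    sw = fields.get("Next startup system software", "")
    cfg = fields.get("Next startup saved-configuration file", "")
    if not sw.lower().endswith(".bin"):
        problems.append(f"next startup software is not a .bin file: {sw!r}")
    if not in_storage_root(sw):
        problems.append(f"next startup software is not in the storage root: {sw!r}")
    if not cfg.lower().endswith((".cfg", ".zip")):
        problems.append(f"next startup configuration file is not .cfg/.zip: {cfg!r}")
    if not in_storage_root(cfg):
        problems.append(f"next startup configuration file is not in the storage root: {cfg!r}")
    # The disaster recovery copy (nicecfg) has priority over the saved-configuration file.
    uses_backup = fields.get("Next startup configuration") == "backup-configuration"
    return {
        "next_software": sw,
        "software_change_pending": sw != fields.get("Startup system software"),
        "effective_next_config": "backup-configuration (nicecfg)" if uses_backup else cfg,
        "problems": problems,
    }


if __name__ == "__main__":
    report = assess_startup(parse_display_startup(SAMPLE_OUTPUT))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed the script the text captured from the CLI session after an upgrade; an empty problems list and the expected effective_next_config are the conditions this section asks you to confirm before the reboot.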
Version: V100R001C20SPC700
Description: Added the function of updating the configuration file through SFTP.
5.15 Restart
After you upgrade the system or modify configurations on the NGFW, you must reboot the
NGFW to ensure that the latest configuration takes effect.
5.15.1 Overview
After you upgrade the system or load a host program or after an anomaly occurs in the system,
you need to restart the system.
Restarting the NGFW interrupts services. Therefore, select off-peak hours in non-emergent
cases, such as in the early morning, to restart the NGFW.
– Specify a specific duration as the delay before the NGFW restarts. For example, the
NGFW automatically restarts after a specific time period, such as three hours later.
Upon the restart, the NGFW loads the startup configuration file specified before the restart.
Background
NOTICE
l If the NGFW works improperly, try to rectify the fault. Do not restart the system frequently,
because each restart interrupts services.
l If you must restart the system, select off-peak hours in non-emergent cases, such as in the
early morning.
l Restarting the NGFW may result in temporary data loss. Before the restart, make sure that
the configuration data is backed up.
----End
Context
NOTICE
l When the system works abnormally, rectify the fault first. Do not restart the system
frequently; otherwise, services are affected.
l Restarting the system may cause the loss of unsaved data. Before the reboot, ensure that
the configuration file is saved. In common cases, do not use the CLI to reboot the system.
----End
If the clock command is executed after you run the schedule reboot command, the parameters
specified in the schedule reboot command no longer take effect.
NOTE
After the configuration is complete, run the display schedule reboot command to display the parameter
settings of the system restart at a specified time.
<NGFW> display schedule reboot
System will reboot at 16:00:00 2011/11/1 (in 2 hours and 5 minutes).
----End
5.16.1 Overview
To upgrade through USB, you need to store the required upgrade file in a USB drive, insert it
into the NGFW, and upload the upgrade file in the USB drive to upgrade the NGFW.
Manual Upgrade
In manual upgrade, you insert the USB drive and then run the upgrade command to upgrade
the system software and configuration file.
Automatic Upgrade
In automatic upgrade, the NGFW automatically upgrades after the USB drive is inserted. This
method simplifies operations and enhances the upgrade efficiency.
Before implementing upgrade through USB, check whether a configuration file exists on the
NGFW:
l If no configuration file exists, the NGFW starts the upgrade after the USB drive is inserted.
In this scenario, you need only to store all required upgrade files in the USB drive and insert
it into the NGFW, requiring no command execution.
l If a configuration file exists, you need to enable upgrade through USB before inserting the
USB drive.
NOTE
The NGFW begins to support automatic upgrade through USB from V100R001C30SPC100.
Procedure
Step 1 Obtain the system software and configuration file and store them in the same directory on USB.
In this example, the system software is system-software.bin, the configuration file is system-
config.zip, and they are stored in the root directory on the USB drive.
Step 2 Insert the USB drive into the NGFW.
Step 3 Upgrade the system software and configuration file.
l Upgrade the system software.
<NGFW> upgrade system-software udisk0:/system-software.bin
Upgrade system software ?[Y/N]:Y
Info: Check system software begin, it will take a long time, please don't power
down or pull out disk...............................
...............................................................................
..............................................
Info:Udisk0:Successful upgrade, ready to restart.
Info: Check system configuration begin, it will take a long time, please don't
power down or pull out disk.....done.
Info: Upgrade system configuration begin, it will take a long time, please don't
power down or pull out disk.....done.
(Warning: Reboot system is required to make current upgrade take effect.)
NOTE
The number of USB ports varies with the NGFW model. udisk0 denotes the first USB port; if the drive
is inserted in another port, use that port's index in place of 0.
Step 4 Optional: Run the reboot command in the user view to restart the NGFW. Skip this step when
upgrading the system software because the NGFW will automatically restart.
l Run the display version command to check whether the SoftwareVersion on the NGFW is
the target version. If yes, the system software is upgraded successfully.
<NGFW> display version
HUAWEI Versatile Routing Platform Software
Software Version: V100R001C30SPC100 (VRP (R) Software, Version 5.30)
Copyright (C) 2014-2015 Huawei Technologies Co., Ltd.
sysname uptime is 0 week, 0 day, 15 hours, 20 minutes
Patch: V100R001C20SPH001
l Run the display current-configuration command to check whether the configuration of the
NGFW is the target version. If yes, the configuration file is upgraded successfully.
----End
Procedure
Step 1 Obtain the system software and configuration file and store them in the same directory in the
USB drive.
NOTICE
The name of the target system software in the USB drive must be different from that of the one
running currently. Otherwise, the upgrade will fail.
Field Content
DIRECTORY Enter the path of the upgrade files in the USB drive. If
the path is the root directory, enter DEFAULT.
Otherwise, enter the actual path. For example, if the
upgrade files are in the NGFW folder, enter /NGFW.
Field Content
TYPEn / FILENAMEn Enter the type and name of each upgrade file. For example, to upgrade both
the system software and the configuration file, enter system-software.bin for the system software
and system-config.zip for the configuration file as follows:
TYPE1=SYSTEM-SOFTWARE
FILENAME1=system-software.bin
TYPE2=SYSTEM-CONFIG
FILENAME2=system-config.zip
NOTE
To upgrade multiple NGFWs to different versions with one USB drive, copy the upgrade file
package for the next NGFW to the drive only after the previous NGFW has been upgraded
successfully, and make sure that the file names match the FILENAME entries in the index file.
----End
5.16.4.2 Upgrading System Software and Configuration file (No Configuration File
on the NGFW)
The NGFW starts automatic upgrade through USB after a USB drive storing all required files
is inserted.
Procedure
1. Insert the USB drive into the NGFW.
If the SYS indicator (green) blinks eight times each second, the NGFW has started
automatic upgrade. The NGFW obtains the system software and configuration file from
the USB drive based on the index file usb.ini, copies them to its CF card, and automatically
sets them as the system startup files.
2. Wait until the NGFW restarts.
NOTE
The restart takes 10 to 30 minutes depending on the product model and version upgrade conditions.
3. Check the upgrade result.
l Determine the upgrade status based on the SYS and ALM indicators on the NGFW:
– If the SYS indicator (green) blinks twice per second, the upgrade has succeeded.
– If the SYS indicator (green) is off and the ALM indicator is on, the upgrade has
failed.
l Check the log file named ESN_time on the USB drive.
– If the upgrade succeeds, the log information resembles the following content. Device
SN is the same as SN in the index file in 5.16.4.1 Preparation for the Upgrade.
Upgrade time:
20141228084910
Device SN:
20141228.080910
Device ESN:
210235G7LNZ0C8000001
Info: Deployment using the USB flash drive is completed successfully, and
the device has restarted.
– If the upgrade through USB fails, check the Info content in the log file for
preliminary fault location.
Procedure
Step 1 Optional: Encrypt the configuration file (.cfg) to protect it. Skip this step if you do not need to
upgrade the configuration file.
NOTE
Configure an authentication password containing at least three of the following types of characters: upper-case
letters, lower-case letters, digits, and special characters (except spaces and question marks) for security.
You can use archive software that supports password-protected encryption, such as WinRAR or
7-Zip, to encrypt the configuration file. In this example, WinRAR is used.
Step 2 Obtain system software and store them in the same directory that stores the configuration file
on the USB drive.
NOTICE
The name of the target system software in the USB drive must be different from that of the one
running currently. Otherwise, the upgrade will fail.
Step 3 Optional: Obtain the HMACs of the system software and configuration file. Skip this step if
HMAC check is not required.
NOTICE
l If the configuration file is encrypted, Key: must be the same as the encryption password used
in Step 1. Otherwise, the upgrade will fail.
l If the configuration file is not encrypted, ensure that Key: contains at least three of the
following types of characters: upper-case letters, lower-case letters, digits, and special
characters (except spaces and question marks) for security.
l Select SHA256 as the hash algorithm; the NGFW supports only HMAC-SHA256 for this check.
HMACn=
END
Field Content
ESN Enter the ESN of the NGFW. You can run the display
firewall esn command to obtain the ESN of each
NGFW. To match all NGFWs, enter DEFAULT.
DIRECTORY Enter the path where files are stored on USB. If it is the
root directory of USB, enter DEFAULT; otherwise,
enter the specific path, such as //test.
Field Content
TYPEn / FILENAMEn / HMACn Enter the type, name, and (when HMAC check is used) HMAC of
each upgrade file. For example, to upgrade both the system software and the configuration file,
enter system-software.bin for the system software and system-config.zip for the configuration
file as follows:
TYPE1=SYSTEM-SOFTWARE
FILENAME1=system-software.bin
HMAC1=0ab30a2596bd0f6744631002d941f4218f40e784ae51447ed0bf3a2ff075939a
TYPE2=SYSTEM-CONFIG
FILENAME2=system-config.zip
HMAC2=27dadb18efe4c0cf00268c3d3573a1ea9c270e5c56bfda9dd9bba1d168b5d680
----End
TYPE1=SYSTEM-SOFTWARE
FILENAME1=system-software01.bin
HMAC1=c3caaee8f4f6bd1389f438801e40dad9af30f2fbbe7e8f55121b39c6c16ba488
END
Example 2: The software of multiple NGFWs needs to be upgraded, and HMAC check is
not required.
Make an index file that meets the following requirements:
l The data change time is 2014-06-28 08:09:10.
l Upgrade is required.
l The system software system-software01.bin is in the root directory of the USB drive, the
version is V100R001C30SPC100, and HMAC check is not required.
The corresponding index file is as follows:
BEGIN
[USB CONFIG]
SN=20140628.080910
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=1
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=DEFAULT
MAC=DEFAULT
VERSION=V100R001C30SPC100
DIRECTORY=DEFAULT
FILENUM=1
TYPE1=SYSTEM-SOFTWARE
FILENAME1=system-software01.bin
END
Example 3: The software of two NGFWs needs to be upgraded, and HMAC check is not
required.
Make an index file that meets the following requirements:
l The data change time is 2014-06-28 08:09:10.
l For one NGFW, the ESN is 00080123456789, the MAC address is 0018-0303-1234, the
system software name is system-software01.bin, the version number is
V100R001C30SPC100, the configuration file is system-config01.zip, and neither file
requires HMAC check.
l For the other NGFW, the ESN is 66680123456789, the MAC address is 0018-0303-5678,
the system software name is system-software02.bin, the version number is
V100R001C30SPC100, the configuration file is system-config02.zip, and neither file
requires HMAC check.
The corresponding index file is as follows:
BEGIN
[USB CONFIG]
SN=20140628.080910
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=2
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=00080123456789
MAC=0018-0303-1234
VERSION=V100R001C30SPC100
DIRECTORY=DEFAULT
FILENUM=2
TYPE1=SYSTEM-SOFTWARE
FILENAME1=system-software01.bin
TYPE2=SYSTEM-CONFIG
FILENAME2=system-config01.zip
[DEVICE2 DESCRIPTION]
OPTION=OK
ESN=66680123456789
MAC=0018-0303-5678
VERSION=V100R001C30SPC100
DIRECTORY=DEFAULT
FILENUM=2
TYPE1=SYSTEM-SOFTWARE
FILENAME1=system-software02.bin
TYPE2=SYSTEM-CONFIG
FILENAME2=system-config02.zip
END
Procedure
Step 1 Set the authentication password for automatic upgrade through USB on the NGFW.
NOTICE
l If configuration file encryption or HMAC check is configured, the password for automatic
upgrade through USB must be the same as the configuration file encryption password and
the HMAC key.
l If configuration file encryption or HMAC check is not configured, ensure that the
authentication password contains at least three of the following types of characters: upper-
case letters, lower-case letters, digits, and special characters (except spaces and question
marks) for security.
<NGFW> system-view
[NGFW] usb autoupdate password
Enter Password:
Confirm Password:
Step 2 Optional: Enable HMAC check on the NGFW if the function is required.
NOTICE
If the index file does not contain the HMAC of the upgrade file, do not enable HMAC check;
otherwise, the upgrade will fail.
The NGFW automatically verifies the index file and starts automatic upgrade if the verification
succeeds, with the following information displayed on the screen:
Info: Auto update begin, it will take a long time, please don't power down or pull
out disk.
Info: Udisk0: The SN in the ini file is inconsistent with the device's setting, the
system need to be upgraded.
----End
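The index file examples above and the password/HMAC procedure that follows them describe a software-supply-chain control: the NGFW accepts files from an untrusted USB drive only if the HMAC recorded in the index file matches the value it recomputes with the password set by usb autoupdate password. The following Python script is an added example, not Huawei code. It builds an index file in the layout of Example 2, applies the password rule from the NOTICE, and emulates the device-side acceptance check. It assumes HMAC-SHA256 over the raw file bytes keyed with the upgrade password (the manual names SHA256 but does not spell out the exact construction), and its sample files, password, and function names are constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed sample upgrade files (placeholders, not real NGFW images).
SAMPLE_FILES: Dict[str, bytes] = {
    "system-software01.bin": b"\x7fELF placeholder system software",
    "system-config01.zip": b"PK\x03\x04 placeholder configuration archive",
}


def password_acceptable(pw: str) -> bool:
    """Manual's rule for the upgrade/encryption password: no spaces or '?', and at least
    three of upper-case, lower-case, digits, special characters.
    Assumption: 'special character' means any non-alphanumeric character."""
    if " " in pw or "?" in pw:
        return False
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw))
    return sum(classes) >= 3


def file_hmac(key: str, data: bytes) -> str:
    """Hex HMAC-SHA256 of the file contents, keyed with the upgrade password.
    Assumption: this is the construction behind the HMACn entries; the manual only
    states that SHA256 is the supported hash algorithm."""
    return hmac.new(key.encode("utf-8"), data, hashlib.sha256).hexdigest()


def build_index(sn: str, esn: str, mac: str, version: str,
                files: List[Tuple[str, str, bytes]], key: Optional[str] = None) -> str:
    """Render a single-device index file in the layout of the manual's Example 2.
    files: (TYPEn, FILENAMEn, contents). HMACn lines are written only when a key is given."""
    lines = ["BEGIN", "[USB CONFIG]", f"SN={sn}", "[UPGRADE INFO]", "OPTION=AUTO",
             "DEVICENUM=1", "[DEVICE1 DESCRIPTION]", "OPTION=OK", f"ESN={esn}",
             f"MAC={mac}", f"VERSION={version}", "DIRECTORY=DEFAULT", f"FILENUM={len(files)}"]
    for n, (ftype, name, data) in enumerate(files, start=1):
        lines.append(f"TYPE{n}={ftype}")
        lines.append(f"FILENAME{n}={name}")
        if key is not None:
            lines.append(f"HMAC{n}={file_hmac(key, data)}")
    lines.append("END")
    return "\n".join(lines) + "\n"


def parse_index(text: str) -> Dict[str, str]:
    """Flatten the KEY=VALUE lines of an index file into a dict; section headers are skipped."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            entries[key.strip()] = value.strip()
    return entries


def verify_index(text: str, files: Dict[str, bytes], key: str,
                 hmac_check: bool = True) -> Tuple[bool, List[str]]:
    """Emulate the device-side acceptance check: every FILENAMEn must be present on the
    drive and, with HMAC check enabled, carry an HMACn that matches the recomputed value.
    Returns (accepted, reasons). A missing HMACn with the check enabled is a failure,
    which is the situation the manual's NOTICE warns about."""
    entries = parse_index(text)
    reasons: List[str] = []
    for n in range(1, int(entries.get("FILENUM", "0")) + 1):
        name = entries.get(f"FILENAME{n}")
        if name is None or name not in files:
            reasons.append(f"FILENAME{n} missing on drive: {name}")
            continue
        if not hmac_check:
            continue
        expected = entries.get(f"HMAC{n}")
        if expected is None:
            reasons.append(f"HMAC{n} absent but HMAC check is enabled")
        elif not hmac.compare_digest(expected, file_hmac(key, files[name])):
            reasons.append(f"HMAC{n} mismatch for {name}")
    return (not reasons, reasons)
```

hmac.compare_digest avoids a timing side channel when the recorded and recomputed digests are compared. A tampered file, a wrong password, a file listed in the index but absent from the drive, or an index that lists files without HMACn entries while HMAC check is enabled all lead to rejection; only the last case is recoverable by disabling the check, which is exactly the trade-off the NOTICE describes.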
V100R001C00 Supported manual upgrade through USB for the first time.
5.17 NQA
This chapter describes the Network Quality Analysis (NQA) mechanism, testing scenarios, and
general parameters and provides examples for configuring NQA.
5.17.1 Overview
The NQA function measures the performance of various protocols running on networks to ensure
that administrators can collect various network running indicators.
Introduction to NQA
As QoS requirements rise, especially now that traditional IP networks carry voice and video
services, Service Level Agreements (SLAs) are commonly signed between broadband service
providers and their subscribers.
To deliver the bandwidth committed in an SLA, broadband service providers need statistics on
network parameters such as delay, jitter, and packet loss ratio, and need to learn about the
performance status of the network in time. The NQA function of the NGFW fulfills these
requirements.
NQA measures the performance of various protocols running on networks to ensure that
broadband service providers can collect various network parameters in real time, for example,
the measurement of total HTTP latency, TCP latency, file transmission rate, and FTP latency.
Through network management based on these parameters, broadband service providers provide
users with services of different levels at different costs.
(Figure: NQA client attached to an IP/MPLS network)
The information about the round trip time of each packet or whether the transmission of a packet
times out is not displayed on the console terminal in real time. You can run the display nqa
results command after the test to display the test result.
You can set the parameters of all NQA operations on the NMS and start the test.
You need to create NQA instances on NQA clients. Each instance is identified by the
administrator who creates the instance and an operation tag.
In an instance view, you need to configure test parameters for related test. Note that not all
parameters apply to every test type.
NQA Server
For most tests, you need to configure only the NQA clients. For TCP, UDP, and Jitter tests,
however, you must configure the NQA server.
The NQA server processes the test packets from the clients. As shown in Figure 5-82, the NQA
server responds to the test request packet initiated by the client through the listening on a specific
port.
Figure 5-82 Relationship between the NQA client and the NQA server
(Figure 5-82 body: NQA client and NQA server connected across an IP/MPLS network)
You can create multiple TCP or UDP listening services on an NQA server. Each listening service
maps a specific destination address and a port. You can specify the same destination address
and port for multiple services.
After creating an instance and configuring related test parameters, start the NQA test by running
the start command, and then run the display nqa results command to display the test result.
5.17.2 Mechanism
For an NQA test, both the NQA client and NQA server are involved. The NQA client sends test
requests to the server to initiate an NQA test. You can use commands to configure NQA
instances or configure the NMS to send relevant configuration instructions to the NGFW. Then,
the NQA module on the NGFW places configured NQA instances into proper test queues for
scheduling.
You can immediately start an NQA instance after it is configured or delay the start for a period
of time, or you can set a specific time point in the future for the NQA instance to automatically
start. After an NQA instance starts, test packets are generated based on the test type of the
instance. If the packet size specified during the configuration of the instance is smaller than the
required minimum size of the packets transmitted through the tested protocol, the minimum
packet size takes effect.
After receiving the test request packet from the client, the NQA server returns a response packet.
Then the client timestamps the received response packet with the current local system time and
sends the packet back to the NQA server. After receiving another response packet from the
server, the client calculates the round-trip time (RTT) of the packet.
NOTE
For a Jitter test instance, both the client and the server timestamp the packet with the local system time of
their own. In this way, the client can calculate the jitter time of the packet.
Based on the RTT of the packet, you can learn about the performance of the tested path.
HTTP Test
An NQA HTTP test is used to test the response speed in three phases. Figure 5-83 shows these
phases.
l DNS resolution: It is the time for the client to receive a DNS resolution packet containing
an IP address after it sends a DNS packet to the resolver for domain name resolution.
l Setting up a TCP connection: It is the time for the client to set up a TCP connection with
the HTTP server through a three-way handshake.
l Transaction: It is the period from the time at which the client sends a GET or POST request to
the HTTP server to the time at which the response sent by the HTTP server reaches the
client.
Through an HTTP test, the following items can be calculated based on the information in the
packets received by the client:
You can use these statistics to assess HTTP performance over the network.
(Figure: HTTP and DNS test topology; NQA client 10.1.1.1/24 and DNS server 10.3.1.1/24 across an IP network)
DNS Test
A DNS test is used to test the DNS resolution speed. The DNS test uses UDP packets. Figure
5-83 shows the process of a DNS test.
1. The client sends a query packet to the DNS server for domain name resolution.
2. After receiving the query packet, the DNS server returns a response packet to the client.
3. After receiving the response packet, the client calculates the time for DNS resolution based
on the time between the sending of the query packet and the receiving of the response packet
on the client. You can use the test result to assess the DNS performance over the network.
FTP Test
An FTP test is used to test the response speed of the FTP server when you download a file from
or upload a file to the server. The FTP test uses TCP packets. You can obtain the response speed
in two phases. Figure 5-84 shows the process of an FTP test.
l Setting up and maintaining a control connection: It is the time that the client uses to set up
a TCP control connection with the FTP server through three-way handshake and
interchanges signals through the control connection.
l Setting up and maintaining a data transmission connection: It is the time that the client uses
to download a file from or upload a file to the FTP server through the data transmission
connection.
Through an FTP test, the following items can be calculated based on the information in the
packets received by the client:
You can use these statistics to assess the FTP performance over the network.
SNMP Test
An SNMP test is used to test the packet transfer rate between a host and an SNMP agent. The
SNMP test uses UDP packets. Figure 5-85 shows the process of an SNMP test.
1. The client sends a request packet to the SNMP agent for obtaining the system time.
2. After receiving the request packet, the SNMP agent queries the system time, constructs a
response packet, and sends the response packet to the client.
After receiving the response packet, the client calculates the packet transfer rate based on
the time between the sending of the request packet and the receiving of the response packet
on the client. You can use the test result to assess the SNMP performance over the network.
TCP Test
A TCP test is used to test the TCP connection rate between a host and a TCP server through a
three-way handshake. Figure 5-86 shows the process of a TCP test.
1. The client (device A) sends a SYN packet to the TCP server (device B).
2. After receiving the TCP SYN packet, the TCP server accepts the request and responds with
a SYN-ACK packet.
3. After receiving the SYN-ACK packet, the client returns an ACK packet to the TCP server.
Then, a TCP connection is established.
The client calculates the TCP connection rate based on the time between the sending of the
SYN packet and the receiving of the SYN-ACK packet on the client. You can use the test
result to assess the TCP performance over the network.
UDP Test
A UDP test is used to test the packet transfer rate between a host and a UDP server. Figure
5-86 shows the process of a UDP test.
1. The client (device A) constructs a UDP packet and sends it to the UDP server (device B).
2. After receiving the UDP packet, the UDP server returns the packet to the client.
After receiving the returned packet, the client calculates the packet transfer rate between
the client and the UDP server based on the time between the sending and receiving of the
packet on the client. You can use the test result to assess the UDP performance over the
network.
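The exchange described in 5.17.2 (the client timestamps a packet when it sends it and again when the echo comes back, and the server returns the packet) and the UDP test above can be reproduced on one host. The following Python script is an added example, not Huawei code: a stand-in UDP echo server plays the NQA server and a probe function plays the client, producing counters that mirror the ones display nqa results reports. The result field names, the 4-byte sequence prefix, the packet size, and the timeouts are assumptions chosen for illustration; the stand-alone run targets 127.0.0.1. A server that stops answering after two packets shows how a lost probe is counted and how the loss percentage is derived.

```python
import socket
import threading
import time
from statistics import mean
from typing import Any, Dict, Tuple


def run_udp_echo_server(count: int, host: str = "127.0.0.1") -> Tuple[int, threading.Thread]:
    """Stand-in for the NQA server: listen on a UDP port chosen by the OS, echo `count`
    test packets back to their sender, then close. Returns (port, thread)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, 0))
    sock.settimeout(5.0)  # do not leave the thread waiting forever
    port = sock.getsockname()[1]

    def serve() -> None:
        try:
            for _ in range(count):
                data, addr = sock.recvfrom(2048)
                sock.sendto(data, addr)  # the server returns the packet unchanged
        except OSError:
            pass
        finally:
            sock.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return port, thread


def udp_probe(dest: str, port: int, probes: int = 3, datasize: int = 64,
              timeout: float = 1.0, interval: float = 0.0) -> Dict[str, Any]:
    """Stand-in for the NQA client: send `probes` UDP test packets, timestamp each on send
    and on receipt of its echo, and summarise the RTTs in the shape of the counters that
    `display nqa results` shows (key names are approximations, not the device's output)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    rtts_ms = []
    timeouts = conn_fail = seq_errors = 0
    try:
        for seq in range(probes):
            # 4-byte sequence number followed by datafill padding up to `datasize` bytes
            payload = seq.to_bytes(4, "big") + b"\x00" * max(0, datasize - 4)
            sent_at = time.perf_counter()
            sock.sendto(payload, (dest, port))
            try:
                data, _ = sock.recvfrom(2048)
            except socket.timeout:
                timeouts += 1          # "Operation timeout number"
                continue
            except OSError:
                conn_fail += 1         # ICMP port unreachable surfaces here on Linux
                continue
            rtt_ms = (time.perf_counter() - sent_at) * 1000.0
            if data[:4] != payload[:4]:
                seq_errors += 1        # "Operation sequence errors number"
                continue
            rtts_ms.append(rtt_ms)
            if interval:
                time.sleep(interval)
    finally:
        sock.close()
    received = len(rtts_ms)
    return {
        "send_operation_times": probes,
        "receive_response_times": received,
        "operation_timeout_number": timeouts,
        "connection_fail_number": conn_fail,
        "operation_sequence_errors_number": seq_errors,
        "completion": "success" if received > 0 else "failed",
        "min_max_avg_ms": (min(rtts_ms), max(rtts_ms), mean(rtts_ms)) if rtts_ms else None,
        "sum_square_sum_ms": (sum(rtts_ms), sum(r * r for r in rtts_ms)) if rtts_ms else None,
        "last_packet_loss_percent": 100.0 * (probes - received) / probes,
    }


if __name__ == "__main__":
    srv_port, _ = run_udp_echo_server(count=3)
    print(udp_probe("127.0.0.1", srv_port))
```

Both sides must agree on the port, which is why the manual requires a listening service to be created on the NQA server for TCP, UDP, and Jitter tests; without it the probes end in timeouts or connection failures rather than RTT samples.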
ICMP Test
An ICMP test is used to test the reachability of the route between the NQA client and NQA
server. The ICMP test is similar to the ping command. However, the output of the test is more
diversified.
l By default, the NGFW stores the results of the latest five tests.
l The test result contains information about average ICMP latency, packet loss ratio, and the
time at which the last packet is correctly received.
1. The client (device A) constructs an ICMP Echo Request packet and then sends it to the
server (device B).
2. After receiving the ICMP Echo Request packet, the server responds with an ICMP Echo Reply
packet.
After receiving the ICMP Echo Reply packet, the client calculates the packet transfer rate
based on the time between the sending of the ICMP Echo Request packet and the receiving
of the ICMP Echo Reply packet. You can use the test result to test the reachability of the
route between the client and server.
Traceroute Test
A Traceroute test is used to detect the forwarding path between the NQA client and a destination
and collect statistics related to the routers along the forwarding path.Figure 5-88 shows the
process of a Traceroute test.
1. The client (device A) constructs a UDP packet with a TTL of 1 and sends it to the destination
(device B).
2. The first-hop router (device C) receives the UDP packet, decrements the TTL to 0, discards
the packet, and returns an ICMP Time Exceeded packet to the client.
3. From the ICMP Time Exceeded packet, the client obtains the IP address of the first-hop router
and sends a new UDP packet with a TTL of 2.
4. The second-hop router (device D) decrements the TTL to 0 and likewise returns an ICMP Time
Exceeded packet.
5. The procedure repeats until a packet reaches the destination (device B), which returns an
ICMP Port Unreachable packet to the client because no application listens on the probed
UDP port.
The client can then obtain the forwarding path from the client to the destination and collect
statistics for each router along the path from the ICMP packet returned by each hop. You can
use these statistics to assess the network performance.
1. In an LSP Ping test, the client constructs a UDP MPLS Echo Request packet destined for
an IP address on network segment 127.0.0.0/8. The client searches for the LDP LSP based
on the specified remote LSR ID and then forwards the packet through the LDP LSP in the
MPLS domain. For the search for a TE LSP, the packet can be sent from a tunnel interface
and then forwarded along a specified CR-LSP.
2. The egress monitors port 3503 and then returns an MPLS Echo Reply packet.
The client can then calculate the packet transfer rate between the client and the egress based
on the time between the sending and receiving of packets. You can use the test results to
assess the network performance.
(Figure: LSP Ping topology; devices A, B, and C across an MPLS backbone with interface addresses 10.1.1.1/24, 10.1.1.2/24, 10.2.1.1/24, and 10.2.1.2/24)
Context
Do as follows on the NQA client:
Procedure
Step 1 Access the system view.
system-view
Step 2 Configure an NQA instance and access the NQA instance view.
nqa test-instance admin-name test-name
Step 5 Optional: Perform the following as required to set other ICMP test parameters.
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the source interface that sends test packets.
source-interface [ interface-type interface-number ]
l Specify the source IP address.
source-address ipv4 ip-address
NOTE
If the destination IP address is in a different network segment from the source IP address, you cannot use
this command. Otherwise, the NQA test fails.
l Set the size (packet header excluded) of the echo request packet.
datasize size
l Set the packet TTL value.
ttl value
ttl equals the -h option in the ping command.
l Set the type of service (ToS) field in the IP packet header.
tos value
tos equals the -tos option in the ping command.
l Configure padding characters.
datafill string
datafill equals the -p option in the ping command.
l Specify the interval for sending the test packets.
interval seconds interval
interval seconds equals the -m option in the ping command.
l Specify the percentage of the failed NQA tests.
fail-percent percent
l Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute
----End
Follow-up Procedure
Run the display nqa results command. If the following output is displayed, the test succeeds.
l testFlag is inactive
l The test is finished
l Completion:success
[NGFW] display nqa results
NQA entry(admin, icmp) :testFlag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.1.1.2
Min/Max/Average Completion Time: 31/46/36
Sum/Square-Sum Completion Time: 108/4038
Last Good Probe Time: 2006-8-2 10:7:11.4
Last Packet Loss 0 %
NOTE
NQA test results cannot be automatically displayed on a terminal. You must run the display nqa results
command to display the test results. The command output contains the test results of only the last five tests.
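Because results are never pushed to the terminal, automating these checks means scraping display nqa results. The following Python script is an added example, not Huawei code: it parses one result entry in the layout shown above and applies the three success conditions of the follow-up procedure (testFlag inactive, test finished, Completion success), and derives packet loss from the send/receive counters so that a result such as the DHCP output later in this chapter, where only two of three probes were answered, is flagged even though Completion reads success. The two sample outputs are constructed, modelled on the ICMP and DHCP results in this chapter; the field names are taken from that layout.

```python
import re
from typing import Any, Dict

# Constructed sample output, modelled on the ICMP result above (values are illustrative).
SAMPLE_ICMP = """\
NQA entry(admin, icmp) :testFlag is inactive ,testtype is icmp
  1 . Test 1 result   The test is finished
    Send operation times: 3           Receive response times: 3
    Completion:success                RTD OverThresholds number: 0
    Attempts number:1                 Drop operation number:0
    Disconnect operation number:0     Operation timeout number:0
    System busy operation number:0    Connection fail number:0
    Operation sequence errors number:0    RTT Stats errors number:0
    Destination ip address:10.1.1.2
    Min/Max/Average Completion Time: 31/46/36
    Sum/Square-Sum Completion Time: 108/4038
    Last Good Probe Time: 2006-8-2 10:7:11.4
    Last Packet Loss 0 %
"""

# Constructed sample in which one of three probes timed out.
SAMPLE_LOSSY = """\
NQA entry(admin, dhcp) :testFlag is inactive ,testtype is dhcp
  1 . Test 1 result   The test is finished
    Send operation times: 3           Receive response times: 2
    Completion:success                RTD OverThresholds number: 0
    Operation timeout number:1        Connection fail number:0
    Destination ip address:10.1.1.3
    Min/Max/Average Completion Time: 1030/1030/1030
"""

HEADER = re.compile(r"NQA entry\(\s*([^,\s]+)\s*,\s*([^)\s]+)\s*\)\s*:\s*"
                    r"testFlag is (\w+)\s*,\s*testtype is (\w+)")
# "Key name: value" pairs; several pairs share one line, so the key is matched lazily.
FIELD = re.compile(r"([A-Za-z][A-Za-z /\-]*?)\s*:\s*(\S+)")
LOSS = re.compile(r"Last Packet Loss\s+(\d+)\s*%")


def _value(raw: str) -> Any:
    """Integers become int; a/b/c counters become a tuple of ints; anything else stays a string."""
    if raw.isdigit():
        return int(raw)
    parts = raw.split("/")
    if len(parts) > 1 and all(p.isdigit() for p in parts):
        return tuple(int(p) for p in parts)
    return raw


def parse_nqa_results(text: str) -> Dict[str, Any]:
    """Parse one `display nqa results` entry into a dict with the header attributes and a
    `fields` mapping of the counter and timing lines."""
    result: Dict[str, Any] = {"finished": False, "fields": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.search(line)
        if m:
            result.update(admin=m.group(1), tag=m.group(2),
                          test_flag=m.group(3), test_type=m.group(4))
            continue
        if "The test is finished" in line:
            result["finished"] = True
            continue
        m = LOSS.search(line)
        if m:
            result["fields"]["Last Packet Loss"] = int(m.group(1))
            continue
        if line.startswith("Last Good Probe Time:"):  # the value itself contains ':'
            result["fields"]["Last Good Probe Time"] = line.split(":", 1)[1].strip()
            continue
        for key, val in FIELD.findall(line):
            result["fields"][key.strip()] = _value(val)
    return result


def nqa_succeeded(result: Dict[str, Any]) -> bool:
    """The three conditions the follow-up procedure lists for a successful test."""
    return (result.get("test_flag") == "inactive" and result["finished"]
            and result["fields"].get("Completion") == "success")


def nqa_loss_percent(result: Dict[str, Any]) -> float:
    """Packet loss derived from the send/receive counters, independent of the Last Packet Loss line."""
    sent = result["fields"].get("Send operation times", 0)
    received = result["fields"].get("Receive response times", 0)
    return 0.0 if not sent else 100.0 * (sent - received) / sent
```

The parser keeps the device's own field names as dictionary keys, so a monitoring job can alert on any counter the chapter describes (timeouts, connection failures, sequence errors) rather than on Completion alone.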
Context
NOTE
You can configure the NGFW as a DHCP server. For details, refer to 8.4 DHCP.
Procedure
Step 1 Access the system view.
system-view
Step 2 Configure an NQA instance and access the NQA instance view.
nqa test-instance admin-name test-name
Step 4 Specify the source interface that sends the DHCP request packet.
source-interface interface-type interface-number
The specified source interface can be an Ethernet interface connected to the DHCP server, an
Eth-Trunk interface, or a Vlanif interface.
Step 5 Optional: Run the following commands to configure other parameters for the DHCP test.
l Set the timeout of the NQA test.
timeout time
NOTE
For the DHCP test, the time between the sending of the probe packet and the receiving of the response
packet may last for 10 seconds. By default, the timeout period is 15 seconds. You are advised to set the
timeout period longer than 10 seconds.
l Set the percentage of the failed NQA test items.
fail-percent percent
----End
Follow-up Procedure
Run the display nqa results command. If the following output is displayed, the test succeeds.
l Number of disconnections from the server and number of timeout disconnection operations.
l Number of times the server being busy and number of failed connections.
l Numbers of operations with incorrect sequences and number of packet discards.
l Number of incorrect statistics collections.
<NGFW> display nqa results
NQA entry(admin, dhcp) :testFlag is inactive ,testtype is dhcp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 2
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:2
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.1.1.3
Min/Max/Average Completion Time: 1030/1030/1030
Sum/Square-Sum Completion Time: 1030/1060900
Last Good Probe Time: 2009-6-2 16:00:2.2
Context
NOTE
If you set the FTP source port, you must set the FTP destination port at the same time. Ensure both ports
are the same.
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
Step 6 Optional: Perform the following operations as required to configure other parameters of the
FTP Download test:
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the FTP source port.
source-port port-number
l Specify the FTP destination port.
destination-port port-number
l Configure the NQA client to send packets without querying the routing table.
sendpacket passroute
NOTE
During the FTP download test, select a file with a relatively small size for the test. If the file is too large,
the test may fail because of timeout.
----End
Follow-up Procedure
Run the display nqa results command. If the following output is displayed, the test succeeds.
l "CtrlConnTime"
l "DataConnTime"
l "SumTime"
<NGFW> display nqa results
NQA entry(admin, ftp) :testFlag is inactive ,testtype is ftp
1 . Test 1 result The test is finished
SendProbe:1 ResponseProb:1
Completion :success RTD OverThresholds number: 0
MessageBodyOctetsSum: 448 Stats errors number: 0
Operation timeout number: 0 System busy operation number:0
Drop operation number:0 Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 438/438/438
DataConnTime Min/Max/Average: 218/218/218
SumTime Min/Max/Average: 656/656/656
Context
NOTE
If you set the FTP source port , set the destination port at the same time. Ensure both ports are the same.
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
Step 6 Optional: Perform the following operations as required to set other parameters for the FTP
upload test:
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the source port.
source-port port-number
l Specify the destination port.
destination-port port-number
l Configure the NQA test client to send test packets without querying the routing table.
sendpacket passroute
l The file name cannot contain characters such as ~, *, /, \, ', and ", but the file path can contain
these characters.
l The file name can include a file name extension but cannot consist of the extension only, such
as .txt.
l Specify the size of the file to be uploaded if necessary.
ftp-filesize size
The client then automatically creates a file named nqa-ftp-test.txt for the upload.
NOTE
During the FTP test, select a file with a relatively small size. If the file is too large, the test may fail because
of timeout.
----End
Follow-up Procedure
Run the display nqa results command. If the following items are displayed, the test succeeds.
l "CtrlConnTime"
l "DataConnTime"
l "SumTime"
<NGFW> display nqa results
NQA entry(admin, ftp) :testFlag is inactive ,testtype is ftp
1 . Test 1 result The test is finished
SendProbe:1 ResponseProb:1
Completion :success RTD OverThresholds number: 0
MessageBodyOctetsSum: 5120 Stats errors number: 0
Operation timeout number: 0 System busy operation number:0
Drop operation number:0 Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 657/657/657
DataConnTime Min/Max/Average: 500/500/500
SumTime Min/Max/Average: 1157/1157/1157
Context
Do as follows on the NQA client (HTTP client):
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
Step 5 Optional: Perform the following operations as required to set other parameters for the HTTP test:
• Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
• Specify the source IP address.
source-address ipv4 ip-address
• Specify the source port.
source-port port-number
• Specify the destination port.
destination-port port-number
Step 7 Specify the name of the web page to be accessed during the test and the HTTP version.
http-url deststring [ verstring ]
NOTE
In the http-url deststring [ verstring ] command, give only the name of the web page. Do not include the http:// prefix or the domain name; otherwise, the test may fail.
If the HTTP version is not specified, HTTP 1.0 is used by default. You can set the HTTP version to HTTP 1.1.
----End
Follow-up Procedure
Run the display nqa results command. If the following output is displayed, the test succeeds.
• "DNSRTT"
• "TCPConnectRTT"
• "TransactionRTT" and "RTT"
<NGFW> display nqa results
NQA entry(admin, http) :testFlag is inactive ,testtype is http
1 . Test 1 result The test is finished
SendProbe:3 ResponseProb:3
Completions: success OverThresholdsnumber: 0
MessageBodyOctetsSum: 0 TargetAddress: 10.2.2.2
DNSQueryError number: 0 HTTPError number: 0
TcpConnError number : 3 System busy operation number:0
DNSRTT Sum/Min/Max:0/0/0 TCPConnectRTT Sum/Min/Max: 7/2/3
TransactionRTT Sum/Min/Max: 11/3/4 RTT Sum/Min/Max: 18/5/7
DNSServerTimeout:0 TCPConnectTimeout:0 TransactionTimeout: 0
Context
Do as follows on the NQA client (DNS client):
Procedure
Step 1 Access the system view.
system-view
Step 3 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
----End
Follow-up Procedure
Run the display nqa results [ admin-name test-name ] command. If the following output is
displayed, the test succeeds.
<NGFW> display nqa results
NQA entry(admin, dns) :testFlag is inactive ,testtype is dns
1 . Test 1 result The test is finished
Send operation times: 1 Receive response times: 1
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.3.1.1
Min/Max/Average Completion Time: 5/5/5
Sum/Square-Sum Completion Time: 5/25
Last Good Probe Time: 2008-9-27 16:21:42.4
Context
Do as follows on the NQA client:
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
Step 5 Perform the following operations as required to set other parameters for the Traceroute test:
• Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
• Specify the maximum number of hop failures.
tracert-hopfailtimes
• Specify the initial TTL and the maximum TTL of the test packets.
tracert-livetime first-ttl first-ttl max-ttl max-ttl
• Set the ToS field in the IP packet header.
tos value
• Specify the source IP address.
source-address ipv4 ip-address
• Specify the destination port.
destination-port port-number
• Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute
Step 6 Start the NQA test.
start
----End
Follow-up Procedure
Run the display nqa results command. If the statistics of each hop are displayed, the test succeeds.
<NGFW> display nqa results
NQA entry(admin, trace) :testFlag is inactive ,testtype is trace
1 . Test 1 result The test is finished
Completion:success Attempts number:1
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Drop operation number:0
Last good path Time:2006-8-5 14:38:58.5
1 . Hop 1
Send operation times: 3 Receive response times: 3
Min/Max/Average Completion Time: 46/47/41
Sum/Square-Sum Completion Time: 125/5349
OverThresholds number: 0
Last Good Probe Time: 2006-8-5 14:38:58.3
Destination ip address:10.1.1.2
2 . Hop 2
Send operation times: 3 Receive response times: 3
Min/Max/Average Completion Time: 31/79/62
Sum/Square-Sum Completion Time: 188/13286
RTD OverThresholds number: 0
Last Good Probe Time: 2006-8-5 14:38:58.5
Destination ip address:10.2.1.2
Context
Do as follows on the NQA client:
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
Step 4 Specify the destination IP address, which is the IP address of the SNMP agent.
destination-address ipv4 ip-address
NOTE
SNMP must be enabled on the destination host. Otherwise, the destination host does not respond to the test packets.
Step 5 Optional: Perform the following operations as required to set other parameters for the SNMP test:
• Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
• Set the source IP address.
source-address ipv4 ip-address
• Specify the source port.
source-port port-number
• Specify the interval for sending test packets.
interval seconds interval
• Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute
----End
Follow-up Procedure
Run the display nqa results [ admin-name test-name ] command. If the following output is
displayed, the test succeeds.
<NGFW> display nqa results
NQA entry(admin, snmp) :testFlag is inactive ,testtype is snmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 63/172/109
Sum/Square-Sum Completion Time: 329/42389
Last Good Probe Time: 2006-8-5 15:33:49.1
Context
Do as follows on the NQA server:
Procedure
Step 1 Access the system view.
system-view
The IP address and port on which the server listens must be the same as those configured on the client.
----End
Context
Do as follows on the NQA client (TCP client):
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
Step 6 Optional: Perform the following operations as required to set other parameters for the TCP test:
• Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
• Specify the source IP address.
source-address ipv4 ip-address
• Specify the source port.
source-port port-number
• Set the interval for sending test packets.
interval seconds interval
• Set the percentage of failed probes at which the NQA test is considered failed.
fail-percent percent
• Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute
The differences between TCP Public tests and TCP Private tests are as follows:
• For TCP Public tests, connection requests are sent to TCP port 7 (the echo service port). You do not need to specify the destination port on the client, but you must configure the server to listen on TCP port 7.
• For TCP Private tests, you must specify the destination port on the client and enable the listening service on that port on the server.
----End
Follow-up Procedure
• Run the display nqa results [ admin-name test-name ] command to display the test results on the NQA client.
• Run the display nqa-server command to display the information about the NQA server.
Run the display nqa results command. If the following output is displayed, the test succeeds.
<NGFW> display nqa results
NQA entry(admin, tcp) :testFlag is inactive ,testtype is tcp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 31/62/51
Sum/Square-Sum Completion Time: 155/8649
Last Good Probe Time: 2009-8-5 15:55:15.3
Context
Do as follows on the NQA server:
Procedure
Step 1 Access the system view.
system-view
NOTICE
The IP address and port listened by the server must be the same as those specified on the client.
----End
Context
Do as follows on the NQA client:
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
Step 6 Optional: Perform the following operations as required to set other parameters for the UDP test:
• Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
• Specify the source IP address.
source-address ipv4 ip-address
• Specify the source port.
source-port port-number
• Specify the interval for sending test packets.
interval seconds interval
• Set the percentage of failed probes at which the NQA test is considered failed.
fail-percent percent
• Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute
The differences between UDP Public tests and UDP Private tests are as follows:
• For UDP Public tests, test packets are sent to UDP port 7 (the echo service port). You do not need to specify the destination port on the client, but you must configure the server to listen on UDP port 7.
• For UDP Private tests, you must specify the destination port on the client and enable the listening service on that port on the server.
----End
Follow-up Procedure
• Run the display nqa results [ admin-name test-name ] command to display the test results on the NQA client.
• Run the display nqa-server command to display the information about the NQA server.
Run the display nqa results command. If the following output is displayed, the test succeeds.
<NGFW> display nqa results
NQA entry(admin, udp) :testFlag is inactive ,testtype is udp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 32/109/67
Sum/Square-Sum Completion Time: 203/16749
Last Good Probe Time: 2009-8-5 16:9:21.6
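The Public/Private distinction for the TCP and UDP tests above comes down to where the server listens: port 7, the echo service, for Public tests, or an administrator-chosen port for Private tests. The Python below is an added example, not code from this guide or from the NGFW: it runs a minimal echo listener in the NQA server role, sends a few probes in the client role, and summarises them the way the CLI does (send and receive counts, Min/Max/Average, completion). It binds an OS-assigned port rather than port 7, because binding port 7 requires privileges, and the rule that a test fails once the share of failed probes reaches fail-percent is an assumption about the fail-percent command, not something the guide states.

```python
import socket
import threading
import time
from statistics import mean

ECHO_PORT = 7  # the fixed target of the Public tests; binding it needs root, so it is not used below


def unused_port(host="127.0.0.1"):
    """Reserve and release a port so the 'nobody listening' case can be demonstrated."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind((host, 0))
        return tmp.getsockname()[1]


def start_echo_server(proto, host="127.0.0.1", port=0):
    """Start a minimal echo listener (the NQA server role); return (port, stop_event).

    port=0 lets the OS choose a free port, standing in for port 7 in this example.
    For a Private-style test pass the port you would configure on the client.
    """
    stop = threading.Event()
    if proto == "tcp":
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind((host, port))
        srv.listen(8)
        srv.settimeout(0.2)

        def serve():
            while not stop.is_set():
                try:
                    conn, _ = srv.accept()
                except socket.timeout:
                    continue
                with conn:
                    data = conn.recv(1024)
                    if data:
                        conn.sendall(data)
            srv.close()
    elif proto == "udp":
        srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        srv.bind((host, port))
        srv.settimeout(0.2)

        def serve():
            while not stop.is_set():
                try:
                    data, peer = srv.recvfrom(1024)
                except socket.timeout:
                    continue
                srv.sendto(data, peer)
            srv.close()
    else:
        raise ValueError("proto must be 'tcp' or 'udp'")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def probe_once(proto, host, port, timeout_s=1.0, payload=b"nqa-probe"):
    """One probe in the NQA client role: round-trip time in ms, or None if it failed.

    TCP measures connect plus echo; UDP measures the datagram out and the echo back.
    A refused connection, a timeout or a corrupted echo all count as a failed probe.
    """
    started = time.perf_counter()
    try:
        if proto == "tcp":
            with socket.create_connection((host, port), timeout=timeout_s) as sock:
                sock.sendall(payload)
                reply = sock.recv(len(payload))
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
                sock.settimeout(timeout_s)
                sock.sendto(payload, (host, port))
                reply, _ = sock.recvfrom(len(payload))
    except OSError:
        return None
    return (time.perf_counter() - started) * 1000 if reply == payload else None


def run_test(proto, host, port, probe_count=3, interval_s=0.0, fail_percent=100):
    """Send probe_count probes and summarise them like 'display nqa results'.

    fail_percent mirrors the fail-percent command; the completion rule used here
    (failed when the share of failed probes reaches fail_percent) is an assumption.
    """
    rtts = []
    for i in range(probe_count):
        if i and interval_s:
            time.sleep(interval_s)
        rtts.append(probe_once(proto, host, port))
    good = [r for r in rtts if r is not None]
    failed_share = 100.0 * (probe_count - len(good)) / probe_count
    return {
        "send": probe_count,
        "receive": len(good),
        "min_max_avg_ms": (min(good), max(good), mean(good)) if good else None,
        "completion": "failed" if failed_share >= fail_percent else "success",
    }


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        port, stop = start_echo_server(proto)
        print(proto, run_test(proto, "127.0.0.1", port, probe_count=3, fail_percent=50))
        stop.set()
```

With no listener on the target port the TCP probes are refused immediately and the UDP probes sit until the timeout, which is the behaviour to expect when the server side of a Private test was never enabled.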
Context
The jitter of two adjacent packets is the difference between the interval at which they are received and the interval at which they were sent; a value of zero means the network preserved the packet spacing.
You can use the maximum, minimum, and average jitter, calculated from the information received on the source, to assess network performance.
In a Jitter test, you can set the number of packets to be sent consecutively, which lets you simulate a certain type of traffic for a short period. For example, you can send 3000 UDP packets at an interval of 20 milliseconds to simulate G.711 traffic.
Procedure
Step 1 Access the system view.
system-view
The IP address and port on which the NQA server listens must be the same as those specified on the client.
NOTE
To improve test accuracy, configure the Network Time Protocol (NTP) on both the client and the server so that their clocks agree.
----End
Context
NOTE
The system supports the collection of the statistics on the maximum unidirectional transmission delay.
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
Step 6 Optional: Perform the following operations as required to set other parameters for the Jitter test:
• Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
• Specify the source IP address.
source-address ipv4 ip-address
• Specify the source port.
source-port port-number
• Set the number of test packets sent in each test.
jitter-packetnum number
The Jitter test collects and analyzes statistics on the transmission delay of UDP packets. The system sends multiple test packets in each test so that the statistics are meaningful: the more packets are sent, the more accurate the statistics, but the longer the test takes.
NOTE
The number of Jitter tests performed depends on the probe-count command, and the number of test packets sent in each test depends on the jitter-packetnum command. When configuring these values, make sure that the number of tests multiplied by the number of packets per test is less than 3000.
• Set the interval for sending test packets.
interval { milliseconds interval | seconds interval }
The shorter the interval, the sooner the test completes. If the interval is too short, however, the result may be inaccurate.
• Set the percentage of failed probes at which the NQA test is considered failed.
fail-percent percent
• Configure the client to send test packets without querying the routing table.
sendpacket passroute
• Specify the version of the Jitter packets, in the system view.
nqa-jitter tag-version { 1 | 2 }
With version 2, after you enable the collection of unidirectional packet loss statistics, you can view the packet loss from the source to the destination, from the destination to the source, and in unknown directions. These statistics help you locate network faults and detect attacks.
----End
Follow-up Procedure
The configurations for jitter tests are complete.
• Run the display nqa results command to display the test results on the NQA client.
• Run the display nqa-server command to display the information about the NQA server.
If the following output is displayed, the jitter test succeeds.
<NGFW> display nqa results test-instance admin jitter
NQA entry(admin, jitter) :testFlag is inactive ,testtype is jitter
1 . Test 1 result The test is finished
SendProbe:100 ResponseProbe:100
Completion :success RTD OverThresholds number:0
OWD OverThresholds SD number:0 OWD OverThresholds DS number:0
Min/Max/Avg/Sum RTT:1/13/2/211 RTT Square Sum:589
NumOfRTT:100 Drop operation number:0
Operation sequence errors number:0 RTT Stats errors number:0
System busy operation number:0 Operation timeout number:0
Min Positive SD:1 Min Positive DS:1
Max Positive SD:1 Max Positive DS:11
Positive SD Number:11 Positive DS Number:22
Positive SD Sum:11 Positive DS Sum:36
Positive SD Square Sum :11 Positive DS Square Sum :154
Min Negative SD:1 Min Negative DS:1
Max Negative SD:1 Max Negative DS:11
Negative SD Number:11 Negative DS Number:20
Negative SD Sum:11 Negative DS Sum:35
Negative SD Square Sum :11 Negative DS Square Sum :157
Max Delay SD:6 Max Delay DS:6
Packet Loss SD:0 Packet Loss DS:0
Packet Loss Unknown:0 Average of Jitter:1
Average of Jitter SD:1 Average of Jitter DS:1
jitter out value:0.1960239 jitter in value:0.5825673
NumberOfOWD:100
OWD SD Sum:10 OWD DS Sum:101
NOTE
If the interval between sending two packets at the source is longer than the interval between receiving them at the destination, the jitter value is negative.
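As an added example that is not code from this guide or from the NGFW, the Python below computes the per-direction jitter statistics that the SD and DS columns above report, from per-packet send and receive timestamps, using the definition in the Context of this section and the sign convention of the NOTE (negative when the send interval exceeds the receive interval). It also checks the probe-count times jitter-packetnum < 3000 constraint before a configuration is applied. The timestamps are constructed (six packets 20 ms apart, one lost). The one-way delay figure assumes the two clocks are synchronized, which is why the guide recommends NTP; the definition used for the average jitter is this example's assumption, since the guide does not say how "Average of Jitter" is computed.

```python
from dataclasses import dataclass

# Constructed sample run: six probes sent 20 ms apart (the G.711-style spacing the
# guide mentions) and their arrival times at the far end; None marks a lost packet.
SENT_MS = [0, 20, 40, 60, 80, 100]
RECEIVED_MS = [5, 27, 45, None, 88, 104]

MAX_JITTER_PACKETS = 3000  # the guide's limit on tests x packets-per-test


@dataclass
class JitterStats:
    packets: int
    lost: int
    pos_count: int
    pos_sum: int
    pos_sq_sum: int
    pos_min: int
    pos_max: int
    neg_count: int
    neg_sum: int
    neg_sq_sum: int
    neg_min: int
    neg_max: int
    max_delay: int


def jitter_series(sent_ms, received_ms):
    """Jitter of each packet against the previous one that arrived, in one direction.

    Sign convention follows the guide's NOTE: the value is negative when the interval
    between two sends is longer than the interval between the two receives.
    Lost packets (None) are skipped, so the next value is measured across the gap.
    """
    values = []
    prev = None
    for sent, received in zip(sent_ms, received_ms):
        if received is None:
            continue
        if prev is not None:
            values.append((received - prev[1]) - (sent - prev[0]))
        prev = (sent, received)
    return values


def jitter_stats(sent_ms, received_ms):
    """Summarise one direction the way the SD/DS columns of 'display nqa results' do."""
    values = jitter_series(sent_ms, received_ms)
    pos = [v for v in values if v > 0]
    neg = [-v for v in values if v < 0]  # the CLI reports negative jitter as a magnitude
    # One-way delay per packet; only meaningful if both clocks are synchronized (NTP).
    delays = [r - s for s, r in zip(sent_ms, received_ms) if r is not None]
    return JitterStats(
        packets=len(sent_ms), lost=received_ms.count(None),
        pos_count=len(pos), pos_sum=sum(pos), pos_sq_sum=sum(v * v for v in pos),
        pos_min=min(pos, default=0), pos_max=max(pos, default=0),
        neg_count=len(neg), neg_sum=sum(neg), neg_sq_sum=sum(v * v for v in neg),
        neg_min=min(neg, default=0), neg_max=max(neg, default=0),
        max_delay=max(delays, default=0),
    )


def average_jitter(stats):
    """Mean jitter magnitude over the non-zero samples (assumed definition)."""
    count = stats.pos_count + stats.neg_count
    return (stats.pos_sum + stats.neg_sum) / count if count else 0.0


def jitter_plan_ok(probe_count, jitter_packetnum):
    """Check the guide's constraint before configuring probe-count and jitter-packetnum."""
    return probe_count * jitter_packetnum < MAX_JITTER_PACKETS


if __name__ == "__main__":
    print(jitter_stats(SENT_MS, RECEIVED_MS))
    print("average jitter:", average_jitter(jitter_stats(SENT_MS, RECEIVED_MS)))
```

Run jitter_stats once with the source-to-destination timestamps and once with the destination-to-source ones to obtain the SD and DS columns respectively.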
5.17.14 Setting the Parameters for an LSP Ping Test in the LDP Tunnel
This section describes how to set the parameters on the NQA client for an LSP Ping test in the
LDP tunnel.
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
Step 5 Optional: Perform the following operations as required to configure other parameters for the LSP Ping test:
• Configure the response mode of the echo packet.
lsp-replymode { no-reply | udp }
NOTE
In a unidirectional LSP Ping test, if lsp-replymode no-reply is configured, no echo reply is returned, so the result always reports the test as failed. If the test actually succeeded, the result shows the packets as timed out; if it actually failed, the result shows them as discarded.
• Specify the source IP address.
source-address ipv4 ip-address
• Specify the packet size.
datasize size
NOTE
The sum of datasize and the packet header size must be less than the MTU of the interface. Otherwise, the test may fail.
• Set the maximum TTL value of the packet.
ttl number
• Set the LSP EXP value.
lsp-exp exp
• Set the padding character of the packet.
datafill fillstring
• Set the interval for sending test packets.
interval seconds interval
• Set the percentage of failed probes at which the NQA test is considered failed.
fail-percent percent
----End
Follow-up Procedure
The configurations of the LSP Ping Test function are complete.
• Run the display nqa results command to display the test results on the NQA client.
• Run the display nqa-server command to display the information about the NQA server.
Run the display nqa results command. If the following output is displayed, the test succeeds.
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name
Step 7 Add the current NQA test instance to the created test group.
join group nqa admin-name test-name
Step 10 Optional: Set the test period for the test group.
group-testperiod period
NOTE
If the test group contains too many tests to complete within the configured period, the group test cannot be started. Set the test period according to the number of tests in the group.
----End
Follow-up Procedure
The configurations of the NQA test group function are complete.
• Run the display nqa results command to display the test results on the NQA client.
<NGFW> display nqa results
NQA entry(admin, test1) :testflag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 1
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
• Run the display nqa-agent command to view the status of the test on the NQA client.
Context
Do as follows on the NQA client:
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the instance view.
nqa test-instance admin-name test-name
Step 3 Perform the following operations as required to set the general parameters:
• Specify the description of the instance.
description string
• Specify the timeout period of the test.
timeout time
• Specify the number of probe packets sent during each test.
probe-count number
NOTE
The number of probe packets per test does not apply to FTP and DNS tests.
• Specify the NQA test interval.
frequency interval
• Prohibit packet fragmentation.
set-df
----End
Follow-up Procedure
The configurations of general NQA test parameters are complete.
• Run the display nqa-agent command to display the configured general parameters on the NQA client.
<NGFW> display nqa-agent
NQA Tests Max:2000 NQA Tests Number: 2
NQA Flow Max:1000 NQA Flow Remained:1000
nqa test-instance a a
test-type pwe3trace
local-pw-id 1
vc-type bgp
nqa status : normal
nqa test-instance a b
test-type icmpjitter
destination-address ipv4 10.1.1.201
source-address ipv4 10.1.1.200
hardware-based enable
ttl 100
tos 100
timeout 20
nqa status : normal
Context
Do as follows on the NQA client:
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the instance view.
nqa test-instance admin-name test-name
----End
Follow-up Procedure
• Run the display nqa-agent [ admin-name operation-tag ] [ verbose ] command to display the configured round-trip delay threshold on the NQA client.
<NGFW> display nqa-agent test jitter verbose
1 NQA entry(admin, icmp):
test type:icmp current flag:inactive
current status:finished current completion:success
start at : no start time end at : no end time
nqa status : normal
configuration :
test-type icmp
threshold rtd 2
send-trap rtd
Context
Do as follows on the NQA client:
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the instance view.
nqa test-instance admin-name test-name
----End
Follow-up Procedure
The configurations of the unidirectional delay threshold are complete.
destination-port 2900
threshold owd-sd 1
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the instance view.
nqa test-instance admin-name test-name
Step 3 Enable the trap function for the NGFW to send trap messages if a test fails.
send-trap
Step 4 Specify the number of failed tests that triggers the sending of the trap message.
test-failtimes times
----End
Procedure
Step 1 Access the system view.
system-view
Step 2 Create an NQA test instance and access the instance view.
nqa test-instance admin-name test-name
Step 3 Enable the trap function for the NGFW to send trap messages when a probe fails.
send-trap probefailure
Step 4 Configure the number of probe failures that triggers the sending of the trap message.
probe-failtimes times
----End
Procedure
Step 1 Access the system view.
system-view
Step 3 Enable the trap function for the NGFW to send a trap message after the NQA test is complete.
send-trap testcomplete
----End
5.17.19.4 Sending Trap Messages When the Transmission Delay Exceeds the Threshold
This section describes how to enable the NGFW to send a trap message when the transmission
delay exceeds the threshold during an NQA test.
Procedure
Step 1 Access the system view.
system-view
Step 3 Enable the trap function for the NGFW to send a trap message when the transmission delay
exceeds the threshold.
send-trap overthreshold
----End
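The trap settings in 5.17.19 (a trap after test-failtimes failed tests, after probe-failtimes failed probes, on test completion, and when the RTT exceeds threshold rtd) are easy to combine so that a real outage never produces a trap. The Python below, added here as an example and not code from this guide or from the NGFW, models those triggers over a sequence of test results so that a chosen configuration can be checked offline before it is applied to an instance. Its assumptions, which the guide does not state: test-failtimes and probe-failtimes count consecutive failures and raise a trap once, when the count is reached; and a test counts as failed when the share of failed probes reaches fail-percent.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class TrapConfig:
    """Per-instance trap settings, named after the commands in this section."""
    rtd_threshold_ms: Optional[int] = None  # threshold rtd
    test_failtimes: int = 1                 # test-failtimes
    probe_failtimes: int = 1                # probe-failtimes
    fail_percent: int = 100                 # fail-percent (assumed: failed at this share of failed probes)
    send_test_failure: bool = False         # send-trap
    send_probe_failure: bool = False        # send-trap probefailure
    send_test_complete: bool = False        # send-trap testcomplete
    send_over_threshold: bool = False       # send-trap overthreshold


@dataclass
class TrapMonitor:
    """Consumes test results and decides which traps the device would send.

    Assumption: the fail-times counters count consecutive failures and a trap is
    raised once, at the moment the configured count is reached.
    """
    cfg: TrapConfig
    consecutive_test_failures: int = 0
    consecutive_probe_failures: int = 0
    traps: List[Tuple[int, str]] = field(default_factory=list)

    def record_test(self, test_no: int, rtts: List[Optional[int]]) -> List[Tuple[int, str]]:
        """Feed one test's probe RTTs in ms (None = no response); return the traps it raised."""
        raised: List[Tuple[int, str]] = []
        failed_probes = 0
        over_threshold = 0
        for rtt in rtts:
            if rtt is None:
                failed_probes += 1
                self.consecutive_probe_failures += 1
                if (self.cfg.send_probe_failure
                        and self.consecutive_probe_failures == self.cfg.probe_failtimes):
                    raised.append((test_no, "probefailure"))
                continue
            self.consecutive_probe_failures = 0
            if self.cfg.rtd_threshold_ms is not None and rtt > self.cfg.rtd_threshold_ms:
                over_threshold += 1
        if self.cfg.send_over_threshold and over_threshold:
            raised.append((test_no, "overthreshold"))
        test_failed = bool(rtts) and 100.0 * failed_probes / len(rtts) >= self.cfg.fail_percent
        if test_failed:
            self.consecutive_test_failures += 1
            if (self.cfg.send_test_failure
                    and self.consecutive_test_failures == self.cfg.test_failtimes):
                raised.append((test_no, "testfailure"))
        else:
            self.consecutive_test_failures = 0
        if self.cfg.send_test_complete:
            raised.append((test_no, "testcomplete"))
        self.traps.extend(raised)
        return raised


if __name__ == "__main__":
    # Constructed run: one clean test, one with a slow probe and two lost probes, one dead.
    monitor = TrapMonitor(TrapConfig(rtd_threshold_ms=50, test_failtimes=2, probe_failtimes=2,
                                     fail_percent=50, send_test_failure=True,
                                     send_probe_failure=True, send_test_complete=True,
                                     send_over_threshold=True))
    for number, rtts in enumerate([[30, 40, 45], [60, None, None], [None, None, None]], start=1):
        print(number, monitor.record_test(number, rtts))
```

Call record_test once per test with its probe RTTs; a configuration that sets test-failtimes higher than the number of tests the monitoring window allows, or leaves send-trap off, shows up immediately as an empty trap list for the failing tests.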
Context
NOTICE
Restarting an NQA test instance interrupts the running of the test.
To restart an NQA test instance, run the following command in the NQA test instance view.
Action Command
Context
NOTICE
NQA statistics cannot be restored after you clear them. Therefore, confirm the action before you
use the command.
To clear NQA statistics, run the following command in the NQA view.
Action Command
Context
Before you enable debugging, run the terminal monitor and terminal debugging commands in the user view to enable the display of terminal information and debugging messages, so that the debugging messages appear on the terminal.
NOTICE
Enabling debugging affects system performance. After debugging, run the undo debugging all command promptly to disable it.
Action Command
Networking Requirements
As shown in Figure 5-90, NGFW_A functions as the NQA client to test whether NGFW_B is reachable.
Figure 5-90: NGFW_A (NQA agent) GE1/0/1 10.1.1.1/24 --- GE1/0/1 10.1.1.2/24 NGFW_B
Configuration Roadmap
1. Perform an ICMP test to check whether packets sent by NGFW_A can reach NGFW_B and to obtain the round-trip time (RTT) of the packets.
Procedure
Step 1 Set the IP addresses.
# Set the IP address for the NGFW_A.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/1] quit
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.
----End
Result
[NGFW_A-nqa-admin-icmp] display nqa results admin icmp
NQA entry(admin, icmp) :testFlag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.1.1.2
Min/Max/Average Completion Time: 31/46/36
Sum/Square-Sum Completion Time: 108/4038
Last Good Probe Time: 2009-8-2 10:7:11.4
Networking Requirements
As shown in Figure 5-91,
• NGFW_B functions as the DHCP server.
• A DHCP test is performed to measure the time the DHCP server takes to assign an IP address to the client (NGFW_A).
Figure 5-91: NGFW_A (NQA agent) GE1/0/1 10.2.1.1/24 --- GE1/0/1 10.2.1.2/24 NGFW_B (DHCP server)
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Set the IP addresses.
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.
----End
Result
[NGFW_A-nqa-admin-dhcp] display nqa results admin dhcp
NQA entry(admin, dhcp) :testFlag is active ,testtype is dhcp
1 . Test 1 result The test is finished
Networking Requirements
As shown in Figure 5-92, NGFW_A serves as the NQA client, and NGFW_B serves as the FTP server. NGFW_A logs in to NGFW_B to download a test file.
Figure 5-92: NGFW_A (FTP client) GE1/0/1 10.1.1.1/24 --- GE1/0/1 10.1.1.2/24 NGFW_B (FTP server)
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Set IP addresses.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/1] quit
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.
----End
Result
After the test, you can run the display nqa results admin ftp command to display the test result.
[NGFW_A-nqa-admin-ftp] display nqa results admin ftp
NQA entry(admin, ftp) :testFlag is inactive ,testtype is ftp
1 . Test 1 result The test is finished
SendProbe:1 ResponseProbe:1
Completion :success RTD OverThresholds number: 0
MessageBodyOctetsSum: 86 Stats errors number: 0
Operation timeout number: 0 System busy operation number:0
Drop operation number:0 Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 50/50/50
DataConnTime Min/Max/Average: 20/20/20
SumTime Min/Max/Average: 70/70/70
Networking Requirements
As shown in Figure 5-93, NGFW_A serves as the FTP client and tests the speed of uploading
a file to the FTP server (NGFW_C).
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Set the IP addresses.
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.
Step 3 Configure reachable routes between NGFW_A and NGFW_C. The detailed procedure is
omitted.
Step 5 Create an FTP instance on NGFW_A and create a 10 KB file for uploading. The FTP username and password configured here are sent to the FTP server unencrypted, because FTP provides no transport protection, so use a dedicated test account with minimal privileges on the server.
<NGFW_A> system-view
[NGFW_A] nqa test-instance admin ftp
[NGFW_A-nqa-admin-ftp] test-type ftp
[NGFW_A-nqa-admin-ftp] destination-address ipv4 10.2.1.2
[NGFW_A-nqa-admin-ftp] source-address ipv4 10.1.1.1
[NGFW_A-nqa-admin-ftp] ftp-operation put
[NGFW_A-nqa-admin-ftp] ftp-username user1
[NGFW_A-nqa-admin-ftp] ftp-password hello@123
[NGFW_A-nqa-admin-ftp] ftp-filesize 10
----End
Result
• You can run the display nqa results admin ftp command on NGFW_A to display the test result.
[NGFW_A-nqa-admin-ftp] display nqa results admin ftp
NQA entry(admin, ftp) :testFlag is inactive ,testtype is ftp
1 . Test 1 result The test is finished
SendProbe:1 ResponseProbe:1
Completion :success RTD OverThresholds number: 0
MessageBodyOctetsSum: 86 Stats errors number: 0
Operation timeout number: 0 System busy operation number:0
Drop operation number:0 Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 50/50/50
DataConnTime Min/Max/Average: 20/20/20
SumTime Min/Max/Average: 70/70/70
Networking Requirements
As shown in Figure 5-94, the NGFW connects to the HTTP server through the WAN. Perform an HTTP test to measure the response speed of the HTTP server.
Figure 5-94: NGFW GE1/0/1 10.1.1.1/24 --- IP network --- HTTP server
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the NGFW as an NQA client.
2. Create an HTTP instance and start the HTTP test on the NGFW to check whether the NGFW can set up a connection with the HTTP server and to obtain the time for transferring a file between the NGFW and the HTTP server.
Procedure
Step 1 Set the IP address.
<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[NGFW-GigabitEthernet1/0/1] quit
Step 2 Add interface to corresponding security zone and configure security policy between security
zones. Details are omitted.
Step 3 Create an HTTP instance on NGFW.
<NGFW> system-view
[NGFW] nqa test-instance admin http
----End
Result
After the test, you can run the display nqa results admin http command to display the test
result.
[NGFW-nqa-admin-http] display nqa results admin http
NQA entry(admin, http) :testFlag is inactive ,testtype is http
1 . Test 1 result The test is finished
SendProbe:3 ResponseProbe:0
Completions: failed RTD OverThresholdsnumber: 0
MessageBodyOctetsSum: 0 TargetAddress: 10.2.1.1
DNSQueryError number: 0 HTTPError number: 0
TcpConnError number : 0 System busy operation number:0
DNSRTT Sum/Min/Max:0/0/0 TCPConnectRTT Sum/Min/Max: 0/0/0
TransactionRTT Sum/Min/Max: 0/0/0 RTT Sum/Min/Max: 0/0/0
DNSServerTimeout:0 TCPConnectTimeout:3 TransactionTimeout: 0
Networking Requirements
As shown in Figure 5-95, the NGFW functions as a DNS client and accesses the host at 10.2.1.1/24 using the domain name example.com.
Figure 5-95: NGFW GE1/0/1 10.1.1.1/24 --- IP network --- DNS server 10.3.1.1/24
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Set the IP address.
<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[NGFW-GigabitEthernet1/0/1] quit
Step 2 Add interface to corresponding security zone and configure security policy between security
zones. Details are omitted.
Step 3 Configure reachable routes between the NGFW, the DNS server, and the host to be accessed.
(The detailed procedure is omitted.)
Step 4 Create a DNS instance.
<NGFW> system-view
[NGFW] dns server 10.3.1.1
[NGFW] nqa test-instance admin dns
[NGFW-nqa-admin-dns] test-type dns
[NGFW-nqa-admin-dns] dns-server ipv4 10.3.1.1
[NGFW-nqa-admin-dns] destination-address url example.com
----End
Result
After the test, you can run the display nqa results admin dns command to display the test result.
[NGFW-nqa-admin-dns] display nqa results admin dns
NQA entry(admin, dns) :testFlag is inactive ,testtype is dns
1 . Test 1 result The test is finished
Send operation times: 1 Receive response times: 1
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address: 10.3.1.1
Min/Max/Average Completion Time: 1/1/1
Sum/Square-Sum Completion Time: 1/1
Last Good Probe Time: 2009-9-3 10:52:5.7
Networking Requirements
As shown in Figure 5-96, NGFW_A connects to NGFW_C through NGFW_B and serves as
the NQA client. Perform the traceroute test on NGFW_A to trace the routing path to
GigabitEthernet 1/0/1 on NGFW_C.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Set the IP addresses.
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.
Step 3 Configure reachable routes between NGFW_A and NGFW_C. (The detailed procedure is
omitted.)
Step 4 Create a traceroute instance on NGFW_A and set the destination IP address of the test packets
to 10.2.1.2.
<NGFW_A> system-view
[NGFW_A] nqa test-instance admin trace
[NGFW_A-nqa-admin-trace] test-type trace
[NGFW_A-nqa-admin-trace] destination-address ipv4 10.2.1.2
----End
Result
After the test, you can run the display nqa results admin trace command on NGFW_A to
display the test result.
[NGFW_A-nqa-admin-trace] display nqa results admin trace
NQA entry(admin, trace) :testFlag is inactive ,testtype is trace
1 . Test 1 result The test is finished
Completion:success Attempts number:1
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Drop operation number:0
Last good path Time:2009-8-5 14:38:58.5
1 . Hop 1
Send operation times: 3 Receive response times: 3
Min/Max/Average Completion Time: 46/47/41
Sum/Square-Sum Completion Time: 125/5349
RTD OverThresholds number: 0
Last Good Probe Time: 2009-8-5 14:38:58.3
Destination ip address:10.1.1.2
2 . Hop 2
Send operation times: 3 Receive response times: 3
Min/Max/Average Completion Time: 31/79/62
Sum/Square-Sum Completion Time: 188/13286
RTD OverThresholds number: 0
Last Good Probe Time: 2009-8-5 14:38:58.5
Destination ip address:10.2.1.2
Networking Requirements
As shown in Figure 5-97, NGFW_C functions as an SNMP agent. An SNMP test is required to measure, on NGFW_A, the time between sending a query packet and receiving the reply packet.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Set the IP addresses.
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.
Step 3 Configure reachable routes between NGFW_A and NGFW_C. (The detailed procedure is
omitted.)
----End
Result
After the test, you can run the display nqa results admin snmp command to display the test
result.
[NGFW_A-nqa-admin-snmp] display nqa results admin snmp
NQA entry(admin, snmp) :testFlag is inactive ,testtype is snmp
1 . Test 1 result The test is finished
Networking Requirements
As shown in Figure 5-98, NGFW_A connects to NGFW_C through NGFW_B. Start the TCP
Private test on NGFW_A to test the time for NGFW_A to establish a TCP connection with
NGFW_C.
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure NGFW_A as the NQA client and NGFW_C as the NQA server.
2. Configure the listening port on the NQA server and create a TCP instance on the NQA
client.
Procedure
Step 1 Set the IP addresses.
# Set the IP address for the NGFW_A.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.
Step 3 Configure reachable routes between NGFW_A and NGFW_C. (The detailed procedure is
omitted.)
# Set the IP address and port on which the NQA server listens.
<NGFW_C> system-view
[NGFW_C] nqa-server tcpconnect 10.2.1.2 9000
----End
Result
After the test, you can run the display nqa results admin tcp command to display the test result.
[NGFW_A-nqa-admin-tcp] display nqa results admin tcp
NQA entry(admin, tcp) :testFlag is inactive ,testtype is tcp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 46/63/52
Sum/Square-Sum Completion Time: 156/8294
Last Good Probe Time: 2009-8-5 15:53:17.8
Networking Requirements
As shown in Figure 5-99, NGFW_A connects to NGFW_C through NGFW_B. Start a UDP Public test to measure the round-trip time of UDP packets transmitted between NGFW_A and NGFW_C.
Configuration Roadmap
1. NGFW_A functions as the NQA client and NGFW_C functions as the NQA server.
2. Configure the listening port on the NQA server and create a UDP test instance on the NQA
client.
Procedure
Step 1 Set the IP addresses.
# Set the IP address for the NGFW_A.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/2] quit
<NGFW_C> system-view
[NGFW_C] interface GigabitEthernet 1/0/2
[NGFW_C-GigabitEthernet1/0/2] ip address 10.2.1.2 24
[NGFW_C-GigabitEthernet1/0/2] quit
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.
Step 3 Configure reachable routes between NGFW_A and NGFW_C. (The detailed procedure is
omitted.)
# Set the IP address and port on which the NQA server listens.
<NGFW_C> system-view
[NGFW_C] nqa-server udpecho 10.2.1.2 6000
----End
Result
After the test, you can run the display nqa results admin udp command to display the test
result.
[NGFW_A-nqa-admin-udp] display nqa results admin udp
NQA entry(admin, udp) :testFlag is inactive ,testtype is udp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 32/109/67
Sum/Square-Sum Completion Time: 203/16749
Last Good Probe Time: 2009-8-5 16:9:21.6
5.17.21.11 Example for Performing an LSP Ping Test in the LDP Tunnel
This section provides an example on how to perform an LSP Ping test on an intermediate device
to test the LSP connectivity between the other two devices.
Networking Requirements
As shown in Figure 5-100, NGFW_A connects to NGFW_C through NGFW_B.
- OSPF runs on NGFW_A, NGFW_B, and NGFW_C, and the three NGFWs learn the host routes to each other's loopback interfaces.
- MPLS and MPLS LDP are enabled on NGFW_A, NGFW_B, and NGFW_C.
- MPLS and MPLS LDP are enabled on the interfaces connecting NGFW_A, NGFW_B, and NGFW_C to trigger the establishment of an LDP tunnel.
It is required to perform an LSP Ping test to check the connectivity of the LSP between
NGFW_A and NGFW_C.
Figure 5-100 Networking diagram (OSPF area 0): NGFW_A (GE1/0/2, 10.1.1.1/24) connects to NGFW_B (GE1/0/2, 10.1.1.2/24; GE1/0/1, 10.2.1.1/24), which connects to NGFW_C (GE1/0/2, 10.2.1.2/24).
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure NGFW_A as the NQA client.
2. Configure NGFW_C as the NQA server.
3. Create an LSP Ping test instance on NGFW_A.
Procedure
Step 1 Set the IP addresses.
# Set the IP address for the NGFW_A.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/2] quit
[NGFW_A] interface LoopBack 1
[NGFW_A-LoopBack1] ip address 10.10.1.9 32
[NGFW_A-LoopBack1] quit
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.
Step 3 Configure reachable routes between NGFW_A and NGFW_C. (The detailed procedure is
omitted.)
# Enable the NQA client and create an LSP Ping instance for the test in the LDP tunnel.
<NGFW_A> system-view
[NGFW_A] nqa test-instance admin lspping
[NGFW_A-nqa-admin-lspping] test-type lspping
[NGFW_A-nqa-admin-lspping] lsp-type ipv4
[NGFW_A-nqa-admin-lspping] destination-address ipv4 10.10.3.9 lsp-masklen 32
----End
Result
After the test, you can run the display nqa results admin lspping command to display the test
result.
[NGFW_A-nqa-admin-lspping] display nqa results admin lspping
NQA entry(admin, lspping) :testFlag is inactive ,testtype is lspping
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.10.3.9
Min/Max/Average Completion Time: 1/1/1
Sum/Square-Sum Completion Time: 3/3
Last Good Probe Time: 2010-10-30 15:32:56.1
Networking Requirements
As shown in Figure 5-101, NGFW_A connects to NGFW_C through NGFW_B and functions
as the NQA client. It is required to test whether NGFW_B and NGFW_C are reachable.
Figure 5-101 Networking diagram: NGFW_A (GE1/0/2, 10.1.1.1/24) connects to NGFW_B (GE1/0/2, 10.1.1.2/24; GE1/0/1, 10.2.1.1/24), which connects to NGFW_C (GE1/0/2, 10.2.1.2/24); the test2 label marks the path to NGFW_C.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Set the IP addresses.
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.
Step 3 Configure reachable routes between NGFW_A and NGFW_C. (The detailed procedure is
omitted.)
Step 5 Create test instances admin test1 and admin test2 on NGFW_A to respectively check the
connectivity between NGFW_A, NGFW_B, and NGFW_C.
[NGFW_A] nqa test-instance admin test1
[NGFW_A-nqa-admin-test1] test-type icmp
[NGFW_A-nqa-admin-test1] join group nqa group icmp
[NGFW_A-nqa-admin-test1] destination-address ipv4 10.1.1.2
[NGFW_A-nqa-admin-test1] quit
[NGFW_A] nqa test-instance admin test2
[NGFW_A-nqa-admin-test2] test-type icmp
[NGFW_A-nqa-admin-test2] join group nqa group icmp
[NGFW_A-nqa-admin-test2] destination-address ipv4 10.2.1.2
[NGFW_A-nqa-admin-test2] quit
Step 6 Return to the test group view and configure the test to start in 10 seconds.
[NGFW_A] nqa test-instance group icmp
[NGFW_A-nqa-group-icmp] start delay seconds 10
# Run the display nqa-agent command on NGFW_A to display the status of the test group and
the member test instances on the client.
[NGFW_A-nqa-group-icmp] display nqa-agent
NQA Tests Max:2000 NQA Tests Num:3
NQA Concurrent Requests Max:1000 NQA Concurrent Requests Num:1
NQA Jitter Concurrent Max:5 NQA Jitter Concurrent Num:0
NQA icmp Concurrent Max:50 NQA icmp Concurrent Num:1
NQA Trace Concurrent Max:50 NQA Trace Concurrent Mum:0
1 NQA entry(admin, test1):
test type:icmp current flag:inactive
current status:no start current completion:no result
start at : no start time end at : no end time
nqa status : group member, belong to group : group icmp
2 NQA entry(admin, test2):
test type:icmp current flag:inactive
current status:no start current completion:no result
start at : no start time end at : no end time
nqa status : group member, belong to group : group icmp
3 NQA entry(group, icmp):
test type:icmp current flag:active
current status:no start current completion:NA
start at : 2009-8-24 14:35:34 end at : no end time
nqa status : group leader, group members number : 2
----End
Result
Twenty seconds after the test, you can run the display nqa results command to display the test
results.
[NGFW_A-nqa-admin-icmp] display nqa results
NQA entry(admin, test1) :testFlag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.1.1.2
Min/Max/Average Completion Time: 30/50/36
Sum/Square-Sum Completion Time: 110/4300
Last Good Probe Time: 2009-8-24 14:35:43.2
NQA entry(admin, test2) :testFlag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 50/60/53
Sum/Square-Sum Completion Time: 160/8600
Last Good Probe Time: 2009-8-24 14:35:53.2
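The result blocks in this section share one layout: two key: value pairs per line, an entry header per instance, and Sum/Square-Sum counters from which the spread of the completion times can be recovered. The parser below is an added example, not part of the Huawei document; SAMPLE is a constructed copy of the test-group output above, with the test2 entry altered to show a dropped probe, and the health rule (completion success, every probe answered, all failure counters zero) is this example's own choice.

```python
"""Parse 'display nqa results' output and derive per-instance health and jitter.

Added example, not part of the Huawei document. SAMPLE is constructed from the
test-group output on the page; the test2 entry is altered to show a dropped probe.
"""
from __future__ import annotations

import math
import re
from dataclasses import dataclass, field

# Two "key: value" pairs share a line; keys contain spaces, '/' and '-'.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z/\- ]*?)\s*:\s*(\S+)")
ENTRY_RE = re.compile(
    r"NQA entry\((\w+), (\w+)\)\s*:testFlag is (\w+)\s*,testtype is (\w+)")

# Counters whose non-zero value means a probe did not complete cleanly.
FAILURE_COUNTERS = (
    "Drop operation number", "Operation timeout number",
    "Connection fail number", "Disconnect operation number",
    "System busy operation number", "Operation sequence errors number",
    "RTT Stats errors number",
)


@dataclass
class NqaResult:
    admin: str
    name: str
    test_type: str
    fields: dict[str, str] = field(default_factory=dict)

    def count(self, key: str) -> int:
        return int(self.fields.get(key, "0"))

    def failures(self) -> int:
        return sum(self.count(k) for k in FAILURE_COUNTERS)

    def healthy(self) -> bool:
        sent = self.count("Send operation times")
        got = self.count("Receive response times")
        return (self.fields.get("Completion") == "success"
                and sent == got > 0 and self.failures() == 0)

    def rtt_stats(self) -> tuple[float, float]:
        """Mean and standard deviation of the completion time, recovered from the
        Sum/Square-Sum counters over the received probes: var = E[x^2] - E[x]^2."""
        n = self.count("Receive response times")
        total, sq_total = (int(v) for v in
                           self.fields["Sum/Square-Sum Completion Time"].split("/"))
        mean = total / n
        return mean, math.sqrt(max(sq_total / n - mean * mean, 0.0))


def parse_nqa_results(text: str) -> list[NqaResult]:
    results: list[NqaResult] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            results.append(NqaResult(m.group(1), m.group(2), m.group(4)))
            results[-1].fields["testFlag"] = m.group(3)
            continue
        if not results:
            continue  # text before the first entry header
        if line.startswith("Last Good Probe Time:"):
            # The timestamp holds spaces and colons, so it bypasses PAIR_RE.
            results[-1].fields["Last Good Probe Time"] = line.split(":", 1)[1].strip()
            continue
        for key, value in PAIR_RE.findall(line):
            results[-1].fields[key.strip()] = value
    return results


def unhealthy_instances(text: str) -> list[str]:
    """Names of the instances a monitoring job should alert on."""
    return [f"{r.admin} {r.name}" for r in parse_nqa_results(text) if not r.healthy()]


SAMPLE = """\
NQA entry(admin, test1) :testFlag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.1.1.2
Min/Max/Average Completion Time: 30/50/36
Sum/Square-Sum Completion Time: 110/4300
Last Good Probe Time: 2009-8-24 14:35:43.2
NQA entry(admin, test2) :testFlag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 2
Completion:failed RTD OverThresholds number: 0
Attempts number:1 Drop operation number:1
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 50/60/55
Sum/Square-Sum Completion Time: 110/6100
Last Good Probe Time: 2009-8-24 14:35:53.2
"""
```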
5.17.21.13 Example for Sending a Trap Message When the Transmission Time Exceeds the Threshold
This section provides an example on how to enable the NGFW to send trap messages to the
NMS when the transmission time exceeds the threshold.
Prerequisites
The NGFW can communicate with the NMS.
Networking Requirements
As shown in Figure 5-102, NGFW_A connects to NGFW_C through NGFW_B. Create a jitter
instance, set the transmission delay threshold, and enable the trap function. After the jitter test,
if the transmission time of the test packet from NGFW_A to NGFW_C (or from NGFW_C to
NGFW_A) exceeds the specified threshold for unidirectional transmission, or the round trip time
of the test packet exceeds the specified threshold, NGFW_A sends a trap message to the NM
station. Based on the received trap message, you can know the cause of the trap message.
Figure 5-102 Networking diagram of enabling the trap function when the transmission delay exceeds the threshold: NGFW_A (GE1/0/2, 10.1.1.1/24; GE1/0/1, 10.1.2.1/24) connects to the NM station (10.1.2.2/24) and to NGFW_B (GE1/0/2, 10.1.1.2/24; GE1/0/1, 10.1.3.1/24), which connects to NGFW_C, the NQA server (GE1/0/2, 10.1.3.2/24).
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Set the IP addresses.
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.
Step 3 Configure reachable routes between NGFW_A and NGFW_C. (The detailed procedure is
omitted.)
# Configure NGFW_C as the NQA server and set the IP address and port of the NQA server for
listening UDP services.
<NGFW_C> system-view
[NGFW_C] nqa-server udpecho 10.1.3.2 9000
# Configure NGFW_A as the NQA client and create a jitter instance on NGFW_A.
<NGFW_A> system-view
[NGFW_A] nqa test-instance admin jitter
[NGFW_A-nqa-admin-jitter] test-type jitter
[NGFW_A-nqa-admin-jitter] destination-address ipv4 10.1.3.2
[NGFW_A-nqa-admin-jitter] destination-port 9000
# Set the uni-directional transmission (from the destination to the source) delay threshold on
NGFW_A.
[NGFW_A-nqa-admin-jitter] threshold owd 100
Step 7 Configure the NGFW to send traps to the NMS through SNMPv3 and keep the default values for the other parameters.
[NGFW_A] snmp-agent trap enable
[NGFW_A] snmp-agent target-host trap address udp-domain 10.1.2.2 params securityname v3user@123 v3 privacy
[NGFW_A-nqa-admin-jitter] quit
[NGFW_A] quit
----End
Result
After the test, you can run the display nqa results admin jitter command to display the test
result.
- When the RTD exceeds 20 seconds or the OWD exceeds 100 seconds, the NMS receives trap messages. To check the trap messages, choose Resource > Fault Manage > Current Alarms in the NMS main menu.
5.18 LLDP
The Link Layer Discovery Protocol (LLDP) provides a link-layer network discovery mechanism for tracking and rapidly learning Layer 2 network topology changes.
5.18.1 Overview
LLDP is the neighbor discovery protocol defined in IEEE 802.1AB. With LLDP, the Network Management System (NMS) can rapidly learn the current network topology and its changes even as the network grows quickly.
LLDP provides a standard link-layer discovery mechanism: the local device organizes its main capabilities, management address, device identifier, and interface identifier into Type/Length/Value (TLV) structures, encapsulates them in Link Layer Discovery Protocol Data Units (LLDPDUs), and advertises the LLDPDUs to its directly connected neighbors. The neighbors store the received information in the standard Management Information Base (MIB), where the NMS can read it to check and analyze the communication status of the links.
Context
NOTE
The LLDP function takes effect only after being enabled both globally and on appropriate interfaces. By
default, the LLDP function is disabled both globally and on appropriate interfaces.
When LLDP is enabled globally, the function on the interfaces is automatically enabled.
Procedure
Step 1 Access the system view.
system-view
lldp enable
----End
Context
The LLDP working modes are categorized into:
Procedure
Step 1 Access the system view.
system-view
----End
Context
NOTE
Procedure
Step 1 Access the system view.
system-view
----End
Context
The TLV is the unit that makes up an LLDPDU; each TLV carries one piece of information. The TLVs that LLDP can encapsulate are basic TLVs, TLVs defined in IEEE 802.1, and TLVs defined in IEEE 802.3. Basic TLVs are the foundation of network device management.
Basic TLVs comprise several TLV types that are mandatory for implementing LLDP and must be advertised in every LLDPDU.
The TLVs defined in IEEE 802.1 and IEEE 802.3 enhance the management of network devices; whether to send them in LLDPDUs is up to you.
The TLVs defined in IEEE 802.1 and IEEE 802.3 carry additional information, such as the VLAN ID and interface speed.
Procedure
Step 1 Access the system view.
system-view
----End
Context
The management address must be a legal unicast IP address of the device. If no address, or an invalid one, is specified, the NGFW automatically selects an IP address as the LLDP management address, in this order: the smallest IP address of the loopback interfaces, then the smallest IP address of the VLANIF interfaces, then the smallest IP address of the physical interfaces. If no IP address is found, the bridge MAC address of the NGFW is used as the management address.
Procedure
Step 1 Access the system view.
system-view
----End
Context
NOTICE
Both the LLDP packet sending interval and delay should be shorter than the TTL. Otherwise,
the neighbor device cannot receive the LLDP packets sent by the NGFW after the information
about the NGFW ages on the neighbor device.
Procedure
Step 1 Access the system view.
system-view
Step 2 Configure the number of LLDP packets rapidly sent by the NGFW to a neighbor node. The
default value is 3.
The number of packets rapidly sent is the value of count, that is, the number of packets
consecutively sent from an interface to the neighbor node when the working mode of the interface
changes from disable or rx to tx or txrx.
NOTE
The TTL in the TTL TLV carried by an LLDP packet sent by the local NGFW specifies the aging time of
the information about the local NGFW on the neighbor device. Its value is the TTL multiplier multiplied
by the interval at which an LLDP packet is sent (Formula: TTL = TTL multiplier x interval at which an
LLDP packet is sent). The maximum value is 65535. Therefore, you can set the aging time of the
information about the local NGFW on the neighbor device by specifying the TTL multiplier.
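Decoding an LLDPDU and checking the TTL arithmetic, as an added example that is not code from the document or from the NGFW: the parser enforces the basic-TLV order required by the TLV section above (Chassis ID, Port ID, TTL first; End of LLDPDU last), and timers_consistent applies the NOTICE that the send interval and delay must both stay below the TTL. The sample frame is constructed from the neighbor values shown in this chapter's configuration verification output (chassis MAC 0022-a103-6079, port GigabitEthernet1/0/2, TTL 120, SysName NGFW_B, management address 10.16.39.221); the System Description text is a constructed placeholder.

```python
"""Decode an LLDPDU into TLVs, enforce the 802.1AB mandatory-TLV rules, and
check the TTL = multiplier x interval arithmetic.

Added example, not part of the Huawei document or its LLDP implementation.
SAMPLE_LLDPDU is constructed from the neighbor values shown on the page.
"""
from __future__ import annotations

TTL_MAX = 65535  # upper bound of the 16-bit TTL field, as the note states


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type, 9-bit length, then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("type or length out of range")
    return ((tlv_type << 9) | len(value)).to_bytes(2, "big") + value


def lldp_ttl(multiplier: int, interval: int) -> int:
    """TTL advertised in the TTL TLV: multiplier x send interval, capped at 65535."""
    return min(multiplier * interval, TTL_MAX)


def timers_consistent(multiplier: int, interval: int, delay: int) -> bool:
    """The NOTICE: both the send interval and the delay must be shorter than the
    TTL, or the neighbor ages our entry out before the next LLDPDU arrives."""
    ttl = lldp_ttl(multiplier, interval)
    return interval < ttl and delay < ttl


def parse_lldpdu(pdu: bytes) -> dict:
    tlvs: list[tuple[int, bytes]] = []
    pos = 0
    while pos + 2 <= len(pdu):
        header = int.from_bytes(pdu[pos:pos + 2], "big")
        tlv_type, length = header >> 9, header & 0x1FF
        value = pdu[pos + 2:pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated TLV")
        tlvs.append((tlv_type, value))
        pos += 2 + length
        if tlv_type == 0:
            break
    # Basic TLVs every LLDPDU must carry, in this order: Chassis ID (1),
    # Port ID (2), TTL (3) first, End of LLDPDU (0) last.
    types = [t for t, _ in tlvs]
    if types[:3] != [1, 2, 3] or types[-1] != 0:
        raise ValueError(f"mandatory TLV order violated: {types}")
    info: dict = {"tlv_types": types}
    for tlv_type, v in tlvs:
        if tlv_type == 1 and v[0] == 4:            # Chassis ID, subtype 4 = MAC address
            info["chassis_id"] = ":".join(f"{b:02x}" for b in v[1:])
        elif tlv_type == 2 and v[0] == 5:          # Port ID, subtype 5 = interface name
            info["port_id"] = v[1:].decode()
        elif tlv_type == 3:
            info["ttl"] = int.from_bytes(v, "big")
        elif tlv_type == 5:
            info["sys_name"] = v.decode()
        elif tlv_type == 6:                        # System Description: software version is exposed here
            info["sys_desc"] = v.decode()
        elif tlv_type == 8:                        # Management Address
            addr_len = v[0]                        # counts the subtype byte too
            if v[1] == 1:                          # address subtype 1 = IPv4
                info["mgmt_addr"] = ".".join(str(b) for b in v[2:1 + addr_len])
            if_pos = 1 + addr_len
            info["if_subtype"] = v[if_pos]         # 3 = system port number
            info["if_number"] = int.from_bytes(v[if_pos + 1:if_pos + 5], "big")
    return info


def lldpdu_problem(pdu: bytes) -> str:
    """Empty string when the PDU is well formed, else the reason it was rejected."""
    try:
        parse_lldpdu(pdu)
        return ""
    except ValueError as exc:
        return str(exc)


# Constructed frame mirroring the neighbor shown on the page (TTL 120 = 4 x 30 s).
CHASSIS_MAC = bytes.fromhex("0022a1036079")
MGMT_ADDR = bytes([10, 16, 39, 221])
SAMPLE_LLDPDU = (
    tlv(1, b"\x04" + CHASSIS_MAC)
    + tlv(2, b"\x05GigabitEthernet1/0/2")
    + tlv(3, lldp_ttl(4, 30).to_bytes(2, "big"))
    + tlv(5, b"NGFW_B")
    + tlv(6, b"NGFW_B Huawei Versatile Routing Platform Software")   # placeholder text
    + tlv(8, bytes([5, 1]) + MGMT_ADDR + bytes([3]) + (386).to_bytes(4, "big") + b"\x00")
    + tlv(0, b"")
)
```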
Step 6 Enable the checks in polling mode and specify the check interval.
----End
Context
NOTICE
LLDP statistics cannot be restored after you clear them. Therefore, ensure that the statistics to be cleared are no longer needed.
To clear the information, run the following command in the user view.
During routine maintenance, you can run the following commands in all views to display the
configurations.
Action | Command
Display the current LLDP status of the interface. | display lldp local [ interface interface-type interface-number ]
Networking Requirements
As shown in Figure 5-103, NGFW_A connects to NGFW_B and the NMS respectively through
GigabitEthernet 1/0/2 and GigabitEthernet 1/0/1. The LLDP function is configured on both
NGFW_A and NGFW_B, so that the network administrator can check the status of the links
connected to NGFW_A.
Procedure
Step 1 Set the IP addresses.
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.
Step 3 Configure the LLDP function on NGFW_A. Enable the function on GigabitEthernet 1/0/2 and
set the working mode of LLDP to rx. In this way, NGFW_A receives only the LLDP packets
from neighbor nodes.
<NGFW_A> system-view
[NGFW_A] lldp enable
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.16.39.220 24
[NGFW_A-GigabitEthernet1/0/2] lldp state rx
[NGFW_A-GigabitEthernet1/0/2] quit
[NGFW_A] lldp management-address 10.16.39.220
Step 4 Configure the LLDP function on NGFW_B. Enable the function on GigabitEthernet 1/0/2 and
set the working mode of LLDP to tx. In this way, NGFW_B sends LLDP packets only to neighbor
nodes.
<NGFW_B> system-view
[NGFW_B] lldp enable
[NGFW_B] interface GigabitEthernet 1/0/2
[NGFW_B-GigabitEthernet1/0/2] ip address 10.16.39.221 24
[NGFW_B-GigabitEthernet1/0/2] lldp state tx
[NGFW_B-GigabitEthernet1/0/2] quit
[NGFW_B] lldp management-address 10.16.39.221
----End
Configuration Verification
- Run the display lldp neighbor interface GigabitEthernet 1/0/2 command on NGFW_A to display information about the LLDP neighbor on the specified interface.
<NGFW_A> display lldp neighbor interface GigabitEthernet 1/0/2
Interface GigabitEthernet1/0/2 has 1 LLDP Neighbors:
Neighbor 1:
ChassisIdSubtype: MacAddress
ChassisId: 0022 a103 6079
PortIdSubtype: InterfaceName
PortId: GigabitEthernet 1/0/2
TimeToLive: 120 seconds
PortDesc: Huawei, USG6600 series, GigabitEthernet 1/0/2 Interface
SysName: NGFW_B
SysDesc: NGFW_B Huawei Versatile Routing Platform Software, Software Version : USG6600 V100R001C10 (VRP (R) Software, Version 5.30) , Copyright (C) 2014-2015 Huawei Technologies Co., Ltd.
SysCapSupported:
SysCapEnabled: Router
Management Address: IPv4: 10.16.39.221 (System Port Number - 386) (OID: Standard LLDP MIB)
Expired Time: 119 seconds
5.19 PMTU
You can perform Path Maximum Transmission Unit (PMTU) discovery to determine the
smallest MTU of all interfaces without fragmenting packets along the path from the source to
the destination.
5.19.1 Overview
This section provides the definition of PMTU and describes the application of PMTU discovery.
PMTU
PMTU is the smallest MTU of the packets that are transmitted along the path from the source
to the destination on the network. Packets that are smaller than the PMTU can be transmitted
along the path without being fragmented.
You can discover and obtain the PMTU of the specific destination IPv4 address and use an
appropriate MTU to send the packets over the network. In this way, packets are not fragmented
during transmission. This MTU eases the burden of intermediate routing devices, makes best
use of network resources, and offers the highest throughput.
PMTU varies with the selected path and may change during communication. In addition, the
PMTU values in the forward and return directions may also differ because the paths in both
directions are different.
PMTU Discovery
As shown in Figure 5-104, the PC establishes a TCP connection with the Web server before accessing it. The SYN packet carries the Maximum Segment Size (MSS), which is derived from the MTU (the MTU minus the IP and TCP header lengths). When the SYN packet reaches the server, the server changes the MSS to an appropriate value so that packets are not fragmented. However, the intermediate devices sometimes fail to process the packets properly, so the negotiated MTU value is larger than the smallest MTU actually available on the path. When the PC then sends a non-fragmented packet larger than the actual MTU, the packet is discarded when it reaches NGFW_B, and the access fails. To rectify the fault, tune the MTU on NGFW_A and have the PC renegotiate with NGFW_A so that it sends packets with an appropriate MSS.
For example, the PC negotiates with the Web server and sends an 800-byte non-fragmented
packet. The packet can be forwarded by NGFW_A whose MTU is 1500 bytes. However, when
the packet reaches NGFW_B, it is discarded because the MTU of NGFW_B is 512 bytes, smaller
than the actual packet size.
Therefore, by PMTU discovery on NGFW_A, the MTU of all the interfaces that are used to
forward the non-fragmented packet to the specific destination IP address is obtained, and this
value is 512 bytes. After the PMTU is obtained, change the configurations on NGFW_A, for
example, changing the MTU of all the interfaces to 512 bytes. The PC renegotiates with
NGFW_A and sends a packet with a smaller MTU, so that the packet can be transmitted over
the network without being fragmented. In this way, the problem is resolved.
Figure 5-104 PMTU discovery: the PC sends an 800-byte non-fragmented packet; NGFW_A (MTU 1500 bytes) forwards it, NGFW_B (MTU 512 bytes) discards it, and the reply is unreachable.
Context
NOTE
The first PMTU discovery packet is 48 bytes. If the PMTU on the path is less than 48 bytes, PMTU discovery
fails.
If the discovery packet passes through a tunnel, the discovered PMTU has a deviation. The deviation is the
size of the tunnel encapsulation payload.
Procedure
Step 1 Discover the PMTU along the path to the specific destination IPv4 address.
Parameter -a source-ip-address specifies the source IP address of the PMTU discovery packets. If you do not set this parameter, the source IP address is the IP address of the egress interface of the route.
Parameter -max pmtu-max specifies the maximum test scope of PMTU discovery. The default value is 1500 bytes.
Parameter -step step specifies the increment used in the second round of discovery. The default value is 10 bytes. A smaller step yields a more precise PMTU but consumes more resources, such as time and memory. The increment of the first round is fixed at 38 bytes and cannot be modified.
Parameter -t timeout specifies the timeout of each probe. The default value is two seconds.
----End
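A simulation of the two-round sweep that the parameters above describe, added here as an example (not the device's code; the exact probing order is an assumption built from the parameter descriptions): it shows why a smaller -step lands closer to the true PMTU, the failure case when even the 48-byte probe does not pass, and the deviation that tunnel encapsulation introduces into the discovered value.

```python
"""Simulate two-round PMTU discovery against a constructed path.

Added example, not part of the Huawei document. The sweep model (a coarse pass
with the fixed 38-byte step, then a fine pass with the configured step inside
the last coarse interval) is an assumption derived from the parameter
descriptions, not the NGFW's actual algorithm.
"""
from __future__ import annotations

from typing import Callable

FIRST_PROBE = 48      # size of the first discovery packet (from the note above)
FIRST_STEP = 38       # fixed increment of the first round
DEFAULT_STEP = 10     # default -step value
DEFAULT_MAX = 1500    # default -max value


def make_path(link_mtus: list[int], tunnel_overhead: int = 0) -> Callable[[int], bool]:
    """Probe function for a constructed path: a Don't-Fragment packet of `size`
    bytes gets through only if size plus any tunnel encapsulation fits every link.
    The overhead models the deviation the note attributes to tunnel encapsulation."""
    smallest = min(link_mtus)
    return lambda size: size + tunnel_overhead <= smallest


def discover_pmtu(probe: Callable[[int], bool], pmtu_max: int = DEFAULT_MAX,
                  step: int = DEFAULT_STEP) -> tuple[int | None, int]:
    """Return (discovered PMTU or None, number of probes sent)."""
    sent = 0

    def send(size: int) -> bool:
        nonlocal sent
        sent += 1
        return probe(size)

    if not send(FIRST_PROBE):
        return None, sent                  # path MTU below 48 bytes: discovery fails

    # Round 1: coarse sweep with the fixed 38-byte step, never beyond pmtu_max.
    good, bad = FIRST_PROBE, None
    size = good + FIRST_STEP
    while size <= pmtu_max:
        if send(size):
            good = size
        else:
            bad = size
            break
        size += FIRST_STEP
    if bad is None:
        if good == pmtu_max or send(pmtu_max):
            return pmtu_max, sent          # the whole test scope passes
        bad = pmtu_max

    # Round 2: fine sweep with the configured step between the last success and
    # the first failure; smaller steps cost more probes but land closer to the truth.
    size = good + step
    while size < bad:
        if not send(size):
            break
        good = size
        size += step
    return good, sent


if __name__ == "__main__":
    path = make_path([1500, 1300, 1500])   # constructed: the middle link is the bottleneck
    for step in (10, 1):
        pmtu, probes = discover_pmtu(path, step=step)
        print(f"step {step:>2}: PMTU {pmtu} after {probes} probes")
    gre = make_path([1500, 1300, 1500], tunnel_overhead=24)   # 20-byte IP + 4-byte GRE header
    print("through GRE tunnel:", discover_pmtu(gre, step=1))
```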
Follow-up Procedure
After the maximum MTU of the path is obtained through PMTU discovery, change the
configurations of the NGFW, for example, changing the MTU of the device interface. In this
way, packets are not fragmented on the network. This eases the burden of the intermediate
devices and rectifies relevant faults.
Networking Requirements
As shown in Figure 5-105, a PC accesses the Web server through a GRE tunnel. When the MTU of the tunnel is too small, packets are fragmented on the intermediate links so that they can traverse the tunnel, which increases the burden on the intermediate devices. In addition, to avoid fragment attacks, the Web server accepts only packets with the Don't Fragment bit set, so oversized packets break normal access. Therefore, discover the PMTU on NGFW_A to obtain the maximum MTU on the path to NGFW_B, then change the MTU of the uplink and downlink interfaces of the GRE tunnel to ensure service continuity.
Item | Data
PC IP address | 10.1.1.1/24
Configuration Roadmap
The roadmap for probing the PMTU is as follows:
Procedure
Step 1 Set the IP Addresses.
<NGFW_A> system
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.1.2.1 24
<NGFW_B> system
[NGFW_B] interface GigabitEthernet 1/0/2
[NGFW_B-GigabitEthernet1/0/2] ip address 10.1.3.1 24
Step 2 Add interfaces to security zones and configure security policies between security zones (omitted). For details on how to add an interface to a security zone, refer to the related chapters in Security Zones; for details on how to configure a security policy, refer to the related chapters in Security Policy.
Step 3 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.
Step 4 Ensure that NGFW_A, NGFW_B, and NGFW_C are routable to each other. Details are omitted.
Step 5 Configure PMTU discovery on NGFW_A to discover the maximum MTU from the tunnel (source IP address: 10.1.2.1/24) to the Web server (destination IP address: 10.1.3.2/24). The incremental step is 10 bytes.
<NGFW_A> pathmtu -a 10.1.2.1 -step 1 10.1.3.2
PathMtu test to 10.1.3.2 (public) , step: 1 byte(s) , discovery field max: 1500
1 * * *
2 * * *
PathMtu test result: Success, PathMtu: 1300
Step 6 Change the MTU of the uplink and downlink interfaces of the GRE tunnel to the discovered
PMTU 1300 to ensure that packets are not fragmented on the intermediate network. The MTU
eases the burden of the intermediate devices and ensures proper network communication. The
following uses changing the MTU of interface GigabitEthernet 1/0/1 as an example.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] mtu 1300
[NGFW_A-GigabitEthernet1/0/1] shutdown
[NGFW_A-GigabitEthernet1/0/1] undo shutdown
NOTE
The change of MTU on an interface takes effect only after you restart the interface (by running the
shutdown command and then the undo shutdown command on the interface).
Step 7 Configure the GRE tunnel. For details, refer to 20.5 GRE.
----End
5.20 NetStream
This chapter describes the basic concepts, mechanism, and application of NetStream.
5.20.1 Overview
NetStream collects statistics on network traffic and periodically sends them to the NetStream Collector (NSC). The statistics can be used for charging, network management, and guiding network planning.
[Figure: NetStream architecture. NGFW_A and NGFW_B, each acting as an NDE, export statistics to an NSC, and the NSCs feed the NDA.]
The NDE collects statistics over the passing traffic and sends detailed statistics to the NSC for
filtering and merging. Then the NSC sends the filtered and merged statistics to the NDA for
further merging and generation of intuitive graphs and reports. The generated graphs and reports
provide a reference for network planning, network monitoring, application analysis, and fault
location.
IP networks are connectionless, so communication between different types of services is carried out through groups of IP packets sent from one terminal to another. These IP packets form the data flow of a network service. Most data flows are temporary, intermittent, and bidirectional. NetStream identifies flows and collects flow-specific statistics based on the destination and source IP addresses, destination and source ports, protocol, ToS, and input and output interfaces. Serving as an NDE, the NGFW periodically sends the collected statistics to the NSC for processing, and the NSC sends them to the NDA for data analysis and report generation.
5.20.2 Mechanism
This section describes the mechanism of NetStream.
Concept of Sampling
After NetStream is enabled on an interface, the NGFW uses the CPU to establish, maintain, age, and aggregate NetStream flows and to generate the data for export. Meanwhile, the NGFW saves the NetStream information in the corresponding interface table. If every packet were counted and used to establish NetStream flows, interface performance would suffer heavily, especially on high-speed interfaces. Therefore, sampling is implemented: only the sampled packets are sent to the NetStream card for further processing. The lower the sampling rate, the less the performance is affected.
Sampling Process
Figure 5-107 shows the sampling process.
Figure 5-107 Sampling process (flowchart): once the sampling function is enabled, the NGFW determines whether a sampling value is set on the interface. If not, all packets are sampled. If so, packets are sampled either on packet number (the count value is extracted for counting packets and compared with the value configured on the interface) or randomly (a randomly generated value is compared with the value configured on the interface). The generated flow information is sent to the NSC.
The following table shows the related NetStream configurations on the interface.
Field | Length | Description
Mark for enabling the transmission of unicast packets | 1 bit | Indicates whether the packet destined for a unicast IP address is allowed through.
Mark for enabling the transmission of multicast packets | 1 bit | Indicates whether the packet destined for a multicast IP address is allowed through.
Mark for enabling the sampling of passing packets | 1 bit | Indicates whether the sampling function is enabled on the interface.
Sampling mask | 15 bits | Indicates the count value ratio of sampling all packets and sampling on packet number.
Interface index | 16 bits | Indicates the combination of the 4-bit slot information and the 12-bit interface index information, serving as the inbound interface information of the NetStream flow.
The preceding information must be configured on the inbound interface and outbound interface.
The NGFW can then sample packets on both the inbound and outbound interfaces.
Aging Flows
Certain current flows must be deleted to release memory for subsequent flows, because the number of flows across the network can burst in a short time: thousands of flows can be generated in a few seconds. The process of deleting flows to release memory is called flow aging.
Displaying aggregated flows: After the NetStream module collects the statistics on the aged
NetStream flows, the system classifies the raw statistics based on certain rules to aggregate flows.
The aggregated flows are sent in UDP packets. Aggregating original flows decreases bandwidth
and CPU usages and saves memory.Table 5-48 lists the currently supported aggregation modes.
as-tos Flows are classified based on five key values: source AS ID,
destination AS ID, index of the inbound interface, index of the
outbound interface, and ToS field. Flows with the same five key
values are aggregated into one flow, and one aggregation flow
record is generated.
protocol-port Flows are classified based on three key values: protocol ID, source
port, and destination port. Flows with the same three key values are
aggregated into one flow, and one aggregation flow record is
generated.
protocol-port-tos Flows are classified based on six key values: protocol ID, source
port, destination port, ToS field, index of the inbound interface, and
index of the outbound interface. Flows with the same six key values
are aggregated into one flow, and one aggregation flow record is
generated.
source-prefix Flows are classified based on four key values: AS ID, length of the
source mask, prefix of the source address, and index of the inbound
interface. Flows with the same four key values are aggregated into
one flow, and one aggregation flow record is generated.
source-prefix-tos Flows are classified based on five key values: AS ID, length of the
source address mask, prefix of the source address, ToS fields, and
index of the inbound interface. Flows with the same five key values
are aggregated into one flow, and one aggregation flow record is
generated.
destination-prefix Flows are classified based on four key values: AS ID, length of the
destination address mask, prefix of the destination address, and
index of the outbound interface. Flows with the same four key
values are aggregated into one flow, and one aggregation flow
record is generated.
destination-prefix-tos Flows are classified based on five key values: AS ID, length of the
destination address mask, prefix of the destination address, ToS
field, and index of the outbound interface. Flows with the same five
key values are aggregated into one flow, and one aggregation flow
record is generated.
prefix Flows are classified based on eight key values: source AS ID,
destination AS ID, length of the source address mask, length of the
destination address mask, prefix of the source address, prefix of the
destination address, index of the inbound interface, and index of the
outbound interface. Flows with the same eight key values are
aggregated into one flow, and one aggregation flow record is
generated.
prefix-tos Flows are classified based on nine key values: source AS ID,
destination AS ID, length of the source address mask, length of the
destination address mask, prefix of the source address, prefix of the
destination address, ToS field, index of the inbound interface, and
index of the outbound interface. Flows with the same nine key
values are aggregated into one flow, and one aggregation flow
record is generated.
mpls-label Flows are classified based on MPLS labels. Flows with the same
MPLS label are aggregated in to one flow, and one aggregation flow
record is generated.
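As an added example, not from the guide, a Python implementation of the aggregation keys in Table 5-48 applied to constructed flow records. Which AS the single "AS ID" of the source-prefix and destination-prefix modes refers to, and how the configurable aggregation mask interacts with a record's own mask length, are assumptions noted in the code:

```python
import ipaddress
from collections import defaultdict

def _net(addr, masklen):
    """Network prefix of addr under masklen, e.g. ("192.168.1.10", 24) -> "192.168.1.0"."""
    return str(ipaddress.ip_network(f"{addr}/{masklen}", strict=False).network_address)

# Key fields per aggregation mode, following Table 5-48. Assumption: the "AS ID" of the
# source-prefix modes is the source AS and that of the destination-prefix modes the destination AS.
MODE_KEYS = {
    "as-tos":            lambda r: (r["src_as"], r["dst_as"], r["in_if"], r["out_if"], r["tos"]),
    "protocol-port":     lambda r: (r["proto"], r["sport"], r["dport"]),
    "protocol-port-tos": lambda r: (r["proto"], r["sport"], r["dport"], r["tos"], r["in_if"], r["out_if"]),
    "source-prefix":     lambda r: (r["src_as"], r["src_mask"], _net(r["src"], r["src_mask"]), r["in_if"]),
    "source-prefix-tos": lambda r: (r["src_as"], r["src_mask"], _net(r["src"], r["src_mask"]), r["tos"], r["in_if"]),
    "destination-prefix":     lambda r: (r["dst_as"], r["dst_mask"], _net(r["dst"], r["dst_mask"]), r["out_if"]),
    "destination-prefix-tos": lambda r: (r["dst_as"], r["dst_mask"], _net(r["dst"], r["dst_mask"]), r["tos"], r["out_if"]),
    "prefix":     lambda r: (r["src_as"], r["dst_as"], r["src_mask"], r["dst_mask"], _net(r["src"], r["src_mask"]),
                             _net(r["dst"], r["dst_mask"]), r["in_if"], r["out_if"]),
    "prefix-tos": lambda r: (r["src_as"], r["dst_as"], r["src_mask"], r["dst_mask"], _net(r["src"], r["src_mask"]),
                             _net(r["dst"], r["dst_mask"]), r["tos"], r["in_if"], r["out_if"]),
    "mpls-label": lambda r: (r["mpls_label"],),
}
SRC_MASK_MODES = {"prefix", "prefix-tos", "source-prefix", "source-prefix-tos"}
DST_MASK_MODES = {"prefix", "prefix-tos", "destination-prefix", "destination-prefix-tos"}

def aggregate(records, mode, src_agg_mask=None, dst_agg_mask=None):
    """Collapse raw flow records into one aggregation record per distinct key.
    src_agg_mask/dst_agg_mask model the configurable aggregation masks, which the guide allows
    only for the listed modes. Assumption: a record whose own mask is longer than the configured
    aggregation mask is keyed on the shorter (configured) prefix."""
    if src_agg_mask is not None and mode not in SRC_MASK_MODES:
        raise ValueError(f"source aggregation mask is not valid for mode {mode}")
    if dst_agg_mask is not None and mode not in DST_MASK_MODES:
        raise ValueError(f"destination aggregation mask is not valid for mode {mode}")
    key_of = MODE_KEYS[mode]
    out = defaultdict(lambda: {"flows": 0, "packets": 0, "bytes": 0})
    for rec in records:
        r = dict(rec)
        if src_agg_mask is not None:
            r["src_mask"] = min(r["src_mask"], src_agg_mask)
        if dst_agg_mask is not None:
            r["dst_mask"] = min(r["dst_mask"], dst_agg_mask)
        agg = out[key_of(r)]
        agg["flows"] += 1
        agg["packets"] += r["packets"]
        agg["bytes"] += r["bytes"]
    return dict(out)

# Constructed raw flow records for the example (not real export data).
RAW_FLOWS = [
    dict(src="192.168.1.10", dst="10.4.1.2", src_mask=24, dst_mask=24, src_as=65001, dst_as=65010,
         in_if=1, out_if=3, proto=6, sport=40001, dport=80, tos=0, packets=10, bytes=1000),
    dict(src="192.168.1.20", dst="10.4.1.2", src_mask=24, dst_mask=24, src_as=65001, dst_as=65010,
         in_if=1, out_if=3, proto=6, sport=40002, dport=80, tos=0, packets=5, bytes=500),
    dict(src="192.168.2.5", dst="10.3.1.2", src_mask=24, dst_mask=24, src_as=65001, dst_as=65020,
         in_if=1, out_if=2, proto=17, sport=5353, dport=53, tos=0, packets=2, bytes=200),
    dict(src="192.168.1.10", dst="10.4.1.2", src_mask=24, dst_mask=24, src_as=65001, dst_as=65010,
         in_if=1, out_if=3, proto=6, sport=40001, dport=80, tos=0, packets=3, bytes=300),
]
```

Running `aggregate(RAW_FLOWS, "source-prefix")` yields two records (one per /24), and adding `src_agg_mask=16` collapses them into a single 192.168.0.0/16 record, which is the bandwidth saving the paragraph above describes; the detail lost in the process (individual hosts and ports) is also what an investigator can no longer recover from the aggregated export.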
Procedure
Step 1 Access the system view.
system-view
Step 3 Enable the NetStream function to collect statistics on IPv4 unicast traffic flows passing the
interface.
ip netstream inbound
NOTE
To enable the function for a sub-interface, set the VLAN ID for this sub-interface first.
By default, NetStream is disabled.
----End
Context
NOTE
Currently, the NetStream function of the NGFW supports two versions of the output packets, namely 5
and 9. Version 9 provides a template with which you can customize the exported statistics fields according
to actual requirements, which makes the statistics output flexible.
l Version 5: The original data flow is generated on the basis of the 7-tuple. The packet format is
fixed and hard to extend. Version 5 cannot export the BGP next hop.
l Version 9: Being template based, version 9 makes the statistics output more flexible and can
export data in various field combinations. Version 9 can export MPLS information and the
BGP next hop.
Procedure
Step 1 Access the system view.
system-view
The default format is version 5 with the AS option as peer-as. The output does not contain the
BGP next hop.
----End
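To make the difference between the two formats concrete, here is an added example (not from the guide) that parses both export formats in Python: the fixed version 5 layout and a template-driven version 9 datagram that carries the BGP next hop and an MPLS label. The datagrams are constructed in the code itself; the field type numbers follow the published version 9 field definitions (RFC 3954), and the exact templates the NGFW emits are not taken from the guide:

```python
import struct
import ipaddress

# --- Version 5: fixed 24-byte header followed by 48-byte records. The layout cannot be
# extended and has no field for the BGP next hop (only the routing next hop). ---
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
V5_FIELDS = ("src", "dst", "nexthop", "in_if", "out_if", "packets", "bytes", "first", "last",
             "sport", "dport", "pad1", "tcp_flags", "proto", "tos", "src_as", "dst_as",
             "src_mask", "dst_mask", "pad2")

def _ip(raw):
    return str(ipaddress.IPv4Address(raw))

def parse_v5(data):
    version, count, _up, _secs, _nsecs, seq, _etype, _eid, sampling = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not a version 5 datagram: {version}")
    records = []
    for i in range(count):
        r = dict(zip(V5_FIELDS, V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)))
        for k in ("src", "dst", "nexthop"):
            r[k] = _ip(r[k])
        del r["pad1"], r["pad2"]
        records.append(r)
    # The 16-bit sampling field carries a 2-bit sampling mode and a 14-bit interval.
    return {"version": 5, "sequence": seq, "sampling_interval": sampling & 0x3FFF, "records": records}

# --- Version 9: 20-byte header, then FlowSets. A Template FlowSet (ID 0) describes record
# layouts as (type, length) pairs; Data FlowSets (ID >= 256) reference a template by ID. ---
V9_HEADER = struct.Struct("!HHIIII")
V9_TYPES = {1: "bytes", 2: "packets", 4: "proto", 7: "sport", 8: "src", 10: "in_if",
            11: "dport", 12: "dst", 14: "out_if", 18: "bgp_nexthop", 70: "mpls_label_1"}
V9_IP_TYPES = {8, 12, 15, 18}

def parse_v9(data, templates):
    """`templates` (keyed by source ID and template ID) must persist across datagrams: a data
    FlowSet that arrives before its template cannot be decoded and is counted as skipped,
    which is why the exporter re-sends templates at a configured refresh rate."""
    version, _count, _up, _secs, seq, source_id = V9_HEADER.unpack_from(data, 0)
    if version != 9:
        raise ValueError(f"not a version 9 datagram: {version}")
    records, skipped, off = [], 0, V9_HEADER.size
    while off + 4 <= len(data):
        fs_id, fs_len = struct.unpack_from("!HH", data, off)
        if fs_len < 4:
            raise ValueError("malformed FlowSet length")      # guards against an endless loop
        body = data[off + 4:off + fs_len]
        if fs_id == 0:                                          # Template FlowSet
            p = 0
            while p + 4 <= len(body):
                tid, nfields = struct.unpack_from("!HH", body, p)
                if tid == 0:                                    # trailing padding
                    break
                templates[(source_id, tid)] = [struct.unpack_from("!HH", body, p + 4 + 4 * j)
                                               for j in range(nfields)]
                p += 4 + 4 * nfields
        elif fs_id >= 256:                                      # Data FlowSet
            tpl = templates.get((source_id, fs_id))
            if tpl is None:
                skipped += 1
            else:
                rlen, p = sum(l for _, l in tpl), 0
                while p + rlen <= len(body):
                    r = {}
                    for ftype, flen in tpl:
                        raw = body[p:p + flen]
                        p += flen
                        name = V9_TYPES.get(ftype, f"type{ftype}")
                        r[name] = _ip(raw) if ftype in V9_IP_TYPES and flen == 4 else int.from_bytes(raw, "big")
                    records.append(r)
        off += fs_len
    return {"version": 9, "sequence": seq, "records": records, "skipped_flowsets": skipped}

# --- Constructed datagrams used as test input (not captured from an NGFW) ---
def _ip4(s):
    return ipaddress.IPv4Address(s).packed

SAMPLE_RECORD = dict(src="192.168.1.2", dst="172.16.8.1", nexthop="10.2.1.2", in_if=1, out_if=3,
                     packets=95040, bytes=7603200, sport=1234, dport=80, proto=6, tos=0, src_as=65001,
                     dst_as=65010, src_mask=24, dst_mask=24, bgp_nexthop="10.4.1.2", mpls_label_1=16)

def build_v5(records, seq=0):
    body = b"".join(V5_RECORD.pack(_ip4(r["src"]), _ip4(r["dst"]), _ip4(r["nexthop"]), r["in_if"], r["out_if"],
                                   r["packets"], r["bytes"], 0, 0, r["sport"], r["dport"], 0, 0, r["proto"],
                                   r["tos"], r["src_as"], r["dst_as"], r["src_mask"], r["dst_mask"], 0)
                    for r in records)
    return V5_HEADER.pack(5, len(records), 0, 0, 0, seq, 0, 0, (1 << 14) | 100) + body  # mode 1, 1:100

V9_TEMPLATE = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4), (18, 4), (70, 3)]

def build_v9(records, template_id=256, seq=0, with_template=True):
    flowsets = b""
    if with_template:
        t = struct.pack("!HH", template_id, len(V9_TEMPLATE)) + b"".join(struct.pack("!HH", *f) for f in V9_TEMPLATE)
        flowsets += struct.pack("!HH", 0, 4 + len(t)) + t
    d = b"".join(_ip4(r["src"]) + _ip4(r["dst"])
                 + struct.pack("!HHBII", r["sport"], r["dport"], r["proto"], r["packets"], r["bytes"])
                 + _ip4(r["bgp_nexthop"]) + r["mpls_label_1"].to_bytes(3, "big") for r in records)
    pad = (-len(d)) % 4
    flowsets += struct.pack("!HH", template_id, 4 + len(d) + pad) + d + b"\0" * pad
    return V9_HEADER.pack(9, len(records) + int(with_template), 0, 0, seq, 1) + flowsets
```

Keep one `templates` dictionary per exporter for as long as the collector runs; the `skipped_flowsets` counter is what you watch after a collector restart, and it is the reason the template refresh parameters described later in this section exist.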
Context
Do as follows on the NGFW on which traffic statistics need to be collected.
Procedure
Step 1 Access the system view.
system-view
Step 2 Optional: Set the source address of the output statistics packets.
ip netstream export source ip-address
You can set a maximum of two destination IP addresses, one for the active NSC and one for the
standby NSC.
NOTE
Two destination addresses can be configured in the system view and another two in the aggregation
mode view.
----End
Procedure
Step 1 Access the system view.
system-view
Step 3 Enable NetStream to collect statistics on unicast traffic flows passing the interface.
ip netstream inbound
NOTE
To enable the function for a sub-interface, set the VLAN ID for the sub-interface first.
By default, NetStream is disabled.
----End
Context
NOTE
To aggregate the traffic statistics and output aggregated statistics in packets, configure the aggregation mode.
At present, both Version 8 and Version 9 support the following aggregation modes: as, as-tos, protocol-port,
protocol-port-tos, source-prefix, source-prefix-tos, destination-prefix, destination-prefix-tos, prefix, and prefix-
tos.
Procedure
Step 1 Access the system view.
system-view
You can configure the source aggregation mask only for modes prefix, prefix-tos, source-prefix,
and source-prefix-tos.
You can configure the destination aggregation mask only for modes prefix, prefix-tos,
destination-prefix, and destination-prefix-tos.
----End
Procedure
Step 1 Access the system view.
system-view
----End
Procedure
Step 1 Access the system view.
system-view
You can set a maximum of two destination IP addresses, one for the active NSC and one for the
standby NSC.
NOTE
Two destination addresses can be configured in the system view and another two in the aggregation
mode view.
----End
Context
Do as follows on the NGFW on which the statistics of traffic passing the VLANIF interface
need to be collected.
Procedure
Step 1 Access the system view.
system-view
----End
Context
Do as follows on the NGFW on which the statistics of traffic on the Vlanif interface need to be
collected.
Procedure
Step 1 Access the system view.
system-view
The default format is version 5 with the AS option as peer-as. The output does not contain the
BGP next hop.
NOTE
Version 5 does not support the output of the BGP next hop.
----End
Context
Do as follows on the NGFW on which the statistics of traffic passing the Vlanif interface need
to be collected.
Procedure
Step 1 Access the system view.
system-view
You can set a maximum of two destination IP addresses, one for the active NSC and one for the
standby NSC.
NOTE
Two destination addresses can be configured in the system view and another two in the aggregation
mode view.
----End
Context
Configure NetStream sampling in the interface view of the NGFW that samples the passing
flows.
Procedure
Step 1 Access the system view.
system-view
If the interface is configured with a sampling rate, the passing traffic flows are sampled at the
rate. If not, the sampling rate is 1:1, that is, all packets along the passing traffic flows are sampled.
----End
Context
Do as follows on the NGFW on which NetStream sampling is required.
Procedure
Step 1 Access the system view.
system-view
----End
Procedure
l Configure the parameters for refreshing the template for original traffic flows.
1. Run the following command on the NGFW on which NetStream sampling is required
to access the system view.
system-view
3. Set the parameters for refreshing the template for outputting the statistics on original
traffic flows in version 9.
For the NSC to receive and process the statistics, you need to send the appropriate
template to the NSC. After you set the parameters for refreshing the template, the
template on the NSC can be synchronized with that of the system.
The option template contains the information about the NetStream configuration.
export-stats and sampler indicate the system option and interface option respectively.
Once the refreshment parameters of the option template are configured, statistics
collection with the system option or that with the interface option is enabled.
4. Set the parameters for refreshing the template for outputting the statistics on
aggregated traffic in version 9.
template { refresh-rate packet-interval | timeout-rate timeout-interval }
----End
Context
During routine maintenance, you can run the following commands in any view to display the
NetStream configurations.
Table 5-49 lists the commands for displaying the running status of NetStream.
Action Command
Action Command
NOTICE
Statistics cannot be restored after being cleared. Perform the operation with caution.
Table 5-50 lists the commands for clearing the NetStream statistics.
Action Command
Before enabling the debugging function, run the terminal monitor and terminal debugging
commands in the user view to enable the display of logs and messages on the terminal, so that
the debugging messages are displayed.
NOTICE
Enabling the debugging function affects the system performance. Therefore, after debugging,
you need to run the undo debugging all command to disable the debugging function.
Action Command
Networking Requirements
As shown in Figure 5-108, an enterprise network is connected to NGFW_B on the carrier
network through NGFW_A. NetStream is enabled on NGFW_B. In such a scenario, the carrier
can collect the statistics on the inbound traffic flows passing GigabitEthernet 1/0/1 of
NGFW_B. The collected statistics provide a reference for network accounting.
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Set IP addresses for the interfaces on NGFW_A and NGFW_B.
Step 2 Enable the NetStream function for collecting inbound statistics on NGFW_B.
# Access the system view and change the system name to NGFW_B.
<NGFW> system-view
[NGFW] sysname NGFW_B
# Configure the NGFW_B to send the collected statistics to the NSCs and NDA.
[NGFW_B] ip netstream export host 10.2.1.2 6000
# Set the source address for the NGFW_B to send the collected statistics.
[NGFW_B] ip netstream export source 10.2.1.1
----End
Result
l After the configuration is complete, run the display ip netstream cache command in the
user view to display the statistics about the cached NetStream traffic flows.
<NGFW_B> display ip netstream cache
IP netstream cache information
Stream active timeout(minute)  : 30
Stream inactive timeout(second): 1
Active stream entry            : 0
Inactive stream entry          : 8000
Stream entry been created      : 0
Last clearing of statistics    : never
stream
----------------------------------------------------------------------------
Total 0 0 0 0 0 0
l After the configuration is complete, run the display ip netstream export command in the
user view to display the information about the output of NetStream traffic statistics.
<NGFW_B> display ip netstream export
Version 5 ip export information
Stream destination IP(UDP): 10.2.1.2(6000)
Stream source IP: 10.2.1.1
Exported stream number: 120
Exported UDP datagram number: 120 failed number:0
Networking Requirements
As shown in Figure 5-109, enabling NetStream on NGFW_B collects the statistics on the traffic
flows from the user network to both ISP networks. The collected statistics provide a reference
for network accounting.
Figure 5-109 Networking diagram of collecting the statistics on aggregated traffic flows (diagram
not reproduced; labels recovered from the figure, exact placement not recoverable: User Network;
NGFW_A; NGFW_B; NGFW_C in ISP1; NGFW_D in ISP2; NSC&NDA 10.2.1.2/24; interfaces
GE1/0/1 10.1.1.1/24, GE1/0/1 10.1.1.2/24, GE1/0/2 10.3.1.1/24, GE1/0/3 10.4.1.1/24, GE1/0/4
10.2.1.1/24, GE1/0/4 10.4.1.2/24, GE1/0/4 10.3.1.2/24; loopback0 on each NGFW)
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure reachable routes between the user network and access network.
2. Configure reachable routes between the access network and ISP1 and between the access
network and ISP2.
3. Enable NetStream on NGFW_B.
Procedure
Step 1 Set IP addresses.
Step 3 Establish BGP neighbors between NGFW_B and NGFW_C and between NGFW_B and
NGFW_D.
----End
Result
l # After the configuration is complete, run the display ip netstream cache command in the
user view to display the statistics on the cached traffic flows.
<NGFW_B> display ip netstream cache
IP netstream cache information
Stream active timeout(minute)  : 30
Stream inactive timeout(second): 1
Active stream entry            : 0
Inactive stream entry          : 8000
Stream entry been created      : 0
Last clearing of statistics    : never
----------------------------------------------------------------------------
Total 0 0 0 0 0 0
l After the configuration is complete, run the display ip netstream export command in the
user view to display the information about the output of the traffic.
<NGFW_B> display ip netstream export
Version 9 AS aggregation information
Networking Requirements
As shown in Figure 5-110, add GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to the same
VLAN and configure the collection of the statistics on the traffic passing interface
GigabitEthernet 1/0/1.
Figure 5-110 (diagram not reproduced; labels recovered from the figure: NSC&NDA; Switch1;
Switch2; GE1/0/1 and GE1/0/2 in VLANIF100; addresses 172.16.8.145/24, 192.168.2.2/24 and
192.168.1.1/24)
Item Data
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Create a VLAN and a Vlanif interface and set an IP address for each of them.
Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.
# Enable NetStream for collecting the statistics on the inbound and outbound traffic passing the
Vlanif member interface GigabitEthernet 1/0/1.
[NGFW] interface vlanif 100
[NGFW-Vlanif100] ip netstream inbound
----End
Result
l Run the display ip netstream cache command in the user view to display the statistics on
original traffic flows.
<NGFW> display ip netstream cache
The total records in cache is 3.
Show information of cache is starting.
get show cache user data success
DstIf DstIP SrcIP Pro Tos Flgs Pkts
SrcIf DstP Msk AS SrcP Msk AS NextHop
BGP: BGP NextHop
--------------------------------------------------------------------------
GigabitEthernet 1/0/3 172.16.8.1 192.168.1.2 0 0 0 95040
0.0.0.0
l Run the display ip netstream export command in the user view to display the information
about the output of the original traffic statistics.
<NGFW> display ip netstream export
Version 8 AS aggregation information
Stream destination IP(UDP): 192.168.2.2(6000)
Exported stream number: 395
Exported UDP datagram number: 93 failed number:0
5.21.1 Overview
The agile network is a new enterprise networking solution for legacy enterprise networks. It is
easier, more flexible, and faster in configuration, maintenance, and service response compared
with traditional enterprise networks.
Based on customer requirements, agile networks fall into three scenarios: service mobility,
service chain, and security collaboration. This section describes the working mechanisms and
configuration methods of the firewall in different application scenarios.
Service Mobility
Service mobility enables consistent enterprise resource access permissions and experience (the
same priority and bandwidth for users accessing enterprise resources) regardless of where the
users access the enterprise network. As shown in the service mobility scenario in Figure 5-111,
the firewalls are deployed at the borders of the headquarters, branch office, and data center to
provide user identification and permission control functions.
Apart from the user identification and permission control functions, the firewalls at the borders
of the headquarters and branch office provide L2TP VPN, L2TP over IPSec VPN, and SSL VPN
services for mobile employees and allocate bandwidth resources to access users to ensure that
the traffic of VIP users is preferentially forwarded.
Figure 5-111 Service mobility scenario (diagram not reproduced; labels: NGFW (firewall), Data
center, Control center, Core switch, Aggregation switch, Access switch)
In the service mobility application scenario, the Controller centrally manages user identity
information (user name and password) and access permissions (firewall security policies). The
Agile Controller (Controller for short) categorizes users into different security groups. After you
configure security groups and access permissions on the Controller, the Controller delivers the
configurations to all identity authentication and permission control devices (in this scenario,
both the firewalls and aggregation switches are identity authentication and permission control
devices to implement authentication and permission control). This section uses the firewall at
the egress of the campus network as an example to describe the mechanisms of user
authentication and permission control when a VPN user accesses data center resources or an
intranet user accesses Internet resources after the Controller server delivers the security groups
and access permissions to the device (firewall or aggregation switch).
l An employee on the move uses VPN to access enterprise networks and enterprise resources.
1. An employee on the move uses VPN to initiate a connection request to the firewall at
the headquarters egress.
2. After receiving the VPN request from the user, the firewall sends the user's identity
information to the Controller for verification.
3. After verifying the identity information, the Controller sends a response message to
the firewall indicating authentication success. The firewall establishes a VPN
connection with the user and records the security group and IP address of the user,
which are in the "online user list" on the firewall.
4. When receiving the service traffic from the employee on the move to the data center,
the firewall at the egress of the headquarters looks up the online user list for the traffic
IP address to find the corresponding user information. Then the firewall looks up the
permission control list based on the user information and implements permission
control accordingly.
l An intranet user accesses Internet resources.
1. The intranet user initiates identity authentication to the aggregation switch.
2. After receiving the authentication request from the user, the aggregation switch sends
the user's identity information to the Controller for verification.
3. The Controller records the IP address-account mapping of the user after verification
and sends a response message to the aggregation switch indicating authentication
success. After receiving the response message from the Controller, the aggregation
switch creates a mapping between the user and IP address.
4. The firewall sends an identity query message to the Controller to request the user
identity corresponding to the source address of the traffic. After receiving the query
request, the Controller returns the user identity information to the firewall. Then, the
firewall can find the permission control policy based on the user identity information.
In agile networks, users may need to access DNS, DHCP, or Portal servers before they are
authenticated. When the traffic from a user to such a server goes through the firewall, the firewall
queries the security group of the user from the Controller server. Because the user is not
authenticated yet, the Controller server answers that the user belongs to the unknown group. The
firewall caches this answer and does not query the Controller server again for that user until the
user information is refreshed (every 10 minutes by default). Until then, the user's traffic matches
the policies of the unknown group, so the user does not obtain the correct permissions immediately
after being authenticated.
To resolve this problem, the pre-security domain is introduced into the agile network. The pre-
security domain refers to the domain accessible before users are authenticated. When an
unauthenticated user accesses a server in the pre-security domain, the firewall directly forwards
the traffic without querying the security group of the traffic. After the user is authenticated and
the service traffic reaches the firewall, the firewall queries the security group information from
the Controller server, which ensures that the query result is consistent with the actual security
group of the user. When you deploy an agile network, consider that users may need to access
the DNS, DHCP, and Portal servers before they are authenticated. You can select the servers
and deploy them in the pre-security domain as required.
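An added illustration, not part of the Huawei guide, of why the cached "unknown" answer causes the problem described above and how the pre-security domain avoids it. The Controller and Firewall classes are a simplified model written for this example; the IP addresses, the 600-second refresh interval (the guide's 10-minute default) and the group name "working" are assumptions, and the real Controller protocol is not modelled:

```python
UNKNOWN = "unknown"

class Controller:
    """Stand-in for the Agile Controller: knows which users are authenticated and their group."""
    def __init__(self):
        self.online = {}            # ip -> security group, filled when authentication succeeds

    def authenticate(self, ip, group):
        self.online[ip] = group

    def query_group(self, ip):
        return self.online.get(ip, UNKNOWN)


class Firewall:
    """Models the firewall's per-user cache of the Controller's answer."""
    def __init__(self, controller, pre_security_domain=frozenset(), refresh_interval=600):
        self.ctl = controller
        self.pre_domain = set(pre_security_domain)   # servers reachable before authentication
        self.ttl = refresh_interval                   # assumed 600 s = the guide's 10-minute default
        self.cache = {}                               # src ip -> (group, time of query)

    def source_group(self, src_ip, dst_ip, now):
        """Security group the firewall matches policies against for this packet.
        Traffic to the pre-security domain is forwarded without querying the Controller and
        without populating the cache, so no stale 'unknown' answer is recorded."""
        if dst_ip in self.pre_domain:
            return None
        entry = self.cache.get(src_ip)
        if entry is None or now - entry[1] >= self.ttl:
            entry = (self.ctl.query_group(src_ip), now)
            self.cache[src_ip] = entry
        return entry[0]


def walkthrough(pre_domain):
    """Constructed timeline: the user resolves DNS at t=0 (unauthenticated), authenticates at
    t=30, then opens an application at t=60 and again at t=600 after the cache refreshes."""
    ctl = Controller()
    fw = Firewall(ctl, pre_domain)
    user, dns, app = "10.1.1.50", "10.3.0.53", "10.2.0.80"   # assumed addresses
    fw.source_group(user, dns, now=0)
    ctl.authenticate(user, "working")
    return {"t60": fw.source_group(user, app, now=60),
            "t600": fw.source_group(user, app, now=600)}
```

Without a pre-security domain, `walkthrough(frozenset())` returns the unknown group at t=60 even though the user authenticated at t=30, and only the refresh at t=600 corrects it; with the DNS server placed in the pre-security domain, `walkthrough(frozenset({"10.3.0.53"}))` returns the correct group as soon as the first post-authentication packet arrives.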
Service Chain
Service chain is a scenario in which all security check devices are centrally deployed in a
security resource pool, with each device responsible for a different security check task.
Enterprises can steer the traffic passing through the core switch to these security devices in a
specific order for security checks. Figure 5-112 shows the service chain scenario. In this scenario,
the firewall resides in the security resource pool to provide content security checks. The firewalls
are deployed in off-path mode next to the core switch, and each firewall establishes a GRE tunnel
with each core switch. When receiving traffic to be checked, the core switch diverts the traffic over
one GRE tunnel to the corresponding firewall. After the security checks, the firewall injects the
traffic back to the core switch over the other GRE tunnel.
Security Collaboration
Security collaboration is a solution for improving overall intranet security defense capabilities.
This solution provides visibility into network health conditions, security event quantity and
types, and security risk trends and monitors and handles security events. As shown in Figure
5-113, the firewall sends to the Controller syslogs about security events, such as viruses,
intrusions, Trojans, and data leaks. After receiving security logs, the Controller delivers security
warning and actions, such as isolate or block, to the aggregation switch, so that the aggregation
switch can block these risks.
Restrictions
Table 5-52 lists the restrictions of the agile network function.
Virtual system Virtual systems do not support the agile network function.
IPv6 The agile network function does not support IPv6 services.
TSM function The TSM function and the agile network function are mutually
exclusive. Before you enable the agile network function, disable
the TSM function.
Security policy The agile network function cannot be enabled if security policies
are configured on the device. Before you enable the agile network
function, delete the configured security policies.
Precautions
Enabling or disabling the agile network function affects other functions on the device, as listed
in Table 5-53.

Function | When the agile network function is enabled | When the agile network function is disabled
User management | The user management function does not take effect. | The user management function takes effect.
Policy redundancy analysis, policy matching analysis, and policy tuning | These functions do not take effect. | These functions take effect.
Traffic policy | Traffic policies are not affected. | The traffic policies that the Controller delivers are deleted.

NOTE
When the agile network function is disabled, security policies, traffic policies, and PBR use the user
group as a matching condition. When the agile network function is enabled, the user group parameter in
these three policies is replaced by the Source Agile Security Group and Destination Agile Security Group
parameters.
Procedure
Step 1 Choose System > Agile Network Configuration.
Step 3 Set the parameters for connecting the NGFW to the Controller.
Parameter Description
Authentication Password Indicates the password that the Controller uses to authenticate
the NGFW.
After the agile network is deployed, the IP address and password
of each device on the network will be specified on the Controller.
When a device sends a connection request to the Controller, the
Controller looks for the password of the device based on the
source IP address. If the passwords are the same, the
authentication succeeds.
RADIUS Server The NGFW needs to query the security group information of the
user from the RADIUS server to implement the security policy.
For configurations of the RADIUS server, see 11.5.6.1
Configuring a RADIUS Server. The RADIUS server is
integrated into the Controller. Therefore, the IP address of the
RADIUS server is that of the Controller. If an independent
RADIUS server is deployed, contact the network administrator
for the IP address of the RADIUS server.
----End
Step 2 The firewall automatically obtains all security groups from the Controller, as shown in the
following figure.
----End
Step 2 When receiving service traffic from a user, the NGFW requests the user identity and group
information for the traffic from the Controller, looks up the security policies based on the user
information, and adds the user to the online user list, as shown in the following figure.
The firewall queries user status information from the Controller every 10 minutes. As a result,
the user information on the firewall may not be in sync with that on the Controller. You can
click Refresh to display the latest user status information.
Item Description
Item Description
----End
Step 2 The firewall automatically synchronizes security policy information from the Controller, as
shown in the following figure.
NOTE
When the agile network function is enabled, parameter user group in security policies will be substituted
with parameters Source Agile Security Group and Destination Agile Security Group. Other parameters
remain the same. For details on each parameter, see 13.1.6 Configuring a Security Policy.
----End
5.21.5.1 Configuring the Firewall to Provide L2TP Over IPSec Access Services and
Implement Identity Authentication and Permission Control for L2TP Users in a
Service Mobility Scenario
This section describes how to configure the firewall and Controller in a service mobility scenario
to allow mobile users to access the intranet through L2TP over IPSec.
Networking Requirements
As shown in Figure 5-114, an NGFW is deployed on the border of an intranet as a security
gateway. The NGFW provides VPN access services for mobile employees and implements
access permission control. A Controller is deployed for user information configuration and
delivers access permission control policies to the NGFW.
User requirement: Mobile employees are allowed to access web server resources on the intranet
through L2TP over IPSec only during working hours.
Figure 5-114 User access permission control in the service mobility scenario
NGFW
GE1/0/2 GE1/0/1
10.2.0.1/24 1.1.1.1/24
Controller
10.3.0.10/24
Data Planning
Item Data
Item Data
Configuration Roadmap
1. Configure the Controller.
Configure parameters for the Controller, as shown in the following figure (figure not reproduced;
its contents are listed here).
① Configure a user: Jack, account J00001, password Hello123, department Marketing.
② Configure a schedule: Working hours; Non-working hours.
③ Configure security groups: Working security group; Non-working security group; Web
resource security group.
④ Configure authentication rules: rule "Regulations for working hours" with matching condition
Marketing + Working hours and authentication result Working security group (user traffic
during working hours matches this rule); rule "Regulations for non-working hours" with
matching condition Marketing + Non-working hours and authentication result Non-working
security group (user traffic during non-working hours matches this rule).
⑤ Configure access permission control policies: source Working security group, destination
Web resource security group, permission Permit; source Non-working security group,
destination Web resource security group, permission Deny.
When Jack attempts to access web server resources during working hours, Jack's
department and schedule information matches the "work" authorization rule. Based on the
rule, Jack belongs to the "working security group". Query the access permission control
policy that uses the "working security group" as the source security group and the "web
resource security group" as the destination security group. Then you can obtain Jack's
access permission. The Controller delivers the access permission control policy to the
firewall. When traffic sent from Jack passes through the firewall, the firewall searches for
the source and destination security groups based on the user name and then implements the
access permission control policy (referred to as security policy on the firewall).
2. Configure the firewall.
a. Enable the agile network function on the firewall.
b. Configure L2TP over IPSec.
3. After interworking with the firewall, the Controller delivers all configured security groups
and access permission control policies to the firewall.
NOTE
The Controller updates with versions. Therefore, in this example, the Controller configuration is for
reference only. For details, refer to the configuration manual of the Controller.
Procedure
Step 1 Configure the Controller.
1. Add the firewalls to be managed by the Controller.
a. Choose Resource > Device > Device Manager, click Add, and configure information
on the firewalls to be managed by the Controller.
c. Click OK.
2. Add the account and password of the mobile user to the Controller.
a. Choose Resource > User > User Management. On the Department tab, click
, set Department to Marketing department, and click OK.
b. Click OK.
4. Configure security groups for the mobile user and web server.
a. Choose Policy > Permission Control > Security Group > Security Group
Management and click Add to add the working and non-working security groups.
Then click OK.
b. Choose Policy > Permission Control > Security Group > Security Group
Management, and click to add a security group for the web server, and click
OK.
5. Configure a pre-authentication domain, so that mobile employees can access the NGFW
and Controller before being authenticated.
Choose Policy > Security Group > Intranet Configuration and add the IP addresses of
the NGFW virtual gateway and Controller to the pre-authentication domain.
a. Choose Policy > Permission Control > Authorization Policy > Authorization
Rule and click the add icon to create a permission rule. Then click OK.
b. Click OK.
8. Configure an access permission template.
a. Choose Policy > Service Mobility > Permission Control and click Permission
Template. Configure the permission on the web server for mobile users during the
working and non-working hours.
b. Click OK.
9. Configure access permission control rules.
a. Choose Policy > Service Mobility > Permission Control and click Add. Configure
a policy for controlling the access to the web server from mobile users during the
working and non-working hours.
b. Click OK.
IPv4 IP address: 1.1.1.1/24
c. Click OK.
d. Repeat the preceding steps to configure GE1/0/2 and GE1/0/3.
GE1/0/2: IPv4 IP address 10.2.0.1/24
GE1/0/3: IPv4 IP address 10.3.0.1/24
b. Click OK.
3. Configure an authentication domain.
a. Choose Object > User > Authentication Domain. Modify the default authentication
domain and set the following parameters.
b. Click OK.
4. Configure an L2TP over IPSec tunnel.
a. Choose Network > IPSec > IPSec. In IPSec Policy List, click Add.
b. Set Scenario to Site-to-multisite and Peer Type to L2TP over IPSec client.
c. Complete Basic Configuration. Multiple branches need to access the headquarters.
Therefore, do not specify the remote gateway addresses. The pre-shared key is
Admin@123.
e. Under Data Flow to Be Encrypted, click Add to add a data flow as follows.
f. In IKE/IPSec Proposal , click Accept Proposal from the Peer Device to accept the
IPSec protocol and algorithm proposed by the peer.
g. Click Apply to complete the NGFW configuration.
5. Enable the agile network function on the firewall.
The mobile user can use the VPN client or Windows L2TP client for VPN access through L2TP
over IPSec. For details, see 20.2.11.14 Web Example for Configuring L2TP over IPSec VPN
for Users to Access the Headquarters Using the Windows L2TP Client or 20.2.11.12 Web
Example for Configuring L2TP over IPSec VPN for Users that Dial Up to the Headquarters
Using the VPN Client.
Step 4 Log in to the Controller again and configure it to deliver the security groups and policies to the
firewall.
1. Choose Policy > Permission Control > Security Group > Security Group
Management and click Global Deployment. In the dialog box that is displayed, click
OK.
2. Choose Policy > Service Mobility > Permission Control and click Global
Deployment. In the dialog box that is displayed, click OK.
----End
Verification
1. Mobile employee Jack can access web server resources on the intranet after dialing to the
firewall with account J00001 through L2TP over IPSec during working time.
2. Mobile employee Jack cannot access web server resources on the intranet after dialing to
the firewall with account J00001 through L2TP over IPSec during non-working time.
5.21.5.2 Configuring the Firewall to Provide SSL VPN Access Services and
Implement Identity Authentication and Permission Control for SSL VPN Users in
a Service Mobility Scenario
This section describes how to configure the firewall and Controller in a service mobility scenario
to allow mobile users to access the intranet through SSL VPN.
Networking Requirements
As shown in Figure 5-115, an NGFW is deployed on the border of an intranet as a security
gateway. The NGFW provides VPN access services for mobile employees and implements
access permission control. A Controller is deployed for user information configuration and
delivers access permission control policies to the NGFW.
User requirement: Mobile employees are allowed to access web server resources on the intranet
through SSL VPN only during working hours.
Figure 5-115 User access permission control in the service mobility scenario
[Figure 5-115 diagram: mobile users reach the NGFW through GE1/0/1 (1.1.1.1/24); the intranet is behind GE1/0/2 (10.2.0.1/24); the Controller is at 10.3.0.10/24]
Data Planning
[Data planning table (columns Item and Data): rows not recovered from the page]
Configuration Roadmap
1. Configure the Controller.
Configure parameters for the Controller, as shown in the following figure.
[Figure: Controller configuration for this example.
① Configure a user: Jack, Account J00001, Password Hello123, Department marketing.
② Configure a schedule: working hours and non-working hours.
③ Configure security groups: working security group, non-working security group, web resource security group.
④ Configure authentication rules: "Regulations for working hours" (matching condition: Marketing, working hours; authentication result: working security group) and "Regulations for non-working hours" (matching condition: Marketing, non-working hours; authentication result: non-working security group).
⑤ Configure access permission control: source working security group to destination web resource security group, Permit; source non-working security group to destination web resource security group, Deny.
User traffic during working hours matches the first rule; user traffic during non-working hours matches the second.]
When Jack attempts to access web server resources during working hours, Jack's
department and schedule information matches the "work" authorization rule. Based on the
rule, Jack belongs to the "working security group". Query the access permission control
policy that uses the "working security group" as the source security group and the "web
resource security group" as the destination security group. Then you can obtain Jack's
access permission. The Controller delivers the access permission control policy to the
firewall. When traffic sent from Jack passes through the firewall, the firewall searches for
the source and destination security groups based on the user name and then implements the
access permission control policy (referred to as security policy on the firewall).
2. Configure the firewall.
a. Enable the agile network function on the firewall.
b. Configure SSL VPN.
3. After interworking with the firewall, the Controller delivers all configured security groups
and access permission control policies to the firewall.
NOTE
The Controller updates with versions. Therefore, in this example, the Controller configuration is for
reference only. For details, refer to the configuration manual of the Controller.
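The matching chain in the roadmap (department and schedule select an authorization rule, the rule's authentication result places the user in a security group, and the access permission control policy keyed by source and destination security groups decides the action) can be traced in code. The following Python model is an added example, not Controller or NGFW code; the working-hours bounds, the web server address, the rule and group names, and the default-deny fallback when no policy matches are assumptions.

```python
"""Service-mobility permission evaluation (added example, not Huawei code).

Models the roadmap: user -> (department, schedule) -> authorization rule ->
security group -> access permission control policy -> permit/deny.
Schedule bounds, the web server address, rule/group names and the
default-deny fallback are constructed assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class User:
    name: str
    account: str
    department: str


@dataclass(frozen=True)
class AuthorizationRule:
    name: str
    department: str                       # matching condition
    schedule: Callable[[datetime], bool]  # matching condition
    security_group: str                   # authentication result


@dataclass(frozen=True)
class AccessPolicy:
    source_group: str
    destination_group: str
    action: str                           # "permit" or "deny"


def working_hours(when: datetime) -> bool:
    """Constructed schedule: Monday to Friday, 09:00 to 18:00."""
    return when.weekday() < 5 and time(9, 0) <= when.time() < time(18, 0)


def non_working_hours(when: datetime) -> bool:
    return not working_hours(when)


# Data planning mirroring the example: one mobile user, two rules, two policies
USERS: Dict[str, User] = {"J00001": User("Jack", "J00001", "marketing")}
RULES: List[AuthorizationRule] = [
    AuthorizationRule("Regulations for working hours", "marketing",
                      working_hours, "working security group"),
    AuthorizationRule("Regulations for non-working hours", "marketing",
                      non_working_hours, "non-working security group"),
]
WEB_SERVER_IP = "10.2.0.10"  # constructed address bound to the web resource security group
RESOURCE_GROUPS: Dict[str, str] = {WEB_SERVER_IP: "web resource security group"}
POLICIES: List[AccessPolicy] = [
    AccessPolicy("working security group", "web resource security group", "permit"),
    AccessPolicy("non-working security group", "web resource security group", "deny"),
]


def security_group_for(user: User, when: datetime,
                       rules: List[AuthorizationRule] = RULES) -> Optional[str]:
    """Security group from the first authorization rule whose conditions all match."""
    for rule in rules:
        if rule.department == user.department and rule.schedule(when):
            return rule.security_group
    return None


def evaluate(account: str, when_iso: str, dest_ip: str) -> str:
    """Decision for traffic from the authenticated account to dest_ip at the given time."""
    user = USERS.get(account)
    if user is None:
        return "deny"  # unknown account: treated as unauthenticated (assumption)
    when = datetime.fromisoformat(when_iso)
    src = security_group_for(user, when)
    dst = RESOURCE_GROUPS.get(dest_ip)
    for policy in POLICIES:
        if policy.source_group == src and policy.destination_group == dst:
            return policy.action
    return "deny"  # no matching policy: default deny (assumption, not stated on the page)


if __name__ == "__main__":
    for stamp in ("2015-07-29T10:00", "2015-07-29T22:00"):
        print(stamp, evaluate("J00001", stamp, WEB_SERVER_IP))
```

Evaluating Jack's access at 10:00 on a weekday returns permit and at 22:00 returns deny, which is what the Verification section expects; a destination that is not bound to any security group, or a user whose department matches no rule, falls through to the default.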
Procedure
Step 1 Configure the Controller.
1. Add the firewalls to be managed by the Controller.
a. Choose Resource > Device > Device Manager, click Add, and configure information
on the firewalls to be managed by the Controller.
c. Click OK.
2. Add the account and password of the mobile user to the Controller.
a. Choose Resource > User > User Management. On the Department tab, click
, set Department to Marketing Department, and click OK.
b. Click OK.
4. Configure security groups for the mobile user and web server.
a. Choose Policy > Permission Control > Security Group > Security Group
Management and click Add to add the working and non-working security groups.
Click OK.
b. Choose Policy > Permission Control > Security Group > Security Group
Management, and click to add a security group for the web server, and click
OK.
5. Configure a pre-authentication domain, so that mobile employees can access the NGFW
and Controller before being authenticated.
Choose Policy > Security Group > Intranet Configuration and add the IP addresses of
the NGFW virtual gateway and Controller to the pre-authentication domain.
6. Configure profile.
a. Create a permission profile. Choose Policy > Permission Control > Authentication
and Authorization > Authorization Result and click to create a permission
profile. Then click OK.
The permission profile will be referenced during authorization rule configuration. To
easily search for a security group during authorization rule configuration, the
permission profile name must be the same as the security group name.
a. Choose Policy > Permission Control > Authorization Policy > Authorization
Rule and click .
b. Click OK.
8. Configure an access permission template.
a. Choose Policy > Service Mobility > Permission Control and click Permission
Template. Configure the permission on the web server for mobile users during the
working and non-working hours.
b. Click OK.
9. Configure access permission control rules.
a. Choose Policy > Service Mobility > Permission Control and click Add. Configure
a policy for controlling the access to the web server from mobile users during the
working and non-working hours.
b. Click OK.
IPv4 IP address: 1.1.1.1/24
c. Click OK.
d. Repeat the preceding steps to configure GE1/0/2 and GE1/0/3.
IPv4 IP address: 10.2.0.1/24
IPv4 IP address: 10.3.0.1/24
b. Click OK.
3. Configure an authentication domain.
a. Choose Object > User > Authentication Domain. Click Add to create an
authentication domain.
b. Click OK.
4. Enable the agile network function on the firewall.
a. Choose System > Agile Network Configuration.
5. Configure an SSL VPN gateway, including the gateway address, user authentication, and
maximum number of concurrent users.
a. Choose Network > SSL VPN > SSL VPN.
b. Click Add and set SSL VPN gateway parameters as follows:
c. Click Next.
6. Configure the SSL version, the SSL encryption suite, and the timeout duration and life
cycle of SSL sessions on the device. This configuration is optional; you can use the default values.
d. Click Next.
9. Configure the SSL VPN role authorization.
a. In Group Permission List, click Add.
b. Configure role authorization based on the following parameters.
User J00001 must already exist on the firewall.
e. Click Finish.
Step 3 Log in to the Controller again and configure it to deliver the security groups and policies to the
firewall.
1. Choose Policy > Permission Control > Security Group > Security Group
Management and click Global Deployment. In the dialog box that is displayed, click
OK.
2. Choose Policy > Service Mobility > Permission Control and click Global
Deployment. In the dialog box that is displayed, click OK.
----End
Verification
Jack accesses web server resources on the intranet through SSL VPN as follows:
1. Jack enters https://1.1.1.1 (URL of a virtual gateway) in the address box of the browser
and presses Enter.
2. On the login page that is displayed, Jack enters account J00001 and password Hello123.
3. The network extension function is displayed on the SSL VPN gateway page, as shown in
Figure 5-116.
After Jack clicks Start, Jack's laptop obtains a campus network address from the virtual
gateway. Then Jack accesses intranet resources as Jack does on a LAN.
4. The firewall (virtual gateway) obtains users' access permission policies from the Controller.
Therefore, Jack can access web server resources during working time but cannot during
non-working time.
5.21.5.3 Configuring the Firewall to Prioritize VIP Users' Services and Implement
Bandwidth Management in a Service Mobility Scenario
This section describes how to configure the firewall to prioritize VIP users' services and
implement bandwidth management in a service mobility scenario.
Networking Requirements
As shown in Figure 5-117, an NGFW is deployed on the border of an intranet as a security
gateway. The NGFW controls users' bandwidth resources and prioritizes VIP users' services
when bandwidth resources are insufficient. A Controller is deployed for user information (such
as bandwidth and priority) configuration and delivers the information to the firewall. The
firewall controls user bandwidth and priorities.
Figure 5-117 User bandwidth and priority control in the service mobility scenario
[Figure 5-117 diagram: a VIP user and a common user reach the NGFW through GE1/0/1 (1.1.1.1/24); the intranet is behind GE1/0/2 (10.2.0.1/24); the Controller is at 10.3.0.10/24]
Data Planning
[Data planning table (columns Item and Data): rows not recovered from the page]
Configuration Roadmap
1. Configure the Controller.
Configure parameters on the Controller. The Controller then delivers security groups and
their QoS and bandwidth policies to the firewall. After receiving traffic from a user, the
firewall searches for the matching security group and bound policies based on the user's
account.
[Figure: Controller configuration for this example.
① Configure users: Jack (common user), Account J00001, Password Admin@123, Department marketing; Mark (VIP user), Account M00002, Password Hello@123, Department marketing.
② Configure security groups: Normal security group and VIP security group.
③ Configure authentication rules: "Normal service" (matching condition: Account J00001; authentication result: Normal security group) and "VIP service" (matching condition: Account M00002; authentication result: VIP security group).
④ Configure a QoS policy and a traffic policy: Normal security group, QoS -, Bandwidth Upstream 3M / Downstream 6M; VIP security group, QoS High, Bandwidth Upstream 5M / Downstream 10M.
Traffic of a normal user matches the first rule; traffic of a VIP user matches the second.]
NOTE
Users in the example are VPN users. When a VPN user dials to the firewall, the firewall authenticates
the user's identity and finds the security group and policies defined for the user. If traffic sent by a
user on the campus to access the Internet passes through the firewall, the intranet switch will
authenticate the identity of the user. The firewall cannot directly identify traffic senders. Therefore,
the firewall queries user information from the Controller based on the source IP address of traffic.
Then the firewall executes QoS and bandwidth policies on the traffic based on the security group
defined for the user.
2. Configure the firewall.
a. Enable the agile network function on the firewall.
b. Configure the SSL VPN.
NOTE
When the automatic selection preference function is enabled on the SSL VPN client, the ping
service must be enabled on the firewall. The configuration is as follows:
1. Choose Network > Interface.
Procedure
Step 1 Configure the Controller.
1. Add the firewalls to be managed by the Controller.
a. Choose Resource > Device > Device Manager, click Add, and configure information
on the firewalls to be managed by the Controller.
c. Click OK.
2. Add the accounts and passwords of mobile users to the Controller.
a. Choose Resource > User > User Management. On the Department tab, click
, set Department to Market Department, and click OK.
c. In the rows of Jack and Mark, click . On the Account Management page, click
. On the Add Account page, set login accounts and passwords for Jack and
Mark.
The user name is used to identify a user, whereas the account and password configured
here are used for identity authentication when Jack accesses the intranet through L2TP
over IPSec.
Choose Policy > Permission Control > Security Group > Security Group
Management and click Add to add common and VIP security groups. Click OK.
4. Configure a pre-authentication domain, so that mobile employees can access the NGFW
and Controller before being authenticated.
Choose Policy > Security Group > Intranet Configuration and add the IP addresses of
the NGFW virtual gateway and Controller to the pre-authentication domain.
b. Click OK.
IPv4 IP address: 1.1.1.1/24
c. Click OK.
d. Repeat the preceding steps to configure GE1/0/2 and GE1/0/3.
IPv4 IP address: 10.2.0.1/24
IPv4 IP address: 10.3.0.1/24
2. Complete VPN configuration based on actual networking. For details, see 5.21.5.1
Configuring the Firewall to Provide L2TP Over IPSec Access Services and Implement
Identity Authentication and Permission Control for L2TP Users in a Service Mobility
Scenario and 5.21.5.2 Configuring the Firewall to Provide SSL VPN Access Services
and Implement Identity Authentication and Permission Control for SSL VPN Users
in a Service Mobility Scenario.
3. Configure the RADIUS server.
a. Choose Object > Authentication Server > RADIUS. Click Add and set parameters
as follows:
The parameters must be consistent with those on the RADIUS server. The shared key
is Admin@123.
b. Click OK.
4. Enable the agile network function on the firewall.
a. Choose System > Agile Network Configuration.
b. Select Enable next to Agile Network Function.
Step 3 Log in to the Controller again, configure QoS and bandwidth policies, and configure the
Controller to send security groups and policies to the firewall.
After enabling the agile network function on the firewall, check whether the firewall can
interwork with the Controller. If yes, configure QoS and bandwidth policies on the Controller
and configure the Controller to deliver security groups and policies to the firewall.
1. Choose Policy > Service Mobility > User Qos Policy.
2. Configure QoS for the VIP security group.
4. Choose Policy > Quick Authorization and click to configure uplink and downlink
bandwidth for common and VIP security groups.
Set User Information as required.
5. Click Confirm.
----End
Verification
The services of Mark (the VIP user) are prioritized at peak hours.
5.21.5.4 Enabling the Firewall to Provide Content Security Check Services in the
Service Chain Scenario
This section describes how to enable the firewall to provide content security check services in
the service chain scenario.
Networking Requirements
Figure 5-118 shows the service chain scenario. The firewall is deployed in off-line mode next
to the core switch and checks the security of specified traffic passing through the core
switch. The enterprise requires that the firewall check the security of all traffic from
employees to the Web server.
[Figure 5-118 diagram: the core switch and the NGFW are connected over an Eth-Trunk carrying a GRE tunnel; Web server 10.2.0.10/24; Controller 10.3.0.10/24; intranet users 10.1.2.1/24]
Data Planning
[Data planning tables (columns Item and Data): rows not recovered from the page]
Configuration Roadmap
1. Configure the firewall.
NOTE
If the firewall uses an Eth-Trunk interface to connect to the switch in the Service Chain scenario,
you need to configure per-packet load balancing on the Eth-Trunk interface. For configuration details,
see 8.6.6 Configuring the Load Balancing Mode.
a. Add the core switch and firewall to the Controller server so that the Controller can
deliver the configured policy information to the core switch and firewall.
b. Define the data flow that the firewall needs to check.
c. Configure service chain resources.
d. Orchestrate and deploy the defined service chains.
Procedure
Step 1 Configure the NGFW.
1. Set interface IP addresses and assign the interfaces to security zones.
a. Choose Network > Interface.
b. Click of GE1/0/1 and set the parameters as follows:
IPv4 IP address: 10.2.1.1/24
b. Click OK.
3. Enable the agile network function on the firewall.
a. Choose System > Agile Network Configuration.
a. Choose Resource > Device > Device Manager, click Add, and set the parameters of
the firewall to be managed.
b. Click the XMPP tab and set the XMPP connection parameters.
c. Click OK.
d. Click Add and set the parameters of the core switch to be managed.
e. Click OK.
2. Define the data flow that the firewall needs to check.
a. In the main menu, choose Policy > Service Chain Orchestration > Service Flow
Defining, click Add, and set the parameters as shown in the following figure.
b. Click OK.
3. Configure the IP address pool.
a. In the main menu, choose Policy > Service Chain Orchestration > IP Address
Pool, click Add, and set the parameters as shown in the following figure.
The IP addresses in this address pool are used for the tunnel interfaces of the GRE
tunnels between the core switch and firewall.
b. Click OK.
4. Configure service chain resources.
a. In the main menu, choose Policy > Service Chain Orchestration > Service Chain
Resource, click Add.
- In the Orchestration Device group box, add the devices to the correct positions
in the topology on the right.
- In the Service Device group box, add the devices to the correct positions in the
topology on the right.
b. Click Save.
5. Arrange and deploy service chains.
a. In the main menu, choose Policy > Service Chain Orchestration > Service Chain
Orchestration and click Add.
- In the Service Flow group box, add service flow user_to_web_server to the
corresponding service flow in the topology on the right.
- In the topology on the right, place the service devices, such as the firewall, at the
specified position between the source and destination based on the traffic detection sequence.
b. Click Save.
6. Configure users on the enterprise network.
a. Choose Resource > User > User Management, click on the Department
tab, and add employee Robert to the R&D department. Then click OK.
b. Click on the User tab of the R&D department and set the name of the
employee on the move. Then click OK.
c. In the row of Robert, click . On the Account Management page that is displayed,
click . Then on the Add Account page, set the login account and password
information of Robert.
User names are configured for administrators to identify users. Only the account and
password specified on this page are for user authentication. The login password is
Admin@1234.
a. Choose Policy > Permission Control > Security Group > Security Group
Management, click , and add a common and a VIP security group. Then click
OK.
b. In the row of the security group of the web server, click and bind an IP address
to the Web server. Then click OK.
b. Click OK.
1. Choose Policy > Security Policy, click Add, and set the parameters as shown in the
following figure.
NOTE
This example uses the default content security configuration. For detailed
configurations, see 2.10.5 Configuring a Security Policy.
2. Click OK.
----End
Verification
Check whether the Controller has delivered the security group and policy configuration to the
firewalls and core switches and whether the firewalls have implemented content security checks
on the traffic from employees to the Web server.
5.21.6 Reference
This section provides references of the agile network function.
5.21.6.1 Specifications
This section describes agile network specifications.
Table 5-55 lists the specifications of the agile security groups, security policies, and maximum
number of displayed users that the firewall can synchronize from the Controller in the service
mobility scenario.
[Table 5-55 (columns Item and Specifications): rows not recovered from the page]
6 High Availability
6.1.1 Overview
This section describes the background and basic functions of hot standby.
With the popularity of network applications and the exponential bandwidth growth, a short
network interruption may severely compromise services and lead to great losses. Therefore, high
availability becomes a crucial factor in network construction.
As shown in Figure 6-1, device 1 forwards the service traffic of all intranet users to the Internet.
If device 1 goes faulty, all data exchanges between the intranet and Internet are interrupted.
[Figure 6-1 diagram: intranet users, a switch, Device 1, a switch, the Internet]
To prevent single-point failures, you can deploy two devices for hot standby. When one device
goes faulty, service traffic can be smoothly switched to the standby device.
As shown in Figure 6-2, service traffic is forwarded by device 1. When device 1 goes faulty,
service traffic switches to device 2, which ensures uninterrupted services and improves network
reliability.
[Figure 6-2 diagram: Device 1 and Device 2 deployed between two switches; traffic direction when the network is operating properly (through Device 1) and when a fault occurs (through Device 2); intranet user]
Definition
In active/standby mode, the active device processes services, and the standby device stays in
idle state. If an error occurs on the interface or link of the active device or the active device is
faulty, the standby device becomes active and takes over services.
[Figure 6-3 diagram: two NGFWs between routers and switches, joined by a heartbeat link; traffic before switchover passes the active device, traffic after switchover passes the standby device when a fault occurs]
Typical Networking
Based on the type of service interfaces on the NGFWs and the type of the upstream and
downstream devices, you can deploy active/standby mode in the following scenarios:
- Service interfaces work at Layer 3 and connect to switches.
As shown in Figure 6-4, the service interfaces of the NGFW work at Layer 3 and directly
connect to switches. Static routes are configured for each NGFW to communicate with the
routers or PCs that are connected to the downstream and upstream switches.
This networking scheme is commonly used and recommended for deploying the NGFW.
This scheme applies to small and medium-sized networks and networks on which the
NGFW functions as a gateway.
NOTE
Compared with Figure 6-3, two switches are deployed at both the upstream and downstream links in
Figure 6-4, which enhances network availability.
Figure 6-4 Networking diagram of active/standby backup when service interfaces work at
Layer 3 and connect to switches
[Figure 6-4 diagram: Internet; Switch3 and Switch4; NGFW1 and NGFW2 with Layer-3 interfaces in a VRRP group upstream and a VRRP group downstream; Switch1 and Switch2]
Based on Figure 6-4, you can connect the upstream and downstream interfaces on
NGFW1 respectively to Switch4 and Switch2 and the upstream and downstream interfaces
on NGFW2 respectively to Switch3 and Switch1.
In this way, a full redundancy hot standby network is deployed, as shown in Figure 6-5.
Full redundancy hot standby improves network availability and service continuity in case
multiple links fail. For example, when GE1/0/1 and GE1/0/2 on NGFW1 and GE1/0/1 on
NGFW2 are faulty, service traffic can be forwarded through GE1/0/2 on NGFW2.
[Figure 6-5 diagram: full redundancy hot standby; NGFW1 and NGFW2 each connect GE1/0/2 toward Switch3 and Switch4 and GE1/0/1 toward Switch1 and Switch2, with a heartbeat link between the NGFWs]
Figure 6-6 Networking diagram of active/standby backup when service interfaces work at
Layer 3 and connect to routers
[Figure 6-6 diagram: Router3 and Router4 upstream; NGFW1 and NGFW2 with Layer-3 interfaces running OSPF upstream and downstream; traffic before and after switchover]
Figure 6-7 Networking diagram of active/standby backup when service interfaces work at
Layer 2 and connect to switches
[Figure 6-7 diagram: Switch3 and Switch4; NGFW1 and NGFW2 with Layer-2 interfaces upstream and downstream; traffic before and after switchover]
Definition
Load balancing means that two devices serve as backup for each other and both devices process
services. When one device is faulty, the other device takes over all the services. When you plan
the network topology, ensure that the total traffic load of two devices does not exceed the
processing capability of either device.
Both devices process services, which improves packet forwarding efficiency and eases the load
on a single device.
As shown in Figure 6-8, two NGFWs are deployed at the network border. Then service traffic
is forwarded to both NGFWs for processing. Each NGFW functions as an active device that
processes service traffic, as well as a standby device that synchronizes the configuration and
status of the other NGFW through the heartbeat cable.
If an interface or link on NGFW1 is faulty, or NGFW1 itself is faulty, NGFW2 takes over the
forwarding of all service traffic.
[Figure 6-8 diagram: routers upstream, switches downstream, NGFW1 and NGFW2 joined by a heartbeat link; traffic forwarded by NGFW1 and traffic forwarded by NGFW2; on a fault all traffic moves to the other NGFW; intranet users]
Typical Networking
Based on the type of service interfaces on the NGFWs and the type of the upstream and
downstream devices, you can deploy load balancing in one of the following networking
diagrams:
Figure 6-9 Networking diagram of load balancing when service interfaces work at Layer
3 and connect to switches
[Figure 6-9 diagram: Internet; Switch3 and Switch4; NGFW1 and NGFW2 with a heartbeat link; Switch1 and Switch2; intranet; traffic forwarded by NGFW1 and traffic forwarded by NGFW2]
Figure 6-10 Networking diagram of load balancing when service interfaces work at Layer
3 and connect to routers
[Figure 6-10 diagram: Router3 and Router4; NGFW1 and NGFW2 with Layer-3 interfaces running OSPF upstream and downstream; traffic forwarded by NGFW1 and traffic forwarded by NGFW2]
Figure 6-11 Networking diagram of load balancing when service interfaces work at Layer
2 and connect to routers
[Figure 6-11 diagram: Router3 and Router4 running OSPF; NGFW1 and NGFW2 with Layer-2 interfaces upstream and downstream; traffic forwarded by NGFW1 and traffic forwarded by NGFW2]
6.1.3 Mechanism
This section describes the protocols and concepts in hot standby.
As shown in Figure 6-12, the five key issues about hot standby are as follows:
[Figure 6-12 diagram: NGFW_A (active) and NGFW_B (standby) joined by a heartbeat link; labels: information synchronization, fault detection, status switchover, traffic directing; after the fault NGFW_B is active and NGFW_A standby; service traffic]
As shown in Figure 6-13, each NGFW belongs to two VGMP groups: one active and one standby.
The default priority of the active VGMP group is 65001, and that of the standby VGMP group
is 65000.
The VGMP groups of two NGFWs use heartbeat interfaces to exchange VGMP Hello packets
to negotiate the active/standby status.
- If the NGFWs work in active/standby mode, the NGFW in the active VGMP group is in
active state, and the NGFW in the standby VGMP group is in standby state.
- If the NGFWs work in load balancing mode, both NGFWs belong to the active VGMP
group.
In this case, the NGFW on which hot standby is enabled first is called a designated active
device, and the NGFW on which hot standby is enabled later is called a designated standby
device.
[Figure 6-13 diagram: active/standby mode: NGFW_A active group (state active), NGFW_B standby group (state standby); load balancing mode: both NGFW_A and NGFW_B active; heartbeat messages are exchanged over the heartbeat link]
Each time an interface monitored by a VGMP group fails, the priority of the VGMP group
decreases by 2. The priority of a VGMP group is calculated using this formula: Priority of a
VGMP group = Default priority of the VGMP group - 2 x N (N indicates the number of interface
faults).
Monitoring method: Use a VRRP group to monitor interfaces.
  Networking: The service interfaces of each NGFW work at Layer 3 and are directly connected to switches. The NGFWs use static routes to communicate with the routers or PCs directly connected to the switches.
  Configuration: Configure VRRP groups. For details about VRRP groups, see Interface Monitoring Based on VRRP Groups.
Monitoring method: Directly monitor interfaces.
  Networking: The service interfaces of each NGFW work at Layer 3 and are directly connected to routers. The NGFWs and routers run OSPF.
  Configuration: Configure VGMP groups to monitor interfaces.
Monitoring method: Monitor the VLAN to which the service interfaces of each NGFW belong.
  Networking: The service interfaces of each NGFW work at Layer 2.
  Configuration: Add these service interfaces to VLANs and configure VGMP groups to monitor the VLANs. Each time an interface in a VLAN fails, the priority value of the corresponding VGMP group is reduced by 2.
If the standby device does not receive a VGMP Hello packet from the active device within three
consecutive Hello intervals, the standby device considers the active device faulty. The standby
device switches its VGMP group to active and starts to work as the active device.
If the heartbeat link or a heartbeat interface goes faulty, the two devices cannot receive VGMP
Hello packets from each other and both switch to active state. In this case, the devices cannot
synchronize configurations or sessions, and the fault must be troubleshot.
[Figure 6-14 diagram: VRRP group 1, virtual IP address 1.1.1.1/24, on GE1/0/1 of NGFW_A (state active) and NGFW_B (state standby); VRRP group 2, virtual IP address 10.1.1.1/24, on GE1/0/3 of NGFW_A (state active) and NGFW_B (state standby); the intranet PC uses the VRRP group virtual address 10.1.1.1/24 as its gateway; heartbeat link between the NGFWs; service traffic]
When you add an interface on the NGFW to a VRRP group, you must specify a VGMP group
for the interface. The status of a VGMP group determines the status of the interfaces in the
associated VRRP groups. If the status of the VGMP group is active, the status of the interfaces
in the associated VRRP group is active. If the status of the VGMP group is standby, the status
of the interfaces in the associated VRRP group is standby.
As shown in Figure 6-15, during the active/standby status switchover of a VGMP group, the
interfaces in all associated VRRP groups are forced to switch their status so that the upstream
and downstream interfaces of the NGFW simultaneously switch their status, which ensures that
both the incoming and outgoing traffic is forwarded by the standby device.
Figure 6-15 Network on which VGMP groups control the status of the interfaces in a VRRP
group
[Figure 6-15 diagram, four stages: (1) initial state, VGMP group status active; (2) the upstream interface goes faulty, VGMP group status still active; (3) the VGMP group status changes to standby; (4) the status of the downstream interface is adjusted to standby]
As shown in Figure 6-16, the process in which VGMP groups control the device status
switchover is described as follows:
- In active/standby mode
Normally, the priority of the active VGMP group on NGFW_A is 65001, and NGFW_A
is the active device.
When a monitored interface of NGFW_A goes faulty, the priority of the active VGMP
group on NGFW_A decreases to 64999, which is smaller than that of the standby VGMP
group on NGFW_B. Therefore, the active VGMP group on NGFW_A becomes the standby
VGMP group, and NGFW_A becomes the standby device. The standby VGMP group on
NGFW_B becomes the active VGMP group, and NGFW_B becomes the active device.
If the preemption function is enabled and NGFW_A recovers, the priority of the standby
VGMP group on NGFW_A changes back to 65001, which is higher than that (65000) of
the active VGMP group on NGFW_B. Then NGFW_A preempts to be the active device.
If the preemption function is disabled and NGFW_A recovers, NGFW_A still acts as the
standby device and does not process services.
l In load balancing mode
Normally, the active VGMP group on NGFW_A and the standby VGMP group on NGFW_B form an active/standby pair, and the standby VGMP group on NGFW_A and the active VGMP group on NGFW_B form another active/standby pair. Therefore, both NGFW_A and NGFW_B consider themselves active devices, forming dual-active networking. The devices forward traffic based on the routes on the upstream and downstream devices.
When a monitored interface of NGFW_A goes faulty, the priorities of the active and standby VGMP groups on NGFW_A decrease. The priority of the active VGMP group on NGFW_A becomes lower than that of the standby VGMP group on NGFW_B, and the priority of the standby VGMP group on NGFW_A becomes lower than that of the active VGMP group on NGFW_B. Both VGMP groups on NGFW_A therefore enter the standby state, NGFW_A becomes the standby device, and NGFW_B starts to forward all traffic.
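The priority comparison described above, as an added model that is not Huawei code and not part of this guide. It encodes only the rules the text gives: an active VGMP group starts at priority 65001 and a standby group at 65000, a fault on a monitored interface lowers the local groups' priority (65001 to 64999 in the text, so a penalty of 2 per faulty interface is assumed here), the group with the higher priority in a pair holds the active role, and a recovered device takes the role back only when preemption is enabled. The class name, method names and the load balancing pairing are the example's own.

```python
"""VGMP priority model: which device is active after a fault and after recovery.

Added illustration, not Huawei code. Only the figures 65001, 65000 and 64999
come from the guide; the per-interface penalty of 2 is derived from them.
"""

ACTIVE_BASE = 65001    # priority of an active VGMP group (from the text)
STANDBY_BASE = 65000   # priority of a standby VGMP group (from the text)
FAULT_PENALTY = 2      # assumed: 65001 -> 64999 for one faulty monitored interface

DEVICES = ("NGFW_A", "NGFW_B")


def peer(dev):
    return "NGFW_B" if dev == "NGFW_A" else "NGFW_A"


class HotStandbyPair:
    """Two NGFWs whose VGMP groups are paired across the heartbeat link."""

    def __init__(self, mode, preempt=True):
        if mode not in ("active/standby", "load-balancing"):
            raise ValueError(mode)
        self.mode = mode
        self.preempt = preempt
        self.faults = {d: 0 for d in DEVICES}
        # Each pair maps device -> base priority of the group it contributes.
        if mode == "active/standby":
            # NGFW_A's active group is paired with NGFW_B's standby group.
            self.pairs = [{"NGFW_A": ACTIVE_BASE, "NGFW_B": STANDBY_BASE}]
        else:
            # Both devices hold an active and a standby group, paired crosswise.
            self.pairs = [{"NGFW_A": ACTIVE_BASE, "NGFW_B": STANDBY_BASE},
                          {"NGFW_A": STANDBY_BASE, "NGFW_B": ACTIVE_BASE}]
        # Device holding the active role in each pair: the higher priority wins.
        self.active = ["NGFW_A" if p["NGFW_A"] > p["NGFW_B"] else "NGFW_B"
                       for p in self.pairs]

    def priority(self, dev, pair_index=0):
        return self.pairs[pair_index][dev] - FAULT_PENALTY * self.faults[dev]

    def interface_fault(self, dev):
        """A monitored interface on dev fails: its groups lose priority and yield."""
        self.faults[dev] += 1
        for i in range(len(self.pairs)):
            if self.active[i] == dev and self.priority(dev, i) < self.priority(peer(dev), i):
                self.active[i] = peer(dev)

    def interface_recover(self, dev):
        """The interface comes back: dev regains the role only with preemption."""
        self.faults[dev] = max(0, self.faults[dev] - 1)
        if not self.preempt:
            return
        for i in range(len(self.pairs)):
            if self.active[i] != dev and self.priority(dev, i) > self.priority(peer(dev), i):
                self.active[i] = dev

    def device_roles(self):
        """A device is active when it holds the active role in at least one pair."""
        return {d: ("active" if d in self.active else "standby") for d in DEVICES}


if __name__ == "__main__":
    hs = HotStandbyPair("active/standby", preempt=False)
    hs.interface_fault("NGFW_A")
    hs.interface_recover("NGFW_A")
    print(hs.device_roles())   # NGFW_B stays active when preemption is disabled
```

Running the same fault/recover sequence with preempt=True returns the active role to NGFW_A, which is the behaviour the text describes for the preemption function.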
Figure 6-16 (diagram; NGFW_A and NGFW_B exchange heartbeat messages over the heartbeat link). Active/standby panel: before the switchover, NGFW_A is Active with its active group in state active and NGFW_B is Standby with its standby group in state standby; after the switchover, NGFW_A is Standby with its active group in state standby and NGFW_B is Active with its standby group in state active. Load balancing panel: before the switchover, NGFW_A and NGFW_B are both Active, each holding an active group in state active and a standby group in state standby; after the switchover, NGFW_A is Standby with both groups in state standby and NGFW_B is Active with both groups in state active.
Traffic Directing
In hot standby networking, traffic must always be directed to the active device.
Table 6-2 lists the methods for directing traffic in different networking environments.
Networking: The service interfaces of each NGFW work at Layer 3 and are directly connected to switches. The NGFWs use static routes to communicate with the routers or PCs directly connected to the switches.
Method: Only the active device responds to ARP requests carrying virtual IP addresses. Each ARP packet carries a virtual IP address and the corresponding MAC address (the MAC address can be a virtual one or the MAC address of an interface, which is determined by the vrrp virtual-mac enable command setting). The upstream or downstream switch updates its MAC table based on received ARP packets. The MAC address corresponding to the virtual IP address in the MAC table indicates the interface connecting to the active firewall. In this manner, traffic from the upstream or downstream switch can be diverted to the active firewall for forwarding.
Networking: The service interfaces of each NGFW work at Layer 3 and are directly connected to routers. The NGFWs and routers run OSPF.
Method: The active device advertises routes with regular costs. The standby device increases the cost of each route by 65500. Therefore, traffic is forwarded by the active device.
Networking: The service interfaces of each NGFW work at Layer 2 and are added to the same VLAN.
Method: The VLAN on the active device can forward traffic, but the VLAN on the standby device cannot. Therefore, traffic is forwarded by the active device.
(HRP) to synchronize configuration information. After HRP is enabled, the key configurations
and session status information are synchronized to the standby device in real time.
The two NGFWs use the heartbeat link to detect each other's status and synchronize
configurations and status information. The interfaces at the ends of a heartbeat link are called
heartbeat interfaces.
As shown in Figure 6-17, the service interfaces of each NGFW work at Layer 3 and directly
connect to Layer 2 switches.
Active/Standby
Figure 6-17 Active/standby networking in which the service interfaces of each NGFW work at Layer 3 and directly connect to switches (diagram: NGFW_A Active and NGFW_B Standby, joined by a heartbeat link. VRRP group 2 on GE1/0/3 of both devices, virtual IP address 1.1.1.1/24, state active on NGFW_A and standby on NGFW_B; next-hop address of the router: 1.1.1.1/24. VRRP group 1 on GE1/0/1 of both devices, virtual IP address 10.1.1.1/24, state active on NGFW_A and standby on NGFW_B.)
As shown in Figure 6-17, a VRRP group is configured on each service interface of NGFW_A.
The service interfaces are in the active state. A VRRP group is configured on each service
interface of NGFW_B. The service interfaces are in the standby state. The virtual IP address of
the corresponding VRRP group is configured as the gateway address of the PC on the intranet.
1. The PC sends an ARP packet to the directly connected switch for requesting the MAC
address of the gateway. The switch broadcasts the ARP packet.
2. Only the interface (such as GE1/0/1 of NGFW_A) in active state responds to the ARP
packet and sends the interface MAC address.
3. The switch records the mapping between the interface MAC address and Eth0/0/1 and sends
the MAC address to the PC.
4. The PC sends a service packet with the interface GE1/0/1 MAC address of NGFW_A as
the destination address to the switch.
5. Based on the mapping between the MAC address and port, the switch sends the packet to
NGFW_A from Eth0/0/1.
Normally, the traffic sent from the PC is forwarded by NGFW_A (active device).
Figure 6-18 (diagram, network after the fault: NGFW_A Standby and NGFW_B Active, joined by a heartbeat link. VRRP group 2 on GE1/0/3, virtual IP address 1.1.1.1/24, next-hop address of the router 1.1.1.1/24, and VRRP group 1 on GE1/0/1, virtual IP address 10.1.1.1/24, are both in state standby on NGFW_A and active on NGFW_B. The switch connects to NGFW_A through Eth0/0/1 and to NGFW_B through Eth0/0/2; its MAC table maps MAC address 0022-a100-0002 to port Eth0/0/2. Gateway address of the PC on the intranet: 10.1.1.1/24. Legend: VRRP groups, service traffic, gratuitous ARP packets, heartbeat link, fault.)
The operation of the network after NGFW_A goes faulty, as shown in Figure 6-18, is analyzed as follows:
1. When a service interface of NGFW_A goes faulty, NGFW_A becomes the standby device,
and NGFW_B becomes the active device.
2. NGFW_B sends gratuitous ARP packets, which triggers the directly connected switches
to update the mappings between MAC addresses and ports, such as the interface GE1/0/1
MAC address of NGFW_B and Eth0/0/2.
3. When the PC sends a service packet to the switch, the switch forwards the packet to
NGFW_B from Eth0/0/2.
Then the traffic sent from the PC is forwarded by NGFW_B.
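The two sequences above (the ARP exchange in Figure 6-17 and the gratuitous ARP after the fault in Figure 6-18), as an added model that is not Huawei code and not part of this guide. It represents a Layer 2 switch that learns which port is behind a MAC address from ARP frames, two NGFW interfaces of which only the VRRP-active one answers ARP requests for the virtual IP, and the gratuitous ARP the newly active device sends after the switchover. The virtual IP 10.1.1.1, the switch ports Eth0/0/1 and Eth0/0/2 and the NGFW_B MAC address 0022-a100-0002 are taken from the figures; the NGFW_A MAC address 0022-a100-0001, the virtual MAC value and all function names are constructed for the example.

```python
"""Switch MAC-table view of ARP-based traffic directing (Figures 6-17 and 6-18).

Added illustration, not Huawei code. Addresses marked 'constructed' are not
from the guide.
"""
from dataclasses import dataclass, field

GATEWAY_VIP = "10.1.1.1"        # virtual IP of VRRP group 1, the PC's gateway (figure)
VIRTUAL_MAC = "0000-5e00-0101"  # constructed value standing in for vrrp virtual-mac enable


@dataclass
class NgfwInterface:
    device: str
    mac: str                     # MAC of the physical interface
    state: str                   # "active" or "standby" in the VRRP group
    virtual_mac: bool = False    # True models the vrrp virtual-mac enable setting

    def advertised_mac(self):
        return VIRTUAL_MAC if self.virtual_mac else self.mac

    def answer_arp(self, target_ip):
        """Only the active interface replies to ARP requests for the virtual IP."""
        if target_ip == GATEWAY_VIP and self.state == "active":
            return self.advertised_mac()
        return None


@dataclass
class Switch:
    ports: dict                                    # port name -> NgfwInterface
    mac_table: dict = field(default_factory=dict)  # MAC -> port


@dataclass
class Pc:
    arp_cache: dict = field(default_factory=dict)  # IP -> MAC


def arp_request(pc, sw, ip):
    """Steps 1-3: the PC broadcasts an ARP request, the switch floods it,
    only the active interface replies, and the switch learns its port."""
    for port, iface in sw.ports.items():
        mac = iface.answer_arp(ip)
        if mac:
            sw.mac_table[mac] = port
            pc.arp_cache[ip] = mac
            return mac
    return None


def egress_port(pc, sw, ip):
    """Steps 4-5: port the switch uses for a PC packet to ip (None if unknown)."""
    mac = pc.arp_cache.get(ip)
    return sw.mac_table.get(mac) if mac else None


def gratuitous_arp(pc, sw):
    """After a switchover the new active interface announces the VIP-to-MAC
    binding; the switch relearns the port and the PC refreshes its cache."""
    for port, iface in sw.ports.items():
        if iface.state == "active":
            mac = iface.advertised_mac()
            sw.mac_table[mac] = port
            pc.arp_cache[GATEWAY_VIP] = mac


def failover_scenario(virtual_mac=False):
    """Return the egress port before the fault, right after the switchover
    (before any gratuitous ARP), after gratuitous ARP, and the gateway MAC
    the PC finally holds."""
    a = NgfwInterface("NGFW_A", "0022-a100-0001", "active", virtual_mac)   # MAC constructed
    b = NgfwInterface("NGFW_B", "0022-a100-0002", "standby", virtual_mac)  # MAC from figure
    sw = Switch({"Eth0/0/1": a, "Eth0/0/2": b})
    pc = Pc()
    arp_request(pc, sw, GATEWAY_VIP)
    before = egress_port(pc, sw, GATEWAY_VIP)
    a.state, b.state = "standby", "active"    # interface fault on NGFW_A: VGMP switchover
    stale = egress_port(pc, sw, GATEWAY_VIP)  # nothing relearned yet: still the old port
    gratuitous_arp(pc, sw)
    after = egress_port(pc, sw, GATEWAY_VIP)
    return before, stale, after, pc.arp_cache[GATEWAY_VIP]
```

The "stale" value is the window in which the switch still sends the PC's packets towards the faulty NGFW_A; it closes only when the gratuitous ARP from NGFW_B arrives, which is why the gratuitous ARP interval configured later in this chapter must be shorter than the MAC aging time on the switches. With virtual_mac=True the MAC the PC caches does not change across the switchover, only the switch's port mapping does.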
Load Balancing
As shown in Figure 6-19, the load balancing networking is configured as follows:
l VRRP groups 1 and 2 are configured on GE1/0/1 of NGFW_A. GE1/0/1 is in active state
in VRRP group 1 and in standby state in VRRP group 2.
l VRRP groups 1 and 2 are configured on GE1/0/1 of NGFW_B. GE1/0/1 is in standby state
in VRRP group 1 and in active state in VRRP group 2.
l Set the gateway of PC1 to the virtual IP address of VRRP group 1 and set that of PC2 to
the virtual IP address of VRRP group 2.
l VRRP groups 3 and 4 are configured on GE1/0/3 of NGFW_A. GE1/0/3 is in active state
in VRRP group 3 and in standby state in VRRP group 4.
l VRRP groups 3 and 4 are configured on GE1/0/3 of NGFW_B. GE1/0/3 is in standby state
in VRRP group 3 and in active state in VRRP group 4.
l Two static routes are configured on the router. The next-hop address of one route is the
virtual IP address of VRRP group 3, and the next-hop address of the other route is the virtual
IP address of VRRP group 4.
GE1/0/1 of NGFW_A uses the virtual IP address of VRRP group 1 as the next-hop address to
forward packets. GE1/0/1 of NGFW_B uses the virtual IP address of VRRP group 2 as the next-
hop address to forward packets. Some PC traffic is forwarded by NGFW_A, while the other PC
traffic is forwarded by NGFW_B, implementing load balancing.
Figure 6-19 Load balancing networking in which the service interfaces of each NGFW work at Layer 3 and directly connect to switches (diagram: NGFW_A and NGFW_B both Active, joined by a heartbeat link. On GE1/0/3 of both devices: VRRP group 3, virtual IP address 1.1.1.1/24, and VRRP group 4, virtual IP address 1.1.1.2/24; next-hop address of the router: 1.1.1.1/24. On GE1/0/1 of both devices: VRRP group 1, virtual IP address 10.1.1.1/24, and VRRP group 2, virtual IP address 10.1.1.2/24. Legend: VRRP groups, traffic of PC1, traffic of PC2, heartbeat link.)
As shown in Figure 6-20, the service interfaces on each NGFW work at Layer 3 and directly
connect to routers. The NGFWs and their directly connected routers use OSPF to communicate.
Active/Standby
Figure 6-20 Networking in which the service interfaces of each NGFW work at Layer 3 and directly connect to routers (diagram: Router_C and Router_D upstream, Router_A and Router_B downstream, NGFW_A and NGFW_B in between, running OSPF toward both the upstream and the downstream routers.)
As shown in Figure 6-20, NGFW_A (active device) advertises routes properly. NGFW_B
(standby device) increases the cost of each route to be advertised by 65500.
The routers connected to the NGFWs use the path with the smaller cost to forward traffic.
Therefore, traffic is forwarded by NGFW_A (active device).
When a service interface of NGFW_A goes faulty, NGFW_A becomes the standby device, and
NGFW_B becomes the active device.
NGFW_B advertises routes properly, whereas NGFW_A increases the cost of each route to be
advertised by 65500. After route reconvergence, traffic is forwarded by NGFW_B.
Load balancing
Figure 6-21 Load balancing networking in which the service interfaces of each NGFW work at Layer 3 and directly connect to routers (diagram: same layout as Figure 6-20, running OSPF on both sides, with cost 10 on each link between Router_C and Router_D and the NGFWs and cost 10 on each link between Router_A and Router_B and the NGFWs.)
As shown in Figure 6-21, NGFW_A and NGFW_B that work in load balancing mode are both
active devices and properly advertise routes.
Therefore, you need to set the same cost for the interfaces that connect Routers A and C to
NGFW_A and the interfaces that connect Routers B and D to NGFW_B. This setting allows
traffic to be balanced between NGFW_A and NGFW_B.
As shown in Figure 6-22, the service interfaces on each NGFW work at Layer 2 and connect
to Layer 2 switches. The service interfaces on each NGFW are added to the same VLAN.
Figure 6-22 Networking in which the service interfaces of each NGFW work at Layer 2 and directly connect to switches (diagram: Switch_C and Switch_D upstream, Switch_A and Switch_B downstream, NGFW_A and NGFW_B in between. Legend: service link, heartbeat link, VLAN, traffic before switchover.)
Active/Standby
As shown in Figure 6-22, the VLAN on NGFW_A (active device) is enabled and can forward
traffic. The VLAN on NGFW_B (standby device) is disabled and cannot forward traffic.
Therefore, all traffic is forwarded by NGFW_A.
NOTICE
If hot standby in load balancing mode is enabled, the VLANs on the two firewalls need to be
enabled. Otherwise, a loop may be formed between the switches. Therefore, the networking
applies only to the active/standby mode. If you want to deploy hot standby in load balancing
mode, contact Huawei technical support personnel.
If NGFW_A goes faulty, NGFW_A becomes the standby device, and NGFW_B becomes the
active device.
If NGFW_A becomes the standby device, all interfaces in the VLAN of NGFW_A go Down and then Up. Because of these interface status changes, all switches update their MAC forwarding tables. Therefore, traffic is diverted to NGFW_B.
As shown in Figure 6-23, the upstream and downstream interfaces on the NGFW work at Layer
2 and directly connect to routers. The NGFWs and their directly connected routers use OSPF to
communicate. The upstream and downstream service interfaces on each NGFW are added to
the same VLAN.
Figure 6-23 Networking in which the service interfaces of each NGFW work at Layer 2 and directly connect to routers (diagram: Router_C and Router_D upstream, Router_A and Router_B downstream, NGFW_A and NGFW_B in between, running OSPF toward both sides. Legend: service link, heartbeat link, VLAN, traffic forwarded by NGFW_A, traffic forwarded by NGFW_B.)
Load Balancing
The VLANs on NGFW_A and NGFW_B are enabled and can forward traffic. NGFW_A,
NGFW_B, and their directly connected routers need to run OSPF to divert traffic.
Therefore, you need to set the same cost for the interfaces that connect Routers A and C to
NGFW_A and the interfaces that connect Routers B and D to NGFW_B. This setting allows
traffic to be balanced between NGFW_A and NGFW_B.
NOTICE
In this networking, hot standby in load balancing mode is recommended. If hot standby works
in active/standby mode, the VLANs on the standby firewall are disabled. When an active/standby
switchover occurs, route convergence is slow, affecting service forwarding.
If NGFW_A goes faulty, NGFW_A becomes the standby device, and NGFW_B becomes the
active device.
If NGFW_A becomes the standby device, all interfaces in the VLAN of NGFW_A go Down and then Up. As a result, all routers need to recalculate routes. In this case, the VLAN on NGFW_A is disabled, and the cost of the path that passes through NGFW_A increases. Therefore, all traffic is forwarded by NGFW_B.
Hardware Restrictions
l Currently, hot standby can be implemented between only two devices.
l The active and standby devices must have the same product model and version.
l The active and standby devices must have the same number and types of boards installed
in the same arrangement. Otherwise, the information synchronized from the active device
does not match the physical configuration of the standby device. As a result, faults occur
after an active/standby switchover.
l If you want to use a Layer 2 interface as a heartbeat interface, add the Layer 2 interface to a VLAN. Then create a VLANIF interface and configure an IP address for it. Use the VLANIF interface as the heartbeat interface, and use the remote parameter to specify the IP address of the heartbeat interface on the remote device.
Software Restrictions
l The active and standby devices must run software of the same version. Otherwise, some
configurations or session table structures on the two devices may be different. As a result,
faults may occur when the active and standby devices synchronize configurations and
status.
l The BootROM versions on the active and standby devices must be the same.
l If configuration commands are entered manually on the active and standby devices while the automatic backup function is disabled, the configuration contents may be the same but the configuration order is not; for example, the policy matching conditions on the active and standby devices differ. In such cases, the consistency check function reports that the active and standby device configurations are different. This affects neither the hot standby service nor performance. You just need to re-configure the commands.
l It is recommended that the active and standby devices use their initial configuration files.
Otherwise, faults may occur after the active/standby switchover because of configuration
conflicts.
l The service interfaces and heartbeat interfaces used by active and standby devices must be
the same. For example, if the active device uses GigabitEthernet1/0/1 as the service
interface and GigabitEthernet1/0/7 as the heartbeat interface, the standby device must use
the same interfaces.
l The interfaces with vrrp virtual-mac enable configured cannot function as the heartbeat
interfaces.
l To configure an Eth-Trunk interface as a heartbeat interface, you need to run the load-balance packet-all command to set per-packet load balancing for the Eth-Trunk interface.
l The default MTU of the heartbeat interface must be 1500.
l The service interfaces of the active and standby devices use fixed IP addresses. Therefore,
you cannot use the hot standby function together with the features, such as PPPoE and
DHCP, that use dynamic IP addresses.
l Before changing the working mode on the web page after hot standby is established, you
must clear all hot standby-related configurations.
l If you use the engine overload action command to set the engine overload action to
block, an active/standby switchover affects connected services (for example FTP
connections), and reconnection is required. If you set the action to bypass, reconnection is
not required. An active/standby switchover affects proxy services, such as SSL proxy and
mail proxy services, and reconnection is required, regardless of whether the value is
block or bypass.
l The hot standby configuration and the IPSec configuration are each the same whether hot standby interworks with IPSec or the two features are used separately.
l Only the IPSec policy configuration, not the interface configuration, is synchronized from
the active device to the standby device. Therefore, you need only to apply IPSec policies
in the outgoing interface of the standby device.
l If the NGFW initiates the establishment of an IPSec tunnel, you must run the local-address ip-address command to specify the virtual VRRP IP address as the local IP address for initiating the IPSec negotiation.
Prerequisites
1. Determine the networking mode. For networking details, see 6.1.4 Analysis of Typical
Hot Standby Networks.
2. Determine whether to use the active/standby or load balancing mode.
3. Complete basic network configurations, such as interface, routes, and security policy
configurations.
Context
The hot standby configuration varies according to networking modes.
Networking: 6.1.4.1 Networking 1: Service Interfaces of Each NGFW Working at Layer 3 and Directly Connecting to Switches
Operation: Complete the task of Step 4 and add the upstream and downstream service interfaces of each NGFW to VRRP groups.
Networking: 6.1.4.2 Networking 2: Service Interfaces of Each NGFW Working at Layer 3 and Directly Connecting to Routers
Operation: Complete the task of Step 5 to enable the NGFWs to monitor their upstream and downstream service interfaces.
Networking: 6.1.4.3 Networking 3: Service Interfaces of Each NGFW Working at Layer 2 and Directly Connecting to Switches
Operation: The tasks of Step 4 and Step 5 are not required. Because a VGMP group monitors all VLANs except VLAN1 by default, you only need to add the upstream and downstream service interfaces of the NGFWs to VLANs.
Networking: 6.1.4.4 Networking 4: Service Interfaces of Each NGFW Working at Layer 2 and Directly Connecting to Routers
Operation: The tasks of Step 4 and Step 5 are not required. Because a VGMP group monitors all VLANs except VLAN1 by default, you only need to add the upstream and downstream service interfaces of the NGFWs to VLANs.
Procedure
Step 1 Choose System > High Availability > Dual-System Hot Backup.
Step 3 Select the check box of Enable and set basic hot standby parameters. Parameters are described
as follows:
Parameter Description
State: Select the active or standby status of the local NGFW only when the two NGFWs work in active/standby mode.
Heartbeat Interface: Select a heartbeat interface. Ensure that the heartbeat interface has an IP address. The heartbeat interface is used to synchronize configurations and status information between the NGFWs.
NOTE
You need to configure an interzone security policy between the Local zone and the zone to which the heartbeat interfaces belong so that the two devices can exchange packets.
If the heartbeat interfaces of the two devices are connected through switches or routers, you must set Peer IP. Peer IP is the IP address of the heartbeat interface on the remote device.
You can configure a maximum of 16 heartbeat interfaces. Only the heartbeat interface that is configured first and is in the Up state is used. You can click to add a heartbeat interface.
Hello Packet Interval: Set the interval at which Hello packets are sent. The default interval is 1000 ms and is recommended. Ensure that the active and standby devices have the same interval.
l In active/standby mode, this parameter is the interval at which the active device sends Hello packets.
l In load balancing mode, this parameter is the interval at which the two devices exchange Hello packets.
Parameter Description
Link-Local Address: For a VRRPv6 group, both the virtual IP address and the link-local address are required. The link-local address is an IPv6 address whose prefix is FE80, such as FE80::7. This address is used for communication between adjacent nodes on a link and is valid only for the link. Before configuring a virtual IPv6 address for a VRRPv6 group, you must configure a link-local address for the group.
3. Click OK.
(Figure fragment: Router B, NGFW_B with GE1/0/3 and GE1/0/1, and Router D, connected over OSPF.)
Parameter Description
Add selected monitored interface to the monitored interface group: After you select this check box, the system adds all selected Monitored Interfaces to the monitored interface group. If an interface in the monitored interface group goes down, all interfaces in this group go down. For example, if GE1/0/1 in Figure 6-25 goes down, GE1/0/3 also goes down.
----End
Follow-up Procedure
After you complete the preceding operations, choose System > High Availability > Dual-System Hot Backup to view the operating status of hot standby. The parameters related to hot standby are described as follows:
Parameter Description
Current Working Mode:
l Single Device: displayed if hot standby is not enabled.
l Active/Standby Backup: displayed when the devices work in active/standby mode.
l Load Balancing: displayed when the devices work in load balancing mode.
Configuration Consistency: Whether the configurations of the active and standby devices are consistent. Click Check to check whether the configurations of the devices are consistent. Click Details to view the check results, check date, and inconsistent items. In the dialog box that is displayed, click Synchronize Configuration to synchronize device configurations. Click Recheck to check whether the configurations of the devices are consistent.
For details about the flow for configuring hot standby, see Figure 6-26.
Figure 6-26 (flowchart): Start. Complete basic network configurations. Then perform one of the following operations, depending on the networking: if the Layer 3 service interfaces connect to switches, configure VRRP groups; if the Layer 3 service interfaces connect to routers, configure interface monitoring; if the Layer 2 service interfaces connect to switches or routers, configure VLAN monitoring. Then configure heartbeat interfaces, configure a backup mode, and check the configuration. End.
Prerequisites
1. Complete service interface configurations, such as IP address and security zone
configurations.
2. Configure security policies to permit legitimate traffic.
Context
The configuration roadmap is as follows:
(Figure 6-27 fragment: NGFW_A connects to Switch A through GE1/0/3, 10.3.0.1/24, and to Switch C through GE1/0/1, 10.2.0.1/24.)
l Active/standby
1. Configure a VRRP group on each service interface of the active device and add the VRRP groups to an active VGMP group.
As shown in Figure 6-27, VRRP group 2 configured on GE1/0/1 and VRRP group 1
configured on GE1/0/3 of NGFW_A are added to the active VGMP group.
2. Configure a VRRP group on each service interface of the standby device and add the
VRRP groups to the standby VGMP group.
As shown in Figure 6-27, VRRP group 2 configured on GE1/0/1 and VRRP group 1
configured on GE1/0/3 of NGFW_A are added to the standby VGMP group.
3. On the hosts or devices that are directly connected to each NGFW, set the gateway
address or next-hop address of the static route to the virtual IP address of the
corresponding VRRP group.
l Load balancing
1. Two VRRP groups are configured on each service interface of NGFW_A. One VRRP
group is added to the active VGMP group, and the other to the standby VGMP group.
As shown in Figure 6-27, on the downlink interface of NGFW_A, configure VRRP
group 1 and add it to the active VGMP group; configure VRRP group 3 and add it to
the standby VGMP group. On the uplink interface, configure VRRP group 2 and add
it to the active VGMP group; configure VRRP group 4 and add it to the standby VGMP
group.
2. On the service interfaces of NGFW_B, configure the same VRRP groups but add them
to the opposite VGMP groups.
As shown in Figure 6-27, on the downlink service interface of NGFW_A, configure
VRRP group 1 and add it to the standby VGMP group; configure VRRP group 3 and
add it to the active VGMP group. On the uplink service interface, configure VRRP
group 2 and add it to the standby VGMP group; configure VRRP group 4 and add it
to the active VGMP group.
3. On the downstream devices, configure two static routes, with the next hop addresses
being the virtual IP addresses of the two VRRP groups respectively.
Procedure
Step 1 Access the interface view.
The interfaces that support VRRP groups include Layer 3 Ethernet interfaces and their
subinterfaces, Layer 3 Eth-Trunk interfaces, and VLANIF interfaces.
Step 2 Run the following commands to configure a VRRP or VRRPv6 group as required:
l Configure a VRRP group.
vrrp vrid virtual-router-id virtual-ip virtual-address [ ip-mask | ip-mask-length ]
{ active | standby }
l Configure a VRRPv6 group.
l virtual-router-id specifies the VRRP group ID. The two hot standby NGFWs must be configured with the same VRID.
l FE80::X:X link-local specifies the link-local address of the VRRPv6 group. The link-local
address is an IPv6 address whose prefix is FE80. This address is used for communication
between adjacent nodes on a link and is valid only for the link. Before configuring a virtual
IPv6 address for a VRRPv6 group, you must configure a link-local address for the group.
l virtual-address specifies the virtual IPv4 address of the VRRP group, while virtual-ipv6-address specifies the virtual IPv6 address of the VRRPv6 group. The virtual IP address should not be the same as the interface address.
Both NGFWs use the virtual IP address to communicate with other devices. For upstream
and downstream devices, the two NGFWs serve as one device, with the virtual IP address
being the interface address. If you configure static routes on upstream and downstream
devices, configure the virtual IP address as the next hop.
l ip-mask | ip-mask-length specifies the subnet mask of the virtual IPv4 address of the VRRP
group. If the virtual IP address and interface IP address are in different network segments,
configure the subnet mask for the interface IP address.
By default, VRRP packets are not authenticated by the NGFW. VRRP packet authentication is
not required on a secure network.
You can enable VRRP packet authentication if necessary. The NGFW supports simple text
authentication (with parameter simple configured) and md5 authentication.
NOTE
Set the same VRRP authentication key on the service interfaces that are added to the same VRRP group.
VRRPv6 groups do not support VRRP packet authentication.
Step 4 Optional: Enable the virtual MAC address function on the interface.
Enable this function on the interface when the directly connected device is a Layer-4 switch.
Step 5 Optional: In the system view, configure the interval at which the active device sends gratuitous
ARP packets.
By default, the active device sends gratuitous ARP packets every 300s (5 minutes).
The time value must be smaller than the aging time of the MAC address table on the switches
directly connected to the NGFW. The smaller the time value, the sooner the MAC address table
on the switches is updated after the active/standby switchover of the NGFW.
----End
Example
When the NGFWs work in active/standby mode shown in Figure 6-27, the VRRP group
configuration is as follows:
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[NGFW_A-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 active
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW_A-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 active
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.0.2 24
[NGFW_B-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 standby
[NGFW_B-GigabitEthernet1/0/1] quit
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.3.0.2 24
[NGFW_B-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 standby
[NGFW_B-GigabitEthernet1/0/3] quit
When the NGFWs work in load balancing mode shown in Figure 6-27, the VRRP group
configuration is as follows:
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[NGFW_A-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 active
[NGFW_A-GigabitEthernet1/0/1] vrrp vrid 4 virtual-ip 10.2.0.4 standby
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW_A-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 active
[NGFW_A-GigabitEthernet1/0/3] vrrp vrid 3 virtual-ip 10.3.0.4 standby
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.0.2 24
[NGFW_B-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 standby
[NGFW_B-GigabitEthernet1/0/1] vrrp vrid 4 virtual-ip 10.2.0.4 active
[NGFW_B-GigabitEthernet1/0/1] quit
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.3.0.2 24
[NGFW_B-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 standby
[NGFW_B-GigabitEthernet1/0/3] vrrp vrid 3 virtual-ip 10.3.0.4 active
[NGFW_B-GigabitEthernet1/0/3] quit
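A consistency check over transcripts of the kind shown above, as an added example that is not Huawei code and not part of this guide. It parses lines in the form "[NGFW_A-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 active" and checks the rules stated in Step 2 and in the software restrictions: both NGFWs use the same service interfaces, each VRID exists on both devices with the same virtual IP and opposite roles, the virtual IP is not the interface IP, and the virtual IP lies in the interface subnet unless a mask is given. The optional mask position after the virtual IP follows the syntax quoted in Step 2; the two sample transcripts are constructed (the first mirrors the load balancing example, the second deliberately introduces mistakes), and all function names are the example's own.

```python
"""Consistency check for the VRRP group configuration of a hot standby pair.

Added example, not Huawei code. Sample transcripts below are constructed.
"""
import ipaddress
import re
from collections import defaultdict

PROMPT = re.compile(r"^\[(?P<dev>[^\]-]+)(?:-(?P<view>[^\]]+))?\]\s*(?P<cmd>.*)$")
IPADDR = re.compile(r"^ip address (\S+) (\S+)$")
VRRP = re.compile(r"^vrrp vrid (\d+) virtual-ip (\S+)(?: (\d+(?:\.\d+){3}|\d+))? (active|standby)$")


def parse(transcript):
    """{device: {interface: {"ip": IPv4Interface|None, "groups": {vrid: (vip, mask, role)}}}}"""
    devs = defaultdict(dict)
    for line in transcript.strip().splitlines():
        m = PROMPT.match(line.strip())
        if not m or not m.group("view"):
            continue                        # system-view lines carry nothing we check
        iface = devs[m.group("dev")].setdefault(m.group("view"), {"ip": None, "groups": {}})
        cmd = m.group("cmd")
        if a := IPADDR.match(cmd):
            iface["ip"] = ipaddress.ip_interface(f"{a.group(1)}/{a.group(2)}")
        elif g := VRRP.match(cmd):
            iface["groups"][int(g.group(1))] = (g.group(2), g.group(3), g.group(4))
    return devs


def detect_mode(devs, dev):
    """One role everywhere means active/standby; mixed roles mean load balancing."""
    roles = {role for iface in devs[dev].values() for _, _, role in iface["groups"].values()}
    return "active/standby" if len(roles) == 1 else "load-balancing"


def check_pair(transcript, dev_a="NGFW_A", dev_b="NGFW_B"):
    """Return a list of findings; an empty list means the pair is consistent."""
    devs = parse(transcript)
    findings = []
    for name in sorted(set(devs[dev_a]) | set(devs[dev_b])):
        ia, ib = devs[dev_a].get(name), devs[dev_b].get(name)
        if not (ia and ib):
            findings.append(f"{name}: configured on only one device")
            continue
        for vrid in sorted(set(ia["groups"]) | set(ib["groups"])):
            ga, gb = ia["groups"].get(vrid), ib["groups"].get(vrid)
            if not (ga and gb):
                findings.append(f"{name} vrid {vrid}: missing on one device")
            elif ga[0] != gb[0]:
                findings.append(f"{name} vrid {vrid}: virtual IP differs ({ga[0]} vs {gb[0]})")
            elif ga[2] == gb[2]:
                findings.append(f"{name} vrid {vrid}: both devices are {ga[2]}")
        for dev, iface in ((dev_a, ia), (dev_b, ib)):
            for vrid, (vip, mask, _) in iface["groups"].items():
                if iface["ip"] is None:
                    findings.append(f"{dev} {name}: no interface IP address")
                elif ipaddress.ip_address(vip) == iface["ip"].ip:
                    findings.append(f"{dev} {name} vrid {vrid}: virtual IP equals the interface IP")
                elif mask is None and ipaddress.ip_address(vip) not in iface["ip"].network:
                    findings.append(f"{dev} {name} vrid {vrid}: {vip} is outside "
                                    f"{iface['ip'].network} and no mask was given")
    return findings


# Constructed transcript mirroring the load balancing example above.
GOOD = """
[NGFW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[NGFW_A-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 active
[NGFW_A-GigabitEthernet1/0/1] vrrp vrid 4 virtual-ip 10.2.0.4 standby
[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW_A-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 active
[NGFW_A-GigabitEthernet1/0/3] vrrp vrid 3 virtual-ip 10.3.0.4 standby
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.0.2 24
[NGFW_B-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 standby
[NGFW_B-GigabitEthernet1/0/1] vrrp vrid 4 virtual-ip 10.2.0.4 active
[NGFW_B-GigabitEthernet1/0/3] ip address 10.3.0.2 24
[NGFW_B-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 standby
[NGFW_B-GigabitEthernet1/0/3] vrrp vrid 3 virtual-ip 10.3.0.4 active
"""
# Constructed broken variant: differing VIP in vrid 4, VIP equal to the NGFW_B
# interface IP in vrid 1, and both sides standby in vrid 3 (four findings).
BAD = (GOOD.replace("vrid 4 virtual-ip 10.2.0.4 active", "vrid 4 virtual-ip 10.2.0.5 active")
           .replace("vrid 1 virtual-ip 10.3.0.3 standby", "vrid 1 virtual-ip 10.3.0.2 standby")
           .replace("vrid 3 virtual-ip 10.3.0.4 active", "vrid 3 virtual-ip 10.3.0.4 standby"))

if __name__ == "__main__":
    print(detect_mode(parse(GOOD), "NGFW_A"), check_pair(GOOD))
    for finding in check_pair(BAD):
        print("-", finding)
```

Because the consistency check described under Follow-up Procedure compares the two running configurations after HRP synchronization, a check like this one is most useful on the prepared configuration before hot standby is enabled, when a mismatched VRID or virtual IP would otherwise leave one interface without a peer.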
Prerequisites
1. Service interfaces are configured, including setting interface IP addresses and assigning
interfaces to security zones.
2. OSPF is configured on the NGFWs and their downstream and upstream routers.
3. A security policy is configured to permit legitimate traffic.
Procedure
Step 1 Access an interface view from the system view.
The interface can be a Layer-3 Ethernet interface, its subinterface, or a Layer-3 Eth-Trunk
interface.
In active/standby mode, run the hrp track active command on the service interfaces of the active
NGFW and the hrp track standby command on the service interfaces of the standby NGFW.
In load balancing mode, run both the hrp track active and hrp track standby commands on
the service interfaces of the active and standby NGFWs.
Step 3 In the system view, enable OSPF cost adjustment based on VGMP group status.
l IPv4 networks:
hrp ospf-cost adjust-enable [ standby-cost ]
l IPv6 networks:
hrp ospfv3-cost adjust-enable [ standby-cost ]
NOTICE
This command is mandatory in active/standby mode when the service interfaces work at Layer
3 and connect to routers. This command is optional in load balancing mode.
By default, this function is enabled, and the cost value (standby-cost) is 65500.
The value of standby-cost depends on the OSPF costs of the upstream and downstream routers,
and it must be greater than the costs of the upstream and downstream routers of the standby
NGFW.
After you run this command, the NGFW advertises OSPF costs based on its active/standby status. If the NGFW is the active device, it advertises the routes it learns. If the NGFW is the standby device, it advertises the routes with the cost standby-cost so that the upstream and downstream routers select the active NGFW as the next hop based on route calculation.
----End
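The cost-based traffic directing behind this command and behind the OSPF networkings in Figures 6-20 and 6-21, as an added example that is not Huawei code and not part of this guide. It runs a plain shortest-path computation over a constructed topology modelled on the figures (Router_A and Router_B downstream, Router_C and Router_D upstream, NGFW_A between A and C, NGFW_B between B and D; the two router-to-router links and all link costs are assumed). A standby NGFW is modelled as advertising its routes with the cost raised by standby-cost, using the default 65500 stated above, and the same function shows what happens when standby-cost is smaller than the router costs it must exceed.

```python
"""OSPF cost-based traffic directing between two hot standby NGFWs.

Added illustration, not Huawei code. Topology and costs are constructed.
"""
import heapq

OSPF_LINKS = [  # (node, node, cost); constructed, inter-router links assumed
    ("Router_A", "NGFW_A", 10), ("NGFW_A", "Router_C", 10),
    ("Router_B", "NGFW_B", 10), ("NGFW_B", "Router_D", 10),
    ("Router_A", "Router_B", 1), ("Router_C", "Router_D", 1),
]
DEFAULT_STANDBY_COST = 65500   # default standby-cost of hrp ospf-cost adjust-enable


def build_graph(links, standby_ngfws, standby_cost):
    """Directed adjacency; routes advertised by a standby NGFW carry the extra cost."""
    graph = {}
    for u, v, cost in links:
        for src, dst in ((u, v), (v, u)):
            extra = standby_cost if src in standby_ngfws else 0
            graph.setdefault(src, []).append((dst, cost + extra))
            graph.setdefault(dst, [])
    return graph


def shortest_path(graph, src, dst):
    """Dijkstra; returns (path, cost) or (None, None) if dst is unreachable."""
    dist, prev, pq = {src: 0}, {}, [(0, src)]
    while pq:
        d, u = heapq.heappop(pq)
        if d > dist[u]:
            continue
        if u == dst:
            break
        for v, w in graph[u]:
            if d + w < dist.get(v, float("inf")):
                dist[v] = d + w
                prev[v] = u
                heapq.heappush(pq, (d + w, v))
    if dst not in dist:
        return None, None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1], dist[dst]


def forwarding_ngfw(src_router, dst_router, standby_ngfws=(), standby_cost=DEFAULT_STANDBY_COST):
    """Which NGFW carries traffic from src_router to dst_router, and the path cost."""
    graph = build_graph(OSPF_LINKS, set(standby_ngfws), standby_cost)
    path, cost = shortest_path(graph, src_router, dst_router)
    return next(n for n in path if n.startswith("NGFW_")), cost


if __name__ == "__main__":
    # Load balancing: both active, each router pair uses its own NGFW.
    print(forwarding_ngfw("Router_A", "Router_C"), forwarding_ngfw("Router_B", "Router_D"))
    # Active/standby after NGFW_A yields: its routes cost 65500 more, so B carries A's traffic.
    print(forwarding_ngfw("Router_A", "Router_C", standby_ngfws={"NGFW_A"}))
    # A standby-cost smaller than the router costs does not divert traffic.
    print(forwarding_ngfw("Router_A", "Router_C", standby_ngfws={"NGFW_A"}, standby_cost=1))
```

The last call is the failure mode the NOTICE warns about: with standby-cost set to 1 the path through the standby NGFW_A still costs less than the detour via Router_B, NGFW_B and Router_D, so the routers keep sending traffic to the device that has just failed over.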
Example
Figure 6-28 (diagram fragment): heartbeat interfaces GE1/0/7 with IP addresses 10.10.0.1/24 and 10.10.0.2/24; NGFW_B connects to Router B through GE1/0/3 (10.3.1.1/24) and to Router D through GE1/0/1 (10.2.1.1/24), running OSPF toward both routers.
In active/standby mode shown in Figure 6-28, the interface monitoring configurations are as
follows:
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[NGFW_A-GigabitEthernet1/0/1] hrp track active
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW_A-GigabitEthernet1/0/3] hrp track active
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[NGFW_B-GigabitEthernet1/0/1] hrp track standby
[NGFW_B-GigabitEthernet1/0/1] quit
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.3.1.1 24
[NGFW_B-GigabitEthernet1/0/3] hrp track standby
[NGFW_B-GigabitEthernet1/0/3] quit
In load balancing mode shown in Figure 6-28, the interface monitoring configurations are as
follows:
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[NGFW_A-GigabitEthernet1/0/1] hrp track active
[NGFW_A-GigabitEthernet1/0/1] hrp track standby
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW_A-GigabitEthernet1/0/3] hrp track active
[NGFW_A-GigabitEthernet1/0/3] hrp track standby
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[NGFW_B-GigabitEthernet1/0/1] hrp track active
[NGFW_B-GigabitEthernet1/0/1] hrp track standby
[NGFW_B-GigabitEthernet1/0/1] quit
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.3.1.1 24
[NGFW_B-GigabitEthernet1/0/3] hrp track active
[NGFW_B-GigabitEthernet1/0/3] hrp track standby
[NGFW_B-GigabitEthernet1/0/3] quit
Prerequisites
1. Service interfaces are configured, including configuring interfaces as Layer 2 interfaces
and assigning interfaces to security zones.
2. The upstream and downstream service interfaces are added to the same VLAN (not
VLAN1).
3. A security policy is configured to permit legitimate traffic.
Context
Note the following when you configure VLAN monitoring:
- When the service interfaces work at Layer 2 and connect to switches, VLAN monitoring can
be implemented only in active/standby mode.
- When the service interfaces work at Layer 2 and connect to routers, VLAN monitoring can be
implemented only in load balancing mode. In this case, the OSPF costs on the upstream
routers must be the same, and the OSPF costs on the downstream routers must be the same.
Procedure
Step 1 Access the VLAN view from the system view.
vlan vlan-id
Step 2 Configure VLAN monitoring in the VLAN view.
In active/standby mode, run the hrp track active command in the view of the VLAN of the
service interfaces on the active NGFW and the hrp track standby command in the view of the
VLAN of the service interfaces on the standby NGFW.
In load balancing mode, run both the hrp track active and hrp track standby commands in the
VLAN view of the service interfaces on both NGFWs.
----End
Example
Figure 6-29 VLAN monitoring in active/standby mode: service interfaces GE1/0/1 and GE1/0/3 of
each NGFW in VLAN 2, service links to the switches, heartbeat link between the NGFWs
When service interfaces work at Layer 2 and connect to switches in active/standby mode shown
in Figure 6-29, the configurations of VLAN monitoring are as follows:
[NGFW_A] VLAN 2
[NGFW_A-vlan-2] port GigabitEthernet 1/0/1
[NGFW_A-vlan-2] port GigabitEthernet 1/0/3
[NGFW_A-vlan-2] hrp track active
[NGFW_B] VLAN 2
[NGFW_B-vlan-2] port GigabitEthernet 1/0/1
[NGFW_B-vlan-2] port GigabitEthernet 1/0/3
[NGFW_B-vlan-2] hrp track standby
Figure 6-30 VLAN monitoring in load balancing mode: service interfaces GE1/0/1 and GE1/0/3 of
each NGFW in VLAN 2, routers in one OSPF area upstream and downstream, service links and
heartbeat link
When service interfaces work at Layer 2 and connect to routers in load-balancing mode shown
in Figure 6-30, the configurations of VLAN monitoring are as follows:
[NGFW_A] VLAN 2
[NGFW_A-vlan-2] port GigabitEthernet 1/0/1
[NGFW_A-vlan-2] port GigabitEthernet 1/0/3
[NGFW_A-vlan-2] hrp track active
[NGFW_A-vlan-2] hrp track standby
[NGFW_B] VLAN 2
[NGFW_B-vlan-2] port GigabitEthernet 1/0/1
[NGFW_B-vlan-2] port GigabitEthernet 1/0/3
[NGFW_B-vlan-2] hrp track active
[NGFW_B-vlan-2] hrp track standby
Context
The NGFWs use the heartbeat interface to exchange heartbeat packets and synchronize
configuration and status information.
You are advised to directly connect the heartbeat interfaces on the NGFWs.
You can also use an Eth-Trunk interface as the heartbeat interface to improve network
availability and increase the bandwidth of heartbeat link.
To configure an Eth-Trunk interface as a heartbeat interface, you need to run the load-balance
packet-all command to set per-packet load balancing for the Eth-Trunk interface.
Procedure
Step 1 Configure the heartbeat interfaces.
1. Select the heartbeat interface on each NGFW.
A heartbeat interface can be a Layer 3 Ethernet interface or its subinterface, a Layer 3
Eth-Trunk interface, or a VLANIF interface.
2. Set an IP address for each heartbeat interface.
You can use a private IP address because the heartbeat interface does not advertise routes
or forward service traffic.
Step 2 Assign the heartbeat interfaces to a security zone.
You must assign the heartbeat interfaces on the two NGFWs to the same security zone.
Step 3 Specify the heartbeat interface in the system view.
hrp interface interface-type interface-number [ remote ip-address ]
- The type and ID of the heartbeat interfaces on the two NGFWs must be the same. For example,
if you set GigabitEthernet 1/0/7 as the heartbeat interface on NGFW_A, you must also set
GigabitEthernet 1/0/7 as the heartbeat interface on NGFW_B.
- You can directly connect the heartbeat interfaces on the NGFWs or deploy a switch or router
in between. If you deploy a switch or router in between, you must specify the IP address of
the remote heartbeat interface with the remote ip-address parameter.
- If you want to use a Layer 2 interface as a heartbeat interface, add the Layer 2 interface to
a VLAN, create a VLANIF interface for that VLAN, and configure an IP address for the VLANIF
interface. If a VLANIF interface is used as the heartbeat interface, the remote parameter must
be set regardless of whether the heartbeat interfaces are directly connected or connected
through another device.
Step 4 Optional: Configure the action as permit in the security policy implemented between the Local
zone and the security zone to which the heartbeat interfaces are assigned.
NOTE
- If remote is not set, the heartbeat packets are encapsulated in VRRP packets, and the NGFW
processes backup packets even when no security policy permits them.
- If remote is set, the heartbeat packets are encapsulated in UDP packets, and a security policy
must be configured for the interzone between the Local zone and the security zone where the
heartbeat interfaces reside so that the NGFW can send and receive the heartbeat packets.
1. Access the security policy view from the system view.
security-policy
2. Create a security policy rule and access its view.
rule name rule-name
3. Specify the source security zones.
source-zone zone-name &<1-6>
Set zone-name to local and to the security zone to which the heartbeat interfaces are
assigned.
NOTE
Specify both security zones for source-zone and for destination-zone to permit bidirectional
traffic between the Local zone and the security zone to which the heartbeat interfaces are
assigned.
4. Specify the destination security zones.
destination-zone zone-name &<1-6>
Set zone-name to local and to the security zone to which the heartbeat interfaces are
assigned.
5. Set the action to permit.
action permit
----End
Example
Figure 6-31 Heartbeat interfaces GE1/0/7 (10.10.0.1/24 on NGFW_A, 10.10.0.2/24 on NGFW_B)
connected to each other; NGFW_B service interfaces GE1/0/3 10.3.1.1/24 to Router B and GE1/0/1
10.2.1.1/24 to Router D, running OSPF
As shown in Figure 6-31, NGFW_A and NGFW_B are connected using heartbeat interfaces
GigabitEthernet1/0/7, and GigabitEthernet1/0/7 is assigned to the DMZ.
[NGFW_A-policy-security-rule-ha] quit
[NGFW_A-policy-security] quit
[NGFW_A] hrp interface GigabitEthernet 1/0/7
The heartbeat interface configuration on NGFW_B is the same as that on NGFW_A except the
interface IP address.
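Only the tail of the NGFW_A configuration survives above. The following complete configuration for the heartbeat interfaces of Figure 6-31 is an added example, not taken from the original guide. It assumes the addresses shown in the figure (10.10.0.1/24 on NGFW_A, 10.10.0.2/24 on NGFW_B), GigabitEthernet 1/0/7 in the DMZ, and the rule name ha seen in the prompts above. The variant at the end covers the case in which a switch or router sits between the heartbeat interfaces; narrowing the rule to the two heartbeat addresses there is an added hardening step that the procedure does not require, and the source-address/destination-address syntax is an assumption.

```text
# --- NGFW_A: directly connected heartbeat link (Figure 6-31) ---
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/7
[NGFW_A-GigabitEthernet1/0/7] ip address 10.10.0.1 24
[NGFW_A-GigabitEthernet1/0/7] quit
[NGFW_A] firewall zone dmz
[NGFW_A-zone-dmz] add interface GigabitEthernet 1/0/7
[NGFW_A-zone-dmz] quit
# Local <-> DMZ policy (Step 4). Not consulted while remote is unset, because the
# heartbeat packets are then VRRP packets, but required the moment a remote
# address is configured and the heartbeat becomes UDP.
[NGFW_A] security-policy
[NGFW_A-policy-security] rule name ha
[NGFW_A-policy-security-rule-ha] source-zone local
[NGFW_A-policy-security-rule-ha] source-zone dmz
[NGFW_A-policy-security-rule-ha] destination-zone local
[NGFW_A-policy-security-rule-ha] destination-zone dmz
[NGFW_A-policy-security-rule-ha] action permit
[NGFW_A-policy-security-rule-ha] quit
[NGFW_A-policy-security] quit
[NGFW_A] hrp interface GigabitEthernet 1/0/7

# --- NGFW_B: same interface type and ID, only the address differs ---
<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/7
[NGFW_B-GigabitEthernet1/0/7] ip address 10.10.0.2 24
[NGFW_B-GigabitEthernet1/0/7] quit
[NGFW_B] firewall zone dmz
[NGFW_B-zone-dmz] add interface GigabitEthernet 1/0/7
[NGFW_B-zone-dmz] quit
[NGFW_B] security-policy
[NGFW_B-policy-security] rule name ha
[NGFW_B-policy-security-rule-ha] source-zone local
[NGFW_B-policy-security-rule-ha] source-zone dmz
[NGFW_B-policy-security-rule-ha] destination-zone local
[NGFW_B-policy-security-rule-ha] destination-zone dmz
[NGFW_B-policy-security-rule-ha] action permit
[NGFW_B-policy-security-rule-ha] quit
[NGFW_B-policy-security] quit
[NGFW_B] hrp interface GigabitEthernet 1/0/7

# --- Variant: a switch or router between the heartbeat interfaces ---
# The remote address is mandatory; heartbeat packets are then UDP and rule ha
# above is what lets them through. Narrowing rule ha to the two heartbeat
# addresses is an added hardening step (assumption: the rule view accepts
# source-address/destination-address followed by a mask length).
[NGFW_A-policy-security-rule-ha] source-address 10.10.0.1 32
[NGFW_A-policy-security-rule-ha] source-address 10.10.0.2 32
[NGFW_A-policy-security-rule-ha] destination-address 10.10.0.1 32
[NGFW_A-policy-security-rule-ha] destination-address 10.10.0.2 32
[NGFW_A] hrp interface GigabitEthernet 1/0/7 remote 10.10.0.2
[NGFW_B] hrp interface GigabitEthernet 1/0/7 remote 10.10.0.1
```

Apply the same address restriction on NGFW_B. Keep the heartbeat interfaces out of any OSPF area and off the service path, as checklist item 16 in the verification section requires, so that the only traffic the rule ever matches is the heartbeat exchange between the two devices.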
Prerequisites
1. 6.1.7.2 Configuring VRRP Groups, 6.1.7.3 Configuring Interface Monitoring, or 6.1.7.4
Configuring VLAN Monitoring is complete.
2. 6.1.7.5 Configuring Heartbeat Interfaces is complete.
Context
In active/standby mode, after you enable hot standby, the heartbeat interfaces are properly
configured if the HRP_A command prompt is displayed on the active device, and the HRP_S
command prompt is displayed on the standby device.
In load balancing mode, both NGFWs process services. The HRP_A command prompt is
displayed on the NGFW on which hot standby is enabled first, and the HRP_S command prompt
is displayed on the other NGFW.
NOTICE
In normal cases, HRP_A or HRP_S is not displayed on both NGFWs at the same time.
You must enable hot standby for the NGFWs to establish active/standby status before you
configure other services, such as NAT and IPSec. Then the configurations and status information
can be synchronized from the active NGFW to the standby NGFW.
Procedure
Step 1 Optional: In the system view, set the Hello interval.
The default Hello interval for the active VGMP group is 1000 milliseconds.
NOTICE
You are advised to use the default interval. If you set the interval to a smaller value, active/
standby switchover may be triggered when no fault occurs.
If you need to change this value, ensure that the intervals specified on active and standby
NGFWs are the same. Otherwise, the active/standby status of the NGFWs may frequently
change.
Step 2 Optional: Set the preemption delay for the VGMP group.
Preemption is enabled by default for the VGMP group, and the default preemption delay is
60 seconds.
In hot standby scenarios, you are advised not to disable the preemption function of the VGMP
management group on the standby device. Otherwise, the standby device may fail to switch to
active when the active device is faulty.
NOTICE
In hot standby mode, if VRRP and dynamic routing protocols are enabled on the NGFWs and
their upstream and downstream devices, ensure that the preemption delay for the VGMP groups
is longer than the convergence period of the dynamic routing protocols (such as OSPF) to prevent
service interruptions. Or you can disable the preemption function.
Step 3 Optional: Switch the NGFWs to load balancing mode in the system view.
hrp loadbalance-device
By default, the NGFWs work in active/standby mode. You can run this command to switch to
load balancing mode.
In load balancing mode, you must configure this command on both NGFWs.
Step 4 Optional: Configure the NGFW as the standby device in the system view.
hrp standby-device
The NGFW functions as the active device by default. You can run this command to configure
the NGFW as the standby device.
In active/standby mode, run this command on the standby NGFW only. Do not configure this
command on the active NGFW.
In load balancing mode, you do not need to configure active and standby devices.
Step 5 Configure NAT port allocation for load balancing in the system view.
NOTICE
In load balancing mode, if a NAT address pool is required on the two NGFWs, you must run
the hrp nat ports-segment primary command on one NGFW and the hrp nat ports-segment
secondary command on the other NGFW to prevent port conflicts during NAT process.
You do not need to configure this command in active/standby mode.
Step 6 Optional: Set a delay for TCP session status detection in the system view.
When the upstream and downstream service interfaces on the NGFW work in hot standby mode
at Layer 2 and TCP session status detection is enabled on the NGFW, run the hrp tcp link-state
check delay command on active and standby NGFWs to set a delay for TCP session status
detection. Otherwise, the new active NGFW upon a switchover fails to establish sessions because
it cannot immediately learn the MAC address table. After a delay is set, TCP session status
detection is postponed on the new active NGFW after a switchover, ensuring that the new active
NGFW has enough time to learn the MAC address table.
Step 7 Optional: Configure the key for encrypting specific backup packets (configuration
commands) between the active and standby devices.
hrp encryption-key
By default, backup packets are transferred in plaintext. Because these packets carry
configuration commands, anyone who can capture traffic on the heartbeat path can read them.
When the heartbeat interfaces of the two NGFWs are not directly connected, you are advised to
run this command to configure an encryption key. You must configure the key on both the active
and standby NGFWs, and the keys must be the same. Otherwise, backup between the NGFWs may
fail.
Step 8 Enable hot standby in the system view.
hrp enable
Step 9 Optional: Enable automatic configuration consistency check.
Auto-check is performed only on the active device. After auto-check is complete, the active
device sends the HRP/4/CFGCHECK log based on the check result.
This command is automatically synchronized to the standby device, so you only need to
configure it on the active device. After an active/standby switchover, the new active device
continues to check configuration consistency.
Step 10 Optional: Configure the priority in the IP header of the heartbeat packets.
A larger value of the priority-number indicates a higher priority. Packets with a higher priority
are forwarded first.
Step 11 Optional: Allow configuration on the standby NGFW.
This function is disabled by default, in which case all information to be backed up must be
configured on the active NGFW.
After you enable this function, you can configure on the standby NGFW all information that can
be backed up, and the configuration is synchronized to the active NGFW.
If conflicting settings are configured on the active and standby NGFWs, the settings configured
later override those configured earlier.
----End
Prerequisites
Enabling Hot Standby is complete before you enable automatic or manual backup.
Context
The NGFW supports three backup modes shown in Table 6-3.
Table 6-3 Backup modes (manual batch backup)
Backup mode: Manual batch backup
Configuration commands: When both the active and standby NGFWs are working properly, you
can execute commands to instruct the active NGFW to synchronize the configuration commands
that can be backed up to the standby NGFW. The commands executed on the active NGFW are
then executed on the standby NGFW at the same time. Manual batch backup of configuration
commands fails when the standby NGFW is faulty.
Status information: When both the active and standby NGFWs are working properly, you can
execute commands to synchronize the status information that can be backed up to the standby
NGFW. Manual batch backup of status information fails when the standby NGFW is faulty.
Application scenario: Manual batch backup is required when the configurations of the active
and standby NGFWs are different.
Procedure
- Enable automatic backup of commands and status information in the system view.
Run the hrp auto-sync config command to enable automatic backup of configuration commands
(except static routes). To enable automatic backup of static routes, run the hrp auto-sync
config static-route command.
When you run the hrp auto-sync command without the config or connection-status parameter,
both commands (except static routes) and status information are automatically backed up.
- Enable manual batch backup in the user view.
Use manual batch backup when automatic backup fails or when the configurations are out of
sync.
- Enable quick session backup in the system view.
When the NGFWs work in load balancing mode, the forward and return packets of a connection
may pass through different NGFWs. To ensure service continuity, you must enable quick session
backup so that the session information on one NGFW is synchronized to the other NGFW.
When the NGFWs work in active/standby mode, enabling quick session backup is optional.
----End
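The following is an added example, not from the original guide, that carries the enabling procedure (Steps 3, 5, 7 and 8) and the backup settings above through on two NGFWs in load balancing mode. It assumes the heartbeat interfaces GigabitEthernet 1/0/7 are already configured as in 6.1.7.5 and that a NAT address pool is used on both devices. Only commands named on this page are used; the key value is a placeholder you must replace with your own, and the order (mode, port segment, key and backup settings first, hrp enable last) follows the page's advice to establish the active/standby state before configuring services that depend on synchronization.

```text
# --- NGFW_A (enabled first, so it takes the HRP_A prompt in load balancing mode) ---
[NGFW_A] hrp interface GigabitEthernet 1/0/7
[NGFW_A] hrp loadbalance-device
# Step 5: split the NAT port range so the two devices never allocate the same port
[NGFW_A] hrp nat ports-segment primary
# Step 7: backup packets carry configuration commands; same key on both devices
# (placeholder value, replace before use)
[NGFW_A] hrp encryption-key Replace-With-Your-Own-Key
# Load balancing: forward and return packets may cross different NGFWs, so quick
# session backup is mandatory, not optional
[NGFW_A] hrp mirror session enable
# Automatic backup of commands and status information, static routes included
[NGFW_A] hrp auto-sync config
[NGFW_A] hrp auto-sync config static-route
# Step 8: enable hot standby; the prompt changes to HRP_A
[NGFW_A] hrp enable
HRP_A[NGFW_A] display hrp state

# --- NGFW_B: identical except for the secondary port segment; prompt becomes HRP_S ---
[NGFW_B] hrp interface GigabitEthernet 1/0/7
[NGFW_B] hrp loadbalance-device
[NGFW_B] hrp nat ports-segment secondary
[NGFW_B] hrp encryption-key Replace-With-Your-Own-Key
[NGFW_B] hrp mirror session enable
[NGFW_B] hrp auto-sync config
[NGFW_B] hrp auto-sync config static-route
[NGFW_B] hrp enable
HRP_S[NGFW_B] display hrp state
```

After both devices show their HRP prompts, run display hrp state on each and confirm, as the verification checklist requires, that HRP_A and HRP_S are not both shown on the same device and that display current-configuration | include hrp nat lists the primary segment on one device and the secondary segment on the other. Do not configure hrp standby-device in this mode; it applies only to active/standby mode.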
Procedure
Step 1 Check command prompts.
After the HRP active/standby relationship is established, the NGFW whose command line
prompt is HRP_A is the active device, and NGFW whose command prompt is HRP_S is the
standby device.
Step 2 Check the configurations against the following checklist. Record each item as Passed
or Not passed.
General items
1 (Mandatory) The models and software versions of the active and standby firewalls are the
same. Command: display version
2 (Mandatory) The types and slots of the interface cards of the active and standby firewalls are
the same. Command: display device
3 (Mandatory) The service interfaces of the active and standby firewalls are the same.
Command: display hrp state
4 (Mandatory) The heartbeat interfaces of the active and standby firewalls are the same.
Command: display hrp interface
4.a (Optional) If an Eth-Trunk is used as the heartbeat link, the member interfaces on the
active and standby firewalls are the same. Command: display eth-trunk trunk-id
4.b (Optional) If the service link is used as the heartbeat link, both the heartbeat interface
and the IP address of the peer heartbeat interface are specified. Command: display
current-configuration | include hrp interface
5 (Mandatory) The interfaces of the active and standby firewalls are configured into the same
security zones. Command: display zone
6 (Optional) The service interfaces of the active and standby firewalls are configured into the
same VRRP backup group and share the same virtual IP address. Command: IPv4: display vrrp
interface interface-type interface-number; IPv6: display vrrp6 interface interface-type
interface-number
7 (Optional) The service interfaces of the active and standby firewalls are configured into
different VRRP management groups. Command: display hrp state
8 (Mandatory) The preemption function of the active firewall is disabled or the preemption
delay is set to 60 seconds. Command: display hrp group
10 (Mandatory) The upstream and downstream service interfaces are added to the same VLAN.
Command: display port vlan [ interface-type interface-number ]
11 (Mandatory) VRRP management groups are configured to monitor the status of the service
interfaces. Command: display hrp state
12 (Optional) If the firewalls are connected to upstream and downstream switches, the
firewalls work in active/standby mode. Command: display hrp group
13 (Optional) If the firewalls are connected to upstream and downstream routers, the firewalls
work in load balancing mode. Command: display hrp group
15 (Optional) If the firewalls are connected to upstream and downstream switches, the switches
are configured to use the virtual IP address of the VRRP backup group as their next hop.
Check the static route configurations of the upstream and downstream devices.
16 (Optional) If the firewalls are connected to upstream and downstream routers, OSPF runs
between the firewalls and the routers, and the heartbeat interfaces are not in the OSPF area.
Command: display ospf [ process-id ] brief
Load balancing
19 (Optional) The port range of the NAT address pool is specified. Command: display
current-configuration | include hrp nat
Step 3 In the interface view of the active device, run the shutdown command to check whether the
active/standby switchover can be implemented.
After you run the shutdown command on a service interface of the active device, the interface
goes down and the other service interfaces are working properly. If the command prompt on the
active device begins with HRP_S, the command prompt on the standby device begins with
HRP_A, and traffic is forwarded properly, the active/standby switchover succeeds.
After you run the undo shutdown command on the same interface of the active device, the
interface goes up. After the preemption delay expires, the preemption succeeds if the command
prompt on the active device begins with HRP_A, the command prompt on the standby device
begins with HRP_S, and traffic is forwarded properly.
Step 4 In the user view of the active device, run the reboot command to check whether the active/
standby switchover can be implemented.
After you run the reboot command on the active device, the active/standby switchover succeeds
if the command prompt on the standby device begins with HRP_A, and packets are properly
forwarded.
After the original active device restarts and the preemption delay expires, the preemption
succeeds if the command prompt on the original active device begins with HRP_A, the
command prompt on the standby device begins with HRP_S, and traffic is forwarded properly.
----End
Networking Requirements
On the network shown in Figure 6-32, the service interfaces of two NGFWs work at Layer 3
and are directly connected to switches.
The upstream switch is connected to the carrier network and the public IP address assigned to
the enterprise is 1.1.1.1.
The NGFWs are expected to work in active/standby mode. Normally, traffic is forwarded by
NGFW_A. When NGFW_A goes faulty, NGFW_B takes over.
Figure 6-32 Active/standby networking in which the service interfaces of each NGFW work at
Layer 3 and are directly connected to switches
Figure 6-32 Router 1.1.1.10/24 upstream; NGFW_A GE1/0/1 10.2.0.1/24 and NGFW_B GE1/0/1
10.2.0.2/24 in VRRP group 1 with virtual IP 1.1.1.1/24; NGFW_A GE1/0/3 10.3.0.1/24 and NGFW_B
GE1/0/3 10.3.0.2/24 in VRRP group 2 with virtual IP 10.3.0.3/24; heartbeat link between GE1/0/7
10.10.0.1/24 and GE1/0/7 10.10.0.2/24
Procedure
Step 1 Complete interfaces and basic network configurations.
1. Configure interfaces on NGFW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:
Zone: untrust; IPv4 IP Address: 10.2.0.1/24
c. Click OK.
d. Repeat the preceding steps to configure GE1/0/3.
Zone: trust; IPv4 IP Address: 10.3.0.1/24
e. Repeat the preceding steps to configure GE1/0/7.
Zone: dmz; IPv4 IP Address: 10.10.0.1/24
2. Configure interfaces on NGFW_B.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:
Zone: untrust; IPv4 IP Address: 10.2.0.2/24
c. Click OK.
d. Repeat the preceding steps to configure GE1/0/3.
Zone: trust; IPv4 IP Address: 10.3.0.2/24
e. Repeat the preceding steps to configure GE1/0/7.
Zone: dmz; IPv4 IP Address: 10.10.0.2/24
d. Click OK.
2. Configure hot standby on NGFW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Step 3 Configure the default route whose next hop is the virtual IP address (10.3.0.3) of VRRP group
2.
Name policy_sec
Action Permit
4. Click OK.
Step 5 Configure a NAT policy to allow intranet users to access the Internet.
Name 1
5. Click OK.
6. Click the Source NAT tab.
7. Click Add.
8. Configure NAT policy policy_nat and set the parameters as follows:
Name policy_nat
Action NAT
After NAT
Address pool 1
9. Click OK.
----End
Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating status
of hot standby.
- Normally, the Current Working Mode of NGFW_A is Active/Standby Backup and the
Current State is Active. The Current Working Mode of NGFW_B is Active/Standby
Backup and the Current State is Standby. This shows that traffic is forwarded by
NGFW_A.
- When NGFW_A goes faulty, the Current Working Mode of NGFW_A is Active/
Standby Backup and the Current State is Standby. The Current Working Mode of
NGFW_B is Active/Standby Backup and the Current State is Active. This shows that
traffic is forwarded by NGFW_B.
Configuration Script
NGFW_A:
#
hrp enable
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 10.2.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 active
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 1.1.1.2
#
nat address-group 1
 section 0 1.1.1.1 1.1.1.1
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  action permit
#
nat-policy
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  action nat address-group 1

NGFW_B:
#
hrp enable
hrp standby-device
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 10.2.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 standby
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 1.1.1.2
#
nat address-group 1
 section 0 1.1.1.1 1.1.1.1
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  action permit
#
nat-policy
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  action nat address-group 1
6.1.8.2 Load Balancing Networking in Which the Service Interfaces of Each NGFW
Work at Layer 3 and Are Directly Connected to Switches
This section provides an example of configuring hot standby in load balancing mode in which
the service interfaces work at Layer 3 and are upstream and downstream connected to switches.
Networking Requirements
As shown in Figure 6-33, service interfaces of the two NGFW devices work at Layer 3, having
upstream and downstream connections to Layer-2 switches.
Now the NGFW devices are supposed to work in load sharing mode. Normally, both
NGFW_A and NGFW_B forward traffic. If either NGFW fails, the other NGFW forwards all
traffic to ensure service continuity.
Figure 6-33 Load balancing networking in which the service interfaces work at Layer 3 and are
upstream and downstream connected to switches
Figure 6-33 NGFW_A GE1/0/1 1.1.1.1/24 and NGFW_B GE1/0/1 1.1.1.2/24 to the upstream switch;
NGFW_A GE1/0/3 10.3.0.1/24 and NGFW_B GE1/0/3 10.3.0.2/24 to the downstream switch and the
intranet; heartbeat link between GE1/0/7 10.10.0.1/24 and GE1/0/7 10.10.0.2/24; service path
and backup path
Procedure
Step 1 Configure interfaces and perform the basic network configurations.
1. Configure interfaces on NGFW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the following parameters:
Zone: untrust; IPv4 IP Address: 1.1.1.1/24
c. Click OK.
d. Repeat the preceding steps to set the following parameters for the GE1/0/3 interface.
Zone: trust; IPv4 IP Address: 10.3.0.1/24
e. Repeat the preceding steps to set the following parameters for the GE1/0/7 interface.
Zone: dmz; IPv4 IP Address: 10.10.0.1/24
2. Configure interfaces on NGFW_B.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the following parameters:
Zone: untrust; IPv4 IP Address: 1.1.1.2/24
c. Click OK.
d. Repeat the preceding steps to set the following parameters for the GE1/0/3 interface.
Zone: trust; IPv4 IP Address: 10.3.0.2/24
e. Repeat the preceding steps to set the following parameters for the GE1/0/7 interface.
Zone: dmz; IPv4 IP Address: 10.10.0.2/24
d. Click OK.
2. Configure dual-system hot standby on NGFW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Step 3 Configure default routes on the Intranet devices to set virtual IP address 10.3.0.3 of VRRP
backup group 3 as the next hop for certain devices and virtual IP address 10.3.0.4 of VRRP
backup group 4 as the next hop for the other devices.
Name policy_sec
Action Permit
4. Click OK.
5. Click New.
6. Set the following parameters to configure security policies:
Name policy_dmz
Action Permit
7. Click OK.
----End
Verification
Choose System > High Availability > Dual-System Hot Backup.
- Normally, Working Mode is Load Sharing for both NGFW_A and NGFW_B; Current
Status is Active for NGFW_A and Standby for NGFW_B. In this case, both NGFWs
forward traffic.
- If NGFW_A malfunctions, Working Mode is Active/Standby Backup for both
NGFW_A and NGFW_B; Current Status is Standby for NGFW_A and Active for
NGFW_B. In this case, only NGFW_B forwards traffic.
Configuration Script
NGFW_A:
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 1.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.3 active
 vrrp vrid 2 virtual-ip 1.1.1.4 standby
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 active
 vrrp vrid 4 virtual-ip 10.3.0.4 standby
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  action permit
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit

NGFW_B:
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 1.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.3 standby
 vrrp vrid 2 virtual-ip 1.1.1.4 active
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 standby
 vrrp vrid 4 virtual-ip 10.3.0.4 active
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  action permit
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit
Networking Requirements
On the network shown in Figure 6-34, the service interfaces of two NGFWs work at Layer 3
and are directly connected to routers. The NGFWs and directly connected routers run OSPF.
The NGFWs are expected to work in active/standby mode. Normally, traffic is forwarded by
NGFW_A. When NGFW_A goes faulty, NGFW_B takes over.
Figure 6-34 Active/standby networking in which the service interfaces of each NGFW work at
Layer 3 and are directly connected to routers
Figure 6-34 Routers running OSPF upstream and downstream; NGFW_A GE1/0/1 10.2.0.1/24 and
GE1/0/3 10.3.0.1/24; NGFW_B GE1/0/1 10.2.1.1/24 and GE1/0/3 10.3.1.1/24; heartbeat link
between GE1/0/7 10.10.0.1 and GE1/0/7 10.10.0.2; service links
Procedure
Step 1 Configure interfaces and basic network configurations.
1. Configure interfaces on NGFW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:
Zone: untrust; IPv4 IP Address: 10.2.0.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone: trust; IPv4 IP Address: 10.3.0.1/24
e. Repeat the preceding steps to set the parameters of GE1/0/7.
Zone: dmz; IPv4 IP Address: 10.10.0.1/24
2. Configure interfaces on NGFW_B.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:
Zone: untrust; IPv4 IP Address: 10.2.1.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone: trust; IPv4 IP Address: 10.3.1.1/24
e. Repeat the preceding steps to set the parameters of GE1/0/7.
Zone: dmz; IPv4 IP Address: 10.10.0.2/24
1. Configure OSPF on NGFW_A.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:
Type: OSPF v2; Process ID: 10
d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:
Area: 0.0.0.0; IP Network: 10.2.0.0; Mask/Wildcard Mask: 255.255.255.0
h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:
Area: 0.0.0.0; IP Network: 10.3.0.0; Mask/Wildcard Mask: 255.255.255.0
l. Click OK.
2. Configure OSPF on NGFW_B.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:
Type: OSPF v2; Process ID: 10
d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:
Area: 0.0.0.0; IP Network: 10.2.1.0; Mask/Wildcard Mask: 255.255.255.0
h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:
Area: 0.0.0.0; IP Network: 10.3.1.0; Mask/Wildcard Mask: 255.255.255.0
l. Click OK.
d. Click OK.
2. Configure hot standby on NGFW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Name policy_sec
Action Permit
4. Click OK.
----End
Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating status
of hot standby.
- Normally, the Current Working Mode of NGFW_A is Active/Standby Backup and the
Current State is Active. The Current Working Mode of NGFW_B is Active/Standby
Backup and the Current State is Standby. This shows that traffic is forwarded by
NGFW_A.
- When NGFW_A goes faulty, the Current Working Mode of NGFW_A is Active/
Standby Backup and the Current State is Standby. The Current Working Mode of
NGFW_B is Active/Standby Backup and the Current State is Active. This shows that
traffic is forwarded by NGFW_B.
Configuration Script
NGFW_A:
#
hrp enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 10.2.0.1 255.255.255.0
 hrp track active
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.1 255.255.255.0
 hrp track active
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.0.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
security-policy
 rule name policy_sec
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit

NGFW_B:
#
hrp enable
hrp standby-device
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 10.2.1.1 255.255.255.0
 hrp track standby
#
interface GigabitEthernet 1/0/3
 ip address 10.3.1.1 255.255.255.0
 hrp track standby
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.1.0 0.0.0.255
  network 10.3.1.0 0.0.0.255
#
security-policy
 rule name policy_sec
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit
Note that policy_sec in this example permits all traffic in both directions among the local, trust
and untrust zones. That is what lets the OSPF exchange between the NGFWs and the routers
pass, but it also permits untrust to trust. In production, restrict the rule to the OSPF traffic with
the directly connected routers and to the service traffic you intend to allow.
6.1.8.4 Load Balancing Networking in Which the Service Interfaces of Each NGFW
Work at Layer 3 and Are Directly Connected to Routers
This section provides an example of how to configure hot standby in the load balancing mode
in which the service interfaces of each NGFW work at Layer 3 and are directly connected to
routers.
Networking Requirements
On the network shown in Figure 6-35, the service interfaces of two NGFWs work at Layer 3
and are directly connected to routers. The NGFWs and directly connected routers run OSPF.
The NGFWs are expected to work in load balancing mode. Normally, both NGFW_A and
NGFW_B forward traffic. When one NGFW goes faulty, the other NGFW takes over all the
traffic load.
Figure 6-35 Load balancing networking in which the service interfaces of each NGFW work at
Layer 3 and are directly connected to routers
Figure content (labels recovered from the diagram): NGFW_A has GE1/0/1 10.2.0.1/24 (uplink, OSPF to the router), GE1/0/3 10.3.0.1/24 (downlink, OSPF to the router) and GE1/0/7 10.10.0.1 (heartbeat); NGFW_B has GE1/0/1 10.2.1.1/24, GE1/0/3 10.3.1.1/24 and GE1/0/7 10.10.0.2. Legend: service link, heartbeat link.
Procedure
Step 1 Configure interfaces and basic network configurations.
1. Configure interfaces on NGFW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:
Zone untrust
IPv4
IP Address 10.2.0.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone trust
IPv4
IP Address 10.3.0.1/24
Zone dmz
IPv4
IP Address 10.10.0.1/24
Zone untrust
IPv4
IP Address 10.2.1.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone trust
IPv4
IP Address 10.3.1.1/24
Zone dmz
IPv4
IP Address 10.10.0.2/24
Type OSPF v2
Process ID 10
d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:
Area 0.0.0.0
IP Network 10.2.0.0
Mask/Wildcard Mask 255.255.255.0
h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:
Area 0.0.0.0
IP Network 10.3.0.0
Mask/Wildcard Mask 255.255.255.0
l. Click OK.
2. Configure OSPF on NGFW_B.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:
Type OSPF v2
Process ID 10
d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:
Area 0.0.0.0
IP Network 10.2.1.0
Mask/Wildcard Mask 255.255.255.0
h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:
Area 0.0.0.0
IP Network 10.3.1.0
Mask/Wildcard Mask 255.255.255.0
l. Click OK.
d. Click OK.
2. Configure hot standby on NGFW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Name policy_sec
Action Permit
4. Click OK.
----End
Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating status
of hot standby.
• Normally, the Current Working Mode of NGFW_A is Load Balancing and the Current State is Active. The Current Working Mode of NGFW_B is Load Balancing and the Current State is Standby. This shows that traffic is forwarded by NGFW_A.
• When NGFW_A goes faulty, the Current Working Mode of NGFW_A is Active/Standby Backup and the Current State is Standby. The Current Working Mode of NGFW_B is Active/Standby Backup and the Current State is Active. This shows that traffic is forwarded by NGFW_B.
Configuration Script
NGFW_A:
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 10.2.0.1 255.255.255.0
 hrp track active
 hrp track standby
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.1 255.255.255.0
 hrp track active
 hrp track standby
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.0.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
security-policy
 rule name policy_sec
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit
NGFW_B:
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 10.2.1.1 255.255.255.0
 hrp track active
 hrp track standby
#
interface GigabitEthernet 1/0/3
 ip address 10.3.1.1 255.255.255.0
 hrp track active
 hrp track standby
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.1.0 0.0.0.255
  network 10.3.1.0 0.0.0.255
#
security-policy
 rule name policy_sec
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit
Networking Requirements
On the network shown in Figure 6-36, the service interfaces of two NGFWs work at Layer 3,
with routers as upstream devices and switches as downstream devices. The NGFWs and directly
connected routers run OSPF.
The NGFWs are expected to work in active/standby mode. Normally, traffic is forwarded by
NGFW_A. When NGFW_A goes faulty, NGFW_B takes over.
Figure 6-36 Active/standby networking in which the service interfaces of each NGFW work at
Layer 3 with routers as upstream devices and switches as downstream devices
Figure content (labels recovered from the diagram): NGFW_A has GE1/0/1 10.2.0.1/24 (uplink, OSPF to the router), GE1/0/3 10.3.0.1/24 (downlink to the switch) and GE1/0/7 10.10.0.1 (heartbeat); NGFW_B has GE1/0/1 10.2.1.1/24, GE1/0/3 10.3.0.2/24 and GE1/0/7 10.10.0.2. The GE1/0/3 interfaces form VRRP group 1 with virtual IP address 10.3.0.3/24, NGFW_A as Master and NGFW_B as Slave. Legend: service link, heartbeat link.
Procedure
Step 1 Configure interfaces and basic network configurations.
1. Configure interfaces on NGFW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:
Zone untrust
IPv4
IP Address 10.2.0.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone trust
IPv4
IP Address 10.3.0.1/24
Zone dmz
IPv4
IP Address 10.10.0.1/24
Zone untrust
IPv4
IP Address 10.2.1.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone trust
IPv4
IP Address 10.3.0.2/24
Zone dmz
IPv4
IP Address 10.10.0.2/24
Type OSPF v2
Process ID 10
d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:
Area 0.0.0.0
IP Network 10.2.0.0
Mask/Wildcard Mask 255.255.255.0
h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:
Area 0.0.0.0
IP Network 10.3.0.0
Mask/Wildcard Mask 255.255.255.0
l. Click OK.
2. Configure OSPF on NGFW_B.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:
Type OSPF v2
Process ID 10
d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:
Area 0.0.0.0
IP Network 10.2.1.0
Mask/Wildcard Mask 255.255.255.0
h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:
Area 0.0.0.0
IP Network 10.3.0.0
Mask/Wildcard Mask 255.255.255.0
l. Click OK.
d. Click OK.
2. Configure hot standby on NGFW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Step 4 Configure the default route whose next hop is the virtual IP address (10.3.0.3) of VRRP group
1.
Name policy_sec
Action Permit
4. Click OK.
----End
Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating status
of hot standby.
• Normally, the Current Working Mode of NGFW_A is Active/Standby Backup and the Current State is Active. The Current Working Mode of NGFW_B is Active/Standby Backup and the Current State is Standby. This shows that traffic is forwarded by NGFW_A.
• When NGFW_A goes faulty, the Current Working Mode of NGFW_A is Active/Standby Backup and the Current State is Standby. The Current Working Mode of NGFW_B is Active/Standby Backup and the Current State is Active. This shows that traffic is forwarded by NGFW_B.
Configuration Script
NGFW_A:
#
hrp enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/7
hrp preempt delay 60
#
interface GigabitEthernet 1/0/1
 ip address 10.2.0.1 255.255.255.0
 hrp track active
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.3 active
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.0.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
security-policy
 rule name policy_sec
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit
NGFW_B:
#
hrp enable
hrp standby-device
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/7
hrp preempt delay 60
#
interface GigabitEthernet 1/0/1
 ip address 10.2.1.1 255.255.255.0
 hrp track standby
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.3 standby
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.1.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
security-policy
 rule name policy_sec
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit
6.1.8.6 Load Balancing Networking in Which the Service Interfaces of Each NGFW
Work at Layer 3, with Routers as Upstream Devices and Switches as Downstream
Devices
This section provides an example of how to configure hot standby in load balancing mode in
which the service interfaces of each NGFW work at Layer 3, with routers as upstream devices
and switches as downstream devices.
Networking Requirements
On the network shown in Figure 6-37, the service interfaces of two NGFWs work at Layer 3,
with routers as upstream devices and switches as downstream devices. The NGFWs and directly
connected routers run OSPF.
The NGFWs are expected to work in load balancing mode. Normally, both NGFW_A and
NGFW_B forward traffic. When one NGFW goes faulty, the other NGFW takes over all the
traffic load.
Figure 6-37 Load balancing networking in which the service interfaces of each NGFW work at
Layer 3, with routers as upstream devices and switches as downstream devices
Figure content (labels recovered from the diagram): NGFW_A has GE1/0/1 10.2.0.1/24 (uplink, OSPF to the router), GE1/0/3 10.3.0.1/24 (downlink to the switch) and GE1/0/7 10.10.0.1 (heartbeat); NGFW_B has GE1/0/1 10.2.1.1/24, GE1/0/3 10.3.0.2/24 and GE1/0/7 10.10.0.2. The GE1/0/3 interfaces form VRRP group 1 (virtual IP address 10.3.0.3/24, NGFW_A Master, NGFW_B Slave) and VRRP group 2 (virtual IP address 10.3.0.4/24, NGFW_A Slave, NGFW_B Master). Legend: service link, heartbeat link.
Procedure
Step 1 Configure interfaces and basic network configurations.
1. Configure interfaces on NGFW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:
Zone untrust
IPv4
IP Address 10.2.0.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone trust
IPv4
IP Address 10.3.0.1/24
Zone dmz
IPv4
IP Address 10.10.0.1/24
Zone untrust
IPv4
IP Address 10.2.1.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone trust
IPv4
IP Address 10.3.0.2/24
Zone dmz
IPv4
IP Address 10.10.0.2/24
Type OSPF v2
Process ID 10
d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:
Area 0.0.0.0
IP Network 10.2.0.0
Mask/Wildcard Mask 255.255.255.0
h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:
Area 0.0.0.0
IP Network 10.3.0.0
Mask/Wildcard Mask 255.255.255.0
l. Click OK.
2. Configure OSPF on NGFW_B.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:
Type OSPF v2
Process ID 10
d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:
Area 0.0.0.0
IP Network 10.2.1.0
Mask/Wildcard Mask 255.255.255.0
h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:
Area 0.0.0.0
IP Network 10.3.0.0
Mask/Wildcard Mask 255.255.255.0
l. Click OK.
d. Click OK.
2. Configure hot standby on NGFW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Step 4 Configure the default routes on intranet devices. You can set the next hop of some devices to
the virtual IP address (10.3.0.3) of VRRP group 1 and that of other devices to the virtual IP
address (10.3.0.4) of VRRP group 2.
Name policy_sec
Action Permit
4. Click OK.
----End
Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating status
of hot standby.
• Normally, the Current Working Mode of NGFW_A is Load Balancing and the Current State is Active. The Current Working Mode of NGFW_B is Load Balancing and the Current State is Standby. This shows that traffic is forwarded by NGFW_A.
• When NGFW_A goes faulty, the Current Working Mode of NGFW_A is Active/Standby Backup and the Current State is Standby. The Current Working Mode of NGFW_B is Active/Standby Backup and the Current State is Active. This shows that traffic is forwarded by NGFW_B.
Configuration Script
NGFW_A:
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 10.2.0.1 255.255.255.0
 hrp track active
 hrp track standby
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.3 active
 vrrp vrid 2 virtual-ip 10.3.0.4 standby
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.0.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
security-policy
 rule name policy_sec
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit
NGFW_B:
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 10.2.1.1 255.255.255.0
 hrp track active
 hrp track standby
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.3 standby
 vrrp vrid 2 virtual-ip 10.3.0.4 active
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.1.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
security-policy
 rule name policy_sec
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit
6.1.8.7 Load Balancing Networking in Which the Service Interfaces of Each NGFW
Work at Layer 2 and Are Directly Connected to Routers
This section provides an example of how to configure hot standby in load balancing mode in
which the service interfaces of each NGFW work at Layer 2 and are directly connected to routers.
Networking Requirements
On the network shown in Figure 6-38, the service interfaces of two NGFWs work at Layer 2
and are directly connected to routers. The uplink and downlink service interfaces of each
NGFW are added to VLAN2.
The NGFWs and directly connected routers run OSPF. The NGFWs transparently transmit OSPF
packets and do not calculate routes.
The NGFWs are expected to work in load balancing mode. Normally, both NGFW_A and
NGFW_B forward traffic. When one NGFW goes faulty, the other NGFW takes over all the
traffic load.
Figure 6-38 Load balancing networking in which the service interfaces of each NGFW work at
Layer 2 and are directly connected to routers
Figure content (labels recovered from the diagram): OSPF runs between the upstream router and the downstream router across the NGFWs; the NGFW service interfaces belong to one VLAN. Legend: service link, heartbeat link, VLAN.
Procedure
Step 1 Configure interfaces and basic network configurations.
1. Configure interfaces on NGFW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:
Zone untrust
Mode Switch
Access VLAN ID 2
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone trust
Mode Switch
Access VLAN ID 2
Zone dmz
IPv4
IP Address 10.10.0.1/24
Zone untrust
Mode Switch
Access VLAN ID 2
c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.
Zone trust
Mode Switch
Access VLAN ID 2
Zone dmz
IPv4
IP Address 10.10.0.2/24
d. Click OK.
2. Configure hot standby on NGFW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:
d. Click OK.
Name policy_sec
Action Permit
4. Click OK.
----End
Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating status
of hot standby.
• Normally, the Current Working Mode of NGFW_A is Load Balancing and the Current State is Active. The Current Working Mode of NGFW_B is Load Balancing and the Current State is Standby. This shows that traffic is forwarded by NGFW_A.
• When NGFW_A goes faulty, the Current Working Mode of NGFW_A is Active/Standby Backup and the Current State is Standby. The Current Working Mode of NGFW_B is Active/Standby Backup and the Current State is Active. This shows that traffic is forwarded by NGFW_B.
Configuration Script
NGFW_A:
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface GigabitEthernet 1/0/7
#
vlan 2
 hrp track active
 hrp track standby
 GigabitEthernet1/0/1
 GigabitEthernet1/0/3
#
interface GigabitEthernet 1/0/1
 portswitch
 port link-type access
#
interface GigabitEthernet 1/0/3
 portswitch
 port link-type access
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
security-policy
 rule name policy_sec
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  action permit
NGFW_B:
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface GigabitEthernet 1/0/7
#
vlan 2
 hrp track active
 hrp track standby
 GigabitEthernet1/0/1
 GigabitEthernet1/0/3
#
interface GigabitEthernet 1/0/1
 portswitch
 port link-type access
#
interface GigabitEthernet 1/0/3
 portswitch
 port link-type access
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
security-policy
 rule name policy_sec
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  action permit
6.1.9 Troubleshooting
This section describes how to troubleshoot faults in hot standby.
Symptom
Two firewalls implement hot standby and work in load balancing mode. The intranet server
provides web services. Services are slow or unavailable to Internet users. The users on the
intranet can access web pages hosted on the intranet server.
Possible Causes
• The firewalls work in load balancing mode.
• The forward and return paths may be inconsistent when the firewalls work in load balancing mode, and quick session backup is disabled.
• The heartbeat link fails and some sessions are not synchronized.
Procedure
Step 1 Run the display hrp state command to check the HRP status of each firewall. The command
output shows that the status of each firewall is normal.
Step 2 Run the display firewall session table or display firewall ipv6 session table command to check
the session table on each firewall. The numbers of sessions on the two firewalls are widely
different.
Step 3 Check whether quick session backup is enabled on the firewalls. Quick session backup is enabled
on the firewalls.
Step 4 Check the heartbeat link configuration. The firewalls use an Eth-Trunk as the heartbeat interface.
Three member interfaces are specified on the active firewall, but only two (no
GigabitEthernet1/0/6) are specified on the standby firewall.
The firewalls use multiple member interfaces of the Eth-Trunk in turn to send synchronization
messages. When the active firewall uses GigabitEthernet1/0/6 to synchronize sessions,
GigabitEthernet1/0/6 on the standby firewall discards the synchronization messages after
receiving them, because GigabitEthernet1/0/6 is not a member interface of the Eth-Trunk on the
standby firewall. As a result, some sessions on the active firewall cannot be synchronized to the
standby firewall.
The forward and return paths of service packets may be inconsistent when the firewalls work in
load balancing mode. If some sessions are not synchronized to the standby firewall, return
packets of these sessions are discarded by the standby firewall because they do not match any
session.
Step 5 On the standby firewall, add GigabitEthernet1/0/6 to the Eth-Trunk. Then the fault is rectified.
----End
Symptom
During the hot standby configuration, a subinterface is configured on the active firewall and
added to the Trust zone. A subinterface is also configured on the standby firewall but is not
added to the Trust zone.
Possible Causes
• Automatic configuration synchronization is disabled.
• Firewall configurations are incorrect.
Procedure
Step 1 Check the hot standby configuration. The automatic configuration synchronization function is
enabled.
Step 2 View the logs on the active and standby firewalls to check the configuration steps performed by
the administrator.
1. On the active firewall, subinterface GigabitEthernet1/0/2.5 is created.
2. On the active firewall, GigabitEthernet1/0/2.5 is added to the Trust zone.
3. On the standby firewall, subinterface GigabitEthernet1/0/2.5 is created.
The firewall can automatically synchronize security zone configurations, but not interface
configurations. Based on the configuration steps performed by the administrator, no subinterface
exists on the standby firewall when subinterface GigabitEthernet1/0/2.5 is added to the Trust
zone on the active firewall. The standby firewall cannot add a subinterface that does not exist
to the zone. Therefore, configuration synchronization fails.
Step 3 Delete the subinterface from the Trust zone on the active firewall and then add it to the zone.
----End
Symptom
Two firewalls are deployed in hot standby networking. On the active firewall, the administrator
adds GigabitEthernet1/0/2 to the Trust zone, but the configuration is not synchronized to the
standby firewall.
Possible Causes
• Automatic synchronization is disabled.
• Firewall configurations are incorrect.
Procedure
Step 1 Check the hot standby configuration. The automatic synchronization function is enabled.
Step 2 Create a temporary ACL on the active firewall. The configuration can be synchronized to the
standby firewall, which indicates that the function of automatic synchronization is working
properly.
Step 3 Check the configurations of the standby firewall. GigabitEthernet1/0/2 is added to the DMZ.
Step 5 On the standby firewall, remove GigabitEthernet1/0/2 from DMZ and add it to the Trust zone.
----End
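The two preceding symptoms have the same root cause: zone membership differs between the two firewalls (a subinterface that exists only on the active firewall, or GigabitEthernet1/0/2 placed in Trust on one device and in DMZ on the other), so the automatically synchronized zone configuration cannot be applied on the standby. The following Python script is an added example, not code from this guide or from Huawei. It parses the interface, hrp and firewall zone blocks of two running configurations written in the style of the Configuration Script sections above, compares hrp roles and zone membership, and reports the differences a synchronization would trip over. The two configuration excerpts are constructed for the example and reproduce both symptoms; the subinterface names (.5, .6), addresses and zone priorities in them are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed running-config excerpts (not from a real device). They reproduce the
# two symptoms: GigabitEthernet1/0/2 is in trust on the active but in dmz on the
# standby, subinterface .5 exists on both but is in trust only on the active, and
# subinterface .6 exists only on the active.
ACTIVE_CFG = """\
#
hrp enable
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet1/0/2
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet1/0/2.5
 vlan-type dot1q 5
#
interface GigabitEthernet1/0/2.6
 vlan-type dot1q 6
#
interface GigabitEthernet1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/2
 add interface GigabitEthernet1/0/2.5
 add interface GigabitEthernet1/0/2.6
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
"""

STANDBY_CFG = """\
#
hrp enable
hrp standby-device
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet1/0/2
 ip address 10.3.0.2 255.255.255.0
#
interface GigabitEthernet1/0/2.5
 vlan-type dot1q 5
#
interface GigabitEthernet1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
 add interface GigabitEthernet1/0/2
#
"""


@dataclass
class DeviceConfig:
    hrp: List[str] = field(default_factory=list)           # hrp commands as written
    interfaces: Set[str] = field(default_factory=set)      # interface blocks that exist
    zone_of: Dict[str, str] = field(default_factory=dict)  # interface -> zone name


def norm(name: str) -> str:
    """'GigabitEthernet 1/0/7' and 'GigabitEthernet1/0/7' name the same interface."""
    return re.sub(r"\s+", "", name)


def parse_config(text: str) -> DeviceConfig:
    """Collect hrp lines, interface blocks and zone membership; '#' ends a block."""
    cfg = DeviceConfig()
    zone = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            zone = None
        elif line.startswith("hrp "):
            cfg.hrp.append(line)
        elif line.startswith("interface "):
            cfg.interfaces.add(norm(line[len("interface "):]))
        elif line.startswith("firewall zone "):
            zone = line.split()[2]
        elif line.startswith("add interface ") and zone:
            cfg.zone_of[norm(line[len("add interface "):])] = zone
    return cfg


def hrp_role(cfg: DeviceConfig) -> str:
    """Role implied by the hrp commands, as in the guide's scripts."""
    if "hrp loadbalance-device" in cfg.hrp:
        return "load-balancing"
    return "standby" if "hrp standby-device" in cfg.hrp else "active"


def compare(a: DeviceConfig, b: DeviceConfig) -> List[str]:
    """Return findings that would break zone synchronization; empty means consistent."""
    findings = []
    roles = (hrp_role(a), hrp_role(b))
    if roles not in {("active", "standby"), ("standby", "active"),
                     ("load-balancing", "load-balancing")}:
        findings.append(f"hrp roles {roles} do not form a valid pair")
    for ifname, zone in sorted(a.zone_of.items()):
        if ifname not in b.interfaces:
            findings.append(f"{ifname}: in zone {zone} on A, interface missing on B")
        elif ifname not in b.zone_of:
            findings.append(f"{ifname}: in zone {zone} on A, in no zone on B")
        elif b.zone_of[ifname] != zone:
            findings.append(f"{ifname}: zone {zone} on A, zone {b.zone_of[ifname]} on B")
    for ifname, zone in sorted(b.zone_of.items()):
        if ifname not in a.zone_of:
            findings.append(f"{ifname}: in zone {zone} on B, in no zone on A")
    return findings


if __name__ == "__main__":
    for finding in compare(parse_config(ACTIVE_CFG), parse_config(STANDBY_CFG)):
        print(finding)
```

Run against the two excerpts, the script reports the GigabitEthernet1/0/2 zone mismatch, the subinterface .5 that is in no zone on the standby, and the subinterface .6 that does not exist on the standby; the same check applied to the paired scripts in the 6.1.8 examples returns no findings. The check only reads the text of the running configuration, so it can be run on exported configurations without touching the devices.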
Symptom
In hot standby networking, the standby firewall switches to the active state and then the standby
state.
2012-09-09 17:56:17 sysname %%01VGMP/4/STATE(1): Virtual Router Management Group STANDBY : STANDBY -->ACTIVE
2012-09-09 17:56:17 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/1 , Virtual Router 1 : STANDBY changed to ACTIVE!
2012-09-09 17:56:17 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/2 , Virtual Router 1 : STANDBY changed to ACTIVE!
2012-09-09 17:56:17 sysname %%01VGMP/4/STATE(1): Virtual Router Management Group STANDBY : ACTIVE -->STANDBY
2012-09-09 17:56:17 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/1 , Virtual Router 1 : ACTIVE changed to STANDBY!
2012-09-09 17:56:17 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/2 , Virtual Router 1 : ACTIVE changed to STANDBY!
Possible Causes
• The VGMP group priority changes because of an interface or link fault.
• The active firewall is too busy to send heartbeat packets.
Procedure
Step 1 Check the firewall logs generated before the fault occurs.
When the fault occurs, no log is generated about interface status change. The firewall status
change is not caused by interface or link failures. The cause of the fault is that the standby firewall
does not receive any heartbeat packet from the active firewall within three heartbeat intervals.
Step 2 Check the firewall logs generated before the fault occurs.
When the fault occurs, a large number of attack logs exist on the standby firewall. The number
of logs during the period is far larger than that in other periods, which means that attack traffic
reaches the standby firewall when the fault occurs. The attacks exhaust the CPU of the standby
firewall. As a result, the standby firewall cannot receive any heartbeat packet during that period
of time.
NOTICE
Adjust the heartbeat interval on the standby firewall and then on the active firewall.
The default heartbeat interval is 1000 ms. Adjusting the heartbeat interval does not affect the
active/standby switchover speed when an interface or link fails.
----End
6.1.9.5 Service Interface of the Active Firewall Does Not Change Its Status Because the Standby Firewall Is Faulty
Symptom
After GigabitEthernet1/0/4 on the active firewall fails, traffic is not switched to the standby
firewall.
Alarm Information
The VRRP status of the active firewall has changed and GigabitEthernet1/0/4 has gone down.
2012-03-22 14:15:59 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/1 , Virtual Router 1 : STANDBY changed to INITIALIZE!
2012-03-22 14:15:59 sysname %%01IFNET/4/LINK_STATE(1): Line protocol on interface GigabitEthernet1/0/4 has turned into DOWN state.
Possible Causes
• The firewalls work in active state.
• After GigabitEthernet1/0/4 of the active firewall goes faulty, the VGMP group on the active firewall still has a higher priority than that on the standby firewall.
Procedure
Step 1 Check the firewall logs. The HRP status is normal when the fault occurs.
Step 2 Run the display hrp group command to check the priorities of the VGMP groups on the two
firewalls.
The priority value of the active VGMP group on the active firewall is 64999, which is normal.
The priority value of the standby VGMP group on the standby firewall is reduced by four to
64996, which indicates that two interfaces fail on the standby firewall. The active VGMP group
on the active firewall has a higher priority than the standby VGMP group on the standby firewall.
Therefore, the HRP status does not change.
Step 3 Run the display hrp state command to check the HRP status of the standby firewall.
Two subinterfaces on the standby firewall go down. The priority of the standby VGMP group
is reduced from 65000 to 64996.
----End
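The log excerpt in the previous symptom (the standby firewall's VGMP group going STANDBY -->ACTIVE and back within the same second) and the alarm information in this section (a VRRP transition to INITIALIZE together with an IFNET LINK_STATE DOWN event) share one record format, so a single parser serves both when reviewing logs for Step 1 of these procedures. The following Python example is added here and is not code from this guide or from Huawei. It parses the module, severity and mnemonic fields of each record, extracts the VGMP, VRRP and interface state transitions, and flags a VGMP group that reverses a state change within a configurable window, which is the flap pattern the previous symptom describes. The two sample logs are the guide's excerpts, embedded as constructed input; the flap window of 60 seconds is an assumption of the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Sample records in the format of the guide's log excerpts (constructed input,
# one record per line).
FLAP_LOG = """\
2012-09-09 17:56:17 sysname %%01VGMP/4/STATE(1): Virtual Router Management Group STANDBY : STANDBY -->ACTIVE
2012-09-09 17:56:17 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/1 , Virtual Router 1 : STANDBY changed to ACTIVE!
2012-09-09 17:56:17 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/2 , Virtual Router 1 : STANDBY changed to ACTIVE!
2012-09-09 17:56:17 sysname %%01VGMP/4/STATE(1): Virtual Router Management Group STANDBY : ACTIVE -->STANDBY
2012-09-09 17:56:17 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/1 , Virtual Router 1 : ACTIVE changed to STANDBY!
2012-09-09 17:56:17 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/2 , Virtual Router 1 : ACTIVE changed to STANDBY!
"""

ALARM_LOG = """\
2012-03-22 14:15:59 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/1 , Virtual Router 1 : STANDBY changed to INITIALIZE!
2012-03-22 14:15:59 sysname %%01IFNET/4/LINK_STATE(1): Line protocol on interface GigabitEthernet1/0/4 has turned into DOWN state.
"""

# Record header: timestamp, host name, %%01MODULE/severity/MNEMONIC(type): message
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%%01(?P<module>\w+)/(?P<sev>\d)/(?P<mnemonic>\w+)\(\w\): (?P<msg>.*)$"
)
VGMP_RE = re.compile(r"Virtual Router Management Group (?P<group>\w+) : (?P<old>\w+) -->(?P<new>\w+)")
VRRP_RE = re.compile(r"Interface: (?P<iface>\S+) , Virtual Router (?P<vrid>\d+) : (?P<old>\w+) changed to (?P<new>\w+)!")
LINK_RE = re.compile(r"on interface (?P<iface>\S+) has turned into (?P<state>\w+) state")


@dataclass
class LogEvent:
    ts: datetime
    module: str
    severity: int
    mnemonic: str
    subject: str          # VGMP group name, "interface/vridN", or physical interface
    old: Optional[str]    # previous state, None for link events
    new: str              # new state


def parse_log(text: str) -> List[LogEvent]:
    """Turn the VGMP, VRRP and IFNET records into events; other records are skipped."""
    events: List[LogEvent] = []
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if not h:
            continue
        ts = datetime.strptime(h["ts"], "%Y-%m-%d %H:%M:%S")
        module, sev, mnemonic, msg = h["module"], int(h["sev"]), h["mnemonic"], h["msg"]
        if module == "VGMP" and (m := VGMP_RE.search(msg)):
            events.append(LogEvent(ts, module, sev, mnemonic, m["group"], m["old"], m["new"]))
        elif module == "VRRP" and (m := VRRP_RE.search(msg)):
            subject = f"{m['iface']}/vrid{m['vrid']}"
            events.append(LogEvent(ts, module, sev, mnemonic, subject, m["old"], m["new"]))
        elif module == "IFNET" and (m := LINK_RE.search(msg)):
            events.append(LogEvent(ts, module, sev, mnemonic, m["iface"], None, m["state"]))
    return events


def detect_vgmp_flaps(events: List[LogEvent], window_seconds: int = 60) -> List[Tuple[str, datetime, str, str]]:
    """A flap is X-->Y followed by Y-->X on the same VGMP group within the window."""
    flaps = []
    last: Dict[str, LogEvent] = {}
    for ev in events:
        if ev.module != "VGMP":
            continue
        prev = last.get(ev.subject)
        if (prev is not None and prev.new == ev.old and ev.new == prev.old
                and (ev.ts - prev.ts).total_seconds() <= window_seconds):
            flaps.append((ev.subject, prev.ts, prev.old, prev.new))
        last[ev.subject] = ev
    return flaps


def interfaces_down(events: List[LogEvent]) -> Set[str]:
    """Physical interfaces whose line protocol went DOWN, to correlate with VRRP changes."""
    return {ev.subject for ev in events if ev.module == "IFNET" and ev.new == "DOWN"}


if __name__ == "__main__":
    for group, when, old, new in detect_vgmp_flaps(parse_log(FLAP_LOG)):
        print(f"VGMP group {group} flapped {old}->{new}->{old} starting {when}")
    print("interfaces down in alarm log:", sorted(interfaces_down(parse_log(ALARM_LOG))))
```

On the first excerpt the detector reports one flap of the STANDBY group; on the alarm excerpt it reports none but lists GigabitEthernet1/0/4 as down, which is the combination this section's Step 1 and Step 2 then explain through the VGMP priorities. A flap within a few seconds with no preceding interface event points at the heartbeat cause rather than a link fault.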
Symptom
On the network shown in Figure 6-39, two firewalls implement hot standby. The uplink
interfaces of the firewalls are added to VRRP group 1, and the downlink interfaces of the
firewalls are added to VRRP group 2.
Figure 6-39 Network on which the active/standby switchover occurs when a VRRP group is
added
Figure content (labels recovered from the diagram): two upstream switches, VRRP 1 on the uplink interfaces, Firewall A and Firewall B, VRRP 2 on the downlink interfaces, two downstream switches.
Firewall A works in active state and all VRRP groups are added to the active VGMP group.
Firewall B works in standby state and all VRRP groups are added to the standby VGMP group.
After VRRP group 3 is configured on GigabitEthernet1/0/3 of firewall A, an active/standby
switchover occurs.
Possible Causes
After an interface in Down state of the active firewall is added to a VRRP group, the priority of
the VGMP group on the active firewall is lower than that on the standby firewall. As a result,
the HRP status changes.
Procedure
Step 1 Run the display hrp group command to check the priority of each VGMP group. The priority
of the active VGMP group is 64999, and that of the standby VGMP group is 65000.
By default, the priority value of the active VGMP group is 65001, and that of the standby VGMP
group is 65000. The priority is reduced by 2 when an interface is down.
Step 2 Check the status of GigabitEthernet1/0/3. The interface is down.
After you configure VRRP group 3 on GigabitEthernet1/0/3 of firewall A, the priority of the
VGMP group on the active firewall changes from 65001 to 64999, which is smaller than that
(65000) of the VGMP group on the standby firewall. As a result, the HRP status changes.
Step 3 Troubleshoot the interface to bring it up.
----End
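Sections 6.1.9.5 and this one both come down to the VGMP priority arithmetic the guide states: the active group starts at 65001, the standby group at 65000, every monitored interface that is down subtracts 2, and the HRP status changes only when the active firewall's priority drops below the standby's. The following Python model is an added example, not code from this guide or from Huawei; it reproduces both cases with the guide's numbers so that a proposed change (adding an interface to a VRRP group, or a tracked interface failing) can be checked before it is made. The interface names used for the standby firewall's two failed subinterfaces in 6.1.9.5 are assumptions, since the guide does not name them.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ACTIVE_BASE = 65001        # default priority of the active VGMP group (from the guide)
STANDBY_BASE = 65000       # default priority of the standby VGMP group (from the guide)
PENALTY_PER_DOWN_IF = 2    # priority reduction per monitored interface that is down


@dataclass
class Firewall:
    name: str
    role: str                                  # "active" or "standby" as configured
    monitored: Dict[str, bool] = field(default_factory=dict)  # interface -> is_up

    def vgmp_priority(self) -> int:
        """Priority the VGMP group reports once each down monitored interface is charged."""
        base = ACTIVE_BASE if self.role == "active" else STANDBY_BASE
        down = sum(1 for up in self.monitored.values() if not up)
        return base - PENALTY_PER_DOWN_IF * down


def switchover_expected(active: Firewall, standby: Firewall) -> bool:
    """HRP status changes only when the active group's priority falls below the standby's."""
    return active.vgmp_priority() < standby.vgmp_priority()


def walk_through(active: Firewall, standby: Firewall,
                 events: List[Tuple[str, str, bool]]) -> List[Tuple[str, str, bool, int, int, bool]]:
    """Apply (device, interface, is_up) events in order; record both priorities and the
    switchover verdict after each one. Adding a down interface to a VRRP group or to hrp
    track is modeled as the event (device, interface, False)."""
    devices = {active.name: active, standby.name: standby}
    trace = []
    for dev, iface, up in events:
        devices[dev].monitored[iface] = up
        trace.append((dev, iface, up, active.vgmp_priority(), standby.vgmp_priority(),
                      switchover_expected(active, standby)))
    return trace


def case_6_1_9_5() -> Tuple[int, int, bool]:
    """Standby already has two subinterfaces down (names assumed), then GE1/0/4 on the
    active fails: 64999 is still above 64996, so no switchover."""
    a = Firewall("A", "active", {"GigabitEthernet1/0/4": True})
    b = Firewall("B", "standby", {"GigabitEthernet1/0/2.1": False, "GigabitEthernet1/0/2.2": False})
    trace = walk_through(a, b, [("A", "GigabitEthernet1/0/4", False)])
    return trace[-1][3], trace[-1][4], trace[-1][5]


def case_vrrp_group_added_on_down_interface() -> Tuple[int, int, bool]:
    """GE1/0/3 on firewall A is down and not yet monitored; configuring VRRP group 3 on it
    makes it count, 65001 becomes 64999 and drops below the standby's 65000."""
    a = Firewall("A", "active")
    b = Firewall("B", "standby")
    trace = walk_through(a, b, [("A", "GigabitEthernet1/0/3", False)])
    return trace[-1][3], trace[-1][4], trace[-1][5]


if __name__ == "__main__":
    print("6.1.9.5  (active, standby, switchover):", case_6_1_9_5())
    print("VRRP 3 on down interface (active, standby, switchover):",
          case_vrrp_group_added_on_down_interface())
```

The model also makes the guide's closing advice concrete: because the same arithmetic runs on whichever device is changed, adding a VRRP group to a down interface on the standby would lower the standby's priority instead and leave the active firewall in place, which is why the guide says to perform such operations on the active firewall first.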
firewall also triggers an active/standby switchover. Therefore, perform these operations on the
active firewall first.
Symptom
As shown in Figure 6-40, two firewalls are connected to upstream routers and downstream
switches.
• VRRP is enabled on the firewalls.
• The switches run different services. OSPF is enabled on the routers and the subinterfaces of the firewalls.
• Hot standby is enabled on the two firewalls and the firewalls work in active/standby mode. When the firewalls are normal, firewall A handles service traffic.
When the firewalls are normal, firewall A handles service traffic.
When the link fails between firewall A and router A, the HRP status does not change, resulting
in a service interruption.
Figure 6-40 Network on which an active/standby switchover fails because of incorrect HRP
track configuration
Figure content (labels recovered from the diagram): private network; Router A and Router B; OSPF1 and OSPF2; Firewall A and Firewall B; Switch A and Switch B.
Possible Causes
The HRP track configurations on the two firewalls are incorrect.
Procedure
Step 1 Check the hot standby configurations on the two firewalls. HRP track is configured on the
interfaces connected to routers, but not on the subinterfaces.
Step 2 Configure HRP track on the subinterfaces connected to routers. The HRP status changes and
services are restored.
Possible causes are as follows:
• OSPF runs on the subinterfaces of the two firewalls and routers. The IP addresses of the firewall interfaces are not specified, the link state of the interface is up, the protocol state of the interface is down, and HRP track is configured on the interfaces on both firewalls. In this case, the priority of the VGMP group on both firewalls is reduced by 2. Therefore, the HRP status does not change.
• If HRP track is configured on the subinterfaces on the firewalls, and the link between firewall A and router A fails, all subinterfaces become down. In this case, the priority of the VGMP group is reduced by 2 when any subinterface becomes down. The VGMP group on firewall A has a lower priority than firewall B. Therefore, the HRP status changes.
----End
Symptom
On the network shown in Figure 6-41, two firewalls and two switches are connected in a ring
topology. Hot standby is enabled on the firewalls.
Figure 6-41 content (labels recovered from the diagram): Firewall A and Firewall B, Switch A and Switch B, connected in a ring.
Possible Causes
• The switch fails.
• The preemption delay is too short.
Procedure
Step 1 Set up a test environment and check the ARP table on the switch when firewall A preempts to
be the active device.
After the preemption, firewall A sends gratuitous ARP packets to refresh the ARP table and MAC address table on the switch. During the seven to eight seconds before the ARP table is refreshed, the switch continues to forward packets to firewall B, causing a service interruption.
Firewall A broadcasts five packets: one gratuitous ARP packet for the interface IP address and four gratuitous ARP packets for the virtual IP address of the VRRP group.
Switch A receives only the last gratuitous ARP packet for the virtual IP address of the VRRP group, not the other four.
The debugging information on the switch shows that services recover immediately once the switch receives a gratuitous ARP packet. However, switch A cannot receive ARP packets immediately after its interface comes up, so the packets sent during that window are lost.
Step 4 Change the preemption delay of the firewall to the default value (60 seconds). Services run
smoothly after firewall A preempts to be the active device and no interruption occurs.
----End
The preemption delay of the firewall must be longer than the time the firewall interfaces (and the connected switch ports) take to recover. The default preemption delay is recommended.
Symptom
Two firewalls are deployed in hot standby networking. A large number of ping packets are lost
when the virtual IP address of the VRRP group is pinged from the downstream switch.
Possible Causes
l The link is faulty.
l VRIDs conflict.
Procedure
Step 1 Ping the IP address of the firewall interface from the downstream switch. If no packet is lost,
the link is normal.
Step 2 Check the firewall active/standby status. The active/standby status is correct.
Step 3 Check the ARP table on the switch. The virtual MAC address of one VRRP group is mapped to
two IP addresses.
Step 5 Check the VRRP configurations on the network. Another device connected to the same switch as the firewall uses the same VRID as the firewall, so both advertise the same virtual MAC address and the MAC address entry on the switch is incorrect.
----End
Symptom
As shown in Figure 6-42, the two firewalls are deployed in hot standby mode, and the two
firewalls and two switches are connected in a ring topology. Firewall A is the active firewall,
and firewall B is the standby firewall.
(Figure 6-42: firewall A, firewall B, and the server.)
The active/standby switchover is performed rapidly between the two firewalls when firewall A
is disconnected from the Internet or intranet. However, the NAT traffic is interrupted.
Possible Causes
The active/standby switchover is performed, but the NAT traffic is interrupted. This indicates
that a fault occurs in traffic forwarding. The configurations of firewall B may be incorrect, or
the MAC address table on the switches is not refreshed.
Procedure
Step 1 Check the configurations of firewall B. The configurations are correct.
Step 2 Disconnect the cable from the WAN interface of firewall A. Check the session statistics on both
firewalls.
Sessions are still set up on firewall A, and their number increases continuously, while the number of sessions on firewall B remains unchanged. The cause may be that the MAC address table on the switch is not refreshed after the active/standby switchover.
Step 3 Connect a PC to the switch. Ping the virtual IP address of the downstream VRRP group from
the PC. Continue to check the session statistics on both firewalls.
Sessions are set up on firewall B, and the number of sessions continuously increases on firewall
B, but the number of sessions remains unchanged on firewall A. This indicates that the MAC
address table on the switch is correct.
Step 4 Reconnect the cable to the WAN interface of firewall A. Wait for firewall A to preempt the active state.
Step 5 On firewall A, add an interface in down state to the VRRP group to trigger the active/standby
switchover. Then check the session statistics.
Sessions are set up on firewall A, their number increases continuously, and statistics on return traffic are displayed. This indicates that the NAT traffic resumes. In conclusion, the packets destined for the Internet are forwarded to firewall A regardless of the active/standby switchover, which means the server is not sending them to the VRRP virtual IP address.
Step 6 Display the routing table on the server. The next hop of the default route is the physical IP address of the inside interface of firewall A rather than the virtual IP address of the VRRP group.
Step 7 Modify the route configuration on the server. The fault is rectified.
----End
6.1.9.11 Services Are Interrupted After the Upstream Switch Restarts Because the
Preemption Delay Is Too Short
Symptom
Figure 6-43 shows the networking diagram. Firewall A is the active firewall, and the preemption
function is enabled on this firewall. Services are interrupted after switch C unexpectedly restarts.
Possible Causes
l The active/standby switchover fails.
l Some sessions are not synchronized.
l Switch C has not finished restarting when the preemption delay expires, because the preemption delay is too short.
Procedure
Step 1 Check the logs on the firewalls and switches.
After switch C fails, the active/standby switchover is performed. Firewall B and switch D take
over services. However, the service interface of switch C goes up and down repeatedly when
switch C restarts. When the interface on switch C becomes up, firewall A determines that the
link recovers and starts to preempt. As a result, services are interrupted.
Step 2 Change the preemption delay of the active firewall to 240 seconds.
HRP_A<sysnameA> system-view
HRP_A[sysnameA] hrp preempt delay 240
----End
6.1.10 Reference
This section provides reference information about hot standby.
The NGFW backs up the following configuration commands and status information. In most cases, display, reset, and debugging commands cannot be backed up.
l Policy
– Security policy
– NAT policy
– Bandwidth management
– Authentication policy
– Attack defense
– Blacklist
– ASPF configuration
l Object
– Address
– Service
– Application
– User
NOTE
User-related configuration commands can be backed up. User, user group, and security group
information cannot be backed up.
– Authentication server
– Time range
– URL category
– Keyword group
– Email address group
– Signature
– Security configuration file
– Antivirus
– Intrusion prevention
– URL filtering
– File filtering
– Content filtering
– Application behavior control
– Mail filtering
l Network
– New logical interface
– Interface configuration
– VLAN configuration
Why Are Services Interrupted After the Original Active Firewall Preempts?
Services are normal after the active/standby switchover but are interrupted after the original active firewall preempts. The cause is usually that the network has not yet converged or that sessions have not been completely backed up. In addition, if a switch fails, its interfaces may go up and down repeatedly while it restarts; if the firewall preempts during this period, services may be interrupted.
In this case, increase the preemption delay of the original active firewall.
Why Does the Original Active Firewall Not Preempt After Recovery?
Possible causes are as follows:
l The preemption function is disabled.
l The preemption conditions are not met. The original active firewall does not immediately
preempt after recovery. Instead, it waits for a delay before the preemption. The preemption
delay is set to avoid unstable active/standby switchover.
Why Are the Same Configuration Items Arranged in Different Orders in the Configuration Files on the Active and Standby Firewalls?
This usually results from inconsistent initial configurations on the two firewalls. Delete the configuration items whose order differs and reconfigure them.
You are advised to configure hot standby starting from the default settings on both firewalls.
Why Are the Session Tables on the Active and Standby Firewalls Different?
Check the status of the heartbeat link. If the heartbeat link fails, the sessions on the active firewall
cannot be synchronized to the standby firewall.
If the automatic session backup function is disabled, the sessions on the two firewalls differ. Even when automatic session backup is enabled, sessions are not synchronized in real time: a session is synchronized to the standby firewall only when the session aging thread detects that it needs to be backed up. Therefore, established sessions appear on the standby firewall after a delay of about 10 seconds.
The firewalls do not back up sessions of the following types when the automatic session backup
function is enabled:
l Sessions to the firewall
l Half-open TCP connections
l Sessions in which the first packets are UDP packets and subsequent packets are not (such
as the BitTorrent packets)
What Are the Differences Between Automatic Session Backup and Quick Session
Backup? Why Is Quick Session Backup Required in Case of Inconsistent Forward
and Return Paths?
The differences between quick session backup and automatic session backup are as follows:
l In quick session backup, sessions are synchronized to the standby firewall immediately
after being set up. In automatic session backup, only sessions that require backup and are
detected by the session aging thread are synchronized to the standby firewall.
l The quick session backup function can back up half-open TCP sessions and sessions to the
firewall.
If the forward and return paths are different, enable quick session backup to ensure that the
sessions on the two firewalls are the same.
Why Are TCP Services Interrupted When Quick Session Backup Is Enabled and the Forward and Return Paths Are Inconsistent?
When the forward and return paths are inconsistent, synchronization may fail or be delayed during traffic bursts, resulting in service delay or interruption. For example, one firewall forwards the TCP SYN packets and the other forwards the TCP ACK packets. If the session table has not yet been synchronized, the ACK packets may be discarded.
If this has a serious impact on services, disable stateful inspection on the firewall. Note that doing so removes the TCP state check for the affected flows, so treat it as a trade-off between availability and protection rather than a default setting.
Why Are the Sessions of the Current Active Firewall Marked with Remote After
Active/Standby Switchover?
The sessions marked with remote are synchronized from the original active firewall. After
active/standby switchover, the synchronized sessions are still marked with remote until the
sessions age out.
To manually run these commands on the standby firewall, run the undo hrp auto-sync config
command to disable the automatic synchronization function.
Why Are Commands Executed on the Active Firewall Not Synchronized to the Standby Firewall?
If you disable the automatic configuration synchronization function, the configurations are not
synchronized. Besides, not all commands can be synchronized. For example, interface and
routing configurations cannot be synchronized.
For commands that can be synchronized, see 6.1.10.1 Commands and Status Information
That Can Be Synchronized.
Why Does the Log Server Receive NAT Session Logs from Both the Active and
Standby Firewalls?
Log configuration on the active firewall is automatically synchronized to the standby firewall.
If the log configuration is synchronized to the standby firewall, the standby firewall sends logs
to the log server.
You can perform the following steps to remove the log configuration from the standby firewall:
1. Run the undo hrp auto-sync config command to disable the automatic configuration
synchronization function.
2. Remove the log server configuration on the standby firewall.
3. Run the hrp auto-sync config command to enable the automatic configuration
synchronization. This ensures that subsequent configurations can be automatically
synchronized to the standby firewall.
Why Does the Ping to the Virtual IP Address of the VRRP Group Fail?
Possible causes are as follows:
l VRIDs conflict.
l Pinging virtual IP addresses is disabled. Huawei firewalls allow pinging virtual IP addresses by default; if this has been disabled, run the vrrp virtual-ip ping enable command.
Why Does the Original Designated Active Firewall Become the Designated
Standby Firewall After Recovery?
To become the designated active firewall, the firewall must meet the following conditions:
l Only the firewall whose VRRP management group is in active state has the chance to
become the designated active device. (In active/standby mode, the active firewall is the
designated active firewall.)
l In load balancing mode, the designated active firewall is selected based on the priorities of
the VRRP management groups and IP addresses of heartbeat interfaces.
The designated active and standby firewalls do not switch statuses unless a fault occurs on the
designated active firewall or the designated active firewall leaves the VRRP group. This
mechanism ensures the stability of the designated active firewall.
Therefore, in load balancing mode, the original designated standby firewall becomes the
designated active firewall after the original designated active firewall fails. After the original
designated active firewall recovers, the original active VGMP group on this firewall preempts
to be the active VGMP group, but the original designated active firewall does not preempt.
Must I Set a Physical IP Address for the Uplink or Downlink Interface After I Set
the Virtual IP Address of the VRRP Group on the Interface?
Yes. You must set a physical IP address for the interface before you set the virtual IP address
of the VRRP group on the interface. The physical IP address and the virtual address of the VRRP
group can reside on the same network segment or different network segments.
Why Does the Active Firewall Require a Longer Preemption Delay Than the Standby Firewall?
Preemption starts after the original active firewall recovers. If its preemption delay is too short, the active firewall may switch status before the session entries on the standby firewall have been completely synchronized back to it, and some services may be interrupted. Therefore, the active firewall requires a longer preemption delay.
Preemption does not start after the standby firewall recovers, so the preemption delay is irrelevant for the standby firewall and the default value can be used.
Does a Long Preemption Delay for the Active Firewall Affect the Failure Response Speed?
No. When the active firewall fails, services are immediately switched to the standby firewall. After the original active firewall recovers, it must wait for the preemption delay before preempting. During that time the standby firewall continues to carry the services, so a long preemption delay on the active firewall does not affect the failure response speed.
How Does the Adjustment to the VGMP Hello Interval Affect the Network?
VGMP Hello packets are known as heartbeat packets and are used to check the operating status
of the active and standby firewalls. If the standby VGMP group does not receive any VGMP
Hello packet from the peer within three consecutive Hello intervals, the standby VGMP group
considers that the peer fails and switches to the active state. Therefore, a short VGMP Hello
interval enhances the failure response speed of the firewall.
However, if the interval is too short, the hot standby status may become unstable. When the CPU
is overloaded, the task of sending VGMP Hello packets cannot be scheduled, resulting in a false
switchover. Therefore, the default value, 1 second, is recommended.
What Should I Pay Attention to When Configuring IPSec VPN in Hot Standby
Networking?
l The service interfaces (including VLANIFs) connecting the firewall to upstream and
downstream devices must work at Layer 3.
l Before configuring IPSec VPN, you must establish the hot standby status. The IPSec policy
configured on the active firewall will be automatically synchronized to the standby one.
On the standby firewall, you only need to apply the synchronized IPSec policy to the
outgoing interface.
l If the firewall serves as the initiator of the IPSec tunnel, you must run the local-address
ip-address command to specify the virtual IP address of the VRRP group as the IP address
for IPSec negotiation.
l Configure DPD to delete the tunnel that has been established on the original active firewall
after an active/standby switchover to prevent packet loss.
If the heartbeat interfaces are connected through intermediate devices, specify remote with the IP address of the peer heartbeat interface when you configure a heartbeat interface.
If you do not set remote, the NGFW encapsulates heartbeat packets in VRRP packets. VRRP packets are multicast, and some switches and routers send received VRRP packets to their CPUs for processing. The heartbeat volume grows with the services carried by the NGFW, so CPU usage on those switches and routers rises; at the same time they must process other multicast protocol packets, such as OSPF packets, and services degrade. Under this load, heartbeat packets from the NGFW may be discarded and the hot standby status of the NGFW becomes unstable.
After you set remote, the NGFW encapsulates heartbeat packets in unicast UDP packets. The switches and routers forward these without sending them to their CPUs, so device performance and services are not affected.
Is a Security Policy Required to Permit Packets Between the Local Zone and the Zone Where the Heartbeat Interface Resides?
l If you do not configure remote on the heartbeat interface, the heartbeat packets are encapsulated in VRRP packets, and the NGFW processes the backup packets without any security policy.
l If you configure remote on the heartbeat interface, the heartbeat packets are encapsulated in UDP packets, and a security policy must be configured for the interzone between the Local zone and the security zone where the heartbeat interface resides so that the NGFW can send and receive the heartbeat packets.
What Determines the Active and Standby Status of Firewalls in Load Balancing
Mode?
In load balancing mode, the firewall on which hot standby is enabled first is the designated active
firewall.
To ensure that configurations are correctly synchronized, the concepts of designated active device and designated standby device are introduced. The firewall that sends synchronization messages is called the designated active device (marked HRP_A in the command prompt), and the one that receives synchronization messages is called the designated standby device (marked HRP_S in the command prompt).
Commands that can be automatically synchronized can be executed only on the designated active
device.
In the ARP reply, the source MAC address in the Ethernet header is the virtual MAC address of the VRRP group. Upstream and downstream Layer-3 devices learn the mapping from the virtual IP address to the virtual MAC address through this ARP reply.
Upstream and downstream devices use the virtual MAC address as the destination MAC address when sending packets to the firewall.
hrp sync immediately synchronizes the existing configurations and status entries from the active
firewall to the standby firewall. The command takes effect immediately and does not affect
subsequent configurations and status entries.
Can the Virtual IP Address of a VRRP Group Be Added to the NAT Address Pool?
Yes. If the virtual IP address of the VRRP group is the only public IP address for the intranet,
you can add the virtual IP address to the NAT address pool.
If you use a subinterface as a service interface, you must add the subinterface, not the physical
interface, to the VRRP group or VGMP group.
Can the Virtual MAC Address Be Used as the Source MAC Address of Packets?
Yes. By default, the firewall uses the physical MAC address to encapsulate Layer-3 service
packets. To use the virtual MAC address, run the vrrp virtual-mac enable command in the
interface view.
By default, the firewall uses the physical MAC address to encapsulate service packets. On hot
standby networks, Layer-4 switches establish a connection status table to record the source MAC
address (that is, the MAC address of the service interface on the active firewall) in the packets
forwarded by the firewall. Layer-4 switches forward packets based on the connection status
table. During active/standby switchover, Layer-4 switches do not automatically refresh MAC
addresses in the connection status table. Therefore, packets are sent to the original active firewall
if the physical MAC address is used. As a result, services are interrupted.
If the virtual MAC address is used, the connection status tables on Layer-4 switches record the
virtual MAC address. After active/standby switchover, Layer-4 switches can forward service
packets to the new active firewall.
Corresponding to the virtual IP address, the virtual MAC address is automatically generated
based on the VRID in either of the following formats:
l IPv4: 00-00-5E-00-01-{VRID}
l IPv6: 00-00-5E-00-02-{VRID}
On a service interface of the firewall, you can run the following command to use the virtual
MAC address to encapsulate service packets.
<sysname> system-view
[sysname] interface GigabitEthernet 1/0/1
[sysname-GigabitEthernet1/0/1] vrrp virtual-mac enable
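The following added example (not Huawei code) ties together the virtual MAC format just described, the gratuitous ARP that the active firewall sends for the virtual IP address after preemption, and the VRID-conflict symptom from the troubleshooting case earlier in this section (one virtual MAC mapped to two IP addresses in the switch ARP table). It derives the virtual MAC from the VRID exactly as the page gives it (00-00-5E-00-01-{VRID} for IPv4, 00-00-5E-00-02-{VRID} for IPv6), builds the Ethernet/ARP frame, and scans an ARP table dump for VRIDs that resolve to more than one IP. The ARP table text is constructed for the example and its column layout is an assumption, not the format of any particular switch.

```python
"""Virtual MAC, gratuitous ARP and VRID-conflict checks for a hot standby pair.

Added example, not Huawei code. The virtual MAC layout follows the page:
00-00-5E-00-01-{VRID} (IPv4) and 00-00-5E-00-02-{VRID} (IPv6). The ARP table
sample below is constructed; its column layout is an assumption.
"""
import re
import struct
from collections import defaultdict
from ipaddress import IPv4Address

VRRP_MAC_PREFIX = bytes.fromhex("00005e00")   # 00-00-5E-00, then 01/02, then VRID


def vrrp_virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """Return the VRRP virtual MAC for a VRID as colon-separated lowercase hex."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    raw = VRRP_MAC_PREFIX + bytes([0x02 if ipv6 else 0x01, vrid])
    return ":".join(f"{b:02x}" for b in raw)


def normalise_mac(mac: str) -> str:
    """Accept 00:00:5e:00:01:01, 00-00-5E-00-01-01 or 0000-5e00-0101."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(digits[i:i + 2].lower() for i in range(0, 12, 2))


def vrid_from_mac(mac: str):
    """Return (vrid, is_ipv6) if the MAC is a VRRP virtual MAC, else None."""
    raw = bytes.fromhex(normalise_mac(mac).replace(":", ""))
    if raw[:4] != VRRP_MAC_PREFIX or raw[4] not in (0x01, 0x02):
        return None
    return raw[5], raw[4] == 0x02


def gratuitous_arp(virtual_ip: str, vrid: int) -> bytes:
    """Ethernet/ARP frame announcing virtual_ip from the group's virtual MAC.

    Gratuitous ARP: an ARP reply (opcode 2) to the broadcast MAC whose sender
    and target IP are both the virtual IP, so every device on the segment
    relearns which port the virtual MAC now lives behind.
    """
    vmac = bytes.fromhex(vrrp_virtual_mac(vrid).replace(":", ""))
    ip = IPv4Address(virtual_ip).packed
    eth = b"\xff" * 6 + vmac + struct.pack("!H", 0x0806)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # Ethernet, IPv4, reply
           + vmac + ip + b"\xff" * 6 + ip)
    return eth + arp


ARP_LINE = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F:\-]+)\s")


def find_vrid_conflicts(arp_table: str) -> dict:
    """Map VRID -> sorted IPs sharing its IPv4 virtual MAC, keeping only VRIDs
    that resolve to more than one IP: the symptom of a VRID conflict."""
    seen = defaultdict(set)
    for line in arp_table.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        ip, mac = m.groups()
        try:
            hit = vrid_from_mac(mac)
        except ValueError:
            continue
        if hit and not hit[1]:
            seen[hit[0]].add(ip)
    return {vrid: sorted(ips) for vrid, ips in seen.items() if len(ips) > 1}


# Constructed ARP table: VRID 1 is used by the firewall pair (10.1.1.1) and
# by an unrelated device on the same VLAN (10.1.1.254); VRID 2 is clean.
SAMPLE_ARP_TABLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE   INTERFACE
10.1.1.1        0000-5e00-0101  20        D-0    GE0/0/1
10.1.1.254      0000-5e00-0101  20        D-0    GE0/0/7
10.1.1.11       00e0-fc12-3456  20        D-0    GE0/0/1
10.1.2.1        0000-5e00-0102  20        D-0    GE0/0/2
"""

if __name__ == "__main__":
    print(vrrp_virtual_mac(1), vrrp_virtual_mac(1, ipv6=True))
    print(find_vrid_conflicts(SAMPLE_ARP_TABLE))
    print(gratuitous_arp("10.1.1.1", 1).hex())
```

On the constructed table the check reports VRID 1 with two IP addresses, which is exactly what Step 3 of the VRID-conflict case observed; the remaining entries are either a different VRID or an ordinary unicast MAC. The frame builder is also a convenient reference when reading a capture taken during preemption: the source MAC of the announcement for the virtual IP is the virtual MAC, not the interface MAC.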
If other services require a license, ensure that licenses with the same specifications are activated
on both the active and standby firewalls. Otherwise, services may be interrupted.
6.2 Bypass
An electrical bypass function can be enabled to avoid network communication interruption
caused by an NE failure and improve network reliability. The bypass function requires an
installed bypass interface card.
6.2.1 Overview
This section describes the background and basic principles of bypass.
If an NGFW is deployed in in-line mode and stops functioning, all traffic through it stops and network services are interrupted. Depending on the network, the resulting loss can be severe.
To minimize the impact of this failure and improve network reliability, a bypass interface card
can be installed on the NGFW. When the NGFW is powered off or faulty, the bypass interface
card directly connects to the upstream and downstream devices. In this way, the traffic directly
passes through the NGFW without detection or blocking, and the services are not interrupted.
After the NGFW recovers, the traffic is taken over by the NGFW for processing and forwarding,
and the traffic security is restored.
The NGFW supports the electrical bypass interface card: E4BY interface card, that is, 4-port 2-
link 10/100/1000M adaptive electrical bypass interface card.
On an E4BY interface card, GE0 and GE1, and GE2 and GE3, form two pairs of bypass interfaces. When bypass interfaces work at Layer 2, they provide the electrical bypass function. When the NGFW is powered off or faulty, these interfaces enter the bypass state, and traffic passes directly between the devices on both sides without traversing the NGFW itself.
The following takes a pair of bypass interfaces (GE0 and GE1) as an example to show the data flows in the bypass and non-bypass states.
As shown in Figure 6-44, GE0 connects to Router_A and GE1 to Router_B. In the non-bypass state, traffic flows from Router_A into the NGFW through GE0, is processed, and leaves through GE1 to Router_B; the reverse direction works the same way. In the bypass state, traffic enters GE0 from Router_A and is passed straight out of GE1 to Router_B without being processed by the NGFW, so Router_A is effectively connected directly to Router_B.
Figure 6-44 Schematic diagram of data flows in bypass and non-bypass states
(Figure: two panels, each showing Router_A, GE0, the NGFW, GE1 and Router_B, one for the non-bypass state and one for the bypass state.)
To minimize the service interruption when the bypass working mode switches, set the duplex mode of the bypass ports and of their upstream and downstream ports to full duplex.
Context
Before you configure an electrical bypass function, ensure that a bypass interface card with
electrical interfaces is installed on the device.
l When the interfaces are in bypass state, the upstream and downstream devices are connected
directly by a pair of bypass interfaces, and traffic is not processed by the local device.
l When the interfaces are not in bypass state, a pair of bypass interfaces are not directly
connected, and traffic is processed by the local device.
The interfaces can be switched to the bypass state in either of the following ways:
l Automatic mode
– Hardware mode: when the device is powered off, the relay closes automatically and the interfaces switch to the bypass state.
– Software mode: when the device restarts and heartbeat detection with the main board is enabled, the interfaces switch to the bypass state if the heartbeat is lost.
l Manual mode
In software mode, the interfaces can also be switched to the bypass state manually.
When interfaces work in the bypass state, services are not interrupted because the traffic is not processed by the NGFW. The same traffic is therefore also not inspected or filtered, which is a security risk for as long as the bypass lasts. Rectify the fault as soon as possible to return the interfaces to the non-bypass state.
Procedure
Step 1 Choose System > High Availability > Bypass.
Step 2 In the Electrical Bypass List, click the icon corresponding to a pair of interfaces.
----End
Context
The context is the same as for the Web UI procedure above: a bypass interface card with electrical interfaces must be installed, and interfaces in the bypass state pass traffic between the upstream and downstream devices without processing by the NGFW.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bypass-link bypass-link-number
Step 3 Run the following commands as required:
switch bypass
Manually switches the pair of interfaces to the bypass state.
auto-recover
When automatic recovery of the bypass state is enabled and the interfaces switch to the bypass state automatically because the device breaks down or is faulty, they switch back to the non-bypass state automatically after the device recovers.
If automatic recovery of the bypass state is disabled, interfaces that switched to the bypass state automatically remain in the bypass state.
----End
Follow-up Procedure
Run the display bypass command to display the bypass state of the interface.
<NGFW> display bypass
Interface-1 Interface-2 BYPASS-Switch
2/0/0 2/0/1 switch
2/0/2 2/0/3 no switch
6.3 Link-group
In link-group, multiple physical interfaces are bound to a logical group to ensure the status
consistency of the interfaces in the group.
6.3.1 Introduction
This section describes the definition and purpose of link-group.
Definition
A link-group is used to bind the state of several physical interfaces to form a logical group. If
one of the interfaces within the logical group is faulty, the system sets the state of the other
interfaces as Down. After all the interfaces are functional, the system resets the state of the
interfaces within the logical group as Up.
Purpose
The Link-group management group ensures the status consistency of the physical interfaces in
the group, and accelerates the route convergence when the link is faulty.
Prerequisites
Set the IP addresses of interfaces and add the interfaces to security zones.
Context
The link-group function binds the status of several interfaces into a logical group. If one interface in the group is faulty, the system sets the other interfaces in the group to Down. After all the interfaces recover, the system sets them back to Up. This keeps the status of the upstream and downstream interfaces consistent and avoids inconsistent upstream and downstream paths after an active/standby switchover.
Procedure
Step 1 Run:
system-view
Step 2 Run:
Step 3 Run:
link-group link-group-id
By default, the system is not configured with the link-group management group.
----End
Follow-up Procedure
Run the display link-group link-group-id command to check the configuration of the link-
group.
<NGFW> display link-group 1
link group 1, total 2, fault 0
GigabitEthernet1/0/2 : up
GigabitEthernet1/0/1 : up
6.4 IP-link
IP-link, automatic service link reachability detection, detects the status of the links indirectly
connected to the device.
6.4.1 Introduction
This section describes the definition and purpose of IP-link.
Definition
With IP-link, the NGFW periodically sends ICMP echo requests or ARP requests to a specified destination IP address and waits for the responses. If no response arrives within the specified interval (3 seconds by default), the NGFW considers the link faulty and performs the configured link-down actions. If three successive responses then arrive within the time limit over the link considered faulty, the NGFW considers the link recovered and performs the link-recovery actions.
Purpose
IP-link, automatic service link reachability detection, detects the status of the links indirectly
connected to the NGFW to ensure service continuity.
After the VGMP management group is configured to monitor an IP-link, the status of links or interfaces not directly connected to the NGFW can be detected. As shown in Figure 6-45, if the interface (IP address 1.1.1.1/24) of the router in the Untrust zone fails and IP-link is enabled, the system automatically triggers an active/standby switchover to ensure service continuity.
(Figure 6-45: the hot standby pair, including NGFW_B, and the router in the Untrust zone with interface 1.1.1.1/24.)
As shown in Figure 6-46, when intranet users access the Internet, two static routes are available.
One route is bound with IP-link. When this link is faulty, the traffic is switched to the other,
ensuring the normal running of services.
(Figure 6-46 labels: IP-Link 1; the NGFW with GE1/0/2 192.168.1.1/24 toward the intranet switch and GE1/0/1 10.10.1.1/24; 10.10.1.3/24; Router 2.)
Interworking PBR with IP-link solves the previous problem and makes PBR more flexible and responsive to changes in the network. When you configure the IP-link, make the destination IP address of the monitored link the same as the next hop or default next hop specified in the policy-based route, and associate the policy-based route with the IP-link. IP-link then monitors the reachability of the next hop and default next hop, and its state dynamically determines whether the policy-based route is usable.
l When the IP-link is Up, the link is reachable, and the next hop and default next hop configured in the policy take effect for packet forwarding.
l When the IP-link is Down, the link is unreachable, the next hop and default next hop configured in the policy are ignored, and the packet is forwarded without the policy-based route: the device looks up the routing table to forward it, which ensures service continuity.
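The following added example (not Huawei code) simulates the IP-link behaviour defined at the start of this section together with the PBR fallback just described. A probe result is fed in per detection interval; a reply later than the timer (3 s by default, as on the page) counts as no reply; three consecutive replies are needed before a Down link is treated as Up again. The number of consecutive misses that declares the link Down is a parameter here and defaults to 1, which is the literal reading of the definition above; the actual threshold on a given release is an assumption. The addresses reuse the labels of Figure 6-46 (192.168.1.0/24 intranet, 10.10.1.3 as the monitored destination and PBR next hop); the default route next hop 10.10.2.3 is an assumption.

```python
"""IP-link state tracking and a PBR next hop bound to it.

Added example, not Huawei code. Follows the page's definition: no reply
within the timer (3 s default) marks the link faulty; three consecutive
replies mark it recovered. fail_misses (default 1) is an assumption.
While the IP-link is Down the PBR next hop is ignored and the routing table
is used instead, as the PBR section describes.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

DEFAULT_TIMER = 3.0       # seconds, the page's default detection interval
RECOVER_REPLIES = 3       # consecutive replies needed to return to Up


@dataclass
class IpLink:
    link_id: int
    destination: str
    timer: float = DEFAULT_TIMER
    fail_misses: int = 1              # assumption, see lead-in
    state: str = "up"
    _misses: int = field(default=0, repr=False)
    _hits: int = field(default=0, repr=False)

    def probe(self, reply_after: Optional[float]) -> str:
        """Feed one probe result (seconds until the reply, or None for no
        reply) and return the resulting link state."""
        answered = reply_after is not None and reply_after <= self.timer
        if answered:
            self._misses = 0
            self._hits += 1
            if self.state == "down" and self._hits >= RECOVER_REPLIES:
                self.state = "up"
        else:
            self._hits = 0
            self._misses += 1
            if self.state == "up" and self._misses >= self.fail_misses:
                self.state = "down"
        return self.state


@dataclass
class PolicyRoute:
    match: str            # source prefix the policy applies to
    next_hop: str         # same address as the IP-link destination, per the page
    ip_link: IpLink


def select_next_hop(dst: str, src: str, policies: list, routing_table: dict) -> str:
    """PBR next hop if a policy matches and its IP-link is Up; otherwise the
    longest-prefix match in the routing table."""
    for pol in policies:
        if ip_address(src) in ip_network(pol.match) and pol.ip_link.state == "up":
            return pol.next_hop
    best = max((n for n in routing_table if ip_address(dst) in ip_network(n)),
               key=lambda n: ip_network(n).prefixlen)
    return routing_table[best]


def demo() -> list:
    """Link to 10.10.1.3 answers, then misses twice, then answers three times.
    Returns (link state, chosen next hop) after each probe."""
    link = IpLink(1, "10.10.1.3")
    pbr = [PolicyRoute("192.168.1.0/24", "10.10.1.3", link)]
    table = {"0.0.0.0/0": "10.10.2.3"}          # assumed fallback route
    trace = []
    for result in (0.4, None, None, 0.2, 0.3, 0.5):
        link.probe(result)
        trace.append((link.state, select_next_hop("8.8.8.8", "192.168.1.10", pbr, table)))
    return trace


if __name__ == "__main__":
    for state, nh in demo():
        print(f"ip-link {state:4}  next hop {nh}")
```

The trace shows the asymmetry the page describes: a single missed probe pulls traffic off the PBR next hop onto the routing table at once, but the policy route is only restored after three good probes, which is what stops a marginal link from flapping the forwarding path every interval.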
Context
IP-link, automatic service link reachability detection, detects the status of the links indirectly
connected to the NGFW to ensure service continuity.
When multiple IP links are configured on a device, the IP links send link detection packets
concurrently. As a result, the CPU usage increases dramatically. To resolve this problem, enable
the IP-Link group function to add IP links to an IP-Link group. The IP links of the IP-Link group
send link detection packets in batches within the interval to reduce the CPU usage.
Procedure
Step 1 Run:
system-view
l Create an IPv4-link.
ip-link link-id [ vpn-instance vpn-instance-name ] destination { ip-address | domain-name } [ interface interface-type interface-number ] [ timer interval ] [ mode { icmp [ next-hop { nexthop-address | dhcp | dialer } ] | arp } ]
l Create an IPv6-link.
ip-link link-id ipv6 destination { ipv6-address | domain-name } [ interface interface-type interface-number ] [ timer interval ] [ mode { icmpv6 [ next-hop nexthop-ipv6-address ] | ns } ]
NOTE
Using the default timer value (3s) for IP-link detection is recommended. A smaller value may cause IP-link
flapping.
Step 3 Configure the following items based on the number of IP-links on the device.
NOTE
The IP-link function and the IP-Link group function cannot be enabled concurrently. When the IP-link function is enabled, the IP-links that have been added to an IP-Link group become invalid, and the IP-links not added to a group remain valid.
l When the number of IP-links on the device is larger than 32, you must run the ip-link group enable command to enable the IP-link group function and then configure the following:
1. Run:
ip-link group add linkid beginlinkID [ to endlinkID ]
Add multiple IP links to an IP-Link group.
2. Run:
ip-link group interval interval
Configure the interval for the IP-Link group to send detection packets. Increasing the interval reduces the CPU load, but the link detection sensitivity decreases.
l When the number of IP-links is less than 32, run the ip-link check enable command to enable the IP-link function. Alternatively, you can enable the IP-link group function.
----End
Prerequisites
Complete the configuration of the IP-link function. For details, see 6.4.3 Configuring IP-
Link.
Context
After the link reachability check function is configured, the NGFW periodically sends ICMP echo request packets or ARP request packets to the specified destination IP address to detect the status of a link that is not directly connected to the NGFW. If the NGFW does not receive any response packet within the specified time limit (three seconds by default), it considers that the link has failed and performs the link-fault follow-up operations. If the NGFW then receives three successive response packets within the time limit through the link that was considered faulty, it considers that the link has recovered and performs the link-recovery follow-up operations.
In dual-system hot backup networking mode, after IP link reachability check is enabled and
VGMP management group monitor IP-link is configured, when the link indirectly connected to
the NGFW fails, the VGMP management group module determines whether to synchronously
back up configuration commands and session state information and therefore trigger the failover
of the active and standby NGFWs.
NOTE
If the NGFW is connected to the upstream and downstream devices through GE optical interfaces, if the
upstream and downstream devices do not support the auto-negotiation function, and if an optical fiber fails,
the NGFW cannot detect the failure of the single optical fiber. If the IP link reachability check is enabled
and VGMP management group monitor IP-link is configured, the VGMP management group priority of
the active NGFW is reduced and the active/standby switchover occurs when a single optical fiber fails.
Procedure
Step 1 Run:
system-view
Step 2 Run:
hrp track ip-link link-id { active | standby }
You can configure the active management group or the standby management group to monitor the status of an IP link. On the active device, configure the active management group to monitor IP-link status; on the standby device, configure the standby management group to monitor IP-link status.
----End
Follow-up Procedure
Run the display ip-link command to display the information about the IP-Link that interworks
with dual-system hot backup.
<sysname> display ip-link
num state timer vpn-instance ip-address interface-name mode vgmp next-hop
11 down 3 10.1.1.111 icmp active
When IP-link is in Up state, the monitored link works properly. When IP-link is in Down state,
the monitored link is disconnected.
Prerequisites
Complete the configuration of the IP-link function. For details, see 6.4.3 Configuring IP-
Link.
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip route-static ip-address { mask | mask-length } { nexthop-address | interface-type interface-
number [ nexthop-address ] } [ preference preference ] track ip-link link-id [ description
description ]
----End
Follow-up Procedure
Run the display ip-link command to display the information about the IP-Link that interworks
with static routes.
<sysname> display ip-link
num state timer vpn-instance ip-address interface-name mode vgmp next-hop
11 down 3 10.1.1.111 icmp active
When IP-link is in Up state, the monitored link works properly. When IP-link is in Down state,
the monitored link is disconnected.
Prerequisites
Complete the configuration of the IP-link function. For details, see 6.4.3 Configuring IP-
Link.
Procedure
Step 1 Run:
system-view
----End
Follow-up Procedure
Run the display ip-link command to display the information about the IP-Link that interworks
with PBR.
<sysname> display ip-link
num state timer vpn-instance ip-address interface-name mode vgmp next-hop
1 up 3 10.1.2.1 icmp none
2 up 3 10.1.3.1 icmp none
When IP-link is in Up state, the monitored link works properly. When IP-link is in Down state,
the monitored link is disconnected.
Prerequisites
Complete the configuration of the IP-link function. For details, see 6.4.3 Configuring IP-
Link.
Context
In dual-uplink networking, if active/standby switchover between links is required, the active link must be assigned a route with a higher priority. The smaller the preference value, the higher the priority. When the device acts as a DHCP client, the priority of the default route obtained from the DHCP server is 245. In dual-uplink networking, if the active link is in DHCP mode and the standby link is in another mode, the route priority value of the standby link must be larger than 245. Then, when DHCP interworks with IP-link and a fault on the DHCP link is identified, the system disconnects the DHCP link and traffic is switched to the standby link.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
dhcp client enable track ip-link ip-link-id
----End
Follow-up Procedure
Run the display ip-link command to display the information about the IP-Link that interworks
with DHCP.
<sysname> display ip-link
num state timer vpn-instance ip-address interface-name mode vgmp next-hop
1 up 3 10.1.1.1 GE1/0/1 icmp none dhcp
When IP-link is in Up state, the monitored link works properly. When IP-link is in Down state,
the monitored link is disconnected.
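The display ip-link output shown in these follow-up procedures can be parsed for monitoring. The following is an added example, not Huawei code: it parses constructed rows in that column layout and lists the links that are Down; the VPN instance name vpn_a is made up for the example.

```python
"""Parse the text of `display ip-link` and list the links that are Down.

Added example, not Huawei code. The column layout (num state timer vpn-instance
ip-address interface-name mode vgmp next-hop) is the one shown in this manual;
empty columns print nothing, so the mode keyword is used as the anchor and the
columns to its left are assigned by count. The sample rows are constructed from
rows on this page plus one row with a made-up VPN instance name (vpn_a)."""
import re
from typing import Dict, List, Optional, Tuple

MODES = {"icmp", "arp", "icmpv6", "ns"}      # detection modes from the command syntax
VGMP = {"active", "standby", "none"}         # vgmp column values shown on the page
IP_RE = re.compile(r"^[0-9a-fA-F.:]+$")      # IPv4/IPv6 literal; a hex-only VPN name would fool it

# Constructed sample output in the manual's column layout.
SAMPLE_OUTPUT = """\
num state timer vpn-instance ip-address interface-name mode vgmp next-hop
1 up 3 8.8.8.1 GE1/0/2 icmp none dhcp
2 up 3 vpn_a 10.1.3.1 icmp none
11 down 3 10.1.1.111 icmp active
"""

Entry = Dict[str, object]


def parse_ip_link(text: str) -> List[Entry]:
    """Turn each data row into a dict; header, blank and stray lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or not tok[0].isdigit():
            continue
        entry: Entry = dict.fromkeys(
            ["num", "state", "timer", "vpn_instance", "ip_address",
             "interface", "mode", "vgmp", "next_hop"])
        entry["num"], entry["state"], entry["timer"] = int(tok[0]), tok[1].lower(), int(tok[2])
        rest = tok[3:]
        mode_idx = next((i for i, t in enumerate(rest) if t in MODES), None)
        if mode_idx is None:
            raise ValueError(f"no detection mode in row: {line!r}")
        entry["mode"] = rest[mode_idx]
        left, right = rest[:mode_idx], rest[mode_idx + 1:]
        if len(left) == 3:                             # vpn-instance, ip-address, interface
            entry["vpn_instance"], entry["ip_address"], entry["interface"] = left
        elif len(left) == 2 and IP_RE.match(left[0]):  # ip-address, interface
            entry["ip_address"], entry["interface"] = left
        elif len(left) == 2:                           # vpn-instance, ip-address
            entry["vpn_instance"], entry["ip_address"] = left
        elif len(left) == 1:
            entry["ip_address"] = left[0]
        else:
            raise ValueError(f"unexpected columns in row: {line!r}")
        if right and right[0] in VGMP:
            entry["vgmp"] = right[0]
            right = right[1:]
        if right:
            entry["next_hop"] = right[0]               # dhcp, dialer or a next-hop address
        entries.append(entry)
    return entries


def down_links(entries: List[Entry]) -> List[Tuple[int, str, Optional[str]]]:
    """(num, destination, vgmp) for every link in Down state. A Down link whose vgmp
    column is active or standby also lowers that management group's priority."""
    return [(e["num"], e["ip_address"], e["vgmp"]) for e in entries if e["state"] == "down"]
```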
Debugging IP-Link
Before opening the debugging, you must run the terminal monitor and terminal debugging
commands in the user view to enable the terminal information display and terminal debugging
information display functions, so that the debugging information is displayed on the terminal.
NOTICE
Enabling the debugging affects the system performance. Therefore, after debugging, you need
to run the undo debugging all command to disable the debugging in time.
For details on the explanation of the debugging commands, refer to the Debugging Reference.
6.4.6.1 Example for Configuring the Interworking Between IP-Link and Dual-system Hot Backup
This example builds on the example for configuring active/standby dual-system hot backup and adds the interworking between IP-link and dual-system hot backup.
Network Requirements
The NGFW is deployed on the service node as a security device. Upstream and downstream devices are routers. NGFW_A and NGFW_B work in active/standby mode.
Figure 6-48 shows the networking diagram. The detailed description is as follows:
l OSPF runs among the router and the two NGFWs. The router sends service packets to the active NGFW according to the route calculation result.
l The upstream and downstream interfaces of each NGFW are added to the same link-group, which accelerates route convergence when a link is faulty.
l The NGFWs monitor the network egress through the interworking between IP-Link and dual-system hot backup. When the network egress on the link where NGFW_A resides is down, NGFW_B switches to the active device and service packets are sent to NGFW_B.
Figure 6-48 Networking diagram of the example for configuring the interworking between IP-link and dual-system hot backup
[Figure 6-48 diagram not reproduced: NGFW_A (GE1/0/1, GE1/0/3, GE1/0/2 10.100.50.2/24) and NGFW_B (GE1/0/2 10.100.50.3/24) between the Trust and Untrust zones; IP-Link toward the Untrust router interface 1.1.1.1/24; interface addresses 10.100.10.2/24 and 10.100.30.2/24]
Configuration Roadmap
1. Set the IP addresses of interfaces on active and standby NGFWs, and add the interfaces to
corresponding security zones and upstream and downstream interfaces on the same
NGFW to the same link-group.
2. Run OSPF on active and standby NGFWs, and adjust the OSPF-related cost value according
to the HRP status.
3. Configure the active management group to monitor the status of interfaces in the interface
view of the active NGFW, and configure the standby management group to monitor the
status of interfaces in the interface view of the standby NGFW.
4. Configure the interworking between IP-link and dual-system hot backup on active and standby NGFWs.
5. Configure HRP backup channels on active and standby NGFWs and enable HRP.
6. Enable the automatic backup of configuration commands, and configure the security policy
for the Trust-Untrust interzone on active and standby NGFWs.
7. Configure the router.
Procedure
Step 1 Configure the NGFW_A.
# Set an IP address for GigabitEthernet 1/0/1.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
# Add GigabitEthernet 1/0/1 and GigabitEthernet 1/0/3 to the same link-group management
group.
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] link-group 1
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] link-group 1
[NGFW_A-GigabitEthernet1/0/3] quit
# Enable the function of adjusting the related cost value of OSPF according to the HRP status.
NOTICE
When the NGFW is deployed on the OSPF network to work in dual-system hot backup mode,
this command must be configured.
# Configure the active management group to monitor the status of interfaces in the interface
view.
# Configure the interworking between IP-Link and dual-system hot backup. When the network egress is down, the IP-Link status turns to Down and the priority of the management group is reduced by 2.
[NGFW_A] hrp track ip-link 1 active
# Enable HRP.
[NGFW_A] hrp enable
The configuration on the NGFW_B is similar to that on the NGFW_A. The differences are as
follows:
Step 3 Configure the interworking between IP-Link and dual-system hot backup on NGFW_B.
[NGFW_B] ip-link check enable
[NGFW_B] ip-link 1 destination 2.2.2.2 interface GigabitEthernet 1/0/3
[NGFW_B] hrp track ip-link 1 standby
Step 4 Enable automatic backup of configuration commands, and configure the interzone packet-filtering rules for the Trust zone and Untrust zone on NGFW_A.
NOTE
When HRP is enabled on both NGFW_A and NGFW_B and the automatic backup of configuration commands is enabled on NGFW_A, the security policy configured on NGFW_A is automatically backed up to NGFW_B.
# Configure security policy to ensure that the users on network segment 192.168.1.0/24 can
access the Untrust zone.
HRP_A[NGFW_A] security-policy
HRP_A[NGFW_A-policy-security] rule name ha
HRP_A[NGFW_A-policy-security-rule-ha] source-zone trust
----End
Configuration Verification
1. Run the display hrp state command on NGFW_A to check the status of the current HRP.
If the following information is displayed, HRP is successfully established.
HRP_A[NGFW_A] display hrp state
The firewall's config state is: ACTIVE
2. PC2, which is in the Untrust zone, serves as the HTTP server and provides HTTP services
externally. PC1 in the Trust zone accesses the HTTP server in the Untrust zone, and files
are downloaded. Check sessions respectively on NGFW_A and NGFW_B.
HRP_A[NGFW_A] display firewall session table verbose
http VPN: public --> public ID: a48f3648905d02c034567da1
Zone: trust -> untrust TTL: 00:10:00 Left: 00:08:39
Output-interface: GigabitEthernet1/0/1 Nexthop: 10.100.10.2 MAC:
00-00-5e-00-01-02
<-- packets:1135 bytes:86014 --> packets:1127 bytes:45653
192.168.1.3:2048 --> 3.3.3.3:80 PolicyName: ha
HRP_S[NGFW_B] display firewall session table verbose
http VPN: public --> public ID: a48f3648905d02c0553591da1
Zone: trust -> untrust Remote TTL: 00:10:00 Left: 00:09:00
Output-interface: GigabitEthernet1/0/1 Nexthop: 10.100.10.2 MAC:
00-00-5e-00-01-02
<-- packets:0 bytes:0 --> packets:0 bytes:0
192.168.1.3:2048 --> 3.3.3.3:80 PolicyName: ha
As shown in the previous information, sessions with remote tags exist on NGFW_B, which
indicates that the session backup succeeds after you configure dual-system hot backup. In
addition, the traffic passing through NGFW_B is 0, which indicates that NGFW_B is
completely in standby state. This represents active/standby networking.
Configuration Script
Configuration script of NGFW_A:
#
sysname NGFW_A
#
hrp enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/2
#
ip-link check enable
ip-link 1 destination 1.1.1.1 interface GigabitEthernet1/0/3 mode icmp
hrp track ip-link 1 active
#
interface GigabitEthernet 1/0/1
ip address 10.100.30.2 255.255.255.0
link-group 1
hrp track active
#
interface GigabitEthernet 1/0/2
ip address 10.100.50.2 255.255.255.0
#
interface GigabitEthernet 1/0/3
ip address 10.100.10.2 255.255.255.0
link-group 1
hrp track active
#
firewall zone trust
add interface GigabitEthernet 1/0/1
#
firewall zone dmz
add interface GigabitEthernet 1/0/2
#
firewall zone untrust
add interface GigabitEthernet 1/0/3
#
ospf 101
area 0.0.0.0
network 10.100.10.0 0.0.0.255
network 10.100.30.0 0.0.0.255
#
security-policy
rule name ha
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
action permit
#
return
#
ospf 101
area 0.0.0.0
network 10.100.20.0 0.0.0.255
network 10.100.40.0 0.0.0.255
#
security-policy
rule name ha
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
action permit
#
return
6.4.6.2 Example for Configuring the Interworking between Static Route and IP-Link
This section describes the example for configuring IPv4 static route binding with IP-Link.
Networking Requirements
As shown in Figure 6-49, the switch is connected to two routers and the company has two links
to access the Internet. Two IP-Links are configured. IP-Link 1 is from the NGFW to router 1
and IP-Link 2 is from the NGFW to router 2. IP-Link 1 is the primary link. Two static routes
are installed, one bound to IP-Link 1, the other to IP-Link 2. If IP-Link 1 fails, traffic will be
switched to IP-Link 2 so that Internet access will not be interrupted.
Figure 6-49 Networking of configuring the interworking between static route and IP-Link
[Figure 6-49 diagram not reproduced: Intranet, NGFW (GE1/0/2 192.168.1.1/24, GE1/0/1 10.10.1.1/24), Switch, Router 1 (10.10.1.2/24, IP-Link 1), Router 2 (10.10.1.3/24)]
Procedure
Step 1 Configure two IP-Links to detect the links from NGFW to router 1 and router 2.
[NGFW] ip-link check enable
[NGFW] ip-link 1 destination 10.10.1.2 mode icmp
[NGFW] ip-link 2 destination 10.10.1.3 mode icmp
Step 2 Install two static routes to reach the Internet and bind them to the two IP-Links. Set the
preferences of the two links to ensure that the link to router 1 has a higher preference.
[NGFW] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2 track ip-link 1
[NGFW] ip route-static 0.0.0.0 0.0.0.0 10.10.1.3 preference 70 track ip-link 2
----End
Configuration Verification
Verify the configuration on the NGFW as follows:
When the links between the NGFW and the two routers are both normal, run the display ip-link command. The output resembles:
[NGFW] display ip-link
num state timer vpn-instance ip-address interface-name mode vgmp next-hop
1 up 3 10.10.1.2 icmp none
2 up 3 10.10.1.3 icmp none
Run the display ip routing-table command. The output shows that the default route to the Internet is the one directed to router 1.
[NGFW] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination: 0.0.0.0/0
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 10.10.1.2 Neighbour: 0.0.0.0
State: Active Adv GotQ Age: 00h03m29s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet1/0/1
TunnelID: 0x0 Flags: RD
Destination: 0.0.0.0/0
Protocol: Static Process ID: 0
Preference: 70 Cost: 0
NextHop: 10.10.1.3 Neighbour: 0.0.0.0
State: Inactive Adv GotQ Age: 00h00m08s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet1/0/1
TunnelID: 0x0 Flags: R
The output shows that when the two links are normal, the preference value of the route to 10.10.1.2 is 60 (the default). Therefore, this route is in the Active state and is installed in the routing table. The route to 10.10.1.3 has a preference value of 70 and is in the Inactive state. It is the backup route and is not installed in the routing table.
When the link to router 1 breaks, run the display ip-link command. The output shows that the IP-Link to 10.10.1.2 is down.
[NGFW] display ip-link
num state timer vpn-instance ip-address interface-name mode vgmp next-hop
1 down 3 10.10.1.2 icmp none
2 up 3 10.10.1.3 icmp none
Run the display ip routing-table command. The output shows that the default route to the Internet is the one directed to router 2.
[NGFW] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
Destination: 0.0.0.0/0
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 10.10.1.2 Neighbour: 0.0.0.0
State: Invalid Adv GotQ Age: 00h03m29s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet1/0/1
TunnelID: 0x0 Flags: RD
The output shows that when the link to 10.10.1.2 breaks, the state of IP-Link 1 is Down and the
route to 10.10.1.2 is set to Invalid. The route to 10.10.1.3, which has a preference value of 70,
is set to Active and installed in the routing table.
Configuration Scripts
#
sysname NGFW
#
ip-link check enable
ip-link 1 destination 10.10.1.2 mode icmp
ip-link 2 destination 10.10.1.3 mode icmp
#
ip route-static 0.0.0.0 0.0.0.0 10.10.1.2 track ip-link 1
ip route-static 0.0.0.0 0.0.0.0 10.10.1.3 preference 70 track ip-link 2
#
return
6.4.6.3 Example for Configuring the Interworking between PBR and IP-Link
This example describes how to configure PBR to select next hops for various packets and balance
link traffic. It also describes how to use IP-link for monitoring the reachability of links where
the next hops of the packets on policy-based routes reside and dynamically determining the
availability of the policy-based routes by IP-link state. When a policy-based route is unavailable,
the device can search for standby routes to ensure link continuity.
Networking Requirements
As shown in Figure 6-50, an enterprise has departments A and B. Departments A and B, acting
as service departments, have heavy traffic and require different links for traffic balancing. In
addition, the departments require high stability and continuity.
To meet their requirements, the enterprise applies for two links that access the Internet, namely,
ISP1 and ISP2 to balance link traffic. The two links are mutually backed up to ensure link
continuity.
l Department A resides on network segment 10.1.0.0/16 and its packets for accessing the
Internet pass through link ISP1 in normal cases.
l Department B resides on network segment 10.2.0.0/16 and its packets for accessing the
Internet pass through link ISP2 in normal cases.
l The links of departments A and B back each other up. When the link (active link) of one department is faulty, traffic is switched to the link (standby link) of the other department.
[Figure 6-50 diagram not reproduced: Department A (10.1.0.1/16 on GE1/0/4) and Department B (10.2.0.1/16 on GE1/0/1) connect through switches to the NGFW; GE1/0/2 1.1.2.2/24 to Router_A 1.1.2.1/24 (ISP1, IP-Link 1); GE1/0/3 1.1.3.2/24 to Router_B 1.1.3.1/24 (ISP2, IP-Link 2)]
Configuration Roadmap
NOTE
This example describes only PBR-related configurations, but not configurations (such as NAT and route
reachability among Router_A, Router_B, and NGFW) required by the NGFW for providing Internet access
services.
Procedure
Step 1 Configure IP-link.
NOTE
To ensure interworking between PBR and IP-link, the destination IP address detected by IP-link must be
consistent with the setting of the next hop of packets.
# Enable IP-link.
[NGFW] ip-link check enable
# Create IP-link 1 for detecting link reachability from the NGFW to destination address 1.1.2.1.
[NGFW] ip-link 1 destination 1.1.2.1 mode icmp
# Create IP-link 2 for detecting link reachability from the NGFW to destination address 1.1.3.1.
[NGFW] ip-link 2 destination 1.1.3.1 mode icmp
# Configure rule A_2, so that packets sent from 10.1.0.0/16 are sent to next-hop 1.1.2.1.
[NGFW-policy-pbr] rule name A_2
[NGFW-policy-pbr-rule-A_2] ingress-interface GigabitEthernet 1/0/4
# Configure rule B_1, so that packets sent from 10.2.0.0/16 to 10.1.0.0/16 are not policy-routed.
[NGFW] policy-based-route
[NGFW-policy-pbr] rule name B_1
[NGFW-policy-pbr-rule-B_1] ingress-interface GigabitEthernet 1/0/1
[NGFW-policy-pbr-rule-B_1] source-address 10.2.0.0 16
[NGFW-policy-pbr-rule-B_1] destination-address 10.1.0.0 16
[NGFW-policy-pbr-rule-B_1] action no-pbr
[NGFW-policy-pbr-rule-B_1] quit
# Configure rule B_2, so that packets sent from 10.2.0.0/16 are sent to next-hop 1.1.3.1.
[NGFW-policy-pbr] rule name B_2
[NGFW-policy-pbr-rule-B_2] ingress-interface GigabitEthernet 1/0/1
[NGFW-policy-pbr-rule-B_2] source-address 10.2.0.0 16
[NGFW-policy-pbr-rule-B_2] action pbr next-hop 1.1.3.1
# Configure the default route, set the next hop to 1.1.3.1/24, and associate the route with IP-link 2.
[NGFW] ip route-static 0.0.0.0 0.0.0.0 1.1.3.1 track ip-link 2
----End
Configuration Verification
1. When active links are reachable, packets for accessing the Internet from department A are
forwarded by the NGFW to ISP1, and packets for accessing the Internet from department
B are forwarded by the NGFW to ISP2.
# Run the display ip-link command. You can view that the IP links are Up.
[NGFW] display ip-link
num state timer vpn-instance ip-address interface-name mode vgmp next-hop
1 up 3 1.1.2.1 icmp none
2 up 3 1.1.3.1 icmp none
# Run the ping 1.1.2.1 command in department A. The pinging attempt is successful. Then
run the ping 1.1.3.1 command. The pinging attempt is unsuccessful.
C:\Documents and Settings\DepartA>ping 1.1.2.1
# Run the ping 1.1.3.1 command in department B. The pinging attempt is successful. Then
run the ping 1.1.2.1 command. The pinging attempt is unsuccessful.
C:\Documents and Settings\DepartB>ping 1.1.3.1
2. When the active link is faulty, the NGFW searches for the standby route and forwards the
packets of departments to the corresponding standby link. Active link ISP1 of department
A is used as an example for explanation.
# Run the display ip-link command. The IP link where department A resides is Down.
[NGFW] display ip-link
num state timer vpn-instance ip-address interface-name mode vgmp next-hop
1 down 3 1.1.2.1 icmp none
2 up 3 1.1.3.1 icmp none
# Run the ping 1.1.2.1 command in department A. The pinging attempt is unsuccessful.
Then run the ping 1.1.3.1 command. The pinging attempt is successful.
C:\Documents and Settings\DepartA>ping 1.1.3.1
3. When the active links are restored, the NGFW forwards all packets to the active links again. Active link ISP1 of department A is used as an example.
# Run the display ip-link command. Both IP links of department A are Up.
[NGFW] display ip-link
num state timer vpn-instance ip-address interface-name mode vgmp next-hop
1 up 3 1.1.2.1 icmp none
2 up 3 1.1.3.1 icmp none
# Run the ping 1.1.2.1 command in department A. The pinging attempt is successful. Then
run the ping 1.1.3.1 command. The pinging attempt is unsuccessful.
C:\Documents and Settings\DepartA>ping 1.1.2.1
4. The mutual access of departments A and B is successful. The pinging attempt from
department A to B is used as an example.
C:\Documents and Settings\DepartA>ping 10.2.0.111
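To make the behaviour described in the link reachability check context, in the static-route example in 6.4.6.2 and in this PBR example concrete, the following added Python model (not Huawei code) simulates the IP-link state machine and the route and PBR selection that track it. The class names and the hosts 10.1.0.5 and 10.2.0.5 are assumptions of the example; the addresses, preferences and rule names come from the examples above.

```python
"""Model of IP-link tracking and the routes bound to it (added illustration, not
Huawei code). The state machine follows the manual: one missed reply marks a link
Down, three successive replies mark it Up again. Route preference (lower wins) and
the PBR fallback (a rule whose tracked IP-link is Down is skipped and the routing
table is used) follow the text. Class names and hosts 10.1.0.5/10.2.0.5 are ours."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

RECOVERY_REPLIES = 3  # successive replies needed before a Down link is Up again

@dataclass
class IPLink:
    link_id: int
    destination: str
    state: str = "up"        # assumed initial state: link reachable
    good_replies: int = 0

    def probe(self, replied: bool) -> str:
        """Feed one probe result: True if a reply arrived within the timer."""
        if not replied:      # a single timeout (3 s by default) marks the link Down
            self.state, self.good_replies = "down", 0
        else:
            self.good_replies += 1
            if self.state == "down" and self.good_replies >= RECOVERY_REPLIES:
                self.state = "up"
        return self.state

@dataclass
class Route:
    prefix: str
    next_hop: str                 # next-hop address or outbound interface
    preference: int = 60          # default static-route preference on the page
    track: Optional[int] = None   # IP-link id the route is bound to, if any

@dataclass
class PBRRule:
    name: str
    source: str
    next_hop: Optional[str]       # None models "action no-pbr"
    destination: Optional[str] = None
    track: Optional[int] = None

class Forwarder:
    def __init__(self, links: List[IPLink], routes: List[Route], pbr: List[PBRRule]):
        self.links = {link.link_id: link for link in links}
        self.routes, self.pbr = routes, pbr

    def link_up(self, link_id: Optional[int]) -> bool:
        return link_id is None or self.links[link_id].state == "up"

    def active_routes(self) -> List[Route]:
        """Routes whose tracked IP-link is Up: longest prefix, then best preference."""
        usable = [r for r in self.routes if self.link_up(r.track)]
        return sorted(usable, key=lambda r: (-ip_network(r.prefix).prefixlen, r.preference))

    def lookup(self, src: str, dst: str) -> Optional[str]:
        """Next hop for a packet: a matching PBR rule first, then the routing table."""
        s, d = ip_address(src), ip_address(dst)
        for rule in self.pbr:                       # rules are evaluated in order
            if s not in ip_network(rule.source):
                continue
            if rule.destination and d not in ip_network(rule.destination):
                continue
            if rule.next_hop and self.link_up(rule.track):
                return rule.next_hop                # action pbr next-hop, link Up
            break   # action no-pbr, or tracked link Down: use the routing table
        for r in self.active_routes():
            if d in ip_network(r.prefix):
                return r.next_hop
        return None                                 # no usable route

def static_route_scenario():
    """6.4.6.2: default routes at preference 60 and 70, each bound to an IP-link."""
    l1, l2 = IPLink(1, "10.10.1.2"), IPLink(2, "10.10.1.3")
    fw = Forwarder([l1, l2], [Route("0.0.0.0/0", "10.10.1.2", 60, track=1),
                              Route("0.0.0.0/0", "10.10.1.3", 70, track=2)], [])
    before = fw.lookup("192.168.1.3", "3.3.3.3")
    l1.probe(False)                       # one missed reply: IP-link 1 goes Down
    during = fw.lookup("192.168.1.3", "3.3.3.3")
    for _ in range(RECOVERY_REPLIES):     # three successive replies: Up again
        l1.probe(True)
    return before, during, fw.lookup("192.168.1.3", "3.3.3.3")

def pbr_scenario():
    """6.4.6.3: department A via ISP1, B via ISP2, each link backing up the other."""
    l1, l2 = IPLink(1, "1.1.2.1"), IPLink(2, "1.1.3.1")
    routes = [Route("10.1.0.0/16", "GigabitEthernet1/0/4", 0),   # connected networks
              Route("10.2.0.0/16", "GigabitEthernet1/0/1", 0),
              Route("0.0.0.0/0", "1.1.2.1", track=1), Route("0.0.0.0/0", "1.1.3.1", track=2)]
    pbr = [PBRRule("A_1", "10.1.0.0/16", None, destination="10.2.0.0/16"),
           PBRRule("A_2", "10.1.0.0/16", "1.1.2.1", track=1),
           PBRRule("B_1", "10.2.0.0/16", None, destination="10.1.0.0/16"),
           PBRRule("B_2", "10.2.0.0/16", "1.1.3.1", track=2)]
    fw = Forwarder([l1, l2], routes, pbr)
    a_ok, b_ok = fw.lookup("10.1.0.5", "3.3.3.3"), fw.lookup("10.2.0.5", "3.3.3.3")
    l1.probe(False)                                  # ISP1 unreachable
    a_failed = fw.lookup("10.1.0.5", "3.3.3.3")      # rule A_2 skipped, default via ISP2
    return a_ok, b_ok, a_failed, fw.lookup("10.1.0.5", "10.2.0.111")  # last: no-pbr, connected
```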
Configuration Scripts
Configuration scripts of NGFW
#
sysname NGFW
#
ip-link check enable
ip-link 1 destination 1.1.2.1 mode icmp
ip-link 2 destination 1.1.3.1 mode icmp
#
interface GigabitEthernet1/0/1
ip address 10.2.0.1 255.255.0.0
#
interface GigabitEthernet1/0/2
ip address 1.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/3
ip address 1.1.3.2 255.255.255.0
#
interface GigabitEthernet1/0/4
ip address 10.1.0.1 255.255.0.0
#
ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 track ip-link 1
ip route-static 0.0.0.0 0.0.0.0 1.1.3.1 track ip-link 2
#
policy-based-route
rule name A_1
ingress-interface GigabitEthernet1/0/4
source-address 10.1.0.0 16
destination-address 10.2.0.0 16
action no-pbr
rule name A_2
ingress-interface GigabitEthernet1/0/4
source-address 10.1.0.0 16
track ip-link 1
action pbr next-hop 1.1.2.1
rule name B_1
ingress-interface GigabitEthernet1/0/1
source-address 10.2.0.0 16
destination-address 10.1.0.0 16
action no-pbr
rule name B_2
ingress-interface GigabitEthernet1/0/1
source-address 10.2.0.0 16
track ip-link 2
action pbr next-hop 1.1.3.1
#
return
6.4.6.4 Example for Configuring the Interworking between DHCP and IP-Link
By binding the link where DHCP runs to IP-Link, you can resolve the problem that the
automatically delivered static route cannot be bound to the IP-Link.
Networking Requirements
As shown in Figure 6-51, the router is the gateway of a building. All enterprises in the building
access the Internet through the router. NGFW_A acts as the gateway of an enterprise in the
building. To ensure network continuity, the enterprise uses the dual-uplink networking. The
active link accesses the Internet through DHCP, that is, NGFW_A as the DHCP client accesses
the Internet by obtaining the IP address from the DHCP server. The standby link accesses the
Internet through PPPoE.
Because the DHCP client cannot sense link reachability by itself, NGFW_A cannot switch traffic to the standby link when the active link fails. By interworking with IP-Link, NGFW_A checks the availability of the link on which the DHCP client resides, and when that link fails, service traffic is switched to the standby link.
Figure 6-51 Networking diagram of configuring the interworking between DHCP and IP-Link
[Figure 6-51 diagram not reproduced: enterprise intranet PC, NGFW (GE1/0/1, GE1/0/2 10.1.1.2/24 as DHCP client), building Router (10.1.1.1/24 as DHCP server, 8.8.8.1/24 and 8.8.8.2/24 toward the Internet), IP-Link 1, PPPoE dial-up standby link]
Procedure
Step 1 Configure IP-Link.
NOTE
To ensure interworking between DHCP and IP-link, the destination IP address detected by IP-link must be
consistent with the IP address of the Router.
# Enable IP-link.
<NGFW> system-view
[NGFW] sysname NGFW_A
[NGFW_A] ip-link check enable
# Create IP-link 1 for detecting link reachability from the NGFW_A to destination address
8.8.8.1.
[NGFW_A] ip-link 1 destination 8.8.8.1 interface GigabitEthernet 1/0/2 mode icmp next-hop dhcp
Step 2 Configure the DHCP client function, and associate DHCP with the IP-Link.
# Enable the DHCP client function on interface GigabitEthernet 1/0/2, and associate DHCP with
the IP-Link 1.
[NGFW_A] dhcp enable
[NGFW_A] interface GigabitEthernet 1/0/2
When the NGFW_A acts as the DHCP client, the priority of the default route obtained from the DHCP
server is 245. When PPPoE is used for backup access, the priority of the default route must be larger than
245. The higher the priority value, the lower the priority.
[NGFW_A] ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 255
----End
Configuration Verification
1. When the active link is reachable, access packets are forwarded by NGFW_A to the active
link.
# Run the display ip-link command. You can view that IP-Link is created and it is in Up
state.
[NGFW_A] display ip-link
num state timer vpn-instance ip-address interface-name mode vgmp next-hop
1 up 3 8.8.8.1 GE1/0/2 icmp none dhcp
# Run the display ip routing-table command on NGFW_A. You can view that the default route of NGFW_A points to the gateway address obtained from the DHCP server and that the route priority is 245.
[NGFW_A] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
2. When the active link is faulty, NGFW_A switches the traffic to the standby link.
# Run the display ip-link command. You can view that the status of the IP-Link is Down.
[NGFW_A] display ip-link
num state timer vpn-instance ip-address interface-name mode vgmp next-hop
1 down 3 8.8.8.1 GE1/0/2 icmp none dhcp
# Run the display ip routing-table command. You can view that default route obtained
through the DHCP server is deleted and the backup default route with outbound interface
Dialer 0 is loaded to the routing table.
Routing Tables: Public
Destinations : 5 Routes : 5
3. When the active link recovers, run the display ip-link command on NGFW_A. You can view that the status of the IP-Link turns to Up. Run the display ip routing-table command. You can view that the default route obtained through the DHCP server is reloaded to the routing table.
Configuration Scripts
Configuration scripts of NGFW
#
sysname NGFW
ip-link check enable
ip-link 1 destination 8.8.8.1 interface GigabitEthernet1/0/2 mode icmp next-hop dhcp
#
interface GigabitEthernet1/0/2
dhcp client enable track ip-link 1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 255
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1 preference 245 track ip-link 1
#
return
6.5 BFD
As an independent hello protocol, BFD implements low-overhead and rapid fault detection. By
interworking with upper-layer protocols, BFD enables them to rapidly identify and recover from
faults.
6.5.1 Introduction
This section describes the definition and purpose of BFD.
Definition
Bidirectional Forwarding Detection (BFD) quickly detects communications faults between
systems and reports corresponding faults to the upper-layer protocol.
Purpose
To minimize the impact of failures and improve network availability, network devices need to
rapidly detect communication failures to take early remedial actions to ensure service continuity.
Applicable Environment
A link fault or a topology change may cause rerouting in a network. Fast convergence of the routing protocol is important for improving network availability. A feasible solution is to detect the fault quickly and notify the routing protocol immediately.
In the BFD-OSPF interworking, OSPF is associated with a BFD session. The BFD session fast
detects a link fault and notifies OSPF of the fault. In this manner, OSPF speeds up the response
to the change of the network topology.
Table 6-8 shows statistics of convergence speeds when OSPF is and is not associated with a
BFD session.
Not associated with BFD: fault detected by timeout of the OSPF Hello keepalive timer; convergence at the second level.
Associated with BFD: fault detected by the BFD session entering the Down state; convergence at the millisecond level.
Typical Application
As shown in Figure 6-52, OSPF runs among Router_A, Router_B, and Router_C which are
mutual neighbors. The link from Router_A to Router_B serves as the active link whereas the
link from Router_A to Router_C to Router_B as the standby link.
Create a BFD session on the link between Router_A and Router_B. Therefore, when the link
status changes, the convergence speed of OSPF increases. If the link between Router_A and
Router_B fails, BFD rapidly identifies the fault and notifies OSPF of the fault. Therefore, the
service traffic is switched to the standby link.
[Figure 6-52 diagram not reproduced: BFD session on the link between Router_A and Router_B]
Applicable Environment
A static route is manually configured by the administrator for a known path. Unlike a dynamic
route, a static route has no detection mechanism of its own; when the network fails, the
administrator must intervene.
Through interworking, the static route is bound to a static BFD session, so the status of the
static route follows the status of the BFD session.
Typical Application
As shown in Figure 6-53, Router_A connects to Router_B through a Layer-2 switch and reaches
the Internet through a static route. The link from Router_A to Router_B serves as the active
link, and the link from Router_A through Router_C to Router_B serves as the standby link.
To improve network reliability and shorten route convergence time, you can establish a BFD
session between Router_A and Router_B to check the link status.
l If the BFD session on the static route detects a fault (the status changes from Up to Down),
BFD reports the fault to the system. The system deletes this route from the routing table,
and the traffic switches to the standby link.
l If the BFD session on the static route is successfully created (the status changes from Down
to Up), BFD reports the event to the system. The system adds this route to the routing table,
and the traffic switches back to the active link.
Figure 6-53 Networking diagram of the interworking between BFD and static route (one-hop
detection)
[Diagram: BFD session between Router_A and Router_B]
The interworking between BFD and static route supports two detection modes:
l One-hop detection
The devices on both ends of the BFD session are connected directly or through a Layer-2
switch. That is, the BFD session and the static route share the same outbound interface,
and the IP address of the peer end is the next hop of the route. Figure 6-53 shows the typical
one-hop detection networking.
l Multi-hop detection
As Figure 6-54 shows, the devices on both ends of the BFD session are connected indirectly
through a multi-hop routed path. In this case, the BFD session is bound to the IP address of
the peer end rather than to the outbound interface of the static route.
Figure 6-54 Networking diagram of the interworking between BFD and static route (multi-hop
detection)
[Diagram: multi-hop BFD session between the two ends]
Applicable Environment
Fast ReRoute (FRR) is a mechanism that reports a fault detected at the physical layer or data
link layer to the upper-layer routing system and immediately switches traffic to a standby
link. In this way, the impact of link failures on services is minimized.
On traditional IP networks, when a fault is detected at a lower layer, the visible evidence is
that the physical interface on the router goes Down. After detecting such a fault, the router
notifies the upper-layer routing system to perform the corresponding updates and recalculate
routes. Usually, it takes a few seconds for routes to converge (that is, for another available
route to be selected) after a link fails.
For delay-sensitive or packet-loss-sensitive services, convergence at the second level is
unacceptable because services are interrupted for that duration. For example, the acceptable
network interruption for the Voice over IP (VoIP) service is at the millisecond level.
IP FRR ensures that the forwarding system detects such faults and takes countermeasures to
rapidly recover services.
However, IP FRR takes effect only when it is triggered by a fault detection mechanism such as
BFD.
Typical Application
As shown in Figure 6-55, two links are available between Router_A and Router_B. The link
from Router_A through Router_C to Router_B serves as the active link, and the link from
Router_A through Router_D to Router_B serves as the standby link.
Establish a BFD session between Router_A and Router_B. When the active link fails, BFD
reports the fault to FRR, and FRR rapidly switches the traffic to the standby link.
[Figure 6-55 (networking diagram): BFD session between Router_A and Router_B; standby path
through Router_D]
Applicable Environment
To ensure network reliability, some enterprises use dual-uplink networking. Usually, the
DHCP link serves as the active link: the company's egress gateway acts as a DHCP client and
obtains an IP address from the DHCP server to access the Internet. Other links, such as a
PPPoE link, serve as standby links.
As a DHCP client, the egress gateway cannot sense the availability of the link it resides on.
When the link fails, the gateway cannot switch service traffic to the standby link rapidly,
and services are interrupted.
The BFD-DHCP interworking resolves this problem. Associating the DHCP client with a BFD
session allows the availability of the DHCP link to be determined dynamically from the BFD
session status.
Typical Application
As shown in Figure 6-56, Router_A serves as the egress gateway of a building. All companies
in the building access the Internet through Router_A. Router_B serves as the egress gateway of
a company in the building. To ensure network continuity, the company uses dual-uplink
networking, with the DHCP link as the active link and the PPPoE link as the standby link.
[Figure 6-56 (networking diagram): Intranet; DHCP client; PPPoE; BFD session; normal and
abnormal traffic directions]
To ensure that the DHCP client can sense a fault and switch links quickly when the active
link fails, you can establish a static BFD session between Router_A and Router_B and bind
DHCP to BFD on Router_B.
Applicable Environment
Policy-Based Routing (PBR) is a mechanism that selects routes based on a user-defined policy
instead of forwarding packets by looking up the FIB table by the destination IP address. PBR
can be used for security or load balancing.
PBR supports route selection based on packet information such as the source IP address and
packet type. Packets that match the configured conditions are forwarded according to the
configured outbound interface and next hop, or the default outbound interface and next hop.
PBR cannot sense the availability of the link it applies to. If the link is unreachable when
the device forwards a packet, forwarding may fail.
The BFD-PBR interworking resolves this problem, makes PBR more flexible, and lets PBR react to
changes in the network. After the PBR actions are associated with a static BFD session, BFD
monitors the reachability of the next hop or outbound interface and dynamically determines the
availability of the policy-based route.
Typical Application
As shown in Figure 6-57, Router_A serves as the egress gateway of a company. Two links connect
to the Internet. Normally, traffic from Department A travels from Router_A to Router_B. When
a fault occurs, the service traffic is switched to the other link.
To ensure that Router_A can rapidly and dynamically sense the availability of PBR, you can
create a BFD session between Router_A and Router_B. When the link between Router_B and the
Layer-2 switch fails, BFD identifies the fault and notifies Router_A rapidly, and the PBR
bound to the BFD session becomes invalid. Router_A then searches for standby routes to ensure
service continuity.
[Figure 6-57 (networking diagram): Department A (PCs) behind Router_A; Router_B and Router_C;
BFD session; normal and abnormal traffic directions]
Applicable Environment
The hot standby function enables the standby device to take over services from a faulty active
device to ensure service continuity.
Virtual Router Redundancy Protocol (VRRP) Group Management Protocol (VGMP) groups
determine the active/standby status of devices.
When BFD works with hot standby, VGMP groups monitor static BFD sessions, and the priorities
of the VGMP groups change with the status of the BFD sessions. A change in VGMP group
priority triggers an active/standby switchover.
Typical Application
As shown in Figure 6-58, NGFW_A and NGFW_B are deployed on a hot standby network.
NGFW_A functions as the active device, and NGFW_B functions as the standby device.
To improve network reliability and enable the NGFWs to monitor the status of indirectly
connected links, create BFD sessions between NGFW_A and Router_A and use the active VGMP
group on NGFW_A to monitor the status of those BFD sessions. Likewise, create BFD sessions
between NGFW_B and Router_B and use the standby VGMP group on NGFW_B to monitor their status.
As shown in Figure 6-58, if interface GE1/0/1 on Router_A fails, the BFD session detects the
interface fault (the status changes from Up to Down) and notifies the VGMP group on NGFW_A.
The priority of the VGMP group on NGFW_A then becomes lower than that of the VGMP group on
NGFW_B, which triggers an active/standby switchover: NGFW_A becomes the standby device, and
NGFW_B becomes the active device.
Figure 6-58 Networking diagram of the interworking between BFD and Hot Standby
[Diagram label: GE1/0/1 on Router_A]
6.5.3 Mechanism
This section describes the BFD mechanism.
A BFD control packet consists of a mandatory part and an optional authentication part. Figure
6-59 shows the format of the BFD control packet.
Figure 6-59 Format of the BFD control packet
 0        7        16       23       31
|Vers|Diag |Sta|P|F|C|A|D|R| Detect Mult | Length  |
|                 My Discriminator                  |
|                Your Discriminator                 |
|              Desired Min Tx Interval              |
|              Required Min Rx Interval             |
|            Required Min Echo Rx Interval          |
|Auth Type | Auth Len | Authentication Data ...     | (optional authentication part)
Vers (Version), 3 bits
Indicates the protocol version number. The current version number is 1.
Diag (Diagnostic), 5 bits
Indicates the reason for the latest change of the session status from Up to another status in
the local system. Different values indicate different causes:
l 0: No Diagnostic
l 1: Control Detection Time Expired
l 2: Echo Function Failed
l 3: Neighbor Signaled Session Down
l 4: Forwarding Plane Reset
l 5: Path Down
l 6: Concatenated Path Down
l 7: Administratively Down
l 8: Reverse Concatenated Path Down
l 9 to 31: Reserved for future use
Sta (State), 2 bits
Indicates the status of the current BFD session. Different values indicate different statuses:
l 0: AdminDown. The BFD session is in the administrative Down state.
l 1: Down. The BFD session is Down or has just been created.
l 2: Init. The BFD session can communicate with the peer end, and the local end expects the
session to enter the Up state.
l 3: Up. The BFD session has been established.
P (Poll), 1 bit
Indicates whether the sending system requests confirmation of the connection or of a parameter
change:
l 1: the sending system requests confirmation of the connection or of the parameter change.
l 0: the sending system does not request confirmation of the connection or of the parameter
change.
F (Final), 1 bit
Indicates whether the sending system is responding to a BFD control packet with the P bit set
to 1:
l 1: the sending system is responding to a BFD control packet with the P bit set to 1.
l 0: the sending system is not responding to a BFD control packet with the P bit set to 1.
C (Control Plane Independent), 1 bit
Indicates whether BFD control packets are transmitted on the control plane:
l 1: the sending system implements BFD independently of the control plane. That is, BFD
packets are transmitted on the forwarding plane, and BFD continues to work even if the
control plane fails.
l 0: BFD packets are transmitted on the control plane.
D (Demand), 1 bit
Indicates the demand mode operation bit:
l 1: the sending system expects to run in demand mode.
l 0: the sending system does not expect to, or cannot, run in demand mode.
R (Reserved), 1 bit
Set to 0 when a BFD control packet is sent and ignored when a BFD control packet is received.
Detect Mult (Detect time multiplier), 1 byte
Indicates the detection time multiplier, that is, the maximum number of consecutive packets
the receiver may lose before it declares the link faulty. This field is used to check whether
the link is normal.
l Demand mode: uses the local detection time multiplier.
l Asynchronous mode: uses the detection time multiplier of the peer end.
Desired Min Tx Interval, 4 bytes
Indicates the minimum interval, in microseconds, at which the local system wants to send BFD
control packets.
Required Min Rx Interval, 4 bytes
Indicates the minimum interval, in microseconds, that the local system requires between two
received BFD control packets.
Required Min Echo Rx Interval, 4 bytes
Indicates the minimum interval, in microseconds, that the local system requires between two
received BFD echo packets. If the interval is set to 0, the sending system cannot receive BFD
echo packets.
Auth Type, 1 byte
Indicates the authentication type of BFD control packets. Different values indicate different
authentication types:
l 0: Reserved
l 1: Simple Password
l 2: Keyed MD5
l 3: Meticulous Keyed MD5
l 4: Keyed SHA1
l 5: Meticulous Keyed SHA1
l 6 to 255: Reserved for future use
Auth Len, 1 byte
Indicates the length, in bytes, of the authentication field, including the authentication type
field and the authentication length field.
BFD control packets are encapsulated in UDP packets for transmission. At the beginning of a
session, two systems negotiate with each other through the parameters (including the session
identifier, minimum expected packet sending/receiving interval, and BFD session status on the
local end) in BFD control packets. After the negotiation succeeds, BFD control packets are
transmitted along the path on the basis of the negotiated packet sending/receiving interval.
To ensure fast detection, the BFD protocol specifies the packet sending/receiving interval at
the microsecond level. Limited by device processing capability, BFD only reaches the
millisecond level on the devices of most vendors; the configured value is converted to
microseconds during internal processing.
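The following is an added example (not code from the Huawei guide) that decodes the control packet format described above and applies the receive-side checks a BFD implementation makes before a packet may influence session state. The field layout is the one in the table (RFC 5880): a 24-byte mandatory section followed by an optional authentication section; the A (authentication present) bit is the one shown in the packet diagram. The sample packets are constructed here with the included build_bfd_control() helper, and the function and class names are this example's own.

```python
import struct
from dataclasses import dataclass
from typing import Optional

BFD_VERSION = 1
MANDATORY_LEN = 24   # bytes; the optional authentication section follows it

DIAG_NAMES = {0: "No Diagnostic", 1: "Control Detection Time Expired", 2: "Echo Function Failed",
              3: "Neighbor Signaled Session Down", 4: "Forwarding Plane Reset", 5: "Path Down",
              6: "Concatenated Path Down", 7: "Administratively Down", 8: "Reverse Concatenated Path Down"}
STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
AUTH_NAMES = {0: "Reserved", 1: "Simple Password", 2: "Keyed MD5", 3: "Meticulous Keyed MD5",
              4: "Keyed SHA1", 5: "Meticulous Keyed SHA1"}


class BfdParseError(ValueError):
    """The packet failed a receive-side check and must be discarded."""


@dataclass
class BfdControl:
    version: int
    diag: int
    state: int
    poll: bool             # P
    final: bool            # F
    cpi: bool              # C, control plane independent
    auth_present: bool     # A
    demand: bool           # D
    detect_mult: int
    length: int
    my_disc: int
    your_disc: int
    desired_min_tx_us: int
    required_min_rx_us: int
    required_min_echo_rx_us: int
    auth_type: Optional[int] = None
    auth_len: Optional[int] = None
    auth_data: bytes = b""

    def summary(self) -> str:
        auth = AUTH_NAMES.get(self.auth_type, "Reserved") if self.auth_present else "none"
        return (f"v{self.version} {STATE_NAMES[self.state]} diag={DIAG_NAMES.get(self.diag, 'Reserved')} "
                f"my={self.my_disc} your={self.your_disc} mult={self.detect_mult} "
                f"tx={self.desired_min_tx_us}us rx={self.required_min_rx_us}us auth={auth}")


def build_bfd_control(state, my_disc, your_disc, detect_mult=3, tx_us=1_000_000, rx_us=1_000_000,
                      echo_rx_us=0, diag=0, poll=False, final=False, demand=False,
                      auth: Optional[tuple] = None) -> bytes:
    """Serialise a control packet (used here to construct sample input).
    `auth` is (Auth Type, Auth Data) or None; Auth Len covers type + len + data."""
    auth_section = b""
    if auth is not None:
        auth_type, auth_data = auth
        auth_section = struct.pack("!BB", auth_type, 2 + len(auth_data)) + auth_data
    flags = (state << 6) | (poll << 5) | (final << 4) | ((auth is not None) << 2) | (demand << 1)
    header = struct.pack("!BBBBIIIII", (BFD_VERSION << 5) | diag, flags, detect_mult,
                         MANDATORY_LEN + len(auth_section), my_disc, your_disc, tx_us, rx_us, echo_rx_us)
    return header + auth_section


def parse_bfd_control(payload: bytes) -> BfdControl:
    """Decode a UDP payload and apply the checks a receiver makes before the
    packet may touch session state (RFC 5880 section 6.8.6 receive procedure)."""
    if len(payload) < MANDATORY_LEN:
        raise BfdParseError("shorter than the 24-byte mandatory section")
    b0, b1, mult, length, my_disc, your_disc, tx, rx, echo = struct.unpack("!BBBBIIIII", payload[:MANDATORY_LEN])
    pkt = BfdControl(version=b0 >> 5, diag=b0 & 0x1F, state=b1 >> 6,
                     poll=bool(b1 & 0x20), final=bool(b1 & 0x10), cpi=bool(b1 & 0x08),
                     auth_present=bool(b1 & 0x04), demand=bool(b1 & 0x02),
                     detect_mult=mult, length=length, my_disc=my_disc, your_disc=your_disc,
                     desired_min_tx_us=tx, required_min_rx_us=rx, required_min_echo_rx_us=echo)
    if pkt.version != BFD_VERSION:
        raise BfdParseError(f"unsupported version {pkt.version}")
    if length < (MANDATORY_LEN + 2 if pkt.auth_present else MANDATORY_LEN) or length > len(payload):
        raise BfdParseError(f"Length {length} inconsistent with {len(payload)}-byte payload")
    if mult == 0:
        raise BfdParseError("Detect Mult is zero")
    if my_disc == 0:
        raise BfdParseError("My Discriminator is zero")
    if your_disc == 0 and pkt.state not in (0, 1):   # 0 is only legal while the sender is Down/AdminDown
        raise BfdParseError("Your Discriminator 0 with state Init/Up")
    if pkt.auth_present:
        pkt.auth_type, pkt.auth_len = payload[MANDATORY_LEN], payload[MANDATORY_LEN + 1]
        if pkt.auth_len < 2 or MANDATORY_LEN + pkt.auth_len > length:
            raise BfdParseError("Auth Len inconsistent with Length")
        pkt.auth_data = payload[MANDATORY_LEN + 2:MANDATORY_LEN + pkt.auth_len]
    return pkt


def is_rejected(payload: bytes) -> bool:
    """True if the receive checks discard the packet."""
    try:
        parse_bfd_control(payload)
        return False
    except BfdParseError:
        return True


if __name__ == "__main__":
    # Constructed sample: the first packet of a dynamic session (Down, Your Discriminator 0).
    print(parse_bfd_control(build_bfd_control(state=1, my_disc=8192, your_disc=0)).summary())
```

The discard rules matter operationally: a packet with a zero My Discriminator, a zero Your Discriminator in the Init or Up state, or a Length that does not match the A bit is dropped before it can move the session, which is why a misconfigured or corrupted peer cannot flap a session simply by sending malformed control packets.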
Detection Mode
BFD supports the following detection modes:
l Asynchronous mode
In this mode, the two systems periodically send BFD control packets to each other at the
negotiated packet sending/receiving interval. If one system does not receive any BFD control
packet from the other system within the detection time, the BFD session is considered Down.
The asynchronous mode is the most frequently used BFD mode.
l Demand mode
In this mode, once a BFD session is established, the system does not periodically send BFD
control packets. Instead, other detection mechanisms (such as the Hello mechanism of routing
protocols or a hardware detection mechanism) are used to reduce the overhead of BFD sessions.
In demand mode, the system runs a timer. When the timer expires, the system sends a short
sequence of query packets to check the link. If the system does not receive a reply, the
session is considered Down.
The echo function supplements both modes. When the echo function is enabled, the local system
sends BFD echo packets and the remote system loops them back through its forwarding channel.
If several consecutive echo packets are not received, the BFD session is considered Down. The
echo function can work with either the asynchronous mode or the demand mode.
Currently, the system supports only the passive echo function for one-hop sessions in
asynchronous mode. If devices supporting the echo function are present on the network,
configure the BFD passive echo function on the device for compatibility with them. When the
device enters passive echo mode, the interval for transmitting BFD control packets is
increased. The devices on both ends of the BFD session send BFD echo packets (with both the
source and destination IP address set to the IP address of the local outbound interface),
which return to the local end through ICMP redirection. In this way, the link status is
checked.
Detection Time
The BFD detection time is determined by the following three values:
l Desired Min Tx Interval (DMTI): the minimum interval at which the local end wants to send
BFD control packets
l Required Min Rx Interval (RMRI): the minimum interval the local end requires between
received BFD control packets
l Detect Mult: the detection time multiplier, that is, the number of consecutive packets that
may be lost before the session is declared Down
After a system receives a BFD control packet from the peer end, it compares the RMRI carried
in the packet with its local DMTI and uses the larger value as its interval for sending BFD
control packets. That is, the slower system determines the transmission rate of BFD control
packets.
The value of Detect Mult is not negotiated; each end configures it independently.
The detection time in asynchronous mode equals the Detect Mult received from the peer end
times the larger of the local RMRI and the received DMTI.
The detection time in demand mode equals the local Detect Mult times the larger of the local
DMTI and the received RMRI.
For example, the local RMRI is 400 milliseconds, the local DMTI is 300 milliseconds, the
received DMTI is 300 milliseconds, the received RMRI is 400 milliseconds, the received Detect
Mult is 4, and the local Detect Mult is 5.
The detection time in asynchronous mode = 4 x maximum (400 milliseconds, 300 milliseconds)
= 1600 milliseconds. The detection time in demand mode = 5 x maximum (300 milliseconds,
400 milliseconds) = 2000 milliseconds.
The values of DMTI, RMRI, and Detect Mult can be configured independently. Therefore, the
two systems may differ in the transmission rate of BFD control packets.
You are advised to configure the same value on both ends for hardware using the same
transmission medium.
l DMTI change
1. The local end immediately sends a BFD control packet (carrying the new DMTI) with the P
bit set to 1 in the transmission interval.
2. The local end recalculates the transmission interval and compares it with the current one.
If the transmission interval needs to be changed to a smaller value, the following occurs:
– The local end immediately restarts the sending timer and sends BFD control packets with
the P bit set to 1 at the new transmission interval.
– After receiving a BFD control packet with the P bit set to 1, the peer end replies with a
BFD control packet with the F bit set to 1. The peer end recalculates the detection time,
restarts the detection timer immediately, and detects the link based on the new detection
time.
– After receiving the BFD control packet with the F bit set to 1 from the peer end, the local
end stops sending BFD control packets with the P bit set to 1.
If the transmission interval needs to be changed to a larger value, the following occurs:
– The local end sends BFD control packets (carrying the new DMTI) with the P bit set to 1 at
the current transmission interval.
– After receiving a BFD control packet with the P bit set to 1, the peer end replies with a
BFD control packet with the F bit set to 1. The peer end recalculates the detection time,
restarts the detection timer immediately, and detects the link based on the new detection
time.
– After receiving the BFD control packet with the F bit set to 1 from the peer end, the local
end stops sending BFD control packets with the P bit set to 1, restarts the sending timer,
and sends BFD control packets at the new transmission interval.
If the recalculated transmission interval equals the current transmission interval, the local
end does not change the transmission interval.
l RMRI change
1. The local end immediately sends a BFD control packet (carrying the new RMRI) with the P
bit set to 1 in the transmission interval.
2. The local end recalculates the detection time and compares it with the current one.
If the detection time becomes larger, the following occurs:
– The local end restarts the detection timer and detects the link based on the new detection
time. The local end continues sending BFD control packets (carrying the new RMRI) with the
P bit set to 1.
– After receiving a BFD control packet with the P bit set to 1, the peer end immediately
replies with a BFD control packet with the F bit set to 1, recalculates the transmission
interval, and restarts the sending timer.
– After receiving the BFD control packet with the F bit set to 1 from the peer end, the local
end stops sending BFD control packets with the P bit set to 1.
If the detection time becomes smaller, the following occurs:
– The local end sends BFD control packets (carrying the new RMRI) with the P bit set to 1 at
the current transmission interval.
– After receiving a BFD control packet with the P bit set to 1, the peer end immediately
replies with a BFD control packet with the F bit set to 1, recalculates the transmission
interval, and restarts the sending timer.
– After receiving the BFD control packet with the F bit set to 1 from the peer end, the local
end stops sending BFD control packets with the P bit set to 1, updates the detection time,
and restarts the detection timer.
If the recalculated detection time equals the current detection time, the local end does not
change the detection time.
l Detect Mult change
1. The local end immediately sends a BFD control packet (carrying the new detection time
multiplier) with the P bit set to 1 in the transmission interval. The new detection time
multiplier is carried in every packet from then on.
2. After receiving the BFD control packet, the peer end recalculates the detection time and
detects the link based on the new detection time.
The system distinguishes static and dynamic BFD sessions by the range of the discriminator.
The value of My Discriminator ranges from 1 to 8191 for a static BFD session and from 8192
to 16,383 for a dynamic BFD session.
– Self-learning Your Discriminator
Upon receiving the BFD control packet with the value of Your Discriminator as 0, the
system on one end of the BFD session determines whether the packet matches the local
[Diagram: BFD session establishment between Router_A and Router_B; both ends go Init -> Up
and then send Sta: Up]
1. After receiving the message from the upper-layer protocol, the BFD modules on Router_A and
Router_B send BFD control packets with the state Down. In a static BFD session with a
manually specified discriminator, the value of Your Discriminator in the packet is the
specified value. In a static BFD session with a negotiated discriminator, the value of Your
Discriminator in the packet is negotiated by both parties. In dynamic BFD session
establishment, the value of Your Discriminator is 0.
2. After receiving a BFD control packet with the state Down, Router_B switches its session
state to Init and sends a BFD control packet with the state Init. Router_A behaves in the same
way.
3. After receiving a BFD control packet with the state Init, Router_B switches its session
state to Up and sends a BFD control packet with the state Up. Router_A behaves in the same way.
4. When the session states on Router_A and Router_B are both Up, the session is established
and begins to detect the link.
After the state switches from Down to Init, a timeout timer is started on Router_A and
Router_B respectively. If a router does not receive a BFD control packet with the state Init
or Up before the timer expires, its local BFD session state automatically switches back to
Down.
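To make the handshake in the steps above concrete, here is an added Python model of one end of a BFD session (example code written for this page, not Huawei's implementation). It follows the transitions in steps 1 to 4 and the timeout rule after them, using the state transitions of RFC 5880, and the static/dynamic discriminator ranges are the ones the text gives. It also shows Your Discriminator self-learning for a dynamic session (first packet carries 0) and what happens when the discriminators of a static session do not match. Router names, discriminator values and the establish() driver are constructed for the example.

```python
ADMIN_DOWN, DOWN, INIT, UP = 0, 1, 2, 3
STATE_NAMES = {ADMIN_DOWN: "AdminDown", DOWN: "Down", INIT: "Init", UP: "Up"}
DIAG_NONE, DIAG_DETECT_EXPIRED, DIAG_NEIGHBOR_DOWN = 0, 1, 3

STATIC_DISCRIMINATORS = range(1, 8192)        # 1..8191, as stated above
DYNAMIC_DISCRIMINATORS = range(8192, 16384)   # 8192..16383


def session_kind(my_disc: int) -> str:
    """Classify a session by its My Discriminator range."""
    if my_disc in STATIC_DISCRIMINATORS:
        return "static"
    if my_disc in DYNAMIC_DISCRIMINATORS:
        return "dynamic"
    raise ValueError(f"My Discriminator {my_disc} is outside both ranges")


class BfdSession:
    """One end of a BFD session: tracks state and learns the peer discriminator."""

    def __init__(self, name: str, my_disc: int, your_disc: int = 0):
        self.name = name
        self.my_disc = my_disc
        self.your_disc = your_disc   # 0 = not yet known (dynamic session)
        self.state = DOWN
        self.diag = DIAG_NONE
        self.log = []                # human-readable trace of transitions

    @property
    def state_name(self) -> str:
        return STATE_NAMES[self.state]

    def packet(self):
        """The (Sta, My Discriminator, Your Discriminator) this end would send now."""
        return (self.state, self.my_disc, self.your_disc)

    def _set(self, state, diag=DIAG_NONE, why=""):
        if state != self.state:
            self.log.append(f"{self.name}: {self.state_name} -> {STATE_NAMES[state]} ({why})")
        self.state, self.diag = state, diag

    def receive(self, state, my_disc, your_disc) -> bool:
        """Process a received control packet; return False if it was discarded."""
        # Demultiplex: a non-zero Your Discriminator must name this very session.
        if your_disc != 0 and your_disc != self.my_disc:
            return False
        # Self-learn the peer's My Discriminator once; afterwards it must match.
        if self.your_disc == 0:
            self.your_disc = my_disc
        elif my_disc != self.your_disc:
            return False
        if state == ADMIN_DOWN:
            if self.state != ADMIN_DOWN:
                self._set(DOWN, DIAG_NEIGHBOR_DOWN, "peer AdminDown")
        elif self.state == DOWN:
            if state == DOWN:
                self._set(INIT, why="received Down")        # step 2
            elif state == INIT:
                self._set(UP, why="received Init")          # step 3
        elif self.state == INIT:
            if state in (INIT, UP):
                self._set(UP, why=f"received {STATE_NAMES[state]}")
        elif self.state == UP and state == DOWN:
            self._set(DOWN, DIAG_NEIGHBOR_DOWN, "neighbor signaled Down")
        return True

    def detection_timeout(self):
        """No Init/Up packet arrived within the detection time: fall back to Down."""
        if self.state in (INIT, UP):
            self._set(DOWN, DIAG_DETECT_EXPIRED, "detection time expired")


def establish(a: BfdSession, b: BfdSession, rounds: int = 3):
    """Exchange one packet in each direction per round (both ends send before
    either processes) and return the (a, b) state names after every round."""
    history = []
    for _ in range(rounds):
        pkt_a, pkt_b = a.packet(), b.packet()
        b.receive(*pkt_a)
        a.receive(*pkt_b)
        history.append((a.state_name, b.state_name))
    return history


if __name__ == "__main__":
    # Constructed dynamic session: both ends start with Your Discriminator 0.
    router_a, router_b = BfdSession("Router_A", 8192), BfdSession("Router_B", 8193)
    for step in establish(router_a, router_b):
        print(step)
    print(*router_a.log, *router_b.log, sep="\n")
```

Running the driver prints (Init, Init), then (Up, Up), which is exactly the Down -> Init -> Up sequence in steps 1 to 4. The mismatched-discriminator case is worth keeping in mind when a static session stays Down: each side silently discards the other's packets, so no state change is ever logged.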
Prerequisites
Before you configure a static BFD session, complete the following tasks:
l Correctly connect interfaces and set IP addresses.
l Configure routing protocols so that the network layer is reachable.
Context
One-hop detection and multi-hop detection of static BFD sessions are described as follows:
l One-hop detection detects the connectivity of the IP link between two directly connected
systems. One hop means one IP hop.
Only one BFD session exists on the specified interface between two systems using BFD one-hop
detection.
l Multi-hop detection detects any path between two systems. The path may cover multiple hops
and may even overlap with other paths in part.
To rapidly detect and monitor direct links (or links connected through a Layer-2 switch), you
can configure either BFD one-hop detection or multi-hop detection; one-hop detection is
recommended.
If the peer IP address is on a different network segment from the IP address of the local
outbound interface, you can configure only multi-hop detection to rapidly detect and monitor
the connectivity of IP links. By creating BFD sessions on both ends of a multi-hop path, you
can detect faults on the path rapidly.
To detect the physical link status using BFD, static BFD sessions can be configured in the
following ways:
l Specifying the peer IP address
If the peer IP address is known, bind the BFD session to this IP address and send BFD
control packets to the IP address.
l Using the default IP address
If the peer IP address cannot be specified (in some cases, the peer end does not have an IP
address), bind the BFD session to a multicast address and send BFD control packets to the
multicast address. The multicast address can be adjusted as required. For details, see 6.5.5.2
Configuring the Default Multicast Address for One-hop BFD.
Creating a BFD session through the default IP address is valid only for one-hop detection.
NOTE
When multiple protocols are bound to one static BFD session, the change of the session status affects all
related protocols.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bfd
The global BFD function is enabled and the BFD global view is displayed.
You can configure the BFD only after the global BFD function is enabled.
Step 3 Run:
quit
Step 4 Select a configuration method according to the status of the interfaces on both ends of
the static BFD session.
l For the Layer-3 interfaces with IP addresses:
Run:
bfd cfg-name bind peer-ip peer-ip [ vpn-instance vpn-instance-name ] [ interface interface-type interface-number [ nexthop { nexthop-address | dhcp } ] ] [ source-ip source-ip ]
because URPF checks the source IP addresses of received packets. In so doing, BFD
control packets are prevented from being incorrectly discarded.
– If both interface and source-ip are specified, the source IP address must be the same
as the IP address of the interface.
l For Layer-2 interfaces and the Layer-3 interfaces without IP addresses:
Run:
bfd cfg-name bind peer-ip default-ip interface interface-type interface-number [ source-ip source-ip ]
l The local discriminator must correspond to the remote discriminator on both ends of a BFD session.
Otherwise, the session cannot be established.
l For a BFD session bound to the default multicast address, the local discriminator cannot be the same
as the remote one.
l The local and remote discriminators cannot be changed once they are created.
Step 6 Run:
commit
NOTE
After all necessary parameters (such as the local and remote discriminators) are specified, you must run
the commit command to successfully create a BFD session.
----End
Example
# Create static BFD session test on NGFW_A, set the peer IP address to 30.1.1.1, set the
outbound interface and next hop respectively to GigabitEthernet 1/0/1 and 1.1.1.1, and set the
local discriminator to 10 and remote one to 20.
<NGFW_A> system-view
[NGFW_A] bfd
[NGFW_A-bfd] quit
[NGFW_A] bfd test bind peer-ip 30.1.1.1 interface GigabitEthernet 1/0/1 nexthop 1.1.1.1
[NGFW_A-bfd-session-test] discriminator local 10
[NGFW_A-bfd-session-test] discriminator remote 20
[NGFW_A-bfd-session-test] commit
# Create static BFD session test on NGFW_B, set the peer IP address to 1.1.1.2, and set the local
discriminator to 20 and remote one to 10.
<NGFW_B> system-view
[NGFW_B] bfd
[NGFW_B-bfd] quit
[NGFW_B] bfd test bind peer-ip 1.1.1.2
[NGFW_B-bfd-session-test] discriminator local 20
[NGFW_B-bfd-session-test] discriminator remote 10
[NGFW_B-bfd-session-test] commit
Follow-up Procedure
l Run the display bfd configuration command to display the configuration of the static BFD
session. The following uses the information displayed on NGFW_A as an example.
<NGFW_A> display bfd configuration static verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : test
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 30.1.1.1
Bind Interface : GigabitEthernet1/0/1
TOS-EXP : 6 Local Detect Multi : 3
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
WTR Interval (ms) : -- Process PST : Disable
Proc interface status : Disable
Local Demand Mode : Disable
Bind Application : No Application Bind
Session Description : --
--------------------------------------------------------------------------------
The output shows the local and remote discriminators, the interface bound to the session, and
the peer IP address configured on NGFW_A, which indicates that the session configuration has
been committed.
l Run the display bfd session command to display information about the static BFD session.
The following uses the information displayed on NGFW_A as an example.
<NGFW_A> display bfd session static
--------------------------------------------------------------------------------
Local Remote Peer IP Address Interface Name State Type
--------------------------------------------------------------------------------
10 20 30.1.1.1 GigabitEthernet1/0/1 Up Static
--------------------------------------------------------------------------------
If the output shows the BFD session in the Up state, the BFD session between the two devices
has been established. If it shows the Down state, session establishment failed.
Context
The detection parameters of a BFD session include the BFD control packet sending interval,
receiving interval, and local detection multiplier. After detection parameters are changed, the
actual parameters on the local and peer devices are derived from the configured ones as
follows:
l Actual BFD control packet sending interval on the local end = maximum (configured local
sending interval, configured peer receiving interval)
l Actual BFD control packet receiving interval on the local end = maximum (configured peer
sending interval, configured local receiving interval)
l In asynchronous mode, actual BFD detection interval on the local end = actual local
receiving interval x configured peer detection multiplier
l In demand mode, actual BFD detection interval on the local end = actual local sending
interval x configured local detection multiplier
NOTE
When the network quality is poor or the network is overloaded, increase the BFD detection interval as required.
A larger BFD detection interval is required when a low-speed interface (such as a virtual template, dialer, or
tunnel interface), an IPSec or L2TP tunnel, or QoS traffic limiting is used.
For example:
l The configured local sending interval is 300 ms, the receiving interval is 300 ms, and the
detection multiplier is 4.
l The configured peer sending interval is 400 ms, the receiving interval is 600 ms, and the
detection multiplier is 5.
Then,
l The actual sending interval on the local end is the larger of 300 ms and 600 ms, namely
600 ms. The actual receiving interval is the larger of 400 ms and 300 ms, namely 400 ms. The
actual detection interval in asynchronous mode is 2000 ms (400 ms x 5), and in demand mode
2400 ms (600 ms x 4).
l The actual sending interval on the peer end is the larger of 400 ms and 300 ms, namely
400 ms. The actual receiving interval is the larger of 300 ms and 600 ms, namely 600 ms. The
actual detection interval in asynchronous mode is 2400 ms (600 ms x 4), and in demand mode
2000 ms (400 ms x 5).
NOTE
When a BFD session goes Down, the system automatically changes the local sending interval and receiving interval to random values between 2,000 ms and 3,000 ms. When the BFD session comes Up again, the system restores the configured intervals. This limits the system resources consumed by a Down session.
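The four mapping rules and the worked numbers above, carried out in code, together with the Down-state back-off from the note. This is an added Python example, not code from the Huawei document; the class and function names are the example's own.

```python
"""Effective BFD timers after negotiation, following the rules on this page.

Added illustration; the class and function names are this example's own,
not Huawei CLI or API names.
"""
import random
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class BfdConfig:
    """Parameters configured on one end (bfd cfg-name view), in milliseconds."""
    min_tx_interval: int     # min-tx-interval
    min_rx_interval: int     # min-rx-interval
    detect_multiplier: int   # detect-multiplier


@dataclass(frozen=True)
class BfdEffective:
    """Values actually in force on one end once both configurations are known."""
    tx_interval: int          # actual control packet sending interval
    rx_interval: int          # actual control packet receiving interval
    async_detect_time: int    # detection time in asynchronous mode
    demand_detect_time: int   # detection time in demand mode


def negotiate(local: BfdConfig, peer: BfdConfig) -> BfdEffective:
    """Apply the four mapping rules from the local end's point of view."""
    # A sender never transmits faster than the receiver is willing to accept,
    # so each direction settles on the slower of the two configured values.
    tx = max(local.min_tx_interval, peer.min_rx_interval)
    rx = max(peer.min_tx_interval, local.min_rx_interval)
    # Asynchronous mode: the peer's multiplier says how many of *its* packets
    # we may miss; demand mode: our own multiplier bounds our own queries.
    async_detect = rx * peer.detect_multiplier
    demand_detect = tx * local.detect_multiplier
    return BfdEffective(tx, rx, async_detect, demand_detect)


def views_are_mirrored(a: BfdConfig, b: BfdConfig) -> bool:
    """Consistency check: what A sends is what B receives (and vice versa),
    and A's asynchronous detection time equals B's demand detection time.
    Handy when comparing 'display bfd session' output taken on both devices."""
    ea, eb = negotiate(a, b), negotiate(b, a)
    return (ea.tx_interval == eb.rx_interval
            and ea.rx_interval == eb.tx_interval
            and ea.async_detect_time == eb.demand_detect_time
            and ea.demand_detect_time == eb.async_detect_time)


def down_state_intervals(rng: Optional[random.Random] = None) -> Tuple[int, int]:
    """Intervals used while the session is Down: the device backs off to random
    values between 2000 and 3000 ms so an unreachable peer does not keep the
    fast timers consuming resources; the configured values return once Up.
    Returns (tx_interval, rx_interval)."""
    rng = rng or random.Random()
    return rng.randint(2000, 3000), rng.randint(2000, 3000)


if __name__ == "__main__":
    # The worked example from the page: local 300/300 x4, peer 400/600 x5.
    local_cfg = BfdConfig(300, 300, 4)
    peer_cfg = BfdConfig(400, 600, 5)
    print("local view:", negotiate(local_cfg, peer_cfg))
    print("peer view: ", negotiate(peer_cfg, local_cfg))
    print("mirrored:  ", views_are_mirrored(local_cfg, peer_cfg))
```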
Procedure
Step 1 Run:
system-view
Step 2 Run:
bfd cfg-name
To change session parameters (by using the process-pst, min-tx-interval, min-rx-interval, detect-multiplier, tos-exp, wtr, or description command) after a BFD session is created, you must run the commit command; only then do the changed configurations take effect.
----End
Follow-up Procedure
l Run the display bfd configuration command to display the detection parameters of the
static BFD session.
<sysname> display bfd configuration static name test verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : test
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 30.1.1.1
Bind Interface : GigabitEthernet1/0/1
TOS-EXP : 6 Local Detect Multi : 3
Min Tx Interval (ms) : 400 Min Rx Interval (ms) : 400
WTR Interval (ms) : -- Process PST : Disable
Proc interface status : Disable
Local Demand Mode : Disable
Bind Application : No Application Bind
Session Description : --
--------------------------------------------------------------------------------
l Run the display bfd session command to display the specified detection parameters of the
static BFD session and the actual detection parameters after session negotiation.
Context
This function is used when BFD interworks with static routes and the local device needs to communicate with a peer device that uses a dynamic BFD session.
Local and remote discriminators cannot be configured on the device when you configure auto-negotiation of static discriminators.
The configuration difference between the static auto-negotiated BFD session and the static BFD
session lies in:
l After you create the static auto-negotiation configuration by running the bfd bind peer-ip
source-ip auto command, the BFD session can be established without the commit
command executed.
l After the parameters (such as the BFD control packet sending interval, receiving interval,
and local detection multiple) of the static auto-negotiated BFD session are changed, they
take effect without the commit command executed.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bfd
The global BFD function is enabled and the BFD global view is displayed.
Step 3 Run:
quit
Step 4 Run:
bfd cfg-name bind peer-ip peer-ip [ vpn-instance vpn-instance-name ] [ interface
interface-type interface-number] source-ip source-ip auto
----End
Follow-up Procedure
l Run the display bfd configuration command to display the configuration information
about the static auto-negotiated BFD session.
<sysname> display bfd configuration static-auto verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : single
--------------------------------------------------------------------------------
Local Discriminator : 8193 Remote Discriminator : 8192
BFD Bind Type : Peer Ip Address
Bind Session Type : S_Auto
Bind Peer Ip Address : 10.0.0.2
Bind Interface : --
Bind Source Ip Address : 10.0.0.1
TOS-EXP : 6 Local Detect Multi : 3
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
WTR Interval (ms) : -- Process PST : Disable
Proc interface status : Disable
Local Demand Mode : Disable
Bind Application : No Application Bind
Session Description : --
--------------------------------------------------------------------------------
l Run the display bfd session command to display the information about the static auto-
negotiated BFD session.
<sysname> display bfd session static-auto verbose
--------------------------------------------------------------------------------
Session MIndex : 16385 State : Up Name : single
--------------------------------------------------------------------------------
Local Discriminator : 8193 Remote Discriminator : 8192
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Peer Ip Address
Bind Session Type : S_Auto
Bind Peer IP Address : 10.0.0.2
Bind Interface : --
Bind Source IP Address : 10.0.0.1
FSM Board Id : 2 TOS-EXP : 7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1150 Actual Rx Interval (ms): 1150
Local Detect Multi : 3 Detect Interval (ms) : 30
Echo Passive : Disable Acl Number : -
WTR Interval (ms) : - Process PST : Disable
Proc Interface Status : Disable
Local Demand Mode : Disable
Last Local Diagnostic : No Diagnostic
Bind Application : AUTO
Session TX TmrID : - Session Detect TmrID : -
Session Init TmrID : - Session WTR TmrID : -
PDT Index : FSM-3010000 | RCV-0 | IF-3010000 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------
A BFD session of the S_Auto type is established. The local and remote discriminators are
8193 and 8192 respectively, which are obtained through auto-negotiation.
Context
After a BFD session is established, two detection modes are available:
l Asynchronous mode
In asynchronous mode, both systems send BFD control packets at the negotiated interval. If a system does not receive a BFD control packet from the peer within the detection interval, it considers the BFD session Down. Asynchronous mode is the most commonly used mode.
l Demand mode
In demand mode, once a BFD session is established, the systems do not send BFD control packets periodically. Instead, other detection mechanisms (such as the slow Hello mechanism of routing protocols or a hardware detection mechanism) are relied on, which reduces the overhead of BFD sessions. In demand mode, the system runs a query timer. When the query timer expires, the system sends a short sequence of query packets to check the link. If no reply packet is received, the session is considered Down.
Both ends must work in the same mode: a BFD session can run in demand mode only after demand mode is configured on both ends.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bfd cfg-name
Step 3 Run:
demand
The detection mode for BFD sessions is set to the demand mode.
The scheduled demand in demand mode is enabled, and the demand interval is specified.
After timer time-value is configured, the device sends query packets at the interval specified by
time-value.
----End
Follow-up Procedure
Run the display bfd configuration command to check whether the demand mode is enabled for
static BFD sessions, and display the interval of scheduled demand.
<sysname> display bfd configuration static name test verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : test
--------------------------------------------------------------------------------
Local Discriminator : 20 Remote Discriminator : 30
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 30.1.1.1
Bind Interface : GigabitEthernet1/0/1
TOS-EXP : 6 Local Detect Multi : 3
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
WTR Interval (ms) : -- Process PST : Disable
Proc interface status : Disable
Local Demand Mode : Enable Demand Tx Interval (ms): 600
Bind Application : No Application Bind
Session Desciption : Router_A
--------------------------------------------------------------------------------
Context
NOTE
The description command is valid only for statically configured BFD sessions, but invalid for the
dynamically configured BFD sessions and the auto-negotiated BFD sessions with static discriminators.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bfd cfg-name
Step 3 Run:
description description
Step 4 Run:
commit
NOTE
To change session parameters (by using the process-pst, min-tx-interval, min-rx-interval, detect-multiplier, tos-exp, wtr, or description command) after a BFD session is created, you must run the commit command; only then do the changed configurations take effect.
----End
Follow-up Procedure
Run the display bfd configuration command to display the description of the static BFD session.
<sysname> display bfd configuration static name test verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : test
--------------------------------------------------------------------------------
Local Discriminator : 20 Remote Discriminator : 30
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 30.1.1.1
Bind Interface : GigabitEthernet1/0/1
TOS-EXP : 6 Local Detect Multi : 3
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
WTR Interval (ms) : -- Process PST : Disable
Proc interface status : Disable
Local Demand Mode : Disable
Bind Application : No Application Bind
Session Desciption : Router_A
--------------------------------------------------------------------------------
Procedure
Step 1 Run:
system-view
NOTE
To change session parameters (by using the process-pst, min-tx-interval, min-rx-interval, detect-multiplier, tos-exp, wtr, or description command) after a BFD session is created, you must run the commit command; only then do the changed configurations take effect.
----End
Follow-up Procedure
Run the display bfd configuration command to display the packet priority for the static BFD
session.
<sysname> display bfd configuration static name test verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : test
--------------------------------------------------------------------------------
Local Discriminator : 20 Remote Discriminator : 30
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 30.1.1.1
Bind Interface : GigabitEthernet1/0/1
TOS-EXP : 6 Local Detect Multi : 3
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
WTR Interval (ms) : -- Process PST : Disable
Proc interface status : Disable
Local Demand Mode : Enable Demand Tx Interval (ms): 600
Bind Application : No Application Bind
Context
If a BFD session flaps, BFD-related applications are switched between the active and standby devices frequently. To avoid this, you can configure a WTR (wait to restore) time for the BFD session. When the BFD session changes from Down to Up, BFD notifies upper-layer applications of the status change only after the WTR time has elapsed.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bfd cfg-name
Step 3 Run:
wtr wtr-value
By default, the time of waiting for recovery of the BFD session is 0, indicating no waiting.
NOTE
A BFD session is bidirectional: detection is performed independently by the BFD sessions set up on each end. If WTR is needed, configure it manually on both ends. Otherwise, when the session status changes on one end, the applications on the two ends may see inconsistent BFD session states.
Step 4 Run:
commit
NOTE
To change session parameters (by using the process-pst, min-tx-interval, min-rx-interval, detect-multiplier, tos-exp, wtr, or description command) after a BFD session is created, you must run the commit command; only then do the changed configurations take effect.
----End
Follow-up Procedure
Run the display bfd configuration command to display the WTR time for the static BFD
session.
Context
In real networks, some devices switch traffic based on the BFD session status. However, the routing protocol comes Up later than the interface does. As a result, when traffic is switched back it may find no route and is lost. If you delay the Up state change of the BFD session, the session becomes Up only a configured period after the fault is rectified, which compensates for the routing protocol coming Up later than the interface.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bfd
The global BFD function is enabled and the BFD global view is displayed.
Step 3 Run:
delay-up seconds
By default, the Up state change delay of the BFD session is 0 second. That is, the Up state change
of the BFD session is not delayed.
----End
Follow-up Procedure
Run the display bfd statistics command to display BFD global statistics.
<sysname> display bfd statistics
Current Display Board Number:Main;Current Product Register Type:
Current Session Number :
Static session : 256 Dynamic session : 0
S-Auto session : 0 IP session : 256
--------------------------------------------------------------------------------
PAF/LCS Name Maxnum Minnum Final Actual Create
--------------------------------------------------------------------------------
BFD_CFG_NUM 256 1 256 0 256
BFD_IF_NUM 256 1 256 0 0
BFD_SESSION_NUM 256 1 256 0 256
BFD_IO_SESSION_NUM 256 1 256 0 0
--------------------------------------------------------------------------------
IO Board Current Created Session Statistics Information :
--------------------------------------------------------------------------------
256
--------------------------------------------------------------------------------
Current Total Used Discriminator Num : 256
--------------------------------------------------------------------------------
BFD HA Information :
--------------------------------------------------------------------------------
Core Current HA Status : Slave Not Ready
Shell Current HA Status : Slave Not Ready
--------------------------------------------------------------------------------
BFD Timer Information :
--------------------------------------------------------------------------------
Period Refresh Session Timer ID/Position : 1026/0
System Session Delay Up Timer : OFF
The System Session Delay Up Timer field in the output indicates the status of the timer that delays the session from becoming Up. OFF indicates that the system is running normally. Xs indicates that the BFD session becomes Up X seconds after the system recovers.
Context
When you perform one-hop BFD on the Layer-3 physical interfaces without IP addresses or
Layer-2 interfaces, use the default multicast IP address.
By default, the default multicast IP address for BFD is 224.0.0.184.
The default multicast IP address must be changed in the following situations:
l Other protocols on the network use this multicast IP address.
l If there are overlapping BFD sessions on the BFD path, for example, when Layer-3 interfaces are connected through BFD-enabled Layer-2 switching devices, the devices on which the different BFD sessions reside must be configured with different default multicast IP addresses. This prevents BFD packets from being forwarded incorrectly.
l If the Layer-2 interfaces of the two devices are connected through a Layer-2 switch that
provides the BFD function, and multicast IP addresses are used to set up BFD sessions,
when the global BFD function is enabled on the switch, run the default-ip-address
command to configure different default multicast IP addresses for the two devices and
switch. Otherwise, the switch cannot forward the BFD multicast packets, resulting in BFD
session interruption.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bfd
The global BFD function is enabled and the BFD global view is displayed.
----End
Prerequisites
Before enabling the passive echo function, you can configure the ACL if required.
NOTE
BFD echo packets loop back through ICMP redirection on the peer end. In an IP packet encapsulating the
BFD echo packet, the destination address and source address are both the IP address of the local outbound
interface. Therefore, the ACL rule must allow the source IP addresses of both the local end and peer end.
Context
When there are echo-supported devices on the network, you need to configure the BFD passive
echo function for compatibility with other devices.
Procedure
Step 1 Run:
system-view
Step 2 Run:
bfd
The global BFD function is enabled and the BFD global view is displayed.
Step 3 Run:
echo-passive { all | acl basic-acl-number }
l If you configure all, the passive echo function of all BFD sessions is enabled.
l If you configure acl basic-acl-number, the passive echo function of BFD sessions is
determined by the ACL rule. That is, the passive function of only ACL-compliant BFD
sessions is enabled.
----End
Prerequisites
Before you configure BFD-OSPF interworking, complete the following tasks on devices at both
ends:
Context
NOTE
You can select one of the following modes to configure BFD-OSPF interworking:
Procedure
Step 1 Run:
system-view
Step 2 Run:
bfd
The global BFD function is enabled and the BFD global view is displayed.
Step 3 Run:
quit
BFD is enabled in the OSPF process and the BFD session is established.
After BFD is enabled in the OSPF process, BFD sessions are created on all interfaces
whose neighbor status is Full in the process.
3. (Optional) Run:
bfd all-interfaces { detect-multiplier multiplier-value | min-rx-interval
receive-interval | min-tx-interval transmit-interval } *
The BFD session is prohibited from being dynamically created on the interface.
After BFD is enabled on all interfaces in the OSPF process, you can run this command
on certain interfaces to reduce monitored links. This improves performance.
l Enables BFD on the interface.
1. Run:
ospf bfd enable
Parameters for the BFD session on the OSPF-enabled interface are specified.
– By default, the local detection multiple is 3, the minimum receiving interval is
1000 ms, and the minimum sending interval is 1000 ms.
– Because the priority of BFD on the interface is higher than that of BFD in the OSPF
process, the parameters of the BFD session on the interface enjoy higher priorities
than those of the BFD session in the OSPF process.
----End
Example
# Enable BFD for OSPF process 100. Assume that OSPF runs between devices at both ends and
the neighbor status is Full. The following takes what is configured on the device at one end as
an example.
<sysname> system-view
[sysname] ospf 100
[sysname-ospf-100] bfd all-interfaces enable
Follow-up Procedure
# Run the display ospf bfd session command on one device to display the information about
the BFD session in the OSPF process.
<sysname> display ospf bfd session all
NeighborId:172.16.1.2 AreaId:0.0.0.0
Interface:GigabitEthernet1/0/1
BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8192 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.1.2 Diagnostic Info:Init
BFDState is Up, indicating that the status of the BFD session in the OSPF process is Up. In this
case, BFD starts monitoring the link status of OSPF.
Prerequisites
Before you configure the interworking between BFD and static routes, perform the following
on devices at both ends:
Procedure
Step 1 Run:
system-view
Step 2 Run:
ip route-static [ vpn-instance vpn-instance-name ] ip-address { mask | mask-
length } { nexthop-address | interface-type interface-number [ nexthop-address ] |
vpn-instance vpn-instance-name nexthop-address } [ preference preference ] track
bfd-session cfg-name [ description description ]
l Before you configure the interworking, make sure that the destination IP address and next-
hop IP address (or outbound interface) are the same as those of the static route. Generally,
configure the static route, and then bind it to the BFD session.
l cfg-name specifies the BFD session, where the link to be monitored is specified.
----End
Example
# The device has a default static route, whose destination IP address is 10.1.1.1. Configure the interworking between the static route and BFD to monitor the link. (Assume that the static route and the static BFD session bfd_a are already configured.)
<sysname> system-view
[sysname] ip route-static 0.0.0.0 0 10.1.1.1 track bfd-session bfd_a
Follow-up Procedure
l Run the display ip routing-table command to display the IP routing table. When the link
is faulty, the static route entry does not exist in the routing table. After the fault is rectified,
the static route entry is available in the routing table.
l Run the display bfd session command to display the information about the BFD session.
Prerequisites
For details on how to manually configure the static BFD session, see 6.5.4 Manually
Configuring a Static BFD Session.
Context
BFD-FRR interworking is configured as follows:
l Configure FRR to form the standby link.
l Configure BFD to detect the status of active and standby links.
Procedure
Step 1 Configure FRR. For details, see 10.1.3.4 Configuring FRR.
----End
Prerequisites
Before you configure BFD-DHCP interworking, complete the following tasks:
1. Configure the device as a DHCP client and enable it to obtain an IP address from the DHCP server. For details, see 8.4.5.3 Configuring a DHCP Client.
2. Manually configure static BFD sessions on the devices at both ends. For details, see 6.5.4 Manually Configuring a Static BFD Session.
The neighbor relationship can be negotiated only if local and remote discriminators are specified for the static BFD sessions (auto-negotiated static sessions are excluded).
When one end of the BFD session is the DHCP client, the next hop of the static BFD session must be specified as nexthop dhcp. That is, when the device acts as the DHCP client, the gateway address it obtained serves as the next-hop IP address for forwarding BFD packets.
On the peer of the DHCP client, specify the peer IP address of the static BFD session as the IP address of the DHCP client. If the IP address obtained by the DHCP client changes, you need to re-create the BFD session.
Context
In dual-uplink networking, if active/standby switchover between links is required, the active link must be assigned the higher-priority route. The smaller the preference value, the higher the priority. When the device acts as a DHCP client, the priority of the default route obtained from the DHCP server is 245. In dual-uplink networking, if the active link is in DHCP mode and the standby link is in another mode, the route priority value of the standby link must be larger than 245. With DHCP-BFD interworking, the system then disconnects the DHCP link as soon as it detects a fault on it, and traffic is switched to the standby link.
NOTE
To implement DHCP-BFD interworking, you need to only configure the device serving as the DHCP client.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
dhcp client enable track bfd-session local-discr-value
During DHCP-BFD interworking, the bound local-discr-value value is the local discriminator
of the monitored BFD session, not the BFD configuration name.
----End
Follow-up Procedure
Run the display bfd session command on the DHCP client to display the information about the
static BFD session that interworks with DHCP.
<sysname> display bfd session static verbose
--------------------------------------------------------------------------------
Session MIndex : 1024 State : Up Name : 1
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet 1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 10.1.1.1
Bind Interface : GigabitEthernet 1/0/1
FSM Board Id : 0 TOS-EXP : 6
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi : 3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number : -
WTR Interval (ms) : -- Process PST : Disable
Proc interface status : Disable
Active Multi : 3
Local Demand Mode : Disable
Last Local Diagnostic : Control Detection Time Expired
Bind Application : DHCP
Session TX TmrID : 4103 Session Detect TmrID : 4104
Session Init TmrID : -- Session WTR TmrID : --
PDT Index : FSM-0|RCV-0|IF-0|TOKEN-0
Session Description : --
--------------------------------------------------------------------------------
Prerequisites
Before you configure BFD-PBR interworking, complete the following tasks on devices at both
ends:
l Manually configuring the static BFD session. For details, see 6.5.4 Manually Configuring
a Static BFD Session.
The static BFD session can be of the one-hop or multi-hop type.
l Configuring the IP unicast PBR. For details, see 17 PBR.
Context
You need to configure the interworking function only on the device where the PBR function is
enabled.
When the interworking function is configured and the BFD session is deleted from the remote
device, the interworking function fails. In this case, the local device continues forwarding traffic
based on the PBR.
Procedure
Step 1 Run:
system-view
Step 2 Run:
policy-based-route
Step 3 Run:
rule name rule-name
Step 4 Run:
track bfd-session local-discr-value
NOTE
----End
Follow-up Procedure
Run the display bfd session command to display the information about the static BFD session
bound to the PBR.
<sysname> display bfd session static
--------------------------------------------------------------------------------
Local Remote Peer IP Address Interface Name State Type
--------------------------------------------------------------------------------
10 20 10.1.2.1 -- Up Static
If BFD sessions are in Down state, they fail to be created. If BFD sessions are in Up state, they
are created at both devices.
Prerequisites
Before you configure the interworking between BFD and Hot Standby, complete the following
tasks on devices at both ends:
l Manually configuring the static BFD session. For details, see 6.5.4 Manually Configuring
a Static BFD Session.
l Configuring the Hot Standby. For details, see 6.1 Hot Standby.
Procedure
Step 1 Run:
system-view
Step 2 Run:
You can configure the active management group or the standby management group to monitor the status of a BFD session.
On the active device, configure the Active management group to monitor BFD session status.
On the standby device, configure the Standby management group to monitor BFD session status.
----End
Follow-up Procedure
Run the display bfd session command to display the information about the static BFD session
bound to the VGMP groups.
<sysname> display bfd session static
--------------------------------------------------------------------------------
Local Remote Peer IP Address Interface Name State Type
--------------------------------------------------------------------------------
10 20 10.1.2.1 -- Up Static
--------------------------------------------------------------------------------
If BFD sessions are in Down state, they fail to be created. If BFD sessions are in Up state, they
are created at both devices.
NOTE
You can view the information about BFD session statistics and BFD sessions only after parameters for
BFD sessions are specified and BFD sessions are successfully created.
Action: Check the configuration of the BFD session.
Command: display bfd configuration { all | dynamic | peer-ip peer-ip [ vpn-instance vpn-instance-name ] | static [ name cfg-name ] | static-auto } [ verbose ]
Action: Check the information about the BFD session.
Command: display bfd session { all | discriminator local-discr-value | dynamic | peer-ip peer-ip [ vpn-instance vpn-instance-name ] | static | static-auto } [ verbose ]
Action: Check statistics on BFD sessions.
Command: display bfd statistics session { all | discriminator local-discr-value | dynamic | peer-ip peer-ip [ vpn-instance vpn-instance-name ] | static | static-auto }
Action: Check the information about the BFD session triggered by the OSPF neighbor.
Command: display ospf [ process-id ] bfd session interface-type interface-number [ router-id ]
Command: display ospf [ process-id ] bfd session { router-id | all }
NOTICE
BFD statistics cannot be restored after you clear them. Therefore, perform the operation with
caution.
Debugging BFD
When a BFD running fault occurs, you can run the debugging commands in the user view to debug BFD, view the debugging information, and locate and analyze the fault.
Before you enable debugging, run the terminal monitor and terminal debugging commands in the user view to enable terminal information display and debugging information display on the terminal.
Enabling debugging degrades system performance. After debugging is complete, run the undo debugging all command promptly to disable it.
Networking Requirements
As shown in Figure 6-61, NGFW_A carries the main services of an enterprise, and OSPF runs between NGFW_B and NGFW_C. The link from NGFW_A to NGFW_B is the active link, whereas the link from NGFW_A through NGFW_C to NGFW_B is the standby link. It is required that traffic be switched to the standby link immediately when the active link fails, and that it be switched back after the active link recovers.
Figure 6-61 (network diagram; only the legible labels are preserved here): NGFW_A (Loopback 0 172.16.1.1/32, GE1/0/3 192.168.1.1/24, GE1/0/1 10.1.1.1/24), NGFW_B (Loopback 0 172.16.1.2/32, GE1/0/1 10.1.1.2/24) and NGFW_C (Loopback 0 172.16.1.3/32), all in Area 0, with the BFD session running between NGFW_A and NGFW_B.
Configuration Roadmap
The configuration roadmap is as follows:
1. OSPF runs among NGFW_A, NGFW_B, and NGFW_C. The OSPF neighbor status is Full.
2. To monitor the active link, enable BFD for the OSPF process on each device.
3. To better switch traffic on the active link, enable BFD between NGFW_A and NGFW_B.
Procedure
Step 1 Configure NGFW_A.
# Enable BFD for interface GigabitEthernet 1/0/1. Set the minimum sending and receiving
interval to 500 ms, and the local detection multiple to 4.
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ospf bfd enable
[NGFW_A-GigabitEthernet1/0/1] ospf bfd min-tx-interval 500 min-rx-interval 500
detect-multiplier 4
[NGFW_A-GigabitEthernet1/0/1] quit
# Enable BFD for interface GigabitEthernet 1/0/1. Set the minimum sending and receiving
interval to 500 ms, and the local detection multiple to 4.
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ospf bfd enable
[NGFW_B-GigabitEthernet1/0/1] ospf bfd min-tx-interval 500 min-rx-interval 500
detect-multiplier 4
[NGFW_B-GigabitEthernet1/0/1] quit
----End
Configuration Verification
1. After configurations are complete, view the next-hop address of the external route in the
OSPF process on NGFW_B, to determine whether to use the active link.
# Run the display ospf routing command. You can view the next hop of 192.168.1.1 is
10.1.1.1. In this case, the active link is used.
<NGFW_B> display ospf routing
Routing for Network
Destination Cost Type NextHop AdvRouter Area
10.1.3.0/24 2 Transit 10.1.1.1 172.16.1.3 0.0.0.0
10.1.3.0/24 2 Transit 10.1.2.2 172.16.1.3 0.0.0.0
10.1.2.0/24 1 Transit 10.1.2.1 172.16.1.3 0.0.0.0
172.16.1.3/32 2 Stub 10.1.2.2 172.16.1.3 0.0.0.0
172.16.1.2/32 1 Stub 172.16.1.2 172.16.1.2 0.0.0.0
Total Nets: 8
Intra Area: 8 Inter Area: 0 ASE: 0 NSSA: 0
2. View the OSPF neighbor status on one device. The following uses the information
displayed on NGFW_A as an example.
# Run the display ospf peer command to view the OSPF neighbor status. You can view
that OSPF neighbor status is Full. Therefore, the BFD session is automatically established
after BFD for the OSPF process is enabled.
<NGFW_A> display ospf peer
Neighbors
Neighbors
# Run the display ospf bfd session all command. You can view that the status of the BFD
session is Up.
<NGFW_B> display ospf bfd session all
NeighborId:172.16.1.1 AreaId:0.0.0.0
Interface:GigabitEthernet1/0/1
BFDState:up rx :1000 tx :1000
NeighborId:172.16.1.3 AreaId:0.0.0.0
Interface:GigabitEthernet1/0/2
BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8193 LocalIpAdd:10.1.2.1
RemoteIpAdd:10.1.2.2 Diagnostic Info:Init
NeighborId:172.16.1.2 AreaId:0.0.0.0
Interface:GigabitEthernet1/0/1
BFDState:up rx :500 tx :500
Multiplier:4 BFD Local Dis:8192 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.1.2 Diagnostic Info:Init
NeighborId:172.16.1.3 AreaId:0.0.0.0
Interface:GigabitEthernet1/0/2
BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8193 LocalIpAdd:10.1.3.1
RemoteIpAdd:10.1.3.2 Diagnostic Info:Init
Routing for Network
Destination Cost Type NextHop AdvRouter Area
10.1.3.0/24 2 Transit 10.1.2.2 172.16.1.3 0.0.0.0
10.1.2.0/24 1 Transit 10.1.2.1 172.16.1.3 0.0.0.0
172.16.1.3/32 2 Stub 10.1.2.2 172.16.1.3 0.0.0.0
172.16.1.2/32 1 Stub 172.16.1.2 172.16.1.2 0.0.0.0
172.16.1.1/32 3 Stub 10.1.2.2 172.16.1.1 0.0.0.0
192.168.1.0/24 3 Stub 10.1.2.2 172.16.1.1 0.0.0.0
Total Nets: 6
Intra Area: 6 Inter Area: 0 ASE: 0 NSSA: 0
# Run the undo shutdown command on GigabitEthernet 1/0/1 of NGFW_A. The traffic
is switched to the active link. 1 shows the routing table.
Configuration Scripts
l Configuration scripts of NGFW_A
#
sysname NGFW_A
#
bfd
#
interface GigabitEthernet 1/0/1
ip address 10.1.1.1 255.255.255.0
ospf bfd enable
ospf bfd min-tx-interval 500 min-rx-interval 500 detect-multiplier 4
#
interface GigabitEthernet 1/0/2
ip address 10.1.3.1 255.255.255.0
#
interface GigabitEthernet 1/0/3
ip address 192.168.1.1 255.255.255.0
#
interface Loopback 0
ip address 172.16.1.1 255.255.255.255
#
ospf 100
bfd all-interfaces enable
area 0.0.0.0
network 172.16.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
ospf 100
bfd all-interfaces enable
area 0.0.0.0
network 172.16.1.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
return
6.5.8.2 Example for Configuring Interworking Between BFD and Static Routes
If two static routes with different priorities to the same destination are configured, active and
standby links can be automatically switched through the probing over the reachability of the
gateway.
Networking Requirements
As shown in Figure 6-62, a company accesses the Internet through dual links. Static routes are
configured respectively between NGFW_A and NGFW_B as well as between NGFW_A and
NGFW_C. NGFW_A->NGFW_B is the active link, and NGFW_A->NGFW_C is the standby
link. It is required that traffic can be immediately switched to the standby link when the active
link is faulty, and it can be also switched back after the active link is recovered.
Figure 6-62 Networking diagram of configuring the interworking between BFD and static routes
Configuration Roadmap
The roadmap is as follows:
1. Configure static routes to different destinations between NGFW_A and NGFW_B as well
as between NGFW_A and NGFW_C. Configure the priorities for the routes, distinguishing
the active and standby links.
2. To detect faults on the active link and switch traffic quickly, manually configure BFD
between NGFW_A and NGFW_B.
Procedure
Step 1 Configure NGFW_A.
# Configure a static route, and set the priority of the static route between NGFW_A and
NGFW_C to 100. In this case, NGFW_A->NGFW_B is the active link, and NGFW_A-
>NGFW_C is the standby link.
<NGFW> system-view
[NGFW] sysname NGFW_A
[NGFW_A] ip route-static 192.168.1.0 255.255.255.0 10.1.1.2
[NGFW_A] ip route-static 192.168.2.0 255.255.255.0 10.1.2.2 preference 100
----End
Configuration Verification
1. After the configurations are complete, view the information in the routing table.
# Run the display ip routing-table command on NGFW_A. In the routing table, there are
two static routes to different destinations.
<NGFW_A> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8
If the Pre field has a smaller value, the route to destination IP address 192.168.1.0/24 has
a higher priority, and serves as the active link. When the link is normal, traffic is forwarded
from this link.
2. View the BFD session status on NGFW_A or NGFW_B.
# Run the display bfd session all command. You can see that the status of the BFD session
is Up. The following uses the information that is displayed on NGFW_A as an example.
<NGFW_A> display bfd session all
--------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5
When you check the routing table on NGFW_A, you can view that the static route to
192.168.1.0/24 is deleted and the standby link is used in this case.
After the undo shutdown command is configured, the active link is recovered, and the
static route to 192.168.1.0/24 is added to the routing table again.
Configuration Scripts
l Configuration scripts of NGFW_A
#
sysname NGFW_A
#
bfd
#
interface GigabitEthernet 1/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet 1/0/2
ip address 10.1.2.1 255.255.255.0
#
bfd ab bind peer-ip 10.1.1.2
discriminator local 10
discriminator remote 20
commit
#
ip route-static 192.168.1.0 255.255.255.0 10.1.1.2 track bfd-session ab
ip route-static 192.168.2.0 255.255.255.0 10.1.2.2 preference 100
#
return
Networking Requirements
As shown in Figure 6-63, two LANs communicate with each other through three NGFWs. To
ensure link reliability, two links exist between VLANs. The active link is between NGFW_A
and NGFW_B, whereas the standby link is between NGFW_A and NGFW_C. In BFD-FRR
interworking, traffic is rapidly switched to the standby link, when the active link is faulty. After
the fault of the active link is rectified, the system automatically switches to the active link.
Configuration Roadmap
NOTE
Procedure
Step 1 Configure NGFW_A.
# Configure the IP prefix list named 1 to match only the default route. This configures the backup
outbound interface for the route.
<NGFW> system-view
[NGFW] sysname NGFW_A
[NGFW_A] ip ip-prefix 1 permit 0.0.0.0 0
# Specify the backup interface and next hop for the active link.
[NGFW_A] route-policy ipfrr permit node 10
[NGFW_A-route-policy] if-match ip next-hop ip-prefix 1
[NGFW_A-route-policy] apply backup-interface GigabitEthernet 1/0/2
[NGFW_A-route-policy] apply backup-nexthop 10.1.2.2
[NGFW_A-route-policy] quit
# Enable FRR.
[NGFW_A] ip frr route-policy ipfrr
[NGFW_A] bfd
[NGFW_A-bfd] quit
[NGFW_A] bfd ab bind peer-ip 10.1.1.2
[NGFW_A-bfd-session-ab] discriminator local 10
[NGFW_A-bfd-session-ab] discriminator remote 20
[NGFW_A-bfd-session-ab] commit
[NGFW_A-bfd-session-ab] quit
----End
Configuration Verification
1. Run the display ip routing-table verbose command to display the information about the
backup outbound interface and next hop in the routing table.
<NGFW_A> display ip routing-table verbose
Destination: 0.0.0.0/0
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 10.1.1.2 Neighbour: 0.0.0.0
State: Active Adv GotQ Age: 00h00m06s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet1/0/1
TunnelID: 0x0 Flags: RD
BkNextHop: 10.1.2.2 BkInterface: GigabitEthernet1/0/2
BkLabel: NULL SecTunnelID: 0x0
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0
The previous information shows that GigabitEthernet 1/0/2 serves as a backup interface.
2. Run the display bfd session all command to display the information about the BFD session.
The following uses the information displayed on NGFW_A as an example.
<NGFW_A> display bfd session all
--------------------------------------------------------------------------------
Local  Remote  Peer IP Address  Interface Name  State  Type
--------------------------------------------------------------------------------
10     20      10.1.1.2         --              Up     Static
--------------------------------------------------------------------------------
3. Run the shutdown command to disable interface GigabitEthernet 1/0/1. Then view the
routing table on NGFW_A. The result shows that the outbound interface to 0.0.0.0/0 is
GigabitEthernet1/0/2. In this case, the standby link is used.
4. Run the undo shutdown command to re-enable interface GigabitEthernet 1/0/1. Then view
the routing table on NGFW_A. The result shows that the outbound interface to 0.0.0.0/0 is
GigabitEthernet1/0/1. In this case, the active link recovers.
Configuration Scripts
l Configuration scripts of NGFW_A
#
sysname NGFW_A
#
bfd
#
ip ip-prefix 1 permit 0.0.0.0 0
#
ip frr route-policy ipfrr
#
route-policy ipfrr permit node 10
if-match ip next-hop ip-prefix 1
apply backup-nexthop 10.1.2.2
apply backup-interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 10.1.2.1 255.255.255.0
#
bfd ab bind peer-ip 10.1.1.2
discriminator local 10
discriminator remote 20
commit
#
return
Networking Requirements
As shown in Figure 6-64, the router is the gateway of a building. All enterprises in the building
access the Internet through the router. NGFW acts as the gateway of an enterprise in the building.
To ensure network continuity, the enterprise uses the dual-uplink networking. The active link
accesses the Internet through DHCP, that is, NGFW as the DHCP client accesses the Internet
by obtaining the IP address from the DHCP server. The standby link accesses the Internet through
PPPoE.
Because the DHCP client cannot sense link reachability by itself, the NGFW cannot switch
traffic to the standby link when the active link fails. Interworking with BFD lets the NGFW
check the availability of the link on which the DHCP client resides, so that service traffic
is rapidly switched to the standby link upon a link fault.
Procedure
Step 1 Configure static BFD sessions.
# Configure BFD session 1 with peer IP address 8.8.8.1, local discriminator 10, and remote
discriminator 20.
[NGFW] bfd
[NGFW-bfd] quit
[NGFW] bfd 1 bind peer-ip 8.8.8.1 interface GigabitEthernet 1/0/1 nexthop dhcp
[NGFW-bfd-session-1] discriminator local 10
[NGFW-bfd-session-1] discriminator remote 20
[NGFW-bfd-session-1] commit
[NGFW-bfd-session-1] quit
# Configure the default route with outbound interface Dialer 0 and route priority 255.
NOTE
When the NGFW acts as the DHCP client, the priority of the default route obtained from the DHCP server
is 245. When PPPoE is used for backup access, the priority of the default route must be larger than 245.
The higher the priority value, the lower the priority.
[NGFW] ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 255
2. Configure a static route with destination IP address 10.1.1.0/24 and next hop 8.8.8.2 to
NGFW.
[Router] ip route-static 10.1.1.0 255.255.255.0 8.8.8.2
----End
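The failover rule that the static-route and DHCP examples above rely on (a route tracked with track bfd-session is withdrawn as soon as its BFD session leaves the Up state, and the surviving route with the lowest preference value is used) as an added Python model; this is not NGFW code. The route entries use the values of this example (DHCP default route at preference 245, PPPoE backup via Dialer 0 at preference 255, BFD session 1); the direct route entry is an assumption.

```python
"""Model of static-route selection with BFD tracking (added example, not
Huawei NGFW code).  A tracked route is installed only while its BFD session
is Up; among installed routes to the same destination the lowest preference
value wins (a higher value means a lower priority)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    destination: str                      # e.g. "0.0.0.0/0"
    nexthop: str                          # next-hop address or outbound interface
    preference: int                       # lower value = higher priority
    track_session: Optional[int] = None   # BFD session bound with "track bfd-session"


def installed_routes(routes, bfd_sessions):
    """Return the routes currently loaded into the routing table.

    bfd_sessions maps session id -> "Up" / "Down".  A route without a tracked
    session is always installed; a tracked route is withdrawn as soon as its
    session is not Up.  For each destination only the best preference
    survives, which is why the backup route appears only after the tracked
    primary route has been deleted."""
    candidates = [
        r for r in routes
        if r.track_session is None or bfd_sessions.get(r.track_session) == "Up"
    ]
    best = {}
    for r in candidates:
        cur = best.get(r.destination)
        if cur is None or r.preference < cur.preference:
            best[r.destination] = r
    return sorted(best.values(), key=lambda r: r.destination)


def lookup(routes, bfd_sessions, address):
    """Longest-prefix match over the installed routes; returns the next hop."""
    addr = ip_address(address)
    match = None
    for r in installed_routes(routes, bfd_sessions):
        net = ip_network(r.destination)
        if addr in net and (
            match is None or net.prefixlen > ip_network(match.destination).prefixlen
        ):
            match = r
    return match.nexthop if match else None


# Constructed routing entries for the DHCP + PPPoE dual-uplink case.  The
# DHCP-learned gateway 10.1.1.1, the preference values 245 and 255 and the
# BFD session id 1 are the values used in the example; the direct route for
# the DHCP interface's own subnet is an assumption.
ROUTES = [
    StaticRoute("0.0.0.0/0", "10.1.1.1", 245, track_session=1),   # DHCP default route
    StaticRoute("0.0.0.0/0", "Dialer 0", 255),                    # PPPoE backup route
    StaticRoute("10.1.1.0/24", "GigabitEthernet1/0/1", 0),        # direct route (assumed)
]


def simulate_failover():
    """Walk through the three verification states described in the text:
    session Up (active link), session Down (switch to Dialer 0), session Up
    again (switch back).  Returns the next hop chosen for 8.8.8.8 each time."""
    return [lookup(ROUTES, {1: state}, "8.8.8.8") for state in ("Up", "Down", "Up")]


if __name__ == "__main__":
    print(simulate_failover())
```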
Configuration Verification
1. When the active link is reachable, access packets are forwarded by NGFW to the active
link.
# Run the display bfd session all command. You can view that BFD sessions are created
and they are in Up state. The following uses the information displayed on NGFW as an
example.
[NGFW] display bfd session all
--------------------------------------------------------------------------------
Local  Remote  Peer IP Address  Interface Name        State  Type
--------------------------------------------------------------------------------
10     20      8.8.8.1          GigabitEthernet1/0/1  Up     Static
--------------------------------------------------------------------------------
# Run the display ip routing-table command on NGFW. You can see that the next hop of the
default route on the NGFW is the gateway address obtained from the DHCP server and that the
route priority is 245.
[NGFW] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
2. When the active link is faulty, NGFW switches the traffic to the standby link.
# Run the display bfd session all command. You can see that the status of the BFD session
is Down. The following uses the information displayed on NGFW as an example.
[NGFW] display bfd session all
--------------------------------------------------------------------------------
# Run the display ip routing-table command. You can see that the default route obtained
through the DHCP server is deleted and the backup default route with outbound interface
Dialer 0 is loaded to the routing table.
[NGFW] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5
3. When the active link recovers, run the display bfd session all command on NGFW. You
can view that the status of the BFD session turns to Up. Run the display ip routing-
table command. You can view that the default route to NGFW obtained through the DHCP
server is re-loaded to the routing table.
Configuration Scripts
l Configuration scripts of NGFW
#
sysname NGFW
#
bfd
#
interface GigabitEthernet1/0/1
dhcp client enable track bfd-session 10
#
bfd 1 bind peer-ip 8.8.8.1 interface GigabitEthernet1/0/1 nexthop dhcp
discriminator local 10
discriminator remote 20
commit
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 255
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1 preference 245 track bfd-session 1
#
return
commit
#
ip route-static 10.1.1.0 255.255.255.0 8.8.8.2
#
return
Networking Requirements
As shown in Figure 6-65, an enterprise has departments A and B. Departments A and B, acting
as service departments, generate heavy traffic and require different links for traffic balancing.
In addition, the departments require high stability and service continuity.
To meet their requirements, the enterprise has two links (ISP1 and ISP2) to access the Internet.
The two links share the traffic and can back up for each other to ensure service continuity.
l Department A resides on network segment 10.1.0.0/16 and its packets pass through link
ISP1 in normal cases.
l Department B resides on network segment 10.2.0.0/16 and its packets pass through link
ISP2 in normal cases.
l The links of departments A and B are mutually backed up. When the link (active link) of
a department is faulty, traffic is switched to the link (standby link) of another department.
Figure 6-65 Networking diagram of configuring interworking between PBR and BFD
Configuration Roadmap
NOTE
This example describes only PBR-related configurations, but not configurations (such as NAT and route
reachability among Router_A, Router_B, and NGFW) required by the NGFW for providing Internet access.
1. To balance traffic on different links, configure the PBR based on source IP addresses, so
that packets from department A pass through ISP1 and those from department B pass
through ISP2.
2. To ensure the continuity and mutual backup of links at which departments A and B reside,
perform the following:
a. Configure static BFD sessions respectively on the NGFW, Router_A, and Router_B
to detect the link connectivity between the NGFW and Router_A, and between the
NGFW and Router_B.
b. Configure the interworking between PBR and BFD. BFD monitors the availability of
the active links of departments A and B. When the active links are faulty, PBR becomes
invalid. The device searches for standby routes to ensure service continuity.
c. Configure static routes from department A to link ISP2 and from department B to link
ISP1 as the backup routes of departments A and B. Moreover, configure static routes
to interwork with BFD. BFD monitors the availability of the standby links of
departments A and B.
Procedure
Step 1 Configure the NGFW.
1. Configure static BFD sessions.
# Configure BFD session 1 with peer IP address 1.1.2.1, local discriminator 10, and remote
discriminator 20.
[NGFW] bfd
[NGFW-bfd] quit
[NGFW] bfd 1 bind peer-ip 1.1.2.1
[NGFW-bfd-session-1] discriminator local 10
[NGFW-bfd-session-1] discriminator remote 20
[NGFW-bfd-session-1] commit
[NGFW-bfd-session-1] quit
# Configure BFD session 2 with peer IP address 1.1.3.1, local discriminator 30, and remote
discriminator 40.
[NGFW] bfd 2 bind peer-ip 1.1.3.1
[NGFW-bfd-session-2] discriminator local 30
[NGFW-bfd-session-2] discriminator remote 40
[NGFW-bfd-session-2] commit
[NGFW-bfd-session-2] quit
# Configure rule A_1, so that packets sent from 10.1.0.0/16 to 10.2.0.0/16 are not processed by PBR.
[NGFW] policy-based-route
[NGFW-policy-pbr] rule name A_1
[NGFW-policy-pbr-rule-A_1] ingress-interface GigabitEthernet 1/0/4
[NGFW-policy-pbr-rule-A_1] source-address 10.1.0.0 16
[NGFW-policy-pbr-rule-A_1] destination-address 10.2.0.0 16
[NGFW-policy-pbr-rule-A_1] action no-pbr
[NGFW-policy-pbr-rule-A_1] quit
# Configure rule A_2, so that packets sent from 10.1.0.0/16 are sent to next-hop 1.1.2.1.
[NGFW-policy-pbr] rule name A_2
[NGFW-policy-pbr-rule-A_2] ingress-interface GigabitEthernet 1/0/4
[NGFW-policy-pbr-rule-A_2] source-address 10.1.0.0 16
[NGFW-policy-pbr-rule-A_2] action pbr next-hop 1.1.2.1
[NGFW-policy-pbr-rule-A_2] quit
# Configure rule B_1, so that packets sent from 10.2.0.0/16 to 10.1.0.0/16 are not processed by PBR.
[NGFW-policy-pbr] rule name B_1
[NGFW-policy-pbr-rule-B_1] ingress-interface GigabitEthernet 1/0/1
[NGFW-policy-pbr-rule-B_1] source-address 10.2.0.0 16
[NGFW-policy-pbr-rule-B_1] destination-address 10.1.0.0 16
[NGFW-policy-pbr-rule-B_1] action no-pbr
[NGFW-policy-pbr-rule-B_1] quit
# Configure rule B_2, so that packets sent from 10.2.0.0/16 are sent to next-hop 1.1.3.1.
[NGFW-policy-pbr] rule name B_2
[NGFW-policy-pbr-rule-B_2] ingress-interface GigabitEthernet 1/0/1
[NGFW-policy-pbr-rule-B_2] source-address 10.2.0.0 16
[NGFW-policy-pbr-rule-B_2] action pbr next-hop 1.1.3.1
[NGFW-policy-pbr-rule-B_2] quit
[NGFW-policy-pbr] quit
# Configure a default route, set the next hop to 1.1.2.1, and associate the route with BFD
session 1.
[NGFW] ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 track bfd-session 1
# Configure a default route, set the next hop to 1.1.3.1, and associate the route with BFD
session 2.
[NGFW] ip route-static 0.0.0.0 0.0.0.0 1.1.3.1 track bfd-session 2
# Configure BFD session 1 with peer IP address 1.1.2.2, local discriminator 20, and remote
discriminator 10 on Router_A.
<Router_A> system-view
[Router_A] bfd
[Router_A-bfd] quit
[Router_A] bfd 1 bind peer-ip 1.1.2.2
[Router_A-bfd-session-1] discriminator local 20
[Router_A-bfd-session-1] discriminator remote 10
[Router_A-bfd-session-1] commit
[Router_A-bfd-session-1] quit
# Configure BFD session 2 with peer IP address 1.1.3.2, local discriminator 40, and remote
discriminator 30 on Router_B.
<Router_B> system-view
[Router_B] bfd
[Router_B-bfd] quit
[Router_B] bfd 2 bind peer-ip 1.1.3.2
[Router_B-bfd-session-2] discriminator local 40
[Router_B-bfd-session-2] discriminator remote 30
[Router_B-bfd-session-2] commit
[Router_B-bfd-session-2] quit
----End
Configuration Verification
1. When active links are reachable, packets from department A are forwarded by the
NGFW to ISP1, and those from department B are forwarded by the NGFW to ISP2.
# Run the display bfd session all command. You can see that the BFD sessions are created
and are in Up state.
[NGFW] display bfd session all
--------------------------------------------------------------------------------
Local  Remote  Peer IP Address  Interface Name  State  Type
--------------------------------------------------------------------------------
10     20      1.1.2.1          --              Up     Static
30     40      1.1.3.1          --              Up     Static
--------------------------------------------------------------------------------
# Run the ping 1.1.2.1 command in department A. The ping succeeds. Then run the ping
1.1.3.1 command. The ping fails.
C:\Documents and Settings\DepartA>ping 1.1.2.1
# Run the ping 1.1.3.1 command in department B. The ping succeeds. Then run the ping
1.1.2.1 command. The ping fails.
C:\Documents and Settings\DepartB>ping 1.1.3.1
2. When the active link is faulty, the NGFW searches for the standby route and forwards the
packets of departments to the corresponding standby link. The following uses active link
ISP1 of department A as an example.
# Run the display bfd session all command. The status of BFD session 1 of the link where
department A resides is Down.
[NGFW] display bfd session all
--------------------------------------------------------------------------------
Local  Remote  Peer IP Address  Interface Name  State  Type
--------------------------------------------------------------------------------
10     20      1.1.2.1          --              Down   Static
30     40      1.1.3.1          --              Up     Static
--------------------------------------------------------------------------------
# Run the ping 1.1.2.1 command in department A. The ping fails. Then run the ping
1.1.3.1 command. The ping succeeds.
C:\Documents and Settings\DepartA>ping 1.1.3.1
3. When active links restore to normal, the NGFW forwards all packets to the active links.
The following uses active link ISP1 of department A as an example.
# Run the display bfd session all command. The status of the BFD session of the link where
department A resides is Up.
[NGFW] display bfd session all
--------------------------------------------------------------------------------
Local  Remote  Peer IP Address  Interface Name  State  Type
--------------------------------------------------------------------------------
10     20      1.1.2.1          --              Up     Static
30     40      1.1.3.1          --              Up     Static
--------------------------------------------------------------------------------
# Run the ping 1.1.2.1 command in department A. The ping succeeds. Then run the ping
1.1.3.1 command. The ping fails.
C:\Documents and Settings\DepartA>ping 1.1.2.1
4. Departments A and B can communicate with each other. In the following example, the user
in department A pings that in department B.
C:\Documents and Settings\DepartA>ping 10.2.0.111
Configuration Scripts
l Configuration scripts of NGFW
#
sysname NGFW
#
bfd
#
interface GigabitEthernet1/0/1
ip address 10.1.0.1 255.255.0.0
#
interface GigabitEthernet1/0/2
ip address 10.2.0.1 255.255.0.0
#
interface GigabitEthernet1/0/3
ip address 1.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/4
ip address 1.1.3.2 255.255.255.0
#
bfd 1 bind peer-ip 1.1.2.1
discriminator local 10
discriminator remote 20
commit
#
bfd 2 bind peer-ip 1.1.3.1
discriminator local 30
discriminator remote 40
commit
#
ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 track bfd-session 1
ip route-static 0.0.0.0 0.0.0.0 1.1.3.1 track bfd-session 2
#
policy-based-route
rule name A_1
ingress-interface GigabitEthernet1/0/1
source-address 10.1.0.0 16
destination-address 10.2.0.0 16
action no-pbr
rule name A_2
ingress-interface GigabitEthernet1/0/1
source-address 10.1.0.0 16
track bfd-session 10
action pbr next-hop 1.1.2.1
rule name B_1
ingress-interface GigabitEthernet1/0/2
source-address 10.2.0.0 16
destination-address 10.1.0.0 16
action no-pbr
rule name B_2
ingress-interface GigabitEthernet1/0/2
source-address 10.2.0.0 16
track bfd-session 30
action pbr next-hop 1.1.3.1
#
return
6.5.8.6 Example for Configuring the Interworking Between BFD and Hot Standby
This example describes how to configure the interworking between BFD and Hot Standby, based
on the example for configuring active/standby mode.
Network Requirements
The NGFW is deployed on the service node as a security device. Upstream and downstream
devices are routers. NGFW_A and NGFW_B work in active/standby mode.
Figure 6-66 shows the networking diagram. The detailed description is as follows:
l OSPF runs between the routers and the two NGFWs. The router sends service packets to
the active NGFW according to the route calculation result.
l The NGFWs monitor the network egress through the interworking function between BFD and
Hot Standby. When the network egress on the link where NGFW_A resides is down,
NGFW_B switches to the active device and service packets are sent to NGFW_B.
Figure 6-66 Networking diagram of the example for configuring the interworking between BFD
and Hot Standby
Procedure
Step 1 Configure the Hot Standby function on NGFW_A.
# Enable the function of adjusting the related cost value of OSPF according to the HRP status.
NOTICE
When the NGFW is deployed on the OSPF network to work in dual-system hot backup mode,
this command must be configured.
# Configure the active management group to monitor the status of interfaces in the interface
view.
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] hrp track active
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] hrp track active
[NGFW_A-GigabitEthernet1/0/3] quit
# Enable HRP.
[NGFW_A] hrp enable
# Configure BFD session 1 with peer IP address 1.1.1.2, local discriminator 10, and remote
discriminator 20 on NGFW_A.
HRP_A[NGFW_A] bfd
HRP_A[NGFW_A-bfd] quit
HRP_A[NGFW_A] bfd 1 bind peer-ip 1.1.1.2
HRP_A[NGFW_A-bfd-session-1] discriminator local 10
HRP_A[NGFW_A-bfd-session-1] discriminator remote 20
HRP_A[NGFW_A-bfd-session-1] commit
HRP_A[NGFW_A-bfd-session-1] quit
# Configure BFD session 1 with peer IP address 10.100.30.2, local discriminator 20, and remote
discriminator 10 on Router_A.
<Router_A> system-view
[Router_A] bfd
[Router_A-bfd] quit
[Router_A] bfd 1 bind peer-ip 10.100.30.2
[Router_A-bfd-session-1] discriminator local 20
[Router_A-bfd-session-1] discriminator remote 10
[Router_A-bfd-session-1] commit
[Router_A-bfd-session-1] quit
Step 6 Configure the interworking between BFD and Hot Standby on NGFW_A.
HRP_A[NGFW_A] hrp track bfd-session 10 active
# Configure BFD session 1 with peer IP address 2.2.2.2, local discriminator 10, and remote
discriminator 20 on NGFW_B.
HRP_S[NGFW_B] bfd
HRP_S[NGFW_B-bfd] quit
HRP_S[NGFW_B] bfd 1 bind peer-ip 2.2.2.2
HRP_S[NGFW_B-bfd-session-1] discriminator local 10
HRP_S[NGFW_B-bfd-session-1] discriminator remote 20
HRP_S[NGFW_B-bfd-session-1] commit
HRP_S[NGFW_B-bfd-session-1] quit
# Configure BFD session 1 with peer IP address 10.100.40.2, local discriminator 20, and remote
discriminator 10 on Router_B.
<Router_B> system-view
[Router_B] bfd
[Router_B-bfd] quit
[Router_B] bfd 1 bind peer-ip 10.100.40.2
[Router_B-bfd-session-1] discriminator local 20
[Router_B-bfd-session-1] discriminator remote 10
[Router_B-bfd-session-1] commit
[Router_B-bfd-session-1] quit
Step 8 Configure the interworking between BFD and Hot Standby on NGFW_B.
HRP_S[NGFW_B] hrp track bfd-session 10 standby
----End
Configuration Script
Configuration script of NGFW_A:
#
sysname NGFW_A
#
bfd
#
hrp enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/2
hrp track bfd-session 10 active
#
interface GigabitEthernet 1/0/1
ip address 10.100.30.2 255.255.255.0
hrp track active
#
interface GigabitEthernet 1/0/2
ip address 10.100.50.2 255.255.255.0
#
interface GigabitEthernet 1/0/3
ip address 10.100.10.2 255.255.255.0
hrp track active
#
firewall zone trust
add interface GigabitEthernet 1/0/1
#
firewall zone dmz
add interface GigabitEthernet 1/0/2
#
firewall zone untrust
add interface GigabitEthernet 1/0/3
#
bfd 1 bind peer-ip 1.1.1.2
discriminator local 10
discriminator remote 20
commit
#
ospf 101
area 0.0.0.0
network 10.100.10.0 0.0.0.255
network 10.100.30.0 0.0.0.255
#
security-policy
rule name ha
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
action permit
#
return
7 Virtual System
7.1 Overview
A virtual system is a logical device created on a physical device. Virtual systems are independent
from each other.
An NGFW can be logically divided into multiple virtual systems. Each virtual system has its own
resources and configurations, such as interfaces, address sets, users/user groups, routing tables,
and policies, and provides the same functions as a physical system.
l Each virtual system has its own administrators and can be managed independently. With
virtual systems, a large network can be divided into smaller subnets with each being served
by a virtual system, simplifying the network management.
l Each virtual system has its own configurations and routing table so that networks connected
to different virtual systems can have overlapping private addresses.
l Each virtual system has its own resource quota so that a busy virtual system has no impact
on other virtual systems.
l The traffic of different virtual systems is separated to ensure security. However, different
virtual systems can still communicate with each other if needed.
l Virtual system technology reduces hardware investment, power consumption, and
equipment footprint.
Virtualization technology allows you to divide a network into multiple smaller subnets and
configure a virtual system for each subnet, making network boundaries clearer and network
management easier.
As shown in Figure 7-1, virtual systems are created on the NGFW for the R&D, financial, and
administrative departments of an enterprise. The administrators of each department have clearly
defined permissions, and the departments can communicate based on the policies. The
departments can also have different Internet access permissions.
As shown in Figure 7-2, enterprises A and B have servers at the cloud computing center. The
NGFW functions as the security gateway at the egress of the cloud computing center. It isolates
the traffic of different enterprises and protects the cloud computing center based on the
configured security policies.
7.3 Mechanism
This section describes the mechanism of the virtual system.
Virtual System
The NGFW has two types of virtual systems: root system (root) and virtual system (VSYS).
Figure 7-3 shows the logical structure of the root system and virtual systems.
Figure 7-3 Logical structure of the root system and virtual systems
To forward, isolate, and independently manage traffic of different virtual systems, the NGFW
implements virtualization in the following aspects:
l Resources: Each virtual system has dedicated resources, including interfaces, VLANs,
policies, and sessions. The resources are assigned by root system administrators and
managed by virtual system administrators.
l Configuration: Each virtual system has its own configuration interface and administrators
and cannot be accessed by administrators of other virtual systems.
l Services: Each virtual system has its own route entries, policies, and security
configurations, which apply only to packets of the virtual system.
With the preceding virtualization techniques, each virtual system can function as a dedicated
firewall that is exclusively managed by its administrator.
Administrator
Administrators are classified into root system administrators and virtual system administrators.
Figure 7-4 illustrates the permissions of the two types of administrators.
Basic resources, such as security zones, policies, and sessions, can be either automatically or
manually assigned to virtual systems, whereas other resources are preempted by all virtual
systems.
Resource Allocation
Table 7-1 lists the resources that are automatically and manually assigned.
Resource | Assignment mode | Description
New Session Rate | Manually assigned | The new session rate indicates the number of new sessions a virtual system can create in one second.
DHCP Static Address Lease | Manually assigned | Specifies the number of static IP addresses that can be assigned to a virtual system.
l Guaranteed value: specifies the amount of a resource committed to a virtual system and
cannot be preempted by other virtual systems.
l Maximum value: specifies the maximum allowed amount of resource that a virtual system
can have. Whether the virtual system can achieve the maximum value depends on available
resources and competition between virtual systems.
For example, 10 virtual systems are configured on the NGFW and the total number of sessions
available for the NGFW is 500,000. If virtual system A is configured with a guaranteed number
of 10,000 sessions and a maximum number of 50,000 sessions, then virtual system A can
establish 10,000 sessions without preemption. However, whether virtual system A can establish
50,000 sessions depends on the competition of other nine virtual systems and the root system.
If the total number of sessions established by the other nine virtual systems and the root system
is less than 450,000, then virtual system A can establish a maximum number of 50,000 sessions.
Root system administrators can assign resources to virtual systems based on their purpose. For
example, virtual system 1 connects to the zone where the enterprise servers reside to protect the
servers and virtual system 2 connects to the zone created for a department of 20 employees to
control Internet access. In this case, the two virtual systems have different needs for resources.
Virtual system 1 needs more sessions than virtual system 2, but does not need any users, whereas
virtual system 2 needs a quota of 20 users but needs fewer sessions than virtual system 1.
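The following model, added here as an illustration and not Huawei code, reproduces the session example above (500,000 sessions on the NGFW, ten virtual systems, VSYSA with a guaranteed value of 10,000 and a maximum value of 50,000) to show when a request is served from the guaranteed share and when it depends on what the other virtual systems and the root system have left. It assumes that the other nine virtual systems use the same resource class as VSYSA and that the root system has no guaranteed share; the class and function names are constructed for the example.

```python
"""Guaranteed versus maximum resource values for virtual systems.

Added example (not Huawei code). The guaranteed share is always honoured;
anything above it is served from whatever the other virtual systems and the
root system have left, up to the maximum value.
"""
from dataclasses import dataclass, field


@dataclass
class ResourceClass:
    guaranteed: int  # committed to the vsys, never preempted by others
    maximum: int     # upper bound; reachable only if the shared pool has room


@dataclass
class SessionPool:
    total: int                                   # sessions available on the whole NGFW
    classes: dict = field(default_factory=dict)  # vsys name -> ResourceClass
    used: dict = field(default_factory=dict)     # vsys name -> sessions in use

    def bind(self, vsys, rc):
        # The sum of all guaranteed values must fit in the pool, otherwise the
        # commitments cannot all be honoured at the same time.
        committed = sum(c.guaranteed for c in self.classes.values()) + rc.guaranteed
        if committed > self.total:
            raise ValueError(f"guaranteed total {committed} exceeds pool of {self.total}")
        self.classes[vsys] = rc
        self.used[vsys] = 0

    def shared_free(self):
        """Capacity left outside every vsys's guaranteed share."""
        reserved = sum(c.guaranteed for c in self.classes.values())
        excess = sum(max(0, self.used[v] - self.classes[v].guaranteed) for v in self.classes)
        return self.total - reserved - excess

    def admit(self, vsys, n):
        """Try to create n new sessions in vsys; return how many were created."""
        rc, cur = self.classes[vsys], self.used[vsys]
        wanted = min(n, max(0, rc.maximum - cur))           # never beyond the maximum value
        from_guaranteed = min(wanted, max(0, rc.guaranteed - cur))
        from_shared = min(wanted - from_guaranteed, max(0, self.shared_free()))
        granted = from_guaranteed + from_shared
        self.used[vsys] += granted
        return granted


def build_pool(total=500_000, n_vsys=10, guaranteed=10_000, maximum=50_000):
    pool = SessionPool(total)
    # Assumption: the root system competes for the pool but has no guaranteed share.
    pool.bind("root", ResourceClass(guaranteed=0, maximum=total))
    for i in range(n_vsys):
        pool.bind(f"vsys{i}", ResourceClass(guaranteed, maximum))
    return pool


def vsysa_capacity(others_load):
    """Sessions vsys0 (VSYSA) can reach when each of the other nine virtual systems
    and the root system already tries to hold others_load sessions."""
    pool = build_pool()
    for i in range(1, 10):
        pool.admit(f"vsys{i}", others_load)
    pool.admit("root", others_load)
    return pool.admit("vsys0", 50_000)


if __name__ == "__main__":
    for load in (45_000, 46_000, 50_000):
        print(f"others hold {load:>6} each -> VSYSA can open {vsysa_capacity(load)} sessions")
```

With the others holding 45,000 sessions each (450,000 in total) VSYSA reaches its maximum of 50,000; with 46,000 each it reaches only 40,000; with 50,000 each it gets exactly its guaranteed 10,000.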
Resource Preemption
The following resources are preempted by all virtual systems:
If no virtual systems are configured on the NGFW, the NGFW forwards packets based on policies
and various tables (such as session, MAC address, and routing table) of the root system. After
virtual systems are configured on the NGFW, each virtual system functions as a dedicated device
and has its own policies and tables for packet processing. In this case, after receiving a packet,
the NGFW must first determine the destination virtual system of the packet. This process is
called traffic sorting.
The NGFW sorts traffic based on interface (for Layer-3 interfaces) or VLAN (for Layer-2
interfaces).
In Figure 7-5, the three virtual systems, VSYSA, VSYSB, and VSYSC, have their dedicated
inside interfaces, which are respectively GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and
GigabitEthernet 1/0/3. After receiving packets, the NGFW forwards them to their virtual systems
for routing and policy matching.
[Figure 7-5 (image not reproduced): traffic sorting by interface. GE1/0/4; GE1/0/1 (VSYSA) 10.3.0.0/24; GE1/0/2 (VSYSB) 10.3.1.0/24; GE1/0/3 (VSYSC) 10.3.2.0/24]
In Figure 7-6, the inside interface GigabitEthernet 1/0/1 of the NGFW is a Layer-2 trunk
interface and is configured to permit packets from VLAN10, VLAN20, and VLAN30, which
are bound to VSYSA, VSYSB, and VSYSC respectively. After receiving a packet on
GigabitEthernet 1/0/1, the NGFW checks the VLAN tag carried in the packet header to determine
the source VLAN of the packet and then forwards the packet to the virtual system to which the
VLAN is bound.
After the packet enters the virtual system, the NGFW checks the MAC address table to obtain
the outgoing interface and then forwards or discards the packet based on the inter-zone policy.
[Figure 7-6 (image not reproduced): traffic sorting by VLAN. GE1/0/2 trunk VLAN 10, 20, 30; GE1/0/1 trunk VLAN 10, 20, 30; VLAN 10, VLAN 20, VLAN 30]
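The two sorting rules described above, modelled in an added example that is not Huawei code: a Layer-3 interface is bound to one virtual system, and on a Layer-2 trunk interface the VLAN tag selects the virtual system the VLAN is bound to. The bindings follow Figures 7-5 and 7-6; the class and interface-name strings are constructed, and the treatment of unassigned interfaces and unbound VLANs (kept in the root system) is an assumption.

```python
"""Traffic sorting: which virtual system receives an incoming packet.

Added example (not Huawei code) modelling interface-based and VLAN-based
traffic sorting as described for Figures 7-5 and 7-6.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ingress: str         # interface the packet arrived on
    vlan: Optional[int]  # 802.1Q tag, None if untagged
    dst: str             # destination IP, kept for readability only


class TrafficSorter:
    def __init__(self):
        self.l3_bindings = {}    # Layer-3 interface -> vsys name
        self.trunks = {}         # Layer-2 trunk interface -> permitted VLAN ids
        self.vlan_bindings = {}  # VLAN id -> vsys name

    def assign_interface(self, iface, vsys):
        self.l3_bindings[iface] = vsys

    def configure_trunk(self, iface, vlans):
        self.trunks[iface] = set(vlans)

    def assign_vlan(self, vlan, vsys):
        self.vlan_bindings[vlan] = vsys

    def sort(self, pkt):
        """Return the name of the virtual system that processes pkt, or 'drop'."""
        if pkt.ingress in self.l3_bindings:
            # Layer-3 interface: the interface itself identifies the vsys.
            return self.l3_bindings[pkt.ingress]
        if pkt.ingress in self.trunks:
            # Layer-2 trunk: only tagged frames from permitted VLANs are accepted...
            if pkt.vlan is None or pkt.vlan not in self.trunks[pkt.ingress]:
                return "drop"
            # ...and the VLAN tag selects the vsys the VLAN is bound to.
            # Assumption: a permitted VLAN bound to no vsys stays in the root system.
            return self.vlan_bindings.get(pkt.vlan, "root")
        # Assumption: an interface not assigned to any vsys belongs to the root system.
        return "root"


def figure_7_5():
    s = TrafficSorter()
    s.assign_interface("GigabitEthernet1/0/1", "VSYSA")
    s.assign_interface("GigabitEthernet1/0/2", "VSYSB")
    s.assign_interface("GigabitEthernet1/0/3", "VSYSC")
    return s


def figure_7_6():
    s = TrafficSorter()
    s.configure_trunk("GigabitEthernet1/0/1", [10, 20, 30])
    s.assign_vlan(10, "VSYSA")
    s.assign_vlan(20, "VSYSB")
    s.assign_vlan(30, "VSYSC")
    return s


if __name__ == "__main__":
    for sorter, pkt in [
        (figure_7_5(), Packet("GigabitEthernet1/0/2", None, "10.3.1.7")),
        (figure_7_6(), Packet("GigabitEthernet1/0/1", 30, "10.3.2.7")),
        (figure_7_6(), Packet("GigabitEthernet1/0/1", 40, "10.3.2.7")),
    ]:
        print(pkt, "->", sorter.sort(pkt))
```

A frame arriving on the trunk with a tag the trunk does not permit (VLAN 40) is dropped before any virtual system sees it; an untagged frame on the trunk is treated the same way.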
Virtual Interface
Virtual interfaces are logical interfaces used for inter-virtual system communication. After a
virtual system is created, the system automatically creates a virtual interface for the virtual
system. Virtual interfaces are named in the format of Virtualif+number, with the virtual interface
of the root system numbered 0 (Virtualif0). Other virtual interfaces are automatically numbered
from 1. Unlike other interfaces, virtual interfaces can work without IP addresses.
As shown in Figure 7-7, the virtual interfaces (Virtualif1 to VirtualifN) of all virtual systems
are connected to the virtual interface (Virtualif0) of the root system through a virtual link. You
can add virtual interfaces to secure zones and configure routes and security policies to enable
and control the communication between the root system and virtual systems.
You can compare the root system to a router that forwards traffic for virtual systems.
[Figure 7-7 (image not reproduced): Virtual system B (Virtualif2) connected over a virtual link to Virtualif0 of the root system]
The communication between virtual systems and between a virtual system and the root system
is described as follows.
Figure 7-8 Communication between a virtual system and the root system
VSYSA routing table:
Destination Address | Destination VSYS | Outgoing interface | Next hop
3.3.3.3/32 | root | - | -
10.3.0.0/24 | VSYSA | GE1/0/2 | -
…… | …… | …… | ……
Root system routing table:
Destination Address | Destination VSYS | Outgoing interface | Next hop
3.3.3.3/32 | root | GE1/0/1 | 1.1.1.254
10.3.0.0/24 | VSYSA | - | -
…… | …… | …… | ……
Packet flow in the figure:
1 Sends an access request.
2 Forwards packets based on the firewall processing flow and finds the destination VSYS in the routing table based on the destination address.
3 Sends packets.
4 Forwards packets based on the firewall processing flow and finds the outgoing interface and next hop in the routing table based on the destination address.
5 Access the Internet.
Configure routes as follows to enable communication between VSYSA and the root system:
1. Configure a static route on VSYSA. Set the destination IP address to 3.3.3.3 and destination
virtual system to root.
2. Configure a static route on the root system. Set the destination IP address to 3.3.3.3, the
outgoing interface to GE1/0/1, and the next hop to the gateway IP address obtained from
the carrier. The static routes in steps 1 and 2 are used to forward traffic from hosts connected
to VSYSA to the Internet.
3. Configure a static route on the root system. Set the destination IP address to 10.3.0.0/24
and destination virtual system to VSYSA.
4. Configure a static route on VSYSA. Set the destination IP address to 10.3.0.0/24 and the
outgoing interface to GE1/0/2. The static routes in steps 3 and 4 are used to forward traffic
from the Internet to hosts connected to VSYSA.
Configure security policies as follows to enable communication between VSYSA and the root
system:
1. On VSYSA, add interface GE1/0/2 to the Trust zone and Virtualif1 to the Untrust zone,
and configure a security policy to allow the Trust zone to access the Untrust zone.
2. On the root system, add interface GE1/0/1 to the Untrust zone and Virtualif0 to the Trust
zone, and configure a security policy to allow the Trust zone to access the Untrust zone.
Network 10.3.0.0/24 is a private network. Therefore, a NAT policy must be configured for the
network to access the Internet. The NAT policy can be configured on VSYSA or the root system,
whichever has the public IP addresses configured.
[Figure (image not reproduced): Communication between two virtual systems]
Virtual system A (VSYSA): GE1/0/2, 10.3.0.0/24, Virtualif1
Root system: Virtualif0
Virtual system B (VSYSB): GE1/0/3, 10.3.1.0/24, Virtualif2; server 10.3.1.3
Packet flow in the figure:
1 Sends an access request.
2 Forwards packets.
3 Finds the outgoing interface in the routing table of the root system.
4 Sends packets.
5 Forwards packets.
6 Access the server.
1. Configure a static route on VSYSA. Set the destination IP address to 10.3.1.3 and
destination virtual system to root.
2. Configure a static route on the root system. Set the destination IP address to 10.3.1.3 and
destination virtual system to VSYSB.
3. Configure a static route on VSYSB. Set the destination IP address to 10.3.1.3 and the
outgoing interface to GE1/0/3. The static routes in steps 1, 2, and 3 are used to forward
traffic from hosts connected to VSYSA to the server connected to VSYSB.
4. Configure a static route on VSYSB. Set the destination IP address to 10.3.0.0/24 and
destination virtual system to root.
5. Configure a static route on the root system. Set the destination IP address to 10.3.0.0/24
and destination virtual system to VSYSA.
6. Configure a static route on VSYSA. Set the destination IP address to 10.3.0.0/24 and the
outgoing interface to GE1/0/2. The static routes in steps 4, 5, and 6 are used to forward
traffic from VSYSB to hosts connected to VSYSA.
Configure security policies as follows to enable communication between VSYSA and VSYSB:
1. On VSYSA, add interface GE1/0/2 to the Trust zone and Virtualif1 to the Untrust zone,
and configure a security policy to allow the Trust zone to access the Untrust zone.
2. On VSYSB, add interface GE1/0/3 to the Trust zone and Virtualif2 to the Untrust zone,
and configure a security policy to allow the Untrust zone to access the Trust zone.
NOTE
The root system only forwards packets between virtual systems based on the routing table and does not
implement any security functions. Therefore, you do not need to configure any security policies on the root
system.
[Routing table fragment (remaining rows of the figure's tables): 10.3.0.0/24 192.168.1.1; - 192.168.2.1 root -; - 192.168.2.1 VSYSB -]
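The forwarding walk described for Figure 7-8 and for communication between two virtual systems, as an added example that is not Huawei code. Each virtual system has its own routing table whose entries name either an outgoing interface or a destination virtual system; a packet following an inter-virtual-system route leaves through the source system's virtual interface and enters the target through that system's virtual interface, where the target's zones and security policies apply. The routes, zones and policies are the ones listed in the steps above (VSYSA to the Internet through the root system, and VSYSA to the server behind VSYSB). Two points are assumptions of the model: policy checks are stateless (first packet only, so the inbound direction of a session is judged on its own), and the root system skips policy checks only when it relays between its virtual interface and itself, per the NOTE above; the class and function names are constructed.

```python
"""Walk a first packet through virtual system routing tables and security policies.

Added example (not Huawei code) modelling inter-virtual-system forwarding.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    vsys: Optional[str] = None     # destination virtual system (inter-vsys route, no next hop)
    iface: Optional[str] = None    # outgoing interface
    nexthop: Optional[str] = None


@dataclass
class Vsys:
    name: str
    virtualif: str                                 # e.g. Virtualif1
    routes: list = field(default_factory=list)
    zones: dict = field(default_factory=dict)      # interface -> zone name
    policies: list = field(default_factory=list)   # (src_zone, dst_zone, action)

    def route(self, prefix, **kw):
        self.routes.append(Route(ipaddress.ip_network(prefix), **kw))

    def lookup(self, dst):
        """Longest-prefix match in this vsys's own routing table."""
        hits = [r for r in self.routes if dst in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)

    def permits(self, src_zone, dst_zone):
        for s, d, action in self.policies:
            if s == src_zone and d == dst_zone:
                return action == "permit"
        return False   # no matching rule: deny (assumption: firewall default deny)


class NGFW:
    def __init__(self):
        self.vsys = {}

    def add(self, v):
        self.vsys[v.name] = v

    def forward(self, vsys, in_iface, dst):
        """Return the hops a first packet takes, ending in 'out', 'dropped' or 'no route'."""
        dst = ipaddress.ip_address(dst)
        path = []
        for _ in range(8):   # bound the walk in case of a routing loop between vsys
            v = self.vsys[vsys]
            r = v.lookup(dst)
            if r is None:
                return path + [f"{vsys}: no route"]
            out_iface = v.virtualif if r.vsys else r.iface
            # Assumption: root relays between virtual interfaces without policy checks.
            transit = vsys == "root" and in_iface == v.virtualif == out_iface
            if not transit:
                src_zone, dst_zone = v.zones.get(in_iface), v.zones.get(out_iface)
                if not v.permits(src_zone, dst_zone):
                    return path + [f"{vsys}: dropped {src_zone}->{dst_zone}"]
            if r.vsys is None:
                return path + [f"{vsys}: out {r.iface} next hop {r.nexthop or 'connected'}"]
            path.append(f"{vsys}: to {r.vsys} via {out_iface}")
            vsys, in_iface = r.vsys, self.vsys[r.vsys].virtualif
        return path + ["loop"]


def build_ngfw():
    """Routes and policies from the two scenarios above (VSYSA->Internet, VSYSA->VSYSB)."""
    fw = NGFW()
    a = Vsys("VSYSA", "Virtualif1",
             zones={"GE1/0/2": "trust", "Virtualif1": "untrust"},
             policies=[("trust", "untrust", "permit")])
    a.route("3.3.3.3/32", vsys="root")
    a.route("10.3.1.3/32", vsys="root")
    a.route("10.3.0.0/24", iface="GE1/0/2")
    root = Vsys("root", "Virtualif0",
                zones={"GE1/0/1": "untrust", "Virtualif0": "trust"},
                policies=[("trust", "untrust", "permit")])
    root.route("3.3.3.3/32", iface="GE1/0/1", nexthop="1.1.1.254")
    root.route("10.3.0.0/24", vsys="VSYSA")
    root.route("10.3.1.3/32", vsys="VSYSB")
    b = Vsys("VSYSB", "Virtualif2",
             zones={"GE1/0/3": "trust", "Virtualif2": "untrust"},
             policies=[("untrust", "trust", "permit")])
    b.route("10.3.1.3/32", iface="GE1/0/3")
    b.route("10.3.0.0/24", vsys="root")
    for v in (a, root, b):
        fw.add(v)
    return fw


if __name__ == "__main__":
    fw = build_ngfw()
    print(fw.forward("VSYSA", "GE1/0/2", "3.3.3.3"))
    print(fw.forward("VSYSA", "GE1/0/2", "10.3.1.3"))
    print(fw.forward("root", "GE1/0/1", "10.3.0.10"))
```

The walk also shows what the policies above do not permit: a first packet arriving from the Internet on GE1/0/1 for 10.3.0.0/24 is dropped by the root system's Untrust-to-Trust check, and a connection initiated from VSYSB's server toward VSYSA users is dropped in VSYSB, because only the Untrust-to-Trust direction was allowed there.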
Restrictions
Most functions of the NGFW are available in virtual systems. For detailed function availability,
see Function Availability for Virtual Systems. Table 7-2 describes the usage restrictions for
some functions available on virtual systems.
Function | Restrictions
Signature database and system software update | The signature database and system software can only be updated on the root system.
Port management | The ports for services, including HTTP, HTTPS, and SSH, can only be set on the root system.
User management and authentication | The redirection mode for authentication and the authentication page can only be configured on the root system. The user management and authentication configurations of the root system apply to all virtual systems.
Log and report | The log server can only be configured on the root system. The log and report configurations of the root system apply to all virtual systems.
Precautions
A Layer-3 GE, VLAN, or VLANIF interface cannot be assigned in any of the following
situations:
The following configurations of an interface are automatically cleared when the interface is
assigned to a virtual system:
l IP address
l IPSec
l DDoS attack defense
Trunk and hybrid Layer-2 interfaces and Layer-3 interfaces on which subinterfaces are created
may be simultaneously used by multiple virtual systems. Therefore, the Traffic History
displayed on the Dashboard of each virtual system is the total traffic of all virtual systems that
use the interfaces.
Virtual systems can forward only session logs and packet discard logs (excluding policy
matching logs) to the log server of the public system. Attack defense logs of virtual systems can
be displayed only on the device, and they cannot be sent to the log server by the information
center.
Procedure
Step 1 Access the Dashboard page. Click Configure next to Virtual System in the System
Information group area.
----End
l The Virtual System drop-list box is displayed at the upper right corner of the page, as
shown in Figure 7-11. If multiple virtual systems are created on the NGFW, you can select
the name of a virtual system to access the configuration page of the virtual system. In the
drop-list box, root indicates the root system, vsysa and vsysb are the virtual systems that
the administrator has created.
l The Virtual System node is displayed in the navigation tree on the System page.
Context
All virtual systems created on a NGFW share the resources available on the NGFW. To ensure
the availability of system resources for all virtual systems and prevent a virtual system from
overusing system resources, restrict the amount of system resources available for each virtual
system.
To do so, add a resource class, configure the system resources for the resource class, and bind
the resource class to a virtual system.
NOTE
A resource class can be bound to multiple virtual systems. If multiple virtual systems require the same type and
amount of system resources, bind the same resource class to each of these virtual systems.
NOTE
Resource class r0 is bound to the root system by default and cannot be deleted or renamed.
Procedure
Step 1 Check resource usage.
Before allocating resources for virtual systems, check the available resources using a root system
administrator account.
Parameter Description
Name -
----End
Context
A resource class must be specified for a virtual system to allocate resources, such as policy and
concurrent sessions quota.
In addition, interfaces and VLANs must be allocated as required after a virtual system has been
added.
Procedure
Step 1 Choose System > Virtual System > Virtual System.
Step 2 Click Add. Then click the Basic Configuration tab and configure necessary parameters.
Parameter Description
Step 5 To apply the configuration, click Save at the upper right corner of the page. Then click OK in
the dialog box that is displayed.
----End
Follow-up Procedure
After configurations are complete, perform the following operations:
l Check the created virtual system and system resources allocated to it in Virtual System
List.
l Select a virtual system in Virtual System List and click Resource Usage to view the usage
of the resources allocated to the virtual system.
l Select a virtual system and click to access the virtual system administrator page.
To delete a virtual system, select the virtual system in the Virtual System List, and click
Delete. Then, click OK in the dialog box that is displayed. All configurations of the deleted
virtual system are cleared, and all resources allocated to the virtual system are reclaimed.
Context
To enable the communication between the virtual system and root system, you need to correctly
configure the routes and security policies on the virtual system and root system, just as on two
physical devices.
Before the actual configuration, you are advised to read Communication between a virtual
system and the root system and learn about the mechanism for the communication between a
virtual system and the root system.
As shown in Figure 7-13, routes and security policies must be configured to enable the users of
virtual system VSYSA to access the Internet server at IP address 3.3.3.3 through public interface
GE1/0/1 of the root system.
Figure 7-13 Communication between a virtual system and the root system
[Image not reproduced. NGFW: VSYSA (Trust zone) with interface GE1/0/3 10.3.0.1/24 serving users on 10.3.0.0/24; virtual interface to the root system; root system (Untrust zone) with interface GE1/0/1 1.1.1.1/24; ISP gateway 1.1.1.254; Internet server 3.3.3.3]
Procedure
Step 1 Configure routes and security policies on VSYSA.
1. Select vsysa in the Virtual System drop-down list at the upper right corner of the page to
access virtual system VSYSA.
2. Choose Network > Router > Static Route.
3. Click Add and configure a static route to the Internet as follows:
Next Hop -
Interface -
NOTE
An inter-virtual system static route has the destination virtual system specified to guide packet forwarding
for the source virtual system. The packets destined for the destination address are sent from the source
virtual system to the destination virtual system for route searching and packet forwarding.
Inter-virtual system static routes do not have next hops specified.
4. Choose Network > Interface.
5. Click next to the Virtualif1 interface to add the interface to the Untrust zone.
NOTE
The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore, in
actual configurations, the interface might not be Virtualif1. You can view the mapping between the virtual
system and virtual interface in Interface List.
6. Choose Policy > Security Policy > Security Policy.
7. Click Add and configure a security policy as follows:
Name to_internet
Action Permit
Interface -
4. Repeat the preceding step and configure a static route to the users of VSYSA.
Next Hop -
Interface -
Name vsys_to_internet
Action Permit
----End
Context
As shown in Figure 7-14, users connected to VSYSA must use the root system to access the
server connected to VSYSB. The root system acts as a router that connects both virtual systems
and forwards packets from one virtual system to the other.
Before the configuration, you are advised to read Communication Between Two Virtual
Systems and learn about the mechanism for the communication between two virtual systems.
[Figure 7-14 (image not reproduced): root system connected through virtual interfaces to VSYSB (Trust zone) with interface GE1/0/4 10.3.1.1/24 on network 10.3.1.0/24; server 10.3.1.3]
Procedure
Step 1 Configure the routes for the communication between VSYSA and VSYSB on the root system.
NOTE
The root system only forwards packets between virtual systems based on the routing table and does not
implement any security functions. Therefore, you do not need to configure any security policies in the root
system.
1. Select root in the Virtual System drop-down list at the upper right corner of the page to
access the root system.
2. Choose Network > Router > Static Route.
3. Click Add and configure a static route to VSYSB as follows:
Next Hop -
Interface -
NOTE
An inter-virtual system static route has the destination virtual system specified to guide packet forwarding
for the source virtual system. The packets destined for the destination address are sent from the source
virtual system to the destination virtual system for route searching and packet forwarding.
Inter-virtual system static routes do not have next hops specified.
4. Repeat the preceding step and configure a static route to the users of VSYSA.
Next Hop -
Interface -
VSYSA traffic must be transited through the root system. Therefore, the destination virtual system of the
static route must be the root system.
Next Hop -
Interface -
5. Click next to the Virtualif1 interface to add the interface to the Untrust zone.
NOTE
The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore, in
actual configurations, the interface might not be Virtualif1. You can view the mapping between the virtual
system and virtual interface in Interface List.
6. Choose Policy > Security Policy > Security Policy.
7. Click Add and configure a security policy as follows:
Name to_server
Action Permit
VSYSB traffic must be transited through the root system. Therefore, the destination virtual system of the
static route must be the root system.
Next Hop -
Interface -
Name vsysa_to_server
Action Permit
----End
Context
Once a virtual system is created, the root system administrator can configure one or more
administrators for the virtual system. You can log in to and manage the virtual system using the
accounts of these administrators. The root system administrator can create system administrators
for a virtual system only on the configuration page of the virtual system. The method for creating
a virtual system administrator is the same as that for creating a root system administrator.
Data Planning
Item Data
NOTE
The following assumes that VSYSA has already been created and interface GE1/0/3 has already been allocated
for the virtual system as the login interface.
Procedure
Step 1 Create a virtual system administrator.
1. Select vsysa in the Virtual System drop-down list at the upper right corner of the page to
access VSYSA.
2. Choose System > Administrator > Administrator.
3. Click Add and set the parameters.
NOTE
The name of a virtual system administrator must be suffixed with @@Virtual system name.
If a third-party authentication server is used to authenticate the virtual system administrator, the user name
configured on the authentication server does not need to carry the suffix "@@virtual system name". For
example, if the authentication server needs to authenticate administrator admin@@vsysa of virtual system
VSYSA, configure user name admin on the authentication server.
NOTE
Trusted hosts are the IP addresses of the hosts that are allowed to log in to the virtual system. If the IP
address of the administrator PC is fixed, add the IP address as a trusted host so that the administrator can
log in to the virtual system using the PC. If the IP address of the administrator PC is dynamically allocated,
do not configure any trusted hosts. Otherwise, the administrator may fail to log in to the virtual system if
the IP address of the administrator PC changes.
NOTE
Select HTTPS in Access management so that the virtual system administrator can log in to the Web UI
over HTTPS. Another option is HTTP. However, you are advised to select HTTPS for security reasons.
Select Ping so that the interface can be pinged to test the connectivity between the administrator PC and
the login interface.
Step 4 To apply the configuration, click Save at the upper right corner of the page. Then click OK in
the dialog box that is displayed.
----End
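The three checks described in the NOTEs of the procedure above, modelled in an added example that is not Huawei code: the administrator name carries the suffix @@<virtual system name> and is passed to a third-party authentication server without it; trusted hosts, when configured, restrict the source addresses that may log in; and the management protocol must be one enabled for the login interface. The virtual system names, administrator accounts, addresses and function names below are constructed.

```python
"""Login checks for a virtual system administrator.

Added example (not Huawei code). Account data and addresses are constructed.
"""
import ipaddress


def split_admin_name(login):
    """'admin@@vsysa' -> ('admin', 'vsysa'); a name without the suffix belongs to root."""
    if "@@" not in login:
        return login, "root"
    user, _, vsys = login.partition("@@")
    if not user or not vsys or "@@" in vsys:
        raise ValueError(f"malformed virtual system administrator name: {login!r}")
    return user, vsys


def name_for_auth_server(login):
    """Name sent to an external authentication server: the suffix is not included."""
    return split_admin_name(login)[0]


# Constructed data: existing virtual systems, administrators with their trusted
# hosts, and the access services enabled on the login interface.
VIRTUAL_SYSTEMS = {"root", "vsysa"}
ADMINS = {
    "admin@@vsysa": {"trusted_hosts": ["10.3.0.100", "10.3.0.0/28"]},
    "ops@@vsysa": {"trusted_hosts": []},   # PC address is dynamic: no restriction
}
INTERFACE_SERVICES = {"GE1/0/3": {"https", "ping"}}


def may_log_in(login, src_ip, protocol, iface="GE1/0/3",
               admins=ADMINS, vsys_names=VIRTUAL_SYSTEMS, services=INTERFACE_SERVICES):
    """Return (allowed, reason) for a login attempt, before the password is checked."""
    try:
        _, vsys = split_admin_name(login)
    except ValueError as exc:
        return False, str(exc)
    if vsys not in vsys_names:
        return False, f"virtual system {vsys} does not exist"
    if login not in admins:
        return False, "unknown administrator"
    if protocol not in services.get(iface, set()):
        return False, f"{protocol} not enabled on {iface}"
    trusted = admins[login]["trusted_hosts"]
    if trusted:
        # Trusted hosts may be single addresses or networks; an empty list means no restriction.
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in ipaddress.ip_network(h, strict=False) for h in trusted):
            return False, f"{src_ip} is not a trusted host"
    return True, "ok"


if __name__ == "__main__":
    for attempt in [("admin@@vsysa", "10.3.0.100", "https"),
                    ("admin@@vsysa", "10.3.0.50", "https"),
                    ("admin@@vsysa", "10.3.0.100", "http"),
                    ("ops@@vsysa", "198.51.100.7", "https")]:
        print(attempt, "->", may_log_in(*attempt))
```

Note that an administrator whose PC has a dynamic address and therefore no trusted hosts (ops@@vsysa above) can log in from anywhere the login interface is reachable, which is the trade-off the NOTE on trusted hosts describes.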
Follow-up Procedure
After the configuration is complete, you can log in to the virtual system as the virtual system
administrator as follows:
1. Open a browser and enter https://10.3.0.1:Port number. Port number indicates the port
number specified when you enable the HTTPS service.
NOTE
If the browser displays a certificate error page, ignore it and continue to the website.
2. On the login page, enter the user name (admin@@vsysa) and password
(Vsysadmin@123) of the virtual system administrator and click Login to log in to the
virtual system.
Procedure
Step 1 Access the system view and run the following command to enable the virtual system function.
vsys enable
----End
Context
All virtual systems created on a NGFW share the resources available on the NGFW. To ensure
the availability of system resources for all virtual systems and prevent a virtual system from
overusing system resources, restrict the amount of system resources available for each virtual
system.
To do so, add a resource class, configure the system resources available for the resource class,
and bind the resource class to the virtual system.
NOTE
A resource class can be bound to multiple virtual systems. If multiple virtual systems require the same type and
amount of system resources, configure a single resource class and bind the resource class to each of these
virtual systems.
Procedure
Step 1 Run the following command to check resource usage.
Check the available resources as the root system administrator before allocating resources for
virtual systems.
The following is a sample command output of the display resource global-resource command:
<NGFW> display resource global-resource
Global resource table:
------------------------------------------------------------
Global-Num Remain-Num RemUse-Num
session 3000000 3000000 1
policy 15000 15000 18
online-user 4000 4000 0
user 4000 4000 17
user-group 512 512 14
security-group 5000 5000 4
bandwidth-ingress 10000000 10000000 0
ssl-vpn-concurrent 500 500 0
session-rate 30000 30000 0
dhcps-dynamic-lease 15000 15000 100
dhcps-static-lease 5000 5000 0
------------------------------------------------------------
Number of available resources = Number of reserved resources on the root system (Remain-Num) - Number of resources used by the root system (RemUse-Num)
Ensure that the guaranteed amount of a specified resource allocated to a virtual system does not
exceed the amount of available resources.
Step 2 In the system view, run the following command to create a resource class and access the resource
class view.
resource-class resource-class-name
Step 3 Configure the guaranteed and maximum amount of resources available for a virtual system.
NOTE
l Guaranteed value: Minimum amount of a specified resource item available for a virtual system. Once this
amount of a resource is allocated to a virtual system, it is used exclusively by that virtual system.
l Maximum value: Maximum allowed amount of a specified resource item available for a virtual system.
Whether the resources used by a virtual system can reach the maximum amount is determined by the
resources used by other virtual systems.
----End
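The check in Step 1 can be automated against the command output. The following is an added example, not Huawei code: it parses the sample output of display resource global-resource shown above, computes the available amount of each item as Remain-Num minus RemUse-Num, and reports any item for which a planned guaranteed value exceeds it. The planned values and the function names are constructed.

```python
"""Parse 'display resource global-resource' output and check a planned allocation.

Added example (not Huawei code). SAMPLE_OUTPUT is the output shown in the
text; the plan checked against it is constructed.
"""

SAMPLE_OUTPUT = """\
<NGFW> display resource global-resource
Global resource table:
------------------------------------------------------------
                       Global-Num   Remain-Num   RemUse-Num
session                3000000      3000000      1
policy                 15000        15000        18
online-user            4000         4000         0
user                   4000         4000         17
user-group             512          512          14
security-group         5000         5000         4
bandwidth-ingress      10000000     10000000     0
ssl-vpn-concurrent     500          500          0
session-rate           30000        30000        0
dhcps-dynamic-lease    15000        15000        100
dhcps-static-lease     5000         5000         0
------------------------------------------------------------
"""


def parse_global_resource(text):
    """Return {item: {"global": n, "remain": n, "used": n}} from the command output."""
    rows = {}
    for line in text.splitlines():
        parts = line.split()
        # Data rows are exactly a name followed by three integers; the prompt,
        # headers and separator lines have a different shape and are skipped.
        if len(parts) == 4 and all(p.isdigit() for p in parts[1:]):
            name, glob, remain, used = parts
            rows[name] = {"global": int(glob), "remain": int(remain), "used": int(used)}
    return rows


def available(rows, item):
    """Amount of an item that can still be guaranteed to virtual systems."""
    return rows[item]["remain"] - rows[item]["used"]


def check_plan(rows, plan):
    """Return {item: reason} for every planned guaranteed value that cannot be honoured.

    plan maps a resource item name to the guaranteed value of a new resource class.
    """
    problems = {}
    for item, guaranteed in plan.items():
        if item not in rows:
            problems[item] = "unknown resource item"
        elif guaranteed > available(rows, item):
            problems[item] = f"guaranteed {guaranteed} > available {available(rows, item)}"
    return problems


if __name__ == "__main__":
    rows = parse_global_resource(SAMPLE_OUTPUT)
    plan = {"session": 100_000, "policy": 14_990, "user": 20}   # constructed plan
    print(check_plan(rows, plan) or "plan fits the available resources")
```

Running the check before creating the resource class catches the case the text warns about: here the planned policy guarantee of 14,990 exceeds the 14,982 policies the root system has left once its own 18 are subtracted.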
Follow-up Procedure
To rename a created resource class, run rename in the resource class view.
<NGFW> system-view
[NGFW] resource-class r1
[NGFW-resource-class-r1] rename r2
[NGFW-resource-class-r2]
Context
A resource class must be specified for a virtual system to allocate resources, such as policy and
concurrent sessions quota.
In addition, interfaces and VLANs must be allocated as required after a virtual system has been
added.
Procedure
Step 1 Run the following command in the system view to create a virtual system and access the
management view of the virtual system.
vsys name vsys-name
Step 2 Optional: Run the following command to configure the description of a virtual system.
description description
The description must clearly indicate the function of the virtual system so that virtual systems
can be easily searched for.
Step 3 Bind a resource class to the virtual system.
assign resource-class resource-class-name
Step 4 Allocate interfaces or VLANs for the added virtual system.
l Run the following command to allocate interfaces for the added virtual system.
assign interface interface-type interface-number
The interface must be an available Layer-3 Ethernet interface or Layer-3 Ethernet
subinterface.
l Run the following command to allocate the VLAN to the added virtual system.
assign vlan vlan-id
The Layer-2 interface or VLANIF interfaces of the VLAN are also available for the virtual
system.
Step 5 Save the current configuration in the user view.
save [ configuration-file ]
You are advised to save the current configuration after the virtual system is created.
----End
Follow-up Procedure
After configurations are complete, perform the following:
l Run the display vsys [ vsys-name ] [ verbose ] command to view the configuration of the
created virtual system.
l Run the display resource resource-usage vsys vsys-name command to view the resources
used by the virtual system.
l Run the switch vsys vsys-name command in the system view to access the virtual system
view and configure services on the virtual system.
l Run the undo vsys name vsys-name command in the system view to delete a virtual system.
All configurations of the deleted virtual system are cleared, and all resources allocated to
the virtual system are reclaimed.
Context
To enable the communication between the virtual system and root system, you need to correctly
configure the routes and security policies on the virtual system and root system, just as on two
physical devices.
Before the actual configuration, you are advised to read Communication between a virtual
system and the root system and learn about the mechanism for the communication between a
virtual system and the root system.
As shown in Figure 7-15, routes and security policies must be configured to enable the users of
VSYSA to access the Internet server at IP address 3.3.3.3 through public interface GE1/0/1 of
the root system.
Figure 7-15 Communication between a virtual system and the root system
[Image not reproduced. NGFW: VSYSA (Trust zone) with interface GE1/0/3 10.3.0.1/24 serving users on 10.3.0.0/24; virtual interface to the root system; root system (Untrust zone) with interface GE1/0/1 1.1.1.1/24; ISP gateway 1.1.1.254; Internet server 3.3.3.3]
Procedure
Step 1 Configure routes and security policies on VSYSA.
# Access the VSYSA view.
<NGFW> system-view
[NGFW] switch vsys vsysa
NOTE
Users connected to VSYSA access the Internet through the public interface of the root system. Therefore, the
destination VPN of the static route must be the VPN instance named public of the root system.
[NGFW-vsysa] ip route-static 3.3.3.3 32 public
NOTE
The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore, the actual
interface may not be Virtualif1. To view the virtual interface of the virtual system, run display interface
brief.
[NGFW-vsysa] firewall zone untrust
[NGFW-vsysa-zone-untrust] add interface Virtualif1
[NGFW-vsysa-zone-untrust] quit
# Configure the policies for users of VSYSA to access the server on the Internet.
[NGFW-vsysa] security-policy
[NGFW-vsysa-policy-security] rule name to_internet
[NGFW-vsysa-policy-security-rule-to_internet] source-zone trust
[NGFW-vsysa-policy-security-rule-to_internet] destination-zone untrust
[NGFW-vsysa-policy-security-rule-to_internet] source-address 10.3.0.0 24
[NGFW-vsysa-policy-security-rule-to_internet] destination-address 3.3.3.3 32
[NGFW-vsysa-policy-security-rule-to_internet] action permit
[NGFW-vsysa-policy-security-rule-to_internet] quit
[NGFW-vsysa-policy-security] quit
# Configure a static route to the Internet server 3.3.3.3 and set the next hop of the route to
1.1.1.254.
[NGFW] ip route-static 3.3.3.3 32 1.1.1.254
NOTE
After a virtual system is created, the NGFW creates a VPN instance of the same name for the virtual system.
When configuring the static route to a specified virtual system, set the destination VPN of the static route to the
VPN instance corresponding to the virtual system.
[NGFW] ip route-static 10.3.0.0 24 vpn-instance vsysa
# Add virtual interface Virtualif0 of the root system to the Trust zone.
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface Virtualif0
[NGFW-zone-trust] quit
# Configure the policies for users of VSYSA to access the server on the Internet.
[NGFW] security-policy
[NGFW-policy-security] rule name vsys_to_internet
[NGFW-policy-security-rule-vsys_to_internet] source-zone trust
[NGFW-policy-security-rule-vsys_to_internet] destination-zone untrust
[NGFW-policy-security-rule-vsys_to_internet] source-address any
[NGFW-policy-security-rule-vsys_to_internet] destination-address any
[NGFW-policy-security-rule-vsys_to_internet] action permit
[NGFW-policy-security-rule-vsys_to_internet] quit
[NGFW-policy-security] quit
----End
Context
As shown in Figure 7-16, users of virtual system VSYSA must use the root system to access
the server connected to virtual system VSYSB. The root system acts as a router that connects
both virtual systems and forwards packets from one virtual system to the other.
Before the configuration, you are advised to read Communication Between Two Virtual
Systems and learn about the mechanism for the communication between two virtual systems.
[Figure 7-16 (image not reproduced): root system connected through virtual interfaces to VSYSB (Trust zone) with interface GE1/0/4 10.3.1.1/24 on network 10.3.1.0/24; server 10.3.1.3]
Procedure
Step 1 Configure the routes for the communication between virtual systems VSYSA and VSYSB on
the root system.
NOTE
The root system only forwards packets between virtual systems based on the routing table and does not
implement any security functions. Therefore, you do not need to configure any security policies in the root
system.
NOTE
After a virtual system is created, the NGFW creates a VPN instance of the same name for the virtual system.
When configuring the static route to a specified virtual system, set the destination VPN of the static route to the
VPN instance corresponding to the virtual system.
<NGFW> system-view
[NGFW] ip route-static 10.3.0.0 24 vpn-instance vsysa
NOTE
The traffic destined for VSYSB passes the root system. Therefore, configure the destination VPN of the static
route to the VPN instance named public of the root system.
[NGFW-vsysa] ip route-static 10.3.1.3 32 public
# Configure a static route to users of VSYSA with interface GE1/0/3 as the outgoing interface.
[NGFW-vsysa] ip route-static 10.3.0.0 24 GigabitEthernet 1/0/3
NOTE
The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore, the actual
interface may not be Virtualif1. To view the virtual interface of the virtual system, run display interface
brief.
[NGFW-vsysa] firewall zone untrust
[NGFW-vsysa-zone-untrust] add interface Virtualif1
[NGFW-vsysa-zone-untrust] quit
# Configure the policies for users of VSYSA to access the server connected to VSYSB.
[NGFW-vsysa] security-policy
[NGFW-vsysa-policy-security] rule name to_server
[NGFW-vsysa-policy-security-rule-to_server] source-zone trust
[NGFW-vsysa-policy-security-rule-to_server] destination-zone untrust
[NGFW-vsysa-policy-security-rule-to_server] source-address 10.3.0.0 24
[NGFW-vsysa-policy-security-rule-to_server] destination-address 10.3.1.3 32
[NGFW-vsysa-policy-security-rule-to_server] action permit
[NGFW-vsysa-policy-security-rule-to_server] quit
[NGFW-vsysa-policy-security] quit
# Configure a static route to the server connected to VSYSB with interface GE1/0/4 as the
outgoing interface.
[NGFW-vsysb] ip route-static 10.3.1.0 24 GigabitEthernet 1/0/4
NOTE
The traffic destined for VSYSA passes the root system. Therefore, configure the destination VPN of the static
route to the VPN instance named public of the root system.
[NGFW-vsysb] ip route-static 10.3.0.0 24 public
# Configure the policies for users of VSYSA to access the server connected to VSYSB.
[NGFW-vsysb] security-policy
[NGFW-vsysb-policy-security] rule name vsysa_to_server
[NGFW-vsysb-policy-security-rule-vsysa_to_server] source-zone untrust
[NGFW-vsysb-policy-security-rule-vsysa_to_server] destination-zone trust
[NGFW-vsysb-policy-security-rule-vsysa_to_server] source-address 10.3.0.0 24
[NGFW-vsysb-policy-security-rule-vsysa_to_server] destination-address 10.3.1.3 32
[NGFW-vsysb-policy-security-rule-vsysa_to_server] action permit
[NGFW-vsysb-policy-security-rule-vsysa_to_server] quit
[NGFW-vsysb-policy-security] quit
----End
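To see how the static routes above hand a packet from VSYSA through the root system's public instance to VSYSB, here is an added Python model of the lookups (example code, not Huawei's). The vsysa and vsysb entries are the routes configured above; the root-system entries are assumed and follow the vpn-instance route form used in the configuration scripts later in this section.

```python
"""Offline model of static-route lookups across virtual systems (added example)."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# (destination prefix, next hop). A next hop is an outgoing interface, "public"
# (hand the packet to the root system's table) or "vpn-instance <vsys>" (hand
# it to that virtual system's table).
Route = Tuple[str, str]

# Constructed tables. The vsysa and vsysb entries are the routes configured in
# the procedure above; the root ("public") entries are ASSUMED for this example.
ROUTE_TABLES: Dict[str, List[Route]] = {
    "public": [
        ("0.0.0.0/0", "GigabitEthernet1/0/1"),
        ("10.3.0.0/24", "vpn-instance vsysa"),
        ("10.3.1.0/24", "vpn-instance vsysb"),
    ],
    "vsysa": [
        ("10.3.1.3/32", "public"),
        ("10.3.0.0/24", "GigabitEthernet1/0/3"),
    ],
    "vsysb": [
        ("10.3.1.0/24", "GigabitEthernet1/0/4"),
        ("10.3.0.0/24", "public"),
    ],
}

# Constructed misconfiguration: a vsys default route to public combined with an
# over-broad root route back into the vsys. Packets for 10.3.x.y addresses that
# neither side actually owns bounce between the two tables.
LOOPING_TABLES: Dict[str, List[Route]] = {
    "public": [
        ("0.0.0.0/0", "GigabitEthernet1/0/1"),
        ("10.3.0.0/16", "vpn-instance vsysa"),
    ],
    "vsysa": [
        ("0.0.0.0/0", "public"),
        ("10.3.0.0/24", "GigabitEthernet1/0/3"),
    ],
}


def lookup(tables: Dict[str, List[Route]], instance: str, dst_ip: str) -> Optional[str]:
    """Longest-prefix match in one instance's table; None when nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for prefix, next_hop in tables.get(instance, []):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def trace(tables: Dict[str, List[Route]], start: str, dst_ip: str) -> List[Tuple[str, Optional[str]]]:
    """Follow a packet from `start` until it leaves on an interface.

    Returns one (instance, next hop) pair per lookup. A next hop of None means
    the instance had no route; "loop" means the packet returned to an instance
    it had already visited, so it can never be delivered.
    """
    hops: List[Tuple[str, Optional[str]]] = []
    visited = set()
    instance = start
    while instance not in visited:
        visited.add(instance)
        next_hop = lookup(tables, instance, dst_ip)
        hops.append((instance, next_hop))
        if next_hop is None:
            return hops                      # black-holed: no route
        if next_hop == "public":
            instance = "public"
        elif next_hop.startswith("vpn-instance "):
            instance = next_hop.split()[1]
        else:
            return hops                      # delivered on an interface
    hops.append((instance, "loop"))
    return hops


if __name__ == "__main__":
    print(trace(ROUTE_TABLES, "vsysa", "10.3.1.3"))
    print(trace(LOOPING_TABLES, "vsysa", "10.3.5.1"))
```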
Context
Once a virtual system is created, the root system administrator can configure one or more
administrators for the virtual system. You can log in to and manage the virtual system using the
accounts of these administrators. The root system administrator can create system administrators
for a virtual system only on the configuration page of the virtual system. The method for creating
a virtual system administrator is the same as that for creating a root system administrator.
Data Planning
NOTE
The following assumes that VSYSA has already been created and interface GE1/0/3 has already been allocated
for the virtual system as the login interface.
If you have already configured the administrators that log in to the CLI using Telnet, perform only the operations
in Step 4 through Step 6.
Procedure
Step 1 Enable Telnet.
<NGFW> system-view
[NGFW] telnet server enable
# Configure five VTY administrator interfaces that support AAA and Telnet and set the level
of the VTY administrator interfaces to 3.
[NGFW] user-interface vty 0 4
[NGFW-ui-vty0-4] authentication-mode aaa
[NGFW-ui-vty0-4] user privilege level 3
[NGFW-ui-vty0-4] quit
NOTE
To ensure that the administrator can log in to the device, you are advised to set the level of the VTY administrator
interfaces to 3 or higher.
Step 3 Configure the automatic lockout function for failed login attempts.
By default, an account is locked for 30 minutes after three consecutive login failures. In the
following example, the account is locked for 10 minutes after five consecutive login failures.
[NGFW] aaa
[NGFW-aaa] lock-authentication enable
NOTE
The name of a virtual system administrator must be suffixed with @@Virtual system name.
If a third-party authentication server is used to authenticate the virtual system administrator, the user name
configured on the authentication server does not need to carry the suffix "@@virtual system name". For example,
if the authentication server needs to authenticate administrator admin@@vsysa of virtual system VSYSA,
configure user name admin on the authentication server.
NOTE
To ensure that the administrator can log in to the device properly, you are advised to set the administrator level
to 3 or higher.
The maximum number of the connections for the account must be smaller than the number of online users
configured for the virtual system.
NOTE
Trusted hosts are the IP addresses of the hosts that are allowed to log in to the virtual system. If the IP address
of the administrator PC is fixed, add the IP address as a trusted host so that the administrator can log in to the
virtual system using the PC. If the IP address of the administrator PC is dynamically allocated, do not configure
any trusted hosts. Otherwise, the administrator may fail to log in to the virtual system if the IP address of the
administrator PC changes.
# Configure the interface IP address and interface-based access control and enable the
administrator to log in to the device through HTTPS.
[NGFW-vsysa] interface GigabitEthernet 1/0/3
[NGFW-vsysa-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[NGFW-vsysa-GigabitEthernet1/0/3] service-manage enable
----End
Follow-up Procedure
After the configuration is complete, the virtual system administrator can log in to the virtual
system as follows:
1. The following uses the Windows operating system as an example. Choose Start > Run.
The Run dialog box is displayed. Then enter telnet 10.3.0.1 in Open.
Context
As shown in Figure 7-17, each virtual system has independent resources, such as interfaces,
security zones, and user quotas, and acts as a separate device. Configuring services for a virtual
system is the same as configuring services for the root system. However, certain functions may
be restricted by the resource limits of the virtual system and the permissions of virtual system
administrators.
[Figure 7-17, networking diagram (image not reproduced): VSYSA with interfaces GE1/0/3, GE1/0/1, and GE1/0/6 in the Trust, Untrust, and DMZ zones; networks 10.3.0.0/24 and 10.2.0.0/24]
The following procedure covers only the key points and precautions in configuring virtual system
services. For details, see corresponding sections in the administrator guide.
Procedure
Step 1 Access the configuration page of the virtual system.
Virtual system services can be configured by the root system or virtual system administrator.
The root system and virtual system administrators access the virtual system in different ways.
For details, see Table 7-3.
The key step in the configuration of a service interface is to add the configured interface to a
proper security zone. After interfaces are assigned to proper security zones, the networks
connected to these interfaces are divided. Then, you can configure services specific to security
zones. By default, security zones Trust, Untrust, DMZ, and Local are created on each virtual
system. Plan the security zones on a virtual system by following the same rules that apply to the
root system.
Table 7-3 lists the interface types that may be available on a virtual system and their
configuration descriptions.
NOTE
The root system administrator has already completed the configuration of the interfaces before assigning them
to virtual systems. Therefore, these interfaces are not configurable on the virtual system.
In common cases, security policies are required for the following types of traffic:
l Traffic destined from intranet users to the Internet in the Untrust zone
l Traffic destined from intranet users in the Trust zone to the intranet server in the DMZ zone
l Traffic destined from Internet users in the Untrust zone to the intranet server in the DMZ
zone
Each security policy can reference different content security profiles to implement content
security functions, such as antivirus, intrusion prevention, URL filtering, file blocking, content
filtering, application behavior control, and anti-spam.
If the number of public IP addresses is insufficient, you can configure NAT policies to support
Internet access of intranet users. You can also use NAT policies to hide network topology.
For example, you can configure a NAT policy for the virtual system in Table 7-3 as follows:
l Configure a source NAT policy in the Trust->Untrust interzone so that intranet users can
access the Internet by sharing a few public IP addresses.
l Configure the NAT Server in the Untrust->DMZ interzone so that public network users can
access the server on the intranet.
To implement user-specific access and permission control, create users and add them to different
groups. Then, configure authentication policies for user groups.
For example, as shown in Figure 7-17, you can add the senior executives to one group and
common employees to another user group and configure different authentication policies for
the user groups. The configurations give senior executives full Internet access without being
authenticated, whereas common employees must be authenticated before obtaining Internet
access.
Table 7-4 Configure other security functions for the created virtual system.
Configure SSL VPN. SSL VPN allows users to access the resources on the intranet over the Internet.
----End
Networking Requirements
Medium-sized enterprise A deploys a firewall as the network gateway. The network of this
enterprise is divided into three subnets respectively for the R&D, financial, and administrative
department. The security policies for the three departments are different and must meet the
following requirements:
l The intranet has only one public IP address and one outside interface. Therefore, all
departments must use the same interface to access the Internet.
l Internet access is granted to all employees of the administrative department, some
employees of the R&D department, but none of the employees of the financial department.
l The three departments have similar traffic volumes and therefore are assigned the same
amount of virtual system resources.
Configure virtual systems to meet the preceding requirements. Figure 7-18 shows the
networking diagram.
Figure 7-18 Networking diagram of network isolation (Layer-3 access, virtual systems sharing
the WAN interface of the root system)
[Diagram: intranet departments attached to the NGFW, all in the Trust zone. R&D department 10.3.0.0/24 via GE1/0/3 (10.3.0.1/24) to VSYSA; financial department 10.3.1.0/24 via GE1/0/4 (10.3.1.1/24) to VSYSB; administrative department 10.3.2.0/24 via GE1/0/5 (10.3.2.1/24) to VSYSC; root system WAN interface GE1/0/1 1.1.1.1/24]
Data Planning
Configuration Roadmap
1. The root system administrator creates three virtual systems VSYSA, VSYSB, and VSYSC,
assigns resources, and configures an administrator for each virtual system.
2. The root system administrator configures routes and NAT policies for intranet users to
access the Internet.
3. The administrator of the R&D department logs in to the NGFW to configure IP addresses,
routes, and security policies for VSYSA.
4. The administrator of the financial department logs in to the NGFW to configure IP
addresses, routes, and security policies for VSYSB.
5. The administrator of the administrative department logs in to the NGFW to configure IP
addresses, routes, and security policies for VSYSC.
Procedure
Step 1 The root system administrator creates virtual systems VSYSA, VSYSB, and VSYSC and assigns
resources to them.
1. Use the account of the root system administrator to log in to the NGFW web UI.
2. Select Dashboard. Click Configure of Virtual System in the System Information
dashboard, select Enable of Virtual System, and click Apply.
3. Choose System > Virtual System > Resource Class and click Add. Then set resource
class parameters as follows.
4. Choose System > Virtual System > Virtual System and click Add. Then configure basic
information for VSYSA as follows.
5. Click the Assign Interface tab and click to assign the GE1/0/3 interface to VSYSA.
6. Click Save on the upper right of the panel to save the configurations.
7. Create virtual systems VSYSB and VSYSC by referring to the preceding substeps and
assign the GE1/0/4 interface to VSYSB and the GE1/0/5 interface to VSYSC.
Step 2 The root system administrator configures administrators for virtual systems.
1. Select vsysa from the Virtual System drop-down list at the upper right corner.
2. Choose System > Administrator > Administrator and click Add. Then configure
parameters for VSYSA. The following figure shows the example parameter settings.
Step 3 The root system administrator configures routes, security policies, and NAT policies for intranet
users to access the Internet.
1. Choose Network > Interface and click corresponding to GE1/0/1. Then configure a
security zone and an IP address as follows.
4. Click Add and configure a static route as follows. This static route is used to divert to
VSYSA the Internet traffic requested by users of VSYSA.
5. Click Add and configure a static route as follows. This static route is used to divert to
VSYSC the Internet traffic requested by users of VSYSC.
6. Choose Policy > Security Policy > Security Policy and click Add. Then configure a
security policy as follows. This security policy allows intranet users to access the Internet.
A virtual system administrator can configure security policies specific to intranet users' IP
addresses. Therefore, the root system administrator does not need to specify IP address
ranges but selects any when configuring a security policy.
7. Choose Policy > NAT Policy > Source NAT > Source NAT and click Add. Then configure
a NAT policy as follows.
Step 4 The administrator of the R&D department configures IP addresses, routes, and security policies
for VSYSA.
1. Use the virtual system administrator account admin@@vsysa to log in to the NGFW web
UI.
2. Choose Network > Interface and click corresponding to the GE1/0/3 interface. Then
configure a security zone and an IP address for the GE1/0/3 interface as follows.
The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore,
the actual interface may not be Virtualif1. You can view the mapping between virtual systems and
virtual interfaces in Interface List.
4. Choose Network > Router > Static Router and click Add. Then configure a static route
as follows. This static route is used to divert the Internet traffic requested by users of
VSYSA to the root system.
NOTE
For simplicity, this example is based on the assumption that VSYSA only processes the Internet
access of intranet users. Therefore, in this example, Destination Address/Mask is set to
0.0.0.0/0.0.0.0 so that all packets are sent to the root system by default. In real-world configurations,
to ensure correct routing, you must set Destination Address/Mask to a specific IP address range
that is allowed to access the Internet. If the routing configuration is incorrect, the private networks
attached to VSYSA may not communicate with each other.
5. Choose Object > Address > Address and click Add. Then configure IP addresses.
6. Choose Policy > Security Policy > Security Policy and click Add. Then configure a
security policy A as follows. This security policy allows intranet users of a specific network
segment to access the Internet.
7. Configure a security policy B by referring to the preceding substeps, which blocks all the
other intranet users from accessing the Internet. The priority of security policy B is lower
than that of security policy A. Therefore, you do not need to specify IP address ranges for
security policy B but select any.
8. Click Save on the upper right of the panel to save the configurations.
The configuration is similar to that of the R&D department except the following:
----End
Verification
l Access the Internet from the administrative department. If the access succeeds, the IP
addresses, security policies of VSYSC, and NAT policy of the root system are correctly
configured.
l Access the Internet from the financial department. If the access fails, the IP addresses and
security policies of VSYSB are correctly configured.
l Use a PC that is allowed to access the Internet and a PC that is not allowed to access the
Internet from the R&D department and use the PCs to access the Internet. If the results are
as expected, the IP addresses and security policies of VSYSA are correctly configured.
Configuration Scripts
Configuration script of the root system
#
sysname NGFW
#
vsys enable
#
resource-class r1
resource-item-limit session reserved-number 10000 maximum 50000
resource-item-limit policy reserved-number 300
resource-item-limit user reserved-number 300
resource-item-limit user-group reserved-number 10
resource-item-limit bandwidth-ingress reserved-number 0 maximum 100000
#
vsys name vsysa 1
assign resource-class r1
assign interface GigabitEthernet1/0/3
#
vsys name vsysb 2
assign resource-class r1
assign interface GigabitEthernet1/0/4
#
vsys name vsysc 3
assign resource-class r1
assign interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface Virtualif0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 1.1.1.254
ip route-static 10.3.0.0 255.255.255.0 vpn-instance vsysa
ip route-static 10.3.2.0 255.255.255.0 vpn-instance vsysc
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
action permit
#
nat-policy
rule name nat1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address address-set 10.3.0.0 16
action nat easy-ip
#
return
#
aaa
#
manager-user admin@@vsysa
password cipher %@%@@~QEN4"Db/xmvR'5@=5)^`WN]~h`Mwn-{BNPy#ZYE>`6`f]X%@%@
service-type web telnet ssh
level 15
ssh authentication-type password
ssh service-type stelnet
authentication-scheme admin_local
#
bind manager-user admin@@vsysa role system-admin
#
ip address-set ipaddress1 type object
address 0 range 10.3.0.2 10.3.0.10
#
ip route-static 0.0.0.0 0.0.0.0 public
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
source-address address-set ipaddress1
action permit
rule name to_internet2
source-zone trust
destination-zone untrust
action deny
#
return
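Security policy A (a permit for the address set) must sit above security policy B (a deny for any source), as Step 4 of the procedure above explains; the following added Python example (not Huawei's code) parses the VSYSA script above into its address set and rules, evaluates first-match decisions for sample hosts, and flags rules that an earlier rule shadows, which is what happens if B is placed above A. It assumes that traffic matching no rule is denied.

```python
"""First-match simulator for the VSYSA security policy above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: the relevant part of the VSYSA configuration script above.
VSYSA_SCRIPT = """\
ip address-set ipaddress1 type object
 address 0 range 10.3.0.2 10.3.0.10
#
security-policy
 rule name to_internet
  source-zone trust
  destination-zone untrust
  source-address address-set ipaddress1
  action permit
 rule name to_internet2
  source-zone trust
  destination-zone untrust
  action deny
#
"""

Range = Tuple[int, int]  # inclusive IPv4 range as integers


@dataclass
class Rule:
    name: str
    source_zone: str = "any"
    destination_zone: str = "any"
    source_set: Optional[str] = None  # None means any source address
    action: str = "deny"


def parse_script(text: str) -> Tuple[Dict[str, List[Range]], List[Rule]]:
    """Collect address sets and security-policy rules in configured order."""
    sets: Dict[str, List[Range]] = {}
    rules: List[Rule] = []
    current_set: Optional[str] = None
    in_policy = False
    for raw in text.splitlines():
        line = raw.strip()
        tok = line.split()
        if not tok:
            continue
        if line == "#":                        # block separator in the script
            current_set, in_policy = None, False
        elif tok[:2] == ["ip", "address-set"]:
            current_set = tok[2]
            sets[current_set] = []
        elif current_set and len(tok) == 5 and tok[0] == "address" and tok[2] == "range":
            sets[current_set].append((int(ipaddress.ip_address(tok[3])),
                                      int(ipaddress.ip_address(tok[4]))))
        elif line == "security-policy":
            in_policy = True
        elif in_policy and tok[:2] == ["rule", "name"]:
            rules.append(Rule(name=tok[2]))
        elif in_policy and rules:               # attribute of the current rule
            rule = rules[-1]
            if tok[0] == "source-zone":
                rule.source_zone = tok[1]
            elif tok[0] == "destination-zone":
                rule.destination_zone = tok[1]
            elif tok[:2] == ["source-address", "address-set"]:
                rule.source_set = tok[2]
            elif tok[0] == "action":
                rule.action = tok[1]
    return sets, rules


def _matches(rule: Rule, sets, src_zone: str, dst_zone: str, ip_int: int) -> bool:
    if rule.source_zone not in ("any", src_zone) or rule.destination_zone not in ("any", dst_zone):
        return False
    if rule.source_set is None:
        return True
    return any(lo <= ip_int <= hi for lo, hi in sets.get(rule.source_set, []))


def evaluate(rules: List[Rule], sets, src_zone: str, dst_zone: str, src_ip: str) -> str:
    """Action of the first matching rule. ASSUMPTION: unmatched traffic is denied."""
    ip_int = int(ipaddress.ip_address(src_ip))
    for rule in rules:
        if _matches(rule, sets, src_zone, dst_zone, ip_int):
            return rule.action
    return "deny"


def shadowed_rules(rules: List[Rule], sets) -> List[str]:
    """Rules that can never match because an earlier rule with the same zone pair
    already covers every source address they name (e.g. policy B placed above A)."""
    shadowed = []
    for i, rule in enumerate(rules):
        ranges = sets.get(rule.source_set, []) if rule.source_set else None
        for earlier in rules[:i]:
            if (earlier.source_zone, earlier.destination_zone) != (rule.source_zone, rule.destination_zone):
                continue
            earlier_ranges = sets.get(earlier.source_set, [])
            covered = earlier.source_set is None or (ranges is not None and all(
                any(elo <= lo and hi <= ehi for elo, ehi in earlier_ranges) for lo, hi in ranges))
            if covered:
                shadowed.append(rule.name)
                break
    return shadowed
```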
Networking Requirements
As shown in Figure 7-19, an NGFW is deployed in area A of a large campus network as the access
gateway. The network of area A comprises the R&D and non-R&D departments, which have
different network access permissions. Requirements are as follows:
l Some employees in the R&D department can access the Internet, and all employees in the
non-R&D department can access the Internet.
l The R&D and non-R&D departments are isolated from each other and cannot communicate.
l The service volumes of the R&D and non-R&D departments are nearly the same. Therefore,
the same virtual system resources are allocated to them.
Figure 7-19 Networking diagram of network isolation (Layer-3 access, virtual systems having
independent WAN interfaces)
[Diagram: area A intranet attached to the NGFW. R&D department 10.3.0.0/24 via GE1/0/3 (10.3.0.1/24, Trust) to VSYSA with its own WAN interface GE1/0/1 10.1.1.8/24; non-R&D department 10.3.1.0/24 via GE1/0/4 (10.3.1.1/24, Trust) to VSYSB with its own WAN interface GE1/0/2 10.1.1.9/24; upstream next hop 10.1.1.1/24]
Data Planning
Configuration Roadmap
1. The root system administrator creates two virtual systems, VSYSA and VSYSB, and assigns
resources to them.
2. The root system administrator configures IP addresses, routes, security policies, and NAT
policies for VSYSA.
3. The root system administrator configures IP addresses, routes, security policies, and NAT
policies for VSYSB.
Procedure
Step 1 The root system administrator creates virtual systems VSYSA and VSYSB and assigns
resources to them.
1. Use the account of the root system administrator to log in to the NGFW web UI.
2. Select Dashboard. Click Configure of Virtual System in the System Information
dashboard, select Enable of Virtual System, and click Apply.
3. Choose System > Virtual System > Resource Class and click Add. Then set resource
class parameters as follows.
4. Choose System > Virtual System > Virtual System and click Add. Then configure basic
information for VSYSA as follows.
5. Click the Assign Interface tab and click to assign the GE1/0/1 and GE1/0/3 interfaces
to VSYSA.
6. Click Save on the upper right of the panel to save the configurations.
7. Create virtual system VSYSB by referring to the preceding substeps and assign the
GE1/0/2 and GE1/0/4 interfaces to VSYSB.
Step 2 The root system administrator configures IP addresses, routes, security policies, and NAT
policies for VSYSA.
1. Select vsysa from the Virtual System drop-down list at the upper right corner.
2. Choose Network > Interface and click corresponding to GE1/0/1. Then configure a
security zone and an IP address as follows.
4. Choose Network > Router > Static Router and click Add. Then configure a static route
as follows.
5. Choose Object > Address > Address and click Add. Then configure IP addresses.
6. Choose Policy > Security Policy > Security Policy and click Add. Then configure
security policy A as follows. This security policy allows intranet users of a specific network
segment to access the Internet.
7. Configure security policy B by referring to the preceding substeps, which blocks all the
other intranet users from accessing the Internet. The priority of security policy B is lower
than that of security policy A. Therefore, you do not need to specify IP address ranges for
security policy B but select any.
8. Choose Policy > NAT Policy > Source NAT > Source NAT and click Add. Then configure
a NAT policy as follows.
9. Click Save on the upper right of the panel to save the configurations.
Step 3 The root system administrator configures IP addresses, routes, security policies, and NAT
policies for VSYSB.
The configuration is similar to that of the R&D department except the following:
l The IP address of the inside interface is different.
l You do not need to create an IP address range for the non-R&D department. You only need
to configure a security policy to allow all IP addresses to access the Internet.
l The outbound interface of the NAT policy must be set to GE1/0/2, and the source address
must be set to any.
----End
Verification
l Use a PC that is allowed to access the Internet and a PC that is not allowed to access the
Internet from the R&D department and use the PCs to access the Internet. If the results are
as expected, the IP addresses, security policies and NAT policies of VSYSA are correctly
configured.
l Access the Internet from the non-R&D department. If the access succeeds, the IP addresses,
security policies and NAT policies of VSYSB are correctly configured.
Configuration Scripts
Configuration script of the root system
#
sysname NGFW
#
vsys enable
#
resource-class r1
resource-item-limit session reserved-number 10000 maximum 50000
resource-item-limit policy reserved-number 300
resource-item-limit user reserved-number 300
resource-item-limit user-group reserved-number 10
resource-item-limit bandwidth-ingress reserved-number 0 maximum 100000
#
vsys name vsysa 1
assign resource-class r1
assign interface GigabitEthernet1/0/1
assign interface GigabitEthernet1/0/3
#
vsys name vsysb 2
assign resource-class r1
assign interface GigabitEthernet1/0/2
assign interface GigabitEthernet1/0/4
#
return
Networking Requirements
Medium-sized enterprise A deploys a firewall as the network gateway. The network of this
enterprise is divided into three subnets respectively for the R&D, financial, and administrative
department. The security policies for the three departments are different and must meet the
following requirements:
l The NGFW connects to an existing intranet through Layer-2 access, without changing the
intranet's network topology.
l Internet access is granted to all employees of the administrative department, some
employees of the R&D department, but none of the employees of the financial department.
l The three departments have similar traffic volumes and therefore are assigned the same
amount of virtual system resources.
Configure virtual systems to meet the preceding requirements. Figure 7-20 shows the
networking diagram.
[Figure 7-20 diagram (image not reproduced): GE1/0/2 (intranet side) and GE1/0/1 (Internet side) are trunk interfaces carrying VLANs 10, 20, and 30. Financial department 10.3.0.100 to 10.3.0.199 in VLAN 20 on VSYSB; administrative department 10.3.0.200 to 10.3.0.254 in VLAN 30 on VSYSC; departments in the Trust zone]
Data Planning
Configuration Roadmap
1. Configure GE1/0/1 and GE1/0/2 as trunk interfaces and add them to VLANs.
2. The root system administrator creates three virtual systems VSYSA, VSYSB, and VSYSC,
assigns VLANs and resources, and configures an administrator for each virtual system.
3. The administrator of the R&D department logs in to the NGFW to configure security
policies for VSYSA.
4. The administrator of the financial department logs in to the NGFW to configure security
policies for VSYSB.
5. The administrator of the administrative department logs in to the NGFW to configure
security policies for VSYSC.
Procedure
Step 1 Configure GE1/0/1 and GE1/0/2 as trunk interfaces and add them to VLANs.
1. Use the account of the root system administrator to log in to the NGFW web UI.
2. Choose Network > Interface and click corresponding to the GE1/0/1 interface. Then
configure the GE1/0/1 interface as a trunk interface as follows.
3. Configure the GE1/0/2 interface as a trunk interface by referring to the preceding substeps.
Step 2 The root system administrator creates virtual systems VSYSA, VSYSB, and VSYSC and assigns
VLANs to them.
1. Select Dashboard. Click Configure of Virtual System in the System Information
dashboard, select Enable of Virtual System, and click Apply.
2. Choose System > Virtual System > Resource Class and click Add. Then set resource
class parameters as follows.
3. Choose System > Virtual System > Virtual System and click Add. Then configure basic
information for VSYSA as follows.
4. Click the Assign VLAN tab and click to assign the VLAN vlan 10 to VSYSA.
5. Click Save on the upper right of the panel to save the configurations.
6. Create virtual systems VSYSB and VSYSC by referring to the preceding substeps and
assign the VLAN vlan 20 to VSYSB and the VLAN vlan 30 to VSYSC.
Step 3 The root system administrator configures administrators for virtual systems.
1. Select the virtual system vsysa from the Virtual System drop-down list at the upper right
corner.
2. Choose System > Administrator > Administrator and click Add. Then configure
parameters for VSYSA. The following figure shows the example parameter settings.
Step 4 The administrator of the R&D department configures security zones and security policies for
VSYSA.
1. Use the virtual system administrator account admin@@vsysa to log in to the NGFW web
UI.
2. Choose Network > Interface and click corresponding to the GE1/0/2 interface. Then
configure a security zone for the GE1/0/2 interface as follows.
3. Assign the GE1/0/1 interface to the Untrust zone by referring to the preceding substep.
4. Choose Object > Address > Address and click Add. Then configure IP addresses.
5. Choose Policy > Security Policy > Security Policy and click Add. Then configure a
security policy A as follows. This security policy allows intranet users of a specific network
segment to access the Internet.
6. Configure a security policy B by referring to the preceding substeps, which blocks all the
other intranet users from accessing the Internet. The priority of security policy B is lower
than that of security policy A. Therefore, you do not need to specify IP address ranges for
security policy B but select any.
7. Click Save on the upper right of the panel to save the configurations.
The configuration is similar to that of the R&D department except the following:
l You do not need to create an IP address range for the financial department. You only need
to configure a security policy to prevent the IP address segment 10.3.0.0/24 from accessing
the Internet.
l You do not need to create an IP address range for the administrative department. You only
need to configure a security policy to allow the IP address segment 10.3.0.0/24 to access the
Internet.
----End
Verification
l Use a PC that is allowed to access the Internet and a PC that is not allowed to access the
Internet from the R&D department to access the Internet. If the results are as expected, the
security policies of VSYSA are correctly configured.
l Access the Internet from the financial department. If the access fails, the security policies
of VSYSB are correctly configured.
l Access the Internet from the administrative department. If the access succeeds, the security
policies of VSYSC are correctly configured.
Configuration Scripts
Configuration script of the root system
#
sysname NGFW
#
vsys enable
#
resource-class r1
resource-item-limit session reserved-number 10000 maximum 50000
resource-item-limit policy reserved-number 300
resource-item-limit user reserved-number 300
resource-item-limit user-group reserved-number 10
resource-item-limit bandwidth-ingress reserved-number 0 maximum 100000
#
vsys name vsysa 1
assign vlan 10
assign resource-class r1
#
vsys name vsysb 2
assign vlan 20
assign resource-class r1
#
vsys name vsysc 3
assign vlan 30
assign resource-class r1
#
vlan 10
GigabitEthernet1/0/1 GigabitEthernet1/0/2
#
vlan 20
GigabitEthernet1/0/1 GigabitEthernet1/0/2
#
vlan 30
GigabitEthernet1/0/1 GigabitEthernet1/0/2
#
return
source-zone trust
destination-zone untrust
action deny
#
return
Networking Requirements
A cloud computing data center uses an NGFW for security protection of the egress gateway to
meet the following requirements:
l Customers of the data center can independently manage and access their server resources.
l The NGFW has only one outside interface but provides sufficient public IP addresses. NAT
policies are configured on the NGFW so that customers have independent public IP
addresses to access their own server resources.
l Enterprises A and B have similar traffic volumes and purchase the same amount of
resources: a quota of 10,000 guaranteed sessions, a maximum of 50,000 sessions, and a
maximum of 100,000 kbit/s bandwidth.
Configure virtual systems to meet the preceding requirements. Figure 7-21 shows the
networking diagram.
[Figure 7-21 diagram (image not reproduced): root system outside interface GE1/0/1 1.1.1.1/24; subinterface GE1/0/2.2 10.3.1.1/24 connects enterprise B's network 10.3.1.0/24 with server 10.3.1.2/24 through VSYSB; the enterprise A side is truncated]
Data Planning
Configuration Roadmap
1. The root system administrator creates virtual systems VSYSA and VSYSB and allocates
resources to them.
2. Create subinterfaces GE1/0/2.1 and GE1/0/2.2 on the GE1/0/2 and configure these two
subinterfaces as inside interfaces of VSYSA and VSYSB, respectively.
3. The root system administrator configures IP address mapping for VSYSA and VSYSB.
4. The root system administrator configures routes and security policies for VSYSA and
VSYSB.
Procedure
Step 1 The root system administrator creates virtual systems VSYSA and VSYSB and allocates
resources to them.
1. Use the account of the root system administrator to log in to the NGFW web UI.
2. Select Dashboard. Click Configure of Virtual System in the System Information
dashboard, select Enable of Virtual System, and click Apply.
3. Choose System > Virtual System > Resource Class and click Add. Then set resource
class parameters as follows.
4. Choose System > Virtual System > Virtual System and click Add. Then configure basic
information for VSYSA as follows.
5. Click Save on the upper right of the panel to save the configurations.
6. Configure basic information for VSYSB by referring to the preceding substeps.
Step 2 Configure inside interfaces, outside interfaces, and virtual interfaces on the root system.
1. Choose Network > Interface and click Add. Create the subinterface GE1/0/2.1 and assign
this subinterface to VSYSA.
2. Click Add. Create the subinterface GE1/0/2.2 and assign this subinterface to VSYSB.
3. Click corresponding to the GE1/0/1 interface. Then configure a security zone and an IP
address for the GE1/0/1 interface as follows.
4. Assign the virtual interface Virtualif0 of the root system to the Trust zone, Virtualif1 of
VSYSA the Untrust zone, and Virtualif2 of VSYSB the Untrust zone by referring to the
preceding substeps.
NOTE
The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore,
the actual interface may not be Virtualif1 or Virtualif2. You can view the mapping between virtual
systems and virtual interfaces in Interface List.
Step 3 Configure routes, security policies, and NAT policies on the root system.
1. Choose Network > Router > Static Router and click Add. Then configure a static route
as follows.
2. Click Add and configure a static route as follows. This static route is used to divert to
VSYSA the server traffic requested by users of enterprise A.
3. Click Add and configure a static route as follows. This static route is used to divert to
VSYSB the server traffic requested by users of enterprise B.
4. Choose Policy > Security Policy > Security Policy and click Add. Then configure a
security policy as follows. This security policy allows intranet users to access servers on
the intranet.
5. Choose Policy > NAT Policy > NAT Server and click Add. Then configure IP address
mapping as follows for servers connected to VSYSA.
6. Click Add and configure IP address mapping as follows for servers connected to VSYSB.
2. Choose Network > Router > Static Router and click Add. Then configure a static route
as follows. This static route is used to divert to the root system the server traffic requested
by users of enterprise A.
3. Choose Policy > Security Policy > Security Policy and click Add. Then configure a
security policy as follows. This security policy allows intranet users to access servers on
the intranet.
4. Click Save on the upper right of the panel to save the configurations.
Step 5 Configure routes and security policies on VSYSB.
The details are omitted because the configurations are the same as those of VSYSA, except the
IP addresses.
----End
Verification
l Access http://1.1.1.2:8080 from enterprise A. If the access succeeds, IP address mapping
and security policies are correctly configured.
l Access http://1.1.1.3:8080 from enterprise B. If the access succeeds, IP address mapping
and security policies are correctly configured.
Configuration Scripts
Configuration script of the root system
#
sysname NGFW
#
vsys enable
#
nat server publicserver_vsysa protocol tcp global 1.1.1.2 8080 inside 10.3.0.2 www no-reverse
nat server publicserver_vsysb protocol tcp global 1.1.1.3 8080 inside 10.3.1.2 www no-reverse
#
resource-class r1
resource-item-limit session reserved-number 10000 maximum 50000
resource-item-limit bandwidth-ingress reserved-number 0 maximum 100000
#
vsys name vsysa 1
assign resource-class r1
assign interface GigabitEthernet1/0/2.1
#
vsys name vsysb 2
assign resource-class r1
assign interface GigabitEthernet1/0/2.2
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/2.1
vlan-type dot1q 10
ip address 10.3.0.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet0/0/2.2
vlan-type dot1q 20
ip address 10.3.1.1 255.255.255.0
service-manage ping permit
#
firewall zone trust
set priority 85
add interface Virtualif0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 1.1.1.254
7.9 References
This section describes specifications, supported services, and release history of the Virtual
System feature.
7.9.1 Specifications
This section describes the virtual system specifications of the NGFW.
Configuration File Management Supported -
IP-Link Supported -
Security Zones Supported -
Domain Group Supported -
Application and Application Group Supported -
Schedule Supported -
ACL Supported -
Bandwidth Management Policy Supported -
Quota Control Policy Supported -
Blacklist Supported -
IP-MAC Binding Supported -
ASPF Supported -
Session Table Supported -
Diagnosis Center Supported -
V100R001C30SPC100
l Added the function for configuring the DHCP server and DHCP relay.
l Added DHCP Dynamic Address Lease and DHCP Static Address Lease to the resource items
that the root system administrator allocates to virtual systems.
l Added DHCP Server in Popedom of new administrator roles in virtual systems.
V100R001C20SPC700
l Added Security Groups in the resource items that the root system administrator allocates
to each virtual system.
l When you create a virtual system administrator, the administrator@virtual system name
format is changed to the administrator@@virtual system name format.
V100R001C10SPC100
Added New Session Rate in the resource items that the root system administrator allocates
to each virtual system.
8 Networks
8.1.1 Overview
A NGFW uses interfaces to exchange data with other devices on a network.
Interface Types
A NGFW supports physical and logical interfaces. Table 8-1 describes types of interfaces and
their configuration methods.
Table 8-1 Interface types and their configuration methods (Web UI and CLI); the one entry
preserved here is: Eth-Trunk interface, see 8.1.2.6 Configuring an Eth-Trunk Interface.
IPv4 Addresses
An IPv4 address is 32 bits long and is written as four octets separated by dots, with each
octet expressed as a decimal number. For example, 10.0.0.1 is an IPv4 address. An IPv4
address consists of two fields:
– Network ID field: distinguishes networks from each other. The network ID is called
a class field, and network ID bits are called class bits.
– Host ID field: identifies a host on a network.
IPv4 addresses have five classes to facilitate address management and networking. Figure
8-1 shows classes of IPv4 addresses.
Figure 8-1 Classes of IPv4 addresses (leading bits, then fields):
Class A: 0, Net-id, Host-id
Class B: 10, Net-id, Host-id
Class C: 110, Net-id, Host-id
Class D: 1110, Multicast-address
Class E: 11110, Reserved
Most IPv4 addresses in use belong to class A, B, or C. Class D addresses are multicast
addresses. Class E addresses are reserved. For more information, see RFC 1166 "Internet
Numbers."
Some IPv4 addresses are reserved for special use. Table 8-2 lists the range of each class
of IPv4 addresses.
Some special IPv4 addresses exist in real-world situations. Table 8-3 lists special IPv4
addresses.
IPv6 Addresses
Internet Protocol Version 6 (IPv6), also called IP Next Generation (IPng), is a set of
specifications designed by the Internet Engineering Task Force (IETF).
IPv6 is a second-generation network protocol and an upgraded version of IPv4. Unlike IPv4,
which uses 32-bit addresses, IPv6 extends the address length to 128 bits.
l IPv6 address formats
IPv6 addresses are expressed in either of the following formats:
– X:X:X:X:X:X:X:X
An IPv6 address is divided into eight 16-bit groups separated by colons. Each 16-bit group
is represented by four hexadecimal digits (0 to 9 and A to F). For example,
2031:0000:130F:0000:0000:09C0:876A:130B is an IPv6 address.
For convenience, all 0s in a group are displayed as a single 0. The example address can
be written as 2031:0:130F:0:0:9C0:876A:130B.
Two or more consecutive groups of 0s can be replaced with an empty group using a pair
of colons (::), which helps minimize the IPv6 address length. The example address can
also be written as 2031:0:130F::9C0:876A:130B.
NOTE
An IPv6 address can only contain a single pair of colons (::). If an IPv6 address contains more
than one pair of colons, a NGFW cannot restore the compressed address to the original 128-bit
address because it cannot identify the number of zeros in the IPv6 address.
– X:X:X:X:X:X:d.d.d.d
Each "X" is 16 bits long and consists of four hexadecimal digits. Each "d" is 8 bits long
and is presented by a decimal number. "d.d.d.d" is an IPv4 address. The following
addresses are expressed in this format:
– 0:0:0:0:0:0:IPv4-address: an IPv4-compatible IPv6 address. The most significant
96 bits of 0s precede a 32-bit IPv4 address. The IPv4 address must be reachable on
an IPv4 network and can only be a unicast address, but not a multicast address, a
Figure (structure of an IPv6 unicast address): a 64-bit prefix, 2001:A304:6101:0001, followed
by a 64-bit interface ID, 0000:00E0:F726:4E58.
Although no IPv6 broadcast addresses exist, IPv6 multicast addresses provide broadcast
address functions.
l Unicast address types
A unicast address is used for one-to-one transmission. Similar to a unicast IPv4 address, a
unicast IPv6 address only identifies a single interface. Table 8-5 lists types of IPv6 unicast
addresses.
MAC: 0012:3400:ABCD
Binary: 00000000 00010010 00110100 00000000 10101011 11001101
Insert FFFE: 00000000 00010010 00110100 11111111 11111110 00000000 10101011 11001101
Set U/L bit: 00000010 00010010 00110100 11111111 11111110 00000000 10101011 11001101
EUI-64: 0212:34FF:FE00:ABCD
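The text-form rules above (at most one "::", leading-zero suppression, the X:X:X:X:X:X:d.d.d.d form) and the EUI-64 derivation that RA-based stateless autoconfiguration relies on, as an added Python example; this is not code from the Huawei guide, and the function names are my own.

```python
"""Added example (not code from the Huawei guide) for the IPv6 text-form rules
above: at most one '::', leading-zero suppression, the X:X:X:X:X:X:d.d.d.d
form, and EUI-64 interface IDs. Function names are my own."""
import re

_GROUP = re.compile(r"^[0-9A-Fa-f]{1,4}$")


def _embed_ipv4_tail(text: str) -> str:
    """Rewrite a trailing d.d.d.d (X:X:X:X:X:X:d.d.d.d form) as two hex groups."""
    if "." not in text:
        return text
    colon = text.rfind(":")
    octets = text[colon + 1:].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad embedded IPv4 address in {text!r}")
    a, b, c, d = (int(o) for o in octets)
    return f"{text[:colon + 1]}{a:02x}{b:02x}:{c:02x}{d:02x}"


def expand_ipv6(text: str) -> list[int]:
    """Return the eight 16-bit groups of an IPv6 address, or raise ValueError."""
    text = _embed_ipv4_tail(text)
    if text.count("::") > 1:
        # Two '::' pairs are ambiguous: the zero groups hidden by each pair
        # cannot be counted, which is why the NOTE says such text is rejected.
        raise ValueError("an IPv6 address may contain only one '::'")
    if "::" in text:
        head, tail = text.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = text.split(":")
    if len(groups) != 8 or not all(_GROUP.match(g) for g in groups):
        raise ValueError(f"malformed IPv6 address: {text!r}")
    return [int(g, 16) for g in groups]


def is_valid_ipv6(text: str) -> bool:
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def compress_ipv6(groups: list[int]) -> str:
    """Shortest text form: drop leading zeros in each group and replace the
    longest run of two or more zero groups with a single '::'."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    hexs = [f"{g:X}" for g in groups]
    if best_len < 2:
        return ":".join(hexs)
    return ":".join(hexs[:best_start]) + "::" + ":".join(hexs[best_start + best_len:])


def mac_to_eui64(mac: str) -> str:
    """Modified EUI-64 interface ID from a 48-bit MAC, as in the worked example:
    split the MAC in the middle, insert FFFE, then invert the U/L bit
    (bit 7 of the first octet), which turns 00 into 02."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    m = bytes.fromhex(digits)
    eui = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return ":".join(f"{eui[k]:02X}{eui[k + 1]:02X}" for k in range(0, 8, 2))


def slaac_address(prefix: str, mac: str) -> str:
    """Stateless autoconfiguration: a /64 prefix learned from an RA plus the
    EUI-64 interface ID, returned in compressed form."""
    pfx = expand_ipv6(prefix)
    if any(pfx[4:]):
        raise ValueError("RA prefix for EUI-64 autoconfiguration must be a /64")
    return compress_ipv6(pfx[:4] + expand_ipv6("0:0:0:0:" + mac_to_eui64(mac))[4:])


if __name__ == "__main__":
    print(compress_ipv6(expand_ipv6("2031:0000:130F:0000:0000:09C0:876A:130B")))
    print(mac_to_eui64("0012:3400:ABCD"))
    print(slaac_address("2001:A304:6101:1::", "0012:3400:ABCD"))
```

The binary rows above already show the first octet becoming 00000010, so the interface ID for MAC 0012:3400:ABCD is 0212:34FF:FE00:ABCD.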
l Static IP
Specify IPv6 addresses for Layer 3 Ethernet interfaces and their subinterfaces, VLAN
interfaces, Eth-Trunk interfaces, and loopback interfaces.
l DHCP
Configure DHCP to automatically assign IPv6 addresses for Layer 3 Ethernet interfaces
and their subinterfaces, VLAN interfaces, and Eth-Trunk interfaces.
l PPPoE
Configure PPPoE to perform PPP negotiation to assign IPv6 addresses to Layer 3 Ethernet
interfaces and their subinterfaces, VLAN interfaces, and Eth-Trunk interfaces.
l Neighbor Discovery (ND) Router Advertisement (RA)
Configure stateless address autoconfiguration to enable interfaces to obtain IPv6 prefixes
from RA messages. The interfaces then use IPv6 prefixes and local interface IDs to form
EUI-64 IPv6 addresses.
The interfaces can be Layer 3 Ethernet interfaces or their subinterfaces, VLAN interfaces,
or Eth-Trunk interfaces.
Context
A Layer 3 Ethernet interface uses an IPv4 address to connect to an IPv4 network or an IPv6
address to connect to an IPv6 network.
Procedure
Step 1 Choose Network > Interface.
Parameter Description
IPv4
Parameter Description
Connection Type Method used by the interface to obtain an IPv4 address in routing
mode.
This parameter can only be set when Mode is set to Route.
Perform one of the following steps to set a connection type:
l Static IP: specifies an IPv4 address for the interface. For
information about static IP address parameters, see Table
8-6.
l DHCP: allows the interface to run DHCP to automatically
obtain an IPv4 address.
l PPPoE: allows the interface to obtain an IPv4 address
through PPP negotiation. For PPPoE parameters, see Table
8-7.
Multi-egress options After you select Multi-egress options, the interface will function
as an intelligent uplink selection member interface.
For details on intelligent uplink selection, see Intelligent Uplink
Selection.
Carrier Select the name of the ISP directly connected to the interface.
Selecting the ISP of the interface is equivalent to binding the interface
to an ISP interface group.
Default route After you select this option, the NGFW generates a default
route in its routing table.
A default route is a special static route. When the destination
address of a packet does not match any other entry in the routing
table of the NGFW, the NGFW uses the default route to forward the
packet. Both the destination network address and the subnet mask
of the default route are 0.0.0.0.
If the interface serves as an intranet interface and has the sticky
load balancing function enabled, the default route must not be
selected. Otherwise, the interface cannot access extranets.
Carrier Route After you enable the ISP route function, the NGFW will generate
static routes in a batch to the ISP network. In the generated static
routes, the destination is an IP address in the ISP address file, and
the next hop is the gateway address specified on the outbound
interface. These static routes are called ISP routes. They have the
same priority as common static routes, and the default priority is
60.
Choose Network > Router > Routing Table. You can view the
generated ISP route entries.
Parameter Description
Sticky load balancing In the multi-ISP load balancing NAT server scenario, the
NGFW looks up the routing table for an outgoing interface to
send the return traffic from a server. As a result, the return traffic
from the server may take a path on ISP2, although the request to
the server takes a link on ISP1. The inconsistent forward and
return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function
on the incoming interface of ISP1.
The NGFW uses the incoming interface of the forward packets
as the outgoing interface of return packets instead of searching
for policy-based routes, specific routes, and default routes.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load
balancing function is enabled by default. Otherwise, configure the sticky
load balancing function.
Link Health Check Apply the link health check group to the interface.
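The asymmetric return path that the Sticky load balancing row describes, and the effect of the sticky setting, as an added Python model; this is not code from the Huawei guide, and the interface names, routes and addresses in it are constructed.

```python
"""Added example (not code from the Huawei guide): a toy model of the
asymmetric-return problem described in the Sticky load balancing row and
of the fix. Interface names, prefixes and addresses are constructed."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Route:
    dest: IPv4Network
    out_iface: str
    preference: int = 60  # default priority of a static route, per the table


@dataclass
class Session:
    client: IPv4Address
    server: IPv4Address
    in_iface: str  # interface on which the forward (request) packet arrived


@dataclass
class Ngfw:
    routes: list
    sticky_ifaces: set = field(default_factory=set)
    sessions: dict = field(default_factory=dict)

    def lookup_route(self, dst: IPv4Address):
        """Longest-prefix match; among equal prefixes the lower preference wins."""
        matches = [r for r in self.routes if dst in r.dest]
        if not matches:
            return None
        return max(matches, key=lambda r: (r.dest.prefixlen, -r.preference)).out_iface

    def forward_packet(self, client, server, in_iface):
        """Create the session for a request that arrived from the Internet."""
        self.sessions[(client, server)] = Session(client, server, in_iface)

    def return_iface(self, client, server):
        """Choose the outbound interface for the server's reply."""
        sess = self.sessions[(client, server)]
        if sess.in_iface in self.sticky_ifaces:
            # Sticky: the reply leaves on the interface the request came in on;
            # policy-based, specific and default routes are not consulted.
            return sess.in_iface
        return self.lookup_route(client)


def build_ngfw(sticky_on_isp1: bool) -> Ngfw:
    """Two ISP uplinks; ISP2's default route has the better (lower) preference,
    so a plain lookup for any Internet destination prefers ISP2."""
    routes = [
        Route(IPv4Network("0.0.0.0/0"), "GE1/0/1-isp1", preference=60),
        Route(IPv4Network("0.0.0.0/0"), "GE1/0/2-isp2", preference=50),
        Route(IPv4Network("10.3.0.0/24"), "GE1/0/3-dmz"),
    ]
    sticky = {"GE1/0/1-isp1"} if sticky_on_isp1 else set()
    return Ngfw(routes, sticky)


def reply_path(sticky_on_isp1: bool) -> str:
    """A request from an Internet client enters on ISP1 toward the NAT server;
    return the interface the NGFW picks for the reply."""
    fw = build_ngfw(sticky_on_isp1)
    client, server = IPv4Address("203.0.113.10"), IPv4Address("10.3.0.2")
    fw.forward_packet(client, server, "GE1/0/1-isp1")
    return fw.return_iface(client, server)


if __name__ == "__main__":
    print("without sticky:", reply_path(False))  # reply leaves via ISP2
    print("with sticky:   ", reply_path(True))   # reply leaves via ISP1
```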
IPv6
Interface Bandwidth
Management Access
Advanced
Parameter Description
Obtain an IP Address Automatically Obtain an IPv4 address that a PPPoE server assigns after
negotiating with a PPPoE client on a PPP link. The IPv4 address to be assigned must be
specified on the PPPoE server.
Use the Following IP Address Set an IPv4 address statically. This method requires the input
of an IPv4 address in IP Address. The IPv4 address must be one that a PPPoE server can assign.
Obtain DNS Server Address Automatically Obtain a DNS address that a PPPoE server assigns
after negotiating with a PPPoE client on a PPP link.
Use the Following DNS Server Addresses Statically set a DNS address. This method requires
the input of DNS server addresses in Primary DNS Server and Secondary DNS Server.
----End
Follow-up Procedure
l Check the interface status.
1. Choose Network > Interface.
2. Verify that the physical, IPv4, and IPv6 statuses of the interface are Up.
l Enable or disable the interface.
1. Choose Network > Interface.
2. Perform either of the following operations as needed:
– To enable the interface, select the Enable check box of the interface.
– To disable the interface, clear the Enable check box of the interface.
Context
Ensure that you have performed the following operations:
l Select an Ethernet interface and switch it to Layer 2 mode.
l Assign the interface to a specific VLAN. For more information about VLANs, see 8.11
VLAN.
l Configure interface parameters, such as a duplex mode and a transmission rate.
NOTICE
If the interfaces work at Layer 2 and IPv6 needs to be processed on NGFW, you need to choose
Dashboard > System Information to enable the global IPv6 function.
Procedure
Step 1 Choose Network > Interface.
Parameter Description
Mode Layer at which the interface works and whether to enable bypass
detection when the interface works at Layer 2:
l Select Switch to enable the interface to work at Layer 2 and
disable bypass detection.
l Select Bypass to enable the interface to work at Layer 2 and
enable bypass detection.
After bypass detection is enabled, the device detects packets
received on this interface and then discards them.
When a Layer 3 Ethernet interface is configured to work in Layer
2 mode or bypass mode, the device automatically clears specific
configurations of the interface, such as DHCP, DDNS, and route
configurations, and retains others, such as HRP heartbeat
interface configurations. If the interface is specified as a
heartbeat interface, it cannot be configured to work in Layer 2
mode. Therefore, before you configure a Layer 3 Ethernet
interface to work in Layer 2 mode or bypass mode, ensure that
the interface has no configuration.
Parameter Description
Default VLAN ID Default VLAN ID of a trunk interface. This parameter is set only
when Connection Type is set to Trunk.
Interface Bandwidth
Advanced
Follow-up Procedure
l Check the interface status.
1. Choose Network > Interface.
2. Check the physical status of the interface.
l Enable or disable the interface.
1. Choose Network > Interface.
2. Perform either of the following operations as needed:
– To enable the interface, select the Enable check box.
– To disable the interface, clear the Enable check box.
Context
Subinterfaces are logical or virtual interfaces created on a physical interface. Subinterfaces share
the physical parameters of the physical interface on which they are created. However,
subinterfaces have their own data link layer and network layer parameters. A subinterface status
change does not affect the main interface status, whereas a main interface status change affects
the subinterface status. Subinterfaces work properly only when their main interface is in the Up
state.
Procedure
Step 1 Choose Network > Interface.
Parameter Description
Primary Interface Type and number of a Layer 3 interface to which the new
subinterface belongs.
Parameter Description
IPv4
Multi-egress options After you select Multi-egress options, the interface will function
as an intelligent uplink selection member interface.
For details on intelligent uplink selection, see Intelligent Uplink
Selection.
Carrier Select the name of the ISP directly connected to the interface.
Selecting the ISP of the interface is equivalent to binding the interface
to an ISP interface group.
Default route After you select this option, the NGFW generates a default
route in its routing table.
A default route is a special static route. When the destination
address of a packet does not match any other entry in the routing
table of the NGFW, the NGFW uses the default route to forward the
packet. Both the destination network address and the subnet mask
of the default route are 0.0.0.0.
If the interface serves as an intranet interface and has the sticky
load balancing function enabled, the default route must not be
selected. Otherwise, the interface cannot access extranets.
Carrier Route After you enable the ISP route function, the NGFW will generate
static routes in a batch to the ISP network. In the generated static
routes, the destination is an IP address in the ISP address file, and
the next hop is the gateway address specified on the outbound
interface. These static routes are called ISP routes. They have the
same priority as common static routes, and the default priority is
60.
Choose Network > Router > Routing Table. You can view the
generated ISP route entries.
Sticky load balancing In the multi-ISP load balancing NAT server scenario, the
NGFW looks up the routing table for an outgoing interface to
send the return traffic from a server. As a result, the return traffic
from the server may take a path on ISP2, although the request to
the server takes a link on ISP1. The inconsistent forward and
return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function
on the incoming interface of ISP1.
The NGFW uses the incoming interface of the forward packets
as the outgoing interface of return packets instead of searching
for policy-based routes, specific routes, and default routes.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load
balancing function is enabled by default. Otherwise, configure the sticky
load balancing function.
Link Health Check Apply the link health check group to the interface.
IPv6
Interface Bandwidth
Management Access
Parameter Description
Obtain an IP Address Automatically Obtain an IPv4 address that a PPPoE server assigns after
negotiating with a PPPoE client on a PPP link. The IPv4 address to be assigned must be
specified on the PPPoE server.
Use the Following IP Address Set an IPv4 address statically. This method requires the input
of a fixed IPv4 address in IP Address. The IPv4 address to be entered is the one that a PPPoE
server can assign.
Obtain DNS Server Address Automatically Obtain a DNS address that a PPPoE server assigns
after negotiating with a PPPoE client on a PPP link.
Use the Following DNS Server Addresses Statically set a DNS address. This method requires
the input of DNS server addresses in Primary DNS Server and Secondary DNS Server.
Follow-up Procedure
l Check the subinterface status.
1. Choose Network > Interface.
2. Verify that the physical, IPv4, and IPv6 statuses of the subinterface are Up.
l Enable or disable the interface.
1. Choose Network > Interface.
2. Perform either of the following operations as needed:
– To enable the interface, select the Enable check box.
– To disable the interface, clear the Enable check box.
Context
Subinterfaces are logical or virtual interfaces created on a physical interface. Subinterfaces share
the physical parameters of the physical interface on which they are created. However,
subinterfaces have their own data link layer and network layer parameters. A subinterface status
change does not affect the main interface status, whereas a main interface status change affects
the subinterface status. Subinterfaces work properly only when their main interface is in the Up
state.
The device supports creating subinterfaces on Layer 2 Ethernet and Layer 2 Eth-Trunk interfaces.
Using a subinterface to terminate a VLAN allows for inter-VLAN forwarding.
Procedure
Step 1 Choose Network > Interface.
Parameter Description
Primary Interface Type and number of a Layer 2 interface to which the new
subinterface belongs.
Mode Layer at which the interface works and whether to enable bypass
detection when the interface works at Layer 2:
l Select Switch to enable the interface to work at Layer 2 and
disable bypass detection.
l Select Bypass to enable the interface to work at Layer 2 and
enable bypass detection.
After bypass detection is enabled, the device detects packets
received on this interface and then discards them.
VLAN Tag Specifies the VLAN tag (ID of the VLAN to which the new
subinterface belongs). Each subinterface receives or forwards
only packets that carry the specified VLAN tag.
Access VLAN ID Specifies the access VLAN ID. Subinterfaces must be added to
the same VLAN to communicate with each other.
Interface Bandwidth
If the operation is successful, the new subinterface is displayed among Layer 2 interfaces in
Interface List.
----End
Follow-up Procedure
l Check the subinterface status.
Context
A LAN can be divided into logical broadcast domains. A broadcast domain is a VLAN. Devices
on a LAN logically belong to different VLANs, regardless of their physical locations.
When hosts on a VLAN need to communicate with a device at the network layer, you can create
a VLAN interface on the device. The VLAN interface functions as a Layer 3 interface to provide
Layer 3 functions, such as IPv4 or IPv6 address settings.
Procedure
Step 1 Choose Network > Interface.
Parameter Description
IPv4
Multi-egress options After you select Multi-egress options, the interface will function
as an intelligent uplink selection member interface.
For details on intelligent uplink selection, see Intelligent Uplink
Selection.
Carrier Select the name of the ISP directly connected to the interface.
Selecting the ISP of the interface is equivalent to binding the interface
to an ISP interface group.
Default route After you select this option, the NGFW generates a default
route in its routing table.
A default route is a special static route. When the destination
address of a packet does not match any other entry in the routing
table of the NGFW, the NGFW uses the default route to forward the
packet. Both the destination network address and the subnet mask
of the default route are 0.0.0.0.
If the interface serves as an intranet interface and has the sticky
load balancing function enabled, the default route must not be
selected. Otherwise, the interface cannot access extranets.
Carrier Route After you enable the ISP route function, the NGFW will generate
static routes in a batch to the ISP network. In the generated static
routes, the destination is an IP address in the ISP address file, and
the next hop is the gateway address specified on the outbound
interface. These static routes are called ISP routes. They have the
same priority as common static routes, and the default priority is
60.
Choose Network > Router > Routing Table. You can view the
generated ISP route entries.
Sticky load balancing In the multi-ISP load balancing NAT server scenario, the
NGFW looks up the routing table for an outgoing interface to
send the return traffic from a server. As a result, the return traffic
from the server may take a path on ISP2, although the request to
the server takes a link on ISP1. The inconsistent forward and
return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function
on the incoming interface of ISP1.
The NGFW uses the incoming interface of the forward packets
as the outgoing interface of return packets instead of searching
for policy-based routes, specific routes, and default routes.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load
balancing function is enabled by default. Otherwise, configure the sticky
load balancing function.
Link Health Check Apply the link health check group to the interface.
IPv6
Interface Bandwidth
Management Access
Parameter Description
Obtain an IP Address Automatically Obtain an IPv4 address that a PPPoE server assigns after
negotiating with a PPPoE client on a PPP link. The IPv4 address to be assigned must be
specified on the PPPoE server.
Use the Following IP Address Statically set an IPv4 address. This method requires the input
of an IPv4 address in IP Address. The IPv4 address must be one that a PPPoE server can assign.
Obtain DNS Server Address Automatically Obtain a DNS address that a PPPoE server assigns
after negotiating with a PPPoE client on a PPP link.
Use the Following DNS Server Addresses Statically set a DNS address. This method requires
the input of DNS server addresses in Primary DNS Server and Secondary DNS Server.
Follow-up Procedure
l Check the VLAN interface status.
1. Choose Network > Interface.
2. Verify that the physical, IPv4, and IPv6 statuses of the VLAN interface are Up.
l Enable or disable the interface.
1. Choose Network > Interface.
2. Perform either of the following operations as needed:
– To enable the interface, select the Enable check box.
– To disable the interface, clear the Enable check box.
Context
Multiple Ethernet interfaces can be bundled into an Eth-Trunk interface. An Eth-Trunk interface
provides bandwidth equal to the total bandwidth of all its member interfaces. If a member
interface goes Down, traffic continues to be transmitted over the other member interfaces, which
increases link reliability.
A physical interface can only be assigned to a single Eth-Trunk at a time. Before assigning the
physical interface to another Eth-Trunk, you must first remove it from the Eth-Trunk to which
it is currently attached.
Procedure
Step 1 Choose Network > Interface.
Parameter Description
Mode Layer at which the interface works and whether to enable bypass
detection when the interface works at Layer 2:
l Select Route to enable the interface to work at Layer 3.
l Select Switch to enable the interface to work at Layer 2 and
disable bypass detection. For the description of parameter
Connection Type in switching mode, see Table 8-22.
l Select Bypass to enable the interface to work at Layer 2 and
enable bypass detection. For the description of parameter
Connection Type in switching mode, see Table 8-22.
After bypass detection is enabled, the device detects packets
received on this interface and then discards them.
IPv4
Multi-egress options After you select Multi-egress options, the interface will function
as an intelligent uplink selection member interface.
For details on intelligent uplink selection, see Intelligent Uplink
Selection.
Carrier Select the name of the ISP directly connected to the interface.
Selecting the ISP of the interface is equivalent to binding the interface
to an ISP interface group.
Default route After you select this option, the NGFW generates a default
route in its routing table.
A default route is a special static route. When the destination
address of a packet does not match any other entry in the routing
table of the NGFW, the NGFW uses the default route to forward the
packet. Both the destination network address and the subnet mask
of the default route are 0.0.0.0.
If the interface serves as an intranet interface and has the sticky
load balancing function enabled, the default route must not be
selected. Otherwise, the interface cannot access extranets.
Carrier Route After you enable the ISP route function, the NGFW will generate
static routes in a batch to the ISP network. In the generated static
routes, the destination is an IP address in the ISP address file, and
the next hop is the gateway address specified on the outbound
interface. These static routes are called ISP routes. They have the
same priority as common static routes, and the default priority is
60.
Choose Network > Router > Routing Table. You can view the
generated ISP route entries.
Sticky load balancing In the multi-ISP load balancing NAT server scenario, the
NGFW looks up the routing table for an outgoing interface to
send the return traffic from a server. As a result, the return traffic
from the server may take a path on ISP2, although the request to
the server takes a link on ISP1. The inconsistent forward and
return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function
on the incoming interface of ISP1.
The NGFW uses the incoming interface of the forward packets
as the outgoing interface of return packets instead of searching
for policy-based routes, specific routes, and default routes.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load
balancing function is enabled by default. Otherwise, configure the sticky
load balancing function.
Link Health Check Apply the link health check group to the interface.
IPv6
Interface Bandwidth
Management Access
Advanced
Parameter Description
Lower Limit of Up Links Lower limit of member interfaces in the Up state before an Eth-
Trunk interface goes Down. If the number of member links in
the Up state is smaller than the lower limit, the Eth-Trunk
interface goes Down, and all its member interfaces cannot
forward data. This prevents a small number of member links in
the Up state from discarding packets due to overload.
To ensure proper forwarding, configure the same lower limit for
an Eth-Trunk interface on both ends of a link.
Parameter Description
Obtain an IP Address Automatically Obtain an IPv4 address that a PPPoE server assigns after
negotiating with a PPPoE client on a PPP link. The IPv4 address to be assigned must be
specified on the PPPoE server.
Use the Following IP Address Statically set an IPv4 address. This method requires the input
of a fixed IPv4 address in IP Address. The IPv4 address must be one that a PPPoE server can
assign.
Obtain DNS Server Address Automatically Obtain a DNS address that a PPPoE server assigns
after negotiating with a PPPoE client on a PPP link.
Use the Following DNS Server Addresses Statically set a DNS address. This method requires
the input of DNS server addresses in Primary DNS Server and Secondary DNS Server.
Parameter Description
Default VLAN ID Default VLAN ID of a trunk interface. This parameter is set only
when Connection Type is set to Trunk.
Hybrid VLAN ID (With VLAN Tag) ID of the VLAN to which the hybrid interface belongs. Frames
on the VLAN are sent from this interface in Tagged mode. This parameter is set only when
Connection Type is set to Hybrid.
If the operation is successful, the new Eth-Trunk interface is displayed in Interface List.
----End
Follow-up Procedure
l Check interface status.
Context
This section describes how to configure a loopback interface. A loopback interface is a virtual
interface. The IP address of a loopback interface is specified as a source address for packets to
improve network reliability.
Procedure
Step 1 Choose Network > Interface.
IPv4
IPv6
If the operation is successful, the new loopback interface is displayed in Interface List.
----End
Follow-up Procedure
Check the interface status.
Context
A tunnel interface is a logical interface for packet encapsulation. By default, tunnel interfaces
created through the Web use only IPSec, that is, supporting only IPSec tunnels. GRE is another
common encapsulation protocol. When configuring GRE through the Web, tunnel interfaces are
automatically created and configured. For details, see 20.5.3 Configuring GRE Using the Web
UI.
Procedure
Step 1 Choose Network > Interface.
Parameter Description
Interface Name Another name specified for the tunnel interface, facilitating
memorization and identification.
IPv4
IP Address/Mask Ensure that the IP addresses of the tunnel interfaces at the two
ends of the IPSec tunnel are routable.
Multi-egress options After you select Multi-egress options, the interface will function
as an intelligent uplink selection member interface.
For details on intelligent uplink selection, see Intelligent Uplink
Selection.
Carrier Select the name of the ISP directly connected to the interface.
Selecting the ISP of the interface is equivalent to binding the interface
to an ISP interface group.
Default route After you select this option, the NGFW generates a default
route in its routing table.
A default route is a special static route. When the destination
address of a packet does not match any other entry in the routing
table of the NGFW, the NGFW uses the default route to forward the
packet. Both the destination network address and the subnet mask
of the default route are 0.0.0.0.
If the interface serves as an intranet interface and has the sticky
load balancing function enabled, the default route must not be
selected. Otherwise, the interface cannot access extranets.
Carrier Route After you enable the ISP route function, the NGFW will generate
static routes in a batch to the ISP network. In the generated static
routes, the destination is an IP address in the ISP address file, and
the next hop is the gateway address specified on the outbound
interface. These static routes are called ISP routes. They have the
same priority as common static routes, and the default priority is
60.
Choose Network > Router > Routing Table. You can view the
generated ISP route entries.
Parameter Description
Sticky load balancing In the multi-ISP load balancing NAT server scenario, the
NGFW looks up the routing table for an outgoing interface to
send the return traffic from a server. As a result, the return traffic
from the server may take a path on ISP2, although the request to
the server takes a link on ISP1. The inconsistent forward and
return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function
on the incoming interface of ISP1.
The NGFW uses the incoming interface of the forward packets
as the outgoing interface of return packets instead of searching
for policy-based routes, specific routes, and default routes.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load
balancing function is enabled by default. Otherwise, configure the sticky
load balancing function.
Link Health Check Apply the link health check group to the interface.
Interface Bandwidth
If the operation succeeds, Interface List displays the new tunnel interface.
----End
Follow-up Procedure
- Check the interface status.
1. Choose Network > Interface.
2. Check the physical status of the interface.
Context
An interface pair is a pair of incoming and outgoing interfaces. After an interface pair is formed,
traffic that enters the incoming interface of the pair is forwarded out of the outgoing interface
of the pair without a MAC address table lookup.
If the incoming and outgoing interfaces are the same interface, the packets entering the interface
are forwarded out of the same interface after being processed.
Interfaces that can form an interface pair include Layer 2 Ethernet interfaces and their
subinterfaces and Layer 2 Eth-Trunk interfaces and their subinterfaces.
Procedure
Step 1 Choose Network > Interface Pair.
----End
To assign the second and subsequent IPv4 addresses to the interface, configure the sub parameter
in the ip address command.
Before performing IPv6 configurations in the interface view, enable the IPv6 capability in
the interface view.
To allow the interface to forward IPv6 packets, run the ipv6 command in the system view.
2. Perform either of the following operations to configure an IPv6 link-local address:
- To enable the system to automatically generate an IPv6 link-local address, run:
ipv6 address auto link-local
This is a recommended way to configure an IPv6 link-local address because the link-
local address is only used for protocol-based communication between link-local nodes,
regardless of communication between users.
If no IPv6 link-local address is specified for an interface, the device automatically
generates an IPv6 link-local address for the interface after an IPv6 global unicast address
is specified for the interface.
- To specify an IPv6 link-local address, run:
ipv6 address ipv6-address link-local
The prefix of an IPv6 link-local address is FE80::/10.
NOTE
Only a single link-local address can be configured on an interface. If you configure multiple link-local
addresses on the same interface, only the last configuration takes effect.
3. Assign a global unicast IPv6 address to the interface.
An EUI-64 address supports the same function as a global unicast address. The difference
between the two addresses is as follows:
- Only the network bits need to be specified for the EUI-64 address, because the host bits
are transformed from the MAC addresses of the interface. The prefix length of the
network bits in an EUI-64 address must not be longer than 64 bits.
- A complete 128-bit address needs to be specified for the global unicast address.
The EUI-64 address and global unicast address can be configured simultaneously or
separately. However, IP addresses configured for the same interface cannot be on the same
network segment.
By default, an interface works in auto-negotiation mode. To set parameters duplex and speed
to adjust the duplex mode and rate of an interface, run the undo negotiation auto command to
disable the interface from working in auto-negotiation mode.
This command applies only to Ethernet electrical interfaces and Ethernet optical interfaces that
work in electrical interface mode.
If a packet carries the non-fragment (DF) flag and its length exceeds the interface MTU, the
NGFW drops the packet. To ensure service continuity, run the clear ip df command to enable the
clearing function: the NGFW then removes the non-fragment flag and forwards the packet in fragments.
Step 11 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number
Step 12 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth egress bandwidth-number
Step 14 Optional: Allow or block HTTP, HTTPS, ping, SSH, SNMP, or Telnet access to the NGFW.
service-manage { http | https | ping | ssh | snmp | telnet } { permit | deny }
By default, the management interface (GE0/0/0) allows HTTP, HTTPS, ping, SSH, SNMP, and
Telnet access to a NGFW, and a non-management interface denies HTTP, HTTPS, ping, SSH,
SNMP, and Telnet access to a NGFW.
Step 15 Optional: Restore the access control management function of an interface to the default setting.
reset service-manage
After you run this command, the access control management function of the management
interface (GE0/0/0) is enabled, and the administrator is allowed to use HTTP, HTTPS, Ping,
SSH, SNMP, and Telnet to access the device. For non-management interfaces, the access control
management function is enabled, but the administrator is not allowed to use HTTP, HTTPS,
Ping, SSH, SNMP, or Telnet to access the device.
If a gateway address is configured on the interface, you are advised to set nexthop-address the
same as the gateway address.
In the multi-ISP load balancing NAT server scenario, the NGFW looks up the routing table for
an outgoing interface to send the return traffic from a server. As a result, the return traffic from
the server may take a path on ISP2, although the request to the server takes a link on ISP1. The
inconsistent forward and return paths may slow down or even interrupt services. To resolve this
issue, configure the sticky load balancing function on the incoming interface of ISP1.
The NGFW uses the incoming interface of the forward packets as the outgoing interface of return
packets instead of searching for policy-based routes, specific routes, and default routes.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load balancing function is enabled by
default. Otherwise, configure the sticky load balancing function.
----End
NOTICE
For broadcast traffic suppression and multicast traffic suppression based on packet rates,
the granularity of parameter max-pps is 125. For example, if you set max-pps to 5, the actual
value is 125. If you set max-pps to 126, the actual value is 250. The rest can be done in the
same manner.
The mode of broadcast traffic suppression and multicast traffic suppression of all interfaces
on the same LPU must be the same. For example, if traffic suppression based on packet
rates is configured for interface GE1/0/1, you cannot configure traffic suppression based
on suppression ratio for interface GE1/0/2.
After you configure multicast traffic suppression, the NGFW does not suppress the
registered multicast traffic designated by protocols, such as IGMP, DVMRP, PIM, and
OSPF.
An Ethernet interface works at Layer 3 by default. To use the Layer 3 Ethernet interface as a
Layer 2 interface, switch the Ethernet interface to Layer 2 mode.
When a Layer 3 Ethernet interface is configured to work in Layer 2 mode, the device
automatically clears specific configurations of the interface, such as DHCP, DDNS, and route
configurations, and retains specific configurations, such as HRP heartbeat interface
configurations. If the interface is specified as a heartbeat interface, the interface
cannot be configured to work in Layer 2 mode. Therefore, before you configure a Layer 3
Ethernet interface to work in Layer 2 mode, ensure that the interface has no configuration.
To switch Layer 3 Ethernet interfaces to Layer 2 mode in a batch, run the portswitch batch
interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system
view.
By default, a Layer 2 Ethernet interface belongs to VLAN 1 and works as an access port. For
information about how to configure a VLAN, see VLAN.
NOTICE
If the interfaces work at Layer 2 and IPv6 needs to be processed on NGFW, you need to run the
ipv6 command to enable the global IPv6 function.
After bypass detection is enabled, the device detects packets received on this interface and then
discards them.
By default, an interface works in auto-negotiation mode. To set parameters duplex and speed
to adjust the duplex mode and rate of an interface, run the undo negotiation auto command to
disable the interface from working in auto-negotiation mode.
This command applies only to Ethernet electrical interfaces and Ethernet optical interfaces that
work in electrical interface mode.
Step 10 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number
Step 11 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth egress bandwidth-number
----End
NOTICE
For broadcast traffic suppression and multicast traffic suppression based on packet rates,
the granularity of parameter max-pps is 125. For example, if you set max-pps to 5, the actual
value is 125. If you set max-pps to 126, the actual value is 250. The rest can be done in the
same manner.
The mode of broadcast traffic suppression and multicast traffic suppression of all interfaces
on the same LPU must be the same. For example, if traffic suppression based on packet
rates is configured for interface GE1/0/1, you cannot configure traffic suppression based
on suppression ratio for interface GE1/0/2.
After you configure multicast traffic suppression, the NGFW does not suppress the
registered multicast traffic designated by protocols, such as IGMP, DVMRP, PIM, and
OSPF.
----End
Context
Subinterfaces are logical or virtual interfaces created on a physical interface. Subinterfaces share
the physical parameters of the physical interface on which they are created. However,
subinterfaces have their own data link layer and network layer parameters. A subinterface status
change does not affect the main interface status, whereas a main interface status change affects
the subinterface status. Subinterfaces work properly only when their main interface is in the Up
state.
Subinterfaces can be created on Layer 3 Ethernet and Eth-Trunk interfaces. To distinguish
VLAN packets on a Layer 3 Ethernet interface or an Eth-Trunk interface, configure subinterfaces
with different VLAN IDs. Each subinterface with a specific VLAN ID forwards packets carrying
the VLAN ID, which provides configuration flexibility.
Procedure
Step 1 Display the system view.
system-view
Step 2 Display the Ethernet subinterface view.
interface interface-type interface-number.subinterface-number
The subinterface-number parameter specifies the number of an Ethernet subinterface.
Step 3 Specify an encapsulation mode and a VLAN ID for the subinterface.
vlan-type dot1q vlan-id
By default, no encapsulation mode or VLAN ID is configured on a subinterface.
To ensure VLAN connectivity, set the same VLAN ID on two subinterfaces at two ends of a
link.
Step 4 Assign an IPv4 address to the interface.
ip address ip-address { mask | mask-length } [ sub ]
To assign the second and subsequent IPv4 addresses to the interface, configure the sub parameter
in the ip address command.
Step 5 Assign an IPv6 address to the interface.
1. Enable the IPv6 capability on the interface.
ipv6 enable
By default, the IPv6 capability is disabled on the interface.
Before performing IPv6 configurations in the interface view, enable the IPv6 capability in
the interface view.
To allow the interface to forward IPv6 packets, run the ipv6 command in the system view.
2. Perform either of the following operations to configure an IPv6 link-local address:
- To enable the system to automatically generate an IPv6 link-local address, run:
ipv6 address auto link-local
NOTE
Only a single link-local address can be configured on an interface. If you repeatedly configure link-local
addresses, the last configuration takes effect.
3. Assign a global unicast IPv6 address to the interface.
ipv6 address { ipv6-address | ipv6-address/prefix-length } [ eui-64 ]
An EUI-64 address supports the same function as a global unicast address. The difference
between the two addresses is as follows:
- Only the network bits need to be specified for the EUI-64 address, because the host bits
are transformed from the MAC addresses of the interface. The prefix length of the
network bits in an EUI-64 address must not be longer than 64 bits.
- A complete 128-bit address needs to be specified for the global unicast address.
The EUI-64 address and global unicast address can be configured simultaneously or
separately. However, IP addresses configured for the same interface cannot be on the same
network segment.
Step 8 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number
Step 9 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth egress bandwidth-number
Step 11 Optional: Allow or block HTTP, HTTPS, ping, SSH, SNMP, or Telnet access to the NGFW.
service-manage { http | https | ping | ssh | snmp | telnet } { permit | deny }
By default, the management interface (GE0/0/0) allows HTTP, HTTPS, ping, SSH, SNMP, and
Telnet access to a NGFW, and a non-management interface denies HTTP, HTTPS, ping, SSH,
SNMP, and Telnet access to a NGFW.
Step 12 Optional: Restore the access control management function of an interface to the default setting.
reset service-manage
After you run this command, the access control management function of the management
interface (GE0/0/0) is enabled, and the administrator is allowed to use HTTP, HTTPS, Ping,
SSH, SNMP, and Telnet to access the device. For non-management interfaces, the access control
management function is enabled, but the administrator is not allowed to use HTTP, HTTPS,
Ping, SSH, SNMP, or Telnet to access the device.
If a gateway address is configured on the interface, you are advised to set nexthop-address the
same as the gateway address.
In the multi-ISP load balancing NAT server scenario, the NGFW looks up the routing table for
an outgoing interface to send the return traffic from a server. As a result, the return traffic from
the server may take a path on ISP2, although the request to the server takes a link on ISP1. The
inconsistent forward and return paths may slow down or even interrupt services. To resolve this
issue, configure the sticky load balancing function on the incoming interface of ISP1.
The NGFW uses the incoming interface of the forward packets as the outgoing interface of return
packets instead of searching for policy-based routes, specific routes, and default routes.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load balancing function is enabled by
default. Otherwise, configure the sticky load balancing function.
----End
Context
Subinterfaces are logical or virtual interfaces created on a physical interface. Subinterfaces share
the physical parameters of the physical interface on which they are created. However,
subinterfaces have their own data link layer and network layer parameters. A subinterface status
change does not affect the main interface status, whereas a main interface status change affects
the subinterface status. Subinterfaces work properly only when their main interface is in the Up
state.
The device supports creating subinterfaces on Layer 2 Ethernet and Layer 2 Eth-Trunk interfaces.
Using a subinterface to terminate a VLAN allows for inter-VLAN forwarding.
Procedure
Step 1 Run the system-view command to access the system view.
Step 2 Run the interface interface-type interface-number command to access the interface view.
Step 3 Run the portswitch command to configure a Layer 3 Ethernet interface to work in Layer 2 mode.
Step 6 Run the vlan-type dot1q vlan-id command to configure the encapsulation type for the
subinterface and associate a VLAN ID with the subinterface.
Step 7 Run the portswitch command to configure the subinterface as a Layer 2 subinterface.
Step 8 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number
Step 9 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth egress bandwidth-number
Step 10 Optional: Run the bypass-detection command to enable the bypass detection function on the
interface.
After bypass detection is enabled, the device detects packets received on this interface and then
discards them.
----End
Context
A LAN can be divided into several logical LANs. Each logical LAN is a broadcast domain,
which is called a VLAN. Devices on a LAN logically belong to different VLANs, regardless of
their physical locations. VLANs separate broadcast domains within a LAN from each other.
When hosts on a VLAN need to communicate with a device at the network layer, you can create
a VLAN interface on the device. The VLAN interface functions as a Layer 3 interface to provide
Layer 3 functions, such as IPv4 or IPv6 address settings.
Procedure
Step 1 Display the system view.
system-view
portswitch
If a VLAN already exists, running this command directly displays the VLAN view.
Step 8 Create a Vlanif interface for a specific VLAN and display the Vlanif interface view.
interface vlanif vlan-id
If a Vlanif interface already exists, running this command directly displays the Vlanif interface
view.
To assign the second and subsequent IPv4 addresses to the interface, configure the sub parameter
in the ip address command.
Enable the IPv6 capability in the interface view before performing IPv6 configurations in
the interface view.
To allow the interface to forward IPv6 packets, run the ipv6 command in the system view.
2. Perform either of the following operations to configure an IPv6 link-local address:
- To enable the system to automatically generate an IPv6 link-local address, run:
ipv6 address auto link-local
Allowing the system to automatically generate a link-local address is recommended.
This is because the link-local address is only used for protocol-based communication
between link-local nodes, regardless of communication between users.
If no IPv6 link-local address is specified for an interface, the device automatically
generates an IPv6 link-local address for the interface after an IPv6 global unicast address
of the interface is specified.
- To specify an IPv6 link-local address, run:
ipv6 address ipv6-address link-local
NOTE
Only a single link-local address can be configured on an interface. If you repeatedly configure link-local
addresses, the last configuration takes effect.
3. Assign a global unicast IPv6 address to the interface.
ipv6 address { ipv6-address | ipv6-address/prefix-length } [ eui-64 ]
An EUI-64 address supports the same function as a global unicast address. The difference
between the two addresses is as follows:
- Only the network bits need to be specified for the EUI-64 address, because the host bits
are transformed from the MAC addresses of the interface. The prefix length of the
network bits in an EUI-64 address must not be longer than 64 bits.
- A complete 128-bit address needs to be specified for the global unicast address.
The EUI-64 address and global unicast address can be configured simultaneously or
separately. However, IP addresses configured for the same interface cannot be on the same
network segment.
Step 13 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number
Step 14 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth egress bandwidth-number
Step 16 Optional: Allow or block HTTP, HTTPS, ping, SSH, SNMP, or Telnet access to the NGFW.
service-manage { http | https | ping | ssh | snmp | telnet } { permit | deny }
By default, the management interface (GE0/0/0) allows HTTP, HTTPS, ping, SSH, SNMP, and
Telnet access to a NGFW, and a non-management interface denies HTTP, HTTPS, ping, SSH,
SNMP, and Telnet access to a NGFW.
Step 17 Optional: Restore the access control management function of an interface to the default setting.
reset service-manage
After you run this command, the access control management function of the management
interface (GE0/0/0) is enabled, and the administrator is allowed to use HTTP, HTTPS, Ping,
SSH, SNMP, and Telnet to access the device. For non-management interfaces, the access control
management function is enabled, but the administrator is not allowed to use HTTP, HTTPS,
Ping, SSH, SNMP, or Telnet to access the device.
If a gateway address is configured on the interface, you are advised to set nexthop-address the
same as the gateway address.
In the multi-ISP load balancing NAT server scenario, the NGFW looks up the routing table for
an outgoing interface to send the return traffic from a server. As a result, the return traffic from
the server may take a path on ISP2, although the request to the server takes a link on ISP1. The
inconsistent forward and return paths may slow down or even interrupt services. To resolve this
issue, configure the sticky load balancing function on the incoming interface of ISP1.
The NGFW uses the incoming interface of the forward packets as the outgoing interface of return
packets instead of searching for policy-based routes, specific routes, and default routes.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load balancing function is enabled by
default. Otherwise, configure the sticky load balancing function.
----End
Context
Many Ethernet interfaces are bundled into an Eth-Trunk interface. An Eth-Trunk interface
provides bandwidth that is equal to the total bandwidth of all its member interfaces. If a member
interface goes Down, traffic keeps being transmitted by other member interfaces, which
increases link reliability.
A physical interface can only be added to a single Eth-Trunk interface. If a physical interface
needs to be added to other Eth-Trunk interfaces, remove the physical interface from the existing
Eth-Trunk interface before adding the physical interface to another Eth-Trunk interface.
Procedure
Step 1 Display the system view.
system-view
NOTE
Only a single link-local address can be configured on an interface. If you repeatedly configure link-local
addresses, the last configuration takes effect.
3. Assign a global unicast IPv6 address to the interface.
ipv6 address { ipv6-address | ipv6-address/prefix-length } [ eui-64 ]
An EUI-64 address supports the same function as a global unicast address. The difference
between the two addresses is as follows:
- Only the network bits need to be specified for the EUI-64 address, because the host bits
are transformed from the MAC addresses of the interface. The prefix length of the
network bits in an EUI-64 address must not be longer than 64 bits.
- A complete 128-bit address needs to be specified for the global unicast address.
The EUI-64 address and global unicast address can be configured simultaneously or
separately. However, IP addresses configured for the same interface cannot be on the same
network segment.
Step 12 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number
Step 13 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth egress bandwidth-number
Step 15 Optional: Allow or block HTTP, HTTPS, ping, SSH, SNMP, or Telnet access to the NGFW.
service-manage { http | https | ping | ssh | snmp | telnet } { permit | deny }
By default, the management interface (GE0/0/0) allows HTTP, HTTPS, ping, SSH, SNMP, and
Telnet access to a NGFW, and a non-management interface denies HTTP, HTTPS, ping, SSH,
SNMP, and Telnet access to a NGFW.
Step 16 Optional: Restore the access control management function of an interface to the default setting.
reset service-manage
After you run this command, the access control management function of the management
interface (GE0/0/0) is enabled, and the administrator is allowed to use HTTP, HTTPS, Ping,
SSH, SNMP, and Telnet to access the device. For non-management interfaces, the access control
management function is enabled, but the administrator is not allowed to use HTTP, HTTPS,
Ping, SSH, SNMP, or Telnet to access the device.
If a gateway address is configured on the interface, you are advised to set nexthop-address the
same as the gateway address.
In the multi-ISP load balancing NAT server scenario, the NGFW looks up the routing table for
an outgoing interface to send the return traffic from a server. As a result, the return traffic from
the server may take a path on ISP2, although the request to the server takes a link on ISP1. The
inconsistent forward and return paths may slow down or even interrupt services. To resolve this
issue, configure the sticky load balancing function on the incoming interface of ISP1.
The NGFW uses the incoming interface of the forward packets as the outgoing interface of return
packets instead of searching for policy-based routes, specific routes, and default routes.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load balancing function is enabled by
default. Otherwise, configure the sticky load balancing function.
After bypass detection is enabled, the device detects packets received on this interface and then
discards them.
----End
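The service-manage steps above (and their repeats in the Ethernet, subinterface, and Vlanif procedures) state the defaults that matter for exposure: GE0/0/0 permits every management protocol, including cleartext HTTP and Telnet, and reset service-manage restores exactly that. The following Python script is an added example, not part of the Huawei guide or NGFW software; it parses a constructed configuration excerpt written in the style of the CLI commands on this page (the exact dump layout is an assumption), applies the documented per-interface defaults, and reports where management protocols are reachable. Severity labels and the sample interface names are the example's own choices.

```python
import re

# Interface that the guide identifies as the management interface (GE0/0/0).
MGMT_INTERFACE = "GigabitEthernet0/0/0"
# Services controlled by "service-manage { http | https | ping | ssh | snmp | telnet }".
SERVICES = ("http", "https", "ping", "ssh", "snmp", "telnet")
# Protocols that carry credentials in cleartext; flagged wherever they are permitted.
CLEARTEXT = {"http", "telnet"}

# Constructed sample configuration (not captured from a real device). Note that
# GE0/0/0 never mentions telnet, so the default "permit" applies to it.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 192.168.0.1 255.255.255.0
 service-manage http permit
 service-manage https permit
 service-manage ssh permit
#
interface GigabitEthernet1/0/1
 ip address 1.1.1.1 255.255.255.0
 service-manage telnet permit
 service-manage https permit
#
interface GigabitEthernet1/0/3
 ip address 10.3.0.1 255.255.255.0
#
"""

INTERFACE_RE = re.compile(r"^interface (\S+)\s*$")
SERVICE_RE = re.compile(r"^\s*service-manage (\S+) (permit|deny)\s*$")


def parse_service_manage(config: str) -> dict:
    """Return {interface: {service: 'permit' | 'deny'}} with the guide's defaults applied:
    the management interface permits everything, other interfaces deny everything,
    and explicit service-manage lines override the default for that service."""
    result = {}
    current = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            current = m.group(1)
            default = "permit" if current == MGMT_INTERFACE else "deny"
            result[current] = {svc: default for svc in SERVICES}
            continue
        m = SERVICE_RE.match(line)
        if m and current is not None:
            svc, action = m.groups()
            if svc in SERVICES:
                result[current][svc] = action
    return result


def find_exposed_services(config: str) -> list:
    """List (interface, service, severity) for every permitted management protocol:
    cleartext protocols are 'high' anywhere; any protocol on a non-management
    interface is at least 'medium' because a data-plane interface then accepts
    administrative logins."""
    findings = []
    for ifname, services in parse_service_manage(config).items():
        for svc, action in services.items():
            if action != "permit":
                continue
            if svc in CLEARTEXT:
                findings.append((ifname, svc, "high"))
            elif ifname != MGMT_INTERFACE:
                findings.append((ifname, svc, "medium"))
    return findings


if __name__ == "__main__":
    for ifname, svc, severity in find_exposed_services(SAMPLE_CONFIG):
        print(f"{severity:6} {ifname}: service-manage {svc} permit")
```

Run against a real configuration dump, the report shows the implicit Telnet permit on GE0/0/0 as clearly as the explicit one on GE1/0/1, which is the point: the defaults described in the steps above are part of the exposure, so an explicit service-manage telnet deny and service-manage http deny on the management interface belong in the baseline.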
Context
A combo interface is an optical/electrical Ethernet interface, but it can work only as an optical
or electrical interface at a time.
By default, the combo interface works as an electrical interface. When it works as an optical
interface, you need to further specify the working status of the combo interface through the
following steps.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number
Step 3 Run:
combo enable { copper | fiber }
----End
Context
Loopback interface usage is as follows:
- The IPv4 or IPv6 address of a loopback interface is designated as the source address of
packets.
- The IPv4 or IPv6 address of a loopback interface is used to control access to an interface
and filter information, such as logs.
Because the loopback interface is always Up, its address can be used as a router ID, a label
switching router (LSR) ID, or an unnumbered address.
Procedure
Step 1 Display the system view.
system-view
Step 2 Create a loopback interface and display the loopback interface view.
interface loopback loopback-number
To assign the second and subsequent IPv4 addresses to the interface, configure the sub parameter
in the ip address command.
Enable the IPv6 capability in the interface view before performing IPv6 configurations in
the interface view.
To allow the interface to forward IPv6 packets, run the ipv6 command in the system view.
2. Perform either of the following operations to configure an IPv6 link-local address:
- To enable the system to automatically generate an IPv6 link-local address, run:
ipv6 address auto link-local
Allowing the system to automatically generate a link-local address is recommended.
This is because the link-local address is only used for protocol-based communication
between link-local nodes, regardless of communication between users.
NOTE
Only a single link-local address can be configured on an interface. If you repeatedly configure link-local
addresses, the last configuration takes effect.
3. Assign a global unicast IPv6 address to the interface.
ipv6 address { ipv6-address | ipv6-address/prefix-length } [ eui-64 ]
An EUI-64 address supports the same function as a global unicast address. The difference
between the two addresses is as follows:
- Only the network bits need to be specified for the EUI-64 address, because the host bits
are transformed from the MAC addresses of the interface. The prefix length of the
network bits in an EUI-64 address must not be longer than 64 bits.
- A complete 128-bit address needs to be specified for the global unicast address.
The EUI-64 address and global unicast address can be configured simultaneously or
separately. However, IP addresses configured for the same interface cannot be on the same
network segment.
----End
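The EUI-64 explanation repeated in the IPv6 steps of the Ethernet, subinterface, Vlanif, Eth-Trunk, and loopback procedures above says only that the host bits are "transformed from the MAC address" and that the prefix must not exceed 64 bits. The following Python code is an added example, not part of the Huawei guide or NGFW software; it carries the transformation through (split the MAC, insert FFFE, invert the universal/local bit, as standardized for modified EUI-64 interface identifiers), enforces the 64-bit prefix limit, checks the FE80::/10 link-local prefix named in the link-local step, and checks the rule that two addresses on one interface must not share a network segment. The MAC address and prefixes are constructed sample values.

```python
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Derive the 64-bit interface identifier from a 48-bit MAC address.
    The MAC is split into two 24-bit halves, 0xFFFE is inserted between them,
    and the universal/local bit (bit 1 of the first octet) is inverted."""
    raw = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(raw) != 6:
        raise ValueError("a MAC address is 48 bits (6 octets)")
    raw[0] ^= 0x02  # invert the U/L bit
    iid = bytes(raw[:3]) + b"\xff\xfe" + bytes(raw[3:])
    return int.from_bytes(iid, "big")


def eui64_prefix_ok(prefix: str) -> bool:
    """The guide requires the network part of an EUI-64 address to be at most 64 bits,
    otherwise the 64-bit interface identifier would not fit."""
    return ipaddress.IPv6Network(prefix, strict=False).prefixlen <= 64


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine the configured network bits with the derived interface identifier,
    which is what 'ipv6 address <prefix>/<len> eui-64' produces on the interface."""
    if not eui64_prefix_ok(prefix):
        raise ValueError(f"EUI-64 needs a prefix of at most 64 bits: {prefix}")
    net = ipaddress.IPv6Network(prefix, strict=False)
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def is_link_local(addr: str) -> bool:
    """True when the address falls inside the FE80::/10 link-local prefix."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network("fe80::/10")


def on_same_segment(addr_a: str, addr_b: str) -> bool:
    """True when two prefixed addresses (e.g. '2001:db8:1::1/64') share a network;
    the guide forbids assigning such a pair to one interface."""
    return ipaddress.IPv6Interface(addr_a).network == ipaddress.IPv6Interface(addr_b).network


if __name__ == "__main__":
    # Constructed sample values, not taken from a real device.
    mac = "00:11:22:33:44:55"
    addr = eui64_address("2001:db8:1::/64", mac)
    print("EUI-64 address:", addr)
    print("link-local?", is_link_local("fe80::1"), is_link_local(str(addr)))
    print("same segment?", on_same_segment(f"{addr}/64", "2001:db8:1::1/64"))
```

Because the interface identifier is a direct function of the MAC address, an EUI-64 host part is stable across reboots and identifies the hardware to any peer that sees the address; where that matters, the page's alternative of specifying the complete 128-bit global unicast address avoids embedding the MAC.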
Context
A null interface is similar to a null device supported by an operating system. Any network data
packets sent to this interface are discarded.
Procedure
Step 1 Display the system view.
system-view
alias alias
----End
Example
# Configure a blackhole route to allow a null interface on the NGFW to discard all received
packets destined for 10.1.1.0/24.
<NGFW> system-view
[NGFW] ip route-static 10.1.1.0 24 NULL 0
Context
An interface pair is a pair of incoming and outgoing interfaces. After an interface pair is formed,
traffic that enters the incoming interface of the pair is forwarded out of the outgoing interface
of the pair without a routing table or MAC address table lookup.
If the incoming and outgoing interfaces are the same interface, the packets entering the interface
are forwarded out of the same interface after being processed.
Interfaces that can form an interface pair include Layer 2 Ethernet interfaces and their
subinterfaces and Layer 2 Eth-Trunk interfaces and their subinterfaces.
Procedure
Step 1 Run the system-view command to access the system view.
----End
You can run a display command to check the configuration and status of a specific interface.
Table 8-23 lists the display commands.
Action: Display brief information about Ethernet interfaces.
Command: display interface ethernet brief [ | { begin | include | exclude } regular-expression ]
Action: Display brief information about interfaces.
Command: display interface brief [ | { begin | include | exclude } regular-expression ]
Action: Display the status of the null interface.
Command: display interface null [ number ] [ | { begin | include | exclude } regular-expression ]
Action: Display the status of the loopback interface.
Command: display interface loopback [ number ] [ | { begin | include | exclude } regular-expression ]
8.1.4.1 Example for Accessing the Internet Using a Static IPv4 Address
This section provides an example for configuring a NGFW to obtain a static IPv4 address from
a carrier and allow PCs attached to the NGFW to access broadband Internet services.
Networking Requirements
An enterprise shown in Figure 8-4 subscribes to broadband Internet services and obtains a static
IPv4 address 1.1.1.1/24. The IP addresses of both a gateway and a DNS server are 1.1.1.254.
The enterprise assigns the static IPv4 address to a NGFW to allow PCs attached to the NGFW
to access the Internet.
[Figure 8-4: PCs on the intranet connect to GE1/0/3 (10.3.0.1/24) of the NGFW; GE1/0/1 (1.1.1.1/24) of the NGFW connects to the carrier's router.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Obtain an IPv4 address from the carrier and assign this static IPv4 address to
GigabitEthernet 1/0/1 on the NGFW.
2. Assign an IP address to GigabitEthernet 1/0/3 that connects the NGFW to the intranet.
3. Configure a security policy and a NAT policy (easy-IP) on the NGFW.
4. Set the IP address of the gateway to 10.3.0.1 and the IP address of a DNS server to 1.1.1.254.
The following example describes the configuration procedure of the NGFW. The
configuration procedure for the PCs is not provided.
Procedure
Step 1 Configure GigabitEthernet 1/0/1.
1. Choose Network > Interface.
2. Click and set the following parameters for GE1/0/1.
Zone untrust
Mode Route
IPv4
IP Address 1.1.1.1/255.255.255.0
3. Click OK.
Step 2 Configure GigabitEthernet 1/0/3.
1. Choose Network > Interface.
2. Click and set the following parameters for GE1/0/3.
Zone trust
Mode Route
IPv4
IP Address 10.3.0.1/255.255.255.0
3. Click OK.
Step 3 Configure a security policy to allow the PCs to access the Internet.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add and set the following parameters.
The following example provides basic security policy parameters. You can set other
parameters as needed.
Name policy_sec_1
Action Permit
3. Click OK.
Step 4 Configure a NAT policy to translate private network IP addresses into public network IP
addresses before PCs access the Internet.
1. Choose Policy > NAT Policy > Source NAT.
2. Click Add in Source NAT Policy List. Then set the following parameters.
Name policy_nat_1
Before NAT
Action NAT
After NAT
3. Click OK.
----End
Configuration Verification
1. Check the status of GigabitEthernet 1/0/1 (uplink).
a. Choose Network > Interface.
b. Verify that the physical status and IPv4 status of GigabitEthernet 1/0/1 are Up.
2. Check whether the PC on the intranet can use domain names to access the Internet. If the
PC can access the Internet, the configuration is successful. If the PC fails to access the
Internet, modify the configuration and try again.
Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 1.1.1.254
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 10.3.0.0 24
action nat easy-ip
#
return
Networking Requirements
Figure 8-5 shows that a NGFW functions as an egress gateway and connects PCs in an intranet
to the Internet. The network plan is as follows:
l An administrator manually specifies an IPv4 address for each PC on the network segment
10.3.0.0/24.
l An interface with a static IPv4 address connects the NGFW to the intranet.
l Another interface on the NGFW that functions as a DHCP client applies for a client IPv4
address and a DNS server IP address from a DHCP server and connects the intranet to the
Internet.
Figure 8-5 Networking diagram for accessing the Internet using DHCP
[Figure 8-5: PCs on the intranet connect to GE1/0/3 (10.3.0.1/24, Trust zone) of the NGFW; GE1/0/1 (Untrust zone) runs as a DHCP client toward the carrier's DHCP server.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the DHCP client function on GigabitEthernet 1/0/1 of the NGFW to obtain a client
IPv4 address and a DNS server address from a DHCP server.
2. Specify a static IPv4 address on GigabitEthernet 1/0/3 that connects the NGFW to the
intranet.
3. Configure a security policy and a NAT policy (easy-IP) on the NGFW.
4. Enable the DNS proxy on the NGFW.
5. Set the IP addresses of the PCs' gateway and a DNS server to 10.3.0.1. By default, DNS
proxy is enabled on the NGFW. This example provides the configuration procedure on the
NGFW. The configuration procedure for the PCs is not provided.
NOTE
After the NGFW obtains an IPv4 address from a DHCP server, the DHCP server issues a default route to
the NGFW that functions as a DHCP client. The next hop of the default route is a carrier's device. Therefore,
there is no need to configure a default route.
Procedure
Step 1 Configure GigabitEthernet 1/0/1.
1. Choose Network > Interface.
2. Click and set the following parameters for GE1/0/1.
Zone untrust
Mode Route
IPv4
3. Click OK.
Step 2 Configure GigabitEthernet 1/0/3.
1. Choose Network > Interface.
2. Click and set the following parameters for GE1/0/3.
Zone trust
Mode Route
IPv4
IP Address 10.3.0.1/255.255.255.0
3. Click OK.
Step 3 Configure a security policy to allow the PCs to access the Internet.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add and set the following parameters.
The following example provides basic security policy parameters. You can set other
parameters as needed.
Name policy_sec_1
Action Permit
3. Click OK.
Step 4 Configure a NAT policy to translate private network IP addresses into public network IP
addresses before PCs access the Internet.
1. Choose Policy > NAT Policy > Source NAT.
2. Click Add in Source NAT Policy List. Then set the following parameters.
Name policy_nat_1
Before NAT
Action NAT
After NAT
3. Click OK.
Step 5 Enable the DNS proxy on the NGFW.
NOTE
----End
Configuration Verification
1. Check the status of GigabitEthernet 1/0/1 (uplink).
a. Choose Network > Interface.
b. Verify that the physical status and IPv4 status of GigabitEthernet 1/0/1 are Up, the
connection type is DHCP, and the interface obtained an IPv4 address.
2. Check whether the PC on the intranet can use domain names to access the Internet. If the
PC can access the Internet, the configuration is successful. If the PC fails to access the
Internet, modify the configuration and try again.
Configuration Script
#
dns resolve
dns server unnumbered interface GigabitEthernet1/0/1
#
dns proxy enable
#
sysname NGFW
#
interface GigabitEthernet1/0/1
dhcp client enable
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 preference 245
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 10.3.0.0 24
action nat easy-ip
#
return
Networking Requirements
The NGFW shown in Figure 8-6 functions as an egress gateway that connects PCs on the LAN
to the Internet.
The NGFW is configured as a PPPoE client. After the NGFW obtains IPv4 addresses for users
and a DNS address from the carrier's server, users on the intranet can access the Internet.
Figure 8-6 Networking diagram for accessing the Internet using IPv4 PPPoE
[Figure 8-6: PCs on the intranet connect to GE1/0/3 (10.3.0.1/24, Trust zone) of the NGFW; GE1/0/1 (Untrust zone) runs as a PPPoE client toward the carrier's PPPoE server through a DSLAM.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the PPPoE client function on GigabitEthernet 1/0/1 of the NGFW to obtain IPv4
addresses and a DNS server address from a PPPoE server.
2. Specify a static IPv4 address on GigabitEthernet 1/0/3 that connects the NGFW to the
intranet.
3. Configure a security policy and a NAT policy (easy-IP) on the NGFW.
4. Enable the DNS proxy on the NGFW.
5. Set the IP addresses of the PCs' gateway and a DNS server to 10.3.0.1. By default, DNS
proxy is enabled on the NGFW. This example provides the configuration procedure on the
NGFW. The configuration procedure for the PCs is not provided.
Procedure
Step 1 Configure GigabitEthernet 1/0/1.
1. Choose Network > Interface.
2. Click and set the following parameters for GE1/0/1.
In the following example, a carrier provides a user name user and password Password.
The settings vary depending on real-world situations.
Zone untrust
Mode Route
IPv4
Password Password
3. Click OK.
Step 2 Configure GigabitEthernet 1/0/3.
1. Choose Network > Interface.
2. Click and set the following parameters for GE1/0/3.
Zone trust
Mode Route
IPv4
IP Address 10.3.0.1/255.255.255.0
3. Click OK.
Step 3 Configure a security policy to allow the PCs to access the Internet.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add and set the following parameters.
The following example provides basic security policy parameters. You can set other
parameters as needed.
Name policy_sec_1
Action Permit
3. Click OK.
Step 4 Configure a NAT policy to translate private network IP addresses into public network IP
addresses before the PCs access the Internet.
1. Choose Policy > NAT Policy > Source NAT.
2. Click Add in Source NAT Policy List. Then set the following parameters.
Name policy_nat_1
Before NAT
Action NAT
After NAT
3. Click OK.
Step 5 Enable the DNS proxy on the NGFW.
NOTE
<NGFW> system-view
[NGFW] dns proxy enable
----End
Configuration Verification
1. Check the status of GigabitEthernet 1/0/1 (uplink).
a. Choose Network > Interface.
b. Verify that the physical status and IPv4 status of GigabitEthernet 1/0/1 are Up and the
connection type is PPPoE.
2. Check whether the PC on the intranet can use domain names to access the Internet. If the
PC can access the Internet, the configuration is successful. If the PC fails to access the
Internet, modify the configuration and try again.
Configuration Script
#
dns resolve
dns server unnumbered interface Dialer0
#
dns proxy enable
#
sysname NGFW
#
interface Dialer0
link-protocol ppp
ppp chap user user
ppp chap password cipher %$%$={~dOY5l1Xs<t&F{j)~R,md[%$%$
ppp pap local-user user password cipher %$%$={~dOY5l1Xs<t&F{j)~R,md[%$%$
ppp ipcp dns admit-any
ip address ppp-negotiate
dialer user user
dialer bundle 1
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv4
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface Dialer0
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 0
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 10.3.0.0 24
action nat easy-ip
#
return
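The three configuration scripts above (static address, DHCP client and PPPoE client) share the same dependencies: the easy-IP NAT rule only sees traffic that a security-policy rule from the trust zone to the uplink's zone has already permitted, the uplink must belong to a zone, and a statically addressed uplink needs a default route. The following checker is an added example, not Huawei code, that parses the script format shown above and reports when those pieces do not fit; the scripts it runs on are constructed copies of the ones on this page.

```python
# Added example, not part of the Huawei guide: a consistency checker for the
# "#"-separated NGFW configuration scripts shown above (static, DHCP and PPPoE
# uplinks): do the easy-IP NAT rule, the security policy, the zone membership
# of the uplink and the default route fit together?
import ipaddress

# Constructed sample input: a trimmed copy of the static-address script above.
STATIC_SCRIPT = """\
interface GigabitEthernet1/0/1
 ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 1.1.1.254
#
security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  action permit
#
nat-policy
 rule name policy_nat_1
  source-zone trust
  egress-interface GigabitEthernet1/0/1
  source-address 10.3.0.0 24
  action nat easy-ip
#
return
"""
# Constructed misconfiguration: the uplink is in no zone, so policy_sec_1 never matches.
BROKEN_SCRIPT = STATIC_SCRIPT.replace(" add interface GigabitEthernet1/0/1\n", "")


def parse_rules(lines):
    # Parse the "rule name ..." stanzas of a security-policy or nat-policy block.
    rules = []
    for w in (l.split() for l in lines):
        if w[:2] == ["rule", "name"]:
            rules.append({"name": w[2], "source-zone": set(), "destination-zone": set(),
                          "source-address": [], "egress-interface": None, "action": None})
        elif w[0] in ("source-zone", "destination-zone"):
            rules[-1][w[0]].add(w[1])
        elif w[0] == "source-address":
            rules[-1]["source-address"].append(ipaddress.ip_network(f"{w[1]}/{w[2]}"))
        elif w[0] == "egress-interface":
            rules[-1]["egress-interface"] = w[1]
        elif w[0] == "action":
            rules[-1]["action"] = " ".join(w[1:])
    return rules


def parse_config(text):
    # Split the script at "#" lines and extract what the checks need.
    cfg = {"dynamic": set(), "zones": {}, "default_route": False,
           "security-policy": [], "nat-policy": []}
    blocks, cur = [], []
    for line in (l.strip() for l in text.splitlines()):
        if line == "#":
            blocks, cur = blocks + [cur], []
        elif line:
            cur.append(line)
    for head, *body in (b for b in blocks + [cur] if b):
        w = head.split()
        if w[0] == "interface" and any(
                l.startswith(("dhcp client", "pppoe-client", "ip address ppp-")) for l in body):
            cfg["dynamic"].add(w[1])   # address and default route come from the server
        elif w[:2] == ["firewall", "zone"]:
            cfg["zones"][w[2]] = [l.split()[2] for l in body if l.startswith("add interface ")]
        elif w[:4] == ["ip", "route-static", "0.0.0.0", "0.0.0.0"]:
            cfg["default_route"] = True
        elif head in ("security-policy", "nat-policy"):
            cfg[head] = parse_rules(body)
    return cfg


def check_internet_access(cfg):
    # Return a list of findings; an empty list means the script is consistent.
    findings = []
    zone_of = {i: z for z, members in cfg["zones"].items() for i in members}
    for nat in cfg["nat-policy"]:
        up, zone = nat["egress-interface"], zone_of.get(nat["egress-interface"])
        if zone is None:
            findings.append(f"{nat['name']}: egress interface {up} is in no security zone")
            continue
        # NAT applies only to traffic a permit rule (NAT source zone -> uplink zone) lets through
        for net in nat["source-address"]:
            if not any(r["action"] == "permit" and r["source-zone"] & nat["source-zone"]
                       and zone in r["destination-zone"]
                       and any(p.supernet_of(net) for p in r["source-address"])
                       for r in cfg["security-policy"]):
                findings.append(f"{nat['name']}: no permit rule covers {net} to zone {zone}")
        # a static uplink needs a default route; DHCP/PPPoE clients learn one (see the NOTE above)
        if not cfg["default_route"] and up not in cfg["dynamic"]:
            findings.append(f"{up}: static address but no default route")
    return findings
```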
8.1.4.4 Example for Configuring Static IPv6 Addresses for Devices to Communicate
This section describes how to configure static IPv6 addresses for devices to communicate. The
interfaces connecting two devices are configured with IPv6 addresses.
Networking Requirements
NGFW_A and NGFW_B are connected, as shown in Figure 8-7. Global unicast IPv6 addresses
can be assigned to interfaces that directly connect NGFW_A and NGFW_B to allow the two
devices to communicate with each other.
[Figure 8-7: GE1/0/1 (3000::1/64) of NGFW_A connects directly to GE1/0/1 (3000::2/64) of NGFW_B.]
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure NGFW_A.
1. Choose Dashboard > System Information and enable IPv6 globally to allow the
NGFW to forward IPv6 packets.
2. Configure GigabitEthernet 1/0/1.
a. Choose Network > Interface.
b. Click and set the following parameters for GE1/0/1.
Zone untrust
Mode Route
IPv6
c. Click OK.
3. Configure a security policy.
a. Choose Policy > Security Policy > Security Policy.
b. Click Add and set the following parameters.
In this example, only basic security policy parameters are set. You can set other
parameters as needed.
Name policy_sec_1
Action Permit
c. Click OK.
----End
Configuration Verification
1. Check the status of GigabitEthernet 1/0/1. The following example uses GigabitEthernet
1/0/1 on NGFW_A.
a. Choose Network > Interface.
b. Verify that both the physical and IPv6 statuses of GigabitEthernet 1/0/1 are Up.
2. Run the ping command on NGFW_A to test the connectivity between the devices.
Configuration Scripts
Configuration script for NGFW_A:
#
ipv6
#
sysname NGFW_A
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 3000::1 64
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
security-policy
rule name policy_sec_1
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
#
return
Networking Requirements
As shown in Figure 8-8, two project teams in the same R&D department belong to different
VLANs that need to communicate.
Figure 8-8 Networking diagram for configuring VLAN Interfaces to allow VLANs to
communicate
[Figure 8-8: VLAN2 PCs (10.3.0.0/24) connect to GE1/0/2 of the NGFW and use Vlanif2 (10.3.0.1/24, Trust zone); VLAN3 PCs (10.3.1.0/24) connect to GE1/0/3 and use Vlanif3 (10.3.1.1/24, Untrust zone).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Switch GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 of the NGFW to Layer 2 mode
and assign GigabitEthernet 1/0/2 to VLAN2 and GigabitEthernet 1/0/3 to VLAN3.
2. Create and configure Vlanif2 and Vlanif3 on the NGFW.
3. Configure security policies on the NGFW.
4. Set the gateway address used by VLAN2 PCs to 10.3.0.1 and the gateway address used by
VLAN3 PCs to 10.3.1.1. This example describes the configuration procedure on the
NGFW. The configuration details on PCs are not provided.
Procedure
Step 1 Configure GigabitEthernet 1/0/2.
1. Choose Network > Interface.
2. Click and set the following parameters for GigabitEthernet 1/0/2.
Zone trust
Mode Switch
Access VLAN ID 2
3. Click OK.
Step 2 Configure GigabitEthernet 1/0/3.
1. Choose Network > Interface.
2. Click and set the following parameters for GigabitEthernet 1/0/3.
Zone untrust
Mode Switch
Access VLAN ID 3
3. Click OK.
Step 3 Create Vlanif2.
1. Choose Network > Interface.
2. Click Add and set the following parameters.
Type VLAN
Zone trust
VLAN ID 2
IPv4
IP Address 10.3.0.1/255.255.255.0
3. Click OK.
Step 4 Create Vlanif3.
1. Choose Network > Interface.
2. Click Add and set the following parameters.
Type VLAN
Zone untrust
VLAN ID 3
IPv4
IP Address 10.3.1.1/255.255.255.0
3. Click OK.
Step 5 Configure a security policy to allow the two VLANs to communicate.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add and set the following parameters.
The following example provides basic security policy parameters. You can set other
parameters to the desired values.
Name policy_sec_1
Action Permit
3. Click OK.
----End
Configuration Verification
1. Check the status of Vlanif2 and Vlanif3.
a. Choose Network > Interface.
b. Verify that the physical and IPv4 statuses of each Vlanif interface are Up.
2. After completing the configuration, verify that PCs of VLANs 2 and 3 can communicate.
If they can, the configuration is successful. If they cannot, modify the configuration and
try again.
Configuration Script
#
vlan batch 1 to 3
#
sysname NGFW
#
interface Vlanif2
alias Vlanif2
ip address 10.3.0.1 255.255.255.0
#
interface Vlanif3
alias Vlanif3
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
portswitch
port link-type access
port access vlan 2
#
interface GigabitEthernet1/0/3
portswitch
port link-type access
port access vlan 3
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
add interface Vlanif2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3
add interface Vlanif3
#
security-policy
rule name policy_sec_1
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust
action permit
#
return
Networking Requirements
Three project teams in the R&D department shown in Figure 8-9 are deployed separately and
belong to VLAN10, VLAN20, and VLAN30, respectively. PCs of these project teams need to
communicate with each other to enable project teams to work with each other.
Figure 8-9 Networking diagram for configuring VLANs on Layer 3 subinterfaces to allow the
VLANs to communicate with each other
[Figure 8-9: GE1/0/3 (Trust zone) of the NGFW connects to a switch that carries VLAN10, VLAN20, and VLAN30.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the subinterface function on GigabitEthernet 1/0/3 of the NGFW and create a
subinterface for each VLAN to allow inter-VLAN communication, which enables Layer 3
communication between different VLANs.
2. Configure a VLAN on the switch and assign interfaces to VLANs. The configuration details
are not provided.
3. Use the IP address of a VLAN-specific subinterface as the gateway address for the PCs on
a specific VLAN. The configuration details on PCs are not provided.
Procedure
Step 1 Create GigabitEthernet 1/0/3.1.
1. Choose Network > Interface.
2. Click Add and set the following parameters.
Type Subinterface
Zone trust
VLAN ID 10
IPv4
IP Address 10.3.1.1/255.255.255.0
3. Click OK.
Step 2 Create GigabitEthernet 1/0/3.2.
1. Choose Network > Interface.
2. Click Add and set the following parameters.
Type Subinterface
Zone trust
VLAN ID 20
IPv4
IP Address 10.3.2.1/255.255.255.0
3. Click OK.
Step 3 Create GigabitEthernet 1/0/3.3.
1. Choose Network > Interface.
2. Click Add and set the following parameters.
Type Subinterface
Zone trust
VLAN ID 30
IPv4
IP Address 10.3.3.1/255.255.255.0
3. Click OK.
----End
Configuration Verification
1. Check the status of each subinterface.
a. Choose Network > Interface.
b. Verify that the physical and IPv4 statuses of each subinterface are Up.
2. Check whether PCs in VLAN10, VLAN20, and VLAN30 can communicate. If they can
communicate, the configuration is successful. If they fail to communicate, modify the
configuration and try again.
Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/3.1
vlan-type dot1q 10
alias GigabitEthernet1/0/3.1
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3.2
vlan-type dot1q 20
alias GigabitEthernet1/0/3.2
ip address 10.3.2.1 255.255.255.0
#
interface GigabitEthernet1/0/3.3
vlan-type dot1q 30
alias GigabitEthernet1/0/3.3
ip address 10.3.3.1 255.255.255.0
#
Networking Requirements
As shown in Figure 8-10, PCs of the financial and marketing departments of an enterprise are
distributed in two buildings, each of which is connected to a NGFW. The two NGFWs are
connected to each other. To improve service security, the NGFWs can be configured to forbid
inter-department communication so that only PCs of the same department can communicate
with each other.
[Figure 8-10: In each building, Financial Department PCs (VLAN5) connect to GE1/0/2 and Marketing Department PCs (VLAN9) connect to GE1/0/3 of the local NGFW (Trust zone); GE1/0/1 of NGFW_A and GE1/0/1 of NGFW_B are connected by a trunk link that carries VLAN5 and VLAN9.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN5 and VLAN9 on both NGFW_A and NGFW_B. Add interfaces of each
NGFW to two VLANs so that PCs connected to each interface can access separate VLANs.
2. Configure trunk interfaces on NGFW_A and NGFW_B to allow VLAN5 and VLAN9
packets through.
Procedure
l Configure NGFW_A.
1. Configure GigabitEthernet 1/0/2.
a. Choose Network > Interface.
b. Click and set the following parameters for GE1/0/2.
Zone trust
Mode Switch
Access VLAN ID 5
c. Click OK.
2. Configure GigabitEthernet 1/0/3.
a. Choose Network > Interface.
b. Click and set the following parameters for GE1/0/3.
Zone trust
Mode Switch
Access VLAN ID 9
c. Click OK.
3. Configure GigabitEthernet 1/0/1.
a. Choose Network > Interface.
b. Click and set the following parameters for GE1/0/1.
Zone trust
Mode Switch
Trunk VLAN ID 5, 9
Default VLAN ID 1
c. Click OK.
l Configure NGFW_B.
The configuration of NGFW_B is similar to that of NGFW_A. The configuration details
are not provided.
----End
Configuration Verification
1. Check the status of GigabitEthernet 1/0/1, GigabitEthernet 1/0/2 and GigabitEthernet
1/0/3.
a. Choose Network > Interface.
b. Verify that the physical status of GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and
GigabitEthernet 1/0/3 is Up.
2. After completing the configuration, verify that PCs only in the same department can
communicate with each other.
Configuration Scripts
Configuration script for NGFW_A:
#
vlan batch 1 5 9
#
sysname NGFW_A
#
interface GigabitEthernet1/0/1
portswitch
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 5 9
#
interface GigabitEthernet1/0/2
portswitch
port link-type access
port access vlan 5
#
interface GigabitEthernet1/0/3
portswitch
port link-type access
port access vlan 9
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
#
return
Symptom
Figure 8-11 shows the networking diagram for the Ethernet interface. The indicator connected
to the interface is off, or the physical status of the NGFW is Down.
[Figure 8-11: GE1/0/1 of NGFW_A connects to GE1/0/1 of NGFW_B.]
Possible Causes
The possible causes are as follows:
l Cause one: Faults occur in the cable.
l Cause two: The shutdown command is executed on an interface.
l Cause three: The auto negotiation protocols of the bottom chips on the devices on both ends
are inconsistent.
l Cause four: The interfaces on both ends are configured with different rates or working
modes.
l Cause five: A subcard of the NGFW fails.
Fault Diagnosis
Figure 8-12 shows the troubleshooting flow when the electrical interface cannot go Up.
Figure 8-12 Flowchart for troubleshooting the fault that the electrical interface cannot go Up
[Flowchart: the indicator of the interface is off. Is the cable faulty? If yes, replace the cable and check whether the fault is rectified. If not, check whether the interfaces at both ends use auto negotiation; if so, configure a mandatory rate and duplex mode and check whether the fault is rectified. If the fault persists, seek technical support; otherwise, end.]
Procedure
l Run the display interface GigabitEthernet interface-number command in the user or
system view to view the current running status of the interfaces of NGFWs on both ends.
For example, run the display interface GigabitEthernet 1/0/1 command on NGFW_A.
<NGFW_A> display interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : UP
Line protocol current state : Administratively DOWN
Description : GigabitEthernet1/0/1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.11.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-b130-0001
Media type is twisted pair, loopback not set, promiscuous mode not set
1000Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
QoS max-bandwidth : 1000000 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
---- More ----
If negotiation disable is displayed and the cable and subcard hardware are working
properly, go to Cause four.
– Current BW: rate of the interface.
– full-duplex mode: The interface is working in full-duplex mode.
– Loopback: none: The loopback function is disabled. The loopback command is used
to test whether the hardware of the interface is faulty. If no fault occurs, disable the
loopback function.
l Cause one: Faults occur in the cable.
1. Run the loopback command in the interface view.
2. Run the display interface interface-type interface-number command to view the
physical status of the interface.
If the physical status of the interface is Up, local hardware works properly. The cable
may be abnormal and needs to be replaced.
l Cause two: The shutdown command is executed on an interface.
1. Run the undo shutdown command on the interface to start the interface.
l Cause three: The auto negotiation protocols of the bottom chips on the devices on both ends
are inconsistent.
1. Run the speed and duplex commands in the interface view on both ends.
For example, you can configure the rate as 100 Mbit/s and the negotiation mode as
full-duplex on NGFW_A.
Run the speed 100 and duplex full commands in the interface view of NGFW_A.
Run the display this command in the interface view of NGFW_A to view the interface
configuration.
[NGFW_A-GigabitEthernet 1/0/1] display this
#
interface GigabitEthernet 1/0/1
speed 100
duplex full
#
return
l Cause four: The interfaces on both ends are configured with different rates or working
modes.
1. Check whether the configured rates and working modes of the interfaces on both ends
are consistent. If the rates and working modes are inconsistent, change them to the
same settings.
l Cause five: A subcard of the NGFW fails.
1. Run the loopback command in the interface view.
2. Run the display interface interface-type interface-number command to view the
physical status of the interface.
If the physical status of the interface is Down, hardware is abnormal.
3. Run the undo loopback command to disable the loopback function.
NOTE
After testing and troubleshooting the cable or hardware, run the undo loopback command to
disable the loopback function.
4. Replace the interface on the local device. If possible, replace the original interface
with an interface of another subcard of the same type. Then, check whether the fault
is removed.
– If the fault persists, go to Step 5.
– If the fault does not occur on other subcards, contact technical support personnel
to repair the faulty subcard.
5. Replace the interface on the remote device. If possible, replace the original interface
with an interface of another subcard of the same type. Then, check whether the fault
is removed. If the fault persists, contact technical support personnel to repair the faulty
subcard.
----End
Symptom
NOTICE
When maintaining devices that have optical modules or interfaces, note the following issues:
l Do not look into the fiber connector when installing and maintaining fibers.
l Do not look into the fiber connector without eye protection when replacing a pluggable
optical module.
l Wear an electrostatic discharge (ESD) wrist strap when replacing a pluggable optical module.
l Only engineers with professional training are allowed to operate optical modules or fibers.
Configure the subcard on which the optical interface resides on the NGFW with the SFP optical
or electronic module.
After optical interfaces are interconnected, the LINK indicator is off, or the interface is in Down
state. Figure 8-13 shows the typical networking.
[Figure 8-13: the Send port of the optical interface on NGFW_A is connected to the Receive port on NGFW_B, and the Send port on NGFW_B to the Receive port on NGFW_A.]
Possible Causes
l Cause one: The optical modules or fibers on both ends are inconsistent.
l Cause two: An optical fiber or module is abnormal.
l Cause three: The interface configurations on both ends are inconsistent.
l Cause four: An interface or a subcard fails.
Fault Diagnosis
Figure 8-14 Flowchart for troubleshooting the fault that the physical status of the optical
interface cannot be Up
[Flowchart: the optical interface cannot be in Up state. Do the optical module and fibers match the LPU? If not, change to an optical module and fibers that match each other and check whether the fault is rectified. Are the fibers normal? If not, replace the fibers and check whether the fault is rectified. Are the interface card and slot normal? If not, replace the interface card and check whether the fault is rectified.]
When troubleshooting faults, you may use tools, meters, and materials listed in Table 8-49.
Procedure
l Run the display interface command on both ends to view the current status of the interfaces.
For example, run the display interface GigabitEthernet 1/0/1 command on NGFW_A.
[NGFW_A] display interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : DOWN
Line protocol current state : Administratively DOWN
Description : GigabitEthernet1/0/1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.1.8.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-0008
Media type is SFP,Loopback not set,promiscuous mode not set
1000Mb/s-speed mode, full-duplex mode, link type is auto negotiation
Vendor Name: huawei
Vendor PN: 02310CRM
SN: AD1342R001C
Transceiver max BW: 1G
Transceiver Mode: SingleMode
WaveLengh: 1310nm
Transmission Distance: 52km
Current SFP module temperature(-128c/128c): 41.93 c
Current SFP module supply(0/6.55V): 3.29 V
Current SFP module Tx bias(0/131mA): 23.26 mA
Current SFP module Rx power(<8.129dBm): 2.79 dBm
---- More ----
You can measure the input optical power segment by segment with an optical power meter
to locate the segment on which the fault occurs. If the input optical power is not within the
sensitivity range of the optical interface, an optical power fault may exist on the remote end,
or a fault may exist in the optical cable.
– If the input optical power is lower than the specified value, clean the optical interface with
dust-free cotton so that the interface emitting the optical power is free of dust.
Dust may affect the coupling of the optical signal in optical cables or even block the
cables. This may cause faults such as low optical power, low sensitivity, and no optical power.
– If the input optical power is too high, the optical module at the receiving end is overloaded:
the input optical power exceeds the receiving sensitivity, the bit error ratio increases, and
the LINK indicator is off. Add an optical attenuator to the receiving optical fiber.
– If the input optical power is too low, the fiber or optical module at the sending end may
be damaged. Replace the fiber or optical module at the sending end.
l Cause three: The configurations of the interfaces on both ends are inconsistent.
1. Verify that the interfaces on both ends have the same negotiation mode, rate, and
duplex mode.
– If the value of the Link type field is auto negotiation, the negotiation mode of the
interfaces on both ends is auto negotiation. In this case, perform the following operations:
– Run the speed command in the interface view on both ends to configure the
rate.
– Run the duplex command in the interface view on both ends to configure the
duplex mode.
If the rates of the interfaces on both ends differ in auto negotiation mode, the cause
may be that the auto negotiation protocols of the forwarding layer chips on the two
devices are inconsistent. In this case, configure the same rate and duplex mode on the
devices on both ends.
For example, set the rate to 1000 Mbit/s and the negotiation mode to full-duplex on
NGFW_A.
[NGFW_A] display interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : DOWN
Line protocol current state : Administratively DOWN
Description : GigabitEthernet1/0/1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.1.8.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-0008
Run the display this command in GigabitEthernet 1/0/1 view of NGFW_A to view
the interface configuration.
[NGFW_A-GigabitEthernet 1/0/1] display this
#
interface GigabitEthernet 1/0/1
speed 1000
duplex full
#
return
If the status of the interface is still Down after several changes, perform the following
operations to check whether faults occur on the subcard.
2. Run the display device command on the NGFWs on both ends to view the current status
of the subcard on which the interface resides.
<sysname> display device
USG6680's Device status:
The Status field shows the subcard status. If the status of the subcard is Normal, the
subcard is working properly.
----End
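Both procedures above start from the display interface output of the two ends and work through the same comparison (shutdown state, negotiation mode, rate and duplex, and for SFP modules the receive power). The following parser and diagnosis routine is an added example, not Huawei code: the sample outputs are constructed from the fields shown on this page, the forced-mode wording "force link" is an assumption (anything other than "auto negotiation" is treated as forced), and the receive power window RX_WINDOW_DBM is a placeholder that must be taken from the optical module's data sheet.

```python
# Added example, not from the Huawei guide: parse "display interface" output
# from both ends of a link and map the differences to the causes listed in the
# electrical and optical troubleshooting procedures above. The outputs below are
# constructed from the fields shown on this page; the forced-mode wording
# "force link" and the receive power window RX_WINDOW_DBM are assumptions, the
# real sensitivity range comes from the optical module's data sheet.
import re

RX_WINDOW_DBM = (-20.0, -3.0)   # assumed receive sensitivity window, replace per module

# Constructed outputs: NGFW_A forced to 100 Mbit/s, NGFW_B forced to 1000 Mbit/s.
OUTPUT_A = """\
GigabitEthernet1/0/1 current state : DOWN
Line protocol current state : DOWN
Description : GigabitEthernet1/0/1 Interface, Route Port
Internet Address is 10.11.1.1/24
Media type is twisted pair, loopback not set, promiscuous mode not set
100Mb/s-speed mode, Full-duplex mode, link type is force link
"""
OUTPUT_B = """\
GigabitEthernet1/0/1 current state : DOWN
Line protocol current state : DOWN
Media type is twisted pair, loopback not set, promiscuous mode not set
1000Mb/s-speed mode, Full-duplex mode, link type is force link
"""
# Constructed optical output: the module reports +2.79 dBm at the receiver.
OUTPUT_OPTICAL = """\
GigabitEthernet1/0/1 current state : DOWN
Line protocol current state : DOWN
Media type is SFP,Loopback not set,promiscuous mode not set
1000Mb/s-speed mode, full-duplex mode, link type is auto negotiation
Transceiver Mode: SingleMode
Current SFP module Rx power(<8.129dBm): 2.79 dBm
"""


def parse_display_interface(text):
    """Extract the fields the troubleshooting steps above look at."""
    info = {"phys": None, "admin_down": False, "media": None, "speed": None,
            "duplex": None, "auto_neg": None, "rx_dbm": None}
    for line in text.splitlines():
        m = re.match(r"\S+ current state : (.+)", line)   # physical state, not line protocol
        if m:
            info["phys"] = m[1].strip()
            info["admin_down"] = "Administratively" in m[1]
            continue
        m = re.search(r"Media type is (\w+(?: \w+)?)", line)
        if m:
            info["media"] = m[1]
            continue
        m = re.match(r"(\d+)Mb/s-speed mode, (\w+)-duplex mode, link type is (.+)", line)
        if m:
            info["speed"], info["duplex"] = int(m[1]), m[2].lower()
            info["auto_neg"] = m[3].strip() == "auto negotiation"   # anything else: forced
            continue
        m = re.search(r"Rx power\(.*?\): (-?[\d.]+) dBm", line)
        if m:
            info["rx_dbm"] = float(m[1])
    return info


def diagnose(local, remote):
    """Map the two ends' fields to the causes named in the procedures above."""
    causes = []
    for name, end in (("local", local), ("remote", remote)):
        if end["admin_down"]:
            causes.append(f"cause two: {name} interface is shut down, run undo shutdown")
    same_rate = (local["speed"], local["duplex"]) == (remote["speed"], remote["duplex"])
    if local["auto_neg"] != remote["auto_neg"] or (local["auto_neg"] and not same_rate):
        causes.append("cause three: negotiation inconsistent, set speed and duplex on both ends")
    elif not same_rate:
        causes.append("cause four: forced rate or duplex mode differs on the two ends")
    if local["media"] == "SFP" and local["rx_dbm"] is not None:
        low, high = RX_WINDOW_DBM
        if local["rx_dbm"] > high:
            causes.append("optical: input power too high, add an attenuator on the receive fiber")
        elif local["rx_dbm"] < low:
            causes.append("optical: input power too low, check the remote module and the fiber")
    if not causes and local["phys"] != "UP":
        causes.append("cause one or five: run loopback to tell a faulty cable from a faulty subcard")
    return causes
```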
8.2.1 Overview
A security zone or zone is a security concept introduced by the device. Most security policies
are implemented based on security zones.
Definition
A security zone is a set of the networks connected by interfaces. Users on these networks have
the same security attributes.
Purpose
In network security applications, if the security device checked every packet one by one, it
would consume a large amount of resources and its performance would be severely degraded. Moreover,
it is unnecessary to check all packets. Therefore, a packet check mechanism based on security
zones was introduced in the network security field.
Then the network administrator can classify the network devices at the same security level into
one security zone. Since the network devices in the same security zone are at the same security
level, the NGFW considers that data flows in the same security zone bring no security risks and
thus no security policy is required. The NGFW triggers the security check and implements
security policies only on data flows between security zones.
All in all, in addition to the direct forwarding of packets, the NGFW supports creating security
zones, and allows the network administrator to implement security check on special packets and
enable the security function on the basis of security zones.
8.2.2 Mechanism
This section describes the security zone mechanism.
Security Zones
A security zone is a set of the networks connected by interfaces. Users on these networks have
the same security attributes.
The NGFW considers that data flows within a single security zone are trustful and require no
security policy. The NGFW enforces security policies only on data flows between security zones.
The security level value ranges from 1 to 100. The larger the value, the higher the security level.
NOTE
Default security zones cannot be deleted, and their security levels cannot be reset.
You can create security zones and specify their security levels as needed.
Zone Name: Local
Security Level: 100 (highest)
Description: The Local zone is the device itself, including the interfaces on the device. Users cannot change Local zone configurations, for example, adding interfaces to the Local zone.
NOTE
A security policy for exchanging packets between the Local zone and the security zone of a peer can be configured in the following scenarios:
l The local device itself requires management using Telnet, web, or SNMP NMS.
l The local device serves as a client to initiate requests or as a server to process requests in the FTP, PPPoE dial-up, NTP, or IPSec VPN scenario.
An interface is added to a security zone. The network connected to the interface is in the security zone, while the interface itself is in the Local zone.
An interzone connects any two security zones. An interzone provides a specific view, in which
firewall configurations are performed.
Although an interzone forwards packets to both parties that exchange packets, the interzone
determines a traffic direction based on the first packet.
For example, a client in a Trust zone sends the first packet to request an HTTP connection
to a web server in an Untrust zone whose security level is lower than that of the Trust zone. The
NGFW considers that the packet is transmitted in the outbound direction and uses an outbound
security policy to determine whether to permit or deny the packet. After the HTTP connection
is successfully established, the NGFW creates a session table, which records the quintuple of
the connection in a session entry. The quintuple consists of the source and destination IP addresses,
the source and destination port numbers, and the protocol type.
If packets exchanged between the client and web server match the quintuple, the NGFW
processes the packets based on the outbound security policy, without re-checking the packet
transmission direction.
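The first-packet direction check and the session-table match described above, as an added example that is not part of the Huawei guide. The security levels other than the Local zone's 100, the interface-to-zone assignment, the rule format and all addresses are assumed values chosen for illustration:

```python
# Added example, not from the Huawei guide: a minimal model of zone-based
# policy enforcement as the text above describes it. Zone levels other than
# Local (100), the interfaces, addresses and rules are constructed values.
from dataclasses import dataclass
from typing import Dict, List, Tuple

ZONE_LEVELS = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}  # constructed, except local
INTERFACE_ZONE = {"GE1/0/1": "trust", "GE1/0/2": "untrust", "GE1/0/3": "trust"}  # constructed

FiveTuple = Tuple[str, str, int, int, str]


@dataclass(frozen=True)
class Packet:
    in_iface: str
    out_iface: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str


def direction(src_zone: str, dst_zone: str) -> str:
    """Outbound = from the higher security level towards the lower one."""
    return "outbound" if ZONE_LEVELS[src_zone] > ZONE_LEVELS[dst_zone] else "inbound"


class ZoneFirewall:
    def __init__(self, rules: List[dict]) -> None:
        # Each rule: {"src_zone", "dst_zone", "proto", "dst_port", "action"}.
        # The zone pair fixes the direction a rule applies to; default is deny.
        self.rules = rules
        self.sessions: Dict[FiveTuple, Tuple[str, str]] = {}

    def _first_packet(self, pkt: Packet, src_zone: str, dst_zone: str) -> Tuple[str, str]:
        """Decide the direction from the first packet and look up the interzone policy."""
        d = direction(src_zone, dst_zone)
        for r in self.rules:
            if (r["src_zone"], r["dst_zone"], r["proto"]) == (src_zone, dst_zone, pkt.proto) \
                    and r["dst_port"] == pkt.dst_port:
                return r["action"], d
        return "deny", d

    def process(self, pkt: Packet) -> Tuple[str, str]:
        key = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, pkt.proto)
        if key in self.sessions:
            # Later packets in either direction match the session entry; the
            # direction decided on the first packet is not re-evaluated.
            return self.sessions[key]
        src_zone, dst_zone = INTERFACE_ZONE[pkt.in_iface], INTERFACE_ZONE[pkt.out_iface]
        if src_zone == dst_zone:
            return "permit", "intrazone"          # same zone: no security policy check
        action, d = self._first_packet(pkt, src_zone, dst_zone)
        if action == "permit":
            # Record the quintuple and its mirror so the reply stream matches too.
            reverse = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port, pkt.proto)
            self.sessions[key] = ("permit", d)
            self.sessions[reverse] = ("permit", d)
        return action, d
```

With only a Trust-to-Untrust rule for TCP port 80 configured, the client's SYN is evaluated once as outbound traffic, the server's reply is permitted by the session entry rather than by an inbound policy, and an unsolicited connection from the Untrust side is denied because no inbound rule matches.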
If a user only enables an outbound security policy for Trust-to-Untrust traffic in an interzone,
the following situations occur:
Parameter Description
Zone Name Name of a security zone. The name of the security zone cannot be changed once it is configured. The value must be different from the name of an existing security zone.
If the Operation succeeded dialog box is displayed, the security zone is successfully
created.
Repeat the previous operations to create more security zones with different security levels.
----End
NOTE
A Local zone defines a device itself, including the interfaces on the device. Although an interface is assigned
to a security zone, only the network connected to the interface is in the security zone, and the interface is
in the Local zone.
Step 2 Perform either of the following methods to enter the operation page before adding interfaces to
security zones:
l After a security zone is created, perform operations on the Add Zone page.
l Click of the line where the entry to be modified resides and enter the Modify Zone
operation page.
l On the Un-Added Interface page, select a desired interface and click . This interface
appears in the Added Interface window.
----End
Specify the priority after creating a security zone. If no priority is set, you cannot proceed with
other security zone configurations.
Step 2 Create a security zone and display the security zone view.
firewall zone [ name ] zone-name
Set a security level (priority) for a security zone based on the following rules:
l A security level is only set for a user-defined security zone. A new security zone without a
security level configured cannot take effect.
l A security level cannot be changed after being configured.
l Interfaces can only be manually assigned to a security zone, except for the Local zone.
l Either a physical or logical interface can be assigned to a security zone.
l A maximum of 1024 interfaces can be assigned to a security zone.
Appropriate descriptions help the administrator learn system configurations and device
maintenance.
----End
Two related security zones must already be created. For details, see Creating a Security Zone
and Adding an Interface to It.
After a new security zone is created, the view of the interzone between the security zone and
another security zone is automatically created.
Step 2 Display the view of the interzone between two security zones.
firewall interzone zone-name1 zone-name2
Security policy checks are triggered when the data flows in security interzones. After entering
the security interzone view, you can configure security functions, such as application specific
packet filter (ASPF).
----End
Table 8-51 lists the commands used to display security zone configurations.
Action Command
V100R001C20SPC200 The root system supports a maximum of 100 security zones, changed from the previous maximum of 32.
8.3 DNS
This section describes the basic concepts, configuration procedures, and configuration examples
of DNS, DDNS, DNS transparent proxy, and smart DNS.
8.3.1 Overview
The Domain Name System (DNS) establishes the mapping between domain names and IP
addresses.
Definition
TCP/IP uses IP addresses to connect to devices. Users find it difficult to memorize the IP
address of each device. Therefore, the host naming mechanism is specially designed to match
IP addresses with host names in string format. The DNS provides the conversion and query
mechanism between IP addresses and host names.
Objective
The DNS uses a hierarchical naming mode to specify a meaningful name for each device on a
network, set the DNS server, and establish the mapping between the domain name and the IP
address.
8.3.2 Mechanism
This section describes the mechanisms of DNS, DDNS, DNS transparent proxy, and smart
DNS.
8.3.2.1 DNS
This section describes the mechanism of the domain name system (DNS).
TCP/IP designs a hierarchical DNS structure. The domain name structure of the Internet is
defined by the DNS in the TCP/IP protocol stack. The DNS divides the Internet into multiple
top-level domains (TLDs). Table 8-52 lists the domain name of each TLD. TLDs are classified
in either organization or geography mode. The geography mode is used to classify domain names
based on countries. Each country must register a TLD with the NIC before joining the Internet.
For example, "cn" represents China, and "us" represents the United States.
TLD Meaning
NOTE
The first seven domains are defined in organization mode, and the country code domain is defined in
geography mode.
The NIC authorizes management agencies to classify domains into subdomains. The agencies
in charge of this can authorize subordinate agencies to continue classifying domains. As a result,
the Internet has a hierarchical domain architecture.
Static domain name resolution requires a static domain name resolution table, which lists the
mappings created manually between domain names and IP addresses. This table is similar to the
hosts file in Windows 9X. The table contains commonly used domain names. After searching
for a specified domain name in the resolution table, clients can obtain the IP address mapped to
it. This process improves domain name resolution efficiency.
1. A client uses a specific application, such as ping or Telnet, to send a DNS request to a
device.
2. The device queries a local cache for the required mapping entry. If the device does not find
an entry, the device sends a query packet to the DNS server.
3. The DNS server checks whether the requested domain name is within the domain it manages
and responds to the device.
4. The device resolves the packet and decides what to do next based on the contents of the
packet.
Dynamic domain name resolution also supports a domain name suffix list. Pre-defining some
domain name suffixes allows you to enter only a field of a domain name to be resolved. The
system automatically adds a specific suffix to the domain name before resolving the domain
name.
For instance, if you configure "com" in the suffix list and enter "example" in a domain name
query, the system automatically associates "example" with the suffix "com" and searches for
"example.com".
You may encounter the following situations during a resolution process:
l If you enter a domain name without a dot (.), such as "example", the system considers it a
host name and appends the configured suffixes one by one for the search. If no domain name
matches, the system searches for an IP address mapped to "example" itself.
l If you enter a domain name with a dot (.), such as "www.example", the system immediately
searches for it. If the system does not find a matched entry, the system adds every configured
suffix to the domain name to search for an IP address mapped to the domain name.
l If you enter a domain name with a dot (.) at the end, such as "example.com.", the system
removes the last dot (.) before searching for an IP address mapped to the domain name. If
the search fails, the system adds every configured suffix to the domain name without the
last dot to search for an IP address mapped to the domain name.
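The three lookup orders just listed, as an added example that is not from the guide. The suffix handling follows the rules the text gives; the static resolution table and the addresses in it are constructed for the example:

```python
# Added example, not from the Huawei guide: the lookup order the text above
# gives for a query against a configured domain name suffix list, run over a
# constructed static resolution table.
from typing import Dict, List, Optional, Tuple


def candidate_names(query: str, suffixes: List[str]) -> List[str]:
    """Return the names to look up, in the order the text describes."""
    suffixes = [s.strip(".") for s in suffixes]       # accept "com" or ".com"
    if query.endswith("."):
        # Trailing dot: drop it, try the name itself, then name + each suffix.
        base = query[:-1]
        return [base] + [f"{base}.{s}" for s in suffixes]
    if "." in query:
        # Contains a dot: try as entered first, then name + each suffix.
        return [query] + [f"{query}.{s}" for s in suffixes]
    # No dot: treated as a host name; suffixes first, bare name last.
    return [f"{query}.{s}" for s in suffixes] + [query]


def resolve(query: str, suffixes: List[str], table: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Static resolution: the first candidate present in the table wins."""
    for name in candidate_names(query, suffixes):
        if name in table:
            return name, table[name]
    return None


# Constructed static resolution table (the guide's "hosts file" analogy).
STATIC_TABLE = {
    "example.com": "192.0.2.10",
    "www.example.com": "192.0.2.11",
    "intranet": "192.0.2.20",
}
```

Note that the bare name is tried last only when the query contains no dot, so a single-label entry such as "intranet" is still found after every suffix has been tried and missed.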
A DNS proxy is deployed to relay DNS request and response packets exchanged between the
DNS client and server.
A DNS client uses a DNS proxy as a DNS server and sends DNS query messages to the DNS
proxy. The DNS proxy forwards request packets to a real DNS server and response packets to
the DNS client.
After the DNS proxy function is enabled and the IP address of a DNS server changes, you only
need to change the DNS proxy configurations, not those on all DNS clients on the LAN.
Therefore, the DNS proxy simplifies network management.
(Figure labels: DNS proxy between the client network and the DNS server on the Internet)
8.3.2.4 DDNS
This section describes the mechanism of Dynamic Domain Name System (DDNS).
TCP/IP defines both the string-based DNS host naming mechanism and IP addressing. The DNS
only provides the static mapping between domain names and IP addresses. If an IP address
mapped to a domain name changes, the DNS cannot dynamically update the mapping. If a host
attempts to use the domain name to access the node with the IP address, host name resolution
fails, which causes an access failure.
The Dynamic Domain Name System (DDNS) addresses this problem.
DDNS can dynamically update the mapping on a DNS server, which ensures that the resolved
IP address is correct.
Figure 8-17 shows a typical DDNS network.
Figure 8-17 (labels): DDNS client (NGFW) with interface GE1/0/1; DDNS server; DNS server; PC
NOTE
l DDNS deployment must be supported by a DDNS service provider. The following DDNS service
providers currently support DDNS deployment: www.3322.org, dyndns.org, freedns.afraid.org,
zoneedit.com, and no-ip.com.
l Since a DDNS server is deployed on the Internet, ensure that the DDNS client (NGFW) can access the
Internet properly before using DDNS.
The IP address of GigabitEthernet 1/0/1 on the NGFW (DDNS client) can be obtained
dynamically from the network carrier on the network shown in Figure 8-17. Since the IP address
obtained each time is different, the PC needs to use the domain name to access the NGFW. DNS
cannot dynamically update the mapping between domain names and IP addresses. As a result,
the PC fails to access the NGFW. To allow successful access, DDNS can be deployed.
After DDNS is deployed, the NGFW automatically sends a request to the DDNS server to update
the mapping between a domain name and the changed IP address of GigabitEthernet 1/0/1. The
DDNS server processes this request and sends the updated mapping to the DNS server. The PC
can obtain the correct IP address for the NGFW before accessing the NGFW again using the
domain name.
As shown in Figure 8-18, an enterprise rents multiple ISP links as network egresses, and each
ISP network deploys the same Web servers. Generally speaking, the same DNS server address
(such as the DNS server address of ISP1) is configured on the clients of all intranet users. The
DNS server then resolves domain names to the address of the Web server (such as the Web
server address of ISP1) on the same ISP network. Therefore, the Internet access traffic from all
intranet users is forwarded on the same ISP link, causing link congestion and compromising
users' Internet access experiences. At the same time, other ISP links are not used, causing
resource waste.
Figure 8-18 Forwarding Internet access traffic on the same ISP link
(Figure labels: www.example.com; Web server on ISP1, Web server on ISP2; ISP1, ISP2; common gateway; intranet; DNS requests)
The DNS transparent proxy function on the NGFW can change the destination address of some
DNS query messages to the DNS server addresses on other ISP networks (such as the DNS
server address on the ISP2 network). The DNS requests are then forwarded to different ISP
networks, and the resolved Web server addresses belong to different ISPs. Therefore, the Internet
access traffic is forwarded over different ISP links, and all link resources are fully used, as
shown in Figure 8-19.
Figure 8-19 (labels): ISP1, ISP2; NGFW; intranet; DNS requests
Figure 8-20 shows how DNS transparent proxy processes the packet from an intranet user to a
specific domain name.
Figure 8-20 (flowchart): Start; decision "Is the domain name in the DNS query message an excluded domain name?" with Yes and No branches; further Yes/No decisions; End
If the policy-based route specifies multiple outbound interfaces, then different link selection
modes can meet different load balancing requirements, such as selecting an outbound
interface based on the interface bandwidth or weight, which is the same as the global link
selection policy. However, the link selection result differs. Link selection results are
dynamic. Therefore, two requests from the same user may use different outbound interfaces,
and the two interfaces may belong to different ISPs. Hence the substitute DNS server
addresses also differ.
3. The NGFW binds two DNS servers (one preferred DNS server and one alternate DNS
server) on each outbound interface. Both DNS servers belong to the ISP network directly
connecting to the outbound interface. After the NGFW determines the outbound interface
of a DNS query message, the DNS transparent proxy function preferentially uses the
preferred DNS server to substitute the destination address of the DNS query message. If
the preferred DNS server is Down, the alternate DNS server is used.
4. The DNS server returns the resolved Web server address to the user. The Web server and
DNS server belong to the same ISP.
5. The user then uses the returned address to access the Web server. At this time, you need to
enable ISP address database link selection to forward traffic to corresponding outbound
interfaces and ensure that the traffic is forwarded to the Web server over the ISP network
of the destination address.
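The destination rewrite of steps 3 and 4 above, as an added example that is not part of the guide. The outbound interface is passed in as an input, since choosing it belongs to the uplink selection policy rather than to the proxy; the check against a list of DNS server addresses that require proxy processing follows the configuration step described later in this section. Interface names, DNS server addresses, the excluded domain and the up/down states are constructed:

```python
# Added example, not from the Huawei guide: the rewrite a DNS transparent proxy
# applies to an outgoing DNS query once uplink selection has picked the
# outbound interface. All interface names, server addresses, the excluded
# domain and the reachability states below are constructed values.
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class DnsBinding:
    preferred: str   # preferred DNS server of the ISP behind this interface
    alternate: str   # alternate DNS server of the same ISP


class DnsTransparentProxy:
    def __init__(self, proxied_servers: Set[str], excluded_domains: Set[str],
                 bindings: Dict[str, DnsBinding], server_up: Dict[str, bool]) -> None:
        self.proxied_servers = proxied_servers    # client-configured DNS servers to intercept
        self.excluded_domains = {d.strip(".").lower() for d in excluded_domains}
        self.bindings = bindings                  # outbound interface -> DnsBinding
        self.server_up = server_up                # DNS server address -> reachable?

    def is_excluded(self, qname: str) -> bool:
        """Excluded domains match exactly or as a parent of the queried name."""
        qname = qname.strip(".").lower()
        return any(qname == d or qname.endswith("." + d) for d in self.excluded_domains)

    def rewrite(self, qname: str, dst_ip: str, out_iface: str) -> Tuple[str, str]:
        """Return (destination to use, reason). An unchanged destination means pass-through."""
        if dst_ip not in self.proxied_servers:
            return dst_ip, "not-proxied"          # query to a server not in the proxy list
        if self.is_excluded(qname):
            return dst_ip, "excluded"             # excluded domain: forwarded as-is
        binding = self.bindings.get(out_iface)
        if binding is None:
            return dst_ip, "no-binding"           # no DNS servers bound to this egress
        if self.server_up.get(binding.preferred, False):
            return binding.preferred, "preferred"
        if self.server_up.get(binding.alternate, False):
            return binding.alternate, "alternate"
        return dst_ip, "all-down"                 # neither bound server is reachable
```

Because the rewrite is keyed on the egress chosen per query, two queries from the same user can be sent to different ISPs' DNS servers, which is the behaviour the text attributes to dynamic link selection results.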
An enterprise network has a DNS server. The DNS server has the mappings between the domain
name of a Web server and one or multiple public IP addresses. When a user accesses the domain
name to connect to the Web server, the packet destination address after resolution is the public
IP address of the Web server. The NGFW then uses the NAT Server function to map the packet
destination address to the private address of the Web server.
The IP address after DNS resolution may belong to a different ISP from the user's IP address,
causing access delay. Or multiple users may access the Web server using the same link, causing
link congestion.
You can configure the smart DNS function for the NGFW to intelligently change the resolved
address in DNS reply packets, so that each user can have the most appropriate address after
resolution.
As shown in Figure 8-22, the enterprise or data center is connected to multiple ISP networks
through several links. The private address of the web server is 10.1.1.10, and the public address
of the web server is 2.2.2.10. The intranet DNS server has only mappings between the domain
names (such as www.example.com) and public addresses (such as 2.2.2.10) of web servers.
When users on ISP2 access a web server on the intranet through domain name
www.example.com, the domain name is mapped to IP address 2.2.2.10. The NGFW then uses
the NAT server function to translate the destination address of packets from 2.2.2.10 to the
private address (10.1.1.10) of the NAT server.
When smart DNS is not configured and a user from another ISP network (such as ISP1 users)
accesses the Web service provided by the enterprise through domain name
www.example.com, the address that the DNS server provides after domain name resolution is
2.2.2.10, which resides on a different ISP network as the user's IP address (the ISP1 user address
is 1.1.1.1). Therefore, the traffic of ISP1 user needs to make a detour on ISP2 network to reach
the Web server, which increases the service access delay and inter-ISP settlement. Besides, all
traffic from external users to the Web server is forwarded over ISP2 network. This may cause
network congestion on the link from the NGFW to ISP2 network, but other links (such as ISP1
link) are idle.
Figure 8-22 (labels): DNS server resolving www.example.com to 2.2.2.10; NGFW; ISP1; ISP2; 2.2.2.2 on the ISP2 side; web server www.example.com, serves ISP2 network, private IP address 10.1.1.10, public IP address 2.2.2.10
To resolve the preceding problem, you can configure ISP egress-based smart DNS for ISP1
users, so that the NGFW can map the resolved address to an address on ISP1 network (such as
1.1.1.10 obtained from ISP1 network). In this way, ISP1 users can access the web server directly
from ISP1 network without taking a detour on ISP2 network.
As shown in Figure 8-23, it is assumed that the ISP egress-based smart DNS function is
configured for ISP1 users on the NGFW. The NGFW maps the resolved address in the DNS
reply packet with the outbound interface of GE1/0/1 to 1.1.1.10. The process for an ISP1 user
to access the web server is as follows:
1. The ISP1 user sends a DNS request to access the web server through domain name
www.example.com.
2. The DNS server returns resolved IP address 2.2.2.10.
3. According to the smart DNS mapping table, the NGFW changes the IP address in the DNS
reply packet to 1.1.1.10 that belongs to the same ISP network as the ISP1 user. Outbound
interface GE1/0/1 in the mapping table is mapped to address 1.1.1.10.
4. The ISP1 user initiates a packet destined to 1.1.1.10 for access. The packet reaches the
NGFW through ISP1 network.
5. With the NAT server function, the NGFW translates the destination address (1.1.1.10) of
the packet into the private address (10.1.1.10) of the web server.
As for users on ISP2 network, the NGFW retains the address returned by the DNS server
unchanged, namely, 2.2.2.10. With the NAT server function, the NGFW translates the
destination address (2.2.2.10) of the packet into the private address (10.1.1.10) of the web server.
Then ISP2 users can access the web server through ISP2 network. In this way, idle ISP1 links
or congested ISP2 links no longer exist, and the user access speed and user experience are
increased.
Figure 8-23 (labels): DNS server www.example.com; NGFW with GE1/0/1 towards ISP1 and GE1/0/2 towards ISP2; 1.1.1.1 on the ISP1 side; 2.2.2.2 on the ISP2 side; web server www.example.com, serves ISP2 network, private IP address 10.1.1.10, public IP address 2.2.2.10; steps 1 to 5 as listed above
Smart DNS mapping table
Outbound interface   Mapped address
GE1/0/1              1.1.1.10
Server-map table
Address before translation   Address after translation
1.1.1.10                     10.1.1.10
2.2.2.10                     10.1.1.10
With the round robin- or weighted round robin-based smart DNS function, the NGFW can
allocate addresses to users based on weights. The NGFW changes the destination addresses of
user access requests to divert traffic to web servers over various links, implementing load
balancing. As shown in Figure 8-24, it is assumed that round robin-based smart DNS is
configured for ISP1 users on the NGFW. The NGFW maps the resolved address in the DNS
reply packet with the outbound interface of GE1/0/1 to 1.1.1.9 and 1.1.1.10. The process for an
ISP1 user to access the web server is as follows:
1. The ISP1 user sends a DNS request to access the web server through domain name
www.example.com.
2. The DNS server returns resolved IP address 2.2.2.10.
3. According to the smart DNS mapping table, the NGFW changes the IP address in the DNS
reply packet to 1.1.1.9 or 1.1.1.10 in round robin mode. Outbound interface GE1/0/1 in the
mapping table is mapped to 1.1.1.9 and 1.1.1.10.
4. The ISP1 user initiates a packet destined to 1.1.1.9 or 1.1.1.10 for access. The packet reaches
the NGFW.
5. With the NAT server function, the NGFW translates the destination address (1.1.1.9 or
1.1.1.10) of the packet into the private address (10.1.1.10) of the web server.
Figure 8-24 Round robin-based or weighted round robin-based single-server smart DNS
(Figure labels): DNS server resolving www.example.com to 2.2.2.10; NGFW with GE1/0/1 towards ISP1 and GE1/0/2 towards ISP2; 1.1.1.1 on the ISP1 side; 2.2.2.2 on the ISP2 side; web server www.example.com, serves ISP2 network, private IP address 10.1.1.10, public IP address 2.2.2.10; steps 1 to 5 as listed above
Smart DNS mapping table
Outbound interface   Mapped address
GE1/0/1              1.1.1.9
GE1/0/1              1.1.1.10
Server-map table
Address before translation   Address after translation
1.1.1.9                      10.1.1.10
1.1.1.10                     10.1.1.10
2.2.2.10                     10.1.1.10
As shown in Figure 8-25, a large enterprise or data center provides the Web service (such as
website access) for external users and usually provides multiple Web server addresses (1.1.1.10
and 2.2.2.10) for users on different ISP networks to access. The DNS server of the enterprise or
data center has the mapping between multiple Web service domain names and multiple server
addresses.
If smart DNS is not configured and a user of one ISP (such as ISP1) enters a domain name to
access the Web service (such as www.example.com), the user first initiates a DNS request to
the DNS server on the intranet. The DNS server resolves the domain name and returns multiple
server addresses (1.1.1.10 and 2.2.2.10) to the user. The ISP1 user selects one of them randomly
to initiate an access, but the selected server address may belong to the other ISP (the ISP1 user
may accidentally select the ISP server address 2.2.2.10). As a result, the ISP1 user needs to make
a detour on ISP2 network before reaching the server, which increases the service access delay
and inter-ISP settlement.
Figure 8-25 (labels): web server www.example.com with address 1.1.1.10 on the ISP1 side; NGFW; ISP1; ISP2; 2.2.2.2 on the ISP2 side; web server www.example.com, serves ISP2 network, private IP address 10.1.2.10, public IP address 2.2.2.10
If you configure ISP egress-based smart DNS, the NGFW will return only one server address
to each user, and the server address is on the same ISP network as the user. In this way, the user
does not need to make a detour on other ISP networks to access the Web server.
As shown in Figure 8-26, it is assumed that the ISP egress-based smart DNS function is
configured on the NGFW. The NGFW maps the resolved address in the DNS reply packet with the outbound
interface of GE1/0/1 to 1.1.1.10 and the resolved address in the DNS reply packet with the
outbound interface of GE1/0/2 to 2.2.2.10. The process for an ISP1 user to access the web server
is as follows:
1. The ISP1 user sends a DNS request to access the web server through domain name
www.example.com.
2. The DNS server returns resolved IP addresses 1.1.1.10 and 2.2.2.10.
3. According to the smart DNS mapping table, the NGFW changes the IP address in the DNS
reply packet to 1.1.1.10. Outbound interface GE1/0/1 in the mapping table is mapped to
address 1.1.1.10.
4. The ISP1 user sends a packet destined for IP address 1.1.1.10 for access. The packet reaches
the NGFW. In this way, ISP1 users can access the web server directly from ISP1 network
without taking a detour on ISP2 network, which increases the user access speed and user
experience.
5. With the NAT server function, the NGFW translates the destination address (1.1.1.10) of
the packet into the private address (10.1.1.10) of the web server.
Similarly, when an ISP2 user accesses the web server through domain name www.example.com,
the NGFW changes the IP address in the DNS reply packet to 2.2.2.10 according to the smart
DNS mapping table. The ISP2 user initiates a packet destined to IP address 2.2.2.10 for access. With
the NAT server function, the NGFW translates the destination IP address (2.2.2.10) of the packet
into the private address (10.1.2.10) of the web server.
Figure 8-26 (labels): DNS server for www.example.com (2.2.2.10); web server www.example.com, serves ISP1 network, private IP address 10.1.1.10, public IP address 1.1.1.10; NGFW with GE1/0/1 towards ISP1 and GE1/0/2 towards ISP2; 1.1.1.1 on the ISP1 side; steps 1 to 5 as listed above
With the round robin- or weighted round robin-based smart DNS function, the NGFW can
allocate addresses to users based on weights. The NGFW changes the destination addresses of
user access requests to divert traffic to web servers over various links, implementing load
balancing. As shown in Figure 8-27, it is assumed that the ISP egress-based smart DNS function
is configured for ISP1 users on the NGFW. The NGFW maps the resolved address in the DNS
reply packet with the outbound interface of GE1/0/1 to 1.1.1.9 and 1.1.1.10. The process for an
ISP1 user to access the web server is as follows:
1. The ISP1 user sends a DNS request to access the web server through domain name
www.example.com.
2. The DNS server returns resolved IP addresses 1.1.1.9 and 1.1.1.10.
3. According to the smart DNS mapping table, the NGFW changes the IP address in the DNS
reply packet to 1.1.1.9 or 1.1.1.10 in round robin mode. Outbound interface GE1/0/1 in the
mapping table is mapped to 1.1.1.9 and 1.1.1.10.
4. The ISP1 user initiates a packet destined to 1.1.1.9 or 1.1.1.10 for access. The packet reaches
the NGFW.
5. With the NAT server function, the NGFW translates the destination address (1.1.1.9 or
1.1.1.10) of the packet into the private address (10.1.1.10 or 10.1.1.11) of the web server.
Figure 8-27 Round robin-based or weighted round robin-based multi-server smart DNS
(Figure labels): web server www.example.com with address 1.1.1.10; NGFW with GE1/0/1 towards ISP1 and GE1/0/2 towards ISP2; 1.1.1.1 on the ISP1 side; 2.2.2.2 on the ISP2 side; web server www.example.com, serves ISP2 network, private IP address 10.1.2.10, public IP address 2.2.2.10; steps 4 and 5 as listed above
Smart DNS mapping table
Outbound interface   Mapped address
GE1/0/1              1.1.1.10
GE1/0/1              2.2.2.10
GE1/0/2              1.1.1.10
GE1/0/2              2.2.2.10
Server-map table
Address before translation   Address after translation
1.1.1.10                     10.1.1.10
2.2.2.10                     10.1.2.10
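The reply rewrite of step 3 and the NAT server translation of step 5 in the ISP egress-based and round robin-based procedures above, as an added example that is not the NGFW's own implementation. The mapping-table and server-map addresses are taken from the figures in this section; the mode names and the weights are constructed:

```python
# Added example, not from the Huawei guide: smart DNS rewriting of the A records
# in a DNS reply according to the outbound interface the reply leaves on, in
# ISP egress, round robin and weighted round robin modes, followed by the NAT
# server lookup. Addresses come from the figures above; mode names and weights
# are constructed.
from typing import Dict, List, Tuple


class SmartDns:
    MODES = ("isp-egress", "round-robin", "weighted-round-robin")

    def __init__(self, mapping: Dict[str, List[Tuple[str, int]]], mode: str) -> None:
        # mapping: outbound interface -> [(mapped public address, weight), ...]
        if mode not in self.MODES:
            raise ValueError(f"unknown mode {mode}")
        self.mapping = mapping
        self.mode = mode
        self._next = {iface: 0 for iface in mapping}   # per-interface rotation position

    def rewrite_reply(self, answers: List[str], out_iface: str) -> List[str]:
        """Return the A records the user actually receives for this egress."""
        entries = self.mapping.get(out_iface)
        if not entries:
            return list(answers)          # no mapping for this egress: reply unchanged
        if self.mode == "isp-egress":
            return [entries[0][0]]        # one address, on the user's own ISP network
        if self.mode == "round-robin":
            pool = [addr for addr, _ in entries]
        else:
            # Weighted: an address with weight w takes w slots of the rotation.
            pool = [addr for addr, weight in entries for _ in range(weight)]
        chosen = pool[self._next[out_iface] % len(pool)]
        self._next[out_iface] += 1
        return [chosen]


# Server-map table: public address -> private web server address (constructed
# from the server-map tables drawn in the figures above).
SERVER_MAP = {"1.1.1.9": "10.1.1.10", "1.1.1.10": "10.1.1.10", "2.2.2.10": "10.1.2.10"}


def nat_server_destination(dst: str) -> str:
    """NAT server: translate the public destination to the private server address."""
    return SERVER_MAP.get(dst, dst)


def user_access(smart: SmartDns, dns_answers: List[str], out_iface: str) -> Tuple[str, str]:
    """Steps 3 to 5: (public address handed to the user, private address reached)."""
    public = smart.rewrite_reply(dns_answers, out_iface)[0]
    return public, nat_server_destination(public)
```

Every mapped address is a public address that the server-map table must cover, which is the point of the last precaution below: a mapped address with no server-map entry would be handed to users but would not reach any web server.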
Precautions
l When the NGFW functions as an egress gateway and a DNS server is deployed on the
enterprise intranet, the DNS transparent proxy function does not take effect, because DNS
query messages are forwarded to the intranet DNS server for domain name analysis, and
the NGFW is not used for DNS transparent proxy on these DNS query messages.
l DNS transparent proxy must function with intelligent uplink selection (Policy-based
Route or Global Link Selection Policy) and ISP Address Database Link Selection to
implement load balancing. Intelligent uplink selection selects the outbound interface for
forwarding DNS query messages, and ISP address database link selection ensures that the
service traffic is forwarded to the Web server over the ISP network of the destination
address. It is meaningless to configure DNS transparent proxy independently, because the
configuration does not take effect after delivery. For details on the implementation of DNS
transparent proxy, see DNS Transparent Proxy.
l When you configure smart DNS on multi-egress networks, you must configure sticky load
balancing on the outbound interface.
l Smart DNS modifies DNS reply packets based on the smart DNS mapping table. The
mapping table records the mapping between outbound interfaces and the substituted DNS
server addresses. The substituted DNS server addresses must be public IP addresses.
8.3.4.1 DNS
After you specify a DNS server address on a device, the device can serve as a DNS client or
DNS proxy agent to send domain name resolution requests to a specific DNS server.
Context
A DNS server accepts the domain name resolution requests initiated by a DNS client. You can
manually set an address for the DNS server connected to a device. The DNS server address is
generally provided by an Internet Service Provider (ISP). The address can also be automatically
obtained using Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over
Ethernet (PPPoE) on an interface. For information about how to configure interfaces, see
Interface.
The DNS server whose address is manually configured has a higher priority than the one whose
address is dynamically obtained. If two DNS servers obtain addresses in the same way, the one
that obtains an address earlier enjoys a higher priority. When resolving domain names, the device
sends query packets (based on the priorities) to DNS servers until the query succeeds.
When forwarding DNS request packets to the DNS server, the NGFW uses the IP address of the
source port as the default source IP address of the DNS request packets. However, in some cases,
you need to set the source IP address of DNS request packets to other IP addresses.
As shown in Figure 8-28, when the NGFW forwards DNS request packets to the DNS server
using interface A, the NGFW uses the IP address of interface A as the source IP address of the
request packets by default. If the DNS server has only a route to the IP address of interface B,
you need to set the source IP address of DNS request packets to the IP address of interface B.
Otherwise, the route query fails, and the DNS server fails to send DNS response packets.
Figure 8-28 Networking diagram for setting a source address for DNS request packets
(Figure labels: Interface A, Interface B)
Procedure
Step 1 Choose Network > DNS > DNS.
If the operation succeeds, the new configuration with Obtaining Mode of Manual is displayed
in DNS Server List.
Repeat the previous operations to assign IPv4/IPv6 addresses to multiple DNS servers.
NOTE
In addition to Manual, the following address allocation modes can be selected from DNS Server List:
l DHCP: The address of the DNS server is obtained dynamically using DHCP.
l PPPoE: The address of the DNS server is obtained dynamically using PPPoE.
Step 4 Optional: In Configure DNS Query Packets's Source Address, set the Source Interface or
Source Address.
Parameter Description
Source Interface Select an interface name from the drop-down list. The source
address of request packets is the IP address of the selected interface.
NOTE
You cannot set the source address of DNS request packets to an IPv6 address on the NGFW.
----End
Follow-up Procedure
When deleting a DNS server, you can delete only the DNS server addresses that are obtained
manually, but not those obtained using DHCP or PPPoE. If the interface that is connected using
DHCP or PPPoE is physically Down, or the interface fails to be connected using DHCP or
PPPoE, the corresponding DNS server address is deleted automatically from the DNS server
list.
Enabling DDNS
Enable DDNS before using other related DDNS functions. If DDNS is disabled, DDNS-related
configurations do not take effect.
Step 2 Select the Enable check box corresponding to DDNS in Configure DDNS.
----End
Parameter Description
Domain Name Register the DDNS client domain name to the DDNS service
provider.
User Name User name used by the DDNS client to access the DDNS service
provider.
The user name must be registered to the DDNS service provider
in advance.
Password Password for the user name used by the DDNS client to access
the DDNS service provider.
----End
Parameter Description
Initial The DDNS function has not been enabled. The device does not initiate
update requests to the DDNS service provider.
Updating The device is initiating update requests to the DDNS service provider to
update the mapping between domain names and IP addresses of the DDNS
client in this policy on the DNS server.
Active The device initiates DDNS update requests and the update succeeds. The
mapping between domain names and IP addresses of the DDNS client in
this policy is updated on the DNS server.
Inactive The device initiates DDNS update requests but the update fails. The mapping
between domain names and IP addresses of the DDNS client in this policy
is not updated on the DNS server.
----End
Prerequisites
- One or two DNS server addresses are obtained from each ISP as the DNS server addresses
  bound on interfaces.
- You cannot deploy any DNS server on the intranet. If a DNS server is deployed on the
  intranet, the DNS transparent proxy function does not take effect, because DNS query
  messages are forwarded to the intranet DNS server for domain name resolution, and the
  NGFW is not used for DNS transparent proxy on these DNS query messages.
Context
DNS transparent proxy must function with intelligent uplink selection (Policy-based Route or
Global Link Selection Policy) and ISP Address Database Link Selection to implement load
balancing. Intelligent uplink selection selects the outbound interface for forwarding DNS query
messages, and ISP address database link selection ensures that the service traffic is forwarded
to the Web server over the ISP network of the destination address. It is meaningless to configure
DNS transparent proxy independently, because the configuration does not take effect after
delivery. For details on the implementation of DNS transparent proxy, see DNS Transparent
Proxy.
Procedure
Step 1 Choose Network > DNS > DNS.
Step 3 Bind interfaces to the DNS servers, as shown in Figure 8-29. For parameter description, see
Table 8-53.
Parameter Description
Preferred DNS server
    Address of the DNS server on the ISP network connecting to the WAN interface. The NGFW
    substitutes the destination addresses of DNS query messages with the address of the
    preferred DNS server preferentially.
Alternate DNS server
    Address of the DNS server on the ISP network connecting to the WAN interface. When the
    preferred DNS server is Down, the NGFW will substitute the destination addresses of DNS
    query messages with the address of the alternate DNS server.
Step 5 Enable the DNS transparent proxy function and specify the DNS server addresses requiring
proxy processing, as shown in Figure 8-30. For parameter description, see Table 8-54.
Parameter Description
DNS Transparent Proxy
    Select Enable to enable the DNS transparent proxy function.
Enter DNS server IP addresses
    Specify the address of the DNS server that requires DNS transparent proxy. When an
    intranet user initiates a DNS request, the NGFW substitutes the destination address of
    the DNS query message with the DNS server address bound to the outbound interface. You
    need to enter the DNS server address specified on the client of the intranet user. After
    you bind interfaces to DNS servers, the addresses of the preferred and alternate DNS
    servers will automatically become addresses requiring transparent proxy processing.
Step 6 In Domain Name Exception, click Add, and specify the domain names that do not require DNS
transparent proxy.
When an intranet user accesses a domain name that does not require DNS transparent proxy,
even if the DNS server address is in the Enter DNS server IP addresses list, the NGFW does
not perform DNS transparent proxying but directly forwards the DNS query message.
If the preferred DNS server address is specified for a domain name that exempts DNS transparent
proxy, the DNS request will be forwarded to this server, not the DNS server specified on the
client.
If both preferred and alternate DNS server addresses are specified, DNS requests will be
forwarded to the preferred DNS server. If the preferred DNS server is Down, DNS requests will
be forwarded to the alternate DNS server.
A maximum of 64 domain names that exempt DNS transparent proxy can be set.
----End
Prerequisites
- A web server has been deployed on an enterprise intranet, and web services have been
  enabled.
- A DNS server has been deployed on the enterprise intranet and has the mappings between
  domain names and the web server global address.
- Extranet users can access the web and DNS servers on the enterprise intranet.
Context
Single-server smart DNS must work with the NAT server function.
The address before smart DNS is the public address of the web server. The address after smart
DNS is the public address requested from other ISP networks.
The address before NAT server is the public address of the intranet web server or the public
address after smart DNS. The address after NAT server is the private address of the web server.
Procedure
Step 1 Choose Network > DNS > Smart DNS.
Step 4 Enter the global IP address of the internal web server in DNS Reply Address.
Step 5 In Traffic Distribution Mode, select Based on ISP egresses, Round Robin, or Weighted
Round Robin as required.
NOTE
To ensure that the DNS reply address is on the same ISP network as the user's address and that traffic from
the same ISP arrives at the web server over the same link, select Based on ISP egresses.
To ensure that different DNS reply addresses are allocated to users so that traffic arrives at the web server
over different links for load balancing, select Round Robin or Weighted Round Robin.
- If you select Based on ISP egresses, click Add to configure ISP egress mappings in ISP
  WAN Interface Mapping List.
  As shown in Figure 8-31, the NGFW returns 3.3.3.10 to ISP1 users, 2.2.2.10 to ISP2 users.
- If you select Round Robin, select ISP egresses in ISP WAN Interface. In ISP WAN
  Interface Mapping List, click Add to configure the public address of the ISP server.
  As shown in Figure 8-32, for ISP1 or ISP2 users, the NGFW returns the configured address
  (2.2.2.10 or 3.3.3.10) in round robin mode.
- If you select Weighted Round Robin, select ISP egresses in ISP WAN Interface. In ISP
  WAN Interface Mapping List, click Add to configure the public address and weight of
  the ISP server.
  As shown in Figure 8-32, for ISP1 or ISP2 users, the NGFW returns the configured address
  (2.2.2.10 or 3.3.3.10) in weighted round robin mode.
Parameter Description
DNS Reply Address
    Enter the public IP address of the intranet web server.
Traffic Distribution Mode
    Select Based on ISP egresses, Round Robin, or Weighted Round Robin as required.
ISP Server Public Address
    Enter the server address to be sent to ISP users.
Weight
    Set the weight for the public address of the ISP server. The NGFW allocates public
    addresses of ISP servers based on weights. This parameter is set only when Traffic
    Distribution Mode is set to Weighted Round Robin.
Step 9 In New Server Mapping, configure server mapping. The following table lists server mapping
parameters.
Parameter Description
Public IP Address
    Enter ISP Server Public Address, namely, the server global address sent to ISP users.
Private IP Address
    Enter the private IP address of the intranet web server.
If multiple ISP egresses and public ISP server addresses are configured, configure server mapping repeatedly
to translate each public ISP server address into the private IP address of the ISP server.
----End
Prerequisites
- Multiple web servers have been deployed on an enterprise intranet, and web services have
  been enabled.
- A DNS server has been deployed on the enterprise intranet and has the mappings between
  domain names and web server global addresses.
- Extranet users can access the web and DNS servers on the enterprise intranet.
Context
Multi-server smart DNS must work with the NAT server function.
In a multi-server smart DNS scenario, you need to create multiple smart DNS mappings
(mappings between ISP egresses and public ISP server addresses).
The address before NAT server is the public address of the intranet web server. The address
after NAT server is the private address of the web server.
Procedure
Step 1 Choose Network > DNS > Smart DNS.
Step 4 In Traffic Distribution Mode, select Based on ISP egresses, Round Robin, or Weighted
Round Robin as required.
NOTE
To ensure that the DNS reply address is on the same ISP network as the user's address and that traffic from
the same ISP arrives at the web server over the same link, select Based on ISP egresses.
To ensure that different DNS reply addresses are allocated to users so that traffic arrives at the web server
over different links for load balancing, select Round Robin or Weighted Round Robin.
- If you select Based on ISP egresses, click Add to configure ISP egress mappings in ISP
  WAN Interface Mapping List.
  As shown in Figure 8-34, the NGFW returns ISP1 server's public IP address 2.2.2.10 to
  ISP1 users, ISP2 server's public IP address 3.3.3.10 to ISP2 users.
- If you select Round Robin, select ISP egresses in ISP WAN Interface. In ISP WAN
  Interface Mapping List, click Add to configure the public addresses of the ISP servers.
  As shown in Figure 8-35, for ISP1 or ISP2 users, the NGFW returns the configured ISP
  server public address (2.2.2.10 or 3.3.3.10) in round robin mode.
- If you select Weighted Round Robin, select ISP egresses in ISP WAN Interface. In ISP
  WAN Interface Mapping List, click Add to configure the public addresses and weights
  of the ISP servers.
  As shown in Figure 8-36, for ISP1 or ISP2 users, the NGFW returns the configured ISP
  server public address (2.2.2.10 or 3.3.3.10) in weighted round robin mode.
Parameter Description
DNS Reply Address
    Indicates the internet server address sent by the DNS server to users. The value is
    automatically generated on the basis of ISP Server Public Address in ISP WAN Interface
    Mapping List.
ISP WAN Interface
    Select the interface connecting the NGFW to ISP.
Weight
    Set the weight for the public address of the ISP server. The NGFW allocates public
    addresses of ISP servers based on weights. This parameter is set only when Traffic
    Distribution Mode is set to Weighted Round Robin.
Step 8 In New Server Mapping, configure server mapping. The following table lists server mapping
parameters.
Parameter Description
Public IP Address
    Enter ISP Server Public Address, namely, the server global address sent to ISP users.
Private IP Address
    Enter the private IP address of the intranet web server.
If multiple ISP egresses and public ISP server addresses are configured, configure server mapping repeatedly
to translate each public ISP server address into the private IP address of the ISP server.
----End
Prior to configuring IPv4 static domain name resolution, you must know the mapping between
the domain name and the IPv4 address. In case of a change in the mapping, you must modify
the DNS entry manually.
Step 1 Run:
system-view
Step 2 Specify a host name and an IPv4 address mapped to the host name.
ip host host-name ip-address
A host name is mapped to only a single IPv4 address. If you configure an IPv4 address for
a host several times, only the IPv4 address configured last takes effect. Repeat Step 2 to
allow the device to resolve several host names.
----End
Before configuring IPv4 dynamic domain name resolution, complete the following tasks:
Context
Dynamic domain name resolution supports the domain name suffix list function. You can
configure specific domain name suffixes and enter some fields of a domain name before the
system automatically adds different suffixes to the domain name for resolution.
Procedure
Step 5 Enable the DNS query function for a specific VPN instance.
dns server vpn-instance vpn-instance-name
If the interface connecting the NGFW to the DNS server belongs to a specific VPN instance,
you must enable DNS query for the VPN instance so that the interfaces of the VPN instance can
exchange DNS packets with the DNS server.
By default, the NGFW supports DNS query only for the public network VPN instance.
NOTE
Currently, the DNS query function takes effect only for the public network VPN instance or a specific VPN
instance. If you run the dns server vpn-instance command several times, the latest configuration
overwrites the previous ones.
----End
Step 2 Specify a host name and an IPv6 address mapped to the host name.
ipv6 host host-name ipv6-address
If you run this command repeatedly, the command configured first takes effect.
----End
NOTICE
If both IPv4 and IPv6 DNS servers are configured, query requests are processed based on their
types. If an IPv4 query request is generated, query packet A is sent to an IPv4 DNS server, and
then query packet AAAA to an IPv6 DNS server. If an IPv6 query packet is generated, the IPv6
DNS server is queried, and then the IPv4 DNS server.
If multiple IPv4 or IPv6 DNS servers are configured, the query packet is sent to DNS servers of
the same type in configuration order until a correct response packet is received.
Procedure
If the DNS search for a host name fails, the NGFW appends a domain name suffix to the host name
following a dot (.) and continues the DNS search. You can configure some commonly used
domain names such as "com" and "net". For example, if the search for the host name "example"
fails, the system then searches for "example.com" or "example.net".
----End
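The server order from the NOTICE above and the suffix search from the procedure above, as an added Python example (an illustration written for this page, not NGFW code): the query type decides which server list is tried first, servers of one type are tried in configuration order until one answers, and the suffix list is applied only after the bare name fails. The zone data, the Down server and the constructed_send function are constructed for the example; the reading that the other address family's servers are tried after the request's own family is this example's interpretation of the NOTICE.

```python
"""Added example: DNS server selection order and domain-name suffix search.
Re-implemented in Python for illustration; this is not NGFW code."""
from typing import Callable, Dict, List, Optional, Tuple

# Constructed zone data: (server, qname, qtype) -> answer. A server with no entry
# for a name gives no usable answer, and so does a server that is Down.
ZONES: Dict[Tuple[str, str, str], str] = {
    ("2.2.2.3", "www.example.com", "A"): "192.0.2.10",
    ("2.2.2.3", "example.net", "A"): "192.0.2.20",
    ("2001:db8::53", "www.example.com", "AAAA"): "2001:db8::10",
}
DOWN = {"2.2.2.2"}  # constructed: the first IPv4 server never responds

Attempt = Tuple[str, str]  # (server, qname) of one query packet


def constructed_send(server: str, qname: str, qtype: str) -> Optional[str]:
    """Stand-in for sending one query packet; returns the answer or None."""
    if server in DOWN:
        return None
    return ZONES.get((server, qname, qtype))


class Resolver:
    def __init__(self) -> None:
        self.ipv4_servers: List[str] = []  # 'dns server ...', configuration order
        self.ipv6_servers: List[str] = []  # IPv6 servers, configuration order
        self.suffixes: List[str] = []      # domain name suffix list, e.g. "com", "net"

    def add_server(self, address: str) -> None:
        (self.ipv6_servers if ":" in address else self.ipv4_servers).append(address)

    def server_order(self, qtype: str) -> List[str]:
        """Servers of the request's own type first, then the other type."""
        if qtype == "AAAA":
            return self.ipv6_servers + self.ipv4_servers
        return self.ipv4_servers + self.ipv6_servers

    def resolve(self, name: str, qtype: str,
                send: Callable[[str, str, str], Optional[str]] = constructed_send,
                ) -> Tuple[Optional[str], List[Attempt]]:
        """Return (answer, attempts); attempts records every packet sent."""
        attempts: List[Attempt] = []
        # The bare name is searched first; a suffix is appended only after it fails.
        for qname in [name] + [f"{name}.{s}" for s in self.suffixes]:
            for server in self.server_order(qtype):
                attempts.append((server, qname))
                answer = send(server, qname, qtype)
                if answer is not None:
                    return answer, attempts  # first correct response wins
        return None, attempts


def page_like_resolver() -> Resolver:
    """Two IPv4 servers, one IPv6 server and the suffixes named on the page."""
    r = Resolver()
    for address in ("2.2.2.2", "2.2.2.3", "2001:db8::53"):
        r.add_server(address)
    r.suffixes = ["com", "net"]
    return r


if __name__ == "__main__":
    r = page_like_resolver()
    print(r.resolve("www.example.com", "A"))
    print(r.resolve("example", "A"))
```

The attempts list is what you would compare against a packet capture when a client complains that resolution is slow: every failed server and every appended suffix costs one more round trip before the answer arrives.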
Context
If DNS proxy is configured and the IPv4 address of a DNS server changes, change the DNS
proxy configuration, but not the configuration on each client on the LAN, which simplifies
network management.
When forwarding DNS request packets to the DNS server, the NGFW by default uses the IP address
of the outbound interface as the source IP address of the DNS request packets. In some cases,
however, you need to set the source IP address of DNS request packets to another IP address.
As shown in Figure 8-37, when the NGFW forwards DNS request packets to the DNS server
using interface A, the NGFW uses the IP address of interface A as the source IP address of the
request packets by default. If the DNS server has only a route to the IP address of interface B,
you need to set the source IP address of DNS request packets to the IP address of interface B.
Otherwise, the route query fails, and the DNS server fails to send DNS response packets.
Figure 8-37 Networking diagram for setting a source address for DNS request packets
(Figure not reproduced. Labels: Interface B.)
Procedure
----End
Procedure
system-view
- If ipv6-address is set to a link-local address, such as FE80::1, you must set interface-type
  interface-number to the outbound interface to the link-local address.
- To enable the interface to automatically obtain an IPv6 DNS server address, select dhcpv6
  or nd-ra.
----End
Step 2 Create a DDNS policy and access the DDNS policy view.
ddns policy policy-name
Step 3 Specify the user name and password for accessing the website of a DDNS service provider
through the DDNS client.
ddns username username password password
Step 4 Specify the DDNS client domain name registered on the website of the DDNS service provider.
ddns client domain-name
----End
Step 3 Manually update the mapping between domain names and IPv4 addresses.
ddns refresh
----End
Prerequisites
- One or two DNS server addresses are obtained from each ISP as the DNS server addresses
  bound to interfaces.
- You cannot deploy any DNS server on the intranet. If a DNS server is deployed on the
  intranet, the DNS transparent proxy function does not take effect, because DNS query
  messages are forwarded to the intranet DNS server for domain name resolution, and the
  NGFW is not used for DNS transparent proxy on these DNS query messages.
Context
DNS transparent proxy must function with intelligent uplink selection (Policy-based Route or
Global Link Selection Policy) and ISP Address Database Link Selection to implement load
balancing. Intelligent uplink selection selects the outbound interface for forwarding DNS query
messages, and ISP address database link selection ensures that the service traffic is forwarded
to the Web server over the ISP network of the destination address. It is meaningless to configure
DNS transparent proxy independently, because the configuration does not take effect after
delivery. For details on the implementation of DNS transparent proxy, see DNS Transparent
Proxy.
Procedure
Step 1 Access the system view.
system-view
Step 3 Set the IP address of the DNS server bound to the interface.
The NGFW uses the address of the preferred DNS server (preferred preferred-dns-address) to
replace the destination addresses of DNS query messages. When the preferred DNS server is
down, the NGFW will replace the destination addresses of DNS query messages with the address
of the alternate DNS server (alternate alternate-dns-address).
Step 4 Set the address of the DNS server that requires DNS transparent proxy.
The DNS server address specified in this command is the DNS server address specified on
clients. DNS transparent proxy uses the DNS server address bound to the interface to replace
this IP address.
Step 5 Specify the domain names that do not require DNS transparent proxy.
If you exclude a domain name from DNS transparent proxy, the NGFW directly forwards DNS query
messages for that domain name without transparent proxy processing, even if the DNS server
specified on the client is configured as a server requiring DNS transparent proxy.
If the preferred DNS server address is specified (server preferred preferred-dns-address) for
a domain name that exempts DNS transparent proxy, the DNS request will be forwarded to this
server, not the DNS server specified on the client.
If both preferred and alternate DNS server addresses are specified (server preferred preferred-
dns-address alternate alternate-dns-address), DNS requests will be forwarded to the preferred
DNS server. If the preferred DNS server is Down, DNS requests will be forwarded to the alternate
DNS server.
If the preferred DNS server address is deleted, the alternate DNS server automatically becomes
the preferred one.
If multiple domain names exempt DNS transparent proxy, run this command once for each domain
name. A maximum of 64 domain names that exempt DNS transparent proxy can be set.
----End
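The destination-rewriting decision that Steps 3 to 5 above (and Steps 5 and 6 of the Web procedure earlier in this section) describe, as an added Python example written for this page, not NGFW code: a query is rewritten only when it is addressed to a server in the proxied list, the replacement is the preferred or alternate server bound to the outbound interface chosen by intelligent uplink selection, and an exempt domain name is either forwarded untouched or sent to the server named in its exclusion. The interface names, server addresses and exempt domain are taken from the configuration script of the DNS transparent proxy Web example later on this page; the Down state, the exact-match rule for exempt domain names and the TransparentProxy class itself are this example's assumptions.

```python
"""Added example: the destination-rewriting decision of DNS transparent proxy
as described on this page, re-implemented in Python for illustration.
This is not NGFW code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

MAX_EXCLUDED_DOMAINS = 64  # limit stated on the page


@dataclass
class BoundServers:
    """Preferred/alternate pair, as in 'dns server bind interface ... preferred ... alternate ...'."""
    preferred: str
    alternate: Optional[str] = None

    def active(self, down: Set[str]) -> Optional[str]:
        """The preferred server, or the alternate when the preferred one is Down."""
        return self.alternate if self.preferred in down else self.preferred

    def delete_preferred(self) -> None:
        """Deleting the preferred address promotes the alternate to preferred."""
        if self.alternate is None:
            raise ValueError("no alternate server to promote")
        self.preferred, self.alternate = self.alternate, None


@dataclass
class TransparentProxy:
    enabled: bool = False
    bindings: Dict[str, BoundServers] = field(default_factory=dict)  # outbound interface -> servers
    proxied_servers: Set[str] = field(default_factory=set)            # 'dns transparent-proxy server ...'
    excluded: Dict[str, Optional[BoundServers]] = field(default_factory=dict)  # exempt domains
    down: Set[str] = field(default_factory=set)  # constructed reachability state, not configuration

    def bind(self, interface: str, preferred: str, alternate: Optional[str] = None) -> None:
        self.bindings[interface] = BoundServers(preferred, alternate)
        # Web UI behaviour from the page: bound addresses automatically require proxy processing.
        self.proxied_servers.add(preferred)
        if alternate:
            self.proxied_servers.add(alternate)

    def exclude(self, domain: str, preferred: Optional[str] = None,
                alternate: Optional[str] = None) -> None:
        key = domain.lower()
        if key not in self.excluded and len(self.excluded) >= MAX_EXCLUDED_DOMAINS:
            raise ValueError("at most 64 domain names can exempt DNS transparent proxy")
        self.excluded[key] = BoundServers(preferred, alternate) if preferred else None

    def destination(self, client_dst: str, qname: str, out_interface: str) -> str:
        """Destination address the NGFW actually forwards the query to."""
        if not self.enabled:
            return client_dst
        key = qname.lower().rstrip(".")
        if key in self.excluded:                    # exempt domain (exact match assumed)
            servers = self.excluded[key]
            if servers is None:
                return client_dst                   # forwarded without proxying
            return servers.active(self.down) or client_dst
        if client_dst not in self.proxied_servers:  # not a client-side DNS address we proxy
            return client_dst
        bound = self.bindings.get(out_interface)    # interface chosen by uplink selection
        if bound is None:
            return client_dst
        return bound.active(self.down) or client_dst


def page_example_config() -> TransparentProxy:
    """Values taken from the configuration script of the Web example on this page."""
    p = TransparentProxy(enabled=True)
    p.bind("GigabitEthernet1/0/1", "8.8.8.8", "8.8.8.9")
    p.bind("GigabitEthernet1/0/7", "9.9.9.8", "9.9.9.9")
    p.proxied_servers.add("10.2.0.70")              # address configured on intranet clients
    p.exclude("www.example.com", preferred="8.8.8.10")
    return p


if __name__ == "__main__":
    p = page_example_config()
    print(p.destination("10.2.0.70", "www.example.net", "GigabitEthernet1/0/1"))  # 8.8.8.8
    print(p.destination("10.2.0.70", "www.example.com", "GigabitEthernet1/0/7"))  # 8.8.8.10
```

The two conditions worth checking when the proxy "does nothing" are visible in destination(): the client's configured server must be in the proxied list, and the outbound interface must have a binding; a query that fails either test leaves the device with its original destination.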
Prerequisites
- A web server has been deployed on an enterprise intranet, and web services have been
  enabled.
- A DNS server has been deployed on the enterprise intranet and has the mappings between
  domain names and the web server address.
- Extranet users can access the web and DNS servers on the enterprise intranet.
Context
Single-server smart DNS must work with the NAT server function.
The address before smart DNS mapping is the intranet web server address, and the address after
smart DNS mapping is a public address obtained from another ISP.
The address before NAT server is the public address of the intranet web server or the public
address after smart DNS. The address after NAT server is the private address of the web server.
Procedure
Step 1 Enter the system view.
system-view
dns-smart enable
Step 3 Create a smart DNS group and access the smart DNS group view.
Step 4 Set the original IP address of the source server before smart DNS mapping.
real-server-ip ip-address
This command applies only to single-server smart DNS scenarios. ip-address specifies the IP
address of the Web server on the enterprise intranet.
NOTE
After the metric command is executed, the smart DNS mapping table configured under the smart DNS group
is cleared. You need to run the out-interface map command to reconfigure the mapping table.
To ensure that the DNS reply address is on the same ISP network as the user's address and that traffic from the
same ISP arrives at the web server over the same link, select the ISP egress mode.
To ensure that different DNS reply addresses are allocated to users so that traffic arrives at the web server over
different links for load balancing, select the Round Robin or Weighted Round Robin mode.
If the round robin mode is selected, run the weight-rule roundrobin ip-address &<1–8>
command to configure weight rules. The default weight of each IP address is 32 and cannot be
changed.
If the weighted round robin mode is selected, run the weight-rule weightrr ip-address weight-
value &<1–8> command to configure weight rules. Each IP address can be allocated a different
weight.
The NGFW takes the outbound interface and original server address configured in the out-interface
map command as matching conditions to match the payload information in the DNS reply packet.
If the information is consistent, the NGFW changes the DNS reply address to the mapped address
configured in the out-interface map command.
For example, if the original server address is 1.1.1.1 and mapping entry out-interface
GigabitEthernet 1/0/1 map 2.2.2.2 is configured, the NGFW takes 1.1.1.1 and GE1/0/1 as a pair of
matching conditions to match the payload information in the DNS reply packet.
If the address is 1.1.1.1 and the outbound interface is GE1/0/1 in the DNS reply packet, the NGFW
changes the address to 2.2.2.2. If the address is 2.2.2.2 and the outbound interface is GE1/0/1 in the
DNS reply packet, the NGFW does not change the address.
- If the traffic allocation mode is set to round robin or weighted round robin, run the out-
  interface interface-type interface-number map weight-rule command to configure the
  outbound interface mapping.
NOTE
The NGFW takes the outbound interface configured in the out-interface map command as a
matching condition to match the payload information in the DNS reply packet.
description description
quit
----End
Prerequisites
- Multiple web servers have been deployed on an enterprise intranet, and web services have
  been enabled.
- A DNS server has been deployed on the enterprise intranet and has the mappings between
  domain names and web server global addresses.
- Extranet users can access the web and DNS servers on the enterprise intranet.
Context
Multi-server smart DNS must work with the NAT server function.
In a multi-server smart DNS scenario, you need to create multiple smart DNS mappings
(mappings between ISP egresses and public ISP server addresses).
The address before NAT server is the public address of the intranet web server. The address
after NAT server is the private address of the web server.
Procedure
Step 1 Enter the system view.
system-view
Step 2 Enable the smart DNS function.
dns-smart enable
By default, the smart DNS function is disabled.
Step 3 Create a smart DNS group and access the smart DNS group view.
dns-smart group group-id type multi
Step 4 Select a traffic allocation mode.
metric { out-interface | weightrr | roundrobin }
The ISP egress mode is used by default.
If you select round robin or weighted round robin, configure corresponding weight rules.
NOTE
After the metric command is executed, the smart DNS mapping table configured under the smart DNS group
is cleared. You need to run the out-interface map command to reconfigure the mapping table.
To ensure that the DNS reply address is on the same ISP network as the user's address and that traffic from the
same ISP arrives at the web server over the same link, select the ISP egress mode.
To ensure that different DNS reply addresses are allocated to users so that traffic arrives at the web server over
different links for load balancing, select the Round Robin or Weighted Round Robin mode.
If the round robin mode is selected, run the weight-rule roundrobin ip-address &<1–8>
command to configure weight rules. The default weight of each IP address is 32 and cannot be
changed.
If the weighted round robin mode is selected, run the weight-rule weightrr ip-address weight-
value &<1–8> command to configure weight rules. Each IP address can be allocated a different
weight.
Step 5 Configure smart DNS mapping.
- If the ISP egress-based traffic allocation mode is used, run the out-interface interface-type
  interface-number map new-ip-address command to configure the outbound interface
  mapping.
interface-type interface-number is the outbound interface on the NGFW connecting to a
specific ISP. new-ip-address is the address after smart DNS mapping, which is also the
public address of the ISP server on the intranet. One interface-type interface-number must
correspond to one new-ip-address. For example, interface GE1/0/0 on the NGFW
connecting to ISP1 must correspond to public IP address 1.1.1.10 of the ISP1 server.
NOTE
interface-type interface-number and new-ip-address in different mapping rules form a pair of matching
conditions. For example, if rules out-interface GigabitEthernet1/0/1 map 1.1.1.1 and out-interface
GigabitEthernet1/0/2 map 2.2.2.2 are configured, GigabitEthernet1/0/1 and 2.2.2.2 form a pair, and
GigabitEthernet1/0/2 and 1.1.1.1 form a pair.
If the address is 2.2.2.2 and the outbound interface is GigabitEthernet1/0/1 in the DNS reply packet, the
NGFW changes the address to 1.1.1.1. If the address is 1.1.1.1 and the outbound interface is
GigabitEthernet1/0/1 in the DNS reply packet, the NGFW does not change the address.
- If the traffic allocation mode is set to round robin or weighted round robin, run the out-
  interface interface-type interface-number map weight-rule command to configure the
  outbound interface mapping.
NOTE
The NGFW takes the outbound interface configured in the out-interface map command as a
matching condition to match the payload information in the DNS reply packet.
----End
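The reply-rewriting rules of the single-server procedure (the 1.1.1.1 / GE1/0/1 / 2.2.2.2 note) and of the multi-server procedure just above (the pairing of an interface with the addresses of the other mapping rules), together with the round robin and weighted round robin weight rules and the NAT server mapping that both scenarios require, as one added Python example written for this page, not NGFW code. The interface names, addresses, the 8-address limit and the fixed weight of 32 come from the page; the SmartDnsGroup class, the smooth weighted round robin scheduler (the page fixes the weights but not the order in which addresses are handed out) and the sample weights are this example's assumptions.

```python
"""Added example: smart DNS reply rewriting and the NAT server mapping that must
accompany it, re-implemented in Python for illustration. Not NGFW code."""
from typing import Dict, List, Optional, Set

MAX_WEIGHT_RULE_ADDRESSES = 8   # &<1-8> in the weight-rule commands on the page
ROUND_ROBIN_WEIGHT = 32         # fixed weight in roundrobin mode, per the page
METRICS = ("out-interface", "roundrobin", "weightrr")


class SmartDnsGroup:
    """One 'dns-smart group'; single-server when real_server_ip is set, else multi-server."""

    def __init__(self, metric: str, real_server_ip: Optional[str] = None) -> None:
        if metric not in METRICS:
            raise ValueError(f"unknown metric {metric!r}")
        self.metric = metric
        self.real_server_ip = real_server_ip
        self.mappings: Dict[str, str] = {}      # out-interface X map new-ip-address
        self.rr_interfaces: Set[str] = set()    # out-interface X map weight-rule
        self.weights: Dict[str, int] = {}       # weight-rule roundrobin|weightrr ...
        self._credit: Dict[str, int] = {}       # scheduler state (assumed scheduler)

    def out_interface_map(self, interface: str, new_ip: str) -> None:
        self.mappings[interface] = new_ip

    def out_interface_map_weight_rule(self, interface: str) -> None:
        self.rr_interfaces.add(interface)

    def weight_rule(self, ip: str, weight: int = ROUND_ROBIN_WEIGHT) -> None:
        if self.metric == "roundrobin":
            weight = ROUND_ROBIN_WEIGHT         # cannot be changed in this mode
        if ip not in self.weights and len(self.weights) >= MAX_WEIGHT_RULE_ADDRESSES:
            raise ValueError("a weight rule takes at most 8 addresses")
        self.weights[ip] = weight
        self._credit.setdefault(ip, 0)

    def _next_address(self) -> str:
        """Smooth weighted round robin: the example's choice of scheduler, since the
        page fixes only the weights. Equal weights degrade to plain round robin."""
        total = sum(self.weights.values())
        for ip, w in self.weights.items():
            self._credit[ip] += w
        pick = max(self.weights, key=lambda ip: self._credit[ip])
        self._credit[pick] -= total
        return pick

    def rewrite_reply(self, answer_ip: str, out_interface: str) -> str:
        """Address the NGFW places in the DNS reply leaving on out_interface."""
        if self.metric == "out-interface":
            new_ip = self.mappings.get(out_interface)
            if new_ip is None:
                return answer_ip
            if self.real_server_ip is not None:
                # single-server: match (original server address, outbound interface)
                return new_ip if answer_ip == self.real_server_ip else answer_ip
            # multi-server: an interface pairs with the addresses of the *other* rules
            if answer_ip in self.mappings.values() and answer_ip != new_ip:
                return new_ip
            return answer_ip
        if out_interface in self.rr_interfaces and self.weights:
            return self._next_address()
        return answer_ip


def nat_server_mappings(public_ips: List[str], private_ip: str) -> Dict[str, str]:
    """'New Server Mapping' repeated once per public ISP server address."""
    return {public: private_ip for public in public_ips}


if __name__ == "__main__":
    g = SmartDnsGroup("out-interface", real_server_ip="1.1.1.1")
    g.out_interface_map("GigabitEthernet1/0/1", "2.2.2.2")
    print(g.rewrite_reply("1.1.1.1", "GigabitEthernet1/0/1"))  # 2.2.2.2
    print(nat_server_mappings(["1.1.1.10", "2.2.2.10"], "10.1.1.10"))
```

Running the multi-server case shows why the page insists on a server mapping for every public address: a reply that left GE1/0/1 may carry any of the other rules' addresses rewritten to 1.1.1.1, so incoming traffic to each public address must map back to the same private server.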
Table 8-59 shows the operations for displaying smart DNS configurations.
Debugging DNS
Before enabling the debugging, you must run the terminal monitor command in the user view
to enable the terminal information display function and the terminal debugging command in
the user view to enable the terminal debugging information display function.
NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.
For details on the description of the debugging commands, see Debugging Reference.
Networking Requirements
An NGFW functioning as a gateway connects PCs on an intranet to the Internet. The interface IP
addresses, a security zone, a security policy, and a NAT policy are configured on the NGFW.
The DNS function needs to be configured on the NGFW. The NGFW functions as a DHCP relay
agent and sends domain names that users on PCs enter to a DNS server on the Internet. Upon
receipt, the DNS server translates the domain names into IP addresses to allow the PCs to access
the Internet. The IP address of a DNS server on the Internet is 2.2.2.2.
(Networking diagram not reproduced. Labels: Intranet, PC, GE1/0/3 10.3.0.1/24, GE1/0/1 1.1.1.1/24.)
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure the DNS function on the NGFW.
1. Choose Network > DNS > DNS.
----End
Configuration Verification
1. View the DNS server status.
Configuration Script
#
dns resolve
dns server 2.2.2.2
#
dns proxy enable
#
sysname NGFW
#
return
Networking Requirements
A company deploys an NGFW as the gateway to provide Internet access for the intranet and uses
the NAT server function of the NGFW to provide web services for Internet users. Interface
addresses, security zones, a security policy, and the NAT server function have been configured
on the NGFW. GigabitEthernet 1/0/1 on the NGFW dials up to log in and obtains a public IP
address that may change with each connection. The DDNS function is to be configured on the
NGFW to map the dynamic IP address to the domain name example.com. The configuration
allows users on the Internet to use the domain name to access the web server. A DNS server
(2.2.2.2) also needs to be configured on the NGFW to resolve the domain name of the DDNS
server for the NGFW.
(Networking diagram not reproduced. Labels: Intranet, GE1/0/3 10.3.0.1/24, GE1/0/1, DDNS Server dyndns.org.)
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure the DNS server function.
1. Choose Network > DNS > DNS.
2. Enter 2.2.2.2 in the text box.
3. Click OK.
The following parameters are used as an example and vary depending on local operator
networks.
Parameter Description
Password
    Admin@1234
5. Click OK.
----End
Configuration Verification
1. View the DNS server status.
a. Choose Network > DNS > DNS.
b. View DNS server information.
2. View the DDNS status.
a. Choose Network > DNS > DDNS.
b. View DDNS policy information in DDNS Policy List.
3. Check whether a user on the Internet can use the domain name example.com to access the
web server. If the user successfully accesses the web server, the configuration is successful.
If the user fails to access the web server, modify the configuration and try again.
Configuration Script
#
dns resolve
dns server 2.2.2.2
#
dns proxy enable
#
ddns client enable
#
sysname NGFW
#
interface GigabitEthernet1/0/1
ddns apply policy abc
#
ddns policy abc
ddns username abc password %$%$;><#H@tZ'P-fu(/Ixr9H,{ri%$%$
ddns client
example.com
ddns server dyndns.org
#
return
Networking Requirements
As shown in Figure 8-40, an enterprise rents links from both ISP1 and ISP2. The bandwidth of
ISP1 link is 100M, and that of ISP2 link is 50M. The DNS server addresses of ISP1 are 8.8.8.8
and 8.8.8.9, and the DNS server addresses of ISP2 are 9.9.9.8 and 9.9.9.9. The DNS server
address specified on all intranet user clients is 10.2.0.70.
- The enterprise requires that the Internet access traffic of intranet users can be distributed
  to ISP1 and ISP2 links in the ratio of 2:1 to ensure that the links are made full use of but
  not congested to improve users' Internet access experience.
- When intranet users access domain name www.example.com, the firewall does not perform
  DNS transparent proxying, but the Web server address of the domain name must be resolved
  by the specified DNS server (8.8.8.10).
- To prevent link congestion when the bandwidth usage of one link reaches a specified value,
  subsequent traffic must be forwarded to the other ISP link.
(Figure 8-40 not reproduced. Labels: ISP1 100M, DNS servers 8.8.8.8 and 8.8.8.9, reached via GE1/0/1 1.1.1.1;
ISP2 50M, DNS servers 9.9.9.8 and 9.9.9.9, reached via GE1/0/7 2.2.2.2; NGFW; GE1/0/3 10.3.0.1; Intranet.
Legend: DNS requests, Modified DNS requests, Internet access traffic.)
Configuration Roadmap
Configure the transparent proxy function on the NGFW to distribute DNS query messages from
intranet users in the ratio of 2:1 to the DNS servers on ISP1 and ISP2 networks. In this case, the
Internet access traffic from intranet users can also be distributed to ISP1 and ISP2 links in the
ratio of 2:1. When processing DNS query messages, the DNS transparent proxy function replaces
the destination addresses of the messages with the DNS server address bound to the outbound
interface. The selection of the outbound interface depends on the intelligent uplink selection
function. Because the enterprise requires that the Internet access traffic can be distributed in the
ratio of 2:1 to both links, you need to set the intelligent uplink selection mode to load balancing
by link bandwidth. In the example, global link selection policies are configured. To ensure that
the Internet access traffic is directly forwarded to the Web server on the ISP network of the
destination address without taking a detour on other ISP networks, you need to configure ISP
address database link selection.
Procedure
Step 1 Choose Network > DNS > DNS.
Step 2 Click Add in DNS Server List and bind the ISP1 DNS server addresses to interface GE1/0/1.
Step 3 Click Add in DNS Server List and bind the ISP2 DNS server addresses to interface GE1/0/7.
Step 4 Select Enable of DNS Transparent Proxy and set the DNS server addresses requiring DNS
transparent proxy and the domain names to be excluded.
NOTE
DNS server addresses bound to the interface on the web UI will automatically become the addresses
requiring DNS transparent proxy. You can manually change them.
Step 7 Click the Carrier Address Library tab, then click Import, and set the following parameters.
Name
    isp1_network
Address Library File
    Click Browser and select the ISP1 address file to be uploaded.
Name
    isp2_network
Address Library File
    Click Browser and select the ISP2 address file to be uploaded.
NOTE
Because the DNS server addresses are bound to interfaces in DNS Server List, the addresses of the
preferred and alternate DNS servers are automatically displayed. If you change the addresses of the
preferred and alternate DNS servers, the configuration in DNS Server List is also changed.
Step 17 Click the Global Route Selection Policy tab, then click Edit, and configure a global link
selection policy as follows:
----End
Configuration Verification
Choose Network > Router > Intelligent Uplink Selection. On the Global Route Selection
Policy tab, you can view the traffic statistics in the last five minutes, as shown in Figure 8-41.
Configuration Script
#
dns transparent-proxy enable
dns server bind interface GigabitEthernet1/0/1 preferred 8.8.8.8 alternate 8.8.8.9
dns server bind interface GigabitEthernet1/0/7 preferred 9.9.9.8 alternate 9.9.9.9
dns transparent-proxy server 10.2.0.70
dns transparent-proxy exclude domain www.example.com server preferred 8.8.8.10
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
gateway 1.1.1.254
bandwidth ingress 100000 threshold 90
bandwidth egress 100000 threshold 90
#
interface GigabitEthernet1/0/7
ip address 2.2.2.2 255.255.255.0
gateway 2.2.2.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
#
isp name isp1_network
isp name isp1_network set filename isp1_network.csv
isp name isp2_network
isp name isp2_network set filename isp2_network.csv
#
interface-group isp isp1_network interface GigabitEthernet1/0/1 route enable
interface-group isp isp2_network interface GigabitEthernet1/0/7 route enable
#
multi-interface
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/7
mode proportion-of-bandwidth
#
return
8.3.6.4 Web Example for Configuring Single-server Smart DNS in ISP Egress Mode
This section provides an example for configuring single-server smart DNS in ISP egress mode.
Networking Requirements
As shown in Figure 8-42, an enterprise deploys ISP1 server to provide the web service whose
domain name is www.example.com. The private IP address of ISP1 server is 10.1.1.10, and the
public IP address is 1.1.1.10. The DNS server on the enterprise intranet has the mapping between
domain name www.example.com and ISP1 server public address 1.1.1.10.
When ISP1 users access www.example.com, the domain name is resolved to public IP address
1.1.1.10 of the ISP1 server, the access traffic is transmitted over the ISP1 network to the NGFW,
and the NGFW uses the NAT Server function to map the public IP address to the private IP
address 10.1.1.10 of the ISP1 server.
The enterprise also applies for a public IP address 2.2.2.10 from ISP2. The enterprise requires
that when ISP2 users access www.example.com, the domain name is resolved to this public IP
address, the access traffic is transmitted over the ISP2 network to the NGFW, and the NGFW
uses the NAT Server function to map the public IP address to the private server IP address
10.1.1.10.
Figure 8-42 (figure not reproduced; labels: DNS server; ISP1 server / Web server 10.1.1.10;
resolved Web server address for ISP1 users: 1.1.1.10 (ISP1 server address 1.1.1.10); NGFW with
GE1/0/0 and GE1/0/1; ISP2; Web server address for ISP2 users: 2.2.2.10; ISP2 user 2.1.1.1)
Configuration Roadmap
To enable ISP2 users to obtain ISP2 address 2.2.2.10, configure smart DNS in ISP egress mode
to change IP address 1.1.1.10 after DNS resolution to 2.2.2.10.
Because only one web server is deployed on the intranet, you need to configure single-server
smart DNS in ISP egress mode. The configuration roadmap is as follows:
l Configure a NAT Server mapping for the NGFW to translate ISP2 public IP address
2.2.2.10 to the private IP address 10.1.1.10 of the ISP1 server, so that ISP2 users can
access the ISP1 server using a public IP address.
4. Configure the sticky load balancing function.
Procedure
Step 1 Choose Network > DNS > Smart DNS.
Step 4 In Create Smart DNS, configure single-server smart DNS and change the DNS server address
returned to ISP2 users from 1.1.1.10 (applied for from ISP1) to 2.2.2.10 (applied for from ISP2).
Step 8 In Add Address Mapping, configure server mapping as follows to translate the public IP address
(1.1.1.10) of ISP1 server to the private IP address (10.1.1.10).
Name isp1_server_nat
Step 11 In Add Address Mapping, configure server mapping as follows to translate IP address 2.2.2.10
after smart DNS mapping to private IP address 10.1.1.10 of the Web server.
Name isp2_server_nat
Step 14 Click of interfaces GE1/0/0 and GE1/0/1 respectively and configure sticky load balancing
(in the example, basic interface settings, such as the interface IP addresses and default gateways,
have been completed).
----End
Configuration Verification
1. Run the ping www.example.com command on the PC of an ISP2 user. The command output
shows that the returned server address is 2.2.2.10.
2. On the NGFW, choose Monitor > Session Table. The session table has the session entry
with Destination Address being 2.2.2.10 and NAT Destination Address being
10.1.1.10.
Configuration Script
#
nat server isp1_server_nat global 1.1.1.10 inside 10.1.1.10 no-reverse
nat server isp2_server_nat global 2.2.2.10 inside 10.1.1.10 no-reverse
#
dns-smart enable
#
dns-smart group 1 type single
real-server-ip 1.1.1.10
out-interface GigabitEthernet1/0/1 map 2.2.2.10
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1
reverse-route nexthop 1.1.1.2
#
interface GigabitEthernet1/0/1
ip address 2.2.2.2
reverse-route nexthop 2.2.2.3
8.3.6.5 Web Example for Configuring Multi-server Smart DNS in ISP Egress Mode
This section provides an example for configuring multi-server smart DNS in ISP egress mode.
Networking Requirements
As shown in Figure 8-43, an enterprise deploys two web servers to provide the web service
whose domain name is www.example.com. The public address of ISP1 server is 1.1.1.10, and
the private address is 10.1.1.10. The public address of ISP2 server is 2.2.2.10, and the private
address is 10.2.2.10. The DNS server on the intranet of the enterprise has the mappings
between domain name www.example.com and the two server public addresses (1.1.1.10 and
2.2.2.10).
The enterprise requires that when ISP1 users access www.example.com, the domain name is
resolved to public IP address 1.1.1.10 of the ISP1 server, the access traffic is transmitted over
the ISP1 network to the NGFW, and the NGFW uses the NAT Server function to map the public
IP address to the private IP address 10.1.1.10 of the ISP1 server. When ISP2 users access
www.example.com, the domain name is resolved to public IP address 2.2.2.10 of the ISP2
server, the access traffic is transmitted over the ISP2 network to the NGFW, and the NGFW uses
the NAT Server function to map the public IP address to the private IP address 10.2.2.10 of
the ISP2 server.
Figure 8-43 (figure not reproduced; labels: DNS server; ISP1 server, private IP address 10.1.1.10,
public IP address 1.1.1.10; ISP1; NGFW with GE1/0/0 and GE1/0/1; Web server; ISP2; ISP2
server, private IP address 10.2.2.10, public IP address 2.2.2.10; ISP2 user 2.1.1.1)
Configuration Roadmap
As shown in Figure 8-43, ISP users usually obtain ISP server addresses 1.1.1.10 and 2.2.2.10.
To enable ISP1 users to obtain ISP1 server address and ISP2 users to obtain ISP2 server address,
configure smart DNS in ISP egress mode. The configuration roadmap is as follows:
ISP server addresses. For example, associate GE1/1/0 of ISP1 network with public ISP1
server address 1.1.1.10 and GE1/1/1 of ISP2 network with public ISP2 server address
2.2.2.10.
3. Configure NAT Server.
l Configure a NAT Server mapping for the NGFW to translate ISP1 public IP address
1.1.1.10 to the private IP address 10.1.1.10 of the ISP1 server, so that ISP1 users can
access the ISP1 server using a public IP address.
l Configure a NAT Server mapping for the NGFW to translate ISP2 public IP address
2.2.2.10 to the private IP address 10.2.2.10 of the ISP2 server, so that ISP2 users can
access the ISP2 server using a public IP address.
4. Configure the sticky load balancing function.
Procedure
Step 1 Choose Network > DNS > Smart DNS.
Step 4 In Create Smart DNS, configure multi-server smart DNS and set ISP1 server address returned
to ISP1 users to 1.1.1.10 and that to ISP2 users to 2.2.2.10.
Step 8 In Add Address Mapping, configure server mapping as follows to translate the public IP address
(1.1.1.10) of ISP1 server to the private IP address (10.1.1.10).
Name isp1_server_nat
Name isp2_server_nat
Step 14 Click of interfaces GE1/0/0 and GE1/0/1 respectively and configure sticky load balancing
(in the example, basic interface settings, such as the interface IP addresses and default gateways,
have been completed).
----End
Configuration Verification
1. Run the ping www.example.com command on the PC of an ISP1 user. The command output
shows that the returned server address is 1.1.1.10.
2. Run the ping www.example.com command on the PC of an ISP2 user. The command output
shows that the returned server address is 2.2.2.10.
Configuration Script
#
nat server isp1_server_nat global 1.1.1.10 inside 10.1.1.10
nat server isp2_server_nat global 2.2.2.10 inside 10.2.2.10
#
dns-smart enable
#
dns-smart group 1 type multi
out-interface GigabitEthernet1/0/0 map 1.1.1.10
out-interface GigabitEthernet1/0/1 map 2.2.2.10
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1
reverse-route nexthop 1.1.1.2
gateway 1.1.1.2
#
interface GigabitEthernet1/0/1
ip address 2.2.2.2
reverse-route nexthop 2.2.2.3
V100R001C30SPC100 Supported the configuration of an alternate DNS server for the domain
names that exempt DNS transparent proxy.
V100R001C30 Added the round robin- and weighted round robin-based smart DNS
functions.
V100R001C20SPC100 Added the DNS transparent proxy and smart DNS functions.
8.4 DHCP
This section describes Dynamic Host Configuration Protocol (DHCP) concepts and how to
configure DHCP, as well as provides configuration examples.
8.4.1 Overview
The Dynamic Host Configuration Protocol (DHCP) applies to IPv4 networks to dynamically
assign information, such as IPv4 addresses to clients.
Definition
DHCP is a technology used to dynamically manage and configure IPv4 addresses for clients.
DHCP uses the client/server model. A client applies to a server for parameters, such as the IPv4
address, default gateway address, DNS server address, and WINS server address. The server
replies with corresponding configuration parameters based on policies. DHCP dynamically
allocates IPv4 addresses and allows you to configure and manage other network parameters on
a server before delivering the parameters to clients.
Objective
As the network expands and network complexity increases, the number of PCs usually exceeds
the number of available IPv4 addresses. Furthermore, with the popularity of laptops and wireless
networks, PC locations and IPv4 addresses are changeable. To dynamically and properly assign
IPv4 addresses to hosts, DHCP is introduced.
DHCP is developed based on the Bootstrap Protocol (BOOTP). BOOTP runs in a static
environment where each host has a fixed network connection. An administrator configures a
specific BOOTP parameter file for each host, and the file remains unchanged for a long period.
DHCP dynamically manages and configures IPv4 addresses for clients in a concentrated manner,
which simplifies manual configuration and enables enterprise users to adapt to frequent network
changes.
DHCP Server
Applicable Environment
You can use a DHCP server to assign IP addresses in the following situations:
l Configure address pools and an address lease, which enables the DHCP server to
dynamically allocate IP addresses to DHCP clients.
l Reserve IP addresses for devices with fixed IP addresses, such as an FTP server.
l Assign fixed IP addresses to servers and special hosts.
l Configure IP address detection to prevent the DHCP server from allocating a single IP
address to different clients.
l Configure network parameters on the DHCP server for the clients. The parameters include
DNS server addresses, default gateway addresses, and WINS server addresses.
Typical Application
The DHCP server and clients reside on the same network segment. The NGFW functions as a
DHCP server to connect to DHCP clients using a Layer 2 switch (or hub) on the network shown
in Figure 8-44.
Figure 8-44 (figure not reproduced; labels: DHCP server, NGFW, Layer 2 LAN switches, DHCP
clients)
DHCP Relay
Applicable Environment
A DHCP client sends a DHCP Request packet to apply for a dynamic IP address in broadcast
mode. This means that the DHCP server can receive the request only if the server is on the same
network segment as the client. Deploying a DHCP server on each network segment to assign IP
addresses is uneconomical.
DHCP relay can be used to address this problem. DHCP relay allows DHCP clients on different
network segments to communicate with a single DHCP server and obtain IP addresses. This
function reduces costs and facilitates centralized management.
Typical Application
The DHCP server and clients reside on different network segments, as shown in Figure 8-46.
A DHCP relay agent is deployed to enable DHCP clients to obtain configuration information,
such as IP addresses, from the DHCP server.
Figure 8-46 (figure not reproduced; labels: DHCP clients, network segment 1, network segment 2,
network segment 3, DHCP relay, DHCP server)
DHCP Client
Applicable Environment
Some network border devices cannot obtain fixed IP addresses because IP addresses are
insufficient. To address this problem, the network devices can be configured as DHCP clients
and dynamically obtain IP addresses from a DHCP server.
Typical Application
A building shown in Figure 8-47 accesses the Internet through a router, and the router also works
as a DHCP server to assign IP addresses to enterprise users in the building. The NGFW functions
as a gateway for a small enterprise in the building. The DHCP client function is enabled on
interface1 of the NGFW so that interface1 dynamically obtains network parameters, including
an IP address, from the DHCP server and provides online services for enterprise users.
Figure 8-47 (figure not reproduced; labels: NGFW, Router)
The DHCP client and server functions can be enabled on different interfaces of the same device.
For example, the DHCP client function is enabled on the NGFW interface1 that connects to the
network shown in Figure 8-47, on which the building resides. The DHCP client function enables
the interface to obtain an IP address and configurations from the DHCP server. Meanwhile, the
DHCP server function is enabled on the NGFW interface2 that connects to the enterprise
network. The DHCP server function enables interface2 to allocate IP addresses to PCs on the
enterprise network.
8.4.3 Mechanism
This section describes Dynamic Host Configuration Protocol (DHCP) mechanism.
When a DHCP client accesses a network for the first time, the DHCP client sets up a connection
to a DHCP server. The process consists of four stages, as shown in Figure 8-48.
Figure 8-48 Process for obtaining an IP address before a DHCP client accesses a network for
the first time (figure not reproduced; participants: DHCP client, DHCP server)
Figure 8-49 Process for obtaining an IP address when the DHCP client accesses the network
not for the first time (figure not reproduced; participants: DHCP client, DHCP server)
has been released. The DHCP server keeps the DHCP client settings and reuses the settings if
the client applies for a new IP address.
The DHCP relay function is implemented on a specific interface, which is called the DHCP relay
interface. This interface must reside on the same network segment with the DHCP client and
can forward DHCP packets transparently between the DHCP client and server.
DHCP client using DHCP relay to request an address for the first time
Figure 8-50 shows the process in which a client uses DHCP relay to obtain an address for the
first time.
Figure 8-50 Process for a client using DHCP relay to request an address for the first time (figure
not reproduced)
If there are several DHCP relay agents, the DHCP relay agent whose address matches the Relay
Agent IP Address field is nearest to the client. Other relay agents connected to the client do
not check the Relay Agent IP Address field.
b. The agent checks the broadcasting flag of the packet. If the broadcasting flag is 1, the
DHCP relay agent broadcasts the packet to the DHCP client. If the value is not 1, the
agent sends the unicast packet to the client. The Your (Client) IP Address field in
the packet carries the IP address of the client, and the Client Hardware Address field
carries the MAC address of the client.
5. The DHCP client sends a DHCPREQUEST message to the DHCP relay agent in response
to the DHCPOFFER message. Upon receiving the packet, the DHCP relay agent handles
the packet in the same way described in step 2 and forwards the packet in unicast mode to
the DHCP server.
6. The DHCP server then sends a DHCPACK or DHCPNAK message to the DHCP relay
agent. The DHCP relay agent handles the packet in the same way described in step 4 and
forwards the packet to the DHCP client.
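The relay-agent handling described above (the broadcast-flag check in step b and the forwarding in steps 5 and 6), as an added Python model that is not NGFW code: it builds a raw BOOTP/DHCP header, stamps the Relay Agent IP Address and hop count on the way to the server (RFC 1542 behaviour, assumed here because step 2 is not reproduced on this page), and chooses broadcast or unicast delivery on the way back. The relay interface, server and client addresses are constructed.

```python
import struct
from ipaddress import IPv4Address
from typing import Optional, Tuple

# Added example modelling the relay-agent decisions in the text; not NGFW code.
# All addresses and the sample client MAC are constructed values.

BOOTREQUEST, BOOTREPLY = 1, 2
BROADCAST_FLAG = 0x8000            # most significant bit of the flags field
# Fixed BOOTP/DHCP header (236 bytes): op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr ("Your (Client) IP Address"), siaddr, giaddr ("Relay Agent IP
# Address"), chaddr ("Client Hardware Address"), sname, file.
HEADER = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def mac_bytes(mac: str) -> bytes:
    """'00e0-4c86-58eb' (Huawei notation) or '00:e0:4c:86:58:eb' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def mac_str(raw: bytes) -> str:
    """6 raw bytes -> Huawei notation, e.g. '00e0-4c86-58eb'."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def build_packet(op: int, xid: int, flags: int, yiaddr: str = "0.0.0.0",
                 giaddr: str = "0.0.0.0", client_mac: str = "00e0-4c86-58eb",
                 hops: int = 0, options: bytes = b"") -> bytes:
    """Assemble a minimal DHCP packet (header + magic cookie + raw options)."""
    header = HEADER.pack(op, 1, 6, hops, xid, 0, flags,
                         IPv4Address("0.0.0.0").packed,      # ciaddr
                         IPv4Address(yiaddr).packed,
                         IPv4Address("0.0.0.0").packed,      # siaddr
                         IPv4Address(giaddr).packed,
                         mac_bytes(client_mac).ljust(16, b"\0"),
                         b"\0" * 64, b"\0" * 128)
    return header + MAGIC_COOKIE + options


def parse_packet(data: bytes) -> dict:
    """Decode the header fields the relay agent looks at."""
    (op, _htype, hlen, hops, xid, _secs, flags, _ciaddr, yiaddr, _siaddr,
     giaddr, chaddr, _sname, _file) = HEADER.unpack_from(data)
    return {"op": op, "hops": hops, "xid": xid, "flags": flags,
            "yiaddr": str(IPv4Address(yiaddr)), "giaddr": str(IPv4Address(giaddr)),
            "chaddr": mac_str(chaddr[:hlen])}


class RelayAgent:
    def __init__(self, interface_ip: str, server_ip: str):
        self.interface_ip = interface_ip   # relay interface on the client's segment
        self.server_ip = server_ip         # DHCP server the relay forwards to

    def to_server(self, data: bytes) -> Tuple[str, bytes]:
        """Client -> server: write the relay interface address into giaddr
        (unless a nearer relay already did), increment hops, unicast to server."""
        pkt = parse_packet(data)
        if pkt["giaddr"] == "0.0.0.0":
            data = data[:24] + IPv4Address(self.interface_ip).packed + data[28:]
        data = data[:3] + bytes([pkt["hops"] + 1]) + data[4:]
        return self.server_ip, data

    def to_client(self, data: bytes) -> Optional[Tuple[str, str]]:
        """Server -> client: returns (destination IP, destination MAC), or None
        when giaddr names another relay agent (this one is not the nearest)."""
        pkt = parse_packet(data)
        if pkt["giaddr"] != self.interface_ip:
            return None
        if pkt["flags"] & BROADCAST_FLAG:          # broadcasting flag set
            return "255.255.255.255", "ffff-ffff-ffff"
        return pkt["yiaddr"], pkt["chaddr"]         # unicast to the offered address


if __name__ == "__main__":
    relay = RelayAgent("10.1.1.254", "10.0.0.5")
    _, discover = relay.to_server(build_packet(BOOTREQUEST, 0x1234, BROADCAST_FLAG))
    print(parse_packet(discover))
    offer = build_packet(BOOTREPLY, 0x1234, 0, yiaddr="10.1.1.20", giaddr="10.1.1.254")
    print(relay.to_client(offer))
```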
Figure 8-51 shows the process in which the DHCP client extends its address lease using DHCP
relay.
Figure 8-51 Process for a client extending the address lease using DHCP relay (figure not
reproduced; labels: T1, DHCPREQUEST (Unicast), Step 1)
l After the Lease Renewing Timer on the DHCP client expires, the DHCP client attempts to
renew the IP address lease without using DHCP relay:
1. The DHCP client sends a DHCPREQUEST message in unicast mode to the DHCP
server that assigned an IP address to the client the last time.
2. Upon receiving the message, the DHCP server directly sends a DHCPACK or
DHCPNAK message to the client in unicast mode. If the DHCP client receives a
DHCPACK message, the client's lease is renewed. If the client receives a DHCPNAK
message, the lease was not renewed, and the client must apply for an IP address.
l After the Rebinding timer on the DHCP client expires, the DHCP client performs the
following steps to renew the lease using DHCP relay:
NOTE
After a DHCP relay agent receives a message from the client or server, the DHCP relay agent handles
the message as described in DHCP client using DHCP relay to request an address for the first
time.
1. The DHCP client broadcasts a DHCPREQUEST message. The DHCP relay agent
handles the message and forwards it to the DHCP server in unicast mode.
2. The DHCP server sends a DHCPACK or DHCPNAK message to the client through
the DHCP relay agent. If the client receives a DHCPACK message, the lease has been
renewed. If the client receives a DHCPNAK message, the lease was not renewed,
and the client must apply for an IP address.
Address Pools
Address pool structure
A DHCP server establishes an address pool in a tree structure. The root of the tree is a natural
network segment address, the branches are subnet addresses, and the leaves are the manually
bound client addresses.
Figure 8-52 Address pool tree structure (figure not reproduced; labels: address pool 10.1.1.0
255.255.255.0, address pool 10.2.1.0 255.255.255.0, static address pool IP 10.1.2.1 MAC
00e0-4c86-58eb)
Figure 8-52 shows the tree structure. This tree structure enables the subnet (child-node) and
natural network segment (parent-node) to inherit each other's configurations. This means that
you only need to configure parameters, such as IP addresses of DNS servers, for either the natural
network segment or the subnet.
l After you establish a parent-child relationship, a child address pool inherits the
configurations of a parent address pool.
l If you configure a parent address pool after you establish a parent-child relationship, either
of the following situations occurs:
– If a child address pool does not have settings, it inherits the parent address pool settings.
– If a child address pool already has settings, it does not inherit parent address pool
settings.
After a client sends a DHCPREQUEST message to a DHCP server, the DHCP server selects an
IP address from an address pool based on the following principles before delivering parameters,
including an IP address, to the client:
l If the server has an address pool that contains an IP address that is statically bound to the
MAC address of the client, the server selects the address pool and assigns the IP address
to the client.
l If no address pool contains an IP address that is statically bound to the MAC address of the
client, either of the following address pools is selected:
– An address pool that uses the smallest mask and contains the destination IP address of
the DHCPREQUEST message when the client and server are on the same network
segment
– An address pool that uses the smallest mask and contains the IP address specified in the
Relay Agent IP Address field of the DHCPREQUEST message when the client and
server are on different network segments and the client obtains an IP address using
DHCP relay
If none of the IP addresses in the selected address pool are available, the server cannot
assign an IP address to the client, nor does the server assign an IP address from the parent
address pool to the client.
For example, two address pools are configured on a DHCP server, and the network
segments of IP addresses for dynamic allocation are 1.1.1.0/24 and 1.1.1.0/25. If the IP
address of the interface that receives the DHCPREQUEST messages is 1.1.1.1/25, the
server selects an IP address from address pool 1.1.1.0/25 for the client. If none of the IP
addresses in address pool 1.1.1.0/25 are available, the server cannot assign an IP address
to the client. If the destination IP address of the DHCPREQUEST messages is 1.1.1.130/25,
the server selects an IP address from address pool 1.1.1.0/24 for the client.
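The selection rules above, worked through on the page's own 1.1.1.0/24 and 1.1.1.0/25 pools, as an added Python model that is not NGFW code; the pool names, the static MAC binding and the leased addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Added example implementing the pool selection rules in the text; not NGFW code.
# Pool names, the static MAC binding and the leased addresses are constructed.


@dataclass
class AddressPool:
    name: str
    network: ipaddress.IPv4Network
    static_bindings: Dict[str, str] = field(default_factory=dict)  # MAC -> IP
    leased: Set[str] = field(default_factory=set)      # addresses already in use
    forbidden: Set[str] = field(default_factory=set)   # never assigned automatically

    def free_address(self) -> Optional[str]:
        """First host address that is not leased, reserved or statically bound."""
        bound = set(self.static_bindings.values())
        for host in self.network.hosts():
            ip = str(host)
            if ip not in self.leased and ip not in self.forbidden and ip not in bound:
                return ip
        return None


def select_address(pools: List[AddressPool], client_mac: str,
                   locator_ip: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (pool name, IP) for a DHCPREQUEST.

    locator_ip is the destination address of the request when client and server
    share a segment, or the Relay Agent IP Address when the request came through
    DHCP relay. (pool, None) means the chosen pool is exhausted; as the text
    states, the server does not fall back to the parent pool."""
    mac = client_mac.lower()
    # Rule 1: a pool that statically binds the client's MAC address wins outright.
    for pool in pools:
        for bound_mac, ip in pool.static_bindings.items():
            if bound_mac.lower() == mac:
                return pool.name, ip
    # Rule 2: among pools containing locator_ip, take the smallest mask
    # (longest prefix); a /25 beats a /24 that also contains the address.
    locator = ipaddress.IPv4Address(locator_ip)
    candidates = [p for p in pools if locator in p.network]
    if not candidates:
        return None, None
    pool = max(candidates, key=lambda p: p.network.prefixlen)
    # Rule 3: exhaustion of that pool is final.
    return pool.name, pool.free_address()


def example_pools() -> List[AddressPool]:
    """The two pools from the text (1.1.1.0/24 and 1.1.1.0/25); the server's own
    interface address 1.1.1.1 is excluded from automatic assignment."""
    pool24 = AddressPool("pool_1.1.1.0_24", ipaddress.IPv4Network("1.1.1.0/24"),
                         forbidden={"1.1.1.1"})
    pool25 = AddressPool("pool_1.1.1.0_25", ipaddress.IPv4Network("1.1.1.0/25"),
                         static_bindings={"00e0-4c86-58eb": "1.1.1.100"},
                         forbidden={"1.1.1.1"})
    return [pool24, pool25]


if __name__ == "__main__":
    pools = example_pools()
    print(select_address(pools, "00e0-4c86-58eb", "1.1.1.1"))    # static binding
    print(select_address(pools, "0011-2233-4455", "1.1.1.1"))    # /25 chosen
    print(select_address(pools, "0011-2233-4455", "1.1.1.130"))  # /24 chosen
    pools[1].leased.update(str(h) for h in pools[1].network.hosts())
    print(select_address(pools, "0011-2233-4455", "1.1.1.1"))    # /25 exhausted
```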
A DHCP server selects an IP address in the following sequence before assigning the IP address
to a client:
The DHCP server defines a specific lease for each address pool, and the addresses in the same
DHCP address pool have the same lease.
Timer Value
On a DHCP client assigned an IP address, the three timers take effect as follows:
l After the Lease renewal timer expires, the DHCP client changes from the binding state to
the renewing state. The DHCP client automatically sends a DHCPREQUEST message to
the DHCP server that has assigned an IP address to the DHCP client.
l The follow-up procedure depends on the Rebinding timer:
– Upon receipt of the DHCPREQUEST message but before the Rebinding timer expires,
the DHCP server checks the IP address to be renewed before proceeding with either of
the following operations:
– If the IP address is valid, the DHCP server replies with a DHCPACK message to
the client to renew the lease. The DHCP client then re-enters the binding state and
resets the Lease renewal and Rebinding timers.
– If the IP address is invalid, the DHCP server replies with a DHCPNAK message to
the DHCP client. The DHCP client enters the initializing state and requests a new
IP address.
– After the Rebinding timer expires and the client receives no response, the client
considers the original DHCP server to be unavailable and broadcasts a
DHCPREQUEST message.
l After the rebinding follow-up procedure, the follow-up procedure depends on the Lease
expiration timer:
– Before the Lease expiration timer expires, any DHCP server on the network may reply
to the DHCPREQUEST message:
– If the client receives a DHCPACK message, it enters the binding state and resets the
Lease renewal and Rebinding timers.
– If the client receives a DHCPNAK message, it enters the initializing state, stops
using the existing IP address, and requests a new IP address.
– After the Lease expiration timer expires and the client receives no response, it stops
using this IP address immediately, returns to the initializing state, and requests a new
IP address.
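An added Python model of the three timers and the state transitions above (not NGFW code). The page does not give the timer values, so the RFC 2131 defaults are assumed: Lease renewal at 50 % and Rebinding at 87.5 % of the lease; the client, server and lease figures are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Added example of the client-side timer state machine; not NGFW code.
# Timer values assumed from RFC 2131 (T1 = 0.5 * lease, T2 = 0.875 * lease).

BINDING, RENEWING, REBINDING, INITIALIZING = (
    "binding", "renewing", "rebinding", "initializing")
BROADCAST = "255.255.255.255"
Message = Tuple[str, str]          # (message type, destination address)


@dataclass
class DhcpClientTimers:
    state: str = INITIALIZING
    ip: Optional[str] = None
    server: Optional[str] = None   # server that assigned the current lease
    renewal_at: int = 0            # Lease renewal timer
    rebinding_at: int = 0          # Rebinding timer
    expiry_at: int = 0             # Lease expiration timer
    sent: List[Message] = field(default_factory=list)

    def bind(self, ip: str, server: str, lease_seconds: int, now: int) -> None:
        """Enter the binding state and (re)set all three timers."""
        self.state, self.ip, self.server = BINDING, ip, server
        self.renewal_at = now + lease_seconds // 2
        self.rebinding_at = now + lease_seconds * 7 // 8
        self.expiry_at = now + lease_seconds

    def _send(self, msg: Message) -> Message:
        self.sent.append(msg)
        return msg

    def _restart(self) -> Message:
        """Stop using the address, return to initializing, request a new one."""
        self.state, self.ip, self.server = INITIALIZING, None, None
        return self._send(("DHCPDISCOVER", BROADCAST))

    def tick(self, now: int) -> Optional[Message]:
        """Advance the clock; return the message the client sends, if any."""
        if self.state == INITIALIZING:
            return None
        if now >= self.expiry_at:                 # no reply before expiration
            return self._restart()
        if self.state in (BINDING, RENEWING) and now >= self.rebinding_at:
            self.state = REBINDING                # original server presumed down
            return self._send(("DHCPREQUEST", BROADCAST))
        if self.state == BINDING and now >= self.renewal_at:
            self.state = RENEWING
            return self._send(("DHCPREQUEST", self.server))   # unicast
        return None

    def receive(self, msg_type: str, server: str, now: int,
                lease_seconds: int = 0) -> Optional[Message]:
        """Handle a DHCPACK or DHCPNAK arriving while renewing or rebinding."""
        if self.state not in (RENEWING, REBINDING):
            return None
        if self.state == RENEWING and server != self.server:
            return None       # only the original server answers a unicast renewal
        if msg_type == "DHCPACK":
            self.bind(self.ip, server, lease_seconds, now)   # lease renewed
            return None
        if msg_type == "DHCPNAK":
            return self._restart()
        return None


if __name__ == "__main__":
    c = DhcpClientTimers()
    c.bind("10.1.1.20", "10.1.1.1", 800, now=0)
    for t in (400, 700, 800):
        print(t, c.tick(t), c.state)
```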
Context
If a DHCP server and clients are on the same network segment, the DHCP server provides the
clients with dynamically assigned IP addresses, statically configured IP addresses, designated
DNS servers, gateways, and WINS servers. If the DHCP server and clients are on different
network segments, the DHCP server works with a DHCP relay agent to assign network
parameters, including IP addresses, to the clients.
The DHCP server and relay services cannot coexist on the same interface.
Procedure
Step 1 Choose Network > DHCP Server > Settings.
Parameter Description
Interface Name Name of the interface on which the DHCP server function is
configured.
The interface must be an existing one and Connection Type
must be set to Static IP.
Service Type Enable either the DHCP server or relay service on this interface.
When the DHCP server is enabled on the interface, the Service
Type must be set to Server.
Subnet Mask Subnet mask of the IP address assigned to a DHCP client. The
subnet mask determines which part of an IP address serves as the
network/subnet ID and which part serves as a host ID.
For example, the subnet mask of a relay-enabled network can be
the same as the mask of the IP address of a DHCP relay interface.
By default, the system uses the mask of the interface IP address
as the subnet mask. If necessary, you can change the subnet mask.
Primary DNS Server Primary DNS server address assigned to a DHCP client.
This parameter needs to be specified when DNS Service is
Specify.
Secondary DNS Server Secondary DNS server address assigned to a DHCP client.
When the DHCP client fails to resolve domain names using the
primary DNS server, the DHCP client requests the secondary
DNS server for domain name resolution.
This parameter can be specified when DNS Service is Specify.
The secondary DNS server address must be different from the
primary one.
Advanced
Lease Duration Lease for an address assigned to a DHCP client. The lease
specifies how long the DHCP client can use the IP address
assigned by the server.
You can set an address lease based on how long clients typically
stay connected to the physical network served by an address
pool. If clients on a wireless network frequently disconnect from
the network, you can decrease the address lease, for example to
0 days 8 hours 0 minutes. If clients stay connected to the network
for long, stable periods, you can increase the lease or even set
it to be infinite.
Primary WINS Server Primary WINS server address assigned to a DHCP client.
Hosts running the Windows operating system and NetBIOS
resolve NetBIOS host names to IP addresses. The resolution
methods for NetBIOS host name include local name resolution,
broadcast query, and WINS server resolution. WINS server
resolution is implemented by a WINS server.
The primary WINS server and DHCP server must be routable.
Secondary WINS Server Secondary WINS server address assigned to a DHCP client.
When the DHCP client fails to resolve NetBIOS host names
using the primary WINS server, the client requests the secondary
WINS server for host name resolution.
The secondary WINS server and DHCP server must be routable.
Start IP Address First IP address in a range of IP addresses that are not assigned
automatically.
The configuration takes effect when the first IP address is listed
in IP Addresses Range.
End IP Address Last IP address in a range of IP addresses that are not assigned
automatically.
The last IP address must be on the same network segment with
the first IP address and higher than the first IP address. The
configuration takes effect when the last IP address is listed in IP
Addresses Range.
If you do not specify the last IP address, only the first IP address
is reserved.
If the operation is successful, DHCP Service Information List is displayed on the page, and
new configuration items are added to the list.
----End
Prerequisites
l A DHCP server has been configured based on a global address pool.
No interface address pool can be configured for the DHCP server interface that connects
to the DHCP relay agent.
l The DHCP server and DHCP relay interface are reachable to each other.
l The DHCP relay interface and client reside on the same network segment.
The IP address of the DHCP relay interface must be on the same network segment as the
IP address that the DHCP server assigns to the client.
l The default gateway address of the DHCP client must be the IP address of the DHCP relay
interface.
Context
The DHCP server and relay cannot be configured on the same interface.
Procedure
Step 1 Choose Network > DHCP Server > Settings.
Parameter Description
Interface Name Name of the interface on which the DHCP relay function is
configured.
The interface must exist. Connection Type can be set only to
Static IP, and the interface IP address must be on the same
network segment as the DHCP client.
Service Type Enable either the DHCP server or relay service on this interface.
When DHCP relay is enabled on the interface, the Service
Type must be Relay.
IPv4 Server IP Address IP address that a DHCP server assigns and the DHCP relay agent
forwards to a client.
If the operation is successful, DHCP Service Information List is displayed on the page, and
new configuration items are added to the list.
Repeat previous operations to configure the DHCP relay function on multiple interfaces.
----End
Step 2 Click Refresh to refresh the latest information about address lease duration.
----End
Parameter Description
MAC Address MAC address of the client to which the DHCP server assigns an
IP address.
Lease Expiration Expiration date and time of the lease for an IP address assigned
by a DHCP server. Values and their meanings are as follows:
l Specific time (such as 2011-11-7 18:01:20): Date and time
when a lease expires.
l NOT used: A statically bound lease is not assigned to the
specific client yet.
l Unlimited: A lease does not expire.
----End
Configuration Flow
The flow for configuring a DHCP server helps you focus on the configuration operations you
are interested in.
Configuration flow (figure not reproduced): Start; Assigning client IP addresses and network
parameters (based on a global address pool); Assigning client IP addresses and network
parameters (based on an interface address pool); Configuring dynamic address allocation and
network parameters; Enabling Authorized ARP; Enabling an interface address pool.
----End
Prerequisites
l The link between the DHCP client and server is working properly.
l Before a client domain name and a DNS server are configured, the DHCP client must
support the DNS client functions.
l Before a client WINS server address is configured, the DHCP client must support the WINS
client functions.
l The DHCP server and the DNS server or the WINS server are routable to each other
(unnecessary if the two servers are not configured).
NOTICE
The system does not verify the configuration during the Option field configuration;
therefore, you must confirm the configuration correctness.
Configure self-defined options with caution because the DHCP working process may be
affected.
Procedure
By default, the IP addresses in the DHCP address pool, except for the DHCP server interface IP
addresses, can be assigned automatically.
l To reserve an IP address range, specify both start-ip-address and end-ip-address. Note that
start-ip-address is less than end-ip-address, and they are on the same network segment.
For example, 10.1.1.3 to 10.1.1.9 have been used as fixed IP addresses and need to be
reserved.
[NGFW] dhcp server forbidden-ip 10.1.1.4 10.1.1.9
NOTE
l After repeatedly running the dhcp server forbidden-ip command, you can configure multiple reserved
IP addresses or segments that cannot be automatically assigned.
l Before using the undo dhcp server forbidden-ip command to delete the setting, ensure that the
specified parameters are consistent with the previously configured parameters. You cannot delete only
some originally configured addresses.
pool-name uniquely identifies the global address pool. Choose an easily recognizable
name for the global address pool. For example, if the IP addresses in a global address
pool are assigned to department A, you can name the pool dept_a.
2. Specify the IP address range available for dynamic address allocation in the global address
pool.
network ip-address [ mask { mask | mask-length } ]
When you configure the network segment of an address pool, specify an address segment
for each address pool and determine the address range by the subnet mask or mask length.
For example, set the IP address range for dynamic address allocation in a global address
pool to 10.1.1.0/24.
If mask is not specified, the NGFW automatically uses a natural mask. For example,
network 10.1.1.1 indicates network 10.0.0.0 mask 255.0.0.0.
NOTE
The IP address range available for dynamic address allocation must be on the same network segment
as the DHCP server interface address or the DHCP relay interface address.
3. Specify an egress gateway address for the DHCP client.
NOTICE
Do not configure the egress gateway address allocated to DHCP clients as a broadcast
address or network address.
This command must be run if the DHCP client needs to access other network segments.
To balance traffic loads and enhance network reliability, you can configure multiple egress
gateway addresses.
On a network with DHCP relay, the egress gateway address that is assigned to the DHCP
client by the DHCP server must be the same as the IP address of the DHCP relay interface.
4. Specify a domain name suffix to be allocated to the DHCP client.
domain-name domain-name
When a DHCP client that has obtained a domain name suffix accesses network resources by host
name, it automatically appends the suffix even if you do not enter it.
For example, a domain name suffix obtained by the DHCP client is example.com, and after
you enter ping xyz, domain name xyz.example.com is queried.
5. Specify a DNS server address to be assigned to the DHCP client.
dns-list { ip-address &<1-8> | unnumbered interface interface-type interface-number }
This command must be run when the DHCP client accesses Internet using its domain name.
l If the DNS server address is already obtained, you can specify ip-address.
l If an interface (for example, a dialer interface) has obtained a DNS server address, you
can specify unnumbered interface. For example, if Dialer 1 is a PPPoE dialer interface
that dynamically obtains DNS server addresses from the Internet, you can run the dns-list
unnumbered interface dialer 1 command to assign the DNS server address that Dialer 1
obtained dynamically to the DHCP client.
To balance traffic loads and enhance network reliability, you can configure multiple DNS
servers. You can configure a maximum of eight DNS servers by specifying ip-address.
6. Optional: Specify a WINS server address to be assigned to the DHCP client.
nbns-list ip-address &<1-8>
In the Windows operating system, the name of a host that uses the NetBIOS protocol needs
to be resolved to an IP address. A NetBIOS host name can be resolved using local name
resolution, broadcast query, and WINS server resolution. The WINS server resolution must
be performed by a WINS server.
To balance traffic loads and enhance network reliability, you can configure multiple WINS
servers.
7. Optional: Specify the type for the NetBIOS node that is assigned to the DHCP client.
netbios-type { b-node | h-node | m-node | p-node }
l b-node: The host name is resolved using broadcast query, not the WINS server. This
method increases the network traffic loads and cannot be performed across network
segments.
If b-node is configured, there is no need to specify the WINS server address.
l h-node: The host name is first resolved using the WINS server and then using broadcast
query if the first resolution attempt fails.
l p-node: The host name is resolved using the WINS server, not broadcast query.
l m-node: The host name is first resolved using broadcast query and then using the WINS
server if the first resolution attempt fails.
NOTE
Each operating system has a default node type. Normally, a DHCP server does not need to change
client node types.
8. Optional: Specify the DHCP Option field.
option code { ascii ascii-string | hex hex-string | ip-address ip-address &<1-8> }
The DHCP server can specify different lease values for different address pools, but must
specify a unique lease for IP addresses in one address pool.
Before you specify a lease, consider the duration of connections between the clients related
to the address pool and the physical network. For example, on a wireless network, clients
are continuously connected to and disconnected from the network; therefore, you can
configure a short lease. (For example, set 8 hours instead of eight days.)
If a client's connection to the network is stable, you can configure a long lease or even an
infinite lease.
If a client requires a fixed IP address, bind the IP address that has been assigned to it to its
MAC address.
The static-bind ip-address command and the static-bind mac-address command must
be executed together to statically allocate the IP address to a client with the specified MAC
address. After the commands are executed multiple times, the latest configuration overrides
the previous one.
NOTICE
If the IP address for static allocation is selected from the global address pool and does not
have a parent address pool, it cannot automatically inherit network parameter
configurations from the parent address pool; therefore, configure the network parameters
for the IP address manually. For details, see steps c to g in Step 3.
By default, the lease of statically-allocated IP addresses is infinite. It is not restricted by
the expired command.
l Apply the global address pool configuration on designated interfaces in the system view.
dhcp select global { all | interface interface-type interface-number.sub-interface-number1 [ to interface-type interface-number.sub-interface-number2 ] | interface interface-type interface-number }
The clients can use these interfaces to obtain IP addresses and network parameters from the
global address pool.
NOTE
l If multiple Ethernet subinterfaces are designated, the subinterfaces must belong to a single physical
interface.
l The all parameter indicates all interfaces with IP addresses. The interfaces can be GE interfaces
and subinterfaces, Vlanif interfaces, and Eth-trunk interfaces.
l Apply the global address pool configuration on the current interface in the interface view.
dhcp select global
The clients that log in using the specified interface obtain IP addresses and network parameter
configurations from the global address pool.
NOTE
The address pool configurations apply only to the current interface. The interface can be a GE interface
or its subinterface, a Vlanif interface, or an Eth-trunk interface.
After the global address pool is configured, you must specify which interfaces use the
configurations of the global address pool. The DHCP clients attached to these interfaces can
then obtain IP addresses and network parameters from the global address pool.
l If the DHCP client and the NGFW (working as the DHCP server) are on the same network
segment, and no DHCP relay is in between, the NGFW selects a global address pool that
resides on the same network segment as the interface to assign IP addresses. If the interface
has no IP address, or no address pool is on the same network segment as the interface, the
client fails to obtain an IP address.
l If the DHCP client and the NGFW (working as the DHCP server) are on different network
segments, and a DHCP relay is in between, the NGFW resolves the Relay Agent IP
Address fields in received DHCP request packets to assign an IP address. If the IP address
does not match any address pool, the client fails to obtain an IP address.
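The following Python model, added here and not part of the Huawei guide, ties together three rules from this section: the natural mask applied by network without a mask, the constraints on dhcp server forbidden-ip, and how the NGFW picks a global pool from the receiving interface address or the Relay Agent IP Address (giaddr). The pool name, segment and reserved range are constructed for the demonstration; treating start == end as a single reserved address is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Iterable, List, Optional, Tuple


def natural_network(ip: str) -> ipaddress.IPv4Network:
    """'network <ip>' without a mask applies the natural (classful) mask,
    so network 10.1.1.1 means 10.0.0.0 mask 255.0.0.0."""
    first_octet = int(ip.split(".")[0])
    if first_octet < 128:
        prefix = 8       # class A
    elif first_octet < 192:
        prefix = 16      # class B
    else:
        prefix = 24      # class C
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


@dataclass
class GlobalPool:
    """One global address pool: its name plus the segment given by 'network'."""
    name: str
    network: ipaddress.IPv4Network
    # ranges reserved with 'dhcp server forbidden-ip start end' (repeatable command)
    forbidden: List[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]] = field(default_factory=list)

    def forbid(self, start: str, end: str) -> None:
        """Reserve start..end. start must not be greater than end (start == end for a
        single address is an assumption) and both must lie on the pool's segment."""
        s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if s > e:
            raise ValueError("start-ip-address must not be greater than end-ip-address")
        if s not in self.network or e not in self.network:
            raise ValueError("reserved range must be on the pool's network segment")
        self.forbidden.append((s, e))

    def is_forbidden(self, ip: ipaddress.IPv4Address) -> bool:
        return any(s <= ip <= e for s, e in self.forbidden)


def make_pool(name: str, cidr: str) -> GlobalPool:
    return GlobalPool(name, ipaddress.ip_network(cidr))


def forbid_ok(pool: GlobalPool, start: str, end: str) -> bool:
    """True if the reservation is accepted, False if it violates the constraints."""
    try:
        pool.forbid(start, end)
        return True
    except ValueError:
        return False


def select_pool(pools: Iterable[GlobalPool], iface_ip: Optional[str],
                giaddr: str) -> Optional[GlobalPool]:
    """Pool lookup as the section describes it.
    No relay (giaddr 0.0.0.0): the pool on the receiving interface's segment.
    Relay in the path: the pool containing the Relay Agent IP Address (giaddr).
    None means the client gets no lease (interface has no IP or no pool matches)."""
    if giaddr != "0.0.0.0":
        key = ipaddress.ip_address(giaddr)
    elif iface_ip:
        key = ipaddress.ip_address(iface_ip)
    else:
        return None
    for pool in pools:
        if key in pool.network:
            return pool
    return None


def assignable(pool: GlobalPool, iface_ip: Optional[str], in_use: Iterable[str]) -> List[str]:
    """Addresses the server may hand out automatically: host addresses of the segment
    minus the server interface address, the forbidden ranges and current leases."""
    excluded = {ipaddress.ip_address(a) for a in in_use}
    if iface_ip:
        excluded.add(ipaddress.ip_address(iface_ip))
    return [str(h) for h in pool.network.hosts()
            if h not in excluded and not pool.is_forbidden(h)]


def demo() -> List[str]:
    """Constructed scenario: pool dept_a on 10.1.1.0/28, server interface 10.1.1.1,
    10.1.1.4 to 10.1.1.9 reserved, 10.1.1.2 already leased."""
    dept_a = make_pool("dept_a", "10.1.1.0/28")
    dept_a.forbid("10.1.1.4", "10.1.1.9")
    pool = select_pool([dept_a], "10.1.1.1", "0.0.0.0")
    return assignable(pool, "10.1.1.1", ["10.1.1.2"])
```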
----End
NOTICE
The customized Option field may affect the DHCP working process. Perform this operation
with caution.
l The dhcp select interface, dhcp server expired, dhcp server domain-name, dhcp server
netbios-type, dhcp server nbns-list, and dhcp server option commands can be executed
in the interface and system views. In the system view, you can configure multiple or all
interfaces in a batch for improved efficiency. This section uses the configuration in the
interface view as an example.
NOTE
If multiple Ethernet subinterfaces are designated, the subinterfaces must belong to a single physical
interface.
For example, to enable the interface address pool for subinterfaces from GigabitEthernet
1/0/1.1 to GigabitEthernet 1/0/1.3:
[NGFW] dhcp select interface interface GigabitEthernet 1/0/1.1 to GigabitEthernet 1/0/1.3
Procedure
NOTE
The interface can be a GE interface or its subinterface, an Ethernet interface or its subinterface, a
Vlanif interface, a Virtual-Ethernet interface, or an Eth-trunk interface.
2. Assign an IP address to the interface.
ip address ip-address { mask | mask-length }
The address range of the interface address pool is the network segment on which the IP
address of the interface resides. The range only takes effect on the interface.
You can configure other network parameters of the interface address pool only after the interface
address pool is enabled.
By default, the IP addresses in the DHCP address pool, except for the DHCP server interface IP
addresses, can be assigned automatically.
l To reserve an IP address range, specify both start-ip-address and end-ip-address. Note that
start-ip-address is less than end-ip-address, and they are on the same network segment.
For example, 10.1.1.3 to 10.1.1.9 have been used as fixed IP addresses and need to be
reserved.
[NGFW-GigabitEthernet1/0/1] dhcp server forbidden-ip 10.1.1.4 10.1.1.9
NOTE
l After repeatedly running the dhcp server forbidden-ip command, you can configure multiple reserved
IP addresses or segments that cannot be automatically assigned.
l Before using the undo dhcp server forbidden-ip command to delete the setting, ensure that the
specified parameters are consistent with the previously configured parameters. You cannot delete only
some originally configured addresses.
NOTICE
Do not configure the default gateway address allocated to DHCP clients as a broadcast
address or network address.
This command must be run if the DHCP client needs to access other network segments.
To balance traffic loads and enhance network reliability, you can configure multiple
gateway addresses.
On a network with DHCP relay, the gateway address that is assigned to the DHCP client
by the DHCP server must be the same as the IP address of the DHCP relay interface.
2. Specify a domain name suffix for the DHCP client.
dhcp server domain-name domain-name
When a DHCP client that has obtained a domain name suffix accesses network resources by host
name, it automatically appends the suffix even if you do not enter it.
For example, a domain name suffix obtained by the DHCP client is example.com, and after
you enter ping xyz, domain name xyz.example.com is queried.
3. Specify a DNS server address to be assigned to the DHCP client.
dhcp server dns-list { ip-address &<1-8> | unnumbered interface interface-type interface-number }
This command must be run when the DHCP client accesses Internet using its domain name.
l If the DNS server address is already obtained, you can specify ip-address.
l If an interface (for example, a dialer interface) has obtained a DNS server address, you
can specify unnumbered interface. For example, if Dialer 1 is a PPPoE dialer interface
that dynamically obtains DNS server addresses from the Internet, you can run the dhcp
server dns-list unnumbered interface dialer 1 command to assign the DNS server
address that Dialer 1 obtained dynamically to the DHCP client.
The two methods can be used simultaneously.
To balance traffic loads and enhance network reliability, you can configure multiple DNS
servers. You can configure a maximum of eight DNS servers by specifying ip-address.
4. Optional: Specify a WINS server address to be assigned to the DHCP client.
dhcp server nbns-list ip-address &<1-8>
In the Windows operating system, the name of a host that uses the NetBIOS protocol needs
to be resolved to an IP address. A NetBIOS host name can be resolved using local name
resolution, broadcast query, and WINS server resolution. The WINS server resolution must
be performed by a WINS server.
To balance traffic loads and enhance network reliability, you can configure multiple WINS
servers.
5. Optional: Specify a type for the NetBIOS node allocated to the DHCP client.
dhcp server netbios-type { b-node | h-node | m-node | p-node }
Each operating system has a default node type. Normally, the DHCP server does not need to change
client node types.
6. Optional: Specify the DHCP Option field.
dhcp server option code { ascii ascii-string | hex hex-string &<1-10> | ip-address ip-address &<1-8> }
If a client's connection to the network is stable, you can configure a long lease or even an infinite
lease.
The IP address in the interface address pool is manually bound to its MAC address.
If a client requires a fixed IP address, bind the IP address that has been assigned to it to its MAC
address.
This command is used to bind one pair of IP-MAC addresses and can be executed many times
to bind many pairs. The IP addresses to be bound must be available for dynamic address
allocation in interface address pool.
----End
Prerequisites
Before you adjust the address collision detection parameters, you must finish the DHCP server
configurations.
Context
The DHCP server sends ping packets to detect the address collision by checking whether
responses are received in the designated period of time. A DHCP server sends the ping packets
destined for the IP address to be allocated. If no response is received within the maximum
response time of the ping command, the server continues sending ping packets until the number
of sent ping packets reaches the upper limit. If no response is received, the server allocates the
IP address to a client. This ensures that the IP address allocated to the client is unique.
Procedure
Step 2 Specify how long the DHCP server waits for a response after sending a ping packet.
dhcp server ping timeout milliseconds
By default, the longest waiting time for ping response packets is 500 ms. The value 0 disables
the ping operation.
Changing this parameter is not recommended. You can increase the waiting time if the network
delay is long.
Step 3 Set the maximum number of ping packets sent by the DHCP server.
dhcp server ping packets number
By default, the maximum number of ping packets sent is 2. The value 0 disables the ping
operation.
Changing this parameter is not recommended, because a large value increases the load on the
DHCP server. However, if the network is unstable, you can increase the maximum number of ping packets.
NOTE
If the value of either address detection parameter is set to 0, the DHCP server does not perform address
detection and directly assigns an IP address to a client.
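The probe loop described in this section, written out as an added Python example (not Huawei code) so the effect of the two parameters is visible: each candidate address gets up to packets probes of timeout milliseconds, a single reply marks a collision, and a value of 0 for either parameter skips detection entirely. The ping function is injected, and the occupied address 10.1.1.10 is a constructed stand-in for a host on the segment.

```python
from typing import Callable, List, Optional, Tuple

# Defaults stated in the section: dhcp server ping timeout 500 (ms), dhcp server ping packets 2.
DEFAULT_TIMEOUT_MS = 500
DEFAULT_PACKETS = 2

PingFn = Callable[[str, int], bool]   # ping(ip, timeout_ms) -> True if a reply arrived


def address_in_use(ip: str, ping: PingFn, timeout_ms: int = DEFAULT_TIMEOUT_MS,
                   packets: int = DEFAULT_PACKETS) -> bool:
    """Probe ip before leasing it. Each probe waits up to timeout_ms; probing stops at the
    first reply (collision) or after 'packets' unanswered probes (address is free).
    Either parameter set to 0 disables detection: the address is handed out untested."""
    if timeout_ms == 0 or packets == 0:
        return False
    for _ in range(packets):
        if ping(ip, timeout_ms):
            return True
    return False


def allocate(candidates: List[str], ping: PingFn, conflicts: List[str],
             timeout_ms: int = DEFAULT_TIMEOUT_MS,
             packets: int = DEFAULT_PACKETS) -> Optional[str]:
    """Return the first candidate nobody answers for. Colliding addresses are appended
    to 'conflicts', the list that 'display dhcp server conflict' would report."""
    for ip in candidates:
        if address_in_use(ip, ping, timeout_ms, packets):
            conflicts.append(ip)
            continue
        return ip
    return None


def probes_sent(timeout_ms: int, packets: int) -> int:
    """Worst-case number of probes a free address costs with the given parameters."""
    sent: List[str] = []

    def silent_ping(ip: str, t: int) -> bool:
        sent.append(ip)
        return False          # nobody ever answers

    address_in_use("10.1.1.3", silent_ping, timeout_ms, packets)
    return len(sent)


# Constructed offline stand-in for the network: a host with a fixed address that was
# never reserved with forbidden-ip already answers on 10.1.1.10.
OCCUPIED = {"10.1.1.10"}


def fake_ping(ip: str, timeout_ms: int) -> bool:
    return ip in OCCUPIED


def demo() -> Tuple[Optional[str], List[str]]:
    """Lease the first free address of a small candidate list with default parameters."""
    conflicts: List[str] = []
    leased = allocate(["10.1.1.10", "10.1.1.11", "10.1.1.12"], fake_ping, conflicts)
    return leased, conflicts
```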
----End
Prerequisites
Context
Authorized ARP, valid on only devices on which the DHCP server is enabled, applies when the
DHCP server and client reside on the same network segment, but not in the DHCP relay scenario.
Authorized ARP prevents a DHCP server from dynamically learning illegitimate ARP
responses. Only clients to which the DHCP server assigns IP addresses can add ARP entries
(called authorized ARP entries) automatically based on ARP response packets.
If an attacker forges the IP or MAC address of a legitimate DHCP client to originate an ARP
request, the IP or MAC address does not match authorized ARP entries recorded by the gateway
(the DHCP server), and no response is returned. As a result, the attacker fails to access the
network by forging a legitimate IP or MAC address.
Authorized ARP entries do not age. When DHCP clients go offline, their authorized ARP
entries are automatically deleted from the ARP table.
Authorized ARP entries have a higher priority than dynamic ARP entries but a lower priority
than static ARP entries. A new authorized ARP entry overrides a duplicate dynamic ARP entry
but not a static ARP entry, and an authorized ARP entry can itself be overridden by a
duplicate static ARP entry.
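An added Python model (not Huawei code) of the authorized ARP rules above: entry precedence static > authorized > dynamic, authorized entries that never age but disappear with the lease, and the gateway answering an ARP request only when the sender's IP/MAC pair matches a lease the DHCP server itself issued. The learn_dynamic method and the MAC addresses are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict

# Higher number wins when two entries exist for the same IP address.
PRIORITY = {"dynamic": 0, "authorized": 1, "static": 2}


@dataclass
class ArpEntry:
    mac: str
    kind: str          # "dynamic", "authorized" or "static"


class Gateway:
    """DHCP server that is also the segment's gateway, with authorized ARP enabled."""

    def __init__(self) -> None:
        self.arp: Dict[str, ArpEntry] = {}
        self.leases: Dict[str, str] = {}   # ip -> mac assigned by this DHCP server

    def _install(self, ip: str, mac: str, kind: str) -> bool:
        """Insert unless an entry of higher priority already exists for ip.
        Equal priority (for example a re-added static entry) replaces the old one."""
        cur = self.arp.get(ip)
        if cur is not None and PRIORITY[cur.kind] > PRIORITY[kind]:
            return False
        self.arp[ip] = ArpEntry(mac, kind)
        return True

    def add_static(self, ip: str, mac: str) -> bool:
        return self._install(ip, mac, "static")

    def learn_dynamic(self, ip: str, mac: str) -> bool:
        """Constructed helper: an entry learned the ordinary dynamic way."""
        return self._install(ip, mac, "dynamic")

    def dhcp_ack(self, ip: str, mac: str) -> None:
        """Lease granted: the client's binding becomes an authorized ARP entry."""
        self.leases[ip] = mac
        self._install(ip, mac, "authorized")

    def dhcp_release(self, ip: str) -> None:
        """Client goes offline: lease and authorized entry are removed together."""
        self.leases.pop(ip, None)
        entry = self.arp.get(ip)
        if entry is not None and entry.kind == "authorized":
            del self.arp[ip]

    def age_out(self) -> None:
        """Aging touches dynamic entries only; authorized and static entries never age."""
        self.arp = {ip: e for ip, e in self.arp.items() if e.kind != "dynamic"}

    def on_arp_request(self, sender_ip: str, sender_mac: str) -> str:
        """'respond' only when the sender's IP/MAC pair matches an authorized binding.
        A forged IP or MAC gets no reply, so the sender cannot reach the network."""
        if self.leases.get(sender_ip) == sender_mac:
            return "respond"
        return "drop"
```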
Procedure
----End
Verifying Configuration
This section describes how to verify the DHCP server configuration.
----End
Prerequisites
l A DHCP server has been configured based on a global address pool.
No interface address pool can be configured for the DHCP server interface that connects
to the DHCP relay.
l The DHCP server and the DHCP relay interface are routable to each other.
l The DHCP relay interface and the DHCP client reside on the same network segment.
The IP address of the DHCP relay interface is on the same network segment as the IP
address of the client that is assigned by the DHCP server.
l The default gateway address of the DHCP client must be the IP address of the DHCP relay
interface.
Context
During certain phases in DHCP configuration, the DHCP client sends broadcast packets;
therefore, the DHCP relay interface must support the broadcast mode.
A DHCP relay interface supports a maximum of 20 DHCP server addresses.
The ip relay address and dhcp select relay commands can be executed in either of the following
views:
l In the interface view, you can set the current interface as a DHCP relay interface.
l In the system view, you can configure a specific interface, multiple subinterfaces, or all
interfaces as the DHCP relay interfaces for an improved efficiency.
This section uses the configuration in the interface view as an example.
NOTE
If multiple Ethernet subinterfaces are designated, the subinterfaces must belong to a single physical
interface.
For example, allocate a DHCP server for GigabitEthernet 1/0/1.1 and GigabitEthernet 1/0/1.2
and apply the DHCP relay configurations.
[NGFW] ip relay address 10.1.1.2 interface GigabitEthernet 1/0/1.1 to GigabitEthernet 1/0/1.2
[NGFW] dhcp select relay interface GigabitEthernet 1/0/1.1 to GigabitEthernet 1/0/1.2
NOTE
A DHCP message sent from a client to a server can be relayed a maximum of four times; a message
relayed more than four times is discarded. If more than one DHCP relay agent exists on the network,
the DHCP relay function must be enabled on each DHCP relay agent, and the client, relay agents, and
DHCP server must be routable to each other. The last DHCP relay agent specifies the IP address of
the DHCP server; the other DHCP relay agents specify the IP address of the next DHCP relay agent.
Procedure
Step 1 Access the system view.
system-view
NOTE
The interface can be a GE interface or its subinterface, a Vlanif interface, or an Eth-trunk interface.
Step 4 Specify the DHCP server IP address for the DHCP relay interface.
ip relay address ip-address
NOTE
When more than one DHCP relay agents exist on a network, the last DHCP relay agent specifies the IP
address of the DHCP server. The other DHCP relay agents specify the IP address of the next DHCP relay
agent.
Step 5 Apply the DHCP relay interface configurations to the current interface.
dhcp select relay
----End
Follow-up Procedure
1. Configure a DHCP client (using a Windows XP-based PC as an example).
Set the network connection properties.
Set Internet Protocol (TCP/IP) Properties to Obtain an IP address automatically and
Obtain DNS server address automatically.
2. On each DHCP client, run the ipconfig /all command to view the configuration of the
DHCP client. Check whether the DHCP client has obtained the key configuration, including
an IP address, a default gateway, and a DNS server.
l If all key information is displayed, no action is required.
l If some PCs fail to obtain the information, such as IP addresses, troubleshoot the PC
settings and network connections. Then, go to 2.
l If some PCs obtain IP addresses but fail to obtain other network parameters, restart the
PC NIC to disable and enable the network connection. Or, run the ipconfig /release
command and the ipconfig /renew command in sequence to apply for new IP addresses
and network parameters. Then, go to 2.
Prerequisites
On a DHCP relay-based network, the IP address of the DHCP relay interface is used as a client
default gateway address.
Context
The interface IP addresses can be obtained by manual configuration (both primary and secondary
IP addresses), PPP negotiation, or DHCP. Note that these methods are mutually exclusive;
therefore, you can use only a single method.
An interface can use DHCP to obtain network parameters from a DHCP server. The parameters
include IP addresses, egress gateway addresses, static routes, IP address leases, domain name
suffixes, DNS server addresses, and WINS server addresses. WINS server addresses are
reserved, and the WINS client function is not supported currently.
The obtained domain name suffix does not take effect. If necessary, run the dns domain domain-name
command to manually create a suffix. If the device works as a DHCP client and accesses the
Internet using its domain name, run the dns resolve command to enable dynamic domain
name resolution.
If the DHCP client function is enabled on an interface, the interface cannot be added to an Eth-
Trunk interface. If an interface is added to an Eth-Trunk interface, the DHCP client function
cannot be enabled on the interface.
In the dual-uplink networking, the interworking between DHCP and IP-Link or BFD can be
configured. Traffic is switched to the standby link if the active link fails. After the faulty link is
restored, the traffic is switched back to the active link. For details, see Configuring the
Interworking Between IP-Link and DHCP and Configuring the Interworking Between
BFD and DHCP.
Procedure
Step 1 Access the system view.
system-view
NOTE
The interface can be a GE interface or its subinterface, a Vlanif interface, or an Eth-trunk interface.
The DHCP client function allows the interface to use DHCP to obtain network parameters, such
as an IP address.
NOTE
If the IP address assigned to the interface by the DHCP server resides on the same network segment as the
IP addresses of other interfaces on the device, the interface fails to apply for an IP address from the DHCP
server. To rectify this fault, manually delete the conflicting interface IP address.
The gateway-option parameter allocated by the DHCP server is not allowed on the DHCP client.
By default, the gateway-option parameter allocated by the DHCP server is allowed on the DHCP
client. The obtained egress gateway addresses are added to the FIB table. The route priority is
245.
You can run the ip route-static 0.0.0.0 0.0.0.0 nexthop-address command to manually configure
a default route and forbid the gateway-option parameter allocated by the DHCP server. If a
device has a manually configured default route and also permits the gateway-option parameter
allocated by the DHCP server, the device uses the manually configured default route, because it
has the higher priority.
Step 6 Optional: Prevent the DHCP client from using the static-route-option parameter allocated by
the DHCP server.
dhcp client forbid apply static-route-option
By default, the static-route-option parameter allocated by the DHCP server is allowed on the
DHCP client. The obtained static route is added to the FIB table.
You can run the ip route-static command to manually configure a static route and prevent the
client from using the static-route-option parameter. If a device has a static route that is manually
configured and permits the static-route-option parameter, the DHCP client has multiple routes
for load balancing.
----End
Follow-up Procedure
1. Run the display dhcp-client command to view the interface configuration. Check whether
the interface obtains the information, such as an IP address, egress gateway, and DNS
server.
l If the following message is displayed, the interface obtains the configuration, and no
action is required.
<NGFW> display dhcp-client interface GigabitEthernet 1/0/1 verbose
GigabitEthernet1/0/1 dhcp client : enable
current state : BOUND
Begin time : 2011.01.06 09:29:23
Server IP : 192.168.0.1
Client IP : 192.168.0.2
Subnet mask : 255.255.255.0
Gateway : 192.168.0.1
Static route : (10.1.1.1,192.168.0.2)
domain name : example.com
dns server : 192.168.0.1
Wins :
Bound time : 2011.01.06 09:29:30
Lease : 86400s
Renew time : 43200s
Rebind time : 75600s
l If the following message is displayed, the interface has not obtained the configuration.
Go to 2.
<NGFW> display dhcp-client interface GigabitEthernet 1/0/1 verbose
GigabitEthernet1/0/1 dhcp client : enable
current state : SELECTING
Begin time : 2011.01.06 09:45:30
Or
<NGFW> display dhcp-client interface GigabitEthernet 1/0/1 verbose
GigabitEthernet1/0/1 dhcp client : enable
2. Check the network connectivity and route configurations. Ensure that the link between the
DHCP client and server is working properly.
3. Check whether the security policy rules are correct. Add the interfaces to security zones
and enable security policy between the security zone where the DHCP relay interface
resides and the Local zone, to allow packets through.
4. Check whether the DHCP server and the DHCP relay are properly configured.
l For details on how to troubleshoot a DHCP server, see Verifying Configuration.
l For details on how to troubleshoot a DHCP relay, see the follow-up procedure in 8.4.5.2
Configuring DHCP Relay.
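A checker for the display dhcp-client verbose output shown in the follow-up procedure above, added here as an example that is not part of the guide. It parses the key : value lines, applies the decision the procedure describes (BOUND with an IP address, gateway and DNS server means no action; anything else means continue with step 2), and additionally checks that the renew and rebind timers follow the standard DHCP defaults of half and seven eighths of the lease, which the page's sample (86400s, 43200s, 75600s) satisfies. BOUND_OUTPUT is copied from the page; SELECTING_OUTPUT is constructed.

```python
from typing import Dict, List, Tuple

# Sample output copied from the page (client in the BOUND state).
BOUND_OUTPUT = """\
GigabitEthernet1/0/1 dhcp client : enable
current state : BOUND
Begin time : 2011.01.06 09:29:23
Server IP : 192.168.0.1
Client IP : 192.168.0.2
Subnet mask : 255.255.255.0
Gateway : 192.168.0.1
Static route : (10.1.1.1,192.168.0.2)
domain name : example.com
dns server : 192.168.0.1
Wins :
Bound time : 2011.01.06 09:29:30
Lease : 86400s
Renew time : 43200s
Rebind time : 75600s
"""

# Constructed output for a client still waiting for an offer.
SELECTING_OUTPUT = """\
GigabitEthernet1/0/1 dhcp client : enable
current state : SELECTING
Begin time : 2011.01.06 09:45:30
"""


def parse_dhcp_client(text: str) -> Dict[str, str]:
    """Turn each 'key : value' line into a dict entry; keys are lower-cased.
    Splitting at the first colon keeps timestamps like 09:29:23 intact."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields


def seconds(value: str) -> int:
    """'86400s' -> 86400."""
    return int(value.rstrip("s"))


# Parameters the follow-up procedure tells you to look for.
KEY_PARAMS = ("client ip", "gateway", "dns server")


def check_client(text: str) -> Tuple[str, List[str]]:
    """Return (verdict, problems). 'ok' mirrors 'no action is required'; any other
    verdict means continuing with step 2 (connectivity, routes, policy, server/relay)."""
    fields = parse_dhcp_client(text)
    problems: List[str] = []
    state = fields.get("current state", "unknown")
    if state != "BOUND":
        problems.append(f"state is {state}, not BOUND")
        return "not bound", problems
    for key in KEY_PARAMS:
        if not fields.get(key):
            problems.append(f"missing {key}")
    # T1 = lease/2 and T2 = 7/8 lease are the standard DHCP defaults (assumption
    # that the NGFW client uses them; the page's sample does).
    lease = seconds(fields.get("lease", "0s"))
    if (seconds(fields.get("renew time", "0s")) != lease // 2
            or seconds(fields.get("rebind time", "0s")) != lease * 7 // 8):
        problems.append("renew/rebind timers do not match lease")
    return ("ok" if not problems else "incomplete"), problems
```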
Table 8-66 lists the commands to display the DHCP server configuration.
Action: Display information about the IP addresses with expired leases in the DHCP address pool.
Command: display dhcp server expired { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] }
Action: Display information about the tree structure of a DHCP address pool.
Command: display dhcp server tree { all | interface [ interface-type interface-number ] | pool [ pool-name ] }
Action: Display information about the conflict addresses in the DHCP address pool.
Command: display dhcp server conflict { all | ip ip-address }
Action: Display the path at which the DHCP database is saved and file information about the database.
Command: display dhcp server database
Table 8-67 lists the commands to display the DHCP relay configuration.
Action: Display the DHCP relay interface status. (An interface is a relay interface if its DHCP message deal mode is relay.)
Command: display ip interface [ interface-type interface-number ]
Action: Display statistics about the DHCP relay.
Command: display dhcp relay statistics
Action: Display the DHCP server address that is configured for the DHCP relay interface.
Command: display dhcp relay address { all | interface interface-type interface-number }
Resetting DHCP
You can remove connections by resetting DHCP address allocation information on a DHCP
server. This function is used to delete DHCP dynamic address allocation information when new
IP addresses need to be assigned.
NOTICE
Resetting DHCP connections using the reset dhcp command interrupts the operations on the
DHCP server. Exercise caution when using this command.
Table 8-69 lists commands run in the user view to reset DHCP.
Action: Reset the address allocation information of a designated IP address.
Command: reset dhcp server ip-in-use ip ip-address
Action: Reset the address allocation information of a global address pool.
Command: reset dhcp server ip-in-use pool [ pool-name ]
Action: Reset the address allocation information of an interface address pool.
Command: reset dhcp server ip-in-use interface [ interface-type interface-number ]
Action: Reset the address allocation information of all address pools.
Command: reset dhcp server ip-in-use all
Releasing an IP Address
To prevent IP address collisions and reassign IP addresses after a PC is re-allocated or the settings
of a network device are modified, you can proactively release client IP addresses on the DHCP
server, DHCP relay agent, and DHCP clients.
Run the display dhcp server conflict command. If an IP address collision is detected, run the
following command in the user view.
Action: Release all conflicting IP addresses on the DHCP server.
Command: reset dhcp server conflict all
If the original DHCP relay interface no longer functions as a relay agent, or the clients on the
LAN change, you can run one of the following commands to forcibly release the IP addresses on
a DHCP server.
Table 8-71 DHCP relay's request for releasing a client IP address on a DHCP server
Action: Require all DHCP servers to release the client IP addresses (in the system view).
Command: dhcp relay release client-ip-address mac-address
Action: Require a designated DHCP server to release the client IP addresses (in the system view).
Command: dhcp relay release client-ip-address mac-address server-ip-address
Action: Require the DHCP server on which a specified interface resides to release the client IP addresses (in the interface view).
Command: dhcp relay release client-ip-address mac-address [ server-ip-address ]
When the configurations of the DHCP server change, you can run the following command in
the system view on a DHCP client to automatically update the lease and IP address.
NOTE
The dhcp client renew command can be successfully executed only when the interface is configured with
the DHCP client function and has obtained an IP address.
NOTE
DHCP statistics cannot be restored after you clear them, so confirm the action before you run the command.
Table 8-73 lists commands run in the user view to clear DHCP statistics.
Debugging DHCP
When a DHCP fault occurs, run the following debugging commands in the user view
to debug DHCP, view the debugging information, and locate and analyze the fault.
Before enabling the debugging, run the terminal monitor command in the user view
to enable the terminal information display, and the terminal debugging command in the user
view to enable the terminal debugging information display.
NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.
For details on the description of the debugging commands, see Debugging Reference.
Action: Enable the debugging of all DHCP relay information.
Command: debugging dhcp relay all
Action: Enable the DHCP relay error debugging.
Command: debugging dhcp relay error
Action: Enable the DHCP relay event debugging.
Command: debugging dhcp relay event
Action: Enable the DHCP relay packet debugging.
Command: debugging dhcp relay packet
Action: Enable the debugging of all DHCP client information.
Command: debugging dhcp client all
Action: Enable the DHCP client error debugging.
Command: debugging dhcp client error
Action: Enable the DHCP client event debugging.
Command: debugging dhcp client event
Action: Enable the DHCP client packet debugging.
Command: debugging dhcp client packet
Networking Requirements
The network is small: dozens of PCs and two servers are deployed on network segment
192.168.0.0/24. The NGFW shown in Figure 8-54 connects to a Layer 2 switch through
GigabitEthernet 1/0/1 and assigns IP addresses to the clients attached to this interface.
The network topology is as follows:
l Two PCs use DHCP to obtain IP addresses.
l The address lease is 10 days and 12 hours, a domain name suffix is example.com, a DNS
server address is 192.168.0.253, a WINS server address is 192.168.0.254, and an egress
gateway address is 192.168.0.1.
Figure 8-54 Networking: NGFW GE1/0/1 (192.168.0.1/24) connects to the DHCP clients and the DNS server (192.168.0.253).
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP service on the NGFW.
2. Configure DHCP client network parameters on the NGFW. The parameters include domain
name suffixes, DNS server addresses, WINS server addresses, and egress gateway
addresses.
3. Set Internet Protocol (TCP/IP) Properties to Obtain an IP address automatically and
Obtain DNS server address automatically on each DHCP client. The settings enable the
DHCP clients to automatically obtain IP addresses and other network parameters allocated
by a DHCP server.
NOTE
Correctly plan and configure important network parameters, such as the domain name suffixes, DNS server
addresses, and egress gateway addresses, for the DHCP clients on the DHCP server. The plan helps prevent
network access errors caused by incorrect DHCP client parameters.
Procedure
Step 1 Configure GigabitEthernet 1/0/1 on the NGFW.
1. Choose Network > Interface.
2. Click and set the following parameters for GE1/0/1.
Zone: trust
Mode: Route
IPv4 IP Address: 192.168.0.1/255.255.255.0
3. Click OK.
Type IPv4
Advanced
3. Click OK.
Step 3 Configure a DHCP client. The following example uses a PC running Windows XP.
1. Right-click Network Neighborhood on the desktop, and choose Attributes > Network
Connections.
2. Right-click Local Area Connection of the connected network adapter, and choose
Properties.
3. Select Internet Protocol (TCP/IP) and click Properties. The Internet Protocol (TCP/
IP) Properties window is displayed. Select Obtain an IP address automatically and
Obtain DNS server address automatically.
----End
Configuration Verification
1. Check the address lease duration list of the DHCP server to determine whether IP addresses
are assigned to PCs on the LAN.
a. Choose Network > DHCP Server > Monitor.
b. Check the client IP address assigned by the DHCP server.
2. On a PC (DHCP client), press Start > Run and enter cmd to display the DOS screen. Run
the ipconfig /all command and verify that the client has obtained the network parameters.
The parameters include an IP address, default gateway address, WINS server address, and
DNS server address.
C:\Documents and Settings\Administrator> ipconfig /all
Ethernet adapter Local Area Connection:
Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/1
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server ip-range 192.168.0.1 192.168.0.254
dhcp server gateway-list 192.168.0.1
dhcp server dns-list 192.168.0.253
dhcp server domain-name example.com
dhcp server nbns-list 192.168.0.254
dhcp server expired day 10 hour 12
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
return
Networking Requirements
As shown in Figure 8-55, an enterprise has two offices, which are connected to the NGFW using
the Layer 2 switches. To save resources, the NGFW also works as the DHCP server for the hosts
in the two offices to assign IP addresses, gateways, DNS servers, and WINS servers.
l Fixed IP addresses have been assigned to the four hosts (DNS server, WINS server, and
two hosts in the offices). The IP addresses are 10.1.1.2/25, 10.1.1.4/25, 10.1.1.126/25, and
10.1.1.254/25 respectively.
l The two hosts require higher access permissions, and apply for new fixed IP addresses
10.1.1.5/25 and 10.1.1.253/25.
l Office 1 resides on network segment 10.1.1.0/25. Its address lease is 10 days and 12 hours,
domain name suffix is example.com, DNS server address is 10.1.1.2/25, WINS server
address is 10.1.1.4/25, and egress gateway address is 10.1.1.1/25.
l Office 2 resides on network segment 10.1.1.128/25. Its address lease is 5 days, domain
name suffix is example.com, DNS server address is 10.1.1.2/25, no WINS server is
configured, and egress gateway address is 10.1.1.129/25.
Figure 8-55 Networking diagram for configuring a global address pool-based DHCP server using the Layer-3 Ethernet Interfaces
[Figure: NGFW GE1/0/1 (Trust) to a Layer 2 LAN switch on network 10.1.1.0/25 with the DNS server and Host1; NGFW GE1/0/2 (Trust) to a Layer 2 LAN switch on network 10.1.1.128/25 with a DHCP client and Host2]
Configuration Roadmap
The configuration roadmap of DHCP server is as follows:
1. Enable DHCP service.
2. Reserve the IP addresses that have been specified (such as DNS server address, WINS
server address, and two host addresses) to avoid reassigning them.
3. Dynamically allocate IP addresses and other network parameters.
On the network, the NGFW connects to clients using a Layer 2 switch and multiple
interfaces; therefore, you are advised to assign IP addresses based on global address pools.
To simplify the configuration, you can employ three address pools. Address pool 0 (network
segment 10.1.1.0/24) specifies the common attributes of all clients (such as their domain
name suffix and DNS server). Address pool 1 (network segment 10.1.1.0/25) and address
pool 2 (network segment 10.1.1.128/25) specify the unique attributes of each network
segment (such as their address ranges, address lease, gateway addresses, and WINS
servers).
NOTE
You can also employ two address pools, pool 1 and pool 2. The two address pools cannot inherit the
configurations of their parent node; therefore, their unique attributes must be configured separately.
4. To meet the requirement of the hosts for using fixed IP addresses, allocate IP addresses
statically and configure other network parameters.
Create two global address pools 3 and 4, each of which has one IP address (10.1.1.5/25 and
10.1.1.253/25 respectively) for static address allocation. Address pool 3 inherits the
common attributes of address pool 0 and address pool 1. Address pool 4 inherits common
attributes of address 0 and address 2. No other network parameter needs to be configured
for address pools 3 and 4.
5. Set Internet Protocol (TCP/IP) Properties to Obtain an IP address automatically and
Obtain DNS server address automatically on each DHCP client, enabling the DHCP
clients to automatically obtain IP addresses and other network parameters allocated by the
DHCP server.
NOTE
It is recommended to centrally plan and configure important network parameters, such as domain name suffix,
DNS server, and egress gateway, for the DHCP clients on the DHCP server, to avoid network access errors
caused by incorrect configurations of the DHCP client network parameters.
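The address-pool tree described in roadmap items 3 and 4 can be modelled to check which parameters each pool actually hands out once inheritance is applied. The following is an added example, not Huawei code: pool names, networks, reserved addresses and MAC addresses are the ones used in this section, while the parent-selection rule (the most specific containing network becomes the parent) and the attribute names are assumptions of the model.

```python
"""Hierarchical (global) DHCP address pools with attribute inheritance.

Added example, not Huawei code. Pool names, networks, reserved addresses and
MAC addresses are taken from this section; the parent-selection rule and the
attribute names are assumptions of this model.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass
class Pool:
    name: str
    network: Optional[Net] = None        # dynamic pool: "network ... mask ..."
    static_ip: Optional[IPv4] = None     # static pool: "static-bind ip-address ..."
    static_mac: Optional[str] = None     # static pool: "static-bind mac-address ..."
    attrs: Dict[str, str] = field(default_factory=dict)
    parent: Optional["Pool"] = None

    def covers(self, ip: IPv4) -> bool:
        return self.network is not None and ip in self.network


class PoolTree:
    def __init__(self) -> None:
        self.pools: List[Pool] = []
        self.forbidden: Set[IPv4] = set()   # "dhcp server forbidden-ip"
        self.leases: Dict[IPv4, str] = {}   # address -> client MAC

    def forbid(self, ip: str) -> None:
        self.forbidden.add(IPv4(ip))

    def add(self, pool: Pool) -> Pool:
        # Assumption: the parent is the most specific existing dynamic pool whose
        # network contains the new pool's network (or its static address).
        anchor = pool.static_ip if pool.static_ip else pool.network.network_address
        containing = [p for p in self.pools if p.covers(anchor)]
        if containing:
            pool.parent = max(containing, key=lambda p: p.network.prefixlen)
        if pool.static_ip is not None:
            pool.attrs["expired"] = "unlimited"   # static bindings never expire
        self.pools.append(pool)
        return pool

    def effective(self, pool: Pool) -> Dict[str, str]:
        # Walk up to the root pool, then let each child override its parent.
        chain: List[Pool] = []
        while pool is not None:
            chain.append(pool)
            pool = pool.parent
        merged = {"expired": "day 1 hour 0"}      # device default lease (1 day)
        for p in reversed(chain):
            merged.update(p.attrs)
        return merged

    def select(self, ingress_ip: str, mac: str) -> Optional[Pool]:
        # A MAC with a static binding always gets its bound pool; any other client
        # gets the most specific dynamic pool containing the ingress interface address.
        for p in self.pools:
            if p.static_mac == mac:
                return p
        gw = IPv4(ingress_ip)
        dynamic = [p for p in self.pools if p.covers(gw)]
        return max(dynamic, key=lambda p: p.network.prefixlen) if dynamic else None

    def allocate(self, pool: Pool, mac: str) -> IPv4:
        if pool.static_ip is not None:
            self.leases[pool.static_ip] = mac
            return pool.static_ip
        # Never hand out reserved addresses, the pool's gateway, or addresses
        # that are statically bound to another client.
        reserved = set(self.forbidden)
        reserved |= {IPv4(a) for a in self.effective(pool).get("gateway-list", "").split()}
        reserved |= {p.static_ip for p in self.pools if p.static_ip is not None}
        for ip in pool.network.hosts():
            if ip not in reserved and ip not in self.leases:
                self.leases[ip] = mac
                return ip
        raise RuntimeError("pool %s has no free address" % pool.name)


def build_section_pools() -> PoolTree:
    """The five pools and four reserved addresses configured in this section."""
    t = PoolTree()
    for ip in ("10.1.1.2", "10.1.1.4", "10.1.1.126", "10.1.1.254"):
        t.forbid(ip)
    t.add(Pool("0", Net("10.1.1.0/24"),
               attrs={"dns-list": "10.1.1.2", "domain-name": "example.com"}))
    t.add(Pool("1", Net("10.1.1.0/25"),
               attrs={"gateway-list": "10.1.1.1", "expired": "day 10 hour 12"}))
    t.add(Pool("2", Net("10.1.1.128/25"),
               attrs={"gateway-list": "10.1.1.129", "nbns-list": "10.1.1.4",
                      "expired": "day 5"}))
    t.add(Pool("3", static_ip=IPv4("10.1.1.5"), static_mac="0021-97cf-2238"))
    t.add(Pool("4", static_ip=IPv4("10.1.1.253"), static_mac="00e0-4c86-58eb"))
    return t


if __name__ == "__main__":
    tree = build_section_pools()
    for p in tree.pools:
        print("pool", p.name, "parent", p.parent.name if p.parent else "-", tree.effective(p))
    pool = tree.select("10.1.1.1", "0efc-0505-86e3")   # constructed client MAC
    print("office 1 client gets", tree.allocate(pool, "0efc-0505-86e3"))
```

Running the model reproduces the shape of the display dhcp server tree output later in this section: pool 3 inherits the gateway of pool 1 and the DNS server and domain name of pool 0 while its own lease is unlimited, and the first dynamic client on each office segment receives 10.1.1.3 and 10.1.1.130 because the gateway, reserved and statically bound addresses are skipped.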
Procedure
Step 1 Enable DHCP service.
<NGFW> system-view
[NGFW] dhcp enable
Step 2 Reserve IP addresses, including addresses of the DNS server, the WINS server, Host1, and
Host2.
[NGFW] dhcp server forbidden-ip 10.1.1.2
[NGFW] dhcp server forbidden-ip 10.1.1.4
[NGFW] dhcp server forbidden-ip 10.1.1.126
[NGFW] dhcp server forbidden-ip 10.1.1.254
Step 3 Configure the global address pool attributes of the DHCP server.
# In address pool 0, specify the IP address range of DHCP address pool 0, and configure common
attributes (domain name suffix and DNS server address) for address pools 0, 1, and 2.
# Configure the attributes of address pool 1 (the IP address range of the address pool, the egress
gateway, and the address lease).
[NGFW] dhcp server ip-pool 1
[NGFW-dhcp-1] network 10.1.1.0 mask 255.255.255.128
[NGFW-dhcp-1] gateway-list 10.1.1.1
[NGFW-dhcp-1] expired day 10 hour 12
[NGFW-dhcp-1] quit
# Configure the attributes of address pool 2 (the IP address range of the address pool, the egress
gateway, the WINS server address, and the address lease).
[NGFW] dhcp server ip-pool 2
[NGFW-dhcp-2] network 10.1.1.128 mask 255.255.255.128
[NGFW-dhcp-2] nbns-list 10.1.1.4
[NGFW-dhcp-2] gateway-list 10.1.1.129
[NGFW-dhcp-2] expired day 5
[NGFW-dhcp-2] quit
# Configure the attributes of address pool 3, and perform IP-MAC address binding in the address
pool.
[NGFW] dhcp server ip-pool 3
[NGFW-dhcp-3] static-bind ip-address 10.1.1.5 mask 255.255.255.128
[NGFW-dhcp-3] static-bind mac-address 0021-97cf-2238
[NGFW-dhcp-3] quit
# Configure the attributes of address pool 4, and perform IP-MAC address binding in the address
pool.
[NGFW] dhcp server ip-pool 4
[NGFW-dhcp-4] static-bind ip-address 10.1.1.253 mask 255.255.255.128
[NGFW-dhcp-4] static-bind mac-address 00e0-4c86-58eb
[NGFW-dhcp-4] quit
Step 4 Specify the interface IP address, and configure the clients under the interface to obtain IP
addresses from global address pools.
# Configure the clients under interface GigabitEthernet 1/0/1 to obtain IP addresses from global
address pools.
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 10.1.1.1 255.255.255.128
[NGFW-GigabitEthernet1/0/1] dhcp select global
[NGFW-GigabitEthernet1/0/1] quit
# Configure the clients under interface GigabitEthernet 1/0/2 to obtain IP addresses from global
address pools.
[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] ip address 10.1.1.129 255.255.255.128
[NGFW-GigabitEthernet1/0/2] dhcp select global
[NGFW-GigabitEthernet1/0/2] quit
Step 5 Add interfaces to corresponding security zones and configure the security policy.
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW-zone-trust] add interface GigabitEthernet 1/0/2
[NGFW-zone-trust] quit
[NGFW] security-policy
[NGFW-policy-security] rule name sec_policy
[NGFW-policy-security-rule-sec_policy] source-zone trust
[NGFW-policy-security-rule-sec_policy] source-zone local
[NGFW-policy-security-rule-sec_policy] destination-zone local
[NGFW-policy-security-rule-sec_policy] destination-zone trust
[NGFW-policy-security-rule-sec_policy] action permit
----End
Configuration Verification
1. On any PC on the two network segments where office 1 and office 2 reside, run the cmd
command to enter the DOS environment. Run the ipconfig /all command to verify whether
the client has obtained the network parameters, such as an IP address, default gateway
address, WINS server address, and DNS server address. If the configuration is correct,
Host1 and Host2 are assigned their fixed IP addresses.
NOTE
If the information obtained by the DHCP client is incomplete (for example, only the IP address is
obtained but other network parameters are not), run the ipconfig /release command to release the
dynamically assigned IP address, and then run the ipconfig /renew command to apply for a new IP address and
other network parameters.
C:\Documents and Settings\Administrator> ipconfig /all
Windows IP Configuration
2. On the DHCP server NGFW, run the display dhcp server tree command to view the tree
structure of the DHCP address pool, including the information about the DNS server
address, egress gateway address, and address lease.
[NGFW] display dhcp server tree all
Global pool:
Pool name: 0
Child node:1
dns-list 10.1.1.2(S)
domain-name example.com
expired day 1 hour 0 minute 0
network 10.1.1.0 mask 255.255.255.0
Pool name: 1
Parent node:0
Child node:3
Sibling node:2
gateway-list 10.1.1.1
dns-list 10.1.1.2(S)
domain-name example.com
expired day 10 hour 12 minute 0
network 10.1.1.0 mask 255.255.255.128
Pool name: 3
Parent node:1
gateway-list 10.1.1.1
dns-list 10.1.1.2(S)
domain-name example.com
expired unlimited
static-bind ip-address 10.1.1.5 mask 255.255.255.128
static-bind mac-address 0021-97cf-2238
Pool name: 2
Parent node:0
Child node:4
PrevSibling node:1
gateway-list 10.1.1.129
dns-list 10.1.1.2(S)
domain-name example.com
nbns-list 10.1.1.4
expired day 5 hour 0 minute 0
network 10.1.1.128 mask 255.255.255.128
Pool name: 4
Parent node:2
gateway-list 10.1.1.129
dns-list 10.1.1.2(S)
domain-name example.com
nbns-list 10.1.1.4
expired unlimited
static-bind ip-address 10.1.1.253 mask 255.255.255.128
static-bind mac-address 00e0-4c86-58eb
3. On the DHCP server NGFW, run the display dhcp server statistics command to view the
statistics information.
[NGFW] display dhcp server statistics
Global Pool:
Pool Number: 5
Binding
Auto: 2
Manual: 2
Expire: 0
Interface Pool:
Pool Number: 0
Binding
Auto: 0
Manual: 0
Expire: 0
Boot Request: 46
Dhcp Discover: 16
Dhcp Request: 22
Dhcp Decline: 0
Dhcp Release: 0
Dhcp Inform: 8
Boot Reply: 32
Dhcp Offer: 8
Dhcp Ack: 22
Dhcp Nak: 2
Bad Messages: 0
HA Message:
BatchBackup send msg: 0
BatchBackup recv msg: 0
BatchBackup send lease: 0
BatchBackup recv lease: 0
4. On the DHCP server NGFW, run the display dhcp server ip-in-use command to verify
whether the correct IP address is specified.
[NGFW] display dhcp server ip-in-use all
Global pool:
IP address Hardware address Lease expiration Type
10.1.1.5 0021-97cf-2238 Unlimited Manual
10.1.1.253 00e0-4c86-58eb Unlimited Manual
10.1.1.130 0efc-0505-86e3 Jan 20 2011 15:56:25 PM Auto:COMMITED
10.1.1.3 001B-B97A-7D61 Jan 26 2011 03:56:34 AM Auto:COMMITED
5. On the DHCP server NGFW, run the display dhcp server conflict command to check for
conflicting IP addresses.
[NGFW] display dhcp server conflict all
Info:No ip conflicted!
Configuration Scripts
Configuration scripts of NGFW
#
sysname NGFW
#
dhcp server forbidden-ip 10.1.1.2
dhcp server forbidden-ip 10.1.1.4
dhcp server forbidden-ip 10.1.1.126
dhcp server forbidden-ip 10.1.1.254
#
dhcp server ip-pool 0
network 10.1.1.0 mask 255.255.255.0
dns-list 10.1.1.2
domain-name example.com
#
dhcp server ip-pool 1
network 10.1.1.0 mask 255.255.255.128
gateway-list 10.1.1.1
expired day 10 hour 12
#
dhcp server ip-pool 2
network 10.1.1.128 mask 255.255.255.128
gateway-list 10.1.1.129
nbns-list 10.1.1.4
expired day 5
#
dhcp server ip-pool 3
static-bind ip-address 10.1.1.5 mask 255.255.255.128
static-bind mac-address 0000-e03f-0305
#
dhcp server ip-pool 4
static-bind ip-address 10.1.1.253 mask 255.255.255.128
static-bind mac-address 00e0-4c86-58eb
#
interface GigabitEthernet1/0/1
ip address 10.1.1.1 255.255.255.128
#
interface GigabitEthernet1/0/2
ip address 10.1.1.129 255.255.255.128
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
security-policy
NOTE
By default, the DHCP service is enabled and IP addresses are assigned from global address pools (in
global mode); therefore, the dhcp enable command and the dhcp select global command are not mentioned
in this configuration script.
Networking Requirements
An enterprise divides its departments into different VLANs using a Layer 2
switch. To save resources, the NGFW works as the DHCP server that specifies network parameters
for all hosts on the VLANs, including allocating IP addresses and configuring domain names, DNS
server addresses, WINS server addresses, and egress gateway addresses.
As shown in Figure 8-56, the NGFW connects to the Layer 2 switch using interface
GigabitEthernet 1/0/1, and divides interface GigabitEthernet 1/0/1 into two subinterfaces that
connect to VLAN 10 and VLAN 20 respectively.
NOTE
To focus on how to assign IP addresses to DHCP clients on VLANs using subinterfaces, this section
highlights a part of the network.
l Two servers are specified with fixed IP addresses: 10.1.2.2/24 and 10.1.1.4/24.
l For hosts on VLAN 10, their address lease is 10 days and 12 hours, domain name is
example.com, DNS server address is 10.1.2.2/24, WINS server address is 10.1.1.4/24, and
egress gateway address is 10.1.1.1/24.
l For hosts on VLAN 20, their address lease is 5 days, domain name is example.com, DNS
server address is 10.1.2.2/24, no WINS server is configured, and egress gateway address
is 10.1.2.1/24.
Figure 8-56 Networking diagram for configuring a global address pool-based DHCP server using subinterfaces
[Figure: NGFW subinterfaces GE1/0/1.1 (Trust, VLAN10) and GE1/0/1.2 (Trust, VLAN20) to a Layer 2 LAN switch; VLAN 10 contains the WINS server 10.1.1.4/24 and a DHCP client; VLAN 20 contains the DNS server 10.1.2.2/24 and a DHCP client]
Configuration Roadmap
The configuration roadmap is as follows:
1. To assign IP addresses and specify network parameters for DHCP clients on VLANs using
subinterfaces, you need to configure the following items on the DHCP server.
d. Associate two subinterfaces to VLAN 10 and VLAN 20. Enable global address pools
for the two subinterfaces.
2. Set the switch interface connected to the NGFW as a Trunk interface. Add the switch
interfaces connected to PCs to the related VLANs in default mode. (The configuration
procedure is not described here.)
3. Set Internet Protocol (TCP/IP) Properties to Obtain an IP address automatically and
Obtain DNS server address automatically on each DHCP client, enabling the DHCP
clients to automatically obtain IP addresses and other network parameters allocated by the
DHCP server.
NOTE
It is recommended to centrally plan and configure important network parameters, such as domain name
suffix, DNS server, and egress gateway, for the DHCP clients on the DHCP server, to avoid network access
errors caused by incorrect configurations of the DHCP client network parameters.
Procedure
Step 1 Enable DHCP service.
<NGFW> system-view
[NGFW] dhcp enable
Step 2 Reserve IP addresses (including DNS server addresses and WINS server addresses).
[NGFW] dhcp server forbidden-ip 10.1.2.2
[NGFW] dhcp server forbidden-ip 10.1.1.4
Step 3 Configure the global address pool attributes of the DHCP server.
# In address pool 0, specify the IP address range of DHCP address pool 0, and configure common
attributes (domain name suffix and DNS server address) for address pools 0 and 1.
[NGFW] dhcp server ip-pool 0
[NGFW-dhcp-0] network 10.1.0.0 mask 255.255.0.0
[NGFW-dhcp-0] domain-name example.com
[NGFW-dhcp-0] dns-list 10.1.2.2
[NGFW-dhcp-0] quit
# Configure the attributes of DHCP address pool 1 (the IP address range of the address pool, the
egress gateway, the WINS server address, and the address lease).
[NGFW] dhcp server ip-pool 1
[NGFW-dhcp-1] network 10.1.1.0 mask 255.255.255.0
[NGFW-dhcp-1] gateway-list 10.1.1.1
[NGFW-dhcp-1] nbns-list 10.1.1.4
[NGFW-dhcp-1] expired day 10 hour 12
[NGFW-dhcp-1] quit
# Configure the attributes of DHCP address pool 2 (the IP address range of the address pool, the
egress gateway, the WINS server address, and the address lease).
[NGFW] dhcp server ip-pool 2
[NGFW-dhcp-2] network 10.1.2.0 mask 255.255.255.0
[NGFW-dhcp-2] gateway-list 10.1.2.1
[NGFW-dhcp-2] expired day 5
[NGFW-dhcp-2] quit
Step 4 Configure subinterfaces, and assign IP addresses and specify network parameters to clients in
VLANs.
# Configure subinterface GigabitEthernet 1/0/1.1, and assign IP addresses and specify network
parameters to clients on VLAN 10.
# Configure subinterface GigabitEthernet 1/0/1.2, and assign IP addresses and specify network
parameters to clients on VLAN 20.
[NGFW] interface GigabitEthernet 1/0/1.2
[NGFW-GigabitEthernet1/0/1.2] vlan-type dot1q 20
[NGFW-GigabitEthernet1/0/1.2] ip address 10.1.2.1 255.255.255.0
[NGFW-GigabitEthernet1/0/1.2] dhcp select global
[NGFW-GigabitEthernet1/0/1.2] quit
Step 5 Add interfaces to corresponding security zones and configure the security policy.
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/1.1
[NGFW-zone-trust] add interface GigabitEthernet 1/0/1.2
[NGFW-zone-trust] quit
[NGFW] security-policy
[NGFW-policy-security] rule name sec_policy
[NGFW-policy-security-rule-sec_policy] source-zone trust
[NGFW-policy-security-rule-sec_policy] source-zone local
[NGFW-policy-security-rule-sec_policy] destination-zone local
[NGFW-policy-security-rule-sec_policy] destination-zone trust
[NGFW-policy-security-rule-sec_policy] action permit
----End
Configuration Verification
1. On any PC on a VLAN, run the cmd command to enter the DOS environment. Run the
ipconfig /all to verify whether the client has obtained the network parameters, such as an
IP address, default gateway address, WINS server address, and DNS server address.
NOTE
If the information obtained by the DHCP client is incomplete (for example, only the IP address is
obtained but other network parameters are not), run the ipconfig /release command to release the
dynamically assigned IP address, and then run the ipconfig /renew command to apply for a new IP address and
other network parameters.
C:\Documents and Settings\Administrator> ipconfig /all
Windows IP Configuration
2. On the DHCP server NGFW, run the display dhcp server tree command to view the tree
structure of the DHCP address pool, including the information about the DNS server
address, egress gateway address, and address lease.
[NGFW] display dhcp server tree all
Global pool:
Pool name: 0
Child node:1
dns-list 10.1.2.2(S)
domain-name example.com
expired day 1 hour 0 minute 0
network 10.1.0.0 mask 255.255.0.0
Pool name: 1
Parent node:0
Sibling node:2
gateway-list 10.1.1.1
dns-list 10.1.2.2(S)
domain-name example.com
nbns-list 10.1.1.4
expired day 10 hour 12 minute 0
network 10.1.1.0 mask 255.255.255.0
Pool name: 2
Parent node:0
PrevSibling node:1
gateway-list 10.1.2.1
dns-list 10.1.2.2(S)
domain-name example.com
expired day 5 hour 0 minute 0
network 10.1.2.0 mask 255.255.255.0
3. On the DHCP server NGFW, run the display dhcp server statistics command to view the
statistics information.
[NGFW] display dhcp server statistics
Global Pool:
Pool Number: 3
Binding
Auto: 2
Manual: 0
Expire: 0
Interface Pool:
Pool Number: 0
Binding
Auto: 0
Manual: 0
Expire: 0
Boot Request: 131
Dhcp Discover: 125
Dhcp Request: 5
Dhcp Decline: 0
Dhcp Release: 1
Dhcp Inform: 0
Boot Reply: 38
Dhcp Offer: 33
Dhcp Ack: 5
Dhcp Nak: 0
Bad Messages: 0
HA Message:
BatchBackup send msg: 0
BatchBackup recv msg: 0
BatchBackup send lease: 0
BatchBackup recv lease: 0
4. On the DHCP server NGFW, run the display dhcp server ip-in-use command to verify
whether the correct IP address is specified.
[NGFW] display dhcp server ip-in-use all
Global pool:
IP address Hardware address Lease expiration Type
10.1.2.5 0efc-0505-86e3 Jan 20 2011 15:00:05 PM Auto:COMMITED
10.1.1.3 001B-B97A-7D61 Jan 21 2011 03:00:34 AM Auto:COMMITED
5. On the DHCP server NGFW, run the display dhcp server conflict command to check for
conflicting IP addresses.
[NGFW] display dhcp server conflict all
Info:No ip conflicted!
Configuration Scripts
Configuration scripts of NGFW:
#
sysname NGFW
#
dhcp server forbidden-ip 10.1.2.2
dhcp server forbidden-ip 10.1.1.4
#
dhcp server ip-pool 0
network 10.1.0.0 mask 255.255.0.0
dns-list 10.1.2.2
domain-name example.com
#
dhcp server ip-pool 1
network 10.1.1.0 mask 255.255.255.0
gateway-list 10.1.1.1
nbns-list 10.1.1.4
expired day 10 hour 12
#
dhcp server ip-pool 2
network 10.1.2.0 mask 255.255.255.0
gateway-list 10.1.2.1
expired day 5
#
interface GigabitEthernet1/0/1.1
vlan-type dot1q 10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1.2
vlan-type dot1q 20
ip address 10.1.2.1 255.255.255.0
#
firewall zone local
security-policy
Networking Requirements
The IP address plan of a department on the network shown in Figure 8-57 is as follows:
A DHCP relay agent needs to be deployed on the same network segment as a DHCP client to
connect the DHCP client and server across network segments. DHCP relay enables the DHCP
client to request the DHCP server for configurations, such as the IP address and DNS server
address.
[Figure 8-57: FTP server, MAC address 0021-97cf-2238]
Configuration Roadmap
The configuration roadmap is as follows:
1. To enable the DHCP server to assign network parameters, including an IP address, to the
DHCP client across different network segments, configure an available IP address range
(includes the DHCP relay interface address) on NGFW_B and specify DHCP client
parameters, such as an egress gateway, a domain name suffix, and a DNS server address.
a. Enable DHCP.
b. Configure dynamic IP address allocation and other network parameters assigned to
the DHCP client.
c. Configure static IP address allocation and other network parameters assigned to the
FTP server.
d. Configure a route between the DHCP server and the relay interface.
2. Enable the DHCP relay function on NGFW_A to enable communication between the
DHCP client and server across different network segments:
a. Enable DHCP.
b. Specify a DHCP server IP address on the relay interface.
3. Set Internet Protocol (TCP/IP) Properties to Obtain an IP address automatically and
Obtain DNS server address automatically on the DHCP client, which enables the DHCP
client to automatically obtain the IP address and other network parameters allocated by the
DHCP server.
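The split of roles in the roadmap above (NGFW_A relays, NGFW_B serves, and NGFW_B needs a route back to the relay interface) can be exercised offline. The following is an added example, not Huawei code: the interface addresses, the relay target 10.1.1.2 and the FTP server's fixed address and MAC address are the ones used in this section; the message fields follow RFC 2131 (giaddr, hops); the route check, the hop limit, the DNS option value and the next hop of the static route are assumptions of the model.

```python
"""DHCP relay between a client segment and a DHCP server on another segment.

Added example, not Huawei code. Addresses and the FTP server binding are from
this section; the route check, hop limit and option values are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class DhcpMessage:
    op: str                       # DISCOVER, OFFER, ...
    chaddr: str                   # client hardware (MAC) address
    giaddr: str = "0.0.0.0"       # relay agent address; 0.0.0.0 when not relayed
    hops: int = 0
    yiaddr: str = "0.0.0.0"       # address the server assigns
    options: Dict[str, str] = field(default_factory=dict)


class RelayAgent:
    """NGFW_A: 'dhcp select relay' and 'ip relay address <server>' on GE1/0/1."""

    MAX_HOPS = 4   # assumption: drop messages relayed too often (RFC 1542 default)

    def __init__(self, interface_ip: str, server_ip: str) -> None:
        self.interface_ip = interface_ip
        self.server_ip = server_ip

    def to_server(self, msg: DhcpMessage) -> Optional[Tuple[str, DhcpMessage]]:
        if msg.hops >= self.MAX_HOPS:
            return None
        if msg.giaddr == "0.0.0.0":          # the first relay stamps its own address
            msg.giaddr = self.interface_ip
        msg.hops += 1
        return self.server_ip, msg           # unicast to the configured server

    def to_client(self, reply: DhcpMessage) -> Optional[DhcpMessage]:
        # Only replies addressed to this relay's giaddr belong on its client segment.
        return reply if reply.giaddr == self.interface_ip else None


class DhcpServer:
    """NGFW_B: pool chosen by giaddr, answered only if a route back exists."""

    def __init__(self, routes: List[str]) -> None:
        self.routes = [ipaddress.ip_network(r) for r in routes]
        self.pools: Dict[ipaddress.IPv4Network, Dict[str, str]] = {}
        self.static: Dict[str, str] = {}      # MAC -> fixed address
        self.leases: Dict[str, str] = {}      # address -> MAC

    def add_pool(self, network: str, **options: str) -> None:
        self.pools[ipaddress.ip_network(network)] = options

    def static_bind(self, mac: str, ip: str) -> None:
        self.static[mac] = ip

    def handle(self, msg: DhcpMessage) -> Optional[DhcpMessage]:
        if msg.op != "DISCOVER" or msg.giaddr == "0.0.0.0":
            return None                       # direct (non-relayed) clients not modelled
        gi = ipaddress.ip_address(msg.giaddr)
        if not any(gi in r for r in self.routes):
            return None                       # roadmap item 1d: no route back to the relay
        network = next((n for n in self.pools if gi in n), None)
        if network is None:
            return None                       # no pool contains the relay interface address
        opts = self.pools[network]
        ip = self.static.get(msg.chaddr) or self._next_free(network, gi, opts)
        self.leases[ip] = msg.chaddr
        return DhcpMessage("OFFER", msg.chaddr, msg.giaddr, msg.hops, ip, dict(opts))

    def _next_free(self, network, gi, opts) -> str:
        taken = {str(gi), opts.get("gateway", ""), *self.static.values(), *self.leases}
        for host in network.hosts():
            if str(host) not in taken:
                return str(host)
        raise RuntimeError("pool exhausted")


def build_section_topology() -> Tuple[RelayAgent, DhcpServer]:
    relay = RelayAgent(interface_ip="192.168.20.1", server_ip="10.1.1.2")
    # NGFW_B sits on 10.1.1.0/24 and has a static route to 192.168.20.0/24
    # (next hop NGFW_A's 10.1.1.1 is an assumption of this model).
    server = DhcpServer(routes=["10.1.1.0/24", "192.168.20.0/24"])
    server.add_pool("192.168.20.0/24", gateway="192.168.20.1",
                    dns="192.0.2.53", domain="example.com")   # dns: constructed value
    server.static_bind("0021-97cf-2238", "192.168.20.254")    # FTP server
    return relay, server


def run_exchange(relay: RelayAgent, server: DhcpServer, mac: str) -> Optional[DhcpMessage]:
    """DISCOVER from a client on 192.168.20.0/24, OFFER back through the relay."""
    forwarded = relay.to_server(DhcpMessage("DISCOVER", mac))
    if forwarded is None:
        return None
    reply = server.handle(forwarded[1])
    return relay.to_client(reply) if reply else None
```

The route check in handle is the point of roadmap item 1d: a server without a route to 192.168.20.0/24 has no way to deliver the OFFER to giaddr, so the same DISCOVER silently goes unanswered.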
Procedure
Step 1 Configure GigabitEthernet 1/0/1 on NGFW_A.
1. Choose Network > Interface.
Zone: trust
Mode: Route
IPv4
IP Address: 192.168.20.1/255.255.255.0
3. Click OK.
Zone: dmz
Mode: Route
IPv4
IP Address: 10.1.1.1/255.255.255.0
3. Click OK.
Zone: dmz
Mode: Route
IPv4
IP Address: 10.1.1.2/255.255.255.0
3. Click OK.
Step 4 Configure DHCP server NGFW_B to dynamically assign an IP address and other network
parameters to the DHCP client.
1. Choose Network > DHCP Server > Settings.
2. Click Add and set the following parameters.
Type IPv4
Advanced
3. Click OK.
Step 5 On NGFW_B, configure a reachable static route between the DHCP server and relay interface.
NOTE
The IP address of the DHCP relay interface and the IP address of the DHCP server reside on different
network segments. Configure the DHCP server with a static route to the DHCP relay interface or enable a
dynamic routing protocol.
1. Choose Router > Static > Static Route.
2. Click Add in Static Route List. Then set the following parameters.
Mask 255.255.255.0
3. Click OK.
Type IPv4
3. Click Apply.
2. Right-click Local Area Connection of the connected network adapter, and choose
Properties.
3. Select Internet Protocol (TCP/IP) and click Properties. The Internet Protocol (TCP/
IP) Properties window is displayed. Select Obtain an IP address automatically and
Obtain DNS server address automatically.
----End
Configuration Verification
1. On any PC in the department, press Start > Run and enter cmd to display the DOS screen.
Run the ipconfig /all command to view the network parameters obtained by the client, such
as an IP address, a default gateway address, a WINS server address, and a DNS server
address. Also, verify that the FTP server has obtained a fixed IP address 192.168.20.254.
NOTE
If the DHCP client obtains incomplete information (for example, only the IP address is obtained),
run the ipconfig /release command to release the dynamically assigned IP address, and run the ipconfig /renew
command to apply for a new IP address and other network parameters.
C:\Documents and Settings\Administrator> ipconfig /all
Ethernet adapter Local Area Connection:
2. Check the address lease duration list of the DHCP server to determine whether the DHCP
server assigns IP addresses to the PC and FTP server on the LAN.
a. Choose Network > DHCP Server > Monitor.
b. Verify the client IP address assigned by the DHCP server.
Configuration Scripts
Configuration script for NGFW_A:
#
sysname NGFW_A
#
interface GigabitEthernet1/0/1
ip address 192.168.20.1 255.255.255.0
ip relay address 10.1.1.2
dhcp select relay
#
interface GigabitEthernet1/0/2
ip address 10.1.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
return
8.4.7.1 Specifications
This section provides DHCP specifications.
The specifications of the DHCP service are as follows:
l Number of DHCP dynamic address leases supported by the entire system: 15000
l Number of DHCP static address leases supported by the entire system: 5000
8.5 DHCPv6
This section describes Dynamic Host Configuration Protocol version 6 (DHCPv6) concepts and
how to configure DHCPv6, as well as provides configuration examples.
8.5.1 Overview
Dynamic Host Configuration Protocol for IPv6 (DHCPv6) applies to IPv6 networks to
dynamically assign information, such as IPv6 addresses/prefixes to clients.
Definition
DHCPv6, designed on the basis of the dynamic addressing scheme on IPv6 networks, assigns
IPv6 addresses/prefixes and other network configuration to clients.
Objective
DHCPv6 simplifies the settings of IPv6 addresses/prefixes and minimizes errors caused by
manual IPv6 address setting. With DHCPv6, network administrators can manage the IPv6
addresses/prefixes and other configuration in a centralized way.
8.5.2 Mechanism
This section describes the mechanism of Dynamic Host Configuration Protocol version 6
(DHCPv6).
Overview
Designed based on the dynamic addressing scheme on an IPv6 network, DHCPv6 provides
clients with network configuration information, including IPv6 addresses and prefixes.
Methods in which a client can obtain an IPv6 address/prefix and other configuration
information
A client can obtain an IPv6 address/prefix and other configuration information using one of the
following methods:
l Manual configuration: A user statically configures an IPv6 address/prefix and other
configuration information.
l Stateless autoconfiguration: The client uses the Neighbor Discovery (ND) protocol to
obtain an IPv6 address/prefix and other configuration information from adjacent routers.
l DHCPv6-PD: The server functions as a delegating router (DR), and the client functions as
a requesting router (RR). The DR assigns prefixes and other configuration information to
the RR. The RR saves the prefixes in a local prefix pool and allocates them to other clients.
l Stateful DHCPv6: The client obtains an IPv6 address/prefix and other configuration
information from a DHCPv6 server.
l Stateless DHCPv6: The client uses stateless autoconfiguration to obtain an IPv6 prefix and
a hop limit and runs DHCPv6 to obtain other configuration information, such as the IP
address of a DNS server.
DHCPv6-PD, stateful DHCPv6, and stateless DHCPv6 are DHCPv6 applications.
DHCPv6 outperforms manual configuration and stateless autoconfiguration in terms of the
following:
l Network resource management
– A DHCPv6 server maintains IPv6 addresses/prefixes and renews their leases.
– A DHCPv6 server assigns other configuration information, such as the IP addresses of
the DNS server and SIP server to the client.
l IP address assignment control
In the DHCPv6-PD scenario, the DHCPv6 server assigns some of prefixes to a client, and
the client segments and assigns prefixes to other clients. This facilitates network
autoconfiguration and management. You can assign a fixed prefix to a client.
DHCPv6 communication modes
DHCPv6 uses the client/server (C/S) communication mode. A client applies for configurations
from a server. The server then replies to the client with configuration information, such as an
IPv6 address. DHCPv6 dynamically configures parameters, such as the IPv6 address and prefix,
for the client.
The client and server exchange DHCPv6 messages using UDP ports 546 and 547. The client
receives DHCPv6 messages using UDP port 546, and the server and relay agent receive DHCPv6
messages using UDP port 547.
DUID
A DHCP unique identifier (DUID) uniquely identifies a client or server. The server uses a client
DUID to assign a local address.
A DUID is generated using one of the following methods:
l Manual configuration: A user manually sets a DUID.
l DUID based on Link-layer Address Plus Time (DUID-LLT): The DUID is generated based
on a link-layer address and a time value.
l DUID Assigned by Vendor Based on Enterprise Number (DUID-EN): The DUID is
generated based on an enterprise number registered in IANA.
l DUID Based on Link-layer Address (DUID-LL): The DUID is generated based on a link-
layer address.
An NGFW uses DUID-LL to generate a DUID.
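The three generated DUID formats listed above have fixed wire layouts, which is what makes a DUID comparable between a client and a server. The following is an added example, not Huawei code: the layouts are those of RFC 3315 section 9 (DUID-LLT type 1, DUID-EN type 2, DUID-LL type 3); the MAC address is one used elsewhere in this chapter, and the enterprise number 32473 is the value IANA reserves for documentation, not a real vendor's number.

```python
"""Encoding and decoding DUID-LLT, DUID-EN and DUID-LL.

Added example, not Huawei code. Layouts follow RFC 3315 section 9; the MAC
address is taken from this chapter and 32473 is IANA's documentation PEN.
"""
import struct
from datetime import datetime, timezone
from typing import Dict, Union

HW_ETHERNET = 1                                   # IANA hardware type for Ethernet
EPOCH_2000 = datetime(2000, 1, 1, tzinfo=timezone.utc)


def mac_to_bytes(mac: str) -> bytes:
    """Accepts '0021-97cf-2238' (device style) as well as '00:21:97:cf:22:38'."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("not a 48-bit link-layer address: %r" % mac)
    return bytes.fromhex(digits)


def duid_llt(mac: str, when: datetime) -> bytes:
    # type(2) | hardware type(2) | seconds since 2000-01-01 UTC mod 2^32 (4) | link-layer address
    seconds = int((when - EPOCH_2000).total_seconds()) & 0xFFFFFFFF
    return struct.pack("!HHI", 1, HW_ETHERNET, seconds) + mac_to_bytes(mac)


def duid_en(enterprise_number: int, identifier: bytes) -> bytes:
    # type(2) | enterprise number(4) | vendor-assigned identifier (variable length)
    return struct.pack("!HI", 2, enterprise_number) + identifier


def duid_ll(mac: str) -> bytes:
    # type(2) | hardware type(2) | link-layer address; the format the NGFW uses
    return struct.pack("!HH", 3, HW_ETHERNET) + mac_to_bytes(mac)


def parse_duid(raw: bytes) -> Dict[str, Union[int, str]]:
    """Decode a DUID; raises ValueError on a truncated or unknown one."""
    if len(raw) < 2:
        raise ValueError("DUID too short")
    (kind,) = struct.unpack("!H", raw[:2])
    if kind == 1 and len(raw) > 8:
        hw, seconds = struct.unpack("!HI", raw[2:8])
        return {"type": "DUID-LLT", "hwtype": hw, "time": seconds, "lladdr": raw[8:].hex(":")}
    if kind == 2 and len(raw) >= 6:
        (pen,) = struct.unpack("!I", raw[2:6])
        return {"type": "DUID-EN", "enterprise": pen, "identifier": raw[6:].hex()}
    if kind == 3 and len(raw) > 4:
        (hw,) = struct.unpack("!H", raw[2:4])
        return {"type": "DUID-LL", "hwtype": hw, "lladdr": raw[4:].hex(":")}
    raise ValueError("unknown or truncated DUID type %d" % kind)


if __name__ == "__main__":
    for name, duid in (("LL", duid_ll("0021-97cf-2238")),
                       ("LLT", duid_llt("0021-97cf-2238", EPOCH_2000)),
                       ("EN", duid_en(32473, b"\x01\x02"))):
        print(name, duid.hex(), parse_duid(duid))
```

Because DUID-LL contains only the hardware type and the link-layer address, an NGFW's DUID stays the same across reboots, but it also changes whenever the underlying MAC address changes, which matters when a DHCPv6 server keeps bindings keyed by client DUID.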
Multicast DHCPv6 addresses
Like a DHCPv4 client, a DHCPv6 client locates a DHCPv6 server by sending a Solicit message
destined for a multicast address, without setting the IPv6 address of the DHCPv6 server. The
client selects a server based on a specified policy (for example, the Preference option).
DHCPv6 defines the following multicast addresses:
l All_DHCP_Relay_Agents_and_Servers (FF02::1:2): applies to all servers and relay agents
on a link. A client uses this address to exchange DHCPv6 messages with all servers and
relay agents.
l All_DHCP_Servers (FF05::1:3): applies to all servers at a site. A DHCP relay agent uses
this address to forward packets to all servers at a site, without obtaining the unicast address
of a server.
DHCPv6 Principles
DHCPv6 client-server exchange modes
DHCPv6 uses the client/server (C/S) communication mode. A client sends a packet to a server
for requesting configuration information, including a valid dynamic IPv6 address and a prefix.
Upon receiving the message, the server replies with a packet carrying configuration information
based on a specific policy. The modes for exchanging messages between the client and server
are as follows:
l Client-server exchange involving two messages (two-step exchange)
[Figure: two-step exchange; label surviving from the diagram: (2) Reply]
1. Upon connecting to a network, the DHCPv6 client sends a multicast DHCPv6 Solicit
message with a Rapid Commit option to a DHCPv6 server.
2. If the DHCPv6 server that supports the two-step exchange receives the DHCPv6
Solicit message, the server selects an unassigned IP address/prefix from an IPv6
address/prefix pool and replies with a unicast DHCPv6 Reply message carrying the
IPv6 address/prefix and other configuration information. If the DHCPv6 server that
does not support the two-step exchange receives the DHCPv6 Solicit message, the
DHCPv6 server replies with a unicast DHCPv6 Advertise message and proceeds with
client-server exchanges involving four messages.
l Client-server exchange involving four messages
[Figure: four-message exchange: (1) Solicit, (2) Advertise, (3) Request, (4) Reply]
1. Discovery phase: A client sends a multicast DHCPv6 Solicit message to search for an
available DHCP server.
2. Providing phase: After a DHCPv6 server receives the DHCPv6 Solicit message, it
selects an unassigned IP address/prefix from the IPv6 address/prefix pool and replies
with a unicast DHCPv6 Advertise message carrying the IPv6 address/prefix and other
configuration information.
3. Selection phase: If many DHCPv6 servers reply with DHCPv6 Advertise messages,
the client selects a server based on a specific policy and sends a unicast DHCPv6
Request message to the server to apply for an IPv6 address/prefix.
4. Confirmation phase: After the DHCPv6 server receives the DHCPv6 Request
message, it replies with a unicast DHCPv6 Reply message carrying an IPv6 address/
prefix and other configuration information.
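The two exchanges above carried on the wire, as an added example that is not code from this guide: a minimal DHCPv6 message encoder and parser, and a toy server whose rapid_commit flag plays the role of the dhcpv6 rapid-commit setting, so the same Solicit yields either Solicit/Reply or Solicit/Advertise/Request/Reply. Message types, option codes and the TLV framing are those of RFC 8415. The server DUIDs, the leased address, and the 50% renew / 80% rebind timer ratios are constructed for the example (the page states only the 50% renew default, so 80% is an assumption); the client DUID and IAID are the ones shown in the ipconfig output later on this page.

```python
"""Two-message (Rapid Commit) versus four-message DHCPv6 exchange, on the wire.

Framing per RFC 8415: msg-type (1 byte) | transaction-id (3 bytes) | options,
each option being option-code (2 bytes) | option-len (2 bytes) | option-data.
Solicit is multicast to ff02::1:2; Advertise and Reply come back unicast.
"""
import ipaddress
import struct

SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7                       # message types
OPT_CLIENTID, OPT_SERVERID, OPT_IA_NA, OPT_IAADDR, OPT_RAPID_COMMIT = 1, 2, 3, 5, 14
PREFERRED, VALID = 172800, 345600       # 2-day preferred lifetime (page default), 4-day valid
T1, T2 = PREFERRED // 2, PREFERRED * 4 // 5  # renew at 50% (page), rebind at 80% (assumption)


def build_message(msg_type, xid, options):
    """Serialise a message; options is a list of (code, data) pairs."""
    body = b"".join(struct.pack("!HH", code, len(data)) + data for code, data in options)
    return struct.pack("!B", msg_type) + xid.to_bytes(3, "big") + body


def parse_options(raw, off=0):
    """Walk the option TLVs from offset off; refuses truncated or overlong options."""
    opts = {}
    while off < len(raw):
        if off + 4 > len(raw):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", raw, off)
        off += 4
        if off + length > len(raw):
            raise ValueError("option length exceeds message")
        opts[code] = raw[off:off + length]           # last occurrence wins in this toy parser
        off += length
    return opts


def parse_message(raw):
    """Return (msg_type, transaction-id, {option-code: data})."""
    if len(raw) < 4:
        raise ValueError("short DHCPv6 header")
    return raw[0], int.from_bytes(raw[1:4], "big"), parse_options(raw, 4)


class Server:
    """Hands out one fixed address; rapid_commit mirrors the 'dhcpv6 rapid-commit' setting."""

    def __init__(self, duid, address, rapid_commit):
        self.duid = duid
        self.address = ipaddress.IPv6Address(address)
        self.rapid_commit = rapid_commit

    def _lease_options(self, client_opts):
        iaid = client_opts[OPT_IA_NA][:4]            # IA_NA = IAID | T1 | T2 | IA Address sub-option
        iaaddr = (struct.pack("!HH", OPT_IAADDR, 24) + self.address.packed
                  + struct.pack("!II", PREFERRED, VALID))
        return [(OPT_CLIENTID, client_opts[OPT_CLIENTID]), (OPT_SERVERID, self.duid),
                (OPT_IA_NA, iaid + struct.pack("!II", T1, T2) + iaaddr)]

    def handle(self, raw):
        """Return the server's response bytes, or None when the message is for another server."""
        msg_type, xid, opts = parse_message(raw)
        if msg_type == SOLICIT:
            if OPT_RAPID_COMMIT in opts and self.rapid_commit:
                # Two-step exchange: commit now and echo Rapid Commit so the client knows it is final.
                return build_message(REPLY, xid, self._lease_options(opts) + [(OPT_RAPID_COMMIT, b"")])
            return build_message(ADVERTISE, xid, self._lease_options(opts))   # four-step path
        if msg_type == REQUEST and opts.get(OPT_SERVERID) == self.duid:
            return build_message(REPLY, xid, self._lease_options(opts))
        return None


def run_exchange(client_duid, iaid, server, want_rapid_commit, xid=0x0A1B2C):
    """Drive one client through Solicit[/Request]; return (message types seen, leased address)."""
    opts = [(OPT_CLIENTID, client_duid), (OPT_IA_NA, iaid + struct.pack("!II", 0, 0))]
    if want_rapid_commit:
        opts.append((OPT_RAPID_COMMIT, b""))
    seen = [SOLICIT]
    msg_type, rxid, ropts = parse_message(server.handle(build_message(SOLICIT, xid, opts)))
    if rxid != xid or ropts.get(OPT_CLIENTID) != client_duid:
        raise ValueError("response is not for this transaction; a client must discard it")
    seen.append(msg_type)
    if msg_type == ADVERTISE:                         # selection + confirmation phases
        request = build_message(REQUEST, xid, opts + [(OPT_SERVERID, ropts[OPT_SERVERID])])
        msg_type, _, ropts = parse_message(server.handle(request))
        seen += [REQUEST, msg_type]
    ia_addr = parse_options(ropts[OPT_IA_NA], 12)[OPT_IAADDR]   # skip IAID/T1/T2
    return seen, ipaddress.IPv6Address(ia_addr[:16])
```

A client that asks for Rapid Commit against a server with rapid_commit=False simply falls back to the four-step path, which is why the guide says the two-step exchange only takes effect when both sides support it; the transaction-id and Client Identifier check in run_exchange is what stops a stray or spoofed Reply from being accepted for a different transaction.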
A DHCPv6 server specifies a lease before assigning an IPv6 address/prefix to a client. After the
lease expires, the DHCPv6 server withdraws the IPv6 address/prefix. To continue to use the
IPv6 address/prefix, the client needs to renew the lease.
A DHCPv6 Reply message sent by the DHCPv6 server carries the preferred lifetime, valid
lifetime, renew time, and rebinding time, in addition to an IPv6 address/prefix to a client. These
time settings determine the IPv6 address/prefix status and the actions that the client performs.
The following formula applies:
Renew time < Rebinding time < Preferred lifetime < Valid lifetime
After the client obtains an IPv6 address/prefix, the client enters the binding state. The client sets
three timers for lease renewal, rebinding, and lease expiration. Table 8-85 lists timers and their
default settings.
Timer: Lease renewal. Default setting: 50% of the preferred lifetime (the default preferred lifetime is 2 days).
Before assigning an IPv6 address/prefix to a client, a DHCPv6 server can specify timer values.
If the server does not specify timer values, the client uses the default settings.
l If the lease is about to expire, the client automatically sends a DHCPv6 Renew message to
the server to renew the IPv6 address/prefix lease.
If the IPv6 address/prefix is valid, the DHCPv6 server replies with a DHCPv6 Reply
message carrying a new IPv6 address/prefix lease. After the client receives the DHCPv6
Reply message, its IPv6 address/prefix lease is renewed.
l If the lease has not been renewed by the time the rebinding time elapses, the client
multicasts a DHCPv6 Rebind message to all available DHCPv6 servers.
If the IPv6 address/prefix is still valid, a DHCPv6 server replies with a DHCPv6 Reply
message carrying a new IPv6 address/prefix lease. After the client receives the DHCPv6
Reply message, its IPv6 address/prefix lease is renewed.
l After the lease expires, the DHCPv6 server withdraws the IPv6 address/prefix. To continue
to use the IPv6 address/prefix, the client needs to renew the lease before the valid lifetime
expires.
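A client-side view of the timers just described, as an added example that is not taken from the guide: a binding object that reports which state a lease is in at any moment (bound, renewing after the renew time, rebinding after the rebinding time, deprecated after the preferred lifetime, expired after the valid lifetime) and applies the lifetimes returned in a Reply, including the withdrawal that a 0 valid lifetime signals and the unlimited value. The ordering check follows Renew time < Rebinding time < Preferred lifetime <= Valid lifetime (the CLI rule is valid >= preferred); the 80% rebind default is an assumption, since the page states only the 50% renew default.

```python
"""Client-side lease timers for one DHCPv6 binding (added example, not NGFW code)."""
from enum import Enum

INFINITY = 0xFFFFFFFF        # the 'unlimited' lifetime value on the wire


class State(Enum):
    BOUND = "bound"               # address usable, nothing to do yet
    RENEWING = "renewing"         # past the renew time: unicast Renew to the server that gave the lease
    REBINDING = "rebinding"       # past the rebinding time: multicast Rebind to any server
    DEPRECATED = "deprecated"     # preferred lifetime over: no new sessions, existing ones continue
    EXPIRED = "expired"           # valid lifetime over: address withdrawn


def _seconds(value):
    return float("inf") if value == INFINITY else float(value)


def check_order(renew, rebind, preferred, valid):
    """Enforce Renew < Rebind < Preferred <= Valid; unlimited values may tie with each other."""
    inf = float("inf")
    r, b, p, v = map(_seconds, (renew, rebind, preferred, valid))
    if not (r <= b <= p <= v and (r < b or b == inf) and (b < p or p == inf)):
        raise ValueError(f"bad lifetimes: renew={renew} rebind={rebind} "
                         f"preferred={preferred} valid={valid}")


def default_timers(preferred, renew_ratio=0.5, rebind_ratio=0.8):
    """Timers the client picks when the server sends T1 = T2 = 0.

    50% renew is the Table 8-85 default; 80% rebind is this example's assumption."""
    if preferred == INFINITY:
        return INFINITY, INFINITY                     # never needs renewing
    return int(preferred * renew_ratio), int(preferred * rebind_ratio)


class Binding:
    """One IPv6 address/prefix lease as the client tracks it (times in seconds)."""

    def __init__(self, obtained_at, renew, rebind, preferred, valid):
        self._start(obtained_at, renew, rebind, preferred, valid)

    def _start(self, obtained_at, renew, rebind, preferred, valid):
        if renew == 0 and rebind == 0:               # server left the choice to the client
            renew, rebind = default_timers(preferred)
        check_order(renew, rebind, preferred, valid)
        self.obtained_at = obtained_at
        self.deadlines = {State.RENEWING: _seconds(renew), State.REBINDING: _seconds(rebind),
                          State.DEPRECATED: _seconds(preferred), State.EXPIRED: _seconds(valid)}

    def state(self, now):
        """Most advanced state whose deadline has passed, else BOUND."""
        elapsed = now - self.obtained_at
        for st in (State.EXPIRED, State.DEPRECATED, State.REBINDING, State.RENEWING):
            if elapsed >= self.deadlines[st]:
                return st
        return State.BOUND

    def apply_reply(self, now, renew, rebind, preferred, valid):
        """Process the Reply to a Renew/Rebind: a 0 valid lifetime withdraws the binding,
        anything else restarts the timers from now. Returns the resulting state."""
        if valid == 0:
            self.obtained_at, self.deadlines = now, {st: 0.0 for st in self.deadlines}
            return State.EXPIRED
        self._start(now, renew, rebind, preferred, valid)
        return self.state(now)
```

When forensics or detection logic needs to know whether a host could still have been using an address at a given time, the DEPRECATED window matters: the address is no longer handed to new sessions but remains valid on the host until the valid lifetime ends.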
If a link on which a client resides changes, for example, when a network cable is inserted or
removed, the client sends a message to a DHCPv6 server to check whether the previously
obtained IPv6 address/prefix is available.
Either of the following situations occurs based on the contents to be checked by the server:
l To check IPv6 address availability, the DHCPv6 client sends a multicast DHCPv6 Confirm
message carrying the IPv6 address to be checked.
If the IPv6 address is still available, the DHCPv6 server sends a Reply message to the client
to declare that the address can be used. The client continues to use this IPv6 address.
l To check IPv6 prefix availability, the DHCPv6 client sends a multicast DHCPv6 Rebind
message carrying the IPv6 prefix to be checked. The DHCPv6 server receives and processes
the Rebind message and replies with a Reply message. If the lifetime contained in the Reply
message is not 0s, the client continues to use this prefix, and the lease is renewed.
If the client detects an IPv6 address conflict, it sends a DHCPv6 Decline message carrying the
conflicting IPv6 address.
After receiving the Decline message, the DHCPv6 server marks the IPv6 address as conflicting
and no longer assigns it to any client.
If a client is no longer using an IPv6 address/prefix assigned by a DHCPv6 server, the client
sends to the server a DHCPv6 Release message carrying the IPv6 address/prefix to be released.
After receiving the Release message, the DHCPv6 server releases the IPv6 address/prefix and
replies with a Reply message.
Prerequisites
Choose Dashboard > System Information and enable IPv6 globally to allow the NGFW to
forward IPv6 packets.
Context
A DHCPv6 server globally maintains parameters such as IPv6 addresses, prefixes, and lease
information. DHCPv6 also assigns configuration information, such as the IPv6 addresses
of DNS and SIP servers, to DHCPv6 clients.
The DHCPv6 server and relay services cannot be configured on the same interface.
Procedure
Step 1 Choose Network > DHCP Server > Settings.
Parameter / Description
Interface Name: Name of the interface on which the DHCPv6 server function is configured. The interface must be an existing one and Connection Type must be set to Static IP.
Service Type: Enable either the DHCPv6 server or the DHCPv6 relay service on this interface. When the DHCPv6 server is enabled on the interface, Service Type must be set to Server.
Primary DNS Server: Primary DNS server address to be assigned to a DHCPv6 client.
l Address prefix pool: used in a stateful DHCPv6 scenario, in which a network administrator
uses a DHCPv6 server to globally manage network resources, such as IPv6 prefixes. A
DHCPv6 server assigns an IPv6 prefix (for example, 3000::/32) to the DHCPv6 client.
l Delegation prefix pool: used in a DHCPv6-PD scenario, in which a DHCPv6 client needs to
segment an IPv6 address space assigned by a server. A DHCPv6 server assigns a set of IPv6
prefixes to a DHCPv6 client. For example, if the assigned prefix is 3000::/32 and the
delegating prefix length is 33 bits, the DHCPv6 server assigns IPv6 prefixes 3000::/33 and
3000:0:8000::/33.
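The two pool types in practice, as an added example (not the NGFW's own code): enumerating the prefixes a delegation prefix pool can hand out for a given delegating prefix length, a delegating-router allocator that honours a per-DUID reservation in the manner of the client-duid ... bind prefix command, the requesting-router side carving /64 LAN prefixes out of its delegation, and a check that a prefix a requesting router advertises actually lies inside what it was delegated. Class and function names are the example's own; the DUIDs are constructed.

```python
"""Address and delegation prefix pools (added example, not NGFW code)."""
import ipaddress


def subprefixes(prefix, new_prefix, limit=16):
    """First `limit` prefixes of length new_prefix inside prefix, e.g. 3000::/32 -> the two /33s.

    The CLI rule applies: the new length cannot be shorter than the pool's own length."""
    net = ipaddress.IPv6Network(prefix)
    if new_prefix < net.prefixlen:
        raise ValueError("delegating prefix length cannot be shorter than the prefix length")
    out = []
    for sub in net.subnets(new_prefix=new_prefix):   # lazy: fine for /48 -> /56 (256 prefixes) too
        if len(out) == limit:
            break
        out.append(str(sub))
    return out


class PrefixDelegator:
    """Delegating router side: one delegated prefix per client DUID, with optional reservations."""

    def __init__(self, pool_prefix, delegating_prefix_length):
        self.pool = ipaddress.IPv6Network(pool_prefix)
        if delegating_prefix_length < self.pool.prefixlen:
            raise ValueError("delegating prefix length cannot be shorter than the prefix length")
        self.length = delegating_prefix_length
        self.bindings = {}                       # client DUID -> IPv6Network

    def bind(self, duid, prefix):
        """Reserve a prefix for one client; it is then never handed to a different DUID."""
        net = ipaddress.IPv6Network(prefix)
        if net.prefixlen != self.length or not net.subnet_of(self.pool):
            raise ValueError(f"{net} is not a /{self.length} inside {self.pool}")
        holder = next((d for d, n in self.bindings.items() if n == net), None)
        if holder is not None and holder != duid:
            raise ValueError(f"{net} is already bound to another client")
        self.bindings[duid] = net

    def allocate(self, duid):
        """Return the client's reserved prefix, else the first free one; None when exhausted."""
        if duid in self.bindings:
            return self.bindings[duid]
        taken = set(self.bindings.values())
        for candidate in self.pool.subnets(new_prefix=self.length):
            if candidate not in taken:
                self.bindings[duid] = candidate
                return candidate
        return None


def within_delegation(delegated_prefix, advertised_prefix):
    """Requesting-router sanity check: only advertise prefixes inside the delegation."""
    return ipaddress.IPv6Network(advertised_prefix).subnet_of(
        ipaddress.IPv6Network(delegated_prefix))
```

Running subprefixes("3000::/32", 33) reproduces the two prefixes named above, and subprefixes on a delegated /33 with new_prefix=64 gives the LAN prefixes a requesting router such as NGFW_B in the later example would announce through ND.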
1. Click Add in Delegated Prefix. In the dialog box, click OK.
2. Configure DHCPv6 prefix parameters.
l Configure a delegation prefix pool.
a. Set the following prefix pool parameters.
Parameter / Description
Delegation Prefix Length: Length of the IPv6 prefix that is assigned by the device (delegating router) to the requesting router. The length of a prefix to be assigned must be longer than or equal to the length of Prefix.
b. Click OK.
l Set the following address prefix pool parameters.
3. Click OK.
Parameter Description
Domain Name DNS suffix that a DHCPv6 server assigns to a DHCPv6 client.
SNTP Server SNTP server address that a DHCPv6 server assigns to a DHCPv6
client.
SIP Server SIP server address that a DHCPv6 server assigns to a DHCPv6
client.
If the operation is successful, DHCPv6 Service Information List is displayed on the page, and
new configuration items are added to the list.
Repeat previous operations to configure the DHCPv6 server function on multiple interfaces.
----End
Prerequisites
l A DHCPv6 server has been configured based on a global address pool.
No interface address pool can be configured for the DHCPv6 server interface that connects
to the DHCP relay agent.
l The DHCPv6 server and DHCPv6 relay interface are reachable to each other.
l The DHCPv6 relay interface and client reside on the same network segment.
The IPv6 address of the DHCPv6 relay interface must be on the same network segment as
the IPv6 address that the DHCPv6 server assigns to the client.
l The default gateway address of the DHCPv6 client must be the IP address of the DHCP
relay interface.
l Choose Dashboard > System Information and enable IPv6 globally to allow the
NGFW to forward IPv6 packets.
Context
The DHCPv6 server and DHCPv6 relay cannot be configured on the same interface.
Procedure
Step 1 Choose Network > DHCP Server > Settings.
Parameter / Description
Service Type: Enable either the DHCPv6 server or relay service on this interface. When DHCPv6 relay is enabled on the interface, Service Type must be Relay.
IPv6 Server IP Address: IPv6 address of the DHCPv6 server to which the relay agent forwards client messages; the relay agent forwards the server's replies back to the client.
Interface Connected to IPv6 Server: Name of the interface that connects the DHCPv6 relay agent to the DHCPv6 server.
If the operation is successful, DHCP Service Information List is displayed on the page, and
new configuration items are added to the list.
Repeat previous operations to configure the DHCPv6 relay function on multiple interfaces.
----End
Step 2 Select one of the following methods to query the address lease:
l Select All from the search box.
l Select Interface Name from the search box and select a desired interface name.
l Select IP Address from the search box and enter a desired IPv6 address.
Parameter / Description
MAC Address: MAC address of the client to which the DHCPv6 server assigned the IPv6 address.
Lease Expiration: Expiration attribute of the lease for an IPv6 address assigned by the DHCPv6 server:
l A specific date and time when the lease expires, for example, "2011-11-7 18:01:20".
l NOT used: The statically bound lease has not been assigned to the specified client.
l Unlimited: The lease is permanent.
Status: Binding status of the IPv6 address assigned by the DHCPv6 server:
l Static address binding: The DHCPv6 server statically assigns a fixed IPv6 address to the client with the specified MAC address.
l Dynamic assignment: To be confirmed: The DHCPv6 server assigns an IPv6 address dynamically; the binding between the IPv6 address and MAC address is provisional after the server has sent a DHCPv6 Advertise message and before the client's Request has been answered.
l Dynamic assignment: Succeeded: The DHCPv6 server assigns an IPv6 address dynamically, and the binding between the IPv6 address and MAC address is established after the server sends the DHCPv6 Reply message.
l Released: After the client sends a Release message for the IPv6 address, the DHCPv6 server cancels the binding between the IPv6 address and MAC address.
----End
Configuration Flow
Figure 8-60 shows the flowchart for configuring a DHCPv6 server.
[Figure 8-60 is a flowchart from Start to End whose steps are marked Mandatory or Optional; the step legible here is "Configure the Authentication Function".]
----End
2. Create a DHCPv6 address prefix pool and display the DHCPv6 prefix pool view.
dhcpv6 prefix-pool address-prefix prefix-pool-name
prefix-pool-name specifies the name of the DHCPv6 prefix pool.
l DHCPv6-PD scenario
A delegation prefix pool is used only in the DHCPv6-PD scenario. After the client
(Requesting Router) obtains prefixes, it in turn assigns them to its own clients, either as a
DHCPv6 server or, as in the example in this chapter, through ND router advertisements.
1. Display the system view.
system-view
2. Create a DHCPv6 delegation prefix pool and display the DHCPv6 prefix pool view.
dhcpv6 prefix-pool delegation-prefix prefix-pool-name
The delegating-prefix-length value is the length of the IPv6 prefix that is assigned by
the device (Delegating Router) to the Requesting Router.
The delegating-prefix-length value cannot be shorter than the prefix-length value.
Otherwise, the configuration fails.
5. Optional: Bind the specified prefix in the delegation prefix pool to the client DUID.
client-duid client-duid bind prefix prefix-address
This command reserves an IPv6 prefix for a client, which means that the IPv6 prefix
cannot be assigned to another client.
Step 2 Optional: Specify the preferred lifetime and valid lifetime of the prefix pool.
lifetime preferred-lifetime { second-value | unlimited } valid-lifetime { second-
value | unlimited }
The valid-lifetime value must be greater than or equal to the preferred-lifetime value.
----End
A DHCPv6 server by default exchanges information with a client using four messages and the
multicast function. The DHCPv6 server and client can also communicate using the following
functions to simplify communication and effectively use network resources:
l Client-server exchanges involving two messages: The DHCPv6 client uses only two
messages for information exchange with the DHCPv6 server to assign data such as IPv6
prefixes. This function is applicable when only one server is available on the network.
l Unicast option function: The DHCPv6 client and server use the unicast option function,
not the multicast function, to exchange information. This function is applicable when the
DHCPv6 client and server obtain each other's location information.
NOTE
The preceding functions are available only when both the DHCPv6 client and server support them.
2. Create a DHCPv6 address pool and display the address pool view.
dhcpv6 pool pool-name
The pool-name value is a string of 1 to 32 characters that can be letters, digits, and
underscores (_).
3. Configure the DHCPv6 address pool to use a specific DHCPv6 prefix pool.
prefix-pool prefix-pool-name
NOTE
Contents assigned by the DHCPv6 server to the DHCPv6 client vary depending on the type of the bound
DHCPv6 prefix pool.
If an address prefix pool is bound to an address pool, a single IPv6 prefix can be assigned. If a delegation
prefix pool is bound to an address pool, a set of IPv6 prefixes can be assigned.
4. Optional: Set the priority of the DHCPv6 address pool.
preference preference-value
The client selects the DHCPv6 server with the highest priority. The larger the value, the
higher the priority.
5. Optional: Enable the unicast option function of the DHCPv6 server.
dhcpv6 unicast-option
After the command is executed, the DHCPv6 server can receive DHCPv6 unicast packets
and inform the client of unicast communication.
6. Optional: Enable the function of client-server exchanges involving two messages.
dhcpv6 rapid-commit
After the command is executed, the DHCPv6 client and server use two types of messages,
not four types of messages, to communicate with each other.
7. Optional: Set the ratios of the renew time and the rebinding time to the preferred
lifetime.
Step 2 Optional: Configure server information that can be assigned by the DHCPv6 address pool.
1. Specify a DNS server address that the DHCPv6 server assigns to a DHCPv6 client.
dns-server ipv6-address &<1-2>
2. Specify a DNS suffix that the DHCPv6 server assigns to a DHCPv6 client.
dns-search-list dns-search-list-name
3. Specify the SIP server address and domain name that the DHCPv6 server assigns to a
DHCPv6 client.
sip-server { address ipv6-address | domain-name domain-name }
4. Specify an SNTP server address that the DHCPv6 server assigns to a DHCPv6 client.
sntp-server ipv6-address
----End
Step 3 Configure the mode used to generate a default username in the authentication domain.
default-user-name [ template template-name ] include { mac-address { separator |
noseparator } | option18 } *
After the authentication function of the DHCPv6 server is enabled, clients are authenticated with
the authentication scheme and authentication mode associated with the authentication domain.
Note that the generated username is built from values the client or the access network supplies
(the MAC address, or the Interface-ID carried in option 18) and that all such users share the
default password, so this identifies the requesting host for accounting and access control; it does
not prove the host's identity, because a client can present any MAC address it likes.
NOTE
This step does not need to be configured if you use the default-user-name command without the template-
name parameter configured.
Parameter template-name in this command must be the same as template-name in the default-user-
name command.
----End
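How the default username in the step above can be derived from what a client presents, as an added example rather than the NGFW's implementation: extracting the MAC address from a DUID of type LLT or LL (the only DUID types that carry one), then composing the username for the mac-address separator, mac-address noseparator and option18 selections. The exact formatting (lowercase hex, the given separator character, the Interface-ID appended as text) is this example's assumption; the sample DUID is the one in the ipconfig output later on this page, and the interface name is constructed.

```python
"""Default username derivation for DHCPv6 server authentication (added example, not NGFW code)."""
from typing import Optional

DUID_LLT, DUID_LL = 1, 3          # DUID types that embed a link-layer address (RFC 8415)
HW_ETHERNET = 1


def mac_from_duid(duid: bytes) -> bytes:
    """Pull the 48-bit MAC out of a DUID-LLT or DUID-LL; other DUID types carry none."""
    if len(duid) < 4:
        raise ValueError("DUID too short")
    duid_type = int.from_bytes(duid[:2], "big")
    hw_type = int.from_bytes(duid[2:4], "big")
    if duid_type == DUID_LLT:
        addr = duid[8:]                # type(2) | hw-type(2) | time(4) | link-layer address
    elif duid_type == DUID_LL:
        addr = duid[4:]                # type(2) | hw-type(2) | link-layer address
    else:
        raise ValueError(f"DUID type {duid_type} (EN/UUID) does not contain a MAC address")
    if hw_type != HW_ETHERNET or len(addr) != 6:
        raise ValueError("not an Ethernet link-layer address")
    return addr


def default_user_name(mac: Optional[bytes] = None, separator: Optional[str] = "-",
                      interface_id: Optional[bytes] = None) -> str:
    """Username in the spirit of
    'default-user-name include { mac-address { separator | noseparator } | option18 } *'.

    mac=None omits the MAC part; separator=None is 'noseparator'; interface_id is the
    option 18 Interface-ID a relay inserted. Formatting is this example's assumption."""
    if mac is None and interface_id is None:
        raise ValueError("select at least one username component")
    parts = []
    if mac is not None:
        parts.append(mac.hex() if separator is None else separator.join(f"{b:02x}" for b in mac))
    if interface_id is not None:
        parts.append(interface_id.decode("ascii", errors="replace"))
    return "".join(parts)
```

Both inputs are attacker-controlled from the server's point of view: the DUID is whatever the client puts in its Solicit, and the Interface-ID is only as trustworthy as the relay that inserted it, so the resulting user record should be treated as a port or host label, not as evidence of who is behind it.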
Context
The DHCPv6 relay device is transparent to both the client and server. Therefore, you do not
need to associate the client and server with a DHCPv6 relay agent.
l DHCPv6 server address: an IPv6 address of an interface on a DHCPv6 server. The interface
is connected to the DHCPv6 relay agent.
l Outbound interface on the relay agent: an interface on the DHCPv6 relay agent. The
interface is connected to the DHCPv6 server.
NOTE
If there are routers between the DHCPv6 relay agent and the DHCPv6 server, the IPv6 address of
the DHCPv6 server must be specified on the DHCPv6 relay agent.
Procedure
Step 1 Display the system view.
system-view
Before performing IPv6 configurations in the interface view, enable the IPv6 capability in the
interface view.
Step 5 Specify the DHCPv6 server address or the name of the outbound interface.
dhcpv6 relay { destination ipv6-address | interface interface-type interface-
number [ server-address | server-relay-address ] }
----End
Example
# Enable DHCPv6 relay on GigabitEthernet 1/0/1 connected to a client and set the IPv6 address
of GigabitEthernet 1/0/1 to 2000::1/64 and the IPv6 address of the DHCPv6 server to 3000::1.
<NGFW> system-view
[NGFW] ipv6
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ipv6 enable
[NGFW-GigabitEthernet1/0/1] dhcpv6 relay enable
[NGFW-GigabitEthernet1/0/1] ipv6 address 2000::1 64
[NGFW-GigabitEthernet1/0/1] dhcpv6 relay destination 3000::1
Follow-up Procedure
Run the display this command in the interface view to view the configuration of GigabitEthernet
1/0/1.
[NGFW-GigabitEthernet1/0/1] display this
#
interface GigabitEthernet1/0/1
description connect-to-client
ipv6 enable
ipv6 address 2000::1 64
dhcpv6 relay enable
dhcpv6 relay destination 3000::1
#
return
Prerequisites
Choose Dashboard > System Information and enable IPv6 globally to allow the NGFW to
forward IPv6 packets.
Context
By default, a DHCPv6 server exchanges information with a client using four messages and
multicast function. In special scenarios, the DHCPv6 server can use two messages (Rapid
Commit) and unicast option function (Unicast Option) to simplify the information exchange
with the client. In this way, network resources are saved.
l Client-server exchanges involving two messages: The DHCPv6 client uses only two
messages for information exchange with the DHCPv6 server to assign data, such as IPv6
prefixes, instead of default four messages. This function applies to the scenario where only
one server is available.
l Unicast option function: The DHCPv6 client and server use the unicast option function
rather than the multicast function to exchange information. This function applies to the
scenario where the locations of the DHCPv6 client and server are clear.
NOTE
The unicast option function and the function of client-server exchanges involving two messages are
available only when both the DHCPv6 client and server support the functions.
Procedure
Step 1 Access the system view.
system-view
ipv6 enable
----End
Example
Enable the DHCPv6 client function of GigabitEthernet 1/0/1, and apply for IPv6 address
5000::200.
<NGFW> system-view
[NGFW] ipv6
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ipv6 enable
[NGFW-GigabitEthernet1/0/1] ipv6 address auto link-local
[NGFW-GigabitEthernet1/0/1] dhcpv6 client enable
[NGFW-GigabitEthernet1/0/1] dhcpv6 client ia-address 5000::200
Follow-up Procedure
You can run the display dhcpv6 client command in any view to check whether the DHCPv6
client obtains an IPv6 address.
[NGFW] display dhcpv6 client interface GigabitEthernet1/0/1
GigabitEthernet1/0/1 dhcp client : enable
Action / Command
Display information about a DHCPv6 client: display dhcpv6 server [ ipv6-address ipv6-address | mac-address mac-address ]
You can run the command listed in Table 8-89 in the DHCPv6 prefix pool view to resolve an
IPv6 address conflict.
Networking Requirements
The PC shown in Figure 8-61 runs Windows 7 Professional.
The NGFW that functions as a DHCPv6 server, which assigns the following information to the
PC:
Figure 8-61 Network diagram for configuring a NGFW as the DHCPv6 server
[Topology: the PC in the Trust zone connects to GE1/0/1 (3000::1/64) of the NGFW, which acts as the DHCPv6 server; GE1/0/2 (3001::1/64) connects to the DMZ, which hosts the DNS server 3001::2, the SIP server 3001::3 and the SNTP server 3001::4 for domain example.com; the Untrust zone faces the IPv6 network.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a DHCPv6 prefix pool and define prefixes that the DHCPv6 server can assign
to a DHCPv6 client.
2. Configure a DHCPv6 address pool, and associate it with the DHCPv6 prefix pool, and
define parameters, such as a DNS server address that the DHCPv6 server can assign to a
DHCPv6 client.
3. Configure security policies.
Procedure
Step 1 Choose Dashboard > System Information and enable IPv6 globally to allow the NGFW to
forward IPv6 packets.
Interface GE1/0/1: Zone trust, Mode Route, IPv6 IP Address 3000::1/64; click OK.
Interface GE1/0/2: Zone dmz, Mode Route, IPv6 IP Address 3001::1/64; click OK.
Prefix pool: Type IPv6, Prefix 2000::/32; click OK.
7. In Advanced, set the following parameters.
8. Click OK.
Step 5 Configure a security policy to allow the PC to access a server in the DMZ and an IPv6 network
in the Untrust zone.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add and set the following parameters.
The following example provides basic security policy parameters. You can set other
parameters as needed.
Name policy_sec_1
Action Permit
3. Click OK.
----End
Configuration Verification
# On the PC, verify that an IPv6 global unicast address is automatically generated.
C:\> ipconfig/all
Windows IP Configuration
The preceding command output shows that the PC has obtained an IPv6 global unicast address
2000::448e:2cc2:8ce3:cbe5.
Configuration Script
#
ipv6
#
sysname NGFW
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 3000::1 64
dhcpv6 server enable
dhcpv6 pool gigabitethernet1_0_1
#
interface GigabitEthernet1/0/2
ipv6 enable
ipv6 address 3001::1 64
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
dhcpv6 prefix-pool address-prefix gigabitethernet1_0_1_1343810878
prefix 2000::/32
lifetime preferred-lifetime 1036800 valid-lifetime 1036800
#
dhcpv6 pool gigabitethernet1_0_1
dns-search-list example.com
dns-server 3001::2
sip-server address 3001::3
sntp-server 3001::4
prefix-pool gigabitethernet1_0_1_1343810878
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone dmz
destination-zone local
destination-zone untrust
action permit
#
return
8.5.5.2 Example for Configuring the DHCPv6 Server with the Authentication
Function
This section provides an example for configuring the DHCPv6 server with the authentication
function.
Networking Requirements
The PC shown in Figure 8-62 runs Windows 7 Professional.
The NGFW that functions as a DHCPv6 server, which assigns the following information to the
PC:
The NGFW uses local authentication to authenticate the PCs and perform accounting for them.
Figure 8-62 Network diagram for configuring a NGFW as the DHCPv6 server
[Topology: the PC in the Trust zone connects to GE1/0/1 (3000::1/64) of the NGFW, which acts as the DHCPv6 server; GE1/0/2 (3001::1/64) connects to the DMZ, which hosts the DNS server 3001::2, the SIP server 3001::3 and the SNTP server 3001::4 for domain example.com; the Untrust zone faces the IPv6 network.]
Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the authentication function of the DHCPv6 server to enable the DHCPv6 server
to authenticate the requests from the PC.
2. Configure a DHCPv6 prefix pool and define prefixes that the DHCPv6 server can assign
to a DHCPv6 client.
3. Configure a DHCPv6 address pool, and associate it with the DHCPv6 prefix pool, and
define parameters, such as a DNS server address that the DHCPv6 server can assign to a
DHCPv6 client.
4. Configure the users.
5. Configure security policies.
Procedure
Step 1 Enable the IPv6 packet forwarding function of the NGFW.
NOTE
You can perform other IPv6 configurations only after you enable the IPv6 packet forwarding function on the
NGFW.
<NGFW> system-view
[NGFW] ipv6
Step 2 Configure the authentication function of the DHCPv6 server.
# Configure authentication scheme authen1 and set the authentication mode to local
authentication. The default username is generated from the client MAC address without a
separator, and all users generated this way share the default password.
[NGFW] aaa
[NGFW-aaa] default-user-name include mac-address noseparator
[NGFW-aaa] default-password cipher Admin@123
[NGFW-aaa] authentication-scheme authen1
[NGFW-aaa-authen-authen1] authentication-mode local
[NGFW-aaa-authen-authen1] quit
# Configure authentication domain dom and associate it with the authentication scheme.
[NGFW-aaa] domain dom
[NGFW-aaa-domain-dom] authentication-scheme authen1
[NGFW-aaa-domain-dom] quit
[NGFW-aaa] quit
Step 3 Configure a DHCPv6 prefix pool. Create address prefix pool pool111, assign prefix 2000::/32
to it, and set the preferred lifetime and valid lifetime to three and four days respectively.
[NGFW] dhcpv6 prefix-pool address-prefix pool111
[NGFW-dhcpv6-prefix-pool-pool111] prefix 2000::/32
[NGFW-dhcpv6-prefix-pool-pool111] lifetime preferred-lifetime 259200 valid-
lifetime 345600
[NGFW-dhcpv6-prefix-pool-pool111] quit
Step 4 Configure a DHCPv6 address pool. Create address pool pool222, associate it with DHCPv6
prefix pool pool111, and configure the information about the DNS server, SIP server, and SNTP
server to be assigned.
[NGFW] dhcpv6 pool pool222
[NGFW-dhcpv6-pool-pool222] prefix-pool pool111
[NGFW-dhcpv6-pool-pool222] dns-server 3001::2
[NGFW-dhcpv6-pool-pool222] dns-search-list example.com
[NGFW-dhcpv6-pool-pool222] sip-server address 3001::3
[NGFW-dhcpv6-pool-pool222] sntp-server 3001::4
[NGFW-dhcpv6-pool-pool222] quit
# Enable the DHCPv6 server function on the interface and set an IPv6 address for it.
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ipv6 enable
[NGFW-GigabitEthernet1/0/1] dhcpv6 server enable
[NGFW-GigabitEthernet1/0/1] ipv6 address 3000::1/64
# Enable the DHCPv6 authentication function and associate it with the authentication domain.
[NGFW-GigabitEthernet1/0/1] dhcpv6 authentication enable
[NGFW-GigabitEthernet1/0/1] dhcpv6 authentication default-domain dom
Step 8 Assign the interfaces into security zones and configure security policies.
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW-zone-trust] quit
[NGFW] firewall zone dmz
[NGFW-zone-dmz] add interface GigabitEthernet 1/0/2
[NGFW-zone-dmz] quit
[NGFW] security-policy
[NGFW-policy-security] rule name sec_policy_1
[NGFW-policy-security-rule-sec_policy_1] source-zone trust
[NGFW-policy-security-rule-sec_policy_1] source-zone local
[NGFW-policy-security-rule-sec_policy_1] destination-zone local
[NGFW-policy-security-rule-sec_policy_1] destination-zone trust
[NGFW-policy-security-rule-sec_policy_1] action permit
[NGFW-policy-security-rule-sec_policy_1] quit
[NGFW-policy-security] rule name sec_policy_2
[NGFW-policy-security-rule-sec_policy_2] source-zone trust
[NGFW-policy-security-rule-sec_policy_2] destination-zone dmz
[NGFW-policy-security-rule-sec_policy_2] destination-zone untrust
[NGFW-policy-security-rule-sec_policy_2] action permit
----End
Configuration Verification
# On the PC, verify that an IPv6 global unicast address is automatically generated.
C:\> ipconfig/all
Windows IP Configuration
DHCP Enabled . . . . . . . . . . : No
Autoconfiguration Enabled. . . . : Yes
IPv6 Address . . . . . . . . . . : 2000::448e:2cc2:8ce3:cbe5(Preferred)
Lease Obtained . . . . . . . . .: Friday, November 12, 2010 8:12:19 PM
Lease Expires . . . . . . . . . : Saturday, November 15, 2010 8:12:19 PM
Link-local IPv6 Address. . . . . : fe80::2e0:4cff:fe90:3dc9%11(Preferred)
IPv4 Address . . . . . . . . . . : 10.2.2.2(Preferred)
Subnet Mask . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . .:
DHCPv6 IAID . . . . . . . . . . .: 234938444
DHCPv6 Client DUID . . . . . . .: 00-01-00-01-15-0B-47-82-00-E0-4C-97-3E-94
The preceding command output shows that the PC has obtained an IPv6 global unicast address
2000::448e:2cc2:8ce3:cbe5.
Configuration Script
#
ipv6
#
sysname NGFW
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 3000::1 64
dhcpv6 server enable
dhcpv6 authentication enable
dhcpv6 pool pool222
dhcpv6 authentication default-domain dom
#
interface GigabitEthernet1/0/2
ipv6 enable
ipv6 address 3001::1 64
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
aaa
authentication-scheme authen1
#
domain dom
authentication-scheme authen1
#
default-user-name include mac-address noseparator
default-password cipher %$%$@5.j"ILN\AkdI]U5OqX*kkbY%$%$
#
dhcpv6 prefix-pool address-prefix pool111
prefix 2000::/32
lifetime preferred-lifetime 259200 valid-lifetime 345600
#
dhcpv6 pool pool222
dns-search-list example.com
dns-server 3001::2
sip-server address 3001::3
sntp-server 3001::4
prefix-pool pool111
#
security-policy
rule name sec_policy_1
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
rule name sec_policy_2
source-zone trust
destination-zone dmz
destination-zone untrust
action permit
#
return
8.5.5.3 Example for Configuring the IPv6 Prefix Assignment in DHCPv6-PD Mode
This section provides an example for assigning IPv6 prefixes to users in delegation mode.
Networking Requirements
As shown in Figure 8-63, on the IPv6 network, NGFW_A and NGFW_B are connected through
interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. NGFW_A is also connected to the
DNS server, SIP server, and SNTP server. NGFW_A acts as the Delegation Router to assign
information such as the IPv6 prefix, DNS server address, SIP server address, and SNTP server
address to NGFW_B that acts as the Requesting Router. NGFW_B re-assigns obtained
information to PCs.
Figure 8-63 Network diagram of assigning IPv6 prefixes to users in delegation mode
[Topology: GE1/0/1 (3000::1/64) of NGFW_A, the Delegating Router, connects to GE1/0/2 of NGFW_B, the Requesting Router; GE1/0/1 (2000::1/64) of NGFW_B connects to the PCs; the DNS server (1::1), SIP server (2::2) and SNTP server (3::3) are attached to NGFW_A.]
Configuration Roadmap
1. Configure the DHCPv6 server (Delegation Router).
a. Enable the IPv6 packet forwarding function of NGFW_A, so that NGFW_A can send
and receive IPv6 packets.
b. Configure the DHCPv6 prefix pool in delegation mode and define that NGFW_A can
assign prefixes to DHCPv6 clients.
c. Configure the DHCPv6 address pool, associate it with the DHCPv6 prefix pool, and
define information such as the DNS server address that can be assigned by
NGFW_A to the DHCPv6 client.
d. Enable the DHCPv6 server function of interface GigabitEthernet 1/0/1, set the IPv6
address, and associate it with the DHCPv6 address pool, so that the interface can act
as the DHCPv6 server to provide services for the DHCPv6 client.
2. Configure the DHCPv6 client (Requesting Router).
a. Enable the IPv6 packet forwarding function of NGFW_B, so that NGFW_B can send
and receive IPv6 packets.
b. Enable the DHCPv6 client function and set an IPv6 address for interface
GigabitEthernet 1/0/2, so that the interface can act as the DHCPv6 client to obtain
information assigned by the DHCPv6 server.
c. Set an IPv6 address and configure Neighbor Discovery (ND), so that the interface can
assign prefixes to PCs.
Procedure
Step 1 Add interfaces to corresponding security zones and configure the security policy.
<NGFW_A> system-view
[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-trust] quit
[NGFW_A] security-policy
[NGFW_A-policy-security] rule name sec_policy_1
[NGFW_A-policy-security-rule-sec_policy_1] source-zone trust
[NGFW_A-policy-security-rule-sec_policy_1] source-zone local
[NGFW_A-policy-security-rule-sec_policy_1] destination-zone local
[NGFW_A-policy-security-rule-sec_policy_1] destination-zone trust
[NGFW_A-policy-security-rule-sec_policy_1] action permit
[NGFW_A-policy-security-rule-sec_policy_1] quit
[NGFW_A-policy-security] rule name sec_policy_2
[NGFW_A-policy-security-rule-sec_policy_2] source-zone trust
[NGFW_A-policy-security-rule-sec_policy_2] destination-zone dmz
[NGFW_A-policy-security-rule-sec_policy_2] action permit
[NGFW_A-policy-security-rule-sec_policy_2] quit
[NGFW_A-policy-security] quit
<NGFW_B> system-view
[NGFW_B] firewall zone trust
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/2
[NGFW_B-zone-trust] quit
# Enable the IPv6 packet forwarding function of NGFW_A.
NOTE
You can implement other IPv6 configurations only after the IPv6 packet forwarding function is enabled on the
device.
[NGFW_A] ipv6
# Configure the DHCPv6 prefix pool. Create delegation prefix pool pool111, assign prefix
2000::/32, and set the delegating prefix length to 33.
[NGFW_A] dhcpv6 prefix-pool delegation-prefix pool111
[NGFW_A-dhcpv6-prefix-pool-pool111] prefix 2000::/32
[NGFW_A-dhcpv6-prefix-pool-pool111] delegating-prefix-length 33
[NGFW_A-dhcpv6-prefix-pool-pool111] quit
# Configure the DHCPv6 address pool. Create address pool pool222, associate it with the
DHCPv6 prefix pool, and configure the information about the DNS server, SIP server, and SNTP
server to be assigned.
[NGFW_A] dhcpv6 pool pool222
[NGFW_A-dhcpv6-pool-pool222] prefix-pool pool111
[NGFW_A-dhcpv6-pool-pool222] dns-server 1::1
[NGFW_A-dhcpv6-pool-pool222] dns-search-list example.com
[NGFW_A-dhcpv6-pool-pool222] sip-server address 2::2
[NGFW_A-dhcpv6-pool-pool222] sntp-server 3::3
[NGFW_A-dhcpv6-pool-pool222] quit
# Configure the basic IPv6 function of interface GigabitEthernet 1/0/1 and associate it with the
DHCPv6 address pool.
1. Enable the DHCPv6 server function and set IPv6 addresses for the interface.
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] description connect-to-relay
[NGFW_A-GigabitEthernet1/0/1] ipv6 enable
[NGFW_A-GigabitEthernet1/0/1] dhcpv6 server enable
[NGFW_A-GigabitEthernet1/0/1] ipv6 address 3000::1/64
# Enable the IPv6 packet forwarding function of NGFW_B.
NOTE
You can implement other IPv6 configurations only after the IPv6 packet forwarding function is enabled on the
device.
[NGFW_B] ipv6
# Enable the DHCPv6 client function of interface GigabitEthernet 1/0/2, set the IPv6 address of
the interface, and configure the interface to save prefix 2000:0:8000::/33 obtained from the
server to prefix pool abc.
# Set the IPv6 address of interface GigabitEthernet 1/0/1 and configure ND.
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] description connect-to-pc
[NGFW_B-GigabitEthernet1/0/1] ipv6 enable
[NGFW_B-GigabitEthernet1/0/1] ipv6 address 2000::1/64
[NGFW_B-GigabitEthernet1/0/1] undo ipv6 nd ra halt
[NGFW_B-GigabitEthernet1/0/1] ipv6 nd ra prefix abc 3333::/64 500 300
----End
Configuration Verification
# On the PC, check whether an IPv6 global unicast address is automatically generated. This
example describes configurations on the PC installed with the Windows 7 Professional operating
system.
C:\> ipconfig/all
Windows IP Configuration
The displayed information shows that the client has obtained the IPv6 global unicast address
2000::8000:3333:613f:773e:a9af:b520.
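An added example (not from the Huawei guide) that models the delegation pool configured above (pool111 = 2000::/32 handed out in /33 blocks) and checks which delegated prefix the PC's address came from; the lowest-free-prefix allocation order and the client DUIDs are assumptions.

```python
"""Model of the DHCPv6 prefix delegation pool configured on NGFW_A above.
Added illustration, not Huawei code. Assumption: prefixes are delegated in
ascending order; 2000:0:8000::/33 (the prefix NGFW_B obtains in the text) is
therefore the second /33 of the pool."""
import ipaddress
from typing import Dict, List, Optional

IPv6Net = ipaddress.IPv6Network


class DelegationPool:
    """Hands out fixed-length prefixes from a delegation prefix pool
    (dhcpv6 prefix-pool delegation-prefix + delegating-prefix-length)."""

    def __init__(self, pool_prefix: str, delegating_len: int) -> None:
        pool = IPv6Net(pool_prefix)
        if delegating_len < pool.prefixlen:
            raise ValueError("delegating-prefix-length must not be shorter than the pool prefix")
        self.pool = pool
        # All /delegating_len blocks inside the pool, lowest first.
        self.free: List[IPv6Net] = list(pool.subnets(new_prefix=delegating_len))
        self.leases: Dict[str, IPv6Net] = {}   # requesting router DUID -> delegated prefix

    def capacity(self) -> int:
        """Prefixes the pool can delegate in total: 2^(delegating_len - pool_len)."""
        return len(self.free) + len(self.leases)

    def delegate(self, duid: str) -> Optional[IPv6Net]:
        """Prefix for this requesting router; an existing lease is reused.
        Returns None when every block of the pool is already delegated."""
        if duid in self.leases:
            return self.leases[duid]
        if not self.free:
            return None
        prefix = self.free.pop(0)
        self.leases[duid] = prefix
        return prefix

    def owner_of(self, address: str) -> Optional[str]:
        """DUID whose delegated prefix contains the address (None if no lease matches)."""
        addr = ipaddress.IPv6Address(address)
        for duid, prefix in self.leases.items():
            if addr in prefix:
                return duid
        return None


def lan_prefix(address: str, length: int = 64) -> IPv6Net:
    """The on-link prefix a host address belongs to (what the relay advertised in its RA)."""
    return ipaddress.IPv6Interface(f"{address}/{length}").network


if __name__ == "__main__":
    pool = DelegationPool("2000::/32", 33)
    # Constructed DUIDs: two requesting routers exhaust a /32 pool split into /33s.
    print(pool.capacity(), pool.delegate("duid-relay-1"), pool.delegate("duid-relay-2"))
    print(pool.delegate("duid-relay-3"))          # None: pool exhausted
    pc = "2000::8000:3333:613f:773e:a9af:b520"      # address from the verification above
    print(lan_prefix(pc), pool.owner_of(pc))       # 2000:0:8000:3333::/64 duid-relay-2
```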
Configuration Scripts
Configuration script of NGFW_A:
#
ipv6
#
sysname NGFW_A
#
interface GigabitEthernet1/0/1
description connect-to-relay
ipv6 enable
ipv6 address 3000::1 64
dhcpv6 server enable
dhcpv6 pool pool222
#
dhcpv6 prefix-pool delegation-prefix pool111
prefix 2000::/32
delegating-prefix-length 33
#
dhcpv6 pool pool222
dns-search-list example.com
dns-server 1::1
sip-server address 2::2
sntp-server 3::3
prefix pool111
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
security-policy
rule name sec_policy_1
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
rule name sec_policy_2
source-zone trust
destination-zone dmz
action permit
#
return
Networking Requirements
The PC shown in Figure 8-64 runs Windows 7 Professional. NGFW_A functions as a DHCPv6
server, which assigns information to the PC. NGFW_B functions as a DHCPv6 relay agent,
which relays information between the PC and the DHCPv6 server.
Figure 8-64 Network diagram for configuring a NGFW as a DHCPv6 relay agent (diagram not reproduced): the PC sits in the Trust zone of NGFW_B; NGFW_B (DHCPv6 relay) connects the PC on GE1/0/1 (2000::1/64) and NGFW_A on GE1/0/2 over the 3000::/64 link; NGFW_A (DHCPv6 server) has GE1/0/1 3000::1/64 in the Trust zone and GE1/0/2 3001::1/64 in the DMZ, where the DNS server (3001::2), SIP server (3001::3) and SNTP server (3001::4) for domain example.com reside; an IPv6 network is reached through the Untrust zone.
Configuration Roadmap
The configuration roadmap is as follows:
b. Configure a DHCPv6 address pool, associate it with the DHCPv6 prefix pool, and
define the parameters, such as a DNS server address, that the DHCPv6 server can assign
to a DHCPv6 client.
c. Configure security policies.
2. Configure DHCPv6 relay.
a. Configure GigabitEthernet 1/0/2 to communicate with the DHCPv6 server.
b. Enable DHCPv6 relay on GigabitEthernet 1/0/1 and specify a DHCPv6 server address
to enable GigabitEthernet 1/0/1 to properly relay packets from the PC to the DHCPv6
server.
c. Configure security policies.
Procedure
Step 1 Choose Dashboard > System Information and enable IPv6 globally to allow the NGFW to
forward IPv6 packets.
Zone trust
Mode Route
IPv6
IP Address 3000::2/64
c. Click OK.
2. Configure GigabitEthernet 1/0/2.
a. Choose Network > Interface.
b. Click and set the following parameters for GE1/0/2.
Zone dmz
Mode Route
IPv6
IP Address 3001::1/64
c. Click OK.
3. Configure a DHCPv6 server.
a. Choose Network > DHCP Server > Settings.
b. Click Add.
c. Set the following parameters.
Type IPv6
Prefix 2000::/32
f. Click OK.
g. In Advanced, set the following parameters.
h. Click OK.
4. Configure a security policy to allow the PC to access a server in the DMZ and an IPv6
network in the Untrust zone.
a. Choose Policy > Security Policy > Security Policy.
b. Click Add and set the following parameters.
The following example provides basic security policy parameters. You can set other
parameters as needed.
Name policy_sec_1
Action Permit
c. Click OK.
Zone trust
Mode Route
IPv6
IP Address 2000::1/64
c. Click OK.
2. Configure GigabitEthernet 1/0/2.
a. Choose Network > Interface.
b. Click and set the following parameters for GE1/0/2.
Zone untrust
Mode Route
IPv6
IP Address 3000::1/64
c. Click OK.
Type IPv6
d. Click OK.
4. Configure a security policy to allow the PC to access the IPv6 network in the Untrust zone.
a. Choose Policy > Security Policy > Security Policy.
b. Click Add and set the following parameters.
The following example provides basic security policy parameters. You can set other
parameters as needed.
Name policy_sec_1
Action Permit
c. Click OK.
----End
Configuration Verification
# On the PC, verify that an IPv6 global unicast address is automatically generated. The following
example uses configurations on a PC running Windows 7 Professional.
C:\> ipconfig/all
Windows IP Configuration
The preceding command output shows that the PC has obtained an IPv6 global unicast address
2000::448e:2cc2:8ce3:cbe5.
Configuration Scripts
Configuration script for NGFW_A:
#
ipv6
#
sysname NGFW_A
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 3000::1 64
dhcpv6 server enable
dhcpv6 pool gigabitethernet1_0_1
#
interface GigabitEthernet1/0/2
ipv6 enable
ipv6 address 3001::1 64
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
dhcpv6 prefix-pool address-prefix gigabitethernet1_0_1_1343810878
prefix 2000::/32
lifetime preferred-lifetime 1036800 valid-lifetime 1036800
#
dhcpv6 pool gigabitethernet1_0_1
dns-search-list example.com
dns-server 3001::2
sip-server address 3001::3
sntp-server 3001::4
prefix-pool gigabitethernet1_0_1_1343810878
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone dmz
destination-zone local
destination-zone untrust
action permit
#
return
l RFC 3736: Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6
l RFC 2462: IPv6 Stateless Address Autoconfiguration
l RFC 3633: IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6
8.6.1 Overview
This section describes link aggregation.
Definition
Link aggregation refers to the technology used to bundle multiple physical interfaces into a
logical Eth-Trunk interface to increase link bandwidth. Member interfaces can be classified
into active and inactive interfaces. Interfaces forwarding data are active interfaces, while
interfaces that do not forward data are inactive interfaces.
Purpose
Link aggregation increases the link bandwidth and reliability.
Link aggregation supports a higher transmission rate than a single interface without upgrading
interfaces (for example, using FE interfaces to replace GE interfaces), which reduces hardware
upgrade costs.
Link aggregation increases link reliability. If a member interface that is transmitting traffic goes
down, traffic can be switched to another active member interface.
NOTICE
You must configure link aggregation before connecting the cables; this prevents loops.
Figure (diagram not reproduced): NGFW_A and NGFW_B are connected by an Eth-Trunk whose member interfaces are Port1 and Port2 on each device.
The two member interfaces share the traffic load and back each other up, which prevents
congestion and improves link availability.
8.6.3 Mechanism
This section describes the link aggregation mechanism.
Introduction to LACP
Manual link aggregation, as a link aggregation technique, helps increase bandwidth by bundling
multiple physical interfaces into an Eth-Trunk interface. Nevertheless, the Eth-Trunk technique
is not good at fault detection. It can detect only link disconnections, but not other faults, such as
incorrect link connections. The Link Aggregation Control Protocol (LACP) is used to improve
fault tolerance of Eth-Trunk interfaces and supports M:N backup for Eth-Trunk interfaces, which
provides high reliability for trunk member links.
For instance, an aggregation link is established between NGFW_A and NGFW_B. Four Ethernet
interfaces are bundled into an Eth-Trunk interface and connect NGFW_A to interfaces on
NGFW_B. One Ethernet interface is incorrectly connected to an interface on NGFW_C. The
Eth-Trunk interface cannot detect the fault and sends data to NGFW_C. To prevent incorrect
data transmission, LACP can be enabled on both NGFWs. NGFW_A and NGFW_B then perform
LACP negotiation before exchanging data with each other.
Basic Concepts
LACP provides a standard negotiation mechanism for switching devices. This mechanism
ensures that switching devices automatically create and enable aggregated links. After
aggregated links are created, LACP maintains the link status. If the status of an aggregated link
changes, LACP automatically adjusts or disables the link.
l LACP system priority
An LACP system priority is configured to distinguish the priority levels of the devices on both
ends of a link. In static LACP mode, both devices must select the same active member
interfaces; an inconsistent selection causes the link aggregation group (LAG) to fail
to be established. To keep the active member interfaces consistent at both ends, set a higher
priority for one end (the actor). The other end (the partner) selects its active member interfaces
based on the actor's selection.
The smaller an LACP system priority value, the higher an LACP system priority. The device
with a smaller priority value functions as the actor. If the two ends of a link have the same
priority, the end with a lower MAC address functions as the actor.
l LACP interface priority
An LACP interface priority is set for a member interface to determine whether it can be
selected as an active member interface. The smaller the LACP interface priority value, the
higher the LACP interface priority.
l Active and inactive interfaces
Member interfaces can be classified into active and inactive interfaces. Active interfaces
forward services, but inactive interfaces do not.
If an active member link fails, a backup link changes from inactive to active.
l M:N backup
Interfaces working in static LACP mode negotiate parameters to determine active member
links. The static LACP mode is also called an M:N mode. M is the number of active links,
and N is the number of backup links. This mode provides high reliability and allows M
active links to load-balance services.
If one active link fails, LACP selects a backup link to replace the faulty link. This process
ensures that the actual bandwidth of the aggregated link remains the sum of the bandwidth of M
links.
l LACP preemption
This function ensures that an interface with the highest LACP priority can be an active
interface. When an interface with the highest priority becomes inactive due to a failure and
then recovers, the interface can become active if the LACP preemption function is enabled.
If the LACP preemption function is disabled, the interface cannot become active.
After member interfaces are added to a trunk interface in static LACP mode, each end sends
LACPDUs to inform the peer of its system priority, MAC address, member interface priorities,
interface numbers, and keys. After the peer receives the parameters, it compares them with local
parameters and selects interfaces that can be aggregated. Then, LACP negotiation is performed
to select active interfaces and links. Figure 8-66 shows the process for establishing active links.
Figure 8-66 Process for establishing active links (diagram not reproduced). NGFW_A: system priority 10, member interface priorities 1, 2, 3. NGFW_B: system priority 11, member interface priorities 3, 2, 1. Step 1: compare system priorities and determine the actor (NGFW_A becomes the actor, NGFW_B the partner). Step 2: select active interfaces according to the actor.
In static LACP mode, a link switchover is triggered if a device at one end detects one of the
following events:
l An active link goes Down.
l LACP detects a link fault.
l If LACP preemption is enabled, the priority of a backup interface is changed to be higher
than that of the current active interface.
The backup link with the highest priority is switched to the active mode and forwards data.
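An added example (not from the Huawei guide) that simulates the static LACP selection described above for the Figure 8-66 topology, including the M:N upper threshold, the lower threshold, link failure and preemption. Assumptions: member interfaces with the same number are cabled to each other, so the partner simply mirrors the actor's choice, and ties in interface priority are broken by the lower interface number.

```python
"""Simulation of static LACP actor election and active-link selection.
Added illustration, not Huawei code; the data model is an assumption."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Member:
    name: str           # e.g. "GE1/0/1"
    number: int         # position in the trunk, used as the tie-breaker (assumption)
    priority: int       # LACP interface priority (smaller value = higher priority)
    up: bool = True     # physical link state


@dataclass
class Device:
    name: str
    mac: str                          # e.g. "00e0-fc12-3456"
    system_priority: int              # LACP system priority (smaller value = higher priority)
    members: List[Member]
    max_active: Optional[int] = None  # 'max active-linknumber' (upper threshold); None = no limit
    least_active: int = 1             # 'least active-linknumber' (lower threshold)


def mac_value(mac: str) -> int:
    """Numeric value of a MAC address so that 'lower MAC address' can be compared."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def elect_actor(a: Device, b: Device) -> Device:
    """Lower LACP system priority wins; equal priorities fall back to the lower MAC."""
    return min((a, b), key=lambda d: (d.system_priority, mac_value(d.mac)))


def select_active(actor: Device, current: Optional[List[str]] = None,
                  preempt: bool = True) -> Tuple[List[str], List[str]]:
    """Return (active, backup) member names chosen by the actor.

    Up members are ranked by interface priority; at most max_active become
    active and the rest are backups (M:N). With preemption disabled, members
    that are already active keep their slot even if a recovered interface
    has a higher priority."""
    ranked = sorted((m for m in actor.members if m.up), key=lambda m: (m.priority, m.number))
    limit = len(ranked) if actor.max_active is None else actor.max_active
    if preempt or current is None:
        chosen = ranked[:limit]
    else:
        keep = [m for m in ranked if m.name in current][:limit]
        fill = [m for m in ranked if m not in keep][:limit - len(keep)]
        chosen = sorted(keep + fill, key=lambda m: (m.priority, m.number))
    active = [m.name for m in chosen]
    backup = [m.name for m in ranked if m.name not in active]
    return active, backup


def trunk_state(actor: Device, active: List[str]) -> str:
    """The Eth-Trunk goes Down when fewer members than the lower threshold are active."""
    return "Up" if len(active) >= actor.least_active else "Down"


def negotiate(a: Device, b: Device, current: Optional[List[str]] = None,
              preempt: bool = True) -> Dict[str, object]:
    """One negotiation round: elect the actor and let it pick the active links."""
    actor = elect_actor(a, b)
    partner = b if actor is a else a
    active, backup = select_active(actor, current, preempt)
    return {"actor": actor.name, "partner": partner.name, "active": active,
            "backup": backup, "state": trunk_state(actor, active)}


def set_link(dev: Device, name: str, up: bool) -> None:
    """Simulate a member link going Down (up=False) or recovering (up=True)."""
    for m in dev.members:
        if m.name == name:
            m.up = up


if __name__ == "__main__":
    # Constructed topology: Figure 8-66 priorities plus the 2:1 backup of the
    # LACP configuration example (three members, max active-linknumber 2).
    ngfw_a = Device("NGFW_A", "00e0-fc12-3456", 10,
                    [Member("GE1/0/1", 1, 1), Member("GE1/0/2", 2, 2), Member("GE1/0/3", 3, 3)],
                    max_active=2, least_active=2)
    ngfw_b = Device("NGFW_B", "00e0-fc65-4321", 11,
                    [Member("GE1/0/1", 1, 3), Member("GE1/0/2", 2, 2), Member("GE1/0/3", 3, 1)])
    r = negotiate(ngfw_a, ngfw_b)
    print(r)                               # actor NGFW_A; active GE1/0/1, GE1/0/2; backup GE1/0/3
    set_link(ngfw_a, "GE1/0/1", False)     # an active link fails: the backup takes over
    r = negotiate(ngfw_a, ngfw_b, r["active"])
    print(r)
    set_link(ngfw_a, "GE1/0/1", True)      # link recovers: only preemption restores it
    print(negotiate(ngfw_a, ngfw_b, r["active"], preempt=False))
    print(negotiate(ngfw_a, ngfw_b, r["active"], preempt=True))
```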
Context
Link aggregation can be classified into the following two types:
l Layer 3 link aggregation
An Eth-Trunk works at the network layer. The Eth-Trunk aggregates links and forwards
packets at the network layer.
l Layer 2 link aggregation
An Eth-Trunk works at the data link layer. The Eth-Trunk aggregates links and forwards
packets at the data link layer.
Procedure
Step 1 Access the system view.
system-view
NOTE
Step 4 Set the working mode of the Eth-Trunk interface to manual load balancing.
mode manual load-balance
----End
Follow-up Procedure
The IP address, maximum transmission unit (MTU), routing, and security functions are usually
configured to ensure proper packet forwarding on a Layer 3 Eth-Trunk. Their configuration
details are not provided here.
Prerequisites
The Eth-Trunk interface must be already created.
Context
The following restrictions must be met before member interfaces are added to an Eth-Trunk:
l Only Layer 3 Ethernet interfaces can be added to a Layer 3 Eth-Trunk interface. Only Layer
2 Ethernet interfaces can be added to a Layer 2 Eth-Trunk interface.
l Each Eth-Trunk interface can contain a maximum of eight physical member links. An
Ethernet interface can join only a single Eth-Trunk interface.
l When electrical and optical Ethernet interfaces are added to a single Eth-Trunk interface,
configure the link-layer attributes of the electrical interface to be the same as those of the
optical interface.
l Member interfaces cannot contain the security zone, VLAN, and IP address configurations
before being added to an Eth-Trunk interface.
l After an interface is added to an Eth-Trunk interface, some interface-specific services
cannot take effect. Re-enable them on the Eth-Trunk interface as required.
Procedure
Step 1 Access the system view.
system-view
----End
Follow-up Procedure
Run the display trunk-membership eth-trunk trunk-id command to display information about
Eth-Trunk member interfaces.
<NGFW> display trunk-membership eth-trunk 1
Trunk ID : 1
Used Status : VALID
TYPE : Ethernet
Working Mode : Load-balance
Working State : Normal
Number Of Ports In Trunk : 2
Number Of Up Ports In Trunk : 0
Operate Status : Down
Interface GigabitEthernet1/0/1, valid, operate down, weight=1,standby interface
NULL
Prerequisites
Before configuring a master/slave interface failover, you must add two member interfaces (and
you can add only two member interfaces) to an Eth-Trunk interface.
Context
After the master/slave failover is configured, traffic is forwarded by the master interface when
the master interface is working properly. If the master interface goes Down, traffic is switched
to the slave interface. The availability of the Eth-Trunk interface is improved.
NOTICE
Only Layer 3 Eth-Trunk interfaces support this function.
The master/slave interface failover can be implemented in the following two modes:
l auto: If a device detects that the link to the master interface is faulty or recovered, the
device automatically implements a switchover between master and slave interfaces.
l manual: If the link to the master interface is faulty or recovered, you need to manually
switch the data flow to the slave or master interface.
The default switchover mode is auto.
Procedure
Step 1 Access the system view.
system-view
Step 3 Configure the Eth-Trunk interface to work in master/slave mode and specify the master and
slave member interfaces.
port-master interface-type interface-number port-slave interface-type interface-number
2. Optional: Enable the preemption function for the master interface of the Eth-Trunk
interface.
port-master preempt enable
If preemption is disabled, the slave interface continues to forward traffic after the master
interface goes Up.
l Configuring manual switchover
1. Enable the manual switchover mode of an Eth-Trunk interface.
master-slave switch mode manual
2. Manually switch traffic and specify the master and slave interfaces.
switch data-flow to { master-port | slave-port }
----End
Context
Link aggregation can be classified into the following two types:
l Layer 3 link aggregation
An Eth-Trunk interface works at the network layer. The Eth-Trunk interface aggregates
links and forwards packets at the network layer.
l Layer 2 link aggregation
An Eth-Trunk interface works at the data link layer. The Eth-Trunk interface aggregates
links and forwards packets at the data link layer.
Procedure
Step 1 Access the system view.
system-view
NOTE
----End
Context
The system automatically negotiates and determines the actor and partner based on LACP
priorities. The lower the LACP system priority value, the higher the LACP system priority. The
device with the lower priority value functions as the actor. If the two ends have the same priority,
the device with the lower MAC address functions as the actor. If Layer 2 link aggregation is enabled, the
MAC address of the device is used. If Layer 3 link aggregation is enabled, the MAC address of
the Eth-Trunk interface is used.
Procedure
Step 1 Access the system view.
system-view
l active: the active mode, in which the local device sends LACPDUs.
l passive: the passive mode, in which the local device does not send LACPDUs.
Devices of two ends of an Eth-Trunk interface cannot be set to passive mode at the same time.
----End
Context
Eth-Trunk member interfaces work in either active or inactive state. An interface changes from
inactive to active only after the active interface fails.
A NGFW uses either of the following two methods to select active interfaces:
Procedure
Step 1 Display the system view.
system-view
By default, active interfaces are selected based on their LACP priority values.
This command takes effect only when the active interfaces are selected based on their LACP
priority values.
----End
Context
When an interface with the highest priority becomes inactive due to a failure and then recovers,
the interface can become an active interface if the LACP preemption function is enabled.
The LACP preemption delay is the period of time during which an inactive interface waits before
it becomes active. The LACP preemption delay can be set to prevent the unstable transmission
of the whole link caused by frequent link status changes.
To ensure the smooth running of an Eth-Trunk interface, simultaneously enable or disable the
LACP preemption function on both ends of the Eth-Trunk interface.
Procedure
Step 1 Access the system view.
system-view
If the LACP preemption delay of the local device differs from that of the remote device, the
local device uses the smaller value.
----End
Context
The following restrictions must be met before member interfaces are added to an Eth-Trunk:
l Only Layer 3 Ethernet interfaces can be added to a Layer 3 Eth-Trunk interface. Only Layer
2 Ethernet interfaces can be added to a Layer 2 Eth-Trunk interface.
l Each Eth-Trunk interface can contain a maximum of eight physical member links. An
Ethernet interface can join only a single Eth-Trunk interface.
l When electrical and optical Ethernet interfaces are added to a single Eth-Trunk interface,
configure the link-layer attributes of the electrical interface to be the same as those of the
optical interface.
l Member interfaces cannot contain the security zone, VLAN, and IP address configurations
before being added to an Eth-Trunk interface.
l After an interface is added to an Eth-Trunk interface, some interface-specific services
cannot take effect. Re-enable them on the Eth-Trunk interface as required.
Procedure
Step 1 Access the system view.
system-view
----End
Follow-up Procedure
Run the display trunk-membership eth-trunk trunk-id command to display information about
Eth-Trunk member interfaces.
<NGFW> display trunk-membership eth-trunk 1
Trunk ID : 1
Used Status : VALID
TYPE : Ethernet
Working Mode : Load-balance
Working State : Normal
Number Of Ports In Trunk : 2
Number Of Up Ports In Trunk : 0
Operate Status : Down
Interface GigabitEthernet1/0/1, valid, operate down, weight=1,standby interface
NULL
Context
A local end informs the peer end of the timeout interval using LACP packets, and the peer
end then adjusts the interval at which it sends LACP packets based on the received timeout interval.
If a local member interface does not receive LACP packets from the peer end before the
timeout interval elapses, the local interface goes Down and stops forwarding data. The local end
timeout interval falls into two types:
l Fast mode: LACP packets are sent every 1 second, and the timeout interval for receiving
LACP packets is 3 seconds.
l Slow mode: LACP packets are sent every 30 seconds, and the timeout interval for receiving
LACP packets is 90 seconds.
In fast mode, the two ends respond quickly, but more system resources are consumed.
In slow mode, the response is slower, and fewer system resources are consumed.
Procedure
Step 1 Access the system view.
system-view
Step 3 Set the timeout interval at which LACP packets are received.
lacp timeout { fast | slow }
----End
Context
Load balancing can be carried out in the following ways:
l Session-by-session load balancing:
– Layer-2 Eth-Trunk interface: Packets with the same source MAC address, destination
MAC address, source IP address, and destination IP address go through the same
member link.
– Layer-3 Eth-Trunk interface: Packets with the same source IP address and destination
IP address go through the same member link.
l Packet-by-packet load balancing: One packet travels out on one link and the next packet is
sent out on another link.
On an Eth-Trunk interface, the greater the proportion of the weight of a member interface to the
sum of weights of all member interfaces, the heavier the load over the member interface.
Procedure
l Configure the load-balancing mode.
1. Display the system view.
system-view
8.6.7 Setting Upper and Lower Thresholds for the Number of Active
Interfaces
By setting the upper and lower threshold for the number of active interfaces, you can flexibly
control the active interface selection of an Eth-Trunk interface.
Context
When the number of member interfaces in the Up state falls below the lower threshold, the Eth-
Trunk interface goes Down; otherwise, the Eth-Trunk interface goes Up.
When the number of member interfaces in the Up state exceeds the upper threshold, the remaining
interfaces function as backups; otherwise, there are no backup interfaces.
NOTICE
The upper threshold can be set only in static LACP mode. If the upper thresholds on both ends
are different, the smaller upper threshold takes effect.
The upper threshold must be greater than the lower threshold.
For static LACP link aggregation, the M:N backup can be implemented if the number of the
member interfaces added into the Eth-Trunk interface exceeds the upper threshold.
Procedure
Step 1 Access the system view.
system-view
----End
Action: Display statistics about sent and received LACP packets.
Command: display lacp statistics eth-trunk [ trunk-id [ interface interface-type interface-number ] ]
NOTICE
Cleared statistics cannot be restored. Exercise caution when performing the operation.
Table 8-106 lists the commands run in the user view to clear link aggregation statistics.
Action Command
Before enabling the debugging, you must run the terminal monitor command in the user view
to enable the terminal information display function and the terminal debugging command in the user
view to enable the terminal debugging information display function.
NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.
Action Command
Networking Requirements
A company has two branches on LAN 1 and LAN 2. LAN 1 is connected to NGFW_A, and
LAN 2 is connected to NGFW_B, as shown in Figure 8-67.
A large amount of traffic continuously goes between LAN 1 and LAN 2. Links can be bundled
into an Eth-Trunk interface to increase the link bandwidth. LAN 1 and LAN 2 are on the same
network segment 192.168.0.1/24.
Figure 8-67 (diagram not reproduced): NGFW_A and NGFW_B are connected by Eth-Trunk 1, whose member interfaces are GE1/0/1 and GE1/0/2 on each device (Untrust zone); GE1/0/3 on each device (Trust zone) connects to LAN 1 and LAN 2 respectively.
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a Layer-2 Eth-Trunk interface. Because LAN 1 and LAN 2 are on the same network
segment, the Layer-2 Eth-Trunk interface is used.
2. Switch a physical interface to Layer 2 mode and add the interface to the Eth-Trunk interface.
3. Assign interfaces to security zones and configure security policies.
Procedure
Step 1 Configure NGFW_A.
# Create a Layer-2 Eth-Trunk interface.
<NGFW_A> system-view
[NGFW_A] interface eth-trunk 1
[NGFW_A-Eth-Trunk1] portswitch
[NGFW_A-Eth-Trunk1] quit
[NGFW_A-zone-trust] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface eth-trunk 1
[NGFW_A-zone-untrust] quit
The configuration of NGFW_B is similar to that of NGFW_A. The configuration details are not
provided.
----End
Configuration Verification
View Eth-Trunk 1 information on NGFW_A.
<NGFW_A> display trunk-membership eth-trunk 1
Trunk ID : 1
Used Status : VALID
TYPE : Ethernet
Working Mode : Load-balance
Working State : Normal
Number Of Ports In Trunk : 2
Number Of Up Ports In Trunk : 2
Operate Status : Up
Interface GigabitEthernet1/0/1, valid, operate up, weight=1,standby interface NULL
The preceding output shows that GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 have
become member interfaces of Eth-Trunk 1.
Use a PC in LAN 1 and a PC in LAN 2 to ping each other. Check whether the two PCs can ping
each other. If they fail to ping each other, modify the configuration and try again.
Configuration Script
Configuration script for NGFW_A:
#
sysname NGFW_A
#
interface Eth-Trunk1
portswitch
port link-type access
#
interface GigabitEthernet1/0/1
portswitch
port link-type access
eth-trunk 1
interface GigabitEthernet1/0/2
portswitch
port link-type access
eth-trunk 1
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface Eth-Trunk1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
action permit
rule name policy_sec_2
source-zone untrust
destination-zone trust
action permit
#
return
Networking Requirements
A company has two branches: LAN 1 and LAN 2. LAN 1 and LAN 2 are connected by
NGFW_A and NGFW_B, as shown in Figure 8-68.
A large amount of traffic is continuously transmitted between LAN 1 and LAN 2. Link
aggregation needs to be configured to increase link bandwidth. Meanwhile, link aggregation in
LACP mode uses 2:1 backup to enhance reliability. LAN 1 is on the network segment
10.1.1.0/24, and LAN 2 is on the network segment 10.1.3.0/24.
Figure 8-68 (diagram not reproduced): NGFW_A connects LAN 1 (10.1.1.0/24) on GE1/0/4 (10.1.1.1/24, Trust zone) and NGFW_B over Eth-Trunk 1 (10.1.2.1/24, Untrust zone, members GE1/0/1 to GE1/0/3); NGFW_B connects NGFW_A over Eth-Trunk 1 (10.1.2.2/24, Untrust zone, members GE1/0/1 to GE1/0/3) and LAN 2 (10.1.3.0/24) on GE1/0/4 (10.1.3.1/24, Trust zone).
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a Layer 3 Eth-Trunk interface that connects LAN 1 and LAN 2 across network
segments.
2. Configure link aggregation in LACP mode.
3. Add physical interfaces to the Eth-Trunk interface.
4. Set the upper limit of active interfaces to 2 to implement 2:1 backup.
5. Assign interfaces to security zones and configure security policies.
6. Configure reachable routes.
Procedure
Step 1 Configure NGFW_A.
[NGFW_A] security-policy
[NGFW_A-policy-security] rule name policy_sec_1
[NGFW_A-policy-security-rule-policy_sec_1] source-zone trust
[NGFW_A-policy-security-rule-policy_sec_1] source-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_sec_1] destination-zone untrust
[NGFW_A-policy-security-rule-policy_sec_1] destination-address 10.1.3.0 24
[NGFW_A-policy-security-rule-policy_sec_1] action permit
[NGFW_A-policy-security-rule-policy_sec_1] quit
[NGFW_A-policy-security] rule name policy_sec_2
[NGFW_A-policy-security-rule-policy_sec_2] source-zone untrust
[NGFW_A-policy-security-rule-policy_sec_2] source-address 10.1.3.0 24
[NGFW_A-policy-security-rule-policy_sec_2] destination-zone trust
[NGFW_A-policy-security-rule-policy_sec_2] destination-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_sec_2] action permit
[NGFW_A-policy-security-rule-policy_sec_2] quit
# Configure routes.
[NGFW_A] ip route-static 0.0.0.0 0 10.1.2.2
----End
Configuration Verification
View Eth-Trunk 1 information. The following example uses the command output of
NGFW_A.
<NGFW_A> display trunk-membership eth-trunk 1
Trunk ID : 1
Used Status : VALID
TYPE : Ethernet
Working Mode : Load-balance
Working State : Normal
Number Of Ports In Trunk : 3
Number Of Up Ports In Trunk : 2
Operate Status : Up
Interface GigabitEthernet1/0/1, valid, operate up, weight=1,standby interface NULL
The Number Of Ports In Trunk field value is 3, and the Number Of Up Ports In Trunk field
value is 2, which matches the configured 2:1 backup.
Use a PC in LAN 1 and a PC in LAN 2 to ping each other. Check whether the two PCs can ping
each other. If the ping fails, modify the configuration and try again.
Configuration Scripts
Configuration script for NGFW_A:
#
sysname NGFW_A
#
interface Eth-Trunk1
ip address 10.1.2.1 255.255.255.0
mode lacp-static
max active-linknumber 2
#
interface GigabitEthernet1/0/4
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
eth-trunk 1
interface GigabitEthernet1/0/2
eth-trunk 1
interface GigabitEthernet1/0/3
eth-trunk 1
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/4
#
firewall zone untrust
set priority 5
add interface eth-trunk1
#
ip route-static 0.0.0.0 0 10.1.2.2
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.1.1.0 24
destination-address 10.1.3.0 24
action permit
rule name policy_sec_2
source-zone untrust
destination-zone trust
source-address 10.1.3.0 24
destination-address 10.1.1.0 24
action permit
#
return
Symptom
Figure 8-69 shows the typical networking of Eth-Trunk interfaces: the GE1/0/2 interfaces of two NGFWs are members of Eth-Trunk1, and one end uses the address 100.1.1.2/24 (diagram not reproduced).
Manual Eth-Trunk interfaces are disconnected on the network shown in Figure 8-69.
Possible Causes
The possible causes are as follows:
l Cause one: Ethernet interfaces on NGFWs on both ends are not directly connected using
cables.
l Cause two: The member Eth-Trunk interfaces on both ends are in the Down state at the
physical layer.
l Cause three: The number of member links in the Up state is less than the lower threshold.
l Cause four: The numbers of interfaces added to Eth-Trunk interfaces on both ends are
inconsistent.
Fault Diagnosis
Figure 8-70 shows the process for troubleshooting the disconnection between Eth-Trunk
interfaces.
Figure 8-70 (flowchart not reproduced): Are the Ethernet interfaces at both ends directly connected through the cable? If no, directly connect the Ethernet interfaces at both ends. Is the fault rectified? If yes, end; if no, seek technical support.
Procedure
l Cause one: Ethernet interfaces on NGFWs on both ends are not directly connected.
1. Check whether Ethernet interfaces on NGFWs on both ends are directly connected
using cables. If they are not connected, connect the Ethernet interfaces on two ends
using one cable.
NOTE
When the interfaces on both ends are directly connected, and the interfaces are in the Up state,
if you run the shutdown command on the Ethernet interface on one end, the status of the
Ethernet interface at the other end automatically changes from Up to Down.
l Cause two: The member Eth-Trunk interfaces on both ends are in the Down state at the
physical layer.
1. For details about how to troubleshoot Eth-Trunk interfaces, see 8.1.5.1 Physical
Status of an Electronic Ethernet Interface Cannot Be Up.
l Cause three: The number of member links in the Up state is less than the lower threshold.
In a single Eth-Trunk interface, the number of member links that are in the Up state affects
the status and bandwidth of the Eth-Trunk interface. When the number of member links in
the Up state is less than the lower threshold, the status of the Eth-Trunk interface goes
Down.
For example:
<NGFW> display trunk-membership eth-trunk 1
Trunk ID : 1
Used Status : VALID
TYPE : Ethernet
Working Mode : Load-balance
Working State : Normal
Number Of Ports In Trunk : 2
Number Of Up Ports In Trunk : 2
Operate Status : Up
Interface GigabitEthernet1/0/1, valid,selected,operate up,weight=1,standby interface NULL
The Number Of Up Ports In Trunk field shows that both member interfaces added to the Eth-
Trunk interface are in the Up state.
2. Run the display current-configuration interface Eth-Trunk command to display
the lower threshold configured on the Ethernet interface.
For example:
<NGFW> display current-configuration interface eth-trunk
#
interface Eth-Trunk1
 ip address 10.11.1.1 255.255.0.0
 least active-linknumber 2
#
The least active-linknumber line indicates the lower threshold on the number of member links of the Eth-Trunk interface that must be in the Up state.
3. If the number of member interfaces that are in the Up state is less than the lower
threshold, reduce the lower threshold.
l Cause four: The numbers of interfaces added to the Eth-Trunk interface are inconsistent.
1. As the Eth-Trunk interface must be configured symmetrically on devices on both ends,
run the display trunk-membership eth-trunk trunk-id command to display the
numbers of the members (that are in the Up state) of the Eth-Trunk interface on both
ends.
2. Check whether the numbers of the members that are in the Up state are consistent.
When the Ethernet interfaces on both ends are directly connected, the interfaces on
both ends are in the same physical state (both Up or both Down). Check whether each
Ethernet interface is added to the Eth-Trunk interface.
For example:
<NGFW> display trunk-membership eth-trunk 1
Trunk ID : 1
Used Status : VALID
TYPE : Ethernet
Working Mode : Load-balance
Working State : Normal
Number Of Ports In Trunk : 2
Number Of Up Ports In Trunk : 2
Operate Status : Up
Interface GigabitEthernet1/0/1, valid,selected,operate up,weight=1,standby interface NULL
The Number Of Up Ports In Trunk field shows that two member interfaces added to the Eth-Trunk interface are in the Up state.
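The checks for causes two to four above, as an added Python example that is not part of this guide or of the NGFW software: it parses sample command output written in the format of display trunk-membership and display current-configuration interface eth-trunk and maps the result onto the causes. The output text, interface names and the peer's member count are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample output in the format the guide shows for
# "display trunk-membership eth-trunk 1" on the local NGFW.
LOCAL_MEMBERSHIP = """\
Trunk ID : 1
Used Status : VALID
TYPE : Ethernet
Working Mode : Load-balance
Working State : Normal
Number Of Ports In Trunk : 2
Number Of Up Ports In Trunk : 1
Operate Status : Down
Interface GigabitEthernet1/0/1, valid,selected,operate up,weight=1,standby interface NULL
Interface GigabitEthernet1/0/2, valid,unselected,operate down,weight=1,standby interface NULL
"""

# Constructed sample output of "display current-configuration interface eth-trunk".
LOCAL_CONFIG = """\
#
interface Eth-Trunk1
 ip address 10.11.1.1 255.255.0.0
 least active-linknumber 2
#
"""

# Constructed output from the peer end: three members, all Up.
PEER_MEMBERSHIP = """\
Trunk ID : 1
Used Status : VALID
TYPE : Ethernet
Working Mode : Load-balance
Working State : Normal
Number Of Ports In Trunk : 3
Number Of Up Ports In Trunk : 3
Operate Status : Up
Interface GigabitEthernet1/0/1, valid,selected,operate up,weight=1,standby interface NULL
Interface GigabitEthernet1/0/2, valid,selected,operate up,weight=1,standby interface NULL
Interface GigabitEthernet1/0/3, valid,selected,operate up,weight=1,standby interface NULL
"""


@dataclass
class TrunkState:
    trunk_id: int
    ports: int
    up_ports: int
    operate_status: str
    down_members: List[str] = field(default_factory=list)


def parse_trunk_membership(text: str) -> TrunkState:
    """Parse the key/value block and the per-member lines of the command output."""
    fields = {}
    down_members = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface "):
            # "Interface GigabitEthernet1/0/1, valid,selected,operate up,..."
            name = line.split(",", 1)[0].split()[1]
            if "operate up" not in line:
                down_members.append(name)
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return TrunkState(
        trunk_id=int(fields["Trunk ID"]),
        ports=int(fields["Number Of Ports In Trunk"]),
        up_ports=int(fields["Number Of Up Ports In Trunk"]),
        operate_status=fields["Operate Status"],
        down_members=down_members,
    )


def parse_least_active_linknumber(config: str, default: int = 1) -> int:
    """Return the configured lower threshold; the guide states the default is 1."""
    match = re.search(r"^\s*least active-linknumber\s+(\d+)", config, re.MULTILINE)
    return int(match.group(1)) if match else default


def diagnose(local: TrunkState, threshold: int, peer: Optional[TrunkState] = None) -> List[str]:
    """Map the parsed state onto the guide's causes two to four."""
    findings = []
    if local.down_members:
        findings.append("cause two: member interface(s) physically Down: " + ", ".join(local.down_members))
    if local.up_ports < threshold:
        findings.append(f"cause three: {local.up_ports} Up member link(s) is below least active-linknumber {threshold}")
    if peer is not None and local.ports != peer.ports:
        findings.append(f"cause four: local Eth-Trunk has {local.ports} members, peer has {peer.ports}")
    return findings
```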
----End
Symptom
An Eth-Trunk link connects two devices that support LACP. When LACP runs on both devices,
the Eth-Trunk link cannot be Up.
Possible Causes
Cause one: The number of member interfaces is less than the lower threshold.
Cause two: The Eth-Trunk interfaces on both ends of the link are in passive mode and therefore
do not send LACP packets proactively.
Procedure
Step 1 Cause one: The number of member interfaces is less than the lower threshold.
Run the display trunk-membership eth-trunk command to display information about Eth-Trunk member interfaces.
Run the display this command in the Eth-Trunk interface view to view the lower threshold (the
default value is 1). Check whether the number of member interfaces is less than the lower
threshold.
l If the number of member interfaces is greater than the lower threshold, go to Cause two.
l If the number of member interfaces is less than the lower threshold, run the least active-linknumber command to change the lower threshold.
Step 2 Cause two: The Eth-Trunk interfaces on both ends of the link are in passive mode and therefore
do not send LACP packets proactively.
Run the display this command in the Eth-Trunk interface view to check whether the interfaces
on both ends are in passive mode.
----End
Symptom
No member interfaces of an Eth-Trunk interface working in LACP mode can become the active
interface.
Possible Causes
The configurations of the interfaces conflict. Therefore, some member interfaces cannot become
the active interfaces.
Procedure
Step 1 Check the interface configurations.
l The interface type must be the same. For example, GE interfaces can be bound only to GE
interfaces, not to 10GE interfaces.
Run the display this command in each interface view and check whether the interface
configurations are consistent. Modify the configuration if any inconsistency is found.
----End
IEEE 802.3AD: IEEE Std 802.3ad - 2005 IEEE Standard for Link Aggregation operation, Link
Aggregation Control, Link Aggregation Control Protocol, Marker protocol and Configuration
capabilities and restrictions
8.7 PPP
This section describes Point-to-Point Protocol (PPP) concepts and how to configure PPP.
8.7.1 Overview
The Point-to-Point Protocol (PPP) is a data link-layer protocol used to transmit and encapsulate
network layer packets on point-to-point (P2P) links.
Definition
A P2P connection is a simple WAN connection. Link layer protocols for PPP links are as follows:
l PPP: supports both synchronous and asynchronous transmission.
l High-level Data Link Control protocol (HDLC): only supports synchronous transmission.
l Link Control Protocol (LCP): used to establish, monitor, and terminate data links.
l Network Control Protocol (NCP): used to establish and configure different network layer
protocols and negotiate the format and type of packets transmitted over data links.
l Authentication protocols: include Password Authentication Protocol (PAP) and Challenge-Handshake Authentication Protocol (CHAP).
Objective
Located at the data link layer of the Open Systems Interconnection (OSI) model, PPP supports
both synchronous and asynchronous full-duplex links to transmit data. PPP is widely used because
it has the following advantages:
l Provides user authentication.
l Supports synchronous and asynchronous communications.
l Is easily expanded.
8.7.2 Mechanism
This section describes the mechanism of Point-to-Point Protocol (PPP).
l Link Control Protocol (LCP): establishes, monitors, and tears down PPP data links and
determines data link layer parameters, such as the maximum receive unit (MRU) and
authentication mode.
l Network Control Protocol (NCP): used by devices to negotiate formats and types of packets
transmitted on data links and IP addresses.
PPP-enabled devices on two ends of a link must send LCP packets to set up a P2P link.
After the LCP configuration parameters have been negotiated, the two communicating devices
choose the authentication mode according to the authentication parameters in the Configure-Request packets.
By default, the devices on the two ends do not authenticate each other. After the negotiation of
the LCP configuration parameters, the devices negotiate NCP configuration parameters without
any authentication. After all the negotiations, the two devices on the P2P link can transmit
network-layer packets, and the whole link is available.
A link is torn down and a PPP session ends if one of the following situations occurs:
l The device on either end receives an LCP or an NCP Terminate frame that aims at closing
the link.
l The physical layer cannot detect a carrier.
l The network administrator shuts down the link.
NCP does not have the capability to close a link. The packets used to close the link are generated
during the LCP negotiation phase or application session phase.
Figure 8-71 shows the setup process of a PPP session and status transition.
[Figure 8-71 (PPP phase transitions): Dead -(UP)-> Establish -(OPENED)-> Authenticate -(SUCCESS/NONE)-> Network -(CLOSING)-> Terminate -(DOWN)-> Dead; a FAIL in the Establish or Authenticate phase leads to Terminate.]
l The Link Establishment phase is the first phase to set up a PPP link.
l LCP negotiation is performed, during which the working mode, MRU, authentication
mode, magic number, and asynchronous character mapping are negotiated. The working
mode can be Single-link PPP (SP) or Multilink PPP (MP). If the LCP negotiation is
successful, the LCP status turns to Opened.
l If no authentication is configured, the communicating devices directly enter the NCP
negotiation phase. If authentication is configured, the communicating devices enter the
Authentication phase and perform CHAP or PAP authentication.
l If the authentication fails, the devices enter the Terminate phase and disconnect the link,
and the LCP status becomes Down. If the authentication is successful, the devices enter the
NCP negotiation phase. The LCP status remains Opened, while the NCP status changes
from Initial to Starting.
l The devices run an NCP protocol to negotiate parameters. The NCP suite includes the
Internet Protocol Control Protocol (IPCP), Multiprotocol Label Switching Control Protocol
(MPLSCP), and Open System Interconnection Control Protocol (OSICP). Devices run
IPCP to negotiate IP addresses. A network layer protocol is selected during NCP
negotiation. The network layer protocol sends packets over the PPP link only after
negotiation of the network layer protocol is successful.
l The PPP link remains Up until an LCP or NCP frame is generated to close the link or
traffic is interrupted.
After a link is torn down, the link returns to the Link Dead phase. In real-world situations,
this state does not last long and is only used to detect the existence of a peer device.
l Link Establishment phase
The Link Establishment phase is the most complex PPP phase.
The two devices on both ends of a PPP link exchange packets, which do not include network
layer protocol parameters. Both devices enter the Authentication or Network-Layer
Protocol phase.
In the Link Establishment phase, the LCP state machine changes twice:
– If the link is Up, the physical layer sends an Up event in a packet to the data link layer.
The data link layer changes the LCP status to Request-Sent. LCP then sends Configure-Request packets to configure a data link.
– After one end receives the Configure-Ack packet, the LCP status changes to Opened.
The link enters the next phase.
Note that the link configurations on both ends are mutually independent. In the Link
Establishment phase, devices discard non-LCP packets.
l Authentication phase
Authentication is performed before devices on both ends enter the Network-Layer Protocol
phase.
PPP authentication is disabled by default. To enable authentication, specify an
authentication protocol in the Link Establishment phase.
PPP authentication is used on the following two types of links:
– Non-leased lines between hosts and devices
– Leased lines
PPP provides the following two authentication modes:
– PAP: Password Authentication Protocol
– CHAP: Challenge-Handshake Authentication Protocol
The authentication mode used is determined based on negotiation performed during the
Link Establishment phase. Link quality detection is also performed in the Link
Establishment phase. According to the PPP protocol, detection delays the authentication
process within a specified period of time.
The link control protocol, authentication protocol, and quality detection packets are
supported in the Authentication phase. The packets of other types are discarded. If a device
receives a Configure-Request packet in the Authentication phase, the link restores the Link
Establishment phase.
l Network-Layer Protocol phase
Network protocols, such as IP, IPX, and AppleTalk, are negotiated using NCPs, which can
be enabled or disabled during any phase. After an NCP state machine turns to Opened, PPP
links can transmit network layer packets.
If a device receives a Configure-Request packet in the Network-Layer Protocol phase, the
device and its peer device enter the Link Establishment phase.
l Termination phase
PPP can terminate links at any time. In addition, a network administrator can manually
disconnect links. Carrier connection loss, authentication failures, or link-quality detection
failures can cause link disconnections. When devices exchange LCP Terminate frames
during the Link Establishment phase, the link in question is torn down. Therefore, NCP
does not need to close a PPP link.
PAP
PAP supports two-way handshake authentication and simple passwords. The authentication
process is performed in the Link Establishment phase.
After the Link Establishment phase is complete, the user name and password of a supplicant are
repeatedly sent to the authenticator until authentication is successful or the link is ended.
PAP authentication is the optimal option when a password transmitted in plain text must be used
to simulate logging into a remote host.
[Figure (PAP authentication): the authenticated end sends an Authenticate-Request to the authenticator, which replies with Authenticate-Ack or Authenticate-Nak.]
1. The supplicant sends the local user name and password to the authenticator.
2. The authenticator checks the user list for the user name and whether the password is correct
and returns an appropriate response.
PAP is an unsecured protocol. Simple passwords are sent over links. After a PPP link is
established, the supplicant repeatedly sends the user name and password until authentication is
complete, which could leave the system vulnerable to malicious attacks.
CHAP
CHAP is a three-way handshake authentication protocol. CHAP authentication only allows user
names to be transmitted over a network. Compared with PAP, CHAP provides higher security
because passwords are not transmitted.
CHAP authentication is generally performed before the link is set up. However, it can be
performed at any time using CHAP negotiation packets.
After the Link Establishment phase ends, an authenticator sends a Challenge packet to a
supplicant. After performing the "one-way hash" algorithm, the supplicant returns a calculated
value to the authenticator.
The authenticator compares the value it itself has calculated using the hash algorithm with the
value provided by the supplicant. If the two values match, authentication is successful. If the
values do not match, the authentication fails, and the link is torn down.
[Figure (CHAP authentication): the authenticator sends a Challenge to the authenticated end, which returns a Response; the authenticator replies with Success or Failure.]
CHAP authentication is performed in either of the following modes:
l Unidirectional: One end acts as the authenticator, while the other end acts as a supplicant.
l Bidirectional: Two ends act as both the authenticator and supplicant.
There are two possible scenarios for unidirectional CHAP authentication: the authenticator is
configured with a user name and the authenticator is not configured with a user name.
Configuring a user name for the authenticator is recommended for improved connection security.
l When the authenticator is configured with a user name, the authentication process is as
follows:
1. The authenticator sends a randomly generated Challenge packet and the host name to
the supplicant.
2. The supplicant searches for the local password in the local user list according to the
user name of the authenticator. Based on the found password and the Challenge packet,
a supplicant obtains a value calculated using the message digest algorithm 5 (MD5)
algorithm. The supplicant then sends its host name and the calculated value in a
response packet to the authenticator.
3. After receiving the response packet, the authenticator searches for the supplicant's
password in the local user list based on the supplicant's host name.
l When the authenticator is not configured with a user name, the authentication process is as
follows:
1. The authenticator sends the Challenge packet to a supplicant.
2. The supplicant uses the message digest algorithm 5 (MD5) algorithm to calculate a
value based on the local password and the Challenge packet. The supplicant then sends
its host name and the calculated value in a response packet to the authenticator.
3. The authenticator searches for the supplicant's password in the local user list based on
the supplicant's host name.
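The PAP and CHAP exchanges described in this section, as an added Python example that is not code from this guide or from the NGFW: it models PAP's Authenticate-Request/Ack/Nak, both unidirectional CHAP cases (authenticator with and without a configured user name), and checks which protocol places the password itself on the link. The user names, host names, passwords and packet field names are constructed; the Response value follows RFC 1994 (MD5 over Identifier, secret and Challenge).

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed local user list on the authenticator (supplicant host name -> password).
AUTHENTICATOR_USERS: Dict[str, bytes] = {"ngfw-b": b"peer-secret"}
# Constructed local user list on the supplicant, keyed by the authenticator's user name;
# used when the authenticator is configured with a user name.
SUPPLICANT_USERS: Dict[str, bytes] = {"ngfw-a": b"peer-secret"}


# ---- PAP: two-way handshake, the password travels inside the Authenticate-Request ----
def pap_authenticate_request(peer_id: str, password: bytes) -> dict:
    return {"code": "Authenticate-Request", "peer_id": peer_id, "password": password}


def pap_authenticator(request: dict, users: Dict[str, bytes]) -> str:
    """Look the user up in the local list and answer Ack or Nak."""
    expected = users.get(request["peer_id"])
    if expected is not None and hmac.compare_digest(expected, request["password"]):
        return "Authenticate-Ack"
    return "Authenticate-Nak"


# ---- CHAP: three-way handshake, only a one-way hash of the password crosses the link ----
def chap_response_value(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    # MD5 over Identifier || secret || Challenge value (RFC 1994).
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_challenge(authenticator_name: str, identifier: int, value: Optional[bytes] = None) -> dict:
    """Step 1: the authenticator sends a random Challenge and its host name (empty if none)."""
    return {"code": "Challenge", "id": identifier, "value": value or os.urandom(16), "name": authenticator_name}


def chap_response(challenge: dict, host_name: str, users: Dict[str, bytes],
                  default_secret: Optional[bytes]) -> dict:
    """Step 2: the supplicant picks the password by the authenticator's user name, or falls
    back to its interface password (ppp chap password) when no name was sent."""
    secret = users.get(challenge["name"]) if challenge["name"] else None
    if secret is None:
        secret = default_secret
    if secret is None:
        raise ValueError("no CHAP password available for this challenge")
    value = chap_response_value(challenge["id"], secret, challenge["value"])
    return {"code": "Response", "id": challenge["id"], "value": value, "name": host_name}


def chap_verify(challenge: dict, response: dict, users: Dict[str, bytes]) -> str:
    """Step 3: the authenticator recomputes the hash with the stored password and compares."""
    secret = users.get(response["name"])
    if secret is None or response["id"] != challenge["id"]:
        return "Failure"
    expected = chap_response_value(challenge["id"], secret, challenge["value"])
    return "Success" if hmac.compare_digest(expected, response["value"]) else "Failure"


def password_exposed(packet: dict, secret: bytes) -> bool:
    """True if the password itself appears in any field of the transmitted packet."""
    return any(isinstance(v, bytes) and secret in v for v in packet.values())


def run_pap() -> Tuple[str, bool]:
    request = pap_authenticate_request("ngfw-b", b"peer-secret")
    return pap_authenticator(request, AUTHENTICATOR_USERS), password_exposed(request, b"peer-secret")


def run_chap(authenticator_name: str, challenge_value: Optional[bytes] = None) -> Tuple[str, bool]:
    challenge = chap_challenge(authenticator_name, identifier=1, value=challenge_value)
    response = chap_response(challenge, "ngfw-b", SUPPLICANT_USERS, default_secret=b"peer-secret")
    return chap_verify(challenge, response, AUTHENTICATOR_USERS), password_exposed(response, b"peer-secret")
```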
Procedure
Step 1 Display the system view.
system-view
----End
Prerequisites
A NGFW functions as an authenticator and uses PAP to authenticate its peer. PAP authentication
is performed locally on the authenticator or on a remote authentication server. To implement
PAP authentication, configure user accounts and the authentication mode. If remote
authentication is used, configure an authentication server as well. For more information about
PAP authentication, see Users and Authentication.
Context
PAP uses simple passwords and is the least secure authentication protocol. After a PPP link is
established, the device to be authenticated repeatedly sends a user name and a password until
authentication is complete. During PAP authentication, the transmitted user name and password
are susceptible to interception.
Procedure
l Configure an authenticator to authenticate the peer end in PAP mode.
1. Display the system view.
system-view
3. Configure the local end to authenticate its peer end in PAP mode.
ppp authentication-mode [ chap ] pap
3. Enable the local end to be authenticated by the peer end in PAP mode and send a PAP
user name and a password.
Prerequisites
A NGFW functioning as an authenticator supports local and remote authentication. If local
authentication is used, you must configure a user account and an authentication mode. If remote
authentication is used, you must also configure an authentication server. For more information,
see Users and Authentication.
If the NGFW is a supplicant, you must configure a user name, authentication mode, and an
authentication server if a user name is configured on the authenticator. For more information,
see Users and Authentication.
Context
Devices enabled with CHAP authentication only transmit user names over a network. CHAP
supports higher security than the Password Authentication Protocol (PAP) because passwords
are not transmitted.
By default, Point-to-Point Protocol (PPP) packets are not authenticated using CHAP.
Procedure
l Configure an authenticator to use CHAP to authenticate the peer end when the user name
is specified.
NOTE
When an authenticator is configured with a user name, the authenticator must set the same password as that
configured on the authenticated end.
– Configure a NGFW that authenticates a peer end.
1. Display the system view.
system-view
l Configure the authenticator to authenticate the peer end in CHAP mode if the user name
is not specified.
During authentication, the authenticator searches locally configured AAA user names. If
the user name and password configured on the peer interface match those on the local end,
authentication succeeds.
– Configure a NGFW that authenticates a peer end.
1. Display the system view.
system-view
4. Set a password for the peer end to use CHAP to authenticate the local end.
ppp chap password cipher password
Context
l Negotiation timeout period: If no response is received from the peer end within a specified
interval during PPP negotiation, PPP resends a negotiation request.
l IP address negotiation: implemented in two modes based on device roles:
– Client: When PPP is enabled on an interface, the interface IP address is not specified,
and the IP address of the peer end is specified, you can configure the IP address
negotiation function for the local interface. The local interface is assigned an IP address
by the peer end during PPP negotiation. The configuration is applicable when a
NGFW accesses the Internet through an ISP network and obtains an IP address assigned
by the ISP.
– Server: Before a server assigns an IP address to a peer device, you must configure a
local IP address pool in the authentication domain view, specify the range of IP
addresses in the address pool, and determine the address pool used by an interface in
the interface view.
l DNS server address negotiation: You can implement both DNS server address negotiation
and PPP address negotiation on a NGFW simultaneously. The NGFW can be configured
with a DNS server address assigned by or provided for the peer end.
A network access server (NAS) can allocate IP addresses to PPP users through PPP address
negotiation. The address allocation rules are as follows:
In the above three cases, both the global address pool and the domain address pool are traversed once.
If all the addresses in the specified global address pool or domain address pool are used, the NAS no
longer traverses the address pool for an available IP address and directly returns the invalid IP address
0.0.0.0.
The following addresses cannot be configured as valid start or end addresses of an address pool:
l Class A addresses X.255.255.255 and X.0.0.0
l Class B addresses X.X.255.255 and X.X.0.0
l Class C addresses X.X.X.255 and X.X.X.0
If the address pool contains these addresses, the addresses cannot be allocated.
Procedure
l Set the negotiation timeout.
1. Access the system view.
system-view
2. Select either of the following methods to assign an IP address to the peer device.
– Configure a global IP address pool to assign IP addresses to PPP users.
a. Access the AAA view.
aaa
g. Prevent the client from using its own IP address when the server is
configured to assign an IP address to it.
ppp ipcp remote-address forced
h. Specify the IP address pool that is used when IP addresses are assigned to
users.
remote address pool [ pool-number ]
quit
g. Prevent the client from using its own IP address when the server is configured to
assign an IP address to it.
ppp ipcp remote-address forced
h. Specify the IP address pool that is used when IP addresses are assigned to
users.
remote address pool [ pool-number ]
– When the device serves as the client, perform the following steps:
1. Access the system view.
system-view
3. Specify the IP address of the DNS server for the peer end.
ppp ipcp dns primary-dns-address [ secondary-dns-address ]
By default, the NGFW does not provide the DNS server address for the peer end.
– When the device serves as the client, perform the following steps:
1. Access the system view.
system-view
3. Configure the local end to request the peer end for the IP address of the DNS server.
ppp ipcp dns request
4. Enable the device to use any DNS server address proposed by the peer end.
ppp ipcp dns admit-any
By default, the DNS server address proposed by the peer end is not accepted.
l Set the negotiation WINS server address.
1. Access the system view.
system-view
3. Enable the device to use any WINS server address proposed by the peer end.
ppp ipcp nbns request
By default, the device does not request the IP address of the WINS server from
the peer end.
Context
If the network delay is long or congestion is serious, you can lengthen the polling interval to
reduce network flapping.
During the settings of polling intervals, ensure that the settings on both ends are identical.
Procedure
Step 1 Access the system view.
system-view
----End
8.7.3.6 Preventing the Peer Host Route from Being Added to the Local Routing Table as a Direct Route
You can decide whether a peer host route is added to the local routing table as a direct route.
Context
A PPP link does not strictly require that the peer and local routes exist on the same network
segment. Two ends of the PPP link on different network segments can communicate. In addition,
the peer host route on a different network segment is automatically added to local routing table
of direct routes.
However, when one end is configured with an incorrect IP address, the other end automatically
adds the incorrect peer host route to the local routing table of direct routes. As a result, the
incorrect routing information is advertised across the network.
Procedure
Step 1 Access the system view.
system-view
Step 3 Prevent the peer host route from being added to the local routing table as a direct route.
ppp peer hostroute-suppress
NOTE
The local routing table does not contain the peer host route as a direct route after the ppp peer hostroute-suppress command is executed.
----End
You can display the PPP configurations by running the commands listed in Table 8-108 in any view.
Action Command
Before enabling the debugging, run the terminal monitor command in the user view to enable
terminal information display, and run the terminal debugging command in the user view to
enable terminal debugging information display.
NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.
Action Command
Enable the debugging of all PPP information.
debugging ppp all [ verbose ] [ interface interface-type interface-number ]
Enable the debugging of PPP control protocols.
debugging ppp { ccp | chap | ipcp | lcp | mplscp | osicp | pap } { all | error | event | packet [ verbose ] | state } [ interface interface-type interface-number ]
Enable the debugging of PPP EAP packets.
debugging ppp eap { all | error | event | packet | state }
Enable the debugging of PPP core events.
debugging ppp core event [ interface interface-type interface-number ]
8.8 PPPoE
This section describes Point-to-Point Protocol over Ethernet (PPPoE) concepts and how to
configure PPPoE, as well as provides configuration examples.
8.8.1 Overview
PPPoE describes the method used to set up PPPoE sessions and encapsulate Point-to-Point
Protocol (PPP) datagram over the Ethernet. These functions require a point-to-point (P2P)
relationship between the peers instead of the multi-point relationships that are available in the
Ethernet and other multi-access environments.
Definition
PPP provides a standard method for transporting multi-protocol datagrams over point-to-point
links. Although PPP is widely used, it does not apply to an Ethernet. Therefore, the PPPoE
technology was introduced. PPPoE is an extension to PPP and applies PPP to an Ethernet.
PPPoE connects a network of Ethernet hosts to a remote access device to gain access to the
Internet. PPPoE allows you to perform access control and accounting on a per-host basis. PPPoE
is widely used because it is highly cost-effective. A common application scenario for PPPoE is
constructing a network in a residential area.
Purpose
PPPoE performs the following functions when multiple users access a server using PPP links:
l Provides cost-effective access services for users and requires few or no configuration
changes. An Ethernet is the most cost-effective networking mode.
l Allows a service provider to connect multiple hosts at a remote site to the same access
server and supports access control and accounting functions in a way similar to dial-up
services using PPP.
PPPoE enables a bridged access server to connect multiple hosts on a network to a remote access
server.
NOTE
A NGFW currently supports IPv4 PPPoE server and client functions and IPv6 client functions.
8.8.2 Mechanism
This section describes the Point-to-Point Protocol over Ethernet (PPPoE) mechanism.
PPPoE works in the client/server mode. PPPoE provides point-to-point connectivity over
Ethernet networks by encapsulating PPP packets in Ethernet frames.
Figure 8-74 shows the process for establishing an IPv4 PPPoE connection.
[Figure 8-74 (IPv4 PPPoE connection setup): in the Discovery phase the host and the server exchange PADI, PADO, PADR, and PADS packets.]
Discovery Phase
After the Discovery phase is complete, both ends of a connection obtain the PPPoE Session_ID
and peer Ethernet address. The PPPoE Session_ID and peer Ethernet address together define a
unique PPPoE session.
1. A host broadcasts a PPPoE Active Discovery Initial (PADI) packet within a local Ethernet.
This packet contains service information required by the host.
NOTE
4. The server generates a unique session identifier to identify a PPPoE session. Then, the
server sends this session identifier in a PPPoE Active Discovery Session-confirmation
(PADS) packet to the host.
If the server successfully sends the PADS packet and the host receives it, both the server and
the host enter the PPPoE Session phase.
Session Phase
The host encapsulates a PPP packet as the payload of a PPPoE frame into an Ethernet frame
before sending the Ethernet frame to its peer. The Ethernet frame carries the Session_ID
determined in the Discovery phase and the peer MAC address. The PPP packet section in the frame
begins at the Protocol ID. Ethernet frames in the Session phase are unicast.
In the Session phase, either the host or server may send PPPoE Active Discovery Terminate
(PADT) packets to instruct the other to end this session.
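The Discovery and Session phases described above, as an added Python example that is not code from this guide or from the NGFW: it builds and parses PPPoE frames (Ethernet type 0x8863 for Discovery and 0x8864 for Session, the 6-byte PPPoE header with version/type, code, Session_ID and length, and the TLV tags of Discovery packets), runs a simulated PADI/PADO/PADR/PADS exchange, and rejects a Session frame that is not unicast. The MAC addresses, service name and session identifier are constructed.

```python
import struct
from typing import Dict, List, Tuple

ETHERTYPE_DISCOVERY = 0x8863   # PPPoE Discovery stage
ETHERTYPE_SESSION = 0x8864     # PPPoE Session stage
PPPOE_VER_TYPE = 0x11          # version 1, type 1
CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR", 0x65: "PADS", 0xA7: "PADT", 0x00: "SESSION"}
CODE_BY_NAME = {name: code for code, name in CODES.items()}
TAG_SERVICE_NAME, TAG_AC_NAME, TAG_HOST_UNIQ = 0x0101, 0x0102, 0x0103
BROADCAST = b"\xff" * 6

# Constructed MAC addresses for the host and the PPPoE server.
HOST_MAC = bytes.fromhex("020000000001")
SERVER_MAC = bytes.fromhex("020000000002")


def encode_tags(tags: List[Tuple[int, bytes]]) -> bytes:
    """Discovery payload: a sequence of TAG_TYPE (2 bytes), TAG_LENGTH (2 bytes), TAG_VALUE."""
    return b"".join(struct.pack("!HH", tag_type, len(value)) + value for tag_type, value in tags)


def decode_tags(payload: bytes) -> List[Tuple[int, bytes]]:
    tags, pos = [], 0
    while pos + 4 <= len(payload):
        tag_type, length = struct.unpack("!HH", payload[pos:pos + 4])
        value = payload[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("truncated PPPoE tag")
        tags.append((tag_type, value))
        pos += 4 + length
    return tags


def build_frame(dst: bytes, src: bytes, code_name: str, session_id: int, payload: bytes) -> bytes:
    code = CODE_BY_NAME[code_name]
    ethertype = ETHERTYPE_SESSION if code == 0 else ETHERTYPE_DISCOVERY
    header = struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(payload))
    return dst + src + struct.pack("!H", ethertype) + header + payload


def parse_frame(frame: bytes) -> Dict:
    """Parse Ethernet + PPPoE headers; Discovery frames yield tags, Session frames a PPP packet."""
    if len(frame) < 20:
        raise ValueError("frame too short for Ethernet + PPPoE headers")
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    ver_type, code, session_id, length = struct.unpack("!BBHH", frame[14:20])
    if ver_type != PPPOE_VER_TYPE:
        raise ValueError("unsupported PPPoE version/type")
    payload = frame[20:20 + length]
    if len(payload) != length:
        raise ValueError("PPPoE length field exceeds frame")
    info = {"dst": dst, "src": src, "code": CODES.get(code, code), "session_id": session_id}
    if ethertype == ETHERTYPE_DISCOVERY:
        info["tags"] = decode_tags(payload)
    elif ethertype == ETHERTYPE_SESSION:
        if code != 0 or dst == BROADCAST:
            raise ValueError("Session frames carry code 0 and are unicast")
        if len(payload) < 2:
            raise ValueError("Session payload lacks a PPP Protocol ID")
        (info["ppp_protocol"],) = struct.unpack("!H", payload[:2])   # PPP packet begins at the Protocol ID
        info["ppp_data"] = payload[2:]
    else:
        raise ValueError("not a PPPoE frame")
    return info


def discovery_exchange(service: bytes, assigned_session: int) -> List[Dict]:
    """Simulate PADI -> PADO -> PADR -> PADS and return the parsed frames in order."""
    host_uniq = b"\x00\x01"
    padi = build_frame(BROADCAST, HOST_MAC, "PADI", 0,
                       encode_tags([(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)]))
    pado = build_frame(HOST_MAC, SERVER_MAC, "PADO", 0,
                       encode_tags([(TAG_SERVICE_NAME, service), (TAG_AC_NAME, b"ngfw"), (TAG_HOST_UNIQ, host_uniq)]))
    padr = build_frame(SERVER_MAC, HOST_MAC, "PADR", 0,
                       encode_tags([(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)]))
    # PADS carries the unique session identifier generated by the server (step 4 above).
    pads = build_frame(HOST_MAC, SERVER_MAC, "PADS", assigned_session,
                       encode_tags([(TAG_SERVICE_NAME, service), (TAG_HOST_UNIQ, host_uniq)]))
    return [parse_frame(f) for f in (padi, pado, padr, pads)]


def session_frame(session_id: int, ppp_protocol: int, ppp_data: bytes) -> bytes:
    """Host-to-server Session frame: PPP packet (Protocol ID first) inside PPPoE inside Ethernet."""
    return build_frame(SERVER_MAC, HOST_MAC, "SESSION", session_id,
                       struct.pack("!H", ppp_protocol) + ppp_data)
```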
Prerequisites
PPPoE authentication works in either local or remote mode. You must configure a user account
and an authentication mode to implement authentication. If remote authentication is used, you
must also configure an authentication server. For more information, see Users and
Authentication.
A PPPoE server uses address pools to allocate IP addresses to many clients. The ip pool
command creates an address pool.
Context
You can use PPPoE to allow many hosts on a single Ethernet to connect to a peer server and
create PPPoE sessions to implement access control and the accounting.
NOTICE
A NGFW serves both as a PPPoE server to provide local access services and as a Layer 2
Tunneling Protocol (L2TP) access concentrator (LAC) to provide remote dial-up services. After
a PPPoE server is started and LAC configuration is implemented on the NGFW, L2TP
configuration takes precedence over PPPoE server configuration. For example, if a user name
is set to user123 in both L2TP and PPPoE configurations, the NGFW initiates a dial-up using
the user name user123 and performs L2TP authentication, not PPPoE authentication.
Procedure
Step 1 Configure a Virtual-Template (VT) interface.
A PPPoE server communicates with its clients using a VT interface. If no IP address is specified
on a client, the PPPoE server allocates an IP address to the client. The IP address to be allocated
must be specified on the VT interface.
1. Display the system view.
system-view
3. Set an IP address.
ip address ip-address { mask | mask-length }
7. Optional: Set an IP address of the DNS server for the peer end.
ppp ipcp dns primary-dns-address [ secondary-dns-address ]
The server name identifies a service type required by a client. If the server name is rejected by
the client, the client replies with service error information to the server. Upon receipt, the server
terminates the connection to the client.
l The interface must be bound to the VT interface before you configure the PPPoE server name
on the server interface.
l After specifying the PPPoE server name, restart the interface to allow the clients to be
reconnected.
----End
Context
After configuring PPPoE, configure PPPoE parameters as required to optimize links. The
configurations include:
l Log the PPPoE user status changes.
l Specify the maximum number of PPPoE sessions that can be set up using a local MAC
address.
l Specify the maximum number of PPPoE sessions that can be set up using a peer MAC
address.
l Specify the maximum number of PPPoE sessions that can be set up on the local system.
Procedure
l Log PPPoE user status changes.
1. Access the system view.
system-view
2. Specify the maximum number of sessions that can be created using a local MAC
address.
pppoe-server max-sessions local-mac number
l Set the maximum number of sessions that can be created using a local MAC address.
1. Access the system view.
system-view
2. Specify the maximum number of sessions that can be created using a local MAC
address.
pppoe-server max-sessions local-mac number
l Set the maximum number of sessions that can be created using a peer MAC address.
1. Access the system view.
system-view
2. Specify the maximum number of sessions that can be created using a peer MAC
address.
pppoe-server max-sessions remote-mac number
l Set the maximum number of sessions that can be created in the system.
1. Access the system view.
system-view
2. Specify the maximum number of sessions that can be created in the system.
pppoe-server max-sessions total number
----End
Context
Before establishing a PPPoE session, configure a dialer interface and its dialer bundle.
Each PPPoE session maps to a single dialer bundle, and each dialer bundle maps to a single
dialer interface. A PPPoE session can be created using a dialer interface.
Procedure
Step 1 Display the system view.
system-view
Step 4 It is recommended that both PAP and CHAP user names and passwords be specified on the
client. Configure an authentication mode using either of the following methods:
l Configure PAP authentication.
Specify a PAP user name and a password.
ppp pap local-user user-name password cipher password
– Set a password for the peer end to use CHAP to authenticate the local end.
ppp chap password cipher password
NOTE
The IP address negotiated by the device is a host IP address with a 32-bit mask. If the device needs to
communicate with other PPPoE clients, run the ip route-static command to manually configure the static
route to the network segment.
NOTE
The same group-number value must be specified in the dialer-rule and dialer-group commands.
Step 11 Create a PPPoE session and specify the dialer bundle for the session.
pppoe-client dial-bundle-number number [ no-hostuniq ] [ idle-timeout seconds
[ queue-length packets ] ] [ ipv4 | ipv6 ]
----End
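Step 4 leaves the choice between PAP and CHAP to the administrator, and the configuration example later in this section notes that PAP is not secure. The following Python script is an added example for this guide, not Huawei code: it builds the PAP Authenticate-Request (RFC 1334) and the CHAP Challenge and Response (RFC 1994, MD5 algorithm) for the user usera with password Password1 used in this section, shows what each exposes on the wire, and shows the caveat that still applies to CHAP: an eavesdropper holding a captured Identifier, Challenge and Response can test candidate secrets offline, so CHAP protects the secret in transit but not a weak secret. The PPP and PPPoE framing around the authentication packets is omitted, and the challenge value and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os
import struct
from typing import Iterable, Optional

PAP_AUTH_REQUEST = 1      # RFC 1334, section 2.2.1
CHAP_CHALLENGE = 1        # RFC 1994, section 4.1
CHAP_RESPONSE = 2


def pap_authenticate_request(identifier: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request: Code, Identifier, Length, Peer-ID-Length, Peer-ID,
    Passwd-Length, Password. The password travels in clear text."""
    payload = bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password
    return struct.pack("!BBH", PAP_AUTH_REQUEST, identifier, 4 + len(payload)) + payload


def chap_challenge(identifier: int, name: bytes, size: int = 16) -> bytes:
    """CHAP Challenge sent by the authenticator; the Value must be fresh and unpredictable."""
    value = os.urandom(size)
    header = struct.pack("!BBH", CHAP_CHALLENGE, identifier, 5 + size + len(name))
    return header + bytes([size]) + value + name


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 MD5 algorithm: Response Value = MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_response_packet(identifier: int, secret: bytes, challenge: bytes, name: bytes) -> bytes:
    """CHAP Response: Code, Identifier, Length, Value-Size, Value, Name. The secret never leaves the peer."""
    value = chap_response(identifier, secret, challenge)
    payload = bytes([len(value)]) + value + name
    return struct.pack("!BBH", CHAP_RESPONSE, identifier, 4 + len(payload)) + payload


def chap_verify(identifier: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator side: recompute and compare in constant time. A response recorded under
    another Identifier or Challenge does not verify, which is what defeats replay."""
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def chap_verify_packet(packet: bytes, secret: bytes, challenge: bytes) -> Optional[bytes]:
    """Parse a CHAP Response packet; return the peer Name on success, None on failure."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != CHAP_RESPONSE or length != len(packet):
        return None
    size = packet[4]
    value, name = packet[5:5 + size], packet[5 + size:]
    return name if chap_verify(identifier, secret, challenge, value) else None


def offline_guess(identifier: int, challenge: bytes, response: bytes,
                  wordlist: Iterable[bytes]) -> Optional[bytes]:
    """The caveat: whoever captured (Identifier, Challenge, Response) can test candidate
    secrets offline at MD5 speed. Choose PPP secrets that survive this."""
    for candidate in wordlist:
        if chap_response(identifier, candidate, challenge) == response:
            return candidate
    return None


if __name__ == "__main__":
    secret, user = b"Password1", b"usera"          # values from the example in this section
    pap = pap_authenticate_request(1, user, secret)
    print("PAP request exposes the password:", secret in pap)
    chal = chap_challenge(7, b"NGFW_B")
    value = chal[5:5 + chal[4]]
    resp = chap_response_packet(7, secret, value, user)
    print("CHAP response exposes the password:", secret in resp)
    print("authenticator accepts:", chap_verify_packet(resp, secret, value))
    print("offline guess from capture:", offline_guess(7, value, resp[5:21], [b"letmein", secret]))
```

Because the Identifier is hashed together with the challenge, the authenticator must never reuse an Identifier and Challenge pair for the same peer; the example's offline_guess also shows why a password such as Password1 is no safer under CHAP than under PAP once a session has been captured.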
Context
Before establishing a PPPoE session, configure a dialer interface and its dialer bundle.
Each PPPoE session maps to a single dialer bundle, and each dialer bundle maps to a single
dialer interface. A PPPoE session can be created using a dialer interface.
The way a dialer interface obtains an IPv6 address depends on the application scenario of an
IPv6 PPPoE client.
l When a device serves as a client that needs to access the Internet, the dialer interface can
obtain an IPv6 address using one of the following methods:
– Stateless address autoconfiguration
– DHCPv6
l When a device serves as a gateway, the device supports the following functions:
– (Optional) Obtains an IPv6 address using stateless address autoconfiguration.
– Obtains a prefix using DHCPv6-PD and assigns prefixes to intranet users.
Procedure
Step 1 Display the system view.
system-view
Step 2 Create a dialer interface and display the dialer interface view.
interface dialer number
Step 3 Configure an authentication mode. The server may use PAP or CHAP authentication.
Configuring both PAP and CHAP user names and passwords is recommended.
l Configure PAP authentication.
Specify a PAP user name and a password.
ppp pap local-user user-name password cipher password
– Configure the DHCPv6 client to obtain an IPv6 address from the server.
dhcpv6 client ia-address [ ipv6-address ] [ rapid-commit | unicast-option ] *
2. Configure the DHCPv6 client to obtain an IPv6 prefix from the server.
dhcpv6 client ia-prefix prefix-name prefix-name [ prefix-address/prefix-length ] [ rapid-commit | unicast-option ] *
----End
Follow-up Procedure
After the configurations are complete, the device obtains an IPv6 address or prefix.
l To view the obtained IPv6 address or prefix, run either of the following commands:
– display ipv6 auto-configuration prefix all: displays the IPv6 prefix and the derived
IPv6 address that the device uses stateless address autoconfiguration to obtain.
– display dhcpv6 client { all | interface interface-type interface-number }: displays the
IPv6 address that the device uses DHCPv6 to obtain.
l If the device serves as a gateway and uses DHCPv6-PD to obtain a prefix, the device uses
RA messages to assign prefixes to intranet users.
1. Run the display dhcpv6 client { all | interface interface-type interface-number }
command to view the IPv6 address obtained by the DHCPv6 client.
2. Run the undo ipv6 nd ra halt command in the interface view to enable RA
advertisement.
3. Run the ipv6 nd ra prefix { ipv6-address ipv6-prefix-length | [ prefix-name ] ipv6-prefix/ipv6-prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig ] [ off-link ] command in the interface view to configure a prefix in an RA message.
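The follow-up procedure above ties together three things the device does: it forms a stateless address from the prefix carried in the server's RA, it obtains a delegated prefix through DHCPv6-PD, and it advertises prefixes to intranet users with ipv6 nd ra prefix. The following Python script is an added example, not Huawei code, that shows these mechanisms directly: the modified EUI-64 interface identifier (RFC 4291) that turns a /64 prefix and the interface MAC address into the address that display ipv6 auto-configuration prefix shows, the carving of a delegated prefix into one /64 per intranet interface, and the encoding of the RA Prefix Information option (RFC 4861) with the valid and preferred lifetimes and the L (on-link) and A (autoconfig) flags that the off-link and no-autoconfig keywords clear. The MAC address, the delegated prefix and the lifetimes are example values.

```python
import ipaddress
import itertools
import struct
from typing import List


def modified_eui64(mac: str) -> int:
    """Interface identifier from a 48-bit MAC (RFC 4291, appendix A): insert ff:fe in the
    middle and flip the universal/local bit (bit 0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace("-", "").replace(":", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(iid, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Address a stateless-autoconfiguring interface derives from an RA prefix (RFC 4862)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with an EUI-64 identifier needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | modified_eui64(mac))


def link_local(mac: str) -> ipaddress.IPv6Address:
    """What 'ipv6 address auto link-local' produces for the dialer interface."""
    return slaac_address("fe80::/64", mac)


def carve_delegated_prefix(delegated: str, lan_count: int) -> List[str]:
    """Split the prefix obtained through DHCPv6-PD into one /64 per intranet interface."""
    net = ipaddress.IPv6Network(delegated, strict=False)
    if net.prefixlen > 64:
        raise ValueError("a delegated prefix longer than /64 cannot carry SLAAC subnets")
    lans = [str(s) for s in itertools.islice(net.subnets(new_prefix=64), lan_count)]
    if len(lans) < lan_count:
        raise ValueError(f"{delegated} only yields {len(lans)} /64 subnets")
    return lans


def ra_prefix_option(prefix: str, valid_lifetime: int, preferred_lifetime: int,
                     autoconfig: bool = True, on_link: bool = True) -> bytes:
    """RA Prefix Information option (RFC 4861, section 4.6.2): type 3, length 4 (32 bytes).
    'no-autoconfig' clears the A flag (0x40), 'off-link' clears the L flag (0x80)."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if preferred_lifetime > valid_lifetime:
        raise ValueError("preferred lifetime must not exceed valid lifetime")
    flags = (0x80 if on_link else 0) | (0x40 if autoconfig else 0)
    return struct.pack("!BBBBIII", 3, 4, net.prefixlen, flags,
                       valid_lifetime, preferred_lifetime, 0) + net.network_address.packed


if __name__ == "__main__":
    mac = "0018-82cf-ebed"                        # example MAC, written the way this guide prints MACs
    print("link-local       :", link_local(mac))
    print("SLAAC (3001::/64):", slaac_address("3001::/64", mac))
    for lan in carve_delegated_prefix("2001:db8:abcd::/48", 3):   # example delegated prefix
        print(lan, "->", ra_prefix_option(lan, 2592000, 604800).hex())
```

An EUI-64 derived address embeds the interface MAC and stays the same behind every prefix the device attaches to, which is why hosts usually prefer stable privacy identifiers (RFC 7217) or temporary addresses (RFC 4941); for a gateway that has to be reachable, the EUI-64 form shown here is the one the device reports.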
NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.
NOTICE
Cleared PPPoE statistics cannot be recovered. Exercise caution when performing this operation.
You can run the command in Table 8-112 in the user view to clear PPPoE statistics.
You can run the command in Table 8-113 in the user view to reset a PPPoE session.
Action: Reset a session on a PPPoE client and re-establish a session later.
Command: reset pppoe-client { all | dial-bundle-number number }
Networking Requirements
As shown in Figure 8-75, NGFW_A functions as a PPPoE client, and NGFW_B functions as a
PPPoE server. NGFW_B assigns an IP address to NGFW_A allowing PCs on networks A and
B to communicate.
NGFW_B (server) runs PAP to authenticate NGFW_A (client). The user name is set to usera,
and the password is set to Password1. NGFW_B assigns NGFW_A an IP address 10.2.0.2.
Figure 8-75 Networking diagram for configuring a PPPoE client: PC (Network A) -- GE1/0/3 10.3.0.1/24 NGFW_A (PPPoE client) GE1/0/1 -- GE1/0/1 NGFW_B (PPPoE server) GE1/0/3 10.4.0.1/24 -- PC (Network B)
Procedure
Step 1 # Configure NGFW_B.
# Configure interfaces and assign them to security zones.
<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_B-zone-untrust] quit
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.4.0.1 24
[NGFW_B-GigabitEthernet1/0/3] quit
NOTE
PAP is not a secure protocol, and CHAP is recommended.
[NGFW_B] interface virtual-template 1
[NGFW_B-Virtual-Template1] ppp authentication-mode pap
The command is used to configure the PPP authentication mode on the local end.
Confirm that the peer end adopts the corresponding PPP authentication. Continue[Y/
N]: y
[NGFW_B-Virtual-Template1] ip address 10.2.0.1 24
[NGFW_B-Virtual-Template1] remote address pool 1
[NGFW_B-Virtual-Template1] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface virtual-template 1
[NGFW_B-zone-untrust] quit
----End
Example
After completing the configuration, check statistics about PPPoE session packets.
l Check statistics about PPPoE packets of the PPPoE server.
[NGFW_B] display pppoe-server session all
 SID  Intf                 State  OIntf    RemMAC          LocMAC
   1  Virtual-Template1:0  UP     GE1/0/1  0022.a100.11ab  0018.82cf.ebed
Configuration Scripts
Configuration script for NGFW_A:
#
dialer-rule 1 ip permit
#
sysname NGFW_A
#
interface Dialer1
link-protocol ppp
ppp pap local-user usera password cipher %$%$UQ"HLOehx>*n^PPqyBQVaNE<%$%$
ip address ppp-negotiate
dialer user usera
dialer-group 1
dialer bundle 1
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv4
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface dialer 1
#
ip route-static 10.4.0.0 24 dialer 1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
destination-address 10.4.0.0 24
action permit
rule name policy_sec_2
source-zone untrust
destination-zone trust
source-address 10.4.0.0 24
destination-address 10.3.0.0 24
action permit
#
return
Networking Requirements
The NGFW shown in Figure 8-76 functions as an IPv6 PPPoE client and uses stateless address
autoconfiguration to obtain an IPv6 address from an IPv6 PPPoE server.
Figure 8-76 Networking diagram for configuring an IPv6 PPPoE client (stateless address autoconfiguration): NGFW (IPv6 PPPoE client) GE1/0/1 in zone Trust -- GE0/0/1 3001::1/64 IPv6 PPPoE server -- IPv6 network
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a PPPoE session and bind it to GigabitEthernet 1/0/1 of the NGFW to enable the
interface to access an IPv6 network.
2. Create a PPPoE user on a PPPoE server.
3. Enable stateless address autoconfiguration on NGFW so that a dialer interface can
automatically obtain an IPv6 address.
4. Configure a global unicast address for GigabitEthernet 1/0/1 on the PPPoE server and
enable RA advertisement to advertise the IPv6 prefix to GigabitEthernet 1/0/1 of the
NGFW using a router advertisement (RA) message.
Procedure
Step 1 Configure the NGFW.
# Configure the NGFW as an IPv6 PPPoE client.
<NGFW> system-view
[NGFW] interface Dialer1
[NGFW-Dialer1] link-protocol ppp
[NGFW-Dialer1] ppp pap local-user admin-example password cipher Admin@123
[NGFW-Dialer1] dialer user admin-example
[NGFW-Dialer1] dialer bundle 1
[NGFW-Dialer1] quit
# Enable IPv6.
[NGFW] ipv6
Step 2 Configure a PPPoE server. The actual configuration varies depending on devices.
# Create a PPPoE user and set the user name to admin-example and the password to
Admin@123, which are the same as those specified on the PPPoE client.
# Set the global unicast address to 3001::1/64 for the interface that directly connects the PPPoE
server to the PPPoE client.
# Enable RA message advertisement.
----End
Configuration Verification
1. After completing the configuration, run the display ipv6 auto-configuration prefix
command on the NGFW. The NGFW has obtained an IPv6 address with the prefix
3001::/64.
2. The PPPoE client can access the IPv6 network.
Configuration Script
#
sysname NGFW
#
ipv6
#
interface Dialer1
link-protocol ppp
ppp pap local-user admin-example password cipher (TT8F]Y\5SQ=^Q`MAF4<1!!
dialer user admin-example
dialer bundle 1
ipv6 enable
ipv6 address auto link-local
ipv6 address autoconfig
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv6
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface Dialer 1
#
return
8.8.7.3 Example for Configuring an IPv6 PPPoE Client for DHCPv6-PD Address Assignment
This section provides an example of configuring an IPv6 PPPoE client for DHCPv6-PD address
assignment. An NGFW functions as an IPv6 PPPoE client, obtains an IPv6 prefix, and assigns
the prefix to the PCs attached to it. After obtaining IPv6 addresses, the PCs can access IPv6
networks.
Networking Requirements
The NGFW shown in Figure 8-77 functions as an IPv6 PPPoE client and uses DHCPv6-PD to
obtain an IPv6 prefix from an IPv6 PPPoE server. The NGFW then connects PCs to the IPv6
network.
Figure 8-77 Networking diagram for configuring an IPv6 PPPoE client (for DHCPv6-PD address assignment): PC -- NGFW (IPv6 PPPoE client) -- IPv6 PPPoE server
Configuration Roadmap
The configuration roadmap is as follows:
1. Create a PPPoE session and bind it to GigabitEthernet 1/0/1 of the NGFW to enable the
interface to access an IPv6 network.
2. Create a PPPoE user on a PPPoE server.
3. Enable stateless address autoconfiguration and the DHCPv6 client on the NGFW so that the
dialer interface can obtain an IPv6 address and, through DHCPv6-PD, an IPv6 prefix, and
assign the prefix to the PCs on the intranet.
4. Configure an address pool on the PPPoE server for DHCPv6-PD address assignment.
Procedure
Step 1 Configure the NGFW.
# Enable IPv6.
[NGFW] ipv6
# Enable the DHCPv6 client to obtain IPv6 prefix 2001::1/64 and save the prefix in prefix pool
abc.
Step 2 Configure a PPPoE server. The configuration varies with devices. The configuration details are
not provided.
# Create a PPPoE user with a user name admin-example and a password Admin@123, which
are the same as those on the PPPoE client.
# Configure a delegated prefix pool.
----End
Configuration Verification
1. If the configurations are successful, a PC can obtain an IPv6 address with the prefix 2001::.
2. Check whether a PC can access the IPv6 network. If the PC can access the IPv6 network,
the configuration is successful. If the PC fails to access the IPv6 network, modify the
configuration and try again.
Configuration Script
#
sysname NGFW
#
ipv6
#
interface Dialer1
link-protocol ppp
ppp pap local-user admin-example password cipher (TT8F]Y\5SQ=^Q`MAF4<1!!
dialer user admin-example
dialer bundle 1
ipv6 enable
ipv6 address auto link-local
ipv6 address autoconfig
dhcpv6 client enable
dhcpv6 client ia-prefix prefix-name abc 2001::1/64
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv6
#
interface GigabitEthernet1/0/3
undo ipv6 nd ra halt
ipv6 nd ra prefix abc 2001::1/64
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface Dialer 1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
action permit
rule name policy_sec_2
source-zone untrust
destination-zone trust
action permit
#
return
8.9.1 Overview
A MAC address table is an interface-based Layer 2 forwarding table. It stores information about
the MAC addresses learned by or configured on a device.
l Static MAC address entry: manually configured. It can be added or deleted manually and
never ages. Using static MAC address entries reduces the flooding of frames to unknown
destinations. Static MAC address entries apply to networks where devices are seldom changed.
l Dynamic MAC address entry: created by manual configuration or learned by the device from
the source MAC addresses of received frames. It ages after the specified aging time elapses.
l Blackhole MAC address entry: a special type of manually configured MAC address entry.
After receiving a frame whose source or destination MAC address is a blackhole MAC
address, the device discards the frame.
Table 8-114 lists the classifications and features of MAC address entries.
Figure 8-78 shows how the NGFW learns MAC addresses. In the MAC address table on the
NGFW, MAC A and MAC B map to port 1, and MAC C and MAC D map to port 2. A data
frame whose destination MAC address is MAC C and whose source MAC address is MAC A is
to travel from port 1 to port 2 on the NGFW.
1. When the data frame arrives at the NGFW, the NGFW analyzes the source MAC address
in the data frame and searches for the matching address in the MAC address table.
2. As the MAC address entry already exists in the MAC address table, the NGFW updates
the entry.
3. The NGFW then checks the destination MAC address of the data frame.
4. As the destination address entry also already exists in the MAC address table and maps to
port 2, the NGFW forwards the data frame through port 2.
Figure 8-78 MAC address learning on the NGFW: MAC A and MAC B on port 1, MAC C and MAC D on port 2
When forwarding packets, the NGFW takes the following measures based on the mapping
between the destination MAC address in the received packet and the entry in the MAC address
table:
l If a mapping entry exists, the NGFW directly forwards the packet through the
corresponding port.
l If no mapping entry exists, the NGFW floods the packet out of all other ports in the
broadcast domain. After the packet is flooded, one of the following occurs:
– The packet reaches the device with the destination MAC address. The destination device
replies, and the reply carries the MAC address of the destination device as its source
MAC address. After receiving the reply, the NGFW learns that source MAC address and
adds it to the MAC address table. Subsequent packets destined for that MAC address
are then forwarded directly based on the entry.
– The packet does not reach any device with the destination MAC address. No reply is
received, no entry is learned, and the NGFW continues to flood packets sent to that
MAC address.
Prerequisites
Interfaces mapped to the MAC addresses in the MAC address table work in Layer 2 mode.
Procedure
Step 1 Display the system view.
system-view
l To configure MAC address entries in the interface view, perform the following steps:
1. Display the interface view.
interface interface-type interface-number
The value can be 0s or ranges from 30s to 65535s. If the seconds parameter is set to 0, a MAC
address entry never ages.
----End
Context
A limit rule for learning dynamic MAC addresses applies to networks with a fixed set of access
users but weak security, such as a residential access network or an intranet that lacks security
management. The rule caps the number of stations an interface accepts, which bounds the damage
a MAC flooding attack can do to the table.
When the number of access users reaches the upper limit, the MAC addresses of new users are
not learned, and the packets of the new users are discarded.
NOTICE
Before configuring a limit rule for learning dynamic MAC addresses, if learned MAC addresses
exist on the port, run the undo mac-address dynamic command in the system view to clear the
MAC addresses. If this command is not run, the limit rule cannot function properly.
Procedure
Step 1 Access the system view.
system-view
----End
Action Command
Display the limit rules for learning display mac-limit [ interface-type interface-
MAC addresses. number ]
Networking Requirements
GigabitEthernet 1/0/3 on an NGFW works at Layer 2 and is connected to a server with MAC
address 00e0-fa33-dc51 on the network shown in Figure 8-79.
To prevent frames destined for the server from being flooded to every interface in the VLAN, a
static MAC address entry is configured on the NGFW. This entry maps MAC address
00e0-fa33-dc51 to GigabitEthernet 1/0/3 and VLAN 1, to which GigabitEthernet 1/0/3 is assigned.
The NGFW then sends frames destined for the server out of GigabitEthernet 1/0/3 only, and the
entry never ages.
Figure 8-79 Networking diagram for configuring a static MAC address entry: NGFW GE1/0/3 -- server (MAC 00e0-fa33-dc51)
Procedure
Step 1 Display the system view.
<NGFW> system-view
----End
Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/3
portswitch
port link-type access
mac-address static 00e0-fa33-dc51 GigabitEthernet1/0/3 vlan 1
#
return
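The overview in 8.9.1 (learning, forwarding and flooding), the limit rule for dynamic MAC address learning, and the static entry configured for the server in the example above all describe one table. The following Python script is an added example, not Huawei code, that models that table so the behaviour can be checked end to end: the frames from Figure 8-78 are forwarded or flooded, a static entry keeps frames for the server off other interfaces, blackhole entries discard frames in either direction, dynamic entries age, and a per-interface limit refuses new stations once the cap is reached and, as the NOTICE requires, cannot be applied while learned entries are still present on the interface. Port names, MAC addresses and the aging time are example values; how a real switch treats a frame whose source has a static entry on another port is not covered by the text and is left as "no update" here.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

STATIC, DYNAMIC, BLACKHOLE = "static", "dynamic", "blackhole"
BROADCAST = "ffff-ffff-ffff"


@dataclass
class MacEntry:
    port: Optional[str]        # None for blackhole entries, which have no egress
    kind: str
    last_seen: float = 0.0     # seconds; only consulted for dynamic entries


class MacTable:
    """Interface-based Layer 2 forwarding table of one device (example model)."""

    def __init__(self, ports, aging_time: float = 300):
        self.ports = frozenset(ports)
        self.aging_time = aging_time              # 0 means dynamic entries never age
        self.entries: Dict[str, MacEntry] = {}
        self.mac_limit: Dict[str, int] = {}       # per-interface cap on dynamic entries

    def add_static(self, mac: str, port: str) -> None:
        self.entries[mac] = MacEntry(port, STATIC)        # never ages, never relearned

    def add_blackhole(self, mac: str) -> None:
        self.entries[mac] = MacEntry(None, BLACKHOLE)

    def clear_dynamic(self) -> None:                      # what 'undo mac-address dynamic' does
        self.entries = {m: e for m, e in self.entries.items() if e.kind != DYNAMIC}

    def dynamic_count(self, port: str) -> int:
        return sum(1 for e in self.entries.values() if e.kind == DYNAMIC and e.port == port)

    def set_mac_limit(self, port: str, maximum: int) -> None:
        # The guide requires clearing learned entries before applying a limit; this
        # model refuses to apply one over existing entries rather than miscounting them.
        if self.dynamic_count(port):
            raise RuntimeError(f"{port} still has learned entries; run undo mac-address dynamic first")
        self.mac_limit[port] = maximum

    def age(self, now: float) -> None:
        if self.aging_time == 0:
            return
        self.entries = {m: e for m, e in self.entries.items()
                        if e.kind != DYNAMIC or now - e.last_seen < self.aging_time}

    def learn(self, src: str, in_port: str, now: float) -> bool:
        """Source MAC learning. Returns False when the limit rule rejects a new station."""
        entry = self.entries.get(src)
        if entry is None:
            limit = self.mac_limit.get(in_port)
            if limit is not None and self.dynamic_count(in_port) >= limit:
                return False
            self.entries[src] = MacEntry(in_port, DYNAMIC, now)
        elif entry.kind == DYNAMIC:
            entry.port, entry.last_seen = in_port, now  # refresh, or follow a station that moved
        return True

    def forward(self, src: str, dst: str, in_port: str, now: float = 0.0) -> Tuple[str, FrozenSet[str]]:
        """Return (decision, egress ports) for one frame received on in_port."""
        self.age(now)
        for addr in (src, dst):
            entry = self.entries.get(addr)
            if entry is not None and entry.kind == BLACKHOLE:
                return "drop-blackhole", frozenset()
        if not self.learn(src, in_port, now):
            return "drop-mac-limit", frozenset()      # a new user beyond the limit is discarded
        entry = self.entries.get(dst)
        if dst == BROADCAST or entry is None:
            return "flood", self.ports - {in_port}   # unknown unicast is flooded like broadcast
        return "forward", frozenset({entry.port})


if __name__ == "__main__":
    table = MacTable(["port1", "port2"])
    for mac, port in (("0000-0000-000a", "port1"), ("0000-0000-000b", "port1"),
                      ("0000-0000-000c", "port2"), ("0000-0000-000d", "port2")):
        table.learn(mac, port, 0.0)
    print(table.forward("0000-0000-000a", "0000-0000-000c", "port1", 1.0))   # Figure 8-78 case
    print(table.forward("0000-0000-000a", "0000-0000-00ee", "port1", 2.0))   # unknown: flooded
```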
8.10 ARP
This section describes Address Resolution Protocol (ARP) concepts and how to configure ARP,
as well as provides configuration examples.
8.10.1 Overview
The Address Resolution Protocol (ARP) operates at the link layer of the TCP/IP protocol suite and
must be supported by every Ethernet device. ARP dynamically maps Layer 3 IP addresses to Layer 2
Media Access Control (MAC) addresses.
Definition
ARP maps IP addresses to MAC addresses. ARP entries are classified as static and dynamic
ARP entries. In addition, ARP provides extension application functions, such as proxy ARP and
gratuitous ARP.
Objective
Each host or router in a local area network (LAN) has a 32-bit IP address for communicating
with other hosts. IP addresses are independent of hardware addresses. On an Ethernet, a host or
a router transmits Ethernet frames based on 48-bit MAC addresses. A MAC address is also called
a physical or hardware address; it is assigned to an Ethernet interface when the device is manufactured.
In actual networking, MAC and IP addresses must be mapped using an address resolution
mechanism.
l Dynamic ARP
ARP dynamically resolves an IP address into an Ethernet MAC address based on ARP
packets. No network administrator interference is required.
l Static ARP
Static ARP establishes a fixed mapping between the IP and MAC addresses, which cannot
be dynamically adjusted on a host or router. Network administrator interference is required.
l Proxy ARP
Also called routed proxy ARP. If a host is not configured with a default gateway address,
the host can send an ARP Request packet to request the destination host MAC address.
After the device enabled with proxy ARP receives the packet, it sends an ARP Reply packet
containing its own MAC address so that internal hosts on different physical networks but
on the same network segment can communicate.
l Gratuitous ARP
Gratuitous ARP detects duplicate IP addresses and announces a changed MAC address.
l Authorized ARP
Authorized ARP, valid on only devices enabled with the DHCP server function, applies
when the DHCP server and DHCP client reside on the same network segment to prevent
attackers from forging the IP addresses or MAC addresses of legitimate DHCP clients to
launch attacks.
8.10.2 Mechanism
This section describes the mechanism of the Address Resolution Protocol (ARP).
1. ARP request
Host A shown in Figure 8-80 knows only the IP address of host B. Host A broadcasts an
ARP request packet to request the MAC address of host B.
Figure 8-80 ARP request: host A broadcasts an ARP request on the Ethernet
2. ARP reply
All hosts on the network, including host B, receive the ARP request packet. Only host B
responds to the ARP request packet. Host B shown in Figure 8-81 sends an ARP reply
packet carrying a local MAC address to host A.
Host A obtains host B's MAC address and uses this MAC address to communicate with
host B.
Figure 8-81 ARP reply: host B sends a unicast ARP reply to host A
Static ARP
Static ARP supports fixed mappings between IP and MAC addresses. The hosts and routers
involved cannot change these mappings dynamically; static ARP entries are configured manually
by network administrators. Static ARP is typically used as follows:
l A gateway on a local network segment is bound to a fixed MAC address so that packets with
destination addresses on other network segments reach the real gateway.
l Packets with invalid IP addresses are filtered out by binding these IP addresses to a
nonexistent MAC address.
l IP addresses are bound to MAC addresses to defend against attacks, such as ARP flood
attacks.
Static ARP entries have a higher priority than dynamic ARP entries. When you configure a static
ARP entry for an IP address that maps to a dynamic ARP entry in the ARP table, the static ARP
entry replaces the dynamic ARP entry.
Proxy ARP
Proxy ARP is a technique by which a device on a given network answers the ARP queries for
a network address that is not on that network.
Proxy ARP has the following features:
l All processing is performed on the gateway that answers on behalf of the subnet. Hosts on
the networks need no change.
l Any host sees a standard IP network rather than a subnet.
l Proxy ARP affects only the ARP caches on hosts, not the ARP caches or routing tables on
gateways.
l After proxy ARP is enabled, set a short ARP aging time so that stale ARP entries are
invalidated quickly, reducing the number of packets that are sent to routers but cannot be
forwarded.
The NGFW supports two proxy ARP modes:
l Routed proxy ARP
Allows communication between hosts or routers in the same network segment but on
different physical networks.
In actual situations, if no default gateway address is set on a host connected to a router (the
proxy to this network is unknown), the router cannot forward data for this host. Routed
proxy ARP can resolve this issue. The host sends an ARP request (to request the MAC
address of the destination host), the proxy ARP-enabled router uses its MAC address to
return an ARP reply.
l Inner-VLAN proxy ARP
Allows communication between hosts or routers in the same VLAN configured with user
isolation.
If two users belong to one VLAN and the VLAN is configured with user isolation, inner-
VLAN proxy ARP must be enabled on the interface associated with the VLAN for
communication between the users.
As shown in Figure 8-82, HOST_A and HOST_B are attached to the NGFW. The interfaces
connecting the NGFW to the hosts belong to VLAN 10, and the hosts are isolated on the
switch. The hosts cannot communicate at Layer 2. You can enable inner-VLAN proxy ARP
on the interfaces of the NGFW to resolve this issue. If the NGFW receives an ARP request
that is not destined for itself, it does not discard the packet. Instead, it searches the ARP
table for an ARP entry related to HOST_B. If the ARP entry is found, the NGFW sends its
MAC address to HOST_A and forwards the packets from HOST_A to HOST_B. In this
manner, the NGFW serves as a proxy for HOST_B.
Figure 8-82 Inner-VLAN proxy ARP: NGFW GE1/0/2 (VLANIF10) -- switch with user isolation -- Host_A and Host_B in VLAN 10
Dynamic ARP
Dynamic ARP dynamically and automatically resolves IP addresses into Ethernet MAC
addresses. Dynamic ARP does not require the involvement of an administrator.
A NGFW creates or updates an ARP entry if a received ARP packet satisfies any of the following
conditions:
l The ARP packet carries a non-broadcast source address that is on the same network segment
as the inbound interface address. The ARP packet is bound for the IP address of the inbound
interface.
l The ARP packet carries a non-broadcast source address that is on the same network segment
as the inbound interface address. The ARP packet is bound for the virtual IP address of a
Virtual Router Redundancy Protocol (VRRP) backup group created on the inbound
interface.
l The ARP packet is bound for an address in a Network Address Translation (NAT) address
pool configured on the inbound interface.
If the source IP address of the received ARP packet maps to an ARP entry of the inbound
interface, the NGFW also updates the ARP entry.
Gratuitous ARP
Gratuitous ARP enables a device to send an ARP Request packet to its own IP address. Gratuitous
ARP provides the following functions:
l IP address conflicts: If a device receives no reply to a gratuitous ARP request packet, the
device has a unique IP address. If the device receives an ARP reply packet in response to
a gratuitous ARP request packet, there is an IP address conflict.
l New MAC address advertising: If a device has its NIC replaced and its MAC address is
changed, the device sends a gratuitous ARP to notify all hosts of the MAC address update
before the ARP entry aging time elapses.
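The mechanism, static ARP, dynamic ARP and gratuitous ARP subsections above describe how the NGFW builds and guards its ARP table. The following Python script is an added example, not Huawei code, that encodes ARP requests and replies (RFC 826 over Ethernet II), applies the acceptance conditions listed under Dynamic ARP (non-broadcast sender MAC, sender on the inbound interface's network segment, target being the interface address, a VRRP virtual address or a NAT pool address), refreshes an existing dynamic entry from any ARP packet carrying that source IP address, keeps static entries in preference to learned ones, and flags a gratuitous ARP that claims the interface's own address as an IP address conflict. Replaying an attacker's gratuitous ARP shows why the text recommends static entries for gateways: the dynamic entry is overwritten, the static one is not. The interface and gateway addresses are taken from the display arp output shown later in this section; the attacker MAC and the timestamps are constructed for the example, replies are sent only to requesters the learning rules accept (an assumption of this model), and unknown hosts are not learned from gratuitous ARP.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

ETH_P_ARP = 0x0806
BROADCAST = bytes.fromhex("ffffffffffff")
ARP_REQUEST, ARP_REPLY = 1, 2
STATIC, DYNAMIC, INTERFACE = "S", "D", "I"     # the TYPE column of 'display arp'


def mac(text: str) -> bytes:
    """'0022-a101-2259' (the notation this guide uses) or '00:22:a1:01:22:59' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", "").replace(".", ""))


def mac_text(raw: bytes) -> str:
    hexed = raw.hex()
    return "-".join(hexed[i:i + 4] for i in (0, 4, 8))


def build_arp(op: int, smac: bytes, sip: str, tmac: bytes, tip: str) -> bytes:
    """Ethernet II header plus ARP body. Requests go to ff-ff-ff-ff-ff-ff, replies are unicast."""
    eth = (BROADCAST if op == ARP_REQUEST else tmac) + smac + struct.pack("!H", ETH_P_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op, smac,
                       ipaddress.IPv4Address(sip).packed, tmac, ipaddress.IPv4Address(tip).packed)
    return eth + body


def parse_arp(frame: bytes) -> dict:
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    _, _, _, _, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "smac": smac, "sip": ipaddress.IPv4Address(sip),
            "tmac": tmac, "tip": ipaddress.IPv4Address(tip)}


@dataclass
class ArpEntry:
    mac: bytes
    kind: str
    expire: Optional[float]    # minutes, like the EXPIRE(M) column; None never ages


class ArpTable:
    """ARP table of one Layer 3 interface, following the rules given in the text."""

    def __init__(self, iface_ip: str, iface_mac: str, vrrp_vips=(), nat_pool=(), expire_min: float = 20):
        self.iface = ipaddress.IPv4Interface(iface_ip)
        self.mac = mac(iface_mac)
        # target addresses for which an ARP packet may create a new entry
        self.local_targets = {self.iface.ip, *map(ipaddress.IPv4Address, vrrp_vips),
                              *map(ipaddress.IPv4Address, nat_pool)}
        self.expire_min = expire_min
        self.entries: Dict[ipaddress.IPv4Address, ArpEntry] = {
            self.iface.ip: ArpEntry(self.mac, INTERFACE, None)}

    def add_static(self, ip: str, mac_str: str) -> None:
        self.entries[ipaddress.IPv4Address(ip)] = ArpEntry(mac(mac_str), STATIC, None)

    def lookup(self, ip: str) -> Optional[str]:
        entry = self.entries.get(ipaddress.IPv4Address(ip))
        return None if entry is None else mac_text(entry.mac)

    def _acceptable(self, a: dict) -> bool:
        return (a["smac"] != BROADCAST and a["sip"] in self.iface.network
                and a["tip"] in self.local_targets)

    def process(self, frame: bytes, now_min: float = 0.0) -> Tuple[str, Optional[bytes]]:
        """Feed one received frame; return (verdict, reply frame or None)."""
        a = parse_arp(frame)
        self.entries = {ip: e for ip, e in self.entries.items()
                        if e.expire is None or e.expire > now_min}
        if a["smac"] == BROADCAST:
            return "ignored", None
        gratuitous = a["sip"] == a["tip"]
        if gratuitous and a["sip"] == self.iface.ip and a["smac"] != self.mac:
            return "ip-conflict", None           # another station claims our address
        current = self.entries.get(a["sip"])
        if current is not None and current.kind != DYNAMIC:
            verdict = "static-kept"              # static and interface entries are never overwritten
        elif current is not None:
            current.mac = a["smac"]              # refreshed from any ARP packet, gratuitous included
            current.expire = now_min + self.expire_min
            verdict = "updated"
        elif self._acceptable(a):
            self.entries[a["sip"]] = ArpEntry(a["smac"], DYNAMIC, now_min + self.expire_min)
            verdict = "learned"
        else:
            verdict = "ignored"
        reply = None
        if a["op"] == ARP_REQUEST and a["tip"] == self.iface.ip and not gratuitous and self._acceptable(a):
            reply = build_arp(ARP_REPLY, self.mac, str(self.iface.ip), a["smac"], str(a["sip"]))
        return verdict, reply


if __name__ == "__main__":
    t = ArpTable("192.168.1.11/24", "0000-0a41-0201")
    gw, attacker = mac("0000-0a41-0200"), mac("0000-0a41-0bad")   # attacker MAC is constructed
    t.process(build_arp(ARP_REQUEST, gw, "192.168.1.1", bytes(6), "192.168.1.11"))
    print("gateway entry:", t.lookup("192.168.1.1"))
    t.process(build_arp(ARP_REQUEST, attacker, "192.168.1.1", bytes(6), "192.168.1.1"), 5)
    print("after attacker's gratuitous ARP:", t.lookup("192.168.1.1"))   # poisoned
    t.add_static("192.168.1.1", "0000-0a41-0200")
    t.process(build_arp(ARP_REQUEST, attacker, "192.168.1.1", bytes(6), "192.168.1.1"), 6)
    print("with a static entry:", t.lookup("192.168.1.1"))               # protected
```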
Authorized ARP
Authorized ARP allows a DHCP server to automatically add an ARP entry that contains the
MAC and IP addresses of the client after assigning an IP address to the client.
Context
A static ARP entry is manually added. It does not age and cannot be overwritten by a dynamic
ARP entry. Static ARP entries are valid as long as the device works properly.
Static ARP entries improve communication security. Static ARP entries ensure communication
between a local device and a specified device using the specified MAC address. Attackers cannot
modify the mapping between IP and MAC addresses in static ARP entries.
Procedure
Step 1 Access the system view.
system-view
l To configure a common static ARP entry in a virtual local area network (VLAN), perform
the following steps:
– Configure a static ARP entry.
arp static ip-address mac-address vid vlan-id
If the interface of a specified VLAN is bound to a virtual private network (VPN), the
device can automatically associate the configured static ARP entry with the VPN. This
command is applicable to port-based VLANs.
– Bind the static entry to a VPN instance.
arp static ip-address mac-address [ vpn-instance vpn-instance-name ] vid vlan-
id
This command is applicable to a sub-interface that supports VLAN and can be bound to
a VPN instance.
l To configure a static ARP entry in a VPN instance, run:
arp static ip-address mac-address vpn-instance vpn-instance-name
----End
Example
# Map the Ethernet MAC address 0022-a101-2259 to the IP address 192.168.0.1.
<NGFW> system-view
[NGFW] arp static 192.168.0.1 0022-a101-2259
Follow-up Procedure
Run the display arp static command to view the static ARP entry.
<NGFW> display arp static
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE  INTERFACE   VPN-INSTANCE  VLAN/PVC
------------------------------------------------------------------------------
192.168.0.1     0022-a101-2259            S
------------------------------------------------------------------------------
Total:1  Dynamic:0  Static:1  Interface:0  Authorized:0  SNMP:0
The TYPE field displays S, which indicates a static ARP entry. If the EXPIRE (M) field is null,
the entry does not age.
Context
If the device needs to update ARP entries frequently, reduce the aging timeout period of ARP
entries and increase the aging detection frequency.
Procedure
Step 1 Access the system view.
system-view
Step 3 Set the timeout period for aging dynamic ARP entries.
arp expire-time expire-times
Each time the aging time of a dynamic ARP entry elapses, the device sends an ARP probe packet
to the peer device. If the device does not receive an ARP Reply packet from the peer device after
sending a maximum number of probe packets, it deletes the ARP entry.
For example, the aging time of dynamic ARP entries is 60s, and the maximum number of ARP
probe packets to be sent is 6. After 60s since an ARP entry is generated, the device sends an
ARP probe packet every 5s. If the device does not receive any response after sending six ARP
probe packets, it deletes the ARP entry. Therefore, the actual aging time of the ARP entry is 90s
(60 + 6 x 5).
If the number of aging detection times is set to 0, the device deletes dynamic ARP entries
immediately when the entries age.
If the multicast MAC address learning function is disabled, the NGFW can learn only unicast
MAC addresses from ARP packets.
On the network shown in Figure 8-83, the NGFW works at Layer 3 and the switch works at
Layer 2. The server cluster has a virtual IP address and a virtual MAC address which is a multicast
address. The NGFW needs the virtual MAC address of the server cluster in order to forward
service packets from clients to the server cluster. Enable MAC address learning on interface
GigabitEthernet1/0/2 so that the NGFW can learn this address.
Figure 8-83 Learning the multicast virtual MAC address of a server cluster: client -- GE1/0/1 NGFW GE1/0/2 -- switch -- server cluster (virtual IP 10.10.10.1, virtual MAC 0100-5e00-0001)
To enhance network availability, you can deploy two NGFWs to implement dual-system hot
backup, as shown in Figure 8-84. A routing loop is formed if multicast MAC address learning
is enabled on the NGFWs in dual-system hot backup deployment. The following example
explains how the routing loop is formed on Switch_Active.
1. NGFW_Active (the active firewall) encapsulates a service packet from a client with the
virtual MAC address of the server cluster as the destination MAC address and forwards the
packet to Switch_Active.
2. Switch_Active floods this packet. Switch_Standby receives the flooded packet and
forwards it to NGFW_Standby (the standby firewall).
3. NGFW_Standby looks up the routing table and ARP table and sends the packet back to
Switch_Active.
4. Switch_Active receives the packet and floods it again. NGFW_Active then receives the
packet again.
This process repeats, and the same packet is sent back and forth between the active and
standby NGFWs, forming a loop. In addition, the server cluster receives duplicate packets
because Switch_Active floods the packet repeatedly.
Figure 8-84 Firewalls in dual-system hot backup learning the MAC address: client -- GE1/0/1 NGFW_Active and NGFW_Standby -- GE1/0/2 Switch_Active and Switch_Standby -- server cluster (virtual IP 10.10.10.1, virtual MAC 0100-5e00-0001)
To resolve the routing loop problem, configure MAC address-based packet filtering on both
active and standby NGFWs as follows:
1. Run the system-view command to access the system view.
2. Run the acl 4001 command to create a Layer 2 ACL and access the ACL view.
3. Run the rule deny dest-mac 0100-5e00-0001 FFFF-FFFF-FFFF command to create a
MAC address-based ACL rule.
The dest-mac parameter specifies the virtual MAC address of the server cluster; this
example uses 0100-5e00-0001. The mask FFFF-FFFF-FFFF selects all 48 bits for
comparison, that is, an exact match.
4. Run the interface GigabitEthernet 1/0/2 command to access the interface view.
5. Run the firewall ethernet-frame-filter 4001 inbound command to apply the MAC
address-based packet filter.
With the preceding configurations, the active and standby NGFWs drop, on GigabitEthernet
1/0/2, the looped frames from the switches that are destined for the cluster's virtual MAC
address, which breaks the loop.
----End
Follow-up Procedure
Run the display arp interface command to view all ARP entries on an interface.
<NGFW> display arp interface GigabitEthernet 1/0/2
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE  INTERFACE   VPN-INSTANCE  VLAN/PVC
------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I     GE1/0/2
192.168.1.1     0000-0a41-0200  15        D     GE1/0/2
-------------------------------------------------------------------------
Total:2  Dynamic:1  Static:0  Interface:1  Authorized:0  SNMP:0
If the TYPE field is I in an ARP entry, the entry contains the mapping between the local IP and
MAC addresses of the interface. If the EXPIRE (M) field is null, the entry does not age. If the
TYPE field is D, the entry is dynamically learned and expires after the number of minutes shown
in the EXPIRE (M) field, 15 in this output.
Prerequisites
Before configuring routed proxy ARP, set an IP address for the interface enabled with routed
proxy ARP. For details on how to set the IP address, see 8.1 Interface and Interface Pair.
The IP address of the interface must be in the same network segment as the IP address of the
LAN host connected to the interface.
Context
Two physical networks of an enterprise belong to one IP network but different subnets (separated
by a router). To allow communication between these physical networks, you can enable routed
proxy ARP on the interfaces connecting the router to the physical networks.
The network IDs in the IP addresses of hosts on the subnets must be the same. No default gateway
needs to be configured on the hosts.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number [ .subinterface-number ]
Step 3 Run:
arp-proxy enable
----End
Follow-up Procedure
Run the display arp interface command to view ARP entries on the interface.
<NGFW> display arp interface GigabitEthernet 1/0/2
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE  INTERFACE   VPN-INSTANCE  VLAN/PVC
------------------------------------------------------------------------
10.10.1.1       0022-a101-b5db            I     GE1/0/2
10.10.1.2       0021-97cf-2238  20        D     GE1/0/2
-------------------------------------------------------------------------
Total:2  Dynamic:1  Static:0  Interface:1  Authorized:0  SNMP:0
Prerequisites
Before configuring proxy ARP, set an IP address for the interface enabled with proxy ARP. For
details on how to set the IP address, see 8.1 Interface and Interface Pair.
The IP address of the interface must be in the same network segment as the IP address of the
LAN host connected to the interface.
Context
If two users belong to one VLAN and the VLAN is configured with user isolation, inner-VLAN
proxy ARP must be enabled on the interface associated with the VLAN for communication
between the users.
Procedure
Step 1 Run:
system-view
Step 2 Run:
interface interface-type interface-number [ .subinterface-number ]
Step 3 Run:
arp-proxy inner-sub-vlan-proxy enable
----End
Follow-up Procedure
Run the display arp interface command to view ARP entries on the interface.
<NGFW> display arp interface GigabitEthernet 1/0/2
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE  INTERFACE    VPN-INSTANCE  VLAN/PVC
------------------------------------------------------------------------
10.10.10.65     0022-a111-1112            I     GE1/0/2
10.10.10.1      0018-8244-5566  20        D     GE1/0/2
10.10.10.250    0018-8244-5566  20        D     GE1/0/2
-------------------------------------------------------------------------
Total:3 Dynamic:2 Static:0 Interface:1 Authorized:0 SNMP:0
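The reply decision behind the two proxy ARP modes described in this section (routed proxy ARP, which answers on behalf of hosts on another subnet, and inner-VLAN proxy ARP, which answers on behalf of port-isolated hosts in the same VLAN) is shown below as a Python model. This is an added example for this guide, not NGFW code. The interface names, routing table and ARP requests are constructed; the MAC addresses reuse values from the display arp outputs above. The routing lookup is a plain longest-prefix match, and the "do not answer if the route points back out the receiving interface" rule is the example's own sanity check.

```python
"""Proxy ARP reply decision: routed proxy ARP and inner-VLAN proxy ARP (added example, not NGFW code)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    mac: str
    cidr: str                       # interface address with prefix, e.g. "10.10.1.1/24"
    routed_proxy: bool = False      # arp-proxy enable
    inner_vlan_proxy: bool = False  # arp-proxy inner-sub-vlan-proxy enable

    @property
    def ip(self) -> ipaddress.IPv4Address:
        return ipaddress.ip_interface(self.cidr).ip

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_interface(self.cidr).network


@dataclass
class ArpRequest:
    rx_if: str        # interface the request arrived on
    sender_ip: str
    target_ip: str    # address the requester wants resolved


class ProxyArp:
    def __init__(self, interfaces: List[Interface], routes: List[Tuple[str, str]]):
        self.ifs = {i.name: i for i in interfaces}
        # routes: (prefix, outgoing interface); connected routes are derived from the interfaces
        self.routes = [(ipaddress.ip_network(p), out) for p, out in routes]
        self.routes += [(i.network, i.name) for i in interfaces]
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)  # longest prefix first

    def lookup(self, ip: ipaddress.IPv4Address) -> Optional[str]:
        """Outgoing interface for ip, or None if there is no route."""
        for net, out_if in self.routes:
            if ip in net:
                return out_if
        return None

    def reply_mac(self, req: ArpRequest) -> Optional[str]:
        """MAC to place in the ARP reply's sender field, or None when the device stays silent."""
        rx = self.ifs[req.rx_if]
        target = ipaddress.ip_address(req.target_ip)
        if target == rx.ip:
            return rx.mac                       # ordinary ARP: request for our own address
        if target in rx.network:
            # Target is on the requester's own segment. Normally the target answers itself;
            # only inner-VLAN proxy ARP makes the device answer, so isolated hosts can talk.
            return rx.mac if rx.inner_vlan_proxy else None
        if rx.routed_proxy:
            out_if = self.lookup(target)
            if out_if is not None and out_if != rx.name:   # reachable through another interface
                return rx.mac
        return None
```

In the routed case the requesting host believes the target is on its own LAN (no default gateway), so it ARPs for it; the device answers with the MAC of the receiving interface and then routes the traffic, which is exactly what the host's ARP table shows in the routed proxy ARP configuration example later in this section.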
Prerequisites
Before configuring gratuitous ARP, set the IP address of the interface enabled with gratuitous
ARP. For details on how to set the IP address, see 8.1 Interface and Interface Pair.
Context
If an ARP entry matches the source IP address of ARP packets, the device updates this dynamic
ARP entry, regardless of the learning of gratuitous ARP packets.
Procedure
Step 1 Access the system view.
system-view
----End
Prerequisites
Before configuring gratuitous ARP, set the IP address of the interface enabled with gratuitous
ARP. For details on how to set the IP address, see 8.1 Interface and Interface Pair.
Context
A device functions as a gateway to send gratuitous ARP packets (using the IP address of the
gateway as the destination IP address) to update the gateway MAC address of valid ARP entries,
which ensures that packets are forwarded to the gateway and prevents malicious interception by
attackers.
Procedure
Step 1 Access the system view.
system-view
After this function is enabled, the device sends gratuitous ARP packets every 60 seconds by
default. To customize the interval, set interval.
----End
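The packet behind this mechanism, and the check a LAN monitor can run against it, are shown below in Python. This is an added example for this guide, not NGFW code. build_garp() encodes a gratuitous ARP as a gateway would send it (sender IP and target IP both equal to the gateway IP, broadcast destination); check_garp() flags a gratuitous ARP that claims the gateway IP with a MAC other than the known gateway MAC, which is the interception the text above describes. The gateway MAC and IP reuse the GE1/0/2 values from the display arp output earlier in this section; the attacker MAC is constructed.

```python
"""Gratuitous ARP encoding and gateway-spoof check (added example, not NGFW code)."""
import struct
from typing import Optional

ETH_BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    """Accept Huawei 'xxxx-xxxx-xxxx' or 'xx:xx:xx:xx:xx:xx' notation."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def build_garp(sender_mac: str, sender_ip: str, op: int = ARP_REQUEST) -> bytes:
    """Gratuitous ARP: sender and target IP both equal the announcing host's own IP.
    As a request the target MAC is zero; as a reply it repeats the sender MAC."""
    smac = mac_bytes(sender_mac)
    target_mac = bytes(6) if op == ARP_REQUEST else smac
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)      # htype, ptype, hlen, plen, op
           + smac + ip_bytes(sender_ip) + target_mac + ip_bytes(sender_ip))
    return ETH_BROADCAST + smac + struct.pack("!H", ETHERTYPE_ARP) + arp


def parse_arp(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet frame, or None if it is not an Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": frame[22:28].hex(), "sender_ip": ".".join(map(str, frame[28:32])),
        "target_mac": frame[32:38].hex(), "target_ip": ".".join(map(str, frame[38:42])),
    }


def is_gratuitous(arp: dict) -> bool:
    return arp["sender_ip"] == arp["target_ip"]


def check_garp(frame: bytes, gateway_ip: str, gateway_mac: str) -> str:
    """'ok' for a gratuitous ARP from the real gateway, 'spoof' when another MAC claims the
    gateway IP, 'ignore' for anything that is not a gratuitous ARP for the gateway address."""
    arp = parse_arp(frame)
    if arp is None or not is_gratuitous(arp) or arp["sender_ip"] != gateway_ip:
        return "ignore"
    return "ok" if arp["sender_mac"] == mac_bytes(gateway_mac).hex() else "spoof"
```

The periodic announcement described above keeps hosts' entries for the gateway IP pointing at the real MAC; a monitor running check_garp() over captured ARP traffic sees any competing announcement as "spoof".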
Prerequisites
Before enabling authorized ARP, complete the DHCP server configuration.
Context
Authorized ARP, valid on only devices enabled with the DHCP server function, applies when
the DHCP server and client reside on the same network segment, not in the DHCP relay scenario.
Authorized ARP prevents a DHCP server from dynamically learning illegitimate ARP
responses. Only clients to which the DHCP server assigns IP addresses can add ARP entries
(called authorized ARP entries) automatically based on ARP response packets. If an attacker
forges the IP or MAC address of a legitimate DHCP client to originate an ARP request, the IP
or MAC address does not match authorized ARP entries recorded by the gateway (the DHCP
server), and no response is returned. In this way, the attacker fails to access the network by
forging a legitimate IP or MAC address.
Authorized ARP entries do not age. When a DHCP client releases its IP address (goes offline), its
authorized ARP entry is automatically deleted from the ARP table.
Authorized ARP entries have a higher priority than dynamic ARP entries but a lower priority than
static ARP entries: a new authorized ARP entry overrides a duplicate dynamic ARP entry but not
a duplicate static ARP entry, and a duplicate static ARP entry overrides an existing authorized
ARP entry.
Procedure
Step 1 Access the system view.
system-view
----End
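The precedence rules above (static over authorized over dynamic, no aging for static and authorized entries, deletion on DHCP release) are easiest to see in a small model. The following Python is an added example for this guide, not NGFW code. It shows that a forged ARP reply for a protected address overwrites a dynamic entry but is rejected by a static or authorized entry. The entry letters S and D match the TYPE column of display arp; A is this example's own label for authorized entries. The 20-minute aging value is the EXPIRE(M) shown for dynamic entries in the outputs earlier in this section; the "authorized ARP enabled" flag, which makes the table refuse to learn senders the DHCP server never assigned, models the behaviour described above. PC_A's address and MAC come from the static ARP example later in this section; every other address is constructed.

```python
"""ARP table with static (S), authorized (A) and dynamic (D) entries (added example, not NGFW code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

DYNAMIC_AGING_MIN = 20     # EXPIRE(M) shown for D entries in the display arp outputs above


@dataclass
class ArpEntry:
    mac: str
    kind: str                    # "S" static, "A" authorized, "D" dynamic
    expire_min: Optional[int]    # None: the entry does not age


class ArpTable:
    def __init__(self, authorized_arp: bool = False):
        self.authorized_arp = authorized_arp            # interface is a DHCP server with authorized ARP
        self.entries: Dict[str, ArpEntry] = {}
        self.rejected: List[Tuple[str, str, str]] = []  # (ip, mac, reason) for refused updates

    def add_static(self, ip: str, mac: str) -> None:
        """arp static ip mac: highest precedence, replaces any existing entry for ip."""
        self.entries[ip] = ArpEntry(mac, "S", None)

    def dhcp_assign(self, ip: str, mac: str) -> bool:
        """The DHCP server leases ip to mac: add an authorized entry unless a static entry exists."""
        cur = self.entries.get(ip)
        if cur is not None and cur.kind == "S":
            self.rejected.append((ip, mac, "static entry has higher precedence"))
            return False
        self.entries[ip] = ArpEntry(mac, "A", None)    # overrides a dynamic entry; never ages
        return True

    def dhcp_release(self, ip: str) -> None:
        """The client releases its lease: its authorized entry is removed."""
        cur = self.entries.get(ip)
        if cur is not None and cur.kind == "A":
            del self.entries[ip]

    def learn(self, ip: str, mac: str) -> bool:
        """An ARP reply (or request) with sender ip/mac is received on the interface."""
        cur = self.entries.get(ip)
        if cur is None:
            if self.authorized_arp:                      # only DHCP-assigned hosts may appear
                self.rejected.append((ip, mac, "not assigned by the DHCP server"))
                return False
            self.entries[ip] = ArpEntry(mac, "D", DYNAMIC_AGING_MIN)
            return True
        if cur.kind == "D":                              # dynamic entries follow the last reply heard
            cur.mac, cur.expire_min = mac, DYNAMIC_AGING_MIN
            return True
        if cur.mac == mac:                               # consistent with the pinned S/A entry
            return True
        self.rejected.append((ip, mac, f"{cur.kind} entry pinned to {cur.mac}"))
        return False

    def age(self, minutes: int) -> None:
        """Advance time; dynamic entries whose timer reaches zero are removed."""
        for ip, e in list(self.entries.items()):
            if e.expire_min is not None:
                e.expire_min -= minutes
                if e.expire_min <= 0:
                    del self.entries[ip]
```

The rejected list is the interesting output for an operator: each tuple is an attempted rewrite that a static or authorized entry blocked, which is the same event the static ARP configuration example later in this section is designed to prevent.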
NOTE
Static ARP entries cannot be restored after being deleted. Exercise caution when you delete static ARP
entries.
Table 8-117 lists the command for clearing ARP entries. Run it in the user view.
Action: Clear ARP entries in the ARP mapping table.
Command: reset arp [ all | dynamic [ ip-address ip-address [ vpn-instance { vpn-instance-name | public } ] ] | interface interface-type interface-number | static ]
NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.
For details on the description of the debugging command, see Debugging Reference.
Table 8-118 lists the commands to debug ARP information.
Networking Requirements
A NGFW shown in Figure 8-85 connects departments of a company, and each department joins
different VLANs. Hosts in the headquarters office and a file backup server are allocated manually
configured IP addresses. Hosts in departments dynamically obtain IP addresses using DHCP.
Hosts in the marketing department can access the Internet and are frequent targets of ARP attacks.
Attackers send forged ARP packets to the NGFW and modify its dynamic ARP entries. As a result,
communication between hosts in the headquarters and external devices is interrupted, and hosts
in departments fail to access the file backup server. The company requires that static ARP entries
be configured on the NGFW. Static ARP allows hosts in the headquarters to communicate with
external devices and hosts in departments to access the file backup server.
Figure 8-85 Networking diagram for configuring static ARP
NGFW (all interfaces in the Trust zone):
l GE1/0/2, 10.10.10.10/24: connects the file backup server network 10.10.10.0/24.
l GE1/0/3, VLAN 10 (VLANIF 10: 10.10.1.20/24): connects the headquarters office, 10.10.1.0/24,
including PC_A at 10.10.1.1/24 with MAC address 0021-97cf-2238.
l GE1/0/4, VLAN 20: connects the marketing department, 10.10.2.0/24.
l GE1/0/5, VLAN 30: connects the R&D department, 10.10.3.0/24.
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
This example describes only ARP-related configurations, but not other configurations, such as DHCP.
1. Configure static ARP entries of hosts in the headquarters on the NGFW to prevent ARP
attack packets from altering ARP entries, which prevents communication interruptions.
2. Configure static ARP entries of the file backup server on the NGFW to prevent ARP attack
packets from altering ARP entries, which prevents failures in accessing the file backup
server.
Procedure
Step 1 Configure static ARP entries for the host in the headquarters.
# Configure static ARP entries for hosts in the headquarters. The following example uses the
configuration on PC_A. In the static ARP entry, PC_A IP address 10.10.1.1 is mapped to the
MAC address 0021-97cf-2238, and the VLAN ID is 10.
[NGFW] arp static 10.10.1.1 0021-97cf-2238 vid 10
Step 2 Configure a static ARP entry for the file backup server.
# Configure a static ARP entry for the file backup server to map the IP address 10.10.10.1/24
to the MAC address 0025-1185-8C21.
[NGFW] arp static 10.10.10.1 0025-1185-8C21
----End
Configuration Verification
1. Run the display arp static command on the NGFW to view static ARP entries.
[NGFW] display arp static
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE  INTERFACE    VPN-INSTANCE  VLAN/PVC
------------------------------------------------------------------------------
10.10.1.1       0021-97cf-2238            S                                10/-
10.10.1.2       0021-97cf-2239            S                                10/-
10.10.1.3       0021-97cf-2240            S                                10/-
10.10.10.1      0025-1185-8c21            S
------------------------------------------------------------------------------
Total:4 Dynamic:0 Static:4 Interface:0 Authorized:0 SNMP:0
Configuration Script
#
sysname NGFW
#
vlan batch 1 10 20 30
#
interface Vlanif 10
ip address 10.10.1.20 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 10.10.10.10 255.255.255.0
#
interface GigabitEthernet1/0/3
portswitch
port link-type access
port access vlan 10
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
add interface GigabitEthernet1/0/5
#
arp static 10.10.1.1 0021-97cf-2238 vid 10
arp static 10.10.10.1 0025-1185-8C21
#
return
Networking Requirements
Branches A and B of a company shown in Figure 8-86 are located in different cities. Multiple
routing devices are deployed between the branches, and routes between them are reachable. Hosts
in both branches use addresses from the same IP network 10.10.0.0/16, but the branches are
separate broadcast domains (subnets 10.10.1.0/24 and 10.10.2.0/24) and cannot communicate on
a LAN. The hosts have no default gateway configured, so they cannot communicate across network
segments.
The company requires that branches A and B communicate without changing host
configurations.
Figure 8-86 Networking diagram for configuring routed proxy ARP
Branch A connects to GE1/0/3 (Trust, 10.10.1.1/24) of NGFW_A; Branch B connects to GE1/0/3 (Trust,
10.10.2.1/24) of NGFW_B; the two NGFWs are connected over the routed network.
Configuration Roadmap
The configuration roadmap is as follows:
NOTE
This example describes only ARP-related configurations, but not configurations, such as routes between
branches A and B.
Procedure
Step 1 Configure NGFW_A.
# Assign an IP address to GigabitEthernet 1/0/3 and enable routed proxy ARP on it.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.10.1.1 255.255.255.0
[NGFW_A-GigabitEthernet1/0/3] arp-proxy enable
[NGFW_A-GigabitEthernet1/0/3] quit
Step 2 Configure NGFW_B.
# The configuration of NGFW_B is the same as that of NGFW_A, except that GigabitEthernet 1/0/3
uses the IP address 10.10.2.1 255.255.255.0.
----End
Configuration Verification
# Select host_A in branch A and select host_B in branch B. Run the ping command on host_A
to ping host_B. The ping is successful.
C:\Documents and Settings\Administrator>ping 10.10.2.2
# View the ARP table of host_A. You can see that the MAC address of host_B is the MAC
address of GigabitEthernet 1/0/3 on NGFW_A.
C:\Documents and Settings\Administrator>arp -a
Interface: 10.10.1.2 --- 0x3
Internet Address Physical Address Type
10.10.1.1 00-22-a1-01-b5-db dynamic
10.10.2.2 00-22-a1-01-b5-db dynamic
# View the ARP table of host_B. You can see that the MAC address of host_A is the MAC
address of GigabitEthernet 1/0/3 on NGFW_B.
C:\Documents and Settings\Administrator>arp -a
Configuration Scripts
Configuration script for NGFW_A:
#
sysname NGFW_A
#
interface GigabitEthernet1/0/3
ip address 10.10.1.1 255.255.255.0
arp-proxy enable
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
return
Networking Requirements
As shown in Figure 8-87, a switch connects to GigabitEthernet 1/0/2 on the NGFW. VLAN 10
is set on GigabitEthernet 1/0/2.
Host_A and Host_B are attached to the switch. The interfaces connecting the switch to the hosts
belong to one VLAN but are isolated.
Inner-VLAN proxy ARP can be enabled on GigabitEthernet 1/0/2 of the NGFW to allow Host_A
to communicate with Host_B.
Figure 8-87 Networking diagram for configuring inner-VLAN proxy ARP
NGFW GE1/0/2 (Trust, VLAN 10, VLANIF 10: 10.10.1.12/24) connects a switch. Host_A (10.10.1.10/24)
and Host_B (10.10.1.100/24) are attached to isolated ports of the switch in VLAN 10.
Configuration Roadmap
NOTE
This example focuses on ARP-related configurations. Port isolation and switch-related configurations are
not described.
1. Create VLAN 10 on the NGFW, add GigabitEthernet 1/0/2 to it as a trunk port, and create
VLANIF 10 with an IP address.
2. Enable inner-VLAN proxy ARP on VLANIF 10 of the NGFW.
Procedure
Step 1 Create VLAN 10, add GigabitEthernet 1/0/2 to it, and create VLANIF 10 with an IP address.
NOTE
The gateway address of Host_A and Host_B must be the IP address of the VLANIF interface. Host_A and
Host_B configurations are not described in detail.
[NGFW] vlan batch 10
[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] portswitch
[NGFW-GigabitEthernet1/0/2] port link-type trunk
[NGFW-GigabitEthernet1/0/2] port trunk vlan 10 tagged
[NGFW-GigabitEthernet1/0/2] quit
[NGFW] interface vlanif 10
[NGFW-Vlanif10] ip address 10.10.1.12 255.255.255.0
[NGFW-Vlanif10] quit
Step 2 Enable inner-VLAN proxy ARP on VLANIF 10.
[NGFW] interface vlanif 10
[NGFW-Vlanif10] arp-proxy inner-sub-vlan-proxy enable
[NGFW-Vlanif10] quit
----End
Configuration Verification
# Host_A and Host_B can ping through each other.
C:\Documents and Settings\Administrator>ping 10.10.1.100
Configuration Script
#
sysname NGFW
#
vlan batch 10
#
interface GigabitEthernet1/0/2
portswitch
port link-type trunk
port trunk vlan 10 tagged
#
interface Vlanif 10
ip address 10.10.1.12 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
#
return
Symptom
Figure 8-88 shows the typical networking. The physical links are correctly connected and
configured and the interface is in Up state, but the remote device cannot be pinged.
Figure 8-88 Typical networking: GE1/0/3 of the NGFW is connected to a router.
Possible Causes
VLAN attributes are incorrect.
Fault Diagnosis
Fault diagnosis flowchart: check whether remote ARP entries are learned; if they are not and the
interface is a Vlanif interface, check the ARP entries of the specified Vlanif interface.
Procedure
Step 1 Run the display arp command and check whether remote ARP entries are learned.
<NGFW> display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE  INTERFACE    VPN-INSTANCE  VLAN/PVC
------------------------------------------------------------------------------
10.1.196.208    0018-8239-1e63            I     GE1/0/3
10.1.196.20     0021-97cf-cfc1  16        D     GE1/0/3
10.1.196.4      001e-90a0-154f  16        D     GE1/0/3
Step 2 Check whether ARP packets are properly sent and received at the upper layer.
If ARP packets are correctly sent and received, information like the following is displayed.
*0.1090420 NGFW ARP/7/arp_send:Send an ARP Packet, operation : 1, sender_eth_addr : 0018-8239-1e63, sender_ip_addr : 10.1.196.208, target_eth_addr : 00e0-4c84-0b04, target_ip_addr : 10.1.196.2
If the remote end can be pinged, both request and reply packets are displayed. If a fault occurs,
only the request packets are displayed, or none of the request or reply packets is displayed.
If packets are properly sent and received by the upper layer, run the debugging ethernet packet
arp interface GigabitEthernet 1/0/3 command and check whether packets are properly sent at
the data link layer.
<NGFW> debugging ethernet packet arp interface GigabitEthernet 1/0/3
<NGFW> terminal monitor
Info:Current terminal monitor is on
<NGFW> terminal debugging
Info:Current terminal debugging is on
The previous information shows that ARP request packets are properly sent at the data link layer.
Go to Step 3.
Step 3 Check whether statistics about sent and received packets are correct.
Run the display this interface command in the interface view or the display interface interface-
type interface-number command in any view to view packet statistics.
If either of the following fault occurs, record the locating process, debugging information (that
is displayed), and statistics about the interface, and contact technical support personnel.
l The upper layer does not send or incorrectly sends ARP request or reply packets.
l The upper layer correctly sends ARP request or reply packets, but the data link layer does
not send or incorrectly sends ARP packets.
l The upper layer correctly sends ARP request or reply packets, and the data link layer properly
sends and receives these packets. The interface, however, does not collect statistics about
sent and received packets.
Step 4 Check whether host routes on the Vlanif interface are updated.
On a Vlanif interface, host routes are updated synchronously with ARP entries. Run the display
fib command to check whether the FIB table is updated. On physical interfaces and other logical
interfaces, skip this step.
<NGFW> display fib
Fib Flags: B - blackhole, D - dynamic, G - gateway, H - host, S - static, U - up
------------------------------------------------------------------------------
FIB Table:
Total number of Routes : 4
Destination/Mask   Nexthop     Flag  TimeStamp  Interface  TunnelID
10.2.0.1/32        10.2.0.1    HU    t[77]      InLoop0    0x0
10.2.0.0/8         10.2.0.1    U     t[77]      InLoop0    0x0
10.3.1.1/32        10.2.0.1    HU    t[105]     InLoop0    0x0
10.3.1.0/24        10.3.1.1    U     t[105]     GE1/0/3    0x0
NOTE
Collect information, preserve the faulty scenario, and contact technical support personnel in either of the
following situations:
l ARP entries on the main processing unit (MPU) of the Vlanif interface are inconsistent with those on
a line interface processing unit (LPU).
l ARP entries are consistent but host routes are not updated.
Step 5 Check whether ICMP packets are properly sent and received.
1. Run the debugging ip packet acl acl-number command in the user view and check
information about both sent and received IP packets.
2. Run the debugging ip icmp command and collect more information to locate the fault.
----End
8.11 VLAN
This section describes virtual local area network (VLAN) concepts and how to configure a
VLAN, as well as provides configuration examples.
8.11.1 Overview
The virtual local area network (VLAN) technology adds a VLAN tag to the traditional Ethernet
frame header to identify the VLAN in a data packet.
Definition
A LAN is divided into several logical "LANs" (VLANs), with each VLAN functioning as a
broadcast domain.
Objective
The following problems occur in a traditional LAN:
l Collisions occur if more than one node attempts to send at the same time.
l The information from any node is sent to all other nodes. A method is required to send a
message only to the node or nodes it is destined for, instead of to all nodes.
l Information security is reduced because all hosts share the same transmission channel.
As the number of computers on a network grows, collisions increase and network efficiency
deteriorates; the network becomes one large collision domain. Ethernet uses Carrier Sense
Multiple Access/Collision Detect (CSMA/CD) to detect collisions, which cannot completely
remove their impact.
Ethernet is also a broadcast network. If a large number of computers send information at the
same time, broadcast traffic consumes a great deal of bandwidth.
Therefore, the traditional network has two problems: the collision domain and the broadcast
domain. In addition, the traditional network cannot ensure information security.
To expand a traditional LAN to accommodate more computers and to prevent collisions, the
following methods are introduced:
l Bridge
l Layer 2 switch
Bridges and switches forward frames from an inbound interface to an outbound interface in
switching mode. Collisions occur only on individual ports and do not affect the shared media.
NOTE
Introducing switches into the network solves the collision domain problem through fast Layer 2
switching. It does not, however, solve the broadcast domain problem or the information security
risk that comes with it.
To reduce broadcast storms, the hosts that do not need to access each other must be isolated from
each other. Routers select a route based on IP addresses. Therefore, using a router to connect
two network segments can effectively control the broadcast problems. Routers, however, are
costly. In this case, the VLAN is introduced.
The VLAN technology divides a LAN into logical "LANs" (VLANs), with each VLAN functioning
as a broadcast domain. Hosts in a VLAN communicate with each other in the same way as hosts
in a LAN. VLANs cannot interact with each other directly, so broadcast packets are confined to
a single VLAN.
VLANs can improve data security. For example, different enterprise clients rent a building and
require developing their own LANs. The total cost of LANs is high. If all clients share a LAN,
information security cannot be guaranteed.
VLANs allow different clients to share a LAN and improves information security.
Figure 8-90 Typical VLAN application: a router connects three switches; the PCs attached to them
are grouped into VLAN-A, VLAN-B and VLAN-C.
As shown in Figure 8-90, the network is a typical VLAN application. Three switches are placed
at sites. This is more or less the same as different floors in a building. Each switch is connected
to three PCs. These PCs belong to three VLANs, which are enclosed by dashed blocks. Each
VLAN corresponds to an enterprise client.
8.11.2 Mechanism
This section describes the virtual local area network (VLAN) mechanism.
l Type field: a 16-bit field, also called the Tag Protocol Identifier (TPID). The value 0x8100
indicates an 802.1Q-tagged frame; devices that do not support the 802.1Q standard discard
such frames.
l PRI field: a 3-bit priority value ranging from 0 to 7. The greater the value, the higher the
priority. When a switch is congested, it preferentially forwards frames with higher priorities.
l Canonical format indicator (CFI) field: 1 bit. The value 1 indicates the non-canonical format,
and the value 0 indicates the canonical format (always 0 on Ethernet).
l VID field: a 12-bit field that specifies the ID of the VLAN to which the frame belongs.
Link Types
VLAN links are classified into the following types:
l Access links: connect switches to hosts. The access links shown in Figure 8-92 connect
switches to PCs and transmit untagged Ethernet frames.
l Trunk links: connect switches. The trunk links shown in Figure 8-92 connect switches and
transmit tagged Ethernet frames.
Figure 8-92 Access links (switch to PC) and trunk links (switch to switch) carrying VLAN2 and
VLAN3.
Port Types
Not all ports can identify the VLAN frames defined in 802.1Q. Based on their ability to identify
VLAN frames, ports are classified into the following types:
l Access ports
Access ports are switch ports that connect hosts only along access links. An access port has
the following characteristics:
– Only allows frames tagged with access port PVIDs to pass through. A PVID is a default
VLAN ID.
– Sends untagged Ethernet frames to the peer device.
l Trunk ports
Trunk ports connect a local switch to other switches. In other words, trunk ports can only
connect to trunk links. A trunk port has the following characteristics:
– Allows tagged frames of many VLANs to pass through.
– Only removes a tag with a default VLAN ID from a frame before sending the frame.
l Hybrid ports
Hybrid ports are switch ports that connect a local switch to hosts and to other switches.
Hybrid ports can be connected to both access and trunk links. A hybrid port allows tagged
frames of different VLANs to pass through and removes tags from some VLAN frames
before forwarding the frames.
VLAN Classification
VLANs can be classified into the following types:
l Port-based VLANs
A computer belongs to the VLAN of the network device port it is connected to. This method
allows hosts to be easily grouped into VLANs. If a host is moved to another place, the VLAN
needs to be reconfigured.
l MAC address-based VLANs
Devices are allocated to VLANs based on MAC addresses of network interface cards.
VLAN settings remain even if hosts are moved to other places. All hosts within a VLAN
must be configured.
l Network layer protocol-based VLANs
Devices are allocated to VLANs based on network layer protocols. For example, hosts
running IP are grouped into a VLAN, and hosts running IPX are grouped into another
VLAN.
The device processes frames based on the type of port that receives or sends them. Table 8-119
describes VLAN frame processing on the different port types.
Table 8-119 VLAN frame processing on different port types
Access port
Received frames:
1. Checks whether the frame carries a VLAN tag:
l If the frame does not carry a VLAN tag, the port adds its PVID to the frame and goes to
step 2.
l If the frame carries a VLAN tag whose VLAN ID is the PVID, the port goes to step 2. If the
VLAN ID is not the PVID, the port discards the frame.
2. The device selects an outbound port based on the destination MAC address and VLAN ID
carried in the frame.
Sent frames: The port removes the PVID tag from the frame before sending it.
Trunk port
Received frames:
1. Checks whether the frame carries a VLAN tag:
l If the frame is not tagged, the port adds its PVID to the frame and goes to step 2.
l If the frame carries a VLAN tag, the port checks whether the VLAN ID in the tag is
permitted. If it is permitted, the device goes to step 2; otherwise the port discards the frame.
2. The device selects an outbound port based on the destination MAC address and VLAN ID
carried in the frame.
Sent frames: The port checks its VLAN attributes:
l If the VLAN ID in the tag is the port PVID, the port removes the tag before sending the frame.
l If the VLAN ID is not the PVID and the port permits that VLAN, the port sends the frame as
it is. If the port does not permit that VLAN, it discards the frame.
Hybrid port
Received frames: Same as a trunk port.
Sent frames: The port checks its VLAN attributes:
l If the port permits the VLAN of the tagged frame, it checks how frames of that VLAN are to
be sent: if untagged, it removes the tag before sending the frame; if tagged, it sends the frame
as it is.
l If the port does not permit the VLAN, it discards the frame.
NOTE
Trunk and hybrid ports use the same rules to process received frames.
A hybrid port always removes a VLAN tag that equals its PVID before sending the frame, whether
that VLAN is configured as untagged or tagged on the port.
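The tag layout from 8.11.2 and the per-port rules of Table 8-119 are shown together below in Python, as an added example for this guide and not NGFW code. build_frame() and parse_frame() encode and decode the 4-byte 802.1Q tag (Type 0x8100, then PRI, CFI and VID packed into 16 bits); ingress() and egress() apply the received-frame and sent-frame rules for access, trunk and hybrid ports. The port and VLAN assignments and the frames are constructed; the trunk port's permitted VLAN list is assumed to include its PVID, which is what the PVID-stripping rule requires.

```python
"""802.1Q tag encoding and per-port VLAN processing (added example, not NGFW code)."""
import struct
from dataclasses import dataclass, replace
from typing import FrozenSet, Optional

TPID_8021Q = 0x8100


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vid: Optional[int]          # None: untagged frame
    pri: int = 0                # PRI, 0..7
    cfi: int = 0                # CFI, 0 on Ethernet
    ethertype: int = 0x0800     # payload type (IPv4 by default)
    payload: bytes = b""


def build_frame(f: Frame) -> bytes:
    """Serialise a frame, inserting the 4-byte 802.1Q tag after the source MAC when vid is set."""
    hdr = f.dst + f.src
    if f.vid is not None:
        if not 0 <= f.vid <= 4095:
            raise ValueError("VID must fit in 12 bits")
        tci = (f.pri & 0x7) << 13 | (f.cfi & 0x1) << 12 | f.vid   # PRI(3) CFI(1) VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", f.ethertype) + f.payload


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet frame; a Type field of 0x8100 means a tag follows."""
    if len(raw) < 14:
        raise ValueError("frame too short")
    dst, src = raw[0:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", raw[14:18])
        return Frame(dst, src, tci & 0xFFF, tci >> 13, (tci >> 12) & 1, etype, raw[18:])
    return Frame(dst, src, None, 0, 0, etype, raw[14:])


@dataclass
class Port:
    kind: str                                   # "access", "trunk" or "hybrid"
    pvid: int
    allowed: FrozenSet[int]                     # VLANs permitted on the port (trunk/hybrid)
    untagged: FrozenSet[int] = frozenset()      # hybrid only: VLANs sent untagged


def ingress(port: Port, f: Frame) -> Optional[Frame]:
    """Received-frame rules: the frame as it enters the switch (always tagged), or None if discarded."""
    if f.vid is None:                           # untagged: every port type adds its PVID
        return replace(f, vid=port.pvid)
    if port.kind == "access":                   # access: only the PVID is accepted
        return f if f.vid == port.pvid else None
    return f if f.vid in port.allowed else None  # trunk and hybrid: VLAN must be permitted


def egress(port: Port, f: Frame) -> Optional[Frame]:
    """Sent-frame rules: the frame as put on the wire, or None if the port discards it."""
    if port.kind == "access":                   # only PVID frames leave, and they leave untagged
        return replace(f, vid=None) if f.vid == port.pvid else None
    if f.vid not in port.allowed:
        return None
    if port.kind == "trunk":                    # PVID stripped, other permitted VLANs stay tagged
        return replace(f, vid=None) if f.vid == port.pvid else f
    # hybrid: PVID is always stripped; other VLANs follow the port's tagged/untagged setting
    return replace(f, vid=None) if (f.vid == port.pvid or f.vid in port.untagged) else f
```

A useful way to read the two functions together: the switch core only ever sees tagged frames, so the security boundary between VLANs is decided entirely at ingress (which VLAN an untagged frame is assigned to, and which tagged VLANs a port accepts), while egress only decides whether the tag is visible on the wire.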
Intra-VLAN Communication
Hosts on a VLAN in the same area can directly communicate with each other. Hosts on the same
VLAN but in different areas (with multiple devices between them) can communicate with each
other using trunk links.
Figure 8-93 shows that hosts in the same department of an enterprise communicate with each
other across two NGFWs. Each department belongs to a specific VLAN. You can configure
trunk links to isolate service data of different departments to ensure data communication within
a department.
Figure 8-93 NGFW_A and NGFW_B connected by a trunk link.
Inter-VLAN Communication
Hosts of different VLANs use VLAN interfaces or Ethernet subinterfaces to communicate with
each other.
Figure 8-94 Inter-VLAN communication using VLANIF interfaces (VLANIF100 for VLAN100,
VLANIF200 for VLAN200).
l Inter-VLAN communication using VLANIF interfaces
– Layer 2 Ethernet interfaces connect the NGFW to PCs and are added to separate VLANs.
– Each interface on the NGFW can be connected to a single PC, which causes low data
transmission efficiency.
l Inter-VLAN communication using Ethernet subinterfaces
Unlike VLAN interfaces, Ethernet subinterfaces on a switch connect multiple PCs to a
single interface of a NGFW to implement inter-VLAN communication.
Figure 8-95 shows hosts of two departments attached to a NGFW. Hosts in one department
belong to VLAN5, and host in the other department belong to VLAN6. You can configure
two subinterfaces on a single physical interface and add these subinterfaces to separate
VLANs. This approach allows VLANs to communicate with each other using a single
physical interface on a NGFW.
Figure 8-95 Inter-VLAN communication using Ethernet subinterfaces: GE1/0/0 on the NGFW connects
a switch; subinterface GE1/0/0.1 carries VLAN5 and GE1/0/0.2 carries VLAN6.
Prerequisites
An interface has been switched to Layer 2 mode.
Context
IEEE 802.1q defines the following types of VLAN interfaces based on the ability of identifying
VLAN frames:
l Access ports
Access ports are ports that connect a switch to hosts. Access ports are connected only to
access links. An access port provides the following characteristics:
– Only frames tagged with a PVID of an access port can pass through the access port.
– Ethernet frames sent by an access port to a peer device never carry VLAN tags.
l Trunk ports
A trunk port connects a switch to another switch. A trunk port can only connect to a trunk
link. A trunk port provides the following characteristics:
– The trunk port allows tagged frames from multiple VLANs to pass through.
– Before a trunk port sends a tagged frame with a PVID, the trunk port removes the VLAN
tag from the frame. Frames sent by a trunk port do not carry tags only in this case.
l Hybrid ports
Hybrid ports are ports that connect a switch to hosts and other switches. Hybrid ports can
be connected to both access and trunk links. A hybrid port allows tagged frames of different
VLANs to pass through. An outbound hybrid port can remove tags of some VLAN frames
before sending the VLAN frames.
Procedure
l Configure an access port in the VLAN view.
1. Display the system view.
system-view
If a VLAN already exists, running this command directly displays the VLAN view.
3. Specify interfaces that can be added to the VLAN.
port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>
If a VLAN already exists, running this command directly displays the VLAN view.
3. Display the Layer 2 Ethernet interface view in the system view.
interface interface-type interface-number
----End
Context
You can create a VLANIF interface on a configured VLAN. The VLANIF interface functions
as a Layer 3 physical interface to implement Layer 3 features, such as IP address settings and
data communications among different VLANs.
Inter-VLAN communication through VLANIF interfaces applies only when the hosts in each
VLAN are located in different network segments. If the hosts of VLANs are located in the same
network segment, inter-VLAN communication can be implemented through Layer 2 interfaces.
For details, see 8.11.3.4 Configuring Inter-VLAN Communication Using Layer 2
Subinterfaces.
Procedure
Step 1 Access the system view.
system-view
Step 2 Create a VLANIF interface and access the VLANIF interface view.
interface vlanif vlan-id
If a VLANIF interface already exists, the VLANIF interface view is directly displayed after this
command is run.
Before you create a VLANIF interface, the VLAN must exist.
Step 3 Assign an IP address to the VLANIF interface.
ip address ip-address { mask | mask-length } [ sub ]
The IP addresses of different VLANIF interfaces must be on different network segments so that
users on different VLANs can communicate.
----End
Context
The most direct method for inter-VLAN communication is connecting VLANs to different Layer
3 interfaces to route the packets between VLANs. However, this method requires physical
interfaces. In contrast, creating Ethernet subinterfaces can avoid the use of more physical
interfaces.
Ethernet and Eth-Trunk interfaces support subinterfaces.
You can configure multiple subinterfaces on a single physical interface and ensure that each
subinterface is assigned to a specific VLAN. VLANs can communicate after being connected
to only as single physical interface.
Inter-VLAN communication through Layer 3 subinterfaces applies only when the hosts in each
VLAN are located in different network segments. If the hosts of VLANs are located in the same
Procedure
Step 1 Access the system view.
system-view
Step 3 Set the encapsulation type and the VLAN ID of the subinterface.
vlan-type dot1q vlan-id
The subinterface and its main interface can be on the same primary network segment but must
use different subnet masks.
----End
Context
The device supports creating subinterfaces on Layer 2 Ethernet and Layer 2 Eth-Trunk interfaces.
Using a subinterface to terminate a VLAN allows for inter-VLAN forwarding.
Procedure
Step 1 Run the system-view command to access the system view.
Step 4 Add the subinterfaces created in Step 3 to a same VLAN so that the subinterfaces can
communicate.
1. Run the vlan vlan-id command to create a VLAN and access the VLAN view.
2. Run the port interface-type interface-number.subinterface-number command to add the
subinterfaces created in Step 3 to a same VLAN.
Subinterfaces must be added to the same VLAN to communicate with each other.
----End
You can check the VLAN configuration by running the commands listed in Table 8-120 in any
view.
Action: Display information about the VLANs that are allowed to pass through a trunk interface.
Command: display port vlan [ interface-type interface-number ]
8.12.1 Overview
DHCP snooping defends against the attacks launched using DHCP messages.
Definition
The Dynamic Host Configuration Protocol (DHCP) snooping, a DHCP security feature, filters
untrusted DHCP messages by creating and maintaining a binding table. This binding table
contains the following items:
l MAC addresses
l IP addresses
l IP leases
l Binding types
l VLAN IDs
l Interface information
DHCP snooping acts as a firewall between a DHCP client and a DHCP server.
Objective
DHCP snooping is used to prevent the following problems:
l DHCP denial of service (DoS) attacks
l Bogus DHCP server attacks
l Address Resolution Protocol (ARP) middleman attacks
l IP/MAC spoofing attacks
DHCP snooping can apply to both Layer 2 and Layer 3 interfaces as shown in Figure 8-96 and
Figure 8-97.
Figure 8-96 DHCP snooping on a Layer 3 interface: the interface toward the user network is
untrusted; the interface toward the L3 network and the DHCP server is trusted.
Figure 8-97 DHCP snooping on a Layer 2 interface: the interface toward the user network (L2
network) is untrusted; the interface toward the DHCP relay and the DHCP server is trusted.
8.12.2 Mechanism
This section describes the mechanism of Dynamic Host Configuration Protocol (DHCP)
snooping.
Figure 8-98 Bogus DHCP server attack: a DHCP pseudo server answers requests from a DHCP client.
To prevent bogus DHCP server attacks, configure DHCP snooping, which works in either trusted
or untrusted mode.
You can configure a physical or VLAN interface as trusted or untrusted. DHCP response messages
(DHCPOFFER, DHCPACK, or DHCPNAK) received on an untrusted interface are discarded, so a
bogus DHCP server connected to an untrusted interface cannot answer clients. Figure 8-99 shows
DHCP snooping working in trusted or untrusted mode.
[Figure 8-99: DHCP snooping in trusted or untrusted mode. Labels: Untrusted, DHCP pseudo server.]
Middleman Attacks
A middleman sends a packet carrying its own MAC address and the IP address of a DHCP server.
Upon receipt, the client learns the IP and MAC addresses and considers the middleman as a
DHCP server and sends all packets to the middleman, not the DHCP server. After receiving the
packets, the middleman forwards the packet carrying its own MAC and IP addresses to the server.
The DHCP server learns the IP and MAC address and considers the middleman a client. The
DHCP server sends packets to the middleman, not the client. Figure 8-100 shows a middleman
attack.
A middleman relays data between the DHCP server and client. The DHCP server and client
assume that they have exchanged packets with each other.
[Figure 8-100: middleman attack. Labels: Middleman (10.1.1.2/32, MAC 2-2-2); Attacker (10.1.1.3/32, MAC 3-3-3); DHCP client (10.1.1.2/32, MAC 2-2-2); steps (1) and (2).]
A DHCP snooping binding table can be used to prevent IP/MAC spoofing and middleman
attacks.
When an interface receives an ARP or IP packet, the interface matches the source IP and MAC
addresses of the packet with entries in a local DHCP snooping binding table. Packets that match
the entries are forwarded, whereas unmatched packets are discarded. Figure 8-102 shows data
transmission based on a DHCP snooping binding table.
ARP packets or IP packets sent by clients with static IP addresses are discarded. This is because
these clients do not obtain IP addresses by sending DHCPREQUEST messages, and no DHCP
snooping binding entry exists for them. As a result, these clients are prevented from accessing
the network illegally. To allow the users with statically allocated IP addresses to access the
network, configuring a static DHCP snooping binding table is mandatory.
Similarly, packets from a client that uses a legal IP address belonging to another client are
discarded. Such a client does not obtain its IP address by sending DHCPREQUEST messages, so
the MAC address and interface information in the DHCP snooping binding entry for that IP
address do not match those of the spoofing client. In this way, these clients are prevented
from accessing the network illegally.
Entries in a DHCP snooping binding table are classified into the following types:
l Static entries: manually configured on an NGFW. These entries can only be manually
deleted.
l Dynamic entries: automatically learned by an NGFW using DHCP snooping. These entries
age after IP address leases expire.
Dynamic entries in a DHCP snooping binding table are automatically generated based on
DHCPACK messages sent by a DHCP server. The procedure for generating dynamic entries is
as follows:
l On a Layer 2 device:
– An Option 82-enabled Layer 2 device receives a DHCPREQUEST message and
appends Option 82 to the message. The Layer 2 device determines an outbound interface
to which a DHCPRESPONSE message is sent based on Option 82 and generates a
DHCP snooping binding entry.
– An Option 82-disabled Layer 2 device identifies interface information in messages
based on a MAC address table.
l On a Layer 3 device
A device obtains the IP address of an untrusted interface assigned by a DHCP server, the
MAC address of the interface, and the interface through which messages pass by monitoring
To prevent DoS attacks, enable DHCP snooping to check the CHADDR field in a
DHCPREQUEST message. If the CHADDR field matches the source MAC address in the frame
header, the message is forwarded. If the CHADDR field does not match the source MAC address,
the message is discarded.
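The binding-table matching, the no-match action and the CHADDR check described above, as an added Python illustration rather than NGFW code: entries learned from DHCPACK and aged at lease expiry, a static entry for a fixed-address client, and ARP/IP/DHCPREQUEST packets decided against the table. The packet dictionaries, their key names and the client MAC 00e0-fc5e-0001 are constructed; 10.1.1.1/00e0-fc5e-008a, VLAN 100 and GigabitEthernet1/0/1 are taken from the configuration example later in this chapter.

```python
"""DHCP snooping binding-table checks (added illustration, not NGFW code).

Dynamic entries are learned from DHCPACK, static entries are configured by
hand, ARP/IP packets are matched against the table, packets with no entry
follow the configured no-match action (forward by default), DHCPREQUEST is
checked against the table and CHADDR against the frame source MAC.
"""
from dataclasses import dataclass


@dataclass
class BindingEntry:
    mac: str
    ip: str
    lease_end: float   # seconds; float("inf") for static entries
    kind: str          # "static" or "dynamic"
    vlan: int
    interface: str


class DhcpSnooping:
    def __init__(self, nomatch_action="forward"):
        self.nomatch_action = nomatch_action   # "forward" (default) or "discard"
        self.entries = []
        # Drop counters named like the categories in "display dhcp snooping" output.
        self.dropped = {"arp": 0, "ip": 0, "dhcp-request": 0, "chaddr&src mac": 0}

    def add_static(self, mac, ip, vlan, interface):
        """Static entry (dhcp snooping bind-table static ...); only deleted manually."""
        self.entries.append(BindingEntry(mac, ip, float("inf"), "static", vlan, interface))

    def learn_from_ack(self, ack, now):
        """Dynamic entry generated from the DHCPACK the server sends the client."""
        self.entries.append(BindingEntry(ack["chaddr"], ack["yiaddr"], now + ack["lease"],
                                         "dynamic", ack["vlan"], ack["interface"]))

    def age(self, now):
        """Dynamic entries age out when the lease expires; static ones never do."""
        self.entries = [e for e in self.entries if e.kind == "static" or e.lease_end > now]

    def _match(self, pkt, ip_key, mac_key):
        """None when no entry holds the IP; else whether MAC, VLAN and interface agree."""
        entry = next((e for e in self.entries if e.ip == pkt[ip_key]), None)
        if entry is None:
            return None
        return (entry.mac, entry.vlan, entry.interface) == (
            pkt[mac_key], pkt["vlan"], pkt["interface"])

    def _decide(self, counter, match):
        if match is None:
            verdict = "forward" if self.nomatch_action == "forward" else "discard"
        else:
            verdict = "forward" if match else "discard"
        if verdict == "discard":
            self.dropped[counter] += 1
        return verdict

    def check_arp_or_ip(self, pkt):
        """pkt keys: kind ('arp' or 'ip'), src_ip, src_mac, vlan, interface."""
        return self._decide(pkt["kind"], self._match(pkt, "src_ip", "src_mac"))

    def check_dhcp_request(self, req):
        """A lease renewal (ciaddr set) must come from the MAC and port holding the lease."""
        return self._decide("dhcp-request", self._match(req, "ciaddr", "chaddr"))

    def check_chaddr(self, req):
        """DoS defence: CHADDR in the DHCPREQUEST must equal the frame source MAC."""
        if req["chaddr"] == req["src_mac"]:
            return "forward"
        self.dropped["chaddr&src mac"] += 1
        return "discard"


def demo():
    """Scenario on GigabitEthernet1/0/1, VLAN 100: one dynamic and one static client."""
    snoop = DhcpSnooping(nomatch_action="discard")
    port = {"vlan": 100, "interface": "GigabitEthernet1/0/1"}
    # Constructed DHCPACK for client1: the server assigned 10.1.1.10 for 3600 s.
    snoop.learn_from_ack({"chaddr": "00e0-fc5e-0001", "yiaddr": "10.1.1.10",
                          "lease": 3600, **port}, now=0)
    out = {}
    client1_arp = {"kind": "arp", "src_ip": "10.1.1.10", "src_mac": "00e0-fc5e-0001", **port}
    out["client1_arp"] = snoop.check_arp_or_ip(client1_arp)
    # Someone claims client1's IP with another MAC: IP/MAC spoofing, dropped.
    out["spoofed_arp"] = snoop.check_arp_or_ip(dict(client1_arp, src_mac="00e0-fc5e-0bad"))
    # client2 (static 10.1.1.1) has no entry yet, so with action "discard" it is dropped ...
    client2_ip = {"kind": "ip", "src_ip": "10.1.1.1", "src_mac": "00e0-fc5e-008a", **port}
    out["static_before_entry"] = snoop.check_arp_or_ip(client2_ip)
    # ... until the static binding is configured.
    snoop.add_static("00e0-fc5e-008a", "10.1.1.1", **port)
    out["static_after_entry"] = snoop.check_arp_or_ip(client2_ip)
    # Bogus renewal of client1's lease from another MAC, and a CHADDR/source-MAC mismatch.
    out["bogus_renewal"] = snoop.check_dhcp_request(
        {"ciaddr": "10.1.1.10", "chaddr": "00e0-fc5e-0bad", **port})
    out["chaddr_mismatch"] = snoop.check_chaddr(
        {"chaddr": "00e0-fc5e-0001", "src_mac": "00e0-fc5e-0bad"})
    # Once the lease expires the dynamic entry ages out; the static entry stays.
    snoop.age(now=3601)
    out["client1_after_expiry"] = snoop.check_arp_or_ip(client1_arp)
    out["entries_left"] = [e.kind for e in snoop.entries]
    out["dropped"] = dict(snoop.dropped)
    return out
```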
Option 82
l Format of a packet with an Option 82 field
Option 82 is a DHCP Relay Agent Information option that records location information
about a DHCP client. It is a special field contained in a DHCP message.
When a DHCPREQUEST message sent by a DHCP client passes through a DHCP relay
agent, the relay agent adds an Option 82 field to this DHCPREQUEST message. Upon
receipt, a DHCP server replies with a DHCPRESPONSE message containing the same
Option 82 field to the DHCP relay agent. The DHCP relay agent then determines for which
interface the DHCPRESPONSE message is destined based on the Option 82 field.
Figure 8-104 shows the format of a DHCP message with Option 82 field.
Option 82: code 82, length N, data i1 i2 i3 i4 i5 … iN. The data holds sub-options in the same code/length/value form:
Sub-option 1: code 1, length N, data a1 a2 a3 a4 a5 … aN
Sub-option 2: code 2, length N, data b1 b2 b3 b4 b5 … bN
Sub-option 9: code 9, length N, data c1 c2 c3 c4 c5 … cN
[Figure: DHCP message exchange through the relay agent. Client side: Discover, Offer, Request, Ack, then data exchange. Server side: Discover+Option82, Offer+Option82, Request+Option82, Ack+Option82.]
l Option 82 implementation
After the Option 82 function is enabled, a DHCP relay agent must check whether an Option
82 field is carried in a DHCPREQUEST message sent by a client.
– If the DHCPREQUEST message contains an Option 82 field, the agent handles it according
to the configured mode:
– Rebuild mode: The agent does not trust the Option 82 field contained in the received
message and rewrites Sub-option 1 contained in the Option 82 field.
– Insert mode: The agent trusts the Option 82 field contained in the received message
and does not modify Sub-option 1 contained in the Option 82 field. The agent
checks whether Sub-option 9 is present. If Sub-option 9 is absent, the agent
adds Sub-option 9 to the message. If the message contains Sub-option 9, the agent
checks whether this sub-option contains the Device Identifier field. If there is no Device
Identifier field, the agent adds it after the manufacturer information field in the
message.
– If the DHCPREQUEST message does not contain an Option 82 field, the agent adds an
Option 82 field with Sub-option 1, regardless of whether Insert or Rebuild mode is configured.
The agent checks whether the message contains Sub-option 1 or Sub-option 9 and whether
a sub-option contains the Device Identifier field. If the message contains Sub-option 1 or
Sub-option 9, or if a sub-option contains the Device Identifier field, the agent parses
the Option 82 field and strips the Device Identifier field off Sub-option 1 or Sub-option 9
before forwarding the DHCPRESPONSE message.
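The relay-agent Option 82 processing described above, as an added Python illustration (not NGFW code): TLV parsing of the DHCP options field and of the sub-options nested in Option 82, the Insert and Rebuild behaviours, and the reply path where the relay picks the outbound interface from Sub-option 1 and strips Option 82 before the Offer or Ack reaches the client. The circuit-id string format, the Sub-option 9 payload b"NGFW" and the interface names are assumptions, and the Device Identifier sub-check is not modelled.

```python
"""Option 82 handling on a DHCP relay agent (added illustration, not NGFW code).

DHCP options are code/length/value triples; Option 82 nests Sub-options 1, 2
and 9 in the same form. No Option 82 present: add one with Sub-option 1.
Present and Rebuild mode: rewrite Sub-option 1. Present and Insert mode: keep
it, add Sub-option 9 if missing. On the reply, route by Sub-option 1 and strip
Option 82. Sub-option contents are assumed; real ones are vendor specific.
"""
OPTION_82, SUBOPT_CIRCUIT_ID, SUBOPT_REMOTE_ID, SUBOPT_VENDOR = 82, 1, 2, 9
PAD, END = 0, 255
MSG_TYPE, DHCPREQUEST, DHCPACK = 53, 3, 5


def parse_options(data):
    """Top-level DHCP options field: 0 is padding, 255 terminates the list."""
    opts, i = {}, 0
    while i < len(data) and data[i] != END:
        if data[i] == PAD:
            i += 1
            continue
        code, length = data[i], data[i + 1]
        opts[code] = bytes(data[i + 2:i + 2 + length])
        i += 2 + length
    return opts


def build_options(opts):
    return b"".join(bytes([code, len(val)]) + val for code, val in opts.items()) + bytes([END])


def parse_suboptions(value):
    """Sub-options inside Option 82: same TLV layout, no pad or end codes."""
    subs, i = {}, 0
    while i < len(value):
        code, length = value[i], value[i + 1]
        subs[code] = bytes(value[i + 2:i + 2 + length])
        i += 2 + length
    return subs


def build_suboptions(subs):
    return b"".join(bytes([code, len(val)]) + val for code, val in subs.items())


def relay_request(options, mode, vlan, interface, device_id=b"NGFW"):
    """Rewrite a DHCPREQUEST's options as the relay would in 'insert' or 'rebuild' mode."""
    opts = parse_options(options)
    circuit_id = f"{vlan}/{interface}".encode()       # assumed circuit-id encoding
    if OPTION_82 not in opts:
        subs = {SUBOPT_CIRCUIT_ID: circuit_id}         # no Option 82: add Sub-option 1, any mode
    else:
        subs = parse_suboptions(opts[OPTION_82])
        if mode == "rebuild":
            subs[SUBOPT_CIRCUIT_ID] = circuit_id       # received option is not trusted
        elif mode == "insert":
            subs.setdefault(SUBOPT_VENDOR, device_id)  # trusted; add Sub-option 9 if absent
        else:
            raise ValueError(f"unknown Option 82 mode: {mode}")
    opts[OPTION_82] = build_suboptions(subs)
    return build_options(opts)


def relay_response(options):
    """Server echoes Option 82: pick the outbound interface from Sub-option 1, then strip it."""
    opts = parse_options(options)
    sub82 = opts.pop(OPTION_82, None)
    if sub82 is None:
        return None, build_options(opts)               # nothing to route on
    vlan, interface = parse_suboptions(sub82)[SUBOPT_CIRCUIT_ID].decode().split("/", 1)
    return interface, build_options(opts)


def demo():
    """Constructed Request/Ack option fields; returns the Option 82 contents after each step."""
    out = {}
    request = build_options({MSG_TYPE: bytes([DHCPREQUEST])})
    out["insert_new"] = parse_suboptions(
        parse_options(relay_request(request, "insert", 100, "GE1/0/1"))[OPTION_82])
    # A Request that already carries Option 82 from an upstream relay (constructed).
    tagged = build_options({MSG_TYPE: bytes([DHCPREQUEST]),
                            OPTION_82: build_suboptions({SUBOPT_CIRCUIT_ID: b"10/GE2/0/1"})})
    out["insert_tagged"] = parse_suboptions(
        parse_options(relay_request(tagged, "insert", 100, "GE1/0/1"))[OPTION_82])
    out["rebuild_tagged"] = parse_suboptions(
        parse_options(relay_request(tagged, "rebuild", 100, "GE1/0/1"))[OPTION_82])
    # The server's Ack echoes Option 82; the relay routes it and removes the option.
    ack = build_options({MSG_TYPE: bytes([DHCPACK]),
                         OPTION_82: build_suboptions({SUBOPT_CIRCUIT_ID: b"100/GE1/0/1"})})
    out["ack_interface"], out["ack_options"] = relay_response(ack)
    return out
```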
Prerequisites
Before preventing a bogus DHCP server attack on a Layer 2 interface, configure a DHCP server.
Context
NOTE
Procedure
Step 1 Access the system view.
system-view
DHCP messages sent by the trusted VLAN and interface are all forwarded properly.
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping { vlan vlan-id [ interface interface-type interface-
number ] } command to view DHCP snooping information on a specified interface.
Prerequisites
Before preventing a bogus DHCP server attack on a device, complete the following tasks:
Context
Note the following:
l When DHCP snooping is disabled, only the VLAN or interface connected to a DHCP server
is trusted by default.
l When DHCP snooping is enabled, the VLAN or interface connected to a DHCP server is
untrusted by default.
The device discards messages sent by the untrusted VLAN or interface. To configure the
VLAN or interface to be trusted, run the dhcp snooping trusted command.
Procedure
Step 1 Access the system view.
system-view
Enable DHCP snooping globally before enabling DHCP snooping on a Layer 3 interface.
l Ethernet interfaces
l Ethernet sub-interfaces
l Vlanif interfaces
l Layer 3 Eth-Trunk interfaces
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping interface interface-type interface-number command to
view DHCP snooping information on a specified interface.
Prerequisites
Before preventing man-in-the-middle and IP/MAC spoofing attacks on a Layer 2 interface,
configure a DHCP server.
Context
Dynamic entries in the DHCP snooping binding table do not need to be manually configured.
They are automatically generated after DHCP snooping is enabled. Static entries must be
manually configured.
NOTE
l If an IP address is dynamically assigned to a client, a device automatically learns the MAC address of
the client and generates an IP and MAC binding entry. This binding table requires no configuration.
l If an IP address is statically assigned to a client, a device cannot automatically learn the MAC address
of the client or generate an IP and MAC binding entry. You need to create IP and MAC binding table
manually.
If you do not create an IP and MAC binding table manually, the following two cases may occur:
l If the device is configured to forward packets without matching entries, packets from all
static IP addresses are forwarded, and all static clients can access the DHCP server properly.
By default, the device forwards mismatching packets.
l If the device is configured to discard packets without matching entries, packets from all
static IP addresses are discarded, and no static clients can access the DHCP server.
After receiving an ARP or an IP packet, the interface matches its source IP and MAC addresses
with entries in the DHCP snooping binding table and verifies the MAC address, IP address,
interface, and VLAN.
Procedure
Step 1 Access the system view.
system-view
Option 82 is appended to DHCP messages if the original DHCP message is not appended
with Option 82. If the original DHCP message is appended with Option 82, the original
Option 82 is forcibly removed, and new Option 82 is appended.
A binding table with accurate interface information can be created after Option 82 is enabled.
If there is no matching entry for a packet in the DHCP snooping binding table, the device
processes the packet using a user-defined method.
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping bind-table { ip-address ip-address | mac-address mac-
address | vlan vlan-id [ interface interface-type interface-number ] | static | dynamic |
all } command to view information about the DHCP snooping binding table.
l Run the display dhcp snooping { vlan vlan-id [ interface interface-type interface-
number ] } command to view DHCP snooping information on a specified interface.
l Run the display dhcp option82 { [ vlan vlan-id ] interface interface-type interface-
number } command to view the Option 82 status.
l Statistics about the discarded ARP, IP, and DHCP packets are displayed.
l Interface names and the matching MAC and IP addresses in the DHCP snooping binding
table are displayed.
<NGFW> display dhcp snooping vlan 100 interface GigabitEthernet 1/0/1
dhcp snooping enable interface GigabitEthernet 1/0/1
Prerequisites
Before preventing man-in-the-middle and IP/MAC spoofing attacks on Layer 3 interfaces,
complete the following tasks:
Context
Dynamic entries in the DHCP snooping binding table do not need to be manually configured.
They are automatically generated after DHCP snooping is enabled. Static entries must be
manually configured.
NOTE
l If an IP address is dynamically assigned to a client, a device automatically learns the MAC address of
the client and generates an IP and MAC binding entry. This binding table requires no configuration.
l If an IP address is statically assigned to a client, a device cannot automatically learn the MAC address
of the client or generate an IP and MAC binding entry. You need to create IP and MAC binding table
manually.
If you do not create an IP and MAC binding table manually, the following two cases may be
encountered:
l If the device is configured to forward packets without matching entries, packets from all
static IP addresses are forwarded, and all static clients can access the DHCP server properly.
By default, the device forwards mismatching packets.
l If the device is configured to discard packets without matching entries, packets from all
static IP addresses are discarded, and no static clients can access the DHCP server.
After receiving an ARP or an IP packet, the interface matches its source IP and MAC addresses
with entries in the DHCP snooping binding table and verifies the MAC address, IP address,
interface, and VLAN.
Procedure
Step 1 Access the system view.
system-view
Enable DHCP snooping globally before enabling DHCP snooping on a Layer 3 interface.
l Ethernet interfaces
l Ethernet sub-interfaces
l VlanIf interfaces
l Eth-Trunk interfaces
Option 82 is appended to DHCP messages if the original DHCP message is not appended
with Option 82. If the original DHCP message is appended with Option 82, the original
Option 82 is forcibly removed, and new Option 82 is appended.
A binding table with accurate interface information can be created after Option 82 is enabled.
If there is no matching entry for a packet in the DHCP snooping binding table, the device
processes the packet using a user-defined method.
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping bind-table { ip-address ip-address | mac-address mac-
address | vlan vlan-id [ interface interface-type interface-number ] | static | dynamic |
all } command to view information about the DHCP snooping binding table.
l Run the display dhcp snooping interface interface-type interface-number command to
view DHCP snooping information on an interface.
l Run the display dhcp option82 interface interface-type interface-number command to
view the Option 82 status.
dhcp snooping trusted
Procedure
Step 1 Access the system view.
system-view
Step 6 Enable the device to check CHADDRs of packets from a specified VLAN.
dhcp snooping check dhcp-chaddr enable interface interface-type interface-number
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping { vlan vlan-id [ interface interface-type interface-
number ] } command to view DHCP snooping information on an interface.
Prerequisites
Before preventing the attacker from changing CHADDR through a Layer 3 device, complete
the following tasks:
Procedure
Step 1 Access the system view.
system-view
Enable DHCP snooping globally before enabling DHCP snooping on a Layer 3 interface.
l Ethernet interfaces
l Ethernet sub-interfaces
l Vlanif interfaces
l Layer 3 Eth-Trunk interfaces
Enable checking CHADDRs. The device compares the CHADDR field in the received DHCP
Request message with the source MAC address in the frame header. If they are inconsistent, the
received DHCP request message is considered as an attack packet and is directly discarded.
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping { interface interface-type interface-number } command
to check DHCP snooping information on a specified interface.
Context
The dynamic entries in the DHCP snooping binding table require no configuration. They are
automatically generated when DHCP snooping is enabled. The static entries, however, must be
manually configured.
NOTE
l If the IP address is dynamically assigned to the client, the device automatically learns the MAC address
of the client and generates an IP and MAC binding entry. This binding table requires no configuration.
l If the IP address is statically assigned to the client, the device cannot automatically learn the MAC
address of the client, and no IP/MAC binding entry can be generated. You need to create the IP and
MAC binding table manually.
If you do not create an IP and MAC binding table manually, the following two cases may be
encountered:
l If packets without a matching entry are set to be forwarded, packets from all static IP
addresses are forwarded and all static clients can access the DHCP server properly. By
default, the device forwards mismatching packets.
l If packets without a matching entry are set to be discarded, packets from all static IP
addresses are discarded, and no static clients can access the DHCP server.
After receiving an ARP or an IP packet, the interface matches its source IP and MAC addresses
with entries in the DHCP snooping binding table and verifies the MAC address, IP address,
interface, and VLAN.
Procedure
Step 1 Access the system view.
system-view
Step 4 Enable the check of the rate at which DHCP messages are sent.
dhcp snooping check dhcp-rate enable
Step 8 Enable the device to check DHCP Request messages from a specified VLAN.
dhcp snooping check dhcp-request enable [ interface interface-type interface-number ]
If the original message does not carry Option 82, Option 82 is appended to DHCP messages.
If the message carries Option 82, Sub-option 9 is added to DHCP messages.
l To enable the device to forcibly add Option 82 to packets, run:
dhcp option82 rebuild enable interface interface-type interface-number
Option 82 is appended to DHCP messages if the original DHCP message is not appended
with Option 82. If the original DHCP message is appended with Option 82, the original
Option 82 is forcibly removed, and new Option 82 is appended.
A binding table with accurate interface information can be created after Option 82 is enabled.
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping bind-table { ip-address ip-address | mac-address mac-
address | vlan vlan-id [ interface interface-type interface-number ] | static | dynamic |
all } command to view information about the DHCP snooping binding table.
l Run the display dhcp snooping { vlan vlan-id [ interface interface-type interface-
number ] } command to view DHCP snooping information on an interface.
l Run the display dhcp option82 { [ vlan vlan-id ] interface interface-type interface-
number } command to view the Option 82 status.
l Statistics about the discarded ARP, IP, and DHCP packets are displayed.
l Interface names and their matching MAC addresses and IP addresses in the DHCP snooping
binding table are displayed.
<NGFW> display dhcp snooping vlan 100 interface GigabitEthernet 1/0/1
dhcp snooping enable interface GigabitEthernet 1/0/1
dhcp snooping check dhcp-request enable interface GigabitEthernet 1/0/1
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
Prerequisites
Before preventing the attacker from sending bogus messages for extending IP leases, complete
the following tasks:
Context
The dynamic entries in the DHCP snooping binding table require no configuration. They are
automatically generated when DHCP snooping is enabled. The static entries, however, must be
manually configured.
NOTE
l If the IP address is dynamically assigned to the client, the device automatically learns the MAC address
of the client and generates an IP and MAC binding entry. This binding table requires no configuration.
l If the IP address is statically assigned to the client, the device cannot automatically learn the MAC
address of the client, and no IP/MAC binding entry can be generated. You need to create the IP and
MAC binding table manually.
If you do not create an IP and MAC binding table manually, the following two cases may occur:
l If packets without a matching entry are set to be forwarded, packets from all static IP
addresses are forwarded and all static clients can access the DHCP server properly. By
default, the device forwards mismatching packets.
l If packets without a matching entry are set to be discarded, packets from all static IP
addresses are discarded, and no static clients can access the DHCP server.
After receiving an ARP or an IP packet, the interface matches its source IP and MAC addresses
with entries in the DHCP snooping binding table and verifies the MAC address, IP address,
interface, and VLAN.
Procedure
Step 1 Access the system view.
system-view
Step 4 Enable the check of the rate at which DHCP messages are sent.
dhcp snooping check dhcp-rate enable
l Ethernet interfaces
l Ethernet sub-interfaces
l Vlanif interfaces
l Layer 3 Eth-Trunk interfaces
Step 7 Enable the device to check DHCP Request messages sent by a specified interface.
dhcp snooping check dhcp-request enable
Option 82 is appended to DHCP messages if the original DHCP message is not appended
with Option 82. If the original DHCP message is appended with Option 82, the original
Option 82 is forcibly removed, and new Option 82 is appended.
A binding table with accurate interface information can be created after Option 82 is enabled.
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping bind-table { ip-address ip-address | mac-address mac-
address | static | dynamic | all } command to view information about the DHCP snooping
binding table.
l Run the display dhcp snooping interface interface-type interface-number command to
view DHCP snooping information on the interface.
l Run the display dhcp option82 interface interface-type interface-number command to
view the Option 82 status.
Prerequisites
Before configuring alarms about discarded packets, complete the following tasks:
Procedure
Step 1 Access the system view.
system-view
Step 4 Set the alarm threshold of the maximum number of discarded packets.
----End
Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping { interface interface-type interface-number | vlan vlan-
id [ interface interface-type interface-number ] } command to view DHCP snooping
information on a specified interface.
Action: Display Option82 information.
Command: display dhcp option82 [ vlan vlan-id ] interface interface-type interface-number
Action: Display information about DHCP snooping on a specific interface.
Command: display dhcp snooping [ vlan vlan-id ] interface interface-type interface-number
Resetting the DHCP snooping binding table results in information loss in the binding table. Perform the
resetting of the DHCP snooping binding table with caution.
Table 8-123 lists the commands run in the system view to maintain a DHCP snooping binding
table.
Before enabling the debugging, you must run the terminal monitor command in the user view
to enable the terminal information display function and the terminal debugging command in the
user view to enable the terminal debugging information display function.
NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.
Networking Requirements
DHCP clients access the DHCP relay agent on the network shown in Figure 8-108. DHCP
snooping needs to be configured on Layer 3 interfaces GigabitEthernet 1/0/1 and GigabitEthernet
1/0/2 on the NGFW. The interface on the DHCP client side is untrusted, and the interface on the
DHCP server side is trusted.
DHCP client1 uses the dynamically allocated IP address, and DHCP client2 uses the statically
configured IP address.
Figure 8-108 Networking diagram for configuring DHCP snooping on the device
[Figure 8-108 layout: DHCP Server (10.11.1.2/24) -- GE1/0/2 (Trusted, 10.11.1.1/24) -- NGFW acting as DHCP Relay -- GE1/0/1 (Untrusted, 10.1.1.254/24) -- Switch -- DHCP client1 (dynamically assigned address) and DHCP client2 (IP 10.1.1.1/24, MAC 00e0-fc5e-008a).]
Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure DHCP snooping binding tables and enable matching of ARP packets, IP packets,
and DHCPREQUEST messages against entries in the DHCP snooping tables to prevent
middleman attacks, IP/MAC spoofing attacks, and bogus DHCP messages that extend IP
leases.
4. Configure CHADDR check to prevent attackers from changing CHADDRs in the
messages.
5. Configure Option 82 and create a binding table covering accurate interface information.
6. Configure the sending of alarms to the network management station (NMS).
Procedure
Step 1 Configure basic DHCP relay function.
# Assign an IP address to GigabitEthernet 1/0/2.
<NGFW> system-view
[NGFW] sysname DHCP-Relay
# Configure the sub-interface on which the DHCP relay agent is to be enabled and configure the
IP address and mask for the sub-interface. Ensure that the sub-interface and the DHCP client
are on the same network segment.
[DHCP-Relay] interface GigabitEthernet 1/0/1
[DHCP-Relay-GigabitEthernet1/0/1] ip address 10.1.1.254 24
[DHCP-Relay-GigabitEthernet1/0/1] dhcp select relay
[DHCP-Relay-GigabitEthernet1/0/1] ip relay address 10.11.1.2
[DHCP-Relay-GigabitEthernet1/0/1] quit
# Configure the interface on the DHCP server side to be trusted and enable DHCP snooping on
all interfaces on the DHCP client side. If the interfaces on the DHCP client side are not set to
be trusted, they are untrusted by default after DHCP snooping is enabled. Configuring trusted
or untrusted interfaces prevents bogus DHCP server attacks.
[DHCP-Relay-GigabitEthernet1/0/2] dhcp snooping trusted
[DHCP-Relay-GigabitEthernet1/0/2] quit
Step 4 Enable the interface to check specified types of packets and configure DHCP snooping binding
tables.
# Check ARP and IP packets on the interfaces on the DHCP client side to prevent IP/MAC
spoofing attacks.
[DHCP-Relay] interface GigabitEthernet 1/0/1
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping check arp enable
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping check ip enable
# Enable the interfaces on the DHCP client side to check DHCPREQUEST messages to prevent
attackers from sending bogus DHCP messages to extend IP leases.
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping check dhcp-request enable
# Enable checking CHADDRs on the interfaces on the DHCP client side to prevent attackers
from changing CHADDRs in the messages.
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping check dhcp-chaddr enable
# If a client uses a static IP address, configure a static DHCP snooping entry.
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping bind-table static ip-address
10.1.1.1 mac-address 00e0-fc5e-008a
[DHCP-Relay-GigabitEthernet1/0/1] quit
# Set the rate of sending DHCPREQUEST messages to the protocol stack to prevent excessive
DHCPREQUEST messages.
[DHCP-Relay] dhcp snooping check dhcp-rate 90
[DHCP-Relay] dhcp snooping check dhcp-rate enable
Step 7 Configure behaviors to process packets that do not match the entries.
# Configure the global behaviors to process ARP and IP packets that do not match the entries.
[DHCP-Relay] dhcp snooping nomatch-packet arp action discard
[DHCP-Relay] dhcp snooping nomatch-packet ip action discard
# Configure behaviors to process the ARP and IP packets that do not match the entries on the
interface.
[DHCP-Relay] interface GigabitEthernet 1/0/1
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping nomatch-packet arp action discard
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping nomatch-packet ip action discard
----End
Result
l Run the display dhcp snooping global command on the DHCP relay agent. You can see
that DHCP snooping is enabled in the system and interface views. You can also view
statistics about alarms sent to the NMS.
[DHCP-Relay] display dhcp snooping global
dhcp snooping enable
Configuration Script
#
dhcp snooping enable
dhcp snooping nomatch-packet ip action discard
dhcp snooping nomatch-packet arp action discard
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm threshold 40
#
sysname DHCP-Relay
#
interface GigabitEthernet1/0/1
ip address 10.1.1.254 255.255.255.0
ip relay address 10.11.1.2
dhcp select relay
dhcp snooping enable
dhcp snooping check arp enable
8.13.1 Overview
IPv6 Neighbor Discovery (ND) defines a group of messages and processes for discovering
neighboring nodes. The IPv6 Secure Neighbor Discovery (SEND) protocol is an enhancement
of IPv6 ND.
Definition
The IPv6 NDP uses Internet Control Message Protocol version 6 (ICMPv6) messages to discover
neighbors. NDP functions include neighbor discovery, router discovery (RD), and ICMP
redirection.
SEND uses a set of new ND options to implement the authorization delegation discovery process,
address ownership proof mechanism, and message verification, which secures neighbor
discovery.
Purpose
ND does not provide any security mechanisms and is vulnerable to the following threats:
l NS/NA spoofing
Neighbor Solicitation/Advertisement Spoofing (NS/NA spoofing) is similar to IPv4 ARP
spoofing. An attacker sends NS/NA messages containing a forged link-layer address to
update the neighbor cache of a target node. Consequently, the target node sends packets to
the forged address.
l DAD attack
On networks where the hosts obtain their addresses using stateless address
autoconfiguration, an attacker can respond to every duplicate address detection (DAD)
attempt made by a host to launch an attack. If the attacker claims the address, the host
will never be able to obtain an address.
l Redirect attack
An attacker uses the link-layer address of the default gateway of a target node as a source
address to send a Redirect message to the target node. The message carries a nonexistent
next-hop address for the target node. Upon receiving the message, the target node sends
packets to the nonexistent next-hop address. As a result, the packets fail to reach their
destinations.
l Parameter spoofing
An attacker impersonates a local router and sends a forged Router Advertisement (RA)
message to a target node. The forged RA message contains a fake network prefix with a
set autonomous flag. After the message arrives, the target node performs stateless address
autoconfiguration and uses the fake prefix to generate an IPv6 address. When the target
node uses this IPv6 address as a source address to communicate with other hosts, the traffic
destined for the target node is discarded by the local router.
l Replay attack
An attacker intercepts valid messages and replays them later to send expired messages to
a target node.
SEND effectively defends against these security threats to secure neighbor discovery.
8.13.2 Mechanism
This section describes the IPv6 ND and SEND mechanisms.
8.13.2.1 IPv6 ND
IPv6 neighbor discovery (ND) uses ICMPv6 messages to implement address resolution, verify
neighbor reachability, detect duplicate addresses, discover routers and prefixes, automatically
assign addresses, and perform the redirection function.
Before assigning an IPv6 address to a single node, a router checks whether the address is
available and unique and performs either of the following operations:
l If the node is a host, the router notifies the host of the ideal next-hop address for forwarding
messages to a specific destination address.
l If the node is another router, the router advertises its address, address prefix, and other
parameters to that router.
Before forwarding an IPv6 message, the node verifies the data link layer address of its neighbor
node and its reachability.
[Figure: neighbor solicitation and advertisement exchange]
Neighbor Solicitation: IPv6 source 3000::1, destination ff02::1:ff00:0002; link-layer source 00e0-fe20-1f66, destination 3333-ff00-0002
Neighbor Advertisement: IPv6 source 3000::2, destination 3000::1; link-layer source 00e0-fe20-1f67, destination 00e0-fe20-1f66
1. If an IPv6 address is specified for a node, the node sends the NS message to check whether
the address is used by any neighbor.
2. When receiving the message, a neighbor node checks whether it has the same IPv6 address.
If it does, the neighbor node replies with an NA message that contains the IPv6 address to
the source node.
3. After the source node receives the reply message from the neighbor, the source node
considers that the IPv6 address is used by the neighbor. If the source node does not receive
the reply message from the neighbor, the IPv6 address is available.
Neighbor Discovery
The IPv6 ND function, similar to the IPv4 Address Resolution Protocol (ARP) function, resolves
neighbor addresses and detects neighbor reachability using NS and NA messages.
To obtain the data link layer address of another node on the same local link, a node sends an
ICMPv6 NS message of Type 135, which is similar to an IPv4 ARP request message. The
ICMPv6 NS message is transmitted to a multicast address, not a broadcast address. Only the
solicited node whose IP address has the same least significant 24 bits as the multicast
address receives the NS message, which minimizes broadcast storms. The destination node
adds its data link layer address to an NA message.
The NS message is also used to check the reachability of the neighbor with a known data link
layer address. The IPv6 NA message is sent in response to the IPv6 NS message. After receiving
the ICMPv6 NS message, the destination node replies with an ICMPv6 NA message of Type
136 on the local link. After the ICMPv6 NA message is received, the source and destination
nodes can communicate. A node also sends an NA message if its data link layer address on the
local link is changed.
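The solicited-node multicast addressing described above, as an added example (not code from the Huawei guide): it derives the ff02::1:ffxx:xxxx group and the 3333-xxxx-xxxx Ethernet address for an NS, and the values it prints are the ones shown in the NS/NA figure in this section.

```python
import ipaddress

# Added example (not from the Huawei guide): solicited-node multicast addressing
# used by NS/NA as described above. The addresses used in __main__ are taken
# from the NS/NA figure in this section (3000::1 resolving 3000::2).

SOLICITED_NODE_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_multicast(target: str) -> str:
    """Return the solicited-node multicast address for target (RFC 4291).

    The low-order 24 bits of the target are appended to ff02::1:ff00:0/104,
    so only nodes whose addresses share those 24 bits subscribe to the group.
    """
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(SOLICITED_NODE_PREFIX | low24))


def multicast_mac(group: str) -> str:
    """Map an IPv6 multicast group to its Ethernet address (RFC 2464).

    The MAC is 33-33 followed by the low-order 32 bits of the group address,
    written here in the xxxx-xxxx-xxxx notation the device's display output uses.
    """
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    h = "3333" + low32.to_bytes(4, "big").hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def node_listens(node_addr: str, group: str) -> bool:
    """True if a node configured with node_addr has joined the solicited-node group."""
    return solicited_node_multicast(node_addr) == group


def ns_addressing(src_ip: str, src_mac: str, target_ip: str, dad: bool = False) -> dict:
    """Compute the IPv6 and link-layer addresses of an NS that resolves target_ip.

    For DAD (RFC 4862) the sender has no usable address yet, so the IPv6
    source is the unspecified address :: while the link-layer source is
    still the sender's own MAC.
    """
    group = solicited_node_multicast(target_ip)
    return {
        "ipv6_src": "::" if dad else src_ip,
        "ipv6_dst": group,
        "link_src": src_mac,
        "link_dst": multicast_mac(group),
    }


if __name__ == "__main__":
    # Figure values: 3000::1 (00e0-fe20-1f66) resolves 3000::2
    ns = ns_addressing("3000::1", "00e0-fe20-1f66", "3000::2")
    print(ns)                                        # ipv6_dst ff02::1:ff00:2, link_dst 3333-ff00-0002
    print(node_listens("3000::2", ns["ipv6_dst"]))   # True
    print(node_listens("3000::1", ns["ipv6_dst"]))   # False: low 24 bits differ
```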
Router Discovery
The RD function locates neighbor routing devices and learns the prefixes and parameters for
address autoconfiguration. The IPv6 RD function is implemented using the following
mechanism:
l Router solicitation
When no unicast address is specified for a host (for example, when the system is just
restarted), the host sends an RS message. The RS message helps the router quickly
implement autoconfiguration without waiting for an RA message sent by the IPv6 routing
device. The IPv6 RS message is an ICMPv6 message of Type 133.
l Router advertisement
After IPv6 RA is configured on interfaces of a routing device, the routing device
periodically sends an RA message. After receiving an RS message from an IPv6 node on
the local link, a routing device replies with an RA message. The IPv6 RA message is sent
to the multicast address (FF02::1) of all nodes or to the IPv6 unicast address of the node
that sends the RS message. The IPv6 RA message is an ICMPv6 message of Type 134. The
IPv6 RA message includes the following contents:
– Whether address autoconfiguration is enabled or disabled
– Supported autoconfiguration type, stateless or stateful
– One or multiple local link prefixes: The nodes on the local link can implement address
autoconfiguration using these prefixes.
– Lifecycle of an advertised prefix of the local link
– Whether the router that sends an RA message can serve as a default routing device. If
the router serves as a default routing device, the time (in seconds) for the router serving
as the default routing device is included.
– Other information about the host, including the hop limit and MTU specified for
messages initiated by the host.
The IPv6 node on the local link receives an RA message and obtains the default routing
device, prefix list, and other settings.
Address Autoconfiguration
By using RA messages and identifying each prefix, a routing device can instruct the host how
to implement the address autoconfiguration. For example, the routing device can configure the
host to use the stateful (DHCPv6) address setting or stateless address autoconfiguration.
If the stateless address autoconfiguration is used and an RA message arrives, the host
automatically generates an IPv6 address by using the prefix and local interface ID carried in the
message and sets the default routing device.
Redirection
A redirection message notifies a host of the ideal next-hop IPv6 address to the destination.
Similar to IPv4, the IPv6 routing device sends a redirection message to only redirect the message
to a better routing device. The node that receives the redirection message sends subsequent
messages to the new routing device. The routing device sends the redirection message only for
the unicast flow. The redirection message is only sent to and processed by the node (host) that
initiates the redirection message.
SEND, an enhancement of IPv6 ND, introduces the following new message types and extension fields:
CGA
A CGA is an IPv6 address that a node generates from a public key using a hash algorithm. A
node discards packets that fail CGA authentication to defend against spoofing attacks. CGAs
are used with the RSA signature mechanism to protect packet integrity.
The procedure for generating a CGA and an RSA signature on a node is as follows:
5. Builds a packet with the CGA as the source IP address, fills the CGA parameters data structure
into the CGA option, signs the packet with the private key, and fills the signature into the RSA option.
After receiving a packet with CGA and RSA options, a node authenticates the packet as follows:
1. Obtains the CGA parameter data structure from the CGA option.
2. Computes a hash value based on the CGA parameters data structure, with the least
significant 64 bits as the network ID.
3. Checks whether the generated network ID matches that in the source IP address of the
packet.
4. Obtains the public key from the CGA parameter data structure to authenticate the RSA
signature.
After a CGA is generated, ND packets to be sent by the interface must meet the following
requirements:
l NS (excluding DAD messages), NA, RA, and Redirect messages carry CGAs as source
addresses.
l NS, NA, RA, and Redirect messages carry the following options:
– CGA option: contains the CGA parameter data structure.
– RSA option: contains signatures.
– Timestamp option: the number of seconds elapsed since January 1, 1970, 00:00 UTC
time.
l The NS message carries the Nonce option that contains a random number. The NA message
responding to the NS message also carries the same Nonce option.
Timestamp
A SEND-enabled node uses timestamps carried in ND messages to defend against replay attacks
for messages other than NS/NA. After receiving an ND message, the node checks, as specified in
RFC 3971, whether the timestamp is out of sequence and discards messages that fail the check.
Nonce
A nonce is a random value that serves as a label of the current session. Nonces are used to defend
against replay attacks during NS/NA message transactions. A node generates a random value
and adds it to NS messages before sending the NS messages to request link-layer addresses of
other nodes. After receiving the NS messages, the receivers send NA messages that carry the
same random value as the received NS messages.
Router Authorization
To prevent attackers from sending packets in the name of routers, SEND introduces CPS and
CPA messages to verify router identities.
Routers must apply for certificates from the Certificate Authority (CA). The certificates contain
routers' identity information, public keys, and CA digital signatures.
In the stateless address autoconfiguration scenario, after receiving an RA message, a host sends
a CPS message to request the certificate of a router. The router responds by sending its certificate
in a CPA message. After receiving the CPA message, the host attempts to authenticate the
certificate and considers the router as a default router only after the certificate is successfully
authenticated.
Prerequisites
Before configuring a static neighbor, configure the IPv6 address for an interface.
Procedure
Step 1 Access the system view.
system-view
----End
Follow-up Procedure
Run the display ipv6 neighbors command to check the cache of the neighbor information
containing neighbors' IPv6 addresses and the specified interfaces.
<NGFW> display ipv6 neighbors GigabitEthernet 1/0/1
IPv6 Addr: FE80::222:A1FF:FE01:B23C Link-layer: 0022-a101-b23c
State : STALE Interface : GE1/0/1
Age : 3 VLAN : -
-----------------------------------------------------------------------------
Total:2 Dynamic:1 Static:1
Procedure
Step 1 Access the system view.
system-view
By default, the maximum interval is 600 seconds, and the minimum interval is 200 seconds. The
maximum interval cannot be shorter than the minimum interval.
----End
Follow-up Procedure
Run the display ipv6 interface command to view the interval at which RA messages are
advertised.
<NGFW> display ipv6 interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::222:A1FF:FE00:2259
Global unicast address(es):
2001:1::1:1, subnet is 2001:1::/64
2002:1::222:A1FF:FE00:2259, subnet is 2002:1::/64
Joined group address(es):
FF02::1:FF01:1
FF02::9
FF02::1:FF00:2259
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses
Context
Table 8-125 lists the description of parameters in an RA message.
Parameter: Router Lifetime
Description: The time for which a router advertising RA messages functions as the default router.
A host determines whether to use a router that advertises RA messages as the default router
based on the router lifetime carried in the RA messages.
Procedure
Step 1 Access the system view.
system-view
By default, the prefix of RA messages is not configured. The IPv6 address of the interface that
sends RA messages is used as a prefix.
Step 5 Set the autoconfiguration flag bit for obtaining an IPv6 address to 1.
ipv6 nd autoconfig managed-address-flag
By default, the flag bit is set to 0, which enables a host to use stateless autoconfiguration to
obtain its IPv6 address.
If the flag bit is set to 1, the host uses stateful autoconfiguration to obtain its IPv6 address.
Step 6 Set the autoconfiguration flag bit for obtaining information excluding an IPv6 address.
ipv6 nd autoconfig other-flag
By default, the flag bit is set to 0, which enables a host to use stateless autoconfiguration to
obtain other information.
If the flag bit is set to 1, a host uses stateful autoconfiguration to obtain other information.
The interval at which RA messages are advertised must be less than or equal to the router lifetime.
----End
Follow-up Procedure
Run the display ipv6 interface command to view RA message parameters.
<NGFW> display ipv6 interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::222:A1FF:FE00:2259
Global unicast address(es):
2001:1::1:1, subnet is 2001:1::/64
2002:1::222:A1FF:FE00:2259, subnet is 2002:1::/64
Joined group address(es):
FF02::1:FF01:1
FF02::9
FF02::1:FF00:2259
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 30000 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
Hosts use DHCP to obtain routable addresses.
Hosts use DHCP to obtain other configuration.
Context
DAD is part of IPv6 address autoconfiguration. You can configure the number of DAD messages
that can be sent.
After obtaining an IPv6 address, an interface sends a DAD request message to its neighbors. If
no response is received within the period specified using the ipv6 nd ns retrans-timer command,
the interface sends the request message again. If the number of attempts reaches the specified
upper limit and no response has been received, the IPv6 address is considered valid.
Procedure
Step 1 Access the system view.
system-view
Step 3 Set the number of times DAD messages can be sent.
ipv6 nd dad attempts value
The default value is 1. The value 0 indicates that no DAD message is sent.
----End
Follow-up Procedure
Run the display ipv6 interface command to view the number of DAD messages that can be
sent.
<NGFW> display ipv6 interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::222:A1FF:FE00:2259
Global unicast address(es):
2001:1::1:1, subnet is 2001:1::/64
2002:1::222:A1FF:FE00:2259, subnet is 2002:1::/64
Joined group address(es):
FF02::1:FF01:1
FF02::9
FF02::1:FF00:2259
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 30000 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
Hosts use DHCP to obtain routable addresses.
Hosts use DHCP to obtain other configuration.
Prerequisites
Before you configure stateless address autoconfiguration, complete the following tasks:
l Enable the IPv6 forwarding on an interface, configure a link-local address, and bring the
interface Up. For details, see 8.1 Interface and Interface Pair.
l Configure a global unicast address or link-local address, specify a prefix for RA
advertisement, and enable RA advertisement on a peer router. For details, see 8.13.3.2
Configuring RA Message Advertisement and 8.13.3.3 Configuring RA Message
Parameters.
NOTE
The prefix advertised in RA messages must be 64 bits or shorter for stateless address
autoconfiguration.
Procedure
Step 1 Access the system view.
system-view
----End
Follow-up Procedure
# Run the display ipv6 auto-configuration prefix all command to view IPv6 prefixes and
derived IPv6 addresses of all interfaces.
<NGFW> display ipv6 auto-configuration prefix all
Current Total Autoconfig Prefix Number: 1
-----------------------------------------------------------------------------
Index : 1
Interface name : GigabitEthernet1/0/1
Prefix : 3001::/64
IPv6 address : 3001::200:5EFF:FE5C:8900
Preferred Lifetime(sec) : 604800
Preferred Lifetime Left(sec): 604750
Valid Lifetime(sec) : 2592000
Valid Lifetime Left(sec) : 2591950
Link-local address of router: FE80::200:5EFF:FE87:4003
-----------------------------------------------------------------------------
The preceding command output shows that the automatically obtained Prefix is 3001::/64. The
IPv6 address derived from the prefix is 3001::200:5EFF:FE5C:8900.
After the IPv6 address is obtained, the device automatically creates a default route to the peer
device.
# Run the display ipv6 auto-configuration default-route-table command to view the default
routing information.
<NGFW> display ipv6 auto-configuration default-route-table
Current Total Autoconfig Default Route Number: 1
-----------------------------------------------------------------------------
Index : 1
Interface name : GigabitEthernet1/0/1
Cur Hop Limit : 64
MTU : 1500
Reachable Time(ms) : 30000
Retrans Timer(ms) : 1000
Router Lifetime(sec) : 1800
Router Lifetime Left(sec) : 1599
Route Preference : 65
Link-local address of router: FE80::200:5EFF:FE87:4003
-----------------------------------------------------------------------------
# Run the display ipv6 routing-table or display ipv6 fib command to view the default routing
information. The output is not provided here.
Context
The CGA is an IPv6 address generated using a public key and a hash algorithm. Nodes discard
packets that fail CGA authentication, which defends against spoofing attacks. The Rivest-
Shamir-Adleman algorithm (RSA) can be used to protect packet integrity.
The procedure for generating the CGA and RSA signature on a node is as follows:
After receiving a packet with CGA and RSA options, a node authenticates the packet as follows:
1. Obtains the CGA parameters data structure from the CGA option.
2. Computes the hash value based on the CGA parameters data structure, with the least
significant 64 bits of the value as the network ID.
3. Checks whether the generated network ID matches that in the source IP address of the packet.
4. Obtains the public key from the CGA parameters data structure to authenticate the RSA
signature.
After CGAs are generated, the interface sends ND packets based on the following rules:
l The CGA is a source IP address of the NS (excluding DAD messages), NA, RA, and
Redirect messages sent by the interface.
l The NS, NA, RA, and Redirect messages sent by the interface all carry the following
information:
– CGA option: contains the CGA parameters data structure
– RSA option: contains signatures.
– Timestamp option: the number of seconds since January 1, 1970, 00:00 UTC. This value
represents the current time of the device.
l The NS message sent by the interface carries the Nonce option containing a random number.
The NA message replied by the interface also carries the Nonce option containing the Nonce
value in the received NS message.
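CGA generation and the four-step verification described here (and in 8.13.2.1 above), as an added example that is not Huawei's implementation: it follows RFC 3972, which the ipv6 cga-parameters command cites, for the sec-level values 0 and 1 the guide supports. The public key is a constructed byte string standing in for the DER-encoded RSA key, and the RSA-signature option itself is not covered.

```python
import hashlib
import ipaddress
import os

# Added example (not Huawei's code): CGA generation and verification per RFC 3972.
# The "public key" is a constructed byte string in place of a DER RSA public key.

SEC_LEVELS = (0, 1)  # sec-level values the guide exposes; RFC 3972 allows 0..7


def _hash1(params: bytes) -> bytes:
    # Hash1: leftmost 64 bits of SHA-1 over the whole CGA Parameters structure
    return hashlib.sha1(params).digest()[:8]


def _hash2(modifier: bytes, pubkey: bytes) -> bytes:
    # Hash2: leftmost 112 bits of SHA-1 over modifier || 9 zero bytes || public key
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    # The leftmost 16*sec bits of Hash2 must be zero (always true for sec 0)
    return int.from_bytes(_hash2(modifier, pubkey), "big") >> (112 - 16 * sec) == 0


def encode_params(modifier: bytes, prefix8: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """CGA Parameters: modifier(16) | subnet prefix(8) | collision count(1) | public key."""
    return modifier + prefix8 + bytes([collision_count]) + pubkey


def generate_cga(prefix: str, pubkey: bytes, sec: int, collision_count: int = 0, modifier=None):
    """Return (address, cga_params). The caller bumps collision_count after a DAD conflict."""
    if sec not in SEC_LEVELS or not 0 <= collision_count <= 2:
        raise ValueError("unsupported sec level or collision count")
    prefix8 = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    modifier = os.urandom(16) if modifier is None else modifier
    # Search for a modifier whose Hash2 has 16*sec leading zero bits; this is the
    # work that makes a higher sec level slower to generate, as the guide notes
    while not _hash2_ok(modifier, pubkey, sec):
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    params = encode_params(modifier, prefix8, collision_count, pubkey)
    iid = bytearray(_hash1(params))
    # Write sec into the three leftmost bits and clear the u and g bits (0x02, 0x01)
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return str(ipaddress.IPv6Address(prefix8 + bytes(iid))), params


def verify_cga(address: str, params: bytes) -> bool:
    """Authenticate a claimed source address against the CGA option it carries."""
    packed = ipaddress.IPv6Address(address).packed
    if len(params) < 25 or params[24] > 2:
        return False                      # malformed, or collision count out of range
    if params[16:24] != packed[:8]:
        return False                      # prefix in the parameters must match the address
    sec = packed[8] >> 5                  # sec level is carried in the address itself
    expected = bytearray(_hash1(params))  # recompute Hash1 from the received parameters
    if (expected[0] & 0x1C) != (packed[8] & 0x1C) or expected[1:] != packed[9:]:
        return False                      # Hash1 mismatch: address is not bound to this key
    modifier, pubkey = params[:16], params[25:]
    return _hash2_ok(modifier, pubkey, sec)


if __name__ == "__main__":
    key = b"constructed-public-key-bytes"    # placeholder for a DER RSA public key
    addr, params = generate_cga("2001:db8:1::/64", key, sec=1)
    print(addr, verify_cga(addr, params))                    # True
    print(verify_cga(addr, params[:25] + b"attacker-key"))   # False: key swapped
```

A spoofed packet whose source address does not match the Hash1 of the supplied key, or whose CGA option names a different prefix, fails the check and is dropped, which is the defence the guide describes.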
Procedure
Step 1 Access the system view.
system-view
NOTICE
After the command is executed, you are prompted to enter the length of the host key. To enhance
security, it is recommended that the host key be longer than 1024 bits.
ipv6 cga-parameters { create label key-label [ sec-level value ] | destroy label key-label }
The value parameter specifies the security level of CGA parameters. The value can be 0 or 1.
The default value is 0. The larger the value is, the higher the security level of CGA parameters
is, and the longer it takes to generate CGA parameters.
After the command is executed, CGA parameter file key-label.cga.params is generated based
on the RSA public and private key pairs, specified security level, and algorithm in RFC 3972,
and saved to the hda1:/.
Before running this command, you must run the ipv6 enable command on the interface.
For RA and Redirect messages, CGAs must be generated for the link-local addresses of
interfaces.
After the interface is configured to work in full SEND mode, the system discards the ND packets
without the CGA, RSA, Timestamp, or Nonce option.
If this command is not executed, the system properly processes the received ND packets without
the CGA, RSA, Timestamp, or Nonce option. In other words, the device can communicate with
the node to which the SEND function is not applied.
----End
Context
According to the timestamp authentication mechanism in RFC 3971, the Delta and Fuzz parameters
are used to defend against replay attacks. By default, the Delta value is 300s and the Fuzz value
is 1s. You can adjust the two parameters to control how strict the defense is. The larger the values,
the looser the defense.
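The RFC 3971 timestamp check that Delta and Fuzz tune, as an added example (not Huawei's implementation) run over constructed RA traffic, including a replayed copy of an earlier RA. Timestamps are modelled as seconds rather than the 64-bit wire format, and the RFC's clock-drift allowance is assumed at its default of 1% because the guide does not expose it as a parameter.

```python
# Added example (not Huawei's code): RFC 3971 section 5.3.4.2 timestamp check.
# Timestamps are plain seconds; DRIFT is assumed at the RFC default of 1%.
DEFAULT_DELTA = 300.0   # seconds, the guide's default
DEFAULT_FUZZ = 1.0      # seconds, the guide's default
DEFAULT_DRIFT = 0.01    # RFC 3971 default, assumed here


class SendTimestampChecker:
    """Per-peer timestamp validation for RA, Redirect and other non-NS/NA messages."""

    def __init__(self, delta=DEFAULT_DELTA, fuzz=DEFAULT_FUZZ, drift=DEFAULT_DRIFT):
        self.delta, self.fuzz, self.drift = delta, fuzz, drift
        self._cache = {}   # peer address -> (TSlast, RDlast)

    def check(self, peer: str, ts_new: float, rd_new: float) -> bool:
        """ts_new is the timestamp in the message, rd_new the local receive time."""
        cached = self._cache.get(peer)
        if cached is None:
            # First message from this peer: the two clocks must agree within Delta
            ok = -self.delta < (rd_new - ts_new) < self.delta
        else:
            ts_last, rd_last = cached
            # Known peer: the timestamp must have advanced at least as much as local
            # time did since the last accepted message, less drift and Fuzz slack
            ok = ts_new + self.fuzz > ts_last + (rd_new - rd_last) * (1 - self.drift) - self.fuzz
        if ok:
            self._cache[peer] = (ts_new, rd_new)   # only accepted messages update the cache
        return ok


def replay_scenario(delta=DEFAULT_DELTA, fuzz=DEFAULT_FUZZ):
    """Feed constructed RA arrivals through the checker and return the verdicts in order."""
    chk = SendTimestampChecker(delta=delta, fuzz=fuzz)
    router = "fe80::200:5eff:fe87:4003"   # constructed peer, styled after the guide's output
    return [
        chk.check(router, ts_new=1000.0, rd_new=1000.0),  # fresh RA, clocks aligned: accept
        chk.check(router, ts_new=1060.0, rd_new=1060.0),  # next RA 60 s later: accept
        chk.check(router, ts_new=1000.0, rd_new=1070.0),  # first RA replayed: reject
        chk.check(router, ts_new=1127.0, rd_new=1130.0),  # 3 s behind: reject at Fuzz 1 s, accept at 20 s
        chk.check("fe80::1", ts_new=1000.0, rd_new=2000.0),  # new peer 1000 s off: reject at Delta 300 s
    ]


if __name__ == "__main__":
    print(replay_scenario())                          # [True, True, False, False, False]
    print(replay_scenario(delta=2000.0, fuzz=20.0))   # [True, True, False, True, True]
```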
Procedure
Step 1 Access the system view.
system-view
----End
Prerequisites
A CA certificate and a local certificate have been applied for and saved on the storage medium of the
NGFW.
Context
After the certificate is configured for the interface, the interface answers the CPS message sent
by the host with a CPA message containing the certificate. After receiving the CPA message,
the host authenticates the certificate. The host regards the router as the default router only when
the certificate passes the authentication.
Procedure
Step 1 Display the system view.
system-view
The cert-filename parameter specifies the name of a local certificate saved on a storage media.
The value is a string of 1 to 64 characters.
----End
8.13.5 Maintaining ND
After configuring IPv6 ND, you can run the display commands to view the related configuration.
You can also clear configuration information or enable the debugging function if necessary.
Action: Display IPv6 neighbor information in the cache.
Command: display ipv6 neighbors [ ipv6-address | [ vid vlan-id ] interface-type interface-number ]
Action: Display the IPv6 prefix automatically obtained by an interface.
Command: display ipv6 auto-configuration prefix all { all | interface interface-type interface-number }
Table 8-127 lists the commands run in the user view to reset IPv6.
Action: Clear IPv6 neighbor entries in the cache.
Command: reset ipv6 neighbors { all | dynamic | static | vid vlan-id [ interface-type interface-number ] | interface-type interface-number }
Action: Clear the IPv6 prefix automatically obtained by the interface.
Command: reset ipv6 auto-configuration prefix { all | interface interface-type interface-number }
NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.
For details on the description of the debugging commands, see Debugging Reference.
Table 8-128 lists the commands to debug IPv6 information.
Networking Requirements
NGFW_A and NGFW_B are connected on the network shown in Figure 8-110. GigabitEthernet
1/0/1 on NGFW_A automatically obtains an IPv6 address to communicate with NGFW_B.
Figure 8-110: NGFW_A connected to NGFW_B through GigabitEthernet 1/0/1.
Configuration Roadmap
The configuration roadmap is as follows:
Procedure
Step 1 Configure NGFW_A.
# Enable IPv6.
<NGFW> system-view
[NGFW] sysname NGFW_A
[NGFW_A] ipv6
# Enable IPv6.
<NGFW> system-view
[NGFW] sysname NGFW_B
[NGFW_B] ipv6
----End
Configuration Verification
1. If the configurations are successful, the prefix obtained by NGFW_A is 3001::/64.
# Display the prefix obtained automatically by NGFW_A.
[NGFW_A] display ipv6 auto-configuration prefix all
Current Total Autoconfig Prefix Number: 1
-----------------------------------------------------------------------------
Index : 1
Interface name : GigabitEthernet1/0/1
Prefix : 3001::/64
IPv6 address : 3001::200:5EFF:FEB5:400
Preferred Lifetime(sec) : 604800
Preferred Lifetime Left(sec): 604750
Valid Lifetime(sec) : 2592000
Valid Lifetime Left(sec) : 2591950
Link-local address of router: FE80::200:5EFF:FE87:4003
-----------------------------------------------------------------------------
Index : 1
Interface name : GigabitEthernet1/0/1
Cur Hop Limit : 64
MTU : 1500
Reachable Time(ms) : 30000
Retrans Timer(ms) : 1000
Router Lifetime(sec) : 1800
Router Lifetime Left(sec) : 1599
Route Preference : 65
Link-local address of router: FE80::200:5EFF:FE87:4003
-----------------------------------------------------------------------------
2. Display the IPv6 address of GigabitEthernet 1/0/1. The IPv6 address prefix is 3001::/64.
Run the display this ipv6 interface command to view the IPv6 address of GigabitEthernet
1/0/1.
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] display this ipv6 interface
GigabitEthernet1/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::200:5EFF:FEB5:400
Global unicast address(es):
3001::200:5EFF:FEB5:400, subnet is 3001::/64
Joined group address(es):
FF02::1:FFB5:400
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
3. Display default routes in the IPv6 FIB table. The destination address is ::.
# Run the display ipv6 fib command to view the default routes in the IPv6 FIB table.
[NGFW_A] display ipv6 fib
FIB Table:
Total number of Routes : 5
Destination: :: PrefixLength : 0
NextHop : FE80::200:5EFF:FE87:4003 Flag : GSU
Label : NULL Tunnel Token : 0
PortIndex : 1 Tunnel ID : 0
TimeStamp : Date- 17:10:2011, Time- 14:40:14 reference : 1
Interface : GigabitEthernet1/0/1
IP6Token : 0x0
Configuration Scripts
Configuration script for NGFW_A:
#
sysname NGFW_A
#
ipv6
#
interface GigabitEthernet1/0/1
ipv6 enable
Networking Requirements
The NGFW shown in Figure 8-111 functions as a default router for a host on a local link and
is connected to an extranet. The NGFW has the following interfaces:
l GigabitEthernet 1/0/1 belongs to the Trust zone and connects to a local IPv6 link.
l GigabitEthernet 1/0/2 belongs to the Untrust zone and connects to the extranet.
Figure 8-111: Host on the local link connected to the NGFW, which acts as its default router.
Procedure
Step 1 Configure a CGA.
# Adjust parameters for authenticating the timestamp on GigabitEthernet 1/0/1. Set the Delta
value to 100s and the Fuzz value to 20s.
[NGFW-GigabitEthernet1/0/1] ipv6 nd secured timestamp delta 100 fuzz 20
# Configure the certificate for GigabitEthernet 1/0/1. In the following example, a local certificate
device.cer is saved to the storage media.
[NGFW-GigabitEthernet1/0/1] ipv6 nd secured local-certificate filename device.cer
----End
Configuration Script
#
sysname NGFW
#
ipv6
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 cga-parameters cga
ipv6 nd secured timestamp delta 100 fuzz 20
8.14 IP Performance
This section describes IP performance parameter concepts and how to configure the parameters.
8.14.1 Overview
On specific networks, IPv4/IPv6 parameters must be adjusted to achieve optimal network
performance.
IPv4 Performance
You can achieve better performance by adjusting parameters of some IPv4 features in different
application scenarios.
IPv4 performance optimization can be performed only after a device is enabled with specific
functions, such as the interface maximum transmission unit (MTU), Internet Control Message
Protocol (ICMP) function, and TCP attributes.
ICMP messages are used by either the IP layer or the higher layer protocol (TCP or UDP). ICMP
error messages require your attention.
IPv6 Performance
Because 32-bit IPv4 addresses may be exhausted, 128-bit IPv6 addresses are increasingly used.
Most IPv6 applications are the same as IPv4 applications. Only some commands, interface
configurations, and parts of applications are different.
IPv6 PMTU
The problem that different networks have different maximum transmission units (MTUs) can be
solved in the following ways:
The path MTU (PMTU) discovery mechanism aims to discover a proper MTU value on the path
between the source and destination nodes.
Context
In IP spoofing, an attacker changes its own IP address to that of an intranet user or a
trusted external user to obtain information without authorization.
Source IP address verification: After receiving an IP packet, an interface verifies the source IP
address of the packet. If the source IP address does not belong to the network segment on which
the interface resides, the packet is discarded; otherwise, the packet is allowed to pass. Source IP
address verification helps defend against IP spoofing attacks.
Procedure
Step 1 Access the system view.
system-view
If the source IP address of a received packet contains a 31-bit mask, a node considers an IP
address with a 31-bit mask valid, without checking the source IP address.
----End
Context
If the device is allowed to receive and forward broadcast packets with destination IP addresses
on the specific network where the interface resides, a hacker can use these packets to attack the
network system. By default, the device cannot receive or forward broadcast packets with the
destination IP addresses on the network segment, on which the interface resides.
Procedure
Step 1 Display the system view.
system-view
----End
Context
ICMP error packets are used to notify a device of anomalies for control and management.
By default, a device is disabled from sending ICMP redirect packets, destination unreachable packets
(except those that require fragmentation but carry the non-fragmentation bit), and
timeout packets.
NOTE
If a device is disabled from sending ICMP timeout packets, the device does not send ICMP timeout packets
for expired TTLs, but can still send ICMP timeout packets for reassembly timeouts.
Procedure
Step 1 Access the system view.
system-view
Step 3 Enable the device to send ICMP destination unreachable packets, except those packets that
require fragmentation but carry the non-fragmentation bit.
ip unreachables enable
Step 4 Enable the device to send ICMP destination unreachable packets for packets that require fragmentation but
carry the non-fragmentation bit.
ip df-unreachables enable
----End
Context
The TCP attributes are as follows:
l SYN-WAIT timer
TCP starts the SYN-WAIT timer before sending SYN packets. If no response packets are
received after the SYN-WAIT timer expires, a TCP connection is terminated.
l FIN-WAIT timer
The FIN-WAIT timer starts after a TCP connection changes from FIN_WAIT_1 to
FIN_WAIT_2. If no FIN packets are received after the FIN-WAIT timer expires, a TCP
connection is terminated. If FIN packets are received, the TCP connection changes to the
TIME_WAIT state. If non-FIN packets are received, TCP restarts the SYN-WAIT timer
upon receiving the last non-FIN packet and terminates the TCP connection after the SYN-
WAIT timer expires.
l TCP sliding window size
The TCP sliding window size is the size of the buffer for sent and received packets on a TCP
socket.
l MSS
The MSS of a TCP packet is the maximum length allowed for a TCP packet sent from the
peer end to the local end. After a TCP connection is established, both ends notify each other
of their MSSs in TCP packets. After recording the peer end's MSS, the local end only sends
TCP packets smaller than the MSS. If a TCP packet from the peer end is smaller than the
local end's MSS, the packet is not segmented; otherwise, the peer end must send the packet
after segmenting it.
NOTICE
Modifying TCP attributes greatly affects the packet forwarding. Exercise caution when
performing this operation. Unless otherwise specified, use the default values.
Procedure
Step 1 Access the system view.
system-view
The MSS is equal to the interface MTU minus 40 bytes (20-byte IP header and 20-byte
TCP header). If Point-to-Point Protocol over Ethernet (PPPoE) dialup is used, an additional 8 bytes
(PPPoE header) must be deducted, so the MSS is the interface MTU minus 48 bytes.
For example:
If the interface MTU changes from 1500 bytes to 1450 bytes, the new MSS must be 1410 bytes.
If the interface MTU is 1500 and PPPoE dialup is used, the MSS must be set to 1452 bytes (1500
- 20 - 20 - 8).
NOTE
The firewall tcp-mss command only takes effect on subsequent TCP connections, not established ones.
----End
Context
ICMPv6 error packets can be classified into the following types:
Procedure
Step 1 Access the system view.
system-view
Step 2 Set the capacity of the token bucket and refreshing cycle for sending ICMPv6 error packets.
ipv6 icmp-error { bucket bucket-size | ratelimit interval } *
----End
Context
For details on the SYN-Wait timer, FIN-Wait timer, and buffer size of TCP attributes, see
8.14.2.4 Configuring TCP Attributes.
Procedure
Step 1 Access the system view.
system-view
----End
Context
When data flows to a specific destination IPv6 address are distributed on multiple links, the
packets of the same data flow are sent on the same link. A link is selected for the data flow based
on one of the following modes:
l Hash mode: The system uses the hash algorithm to calculate a value based on source and
destination IPv6 addresses and port numbers before selecting a link.
l Weightrr mode: The system uses the weighted round robin algorithm to distribute packets
to interfaces based on the weights assigned to the interfaces.
l Polling mode: Available links are selected sequentially to forward packets.
Procedure
Step 1 Access the system view.
system-view
----End
The MTU on an interface determines whether IP packets on the interface need to be fragmented.
The default value of the MTU on an interface varies with the interface type.
----End
Follow-up Procedure
If the IPv6 MTU value is changed, run the shutdown command and the undo shutdown
command in the interface view to make the configuration take effect.
Run the display ipv6 interface command to view the current IPv6 MTU on the interface.
<NGFW> display ipv6 interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::222:A1FF:FE00:2259
Global unicast address(es):
2001:1::1:1, subnet is 2001:1::/64
Joined group address(es):
FF02::1:FF01:1
FF02::1:FF00:2259
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
----End
Follow-up Procedure
Run the display ipv6 pathmtu command to view information about static PMTU entries.
<NGFW> display ipv6 pathmtu static
IPv6 Destination Address ZoneID PathMTU LifeTime(M) Type
2001:1::1:2 0 1500 - Static
-------------------------------------------------------------------------------
Static: 1
----End
Follow-up Procedure
Run the display ipv6 pathmtu dynamic command to view information about the dynamic
PMTU entries.
<NGFW> display ipv6 pathmtu dynamic
IPv6 Destination Address ZoneID PathMTU LifeTime(M) Type
fe80::12 0 1300 40 Dynamic
-------------------------------------------------------------------------------
Total: 1 Dynamic: 1 Static: 0
Action: Display the TCP connection status.
Command: display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port remote-port-number ] ]
Action: Display all current socket information.
Command: display ip socket [ monitor ] [ task-id task-id socket-id socket-id | sock-type socket-type ]
Action: Display all PMTU entries.
Command: display ipv6 pathmtu { ipv6-address | all | dynamic | static }
Table 8-130 lists the commands run in the user view to clear IP performance statistics.
Action Command
Before enabling the debugging, you must run the terminal monitor command in the user view
to enable the terminal information display function and the terminal debugging command in
the user view to enable the terminal debugging information display function.
NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.
For details on the description of the debugging commands, see Debugging Reference.
Action: Enable the UDP packet debugging.
Command: debugging udp packet [ local-ip src-address ] [ local-port src-port ] [ remote-ip dest-address ] [ remote-port dest-port ]
Command: debugging udp packet [ task-id task-id ] [ socket-id socket-id ]
Action: Enable the TCP packet debugging.
Command: debugging tcp packet [ local-ip src-address ] [ local-port src-port ] [ remote-ip dest-address ] [ remote-port dest-port ]
Command: debugging tcp packet [ task-id task-id ] [ socket-id socket-id ] [ flag flag-number ]
Action: Enable the TCP event debugging.
Command: debugging tcp event [ local-ip local-address ] [ local-port local-port ] [ remote-ip remote-address ] [ remote-port remote-port ]
Command: debugging tcp event [ task-id task-id ] [ socket-id socket-id ]
Action: Enable the TCP MD5 authentication debugging.
Command: debugging tcp md5 [ local-ip src-address ] [ local-port src-port ] [ remote-ip dest-address ] [ remote-port dest-port ]
Command: debugging tcp md5 [ task-id task-id ] [ socket-id socket-id ]
Action: Enable the RAWIP packet debugging.
Command: debugging rawip packet [ local-ip src-address ] [ remote-ip dest-address ] [ protocol protocol-number ] [ verbose verbose-number ]
Command: debugging rawip packet [ task-id task-id ] [ socket-id socket-id ] [ verbose verbose-number ]
9.1 Overview
This section describes the definition and objective of intelligent uplink selection.
Definition
When multiple links are available to the destination network, the NGFW can select the outbound
interface dynamically based on the specified link bandwidths, weights, priorities, or
automatically detected link quality to improve user experience and maximize the usage of link
bandwidths.
Objective
When the egress device of an enterprise has multiple links for load balancing, usually the egress
device randomly selects a link to forward the traffic regardless of the actual bandwidth and status
of each link. If the traffic volume is large, some links may be congested, and the others may be
idle, which wastes link resources. When a link has poor transmission quality, Internet
access may fail, which compromises user experience. Users cannot select a specific link to
forward the traffic, so extra charges may be incurred.
The intelligent uplink selection function enables the NGFW to forward traffic to each link based
on the specified link selection mode and dynamically tunes the link selection result in real time
to maximize the efficiency of link resources and improve user experience.
Precautions
The intelligent uplink selection cannot be used together with the IP spoofing attack defense or
URPF function. If the IP spoofing attack defense or URPF function is enabled, the NGFW may
discard packets.
9.3 Mechanism
This section describes the mechanisms of intelligent uplink selection, ISP address library link
selection, and link health check.
Background
As shown in Figure 9-1, an enterprise usually deploys multiple links at the network egress to
ensure Internet access stability and availability. This achieves the desired effects to a certain
extent. However, because the egress device does not evaluate the link performance differences
and real-time status, many problems may occur in actual application scenarios.
l If each link has different bandwidths, the links with large bandwidths may be idle, and the
links with small bandwidth may be congested.
l Because each ISP link provides different transmission quality and requires different service
charges, the enterprise sometimes needs to ensure service quality and sometimes to use the
link with a low charge. However, equal traffic distribution fails to meet these requirements.
l If the link between the egress device and destination device fails or the service on the
destination device is unavailable but the traffic is forwarded to the faulty link or destination
device with unavailable service, the access fails.
Figure 9-1 (image not reproduced): the NGFW at the enterprise egress connected to the Internet over multiple links.
Intelligent uplink selection on the NGFW can resolve the preceding problem in multi-egress link
selection scenarios on the basis of ensuring network stability and availability. Intelligent uplink
selection comprises global route selection and intelligent uplink selection based on policy-based
routes. The two link selection modes can be used at the same time without producing any
conflicts because they take effect in a certain order during link selection.
When forwarding traffic, the NGFW looks up the policy-based routes, detailed routes, and
default route in sequence to match traffic. Detailed routes are the most common routes, including
dynamic and static routes. When traffic matches a route, the NGFW forwards the traffic on the
route (ECMP routes are not considered here). However, traffic forwarding on such routes is
based on the packet destination address and fails to provide differentiated services. Therefore,
policy-based routes are used to forward traffic based on information, such as the source address,
destination address, and service type. If the traffic does not match any policy-based route or
detailed route, the NGFW forwards the traffic on the default route to prevent packet discarding.
If multiple outbound interfaces are available for traffic forwarding when the traffic matches a
policy-based route, intelligent uplink selection based on policy-based routes is used. If multiple
default routes are available for traffic forwarding when the traffic matches a default route, global
route selection is used.
Intelligent uplink selection is a policy-based route selection technology. You can configure
intelligent uplink selection modes based on the specific requirements to implement desired traffic
distribution effects. The NGFW supports four intelligent uplink selection modes:
l Load balancing by link bandwidth: The NGFW forwards traffic to each link based on the
link bandwidth ratio. This mode maximizes the link bandwidth efficiency.
l Load balancing by link weight: The NGFW forwards traffic to each link based on the link
weight ratio. This mode controls the ratio of traffic to be forwarded to each link and uses
specific links to forward more traffic, which maximizes the efficiency of all link resources
and enterprise interests and improves user experience.
l Active/Standby backup by link priority: The NGFW preferentially uses the link with the
highest priority to transmit traffic and treats all the other links as backup links or load
balancing links. This mode preferentially uses a specific link to forward traffic, improving
forwarding availability and user experience.
l Load balancing by link quality: Intelligent uplink selection based on policy-based routes
supports load balancing by link quality, but global route selection does not. The NGFW
tunes traffic distribution dynamically based on real-time traffic transmission quality. You
can use packet loss ratio, delay, and/or jitter to evaluate the traffic transmission quality of
a link to select the link with the best quality for traffic forwarding.
Figure 9-2 (image not reproduced): intelligent uplink selection process. Components: Client, NGFW, ISP1, ISP2. Stages: policy-based route/default route, intelligent uplink selection, quality detection. Labelled steps: 3 query the link health status; 4 link quality probe; 5 save the quality detection result; 6 intelligent uplink selection result; 7 and 8 service request packet.
The intelligent uplink selection process illustrated in Figure 9-2 is described as follows:
1. If you have configured Link Health Check, the NGFW will send probe packets to the
probed device to check whether the link between the local end and the destination network
is reachable. When the NGFW requires intelligent uplink selection, link health check will
report the real-time link status to facilitate forwarding availability improvement. If you
have not configured link health check, the NGFW considers all links as available.
2. When a service request from a client reaches the NGFW, the NGFW forwards the traffic
based on the route that the traffic matches.
3. If the traffic matches a policy-based route or default route and multiple outbound interfaces
are available for traffic forwarding, the NGFW needs to determine the optimal outbound
interface for forwarding the traffic (intelligent uplink selection).
4. Before intelligent uplink selection, the NGFW checks whether the link of each outbound
interface is available. Faulty links do not participate in intelligent uplink selection. The
NGFW uses link health check results to determine whether a link is available.
5. When the intelligent uplink selection mode is set to load balancing by link quality, the
NGFW sends link quality probe packets to the service server on healthy links to obtain the
transmission quality information of each link. In other intelligent uplink selection modes,
link health check is not required.
6. The NGFW saves link health check results in a link quality detection table. When receiving
follow-up traffic destined to the same service server, the NGFW selects a link based on the
information in the link quality detection table. When the link quality detection table ages
and service traffic reaches the NGFW, the NGFW triggers link quality probing again.
7. The NGFW computes the link selection result based on the specified intelligent uplink
selection mode.
8. The NGFW uses the specified outbound interface to forward service request packets based
on the link selection result.
9. The service server sends reply packets to the client.
ISP address library link selection is also called ISP link selection. When the NGFW functions
as an egress gateway and connects to multiple ISP networks, you can enable ISP address library
link selection on the NGFW to forward the traffic to a specific ISP network from the
corresponding outbound interface. This ensures that the traffic is forwarded on the shortest path.
As shown in Figure 9-3, the NGFW has two ISP links to the Internet. If an intranet user accesses
Server2 on ISP2 network and the NGFW has ECMP routes, the NGFW can forward the access
traffic from two different paths to Server2. Apparently, path 2 is not the best path, and path 1 is
the most desired path.
After you configure ISP address library link selection and intranet users access Server1 or
Server2, the NGFW selects an outbound interface based on the ISP network of the destination
address to forward the traffic from the shortest path to the server, as shown in path 3 and path 1
in Figure 9-3.
Figure 9-3 (image not reproduced): ISP address library link selection. Labels: Intranet, NGFW, ISP1, Server 1, Server 2, Line3: shortest path, Line2: detour.
Before you configure ISP address library link selection, you need to write the IP addresses of
each ISP network to a .csv file (ISP address file) and import these files to the NGFW. For
descriptions and requirements on writing ISP address files, see Figure 9-4.
The NGFW provides the ISP address files of the following carriers upon delivery:
The predefined and imported ISP address files are saved in the same folder named isp, and the
path is hda1:/isp/. Each ISP address file will automatically generate an ISP address group after
being imported. The ISP address group contains all IP addresses in the ISP address file. You can
reference the address group as the source or destination address in policy-based routes.
After you bind an outbound interface to an ISP name, the NGFW will generate static routes in
a batch to the ISP network. The destination is an IP address in the ISP address file, and the next
hop is the gateway address specified on the outbound interface. These static routes are called
ISP routes. They have the same priority as common static routes, and the default priority is 60.
Compared with manually collecting a large number of routes, using ISP address library link
selection is much more convenient. Associating an outbound interface with an ISP name is
equivalent to creating an ISP interface group and binding the interface to that group. Either the
interface or the ISP interface group can function as an intelligent uplink selection member interface.
NOTE
You can view ISP route entries in the routing table, whose protocol is identified as ISP. However, the
NGFW will not automatically generate the command (ip route-static) for batch ISP route generation.
To improve traffic forwarding reliability, ISP address library link selection can function with
Link Health Check to ensure that traffic is not forwarded to faulty links. If the health check
result indicates that a link is faulty, the NGFW will delete the ISP route entry. Therefore, traffic
will neither match this route nor be forwarded to the faulty link. When the link recovers, the
ISP route entry is created again, and traffic can be forwarded on this route.
NOTE
Unless otherwise specified, the concepts of "interface" and "interface link" are the same when you configure
the intelligent uplink selection mode. You need to configure link bandwidths, weights, and priorities of
interfaces on the NGFW.
The bandwidth here is the bandwidth specified for each interface on the NGFW. Generally
speaking, you need to set a proper bandwidth for each link based on the actual link or interface
bandwidth. The NGFW forwards traffic to each link based on the bandwidth ratio. Therefore,
the link with larger bandwidth forwards more traffic, and the link with smaller bandwidth forwards
less traffic, but the efficiency of all links is maximized.
As shown in Figure 9-5, the NGFW has three different ISP links. The bandwidth for ISP1 link
is 200M, and those for ISP2 and ISP3 are both 100M. Therefore, the bandwidth ratio is 2:1:1.
After the NGFW has forwarded traffic for a while, the traffic statistics show that the history
traffic of each link accounts for 50%, 25%, and 25% of the total traffic. That is, the ratio of traffic
on each link is in proportion with the bandwidth ratio.
To ensure that the links are not overloaded, you can set an overload protection threshold for each
link (90% for all links). When the bandwidth usage of a link reaches 90%, the NGFW no longer
forwards traffic to this link and implements load balancing based on the bandwidth ratio of the
links that are not overloaded. When all links are overloaded, the NGFW continues to forward
traffic based on the bandwidth ratio of all links.
Figure 9-5 (image not reproduced): the NGFW with three ISP links to the Internet, load balanced by link bandwidth.
performance" does not mean the link with the fastest forwarding speed, but the link that best
meets enterprise interests. Therefore, you need to set proper weight for each link based on the
actual conditions. The NGFW forwards traffic to each link based on the weight ratio. Therefore,
the link with larger weight forwards more traffic, and the link with smaller weight forwards less
traffic, but all links are used in a manner to maximize link efficiency.
As shown in Figure 9-6, the NGFW has three different ISP links. The weights of ISP1, ISP2,
and ISP3 links are respectively 5, 3, and 2. The weight ratio is 5:3:2. After the NGFW has
forwarded traffic for a while, the traffic statistics show that the history traffic of each link
accounts for 50%, 30%, and 20% of the total traffic. That is, the ratio of traffic on each link is
in proportion with the weight ratio.
To ensure that the links are not overloaded, you can set an overload protection threshold for each
link (90% for all links). When the bandwidth usage of a link reaches 90%, the NGFW no longer
forwards traffic to this link and implements load balancing based on the weight ratio of the links
that are not overloaded. When all links are overloaded, the NGFW continues to forward traffic
based on the weight ratio of all links.
Figure 9-6 (image not reproduced): the NGFW with three ISP links to the Internet, load balanced by link weight.
interface preferentially to forward traffic. If no overload protection threshold is specified for the
active interface, the NGFW will not use other links to transmit traffic even if the link is
overloaded. The standby interface with the second highest priority is activated to substitute the
active interface only after the link of the active interface fails. Other backup interfaces remain
backup. This condition is called active/standby backup.
To improve transmission reliability, you can set an overload protection threshold for each
interface. When the active interface is overloaded, the NGFW will use the standby interface with
the second highest priority to share the traffic load with the active interface. If both the active
interface and the standby interface with the highest priority are overloaded, the interface with
the highest priority among the other standby interfaces is activated to forward traffic. This
scenario is called load balancing.
As shown in Figure 9-7, the NGFW has three different ISP links. The priorities of ISP1, ISP2,
and ISP3 links are respectively 8, 3, and 1. ISP1 link has the highest priority. An overload
protection threshold of 90% is set for each link. The NGFW uses ISP1 link preferentially to
forward traffic. When the bandwidth usage of ISP1 link reaches 90%, ISP2 link is activated to
share traffic with ISP1 link. When both ISP1 and ISP2 links are overloaded, ISP3 link is activated
to share traffic with ISP1 and ISP2 links. If the three links are all overloaded, the NGFW will
forward traffic to the three links based on the bandwidth ratio, not by link priority.
Figure 9-7 (image not reproduced): the NGFW with three ISP links to the Internet, active/standby backup by link priority.
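The bandwidth, weight and priority modes described above, written out as an added example (this is not Huawei code and not the NGFW's implementation). It uses smooth weighted round-robin to realize the bandwidth or weight ratio, applies the overload protection threshold as the text describes, and builds the active link set for priority mode; the link data is constructed from the Figure 9-5 to 9-7 scenarios.

```python
"""Added example (not Huawei code): link selection by bandwidth/weight ratio
and active/standby backup by link priority, with overload protection, as
described in the mechanism section. All link data here is constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Link:
    name: str
    bandwidth: int                     # configured link bandwidth in Mbit/s
    weight: int = 1                    # administrative weight (weight mode)
    priority: int = 1                  # higher value is preferred (priority mode)
    usage: float = 0.0                 # current bandwidth usage, 0.0 .. 1.0
    healthy: bool = True               # link health check result
    threshold: Optional[float] = None  # overload protection threshold, e.g. 0.9
    current: int = 0                   # smooth weighted round-robin state

    def overloaded(self) -> bool:
        return self.threshold is not None and self.usage >= self.threshold


def candidates(links: List[Link]) -> List[Link]:
    """Healthy links that are not overloaded. Faulty links never take part;
    when every healthy link is overloaded, balance across all healthy links."""
    healthy = [l for l in links if l.healthy]
    not_overloaded = [l for l in healthy if not l.overloaded()]
    return not_overloaded or healthy


def pick_by_ratio(links: List[Link], key: Callable[[Link], int]) -> Link:
    """Smooth weighted round-robin: over any run of sum(key) picks the
    candidates are chosen exactly in the ratio of key(link)."""
    pool = candidates(links)
    total = sum(key(l) for l in pool)
    for l in pool:
        l.current += key(l)
    chosen = max(pool, key=lambda l: l.current)
    chosen.current -= total
    return chosen


def pick_by_bandwidth(links: List[Link]) -> Link:
    return pick_by_ratio(links, lambda l: l.bandwidth)


def pick_by_weight(links: List[Link]) -> Link:
    return pick_by_ratio(links, lambda l: l.weight)


def active_set_by_priority(links: List[Link]) -> List[Link]:
    """Links that carry traffic in active/standby mode:
    - the healthy link with the highest priority is the active interface;
    - without an overload threshold on it, no other link is used;
    - with thresholds, each overloaded link activates the next standby;
    - when all links are overloaded, all of them are returned and the
      caller shares traffic by bandwidth ratio (pick_by_bandwidth)."""
    ordered = sorted((l for l in links if l.healthy), key=lambda l: -l.priority)
    if not ordered:
        return []
    active = [ordered[0]]
    if ordered[0].threshold is None:
        return active
    for standby in ordered[1:]:
        if all(l.overloaded() for l in active):
            active.append(standby)
        else:
            break
    return ordered if all(l.overloaded() for l in ordered) else active


def distribution(pick: Callable[[List[Link]], Link], links: List[Link],
                 n: int = 100) -> Dict[str, int]:
    """Count how many of n picks land on each link (the 'traffic statistics')."""
    counts = {l.name: 0 for l in links}
    for _ in range(n):
        counts[pick(links).name] += 1
    return counts


def figure_9_5_links(threshold: Optional[float] = None) -> List[Link]:
    # constructed: 200M / 100M / 100M, weights 5:3:2, priorities 8/3/1
    return [Link("ISP1", 200, weight=5, priority=8, threshold=threshold),
            Link("ISP2", 100, weight=3, priority=3, threshold=threshold),
            Link("ISP3", 100, weight=2, priority=1, threshold=threshold)]
```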
For some special scenarios, you may need to disable standby interfaces and enable them only
when the active interface is faulty or overloaded. In this case, you can enable the function of
disabling standby interfaces, after which the standby interfaces cannot forward any traffic. In
contrast, the standby interfaces in the previous scenarios can transmit other types of traffic, such
as the traffic from the Internet to the intranet, if they are not selected as the forwarding interface.
If an enterprise has multiple ISP links and the NGFW needs to dynamically adjust traffic
forwarding based on real-time traffic transmission quality of the link, you can set the link
selection mode to load balancing by link quality.
The NGFW preferentially uses the link with the best quality to forward traffic. Packet loss ratio,
delay, and jitter are three parameters for the NGFW to evaluate link quality. You can set one or
more parameters as required. Among the three parameters, packet loss ratio is the most important.
If the packet loss ratio, delay, and jitter of two links are different, the NGFW considers the link
with a smaller packet loss ratio as the higher quality link.
The NGFW sends ICMP link quality probe packets to the specified device on the ISP network,
calculates the values of each link quality parameter based on the probe and reply packets, and
estimates the ISP link quality. Table 9-1 lists the methods for calculating each link quality
parameter.
To simplify the configuration and relieve the probing impacts on device performance, the
NGFW can use the probe result of a specific IP address on a subnet as the result for the subnet.
You can determine the size of the subnet as required.
The link quality probe result is stored in the link quality probe table. When the NGFW receives
traffic, it firstly checks whether the traffic can be forwarded based on the entries in the probe
table. If no, the NGFW starts a link quality probe. After a link quality probe entry ages out, the
link quality probe can be triggered again by intelligent uplink selection. For the services with
high quality requirements, the NGFW can probe the link quality continuously. In this case, the
probe table is periodically updated, and you can learn the real-time link status and make
adjustment accordingly.
If an overload protection threshold is set for each link and the link with the highest quality is
overloaded, the link is excluded from intelligent uplink selection, and the NGFW will select the
link with the second highest quality to forward the traffic. When all links are overloaded, the
NGFW uses only the link with the highest quality to forward subsequent traffic.
As shown in Figure 9-8, the NGFW has three different ISP links. The NGFW sends five probe
packets to the specified device on each ISP network. No packet is dropped on ISP1 link, two
packets are dropped on ISP2 link, and ISP3 link returns no reply packets at all. Therefore, the
NGFW determines that ISP1 link has the highest quality and uses ISP1 link preferentially
to forward traffic until the probe entry ages out. If you set an overload protection threshold
for each link and the bandwidth usage of ISP1 link reaches the threshold, ISP1 link is excluded
from intelligent uplink selection, and the NGFW will use the link with the second highest quality
(ISP2 link) to forward subsequent traffic.
Figure 9-8 (image not reproduced): the NGFW with three ISP links to the Internet, load balanced by link quality.
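Link quality ranking and the per-subnet probe table described above, as an added example (not Huawei code and not the NGFW's implementation). Table 9-1 is not reproduced on this page, so the delay and jitter formulas, the tie-break order after packet loss, the /24 subnet size and the ageing time are assumptions; the probe results follow the Figure 9-8 scenario.

```python
"""Added example (not Huawei code): rank ISP links by probe quality, with
packet loss ratio as the decisive parameter, and cache the result per
destination subnet with ageing. RTT values and thresholds are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class LinkQuality:
    name: str
    sent: int                         # probe packets sent on this link
    rtts_ms: List[float]              # one RTT per reply received
    usage: float = 0.0                # current bandwidth usage, 0.0 .. 1.0
    threshold: Optional[float] = None # overload protection threshold

    @property
    def loss_ratio(self) -> float:
        return (self.sent - len(self.rtts_ms)) / self.sent

    @property
    def delay_ms(self) -> float:
        # assumption: delay is the mean round-trip time of the replies
        return mean(self.rtts_ms) if self.rtts_ms else float("inf")

    @property
    def jitter_ms(self) -> float:
        # assumption: jitter is the mean absolute change between consecutive RTTs
        if len(self.rtts_ms) < 2:
            return 0.0 if self.rtts_ms else float("inf")
        return mean(abs(a - b) for a, b in zip(self.rtts_ms, self.rtts_ms[1:]))

    def overloaded(self) -> bool:
        return self.threshold is not None and self.usage >= self.threshold


def rank_links(links: List[LinkQuality]) -> List[LinkQuality]:
    """Best link first: packet loss ratio decides; delay, then jitter, break ties."""
    return sorted(links, key=lambda l: (l.loss_ratio, l.delay_ms, l.jitter_ms))


def select_by_quality(links: List[LinkQuality]) -> LinkQuality:
    """Highest-quality link that is not overloaded; when every link is
    overloaded, keep using only the best link for subsequent traffic."""
    ranked = rank_links(links)
    for link in ranked:
        if not link.overloaded():
            return link
    return ranked[0]


class ProbeTable:
    """Link quality probe table: one entry per destination subnet, so the
    probe result for one address stands for the whole subnet; entries age out."""

    def __init__(self, prefixlen: int = 24, age_s: float = 300.0):
        self.prefixlen = prefixlen          # assumption: subnet size
        self.age_s = age_s                  # assumption: ageing time
        self.entries: Dict[str, Tuple[str, float]] = {}

    def key(self, dst: str) -> str:
        return str(ip_network(f"{dst}/{self.prefixlen}", strict=False))

    def lookup(self, dst: str, now: float) -> Optional[str]:
        entry = self.entries.get(self.key(dst))
        if entry is None:
            return None
        link, stamp = entry
        if now - stamp > self.age_s:        # aged out: drop and re-probe later
            del self.entries[self.key(dst)]
            return None
        return link

    def choose(self, dst: str, now: float,
               probe: Callable[[], List[LinkQuality]]) -> Tuple[str, bool]:
        """Return (link name, probed). probe() runs only on a table miss."""
        cached = self.lookup(dst, now)
        if cached is not None:
            return cached, False
        best = select_by_quality(probe())
        self.entries[self.key(dst)] = (best.name, now)
        return best.name, True


def figure_9_8_links(threshold: Optional[float] = None) -> List[LinkQuality]:
    # constructed: five probes per link; ISP2 loses two, ISP3 gets no reply
    return [LinkQuality("ISP1", 5, [20.0, 21.0, 20.0, 22.0, 21.0], threshold=threshold),
            LinkQuality("ISP2", 5, [15.0, 16.0, 15.0], threshold=threshold),
            LinkQuality("ISP3", 5, [], threshold=threshold)]
```

Note that ISP2 has the lower delay but still ranks below ISP1, because packet loss ratio is evaluated first.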
Link health check is to probe the link availability and adjust traffic distribution based on probe
results to guarantee service quality.
With the increasing volumes of network traffic, the devices at network egresses are facing greater
and greater challenges. Enterprises usually expand link bandwidths to ensure access stability
and reliability. An enterprise usually obtains egress links from multiple ISPs to meet different
ISP network access requirements. However, the increase of egress links brings about a series of
problems:
If the preceding problems cannot be resolved, the multiple egress links fail to serve the purpose
for which they were deployed, and the enterprise fails to obtain the benefits it expects from its
large investment in link bandwidth expansion. The link health check function provides a means
to resolve the preceding problems. The NGFW uses link health check to monitor the health
condition of each link and make proper adjustments to ensure that only healthy links are used
for traffic forwarding. This ensures access stability and reliability.
As shown in Figure 9-9, three outbound interfaces on the NGFW connect to the Internet through
different ISP networks. The users can access resources on the Internet through any of these
outbound interfaces. To check the health status of links connected to these outbound interfaces,
the NGFW sends probe packets to devices on the ISP networks. If a link is available, the
NGFW can receive a response packet from the connected device. To prevent misjudgment
caused by the fault of a detected device, the NGFW can send probe packets to multiple devices
through one outbound interface. The NGFW determines that a link is available only if the
number of response packets received through the link reaches the specified value. As shown in
Figure 9-9, the final probe results indicate that the links through the ISP1 and ISP2 networks are
faulty. Therefore, the NGFW uses the link through the ISP3 network to forward traffic destined
for the Internet. The NGFW sends probe packets constantly to detect the status of each link.
When a link recovers, the NGFW will use it again for traffic forwarding.
Figure 9-9 (image not reproduced): link health check. Labels: Client, Intranet, NGFW, ISP1, ISP2, ISP3, Server; legend: service traffic, health check traffic.
As shown in Table 9-2, the NGFW sends probe packets to destination devices using different
protocols based on the device types. Then the NGFW analyzes the reply packets to evaluate the
availability of the links.
Protocol: ICMP
Principle: The NGFW sends an ICMP request to a device through a link. If the ICMP response packet returned by the device contains the same Identifier and Sequence Number fields as the request, the NGFW considers the link available.
Protocol: TCP
Principle: The NGFW sends a TCP connection request to the specified device. If the connection is established, the link is available, and the NGFW will send an RST packet to close the TCP connection.
Protocol: HTTP
Principle: After the TCP three-way handshake, the NGFW uses HTTP to send a request to the specified device to obtain the specified destination root directory. If the NGFW receives an HTTP reply packet, the link is available, and the NGFW will send an RST packet to close the TCP connection.
Protocol: DNS
Principle: The NGFW uses DNS to send the device a request with the query name www.huawei.com. If the Transaction ID field in the response packet is the same as that in the request, the NGFW considers the link to the device available.
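How the reply matching in Table 9-2 keeps a stray or stale packet from marking a link healthy, and how the "minimum number of replies" rule from the previous section combines several probed devices, as an added example (not Huawei code and not the NGFW's implementation). The ICMP and DNS packets are constructed inline; only the Identifier/Sequence Number and Transaction ID checks the table names are implemented.

```python
"""Added example (not Huawei code): validate link health check replies the
way Table 9-2 describes. ICMP echo replies must carry the request's
Identifier and Sequence Number; DNS responses must carry the query's
Transaction ID. All packets below are constructed for the example."""
import struct
from typing import List

ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; verifying a valid packet yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(kind: int, ident: int, seq: int, payload: bytes = b"probe") -> bytes:
    """ICMP echo request (type 8) or reply (type 0) with a valid checksum."""
    head = struct.pack("!BBHHH", kind, 0, 0, ident, seq) + payload
    return struct.pack("!BBHHH", kind, 0, icmp_checksum(head), ident, seq) + payload


def icmp_reply_matches(reply: bytes, ident: int, seq: int) -> bool:
    """Accept only an echo reply whose checksum verifies and whose Identifier
    and Sequence Number equal those of the request we sent."""
    if len(reply) < 8 or icmp_checksum(reply) != 0:
        return False
    kind, _code, _csum, r_ident, r_seq = struct.unpack("!BBHHH", reply[:8])
    return kind == ICMP_ECHO_REPLY and r_ident == ident and r_seq == seq


def build_dns_query(txid: int, name: str = "www.huawei.com") -> bytes:
    """Standard recursive A query for `name` with the given Transaction ID."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def dns_reply_matches(reply: bytes, txid: int) -> bool:
    """Transaction ID must equal the query's, and the QR bit must mark a response."""
    if len(reply) < 12:
        return False
    r_txid, flags = struct.unpack("!HH", reply[:4])
    return r_txid == txid and bool(flags & 0x8000)


def link_available(results: List[bool], minimum: int) -> bool:
    """Several devices are probed through one link; the link counts as
    available only when at least `minimum` replies were valid."""
    return sum(results) >= minimum


def check_constructed_link() -> bool:
    """Constructed scenario: three probed devices, two answer correctly and
    one answers with the wrong sequence number; minimum is two."""
    ident, seq = 0x1234, 7
    good = build_icmp_echo(ICMP_ECHO_REPLY, ident, seq)
    stale = build_icmp_echo(ICMP_ECHO_REPLY, ident, seq - 1)  # reply to an older probe
    txid = 0xBEEF
    query = build_dns_query(txid)
    answer = struct.pack("!HH", txid, 0x8180) + query[4:]      # QR set, same question
    results = [icmp_reply_matches(good, ident, seq),
               icmp_reply_matches(stale, ident, seq),
               dns_reply_matches(answer, txid)]
    return link_available(results, minimum=2)
```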
Start
2. (Optional) Create a link health check group (Configuring Link Health Check): The NGFW checks the health of links based on the link health check group. Only healthy links can be used to forward traffic.
Set the gateway address: You must set a gateway address for each intelligent uplink selection member interface. Then the NGFW will automatically generate default routes.
Step 3 Click Import, create a carrier, and import the ISP address file of the carrier, as shown in Figure
9-11. For parameter descriptions, see Table 9-4.
Parameter Description
Repeat the preceding operations to import multiple ISP address files. Note that the NGFW does
not allow the import of empty files.
Step 7 Select Multi-egress options and configure the ISP route function, as shown in Figure 9-12. For
parameter descriptions, see Table 9-5.
Parameter: Carrier
Description: Select a carrier from the drop-down list. Usually, the carrier of the link connecting to the outbound interface is selected.
Parameter: Carrier Route
Description: After you enable the ISP route function, the NGFW will generate static routes in a batch to the ISP network. In the generated static routes, the destination is an IP address in the ISP address file, and the next hop is the gateway address specified on the outbound interface. These static routes are called ISP routes. They have the same priority as common static routes, and the default priority is 60.
Choose Network > Router > Routing Table. You can view the generated ISP route entries.
Parameter: (Optional) Link Health Check
Description: Select an existing link health check group to check the health of the link.
To improve traffic forwarding reliability, ISP address library link selection can function with link health check to ensure that traffic is not forwarded to faulty links. If the health check result indicates that a link is faulty, the NGFW will delete the ISP route entry. Therefore, traffic will neither match this route nor be forwarded to the faulty link. When the link recovers, the ISP route entry is created again, and traffic can be forwarded on this route.
----End
----End
Step 3 Configure link health check, as shown in Figure 9-13. Table 9-6 describes the parameters.
Parameter: Minimum number of active nodes
Description: Minimum number of active links for the link health check group.
Parameter: Detection node
Click Add, set probe packet parameters, and click OK.
Parameter Description
If the interface is an intelligent uplink selection member interface, apply the link health check
group on the interface. The following section describes the procedure for applying a link health
check group. For configuration details of intelligent uplink selection, see Configuring Global
Route Selection Policies.
----End
Prerequisites
l To specify an outbound interface for an ISP, configure the ISP Address Library.
l To check the link health of the outbound interface, create a link health check group.
Procedure
Step 1 Choose Network > Interface.
The interface is an intelligent uplink selection member interface. Before you add a member
interface for intelligent uplink selection, you need to configure the interface first.
Step 3 Optional: Complete basic interface settings, such as setting the IP address and subnet mask and
assigning the interface to a security zone. The details are omitted.
Step 4 Select Multi-egress options and configure the intelligent uplink selection member interface, as
shown in Figure 9-14. For parameter descriptions, see Table 9-7.
Table 9-7 Parameters for configuring intelligent uplink selection member interfaces
Parameter: (Optional) Carrier
Description: Select a carrier from the drop-down list. Usually, the carrier of the link connecting to the outbound interface is selected.
After you select a carrier for the intelligent uplink selection member interface, the interface is added to the ISP interface group.
Parameter: (Optional) Carrier Route
Description: After you enable the ISP route function, the NGFW will generate static routes in a batch to the ISP network. The destination is an IP address in the ISP address file, and the next hop is the gateway address specified on the outbound interface. These static routes are called ISP routes. They have the same priority as common static routes, and the default priority is 60.
Choose Network > Router > Routing Table. You can view the generated ISP route entries.
Parameter: (Optional) Default Route
Description: If default routes are enabled, the NGFW automatically generates a default route with the next hop being the gateway address set on its interface. If default routes are disabled, the NGFW does not automatically generate default routes.
Parameter: (Optional) Link Health Check
Description: Select an existing link health check group from the drop-down list to check the health of the link.
The NGFW selects a link from only healthy links.
Step 7 Optional: Click the Interface Group tab and bind intelligent uplink selection member interfaces
to a common interface group, as shown in Figure 9-15. For parameter descriptions, see Table
9-8.
Table 9-8 Parameters for binding member interfaces to a common interface group
Parameter Description
Step 9 Click the Global Route Selection Policy tab and then click Edit.
Step 10 Optional: On the Configure Global Route Selection Policy page, you can choose whether to
enable DNS Transparent Proxy. For configuration details, see Configuring DNS
Transparent Proxy.
Step 11 Select a link selection mode from the Selection Mode drop-down list.
NOTE
After the link selection mode is configured, subsequent traffic that passes through the NGFW will be
forwarded on the basis of link selection policies. For earlier traffic, the session is not aged. Therefore, such
traffic is not immediately forwarded on the basis of link selection policies. You can run the reset firewall
session table command to manually clear the session entry or wait until the session ages.
The service will be interrupted after you clear the session entry. Therefore, exercise caution when you
perform this operation. You can clear the session entry only after you confirm that services will not be
affected.
l When Selection Mode is Load balancing based on link bandwidth, Figure 9-16 shows
the configuration page. For parameter descriptions, see Table 9-9.
Parameter Description
l When Selection Mode is Load balancing based on link weights, Figure 9-17 shows the
configuration page. For parameter descriptions, see Table 9-10.
Parameter Description
l When Selection Mode is Active/standby backup based on link priorities, Figure 9-18
shows the configuration page. For parameter descriptions, see Table 9-11.
Parameter: Standby interface automatic shutdown
Description: After you enable this function, the status of all standby interfaces becomes Down. If the active interface is overloaded (interface overload protection must be configured) or becomes Down, the standby interface with the highest priority becomes Up, but all the other standby interfaces remain Down. When the active interface and the standby interface with the highest priority are both overloaded or become Down, the standby interface with the second highest priority becomes Up.
Parameter Description
----End
Follow-up Procedure
After the configuration is complete, you can click the Global Route Selection Policy tab to
view the health status of the link ( indicates that the link is available, and indicates that
the link is unavailable) and the traffic statistics in the last five minutes, as shown in Figure
9-19.
Upstream Traffic Percentage and Downstream Traffic Percentage stand for the ratio of the actual
traffic transmitted on an interface to the bandwidth threshold (the bandwidth threshold is the
interface bandwidth multiplied by the overload protection threshold). When the actual traffic
transmitted on the interface reaches or exceeds the bandwidth threshold, the values of Upstream
Traffic Percentage and Downstream Traffic Percentage are 100%.
2. (Optional) Configuring Link Health Check: create a link health check group. The NGFW checks
the health of links based on the link health check group. Only healthy links can be used to
forward traffic.
Set the gateway address: you must set a gateway address for each intelligent uplink selection
member interface. If the no-route parameter is configured, the NGFW does not automatically
generate default routes. If the no-route parameter is not configured, the NGFW automatically
generates default routes.
Prerequisites
An ISP address file is ready. For details on how to make an ISP address file, see ISP Address
Library Link Selection.
Procedure
Step 1 Import the ISP address file.
Use FTP, SFTP, or TFTP to upload the ISP address file to the NGFW. For details on how to
upload the file, refer to the file system chapter in the File System.
system-view
Step 4 Configure the mapping between the ISP name and ISP address file.
Each ISP name corresponds to only one ISP address file, but one ISP address file can correspond
to multiple ISP names.
After you run this command, the NGFW uses the ISP address file to generate an ISP address
group. Content of the address group cannot be modified directly, but you can modify the ISP
address file and import it again to modify the address group. You can reference the ISP address
group in policy-based routes as the source or destination address.
Step 5 Add interfaces to the interface group that references the ISP name and deliver ISP routes.
When an interface group references the ISP name, each interface added to the interface group is
bound to the ISP name and is considered to belong to that ISP.
After you deliver ISP routes, the NGFW will generate static routes in a batch to the ISP network.
The destination is an IP address in the ISP address file, and the next hop is the gateway address
specified on the outbound interface.
Step 6 Optional: Access the view of the interface bound in step 5 and apply the link health check group
to the interface.
----End
Follow-up Procedure
Run the rename isp old-name new-name command to change the ISP name.
Run the isp delete filename file-name command to delete an ISP address file.
NOTICE
If an interface has generated ISP routes, you cannot run the isp delete filename file-name
command to delete the corresponding ISP address file.
If an ISP address file is deleted by the delete [ /unreserved ] filename command by mistake,
import an ISP address file with the same name to ensure that ISP address library link selection
functions properly.
Run the display isp { name isp-name | all } command to view the ISP address file information.
<sysname> display isp all
isp information(total number: 5)
isp name: "china mobile"
file name: china-mobile.csv
next-hop: GigabitEthernet1/0/2, 10.1.10.10
status: enable
------------------------------------------------------------
------------------------------------------------------------
Run the display ip routing-table command to display the generated ISP routes. In the routing
table, the entries with protocol ISP are the routes that the ISP address library function generates.
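As an added illustration (not Huawei code and not from this guide), the following Python model shows what Steps 4 and 5 produce: an ISP address file turned into routes with protocol ISP whose next hop is the bound interface's gateway, and the deletion of those routes when a health check reports the link faulty, as the configuration examples later in this chapter describe. The one-prefix-per-line file format, the extra 3.3.10.0/24 entry and the re-creation of routes when the link recovers are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network
    next_hop: str
    out_interface: str
    protocol: str = "ISP"   # what `display ip routing-table` shows for generated routes


def parse_isp_address_file(text: str) -> List[ipaddress.IPv4Network]:
    """Assumed file format (the page does not define it): one IPv4 prefix per
    line; blank lines and lines starting with '#' are ignored."""
    prefixes = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        prefixes.append(ipaddress.IPv4Network(line, strict=False))
    return prefixes


class IspRouting:
    """Added model of ISP address files, interface bindings and ISP routes."""

    def __init__(self) -> None:
        self.address_files: Dict[str, List[ipaddress.IPv4Network]] = {}
        self.bindings: Dict[str, Tuple[str, str]] = {}   # interface -> (isp name, gateway)
        self.routes: List[Route] = []

    def set_filename(self, isp_name: str, file_text: str) -> None:
        # `isp name <isp-name> set filename <file>`: one address file per ISP name
        self.address_files[isp_name] = parse_isp_address_file(file_text)

    def bind_interface(self, isp_name: str, interface: str, gateway: str) -> int:
        """`interface-group isp <isp-name> interface <if> route enable`: generate
        one route per prefix, next hop = the gateway set on the interface."""
        self.bindings[interface] = (isp_name, gateway)
        return self._generate(interface)

    def _generate(self, interface: str) -> int:
        isp_name, gateway = self.bindings[interface]
        new = [Route(p, gateway, interface) for p in self.address_files[isp_name]]
        self.routes.extend(new)
        return len(new)

    def link_state_changed(self, interface: str, up: bool) -> None:
        """Health check result for a bound interface. A faulty link has its ISP
        routes deleted so traffic no longer matches them (page); re-creating
        them when the link recovers is an assumption of this model."""
        self.routes = [r for r in self.routes if r.out_interface != interface]
        if up and interface in self.bindings:
            self._generate(interface)

    def lookup(self, ip: str) -> Optional[str]:
        """Longest-prefix match over ISP routes. None means no ISP route matched,
        so the packet falls through to the default route / global policy."""
        addr = ipaddress.IPv4Address(ip)
        matches = [r for r in self.routes if addr in r.destination]
        if not matches:
            return None
        return max(matches, key=lambda r: r.destination.prefixlen).out_interface

    def routing_table_lines(self) -> List[str]:
        """Rows in the spirit of `display ip routing-table` (format is ours)."""
        return [f"{str(r.destination):<18} {r.protocol:<5} {r.next_hop:<12} {r.out_interface}"
                for r in self.routes]


def build_sample() -> IspRouting:
    """Constructed sample matching the ISP address library examples on this page."""
    isp1_csv = "# isp1_network.csv (constructed)\n3.3.3.3/32\n3.3.10.0/24\n"
    isp2_csv = "9.9.9.9/32\n"
    table = IspRouting()
    table.set_filename("isp1_network", isp1_csv)
    table.set_filename("isp2_network", isp2_csv)
    table.bind_interface("isp1_network", "GigabitEthernet1/0/1", "1.1.1.254")
    table.bind_interface("isp2_network", "GigabitEthernet1/0/7", "2.2.2.254")
    return table


if __name__ == "__main__":
    t = build_sample()
    print("\n".join(t.routing_table_lines()))
    t.link_state_changed("GigabitEthernet1/0/1", up=False)
    print("3.3.3.3 after ISP1 link failure ->", t.lookup("3.3.3.3"))
```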
Prerequisites
l The IP address of the target device for link health check is available.
l The source IP address of probe packets is available. For example, use a public IP address
as the source IP address if the destination device is on the Internet.
Procedure
Step 1 Access the system view.
system-view
Step 2 Create a link health check group and access its view.
If you do not set an ID for a link health check group when creating it, the NGFW assigns an ID
to it.
The probed member is the destination device on the other side of the link, and ip-address is its
IP address.
Step 4 Set the minimum number of active links for the link health check group.
By default, the minimum number of active links is 1. That is, the link health check group is Up
as long as one link is Up.
The link health check group enters the Down state if the number of active links is less than the
minimum number of active links.
tx-interval interval-time
times time
If the number of consecutive probe failures reaches the upper limit (time), the NGFW considers
the link unavailable and changes its status to Down.
quit
Use an available and routable IP address (public or private) based on network deployment as
the source IP address of probe packets. You can use the IP address of the interface where the
link health check group resides or an IP address in the source NAT address pool as the IP address
of the detection source.
If you do not set the IP address of the detection source, the NGFW will use the interface IP
address as the IP address of the detection source. If multiple IP addresses are specified for the
interface, the NGFW selects the IP address on the same subnet as the gateway address as the IP
address of the detection source.
One interface can apply only one link health check group, but one link health check group can
be applied to multiple interfaces.
----End
Example
The NGFW connects to five devices through GE1/0/1. The IP addresses of the devices are
10.3.3.3 to 10.3.3.7. Link health check is performed on the links connected to these devices.
10.3.3.10 is used as the source IP address of probe packets. The NGFW sends an ICMP probe
packet every 3 seconds. When the number of consecutive probe failures on a link reaches 4, the
NGFW considers the link Down. When the number of active links is less than 2, the NGFW
considers the GE1/0/1 link unavailable.
# Set the minimum number of active links for the link health check group.
[sysname-healthcheck-link-group-1] least active-linknumber 2
# Set the interval between sending probe packets and the maximum number of consecutive probe
failures.
[sysname-healthcheck-link-group-1] tx-interval 3
[sysname-healthcheck-link-group-1] times 4
[sysname-healthcheck-link-group-1] quit
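To make the Down/Up rules above concrete, here is an added Python model (not Huawei code and not from this guide) of a link health check group configured like the example: five probed members on GE1/0/1, times 4 and least active-linknumber 2. The probe results are constructed; that a successful reply clears the failure counter and restores the link to Up is an assumption, since the page only states the Down condition.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LinkHealthCheckGroup:
    """Added model of an NGFW link health check group (not Huawei code)."""
    name: str
    destinations: List[str]        # probed members (destination ip-address)
    tx_interval: int = 3           # tx-interval: seconds between probes (not simulated)
    times: int = 4                 # times: consecutive failures before a link is Down
    least_active: int = 1          # least active-linknumber: default 1
    failures: Dict[str, int] = field(init=False)
    state: Dict[str, str] = field(init=False)

    def __post_init__(self) -> None:
        self.failures = {d: 0 for d in self.destinations}
        self.state = {d: "up" for d in self.destinations}

    def record_probe(self, dest: str, success: bool) -> str:
        """Feed one probe result for a member and return that link's state."""
        if success:
            # Assumption: a reply clears the counter and restores the link to Up;
            # the page only defines the Down condition.
            self.failures[dest] = 0
            self.state[dest] = "up"
        else:
            self.failures[dest] += 1
            if self.failures[dest] >= self.times:
                self.state[dest] = "down"
        return self.state[dest]

    def active_links(self) -> int:
        return sum(1 for s in self.state.values() if s == "up")

    def group_state(self) -> str:
        # The group is Down when fewer than least_active links are Up.
        return "up" if self.active_links() >= self.least_active else "down"


def simulate(group: LinkHealthCheckGroup,
             rounds: List[Dict[str, bool]]) -> List[Tuple[int, str]]:
    """Apply probe rounds (dest -> replied?) one after another and record
    (active links, group state) after each round."""
    timeline = []
    for results in rounds:
        for dest, replied in results.items():
            group.record_probe(dest, replied)
        timeline.append((group.active_links(), group.group_state()))
    return timeline


def sample_timeline() -> List[Tuple[int, str]]:
    """Constructed probe results for the page's example: 10.3.3.3 to 10.3.3.7
    probed every 3 s, times 4, least active-linknumber 2."""
    dests = [f"10.3.3.{i}" for i in range(3, 8)]
    group = LinkHealthCheckGroup("group-1", dests, tx_interval=3,
                                 times=4, least_active=2)
    silent = {"10.3.3.3", "10.3.3.4", "10.3.3.5"}
    later_silent = silent | {"10.3.3.6"}
    rounds: List[Dict[str, bool]] = []
    # rounds 1-4: three members never reply; they go Down on round 4,
    # leaving exactly 2 active links, so the group stays Up
    rounds += [{d: d not in silent for d in dests} for _ in range(4)]
    # rounds 5-8: 10.3.3.6 stops replying too; on round 8 only one link is
    # active and the group goes Down
    rounds += [{d: d not in later_silent for d in dests} for _ in range(4)]
    # round 9: 10.3.3.3 replies again; 2 active links, group back to Up
    rounds.append({d: d in {"10.3.3.3", "10.3.3.7"} for d in dests})
    return simulate(group, rounds)


if __name__ == "__main__":
    for n, (active, state) in enumerate(sample_timeline(), start=1):
        print(f"round {n}: active links={active}, group={state}")
```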
Follow-up Procedure
Run the rename healthcheck link-group { group-id | group-name } new-group-name command
to change the name of the link health check group.
Table 9-13 shows the description of the display healthcheck link-group command output.
Item: Current Total Healthcheck Link-group Number
Description: Number of link health check groups on the NGFW.
Run the display healthcheck link [ destination ip-address ] [ protocol { icmp | http | dns |
tcp } ] [ app-id app-id-number ] [ verbose ] command to view information about link health
check.
[sysname] display healthcheck link
Current Total Number : 1
ID AppID Destination IP Protocol/Port State Out Interface
1 1 10.3.3.3 icmp/0 up GE1/0/1
2 1 10.3.3.4 icmp/0 up GE1/0/1
3 1 10.3.3.5 icmp/0 up GE1/0/1
4 1 10.3.3.6 icmp/0 up GE1/0/1
5 1 10.3.3.7 icmp/0 up GE1/0/1
Table 9-14 shows the description of the display healthcheck link command output.
Prerequisites
l To specify an outbound interface for an ISP, configure the ISP Address Library.
l To check the link health of the outbound interface, create a Link Health Check Group.
Context
After the link selection mode is configured, subsequent traffic that passes through the NGFW
will be forwarded on the basis of link selection policies. For earlier traffic, the session is not
aged. Therefore, such traffic is not immediately forwarded on the basis of link selection policies.
You can run the reset firewall session table command to manually clear the session entry or
wait until the session ages.
NOTICE
The service will be interrupted after you clear the session entry. Therefore, exercise caution
when you perform this operation. You can clear the session entry only after you confirm that
services will not be affected.
Procedure
Step 1 Access the system view.
system-view
The interface is an intelligent uplink selection member interface. Before you add a member
interface for intelligent uplink selection, you need to configure the interface first.
Step 3 Optional: Complete basic interface settings, such as setting the IP address and subnet mask and
assigning the interface to a security zone. The details are omitted.
You must set a gateway address for the interface if the interface functions as an intelligent uplink
selection member interface. If the no-route parameter is configured, the firewall does not
automatically generate default routes. If the no-route parameter is not configured, the firewall
automatically generates a default route with the next hop being the gateway address set for the
interface.
The link health check group must already exist. One interface can apply only one link health
check group, but one link health check group can be applied to multiple interfaces.
Step 6 Optional: Set link bandwidth and overload protection threshold for the interface.
When the interface is an intelligent uplink selection member interface, you can set the bandwidth
and overload protection threshold for the link of the interface. If the link is overloaded, that is,
the bandwidth usage reaches the specified threshold, the member interface no longer participates
in intelligent uplink selection, and the NGFW selects an outbound interface from those that are
not overloaded. Once the bandwidth usage of the overloaded link falls below the threshold, the
member interface participates in intelligent uplink selection again. When all member interfaces
are overloaded, the NGFW forwards traffic based on the specified intelligent uplink selection
mode, regardless of whether the links are overloaded.
NOTE
When you set the intelligent uplink selection mode to load balancing by link bandwidth, you must set
bandwidth for the member interfaces, and you are advised to set overload protection threshold. When you
set the intelligent uplink selection mode to other modes, you are advised to set link bandwidth and overload
protection threshold to achieve the best effects.
quit
You can use the following methods to bind a member interface to an interface group:
l After you create a common interface group, bind member interfaces to the common interface
group.
interface-group name interface-group-name
interface-group interface-group-name interface interface-type interface-number
An interface group is a group of intelligent uplink selection member interfaces. Adding an
interface group is equivalent to adding its member interfaces in a batch.
l Reference an ISP name as the interface group name, create an ISP interface group, and bind
member interfaces to the ISP interface group. Then the member interface is considered as
belonging to the ISP. You can choose whether to deliver ISP routes on an interface.
interface-group isp isp-name interface interface-type interface-number [ route { enable |
disable } ]
multi-interface
Step 10 Set the intelligent uplink selection mode of the global route selection policy.
The intelligent uplink selection mode determines the standard of link selection. The global route
selection policy supports three link selection modes:
l Load balancing by link bandwidth: This is the default intelligent uplink selection mode. The
NGFW forwards traffic to each link based on the link bandwidth ratio.
l Load balancing by link weight: The NGFW forwards traffic to each link based on the link
weight ratio.
l Active/Standby backup by link priority: The NGFW preferentially uses the link with the
highest priority to transmit traffic and uses all the other links as backup links or load balancing
links.
The NGFW selects outbound interfaces from only intelligent uplink selection member interfaces.
You need to set related parameters for the member interfaces based on the specified intelligent
uplink selection mode.
l When you set the intelligent uplink selection mode to load balancing by link bandwidth, you
need to set bandwidth for the member interfaces. To implement interface overload protection,
you also need to set the overload protection threshold. When the link bandwidth usage reaches
the threshold, the NGFW will no longer use the link for traffic transmission, but uses a link
that is not overloaded.
l Member interface weight: When you set the intelligent uplink selection mode to load
balancing by link weight, you need to set weight for the member interfaces. If you do not set
the weight, the default weight is 1.
l Member interface priority: When you set the intelligent uplink selection mode to active/
standby backup by link priority, you need to set priority for the member interface. If you do
not set the priority, the default priority is 1.
Step 12 Optional: Set the parameters for intelligent uplink selection hashing.
The default parameters for intelligent uplink selection hashing are the source IP address (source-
ip) and the destination IP address (destination-ip).
If multiple outbound interfaces are available for intelligent uplink selection, the NGFW will
select one of the interfaces as the outbound interface based on the hash result. For example, when
the intelligent uplink selection mode is load balancing by link bandwidth and the links of the
two interfaces have the same bandwidth and are both not overloaded, the NGFW will select one
of the interfaces as the outbound interface based on the hash result.
When you set the intelligent uplink selection mode to active/standby backup by link priority,
the interface with the highest priority is the active interface, and all the other interfaces are
standby interfaces. After you run this command, the status of all standby interfaces becomes
Down. If the active interface is overloaded (interface overload protection must be configured)
or becomes Down, the standby interface with the highest priority becomes Up, but all the other
standby interfaces remain Down. When the active interface and the standby interface with the
highest priority are both overloaded or become Down, the standby interface with the second
highest priority becomes Up.
----End
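The following added Python model (not Huawei code and not from this guide) walks through the three selection modes of Step 10, the overload rule of Step 6 and the traffic-percentage definition from the Web UI follow-up procedure, using the mode keywords that appear in this page's configuration scripts. The hash function (SHA-256 over source and destination IP), the kbit/s unit for bandwidth and the flow addresses are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class MemberInterface:
    """An intelligent uplink selection member interface (added model)."""
    name: str
    bandwidth_kbps: int          # `bandwidth egress <value>` on the interface (kbit/s assumed)
    threshold_pct: int = 100     # overload protection threshold; 100 = never overloaded
    weight: int = 1              # default weight is 1 (load balancing by link weight)
    priority: int = 1            # default priority is 1 (active/standby by link priority)
    egress_kbps: int = 0         # current egress traffic, constructed for the example

    def limit_kbps(self) -> float:
        # bandwidth threshold = interface bandwidth * overload protection threshold
        return self.bandwidth_kbps * self.threshold_pct / 100

    def overloaded(self) -> bool:
        # the link counts as overloaded once usage reaches the threshold
        return self.egress_kbps >= self.limit_kbps()


def traffic_percentage(iface: MemberInterface) -> int:
    """Upstream/Downstream Traffic Percentage as the Web UI defines it:
    actual traffic relative to the bandwidth threshold, capped at 100%."""
    return min(100, round(100 * iface.egress_kbps / iface.limit_kbps()))


def _hash_bucket(src_ip: str, dst_ip: str, weights: List[int]) -> int:
    """Pick a bucket with probability proportional to its weight, keyed on
    (source-ip, destination-ip) so one flow always lands on the same link.
    The device's real hash is not documented; SHA-256 is an assumed stand-in."""
    key = f"{src_ip}->{dst_ip}".encode()
    point = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % sum(weights)
    for idx, w in enumerate(weights):
        if point < w:
            return idx
        point -= w
    return len(weights) - 1


def select_egress(members: List[MemberInterface], mode: str,
                  src_ip: str, dst_ip: str) -> MemberInterface:
    """Choose the outbound member interface for one flow under `mode`
    (keywords as in this page's scripts)."""
    # Overloaded links are skipped; when every link is overloaded the
    # configured mode applies regardless of overload (Step 6).
    eligible = [m for m in members if not m.overloaded()] or list(members)
    if mode == "proportion-of-bandwidth":
        weights = [m.bandwidth_kbps for m in eligible]
    elif mode == "proportion-of-weight":
        weights = [m.weight for m in eligible]
    elif mode == "priority-of-userdefine":
        best = max(m.priority for m in eligible)
        eligible = [m for m in eligible if m.priority == best]
        weights = [1] * len(eligible)        # equal-priority links share by hash
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return eligible[_hash_bucket(src_ip, dst_ip, weights)]


def split_flows(members: List[MemberInterface], mode: str, n: int = 1000) -> Dict[str, int]:
    """Distribute n constructed flows and count how many land on each link."""
    counts = {m.name: 0 for m in members}
    for i in range(n):
        src = f"10.3.0.{1 + i % 250}"                 # constructed intranet hosts
        dst = f"203.0.113.{1 + (i // 250) % 250}"     # constructed Internet hosts
        counts[select_egress(members, mode, src, dst).name] += 1
    return counts


def bandwidth_example() -> Dict[str, int]:
    """Figure 9-26 scenario: 100M link (threshold 95%) and 50M link (threshold 90%)."""
    members = [MemberInterface("GE1/0/1", 100000, 95),
               MemberInterface("GE1/0/7", 50000, 90)]
    return split_flows(members, "proportion-of-bandwidth")


def overload_example() -> Dict[str, int]:
    """Same links, but GE1/0/7 already carries 46000 kbit/s (>= 90% of 50M):
    every new flow is placed on GE1/0/1."""
    members = [MemberInterface("GE1/0/1", 100000, 95, egress_kbps=20000),
               MemberInterface("GE1/0/7", 50000, 90, egress_kbps=46000)]
    return split_flows(members, "proportion-of-bandwidth")


def priority_example() -> Dict[str, int]:
    """Figure 9-30 scenario: the two ISP1 links (priority 2) are preferred over
    the ISP2 link (priority 1), which stays unused while they are healthy."""
    members = [MemberInterface("GE1/0/0", 50000, priority=2),
               MemberInterface("GE1/0/1", 50000, priority=2),
               MemberInterface("GE1/0/7", 10000, priority=1)]
    return split_flows(members, "priority-of-userdefine")


if __name__ == "__main__":
    print("by bandwidth:", bandwidth_example())
    print("GE1/0/7 overloaded:", overload_example())
    print("by priority:", priority_example())
```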
Follow-up Procedure
Run the rename interface-group old-name new-name command to change the interface group
name.
Choose Network > Router > Intelligent Uplink Selection and click the Carrier Address
Library tab. You can view the ISP address library configurations, as shown in Figure 9-21.
Action: Display link health check group configurations.
Command: display healthcheck link-group [ group-id | group-name | interface interface-type
{ interface-number | interface-number.subinterface-number } ] [ verbose ]
Choose Object > Link Health Check on the web UI. You can view the link health check
configurations, as shown in Figure 9-22.
Networking Requirements
As shown in Figure 9-24, the NGFW is deployed at the network egress as the security gateway.
The enterprise has two links connected respectively to ISP1 and ISP2.
l The enterprise requires that packets to Server 1 be forwarded on ISP1 link and packets to
Server 2 be forwarded on ISP2 link.
l When one link is faulty, follow-up traffic will be forwarded on the other link to ensure
transmission availability.
Figure 9-24 Networking diagram for configuring ISP address library link selection (figure labels:
Server 1 3.3.3.3/32 and Server 2 9.9.9.9/32 on the Internet; the NGFW reaches ISP1 through
GE1/0/1 1.1.1.1/24 and ISP2 through GE1/0/7 2.2.2.2/24)
Configuration Roadmap
1. Make two ISP address files, isp1_network.csv and isp2_network.csv, write Server 1 IP
address 3.3.3.3/32 into isp1_network.csv and Server 2 IP address 9.9.9.9/32 into
isp2_network.csv, and upload the two ISP address files to the NGFW.
2. Configure the link health check function and create a link health check group respectively
for ISP1 and ISP2.
3. Set interface IP addresses, security zones, and gateway addresses. After you set a gateway
address, the NGFW automatically generates a default route.
4. Apply link health check groups on the interfaces. If the health check result indicates that a
link is faulty, the NGFW deletes the ISP route entry, so traffic neither matches this route nor
is forwarded to the faulty link.
5. Configure ISP address library link selection to forward packets destined for Server 1 from
the ISP1 link and packets destined for Server 2 from the ISP2 link.
Procedure
Step 1 Choose Network > Router > Intelligent Uplink Selection.
Step 2 Click the Carrier Address Library tab, then click Import, and set the following parameters.
Name: isp1_network
Address Library File: Click Browser and select the ISP1 address file to be uploaded.
Name: isp2_network
Address Library File: Click Browser and select the ISP2 address file to be uploaded.
Step 7 In Link Health Check List, click Add and create a link health check group for ISP1 link as
follows:
NOTE
Step 9 Click Add again and create a link health check group for ISP2 link as follows:
Step 12 Click of interface GE1/0/1, complete basic interface settings as follows, configure ISP
address library link selection, and apply the link health check group on the interface:
Step 14 Click of interface GE1/0/3 and set the interface IP address and security zones as follows:
Step 16 Click of interface GE1/0/7, complete basic interface settings as follows, configure ISP
address library link selection, and apply the link health check group on the interface:
Step 19 Click Add to configure a security policy between the Trust and Untrust zones to allow intranet
users to access extranet resources. It is assumed that the intranet user network segment is
10.3.0.0/24. Set parameters as follows:
----End
Configuration Verification
Choose Network > Router > Routing Table and verify ISP route information.
Configuration Script
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
gateway 1.1.1.254
healthcheck link-group isp1_health
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet1/0/7
ip address 2.2.2.2 255.255.255.0
gateway 2.2.2.254
healthcheck link-group isp2_health
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/7
#
security-policy
rule name policy_sec_trust_untrust
source-zone trust
destination-zone untrust
action permit
source-address 10.3.0.0 24
#
isp name isp1_network
isp name isp1_network set filename isp1_network.csv
isp name isp2_network
isp name isp2_network set filename isp2_network.csv
#
interface-group isp isp1_network interface GigabitEthernet1/0/1 route enable
interface-group isp isp2_network interface GigabitEthernet1/0/7 route enable
#
healthcheck link-group 1 isp1_health
destination 3.3.10.10 protocol TCP destination-port 10001
destination 3.3.10.11 protocol TCP destination-port 10002
healthcheck link-group 2 isp2_health
destination 9.9.20.20 protocol TCP destination-port 10003
destination 9.9.20.21 protocol TCP destination-port 10004
#
return
Networking Requirements
As shown in Figure 9-25, the NGFW is deployed at the network egress as the security gateway.
The enterprise has two links connected respectively to ISP1 and ISP2.
l The enterprise requires that packets to Server 1 be forwarded on ISP1 link and packets to
Server 2 be forwarded on ISP2 link.
l When one link is faulty, follow-up traffic will be forwarded on the other link to ensure
transmission availability.
Figure 9-25 Networking diagram for configuring ISP address library link selection (figure labels:
Server 1 3.3.3.3/32 and Server 2 9.9.9.9/32 on the Internet; the NGFW reaches ISP1 through
GE1/0/1 1.1.1.1/24 and ISP2 through GE1/0/7 2.2.2.2/24)
Configuration Roadmap
1. Make two ISP address files, isp1_network.csv and isp2_network.csv, write Server 1 IP
address 3.3.3.3/32 into isp1_network.csv and Server 2 IP address 9.9.9.9/32 into
isp2_network.csv, and upload the two ISP address files to the NGFW.
2. Configure the link health check function and create a link health check group respectively
for ISP1 and ISP2.
3. Set interface IP addresses, security zones, and gateway addresses. After you set a gateway
address, the NGFW automatically generates a default route.
4. Apply link health check groups on the interfaces. If the health check result indicates that a
link is faulty, the NGFW deletes the ISP route entry, so traffic neither matches this route nor
is forwarded to the faulty link.
5. Configure ISP address library link selection to forward packets destined for Server 1 from
the ISP1 link and packets destined for Server 2 from the ISP2 link.
Procedure
Step 1 Switch to the directory hda1:/isp, upload the ISP address files to this directory, and use SFTP
to transfer the files. Details are omitted.
Step 2 Create ISP name isp1_network for ISP1 and ISP name isp2_network for ISP2 and associate
them with the corresponding ISP address files.
<NGFW> system-view
[NGFW] isp name isp1_network
[NGFW] isp name isp1_network set filename isp1_network.csv
[NGFW] isp name isp2_network
[NGFW] isp name isp2_network set filename isp2_network.csv
Step 3 Create a link health check group for ISP1 and ISP2 links separately.
[NGFW] healthcheck link-group 1 isp1_health
[NGFW-healthcheck-link-group-1] destination 3.3.10.10 protocol TCP destination-
port 10001
[NGFW-healthcheck-link-group-1] destination 3.3.10.11 protocol TCP destination-
port 10002
[NGFW-healthcheck-link-group-1] quit
[NGFW] healthcheck link-group 2 isp2_health
[NGFW-healthcheck-link-group-2] destination 9.9.20.20 protocol TCP destination-
port 10003
[NGFW-healthcheck-link-group-2] destination 9.9.20.21 protocol TCP destination-
port 10004
[NGFW-healthcheck-link-group-2] quit
Step 4 Configure interface IP addresses and gateway addresses and bind them to specific link health
check groups.
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[NGFW-GigabitEthernet1/0/1] gateway 1.1.1.254
[NGFW-GigabitEthernet1/0/1] healthcheck link-group isp1_health
[NGFW-GigabitEthernet1/0/1] quit
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[NGFW-GigabitEthernet1/0/3] quit
[NGFW] interface GigabitEthernet 1/0/7
[NGFW-GigabitEthernet1/0/7] ip address 2.2.2.2 255.255.255.0
[NGFW-GigabitEthernet1/0/7] gateway 2.2.2.254
[NGFW-GigabitEthernet1/0/7] healthcheck link-group isp2_health
[NGFW-GigabitEthernet1/0/7] quit
Step 6 Configure a security policy between the Trust and Untrust zones to allow intranet users to access
extranet resources. It is assumed that the intranet user network segment is 10.3.0.0/24.
[NGFW] security-policy
[NGFW-policy-security] rule name policy_sec_trust_untrust
Step 7 Add interfaces to ISP interface groups and deliver ISP routes.
[NGFW] interface-group isp isp1_network interface GigabitEthernet1/0/1 route
enable
[NGFW] interface-group isp isp2_network interface GigabitEthernet1/0/7 route
enable
----End
Configuration Script
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
gateway 1.1.1.254
healthcheck link-group isp1_health
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet1/0/7
ip address 2.2.2.2 255.255.255.0
gateway 2.2.2.254
healthcheck link-group isp2_health
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/7
#
security-policy
rule name policy_sec_trust_untrust
source-zone trust
destination-zone untrust
action permit
source-address 10.3.0.0 24
#
isp name isp1_network
isp name isp1_network set filename isp1_network.csv
isp name isp2_network
isp name isp2_network set filename isp2_network.csv
#
interface-group isp isp1_network interface GigabitEthernet1/0/1 route enable
interface-group isp isp2_network interface GigabitEthernet1/0/7 route enable
#
healthcheck link-group 1 isp1_health
destination 3.3.10.10 protocol TCP destination-port 10001
destination 3.3.10.11 protocol TCP destination-port 10002
healthcheck link-group 2 isp2_health
destination 9.9.20.20 protocol TCP destination-port 10003
destination 9.9.20.21 protocol TCP destination-port 10004
#
return
Networking Requirements
As shown in Figure 9-26, an enterprise has a 100M link connected to ISP1 and a 50M link
connected to ISP2.
l The enterprise requires that traffic be forwarded to ISP1 and ISP2 links based on the
bandwidth ratio to ensure that bandwidth resources are used to the greatest extent.
l When one ISP link is overloaded (the threshold is 90%), follow-up traffic will be forwarded
on the other ISP link to ensure access availability.
Figure 9-26 (figure labels: the NGFW reaches ISP1 through GE1/0/1 1.1.1.1, link bandwidth 100M,
overload protection threshold 95%, and ISP2 through GE1/0/7 2.2.2.2, link bandwidth 50M,
overload protection threshold 90%; both ISPs connect to the Internet)
Configuration Roadmap
The enterprise requires traffic distribution by bandwidth ratio. Therefore, set the intelligent
uplink selection mode to load balancing by link bandwidth. To ensure that the NGFW can
forward traffic to other links when one link is overloaded, set the bandwidth and overload
protection threshold for each interface.
Procedure
Step 1 Choose Network > Interface.
Step 2 Click of interface GE1/0/1, complete basic interface settings, and set the bandwidth and
overload protection threshold as follows:
NOTE
When the outbound interface is an intelligent uplink selection member interface, you must select Multi-
egress options.
Step 4 Click of interface GE1/0/7, complete basic interface settings, and set the bandwidth and
overload protection threshold as follows:
Step 7 Click the Global Route Selection Policy tab, click Edit, and configure a global route selection
policy as follows:
----End
Configuration Verification
Choose Network > Router > Intelligent Uplink Selection. On the Global Route Selection
Policy tab, you can view traffic statistics in the last five minutes, as shown in Figure 9-27.
Configuration Script
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
gateway 1.1.1.254
bandwidth ingress 100000 threshold 95
bandwidth egress 100000 threshold 95
#
interface GigabitEthernet1/0/7
ip address 2.2.2.2 255.255.255.0
gateway 2.2.2.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
#
multi-interface
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/7
mode proportion-of-bandwidth
#
return
Networking Requirements
As shown in Figure 9-28, an enterprise has a 50M link connected to ISP1. However, this link
delivers poor forwarding performance. Therefore, the enterprise rents a 150M link from ISP2,
which delivers good performance.
l The enterprise requires that the ISP2 link forward 80% of the traffic and ISP1 link forward
20% of the traffic to improve the Internet access experience of most users.
l When one link is overloaded (the threshold is 90%), follow-up traffic will be forwarded on
the other link to ensure transmission availability.
Figure 9-28 (figure labels: the NGFW reaches ISP1 through GE1/0/1 1.1.1.1, link weight 1, link
bandwidth 50M, overload protection threshold 90%, and ISP2 through GE1/0/7 2.2.2.2, link
weight 4, link bandwidth 150M, overload protection threshold 90%; both ISPs connect to the
Internet)
Configuration Roadmap
The enterprise requires that the traffic ratio between the ISP2 and ISP1 links be 4:1. Therefore,
set the intelligent uplink selection mode to load balancing by link weight and set the weights of
the ISP2 and ISP1 links to 4 and 1 respectively. To ensure that the NGFW can forward traffic to
other links when one link is overloaded, set the bandwidth and overload protection threshold
for each interface.
Procedure
Step 1 Choose Network > Interface.
Step 2 Click of interface GE1/0/1, complete basic interface settings, and set the bandwidth and
overload protection threshold as follows:
NOTE
When the outbound interface is an intelligent uplink selection member interface, you must select Multi-
egress options.
Step 4 Click of interface GE1/0/7, complete basic interface settings, and set the bandwidth and
overload protection threshold as follows:
Step 7 Click the Global Route Selection Policy tab, click Edit, and configure a global route selection
policy as follows:
----End
Configuration Verification
Choose Network > Router > Intelligent Uplink Selection. On the Global Route Selection
Policy tab, you can view traffic statistics in the last five minutes, as shown in Figure 9-29.
Configuration Script
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
gateway 1.1.1.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
#
interface GigabitEthernet1/0/7
ip address 2.2.2.2 255.255.255.0
gateway 2.2.2.254
bandwidth ingress 150000 threshold 90
bandwidth egress 150000 threshold 90
#
multi-interface
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/7 weight 4
mode proportion-of-weight
#
return
Networking Requirements
As shown in Figure 9-30, an enterprise has two 50M links connected to ISP1 and one 10M link
connected to ISP2.
l The enterprise requires that the two ISP1 links be used preferentially to forward Internet
access traffic and ISP2 link be used only when both ISP1 links are faulty.
l The tax declaration service is forwarded on the ISP2 link preferentially. When the ISP2
link is faulty, the tax declaration service is forwarded on the ISP1 link.
Figure 9-30 (figure labels: the NGFW reaches ISP1 through GE1/0/0 1.1.1.1 and GE1/0/1 1.1.2.2,
and ISP2 through GE1/0/7 2.2.2.2; both ISPs connect to the Internet; the intranet is attached on
GE1/0/3 10.3.0.1)
Configuration Roadmap
The enterprise needs to use ISP1 link preferentially. Therefore, set the global intelligent uplink
selection mode to load balancing by link priority and set the priorities of ISP1 and ISP2 links
respectively to 2 and 1. The tax declaration service needs to use the ISP2 link preferentially.
Therefore, configure intelligent uplink selection based on policy-based routes for the tax
declaration application, set the link selection mode to active/standby backup by link priority,
and set the priority of ISP2 link to 2 and priorities of two ISP1 links to 1. To ensure that the
NGFW can use the standby interface link to forward traffic when the active interface link is
faulty, configure the link health check function.
for interface group ifgrp1 and interface GE1/0/7. The priorities of both GE1/0/0 and
GE1/0/1 are the same as that of interface group ifgrp1.
4. Configure intelligent uplink selection based on policy-based routes.
Configure a policy-based route for the tax declaration application, set the intelligent uplink
selection mode to active/standby backup by link priority, and set priorities for interface
group ifgrp1 and interface GE1/0/7.
Procedure
Step 1 Choose Object > Link Health Check.
Step 2 In Link Health Check List, click Add and create a link health check group for ISP1 link as
follows:
NOTE
Step 4 Click Add again and create a link health check group for ISP2 link as follows:
Step 7 Click of interface GE1/0/0, complete basic interface settings as follows, and apply the link
health check group on the interface:
Step 9 Click of interface GE1/0/1, complete basic interface settings as follows, and apply the link
health check group on the interface:
Step 11 Click of interface GE1/0/7, complete basic interface settings as follows, and apply the link
health check group on the interface:
Step 13 Click of interface GE1/0/3 and set the interface IP address and security zones as follows:
Step 16 On the Interface Group tab, click Add, and add interfaces GE1/0/0 and GE1/0/1 to interface
group ifgrp1.
Step 18 Click the Global Route Selection Policy tab, click Edit, and configure a global route selection
policy as follows:
Step 20 On the Policy Route tab, click Add, and configure a policy-based route as follows.
UD_tax_system is a user-defined application, corresponding to the tax declaration application.
For details on how to configure a user-defined application, see Configuring a User-Defined
Application.
Configuration Verification
Choose Network > Router > Intelligent Uplink Selection. On the Global Route Selection
Policy tab, you can view the health status of each link and the traffic statistics in the last five
minutes, as shown in Figure 9-31.
Choose Network > Router > Intelligent Uplink Selection. On the Policy Route tab, you can
view the configured policy-based routes, as shown in Figure 9-32.
Configuration Script
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
gateway 1.1.1.254
healthcheck link-group isp1_health
#
interface GigabitEthernet1/0/1
ip address 1.1.2.2 255.255.255.0
gateway 1.1.2.254
healthcheck link-group isp1_health
#
interface GigabitEthernet1/0/7
ip address 2.2.2.2 255.255.255.0
gateway 2.2.2.254
healthcheck link-group isp2_health
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/7
#
interface-group name ifgrp1
interface-group ifgrp1 interface GigabitEthernet1/0/0
interface-group ifgrp1 interface GigabitEthernet1/0/1
#
policy-based-route
rule name tax_system
ingress-interface GigabitEthernet1/0/3
application app UD_tax_system
action pbr egress-interface multi-interface
add interface-group ifgrp1
add interface GigabitEthernet1/0/7 priority 2
mode priority-of-userdefine
#
multi-interface
add interface-group ifgrp1 priority 2
add interface GigabitEthernet1/0/7
mode priority-of-userdefine
#
healthcheck link-group 1 isp1_health
destination 3.3.10.10 protocol TCP destination-port 10001
Networking Requirements
As shown in Figure 9-33, an enterprise has a 50M link connected to ISP1 and a 10M link
connected to ISP2.
l The enterprise requires that ISP1 link be used preferentially for traffic forwarding. When
ISP1 link is faulty or overloaded (the threshold is 90%), ISP2 link can be used for traffic
forwarding.
l ISP2 link is charged by traffic (such as the 3G network). Therefore, you need to set ISP2
link to Down when the active interface link works properly.
Figure 9-33 Networking diagram: the NGFW connects to the Internet through ISP1 on GE1/0/1 (1.1.1.1, link bandwidth 50M, overload protection threshold 90%) and through ISP2 (3G network) on GE1/0/7 (2.2.2.2, link bandwidth 10M, overload protection threshold 90%).
Configuration Roadmap
The enterprise needs to use ISP1 link preferentially. Therefore, set the intelligent uplink selection
mode to load balancing by link priority and set the priorities of ISP1 and ISP2 links respectively
to 2 and 1. To ensure that ISP2 link is Up only when transmitting traffic, you need to configure
the standby interface automatic shutdown function. To ensure that the NGFW can use other links
to forward traffic when a link is faulty or overloaded, you need to configure link health check
and link overload protection functions.
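The selection logic this roadmap describes (priority, link health check, overload threshold, standby interface shutdown), modelled as an added example; this is not NGFW code, and the exact selection rules are an assumption about the device behaviour described here, not taken from the page.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Link:
    """One uplink as seen by the selection logic (simplified model)."""
    name: str
    priority: int         # higher value = preferred (ISP1 = 2, ISP2 = 1 in the roadmap)
    healthy: bool         # outcome of the link health check probes
    bandwidth_kbps: int   # the configured "bandwidth ingress/egress" value
    load_kbps: int        # currently measured traffic on the link
    threshold_pct: int = 90   # overload protection threshold

    def usable(self) -> bool:
        # Integer comparison avoids float rounding: load < bandwidth * threshold%.
        return self.healthy and self.load_kbps * 100 < self.bandwidth_kbps * self.threshold_pct


def select_links(links: List[Link]) -> List[str]:
    """Load balancing by link priority: every usable link at the highest priority
    level that still has one carries traffic; lower priorities are used only
    when that level has no usable link (all faulty or overloaded)."""
    usable = [link for link in links if link.usable()]
    if not usable:
        return []          # nothing can forward traffic
    top = max(link.priority for link in usable)
    return [link.name for link in usable if link.priority == top]


def interface_status(links: List[Link], standby_down: bool) -> Dict[str, str]:
    """With 'standby-interface status down', a link that is not selected is kept
    Down (so a traffic-charged link such as 3G stays idle); otherwise it stays Up."""
    active = set(select_links(links))
    return {
        link.name: "up" if (link.name in active or not standby_down) else "down"
        for link in links
    }


if __name__ == "__main__":
    # Constructed scenario mirroring the 50M ISP1 / 10M ISP2 requirement.
    isp1 = Link("GE1/0/1", priority=2, healthy=True, bandwidth_kbps=50000, load_kbps=20000)
    isp2 = Link("GE1/0/7", priority=1, healthy=True, bandwidth_kbps=10000, load_kbps=0)
    print(select_links([isp1, isp2]), interface_status([isp1, isp2], standby_down=True))
    isp1.load_kbps = 46000   # above 90% of 50M: ISP1 is overloaded
    print(select_links([isp1, isp2]), interface_status([isp1, isp2], standby_down=True))
```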
Procedure
Step 1 Choose Object > Link Health Check.
Step 2 In Link Health Check List, click Add and create a link health check group for ISP1 link as
follows:
NOTE
Step 4 Click Add again and create a link health check group for ISP2 link as follows:
Step 7 Click of interface GE1/0/1, complete basic interface settings, apply the link health check
group on the interface, and set the bandwidth and overload protection threshold as follows:
Step 9 Click of interface GE1/0/7, complete basic interface settings, apply the link health check
group on the interface, and set the bandwidth and overload protection threshold as follows:
Step 12 Click the Global Route Selection Policy tab, click Edit, and configure a global route selection
policy as follows:
----End
Configuration Verification
Choose Network > Router > Intelligent Uplink Selection. On the Global Route Selection
Policy tab, you can view the health status of each link and the traffic statistics in the last five
minutes, as shown in Figure 9-34.
Configuration Script
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
gateway 1.1.1.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
healthcheck link-group isp1_health
#
interface GigabitEthernet1/0/7
ip address 2.2.2.2 255.255.255.0
gateway 2.2.2.254
bandwidth ingress 10000 threshold 90
bandwidth egress 10000 threshold 90
healthcheck link-group isp2_health
#
multi-interface
standby-interface status down
add interface GigabitEthernet1/0/7
add interface GigabitEthernet1/0/1 priority 2
mode priority-of-userdefine
#
healthcheck link-group 1 isp1_health
destination 3.3.10.10 protocol TCP destination-port 10001
destination 3.3.10.11 protocol TCP destination-port 10002
healthcheck link-group 2 isp2_health
destination 9.9.20.20 protocol TCP destination-port 10003
destination 9.9.20.21 protocol TCP destination-port 10004
#
return
10 Router
10.1.1 Overview
Multiple route protocols are applicable to the router. You can manually set the priority of routes
except the direct route to affect the route protocol selection of the router.
The lengths of route segments differ with the size of networks. As a result, for different networks, the number of route segments can be multiplied by a weighting coefficient, and the weighted number of route segments is used to measure the length of the path. If a router is regarded as a node on the network and a route segment on the Internet as a link, route selection on the Internet is similar to that on a simple network. The route with the minimum number of route segments is not always optimal. For example, a route passing through three high-speed LAN segments may be much faster than one passing through two low-speed MAN segments.
Routing Table
The routing table plays a key role in the packet forwarding of a router. Each router has a routing
table. In the table, each routing entry specifies the interface (on the router) through which packets
destined to a subnet or host are sent to the next router on the route, or sent to the destination host
that is directly connected to the network without passing through other routers.
Based on the sources, routes in the routing table are generally classified into the following
categories:
l Routes identified by link-layer protocols (also called interface routes or direct routes).
l Static routes configured by the network administrator manually.
l Routes identified by dynamic routing protocols.
According to the application range, the routing protocols can be divided into the following types:
l Interior Gateway Protocol (IGP): runs inside an AS, such as RIP, OSPF, and IS-IS.
l Exterior Gateway Protocol (EGP): runs between different ASs, such as BGP.
According to the algorithm type, the routing protocols can be divided into the following types:
l Distance-Vector Routing Protocol: includes RIP and BGP (BGP is also called Path-Vector).
l Link-State Routing Protocol: includes OSPF and IS-IS.
The preceding algorithms mainly differ in the methods of route discovery and route calculation.
Route Priority
Different routing protocols (including the static route) can learn different routes to the same
destination, but not all these routes are optimal. At a time, only one routing protocol determines
the optimal route to a destination. To select the optimal route, each of these routing protocols
(including the static route) is configured with priority. When multiple routing information
sources coexist, the route learned by the routing protocol with the highest priority becomes the
optimal route (the smaller the value is, the higher the priority is). Routing protocols and the
default priority of the routes learned by the protocols are shown in Table 10-1.
In Table 10-1, 0 indicates the direct route, and 255 indicates any route learned from unreliable
sources. The smaller the value is, the higher the priority is.
Table 10-1 Routing protocols and their default priority of the routes
Routing Protocol: DIRECT, Default Priority: 0
Routing Protocol: OSPF, Default Priority: 10
Routing Protocol: IS-IS, Default Priority: 15
Routing Protocol: STATIC, Default Priority: 60
Routing Protocol: RIP, Default Priority: 100
Routing Protocol: IBGP, Default Priority: 255
Routing Protocol: EBGP, Default Priority: 255
Routing Protocol: UNKNOWN, Default Priority: 255
Except for direct routes, the priority of the routing protocols can be manually configured. In
addition, the priority for each static route can be distinct.
NOTICE
The ECMP routes must be from the same routing protocol. If the routes are learned from
different routing protocols, they cannot become ECMP routes even when their costs are
the same.
The device supports a maximum of 8 equal-cost routes.
l Route Backup
Configure multiple routes to the same destination, and specify different priorities for those
routes to implement route backup. The route with the highest priority serves as the active
route, whereas all the other routes serve as the backup routes.
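The route selection rules above (Table 10-1 priorities, one protocol wins per destination, ECMP only within one protocol and capped at 8, lower-priority routes kept as backup) and the default-route behaviour described later in this chapter, as an added Python model; it is not device code, the sample routing table is constructed, and the tie-break between two protocols with the same priority is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Default route priorities from Table 10-1 (the smaller the value, the higher the priority).
DEFAULT_PREFERENCE = {
    "DIRECT": 0, "OSPF": 10, "IS-IS": 15, "STATIC": 60,
    "RIP": 100, "IBGP": 255, "EBGP": 255, "UNKNOWN": 255,
}
MAX_ECMP = 8   # the device supports a maximum of 8 equal-cost routes


@dataclass(frozen=True)
class Route:
    prefix: str                       # "10.1.0.0/16"; "0.0.0.0/0" is the default route
    protocol: str
    nexthop: str
    cost: int = 0
    preference: Optional[int] = None  # per-route override (static routes may differ)

    def pref(self) -> int:
        if self.preference is not None:
            return self.preference
        return DEFAULT_PREFERENCE.get(self.protocol, DEFAULT_PREFERENCE["UNKNOWN"])

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix, strict=False)


def active_routes(candidates: List[Route]) -> List[Route]:
    """Among routes to the same destination prefix, return the active ones:
    the highest-priority routes win, and only equal-cost routes of that same
    protocol form an ECMP group (capped at MAX_ECMP). Everything else is backup."""
    if not candidates:
        return []
    best_pref = min(r.pref() for r in candidates)
    best = [r for r in candidates if r.pref() == best_pref]
    # Assumption: if two protocols share the best priority, the first listed wins.
    proto = best[0].protocol
    same_proto = [r for r in best if r.protocol == proto]
    min_cost = min(r.cost for r in same_proto)
    return [r for r in same_proto if r.cost == min_cost][:MAX_ECMP]


def lookup(table: List[Route], dst: str) -> List[Route]:
    """Longest-prefix match, then route priority. The default route 0.0.0.0/0
    matches only when nothing more specific does; an empty result means the
    packet is unroutable (the NGFW discards it and returns an ICMP message)."""
    addr = ipaddress.ip_address(dst)
    matching = [r for r in table if addr in r.network()]
    if not matching:
        return []
    longest = max(r.network().prefixlen for r in matching)
    return active_routes([r for r in matching if r.network().prefixlen == longest])


# Constructed sample routing table (not from the page).
SAMPLE_TABLE = [
    Route("10.1.0.0/16", "OSPF", "10.1.5.2", cost=2),
    Route("10.1.0.0/16", "RIP", "10.1.5.3", cost=1),            # loses: RIP 100 vs OSPF 10
    Route("10.1.0.0/16", "OSPF", "10.1.4.6", cost=2),           # equal-cost OSPF: ECMP member
    Route("10.1.2.0/24", "STATIC", "10.1.5.2"),                 # more specific: longest match
    Route("10.1.2.0/24", "STATIC", "10.1.4.6", preference=70),  # backup route (lower priority)
    Route("0.0.0.0/0", "STATIC", "1.1.1.254"),                  # default route
]

if __name__ == "__main__":
    for dst in ("10.1.2.9", "10.1.7.1", "8.8.8.8"):
        print(dst, [(r.protocol, r.nexthop) for r in lookup(SAMPLE_TABLE, dst)])
```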
FRR
In Fast ReRoute (FRR), when a fault is detected at the physical or link layer, the forwarding
module rapidly responds to the fault and forwards packets through a backup link. In this manner,
the impact of the link fault on services is minimized.
NOTE
Currently, the device supports only IP FRR, not FRR in the Multiprotocol Label Switching (MPLS)
environment. Unless otherwise specified, FRR refers to IP FRR.
On traditional IP networks, the forwarding device such as the router detects the fault of the link
at the lower layer and then the routing module re-selects an available route (also called route
convergence). This takes a route calculation period (several seconds). Second-level convergence
is intolerable for services that are sensitive to packet loss and delay. This results in service
interruption. For example, Voice Over IP (VoIP) services can be interrupted up to about 50 ms.
Catering for such requirements, FRR is launched to implement millisecond-level switchover,
minimizing fault impacts.
FRR must interwork with the detection mechanism at the physical or link layer. Currently, the
device supports only interworking with the BFD mechanism.
As shown in Figure 10-1, two links exist between Router_A and Router_B. The active link is
Link_A (Router_A > Router_C > Router_B) and the standby link is Link_B (Router_A >
Router_D > Router_B).
A BFD session is created between Router_A and Router_B. When the active link is faulty, BFD
notifies FRR of the message. Then FRR rapidly switches the traffic to the standby link.
Figure 10-1 FRR networking: Link_A (Router_A > Router_C > Router_B) is the active link, Link_B (Router_A > Router_D > Router_B) is the standby link, and a BFD session runs between Router_A and Router_B.
Context
NOTE
You can view only the active routes in the routing table.
Procedure
Step 1 Choose Network > Router > Routing Table.
Step 2 Configure the search conditions.
Parameter: Protocol/Destination (Mask)
Description: Select the protocol type when you query routes by protocol.
l All: Query routes of all protocols.
l Direct: Query only the direct routes.
l Static: Query only the static routes.
l UNR: Query only user network routes.
l BGP: Query only the BGP routes.
l OSPF: Query only the OSPF routes.
l RIP: Query only RIP routes.
l ISP: Query only ISP (carrier) routes.
Enter the destination IP address and mask when you query routes by destination address and mask. If you do not enter a mask, the route to a specific host is displayed.
----End
Context
The global router ID to be configured must be different from other router IDs on the network.
Generally, the router ID is set to the IP address of an interface on the router.
Procedure
Step 1 Access the system view.
system-view
Step 2 Configure the global router ID.
router id router-id
----End
Follow-up Procedure
Run the display router id command to query the configured router ID.
<NGFW> system-view
[NGFW] router id 192.168.1.205
[NGFW] display router id
RouterID:192.168.1.205
Prerequisites
You must configure equal-cost routes before configuring equal cost multi-path (ECMP) load
balancing. For details on how to configure static equal-cost routes, see 10.2 IP Static Route.
Context
The NGFW supports:
NOTICE
Load balancing can be implemented only on pure-router networks. Do not enable any functions
irrelevant to routers, such as packet filtering, NAT, UTM, and user management in load
balancing scenarios.
By default, the NGFW performs per-flow load balancing based on the hash value of the source
and destination IP addresses.
Procedure
l Configure the per-flow load balancing.
1. Access the system view.
system-view
2. Select an algorithm for per-flow load balancing as required (select one of the following):
– Select the hash algorithm for link selection.
load-balance multi-interface flow [ hash { destination-ip | destination-port |
source-ip | source-port } * ]
– Select the round robin algorithm for link selection.
a. Access the interface view.
interface interface-type interface-number
b. Specify the load balancing weight.
route weight weight-value
The larger the weight is, the heavier the traffic on the interface. By default,
the weight value is 1.
l Configure the per-packet load balancing.
1. Access the system view.
system-view
2. Configure per-packet load balancing for forwarding IP packets.
load-balance packet
3. Access the interface view.
The larger the weight is, the heavier the traffic on the interface. By default, the weight
value is 1.
----End
system-view
An IPv4 prefix list is identified by its list name. Each prefix list contains multiple entries. Each entry independently specifies a matching range in the format of a network prefix and identifies the range with an index number. For example, the following is a prefix list named abcd:
#
ip ip-prefix abcd index 10 permit 10.0.192.0 8
ip ip-prefix abcd index 20 permit 172.17.1.0 24
During the matching, the system checks every entry in turn based on the index number in
ascending order. As long as the routing information matches one entry, the filtering list is passed,
and other entries are no longer matched.
If all entries are in deny mode, no routes can pass this filtering list. You are advised to define a permit 0.0.0.0/0 greater-equal 0 less-equal 32 entry after the multiple entries in deny mode to allow all the other IPv4 routes to pass the IP-prefix filtering.
NOTE
If you define more than one IP-prefix entry, at least one entry should be in permit mode.
----End
system-view
An IPv6 prefix list is identified by its list name. Each prefix list contains multiple entries. Each entry independently specifies a matching range in the format of a network prefix and identifies the range with an index number. For example, the following is a prefix list named abcd:
#
ip ipv6-prefix abcd index 10 permit 1:: 64
ip ipv6-prefix abcd index 20 permit 2:: 64
During the matching, the system checks every entry in turn based on the index number in
ascending order. As long as the routing information matches one entry, the filtering list is passed,
and other entries are no longer matched.
If all entries are in deny mode, no routes can pass this filtering list. You are advised to define a permit :: 0 less-equal 128 entry after the multiple entries in deny mode to allow all the other IPv6 routes to pass the IP-prefix filtering.
NOTE
If you define more than one IPv6 prefix entry, at least one entry should be in permit mode.
----End
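The matching rules of both the IPv4 and the IPv6 prefix list sections above (ordered by index, first match decides, all-deny lists pass nothing, the advised catch-all permit entry), as an added Python model; it is not device code, and the mask-length range semantics (exact length unless greater-equal/less-equal are given) are an assumption about the command described here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PrefixEntry:
    """One 'ip ip-prefix'/'ip ipv6-prefix' entry of a list."""
    index: int
    mode: str                         # "permit" or "deny"
    prefix: str                       # e.g. "10.0.192.0", "172.17.1.0", "1::"
    length: int                       # mask length given on the entry
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def matches(self, route: str) -> bool:
        net = ipaddress.ip_network(route, strict=False)
        entry_net = ipaddress.ip_network(f"{self.prefix}/{self.length}", strict=False)
        if net.version != entry_net.version:
            return False
        # Prefix part: the first `length` bits of the route must equal the entry's.
        masked = ipaddress.ip_network(f"{net.network_address}/{self.length}", strict=False)
        if masked != entry_net:
            return False
        # Mask-length part (assumed semantics): exact `length` unless a range is given;
        # greater-equal alone opens the range up to the maximum length.
        lo = self.greater_equal if self.greater_equal is not None else self.length
        if self.less_equal is not None:
            hi = self.less_equal
        else:
            hi = net.max_prefixlen if self.greater_equal is not None else self.length
        return lo <= net.prefixlen <= hi


def prefix_list_permits(entries: List[PrefixEntry], route: str) -> bool:
    """Check entries in ascending index order; the first matching entry decides
    and later entries are not examined. A route that matches no entry is denied,
    which is why an all-deny list passes nothing."""
    for entry in sorted(entries, key=lambda e: e.index):
        if entry.matches(route):
            return entry.mode == "permit"
    return False


# The page's example list "abcd" for IPv4 and for IPv6.
ABCD_V4 = [PrefixEntry(10, "permit", "10.0.192.0", 8),
           PrefixEntry(20, "permit", "172.17.1.0", 24)]
ABCD_V6 = [PrefixEntry(10, "permit", "1::", 64),
           PrefixEntry(20, "permit", "2::", 64)]
# Constructed: a deny entry followed by the advised catch-all permit entry.
DENY_WITH_CATCHALL = [
    PrefixEntry(10, "deny", "192.168.0.0", 16, greater_equal=16, less_equal=24),
    PrefixEntry(20, "permit", "0.0.0.0", 0, greater_equal=0, less_equal=32),
]
DENY_ONLY = DENY_WITH_CATCHALL[:1]   # without the catch-all nothing passes

if __name__ == "__main__":
    for route in ("10.0.0.0/8", "10.1.0.0/16", "172.17.1.0/24"):
        print("abcd", route, prefix_list_permits(ABCD_V4, route))
    for route in ("192.168.1.0/24", "8.8.8.0/24"):
        print("deny+catch-all", route, prefix_list_permits(DENY_WITH_CATCHALL, route),
              "deny-only", prefix_list_permits(DENY_ONLY, route))
```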
Step 1 Run:
system-view
Step 2 Run:
route-policy route-policy-name { permit | deny } node node
Step 3 Optional: Configure the matching conditions of the standby link. For details, see 10.7.2.2
Configuring the If-Match Clause.
Route backup matching conditions consist of a series of if-match commands. If no matching
condition is specified, FRR sets all routes to backup ones. If any matching conditions are
specified, only matched routes serve as backup ones.
Step 4 Run:
apply backup-interface interface-type interface-number
Step 5 Run:
apply backup-nexthop ip-address
----End
Enabling FRR
To protect public network routes, perform configurations in the system view; to protect private
network routes, perform configurations in the VPN instance view. Configurations in the system
view are independent of those in the VPN instance view.
Only one FRR policy can be configured at a time; a new configuration overwrites the previous one.
When FRR in load balancing mode is enabled and links are normal, traffic is forwarded in load
balancing mode. When one equal-cost link is faulty, traffic is forwarded over the other normal
link.
Step 1 Run:
system-view
Step 2 Run:
ip reroute
Step 4 Run:
ip frr route-policy route-policy-name
FRR is enabled.
----End
Table 10-2 and Table 10-3 list the commands for displaying the configurations of IP routes.
Table 10-2 (IPv4 routes)
Action: Display the routes to the specified destination IP address.
Command: display ip routing-table ip-address [ mask | mask-length ] [ longer-match ] [ verbose ]
Action: Display the routes to the addresses in the specified destination IP address range.
Command: display ip routing-table ip-address1 { mask1 | mask-length1 } ip-address2 { mask2 | mask-length2 } [ verbose ]
Action: Display the routes defined in the specified basic ACL.
Command: display ip routing-table acl acl-number [ verbose ]
Action: Display the route learned using the specified protocol.
Command: display ip routing-table protocol protocol [ inactive | verbose ]
Table 10-3 (IPv6 routes)
Action: Display the routes to the specified destination IP address.
Command: display ipv6 routing-table ipv6-address prefix-length [ longer-match ] [ verbose ]
Action: Display the routes to the addresses in the specified destination IP address range.
Command: display ipv6 routing-table ipv6-address1 prefix-length ipv6-address2 prefix-length [ verbose ]
Action: Display the routes defined in the specified basic ACL.
Command: display ipv6 routing-table acl acl-number [ verbose ]
Action: Display the route filtered by the specified prefix list.
Command: display ipv6 routing-table ip-prefix ipv6-prefix-name [ verbose ]
Action: Display the route learned using the specified protocol.
Command: display ipv6 routing-table protocol protocol [ inactive | verbose ]
Table 10-4 lists the commands for displaying the information about the routing management
module.
Action Command
Clearing Routes
If you need to manually add a route, perform the following actions to clear the dynamic routes.
Statistics on cleared routes cannot be restored. Exercise caution before you clear any routes.
Table 10-5 lists the commands for clearing routes. Perform these actions in the user view.
Action: Clear the dynamic route from the routing table.
Command: reset ip routing-table [ vpn-instance vpn-instance-name ] { ip-address [ mask | mask-length ] | all }
Action: Clear the statistics in the IPv6 routing table.
Command: reset ipv6 routing-table statistics protocol { all | protocol }
Before you enable the debugging function, you must run the terminal monitor and terminal
debugging commands in the user view to enable the terminal information display and terminal
debugging information display functions, so that the debugging information can be displayed
on the terminal.
NOTICE
Enabling the debugging function affects the system performance. Therefore, after debugging,
you need to run the undo debugging all command to disable the debugging function.
Table 10-6 lists the commands for debugging the routing management module.
Action: Enable IPv4 debugging for routing management.
Command: debugging rm ipv4 { im | urt | usr | msr | rcom [ ip-prefix ip-prefix-name ] | rr }
Action: Enable IPv6 debugging for routing management.
Command: debugging rm ipv6 { im | urt | usr | rcom [ ipv6-prefix ipv6-prefix-name ] | rr }
10.2.1 Overview
The static route implements accurate control over route selection on the network. However, once the network changes or fails, you need to re-configure the static route manually.
The disadvantage of the static route is that when a fault occurs or the topology is changed on a
network, the static route cannot automatically adapt itself to the change. You must re-configure
the route manually.
The IPv6 static route, similar to the IPv4 static route, needs the administrator's manual
configuration, and applies to certain simply-structured IPv6 networks.
The IPv6 static route uses the IPv6 address as the next hop, while the IPv4 static route uses the
IPv4 address as the next hop. In addition, only the IPv4 static route supports the VPN instance.
Default Route
The default route is a special route. You can manually configure the default route, but sometimes,
dynamic routing protocols, such as OSPF and IS-IS, can generate the default route.
The default route is used only when no suitable routing entry is matched. In the routing table,
the destination IP address and subnet mask of the default route are both 0.0.0.0. The destination
IP address of the IPv6 default route is ::/0 (the mask length is 0).
If the destination IP address of a packet cannot match any entry in the routing table, the packet
adopts the default route. If no default route exists and the destination IP address of the packet is
not in the routing table, the NGFW discards the packet, and an ICMP packet is returned to the
source end to report that the destination IP address or network is unroutable.
You must specify next-hop addresses for all routing entries. When sending a packet, the router
first searches the matched route in the routing table based on the destination address. The link
layer can find the corresponding link-layer address and forward the packet only when the next
hop address is specified.
l For Point-to-Point (P2P) interfaces, if you specify the outgoing interface, the next-hop
address is also specified. The address of the peer interface connected to this interface is the
next-hop address.
l For the NBMA interface that supports point-to-multipoint networks, you have to not only
configure IP routing but also set up the secondary route at the link layer, that is, the mapping
between the IP address and the link-layer address. In this circumstance, set the next-hop IP
address.
l For the Ethernet interface that functions as a broadcast interface, multiple next hops exist.
Therefore, you have to specify the next-hop IP address.
l For the virtual-template interface that can be associated with multiple Virtual Access
Interface (VAI), multiple next hops exist. Therefore, you have to specify the next-hop IP
address.
Step 2 Under Configure Default Priority, enter the default priority for static routes in Default
Priority.
----End
Monitoring
----End
Context
By default, no static IPv4 route is configured.
l When both the destination IP address and the mask are set to 0.0.0.0, the route is a default
route.
l During the configuration of static routes, you can specify the next hop and the outgoing
interface or specify either of them based on actual situations.
– For point-to-point interface, you can specify either the outgoing interface or the next
hop.
– For NBMA, Ethernet, and Virtual-template interfaces, the next hop must be specified.
You can set different priority levels for the static routes. This enables you to apply the routing
policies flexibly.
l Configure multiple routes to the same destination and specify the same priority for all routes
to implement load balancing. This feature is referred to as equal cost multipath (ECMP).
l Configure multiple routes to the same destination and specify different priorities for those
routes to implement route backup. The route with the highest priority serves as the active
route, whereas all the other routes serve as the backup routes.
Procedure
Step 1 Access the system view.
system-view
Step 2 Optional: Set the default priority for the static route.
ip route-static default-preference preference
By default, the priority of the static route is 60.
If you do not specify the priority, the static route uses the default priority. The reset default
priority is valid for only new IPv4 static routes.
Step 3 Configure the IPv4 static route.
ip route-static ip-address { mask | mask-length } { nexthop-address | interface-type interface-number [ nexthop-address ] | vpn-instance vpn-instance-name nexthop-address } [ preference preference ] [ track ip-link link-id ] [ track bfd-session cfg-name ] [ description description ]
ip route-static vpn-instance source-vpn-name destination-ip-address { mask | mask-length } { nexthop-address [ public ] | interface-type interface-number [ nexthop-address ] | vpn-instance destination-vpn-name nexthop-address } [ preference preference ] [ track ip-link link-id ] [ track bfd-session cfg-name ] [ description text ]
track ip-link link-id: binding the configured IP-link items to specific static routes.
track bfd-session cfg-name: configuring BFD to interwork with a static route and bind a BFD
session to the static route. This helps detect link status and provides a detection mechanism for
static routes.
----End
Prerequisites
Before you configure an IPv6 static route, complete the following tasks:
l Set the parameters and IPv6 addresses of link-layer protocols for the interface and change
the status of the link protocol to Up.
l Add the related interfaces to security zones and configure the interzone packet-filtering
rules.
Context
To configure an IPv6 static route, note the following:
Procedure
Step 1 Access the system view.
system-view
When configuring a static route, you can specify the outgoing interface or next-hop address
based on the actual condition.
l If the outgoing interface is a PPP interface, specify the outgoing interface only.
l If the outgoing interface is a broadcast interface, you must specify the next-hop address.
If you do not specify parameter preference, the default priority of the static route is 60.
----End
Table 10-7 shows the commands for checking the static route configuration.
Table 10-7 Checking the IPv4 and IPv6 static route information
Action Command
Networking Requirements
Figure 10-3 shows the IP addresses and masks of each NGFW interface and host. Static routes
must be configured to ensure the communication between any two hosts.
Figure 10-3 Networking diagram: NGFW_A (GE1/0/1 10.1.5.1/24, GE1/0/2 10.1.1.1/24) connects to PC1 (10.1.1.2/24); NGFW_B (GE1/0/1 10.1.5.2/24, GE1/0/2 10.1.4.5/30, GE1/0/3 10.1.2.1/24) connects to PC2 (10.1.2.2/24); NGFW_C (GE1/0/1 10.1.4.6/30, GE1/0/2 10.1.3.1/24) connects to PC3 (10.1.3.2/24).
Configuration Roadmap
Perform the following procedures to configure IPv4 static routes:
Procedure
l Configure NGFW_A.
1. Complete interface settings, such as IP address and security zone.
a. Choose Network > Interface.
b. Click of GigabitEthernet1/0/1 and set the following parameters:
Zone trust
IPv4
IP Address 10.1.5.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GigabitEthernet1/0/2.
Zone trust
IPv4
IP Address 10.1.1.1/24
Destination IP address/mask 0.0.0.0/0.0.0.0
Next-hop 10.1.5.2
c. Click OK.
l Configure NGFW_B.
1. Complete interface settings, such as IP address and security zone.
a. Choose Network > Interface.
b. Click of GigabitEthernet1/0/1 and set the following parameters:
Zone trust
IPv4
IP Address 10.1.5.2/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GigabitEthernet1/0/2.
Zone trust
IPv4
IP Address 10.1.4.5/30
Zone trust
IPv4
IP Address 10.1.2.1/24
Destination IP address/mask 10.1.1.0/24
Next-hop 10.1.5.1
c. Click OK.
d. Click Add and set the parameters as follows:
Destination IP address/mask 10.1.3.0/24
Next-hop 10.1.4.6
e. Click OK.
l Configure NGFW_C.
1. Complete interface settings, such as IP address and security zone.
a. Choose Network > Interface.
b. Click of GigabitEthernet1/0/1 and set the following parameters:
Zone trust
IPv4
IP Address 10.1.4.6/30
c. Click OK.
d. Repeat the preceding steps to set the parameters of GigabitEthernet1/0/2.
Zone trust
IPv4
IP Address 10.1.3.1/24
Destination IP address/mask 0.0.0.0/0.0.0.0
Next-hop 10.1.4.5
c. Click OK.
l Configure hosts.
Set the default gateway to 10.1.1.1 for PC1, 10.1.2.1 for PC2, and 10.1.3.1 for PC3.
l Verify the configuration.
----End
10.3 RIP
This section describes Routing Information Protocol (RIP) concepts and how to configure
RIP, as well as provides configuration examples.
10.3.1 Overview
The Routing Information Protocol (RIP) applies to small and simply structured networks. RIP
is a routing protocol based on the distance vector and uses hop counts to measure distances to
destinations. There are two RIP versions: RIP-1 and RIP-2.
Definition
RIP is a simple Interior Gateway Protocol (IGP) and works based on the Distance-Vector (DV)
algorithm. It exchanges routing information using User Datagram Protocol (UDP) packets. RIP
uses port 520.
Purpose
As an earliest IGP, RIP is used in small and simply structured networks such as campus networks
and regional networks. Unlike static routes, RIP automatically adapts to network topology
changes.
Implementing RIP is simple. Configuring and maintaining RIP are easier than the Open Shortest
Path First (OSPF) and Intermediate System-to-Intermediate System (IS-IS) protocols.
Therefore, RIP is widely used.
10.3.2 Mechanism
This section describes the RIP mechanism.
RIP Timers
RIP is controlled by the following timers:
Age: In the aging time, routers still send Update packets even though they do not receive any routing update. When the age timer times out but the garbage-collect timer does not, the router sends the Update packet with metric value 16 every 30 seconds.
Garbage-Collect: After the garbage-collect timer times out, the entry is removed from the routing table.
1. After RIP is enabled on a router, the router sends request messages to the neighboring
router.
l If RIP is configured as RIP-2, the router sends request messages to the multicast address 224.0.0.9.
l If RIP is configured as RIP-1, the router sends request messages to the broadcast address.
The export policies of RIP routes on the interface at sending side are as follows:
– When the address of the route to be advertised and the IP address of the interface are in the same major network segment: if their mask lengths are the same, the route is advertised with that mask length; if their mask lengths differ, the route is advertised with the mask length of the major network segment.
– If the address of the route and the IP address of the sending interface are not in the same major network segment, the route is advertised with the aggregated major network segment mask of the route.
2. After the neighboring RIP router receives the request message, it sends a response message
that carries the information about its local routing table. At the same time, the router starts
calculating routes.
If RIP is configured as RIP-1, the route is filtered according to the following import policy on the interface at the receiving side:
l The received routes are compared with the mask on the interface. If the address of the
received route and the IP address of the interface are in the same major network segment,
then the route is received according to the mask on the interface. If the route address
and the IP address of the interface are not in the same natural network segment, the route
is received according to the major network segment mask of the route.
l If the directly connected subnet route of the same network segment exists in the routing
table of the local router, the route is received. If the directly connected subnet route of
the same network segment does not exist in the routing table of the local router, the
route is rejected.
3. The router modifies the local routing table after it receives the response message from its
neighbor.
If RIP is configured as RIP-1, the mask of the route can be observed in the following case.
Figure 10-4 shows the networking diagram of RIP-1.
Figure 10-4 RIP-1 networking diagram: RouterA (GE1/0/1, 10.1.1.1/24) and RouterB (GE1/0/1, 10.1.1.2/24) are directly connected; the network segments shown are 10.2.1.0/24, 10.2.2.0/24, and 10.3.1.0/24.
RouterA and RouterB run RIP-1. The RIP-1 packet does not carry the mask. Therefore,
only through the address of the outgoing interface can RouterA and RouterB obtain the
mask of the route to be sent. The routing table of RouterB, however, is as follows:
<RouterB> display rip 1 route
Route Flags: R - RIP, T - TRIP
P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------------------
Peer 10.1.1.1 on GigabitEthernet1/0/1
Destination/Mask Nexthop Cost Tag Flags Sec
10.0.0.0/8 10.1.1.1 1 0 RA 12
10.2.1.0/24 10.1.1.1 1 0 RA 12
10.3.1.0/24 10.1.1.1 1 0 RA 12
In the routing table of RouterB, 10.2.1.0/24 and 10.3.1.0/24 appear as subnet routes with their /24 masks rather than as the major network 10.0.0.0/8.
This is because GigabitEthernet1/0/1 on RouterA has a 24-bit mask, the routes being sent have 24-bit masks, and the routes and the interface belong to the same major network (10.0.0.0). Under the export policy described above, the routes are therefore advertised with their subnet masks.
If RouterA and RouterB are configured with RIP-2, view the routing table of RouterB as
below:
<RouterB> display rip 1 route
Route Flags: R - RIP, T - TRIP
P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------------------
Peer 10.1.1.1 on GigabitEthernet1/0/1
Destination/Mask Nexthop Cost Tag Flags Sec
10.2.1.0/24 10.1.1.1 1 0 RA 26
10.3.1.0/24 10.1.1.1 1 0 RA 26
10.2.2.0/24 10.1.1.1 1 0 RA 26
As shown in the preceding display, all entries carry their masks, because RIP-2 packets carry mask information.
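The mask rules above (export policy on the sender, import policy on the receiver) as runnable Python, an added example that is not part of this guide. It uses only the standard ipaddress module and reproduces the RouterA/RouterB figures: a /24 route in the interface's major network keeps its mask, a route with a different mask length collapses to the classful network, and a bare 10.0.0.0 received on a 10.x interface is the major-network route shown in RouterB's RIP-1 table. The host-route case (an address with bits set beyond the interface mask) follows RFC 1058 and is an assumption beyond the text; the directly-connected check of the second import rule is always satisfied by the receiving interface itself when the route is in its major network, so it is not modelled separately.

```python
"""RIP-1 mask derivation (added example, not from the Huawei guide).

RIP-1 packets carry no subnet mask, so the sender decides which prefix an
address stands for (export policy) and the receiver reconstructs a mask from
the interface the packet arrived on (import policy).
"""
import ipaddress


def major_network(address):
    """Classful (major) network containing address: class A /8, B /16, C /24."""
    first_octet = int(ipaddress.IPv4Address(address)) >> 24
    if first_octet < 128:
        length = 8
    elif first_octet < 192:
        length = 16
    else:
        length = 24
    return ipaddress.ip_network(f"{address}/{length}", strict=False)


def rip1_export(route, interface):
    """Prefix that a RIP-1 sender effectively advertises for `route`.

    route:     'a.b.c.d/len' from the sender's routing table
    interface: 'a.b.c.d/len' address and mask of the sending interface
    The packet carries only the address; this is the prefix the receiver
    is expected to reconstruct.
    """
    net = ipaddress.ip_network(route, strict=False)
    iface = ipaddress.ip_interface(interface)
    route_major = major_network(str(net.network_address))
    if route_major == major_network(str(iface.ip)) and net.prefixlen == iface.network.prefixlen:
        # Same major network and same mask length: advertised with the subnet mask.
        return net
    # Different mask length, or a different major network: aggregated to the
    # major network of the route.
    return route_major


def rip1_import(address, interface):
    """Prefix a RIP-1 receiver installs for the bare `address` heard on `interface`."""
    addr = ipaddress.IPv4Address(address)
    iface = ipaddress.ip_interface(interface)
    major = major_network(address)
    if major != major_network(str(iface.ip)):
        # Not the interface's major network: only the classful route can be meant.
        return major
    if addr == major.network_address:
        # Subnet and host bits all zero: the major network route itself. This is
        # the 10.0.0.0/8 entry in RouterB's RIP-1 table above.
        return major
    subnet = ipaddress.ip_network(f"{address}/{iface.network.prefixlen}", strict=False)
    if subnet.network_address != addr:
        # Bits set beyond the interface mask: a host route (RFC 1058 behaviour,
        # assumed here; the guide only says that host routes can be accepted).
        return ipaddress.ip_network(f"{address}/32")
    # Same major network: apply the receiving interface's mask.
    return subnet
```

Call rip1_export with RouterA's interface 10.1.1.1/24 and rip1_import with RouterB's 10.1.1.2/24 to replay the figure; the receiver-side function is also what you would use to predict which prefix a forged RIP-1 advertisement from a given subnet would install.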
Process of RIP Route Calculation
After a router receives a response packet, it updates its local routing table and then sends a triggered update to its neighboring routers to advertise the changed routing information. The neighboring routers in turn send triggered updates to their own neighbors. After a series of triggered updates, every router holds the latest routing information.
RIP uses an aging mechanism to remove routes that time out, which keeps the routing table valid. For this reason every RIP router periodically advertises its local routing table to its neighbors, and the neighbors update their local routing tables on receiving the Update packets. All RIP routers repeat this process.
NOTE
RFC 2453 defines only plain-text (simple) authentication. MD5 authentication is defined in RFC 2082, "RIP-2 MD5 Authentication".
Split Horizon
The principle of split horizon is that a route learned by RIP on an interface is not sent back to neighbors through that interface. This reduces bandwidth consumption and avoids routing loops.
As shown in Figure 10-5, RouterB sends a route to 10.0.0.0 to RouterA, and RouterA does not send the route back to RouterB.
Figure 10-5 Split horizon: RouterA and RouterB are directly connected; network 10.0.0.0 is reachable through RouterB.
Poison Reverse
The principle of poison reverse is that RIP sets the cost of a route learned from a neighbor on an interface to 16 (marking the route unreachable) and then sends the route back to the neighbor through that interface. In this way, RIP makes the neighbor delete the useless route from its routing table.
Figure 10-6 Poison reverse: RouterA and RouterB are directly connected; network 10.0.0.0 is reachable through RouterA.
As shown in Figure 10-6, if poison reverse is not configured, RouterB advertises back to RouterA the route to network 10.0.0.0 that it learned from RouterA, whose cost to network 10.0.0.0 is 1. If the route from RouterA to network 10.0.0.0 becomes unreachable but RouterB keeps advertising network 10.0.0.0 to RouterA because it has not received the route update from RouterA, a routing loop forms.
With poison reverse, RouterB sends the route to network 10.0.0.0 back to RouterA with cost 16 (unreachable). RouterA therefore never learns a false reachable route to network 10.0.0.0 from RouterB, and the routing loop is avoided.
If both poison reverse and split horizon are configured, simple split horizon (not sending a route learned on an interface back through that interface) is replaced by poison reverse.
Triggered Update
A triggered update occurs when the local routing information changes: the local router immediately notifies its neighbors of the change by sending a triggered update packet, rather than waiting for the next periodic update. This shortens the network convergence time.
As shown in Figure 10-7, when network 10.4.0.0 becomes unreachable, RouterC learns of it first. Normally, route update messages are sent to neighbors every 30s. If RouterB's periodic update reaches RouterC while RouterC is still waiting for its own update interval, RouterC learns a stale route to network 10.4.0.0 from RouterB. The routes from RouterB and RouterC to network 10.4.0.0 then point to each other, forming a routing loop. If instead RouterC sends a route update message to RouterB as soon as it detects the fault, without waiting for the update interval, the routing table of RouterB is updated in time and the routing loop is avoided.
Triggered updates are also used for route withdrawal: when the next hop of a route becomes unavailable because the link is faulty, the local router notifies its neighboring routers that the route is unreachable by setting the cost of the route to 16 and advertising it.
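Split horizon, poison reverse and metric-16 withdrawal, as an added example in Python that is not part of this guide. A small routing table is modelled as a list of Route objects; build_update decides what goes out of one interface under each anti-loop mode, apply_update merges a received Update the way RFC 2453 describes, and figure_10_6 replays the Figure 10-6 scenario (RouterA loses 10.0.0.0, its withdrawal never reaches RouterB) to show that only "none" leaves RouterA pointing back at RouterB. Interface names and hop counts are constructed; the receiver adds the link cost so that a neighbor's connected network shows metric 1, matching the RouterB tables earlier in this section.

```python
"""Split horizon, poison reverse and route withdrawal in RIP updates.

Added example, not code from the Huawei guide. Interface names and hop
counts are constructed for the example.
"""
RIP_INFINITY = 16  # metric 16 means unreachable


class Route:
    def __init__(self, prefix, metric, learned_from=None):
        self.prefix = prefix              # e.g. "10.0.0.0/8"
        self.metric = metric              # hop count; 16 = unreachable
        self.learned_from = learned_from  # interface the route was learned on, None if connected

    @property
    def reachable(self):
        return self.metric < RIP_INFINITY


def build_update(table, out_interface, mode="split-horizon"):
    """Return [(prefix, metric)] to send out of out_interface.

    mode: "none"           advertise everything, no loop protection
          "split-horizon"  omit routes learned on out_interface
          "poison-reverse" send those routes back with metric 16
    Unreachable routes are always sent with metric 16 (route withdrawal) so
    neighbours drop them at once instead of waiting for the aging timer.
    """
    update = []
    for route in table:
        if not route.reachable:
            update.append((route.prefix, RIP_INFINITY))
        elif route.learned_from == out_interface and mode == "split-horizon":
            pass  # never send a route back where it came from
        elif route.learned_from == out_interface and mode == "poison-reverse":
            update.append((route.prefix, RIP_INFINITY))
        else:
            update.append((route.prefix, route.metric))
    return update


def apply_update(table, in_interface, entries, link_cost=1):
    """Merge received entries into table (RFC 2453 section 3.9.2, simplified).

    The receiver adds the cost of the incoming link, so a neighbour's connected
    network (hop count 0) is installed with metric 1.
    """
    by_prefix = {route.prefix: route for route in table}
    for prefix, metric in entries:
        metric = min(metric + link_cost, RIP_INFINITY)
        current = by_prefix.get(prefix)
        if current is None:
            if metric < RIP_INFINITY:
                by_prefix[prefix] = Route(prefix, metric, in_interface)
                table.append(by_prefix[prefix])
        elif current.learned_from == in_interface:
            # Same neighbour that gave us the route: always accept its metric,
            # including 16, which withdraws or poisons the route.
            current.metric = metric
        elif metric < current.metric:
            current.metric = metric
            current.learned_from = in_interface
    return table


def figure_10_6(mode):
    """Replay Figure 10-6 and return RouterA's entry for 10.0.0.0/8 as
    (reachable, metric, learned_from) after RouterA has lost the network but
    its withdrawal never reached RouterB."""
    a_if, b_if = "RouterA:GE1/0/1", "RouterB:GE1/0/1"
    router_a = [Route("10.0.0.0/8", 0)]  # directly connected to RouterA
    router_b = []
    # RouterA's periodic update reaches RouterB, which installs 10.0.0.0/8 with metric 1.
    apply_update(router_b, b_if, build_update(router_a, a_if, mode))
    # RouterA loses the network; its metric-16 withdrawal is lost on the wire.
    router_a[0].metric = RIP_INFINITY
    # RouterB's next periodic update arrives at RouterA.
    apply_update(router_a, a_if, build_update(router_b, b_if, mode))
    entry = router_a[0]
    return entry.reachable, entry.metric, entry.learned_from
```

With mode "none" RouterA ends up with 10.0.0.0/8 reachable at metric 2 through the interface towards RouterB, which is the loop; with "split-horizon" RouterB sends nothing for that prefix, and with "poison-reverse" it sends metric 16, so RouterA keeps the route unreachable in both cases.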
Route Aggregation
When different subnet routes of the same major (classful) network are sent to other network segments, they are aggregated into a single route for that major network. This process is called route aggregation. RIP-1 packets do not carry mask information, so RIP-1 can advertise only routes with natural (classful) masks. RIP-2 packets carry mask information, so RIP-2 supports subnetting.
RIP-2 route aggregation improves scalability and efficiency and reduces the size of the routing table in a large-scale network.
For the routers that support the VPN, each RIP process is associated with a specific VPN instance.
In this case, all the interfaces attached to the RIP process should be associated with the RIP-
process-related VPN instance.
Parameter: Description
Update Interval: Interval at which the RIP process sends periodic Update packets.
Garbage Collection Time: Time for which an unreachable RIP route (metric 16) is kept before it is deleted from the routing table.
Enable Default Route: Advertises a default route to RIP neighbors, used for packets that match no other entry in the routing table.
Default Route Cost: Metric of the advertised default route. This parameter is available only when Enable Default Route is enabled.
Source Address Verification: Checks that the source IP address of a received RIP Update packet is on the network segment of the receiving interface.
Host Route: Allows host routes to be added to the routing table.
If the new RIP process is displayed on the page, the operation succeeds.
----End
Step 3 In the RIP Process ID:ID navigation tree, choose Basic Configuration > Network Settings.
If the new network segment is displayed on the page, the operation succeeds.
----End
Step 3 In the RIP Process ID:ID navigation tree, choose Basic Configuration > Interface Settings.
Parameter: Description
Authentication Mode: Mode in which the interface authenticates RIP-2 packets.
l NONE: packets are not authenticated.
l Simple: simple (plain-text) authentication; the password is carried in clear text in the packet.
l MD5: MD5 authentication; packets carry a keyed digest instead of the password.
Advanced Settings
Receiving of RIP Packets: Allows the interface to receive RIP Update packets.
Sending of RIP Packets: Allows the interface to send RIP Update packets.
Anti-Loop Mechanism:
l Split Horizon: the interface does not send back the routes it received.
l Poison Reverse: routes learned on the interface are sent back through it with cost 16 (unreachable).
Sending Mode: RIP-2 packets are sent in broadcast or multicast mode.
Receiving Offset: Metric added to routes received on the interface.
Sending Offset: Metric added to routes sent from the interface.
Sending Interval: Interval at which the interface sends Update packets.
Maximum Sending Packets: Maximum number of Update packets the interface sends at a time.
----End
Step 3 In the RIP Process ID:ID navigation tree, choose Advanced > Route Import.
Parameter: Description
Process ID: Process ID of the routing protocol whose routes are imported. It must be specified when the route type is ospf, rip, or isis.
If the new route import configuration is displayed on the page, the operation succeeds.
----End
Step 3 In the RIP Process ID:ID navigation tree, choose Advanced > Route Filter.
Parameter: Description
Filter Type: Route filter type. It cannot be changed once set.
l Import: RIP filters received routing information.
l Export: RIP filters advertised routing information.
Route Type: Filters advertised routes by route type (protocol). Required when Filter Type is Export. It cannot be changed once set.
Process ID: Process ID of the OSPF, RIP, or IS-IS process whose routes are filtered. It cannot be changed once set.
Interface Name: Filters advertised routes by outbound interface. It cannot be changed once set.
Either route-type-based filtering or outbound-interface-based filtering can be selected, not both.
Filter Mode: Route filter mode, one of the following:
l IP-Prefix: matching rule based on an IP prefix list; routes are filtered by destination prefix.
l ACL: matching rule based on an ACL; routes are filtered by destination IP address.
Source Address: Source IP address, or the name of the address/address group, used to filter routes. You can select an existing address/address group or create a new one.
Schedule: Time range during which the route filter takes effect. You can select an existing time range or create a new one.
Action: Action taken on routes that match the filter.
l permit: the matched route passes the filter (it is imported or advertised).
l deny: the matched route is filtered out.
If the new route filtering policy is displayed on the page, the operation succeeds.
----End
To use the RIP as a routing protocol on a network that does not support broadcasting or
multicasting, you need to specify a RIP peer manually.
Step 3 In the RIP Process ID:ID navigation tree, choose Advanced > Peer Settings.
If the new RIP peer is displayed on the page, the operation succeeds.
----End
Step 3 In the RIP Process ID:ID navigation tree, choose Advanced > Passive Interface.
If the new passive interface is displayed on the page, the operation succeeds.
----End
Table 10-10 shows the RIP configuration tasks, including both the mandatory and optional items. Mandatory items are used to implement the interconnection of RIP networks, and optional items are used to control and adjust RIP networks.
Control the receiving and advertising of RIP routes:
l Configuring RIP to Advertise Default Routes (Optional)
l Configuring RIP to Import External Routes (Optional)
Prerequisites
Before configuring basic RIP functions, complete the following tasks:
Context
To implement proper RIP operation, set the process ID of each RIP router, the network segment
of the interface, and RIP version number.
Procedure
Step 1 Access the system view.
system-view
Step 2 Enable the RIP process and access the RIP view.
rip [ process-id ]
If you run RIP-related commands in the interface view before enabling RIP, the configurations take effect only after RIP is enabled.
RIP supports multiple instances, and a RIP process can be associated with a VPN instance by specifying the vpn-instance vpn-instance-name parameter.
Step 3 Enable RIP on the network segment of the interface.
network network-address
RIP runs only on the interfaces of the specified network segment; it does not send, receive, or forward routes for other interfaces. After enabling RIP, you must specify the network address of a natural (classful) network segment.
NOTE
Different network segments on the same physical interface must be assigned to a single RIP process.
Step 4 By default, an interface receives both RIP-1 and RIP-2 packets and sends only RIP-1 packets. You can configure a RIP-2 interface to send packets in broadcast or multicast mode. If the RIP version number is not set on the interface, the global version number is used.
l Set the global RIP version number.
version { 1 | 2 }
l Set the RIP version number on an interface.
1. Access the system view.
system-view
2. Access the interface view.
interface interface-type interface-number
3. Set the RIP version number.
rip version { 1 | 2 [ broadcast | multicast ] }
----End
Follow-up Procedure
Run the display rip [ process-id | vpn-instance vpn-instance-name ] command. You can view
the current running status and configuration information. The command output shows that two
VPN instances are running. One is a public network instance, and the other is VPN-
Instance-1.
<NGFW> display rip
Public VPN-instance
RIP process : 1
RIP version : 1
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 3
Update time : 30 sec Age time : 180 sec
Suppress time : 0 sec Garbage-collect time : 120 sec
Silent interfaces : None
Default Route : Disabled
Verify-source : Enabled
Networks :
172.4.0.0
Configured peers : None
Number of routes in database : 4
Number of interfaces enabled : 3
Triggered updates sent : 3
Number of route changes : 6
Number of replies to queries : 1
Private VPN-instance name : VPN-Instance-1
RIP process : 2
RIP version : 1
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 3
Update time : 30 sec Age time : 180 sec
Suppress time : 0 sec Garbage-collect time : 120 sec
Silent interfaces : None
Default Route : Disabled
Verify-source : Enabled
Networks :
192.4.5.0
Configured peers : None
Number of routes in database : 0
Number of interfaces enabled : 0
Triggered updates sent : 0
Number of route changes : 0
Number of replies to queries : 0
Total count for 2 process :
Number of routes in database : 3
Number of interfaces enabled : 2
Number of routes sendable in a periodic update : 6
Number of routes sent in last periodic update : 4
Run the display rip process-id route command to view all routes of a specified RIP process.
<NGFW> display rip 1 route
Route Flags: R - RIP
A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------------------
Peer 192.4.5.1 on GigabitEthernet1/0/1
Destination/Mask Nexthop Cost Tag Flags Sec
172.4.0.0/16 192.4.5.1 1 0 RA 15
192.13.14.0/24 192.4.5.1 2 0 RA 15
192.4.5.0/24 192.4.5.1 1 0 RA 15
----End
Follow-up Procedure
Run the display current-configuration interface interface-type interface-number command.
You can verify that interface information is correctly configured and that routing entries are
compliant with the plan on a related router.
<NGFW> display current-configuration interface GigabitEthernet 1/0/1
#
interface GigabitEthernet1/0/1
ip address 10.18.196.205 255.255.255.0
rip metricin 2
#
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
Since multiple dynamic routing protocols may run on a router at the same time, the routing
information sharing and selection among routing protocols must be taken into consideration.
The system sets a priority level for each routing protocol. When different protocols carry the
same route, the routing protocol with higher priority is selected. By default, the RIP priority is
100.
Procedure
system-view
Step 2 Enable the RIP process and access the RIP view.
rip [ process-id ]
----End
Follow-up Procedure
Run the display rip [ process-id ] command. You can check the RIP priority.
<NGFW> display rip 1
Public VPN-instance
RIP process : 1
RIP version : 1
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 6
Update time : 30 sec Age time : 180 sec
Suppress time : 0 sec Garbage-collect time : 120 sec
Silent interfaces : None
Default Route : Disabled
Verify-source : Enabled
Networks :
10.0.0.0
Configured peers : None
Number of routes in database : 0
Number of interfaces enabled : 0
Triggered updates sent : 0
Number of route changes : 0
Number of replies to queries : 0
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
A RIP router can be configured to advertise default routes, which minimizes the impacts of route
changes on a RIP network and improves network performance.
A RIP router that generates a default route does not receive the default route from its neighboring
RIP router.
Procedure
system-view
Step 2 Enable the RIP process and access the RIP view.
rip [ process-id ]
You can configure a router to advertise a default route with the specified metric to its RIP
neighbors. The default metric value is 0.
----End
Follow-up Procedure
Run the display rip [ process-id ] command. You can see that Default Route in the specified
RIP process is set to Enabled. You can view the specified metric.
[NGFW] display rip 1
Public VPN-instance
RIP process : 1
RIP version : 1
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 6
Update time : 30 sec Age time : 180 sec
Suppress time : 0 sec Garbage-collect time : 120 sec
Silent interfaces : None
Default Route : Enabled Default Route Cost : 4
Verify-source : Enabled
Networks :
10.18.0.0 10.12.0.0
10.0.0.0
Configured peers : None
Number of routes in database : 6
Number of interfaces enabled : 2
Triggered updates sent : 7
Number of route changes : 2
Number of replies to queries : 1
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
In some scenarios, a router enabled with RIP is connected to other routers, but does not send
updates to these routers. In this case, you can prevent the interface from sending update packets.
Procedure
system-view
2. Enable the RIP process and access the RIP view.
rip [ process-id ]
3. Perform one of the following operations to set interfaces to the silent state as needed:
– To set all interfaces to silent, run:
silent-interface all
– To prevent one interface from sending Update packets, run:
silent-interface interface-type interface-number
A silent interface still receives Update packets and uses them to update its routing table, but sends none. The silent-interface command takes precedence over the rip output configuration on the interface. By default, an interface does not work in the silent state.
l Configure the interface in the interface view (lower priority).
1. Access the system view.
system-view
2. Access the interface view.
interface interface-type interface-number
3. Configure whether the interface sends RIP Update packets (the rip output command). This command has a lower priority than the silent-interface command. By default, an interface is allowed to send RIP Update packets.
----End
Follow-up Procedure
Run the display rip [ process-id ] command and verify that the specified interface is in
suppression state.
Run the display ip routing-table command and verify that routing entries are compliant with
the plan.
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
You need to import external routes to the RIP routing table on a router to ensure communication
using different routing protocols.
Procedure
system-view
Step 2 Enable the RIP process and access the RIP view.
rip [ process-id ]
Step 3 Set the default cost of imported routes.
default-cost cost
If no cost is specified when external routes are imported, the default cost is used.
If RIP has to advertise routes of other protocols, you can specify protocol to filter the routes of a specific protocol. If protocol is not specified, the router filters all routing information, including imported routes and local RIP routes (equivalent to direct routes).
NOTE
RIP route tags are 16 bits long, whereas other protocols use 32-bit tags. If routes of other protocols are imported and the tag is matched in a routing policy, ensure that the tag value does not exceed 65535. Otherwise, the routing policy becomes invalid and the matching result is incorrect.
----End
Follow-up Procedure
Run the display ip routing-table command and verify that routing entries are correctly
imported.
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
In some scenarios, the router enabled with RIP is connected to other routers, but does not receive
the updates from these routers. You can prevent the interface from receiving update packets.
Procedure
system-view
----End
Follow-up Procedure
Run the display ip routing-table command and verify that routing entries are compliant with
the plan.
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
In certain cases, routers may receive a large number of host routes from the same network segment. These routes do not help with routing but consume a large amount of resources. You can configure RIP to prevent routers from receiving host routes, which helps save network resources.
NOTE
Preventing routers from receiving host routes is only valid for RIPv2, not RIPv1.
Procedure
----End
Follow-up Procedure
Run the display rip [ process-id ] command and verify that routers are prevented from receiving
host routes in the RIP process.
Run the display ip routing-table command and verify that routing entries are compliant with
the plan.
----End
Follow-up Procedure
Run the display ip routing-table command on the related router and its neighbors to and verify
that routing entries are compliant with the plan.
NOTE
l Timer values can be adjusted based on network performance, and the timers must be configured consistently on all routers running RIP, which prevents unnecessary network traffic and route flapping.
l Incorrect settings of these four timer values may cause unstable routing: update must be shorter than age, and suppress must be shorter than garbage-collect. For example, if update is longer than garbage-collect and a RIP route changes within the update time, the router cannot notify its neighbors in time.
l The RIP timer values take effect dynamically after being modified.
----End
Follow-up Procedure
Run the display rip [ process-id ] command to view timer information of a specified RIP process.
<NGFW> display rip 1
Public VPN-instance
RIP process : 1
RIP version : 1
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 6
Update time : 30 sec Age time : 180 sec
Suppress time : 0 sec Garbage-collect time : 120 sec
Silent interfaces : None
Default Route : Disabled
Verify-source : Enabled
Networks : None
Configured peers : None
Number of routes in database : 0
Number of interfaces enabled : 0
Triggered updates sent : 0
Number of route changes : 0
Number of replies to queries : 0
Setting the Interval at Which Packets Are Sent and the Maximum Number of Sent
Packets
Prerequisite
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
When there are a large number of routes on a router, sending all route updates at a time imposes
great pressure on network bandwidths. You can set the interval at which update packets are sent
and the number of the update packets to be transmitted to prevent mass RIP packets from
affecting actual services.
Procedure
system-view
Step 3 Set the interval at which Update packets are sent and the maximum number of packets sent each
time on the interface.
----End
Follow-up Procedure
Verify that the RIP network status is compliant with the plan.
<NGFW> display current-configuration interface GigabitEthernet 1/0/1
#
interface GigabitEthernet1/0/1
ip address 10.18.196.205 255.255.255.0
rip pkt-transmit interval 80 number 40
#
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
Split horizon and poison reverse help prevent routing loops on a RIP network.
l Split horizon: a route learned from an interface by RIP is not advertised to neighboring
routers connected to this interface.
l Poison reverse: After learning a route from an interface, RIP sets the route cost to 16
(unreachable) and sends the route back to the neighboring routers. This method clears
useless information in the routing table.
On non-broadcast multiple access (NBMA) networks such as Frame Relay and X.25, if no subinterfaces are used, disable split horizon so that the router can advertise routing information correctly. If both poison reverse and split horizon are configured, only poison reverse takes effect.
Procedure
system-view
rip split-horizon
rip poison-reverse
----End
Follow-up Procedure
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
To improve RIP network security, received RIP Update packets can be checked in two ways: the zero-field check and the source IP address check.
Procedure
system-view
Step 2 Enable the RIP process and access the RIP view.
rip [ process-id ]
Step 3 Enable the zero-field check for RIP-1 packets.
checkzero
Some fields in a RIP-1 packet must be 0s; they are called zero fields. With the check enabled, RIP-1 checks the zero fields of every received packet, and a packet in which any zero field is not 0 is discarded rather than processed. This command does not take effect on RIP-2 packets, because RIP-2 packets contain no zero fields.
By default, the zero-field check is enabled.
Step 4 Enable the source address check for RIP Update packets.
verify-source
After receiving an Update packet, RIP checks whether its source IP address is on the same network segment as the interface of the RIP process on which it arrived. If the source IP address and the interface address are on different network segments, the packet fails the check and is discarded.
By default, the source address check is enabled.
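What the two checks actually reject, as an added Python example that is not part of this guide: a minimal RIP-1 decoder that applies the source-address check (the sender must be on the receiving interface's subnet) and the zero-field check (the must-be-zero header field and the three must-be-zero fields of every 20-byte entry) before any route is accepted, plus a small encoder used only to construct well-formed and forged packets in-line. RIP packets arrive on UDP port 520 on a real device; the socket layer is omitted so the example runs offline.

```python
"""RIP-1 packet decoding with the zero-field and source-address checks.

Added example, not code from the Huawei guide. Packets are built in-line
for the example rather than read from UDP port 520.
"""
import ipaddress
import struct

RIP_HEADER = struct.Struct("!BBH")       # command, version, must-be-zero
RIP1_ENTRY = struct.Struct("!HH4sIII")   # AFI, zero, address, zero, zero, metric
RIP_RESPONSE = 2
AF_INET = 2


class RipPacketError(ValueError):
    """Raised when a packet fails a check; the router discards such packets."""


def parse_rip1(packet, src_ip, interface, checkzero=True, verify_source=True):
    """Decode a RIP-1 datagram and return (command, [(destination, metric), ...]).

    src_ip:    source IP address of the UDP datagram
    interface: 'a.b.c.d/len' of the interface the datagram arrived on
    """
    if verify_source:
        # verify-source: the sender must be on the receiving interface's subnet.
        iface = ipaddress.ip_interface(interface)
        if ipaddress.ip_address(src_ip) not in iface.network:
            raise RipPacketError(f"source {src_ip} is not on {iface.network}")
    if len(packet) < RIP_HEADER.size or (len(packet) - RIP_HEADER.size) % RIP1_ENTRY.size:
        raise RipPacketError("malformed length")
    command, version, header_zero = RIP_HEADER.unpack_from(packet, 0)
    if version != 1:
        raise RipPacketError(f"not a RIP-1 packet (version {version})")
    if checkzero and header_zero != 0:
        raise RipPacketError("non-zero must-be-zero field in header")
    routes = []
    for offset in range(RIP_HEADER.size, len(packet), RIP1_ENTRY.size):
        afi, zero1, address, zero2, zero3, metric = RIP1_ENTRY.unpack_from(packet, offset)
        if checkzero and (zero1, zero2, zero3) != (0, 0, 0):
            raise RipPacketError(f"non-zero must-be-zero field in entry at offset {offset}")
        if command == RIP_RESPONSE:
            # RFC 2453 sanity checks on response entries: IPv4 only, metric 1..16.
            if afi != AF_INET:
                raise RipPacketError(f"unsupported address family {afi}")
            if not 1 <= metric <= 16:
                raise RipPacketError(f"metric {metric} out of range")
        routes.append((str(ipaddress.IPv4Address(address)), metric))
    return command, routes


def accepted(packet, src_ip, interface, **checks):
    """True if the router would process the packet, False if a check drops it."""
    try:
        parse_rip1(packet, src_ip, interface, **checks)
        return True
    except RipPacketError:
        return False


def build_rip1_response(routes, header_zero=0, entry_zero=0):
    """Encode a RIP-1 response. The *_zero arguments exist only so the example
    can forge packets whose must-be-zero fields are not zero."""
    out = bytearray(RIP_HEADER.pack(RIP_RESPONSE, 1, header_zero))
    for destination, metric in routes:
        out += RIP1_ENTRY.pack(AF_INET, entry_zero,
                               ipaddress.IPv4Address(destination).packed, 0, 0, metric)
    return bytes(out)
```

Neither check is authentication: verify-source only stops updates injected from another subnet, and checkzero only rejects malformed RIP-1 entries. A host on the same segment can still send well-formed updates, which is why the authentication settings on the interface matter for RIP-2.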
----End
Follow-up Procedure
Run the display rip [ process-id ] command to view the Checkzero and Verify-source function
status.
<NGFW> display rip 1
Public VPN-instance
RIP process : 1
RIP version : 2
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 6
Update time : 30 sec Age time : 180 sec
Suppress time : 0 sec Garbage-collect time : 120 sec
Silent interfaces : None
Default Route : Disabled
Verify-source : Enabled
Networks :
10.18.0.0
Configured peers : None
Number of routes in database : 2
Number of interfaces enabled : 1
Triggered updates sent : 0
Number of route changes : 0
Number of replies to queries : 0
Procedure
system-view
Step 2 Enable the RIP process and access the RIP view.
rip [ process-id ]
peer ip-address
----End
Follow-up Procedure
Run the display rip [ process-id ] command to view the configurations of a specified RIP
process.
<NGFW> display rip 1
RIP process : 1
RIP version : 1
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 6
Update time : 30 sec Age time : 180 sec
Suppress time : 0 sec Garbage-collect time : 120 sec
Silent interfaces : None
Default Route : Disabled
Verify-source : Enabled
Networks : None
Configured peers :
10.112.80.22
Number of routes in database : 0
Number of interfaces enabled : 0
Triggered updates sent : 0
Number of route changes : 0
Number of replies to queries : 0
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
If a router has several routes to the same destination with the same protocol priority and the same cost, all of them are used. If no route with a higher priority exists for that destination, the router forwards packets to it over all the equal-cost routes, which implements load balancing. You can set the maximum number of equal-cost routes to be added to the routing table.
Procedure
system-view
Step 2 Enable the RIP process and access the RIP view.
rip [ process-id ]
Step 3 Set the maximum number of equal-cost routes.
maximum load-balancing number
----End
Follow-up Procedure
Run the display rip [ process-id ] command and verify that the configuration of Maximum
number of balanced paths takes effect.
Run the display ip routing-table command and verify that there are multiple equal-cost routes
to the same destination in the routing table.
<NGFW> display rip 1
RIP process : 1
RIP version : 1
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 3
Update time : 30 sec Age time : 180 sec
Suppress time : 0 sec Garbage-collect time : 120 sec
Silent interfaces : None
Default Route : Disabled
Verify-source : Enabled
Networks : None
Configured peers : None
Number of routes in database : 0
Number of interfaces enabled : 0
Triggered updates sent : 0
Number of route changes : 0
Number of replies to queries : 0
system-view
2. Enable the RIP process and access the RIP view.
rip [ process-id ]
3. Enable RIP-2 automatic route summarization.
summary
NOTE
Automatic route summarization does not take effect on interfaces that are configured with split
horizon or poison reverse.
l Configure RIP-2 to advertise the aggregation address.
1. Access the system view.
system-view
2. Access the interface view.
----End
Follow-up Procedure
Run the display ip routing-table command on a router to check whether routing entries are
compliant with the plan.
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
To improve RIP network security, you can configure authentication on the router that runs RIP-2
to safeguard packet transmission.
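The difference between the Simple and MD5 modes listed under Authentication Mode in the interface settings, as an added Python example that is not the guide's code. It builds a RIP-2 response with simple authentication (RFC 2453) and one with keyed-MD5 authentication (RFC 2082), reads the clear-text password straight out of the first, and verifies the digest and the non-decreasing sequence number of the second. The layout follows RFC 2082: AuType 3, Key ID, Auth Data Len 16, a 32-bit sequence number, the packet length field holding the offset of the trailer, and a digest computed over the packet up to the trailer header followed by the 16-byte zero-padded key. Some implementations interoperate with other Auth Data Len values; that is not modelled. Route entries, keys, key IDs and sequence numbers are constructed.

```python
"""RIP-2 authentication: simple password (RFC 2453) versus keyed MD5 (RFC 2082).

Added example, not code from the Huawei guide. Route entries, keys, key IDs
and sequence numbers are constructed for the example.
"""
import hashlib
import hmac
import ipaddress
import struct

AFI_AUTH = 0xFFFF
AUTH_SIMPLE = 2          # RFC 2453 4.1: 16-byte clear-text password
AUTH_MD5 = 3             # RFC 2082: keyed message digest
AUTH_TRAILER = 0x01      # RFC 2082: marks the trailer carrying the digest
DIGEST_LEN = 16
HEADER = struct.Struct("!BBH")           # command, version, unused
ENTRY = struct.Struct("!HH4s4s4sI")      # AFI, route tag, address, mask, next hop, metric
MD5_HDR = struct.Struct("!HHHBBI8s")     # 0xFFFF, type, packet length, key ID, auth len, sequence, reserved
SIMPLE_HDR = struct.Struct("!HH16s")     # 0xFFFF, type, password (zero padded)


def route_entries(routes):
    """Pack [('prefix/len', metric), ...] as RIP-2 entries with no next hop."""
    out = b""
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        out += ENTRY.pack(2, 0, net.network_address.packed, net.netmask.packed, bytes(4), metric)
    return out


def pad_key(key):
    """RFC 2082 keys are 16 bytes; shorter keys are padded with zero bytes."""
    return key.encode().ljust(16, b"\0")[:16]


def build_simple(routes, password):
    """RIP-2 response with simple authentication: the password is the first entry."""
    return HEADER.pack(2, 2, 0) + SIMPLE_HDR.pack(AFI_AUTH, AUTH_SIMPLE, password.encode()) + route_entries(routes)


def password_from_wire(packet):
    """What anyone on the segment can read from a simple-auth packet, or None."""
    afi, auth_type, password = SIMPLE_HDR.unpack_from(packet, HEADER.size)
    if afi != AFI_AUTH or auth_type != AUTH_SIMPLE:
        return None
    return password.rstrip(b"\0").decode()


def build_md5(routes, key_id, key, sequence):
    """RIP-2 response with an RFC 2082 keyed-MD5 header and trailer."""
    entries = route_entries(routes)
    packet_len = HEADER.size + MD5_HDR.size + len(entries)   # offset of the trailer
    body = (HEADER.pack(2, 2, 0)
            + MD5_HDR.pack(AFI_AUTH, AUTH_MD5, packet_len, key_id, DIGEST_LEN, sequence, bytes(8))
            + entries
            + struct.pack("!HH", AFI_AUTH, AUTH_TRAILER))
    # The digest covers everything before it followed by the padded key; the
    # key itself never appears on the wire.
    return body + hashlib.md5(body + pad_key(key)).digest()


def verify_md5(packet, keys, last_sequence):
    """Check an RFC 2082 packet against keys {key_id: key} and the last accepted
    sequence number from this neighbour. Returns (ok, reason, sequence)."""
    if len(packet) < HEADER.size + MD5_HDR.size + 4 + DIGEST_LEN:
        return False, "too short", None
    afi, auth_type, packet_len, key_id, auth_len, sequence, _ = MD5_HDR.unpack_from(packet, HEADER.size)
    if afi != AFI_AUTH or auth_type != AUTH_MD5 or auth_len != DIGEST_LEN:
        return False, "not keyed-MD5 authenticated", None
    trailer = packet[packet_len:packet_len + 4]
    if packet_len + 4 + DIGEST_LEN != len(packet) or trailer != struct.pack("!HH", AFI_AUTH, AUTH_TRAILER):
        return False, "bad trailer", None
    if key_id not in keys:
        return False, f"unknown key ID {key_id}", None
    if sequence < last_sequence:
        # Sequence numbers must not decrease, which blocks replay of captured
        # updates (RFC 2082 allows 0 after a restart; not modelled here).
        return False, "replayed sequence number", None
    expected = hashlib.md5(packet[:packet_len + 4] + pad_key(keys[key_id])).digest()
    if not hmac.compare_digest(expected, packet[packet_len + 4:]):
        return False, "bad digest", None
    return True, "ok", sequence
```

The receiver stores the returned sequence only when ok is True, per key ID and neighbour. Simple mode gives the password to anyone who can capture one update on the segment, so it offers no more protection than NONE against a local attacker; MD5 mode requires the key to forge or alter an update, and the sequence number stops an old update from being replayed.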
Procedure
system-view
----End
Follow-up Procedure
Action Command