
HUAWEI USG6000 Series & NGFW Module

V100R001

Administrator Guide

Issue 04
Date 2015-07-30

HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2015. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.


Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China

Website: http://e.huawei.com

Issue 04 (2015-07-30) Huawei Proprietary and Confidential i


Copyright © Huawei Technologies Co., Ltd.
HUAWEI USG6000 Series & NGFW Module
Administrator Guide About This Document

About This Document

Related Version
The following table lists the product versions related to this document.

Product Name                                          Version
The USG6000 series and NGFW Module have the           V100R001C30SPC100
following models:
• USG6300
– USG6306
– USG6308
– USG6310
– USG6320
– USG6330
– USG6350
– USG6360
– USG6370
– USG6380
– USG6390
• USG6500
– USG6507
– USG6530
– USG6550
– USG6570
• USG6600
– USG6620
– USG6630
– USG6650
– USG6660
– USG6670
– USG6680
• NGFW Module
– ET1D2FW00S00
– ET1D2FW00S01
– ET1D2FW00S02

Intended Audience
This document describes the features, configuration guide, and troubleshooting guide of the
NGFW in detail. This document focuses on how to manage the device on the Web UI, but
provides information on how to manage the device on the CLI to meet different user preferences.


This document is intended for administrators who configure and manage NGFW. The
administrators must have good Ethernet knowledge and network management experience.

Feature Conventions
The following features may involve collecting users' communication contents. Huawei alone is
unable to collect or save the content of users' communications. It is suggested that you activate
the user data-related functions based on the applicable laws and regulations in terms of purpose
and scope of usage. You are obligated to take considerable measures to ensure that the content
of users' communications is fully protected when the content is being used and saved.

• The content security features such as antivirus, IPS, file blocking, data filtering, application
behavior control, mail filtering and URL filtering, may involve the collection of users'
communication contents such as the browsed websites and transmitted files. You are
advised to clear unnecessary sensitive information in a timely manner.
• Antivirus and IPS support packet capture to analyze data packets for viruses or intrusions.
However, the packet capture process may involve the collection of user's communication
content. The device provides dedicated audit administrators to obtain captured packets.
Other administrators do not have such permissions. Please keep the audit administrator
account safe and clear the packet capture history in time.
• The audit function is used to record online behaviors, including the collection or storage
of browsed web pages, BBS or microblog posts, HTTP/FTP file transfer, email receiving
and sending, and IM login and logout. The device provides dedicated audit administrators
to configure audit policies and view audit logs. Other administrators do not have such
permissions. Please keep the audit administrator account safe.
• Port mirroring and NetStream are vital to fault diagnosis and traffic statistics and analysis,
but may involve the collection of user's communication content. The product provides
permission control over such functions. You are advised to clear traffic records after fault
diagnosis and traffic analysis.

Symbol Conventions
The symbols that may be found in this document are defined as follows.

Symbol Description

(symbol) Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.

(symbol) Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.

(symbol) Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.

NOTICE Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results. NOTICE is used to address practices not related to personal injury.

NOTE Calls attention to important information, best practices and tips. NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.

Command Conventions
The command conventions that may be found in this document are defined as follows.

Convention Description

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated by vertical bars. One item is selected.

[ x | y | ... ] Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.

{ x | y | ... } * Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.

[ x | y | ... ] * Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.

&<1-n> The parameter before the & sign can be repeated 1 to n times.

# A line starting with the # sign is comments.

GUI Conventions
The GUI conventions that may be found in this document are defined as follows.


Convention Description

Boldface Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.

> Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Update History
Updates between document issues are cumulative. Therefore, the latest document issue contains
all updates made in previous issues.

Updates in Issue 04 (2015-07-30) of Product Version V100R001C30SPC100


The fourth commercial release has the following updates.
• Feature Updates and Supports
Added What's New in V100R001C30SPC100 to introduce V100R001C30SPC100
feature changes on the basis of the V100R001C30.
• System
– Added the device module to the object permission control items of administrator roles
on the NGFW. For details, see Creating an Administrator Role.
– Added Web Example for Configuring Across-Layer-3 MAC Identification and CLI
Example for Configuring Across-Layer-3 MAC Identification.
• High Availability
– Added the support for automatic backup of static routes. For details, see Commands
and Status Information That Can Be Synchronized.
• Virtual System
– Added the function for configuring the DHCP server and DHCP relay in virtual systems.
For details, see Function Availability for Virtual Systems.
– Added DHCP Dynamic Address Lease and DHCP Static Address Lease in the
resource items that the root system administrator allocates to each virtual system. For
details, see Configuring a Resource Class Using the Web UI or Configuring a
Resource Class Using the CLI.
– Added DHCP Server in Popedom of new administrator roles in virtual systems. For
details, see Creating a Virtual System Administrator Using the Web UI.
• Networks
– Added Restrictions and Precautions of Intelligent Uplink Selection.
– Supported the configuration of the secondary DNS server for domain names to which
DNS transparent proxy does not apply. After the primary and secondary DNS server
addresses are specified for domain names to which DNS transparent proxy does not
apply, DNS requests are forwarded to the primary DNS server. If this server is down,
DNS requests are forwarded to the secondary DNS server. DNS requests will not be
forwarded to the DNS server set on the client. For details, see Configuring DNS
Transparent Proxy Using the Web UI or Configuring DNS Transparent Proxy
Using the CLI.
• User and User Authentication
– Supported incremental synchronization for the import of users, user groups, or security
groups from an AD or LDAP server. For details, see Importing Users, User Groups,
or Security Groups from a Server Using the Web UI or Importing Users, User
Groups, or Security Groups from a Server Using the CLI.
– Supported the multi-choice of server paths for the import of users, user groups, or
security groups from an AD or LDAP server. A maximum of 16 sub-paths can be
selected. For details, see Importing Users, User Groups, or Security Groups from
a Server Using the Web UI or Importing Users, User Groups, or Security Groups
from a Server Using the CLI.
– Supported the configuration of multiple portal authentication servers and portal
authentication templates. For details, see Setting Global Parameters Using the Web
UI or Setting Global Parameters Using the CLI.
– Supported the configuration of LDAP server authentication filtering fields to allow users
to be authenticated. For details, see Configuring an LDAP Server Using the Web
UI or Configuring an LDAP Server Using the CLI.
• Object
– Added the device and device group objects. Devices or device groups can be referenced
in security policies for the control of a specific type of TSM SSO devices. For details,
see Devices and Device Groups.
• Security Policy and Content Security
– Added Web Example for Configuring Blacklist/Whitelist-based URL Filtering,
CLI Example for Configuring Blacklist/Whitelist-based URL Filtering, and CLI
Example for Configuring URL Category-based URL Filtering.
– Allowed you to configure access modes as matching conditions to implement access
mode-based control in TSM SSO scenarios. For details, see Configuring a Security
Policy.
– Allowed you to configure devices as matching conditions to implement device type-
based control in TSM SSO scenarios. For details, see Configuring a Security Policy.
– Supported the EICAR virus detection. The EICAR test file can be used to verify the
antivirus configuration. For details, see Web Example for Antivirus.
• PBR
Added Restrictions and Precautions of PBR.
• Bandwidth Management
– Added the public IP address matching function. Bandwidth can be limited for post-
Source NAT and pre-NAT Server public IP addresses. For details, see Configuring a
Traffic Policy Using the CLI.
– Changed the product implementation. When traffic is forwarded from the outbound
interface, the traffic exceeding the guaranteed bandwidth but below the maximum
bandwidth is limited by the interface bandwidth, but the traffic within the guaranteed
bandwidth is not limited by interface bandwidth. For details, see Interface
Bandwidth.
• VPN

– Added Web Example for Configuring Branches to Use Different IDs and Pre-
shared Keys to Establish IPSec VPNs with the Headquarters.
– Added reverse route injection to DSVPN. The reverse route injection function can send
the private network address of a branch or cascade headquarters in an NHRP message
to the headquarters. The headquarters analyzes the NHRP message to obtain the private
network address of the branch or cascade headquarters and adds a static route to the
private subnet. For details, see Configuring Branches Using the Web UI, Configuring
the Headquarters Using the Web UI, Configuring Cascade Headquarters Using
the Web UI, Setting Route Parameters Using the CLI, and Example for
Configuring DSVPN in the Universal Application Scenario (Using Reverse Route
Injection for Route Advertisement and Learning).
– Added the Dialer interface and the interface obtaining IP addresses through DHCP to
the local interfaces for IPSec intelligent link selection. For details, see Configuring
IPSec Intelligent Link Selection Profiles.
• Security Protection
– Supported the configuration of DDoS attack defense using the CLI. For details, see
Configuring DDoS Attack Defense Using the CLI.
– Supported the query of blacklist logs on the web UI for fault locating. For details, see
Configuring the Blacklist Using the Web UI.
• Monitoring
– Added Restrictions and Precautions of Port Mirroring.
– Supported the configuration of packet capture on the web UI based on packet directions
and categories, enriching quintuple packet capture configuration means. For details, see
Configuring Quintuple Packet Capture Using the Web UI.

Updates in Issue 03 (2015-03-25) of Product Version V100R001C30


The third commercial release has the following updates.

• Feature Updates and Supports
Added What's New in V100R001C30 to introduce V100R001C30 feature changes on the
basis of the V100R001C20SPC700.
• System
– Added northbound API configurations. The client calls the northbound API of the
NGFW to communicate with the NGFW through HTTP/HTTPS. For details, see
Configuring Device Services.
– Added the location signature database. Users can download the location signature
database at https://sec.huawei.com for local upgrade. For details, see Overview.
– Added the support of License trial use. For details, see Applying For and Activating
a License Using the Web UI.
– The Web UI provides the causes and solutions of signature database update failures.
For details, see Maintaining the Update.
• High Availability
– Added sections CLI Example for Configuring Source NAT in a Load Balancing
Scenario (Active/Standby Devices Share the Same Address Pool) and CLI Example
for Configuring Source NAT in a Load Balancing Scenario (Active/Standby
Devices Use Different Address Pools).
• Networks
– Added the round robin- and weighted round robin-based smart DNS functions. For
details, see Smart DNS.
• User and User Authentication
Added the configuration for enabling and disabling the function of pushing information to
the Portal server. For details, see Setting Global Parameters Using the Web UI and
Setting Global Parameters Using the CLI.
• Security Policy and Content Security
– Added the support of configuring domain group as the matching condition. For details,
see Configuring a Security Policy.
– Added the support of importing users from AD or AD LDAP servers as the matching
condition. For details, see Configuring a Security Policy.
• Proxy Policy
Added the support of importing users from AD or AD LDAP servers as the matching
condition. For details, see Configuring Proxy Policies - TCP Proxy and Configuring
Proxy Policies - SSL Decryption.
• Bandwidth Management
Added the support of importing users from AD or AD LDAP servers as the matching
condition. For details, see Configuring a Traffic Policy Using the Web UI.
• Quota Control Policy
Added the support of importing users from AD or AD LDAP servers as the matching
condition. For details, see Configuring a Quota Control Policy Using the Web UI.
• VPN
– Added IPSec intelligent link selection. For details, see Web Example for Configuring
IPSec Intelligent Link Selection or CLI Example for Configuring IPSec Intelligent
Link Selection.
– Added the IKE user table. This table lists the mappings between remote IKE peer IDs
and pre-shared keys. In point-to-multi-point scenarios, when you configure IPSec for
the headquarters and the IKE peer has referenced the IKE user table, the NGFW will
search the IKE user table for the pre-shared key based on the peer ID during IKE
negotiation to complete the authentication. In this way, each branch can use different
IDs and pre-shared keys. For details, see CLI Example for Configuring Branches to
Use Different IDs and Pre-shared Keys to Establish IPSec VPNs with the
Headquarters.
– Added the static RRI function for configuring IPSec policies in IKE mode. In the IPSec
point-to-multipoint application scenario, after the static RRI function is enabled in the
branch office, routes destined to the private network of the headquarters will be
automatically generated. For details, see Configure an IKE-based IPSec Policy.
• SSL VPN
– Added the support for Windows 8.1 and Windows 2012 by the host check function. For
details, see Specifications.


– Added OS login password check in the host check function. The NGFW checks whether
the terminal has set a login password. If not, the terminal fails the rule check. For
configuration details, see Configuring the Host Check.
– Added the settings of the SSL version, encryption suite, and timeout duration and life
cycle of SSL session entries on the web UI. For configuration details, see Configuring
SSL.
• Security defense
– Added the ping proxy function. For configuration details, see Configuring Ping Proxy
Using the Web UI.
• Monitoring
Supported the display of system incremental statistics. For details, see Checking System
Statistics Using the Web UI and Displaying Global System Statistics Using the CLI.

Updates in Issue 02 (2015-01-26) of Product Version V100R001C20SPC700


The second commercial release has the following updates.

• Feature Updates and Supports
Added What's New in V100R001C20SPC700 to introduce V100R001C20SPC700
feature changes on the basis of the V100R001C20SPC200.
• System
– When the administrator accounts and passwords are not on the NGFW, but on a third-
party authentication server, the NGFW employs domain authentication to authenticate
this type of administrators. For details, see Creating an Administrator Account
(Server Authentication).
– Added the function of sending syslogs of the specified module to the specified log
server. For details, see Configuring the Output of Logs in Syslog Format.
– Added the function of sending session logs in syslog format to a syslog server. When
a syslog server and a binary log server are both specified on the NGFW, session logs
are sent both in binary and syslog formats to the respective log servers. For details, see
Configuring the Output of Logs in Syslog Format.
– Added upgrade through USB. For details, see Upgrade Through USB.
– Added SSL VPN client patch loading to the NGFW. For details, see Upgrading the
System Using the Web UI or Configuring the SSL VPN Client Patch Using the
CLI.
• High Availability
– Added the function of configuration consistency auto-check between active and standby
devices. For details, see Enabling Hot Standby.
• Virtual System
– Added Security Group in the resource items that the root system administrator allocates
to each virtual system. For details, see Configuring a Resource Class.
– When you create a virtual system administrator, the administrator@virtual system
name format is changed to the administrator@@virtual system name format. For
details, see Creating a Virtual System Administrator Using the Web UI or Creating
a Virtual System Administrator Using the CLI.
• Networks

– Added the function of specifying source addresses for DNS query packets. When the
NGFW initiates a DNS request to the DNS server, the NGFW can set the source address
or port of the DNS packet to prevent the DNS server from failing to respond to the query
due to route lookup failure. For details, see DNS Configuration Using the Web UI or
Configuring DNS Proxy Using the CLI.
– Added inner-VLAN proxy ARP to enable isolated PCs or routers in one VLAN to
communicate. For details, see Configuring Inner-VLAN Proxy ARP and Example
for Configuring Inner-VLAN Proxy ARP.
• User and User Authentication
– Added the function of RADIUS SSO. The NGFW identifies and analyzes key packets
(accounting start packets, accounting update packets, and accounting end packets)
between users and the RADIUS server to obtain user authentication result and user-IP
address binding and implement access behavior control based on users, requiring no
second authentication. For details, see Configuring SSO Using the Web UI,
Configuring SSO Using the CLI, or Example for Configuring RADIUS SSO for
Internet Access Users.
– Added the function of security group-based user authentication and management. The
security groups on the AD and AD LDAP servers as well as the static/dynamic groups
on the Sun ONE LDAP server are usually used to control and manage the access of the
users in these groups to the resources and objects, such as networking sharing locations,
files, directories, and printers. The security group defined on the NGFW is a collective
name of the security groups on the AD and AD LDAP servers as well as the static/
dynamic groups on the Sun ONE LDAP server. The security group concept is introduced
as a horizontal organizational structure. Based on the horizontal organizational
structure, users with different organizational structures can be categorized into the same
security group for management. For details, see Creating Security Groups Using the
Web UI or Creating Security Groups Using the CLI, Importing Security Groups
from a CSV File Using the Web UI or Importing Security Groups from a CSV File
Using the CLI, and Importing Users, User Groups or Security Groups from a
Server Using the Web UI or Importing Users, User Groups or Security Groups
from a Server Using the CLI.
– Added the connection to Sun ONE LDAP servers. The Sun ONE LDAP server can
function as a third-party authentication server or an import server. You can import user
information on the Sun ONE LDAP server to the NGFW. For details, see Configuring
an LDAP Server Using the Web UI or Configuring an LDAP Server Using the
CLI.
– Separated the authentication server from the import server, breaking the limit that the
authentication server and import server must be the same type of servers. If the
authentication server is an AD or AD LDAP server, the import server can be an AD, AD
LDAP, or Sun ONE LDAP server. If the authentication server is a Sun ONE LDAP server,
the import server can be another Sun ONE LDAP server. For details, see Authentication
Server or Example for Managing and Authenticating Internet Access Users Through
Sun ONE LDAP Server Import and AD Server Authentication.
– Added the function of customizing the authentication page title and link and the function
of switching languages (English and Chinese) on the authentication page. For details,
see Customizing an Authentication Web Page Using the Web UI or Customizing
an Authentication Web Page Using the CLI.
– Added a new action for processing authentication conflicts. When the NGFW does not
permit an account for multi-IP login and the account is discovered to have logged in at
another IP address, the NGFW forcibly logs out the user that has logged in and permits
the user at the current IP address to log in with the same account. For details, see Setting
Global Parameters Using the Web UI or Setting Global Parameters Using the
CLI.
– Added the function of setting multi-IP login attributes for users in user groups and their
subgroups. That is, the NGFW can permit and deny multi-IP login from users in a user
group and its subgroups in a batch. For details, see Creating Users and User Groups
Using the Web UI or Creating Users and User Groups Using the CLI.
– The number of local users supported by the USG6650/6660/6670 and NGFW Module
is increased from 50,000 to 80,000. For details, see Specifications.
– Added the support of configuring domain group as the matching condition in an
authentication policy. For details, see Configuring an Authentication Policy Using
the Web UI or Configuring an Authentication Policy Using the CLI.
– Canceled the limitation that the AD SSO service program (ADSSO_Setup.exe) can be
installed only on the AD domain controller. In the new version, ADSSO_Setup.exe can
be installed on any PC in the AD domain, including the AD domain controller. For
details, see Configuring SSO Using the Web UI, Configuring SSO Using the CLI,
or Example for Configuring AD SSO for Internet Access Users (Plug-In Mode).
• Security Policy and Content Security
– Security policy: Added Example for Configuring Security Policies Based on IP
Addresses and Ports (Web) and Example for Configuring Security Policies Based
on IP Addresses and Ports (CLI).
– URL filtering: Added the configuration of domain name rules in blacklist, whitelist,
user-defined categories, and predefined categories. For details, see Configuring URL
Categories and Configuring URL Filtering.
– URL filtering: Added the configuration of URL filtering action mode to the strict or
loose mode. For details, see Configuring URL Filtering.
– File blocking: Added the configuration of the maximum number of decompression
layers and maximum file size in the global configuration of file blocking as well as the
actions in case the thresholds are exceeded. For details, see Global Configuration of
File Blocking.
– Application behavior control: Added the function of controlling the HTTP POST
operation content size. For details, see Configuring Application Behavior Control.
• Proxy Policy
Expanded the SSL decryption policies to proxy policies. Proxy policies support the
functions of the existing SSL decryption policies through policy actions and add the TCP
proxy function. For details, see Proxy Policy.
• PBR
Added the support of configuring domain group as the matching condition in a PBR rule.
For details, see Configuring PBR Using the Web UI, Configuring PBR Using the
CLI, and Example for Configuring Domain Name-Specific PBR.
• Bandwidth Management
– Added a command to set the maximum number of upstream, downstream, and all
connections. For details, see Configuring a Traffic Profile Using the CLI.
– Added the dynamic equal distribution of bandwidth for each IP address based on the
global maximum bandwidth and number of online IP addresses. For details, see
Configuring a Traffic Profile Using the Web UI or Configuring a Traffic Profile
Using the CLI.
• VPN
– A non-template or template IPSec policy group can be applied to two interfaces that
have routes with different priorities. For details, see Applying an IPSec Policy
Group.
– A copy button is added to the IPSec policy web page. For details, see Configuring an
IPSec Policy in Site-to-Site VPN and Configuring an IPSec Policy in Site-to-
Multisite VPN.
– Added KB0200: IPSec Troubleshooting Mind Map, FT0201: Fault Tree for the
IKE Negotiation Failure, FT0202: Fault Tree for Abnormal IPSec VPN Services,
and Troubleshooting Guide in the guide for troubleshooting IPSec.
• SSL VPN
– Added the support for Internet Explorer 10/11 by SSL VPN.
– Added the support for TLS 1.1 and TLS 1.2 regarding SSL VPN.
– Added the support for 64-bit Internet Explorer running SSL VPN.
For details, see Specifications.
• Security Protection
– IP-MAC binding: Added the support of IP-MAC binding checks for only the packets
that match a given ACL and are permitted by the ACL. For details, see Binding an IP
Address to a MAC Address Using the CLI.
• Monitoring
– You can obtain information about bank reminder behaviors from audit logs. For details,
see Audit Logs.
– Added the function of exporting quintuple packet capture contents in CSV format to an
administrator PC. For details, see Configuring Quintuple Packet Capture Using the
Web UI.

Updates in Issue 01 (2014-10-20) of Product Version V100R001C20SPC200


Initial commercial release.


Contents

About This Document.....................................................................................................................ii


1 Feature Updates and Supports....................................................................................................1
1.1 What's New in V100R001C30SPC100..........................................................................................................................1
1.2 What's New in V100R001C30.......................................................................................................................................3
1.3 What's New in V100R001C20SPC700..........................................................................................................................4
1.4 What's New in V100R001C20SPC200..........................................................................................................................8
1.5 What's New in V100R001C20SPC100..........................................................................................................................9
1.6 What's New in V100R001C20.....................................................................................................................................11
1.7 What's New in V100R001C10SPC100........................................................................................................................11
1.8 What's New in V100R001C10.....................................................................................................................................12
1.9 Feature Support.............................................................................................................................................................15
1.9.1 Hardware...................................................................................................................................................................16
1.9.2 System.......................................................................................................................................................................17
1.9.3 High Availability.......................................................................................................................................................26
1.9.4 Virtual System...........................................................................................................................................................28
1.9.5 Networks....................................................................................................................................................................29
1.9.6 Intelligent Uplink Selection.......................................................................................................................................40
1.9.7 Router........................................................................................................................................................................41
1.9.8 User and User Authentication....................................................................................................................................42
1.9.9 Object.........................................................................................................................................................................47
1.9.10 Security Policy and Content Security......................................................................................................................54
1.9.11 Proxy Policy............................................................................................................................................................62
1.9.12 Audit Policy.............................................................................................................................................................63
1.9.13 NAT Policy..............................................................................................................................................................64
1.9.14 PBR..........................................................................................................................................................................65
1.9.15 Bandwidth Management..........................................................................................................................................66
1.9.16 Quota Control Policy...............................................................................................................................................67
1.9.17 VPN.........................................................................................................................................................................68
1.9.18 SSL VPN.................................................................................................................................................................73
1.9.19 Security Protection..................................................................................................................................................75
1.9.20 IP Multicast..............................................................................................................................................................86
1.9.21 IPv6 Transition Technologies..................................................................................................................................87

Issue 04 (2015-07-30) Huawei Proprietary and Confidential xiv


Copyright © Huawei Technologies Co., Ltd.
HUAWEI USG6000 Series & NGFW Module
Administrator Guide Contents

1.9.22 Monitoring and System Diagnosis..........................................................................................................................88

2 Getting Started.............................................................................................................................94
2.1 Overview of the Next Generation Firewall..................................................................................................................94
2.1.1 Traditional Firewall...................................................................................................................................................94
2.1.2 Next Generation Firewall..........................................................................................................................................95
2.1.3 User............................................................................................................................................................................97
2.1.4 Policy.......................................................................................................................................................................103
2.1.5 Visualized Management and Maintenance..............................................................................................................108
2.1.6 IPv6..........................................................................................................................................................................112
2.1.7 More Information....................................................................................................................................................112
2.1.7.1 Packet Transfer Process........................................................................................................................................112
2.1.7.2 CLI........................................................................................................................................................................119
2.2 Deployment Scenario.................................................................................................................................................123
2.2.1 Scenario A: Layer-3 Gateway (Routing Mode).......................................................................................................125
2.2.2 Scenario B: Layer-2 Switch (Transparent Mode)....................................................................................................126
2.2.3 Scenario C: Hot Standby.........................................................................................................................................128
2.3 Logging In to the Web UI...........................................................................................................................................130
2.4 Web UI Basics............................................................................................................................................................132
2.5 Initial Configuration of Scenario A (Layer-3 Gateway).............................................................................................136
2.5.1 Data Collection........................................................................................................................................................136
2.5.2 The Startup Wizard..................................................................................................................................................138
2.5.3 Testing the Network Connection.............................................................................................................................142
2.6 Initial Configuration of Scenario B (Layer-2 Switch)................................................................................................143
2.6.1 Obtaining Data.........................................................................................................................................................143
2.6.2 Configuring Layer-2 Interfaces and VLANs...........................................................................................................145
2.6.3 Testing the Network Connection.............................................................................................................................148
2.7 Initial Configuration of Scenario C (Hot Standby)....................................................................................................148
2.7.1 Data Collection........................................................................................................................................................148
2.7.2 Hot Standby Configuration......................................................................................................................................151
2.7.3 Verifying the Network Connection and Active/Standby Switchovers....................................................................155
2.8 Registering an Account and Activating the License File...........................................................................................156
2.9 Updating the Signature Database...............................................................................................................................157
2.10 Configuring Security Services..................................................................................................................................158
2.10.1 Determining Security Service Scenarios...............................................................................................................158
2.10.2 Configuring Security Zones...................................................................................................................................162
2.10.3 Managing Intranet Users.......................................................................................................................................163
2.10.4 Configuring a NAT Policy....................................................................................................................................167
2.10.5 Configuring a Security Policy...............................................................................................................................171
2.11 Advanced Configuration...........................................................................................................................................176
2.11.1 Configuring Policy-based Routing.........................................................................................177
2.11.2 Configuring VPN...................................................................................................................177
2.11.3 Configuring Bandwidth Policies...........................................................................................179

2.12 What's Next...............................................................................................................................................................180
2.12.1 Upgrading System Software..................................................................................................................................180
2.12.2 Creating Other Administrators..............................................................................................................................181
2.12.3 More Security Measures........................................................................................................................................182
2.12.4 Viewing Logs and Reports....................................................................................................................................184
2.12.5 Obtaining Help......................................................................................................................................................187

3 Wizard..........................................................................................................................................190
3.1 Startup Wizard............................................................................................................................................................190

4 Dashboard...................................................................................................................................196
4.1 Setting the Status Windows........................................................................................................................................196
4.2 Device Information.....................................................................................................................................................196
4.3 System Resource.........................................................................................................................................................198
4.4 System Information....................................................................................................................................................199
4.5 Traffic History............................................................................................................................................................201
4.6 License Information....................................................................................................................................................201
4.7 Alarm Information......................................................................................................................................................202
4.8 System Log List..........................................................................................................................................................202
4.9 Threat Log List...........................................................................................................................................................203
4.10 Log Storage Details..................................................................................................................................................203
4.11 Visual Management..................................................................................................................................................204

5 System..........................................................................................................................................208
5.1 Logging In to the Device for the First Time...............................................................................................................208
5.1.1 Logging In to the CLI Through the Console Port...................................................................................................208
5.1.2 Logging In to the Web UI Using HTTPS................................................................................................................212
5.2 Administrators............................................................................................................................................................214
5.2.1 Overview.................................................................................................................................................................214
5.2.1.1 Administrator Overview.......................................................................................................................................214
5.2.1.2 Administrator Interfaces Overview......................................................................................................................233
5.2.2 Configuring an Administrator Using the Web UI...................................................................................................235
5.2.2.1 (Optional) Creating an Administrator Role..........................................................................................................236
5.2.2.2 Creating an Administrator Account......................................................................................................................237
5.2.2.3 Configuring Device Services................................................................................................................................240
5.2.3 Configuring an Administrator Using the CLI..........................................................................................................242
5.2.3.1 (Optional) Creating an Administrator Role..........................................................................................................242
5.2.3.2 Creating an Administrator Account (Local Authentication)................................................................................243
5.2.3.3 Creating an Administrator Account (Server Authentication)...............................................................................245
5.2.3.4 (Optional) Configuring the Web UI.....................................................................................................................250
5.2.3.5 (Optional) Managing a CLI Administrator Interface............................................................................................252
5.2.3.6 Maintaining CLI Administrator Interfaces and Administrator Accounts.............................................................256
5.2.4 Configuration Examples..........................................................................................................257
5.2.4.1 Example for Logging in to the Web UI Using HTTPS (Default Certificate).......................................................257
5.2.4.2 Example for Logging In to the Web UI Using HTTPS (Specified Certificate)...................................................261
5.2.4.3 Example for Logging In to the CLI Using Telnet...................................................................265
5.2.4.4 Example for Logging in to the CLI Using STelnet (Password Authentication)...................................................268
5.2.4.5 Example for Logging In to the CLI Using STelnet (RSA Authentication)..........................................................274
5.2.4.6 Example for Configuring NGFW as a Client to Log in to Other Devices...........................................................285
5.2.5 Administrator FAQ..................................................................................................................................................287
5.2.6 Feature History........................................................................................................................................................287
5.3 Time............................................................................................................................................................................288
5.3.1 Configuring the System Time Using the Web UI...................................................................................................288
5.3.2 Configuring the System Time Using the CLI..........................................................................................................290
5.4 License Management..................................................................................................................................................290
5.4.1 Overview.................................................................................................................................................................290
5.4.2 Applying For and Activating a License Using the Web UI.....................................................................................294
5.4.3 Applying For and Activating a License Using the CLI...........................................................................................297
5.4.3.1 Applying For a License File.................................................................................................................................297
5.4.3.2 (Optional) Obtaining the License Revocation Code...............................................................298
5.4.3.3 Uploading a License File......................................................................................................................................298
5.4.3.4 Activating a License.............................................................................................................................................299
5.4.3.5 Displaying Information About a License.............................................................................................................300
5.4.3.6 Debugging a License............................................................................................................................................300
5.4.4 Feature History........................................................................................................................................................301
5.5 SNMP.........................................................................................................................................................................301
5.5.1 Overview.................................................................................................................................................................301
5.5.2 Application Scenarios..............................................................................................................................................303
5.5.3 Mechanism...............................................................................................................................................................304
5.5.4 Configuring SNMP Using the Web UI....................................................................................................................311
5.5.5 Configuring SNMP Using the CLI..........................................................................................................................315
5.5.5.1 Configuration Flow...............................................................................................................................................315
5.5.5.2 Configuring SNMPv1 or SNMPv2c.....................................................................................................................316
5.5.5.3 Configuring SNMPv3...........................................................................................................................................319
5.5.5.4 Configuring the Trap Function.............................................................................................................................323
5.5.5.5 Configuring Interface Index Persistence..............................................................................................................326
5.5.5.6 Displaying SNMP Configurations........................................................................................................................328
5.5.5.7 Debugging SNMP.................................................................................................................................................329
5.5.6 Configuration Examples..........................................................................................................................................329
5.5.6.1 Example for Configuring the Communication Between the NGFW and the NMS Through SNMPv1..............329
5.5.6.2 Example for Configuring the Communication Between the NGFW and the NMS Through SNMPv2c.............333
5.5.6.3 Example for Configuring the Communication Between the NGFW and the NMS Through SNMPv3..............336
5.5.7 Feature History........................................................................................................................................................340
5.6 Across-Layer-3 MAC Identification..........................................................................................340
5.6.1 Overview.................................................................................................................................................................340
5.6.2 Configuring Across-Layer-3 MAC Identification Using the Web UI.....................................................................342
5.6.3 Configuring Across-Layer-3 MAC Identification Using the CLI...........................................343
5.6.4 Configuration Examples..........................................................................................................................................345
5.6.4.1 Web Example for Configuring Across-Layer-3 MAC Identification...................................................................345
5.6.4.2 CLI Example for Configuring Across-Layer-3 MAC Identification....................................................................347
5.6.5 Feature History........................................................................................................................................................350
5.7 Configuring Information Push....................................................................................................................................351
5.8 Setting Mail Service...................................................................................................................................................353
5.9 Logs, Trap Messages, and Debugging Messages.......................................................................................................354
5.9.1 Overview.................................................................................................................................................................354
5.9.1.1 Information Categorization...................................................................................................................................354
5.9.1.2 Information Output...............................................................................................................................................356
5.9.2 Configuring the Output of Logs, Trap Messages, and Debugging Messages Using the CLI.................................360
5.9.2.1 Configuring the Output of Logs in Syslog Format...............................................................................................360
5.9.2.2 Configuring the Output of Logs in Binary Format...............................................................................................363
5.9.2.3 Configuring the Output of Trap Messages...........................................................................................................364
5.9.2.4 Configuring the Output of Debugging Messages..................................................................367
5.9.2.5 Maintaining Logs, Trap Messages, and Debugging Messages............................................................................368
5.9.3 Configuring Log Output Using the Web UI............................................................................................................370
5.9.4 Configuration Examples..........................................................................................................................................372
5.9.4.1 Example for Enabling the Information Center to Send Logs to Log Hosts..........................................................372
5.9.4.2 Example for Enabling the Information Center to Send Debugging Messages to the Console.............................376
5.9.5 Change History........................................................................................................................................................377
5.10 File System...............................................................................................................................................................377
5.10.1 Overview...............................................................................................................................................................377
5.10.1.1 File System.........................................................................................................................................................377
5.10.1.2 File Transfer Mode.............................................................................................................................................379
5.10.2 Managing the File System.....................................................................................................................................380
5.10.3 Transferring Files..................................................................................................................................................383
5.10.3.1 Configuring the NGFW as an FTP Server..........................................................................................................384
5.10.3.2 Configuring the NGFW as an FTP Client..........................................................................................................385
5.10.3.3 Configuring the NGFW as an SFTP Server.......................................................................................................386
5.10.3.4 Configuring the NGFW as an SFTP Client........................................................................................................389
5.10.3.5 Configuring the NGFW as a TFTP Client..........................................................................................................392
5.10.4 Maintaining the File System..................................................................................................................................393
5.10.4.1 Displaying Information About the FTP Server and FTP Administrator............................................................393
5.10.4.2 Displaying Information About the SFTP Server and SFTP Administrator........................................................393
5.10.5 Configuration Examples........................................................................................................................................394
5.10.5.1 Example for Backing Up Files............................................................................................394
5.10.5.2 Example for Configuring the NGFW as an FTP Server.....................................................395
5.10.5.3 Example for Configuring the NGFW as an FTP Client.....................................................................................397
5.10.5.4 Example for Configuring the NGFW as an SFTP Server (Password Authentication).......................................399
5.10.5.5 Example for Configuring the NGFW as an SFTP Server (RSA Authentication)..............................................403
5.10.5.6 Example for Downloading Files from the TFTP Server....................................................................................414
5.10.6 Feature History......................................................................................................................................................415
5.11 NTP...........................................................................................................................................................................416
5.11.1 Overview...............................................................................................................................................................416
5.11.2 Mechanism.............................................................................................................................................................416
5.11.3 Configuring Basic NTP Functions........................................................................................................................420
5.11.3.1 Configuring the NTP Primary Clock..................................................................................................................421
5.11.3.2 Configuring NGFW in Client/Server Mode for NTP.........................................................................................421
5.11.3.3 Configuring the NTP Peer Mode........................................................................................................................422
5.11.3.4 Configuring the NTP Broadcast Mode...............................................................................................................423
5.11.3.5 Configuring the NTP Multicast Mode................................................................................................................424
5.11.3.6 Disabling a Specific Interface From Receiving NTP Packets............................................................................425
5.11.4 Configuring the NTP Security Mechanisms..........................................................................................................425
5.11.4.1 Configuring NTP Access Permission Control....................................................................................................426
5.11.4.2 Enabling NTP Authentication............................................................................................................................426
5.11.4.3 Configuring NTP Authentication in Unicast Server/Client Mode.....................................................................427
5.11.4.4 Configuring NTP Authentication in Peer Mode.................................................................................................427
5.11.4.5 Configuring NTP Authentication in Broadcast Mode........................................................................................428
5.11.4.6 Configuring NTP Authentication in Multicast Mode.........................................................................................428
5.11.5 Maintaining NTP...................................................................................................................................................429
5.11.5.1 Checking NTP Configurations...........................................................................................................................429
5.11.5.2 Debugging NTP..................................................................................................................................................429
5.11.6 Configuration Examples........................................................................................................................................430
5.11.6.1 Example for Configuring NTP Authentication in Unicast Client/Server Mode.................................................430
5.11.6.2 Example for Configuring NTP Peer Mode.........................................................................................................434
5.11.6.3 Example for Configuring NTP Authentication in Broadcast Mode...................................................................436
5.11.6.4 Example for Configuring the NTP Multicast Mode...........................................................................................439
5.11.7 Feature History......................................................................................................................................................441
5.12 Update Center...........................................................................................................................................................442
5.12.1 Overview...............................................................................................................................................................442
5.12.2 Managing the Signature Database Using the Web UI...........................................................................................444
5.12.2.1 Scheduled Update...............................................................................................................................................444
5.12.2.2 Immediate Update...............................................................................................................................................446
5.12.2.3 Local Update.......................................................................................................................................................446
5.12.2.4 Version Rollback................................................................................................................................................447
5.12.2.5 Maintaining the Update......................................................................................................................................448
5.12.3 Managing the Signature Database Using the CLI.................................................................................................451
5.12.3.1 Installation Mode................................................................................................................................................452
5.12.3.2 Scheduled Update...............................................................................................................................................453
5.12.3.3 Immediate Update...............................................................................................................................................455
5.12.3.4 Local Update.......................................................................................................................................................456
5.12.3.5 Version Rollback................................................................................................................................................458
5.12.3.6 Version Restore..................................................................................................................................................458
5.12.3.7 Maintaining the Update......................................................................................................................................459
5.12.4 Feature History......................................................................................................................................................460
5.13 System Upgrade........................................................................................................................................................460
5.13.1 Upgrading the System Using the Web UI.............................................................................................................460
5.13.2 Upgrading the System Using the CLI....................................................................................................................463
5.13.2.1 Upgrading System Software...............................................................................................................................463
5.13.2.2 Using Patches for System Upgrade....................................................................................................................465
5.13.2.3 Configuring the SSL VPN Client Patch.............................................................................................................467
5.13.3 Feature History......................................................................................................................................................470
5.14 Configuration File.....................................................................................................................................................470
5.14.1 Overview...............................................................................................................................................................470
5.14.2 Managing Configuration Files Using the Web UI.................................................................................................472
5.14.3 Managing Configuration Files Using the CLI.......................................................................................................474
5.14.3.1 Updating the Configuration File.........................................................................................................................474
5.14.3.2 Specifying a Configuration File for the Next Startup.........................................................................................475
5.14.3.3 Saving the Current Configuration.......................................................................................................................475
5.14.3.4 Using the Configuration File for Disaster Recovery..........................................................................................476
5.14.3.5 Clearing a Configuration File.............................................................................................................................477
5.14.3.6 Comparing Configuration Files..........................................................................................................................478
5.14.3.7 Checking the Configuration Files.......................................................................................................................478
5.14.4 Feature History......................................................................................................................................................479
5.15 Restart.......................................................................................................................................................................479
5.15.1 Overview...............................................................................................................................................................479
5.15.2 Restarting the System Using the Web UI..............................................................................................................480
5.15.3 Restarting the System Using the CLI....................................................................................................................480
5.15.4 Feature History......................................................................................................................................................481
5.16 Upgrade Through USB.............................................................................................................................................481
5.16.1 Overview...............................................................................................................................................................481
5.16.2 Restrictions and Precautions..................................................................................................................................482
5.16.3 Manually Upgrading System Software and Configuration File............................................................................482
5.16.4 Upgrading System Software and Configuration File (No Configuration File on the NGFWs)............................483
5.16.4.1 Preparation for the Upgrade...............................................................................................................................483
5.16.4.2 Upgrading System Software and Configuration file (No Configuration File on the NGFW)............................485
5.16.5 Automatically Upgrading System Software and Configuration File (A Configuration File Available on the NGFW).....486
5.16.5.1 Preparation for the Upgrade...............................................................................................................................486
5.16.5.2 Automatically Upgrading System Software and Configuration File (A Configuration File Available on the NGFW).....492
5.16.6 Feature History......................................................................................................................................................493
5.17 NQA..........................................................................................................................................................................493
5.17.1 Overview...............................................................................................................................................................493
5.17.1.1 Introduction to NQA...........................................................................................................................................493
5.17.1.2 NQA Server and NQA Client.............................................................................................................................494
5.17.2 Mechanism.............................................................................................................................................................495
5.17.3 Setting ICMP Test Parameters..............................................................................................................................501
5.17.4 Setting DHCP Test Parameters..............................................................................................................................503
5.17.5 Setting the FTP Download Test Parameters..........................................................................................................504
5.17.6 Setting the FTP Upload Test Parameters...............................................................................................................506
5.17.7 Setting HTTP Test Parameters..............................................................................................................................508
5.17.8 Setting the DNS Test Parameters..........................................................................................................................510
5.17.9 Setting Traceroute Test Parameters.......................................................................................................................511
5.17.10 Setting the SNMP Query Test Parameters..........................................................................................................513
5.17.11 Configuring the TCP Test....................................................................................................................................514
5.17.11.1 Configuring the TCP Server.............................................................................................................................514
5.17.11.2 Configuring the TCP Client..............................................................................................................................514
5.17.12 Configuring the UDP Test...................................................................................................................................516
5.17.12.1 Configuring the UDP Server............................................................................................................................516
5.17.12.2 Configuring the UDP Client.............................................................................................................................517
5.17.13 Configuring the Jitter Test...................................................................................................................................518
5.17.13.1 Configuring the NQA Server for the Jitter Test...............................................................................................518
5.17.13.2 Configuring the NQA Client for the Jitter Test................................................................................................519
5.17.14 Setting the Parameters for an LSP Ping Test in the LDP Tunnel........................................................................521
5.17.15 Creating an NQA Test Group..............................................................................................................................523
5.17.16 Setting General NQA Test Parameters................................................................................................................525
5.17.17 Setting Round-Trip Delay Thresholds.................................................................................................................526
5.17.18 Setting the Unidirectional Delay Threshold........................................................................................................527
5.17.19 Configuring the Trap Function............................................................................................................................528
5.17.19.1 Sending Trap Messages When Tests Failed.....................................................................................................528
5.17.19.2 Sending Trap Messages When Probes Failed...................................................................................................528
5.17.19.3 Sending Trap Messages When Probes Are Complete......................................................................................529
5.17.19.4 Sending Trap Messages When the Transmission Delay Exceeds the Threshold.............................................529
5.17.20 Maintaining NQA................................................................................................................................................529
5.17.20.1 Restarting an NQA Test Instance.....................................................................................................................529
5.17.20.2 Clearing NQA Statistics...................................................................................................................................530
5.17.20.3 Debugging NQA...............................................................................................................................................530
5.17.21 Configuration Examples......................................................................................................................................531
5.17.21.1 Example for Performing an ICMP Test............................................................................................................531
5.17.21.2 Example for Performing a DHCP Test.............................................................................................................532
5.17.21.3 Example for Performing an FTP Download Test.............................................................................................534
5.17.21.4 Example for Performing an FTP Upload Test..................................................................................................535
5.17.21.5 Example for Performing an HTTP Test...........................................................................................................538
5.17.21.6 Example for Performing a DNS Test...............................................................................................................539
5.17.21.7 Example for Performing a Traceroute Test......................................................................................................540
5.17.21.8 Example for Performing an SNMP Test...........................................................................................................542
5.17.21.9 Example for Performing a TCP Test................................................................................................................544
5.17.21.10 Example for Performing a UDP Test.............................................................................................................546
5.17.21.11 Example for Performing an LSP Ping Test in the LDP Tunnel.....................................................................547
5.17.21.12 Example for Configuring an NQA Test Group..............................................................................................549
5.17.21.13 Example for Sending a Trap Message When the Transmission Time Exceeds the Threshold......................552
5.17.22 Feature Reference................................................................................................................................................556
5.17.22.1 Feature History.................................................................................................................................................556
5.17.22.2 Standards and Protocols....................................................................................................................................556
5.18 LLDP........................................................................................................................................................................557
5.18.1 Overview...............................................................................................................................................................557
5.18.2 Configuring Basic LLDP Functions......................................................................................................................557
5.18.2.1 Enabling the LLDP Function..............................................................................................................................557
5.18.2.2 Configuring the LLDP Working Mode..............................................................................................................557
5.18.2.3 (Optional) Setting the Interface Initialization Latency.......................................................................................558
5.18.2.4 (Optional) Configuring the Advertisable TLVs.................................................................................................558
5.18.2.5 (Optional) Setting the Management Address.....................................................................................................559
5.18.2.6 (Optional) Setting Other LLDP Parameters.......................................................................................................560
5.18.3 Maintaining LLDP.................................................................................................................................................561
5.18.3.1 Clearing LLDP Statistics....................................................................................................................................561
5.18.3.2 Displaying LLDP Configurations.......................................................................................................................561
5.18.4 Example for Configuring LLDP............................................................................................................................562
5.18.5 Feature History......................................................................................................................................................564
5.19 PMTU.......................................................................................................................................................................564
5.19.1 Overview...............................................................................................................................................................564
5.19.2 Discovering the PMTU..........................................................................................................................................565
5.19.3 Example for Discovering the PMTU.....................................................................................................................566
5.19.4 Feature History......................................................................................................................................................568
5.20 NetStream.................................................................................................................................................................568
5.20.1 Overview...............................................................................................................................................................568
5.20.2 Mechanism.............................................................................................................................................................569
5.20.3 NetStream Basic Configurations...........................................................................................................................573
5.20.3.1 Enabling NetStream............................................................................................................................................573
5.20.3.2 Configuring the Output Format of Packets.........................................................................................................574
5.20.3.3 Configuring the Output of Statistics...................................................................................................................574
5.20.4 Configuring the Aggregated Statistics on Traffic Flows.......................................................................................575
5.20.4.1 Enabling NetStream for an Interface..................................................................................................................575
5.20.4.2 Configuring Aggregation....................................................................................................................................575
5.20.4.3 Configuring the Format of the Output Statistics................................................................................................576
5.20.4.4 Configuring the Output of Statistics...................................................................................................................576
5.20.5 Configuring the Traffic Statistics on the Vlanif Interface.....................................................................................577
5.20.5.1 Enabling NetStream on a Vlanif Interface..........................................................................................................577
5.20.5.2 Configuring the Format of the Output Statistics................................................................................................577
5.20.5.3 Configuring the Output of Statistics...................................................................................................................578
5.20.6 Setting NetStream Parameters...............................................................................................................................578
5.20.6.1 Configuring NetStream Sampling......................................................................................................................578
5.20.6.2 Configuring the Aging Time for Flows..............................................................................................................579
5.20.6.3 Configuring Parameters for Refreshing the Template........................................................................................579
5.20.7 Maintaining NetStream..........................................................................................................................................580
5.20.7.1 Displaying the NetStream Configurations..........................................................................................................580
5.20.7.2 Clearing the NetStream Statistics.......................................................................................................................581
5.20.7.3 Debugging NetStream........................................................................................................................................581
5.20.8 Configuration Examples........................................................................................................................................582
5.20.8.1 Example for Collecting the Statistics on Unicast Traffic Flows........................................................................582
5.20.8.2 Example for Collecting Statistics on Aggregated Traffic Flows........................................................................584
5.20.8.3 Example for Configuring NetStream on a Vlanif Interface................................................................................588
5.20.9 Feature History......................................................................................................................................................590
5.21 Agile Network..........................................................................................................................................................590
5.21.1 Overview...............................................................................................................................................................590
5.21.2 Restrictions and Precautions..................................................................................................................................594
5.21.3 Connecting the NGFW to the Controller...............................................................................................................595
5.21.4 Viewing the Configurations Delivered by the Controller.....................................................................................596
5.21.5 Configuring Agile Network Services....................................................................................................................598
5.21.5.1 Configuring the Firewall to Provide L2TP Over IPSec Access Services and Implement Identity Authentication and Permission Control for L2TP Users in a Service Mobility Scenario.....599
5.21.5.2 Configuring the Firewall to Provide SSL VPN Access Services and Implement Identity Authentication and Permission Control for SSL VPN Users in a Service Mobility Scenario.....615
5.21.5.3 Configuring the Firewall to Prioritize VIP Users' Services and Implement Bandwidth Management in a Service Mobility Scenario.....632
5.21.5.4 Enabling the Firewall to Provide Content Security Check Services in the Service Chain Scenario..................645
5.21.6 Reference...............................................................................................................................................................657
5.21.6.1 Specifications......................................................................................................................................................657
5.21.6.2 Feature History...................................................................................................................................................658
5.21.6.3 Standards and Protocols......................................................................................................................................658

6 High Availability.......................................................................................................................659
6.1 Hot Standby................................................................................................................................................................659
6.1.1 Overview.................................................................................................................................................................659
6.1.2 Application Scenario...............................................................................................................................................660
6.1.2.1 Active/Standby Mode...........................................................................................................................660
6.1.2.2 Load Balancing.....................................................................................................................................................664
6.1.3 Mechanism...............................................................................................................................................................668
6.1.4 Analysis of Typical Hot Standby Networks............................................................................................................675
6.1.4.1 Networking 1: Service Interfaces of Each NGFW Working at Layer 3 and Directly Connecting to Switches..........675
6.1.4.2 Networking 2: Service Interfaces of Each NGFW Working at Layer 3 and Directly Connecting to Routers.....679
6.1.4.3 Networking 3: Service Interfaces of Each NGFW Working at Layer 2 and Directly Connecting to Switches..........681
6.1.4.4 Networking 4: Service Interfaces of Each NGFW Working at Layer 2 and Directly Connecting to Routers.....683
6.1.5 Restrictions and Precautions....................................................................................................................................684
6.1.6 Configuring Hot Standby Using the Web UI..........................................................................................................686
6.1.7 Configuring Hot Standby Using the CLI.................................................................................................................693
6.1.7.1 Configuration Flow...............................................................................................................................................693
6.1.7.2 Configuring VRRP Groups..................................................................................................................................693
6.1.7.3 Configuring Interface Monitoring..........................................................................................................697
6.1.7.4 Configuring VLAN Monitoring...........................................................................................................................699
6.1.7.5 Configuring Heartbeat Interfaces.........................................................................................................................701
6.1.7.6 Enabling Hot Standby...........................................................................................................................................704
6.1.7.7 Configuring the Backup Mode.............................................................................................................................707
6.1.7.8 Configuration Verification...................................................................................................................................711
6.1.8 Configuration Examples..........................................................................................................................................714
6.1.8.1 Active/Standby Networking in Which the Service Interfaces of Each NGFW Work at Layer 3 and Are Directly Connected to Switches......................................................................................................................714
6.1.8.2 Load Balancing Networking in Which the Service Interfaces of Each NGFW Work at Layer 3 and Are Directly Connected to Switches......................................................................................................................720
6.1.8.3 Active/Standby Networking in Which the Service Interfaces of Each NGFW Work at Layer 3 and Are Directly Connected to Routers........................................................................................................................725
6.1.8.4 Load Balancing Networking in Which the Service Interfaces of Each NGFW Work at Layer 3 and Are Directly Connected to Routers........................................................................................................................731
6.1.8.5 Active/Standby Networking in Which the Service Interfaces of Each NGFW Work at Layer 3 with Routers as Upstream Devices and Switches as Downstream Devices...............................................................................738
6.1.8.6 Load Balancing Networking in Which the Service Interfaces of Each NGFW Work at Layer 3, with Routers as Upstream Devices and Switches as Downstream Devices...............................................................................745
6.1.8.7 Load Balancing Networking in Which the Service Interfaces of Each NGFW Work at Layer 2 and Are Directly Connected to Routers........................................................................................................................753
6.1.9 Troubleshooting.......................................................................................................................................................758
6.1.9.1 Services Are Interrupted Because of Inconsistent Numbers of Eth-Trunk Member Interfaces on the Firewalls Working in Load Balancing Mode...................................................................................................................758
6.1.9.2 Automatic Configuration Synchronization Fails Because of an Incorrect Device Configuration Sequence ......760
6.1.9.3 Automatic Configuration Synchronization Fails Because of Redundant Configurations on the Standby Firewall..........760
6.1.9.4 Standby Firewall Switches to Active after Receiving Attack Packets ................................................................761
6.1.9.5 Service Interface of the Active Firewall Does Not Change Its Status Because the Standby Firewall Is Faulty..........762
6.1.9.6 Active/Standby Switchover Occurs when a VRRP Group Is Added ..................................................................763
6.1.9.7 Active/Standby Switchover Fails Because of Incorrect HRP Track Configuration ............................................765
6.1.9.8 Services Are Temporarily Interrupted After Preemption Because an Interface on a Switch Cannot Forward Packets Immediately After Recovery............................................................................................................................766
6.1.9.9 Packet Loss Occurs Due to VRID Conflict..........................................................................................................768
6.1.9.10 The NAT Traffic Is Interrupted After Active/Standby Switchover....................................................................768
6.1.9.11 Services Are Interrupted After the Upstream Switch Restarts Because the Preemption Delay Is Too Short..........770
6.1.10 Reference...............................................................................................................................................................771
6.1.10.1 Commands and Status Information That Can Be Synchronized........................................................................771
6.1.10.2 Feature History...................................................................................................................................................773
6.1.10.3 Standards and Protocols......................................................................................................................................774
6.1.11 Hot Standby FAQ..................................................................................................................................................774
6.1.11.1 FAQs on Failures................................................................................................................................................774
6.1.11.2 FAQs on Configurations.....................................................................................................................................777
6.1.11.3 FAQs on Mechanism..........................................................................................................................................778
6.1.11.4 FAQs on Specifications......................................................................................................................................780
6.1.11.5 FAQs on Miscellaneous Issues...........................................................................................................................781
6.2 Bypass.........................................................................................................................................................................782
6.2.1 Overview.................................................................................................................................................................782
6.2.2 Restrictions and Precautions....................................................................................................................................783
6.2.3 Bypass Function of the Electrical Interface.............................................................................................................783
6.2.3.1 Configuring the Electrical Bypass Using the Web...............................................................................................783
6.2.3.2 Configuring the Electrical Bypass Using the CLI................................................................................................785
6.2.4 Feature History........................................................................................................................................................786
6.3 Link-group..................................................................................................................................................................786
6.3.1 Introduction.............................................................................................................................................................786
6.3.2 Configuring Link-group..........................................................................................................................................787
6.3.3 Feature History........................................................................................................................................................788
6.4 IP-link.........................................................................................................................................................................788
6.4.1 Introduction.............................................................................................................................................................788
6.4.2 Application Scenario...............................................................................................................................................788
6.4.3 Configuring IP-Link................................................................................................................................................790
6.4.4 Configuring the Interworking Between IP-Link and Other Functions....................................................................791
6.4.4.1 Configuring the Interworking Between IP-Link and Dual-system Hot Backup..................................................791
6.4.4.2 Configuring the Interworking Between IP-Link and Static Routes.....................................................................793
6.4.4.3 Configuring the Interworking between PBR and IP-Link....................................................................................793
6.4.4.4 Configuring the Interworking between DHCP and IP-Link.................................................................................794
6.4.5 Maintaining IP-Link................................................................................................................................................795
6.4.6 Configuration Examples..........................................................................................................................................796
6.4.6.1 Example for Configuring the Interworking Between IP-Link and Dual-system Hot Backup.............................796
6.4.6.2 Example for Configuring the Interworking between Static Route and IP-Link...................................................802
6.4.6.3 Example for Configuring the Interworking between PBR and IP-Link...............................................................805
6.4.6.4 Example for Configuring the Interworking between DHCP and IP-Link............................................................810
6.4.7 Feature History........................................................................................................................................................813
6.5 BFD............................................................................................................................................................................814
6.5.1 Introduction.............................................................................................................................................................814
6.5.2 Application Scenario...............................................................................................................................................814
6.5.2.1 Interworking Between BFD and OSPF................................................................................................................814
6.5.2.2 Interworking Between BFD and Static Routes.....................................................................................................816
6.5.2.3 Interworking Between BFD and FRR..................................................................................................................817
6.5.2.4 Interworking Between BFD and DHCP...............................................................................................................818
6.5.2.5 Interworking Between BFD and PBR..................................................................................................................819
6.5.2.6 Interworking Between BFD and Hot Standby......................................................................................................820
6.5.3 Mechanism...............................................................................................................................................................821
6.5.3.1 BFD Packet...........................................................................................................................................................821
6.5.3.2 BFD Mechanism...................................................................................................................................................825
6.5.3.3 BFD Session Management...................................................................................................................................828
6.5.4 Manually Configuring a Static BFD Session..........................................................................................................831
6.5.4.1 Creating a Static BFD Session..............................................................................................................................831
6.5.4.2 (Optional) Adjusting Session Detection Parameters............................................................................................834
6.5.4.3 (Optional) Configuring Auto-negotiation of Static Discriminators.....................................................................837
6.5.4.4 (Optional) Configuring the Session Demand Mode.............................................................................................839
6.5.4.5 (Optional) Configuring Session Descriptions.......................................................................................................840
6.5.4.6 (Optional) Configuring the Priority for Sending BFD Packets............................................................................842
6.5.4.7 (Optional) Configuring the BFD WTR Time.......................................................................................................843
6.5.5 Adjusting BFD Global Parameters..........................................................................................................................844
6.5.5.1 Delaying the Up State Change of the BFD Session.............................................................................................844
6.5.5.2 Configuring the Default Multicast Address for One-hop BFD............................................................................845
6.5.5.3 Enabling Passive Echo..........................................................................................................................................846
6.5.6 Configuring the Interworking Between BFD and Other Functions.........................................................................847
6.5.6.1 Configuring BFD-OSPF Interworking.................................................................................................................847
6.5.6.2 Configuring the Interworking between BFD and Static Routes...........................................................................849
6.5.6.3 Configuring BFD-FRR Interworking...................................................................................................................850
6.5.6.4 Configuring BFD-DHCP Interworking................................................................................................................851
6.5.6.5 Configuring BFD-PBR Interworking...................................................................................................................852
6.5.6.6 Configuring the Interworking between BFD and Hot Standby............................................................................854
6.5.7 Maintaining BFD.....................................................................................................................................................855
6.5.8 Configuration Examples..........................................................................................................................................857
6.5.8.1 Example for Configuring BFD-OSPF Interworking............................................................................................857
6.5.8.2 Example for Configuring Interworking Between BFD and Static Routes...........................................................863
6.5.8.3 Example for Configuring BFD-FRR Interworking..............................................................................................867
6.5.8.4 Example for Configuring BFD-DHCP Interworking...........................................................................................870
6.5.8.5 Example for Configuring BFD-PBR Interworking..............................................................................................874
6.5.8.6 Example for Configuring the Interworking Between BFD and Hot Standby......................................................881
6.5.9 Feature Reference....................................................................................................................................................886
6.5.9.1 Feature History.....................................................................................................................................................886
6.5.9.2 Reference Standards and Protocols......................................................................................................................886

7 Virtual System............................................................................................................................888
7.1 Overview....................................................................................................................................................................888
7.2 Application Scenarios.................................................................................................................................................888
7.3 Mechanism..................................................................................................................................................................890
7.3.1 Virtual System and Administrator...........................................................................................................................890
7.3.2 Virtual System Resource Allocation.......................................................................................................................892
7.3.3 Virtual System Traffic Sorting................................................................................................................................894
7.3.4 Communication Between Virtual Systems..............................................................................................................896
7.4 Restrictions and Precautions.......................................................................................................................................901
7.5 Deploying a Virtual System Using the Web UI.........................................................................................................903
7.5.1 Enabling the Virtual System Function.....................................................................................................................903
7.5.2 Configuring a Resource Class.................................................................................................................................904
7.5.3 Creating a Virtual System and Allocating Resources.............................................................................................906
7.5.4 Enabling Communication Between a Virtual System and the Root System...........................................................908
7.5.5 Enabling Communication Between Virtual Systems..............................................................................................910
7.5.6 Creating a Virtual System Administrator................................................................................................................914
7.6 Deploying a Virtual System Using the CLI................................................................................................................917
7.6.1 Enabling the Virtual System Function.....................................................................................................................917
7.6.2 Configuring a Resource Class.................................................................................................................................917
7.6.3 Creating a Virtual System and Allocating Resources.............................................................................................920
7.6.4 Enabling Communication Between a Virtual System and the Root System...........................................................921
7.6.5 Enabling Communication Between Virtual Systems..............................................................................................923
7.6.6 Creating a Virtual System Administrator................................................................................................................925
7.7 Configuring Virtual System Services.........................................................................................................................928
7.8 Configuration Examples.............................................................................................................................................931
7.8.1 Web Example for Configuring Virtual Systems to Isolate Enterprise Departments (Layer-3 Access, Virtual Systems Sharing the WAN Interface of the Root System).............................................................................................932
7.8.2 Web Example for Configuring Virtual Systems to Isolate Enterprise Departments (Layer-3 Access, Virtual Systems Having Independent WAN Interfaces).............................................................................................................946
7.8.3 Web Example for Configuring Virtual Systems to Isolate Enterprise Departments (Layer-2 Access)..................956
7.8.4 Web Example for Configuring Virtual Systems on a Cloud Computing Gateway.................................................967
7.9 References..................................................................................................................................................................979
7.9.1 Specifications...........................................................................................................................................................979
7.9.2 Function Availability for Virtual Systems...............................................................................................................979
7.9.3 Feature History........................................................................................................................................................984
8 Networks.....................................................................................................................................985
8.1 Interface and Interface Pair.........................................................................................................................................985
8.1.1 Overview.................................................................................................................................................................985
8.1.2 Configuring Interfaces and Interface Pairs Using the Web UI................................................................................997
8.1.2.1 Configuring a Layer 3 Ethernet Interface.............................................................................................................997
8.1.2.2 Configuring a Layer 2 Ethernet Interface...........................................................................................................1005
8.1.2.3 Configuring a Layer 3 Ethernet Subinterface.....................................................................................................1009
8.1.2.4 Configuring a Layer 2 Ethernet Subinterface.....................................................................................................1016
8.1.2.5 Configuring a VLAN Interface...........................................................................................................................1018
8.1.2.6 Configuring an Eth-Trunk Interface...................................................................................................................1025
8.1.2.7 Configuring a Loopback Interface......................................................................................................................1035
8.1.2.8 Configuring the Tunnel Interface.......................................................................................................................1036
8.1.2.9 Configuring an Interface Pair.............................................................................................................................1039
8.1.3 Configuring Interfaces and Interface Pairs Using the CLI....................................................................................1039
8.1.3.1 Configuring a Layer 3 Ethernet Interface...........................................................................................................1040
8.1.3.2 Configuring a Layer 2 Ethernet Interface...........................................................................................................1044
8.1.3.3 Configuring a Layer 3 Ethernet Subinterface.....................................................................................................1047
8.1.3.4 Configuring a Layer 2 Ethernet Subinterface.....................................................................................................1049
8.1.3.5 Configuring a VLAN Interface...........................................................................................................................1050
8.1.3.6 Configuring an Eth-Trunk Interface...................................................................................................................1053
8.1.3.7 Configuring the Combo Interface.......................................................................................................................1056
8.1.3.8 Configuring a Loopback Interface......................................................................................................................1057
8.1.3.9 Configuring a Null Interface...............................................................................................................................1058
8.1.3.10 Configuring an Interface Pair...........................................................................................................................1059
8.1.3.11 Maintaining Interfaces......................................................................................................................................1059
8.1.4 Configuration Examples........................................................................................................................................1060
8.1.4.1 Example for Accessing the Internet Using a Static IPv4 Address......................................................................1060
8.1.4.2 Example for Accessing the Internet Using DHCP.............................................................................................1063
8.1.4.3 Example for Accessing the Internet Using IPv4 PPPoE....................................................................................1067
8.1.4.4 Example for Configuring Static IPv6 Addresses for Devices to Communicate.................................................1071
8.1.4.5 Example for Configuring VLAN Interfaces to Allow VLANs to Communicate...............................................1073
8.1.4.6 Example for Configuring VLANs on Layer 3 Subinterfaces to Allow the VLANs to Communicate...............1077
8.1.4.7 Example for Configuring VLAN Trunk Interfaces to Enable VLANs on Different Network Segments to Communicate....................................................................1080
8.1.5 Troubleshooting for Interface Faults.....................................................................................................................1083
8.1.5.1 Physical Status of an Electronic Ethernet Interface Cannot Be Up....................................................................1083
8.1.5.2 Physical Status of an Optical Interface Cannot Be Up.......................................................................................1087
8.1.6 Feature History......................................................................................................................................................1093
8.2 Security Zones..........................................................................................................................................................1093
8.2.1 Overview...............................................................................................................................................................1093
8.2.2 Mechanism.............................................................................................................................................................1094
8.2.3 Zone Configuration Using the Web UI.................................................................................................................1096
8.2.4 Zone Configuration Using the CLI........................................................................................................................1097
8.2.5 Feature History......................................................................................................................................................1099
8.3 DNS..........................................................................................................................................................................1100
8.3.1 Overview...............................................................................................................................................................1100
8.3.2 Mechanism.............................................................................................................................................................1100
8.3.2.1 DNS....................................................................................................................................................................1100
8.3.2.2 DNS Client.........................................................................................................................................................1102
8.3.2.3 DNS Proxy..........................................................................................................................................................1103
8.3.2.4 DDNS.................................................................................................................................................................1103
8.3.2.5 DNS Transparent Proxy......................................................................................................................................1104
8.3.2.6 Smart DNS..........................................................................................................................................................1109
8.3.3 Restrictions and Precautions..................................................................................................................................1115
8.3.4 DNS Configuration Using the Web UI..................................................................................................................1116
8.3.4.1 DNS....................................................................................................................................................................1116
8.3.4.2 Configuring DDNS.............................................................................................................................................1118
8.3.4.3 Configuring DNS Transparent Proxy.................................................................................................................1119
8.3.4.4 Configuring Single-Server Smart DNS..............................................................................................................1122
8.3.4.5 Configuring Multi-Server Smart DNS...............................................................................................................1126
8.3.5 Configuring DNS Using the CLI...........................................................................................................................1131
8.3.5.1 Configuring the DNS Client...............................................................................................................................1131
8.3.5.2 Configuring DNS Proxy.....................................................................................................................................1133
8.3.5.3 Configuring DDNS.............................................................................................................................................1135
8.3.5.4 Configuring DNS Transparent Proxy.................................................................................................................1136
8.3.5.5 Configuring Single-Server Smart DNS..............................................................................................................1138
8.3.5.6 Configuring Multi-Server Smart DNS...............................................................................................................1140
8.3.5.7 Maintaining DNS................................................................................................................................................1142
8.3.6 Configuration Examples........................................................................................................................................1145
8.3.6.1 Web Example for Configuring DNS..................................................................................................................1145
8.3.6.2 Web Example for Configuring DDNS...............................................................................................................1146
8.3.6.3 Web Example for Configuring DNS Transparent Proxy....................................................................................1148
8.3.6.4 Web Example for Configuring Single-server Smart DNS in ISP Egress Mode................................................1154
8.3.6.5 Web Example for Configuring Multi-server Smart DNS in ISP Egress Mode..................................................1157
8.3.7 Feature Reference..................................................................................................................................................1161
8.3.7.1 Feature History...................................................................................................................................................1161
8.3.7.2 Reference Standards and Protocols....................................................................................................................1161
8.4 DHCP........................................................................................................................................................................1161
8.4.1 Overview...............................................................................................................................................................1161
8.4.2 Application Scenario.............................................................................................................................................1162
8.4.3 Mechanism.............................................................................................................................................................1165
8.4.4 DHCP Configuration Using the Web UI...............................................................................................................1173
8.4.4.1 Configuring a DHCP Server...............................................................................................................................1173
8.4.4.2 Configuring DHCP Relay...................................................................................................................................1179
8.4.4.3 Monitoring DHCP..............................................................................................................................................1180
8.4.5 DHCP Configuration Using the CLI.....................................................................................................................1181
8.4.5.1 Configuring a DHCP Server...............................................................................................................................1181
8.4.5.2 Configuring DHCP Relay...................................................................................................................................1198
8.4.5.3 Configuring a DHCP Client...............................................................................................................................1200
8.4.5.4 Maintaining DHCP.............................................................................................................................................1203
8.4.6 Configuration Examples........................................................................................................................................1207
8.4.6.1 Example for Configuring a DHCP Server..........................................................................................................1208
8.4.6.2 Example for Configuring a Global Address Pool-based DHCP Server (Using the Layer-3 Ethernet Interface)....................1211
8.4.6.3 Example for Configuring a Global Address Pool-based DHCP Server (Using Subinterfaces).........................1218
8.4.6.4 Example for Configuring DHCP Relay..............................................................................................................1225
8.4.7 Feature Reference..................................................................................................................................................1230
8.4.7.1 Specifications......................................................................................................................................................1230
8.4.7.2 Feature History...................................................................................................................................................1230
8.4.7.3 Reference Standards and Protocols....................................................................................................................1230
8.5 DHCPv6....................................................................................................................................................................1231
8.5.1 Overview...............................................................................................................................................................1231
8.5.2 Mechanism.............................................................................................................................................................1232
8.5.3 DHCPv6 Configuration Using the Web UI...........................................................................................................1236
8.5.3.1 Configuring a DHCPv6 Server...........................................................................................................................1236
8.5.3.2 Configuring DHCPv6 Relay...............................................................................................................................1239
8.5.3.3 Monitoring DHCPv6..........................................................................................................................................1240
8.5.4 DHCPv6 Configuration Using the CLI.................................................................................................................1241
8.5.4.1 Configuring a DHCPv6 Server...........................................................................................................................1241
8.5.4.2 Configuring DHCPv6 Relay...............................................................................................................................1249
8.5.4.3 Configuring a DHCPv6 Client...........................................................................................................................1251
8.5.4.4 Maintaining DHCPv6.........................................................................................................................................1253
8.5.5 Configuration Examples........................................................................................................................................1254
8.5.5.1 Example for Configuring a DHCPv6 Server......................................................................................................1254
8.5.5.2 Example for Configuring the DHCPv6 Server with the Authentication Function.............................................1259
8.5.5.3 Example for Configuring the IPv6 Prefix Assignment in DHCPv6-PD Mode..................................................1263
8.5.5.4 Example for Configuring a DHCPv6 Relay Agent............................................................................................1268
8.5.6 Feature Reference..................................................................................................................................................1274
8.5.6.1 Feature History...................................................................................................................................................1274
8.5.6.2 Reference Standards and Protocols....................................................................................................................1274
8.6 Link Aggregation......................................................................................................................................................1275
8.6.1 Overview...............................................................................................................................................................1275
8.6.2 Application Scenario.............................................................................................................................................1276
8.6.3 Mechanism.............................................................................................................................................................1276
8.6.4 Configuring Link Aggregation in Manual Mode..................................................................................................1278
8.6.4.1 Configuring the Eth-Trunk to Work in Manual Mode.......................................................................................1279
8.6.4.2 Adding Member Interfaces to an Eth-Trunk Interface.......................................................................................1279
8.6.4.3 (Optional) Configuring the Master/Slave Mode for a Layer 3 Eth-Trunk Interface..........................................1280
8.6.5 Configuring Link Aggregation in Static LACP Mode..........................................................................................1282
8.6.5.1 Configuring the Eth-Trunk to Work in Static LACP Mode...............................................................................1282
8.6.5.2 Configuring the Actor.........................................................................................................................................1283
8.6.5.3 Configuring the Active Interfaces Selection Method.........................................................................................1283
8.6.5.4 Enabling LACP Preemption...............................................................................................................................1284
8.6.5.5 Adding Member Interfaces to an Eth-Trunk Interface.......................................................................................1285
8.6.5.6 Setting a Timeout Interval at which LACP Packets Are Received....................................................................1286
8.6.6 Configuring the Load Balancing Mode.................................................................................................................1287
8.6.7 Setting Upper and Lower Thresholds for the Number of Active Interfaces..........................................................1288
8.6.8 Maintaining Link Aggregation..............................................................................................................................1288
8.6.8.1 Displaying Link Aggregation Configuration......................................................................................................1289
8.6.8.2 Clearing Link Aggregation Statistics.................................................................................................................1289
8.6.8.3 Debugging the Eth-Trunk Interface....................................................................................................................1290
8.6.9 Configuration Examples........................................................................................................................................1290
8.6.9.1 Example for Configuring Link Aggregation in Manual Mode...........................................................................1290
8.6.9.2 Example for Configuring Link Aggregation in LACP Mode.............................................................................1293
8.6.10 Troubleshooting Link Aggregation Faults..........................................................................................................1296
8.6.10.1 Connection Between Manual Eth-Trunk Interfaces Is Disconnected...............................................................1296
8.6.10.2 Eth-Trunk Interface Working in LACP Mode Cannot Go Up.........................................................................1300
8.6.10.3 No Member Interfaces of an Eth-Trunk Interface Working in LACP Mode Can Become the Active Interface....................1301
8.6.11 Feature Reference................................................................................................................................................1302
8.6.11.1 Feature History.................................................................................................................................................1302
8.6.11.2 Reference Standards and Protocols..................................................................................................................1302
8.7 PPP............................................................................................................................................................................1302
8.7.1 Overview...............................................................................................................................................................1302
8.7.2 Mechanism.............................................................................................................................................................1303
8.7.3 Configuring PPP....................................................................................................................................................1308
8.7.3.1 Encapsulating the Interface with PPP.................................................................................................................1308
8.7.3.2 Configuring PAP Authentication........................................................................................................................1309
8.7.3.3 Configuring CHAP Authentication....................................................................................................................1310
8.7.3.4 Setting PPP Negotiation Parameters...................................................................................................................1311
8.7.3.5 Configuring the Polling Interval.........................................................................................................................1315
8.7.3.6 Preventing the Peer Host Route from Being Added to the Local Routing Table as a Direct Route..................1315
8.7.4 Maintaining PPP....................................................................................................................................................1316
8.7.4.1 Displaying the PPP Configuration......................................................................................................................1316
8.7.4.2 Debugging PPP...................................................................................................................................................1316
8.7.5 Feature Reference..................................................................................................................................................1317
8.7.5.1 Feature History...................................................................................................................................................1317
8.7.5.2 Reference Standards and Protocols....................................................................................................................1317
8.8 PPPoE.......................................................................................................................................................................1318
8.8.1 Overview...............................................................................................................................................................1318
8.8.2 Mechanism.............................................................................................................................................................1318
8.8.3 Configuring the IPv4 PPPoE Server......................................................................................................................1320
8.8.3.1 Configuring a PPPoE Server..............................................................................................................................1320
8.8.3.2 Configuring PPPoE Parameters..........................................................................................................................1322
8.8.4 Configuring an IPv4 PPPoE Client.......................................................................................................................1322
8.8.5 Configuring an IPv6 PPPoE Client.......................................................................................................................1324
8.8.6 Maintaining PPPoE................................................................................................................................................1326
8.8.6.1 Displaying the PPPoE Configuration.................................................................................................................1326
8.8.6.2 Debugging PPPoE..............................................................................................................................................1326
8.8.6.3 Clearing Statistics About PPPoE Sessions.........................................................................................................1327
8.8.6.4 Resetting a PPPoE Session.................................................................................................................................1327
8.8.7 Configuration Examples........................................................................................................................................1328
8.8.7.1 Example for Configuring IPv4 PPPoE...............................................................................................................1328
8.8.7.2 Example for Configuring an IPv6 PPPoE Client (Stateless Address Autoconfiguration).................................1332
8.8.7.3 Example for Configuring an IPv6 PPPoE Client for DHCPv6-PD Address Assignment..................................1334
8.8.8 Feature Reference..................................................................................................................................................1337
8.8.8.1 Feature History...................................................................................................................................................1337
8.8.8.2 Reference Standards and Protocols....................................................................................................................1337
8.9 MAC Address Table.................................................................................................................................................1338
8.9.1 Overview...............................................................................................................................................................1338
8.9.2 Configuring a MAC Address Table.......................................................................................................................1340
8.9.3 (Optional) Configuring a Limit Rule for Learning MAC Addresses....................................................................1341
8.9.4 Maintaining the MAC Address Table...................................................................................................................1342
8.9.5 Example for Configuring the MAC Address Table...............................................................................................1342
8.9.6 Feature History......................................................................................................................................................1343
8.10 ARP........................................................................................................................................................................1344
8.10.1 Overview.............................................................................................................................................................1344
8.10.2 Mechanism...........................................................................................................................................................1345
8.10.3 Configuring Static ARP.......................................................................................................................................1350
8.10.4 Optimizing Dynamic ARP...................................................................................................................................1351
8.10.5 Configuring Proxy ARP......................................................................................................................................1354
8.10.5.1 Configuring Routed Proxy ARP.......................................................................................................................1354
8.10.5.2 Configuring Inner-VLAN Proxy ARP.............................................................................................................1355
8.10.6 Configuring Gratuitous ARP...............................................................................................................................1356
8.10.6.1 Configuring the Learning of Gratuitous ARP Packets.....................................................................................1356
8.10.6.2 Configuring the Sending of Gratuitous ARP Packets......................................................................................1357
8.10.7 Configuring Authorized ARP..............................................................................................................................1357
8.10.8 Maintaining ARP.................................................................................................................................................1358
8.10.8.1 Displaying ARP Configuration........................................................................................................................1358
8.10.8.2 Clearing ARP Entries.......................................................................................................................................1359
8.10.8.3 Debugging ARP................................................................................................................................................1359
8.10.9 Configuration Examples......................................................................................................................................1359
8.10.9.1 Example for Configuring Static ARP...............................................................................................................1360
8.10.9.2 Example for Configuring Proxy ARP..............................................................................................................1362
8.10.9.3 Example for Configuring Inner-VLAN Proxy ARP.........................................................................................1365
8.10.10 Troubleshooting ARP Faults.............................................................................................................................1368
8.10.11 Feature Reference..............................................................................................................................................1372
8.10.11.1 Feature History...............................................................................................................................................1372
8.10.11.2 Reference Standards and Protocols................................................................................................................1372
8.11 VLAN.....................................................................................................................................................................1373
8.11.1 Overview.............................................................................................................................................................1373
8.11.2 Mechanism...........................................................................................................................................................1374
8.11.3 Configuring a VLAN...........................................................................................................................................1381
8.11.3.1 Basic VLAN Configurations............................................................................................................................1381
8.11.3.2 Configuring VLANIF Interfaces to Enable VLANs to Communicate.............................................................1384
8.11.3.3 Configuring Layer 3 Subinterfaces to Enable VLANs to Communicate.........................................................1384
8.11.3.4 Configuring Inter-VLAN Communication Using Layer 2 Subinterfaces........................................................1385
8.11.4 Maintaining a VLAN...........................................................................................................................................1386
8.11.5 Feature Reference................................................................................................................................................1386
8.11.5.1 Feature History.................................................................................................................................................1386
8.11.5.2 Reference Standards and Protocols..................................................................................................................1387
8.12 DHCP Snooping.....................................................................................................................................................1387
8.12.1 Overview.............................................................................................................................................................1387
8.12.2 Mechanism...........................................................................................................................................................1389
8.12.3 Configuring Defense Against Attacks Initiated by a Bogus DHCP Server........................................................1398
8.12.3.1 Configuring a Layer 2 Interface to Defend Against Attacks Initiated by a Bogus DHCP Server...................1398
8.12.3.2 Configuring a Layer 3 Interface to Defend Against Attacks Initiated by a Bogus DHCP Server...................1399
8.12.4 Configuring Defense Against Man-in-the-Middle and IP/MAC Spoofing Attacks............................................1400
8.12.4.1 Configuring a Layer 2 Interface to Defend Against Man-in-the-Middle and IP/MAC Spoofing Attacks.......1401
8.12.4.2 Configuring a Layer 3 Interface to Defend Against Man-in-the-Middle and IP/MAC Spoofing Attacks.......1403
8.12.5 Configuring Defense Against Attacks Launched by Changing the CHADDR Value........................................1405
8.12.5.1 Configuring Defense on the Layer 2 Interfaces Against Attacks by Changing CHADDRs............................1405
8.12.5.2 Configuring Defense on the Layer 3 Interfaces Against Attacks by Changing CHADDRs............................1406
8.12.6 Configuring Defense Against Attacks by Sending Bogus Packets for Extending IP Leases..............................1408
8.12.6.1 Configuring Defense on the Layer 2 Interfaces Against Attacks by Sending Bogus Packets for Extending IP Leases..........1408
8.12.6.2 Configuring Defense on the Layer 3 Interfaces Against Attacks by Sending Bogus Packets for Extending IP Leases..........1410
8.12.7 Configuring Alarms Used to Discard Packets.....................................................................................................1412
8.12.8 Maintaining DHCP Snooping..............................................................................................................................1413
8.12.8.1 Maintaining a DHCP Snooping Binding Table................................................................................................1413
8.12.8.2 Debugging the DHCP Snooping Function.......................................................................................................1414
8.12.9 Example for Configuring DHCP Snooping.........................................................................................................1415
8.12.10 Feature Reference..............................................................................................................................................1420
8.12.10.1 Feature History...............................................................................................................................................1420
8.12.10.2 Reference Standards and Protocols................................................................................................................1420
8.13 IPv6 Neighbor Discovery.......................................................................................................................................1420
8.13.1 Overview.............................................................................................................................................................1421
8.13.2 Mechanism...........................................................................................................................................................1422
8.13.2.1 IPv6 ND............................................................................................................................................................1422
8.13.2.2 IPv6 SEND.......................................................................................................................................................1425
8.13.3 Configuring IPv6 ND..........................................................................................................................................1427
8.13.3.1 Configuring a Static Neighbor..........................................................................................................................1427
8.13.3.2 Configuring RA Message Advertisement.........................................................................................................1427
8.13.3.3 Configuring RA Message Parameters..............................................................................................................1428
8.13.3.4 Configuring DAD.............................................................................................................................................1431
8.13.3.5 Configuring Stateless Address Autoconfiguration...........................................................................................1432
8.13.4 Configuring IPv6 SEND......................................................................................................................................1433
8.13.4.1 Configuring the CGA.......................................................................................................................................1433
8.13.4.2 Adjusting Parameters for Authenticating Timestamps.....................................................................................1435
8.13.4.3 Configuring Router Authorization....................................................................................................................1436
8.13.5 Maintaining ND...................................................................................................................................................1437
8.13.5.1 Displaying IPv6 ND Configuration..................................................................................................................1437
8.13.5.2 Clearing IPv6 ND Information.........................................................................................................................1437
8.13.5.3 Debugging IPv6 ND.........................................................................................................................................1438
8.13.6 Configuration Examples......................................................................................................................................1438
8.13.6.1 Example for Configuring Stateless Address Autoconfiguration......................................................................1438
8.13.6.2 Example for Configuring SEND......................................................................................................................1443
8.13.7 Feature Reference................................................................................................................................................1446
8.13.7.1 Feature History.................................................................................................................................................1446
8.13.7.2 Reference Standards and Protocols..................................................................................................................1446
8.14 IP Performance.......................................................................................................................................................1447
8.14.1 Overview.............................................................................................................................................................1447
8.14.2 Improving IPv4 Performance..............................................................................................................................1447
8.14.2.1 Verifying the Source IPv4 Address..................................................................................................................1447
8.14.2.2 Forwarding Broadcast Packet...........................................................................................................................1448
8.14.2.3 Configuring ICMP Attributes...........................................................................................................................1449
8.14.2.4 Configuring TCP Attributes.............................................................................................................................1449
8.14.3 Improving IPv6 Performance..............................................................................................................................1451
8.14.3.1 Configuring ICMPv6 Attributes.......................................................................................................................1451
8.14.3.2 Configuring TCPv6 Attributes.........................................................................................................................1452
8.14.3.3 Configuring Load Balancing for the IPv6 Traffic Transmission......................................................................1452
8.14.3.4 Configuring a PMTU........................................................................................................................................1453
8.14.4 Maintaining IP Performance................................................................................................................................1454
8.14.4.1 Checking IP Performance Configuration.........................................................................................................1455
8.14.4.2 Clearing IP Performance Statistics...................................................................................................................1456
8.14.4.3 Debugging IP Performance..............................................................................................................................1456
8.14.5 Feature History....................................................................................................................................................1458

9 Intelligent Uplink Selection..................................................................................................1459


9.1 Overview..................................................................................................................................................................1459
9.2 Restrictions and Precautions.....................................................................................................................................1459
9.3 Mechanism................................................................................................................................................................1460
9.3.1 Intelligent Uplink Selection Overview..................................................................................................................1460
9.3.2 ISP Address Library Link Selection......................................................................................................................1464
9.3.3 Intelligent Uplink Selection Mode........................................................................................................................1466
9.3.4 Link Health Check.................................................................................................................................................1471
9.4 Configuring Intelligent Uplink Selection Using the Web UI..................................................................................1473
9.4.1 Configuration Flow................................................................................................................................................1473
9.4.2 Configuring the ISP Address Library Link Selection...........................................................................................1479
9.4.3 Configuring Link Health Check............................................................................................................................1481
9.4.4 Configuring Global Route Selection Policies........................................................................................................1483
9.5 Configuring Intelligent Uplink Selection on the CLI...............................................................................................1490
9.5.1 Configuration Flow................................................................................................................................................1491
9.5.2 Configuring the ISP Address Library Link Selection...........................................................................................1497
9.5.3 Configuring Link Health Check............................................................................................................................1499
9.5.4 Configuring Global Route Selection Policies........................................................................................................1502
9.6 Maintaining Intelligent Uplink Selection.................................................................................................................1506
9.7 Configuration Examples...........................................................................................................................................1507
9.7.1 Web Example for Configuring ISP Address Library Link Selection....................................................................1508
9.7.2 CLI Example for Configuring ISP Address Library Link Selection.....................................................................1513
9.7.3 Web Example for Configuring Load Balancing by Link Bandwidth....................................................................1517
9.7.4 Web Example for Configuring Load Balancing by Link Weight..........................................................................1520
9.7.5 Web Example for Configuring Active/Standby Backup by Link Priority............................................................1524
9.7.6 Web Example for Configuring Load Balancing by Link Priority.........................................................................1533
9.8 Feature Reference.....................................................................................................................................................1538
9.8.1 Feature History......................................................................................................................................................1538

10 Router.......................................................................................................................................1540
10.1 Routing Basics........................................................................................................................................................1540
10.1.1 Overview.............................................................................................................................................................1540
10.1.2 Checking the Routing Table Using the Web UI..................................................................................................1544
10.1.3 Route Basic Configuration-CLI...........................................................................................................................1545
10.1.3.1 Configuring the Global Router ID....................................................................................................................1545
10.1.3.2 Configuring the Load Balancing of Equal-Cost Routes...................................................................................1545
10.1.3.3 Configuring the IP-Prefix List..........................................................................................................................1547
10.1.3.4 Configuring FRR..............................................................................................................................................1548
10.1.3.5 Managing the Routing Table............................................................................................................................1550
10.2 IP Static Route........................................................................................................................................................1553
10.2.1 Overview.............................................................................................................................................................1553
10.2.2 Configuring Static Route Using the Web UI.......................................................................................................1555
10.2.3 Configuring Static Route-CLI.............................................................................................................................1556
10.2.3.1 Configuring an IPv4 Static Route.....................................................................................................................1556
10.2.3.2 Configuring an IPv6 Static Route.....................................................................................................................1557
10.2.3.3 Checking Static Route Configuration...............................................................................................................1559
10.2.4 Example: Configuring IPv4 Static Route............................................................................................................1559
10.2.5 Feature History....................................................................................................................................................1564
10.3 RIP..........................................................................................................................................................................1564
10.3.1 Overview.............................................................................................................................................................1564
10.3.2 Mechanism...........................................................................................................................................................1565
10.3.3 RIP Configuration Using the Web UI.................................................................................................................1571
10.3.4 RIP Configuration Using the CLI........................................................................................................................1577
10.3.4.1 Configuration Flow...........................................................................................................................................1577
10.3.4.2 Configuring Basic RIP Functions.....................................................................................................................1578
10.3.4.3 Controlling RIP Routing Information...............................................................................................................1581
10.3.4.4 Optimizing a RIP Network...............................................................................................................................1588
10.3.4.5 Maintaining RIP...............................................................................................................................................1596
10.3.5 Example for Configuring RIP to Connect Network Devices..............................................................................1597
10.3.6 Troubleshooting for RIP Faults...........................................................................................................................1607
10.3.6.1 Failure in Receiving RIP Routes......................................................................................................................1607
10.3.6.2 Failure in Sending RIP Routes.........................................................................................................................1613
10.3.7 Feature Reference................................................................................................................................................1619
10.3.7.1 Feature History.................................................................................................................................................1619
10.3.7.2 Reference Standards and Protocols..................................................................................................................1619
10.4 OSPF.......................................................................................................................................................................1619
10.4.1 Overview.............................................................................................................................................................1619
10.4.2 Mechanism...........................................................................................................................................................1620
10.4.2.1 OSPF Fundamentals.........................................................................................................................................1620
10.4.2.2 OSPF Areas......................................................................................................................................................1630
10.4.2.3 Neighbors and Adjacencies..............................................................................................................................1633
10.4.2.4 Network Types and DR Election......................................................................................................................1638
10.4.2.5 OSPF Default Routes and Route Aggregation.................................................................................................1641
10.4.2.6 OSPF Packet Authentication............................................................................................................................1643
10.4.2.7 Multi-Process and Multi-Instance....................................................................................................................1644
10.4.3 OSPF Configuration Using the Web UI..............................................................................................................1644
10.4.4 OSPF Configuration Using the CLI....................................................................................................................1657
10.4.4.1 Configuration Flow...........................................................................................................................................1657
10.4.4.2 Configuring Basic OSPF Functions.................................................................................................................1659
10.4.4.3 Configuring OSPF Areas..................................................................................................................................1661
10.4.4.4 Configuring the Attributes of OSPF on Different Types of Networks.............................................................1664
10.4.4.5 Controlling OSPF Routing Information...........................................................................................................1667
10.4.4.6 Adjusting and Optimizing OSPF Networks.....................................................................................................1675
10.4.4.7 Improving OSPF Network Security.................................................................................................................1687
10.4.4.8 Maintaining OSPF............................................................................................................................................1689
10.4.5 Configuration Examples......................................................................................................................................1691
10.4.5.1 Example for Configuring OSPF to Implement Connectivity Between Intranet Devices.................................1691
10.4.5.2 Example for Configuring OSPF in the Dual-System Hot Backup Scenario....................................................1708
10.4.6 Troubleshooting for OSPF Faults........................................................................................................................1717
10.4.6.1 Failure in Establishing OSPF Neighbor Relationships.....................................................................................1717
10.4.7 Feature Reference................................................................................................................................................1723
10.4.7.1 Feature History.................................................................................................................................................1723
10.4.7.2 Reference Standards and Protocols..................................................................................................................1723
10.5 BGP........................................................................................................................................................................1724
10.5.1 Overview.............................................................................................................................................................1724
10.5.2 Mechanism...........................................................................................................................................................1726
10.5.2.1 Basic Principles of BGP...................................................................................................................................1726
10.5.2.2 BGP Route Attributes.......................................................................................................................................1729
10.5.2.3 Policies for BGP Route Selection and Advertisement.....................................................................................1740
10.5.2.4 Route Aggregation............................................................................................................................................1742
10.5.2.5 Route Reflector.................................................................................................................................................1743
10.5.2.6 BGP Confederation...........................................................................................................................................1748
10.5.2.7 BGP Route Dampening....................................................................................................................................1750
10.5.2.8 BGP Security....................................................................................................................................................1751
10.5.3 Configuring BGP Using the Web UI...................................................................................................................1751
10.5.4 Configuring BGP Using the CLI.........................................................................................................................1753
10.5.4.1 Configuration Flow of BGP.............................................................................................................................1753
10.5.4.2 Configuring Basic BGP Functions...................................................................................................................1755
10.5.4.3 Controlling BGP Routing Information.............................................................................................................1757
10.5.4.4 Configuring BGP Route Attributes..................................................................................................................1768
10.5.4.5 Optimizing a BGP Network.............................................................................................................................1777
10.5.4.6 Configuring BGP Security................................................................................................................................1784
10.5.4.7 Maintaining BGP..............................................................................................................................................1785
10.5.5 Configuration Examples......................................................................................................................................1788
10.5.5.1 Example for Configuring Basic BGP Functions..............................................................................................1788
10.5.5.2 Example for Configuring BGP to Import IGP Routes.....................................................................................1799
10.5.6 Troubleshooting BGP..........................................................................................................................................1807
10.5.6.1 Failure in Establishing BGP Peers....................................................................................................................1807
10.5.6.2 Route Loss During the Exchange of Update Messages Between BGP Peers..................................................1810
10.5.7 Reference.............................................................................................................................................................1813
10.5.7.1 Feature History.................................................................................................................................................1813
10.5.7.2 Reference Standards and Protocols..................................................................................................................1813
10.6 IS-IS........................................................................................................................................................................1813
10.6.1 IS-IS Overview....................................................................................................................................................1813
10.6.2 Principles.............................................................................................................................................................1814
10.6.2.1 IS-IS Address Structure....................................................................................................................................1814
10.6.2.2 IS-IS Area.........................................................................................................................................................1816
10.6.2.3 IS-IS Network Types........................................................................................................................................1819
10.6.2.4 IS-IS Neighbor Relationships...........................................................................................................................1821
10.6.2.5 Process of Exchanging IS-IS LSPs...................................................................................................................1823
10.6.2.6 IS-IS for IPv6....................................................................................................................................................1827
10.6.2.7 Multi-process and Multi-instance.....................................................................................................................1828
10.6.3 IS-IS Configuration Flow....................................................................................................................................1828
10.6.4 Configuring Basic IS-IS Functions......................................................................................................................1830
10.6.5 Configuring IS-IS Attributes on Different Types of Networks...........................................................................1831
10.6.5.1 Configuring a Network Type for an IS-IS Interface.........................................................................................1831
10.6.5.2 Configuring a DIS Priority for an Interface......................................................................................................1832
10.6.6 Controlling IS-IS Routing Information...............................................................................................................1833
10.6.6.1 Setting a Cost for an IS-IS Interface.................................................................................................................1833
10.6.6.2 Setting a Preference Value for IS-IS................................................................................................................1836
10.6.6.3 Configuring IS-IS Route Summarization.........................................................................................................1838
10.6.6.4 Configuring IS-IS to Generate a Default Route.................................................................................1838
10.6.6.5 Controlling IS-IS Route Import from a Level-2 Area into a Level-1 Area......................................................1839
10.6.6.6 Configuring IS-IS to Filter Received Routes...................................................................................................1840
10.6.6.7 Configuring IS-IS to Import External Routes...................................................................................................1841
10.6.7 Adjusting and Optimizing IS-IS..........................................................................................................................1842
10.6.7.1 Configuring Timers for IS-IS Packets..............................................................................................................1842
10.6.7.2 Setting LSP Parameters....................................................................................................................................1844
10.6.7.3 Configuring a Level for an IS-IS Interface.......................................................................................................1848
10.6.7.4 Suppressing an Interface from Receiving or Sending IS-IS Packets................................................................1849
10.6.7.5 Setting SPF Parameters....................................................................................................................................1850
10.6.7.6 Configuring LSP Fast Flooding........................................................................................................................1851
10.6.7.7 Configuring IS-IS Dynamic Hostname Mapping.............................................................................................1852
10.6.7.8 Configuring an LSDB Overload Bit for an IPv4 IS-IS Device.........................................................1853
10.6.7.9 Enabling the Logging Function for Adjacency Status......................................................................................1854
10.6.8 Configuring Basic IPv6 IS-IS Functions.............................................................................................................1855
10.6.8.1 Enabling IPv6 IS-IS in a Process and on an Interface......................................................................................1855
10.6.8.2 Configuring an IPv6 Route Cost on an Interface.............................................................................................1857
10.6.8.3 Configuring IPv6 IS-IS Route Attributes.........................................................................................................1857
10.6.9 Improving IS-IS Network Security......................................................................................................................1860
10.6.9.1 Configuring Area or Domain Authentication...................................................................................................1860
10.6.9.2 Configuring Interface Authentication...............................................................................................................1861
10.6.10 Maintaining IS-IS..............................................................................................................................................1862
10.6.11 Feature History..................................................................................................................................................1865
10.7 Routing Policy........................................................................................................................................................1865
10.7.1 Overview.............................................................................................................................................................1865
10.7.2 Configuring the Route-Policy..............................................................................................................................1868
10.7.2.1 Creating a Routing Policy.................................................................................................................................1868
10.7.2.2 Configuring the If-Match Clause......................................................................................................................1869
10.7.2.3 Configuring the Apply Clause..........................................................................................................................1870
10.7.2.4 Applying Filters to Received, Advertised and Imported Routes......................................................................1872
10.7.2.5 Configuring the Delay for Applying the Routing Policy.................................................................................1873
10.7.2.6 Maintaining the Routing Policy........................................................................................................................1874
10.7.3 Example for Applying the Routing Policy When Importing Routes...................................................................1875
10.7.4 Feature History....................................................................................................................................................1878
10.8 RIPng......................................................................................................................................................................1879
10.8.1 Overview.............................................................................................................................................................1879
10.8.2 Mechanism...........................................................................................................................................................1879
10.8.3 Configuration Flow..............................................................................................................................................1882
10.8.4 Configuring Basic RIPng Functions....................................................................................................................1883
10.8.5 Controlling RIPng Routing Information..............................................................................................................1885
10.8.5.1 Setting a RIPng Priority....................................................................................................................................1885
10.8.5.2 Setting an Additional Metric on an Interface...................................................................................................1886
10.8.5.3 Setting the Maximum Number of Equal-Cost RIPng Routes...........................................................................1887
10.8.5.4 Configuring RIPng Route Summarization.......................................................................................................1888
10.8.5.5 Configuring RIPng to Advertise the Default Route.........................................................................................1889
10.8.5.6 Configuring RIPng to Import External Routes.................................................................................................1889
10.8.5.7 Configuring RIPng to Filter Received and Advertised Routes........................................................................1890
10.8.6 Adjusting and Optimizing the RIPng Network...................................................................................................1891
10.8.6.1 Setting RIPng Timers.......................................................................................................................................1891
10.8.6.2 Configuring Split Horizon and Poison Reverse...............................................................................................1893
10.8.6.3 Enabling the Zero Field Check for RIPng Packets...........................................................................................1894
10.8.7 Maintaining RIPng..............................................................................................................................................1895
10.8.8 Example for Configuring RIPng to Connect Network Devices..........................................................................1896
10.8.9 Feature Reference................................................................................................................................................1901
10.8.9.1 Feature History.................................................................................................................................................1902
10.8.9.2 Reference Standards and Protocols..................................................................................................................1902
10.9 OSPFv3...................................................................................................................................................................1902
10.9.1 Overview.............................................................................................................................................................1902
10.9.2 Mechanism...........................................................................................................................................................1903
10.9.3 OSPFv3 Configuration Using the Web UI..........................................................................................................1907
10.9.4 OSPFv3 Configuration Using the CLI................................................................................................................1912
10.9.4.1 Configuration Flow...........................................................................................................................................1912
10.9.4.2 Configuring Basic OSPFv3 Functions.............................................................................................................1913
10.9.4.3 Configuring OSPFv3 Areas..............................................................................................................................1915
10.9.4.4 Controlling OSPFv3 Routing Information.......................................................................................................1917
10.9.4.5 Adjusting and Optimizing OSPFv3 Networks.................................................................................................1921
10.9.4.6 Maintaining OSPFv3........................................................................................................................................1928
10.9.5 Example for Configuring OSPFv3 to Connect Network Devices.......................................................................1930
10.9.6 Feature Reference................................................................................................................................................1946
10.9.6.1 Feature History.................................................................................................................................................1946
10.9.6.2 Reference Standards and Protocols..................................................................................................................1946
10.10 BGP4+..................................................................................................................................................................1947
10.10.1 Overview...........................................................................................................................................................1947
10.10.2 BGP4+ Configuration Flow...............................................................................................................................1947
10.10.3 Configuring the Basic Functions of BGP4+......................................................................................................1949
10.10.4 Controlling BGP4+ Routing Information..........................................................................................................1951
10.10.4.1 Configuring BGP4+ to Advertise Local IPv6 Routes....................................................................................1951
10.10.4.2 Configuring BGP4+ to Import and Filter External Routes.............................................................................1953
10.10.4.3 Configuring BGP4+ to Send the Default Route to a Peer................................................................1954
10.10.4.4 Configuring the Advertisement Policy of Routing Information.....................................................................1956
10.10.4.5 Configuring the Receiving Policy of Routing Information............................................................................1957
10.10.4.6 Configuring BGP4+ Route Dampening.........................................................................................................1959
10.10.5 Configuring the Routing Attributes of BGP4+..................................................................................................1960
10.10.5.1 Configuring the Priority of BGP4+................................................................................................................1960
10.10.5.2 Setting the Preferred Value of BGP4+ Routing Information.........................................................................1961
10.10.5.3 Setting the Default Local_Pref Attribute Value of the Local Device..............................................1963
10.10.5.4 Configuring the MED Attribute.....................................................................................................................1964
10.10.5.5 Configuring the Next_Hop Attribute..............................................................................................................1965
10.10.5.6 Configuring the AS_Path Attribute................................................................................................................1967
10.10.5.7 Configuring the BGP4+ Community..............................................................................................................1969
10.10.6 Adjusting and Optimizing BGP4+....................................................................................................................1971
10.10.6.1 Configuring the Timer of the Peer..................................................................................................................1971
10.10.6.2 Setting the Sending Interval of Update Packets.............................................................................................1973
10.10.6.3 Setting the Maximum Number of Equal-Cost Routes of BGP4+..................................................................1974
10.10.6.4 Configuring the BGP4+ Soft Reset................................................................................................................1976
10.10.6.5 Configuring the BGP4+ Peer Group..............................................................................................................1977
10.10.6.6 Configuring the BGP4+ Route Reflector........................................................................................1980
10.10.6.7 Configuring the BGP4+ Confederation..........................................................................................................1982
10.10.7 Maintaining BGP4+...........................................................................................................................................1984
10.10.8 Configuration Examples....................................................................................................................................1986
10.10.8.1 Example for Configuring Basic BGP4+ Functions........................................................................................1987
10.10.9 Reference...........................................................................................................................................................1992
10.10.9.1 Feature History...............................................................................................................................................1992
10.10.9.2 Standards and Protocols..................................................................................................................................1992
10.11 MPLS....................................................................................................................................................................1993
10.11.1 Overview...........................................................................................................................................................1993
10.11.2 Mechanism.........................................................................................................................................................1993
10.11.2.1 Background of MPLS.....................................................................................................................................1994
10.11.2.2 Basic Concepts of MPLS................................................................................................................................1994
10.11.2.3 MPLS Architecture.........................................................................................................................................1998
10.11.2.4 Structure of an MPLS Network......................................................................................................................1999
10.11.2.5 MPLS Ping/Traceroute...................................................................................................................................2000
10.11.2.6 Static LSPs......................................................................................................................................................2002
10.11.2.7 Basic Concepts of MPLS LDP.......................................................................................................................2002
10.11.2.8 Basic Concepts of LDP Sessions....................................................................................................................2004
10.11.2.9 LDP Discovery...............................................................................................................................................2005
10.11.2.10 Establishing an LDP Session........................................................................................................................2005
10.11.2.11 Maintaining LDP Sessions...........................................................................................................................2007
10.11.3 Configuring Basic MPLS Functions...................................................................................................2007
10.11.3.1 Configuring Basic MPLS Functions................................................................................................2008
10.11.3.2 Optimizing MPLS...........................................................................................................................................2009
10.11.3.3 Configuring the IP TTL Copy Function.........................................................................................................2011
10.11.4 Configuring Static LSPs....................................................................................................................................2013
10.11.4.1 Configuring Static LSPs.................................................................................................................................2013
10.11.4.2 Maintaining Static LSPs.................................................................................................................................2015
10.11.5 Configuring MPLS LDP....................................................................................................................................2016
10.11.5.1 Configuring MPLS LDP Sessions..................................................................................................................2016
10.11.5.2 Configuring LDP LSP....................................................................................................................................2022
10.11.5.3 Configuring the LDP Multi-Instance..............................................................................................................2027
10.11.5.4 Maintaining MPLS LDP.................................................................................................................................2028
10.11.6 Reference...........................................................................................................................................................2030
10.11.6.1 Feature History...............................................................................................................................................2031
10.11.6.2 Standards and Protocols..................................................................................................................................2031

11 User and User Authentication.............................................................................................2032


11.1 Overview................................................................................................................................................................2032
11.2 Application Scenario..............................................................................................................................................2033
11.2.1 Internet Access Users Access Internet or Intranet Resources...............................................................2033
11.2.2 Remote Access Users Access Intranet Resources Using SSL VPN....................................................................2039
11.2.3 Remote Access Users Access Intranet Resources Using L2TP VPN..................................................................2041
11.2.4 Remote Access Users Access Intranet Resources Using IPSec VPN.................................................................2043
11.2.5 Remote Access Users Access Intranet Resources Using PPPoE........................................................................2044
11.3 Mechanism..............................................................................................................................................................2046
11.3.1 User Organizational Structure.............................................................................................................................2046
11.3.2 Authentication.....................................................................................................................................................2051
11.3.2.1 Overall Authentication Flow............................................................................................................................2051
11.3.2.2 Authentication Triggering................................................................................................................................2052
11.3.2.3 Authentication Policy.......................................................................................................................................2059
11.3.2.4 Authentication Domain.....................................................................................................................................2061
11.3.2.5 Authentication Server.......................................................................................................................................2063
11.4 Restrictions and Precautions...................................................................................................................................2068
11.5 Configuring User Management and Authentication Using the Web UI.................................................................2069
11.5.1 Configuration Flow..............................................................................................................................................2069
11.5.2 Configuring an Authentication Domain..............................................................................................................2075
11.5.3 Configuring Users, User Groups or Security Groups..........................................................................................2081
11.5.3.1 Creating Users and User Groups......................................................................................................................2081
11.5.3.2 Creating Security Groups.................................................................................................................................2087
11.5.3.3 Importing Users and User Groups from a CSV File........................................................................................2090
11.5.3.4 Importing Security Groups from a CSV File....................................................................................................2091
11.5.3.5 Importing Users, User Groups, or Security Groups from a Server..................................................................2092
11.5.4 Configuring Authentication Options...................................................................................................................2099
11.5.4.1 Setting Global Parameters................................................................................................................................2100
11.5.4.2 Configuring SSO..............................................................................................................................................2103
11.5.4.3 Customizing an Authentication Web Page.......................................................................................................2108
11.5.5 Configuring an Authentication Policy.................................................................................................................2109
11.5.6 Configuring an Authentication Server.................................................................................................................2112
11.5.6.1 Configuring a RADIUS Server.........................................................................................................................2112
11.5.6.2 Configuring an HWTACACS Server...............................................................................................................2115
11.5.6.3 Configuring an AD Server................................................................................................................................2118
11.5.6.4 Configuring an LDAP Server...........................................................................................................................2121
11.5.6.5 Configuring a SecurID Server..........................................................................................................................2125
11.5.6.6 Configuring a TSM Server...............................................................................................................................2127
11.5.7 Monitoring User Management and Authentication.............................................................................................2128
11.6 Configuring User Management and Authentication Using the CLI.......................................................................2131
11.6.1 Configuration Flow..............................................................................................................................................2131
11.6.2 Configuring an Authentication Domain..............................................................................................................2137
11.6.3 Configuring Users, User Groups or Security Groups..........................................................................................2141
11.6.3.1 Creating Users and User Groups......................................................................................................................2141
11.6.3.2 Creating Security Groups.................................................................................................................................2145
11.6.3.3 Importing Users and User Groups from a CSV File........................................................................................2146
11.6.3.4 Importing Security Groups from a CSV File....................................................................................................2148
11.6.3.5 Importing Users, User Groups, or Security Groups from a Server..................................................................2149

Issue 04 (2015-07-30) Huawei Proprietary and Confidential xlii


Copyright © Huawei Technologies Co., Ltd.
HUAWEI USG6000 Series & NGFW Module
Administrator Guide Contents

11.6.4 Configuring Authentication Options...................................................................................................................2154
11.6.4.1 Setting Global Parameters................................................................................................................................2154
11.6.4.2 Configuring SSO..............................................................................................................................................2158
11.6.4.3 Customizing an Authentication Web Page.......................................................................................................2164
11.6.5 Configuring an Authentication Policy.................................................................................................................2165
11.6.6 Configuring an Authentication Server.................................................................................................................2167
11.6.6.1 Configuring a RADIUS Server.........................................................................................................................2167
11.6.6.2 Configuring an HWTACACS Server...............................................................................................................2169
11.6.6.3 Configuring an AD Server................................................................................................................................2171
11.6.6.4 Configuring an LDAP Server...........................................................................................................................2173
11.6.6.5 Configuring a SecurID Server..........................................................................................................................2175
11.6.6.6 Configuring a TSM Server...............................................................................................................................2176
11.6.7 Performing Management Routines......................................................................................................................2177
11.7 User Access Scenarios............................................................................................................................................2180
11.8 Configuration Examples.........................................................................................................................................2183
11.8.1 Web Example for Configuring Local Authentication on Internet Access Users.................................................2183
11.8.2 CLI Example for Configuring Local Authentication on Internet Access Users..................................................2195
11.8.3 CLI Example for Configuring Authentication Exemption for Internet Access Users (Bidirectionally Binding Users to IP and MAC Addresses).............................................................................................................................................2202
11.8.4 Web Example for Configuring AD SSO for Internet Access Users (Plug-In Mode)..........................................2207
11.8.5 CLI Example for Configuring AD SSO for Internet Access Users (Plug-In Mode)...........................................2224
11.8.6 Web Example for Configuring AD SSO for Internet Access Users (No-Plug-In Mode)...................................2239
11.8.7 CLI Example for Configuring AD SSO for Internet Access Users (No-Plug-In Mode).....................................2248
11.8.8 Web Example for Configuring TSM SSO for Internet Access Users (User-Initiated Authentication)...............2256
11.8.9 CLI Example for Configuring TSM SSO for Internet Access Users (User-Initiated Authentication)................2264
11.8.10 Web Example for Configuring TSM SSO for Internet Access Users (Redirected Authentication).................2271
11.8.11 CLI Example for Configuring TSM SSO for Internet Access Users (Redirected Authentication)...................2281
11.8.12 Web Example for Configuring RADIUS SSO for Internet Access Users.........................................................2288
11.8.13 Web Example for Configuring a RADIUS Server to Implement Authentication on Internet Access Users........................................................................................................................................................................2295
11.8.14 Web Example for Managing and Authenticating Internet Access Users Through Sun ONE LDAP Server Import and AD Server Authentication.......................................................................................................................................2306
11.8.15 Web Example for Configuring Local Authentication on Remote Access Users Using SSL VPN...................2317
11.8.16 Web Example for Configuring Local Authentication on Remote Access Users Using L2TP VPN in Automatic LAC Dial-up Mode.........................................................................................................................................................2322
11.8.17 Web Example for Configuring Local Authentication on Remote Access Users Using L2TP VPN in NAS-Initiated Mode...............................................................................................................................................................................2330
11.8.18 Web Example for Configuring Local Authentication on Remote Access Users Using IPSec VPN.................2336
11.8.19 Web Example for Configuring Local Authentication on Remote Access Users Using PPPoE........................2343
11.9 Troubleshooting User Management and Authentication........................................................................................2348
11.9.1 Bidirectionally Bound Users Who Are Exempted from Authentication Cannot Access Network Resources........................................................................................................................................................................2348
11.9.2 Users Who Are Authenticated Using AD SSO Cannot Access Network Resources..........................................2350


11.9.3 Users Who Are Authenticated Using TSM SSO Cannot Access Network Resources........................................2353
11.10 Reference..............................................................................................................................................................2354
11.10.1 Specifications.....................................................................................................................................................2354
11.10.2 Feature History..................................................................................................................................................2356
11.10.3 Standards and Protocols.....................................................................................................................................2358

12 Object.......................................................................................................................................2360
12.1 Address and Address Group...................................................................................................................................2360
12.1.1 Overview.............................................................................................................................................................2360
12.1.2 Configuring an Address and Address Group Using the Web UI........................................................................2361
12.1.3 Configuring an Address and Address Group Using the CLI...............................................................................2362
12.1.4 Reference.............................................................................................................................................................2363
12.1.4.1 Specifications....................................................................................................................................................2363
12.1.4.2 Feature History.................................................................................................................................................2364
12.2 Domain Group........................................................................................................................................................2364
12.2.1 Overview.............................................................................................................................................................2364
12.2.2 Configuring Domain Groups Using the Web UI.................................................................................................2365
12.2.3 Configuring Domain Groups Using the CLI.......................................................................................................2366
12.2.4 Reference.............................................................................................................................................................2366
12.2.4.1 Specifications....................................................................................................................................................2366
12.2.4.2 Feature History.................................................................................................................................................2367
12.3 Region and Region Group......................................................................................................................................2367
12.3.1 Overview.............................................................................................................................................................2367
12.3.2 Restrictions and Precautions................................................................................................................................2369
12.3.3 Configuring Regions and Region Groups Using the Web UI.............................................................................2370
12.3.3.1 Modifying a Predefined Region.......................................................................................................................2370
12.3.3.2 Creating a User-Defined Region......................................................................................................................2370
12.3.3.3 Creating a Region Group..................................................................................................................................2371
12.3.4 Configuring Regions and Region Groups Using the CLI....................................................................................2372
12.3.4.1 Modifying a Predefined Region.......................................................................................................................2372
12.3.4.2 Creating a User-Defined Region......................................................................................................................2373
12.3.4.3 Creating a Region Group..................................................................................................................................2374
12.3.5 Reference.............................................................................................................................................................2375
12.3.5.1 Specifications....................................................................................................................................................2375
12.3.5.2 Feature History.................................................................................................................................................2376
12.4 Service and Service Group.....................................................................................................................................2376
12.4.1 Overview.............................................................................................................................................................2376
12.4.2 Configuring a Service Object and Service Group Using the Web UI....................................................................2377
12.4.3 Configuring a Service Object and Service Group Using the CLI.......................................................................2379
12.4.4 Reference.............................................................................................................................................................2380
12.4.4.1 Specifications....................................................................................................................................................2380
12.4.4.2 Feature History.................................................................................................................................................2381


12.5 Application and Application Group.......................................................................................................................2381
12.5.1 Overview.............................................................................................................................................................2381
12.5.2 Mechanism...........................................................................................................................................................2382
12.5.3 Restrictions and Precautions................................................................................................................................2386
12.5.4 Predefined Application........................................................................................................................................2386
12.5.5 Configuring a User-Defined Application............................................................................................................2388
12.5.6 Configuring an Application Group......................................................................................................................2390
12.5.7 Reference.............................................................................................................................................................2391
12.5.7.1 Specifications....................................................................................................................................................2392
12.5.7.2 Feature History.................................................................................................................................................2392
12.5.8 Application FAQ.................................................................................................................................................2392
12.6 Devices and Device Groups...................................................................................................................................2393
12.6.1 Overview.............................................................................................................................................................2393
12.6.2 Configuring Devices and Device Groups - Using the Web UI..........................................................................2393
12.6.3 Configuring Devices and Device Groups - CLI..................................................................................................2395
12.6.4 Feature History....................................................................................................................................................2396
12.7 Certificate...............................................................................................................................................................2396
12.7.1 Overview.............................................................................................................................................................2396
12.7.2 Application Scenario...........................................................................................................................................2397
12.7.3 Mechanism...........................................................................................................................................................2399
12.7.3.1 Cryptography....................................................................................................................................................2399
12.7.3.2 PKI/CA.............................................................................................................................................................2403
12.7.3.3 Digital Certificates............................................................................................................................................2405
12.7.4 Configuring Certificates Using the Web UI........................................................................................................2408
12.7.4.1 Local Certificate...............................................................................................................................................2408
12.7.4.2 CA Certificates.................................................................................................................................................2413
12.7.4.3 CRL..................................................................................................................................................................2414
12.7.4.4 Certificate Filtering...........................................................................................................................................2416
12.7.5 Configuring Certificates Using the CLI..............................................................................................................2416
12.7.5.1 Configuration Flow...........................................................................................................................................2416
12.7.5.2 Creating RSA Key Pairs...................................................................................................................................2419
12.7.5.3 Configuring Entity Information........................................................................................................................2421
12.7.5.4 Using SCEP to Request Certificates Online.....................................................................................................2422
12.7.5.5 Requesting Certificates Offline........................................................................................................................2424
12.7.5.6 Installing Certificates........................................................................................................................................2426
12.7.5.7 Configuring Certificate Updates.......................................................................................................................2427
12.7.5.8 Configuring CRLs............................................................................................................................................2429
12.7.5.9 Configuring OCSP............................................................................................................................................2432
12.7.5.10 Configuring Certificate Attribute-Based Access Control...............................................................................2434
12.7.5.11 Displaying and Maintaining Certificates........................................................................................................2435
12.7.6 Configuration Examples......................................................................................................................................2436


12.7.6.1 Web Example for Using SCEP to Apply For a Certificate Online..................................................................2436
12.7.6.2 CLI Example for Using SCEP to Apply For a Certificate Online....................................................................2439
12.7.6.3 Web Example for Applying For a Certificate Offline......................................................................................2448
12.7.6.4 CLI Example for Applying For a Certificate Offline.......................................................................................2452
12.7.7 Reference.............................................................................................................................................................2459
12.7.7.1 Specifications....................................................................................................................................................2459
12.7.7.2 Feature History.................................................................................................................................................2459
12.7.7.3 Standards and Protocols....................................................................................................................................2459
12.8 Schedule..................................................................................................................................................................2459
12.8.1 Overview.............................................................................................................................................................2460
12.8.2 Configuring a Schedule Using the Web UI.........................................................................................................2461
12.8.3 Configuring a Schedule Using the CLI...............................................................................................................2462
12.8.4 Maintaining Schedules........................................................................................................................................2463
12.8.5 Feature History....................................................................................................................................................2463
12.9 ACL........................................................................................................................................................................2463
12.9.1 Overview.............................................................................................................................................................2463
12.9.2 Mechanism...........................................................................................................................................................2463
12.9.3 Configuring ACLs...............................................................................................................................................2465
12.9.3.1 Creating a Basic ACL.......................................................................................................................................2465
12.9.3.2 Creating an Advanced ACL.............................................................................................................................2467
12.9.3.3 Creating a MAC Address-based ACL..............................................................................................................2470
12.9.4 Maintaining ACLs...............................................................................................................................................2472
12.9.5 Feature History....................................................................................................................................................2473
12.10 IPv6 ACL..............................................................................................................................................................2473
12.10.1 IPv6 ACL Overview..........................................................................................................................................2473
12.10.2 Mechanism.........................................................................................................................................................2473
12.10.3 Configuring IPv6 ACLs.....................................................................................................................................2475
12.10.3.1 Creating a Basic IPv6 ACL............................................................................................................................2475
12.10.3.2 Creating an Advanced IPv6 ACL...................................................................................................................2476
12.10.4 Maintaining IPv6 ACLs.....................................................................................................................................2478
12.10.5 Feature History..................................................................................................................................................2479

13 Security Policy and Content Security................................................................................2480
13.1 Security Policy........................................................................................................................................................2480
13.1.1 Overview.............................................................................................................................................................2480
13.1.2 Application Scenarios..........................................................................................................................................2481
13.1.3 Security Policy Mechanism.................................................................................................................................2484
13.1.4 Restrictions and Precautions................................................................................................................................2489
13.1.5 Configuration Guide............................................................................................................................................2490
13.1.6 Configuring a Security Policy.............................................................................................................................2494
13.1.7 Redundant Policy Analysis..................................................................................................................................2500
13.1.8 Policy Matching Analysis....................................................................................................................................2502


13.1.9 Application Policy Tuning...................................................................................................................................2503
13.1.10 Configuration Examples....................................................................................................................................2510
13.1.10.1 Web Example for Configuring Security Policies Based on Users and Applications.....................................2510
13.1.10.2 Web Example for Configuring Security Policies Based on IP Addresses and Ports......................................2515
13.1.10.3 CLI Example for Configuring Security Policies Based on IP Addresses and Ports.......................................2525
13.1.10.4 Web Example for Configuring Security Policies for Bypass Detection.........................................................2530
13.1.11 Troubleshooting Security Policy.......................................................................................................................2532
13.1.11.1 Intranet Users Can Access the Internet but Cannot Watch Online Videos....................................................2532
13.1.11.2 The NGFW Fails to Detect a Virus Detected on a PC...................................................................................2533
13.1.12 Feature History..................................................................................................................................................2534
13.1.13 Security Policy FAQ..........................................................................................................................................2535
13.2 Antivirus.................................................................................................................................................................2535
13.2.1 Overview.............................................................................................................................................................2535
13.2.2 Application Scenario...........................................................................................................................................2536
13.2.3 Mechanism...........................................................................................................................................................2536
13.2.4 Restrictions and Precautions................................................................................................................................2540
13.2.5 Configuring Antivirus..........................................................................................................................................2540
13.2.6 Web Example for Antivirus.................................................................................................................................2543
13.2.7 Troubleshooting Antivirus...................................................................................................................................2548
13.2.7.1 Antivirus Does Not Take Effect.......................................................................................................................2548
13.2.8 Feature Reference................................................................................................................................................2549
13.2.8.1 Specifications....................................................................................................................................................2549
13.2.8.2 Feature History.................................................................................................................................................2550
13.2.8.3 Standards and Protocols....................................................................................................................................2550
13.2.9 Antivirus FAQ.....................................................................................................................................................2550
13.3 Intrusion Prevention...............................................................................................................................................2551
13.3.1 Overview.............................................................................................................................................................2551
13.3.2 Application Scenario...........................................................................................................................................2552
13.3.3 Mechanism...........................................................................................................................................................2553
13.3.4 Restrictions and Precautions................................................................................................................................2559
13.3.5 Configuring Intrusion Prevention........................................................................................................................2559
13.3.5.1 Configuring Signatures.....................................................................................................................................2559
13.3.5.2 Configuring Intrusion Prevention.....................................................................................................................2568
13.3.6 Intrusion Prevention............................................................................................................................................2573
13.3.7 Managing Intrusion Prevention...........................................................................................................................2580
13.3.8 Troubleshooting Intrusion Prevention.................................................................................................................2580
13.3.8.1 Intrusion Prevention Is Configured but Fails to Block Attacks........................................................................2580
13.3.9 Feature Reference................................................................................................................................................2583
13.3.9.1 Specifications....................................................................................................................................................2583
13.3.9.2 Feature History.................................................................................................................................................2583
13.3.9.3 Standards and Protocols....................................................................................................................................2584
13.3.10 Intrusion Prevention FAQ.................................................................................................................................2584
13.4 URL Filtering.........................................................................................................................................................2584
13.4.1 Overview.............................................................................................................................................................2584
13.4.2 Application Scenario...........................................................................................................................................2585
13.4.3 Mechanism...........................................................................................................................................................2585
13.4.3.1 URL Format......................................................................................................................................................2585
13.4.3.2 URL Matching Mode........................................................................................................................................2586
13.4.3.3 URL Filtering Mode.........................................................................................................................................2588
13.4.3.4 URL Filtering Mechanism................................................................................................................................2589
13.4.4 Restrictions and Precautions................................................................................................................................2591
13.4.5 Configuring URL Filtering..................................................................................................................................2592
13.4.5.1 Configuring URL Categories............................................................................................................................2592
13.4.5.2 Configuring URL Filtering...............................................................................................................................2596
13.4.6 Configuration Examples......................................................................................................................................2599
13.4.6.1 Web Example for Configuring URL Category-based URL Filtering..............................................................2600
13.4.6.2 CLI Example for Configuring URL Category-based URL Filtering...............................................................2612
13.4.6.3 Web Example for Configuring Blacklist/Whitelist-based URL Filtering........................................................2623
13.4.6.4 CLI Example for Configuring Blacklist/Whitelist-based URL Filtering.........................................................2632
13.4.7 Managing URL Filtering.....................................................................................................................................2640
13.4.8 Troubleshooting URL Filtering...........................................................................................................................2640
13.4.8.1 URL Filtering Is Configured But Does Not Take Effect..................................................................................2640
13.4.8.2 URL Filtering Blocks Access to Authorized Websites....................................................................................2642
13.4.9 Feature Reference................................................................................................................................................2644
13.4.9.1 Specifications....................................................................................................................................................2644
13.4.9.2 Feature History.................................................................................................................................................2645
13.4.9.3 Standards and Protocols....................................................................................................................................2645
13.5 File Blocking..........................................................................................................................................................2646
13.5.1 Overview.............................................................................................................................................................2646
13.5.2 Application Scenario...........................................................................................................................................2646
13.5.3 Mechanism...........................................................................................................................................................2647
13.5.4 Restrictions and Precautions................................................................................................................................2650
13.5.5 Global Configuration of File Blocking................................................................................................................2650
13.5.6 Configuring File Blocking...................................................................................................................................2651
13.5.7 Example for Configuring File Blocking..............................................................................................................2654
13.5.8 Troubleshooting File Blocking............................................................................................................................2661
13.5.8.1 File Blocking Does Not Take Effect................................................................................................................2661
13.5.8.2 Transfer of Legitimate Files Is Affected by File Blocking...............................................................................2662
13.5.9 Feature Reference................................................................................................................................................2663
13.5.9.1 Feature History.................................................................................................................................................2663
13.5.9.2 Standards and Protocols....................................................................................................................................2664
13.5.10 File Blocking FAQ............................................................................................................................................2664
13.6 Data Filtering..........................................................................................................................................................2664
13.6.1 Overview.............................................................................................................................................................2664
13.6.2 Application Scenario...........................................................................................................................................2665
13.6.3 Mechanism...........................................................................................................................................................2667
13.6.4 Restrictions and Precautions................................................................................................................................2670
13.6.5 Configuring Data Filtering..................................................................................................................................2670
13.6.5.1 Configuring a Keyword Group.........................................................................................................................2670
13.6.5.2 Configuring Data Filtering...............................................................................................................................2672
13.6.6 Example for Configuring Data Filtering.............................................................................................................2676
13.6.7 Troubleshooting Data Filtering...........................................................................................................................2687
13.6.7.1 Data Filtering Does Not Take Effect................................................................................................................2687
13.6.7.2 Transmission of Normal Content Is Affected by Data Filtering......................................................................2688
13.6.8 Feature Reference................................................................................................................................................2690
13.6.8.1 Specifications....................................................................................................................................................2690
13.6.8.2 Feature History.................................................................................................................................................2691
13.6.8.3 Standards and Protocols....................................................................................................................................2691
13.6.9 Data Filtering FAQ..............................................................................................................................................2691
13.7 Application Behavior Control................................................................................................................................2692
13.7.1 Overview.............................................................................................................................................................2692
13.7.2 Application Scenario...........................................................................................................................................2694
13.7.3 Restrictions and Precautions................................................................................................................................2694
13.7.4 Configuring Application Behavior Control.........................................................................................................2695
13.7.5 Application Behavior Control.............................................................................................................................2697
13.7.6 Feature Reference................................................................................................................................................2704
13.7.6.1 Specifications....................................................................................................................................................2704
13.7.6.2 Feature History.................................................................................................................................................2705
13.7.6.3 Standards and Protocols....................................................................................................................................2705
13.8 Mail Filtering..........................................................................................................................................................2706
13.8.1 Overview.............................................................................................................................................................2706
13.8.2 Application Scenario...........................................................................................................................................2706
13.8.3 Restrictions and Precautions................................................................................................................................2708
13.8.4 Mail Filtering Technologies................................................................................................................................2708
13.8.4.1 Mechanism for Sending and Receiving Email.................................................................................................2709
13.8.4.2 Anti-Spam.........................................................................................................................................................2711
13.8.4.3 Mail Content Filtering......................................................................................................................................2713
13.8.5 Configuring Mail Filtering..................................................................................................................................2715
13.8.5.1 Configuration Flow...........................................................................................................................................2715
13.8.5.2 Configuring a Mail Address Group..................................................................................................................2716
13.8.5.3 Configuring Anti-Spam....................................................................................................................................2718
13.8.5.4 Configuring Anonymous Mail Check..............................................................................................................2721
13.8.5.5 Configuring Mail Address Checks...................................................................................................................2724
13.8.5.6 Configuring Mail Attachment Control.............................................................................................................2731
13.8.6 Example for Configuring Mail Filtering.............................................................................................................2733
13.8.7 Troubleshooting Mail Filtering...........................................................................................................................2739
13.8.7.1 Handling Massive Junk Email Received by Intranet Users..............................................................................2739
13.8.7.2 Certain Email Being Treated As Junk Email....................................................................................................2740
13.8.8 Feature Reference................................................................................................................................................2748
13.8.8.1 Specifications....................................................................................................................................................2749
13.8.8.2 Feature History.................................................................................................................................................2749
13.8.8.3 Standards and Protocols....................................................................................................................................2749
13.8.9 Mail Filtering FAQ..............................................................................................................................................2750

14 Proxy Policy............................................................................................................................2751
14.1 TCP Proxy..............................................................................................................................................................2751
14.1.1 Overview.............................................................................................................................................................2751
14.1.2 Restrictions and Precautions................................................................................................................................2751
14.1.3 Configuring Proxy Policies - TCP Proxy............................................................................................................2753
14.1.4 Example for Configuring TCP Proxy..................................................................................................................2755
14.1.5 Reference.............................................................................................................................................................2758
14.1.5.1 Feature History.................................................................................................................................................2758
14.1.5.2 Standards and Protocols....................................................................................................................................2759
14.2 SSL Decryption......................................................................................................................................................2759
14.2.1 Overview.............................................................................................................................................................2759
14.2.2 Mechanism...........................................................................................................................................................2760
14.2.3 Restrictions and Precautions................................................................................................................................2764
14.2.4 Configuring SSL Decryption...............................................................................................................................2766
14.2.4.1 Configuring SSL Decryption Certificates........................................................................................................2766
14.2.4.2 Configuring Proxy Policies - SSL Decryption.................................................................................................2769
14.2.4.3 Configuring an SSL Host Name Whitelist.......................................................................................................2772
14.2.5 Example for Configuring SSL Decryption..........................................................................................................2773
14.2.6 Reference.............................................................................................................................................................2779
14.2.6.1 Feature History.................................................................................................................................................2779
14.2.6.2 Standards and Protocols....................................................................................................................................2780

15 Audit Policy and Audit Profile...........................................................................................2781


15.1 Overview................................................................................................................................................................2781
15.2 Application Scenario..............................................................................................................................................2781
15.3 Mechanism..............................................................................................................................................................2782
15.4 Restrictions and Precautions...................................................................................................................................2784
15.5 Configuring the Audit Function.............................................................................................................................2784
15.5.1 Configuring the Audit Profile..............................................................................................................................2784
15.5.2 Configuring an Audit Policy................................................................................................................................2787
15.6 Example for Configuring the Audit Function.........................................................................................................2789
15.7 Reference................................................................................................................................................................2793
15.7.1 Feature History....................................................................................................................................................2793
15.7.2 Specifications.......................................................................................................................................................2794
15.8 Audit Policy and Audit Profile FAQ......................................................................................................................2794

16 NAT Policy..............................................................................................................................2795
16.1 Overview................................................................................................................................................................2795
16.2 Application Scenario..............................................................................................................................................2796
16.2.1 Intranet Users Access the Internet.......................................................................................................................2797
16.2.2 Internet Users Access Intranet Servers................................................................................................................2797
16.2.3 Intranet Users Access an Intranet Server Using the Server's Public IP Address.................................................2798
16.2.4 Mobile Terminals Access Wireless Networks.....................................................................................................2799
16.3 Mechanism..............................................................................................................................................................2799
16.3.1 NAT Workflow....................................................................................................................................................2800
16.3.2 Source NAT.........................................................................................................................................................2802
16.3.3 Server Mapping...................................................................................................................................................2805
16.3.4 Destination NAT..................................................................................................................................................2807
16.3.5 NAT ALG............................................................................................................................................................2808
16.4 Restrictions and Precautions...................................................................................................................................2810
16.5 Configuring NAT Policy Using the Web UI..........................................................................................................2810
16.5.1 Configuring Source NAT....................................................................................................................................2811
16.5.2 Configuring Server Mapping...............................................................................................................................2815
16.6 Configuring NAT Policy Using the CLI................................................................................................................2821
16.6.1 Configuring Source NAT....................................................................................................................................2821
16.6.2 Configuring Static Mapping................................................................................................................................2825
16.6.3 Configuring Server Load Balancing....................................................................................................................2832
16.6.4 Configuring Destination NAT.............................................................................................................................2835
16.6.5 Configuring a NAT ALG....................................................................................................................................2837
16.6.6 Maintaining NAT................................................................................................................................................2838
16.7 Configuration Examples.........................................................................................................................................2840
16.7.1 Web Example for Configuring a Source NAT Policy in Address Pool Mode on a NGFW That Connects Intranet
Users to the Internet........................................................................................................................................................2840
16.7.2 CLI Example for Configuring a Source NAT Policy in Address Pool Mode on a NGFW That Connects Intranet
Users to the Internet........................................................................................................................................................2847
16.7.3 Web Example for Configuring a Source NAT Policy in Outbound Interface Mode on a NGFW That Connects
Intranet Users to the Internet..........................................................................................................................................2852
16.7.4 CLI Example for Configuring a Source NAT Policy in Outbound Interface Mode on a NGFW That Connects Intranet
Users to the Internet........................................................................................................................................................2857
16.7.5 Web Example for Configuring Static Mapping on a NGFW That Connects Internet Users to Intranet Servers
........................................................................................................................................................................................2860
16.7.6 CLI Example for Configuring Static Mapping on a NGFW That Connects Internet Users to Intranet Servers
........................................................................................................................................................................................2867
16.7.7 Web Example for Configuring Static Mapping on a NGFW That Connects Internet Users to Intranet Servers (Bidirectional NAT).......................................................................................................................................................2870
16.7.8 CLI Example for Configuring Static Mapping on a NGFW That Connects Internet Users to Intranet Servers (Bidirectional NAT).......................................................................................................................................................2878
16.7.9 Web Example for Configuring Static Mapping on a NGFW That Connects Internet Users to Intranet Servers (Sticky Load Balancing).............................................................................................................................................................2882
16.7.10 CLI Example for Configuring Static Mapping on a NGFW That Connects Internet Users to Intranet Servers (Sticky Load Balancing).............................................................................................................................................................2888
16.7.11 Web Example for Configuring a NGFW to Allow Intranet Users to Access an Intranet Server Using a Public IP Address...........................................................................................................................................................................2892
16.7.12 CLI Example for Configuring a NGFW to Allow Intranet Users to Access an Intranet Server Using a Public IP Address...........................................................................................................................................................................2900
16.7.13 Web Example for Configuring Server Load Balancing....................................................................................2905
16.7.14 CLI Example for Configuring Server Load Balancing......................................................................................2910
16.7.15 CLI Example for Configuring Interface-based Static Server Mapping and DDNS..........................................2914
16.7.16 Web Example for Configuring Transparent NAT.............................................................................................2918
16.7.17 CLI Example for Configuring Transparent NAT..............................................................................................2924
16.7.18 CLI: Example for Configuring Source NAT in a Load Balancing Scenario (Active and Standby Devices Share One Address Pool)..........................................................................................................................................................2928
16.7.19 CLI: Example for Configuring Source NAT in a Load Balancing Scenario (Active and Standby Devices Use Different Address Pools)................................................................................................................................................2936
16.8 Troubleshooting NAT Policy.................................................................................................................................2946
16.8.1 Intranet Users Cannot Access the Internet After a Source NAT Policy Is Configured on a NGFW..................2946
16.8.2 Internet Users Cannot Access Intranet Servers After Static Mapping Is Configured on a NGFW.....................2949
16.9 Feature Reference...................................................................................................................................................2952
16.9.1 Feature History....................................................................................................................................................2952
16.9.2 Standards and Protocols.......................................................................................................................................2952
16.10 NAT FAQs...........................................................................................................................................................2953

17 PBR...........................................................................................................................................2957
17.1 Overview................................................................................................................................................................2957
17.2 Restrictions and Precautions...................................................................................................................................2958
17.3 Mechanism..............................................................................................................................................................2958
17.4 Configuring PBR Using the Web UI......................................................................................................................2960
17.5 Configuring PBR Using the CLI............................................................................................................................2969
17.6 Configuration Examples.........................................................................................................................................2974
17.6.1 Web Example for Configuring User-Specific PBR.............................................................................................2974
17.6.2 CLI Example for Configuring User-Specific PBR..............................................................................................2978
17.6.3 Web Example for Configuring Protocol-Specific PBR.......................................................................................2981
17.6.4 CLI Example for Configuring Protocol-Specific PBR........................................................................................2984
17.6.5 Web Example for Configuring Source IP Address-Specific PBR......................................................................2987
17.6.6 CLI Example for Configuring Source IP Address-Specific PBR........................................................................2991
17.6.7 Web Example for Configuring Domain Name-Specific PBR.............................................................................2993
17.6.8 Web Example for Configuring IPv6-to-IPv4 Policy-based Routing...................................................................2999
17.6.9 CLI Example for Configuring IPv6-to-IPv4 Policy-based Routing....................................................................3009
17.6.10 Web Example for Configuring ISP Address Library Intelligent Uplink Selection...........................................3013
17.7 Feature History.......................................................................................................................................................3022

18 Bandwidth Management......................................................................................................3023
18.1 Overview................................................................................................................................................................3023
18.2 Application Scenarios.............................................................................................................................................3024
18.3 Mechanism..............................................................................................................................................................3026
18.3.1 Process.................................................................................................................................................................3026
18.3.2 Traffic Profile......................................................................................................................................................3027
18.3.3 Traffic Policy.......................................................................................................................................................3029
18.3.4 Interface Bandwidth............................................................................................................................................3031
18.4 Restrictions and Precautions...................................................................................................................................3031
18.5 Configuring Bandwidth Management Using the Web UI......................................................................................3032
18.5.1 Configuring a Traffic Profile...............................................................................................................................3032
18.5.2 Configuring a Traffic Policy................................................................................................................................3035
18.6 Configuring Bandwidth Management Using the CLI............................................................................................3040
18.6.1 Configuring a Traffic Profile...............................................................................................................................3040
18.6.2 Configuring a Traffic Policy................................................................................................................................3043
18.6.3 Enabling the Log Function..................................................................................................................................3047
18.6.4 Maintaining the Bandwidth Management Function............................................................................................3047
18.7 Configuration Examples.........................................................................................................................................3048
18.7.1 Web Example for Implementing Bandwidth Management on a NGFW on the Intranet Border........................3048
18.7.2 Example for Implementing Bandwidth Management on a NGFW on the Intranet Border.................................3058
18.7.3 Web Example for Implementing Bandwidth Management on a NGFW Within an Intranet..............................3067
18.7.4 Example for Implementing Bandwidth Management on a NGFW Within an Intranet.......................................3075
18.7.5 Web Example for Implementing Bandwidth Management on a NGFW on the IDC Border..............................3083
18.7.6 Example for Implementing Bandwidth Management on a NGFW on the IDC Border......................................3088
18.8 References..............................................................................................................................................................3092
18.8.1 Feature History....................................................................................................................................................3092
18.8.2 Standards and Protocols.......................................................................................................................................3093

19 Quota Control Policy............................................................................................................3094
19.1 Overview................................................................................................................................................................3094
19.2 Application Scenarios.............................................................................................................................................3094
19.3 Configuring a Quota Control Policy Using the Web UI........................................................................................3095
19.3.1 Configuring a Quota Control Policy....................................................................................................................3095
19.3.2 User Quota Management.....................................................................................................................................3097
19.4 Configuring a Quota Control Policy Using the CLI...............................................................................................3098
19.4.1 Configuring the Quota Profile.............................................................................................................................3098
19.4.2 Configuring a Quota Control Policy....................................................................................................................3099
19.4.3 Maintenance.........................................................................................................................................................3100
19.5 Web Example for Managing Quota for Enterprise Employees..............................................................................3101
19.6 Example: Managing Quota for Enterprise Employees...........................................................................................3104
19.7 Feature History.......................................................................................................................................................3107
20 VPN..........................................................................................................................................3109
20.1 VPN Overview.......................................................................................................................................................3109
20.1.1 Introduction.........................................................................................................................................................3109
20.1.2 Application Scenarios..........................................................................................................................................3111
20.2 IPSec.......................................................................................................................................................................3117
20.2.1 Overview.............................................................................................................................................................3117
20.2.2 Application Scenario...........................................................................................................................................3118
20.2.2.1 Connection of LANs Through VPN.................................................................................................................3118
20.2.2.2 Remote VPN Access of Mobile Users.............................................................................................................3123
20.2.2.3 IPSec Redundancy Design................................................................................................................................3124
20.2.2.4 Application of IPSec Multiple Instances..........................................................................................................3129
20.2.3 IPSec Framework................................................................................................................................................3130
20.2.3.1 Overview of the Protocol Framework..............................................................................................................3130
20.2.3.2 Encapsulation Mode.........................................................................................................................................3131
20.2.3.3 Security Protocol..............................................................................................................................................3134
20.2.3.4 Encryption........................................................................................................................................................3136
20.2.3.5 Verification.......................................................................................................................................................3138
20.2.3.6 Key Exchange...................................................................................................................................................3140
20.2.4 IPSec Security Association..................................................................................................................................3141
20.2.4.1 SA Overview....................................................................................................................................................3141
20.2.4.2 IKEv1 SA Negotiation......................................................................................................................................3143
20.2.4.3 IKEv2 SA Negotiation Process........................................................................................................................3148
20.2.5 IPSec Extension Mechanism...............................................................................................................................3151
20.2.5.1 L2TP over IPSec Mechanism...........................................................................................................................3151
20.2.5.2 GRE over IPSec Mechanism............................................................................................................................3153
20.2.5.3 Application and Mechanism of IPSec on Transitioning Networks..................................................................3153
20.2.6 Restrictions and Precautions................................................................................................................................3156
20.2.7 Configuring IPSec Using the Web UI.................................................................................................................3157
20.2.7.1 Configuring an IPSec Policy in Site-to-Site VPN............................................................................................3157
20.2.7.2 Configuring an IPSec Policy in Site-to-Multisite VPN....................................................................................3166
20.2.7.3 Configuring IPSec Intelligent Link Selection..................................................................................................3176
20.2.7.4 Monitoring IPSec Tunnels................................................................................................................................3187
20.2.8 Configuring IKE-Enabled IPSec Using the CLI.................................................................................................3188
20.2.8.1 Configuration Flow...........................................................................................................................................3188
20.2.8.2 Defining Data Flows to Be Protected...............................................................................................................3189
20.2.8.3 Configuring an IKE Proposal...........................................................................................................................3193
20.2.8.4 Configuring IKE Peers.....................................................................................................................................3195
20.2.8.5 (Recommended) Configuring IKE Peer Detection...........................................................................................3204
20.2.8.6 Configuring an IPSec Proposal.........................................................................................................................3207
20.2.8.7 Configuring IPSec Intelligent Link Selection Profiles.....................................................................................3208
20.2.8.8 Configure an IKE-based IPSec Policy..............................................................................................................3211
20.2.8.9 Configure a Template IPSec Policy..................................................................................................................3214
20.2.8.10 Applying an IPSec Policy Group....................................................................................................................3218
20.2.8.11 (Optional) Configuring NAT Traversal..........................................................................................................3220
20.2.8.12 (Optional) Set IKE SA Lifetime.....................................................................................................................3223
20.2.8.13 (Optional) Set IPSec SA Lifetime..................................................................................................................3225
20.2.8.14 (Optional) Disabling Unencrypted and Decrypted Packets Inspections.........................................................3228
20.2.8.15 (Optional) Configuring IPSec Anti-Replay Window.....................................................................................3229
20.2.8.16 Verifying the Configuration...........................................................................................................................3231
20.2.9 Configuring Manual IPSec Policies Using the CLI.............................................................................................3232
20.2.9.1 Configuration Flow...........................................................................................................................................3232
20.2.9.2 Defining Data Flows to Be Protected...............................................................................................................3232
20.2.9.3 Configuring an IPSec Proposal.........................................................................................................................3234
20.2.9.4 Configuring an IPSec Policy............................................................................................................................3236
20.2.9.5 Applying an IPSec Policy/Policy Group..........................................................................................................3240
20.2.9.6 Verifying the Configuration.............................................................................................................................3242
20.2.10 Maintaining an IPSec Tunnel............................................................................................................................3242
20.2.11 Configuration Examples....................................................................................................................................3245
20.2.11.1 Example for Configuring Manual Site-to-Site IPSec VPN............................................................................3245
20.2.11.2 Example for Configuring Dynamic Site-to-Site IPSec VPN Using Pre-shared Key Authentication.............3249
20.2.11.3 Example for Configuring Dynamic Site-to-Site IPSec VPN Using Certificate Authentication....................3262
20.2.11.4 Example for Enabling PPPoE Users at A Branch Office to Access the Headquarters Using the Domain Name of the DDNS Server........................................................................................................................................................3275
20.2.11.5 Example for Configuring IPSec VPN Between the Headquarters and Branch Offices Using Non-Template Policies............................................................................................................................................................................3291
20.2.11.6 Example for Configuring IPSec VPN Between the Headquarters and Branch Offices Using Template Policies........................................................................................................................................................................................3308
20.2.11.7 Example for Configuring IPSec VPN Between the Headquarters and Branch Offices Using Template Policies and Non-Template Policies............................................................................................................................................3325
20.2.11.8 Example for Configuring IPSec VPN with NAT Traversal...........................................................................3344
20.2.11.9 Example for Configuring the IPSec Gateway with the NAT Function..........................................................3356
20.2.11.10 Example for Configuring Site-to-Site L2TP over IPSec VPN.....................................................................3370
20.2.11.11 Example for Configuring Site-to-Site GRE over IPSec VPN......................................................................3381
20.2.11.12 Web Example for Configuring L2TP over IPSec VPN for Users that Dial Up to the Headquarters Using the VPN Client.....................................................................................................................................................................3395
20.2.11.13 CLI Example for Configuring L2TP over IPSec VPN for Users that Dial Up to the Headquarters Using the VPN Client.....................................................................................................................................................................3407
20.2.11.14 Web Example for Configuring L2TP over IPSec VPN for Users to Access the Headquarters Using the Windows L2TP Client....................................................................................................................................................................3420
20.2.11.15 CLI Example for Configuring L2TP over IPSec VPN for Users to Access the Headquarters Using the Windows L2TP Client....................................................................................................................................................................3432
20.2.11.16 CLI Example for Mobile Employees Using IPSec to Access the Headquarters..........................................3445
20.2.11.17 Example for Configuring IPSec Gateway Redundancy...............................................................................3451
20.2.11.18 Example for Configuring Link Backup for an IPSec Tunnel.......................................................................3468
20.2.11.19 Example for Configuring IPSec in the Same VPN Instance........................................................................3480
20.2.11.20 Example for Configuring IPSec in Different VPN Instances.......................................................................3489
20.2.11.21 Example for Configuring IPSec Gateway Load Balancing Without Tunnel Redundancy..........................3499
20.2.11.22 Example for Configuring IPSec Gateway Load Balancing With Routers Connected in the Upstream and Downstream....................................................................................................................................................................3510
20.2.11.23 Example for Configuring IPSec Gateway Load Balancing With Switches Connected in the Upstream and Downstream....................................................................................................................................................................3527
20.2.11.24 Example for Configuring IPSec 6over4 (Transport Mode)..........................................................................3542
20.2.11.25 Example for Configuring IPSec 6over4 (Tunnel Mode)..............................................................................3550
20.2.11.26 Example for Configuring IPSec 4over6 (Transport Mode)..........................................................................3557
20.2.11.27 Example for Configuring IPSec 4over6 (Tunnel Mode)..............................................................................3563
20.2.11.28 Web Example for Configuring IPSec Intelligent Link Selection.................................................................3570
20.2.11.29 CLI Example for Configuring IPSec Intelligent Link Selection..................................................................3584
20.2.11.30 Web Example for Configuring Branches to Use Different IDs and Pre-shared Keys to Establish IPSec VPNs with the Headquarters.....................................................................................................................................................3594
20.2.11.31 CLI Example for Configuring Branches to Use Different IDs and Pre-shared Keys to Establish IPSec VPNs with the Headquarters.....................................................................................................................................................3612
20.2.12 Troubleshooting IPSec......................................................................................................................................3625
20.2.12.1 KB0200: IPSec Troubleshooting Mind Map..................................................................................................3625
20.2.12.2 FT0201: Fault Tree for the IKE Negotiation Failure.....................................................................................3626
20.2.12.2.1 ISAKMP Packet Encapsulation...................................................................................................................3626
20.2.12.2.2 IKEv1 Phase 1 Negotiation.........................................................................................................................3630
20.2.12.2.3 IKEv1 Phase 2 Negotiation.........................................................................................................................3637
20.2.12.2.4 IKEv1 NAT Traversal Negotiation.............................................................................................................3638
20.2.12.2.5 IKEv2 Negotiation.......................................................................................................................................3641
20.2.12.2.6 Fault Tree for IKE Negotiation Failures......................................................................................................3643
20.2.12.3 FT0202: Fault Tree for Abnormal IPSec VPN Services................................................................................3644
20.2.12.3.1 IPSec Packet Forwarding Workflow...........................................................................................................3644
20.2.12.3.2 IPSec Mechanism........................................................................................................................................3645
20.2.12.3.3 Analysis on IPSec Failures..........................................................................................................................3647
20.2.12.3.4 Analysis on Poor IPSec Service Quality.....................................................................................................3648
20.2.12.3.5 Fault Tree for Abnormal IPSec Services.....................................................................................................3649
20.2.12.4 Troubleshooting Guide...................................................................................................................................3650
20.2.12.4.1 TG0201: No Data Flow to Trigger the IKE Negotiation.............................................................................3650
20.2.12.4.2 TG0202: IKE SA Negotiation Failure.........................................................................................................3654
20.2.12.4.3 TG0203: IPSec SA Negotiation Failure......................................................................................................3658
20.2.12.4.4 TG0204: Only One Endpoint Can Initiate and Successfully Establish a Tunnel........................................3661
20.2.12.4.5 TG0205: After an Unexpected Restart of One Endpoint, Only This Endpoint Can Successfully Initiate a Tunnel........3663
20.2.12.4.6 TG0206: The Tunnel Is Established, but VPN Services Are Interrupted....................................................3664
20.2.12.4.7 TG0207: The Tunnel Is Established, but the VPN Service Quality Is Poor................................................3668
20.2.12.5 Troubleshooting Cases...................................................................................................................................3669
20.2.12.5.1 IPSec Tunnel Negotiation Cannot Be Triggered Because the Post-NAT Address Does Not Match the ACL When IPSec and NAT Are Deployed on One NGFW...................................................................................................3669
20.2.12.5.2 IPSec VPN Negotiation Fails Because the Secondary Address Cannot Trigger the IKE Peer...................3671
20.2.12.5.3 IPSec SA Negotiation Fails.........................................................................................................................3672
20.2.12.5.4 After One Endpoint Restarts, the Other Endpoint Does Not Delete the Original Tunnel and Consequently Cannot Communicate Through the Tunnel....................................................................................................................3675
20.2.12.5.5 IPSec VPN Fails Due to ACL Mismatch on Both Endpoints......................................................................3676
20.2.12.5.6 A New Tunnel Replaces an Existing Tunnel...............................................................................................3678
20.2.12.5.7 File Downloading Through IPSec Tunnel Fails Because Fragments Cannot Be Processed.......................3682
20.2.12.5.8 A Branch Office Fails to Communicate With the Headquarters Because of ACL Rule Mismatch............3685
20.2.12.5.9 Unavailable VPN Because Data Flows Match the Reverse Session on the NAT Server............................3687
20.2.12.5.10 Unavailable VPN Because the Carrier Blocks IPSec Packets...................................................................3688
20.2.12.5.11 TC0210: Troubleshooting an IPSec Failure Using the Diagnosis Center.................................................3689
20.2.12.5.12 TC0212: Mobile PCs Fail to Negotiate IPSec Tunnels in IKEv2 Mode ..................................................3692
20.2.13 Reference...........................................................................................................................................................3701
20.2.13.1 Specifications..................................................................................................................................................3701
20.2.13.2 Feature History...............................................................................................................................................3702
20.2.13.3 Standards and Protocols..................................................................................................................................3704
20.2.14 IPSec FAQ.........................................................................................................................................................3705
20.3 L2TP.......................................................................................................................................................................3707
20.3.1 Overview.............................................................................................................................................................3707
20.3.2 Application Scenarios..........................................................................................................................................3709
20.3.2.1 NAS-Initiated VPN...........................................................................................................................................3709
20.3.2.2 Automatic LAC Dial-up...................................................................................................................................3711
20.3.2.3 Client-Initiated VPN.........................................................................................................................................3711
20.3.3 Mechanism...........................................................................................................................................................3712
20.3.3.1 Tunnel and Session Establishment...................................................................................................................3712
20.3.3.2 Packet Encapsulation........................................................................................................................................3719
20.3.3.3 Authentication Modes.......................................................................................................................................3722
20.3.4 Restrictions and Precautions................................................................................................................................3723
20.3.5 Configuring L2TP Using the Web UI.................................................................................................................3723
20.3.5.1 Configuring a LAC...........................................................................................................................................3723
20.3.5.2 Configuring an LNS.........................................................................................................................................3727
20.3.5.3 Monitoring L2TP..............................................................................................................................................3730
20.3.6 Configuring L2TP Using the CLI........................................................................................................................3731
20.3.6.1 Configuration Flow...........................................................................................................................................3731
20.3.6.2 Configuring a LAC...........................................................................................................................................3734
20.3.6.3 Configuring an LNS.........................................................................................................................................3739
20.3.6.4 Maintaining L2TP.............................................................................................................................................3746
20.3.7 Configuration Examples......................................................................................................................................3748
20.3.7.1 Example for Configuring a NAS-Initiated L2TP VPN....................................................................................3748
20.3.7.2 Example for Configuring an Automatic LAC Dial-up L2TP Tunnel...............................................................3757
20.3.7.3 Example for Configuring a Client-Initiated L2TP VPN..................................................................................3768
20.3.8 Troubleshooting L2TP.........................................................................................................................................3778
20.3.8.1 A User Fails to Dial In to the LNS Through L2TP..........................................................................................3778
20.3.8.2 Service Interruption in the Case of Successful L2TP Dial-up on a PC............................................................3780
20.3.9 Feature Reference................................................................................................................................................3783
20.3.9.1 Specifications....................................................................................................................................................3783
20.3.9.2 Feature History.................................................................................................................................................3783
20.3.9.3 Standards and Protocols....................................................................................................................................3784
20.3.10 L2TP FAQs........................................................................................................................................................3784
20.4 L2TP over IPSec.....................................................................................................................................................3788
20.4.1 Configuring L2TP over IPSec.............................................................................................................................3788
20.5 GRE........................................................................................................................................................................3798
20.5.1 Overview.............................................................................................................................................................3799
20.5.2 Application Scenario...........................................................................................................................................3801
20.5.3 Configuring GRE Using the Web UI..................................................................................................................3802
20.5.4 Configuring GRE Using the CLI.........................................................................................................................3807
20.5.5 Configuration Examples......................................................................................................................................3811
20.5.5.1 Example for Configuring the Static Route-based GRE Tunnel........................................................................3811
20.5.5.2 Example for Configuring the OSPF-based GRE Tunnel..................................................................................3816
20.5.6 Reference.............................................................................................................................................................3822
20.5.6.1 Feature History.................................................................................................................................................3822
20.5.6.2 Standards and Protocols....................................................................................................................................3822
20.5.7 GRE FAQ............................................................................................................................................................3822
20.6 DSVPN...................................................................................................................................................................3823
20.6.1 Overview.............................................................................................................................................................3823
20.6.2 Mechanism...........................................................................................................................................................3824
20.6.2.1 Basic Concepts and Mechanism.......................................................................................................................3825
20.6.2.2 MGRE Tunnel Establishment Between Spokes and the Hub...........................................................................3826
20.6.2.3 MGRE Tunnel Establishment Between Spokes (Normal Mode).....................................................................3827
20.6.2.4 MGRE Tunnel Establishment Between Spokes (Shortcut Mode)....................................................................3829
20.6.3 Application Scenario...........................................................................................................................................3831
20.6.3.1 Universal Scenario............................................................................................................................................3831
20.6.3.2 Active/Standby Hub Backup............................................................................................................................3832
20.6.3.3 Hub Load Balancing.........................................................................................................................................3833
20.6.3.4 Cascade Scenario..............................................................................................................................................3834
20.6.4 Restrictions and Precautions................................................................................................................................3835
20.6.5 Configuring DSVPN Using the Web UI.............................................................................................................3835
20.6.5.1 Configuring Branches.......................................................................................................................................3836
20.6.5.2 Configuring the Headquarters..........................................................................................................................3843
20.6.5.3 Configuring Cascade Headquarters..................................................................................................................3845
20.6.5.4 Monitoring........................................................................................................................................................3849
20.6.6 Configuring DSVPN Using the CLI ...................................................................................................................3849
20.6.6.1 Setting Tunnel Parameters................................................................................................................................3849
20.6.6.2 Setting Route Parameters..................................................................................................................................3852
20.6.6.3 (Optional) Configuring IPSec Profiles.............................................................................................................3855
20.6.6.4 Maintaining DSVPN.........................................................................................................................................3856
20.6.7 Configuration Examples......................................................................................................................................3857
20.6.7.1 Example for Configuring DSVPN in the Universal Application Scenario (Route Advertisement and Learning Through OSPF)...............................................................................................................................................................3857
20.6.7.2 Example for Configuring DSVPN in the Universal Application Scenario (Using Reverse Route Injection for Route Advertisement and Learning).........................................................................................................................3865
20.6.7.3 Example for Configuring DSVPN with IPSec Enabled...................................................................................3872
20.6.7.4 Example for Configuring Active/Standby Hub Backup...................................................................................3883
20.6.7.5 Example for Configuring Hub Load Balancing...............................................................................................3892
20.6.7.6 Example for Configuring DSVPN in the Cascade Scenario............................................................................3905
20.6.8 Troubleshooting DSVPN.....................................................................................................................................3919
20.6.8.1 A Spoke Fails to Establish a Static MGRE Tunnel with the Hub....................................................................3919
20.6.8.2 Spokes Fail to Establish Dynamic MGRE Tunnels Between Each Other.......................................................3920
20.6.9 Feature Reference................................................................................................................................................3921
20.6.9.1 Specifications....................................................................................................................................................3921
20.6.9.2 Feature History.................................................................................................................................................3921
20.6.9.3 Standards and Protocols....................................................................................................................................3922
20.7 BGP MPLS IP VPN Configuration........................................................................................................................3922
20.7.1 Introduction to BGP/MPLS IP VPN...................................................................................................................3922
20.7.2 Mechanism...........................................................................................................................................................3923
20.7.2.1 Basic Concepts of BGP/MPLS IP VPN...........................................................................................................3924
20.7.2.2 Hub and Spoke..................................................................................................................................................3927
20.7.2.3 Inter-AS VPN...................................................................................................................................................3928
20.7.2.4 HoVPN.............................................................................................................................................................3931
20.7.2.5 Sham Link.........................................................................................................................................................3934
20.7.2.6 Multi-VPN-Instance CE...................................................................................................................................3935
20.7.2.7 Interconnection Between VPNs and the Internet..............................................................................................3937
20.7.3 VPN Instance Configuration...............................................................................................................................3938
20.7.3.1 Creating a VPN Instance..................................................................................................................................3938
20.7.3.2 Binding an Interface with the VPN Instance....................................................................................................3939
20.7.3.3 Configuring Route Attributes of a VPN Instance.............................................................................................3940
20.7.4 Configuring Basic BGP/MPLS IP VPN Functions.............................................................................................3949
20.7.4.1 Configuring a VPN Instance.............................................................................................................................3949
20.7.4.2 Binding an Interface to a VPN Instance...........................................................................................................3950
20.7.4.3 Configuring MP-IBGP Between PEs...............................................................................................................3951
20.7.4.4 Configuring a Routing Protocol Between PEs and CEs...................................................................................3952
20.7.5 Configuring Tunnel Policies for a BGP/MPLS IP VPN.....................................................................................3953
20.7.5.1 Creating a Tunnel Policy..................................................................................................................................3953
20.7.5.2 Applying a Tunnel Policy.................................................................................................................................3954
20.7.6 Configuring Hub and Spoke................................................................................................................................3954
20.7.6.1 Configuring a VPN Instance.............................................................................................................................3954
20.7.6.2 Configuring Route Attributes of the VPN Instance..........................................................................................3955
20.7.6.3 Binding an Interface to a VPN Instance...........................................................................................................3956
20.7.6.4 Configuring MP-IBGP Between a Hub-PE and a Spoke-PE...........................................................................3957
20.7.6.5 Configuring Route Exchange Between PEs and CEs.......................................................................................3958
20.7.7 Configuring Inter-AS VPN Option A..................................................................................................................3959
20.7.8 Configuring Inter-AS VPN Option B..................................................................................................................3959
20.7.8.1 Configuring MP-IBGP Between a PE and an ASBR.......................................................................................3960
20.7.8.2 Configuring MP-EBGP Between ASBRs........................................................................................................3960
20.7.8.3 Configuring a Routing Policy for Sending and Receiving VPN Routing Information......................................3961
20.7.8.4 Storing VPN Instance Information on the ASBR.............................................................................................3963
20.7.8.5 Configuring a Routing Protocol Between a CE and a PE................................................................................3963
20.7.9 Configuring Inter-AS VPN Option C..................................................................................................................3964
20.7.9.1 Enabling the Labeled IPv4 Route Exchange....................................................................................................3964
20.7.9.2 Configuring a Routing Policy to Control Label Distribution...........................................................................3965
20.7.9.3 Establishing an MP-EBGP Peer Relationship Between PEs............................................................................3966
20.7.9.4 Configuring the Routing Protocol Between CE and PE...................................................................................3968
20.7.10 Configuring HoVPN..........................................................................................................................................3968
20.7.10.1 Specifying a UPE............................................................................................................................................3968
20.7.10.2 Advertising Default Routes of a VPN Instance..............................................................................................3970
20.7.11 Configuring Multi-VPN-Instance CE................................................................................................................3970
20.7.11.1 Configuring the OSPF Multi-Instance on the Multi-Instance CE..................................................................3970
20.7.11.2 Configuring the OSPF Multi-Instance on the PE...........................................................................................3971
20.7.11.3 Canceling Loop Detection on a Multi-Instance CE........................................................................................3972
20.7.12 Configuring an OSPF Sham Link......................................................................................................................3973
20.7.12.1 Configuring the Loopback Address of the Sham Link...................................................................................3973
20.7.12.2 Advertising Routes to the End Address of a Sham Link................................................................................3974
20.7.12.3 Creating a Sham Link.....................................................................................................................................3975
20.7.13 Connecting a VPN to the Internet......................................................................................................................3976
20.7.13.1 Configuring a Static Route from a CE to the Public Network.......................................................................3976
20.7.13.2 Configuring a Static Route from a PE to the Public Network........................................................................3977
20.7.13.3 Configuring a Static Route to a VPN on a Public Network Router...............................................................3977
20.7.14 Maintaining BGP/MPLS IP VPN......................................................................................................................3977
20.7.14.1 Performing MPLS Ping/Traceroute Tests......................................................................................................3978
20.7.14.2 Displaying the Running Status of BGP/MPLS IP VPN.................................................................................3979
20.7.14.3 Clearing BGP Statistics of a VPN Instance....................................................................................................3984
20.7.14.4 Resetting BGP Connections...........................................................................................................................3984
20.7.14.5 Debugging the BGP/MPLS IP VPN Information...........................................................................................3985
20.7.15 Configuration Examples....................................................................................................................................3986
20.7.15.1 Example for Configuring a BGP/MPLS IP VPN...........................................................................................3986
20.7.16 Feature Reference..............................................................................................................................................3997
20.7.16.1 Feature History...............................................................................................................................................3997
20.7.16.2 Standards and Protocols..................................................................................................................................3997

21 SSL VPN..................................................................................................................................3999
21.1 Overview................................................................................................................................................................3999
21.2 Application Scenario..............................................................................................................................................4000
21.3 Mechanism..............................................................................................................................................................4002
21.3.1 Overall Flow........................................................................................................................................................4002
21.3.2 Local Certificate Authentication..........................................................................................................................4003
21.3.3 User Authentication.............................................................................................................................................4005
21.3.4 Web Proxy...........................................................................................................................................................4010
21.3.5 File Sharing..........................................................................................................................................................4013
21.3.6 Port Forwarding...................................................................................................................................................4013
21.3.7 Network Extension..............................................................................................................................................4014
21.4 Restrictions and Precautions...................................................................................................................................4016
21.5 Configuring SSL VPN............................................................................................................................................4016
21.5.1 Preparing for Configuration.................................................................................................................................4017
21.5.2 Using the SSL VPN Configuration Guide...........................................................................................................4019
21.5.2.1 Creating a Virtual Gateway..............................................................................................................................4020
21.5.2.2 Configuring SSL...............................................................................................................................................4024
21.5.2.3 Configuring Web Proxy....................................................................................................................................4025
21.5.2.4 Configuring File Sharing..................................................................................................................................4027
21.5.2.5 Configuring Port Forwarding...........................................................................................................................4028
21.5.2.6 Configuring Network Extension.......................................................................................................................4030
21.5.2.7 Configuring the Host Check.............................................................................................................................4031
21.5.2.8 Configuring Role Authorization/Users.............................................................................................................4038
21.5.3 Configuring the Cache Clearing..........................................................................................................................4039
21.5.4 Configuring Certificate Filtering.........................................................................................................................4042
21.5.5 Customizing Virtual Gateway Login UI.............................................................................................................4044
21.6 Logging In to the SSL VPN Gateway....................................................................................................................4045
21.7 Monitoring SSL VPN Services...............................................................................................................................4049
21.8 Configuration Examples.........................................................................................................................................4051
21.8.1 Example for Enabling Employees on the Move to Remotely Access Intranet Servers Through an NGFW Enabled with the Web Proxy Service...........................................................................................................4051
21.8.2 Example for Enabling Partners to Remotely Access Intranet Files Through an NGFW Enabled with the File Sharing Service............................................................................................................................................................4055
21.8.3 Example for Enabling Employees at Customer Service Centers to Remotely Access Intranet Servers Through an NGFW Enabled with the Port Forwarding Service........................................................................................................4059
21.8.4 Example for Enabling Employees Working at Home to Remotely Access Intranet Resources Through an NGFW Enabled with the Network Extension Service................................................................................................................4063
21.9 Troubleshooting SSL VPN Services......................................................................................................................4067
21.9.1 A Message "The Web page cannot be displayed" Appears When a PC Attempts to Log In to the SSL VPN Gateway on an NGFW.....................................................................................................................................................................4067
21.9.2 A PC Displays a Message "Invalid user, incorrect password or the user is locked." After a User Enters a User Name and Password Before Logging In to an SSL VPN Gateway..........................................................................................4068
21.9.3 The Prompt "Your Certificate Is Invalid. Please Provide a Valid Certificate!" Is Displayed.............................4069
21.9.4 A User Cannot Access a Web Proxy Resource Even Though the Resource Is Displayed on the Web UI for an SSL VPN Gateway.................................................................................................................................................................4072
21.9.5 Failed to Enable the Network Extension Function..............................................................................................4073
21.9.6 An Internet User Cannot Access Intranet Resources After the Network Extension Service Is Enabled............4075
21.9.7 A User Cannot Access Intranet Resources Through an NGFW Enabled with the Port Forwarding Service.......4077
21.9.8 A User Fails to Access a File Sharing Resource.................................................................................................4078
21.10 Feature Reference.................................................................................................................................................4080
21.10.1 Specifications.....................................................................................................................................................4080
21.10.2 Feature History..................................................................................................................................................4086
21.10.3 Standards and Protocols.....................................................................................................................................4087
21.11 SSL VPN FAQ.....................................................................................................................................................4087

22 Security Protection................................................................................................................4090
22.1 Attack Defense.......................................................................................................................................................4090
22.1.1 Overview.............................................................................................................................................................4090
22.1.2 Application Scenario...........................................................................................................................................4091
22.1.3 Mechanism...........................................................................................................................................................4092
22.1.3.1 DDoS Attack Defense......................................................................................................................................4092
22.1.3.2 DDoS Attack Defense Threshold.....................................................................................................................4103
22.1.3.3 Single-Packet Attack Defense..........................................................................................................................4103
22.1.4 Configuring Attack Defense Using the Web UI..................................................................................................4112
22.1.4.1 Configuring Anti-DDoS...................................................................................................................................4112
22.1.4.2 Configuring the Defense Against Single-Packet Attacks.................................................................................4115
22.1.5 Configuring the Defense Against Attacks Using the CLI...................................................................................4117
22.1.5.1 Configuring DDoS Attack Defense..................................................................................................................4117
22.1.5.1.1 Setting DDoS Attack Defense Parameters....................................................................................................4117
22.1.5.1.2 Configuring SYN Flood Attack Defense.......................................................................................................4118
22.1.5.1.3 Configuring UDP Flood Attack Defense.......................................................................................................4119
22.1.5.1.4 Configuring ICMP Flood Attack Defense.....................................................................................................4121
22.1.5.1.5 Configuring HTTP Flood Attack Defense.....................................................................................................4121
22.1.5.1.6 Configuring HTTPS Flood Attack Defense..................................................................................................4122
22.1.5.1.7 Configuring DNS Request Flood Attack Defense.........................................................................................4123
22.1.5.1.8 Configuring DNS Reply Flood Attack Defense............................................................................................4123
22.1.5.1.9 Configuring SIP Flood Attack Defense.........................................................................................................4124
22.1.5.1.10 Configuring ARP Flood Attack Defense.....................................................................................................4125
22.1.5.1.11 Configuring Threshold Learning.................................................................................................................4125
22.1.5.2 Configuring Single-Packet Attack Defense......................................................................................................4126
22.1.5.2.1 Configuring IP Address Sweep Attack Defense............................................................................................4127
22.1.5.2.2 Configuring Port Scan Attack Defense.........................................................................................................4128
22.1.5.2.3 Configuring Smurf Attack Defense...............................................................................................................4129
22.1.5.2.4 Configuring Land Attack Defense.................................................................................................................4129
22.1.5.2.5 Configuring Fraggle Attack Defense.............................................................................................................4130
22.1.5.2.6 Configuring IP Fragment Packet Attack Defense.........................................................................................4131
22.1.5.2.7 Configuring IP-spoofing Attack Defense......................................................................................................4131
22.1.5.2.8 Configuring ARP Spoofing Attack Defense.................................................................................................4132
22.1.5.2.9 Configuring Ping of Death Attack Defense...................................................................................................4133
22.1.5.2.10 Configuring TCP Packet Flag Bit Attack Defense......................................................................................4134
22.1.5.2.11 Configuring Teardrop Attack Defense........................................................................................................4134
22.1.5.2.12 Configuring WinNuke Attack Defense.......................................................................................................4135
22.1.5.2.13 Configuring Large ICMP Packet Attack Defense.......................................................................................4136
22.1.5.2.14 Configuring ICMP Redirection Packet Attack Defense..............................................................................4137
22.1.5.2.15 Configuring ICMP Unreachable Packet Attack Defense............................................................................4137
22.1.5.2.16 Configuring Attack Defense Against IP Packets with the Route Record Option........................................4138
22.1.5.2.17 Configuring Attack Defense Against IP Packets with the Source Routing Option.....................................4138
22.1.5.2.18 Configuring Tracert Packet Attack Defense................................................................................................4139
22.1.5.2.19 Configuring Attack Defense Against IP Packets with the Timestamp........................................................4140
22.1.5.2.20 Configuring Illegitimate Access Attack Defense........................................................................................4140
22.1.6 Example for Configuring DDoS Attack Defense................................................................................................4141
22.1.7 Feature History....................................................................................................................................................4143
22.2 Ping Proxy..............................................................................................................................................................4143
22.2.1 Overview.............................................................................................................................................................4144
22.2.2 Configuring Ping Proxy Using the Web UI........................................................................................................4144
22.2.3 Configuring Ping Proxy Using the CLI...............................................................................................................4145
22.2.4 Feature Reference................................................................................................................................................4146
22.2.4.1 Specifications....................................................................................................................................................4146
22.2.4.2 Feature History.................................................................................................................................................4146
22.3 Blacklist..................................................................................................................................................................4146
22.3.1 Overview.............................................................................................................................................................4146
22.3.2 Configuring the Blacklist Using the Web UI......................................................................................................4149
22.3.3 Configuring the Blacklist Using the CLI.............................................................................................................4151
22.3.4 Feature History....................................................................................................................................................4153
22.4 IP-MAC Binding....................................................................................................................................................4154
22.4.1 Overview.............................................................................................................................................................4154
22.4.2 Mechanism...........................................................................................................................................................4154
22.4.3 Restrictions and Precautions................................................................................................................................4159
22.4.4 Binding an IP Address to a MAC Address Using the Web UI............................................................................4160
22.4.5 Binding an IP Address to a MAC Address Using the CLI..................................................................................4161
22.4.6 Feature History....................................................................................................................................................4163
22.5 ASPF.......................................................................................................................................................................4163
22.5.1 Overview.............................................................................................................................................................4164
22.5.2 Mechanism...........................................................................................................................................................4164
22.5.3 Configuring ASPF Using the Web UI.................................................................................................................4168
22.5.4 Configuring ASPF Using the CLI.......................................................................................................................4169
22.5.5 Example for Configuring ASPF..........................................................................................................................4171
22.5.6 Feature History....................................................................................................................................................4174
22.6 Configuring MAC Address-based Packet Filtering................................................................................................4175
22.7 URPF......................................................................................................................................................................4176
22.7.1 Overview.............................................................................................................................................................4176
22.7.2 Mechanism...........................................................................................................................................................4177
22.7.3 Configuring URPF on an Interface......................................................................................................................4180
22.7.4 Example for Configuring URPF..........................................................................................................................4181
22.7.5 Feature History....................................................................................................................................................4183
22.8 GTP.........................................................................................................................................................................4184
22.8.1 Overview.............................................................................................................................................................4184
22.8.2 Configuration Procedures....................................................................................................................................4187
22.8.3 Configuring a GTP Policy...................................................................................................................................4188
22.8.3.1 Creating a GTP Policy......................................................................................................................................4188
22.8.3.2 Configuring the GTP Content Filtering............................................................................................................4189
22.8.3.3 Configuring the GTP Type Filtering................................................................................................................4190
22.8.3.4 Configuring the GTP Length Filtering.............................................................................................................4192
22.8.3.5 Configuring the GTP IE Filtering.....................................................................................................................4193
22.8.3.6 Configuring the Extension Header-based Filtering of GTP Messages.............................................................4196
22.8.3.7 Configuring the GTP Packet Log Function......................................................................................................4196
22.8.3.8 Applying the GTP Policy.................................................................................................................................4198
22.8.4 Configuring the Defense Against GTP Overbilling Attacks...............................................................................4199
22.8.5 Configuring the GTP-in-GTP Filtering Function................................................................................................4201
22.8.6 Configuring the GTP Limitation Function..........................................................................................................4201
22.8.7 Managing GTP....................................................................................................................................................4202
22.8.7.1 Configuring the GTP Status Check Function...................................................................................................4202
22.8.7.2 Setting the GTP Aging Time............................................................................................................................4203
22.8.7.3 Configuring the GTP Tunnel Log Function.....................................................................................................4204
22.8.7.4 Configuring the GTP Statistics Function..........................................................................................................4204
22.8.7.5 Setting the Digits of the MNC..........................................................................................................................4205
22.8.8 Configuration Examples......................................................................................................................................4205
22.8.8.1 Example for Configuring the GTP Policy........................................................................................................4205
22.8.8.2 Example for Configuring the Defense Against GTP Overbilling Attacks.......................................................4208
22.8.9 Feature History....................................................................................................................................................4214
22.9 IDS Interworking....................................................................................................................................................4214
22.9.1 Overview.............................................................................................................................................................4214
22.9.2 Configuring the Interworking with IDS Using the Web UI................................................................................4215
22.9.3 Configuring the Interworking with IDS Using the CLI......................................................................................4216
22.9.3.1 Configuring the Interworking with IDS...........................................................................................................4216
22.9.3.2 Maintaining IDS Interworking.........................................................................................................................4217
22.9.4 Example for Configuring the Interworking with IDS.........................................................................................4218
22.9.5 Feature History....................................................................................................................................................4221
22.10 Terminal Security Management (Interworking with the TSM)............................................................................4221
22.10.1 Overview...........................................................................................................................................................4221
22.10.2 Mechanism.........................................................................................................................................................4221
22.10.2.1 Concept of Terminal Security and Introduction to the TSM..........................................................................4222
22.10.2.2 Introduction to the Working Principle of the SACG......................................................................................4223
22.10.2.3 Deployment Modes of the SACG...................................................................................................................4225
22.10.3 Configuring TSM Using the Web UI...............................................................................................................4230
22.10.3.1 Settings...........................................................................................................................................................4230
22.10.3.2 Policy..............................................................................................................................................................4233
22.10.3.3 Role.................................................................................................................................................................4236
22.10.3.4 Privileged User...............................................................................................................................................4236
22.10.3.5 Monitor...........................................................................................................................................................4236
22.10.4 Configuring TSM Using the CLI.....................................................................................................................4237
22.10.4.1 Configuring the Connection Between the SACG and TSM Controller.........................................................4237
22.10.4.2 Managing Users and Roles.............................................................................................................................4241
22.10.4.3 Configuring User-defined Policies.................................................................................................................4242
22.10.4.4 Maintaining TSM...........................................................................................................................................4245
22.10.5 Configuration Examples....................................................................................................................................4247
22.10.5.1 Web Example for Configuring the Interworking with the TSM in Off-line Mode........................................4247
22.10.5.2 CLI Example for Configuring the Interworking with the TSM in Off-line Mode.........................................4265
22.10.5.3 Web Example for Configuring the Interworking with the TSM in In-line Mode..........................................4284
22.10.5.4 CLI Example for Configuring the Interworking with the TSM in In-line Mode...........................................4302
22.10.6 Feature History..................................................................................................................................................4319

23 IP Multicast.............................................................................................................................4320
23.1 Guide for Configuring Multicast............................................................................................................................4320
23.2 IP Multicast Overview............................................................................................................................................4323
23.2.1 Introduction to IP Multicast.................................................................................................................................4323
23.2.1.1 Basic Concepts of IP Multicast........................................................................................................................4324
23.2.1.2 Advantages and Applications of IP Multicast..................................................................................................4325
23.2.1.3 Models of IP Multicast.....................................................................................................................................4327
23.2.2 Implementation Mechanism of IP Multicast.......................................................................................................4327
23.2.2.1 Basic Architecture of IP Multicast...................................................................................................................4327
23.2.2.2 Multicast Addresses..........................................................................................................................................4328
23.2.2.3 Multicast Protocols...........................................................................................................................................4330
23.3 IGMP Snooping Configuration..............................................................................................................................4332
23.3.1 Introduction to IGMP Snooping..........................................................................................................................4332
23.3.2 Enabling IGMP Snooping...................................................................................................................................4337
23.3.3 Configuring the IGMP Snooping Version...........................................................................................................4338
23.3.4 Configuring the IGMP Snooping Port.................................................................................................................4339
23.3.4.1 Setting the Aging Time for Dynamic Router Port............................................................................................4339
23.3.4.2 Configuring the Static Router Port...................................................................................................................4340
23.3.4.3 Configuring the Static Member Port................................................................................................................4341
23.3.4.4 Configuring the Prompt Leave of Port.............................................................................................................4342
23.3.5 Configuring the IGMP Snooping Query and Response......................................................................................4343
23.3.6 Configuring the Proactive Sending of IGMP Query Packets to Non-router Ports..............................................4345
23.3.7 Enabling the Router-Alert Option Check for IGMP Snooping...........................................................................4346
23.3.8 Configuring the IGMP Snooping Policy.............................................................................................................4347
23.3.8.1 Configuring the Multicast Group Policy for VLAN........................................................................................4347
23.3.8.2 Configuring the SSM Policy for IGMP Snooping............................................................................................4348
23.3.9 Configuring the IGMP Snooping Proxy..............................................................................................................4349
23.3.10 Maintaining IGMP Snooping............................................................................................................................4350
23.3.10.1 Clearing the Group Information of IGMP Snooping......................................................................................4350
23.3.10.2 Monitoring the Running Status of IGMP Snooping.......................................................................................4350
23.3.10.3 Debugging IGMP Snooping...........................................................................................................................4351
23.3.11 Example for Configuring IGMP Snooping.......................................................................................................4352
23.3.12 Feature History..................................................................................................................................................4355
23.4 IGMP Configuration...............................................................................................................................................4355
23.4.1 IGMP Overview..................................................................................................................................................4355
23.4.1.1 IGMP Overview...............................................................................................................................................4355
23.4.1.2 Working Mechanism of IGMPv1.....................................................................................................................4356
23.4.1.3 Improvement of IGMPv2.................................................................................................................................4357
23.4.1.4 Improvement of IGMPv3.................................................................................................................................4358
23.4.1.5 Introduction to SSM Mapping..........................................................................................................................4360
23.4.2 Configuring the IGMP Function..........................................................................................................................4362
23.4.2.1 Enabling IP Multicast Routing.........................................................................................................................4362
23.4.2.2 Enabling the IGMP Function............................................................................................................................4363
23.4.2.3 Configuring the IGMP Version........................................................................................................................4364
23.4.2.4 Adding Interfaces to the Multicast Group Statically........................................................................................4366
23.4.2.5 Configuring the Range of Multicast Groups that the Interface Is Allowed to Join...........................................4366
23.4.2.6 Configuring the Fast Leaving of IGMP............................................................................................................4368
23.4.2.7 Enabling the Router-Alert Option Check.........................................................................................................4369
23.4.3 Configuring the Query and Response of IGMP..................................................................................................4371
23.4.3.1 Setting the Parameters of the IGMPv1 Querier................................................................................................4371
23.4.3.2 Configuring the Query and Response of IGMPv2 or IGMPv3........................................................................4372
23.4.4 Configuring SSM Mapping.................................................................................................................................4375
23.4.5 Maintaining IGMP...............................................................................................................................................4377
23.4.5.1 Clearing the Group Information of IGMP........................................................................................................4377


23.4.5.2 Monitoring the Running Status of IGMP.........................................................................................................4377
23.4.5.3 Debugging IGMP.............................................................................................................................................4378
23.4.6 Example for Configuring Basic IGMP Functions...............................................................................................4379
23.4.7 Feature History....................................................................................................................................................4383
23.5 PIM-DM Configuration..........................................................................................................................................4384
23.5.1 Introduction to PIM-DM.....................................................................................................................................4384
23.5.1.1 PIM-DM Overview...........................................................................................................................................4384
23.5.1.2 How PIM-DM Works.......................................................................................................................................4385
23.5.2 Configuring Basic PIM-DM Functions...............................................................................................................4388
23.5.2.1 Enabling IP Multicast Routing.........................................................................................................................4388
23.5.2.2 Enabling PIM-DM............................................................................................................................................4389
23.5.3 Adjusting Multicast Source Control Parameters.................................................................................................4391
23.5.3.1 Setting the Source Lifetime..............................................................................................................................4391
23.5.3.2 Configuring Source Address Filtering Rules....................................................................................................4392
23.5.4 Adjusting Hello Message Parameters..................................................................................................................4392
23.5.4.1 Setting the Interval for Sending Hello Messages.............................................................................................4393
23.5.4.2 Configuring the Maximum Delay for Sending Hello Messages......................................................................4394
23.5.4.3 Setting the Neighbor Relationship Timeout.....................................................................................................4395
23.5.4.4 Configuring the Generation ID Option of Hello Messages..............................................................................4396
23.5.5 Adjusting Prune Control Parameters...................................................................................................................4397
23.5.5.1 Setting the Holdtime of Interface Prune Status................................................................................................4397
23.5.5.2 Setting the Interval for Sending Join/Prune Messages.....................................................................................4398
23.5.5.3 Configuring the Prune Delay............................................................................................................................4399
23.5.5.4 Configuring the Prune Rejection Time.............................................................................................................4400
23.5.5.5 Adjusting the Specifications of Join/Prune Messages......................................................................................4402
23.5.6 Adjusting the Status Refresh Message Parameters..............................................................................................4403
23.5.6.1 Enabling the Status Refresh Function .............................................................................................................4403
23.5.6.2 Setting the Interval for Sending Status Refresh Messages...............................................................................4404
23.5.6.3 Setting the Time for Receiving the Next Status Refresh Message...................................................................4404
23.5.6.4 Setting the TTL of the Status Refresh Message...............................................................................................4405
23.5.7 Adjusting Graft Control Parameters....................................................................................................................4406
23.5.7.1 Setting the Interval for Retransmitting Graft Messages...................................................................................4406
23.5.8 Adjusting Assert Control Parameters..................................................................................................................4407
23.5.8.1 Setting the Assert Holdtime..............................................................................................................................4407
23.5.9 Maintaining PIM-DM..........................................................................................................................................4409
23.5.9.1 Clearing Statistics on PIM Control Messages..................................................................................................4409
23.5.9.2 Monitoring the PIM-DM Running Status.........................................................................................................4409
23.5.9.3 Debugging PIM-DM.........................................................................................................................................4410
23.5.10 Example for Configuring the Multicast Network Based on PIM-DM..............................................................4411
23.5.11 Feature History..................................................................................................................................................4416
23.6 PIM-SM Configuration...........................................................................................................................................4416


23.6.1 Introduction to PIM-SM......................................................................................................................................4416
23.6.1.1 PIM-SM Overview...........................................................................................................................................4416
23.6.1.2 Mechanism of PIM-SM....................................................................................................................................4418
23.6.1.3 PIM-SM BSR Management Domain................................................................................................................4424
23.6.1.4 Principles for Implementing PIM-SSM............................................................................................................4426
23.6.2 Enabling PIM-SM................................................................................................................................................4429
23.6.2.1 Enabling IP Multicast Routing.........................................................................................................................4429
23.6.2.2 Enabling PIM-SM.............................................................................................................................................4430
23.6.3 Configuring a PIM-SM Multicast Network.........................................................................................................4431
23.6.3.1 Configuring a PIM-SM Network Based on a Dynamic RP..............................................................................4431
23.6.3.2 Configuring a PIM-SM Network Based on a Static RP...................................................................................4434
23.6.3.3 Configuring a PIM-SM Network Based on BSR Management Domains........................................................4435
23.6.4 Configuring a PIM-SSM Network......................................................................................................................4439
23.6.5 Configuring the Switchover from RPT to SPT...................................................................................................4440
23.6.6 Adjusting the C-RP and C-BSR Control Parameters..........................................................................................4442
23.6.6.1 Adjusting C-RP Parameters..............................................................................................................................4442
23.6.6.2 Adjusting C-BSR Parameters...........................................................................................................................4443
23.6.6.3 Configuring the BSR Service Boundary..........................................................................................................4445
23.6.6.4 Configuring a Legitimate BSR Address Range................................................................................................4445
23.6.6.5 Configuring a Legitimate C-RP Address Range..............................................................................................4446
23.6.7 Adjusting Multicast Source Control Parameters.................................................................................................4447
23.6.7.1 Setting the Source Time to Live.......................................................................................................................4448
23.6.7.2 Configuring Source Address Filtering Rules....................................................................................................4448
23.6.8 Adjusting Hello Message Parameters..................................................................................................................4449
23.6.8.1 Specifying the Interval for Sending the Hello Messages..................................................................................4450
23.6.8.2 Configuring the Maximum Delay for Sending Hello Messages......................................................................4451
23.6.8.3 Setting the Timeout for the Neighbor Relationship..........................................................................................4452
23.6.8.4 Configuring the Generation ID Option of Hello Messages..............................................................................4453
23.6.8.5 Setting the Control Parameters of Candidate DRs...........................................................................................4454
23.6.9 Adjusting Source Registration Control Parameters.............................................................................................4456
23.6.9.1 Configuring PIM-SM Register Messages.........................................................................................................4456
23.6.9.2 Configuring PIM-SM Registration Suppression..............................................................................................4457
23.6.10 Adjusting Prune Control Parameters.................................................................................................................4458
23.6.10.1 Configuring the Holdtime of Interface Prune Status......................................................................................4458
23.6.10.2 Setting the Interval for Sending Join/Prune Messages...................................................................................4460
23.6.10.3 Configuring the Prune Delay..........................................................................................................................4460
23.6.10.4 Setting the Prune Rejection Time...................................................................................................................4462
23.6.10.5 Adjusting the Specifications of Join/Prune Messages....................................................................................4463
23.6.11 Adjusting Assert Control Parameters................................................................................................................4464
23.6.11.1 Configuring the Assert Holdtime...................................................................................................................4464
23.6.12 Maintaining PIM-SM........................................................................................................................................4466


23.6.12.1 Clearing PIM Control Message Statistics.......................................................................................................4466
23.6.12.2 Monitoring the PIM-SM Running Status.......................................................................................................4466
23.6.12.3 Debugging PIM-SM.......................................................................................................................................4467
23.6.13 Configuration Examples....................................................................................................................................4468
23.6.13.1 Example for Configuring the PIM-SM Network............................................................................................4469
23.6.13.2 Example for Configuring a PIM-SM Network Based on BSR Management Domains.................................4475
23.6.13.3 Example for Configuring SPT Switchover in a PIM-SM Domain.................................................................4486
23.6.13.4 Example for Configuring a PIM-SSM Multicast Network............................................................................4491
23.6.14 Feature History..................................................................................................................................................4496
23.7 MSDP Configuration..............................................................................................................................................4497
23.7.1 Introduction to MSDP.........................................................................................................................................4497
23.7.1.1 MSDP Overview...............................................................................................................................................4497
23.7.1.2 MSDP Peers......................................................................................................................................................4497
23.7.1.3 Applying a Mesh Group...................................................................................................................................4499
23.7.1.4 RPF Rule of SA Message.................................................................................................................................4500
23.7.1.5 Realizing the Inter-Domain Multicast of PIM-SM Domains Through MSDP Peers ......................................4501
23.7.1.6 Configuring the Anycast RP in the PIM-SM Domain Through MSDP Peers..................................................4502
23.7.2 Configuring the PIM-SM Inter-Domain Multicast..............................................................................................4504
23.7.2.1 Configuring the PIM-SM Inter-Domain Multicast in the AS...........................................................................4504
23.7.2.2 Configuring the Inter-AS Multicast Based on BGP Routes.............................................................................4507
23.7.2.3 Configuring the Inter-AS Multicast Based on Static RPF Peers......................................................................4509
23.7.3 Configuring the Anycast RP in the PIM-SM Domain.........................................................................................4511
23.7.3.1 Configuring the Anycast RP Based on Static RPs...........................................................................................4511
23.7.3.2 Configuring the Anycast RP Based on Dynamic RPs......................................................................................4514
23.7.4 Managing the Connections of MSDP Peers........................................................................................................4518
23.7.4.1 Controlling the Sessions of MSDP Peers.........................................................................................................4518
23.7.4.2 Adjusting the Retry Cycle of the Connections of MSDP Peers.......................................................................4519
23.7.5 Configuring the SA Cache...................................................................................................................................4519
23.7.5.1 Enabling or Disabling the SA Message Cache Function..................................................................................4520
23.7.5.2 Setting the Maximum Number of the (S, G) Entries in the Cache...................................................................4521
23.7.6 Configuring an SA Request.................................................................................................................................4522
23.7.6.1 Configuring the Sending of SA Request Messages..........................................................................................4522
23.7.6.2 Configuring the Filtering Rules of SA Request Messages...............................................................................4523
23.7.7 Configuring the Content of the SA Message.......................................................................................................4524
23.7.7.1 Configuring the Encapsulation of the Multicast Data Packets in the SA Message..........................................4524
23.7.7.2 Configuring the TTL Threshold Encapsulated in the Multicast Data Packets of the SA Message..................4525
23.7.8 Configuring the Filtering Rules for SA Messages...............................................................................................4526
23.7.8.1 Configuring the Creation Rule for SA Messages.............................................................................................4526
23.7.8.2 Configuring the Receiving Rule for SA Messages...........................................................................................4527
23.7.8.3 Configuring the Forwarding Rule for SA Messages........................................................................................4528
23.7.9 Maintaining MSDP..............................................................................................................................................4529


23.7.9.1 Clearing the Statistics on MSDP Peers.............................................................................................................4529
23.7.9.2 Clearing the (S, G) Information Cached in the SA Cache................................................................................4529
23.7.9.3 Monitoring the Running Status of MSDP........................................................................................................4530
23.7.9.4 Debugging MSDP.............................................................................................................................................4530
23.7.10 Configuration Examples....................................................................................................................................4531
23.7.10.1 Example for Configuring the PIM-SM Inter-Domain Multicast in the AS....................................................4531
23.7.10.2 Example for Configuring the Inter-AS Multicast Based on BGP Routes......................................................4540
23.7.10.3 Example for Configuring the Inter-AS Multicast Through Static RPF Peers................................................4547
23.7.10.4 Example for Configuring the Anycast RP......................................................................................................4554
23.7.10.5 Example for Configuring the SA Message Filtering Mechanism..................................................................4561
23.7.11 Feature History..................................................................................................................................................4567
23.8 Multicast Routing and Forwarding Configuration.................................................................................................4568
23.8.1 Multicast Routing and Forwarding Overview.....................................................................................................4568
23.8.1.1 Multicast Routing and Forwarding...................................................................................................................4568
23.8.1.2 RPF Check Mechanism....................................................................................................................................4568
23.8.1.3 Static Multicast Route......................................................................................................................................4571
23.8.1.4 Applying GRE Tunnels to Multicast Forwarding............................................................................................4573
23.8.2 Configuring the Multicast Static Route...............................................................................................................4574
23.8.3 Configuring the Multicast Routing Policy...........................................................................................................4575
23.8.3.1 Configuring the Longest Match for Multicast Routes......................................................................................4575
23.8.3.2 Configuring Multicast Load Balancing............................................................................................................4577
23.8.4 Configuring the Multicast Forwarding Range.....................................................................................................4578
23.8.4.1 Configuring the Multicast Forwarding Boundary............................................................................................4578
23.8.4.2 Setting the TTL Threshold for Multicast Forwarding......................................................................................4579
23.8.4.3 Prohibiting an Interface from Receiving Multicast Packets.............................................................................4581
23.8.5 Configuring the Capacity of a Multicast Forwarding Table................................................................................4582
23.8.5.1 Setting the Maximum Number of Entries in a Multicast Forwarding Table....................................................4582
23.8.5.2 Setting the Maximum Number of Downstream Nodes of Multicast Forwarding Entries................................4583
23.8.6 Multicast Routing and Forwarding Maintenance................................................................................................4584
23.8.6.1 Clearing Multicast Forwarding Entries and Routing Entries...........................................................................4584
23.8.6.2 Monitoring the Status of Multicast Routing and Forwarding...........................................................................4585
23.8.6.3 Debugging Multicast Forwarding and Routing................................................................................................4586
23.8.7 Configuration Examples......................................................................................................................................4587
23.8.7.1 Example for Configuring the Multicast Static Route to Change the RPF Route.............................................4587
23.8.7.2 Example for Configuring the Multicast Static Route to Connect the RPF Route............................................4591
23.8.8 Feature History....................................................................................................................................................4596

24 IPv6 Transition Technologies.............................................................................................4597


24.1 NAT64....................................................................................................................................................................4597
24.1.1 Introduction.........................................................................................................................................................4597
24.1.2 Configuring NAT64 Using the Web UI..............................................................................................................4601
24.1.3 Configuring NAT64 Using the CLI.....................................................................................................................4605


24.1.3.1 Configuring a NAT64 Prefix............................................................................................................................4605
24.1.3.2 Configuring Dynamic NAT64 Mapping..........................................................................................................4606
24.1.3.3 Configuring Static NAT64 Mapping................................................................................................................4610
24.1.3.4 Maintaining NAT64.........................................................................................................................................4611
24.1.4 Configuration Examples......................................................................................................................................4612
24.1.4.1 Example for Configuring Dynamic NAT64 on a Device That Allows an IPv6 Host to Initiate a Connection to an IPv4 Network.......4613
24.1.4.2 Example for Configuring Static NAT64 Mapping on a Device That Allows an IPv4 Host to Initiate a Connection to an IPv6 Network.......4618
24.1.5 References...........................................................................................................................................................4620
24.1.5.1 Feature History.................................................................................................................................................4620
24.1.5.2 Standards and Protocols....................................................................................................................................4621
24.2 IPv6 over IPv4 Tunnel............................................................................................................................................4621
24.2.1 Overview.............................................................................................................................................................4621
24.2.2 Configuring an IPv6 over IPv4 Tunnel...............................................................................................................4623
24.2.2.1 Configuration Flow...........................................................................................................................................4623
24.2.2.2 Configuring an IPv6 over IPv4 Manual Tunnel...............................................................................................4625
24.2.2.3 Configuring an IPv6 over IPv4 GRE Tunnel...................................................................................................4628
24.2.2.4 Configuring an IPv6 over IPv4 Automatic Tunnel..........................................................................................4631
24.2.2.5 Configuring a 6to4 Tunnel...............................................................................................................................4634
24.2.2.6 Configuring a 6RD Tunnel...............................................................................................................................4638
24.2.2.7 Configuring an ISATAP Tunnel.......................................................................................................................4644
24.2.3 Maintaining the IPv6 over IPv4 Tunnel..............................................................................................................4647
24.2.3.1 Displaying the Configurations of the IPv6 over IPv4 Tunnel..........................................................................4647
24.2.4 Configuration Examples......................................................................................................................................4647
24.2.4.1 Example for Configuring the IPv6 over IPv4 Manual Tunnel.........................................................................4648
24.2.4.2 Example for Configuring the IPv6 over IPv4 GRE Tunnel.............................................................................4653
24.2.4.3 Example for Configuring the IPv6 over IPv4 Automatic Tunnel....................................................................4658
24.2.4.4 Example for Configuring the 6to4 Tunnel (6to4 Network-6to4 Network)......................................................4662
24.2.4.5 Example for Configuring the 6to4 Tunnel (6to4 Network-IPv6 Network)......................................................4667
24.2.4.6 Example for Configuring the 6RD Tunnel (6RD Domain-6RD Domain).......................................................4673
24.2.4.7 Example for Configuring the 6RD Tunnel (6RD Domain-IPv6 Network)......................................................4680
24.2.4.8 Example for Configuring the ISATAP Tunnel.................................................................................................4687
24.2.5 Reference.............................................................................................................................................................4692
24.2.5.1 Feature History.................................................................................................................................................4692
24.2.5.2 Standards and Protocols....................................................................................................................................4692
24.3 IPv4 over IPv6 Tunnel............................................................................................................................................4692
24.3.1 Overview.............................................................................................................................................................4692
24.3.2 Configuring an IPv4 over IPv6 Tunnel...............................................................................................................4693
24.3.2.1 Configuring a Tunnel Interface........................................................................................................................4693
24.3.2.2 Configuring Routes Through the Tunnel..........................................................................................................4694
24.3.2.3 Configuring IPv4 over IPv6 Tunnel Options...................................................................................................4695

24.3.3 Maintaining IPv4 over IPv6 Tunnel....................................................................................................................4695
24.3.3.1 Displaying IPv4 over IPv6 Tunnel Configurations..........................................................................................4696
24.3.4 Example for Configuring an IPv4 over IPv6 Tunnel..........................................................................................4696
24.3.5 Reference.............................................................................................................................................................4701
24.3.5.1 Feature History.................................................................................................................................................4701
24.3.5.2 Standards and Protocols....................................................................................................................................4702

25 Monitoring..............................................................................................................................4703
25.1 Logs and Reports....................................................................................................................................................4703
25.1.1 Overview.............................................................................................................................................................4703
25.1.2 Restrictions and Precautions................................................................................................................................4705
25.1.3 Viewing Logs......................................................................................................................................................4705
25.1.3.1 Traffic Logs......................................................................................................................................................4705
25.1.3.2 Threat Logs.......................................................................................................................................................4708
25.1.3.3 URL Logs.........................................................................................................................................................4712
25.1.3.4 Content Logs.....................................................................................................................................................4715
25.1.3.5 Operation Logs.................................................................................................................................................4718
25.1.3.6 System Logs.....................................................................................................................................................4720
25.1.3.7 User Activity Logs............................................................................................................................................4721
25.1.3.8 Policy Matching Logs.......................................................................................................................................4723
25.1.3.9 Mail Filtering Logs...........................................................................................................................................4725
25.1.3.10 Audit Logs......................................................................................................................................................4729
25.1.4 Viewing Reports..................................................................................................................................................4732
25.1.4.1 Customizing Reports........................................................................................................................................4733
25.1.4.2 Report Subscription..........................................................................................................................................4733
25.1.4.3 Traffic Reports..................................................................................................................................................4734
25.1.4.4 Threat Reports..................................................................................................................................................4738
25.1.4.5 URL Reports.....................................................................................................................................................4741
25.1.4.6 Policy Matching Reports..................................................................................................................................4742
25.1.4.7 File Blocking Reports.......................................................................................................................................4744
25.1.4.8 Data Filtering Reports......................................................................................................................................4745
25.1.5 Configuration Examples......................................................................................................................................4746
25.1.5.1 Example of Configuring Report Subscription..................................................................................................4747
25.1.6 Reference.............................................................................................................................................................4752
25.1.6.1 Feature History.................................................................................................................................................4752
25.1.6.2 Standards and Protocols....................................................................................................................................4752
25.2 Traffic Map.............................................................................................................................................................4752
25.3 Threat Map.............................................................................................................................................................4755
25.4 Session Table and Persistent Connection...............................................................................................................4756
25.4.1 Overview.............................................................................................................................................................4757
25.4.2 Mechanism...........................................................................................................................................................4757
25.4.3 Checking the Session Table Using the Web UI..................................................................................................4762

25.4.3.1 Checking the Session Table..............................................................................................................................4762
25.4.3.2 Configuring Stateful Inspection........................................................................................................................4764
25.4.4 Configuring the Session Table Using the CLI.....................................................................................................4765
25.4.4.1 Configuring an Aging Time for the Session Table...........................................................................................4765
25.4.4.2 Checking the Session Table..............................................................................................................................4766
25.4.4.3 Clearing a Session Table..................................................................................................................................4769
25.4.4.4 Configuring Stateful Inspection........................................................................................................................4772
25.4.5 Configuring Persistent Connection Using the CLI..............................................................................................4773
25.4.5.1 Setting an Aging Time for a Persistent Connection.........................................................................................4773
25.4.5.2 Enabling Persistent Connection........................................................................................................................4773
25.4.6 Example for Setting an Aging Time of the Session Table and Configuring Persistent Connection...................4775
25.4.7 Feature History....................................................................................................................................................4778
25.5 Server Map.............................................................................................................................................................4778
25.5.1 Overview.............................................................................................................................................................4779
25.5.2 Mechanism...........................................................................................................................................................4779
25.5.3 Configuring the Server Map................................................................................................................................4786
25.5.3.1 Checking the Server Map.................................................................................................................................4786
25.5.3.2 Clearing the Server Map...................................................................................................................................4790
25.5.4 Feature History....................................................................................................................................................4791
25.6 System Statistics.....................................................................................................................................................4791
25.6.1 Overview.............................................................................................................................................................4791
25.6.2 Checking System Statistics Using the Web UI...................................................................................................4792
25.6.3 Checking System Statistics Using the CLI..........................................................................................................4794
25.6.3.1 Displaying Global System Statistics.................................................................................................................4794
25.6.3.2 Viewing the Traffic Statistics of an Interface or a Device...............................................................................4796
25.6.3.3 Checking Statistics on New Connections.........................................................................................................4797
25.6.3.4 Maintaining System Statistics..........................................................................................................................4798
25.6.4 Feature History....................................................................................................................................................4799
25.7 System Diagnosis...................................................................................................................................................4799
25.7.1 Overview.............................................................................................................................................................4799
25.7.2 Diagnosis Center..................................................................................................................................................4800
25.7.2.1 Overview..........................................................................................................................................................4800
25.7.2.2 Configuring the Diagnosis Center Using the Web UI......................................................................................4801
25.7.2.3 Configuring the Diagnosis Center Using the CLI............................................................................................4808
25.7.3 Port Mirroring......................................................................................................................................................4810
25.7.3.1 Overview..........................................................................................................................................................4810
25.7.3.2 Restrictions and Precautions.............................................................................................................................4811
25.7.3.3 Enabling Port Mirroring...................................................................................................................................4811
25.7.4 Quintuple Packet Capture....................................................................................................................................4812
25.7.4.1 Overview..........................................................................................................................................................4812
25.7.4.2 Configuring Quintuple Packet Capture Using the Web UI..............................................................................4813

25.7.4.3 Configuring Quintuple Packet Capture Using the CLI....................................................................................4815
25.7.4.4 Example for Configuring Quintuple Packet Capture.......................................................................................4816
25.7.5 Collecting Quintuple Packet Discarding Statistics..............................................................................................4818
25.7.6 Feature History....................................................................................................................................................4820

1 Feature Updates and Supports

1.1 What's New in V100R001C30SPC100

Hardware
l Changed the matching power adapter of the USG6320 from 60 W to 36 W.
l Changed the BOM code of the 10GE optical module with an 80 km transmission distance
from 02310JFE to 02310SNN, and the corresponding external model from
LE2MXSC80FF0 to SFP-10G-ZR.

System
l Administrators: Added the device module to the object permission control items of
administrator roles on the NGFW.

High Availability
l Added the support for automatic backup of static routes.

Virtual System
l Added support for configuring a DHCP server and DHCP relay in virtual systems.
l Added DHCP Dynamic Address Lease and DHCP Static Address Lease to the resource
items that the root system administrator allocates to each virtual system.
l Added DHCP Server to the Popedom (permission) items of new administrator roles in virtual systems.

Networks
l DNS: Added support for a secondary DNS server for domain names to which DNS
transparent proxy does not apply. Once primary and secondary servers are specified for
such domain names, DNS requests are forwarded to the primary server and, if it is down,
to the secondary server. Requests are never forwarded to the DNS server configured on
the client.

User and User Authentication
l Supported incremental synchronization when importing users, user groups, or security
groups from an AD or LDAP server.
l Allowed multiple server paths (up to 16 sub-paths) to be selected when importing users,
user groups, or security groups from an AD or LDAP server.
l Supported configuring multiple portal authentication servers and portal authentication
templates.
l Supported configuring LDAP authentication filter fields that determine which users are
allowed to authenticate.

Object
l Devices and Device Groups: Added device and device group objects. Devices or device
groups can be referenced in security policies to control a specific type of TSM SSO device.

Security Policy and Content Security
l Security Policy: Access modes can be configured as matching conditions to implement
access mode-based control in TSM SSO scenarios.
l Security Policy: Devices can be configured as matching conditions to implement device
type-based control in TSM SSO scenarios.
l Antivirus: Supported detection of the EICAR test file, which can be used to verify the
antivirus configuration without handling real malware.
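As an added example (this code is not part of the Huawei guide), the following Python script builds the EICAR test file and serves it over HTTP so that a client behind the NGFW can try to download it. The function names, the port, the file name and the `is_valid_eicar` helper are this example's own choices. With an antivirus profile applied to the security policy between the client zone and the zone hosting this server, the download should be blocked and show up in the threat logs; if the client receives the intact 68-byte file, the profile is not being applied to that traffic.

```python
"""Added example (not from the Huawei guide): build and serve the EICAR test
file to check that an antivirus profile on the NGFW blocks and logs it.
Function names, the port and the file name are this example's own choices."""
import hashlib
from http.server import BaseHTTPRequestHandler, HTTPServer

# The 68-byte EICAR string is assembled from fragments so that this source
# file itself does not start with the full signature and get quarantined.
_EICAR_PARTS = (
    "X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    "EICAR-STANDARD-ANTIVIRUS-TEST-FILE",
    "!$H+H*",
)
EICAR_MD5 = "44d88612fea8a8f36de82e1278abb02f"  # published checksum of the test file


def eicar_bytes() -> bytes:
    """Return the canonical 68-byte EICAR test file."""
    return "".join(_EICAR_PARTS).encode("ascii")


def eicar_md5(data: bytes) -> str:
    """MD5 of a candidate file, for comparison with EICAR_MD5."""
    return hashlib.md5(data).hexdigest()


def is_valid_eicar(data: bytes) -> bool:
    """Check a downloaded file against the EICAR definition: it must start with
    the 68-byte string, anything after it may only be whitespace, and the whole
    file may be at most 128 bytes. Use it on what arrives at the client: a
    truncated or altered file means the download was tampered with or blocked."""
    body = eicar_bytes()
    if len(data) > 128 or not data.startswith(body):
        return False
    return data[len(body):].strip(b" \t\r\n") == b""


class _EicarHandler(BaseHTTPRequestHandler):
    """Serve the test file as an attachment on any path."""

    def do_GET(self):
        payload = eicar_bytes()
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Disposition", 'attachment; filename="eicar.com"')
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, fmt, *args):  # keep the console quiet
        return


def serve_eicar(bind: str = "0.0.0.0", port: int = 8080) -> None:
    """Block and serve the test file; run this on a host in the server zone."""
    HTTPServer((bind, port), _EicarHandler).serve_forever()


if __name__ == "__main__":
    print("MD5 of the served test file:", eicar_md5(eicar_bytes()))
    print("Serving on port 8080; download http://<this-host>:8080/eicar.com through the NGFW")
    serve_eicar()
```

Run the script on a host in the protected server zone, then fetch `http://<host>:8080/eicar.com` from a client whose traffic crosses the NGFW. Compare the MD5 of anything that arrives with `EICAR_MD5`: a match means the antivirus profile did not act on this flow; a blocked download together with a new threat log entry confirms the configuration.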

Bandwidth Management
l Added public IP address matching: bandwidth can be limited by the public IP address
after source NAT translation or before NAT Server translation.
l Changed the implementation: when traffic leaves through the outbound interface, traffic
above the guaranteed bandwidth but below the maximum bandwidth is subject to the
interface bandwidth limit, whereas traffic within the guaranteed bandwidth is not.

VPN
l IPSec: Dialer interfaces and interfaces that obtain their IP addresses through DHCP can
now serve as local interfaces for IPSec intelligent link selection.
l DSVPN: Added reverse route injection. A branch or cascaded headquarters carries its
private network address in an NHRP message to the headquarters, which parses the
message and adds a static route to that private subnet.

Security Protection
l Attack Defense: Supported configuring DDoS attack defense using the CLI.
l Blacklist: Blacklist logs can be queried on the web UI for troubleshooting.

Monitoring
l Quintuple Packet Capture: Packet capture can be configured on the web UI by packet
direction and category, extending the quintuple packet capture options.

1.2 What's New in V100R001C30

Hardware
l Added the USG6306/6308 and USG6507.

System
l Admin: Added northbound API configuration. A client calls the NGFW's northbound API
over HTTP/HTTPS to communicate with the NGFW.
l License Management: Added trial licenses. The system provides a two-month trial license
covering functions such as antivirus, intrusion prevention, and remote URL query.
l Update Center: Added the location signature database. Users can download it from
https://sec.huawei.com for local upgrade to improve the NGFW's IP address geolocation.
l Update Center: The web UI shows the cause of, and the solution for, signature database
update failures.
l Information Push Configuration: The configuration method has changed. Previously, push
information was edited directly on the web UI; now you export the push information
template, edit it, and import it back to the device.

Networks
l Smart DNS: Added round-robin and weighted round-robin smart DNS.

User and User Authentication
l Portal Authentication: Added a setting for enabling or disabling the pushing of
information to the Portal server.

Security Policy and Content Security
l Security Policy: Users imported from AD or AD LDAP servers can be used as a matching
condition.
l Security Policy: Domain groups can be configured as a matching condition.

Proxy Policy
l TCP Proxy: Users imported from AD or AD LDAP servers can be used as a matching
condition.
l SSL Decryption: Domain names can be deleted from the predefined SSL domain name
whitelist.


Bandwidth Management
l Traffic Policy: Users imported from AD or AD LDAP servers can be used as a matching
condition.

Quota Control Policy
l Quota Control Policy: Users imported from AD or AD LDAP servers can be used as a
matching condition.

VPN
l Added IPSec intelligent link selection.
l Added the IKE user table, which maps remote IKE peer IDs to pre-shared keys. In
point-to-multipoint scenarios, when IPSec is configured at the headquarters and the IKE
peer references the IKE user table, the NGFW looks up the pre-shared key by peer ID
during IKE negotiation to complete authentication. Each branch can therefore use its own
ID and pre-shared key instead of one key shared by all branches.
l Added static reverse route injection (RRI) for IPSec policies in IKE mode. In
point-to-multipoint deployments, once static RRI is enabled at a branch, routes to the
headquarters' private network are generated automatically.
l Changed the default traffic-based lifetime of an IPSec SA from 1843200 KB to
200000000 KB (roughly 200 GB). A larger lifetime means more data is protected under one
SA key before rekeying, so set a lower value explicitly where policy requires more
frequent rekeys.

SSL VPN
l Added support for Windows 8.1 and Windows 2012 in the host check function.
l Added an OS login password check to the host check function. The NGFW checks whether
the terminal has a login password set; if not, the terminal fails the rule check.
l Added web UI settings for the SSL version, cipher suite, session timeout, and SSL session
entry lifetime.

Security Protection
l Ping Proxy: Added the ping proxy function. The NGFW answers large volumes of ping
requests on behalf of the server to reduce the server's load.

Monitoring
l System Statistics: Supported the display of system incremental statistics.

1.3 What's New in V100R001C20SPC700

Hardware
l The AC power module of the USG6680 was increased from 350 W to 700 W, greatly
increasing the power budget for interface expansion.
l The 1 U devices
(USG6306/6308/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570/6620/6630)
and 3 U devices (USG6650/6660/6670/6680) can be mounted in a 19-inch standard cabinet
using adjustable guide rails.

System
l Administrators: When administrator accounts and passwords are stored on a third-party
authentication server rather than on the NGFW, the NGFW uses domain authentication for
these administrators. Once authenticated, they manage the NGFW with the permissions
that the authentication server specifies.
l Log output: Added the ability to send the syslogs of a specified module to a specified
log server, for more flexible log storage.
l Log output: Added sending session logs in syslog format to a syslog server. When both
a syslog server and a binary log server are configured on the NGFW, session logs are sent
in both formats to the respective servers.
l Upgrade through USB: Added automatic upgrade through USB, so administrators no longer
need to run the upgrade command on each NGFW when upgrading one or many devices.
This simplifies the upgrade process and improves upgrade efficiency.
l System upgrade: Added SSL VPN client patch loading on the NGFW. By loading client
patch files, you can update SSL VPN client components such as the standalone client
installation package, client management program installation package, client Internet
Explorer control, and client certificate filtering plug-in. When an updated client accesses
the virtual gateway, the gateway automatically updates the components installed on the
client.

High Availability
l Hot standby: Added automatic checking of configuration consistency between the active
and standby devices, with the check result written to a log.

Virtual System
l Added Security Group in the resource items that the root system administrator allocates
to each virtual system. Limiting the security group number of each virtual system prevents
a virtual system from preempting too much resources from other virtual systems.
l The NGFW identifies the administrators of different authentication domains and virtual
systems based on the fact whether the accounts that the administrators use to log in to the
NGFW carry an @ sign. To distinguish authentication domains and virtual systems, the
NGFW determines that the account with one @ sign belongs to the administrator of an
authentication domain, and the account with two @ signs belongs to the administrator of
a virtual system. For example, username@domainname@@vsysname stands for user
username that is authenticated by the domainname domain in virtual system vsysname.
Therefore, when you create a virtual system administrator, the administrator@virtual
system name format is changed to the administrator@@virtual system name format.
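The account-naming rule above, worked through as an added example (illustrative Python written for this page, not Huawei code or an NGFW command): the parser splits on the @@ separator first and only then on a single @, so that one @ yields an authentication domain and @@ yields a virtual system, and it rejects strings the rule does not cover (empty parts, stray @ signs). The function names and the constructed sample accounts are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

# Added example, not Huawei code: classify NGFW account strings by their '@' signs,
# following the rule stated in the release note:
#   name               -> local account, no authentication domain, no virtual system
#   name@domain        -> "name" authenticated by authentication domain "domain"
#   name@@vsys         -> administrator of virtual system "vsys"
#   name@domain@@vsys  -> "name" authenticated by "domain" inside virtual system "vsys"


@dataclass(frozen=True)
class AccountParts:
    user: str
    auth_domain: Optional[str]  # None when the account carries no single '@'
    vsys: Optional[str]         # None when the account carries no '@@'


def parse_account(account: str) -> AccountParts:
    """Split an account string into user name, authentication domain and virtual system.

    Raises ValueError for strings the rule does not cover: empty parts, more than
    one '@@', or more than one single '@'.
    """
    if not account:
        raise ValueError("empty account")
    # Match the '@@' separator first: a single-'@' split would otherwise cut
    # "user@@vsys" into "user" and "@vsys" and misread it as a domain account.
    head, vsys_sep, vsys = account.partition("@@")
    if vsys_sep and (not vsys or "@" in vsys):
        raise ValueError(f"malformed virtual system part in {account!r}")
    user, dom_sep, domain = head.partition("@")
    if not user:
        raise ValueError(f"missing user name in {account!r}")
    if dom_sep and (not domain or "@" in domain):
        raise ValueError(f"malformed authentication domain in {account!r}")
    return AccountParts(user, domain if dom_sep else None, vsys if vsys_sep else None)


def is_valid_account(account: str) -> bool:
    """True when parse_account accepts the string, False when it raises."""
    try:
        parse_account(account)
        return True
    except ValueError:
        return False


def vsys_admin_account(name: str, vsys: str) -> str:
    """Build a virtual-system administrator account in the current 'name@@vsys' format
    (the older 'name@vsys' spelling would now be read as an authentication domain)."""
    if not name or not vsys or "@" in name or "@" in vsys:
        raise ValueError("name and vsys must be non-empty and free of '@'")
    return f"{name}@@{vsys}"


if __name__ == "__main__":
    for sample in ("username@domainname@@vsysname", "admin@@vsys1", "admin@corp", "admin"):
        print(sample, "->", parse_account(sample))
```

The order of the two splits is the whole point: an account such as admin@vsys1 is a domain account under the new rule, and the same administrator must be written as admin@@vsys1 to keep its virtual-system meaning.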


Networks
l Interface: Added virtual MAC enabling for subinterfaces. In this way, you no longer need to
manually disable and enable subinterfaces to refresh the MAC address tables of the upstream
and downstream switches after an active/standby switchover.
l DNS: Added the function of specifying source addresses for DNS query packets. When the
NGFW initiates a DNS request to the DNS server, the NGFW can set the source address
or port of the DNS packet to prevent the DNS server from failing to respond to the query
due to route lookup failure.
l ARP: Added inner-VLAN proxy ARP to enable isolated PCs or routers in one VLAN to
communicate.

User and User Authentication


l Added the function of RADIUS SSO. The NGFW identifies and analyzes key packets
(accounting start packets, accounting update packets, and accounting end packets) between
users and the RADIUS server to obtain user authentication result and user-IP address
binding and implement access behavior control based on users, requiring no second
authentication.
l Added the function of security group-based user authentication and management. The
security groups on the AD and AD LDAP servers as well as the static/dynamic groups on
the Sun ONE LDAP server are usually used to control and manage the access of the users
in these groups to the resources and objects, such as networking sharing locations, files,
directories, and printers. The security group defined on the NGFW is a collective name of
the security groups on the AD and AD LDAP servers as well as the static/dynamic groups
on the Sun ONE LDAP server. The security group concept is introduced as a horizontal
organizational structure. Based on the horizontal organizational structure, users with
different organizational structures can be categorized into the same security group for
management.
l Added the connection to Sun ONE LDAP servers. The Sun ONE LDAP server can function
as a third-party authentication server or an import server. You can import user information
on the Sun ONE LDAP server to the NGFW.
l Separated the authentication server from the import server, removing the limitation that the
authentication server and the import server must be servers of the same type. If the authentication
server is an AD or AD LDAP server, the import server can be an AD, AD LDAP, or Sun ONE LDAP server.
If the authentication server is a Sun ONE LDAP server, the import server can be another
Sun ONE LDAP server.
l Added the function of customizing the authentication page title and link and the function
of switching languages (English and Chinese) on the authentication page to meet web page
customization requirements.
l Added a new action for processing authentication conflicts. When the NGFW does not
permit an account for multi-IP login and the account is discovered to have logged in at
another IP address, the NGFW forcibly logs out the user that has logged in and permits the
user at the current IP address to log in with the same account.
l Added the function of setting multi-IP login attributes for users in user groups and their
subgroups. That is, the NGFW can permit and deny multi-IP login from users in a user
group and its subgroups in a batch.
l Expanded the specification of local users on the USG6650/6660/6670 and NGFW Module
to 80,000.


l Added the support of configuring domain group as the matching condition in an
authentication policy.
l Canceled the limitation that the AD SSO service program (ADSSO_Setup.exe) can be
installed only on the AD domain controller. In the new version, ADSSO_Setup.exe can be
installed on any PC in the AD domain, including the AD domain controller. This change
is compatible with all existing versions and meets customers' high security requirements
on the AD domain controller about not installing any external programs.

Security Policy and Content Security


l Antivirus: Added the antivirus whitelist function. The NGFW does not perform virus detection
on whitelisted files. You can configure this function only on the CLI.
l URL filtering: Added the configuration of domain name rules in blacklist, whitelist, user-
defined categories, and predefined categories.
l URL filtering: Added the configuration of URL filtering action mode to the strict or loose
mode.
l File blocking: Changed the default action in the global configuration of file blocking from
Alert to Allow.
l File blocking: Added the configuration of the maximum number of decompression layers
and maximum file size in the global configuration of file blocking as well as the actions in
case the thresholds are exceeded.
l Application behavior control: Added the function of controlling the HTTP POST operation
content size. The alert and block thresholds can be set to effectively control the content
sizes in HTTP POST operations.

Proxy Policy
Expanded the SSL decryption policies to proxy policies. Proxy policies support the functions of
the existing SSL decryption policies through policy actions and add the TCP proxy function.
l When the policy action is SSL decryption, the NGFW decrypts the SSL traffic meeting the
specified policy and implements content security checks and audit on the decrypted traffic.
l When the policy action is TCP proxy, the NGFW functions as a TCP proxy for the traffic
matching the specified policy. The NGFW isolates the networks on both sides at the TCP
layer, blocks the direct access between both sides, and can effectively block illegitimate
access and malicious attacks.
l When the policy action is no proxy, the NGFW neither functions as a TCP proxy nor
decrypts the traffic.

Audit Policy and Audit Profile


l Added the function of bank reminder audit. You can configure this function only on the
CLI.

PBR
Added the support of configuring domain group as the matching condition in a PBR rule.


Bandwidth Management
l Added a command to set the maximum number of upstream, downstream, and all
connections.
l Added the dynamic equal distribution of bandwidth for each IP address based on the global
maximum bandwidth and number of online IP addresses.

VPN
l IPSec: An IKE or template security policy group can be applied to two interfaces that have
routes with different priorities. At a time, only one interface can establish an IPSec tunnel
with the peer. Otherwise, services may fail.
l IPSec: Added the function of copying IPSec policies on the web UI. You can copy an IPSec
policy and change the name, local port, peer address, local address, and data flow to be
encrypted to simplify policy configurations and improve usability.

SSL VPN
l Added the support for Internet Explorer 10/11 by SSL VPN.
l Added the support for TLS 1.1 and TLS 1.2 regarding SSL VPN.
l Added the support for 64-bit Internet Explorer running SSL VPN.

Security Protection
l IP-MAC binding: Added the support of IP-MAC binding checks for only the packets that
match a given ACL and are permitted by the ACL. You can configure this function only
on the CLI.

Monitoring
l Audit logs: You can obtain information about bank reminder behaviors from audit logs.
l Quintuple packet capture: Added the function of exporting quintuple packet capture
contents in CSV format to an administrator PC.

1.4 What's New in V100R001C20SPC200

Network
The maximum number of security zones supported by the root system is increased from 32
to 100.

SSL Decryption
Added the SSL certificate whitelist function.

User and User Authentication


l Added the session authentication mode for TSM SSO. Users can directly access HTTP
services, and the NGFW redirects the HTTP requests to the TSM portal authentication page.


l Added the function of importing the organizational structure of new TSM SSO users from
a server to the NGFW.
l Added the function of preferentially using the server organizational structure for policy
management when new TSM SSO users are temporary.

1.5 What's New in V100R001C20SPC100

Hardware
Based on V100R001C20, V100R001C20SPC100 provides the following hardware model
extensions:
l Added the desktop USG6310.
l Added the 1 U models of the USG6330, USG6350, USG6360, USG6530, USG6620, and
USG6630.
Refer to 1.9.1 Hardware for more details on the hardware models of V100R001C20SPC100.

System
l Added SecurID two-factor authentication of administrators. The password comprises a
static PIN code and a dynamic Token serial number.
l Deleted the original license deactivation function. Before you update a license file, run the
license revoke command to restore the original license file to the trial use state and obtain
a revoke code. Then use the revoke code to apply for a new license.
l Deleted intranet update from signature database upgrade and added signature database
upgrade through a proxy server.

Network
l Added interface off-line detection configuration on the interface configuration page on the
web UI. After you enable the off-line detection mode, the NGFW will implement content
security checks on the packets received from the interface and discard the packets after
checking.
l Added the function of creating Tunnel interfaces that use IPSec for encapsulation on the
interface configuration page on the web UI to implement IPSec tunneling.
l Added the DNS transparent proxy function. On a multi-ISP network, the NGFW changes
the destination addresses of DNS requests and forwards the DNS requests to different ISPs
to implement traffic load balancing.
l Added the smart DNS function. When an enterprise deploys a server for external users to
access and the DNS server is also deployed on the intranet, the NGFW modifies the DNS
reply packets so that the users of each ISP can have the corresponding ISP address.

Intelligent Uplink Selection


l Launched the intelligent uplink selection (multi-ISP) scheme. The NGFW automatically
selects routes based on link bandwidths, weights, and priorities.
l Integrated policy-based routing into the intelligent uplink selection page (Network >
Router > Intelligent Uplink Selection) on the web UI as a method of link selection based
on user-defined conditions. Intelligent uplink selection based on policy-based routes has a
higher priority than global intelligent uplink selection.
l Added multi-ISP link selection to policy-based routing. The NGFW can then automatically
select routes based on link bandwidths, weights, and priorities when the traffic matches
specific policy-based routes.
l Added the link health check function. The NGFW can then check link availability based
on multiple protocols.

SSL Decryption
Added SSL decryption policies to decrypt the SSL traffic that matches a specific decryption
policy and implement content security checks on the decrypted traffic. The NGFW supports
content security checks only for HTTPS.

User and User Authentication


l Added the support for independent user accounts in different authentication domains. Users
who belong to multiple authentication domains can use only one name. When creating a
user or user group, you must specify its authentication domain on the user organizational
structure.
l Added the support for the AD SSO no-plug-in mode. In this mode, the device listens to
authentication packets sent from the AD server to users to obtain user login information.

Bandwidth Management
l Expanded the levels of hierarchical policies from 2 to 4.
l Added the per-IP and per-user guaranteed bandwidth.
l Added the dynamic even allocation of bandwidth for each IP address based on the global
guaranteed bandwidth and number of online IP addresses.
l Changed the web UI for configuring interface bandwidth to Network > Interface, which
is more intuitive.

Quota Control Policy


Added quota control policies to control users' Internet access traffic and time to prevent
bandwidth abuse and improve productivity.

SSL VPN
l Added the functions of port forwarding, file sharing, and terminal security.
l Changed group-specific permission control to role-based permission control, added users/
groups to roles, and associated accessible resources.

Security Protection
Added the IDS interworking function. The IDS device then notifies the NGFW to block any
detected intrusion behaviors.

Added the ATIC interworking function. After detecting any DDoS attacks, the NGFW reports
traffic anomaly logs to the ATIC server.


Monitoring
Added traffic policy-specific reports in the traffic reports to guide administrators through traffic
policy optimization.

1.6 What's New in V100R001C20

System
Added the agile network function. The NGFW connects to the Controller and applies the
configurations delivered by the Controller.

1.7 What's New in V100R001C10SPC100

Virtual System
l Added New Session Rate in the resource items that the root system administrator allocates
to each virtual system. The new session rate indicates the number of new sessions a virtual
system can create in one second. Limiting the new session rate of each virtual system
prevents a virtual system from preempting too many resources from other virtual systems.

User and User Authentication


l Added the support of adding a new user for AD SSO to a specified local user group.

Object
l Domain group: A domain group is a collection of domain names. Currently, domain groups
are used only as the matching conditions of traffic policies.
l Schedule: A schedule can be accurate to seconds.

Security Policy and Content Security


l Security policy: A security policy can specify source and destination IP addresses through
wildcards.
l Security policy: A security policy supports user-defined policy-based persistent links and
session aging time.
l URL filtering: Added the function of changing the DSCP priorities of the HTTP packets
that access different categories of URLs, so that other network devices can take
differentiated actions on the traffic to different URLs.

Bandwidth Management
l Added object domain group matching conditions of traffic policies. After you configure
domain groups, the NGFW can limit the bandwidth of the traffic from or to the IP addresses
corresponding to the domain names in the domain group.


Security Protection
l Attack defense: Added traffic limiting for the defense against UDP flood attacks. The
NGFW uses traffic limiting to keep the UDP packets destined for the same address within a
threshold and directly discards the excess UDP packets to avoid network congestion.
l Attack defense: Added the advanced source detection for the defense against HTTP flood
attacks. After advanced source detection HTTP flood attack defense is enabled, users are
prompted to enter verification codes when they use browsers to access HTTP resources.
On botnets, verification codes fail to be entered. Therefore, advanced source detection is
more effective in attack defense than the basic mode. However, users must enter verification
codes manually, which affects users' Internet access experience.
l Attack defense: Added the illegitimate access attack defense function. If a packet matches
the security policy and is blocked by the content security check, the packet is considered
as an illegitimate access attack. When the number of illegitimate access packets from a
specific source IP address reaches the threshold in a period of time, the NGFW blocks the
packets and blacklists the IP address. All follow-up packets from this IP address are
discarded to achieve better security defense effects and improve the performance of the
intelligent awareness engine.
l Blacklist: Added the Illegitimate Access attack type in the dynamic blacklist.
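The two counting defenses listed above (per-destination UDP traffic limiting and per-source illegitimate-access blacklisting) share one shape: count events per key inside a time window and act once a threshold is reached. The following is an added Python sketch of that logic written for this page, not Huawei code; the thresholds, addresses, timestamps and class names are constructed assumptions, and the real NGFW parameters are those documented in the attack defense chapters.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set

# Added example, not Huawei code. Sketch of the two counting defenses named in the
# release note: per-destination UDP traffic limiting and per-source "illegitimate
# access" blacklisting. All thresholds, addresses and timestamps are constructed.


class WindowCounter:
    """Counts events per key inside a sliding time window of `window` seconds."""

    def __init__(self, window: float) -> None:
        self.window = window
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def add(self, key: str, ts: float) -> int:
        """Record one event for `key` at time `ts`; return how many are still in the window."""
        q = self._events[key]
        q.append(ts)
        while q and ts - q[0] >= self.window:  # drop events that aged out of the window
            q.popleft()
        return len(q)


class UdpFloodLimiter:
    """Keeps UDP packets to one destination within `threshold` per `window` seconds;
    packets above the threshold are discarded (the excess is counted, not forwarded)."""

    def __init__(self, threshold: int, window: float = 1.0) -> None:
        self.threshold = threshold
        self._counter = WindowCounter(window)

    def accept(self, dst_ip: str, ts: float) -> bool:
        return self._counter.add(dst_ip, ts) <= self.threshold


class IllegitimateAccessDefense:
    """Counts, per source IP, packets that matched a security policy but were blocked by
    content security. When `threshold` such packets arrive within `period` seconds the
    source goes on the dynamic blacklist and all later packets from it are discarded."""

    def __init__(self, threshold: int, period: float) -> None:
        self.threshold = threshold
        self._counter = WindowCounter(period)
        self.blacklist: Set[str] = set()

    def on_packet(self, src_ip: str, ts: float, blocked_by_content_security: bool) -> str:
        if src_ip in self.blacklist:
            return "discard"    # blacklisted source: dropped before any further inspection
        if not blocked_by_content_security:
            return "forward"    # traffic that passed content security does not count
        if self._counter.add(src_ip, ts) >= self.threshold:
            self.blacklist.add(src_ip)
            return "blacklist"  # threshold reached: packet blocked and source listed
        return "block"          # blocked by content security, still below the threshold


def udp_flood_demo() -> List[bool]:
    """Constructed trace: five packets to 10.0.0.5 inside 0.5 s against a limit of 3 per second."""
    limiter = UdpFloodLimiter(threshold=3, window=1.0)
    trace = [("10.0.0.5", 0.0), ("10.0.0.5", 0.1), ("10.0.0.5", 0.2), ("10.0.0.6", 0.25),
             ("10.0.0.5", 0.3), ("10.0.0.5", 0.4), ("10.0.0.5", 1.5)]
    return [limiter.accept(dst, ts) for dst, ts in trace]


def illegitimate_access_demo() -> List[str]:
    """Constructed trace: 203.0.113.7 is blacklisted on its third blocked packet within 60 s."""
    defense = IllegitimateAccessDefense(threshold=3, period=60.0)
    trace = [("203.0.113.7", 0, True), ("203.0.113.7", 5, True), ("203.0.113.7", 10, False),
             ("203.0.113.7", 20, True), ("203.0.113.7", 25, False), ("198.51.100.3", 30, True)]
    return [defense.on_packet(src, ts, blocked) for src, ts, blocked in trace]


if __name__ == "__main__":
    print(udp_flood_demo())
    print(illegitimate_access_demo())
```

Note that the limiter keys on the destination address while the blacklist keys on the source address, which is why the two are kept as separate objects over the same window counter; a packet from a blacklisted source is discarded before content security runs at all, which is the performance benefit the note describes.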

Monitoring
l Session table: Added the support of session ID or security policy-based session table
checking and clearing.

1.8 What's New in V100R001C10

Hardware
Based on V100R001C00, V100R001C10 provides the following hardware model extensions:
l Desktop-installed and 1U-high USG6000 NGFW products are newly provided.
l NGFW modules, or firewall service processing boards, are newly provided for Huawei
S7700/9700/12700 switches.
Refer to 1.9.1 Hardware for more details on the hardware models of V100R001C10.

System
l For hard disk-supported models, an alarm threshold can be newly set for log storage, so
that an alarm log is generated when log storage exceeds the threshold.
l For hard disk-supported models, the way of processing logs upon full storage can be newly
configured so that the logs are overwritten (default) or discarded.
l Across-Layer-3 MAC address identification is newly supported. When a Layer-3 network
device is between the NGFW and intranet PCs, the NGFW can still learn the MAC addresses
of the intranet PCs, which enables the NGFW to identify users' network traffic and control
network behaviors and permissions by MAC address.


High availability
l Hot standby: Hot standby for IPv6 is newly provided; hot standby is newly supported for
DHCP servers and DHCP relays.
l IP-Link: IP-Link for IPv6 is newly provided.

Virtual System
l A virtual system administrator can newly log in to the CLI by means of Telnet and STelnet.
V100R001C00 allows only login on the Web UI.
l Certain functions can be newly virtualized, including user and authentication, bandwidth
policy, audit policy, policy-based routing (PBR), application and application group, region
and region group, SSL VPN, IP-Link, IP-MAC binding, blacklist, DHCP, and content
security. Refer to 7.9.2 Function Availability for Virtual Systems for the functions
supported by virtual systems.

Network
l Sub-interface: Layer 2 Ethernet sub-interfaces and Eth-Trunk sub-interfaces are newly
supported.
l Layer 2 interface pair: Layer 2 interface pairs are newly supported and each pair has two
Layer 2 interfaces. Packets come in from one interface and go out from the paired one,
without the need to search the MAC forwarding table. Interface pairs are mainly used for
connecting NGFW modules and switches through Layer 2 interfaces.

Object
l Region and region group: This feature is newly provided to combine IP addresses by
location. Region and region groups are used to control policies and view log reports by
location.
Security policies, audit policies, bandwidth policies, and authentication policies can be
configured by location.
l Certificate: Users can apply for certificates online on the Web UI. V100R001C00 allows
only offline certificate application on the Web UI.

Security Policy and Content Security


l Security policy: Smart Policy is newly provided to simplify manual operations by the
system administrator. Smart Policy includes policy redundancy analysis, policy matching
analysis, and policy tuning based on application risks. Policy tuning based on application
risks auto-generates security policies by application type to provide deep content
protection.
When configuring security policies using the CLI, the system administrator can directly
use service protocol to reference a TCP/UDP port in the security policy to simplify user-
defined service configurations.
l Anti-virus: Heuristic detection is newly provided, which detects files that are likely to be viruses.
l Intrusion prevention: A blacklist is added in the signature exception action so that users
with malicious intentions and hosts under frequent attacks are auto-isolated.
l URL filtering: URL filtering by HTTPS is newly provided and the local server query
function is deleted.


l File blocking: Filtering by encrypted file types like DOC_ENC and PPT_ENC is newly
provided.
l IPv6 content security: Content security detection is newly provided for IPv6 traffic.

Audit policy
Auditing on QQ login/logout events is newly provided.

VPN
l IPSec
– IPSec is newly applicable in load balancing of hot standby. V100R001C00 allows IPSec
only in backup of hot standby.
– IPSec is newly applicable to IPv6 networks.
– IPSec is newly applicable to IPv6 over IPv4 and IPv4 over IPv6.
– RSA digital envelope authentication (rsa-de) is newly provided for the
authentication-method of the IKE security proposal.
– Several encryption and authentication algorithms, instead of one, can be newly selected.
When several encryption and authentication algorithms are selected, the system
automatically negotiates with the peer to select one. The SHA2 authentication algorithm
is newly provided. Refer to 20.2 IPSec for details.
– Three new groups are added for DH Group of the IKE security proposal and PFS of the
IPSec security policies, that is, group14, group15, and group16.
– The IPSec configuration process is optimized to simplify configurations by the system
administrator.
– The IPSec configuration Web UI is re-designed. On the new Web UI, IPSec can be
configured for point-to-point or point-to-multipoint application, and the
auto-negotiation function is provided to simplify configurations.
– A new IKEv1 exchange mode is newly provided for IKE peers, that is, auto in
exchange-mode { main | aggressive | auto }. When the device works as a sender,
the main mode applies; when the device works as a receiver, both main and
aggressive modes apply.
– A new packet encapsulation mode is newly provided for the IPSec security proposal,
that is, auto in encapsulation-mode { transport | tunnel | auto }. When the device
works as a sender, the tunnel mode applies; when the device works as a receiver,
both the transport and tunnel modes apply.
– When IPSec security policies are configured using a template, the reverse-route
enable function is newly available, which generates static routes leading to branch
nodes on the HQ device.
– When IPSec security policies are configured using a template, the security acl
public-ip-transparent function is newly available, which eliminates the need to
specify data flows to be protected.
l DSVPN
Dynamic smart virtual private network (DSVPN) is newly provided to dynamically create
tunnels between branch nodes. Without DSVPN, accesses between branch nodes have to
be transferred by HQ.


l SSL VPN
– An SSL VPN configuration wizard is provided on the Web UI to simplify configurations
by the system administrator.
– Several virtual gateways, instead of one, are newly supported. Services are independent
among the virtual gateways.
– An independent network extension client is newly provided to enable access to the intranet
by installing a VPN Agent, without any configuration. Terminal users can log in on the
virtual gateway UI, then download and install the client.
– The virtual gateway UI can be newly customized for terminal users, addressing
individual needs.

IPv6
Hot standby, IP-Link, IPSec, and content security are newly applicable to IPv6.

Monitoring
l Log report
– Email subscription to reports is newly provided.
– File blocking and data filtering reports are newly provided.
– More report types are provided for customizing reports.
l Traffic and threat map
Traffic and threat maps are newly provided to display global distribution of traffic and
threats, according to which the system administrator can take control measures.
l System diagnosis
Packet capture and discarded packet statistics based on quintuple (source and destination
IP addresses, source and destination port numbers, and protocol number) are newly
provided on the Web UI.
l Session table
Session tables can be newly viewed by source and destination security zones.
l Traffic statistics
The display all-traffic function is newly provided to display the total traffic at all physical
interfaces from the time of system start or traffic clearance to the time of statistics.

1.9 Feature Support


1.9.1 Hardware
Version | USG6000 Series | NGFW Module
V100R001C30 | Desktop-installed models: USG6310/USG6320. 1U-high models: USG6306/USG6308/USG6330/USG6350/USG6360/USG6370/USG6380/USG6390, USG6507/USG6530/USG6550/USG6570, USG6620/USG6630. 3U-high models: USG6650/USG6660/USG6670/USG6680. USG6306, USG6308, and USG6507 are newly provided. | ET1D2FW00S00, ET1D2FW00S01, ET1D2FW00S02. Applicable to Huawei S7700/9700/12700 switches of V200R005C00 or later.
V100R001C20SPC100 | Desktop-installed models: USG6310/USG6320. 1U-high models: USG6330/USG6350/USG6360/USG6370/USG6380/USG6390, USG6530/USG6550/USG6570, USG6620/USG6630. 3U-high models: USG6650/USG6660/USG6670/USG6680. USG6310, USG6330/USG6350/USG6360, USG6530, and USG6620/USG6630 are newly provided. | ET1D2FW00S00, ET1D2FW00S01, ET1D2FW00S02. Applicable to Huawei S7700/9700/12700 switches of V200R005C00 or later.
V100R001C10 | Desktop-installed models: USG6320. 1U-high models: USG6370/USG6380/USG6390, USG6550/USG6570. 3U-high models: USG6650/USG6660/USG6670/USG6680. Except USG6650/USG6660/USG6680, all the other models are newly provided. | ET1D2FW00S00, ET1D2FW00S01, ET1D2FW00S02. Applicable to Huawei S7700/9700/12700 switches of V200R005C00 or later.
V100R001C00 | 3U-high models: USG6650/USG6660/USG6680 | -


1.9.2 System

Device Management
Feature | USG6310/6320/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570/6620/6630 | USG6306/6308 | USG6650/6660/6670/6680 | NGFW Module (a)
Login on the Web UI (HTTP/HTTPS) | Yes | Yes | Yes | Yes
Login through the console port | Yes | Yes | Yes | Yes
Login through Telnet | Yes | Yes | Yes | Yes
Login through STelnet | Yes | Yes | Yes | Yes
Login through API | Yes | Yes | Yes | Yes
Role-based administrator permission control | Yes | Yes | Yes | Yes
Administrator authentication mode (local, RADIUS, HWTACACS, AD, LDAP, or SecurID) | Yes | Yes | Yes | Yes


a: The NGFW module supports redirecting to its console port through a switch.

System Time
Feature | USG6310/6320/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570/6620/6630 | USG6306/6308 | USG6650/6660/6670/6680 | NGFW Module
Manual setting | Yes | Yes | Yes | Yes
Network time protocol (NTP) | Yes | Yes | Yes | Yes


License Management
Feature | USG6310/6320/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570/6620/6630 | USG6306/6308 | USG6650/6660/6670/6680 | NGFW Module
License management | Yes | Yes | Yes | Yes

Across-Layer-3 MAC address identification
Feature | USG6310/6320/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570/6620/6630 | USG6306/6308 | USG6650/6660/6670/6680 | NGFW Module
Across-Layer-3 MAC address identification | Yes | Yes | Yes | Yes


SNMP/LLDP
Feature | USG6310/6320/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570/6620/6630 | USG6306/6308 | USG6650/6660/6670/6680 | NGFW Module
SNMP v1 | Yes | Yes | Yes | Yes
SNMP v2c | Yes | Yes | Yes | Yes
SNMP v3 | Yes | Yes | Yes | Yes
LLDP | Yes | Yes | Yes | Yes


Mail Service
Feature | USG6310/6320/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570/6620/6630 | USG6306/6308 | USG6650/6660/6670/6680 | NGFW Module
SMTP email server setting | No | Yes | Yes | No

Log/Alarm/Debugging Information Output
Feature | USG6310/6320/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570/6620/6630 | USG6306/6308 | USG6650/6660/6670/6680 | NGFW Module
Syslog output | Yes | Yes | Yes | Yes
Binary log output | Yes | Yes | Yes | Yes
Alarm information output | Yes | Yes | Yes | Yes
Debugging information output | Yes | Yes | Yes | Yes

File System
Feature | USG6310/6320/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570/6620/6630 | USG6306/6308 | USG6650/6660/6670/6680 | NGFW Module
CF card | Yes | Yes | Yes | No
Hard disk | No | Yes | Yes | No
EUSB | No | No | No | Yes
FTP/SFTP | Yes | Yes | Yes | Yes
TFTP | Yes | Yes | Yes | Yes


Update Center
Feature | USG6310/6320/6330/6350/6360/6370/6380/6390/6507/6530/6550/6570/6620/6630 | USG6306/6308 | USG6650/6660/6670/6680 | NGFW Module
Intrusion prevention signature database update | Yes | Yes | Yes | Yes
Virus signature database update | Yes | Yes | Yes | Yes
Application identification signature database update | Yes | Yes | Yes | Yes
Region identification signature database update | Yes | Yes | Yes | Yes

NQA

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

NQA                               Yes                       Yes        Yes             Yes

PMTU

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

PMTU discovery                    Yes                       Yes        Yes             Yes

NetStream

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

NetStream                         Yes                       Yes        Yes             Yes

1.9.3 High Availability

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Dual-system hot standby           Yes                       Yes        Yes             Yes
(IPv6/IPv4)
Electronic interface-based        No                        Yes        Yes             No
bypass
Link-group                        Yes                       Yes        Yes             Yes

IP-link
Interworking between dual-system  Yes                       Yes        Yes             Yes
hot standby and IP-Link
Interworking between static       Yes                       Yes        Yes             Yes
routing and IP-Link
Interworking between PBR and      Yes                       Yes        Yes             Yes
IP-Link
Interworking between DHCP and     Yes                       Yes        Yes             Yes
IP-Link

BFD
Interworking between BFD and      Yes                       Yes        Yes             Yes
static routing
Interworking between BFD and      Yes                       Yes        Yes             Yes
OSPF
Interworking between BFD and FRR  Yes                       Yes        Yes             Yes
Interworking between BFD and      Yes                       Yes        Yes             Yes
DHCP
Interworking between BFD and PBR  Yes                       Yes        Yes             Yes
Interworking between BFD and      Yes                       Yes        Yes             Yes
dual-system hot standby

1.9.4 Virtual System

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Layer 3 virtual system            Yes                       Yes        Yes             Yes
Layer 2 virtual system            Yes                       Yes        Yes             Yes
Resource allocation               Yes                       Yes        Yes             Yes
Virtual system administrator      Yes                       Yes        Yes             Yes
Access between virtual systems    Yes                       Yes        Yes             Yes
Access between the root system    Yes                       Yes        Yes             Yes
and virtual systems

NOTE
Refer to 7.9.2 Function Availability for Virtual Systems for the list of virtual system functions.

1.9.5 Networks

Interface

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Layer 3 Ethernet interface and    Yes                       Yes        Yes             Yes
subinterface
Layer 2 Ethernet interface and    Yes                       Yes        Yes             Yes
subinterface
Vlanif interface                  Yes                       Yes        Yes             Yes
Eth-Trunk interface and           Yes                       Yes        Yes             Yes
subinterface
Virtual template (VT) interface   Yes                       Yes        Yes             Yes
Tunnel interface                  Yes                       Yes        Yes             Yes
Dialer interface                  Yes                       Yes        Yes             Yes
Null interface                    Yes                       Yes        Yes             Yes
Loopback interface                Yes                       Yes        Yes             Yes
Interface pair                    Yes                       Yes        Yes             Yes

Security Zone

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Default security zone (local,     Yes                       Yes        Yes             Yes
trust, DMZ, or untrust)
User-defined security zones       Yes                       Yes        Yes             Yes

DNS

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

IPv4/IPv6 DNS client              Yes                       Yes        Yes             Yes
IPv4/IPv6 DNS proxy               Yes                       Yes        Yes             Yes
DDNS                              Yes                       Yes        Yes             Yes
DNS Transparent Proxy             Yes                       Yes        Yes             Yes
Smart DNS                         Yes                       Yes        Yes             Yes

DHCP

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

IPv4/IPv6 DHCP server             Yes                       Yes        Yes             Yes
IPv4/IPv6 DHCP relay              Yes                       Yes        Yes             Yes
IPv4/IPv6 DHCP client             Yes                       Yes        Yes             Yes

DHCP Snooping

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

DHCP server snooping attack       Yes                       Yes        Yes             Yes
MITM attack                       Yes                       Yes        Yes             Yes
IP/MAC spoofing attack            Yes                       Yes        Yes             Yes
DoS attack based on CHADDR        Yes                       Yes        Yes             Yes
changes
Forged DHCP reletting packet      Yes                       Yes        Yes             Yes
attack

Link Aggregation

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Manual link aggregation           Yes                       Yes        Yes             Yes
(Eth-Trunk interface)
LACP link aggregation             Yes                       Yes        Yes             Yes

PPP

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

PPP                               Yes                       Yes        Yes             Yes

PPPoE

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

IPv4 PPPoE server                 Yes                       Yes        Yes             Yes
IPv4/IPv6 PPPoE client            Yes                       Yes        Yes             Yes

MAC Address Table

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

MAC address table                 Yes                       Yes        Yes             Yes

ARP

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Static ARP                        Yes                       Yes        Yes             Yes
Dynamic ARP                       Yes                       Yes        Yes             Yes
Proxy ARP                         Yes                       Yes        Yes             Yes
Gratuitous ARP                    Yes                       Yes        Yes             Yes
Authorized ARP                    Yes                       Yes        Yes             Yes

IPv6 Neighbor Discovery

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

IPv6 ND                           Yes                       Yes        Yes             Yes
IPv6 SEND                         Yes                       Yes        Yes             Yes

VLAN

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

VLAN basics                       Yes                       Yes        Yes             Yes
Inter-VLAN communication          Yes                       Yes        Yes             Yes
through VLANIF
Inter-VLAN communication          Yes                       Yes        Yes             Yes
through Layer 3 subinterfaces
Inter-VLAN communication          Yes                       Yes        Yes             Yes
through Layer 2 subinterfaces

IP Performance

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

IPv4 source address verification  Yes                       Yes        Yes             Yes
Broadcast packet forwarding       Yes                       Yes        Yes             Yes
IPv4/IPv6 ICMP attribute          Yes                       Yes        Yes             Yes
IPv4/IPv6 TCP attribute           Yes                       Yes        Yes             Yes
Packet fragment processing        Yes                       Yes        Yes             Yes
(discard, buffer or forward)

1.9.6 Intelligent Uplink Selection

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

ISP Address Library Link          Yes                       Yes        Yes             Yes
Selection
Link Health Check                 Yes                       Yes        Yes             Yes
Global Route Selection Policies   Yes                       Yes        Yes             Yes

1.9.7 Router

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

IPv4/IPv6 static route            Yes                       Yes        Yes             Yes
RIP                               Yes                       Yes        Yes             Yes
OSPF                              Yes                       Yes        Yes             Yes
BGP                               Yes                       Yes        Yes             Yes
IS-IS                             Yes                       Yes        Yes             Yes
RIPng                             Yes                       Yes        Yes             Yes
OSPFv3                            Yes                       Yes        Yes             Yes
BGP4+                             Yes                       Yes        Yes             Yes
IPv4/IPv6 routing policy          Yes                       Yes        Yes             Yes
FRR                               Yes                       Yes        Yes             Yes
VPN instance                      Yes                       Yes        Yes             Yes
MPLS                              Yes                       Yes        Yes             Yes
Equal cost multipath (ECMP)       Yes                       Yes        Yes             Yes

1.9.8 User and User Authentication

Internet Access User Authentication Modes

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Local authentication              Yes                       Yes        Yes             Yes
Active directory (AD) single      Yes                       Yes        Yes             Yes
sign-on (SSO)
Terminal security management      Yes                       Yes        Yes             Yes
(TSM) SSO
RADIUS SSO                        Yes                       Yes        Yes             Yes
RADIUS authentication             Yes                       Yes        Yes             Yes
HWTACACS authentication           Yes                       Yes        Yes             Yes
AD authentication                 Yes                       Yes        Yes             Yes
LDAP authentication               Yes                       Yes        Yes             Yes
SecurID authentication            Yes                       Yes        Yes             Yes
No authentication                 Yes                       Yes        Yes             Yes

VPN Access User Authentication Modes

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Local authentication              Yes                       Yes        Yes             Yes
RADIUS authentication             Yes                       Yes        Yes             Yes
HWTACACS authentication           Yes                       Yes        Yes             Yes
AD authentication                 Yes                       Yes        Yes             Yes
LDAP authentication               Yes                       Yes        Yes             Yes
SecurID authentication            Yes                       Yes        Yes             Yes

User, User Group and Security Group

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Creating users and user groups    Yes                       Yes        Yes             Yes
Creating security groups          Yes                       Yes        Yes             Yes
Importing users and user groups   Yes                       Yes        Yes             Yes
from a CSV file
Importing security groups from    Yes                       Yes        Yes             Yes
a CSV file
Importing and synchronizing       Yes                       Yes        Yes             Yes
users and user groups from the
AD, LDAP, or TSM server
Importing and synchronizing       Yes                       Yes        Yes             Yes
users and security groups from
the AD, AD LDAP, or Sun ONE
LDAP server
Auto-adding authenticated users   Yes                       Yes        Yes             Yes
without a real device
Customizing terminal user         Yes                       Yes        Yes             Yes
authentication pages

Authentication Server

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

RADIUS server                     Yes                       Yes        Yes             Yes
HWTACACS server                   Yes                       Yes        Yes             Yes
AD server                         Yes                       Yes        Yes             Yes
LDAP server                       Yes                       Yes        Yes             Yes
SecurID server                    Yes                       Yes        Yes             Yes
TSM server                        Yes                       Yes        Yes             Yes

1.9.9 Object

Address and Address Group

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

IPv4 address                      Yes                       Yes        Yes             Yes
IPv6 address                      Yes                       Yes        Yes             Yes
Address group                     Yes                       Yes        Yes             Yes

Domain Group

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Domain Group                      Yes                       Yes        Yes             Yes

Region and Region Group

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Pre-defined region                Yes                       Yes        Yes             Yes
User-defined region               Yes                       Yes        Yes             Yes
Region group                      Yes                       Yes        Yes             Yes

Service and Service Group

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Predefined service                Yes                       Yes        Yes             Yes
User-defined service              Yes                       Yes        Yes             Yes
Service group                     Yes                       Yes        Yes             Yes

Application and Application Group

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Pre-defined application           Yes                       Yes        Yes             Yes
User-defined application          Yes                       Yes        Yes             Yes
Application group                 Yes                       Yes        Yes             Yes
Port mapping                      Yes                       Yes        Yes             Yes

Schedule

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Periodic time range               Yes                       Yes        Yes             Yes
Absolute time range               Yes                       Yes        Yes             Yes

Certificate

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Creating, importing, or           Yes                       Yes        Yes             Yes
exporting RSA key pairs
Online applying for a             Yes                       Yes        Yes             Yes
certificate using the SCEP
protocol
Offline applying for a            Yes                       Yes        Yes             Yes
certificate
Certificate update                Yes                       Yes        Yes             Yes
Verifying certificates using CRL  Yes                       Yes        Yes             Yes
Verifying certificates using      Yes                       Yes        Yes             Yes
OCSP
Certificate attribute-based       Yes                       Yes        Yes             Yes
access control

ACL

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

IPv4/IPv6 basic ACL               Yes                       Yes        Yes             Yes
IPv4/IPv6 advanced ACL            Yes                       Yes        Yes             Yes
MAC address-based ACL             Yes                       Yes        Yes             Yes

1.9.10 Security Policy and Content Security

Security Policy

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Configuring security policies     Yes                       Yes        Yes             Yes
manually
Configuring security policy       Yes                       Yes        Yes             Yes
based on templates
Policy redundancy analysis        No                        Yes        Yes             No
Policy matching analysis          No                        Yes        Yes             No
Policy tuning based on            No                        Yes        Yes             No
application risks

Antivirus

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

File transfer protocol virus      Yes                       Yes        Yes             Yes
detection (HTTP/FTP)
Email protocol virus detection    Yes                       Yes        Yes             Yes
(SMTP/POP3/IMAP)
File sharing protocol virus       Yes                       Yes        Yes             Yes
detection (NFS/SMB)

Intrusion Prevention

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Pre-defined signature             Yes                       Yes        Yes             Yes
User-defined signature            Yes                       Yes        Yes             Yes

URL Filtering

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

HTTP/HTTPS URL filtering          Yes                       Yes        Yes             Yes
Pre-defined URL categories        Yes                       Yes        Yes             Yes
User-defined URL categories       Yes                       Yes        Yes             Yes
Blacklist                         Yes                       Yes        Yes             Yes
Whitelist                         Yes                       Yes        Yes             Yes

File Blocking

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Blocking file transfer and        Yes                       Yes        Yes             Yes
recording alarms

Data Filtering

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Transfer file name and content    Yes                       Yes        Yes             Yes
filtering
Search keyword filtering          Yes                       Yes        Yes             Yes
Webpage content and network       Yes                       Yes        Yes             Yes
registry submission filtering
Twitter and poster filtering      Yes                       Yes        Yes             Yes
Mail title, body, attachment      Yes                       Yes        Yes             Yes
name, and attachment content
filtering

Application Behavior Control

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

HTTP behavior control             Yes                       Yes        Yes             Yes
FTP behavior control              Yes                       Yes        Yes             Yes

Mail Filtering

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Anti-spam                         Yes                       Yes        Yes             Yes
Anonymous email filtering         Yes                       Yes        Yes             Yes
Email address filtering           Yes                       Yes        Yes             Yes
Attachment size and count         Yes                       Yes        Yes             Yes
filtering

1.9.11 Proxy Policy

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

TCP proxy                         Yes                       Yes        Yes             Yes
SSL decryption                    Yes                       Yes        Yes             Yes
SSL decryption certificate        Yes                       Yes        Yes             Yes
SSL certificate whitelist         Yes                       Yes        Yes             Yes
function

1.9.12 Audit Policy

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

HTTP behavior audit               Yes                       Yes        Yes             Yes
FTP behavior audit                Yes                       Yes        Yes             Yes
Email-related behavior audit      Yes                       Yes        Yes             Yes
QQ login and logout behavior      Yes                       Yes        Yes             Yes
audit
Bank reminder audit               Yes                       Yes        Yes             Yes

1.9.13 NAT Policy

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Source NAT                        Yes                       Yes        Yes             Yes
Server static mapping (address    Yes                       Yes        Yes             Yes
mapping)
Server load-balancing (SLB)       Yes                       Yes        Yes             Yes
Destination NAT                   Yes                       Yes        Yes             Yes
NAT ALG                           Yes                       Yes        Yes             Yes

1.9.14 PBR

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

IPv4 policy-based routing         Yes                       Yes        Yes             Yes
IPv6 policy-based routing         Yes                       Yes        Yes             Yes
Intelligent uplink selection      Yes                       Yes        Yes             Yes
based on policy-based routes

1.9.15 Bandwidth Management

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Interface bandwidth               Yes                       Yes        Yes             Yes
Total guaranteed bandwidth        Yes                       Yes        Yes             Yes
Total maximum bandwidth           Yes                       Yes        Yes             Yes
Dynamic equal distribution        Yes                       Yes        Yes             Yes
Per-IP-address or per-user        Yes                       Yes        Yes             Yes
maximum bandwidth
Maximum connections               Yes                       Yes        Yes             Yes
Per-IP-address or per-user        Yes                       Yes        Yes             Yes
connections
Remarking packet priority         Yes                       Yes        Yes             Yes
Bandwidth multiplexing            Yes                       Yes        Yes             Yes

1.9.16 Quota Control Policy

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Quota Control Policy              Yes                       Yes        Yes             Yes
User Quota Management             Yes                       Yes        Yes             Yes

1.9.17 VPN

IPSec

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

IPSec in manual mode              Yes                       Yes        Yes             Yes
IPSec based on IKE1 negotiation   Yes                       Yes        Yes             Yes
IPSec based on IKE2 negotiation   Yes                       Yes        Yes             Yes
L2TP over IPSec                   Yes                       Yes        Yes             Yes
GRE over IPSec                    Yes                       Yes        Yes             Yes
IPSec tunnel                      Yes                       Yes        Yes             Yes
IPSec hot standby                 Yes                       Yes        Yes             Yes
IPSec multi-instance              Yes                       Yes        Yes             Yes
IPv6 IPSec                        Yes                       Yes        Yes             Yes

L2TP

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

LNS                               Yes                       Yes        Yes             Yes
LAC                               Yes                       Yes        Yes             Yes
NAS-initiated L2TP VPN            Yes                       Yes        Yes             Yes
Establishing a tunnel by LAC      Yes                       Yes        Yes             Yes
automatic dial-up
Client-initiated VPN              Yes                       Yes        Yes             Yes
L2TP multi-instance               Yes                       Yes        Yes             Yes

GRE

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Static route-based GRE tunnel     Yes                       Yes        Yes             Yes
Dynamic route-based GRE tunnel    Yes                       Yes        Yes             Yes

DSVPN

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

MGRE tunnel                       Yes                       Yes        Yes             Yes
Maintaining public addresses of   Yes                       Yes        Yes             Yes
branch nodes using NHRP
Static route-based DSVPN          Yes                       Yes        Yes             Yes
Dynamic route-based DSVPN         Yes                       Yes        Yes             Yes

BGP/MPLS IP VPN

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

BGP/MPLS IP VPN                   Yes                       Yes        Yes             Yes

1.9.18 SSL VPN

Feature                           USG6310/6320/6330/6350/   USG6306/   USG6650/6660/   NGFW
                                  6360/6370/6380/6390/      6308       6670/6680       Module
                                  6507/6530/6550/6570/
                                  6620/6630

Multiple virtual gateways         Yes                       Yes        Yes             Yes
Web proxy                         Yes                       Yes        Yes             Yes
Network extension                 Yes                       Yes        Yes             Yes
File Sharing                      Yes                       Yes        Yes             Yes
Port Forwarding                   Yes                       Yes        Yes             Yes
Host Check                        Yes                       Yes        Yes             Yes
Cache Clearing                    Yes                       Yes        Yes             Yes
Login page customizing for        Yes                       Yes        Yes             Yes
virtual gateways

User Authentication
Local authentication              Yes                       Yes        Yes             Yes
LDAP authentication               Yes                       Yes        Yes             Yes
AD authentication                 Yes                       Yes        Yes             Yes
RADIUS authentication             Yes                       Yes        Yes             Yes
HWTACACS authentication           Yes                       Yes        Yes             Yes
SecurID authentication            Yes                       Yes        Yes             Yes
Certificate-based anonymous       Yes                       Yes        Yes             Yes
authentication
Certificate challenge             Yes                       Yes        Yes             Yes
authentication

1.9.19 Security Protection

Attack Defense
Feature | USG6310, USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module

Anti-DDoS
SYN flood attack defense | Yes | Yes | Yes | Yes
UDP flood attack defense | Yes | Yes | Yes | Yes
ICMP flood attack defense | Yes | Yes | Yes | Yes
HTTP flood attack defense | Yes | Yes | Yes | Yes
HTTPS flood attack defense | Yes | Yes | Yes | Yes
DNS request flood attack defense | Yes | Yes | Yes | Yes
DNS response flood attack defense | Yes | Yes | Yes | Yes
SIP flood attack defense | Yes | Yes | Yes | Yes

Single-Packet Attack Defense
IP address sweep attack defense | Yes | Yes | Yes | Yes
Port scan attack defense | Yes | Yes | Yes | Yes
IP-spoofing attack defense | Yes | Yes | Yes | Yes
IP fragment packet attack defense | Yes | Yes | Yes | Yes
Teardrop attack defense | Yes | Yes | Yes | Yes
Smurf attack defense | Yes | Yes | Yes | Yes
Ping of death attack defense | Yes | Yes | Yes | Yes
Fraggle attack defense | Yes | Yes | Yes | Yes
WinNuke attack defense | Yes | Yes | Yes | Yes
Land attack defense | Yes | Yes | Yes | Yes
ARP spoofing attack defense | Yes | Yes | Yes | Yes
Large ICMP packet attack defense | Yes | Yes | Yes | Yes
ICMP unreachable packet attack defense | Yes | Yes | Yes | Yes
ICMP redirection packet attack defense | Yes | Yes | Yes | Yes
Tracert packet attack defense | Yes | Yes | Yes | Yes
Attack defense against IP packets with the source routing option | Yes | Yes | Yes | Yes
Attack defense against IP packets with the route record option | Yes | Yes | Yes | Yes
Attack defense against IP packets with the timestamp option | Yes | Yes | Yes | Yes
Illegitimate access attack defense | Yes | Yes | Yes | Yes

Other
ATIC Interworking | Yes | Yes | Yes | Yes

Ping Proxy
Feature | USG6310, USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module
Ping Proxy | Yes | Yes | Yes | Yes

Blacklist
Feature | USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module
Static blacklist | Yes | Yes | Yes | Yes
Dynamic blacklist | Yes | Yes | Yes | Yes

IP-MAC Binding
Feature | USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module
Single binding | Yes | Yes | Yes | Yes
Batch binding | Yes | Yes | Yes | Yes

Application Specific Packet Filter (ASPF)
Feature | USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module
Multi-channel protocol ASPF | Yes | Yes | Yes | Yes
ActiveX blocking and Java blocking ASPF | Yes | Yes | Yes | Yes
User-defined protocol ASPF | Yes | Yes | Yes | Yes

MAC Address-Based Packet Filtering
Feature | USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module
MAC address-based packet filtering | Yes | Yes | Yes | Yes

URPF
Feature | USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module
IPv4 URPF | Yes | Yes | Yes | Yes
IPv6 URPF | Yes | Yes | Yes | Yes

GTP
Feature | USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module
GTP packet filtering | Yes | Yes | Yes | No
Defense against GTP overbilling attacks | Yes | Yes | Yes | No
GTP-in-GTP filtering | Yes | Yes | Yes | No
Limiting on the traffic and number of tunnels | Yes | Yes | Yes | No

Interworking with the IDS
Feature | USG6310, USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module
Interworking with the IDS | Yes | Yes | Yes | Yes

Interworking with the TSM
Feature | USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module
Receiving access control policies distributed by TSM | Yes | Yes | Yes | Yes
User-defining TSM interworking policies | Yes | Yes | Yes | Yes
TSM server status check and emergency channel | Yes | Yes | Yes | Yes
1.9.20 IP Multicast

Feature | USG6310, USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module
IGMP snooping | Yes | Yes | Yes | Yes
IGMP snooping proxy | Yes | Yes | Yes | Yes
IGMP | Yes | Yes | Yes | Yes
PIM-DM | Yes | Yes | Yes | Yes
PIM-SM | Yes | Yes | Yes | Yes
MSDP | Yes | Yes | Yes | Yes
Multicast routing and forwarding | Yes | Yes | Yes | Yes

1.9.21 IPv6 Transition Technologies

Feature | USG6310, USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module
NAT64 | Yes | Yes | Yes | Yes
IPv6 over IPv4 tunnel | Yes | Yes | Yes | Yes
IPv4 over IPv6 tunnel | Yes | Yes | Yes | Yes

1.9.22 Monitoring and System Diagnosis

Log Report
Feature | USG6310, USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module

Viewing logs on the Web UI
Traffic log | No | Yes | Yes | Yes
Threat log | No | Yes | Yes | Yes
URL log | No | Yes | Yes | Yes
Content log | No | Yes | Yes | Yes
Operation log | No | Yes | Yes | Yes
System log | No | Yes | Yes | Yes
User activity log | No | Yes | Yes | Yes
Policy matching log | No | Yes | Yes | Yes
Mail filtering log | No | Yes | Yes | Yes
Audit log | No | Yes | Yes | No

Viewing reports on the Web UI
Report customizing | No | Yes | Yes | No
Email subscription to reports | No | Yes | Yes | No
Traffic report | No | Yes | Yes | Yes
Threat report | No | Yes | Yes | Yes
URL report | No | Yes | Yes | Yes
Policy matching report | No | Yes | Yes | Yes
File blocking report | No | Yes | Yes | Yes
Data filtering report | No | Yes | Yes | Yes

Map
Traffic map | No | Yes | Yes | Yes
Threat map | No | Yes | Yes | Yes

Session table and server map
Feature | USG6310, USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module
Session table | Yes | Yes | Yes | Yes
Server-map | Yes | Yes | Yes | Yes
Status detection mechanism | Yes | Yes | Yes | Yes
Persistent connection | Yes | Yes | Yes | Yes

System Statistics
Feature | USG6310, USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module
Global system statistics | Yes | Yes | Yes | Yes
Total traffic statistics at all physical interfaces | Yes | Yes | Yes | Yes
Historical traffic statistics by interface or system | Yes | Yes | Yes | Yes
Statistics on new connections | Yes | Yes | Yes | Yes

System Diagnosis
Feature | USG6310, USG6320, USG6330, USG6350, USG6360, USG6370, USG6380, USG6390, USG6507, USG6530, USG6550, USG6570, USG6620, USG6630 | USG6306, USG6308 | USG6650, USG6660, USG6670, USG6680 | NGFW Module
IPSec diagnosis | Yes | Yes | Yes | Yes
Web page diagnosis | Yes | Yes | Yes | Yes
Packet tracing | Yes | Yes | Yes | Yes
Ping and Tracert diagnosis (IPv6/IPv4) | Yes | Yes | Yes | Yes
Information collection | Yes | Yes | Yes | Yes
Packet capturing based on quintuple | Yes | Yes | Yes | Yes
Statistics on packet discarding based on quintuple | Yes | Yes | Yes | Yes
Port mirroring | Yes | Yes | Yes | Yes

2 Getting Started

2.1 Overview of the Next Generation Firewall


This section describes the background from which the next generation firewall was developed
and important concepts to help you better understand the firewall.

2.1.1 Traditional Firewall


Traditional firewalls control traffic based on the 5-tuple of packets, which can no longer prevent
the security risks that emerge as networks develop.

As network security devices, traditional firewalls are usually deployed at network borders. These
firewalls use the following mechanisms to filter and forward packets:

l Determine the services of packets based on the protocol and source or destination port. For
example, the service of the TCP packet that uses port 21 is FTP service, and that of the
TCP packet that uses port 80 is HTTP service. Traditional firewalls control packets by port
to enable or disable certain network services.
l Check the validity of packets based on the IP addresses to determine whether to forward
or drop the packets.
l Use the 5-tuple (source and destination IP addresses, source and destination ports, and
protocol) to define a data flow. Deeming that all packets of a data flow have the same
security level, a traditional firewall checks the validity of only the first packet of a data
flow. If the first packet passes the validity check, the firewall establishes a session and
forwards the subsequent packets based on the session.

However, traditional firewalls are no longer capable of resolving the following problems that
emerge on networks.

l Port-based service identification cannot:
– Manage unknown applications, such as P2P applications, that use an ephemeral or random port.
– Manage the web-based services that use the same protocol but have different security levels, such as web-based email, games, video streaming, and instant messaging, which all use HTTP and port 80.
– Control illegitimate online behaviors under the cover of a legitimate service. For example, a hacker exploits the vulnerabilities of a web browser to break into a computer.
l IP-based traffic control cannot:
– Defend networks against distributed denial of service (DDoS) attacks that are launched using zombie hosts.
– Prevent network spoofing and permission interception carried out by forging source IP addresses.
– Control the permissions of users who use varied IP addresses, such as mobile workers and teleworkers.
l Flow-based validity check on the first packet cannot:
– Continuously protect the network, for example, by blocking the worms, viruses, or Trojan horses that are unintentionally downloaded during network access.
– Detect and manage application-layer protocols, for example, by controlling file transfer to prevent information leaks.

2.1.2 Next Generation Firewall


The next generation firewall implements in-depth detection on applications and contents to
enhance network security.

Overview
To help enterprises tackle security problems that emerge during network development, Huawei
launches the next generation firewall, the USG6000 series (NGFW for short).

For current networks, a port and protocol can no longer represent an application. Catering to this
trend, Huawei NGFW implements in-depth detection on applications and contents to provide
enhanced security defense capabilities. Even when the first packet of a flow is secure, subsequent
packets may not be. To resolve this problem and improve detection efficiency, the NGFW provides the
one-time scanning and real-time detection mechanisms.

l In one-time scanning, the NGFW uses the Intelligent Awareness Engine (IAE) for all security functions to scan the packets once and extract all necessary data, including the application, content, and potential threats contained in the traffic. Even with all security functions enabled, device performance does not deteriorate significantly.
l In real-time detection, the NGFW uses the high-performance IAE to inspect all data packets in real time. The NGFW constantly discovers and blocks risks to secure the network.

The NGFW identifies thousands of applications and defends networks against application-layer
network intrusions, worms, viruses, Trojan horses, and other attacks. The NGFW uses only one
policy to implement all security functions on every data flow. You can reference the following
security profiles in a security policy.

Security Profile | Description
Antivirus | The NGFW scans files transmitted over the network for viruses and generates alarms or blocks the virus-infected files based on the action specified in the antivirus profile.
Intrusion Prevention | The NGFW monitors or analyzes system events to detect and take specific actions on intrusions in real time.
URL Filtering | The NGFW controls access to URLs to regulate users' online behaviors.
Data Filtering | The NGFW blocks the traffic that contains sensitive and confidential information to prevent information leaks and disclosure.
File Blocking | The NGFW blocks the specified types of files to prevent information leaks and reduce the risk of malicious code execution and virus infection over an intranet.
Application Behavior Control | The NGFW controls common HTTP and FTP behaviors, such as HTTP or FTP file upload and download, HTTP POST, web browsing, and Internet access using an HTTP proxy.
Mail Filtering | The NGFW filters spam mail, and filters emails based on the addresses of the email senders and receivers, as well as the size and number of email attachments.

For existing networks, traffic control by IP address alone is not accurate. To accurately control
traffic, the NGFW provides authentication management over users and uses the 7-tuple-based
security policies. (7-tuple refers to the source and destination IP addresses, source and destination
ports, service, application, and user.)

l A single NGFW provides sufficient firewall functionality for you to create, manage, and
authenticate intranet users and implement permission control and security checks. If an
intranet already has a user management system, such as an Active Directory (AD) server,
RADIUS server, HWTACACS server, LDAP server, or SecurID server, the NGFW can
synchronize user information from that system. The NGFW can also synchronize users'
online information with an AD, LDAP, or TSM server in real time. For details on user
authentication, see 2.1.3 User.
l With its user management and application identification capabilities, the NGFW uses 7-
tuple-based security policies to implement packet filtering and content security monitoring
on specific traffic of specific users, which helps enterprises adapt to changing networks
and meet the requirements of networks with varied IP addresses, such as mobile office
networks. For details on security policies, see 2.1.4 Policy.
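
To make the contrast between 5-tuple and 7-tuple control concrete, here is an added Python model (not Huawei code and not part of this guide): a traditional firewall that validates only the first packet of a flow and then forwards on the session, beside an NGFW-style matcher that identifies the application from content and the user from an IP-to-user mapping and evaluates a 7-tuple policy on every packet. The content signatures, addresses, user name and policies are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of the two approaches in 2.1.1 and 2.1.2 (hypothetical, not Huawei code).
FiveTuple = Tuple[str, str, int, int, str]  # src_ip, dst_ip, src_port, dst_port, protocol

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    payload: str = ""  # stand-in for application-layer content

# --- Traditional firewall: port = service, first packet of a flow decides the session ---
PORT_SERVICES = {21: "ftp", 80: "http"}  # the two port-to-service examples the guide gives

def service_by_port(pkt: Packet) -> str:
    # Port-based identification: the service is whatever the destination port implies.
    return PORT_SERVICES.get(pkt.dst_port, "unknown")

class TraditionalFirewall:
    """Validates only the first packet of each 5-tuple flow, then forwards on the session."""

    def __init__(self, allowed_services):
        self.allowed = set(allowed_services)
        self.sessions: Dict[FiveTuple, str] = {}

    @staticmethod
    def flow_key(pkt: Packet) -> FiveTuple:
        # Order the endpoints so both directions of a flow hit the same session entry.
        lo, hi = sorted([(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)])
        return (lo[0], hi[0], lo[1], hi[1], pkt.protocol)

    def forward(self, pkt: Packet) -> bool:
        key = self.flow_key(pkt)
        if key in self.sessions:  # later packets are never re-validated; payload is not seen
            return True
        service = service_by_port(pkt)
        if service in self.allowed:
            self.sessions[key] = service
            return True
        return False

# --- NGFW: application from content, user from authentication, 7-tuple policy per packet ---
@dataclass
class Policy:
    """One 7-tuple security policy; a None field means 'any'."""
    src_ip: Optional[str]
    dst_ip: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    service: Optional[str]
    application: Optional[str]
    user: Optional[str]
    action: str  # "permit" or "deny"

    def matches(self, pkt: Packet, service: str, application: str, user: str) -> bool:
        actual = (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port, service, application, user)
        wanted = (self.src_ip, self.dst_ip, self.src_port, self.dst_port,
                  self.service, self.application, self.user)
        return all(w is None or w == a for w, a in zip(wanted, actual))

# Constructed content signatures: the application is what the traffic looks like, not its port.
APP_SIGNATURES = {"webmail": "GET /mail/", "p2p-share": "BitTorrent protocol", "web-browsing": "GET /"}

def identify_application(pkt: Packet) -> str:
    for app, sig in APP_SIGNATURES.items():  # most specific signature first
        if sig in pkt.payload:
            return app
    return "unknown"

class Ngfw:
    def __init__(self, policies, ip_to_user: Dict[str, str]):
        self.policies = list(policies)
        self.ip_to_user = dict(ip_to_user)  # user-to-IP mapping that authentication (2.1.3) yields

    def forward(self, pkt: Packet) -> bool:
        service = service_by_port(pkt)
        application = identify_application(pkt)
        user = self.ip_to_user.get(pkt.src_ip, "unknown")
        for pol in self.policies:  # first matching policy decides
            if pol.matches(pkt, service, application, user):
                return pol.action == "permit"
        return False  # nothing matched: deny

def demo() -> Dict[str, Tuple[bool, bool]]:
    # Constructed flow on TCP/80: a web request, then a P2P handshake on the same 5-tuple.
    first = Packet("10.1.1.5", "203.0.113.9", 40000, 80, "tcp", "GET / HTTP/1.1")
    later = Packet("10.1.1.5", "203.0.113.9", 40000, 80, "tcp", "BitTorrent protocol")
    legacy = TraditionalFirewall(allowed_services=["http"])
    ngfw = Ngfw(policies=[Policy(None, None, None, None, None, "p2p-share", None, "deny"),
                          Policy(None, None, None, None, "http", None, "marketing_a", "permit")],
                ip_to_user={"10.1.1.5": "marketing_a"})
    return {"legacy": (legacy.forward(first), legacy.forward(later)),
            "ngfw": (ngfw.forward(first), ngfw.forward(later))}
```

The traditional model forwards the P2P packet because the session already exists, while the 7-tuple policy denies it on the re-identified application; an unauthenticated source IP maps to user "unknown" and matches no user-bound permit.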

The NGFW also supports:

l Intuitive management and maintenance
You can configure and diagnose functions and monitor their operating statuses on the Web UI of the NGFW. The Web UI also provides diversified logs and reports for you to learn the network status and adjust device configurations accordingly. For details on the Web UI, see 2.1.5 Visualized Management and Maintenance.
l IPv6
For details, see 2.1.6 IPv6.


How to Deploy the Next Generation Firewall Using the Administrator Guide
For optimum understanding, read this Administrator Guide in the order illustrated in the
following figure, which is also the order to deploy the NGFW.

Figure: reading order of this guide (flowchart rendered as a list)

l For beginners and fast deployment
– Read "Getting Started" to learn about the basic knowledge.
– Refer to the guide for fast initialization.
– Select one from the three common application scenarios.
– Read the following chapters to learn more about the available functions.
l Configure the system for the device to work properly.
– Read "Panel" to learn about the current status of the device.
– Read "System" to learn about how to configure basic device parameters and system management functions.
– Read "High Availability" to learn about how to configure dual-system hot backup and other high availability functions.
l Configure the network to enable network communication.
– Read "Network" to learn about how to configure network-layer protocols and basic network functions.
– Read "IP Routing" to learn about how to configure routing protocols.
– Read "VPN" and "SSL VPN" to learn about how to establish tunnels between private networks over the Internet.
– Read "IPv6 Transition Technologies" and "IP Broadcast" to learn about how to configure advanced network-layer protocols.
l Configure objects to manage the common factors referenced in all policies.
– Read "Object" to learn about how to create objects, such as addresses, applications, and schedules.
l Configure policies to secure the network and manage the traffic.
– Read "User and Authentication" to learn about how to form a user authentication system and configure authentication policies to obtain user information from the traffic.
– Read "Security Policy and Profile" to learn about how to configure security policies to associate users, addresses, applications, schedules, and profiles and determine the solution for protecting each traffic flow.
– Read "NAT Policies" to learn about how to configure NAT policies to conceal intranet IP addresses and reduce the usage of public IP addresses.
– Read "Policy-Based Routing" to learn about how to configure policy-based routes to control traffic forwarding in multi-ISP networks.
– Read "Security Defense" to learn about how to configure attack defense and blacklist to defend against DDoS attacks and common single-packet attacks.
– Read "Bandwidth Management" to learn about how to configure traffic policies and interface bandwidths and assign network bandwidths to prevent network congestion.
l Routine operation and maintenance
– Read "Logs and Reports" to view logs, which show the key events that happened on the device and the network, and to view reports, which show the statistics on and trend of traffic and threats. You can configure new policies and fine-tune configurations based on the logs and reports.
– Read "Monitoring" to learn fault location.

2.1.3 User

The next generation firewall introduces the concept of user: it implements traffic security defense and traffic management per user, which improves the flexibility and accuracy of security functions.

Why Deploy Security Policies by User


Enterprises encounter the following problems with rapid network development, especially in
mobile networks.

l Because employees and network devices can change frequently, using static IP addresses compromises management efficiency. Using IP addresses that are dynamically assigned through DHCP resolves this problem, but this solution does not ensure a unique mapping between employees and IP addresses and cannot control traffic based on IP addresses.
l Mobile working and teleworking have become popular. In such cases, the IP addresses of employees become random.
l Network applications, such as the remote desktop, require a network device to implement different security policies. For example, on a public server, different security policies must be applied to grant different permissions to employees A and B for them to access the enterprise server.

Because of these limitations, employees are required to enter their user names and passwords to log in to a network device. After they are authenticated, they are granted network permissions based on their user groups. This has become a common way for enterprises to manage their networks.

User Management on the NGFW


To manage a large number of users on a network, the NGFW uses a tree structure to represent
an enterprise, as shown in Figure 2-1.

Figure 2-1 User/User group tree organizational structure

l Authentication domain: default (the default group, root of the tree)
l User groups (parent groups) under the domain: Marketing department, R&D department
l User groups (child groups) under the R&D department: Product team 1, Product team 2
l Users at the leaves: Employee A, Employee C, Employee D, and Guest

l Authentication domain (root group)
The top node of the tree-shaped organizational structure is "authentication domain," which is also considered the root group. The subordinates of an authentication domain can be user groups or users. The default authentication domain equals the /default root group. You can plan users and user groups for this domain.
If multiple domains are required, you can plan other authentication domains. Each authentication domain is an independent tree-shaped organizational structure. One user name can be used in different authentication domains.
On the NGFW, an authentication domain, which is at the top of the tree-shaped organizational structure, determines the authentication mode of users in the domain. For details, see Authentication Policy and Authentication Domain.
l User and user group
Users are the data objects in user management. A user is a person who is authorized to access network resources. After an employee enters his or her user name and password on a host and is authenticated, the NGFW deems the traffic from and to the host to belong to that employee.
Usually, all members of a department or team have the same network access permissions. You can create user groups and grant network permissions based on user groups for user management efficiency.
Sometimes, one user belongs to multiple teams. On the NGFW, you can add a user to a maximum of three user groups. In the Figure 2-1 example, employee C belongs to product teams 1 and 2.
l Parent group and child group
An enterprise usually has a hierarchical organizational structure, and a department has multiple subordinate entities. To ensure that subordinates have the basic network access permissions of the department, the NGFW supports user group embedding. The subordinate user group is called a child group, and the user group that contains a child group is called a parent group. Parent and child groups are relative concepts. In Figure 2-1, the /default group is the parent group of the marketing department and R&D department, and the R&D department is a child group of the /default group. The R&D department is also the parent group of product teams 1 and 2.

When you configure users and user groups on the NGFW, the NGFW can grant network access
permissions to a host based on a user or its user group: the permission is granted by applying a
policy to that user or user group.
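
An added Python model of the tree in Figure 2-1 (a constructed example, not Huawei code): authentication domains as root groups, nested parent and child groups, the three-group limit per user, the same user name in two domains, and a permission check that walks from a user's groups up to the domain root so that a child group inherits what its department is granted. Which users sit in which groups is assumed, except for employee C, whom the text places in both product teams.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterator, List, Optional, Set, Tuple

# Constructed model of the Figure 2-1 user tree (hypothetical, not Huawei code).
MAX_GROUPS_PER_USER = 3  # limit stated in the guide

@dataclass
class Group:
    path: str  # e.g. "/default/rnd/team1"; the first component is the authentication domain
    parent: Optional["Group"] = None

@dataclass
class User:
    domain: str
    name: str
    groups: List[Group] = field(default_factory=list)

class UserTree:
    def __init__(self) -> None:
        self.groups: Dict[str, Group] = {}
        # Users are keyed by (domain, name): the same name may exist in several domains.
        self.users: Dict[Tuple[str, str], User] = {}

    def add_domain(self, domain: str) -> Group:
        """An authentication domain is the root group of its own tree."""
        return self._add_group(f"/{domain}", None)

    def add_group(self, parent_path: str, name: str) -> Group:
        return self._add_group(f"{parent_path}/{name}", self.groups[parent_path])

    def _add_group(self, path: str, parent: Optional[Group]) -> Group:
        group = Group(path, parent)
        self.groups[path] = group
        return group

    def add_user(self, domain: str, name: str, *group_paths: str) -> User:
        if not group_paths:
            group_paths = (f"/{domain}",)  # user directly under the domain root
        if len(group_paths) > MAX_GROUPS_PER_USER:
            raise ValueError(f"{name}: a user may join at most {MAX_GROUPS_PER_USER} groups")
        groups = [self.groups[p] for p in group_paths]
        for group in groups:  # a user's groups must all live in the user's own domain
            if group.path.split("/")[1] != domain:
                raise ValueError(f"{name}: group {group.path} is outside domain {domain}")
        user = User(domain, name, groups)
        self.users[(domain, name)] = user
        return user

    @staticmethod
    def ancestors(group: Group) -> Iterator[Group]:
        """The group itself, then each parent group up to the authentication domain."""
        node: Optional[Group] = group
        while node is not None:
            yield node
            node = node.parent

    def member_of(self, domain: str, name: str, group_path: str) -> bool:
        """True if the user is in the group directly or through one of its child groups."""
        user = self.users[(domain, name)]
        return any(a.path == group_path for g in user.groups for a in self.ancestors(g))

    def effective_permissions(self, domain: str, name: str, grants: Dict[str, Set[str]]) -> Set[str]:
        """Union of the grants attached to every group on the user's paths up to the root."""
        user = self.users[(domain, name)]
        perms: Set[str] = set()
        for g in user.groups:
            for a in self.ancestors(g):
                perms |= grants.get(a.path, set())
        return perms

def try_add_user(tree: UserTree, domain: str, name: str, *group_paths: str) -> bool:
    """Return whether the user could be added under the tree's rules."""
    try:
        tree.add_user(domain, name, *group_paths)
        return True
    except ValueError:
        return False

def build_figure_2_1() -> UserTree:
    # Group placement of A, D and Guest is constructed; C in both product teams is from the text.
    tree = UserTree()
    tree.add_domain("default")
    tree.add_group("/default", "marketing")
    rnd = tree.add_group("/default", "rnd")
    tree.add_group(rnd.path, "team1")
    tree.add_group(rnd.path, "team2")
    tree.add_user("default", "employee_a", "/default/marketing")
    tree.add_user("default", "employee_c", "/default/rnd/team1", "/default/rnd/team2")
    tree.add_user("default", "employee_d", "/default/rnd/team2")
    tree.add_user("default", "guest")
    tree.add_domain("partners")  # a second, independent tree; the user name recurs here
    tree.add_user("partners", "employee_a")
    return tree
```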

User-Based Authentication and Permission Control


On the NGFW, users can be Internet access users or remote access users. Internet access users
access network resources directly through the NGFW, whereas remote access users must first
access the NGFW through VPN to access intranet resources. The authentication modes vary by
user type, as shown in Figure 2-2.

l Internet access users (scheme A of phase one in Figure 2-2)
Internet access users are users who access network resources from an intranet, such as employees on an enterprise intranet. When they access network resources, the NGFW authenticates them to obtain the mapping between users and IP addresses and then identifies users by IP address.
l Remote access users (schemes B, C, and D of phase one in Figure 2-2)
Remote access users are users who access intranet resources from the Internet, such as employees at branch offices or employees on the move. In common cases, the NGFW verifies the identities of remote access users to prevent unauthorized access.
After the NGFW authenticates a remote access user, the user can access intranet resources. You can determine whether to perform a second authentication on remote access users. A second authentication ensures the legitimacy of remote access users. If a second authentication is required, the NGFW pushes an authentication web page to users after they are authenticated to access the NGFW. Users must enter user names and passwords again to access intranet resources. For the two authentications, the user names and passwords can be the same or different.

Figure 2-2 User authentication and permission control system

Phase one: The user enters the user name and password.
l A: The user connects to the intranet directly.
– A-1: Use SSO and the AD or TSM server to synchronize user information.
– A-2: Push a Web login page.
l B: Use the user information provided in SSL VPN.
l C: The user accesses the intranet through L2TP VPN.
– C-1: Use the user information provided in L2TP VPN.
– C-2: Perform a second authentication.
l D: Perform resource access authentication after the user accesses the intranet through IPSec VPN.

Phase two: The device verifies the user information.
l A: AD or TSM synchronization
l B: Local authentication
l C: Server authentication

Phase three: The device allows the user to access the intranet and applies policies to the user's traffic.
l A: Security policy: packet filtering, antivirus, intrusion prevention, URL filtering, data filtering, file blocking, application behavior control, mail filtering
l B: Traffic policy: bandwidth limit, connection number limit
l C: Policy-based routing
l D: Audit policy: HTTP behavior audit, FTP behavior audit, email behavior audit

The following table describes the phases and schemes of user-based authentication and
permission control shown in Figure 2-2.

Table 2-1 User authentication and permission control system

Phase one: The user enters a user name and password, and the NGFW obtains this login information.

  Scheme A-1: The user connects directly to the intranet, and the NGFW uses single sign-on (SSO) with the active directory (AD) or TSM server to synchronize user information.
  Description: If an AD or TSM server has been deployed on the intranet to authenticate users, users must enter their user names and passwords to log in to the Windows system or TSM client. You can enable SSO on the NGFW so that it uses the information about these users.

  Scheme A-2: Push a Web login page.
  Description: The user connects directly to the intranet but SSO is not used. When the user accesses a web page for the first time, the NGFW pushes a Web login page, requiring the user to enter a user name and password.

  Scheme B: The NGFW uses the user information provided in SSL VPN.
  Description: The user enters a user name and password on the virtual gateway page to access the intranet through SSL VPN. The NGFW uses this user information directly.

  Scheme C-1: The NGFW uses the user information provided in L2TP VPN.
  Description: The user enters a user name and password to connect to the intranet through L2TP VPN. The NGFW uses this user information directly.

  Scheme C-2: Perform a second authentication after the user connects to the intranet through L2TP VPN.
  Description: After a user connects to the intranet through L2TP VPN and accesses a web page for the first time, the NGFW pushes a Web login page, requiring the user to enter a user name and password.

  Scheme D: The NGFW implements network resource access authentication upon users' IPSec VPN access.
  Description: After a user connects to the intranet through IPSec VPN and accesses a web page for the first time, the NGFW pushes a Web login page, requiring the user to enter a user name and password. When EAP is used for IPSec authentication, the NGFW uses the user information provided during VPN access and does not re-authenticate the user.

Phase two: The NGFW verifies the obtained user information to determine whether the user is legitimate and whether to allow the user to access the intranet.

  Scheme A: AD or TSM synchronization. The NGFW synchronizes user information with the AD or TSM server in real time.
  Description: If scheme A-1 is used in phase one and the user is authenticated by the AD or TSM server, the NGFW synchronizes the authentication result from that server. No further authentication is required.

  Scheme B: Local authentication. The NGFW compares user information with the records on the NGFW.
  Description: You create users and save their information in the local database. After a user enters login information, the NGFW compares it with the records in the database.

  Scheme C: Server authentication. The NGFW interworks with an authentication server.
  Description: The NGFW can interwork with AD, RADIUS, LDAP, HWTACACS, SecurID, and TSM authentication servers. Acting as an agent, the NGFW sends the user information to the authentication server and receives the authentication result from the server.

Phase three: The NGFW allows the user to access the network and applies policies to subsequent traffic. A user that provides correct login information is legitimate and is granted network access permission. You can configure different policies for users and user groups to control the accessible network resources, the security measures to take, and the bandwidths. The schemes below are the user-based policies; for details, see 2.1.4 Policy.

  Scheme A: Security policy
  Description: Security policies control users' network access permissions and secure their network access. You can apply security policies to control the resources, such as IP addresses, ports, and applications, that a user can access, and to detect and protect the user's network traffic.

  Scheme B: Traffic policy
  Description: Traffic policies control users' network bandwidth and number of connections. You can allocate bandwidth and limit the number of connections by user level to avoid network congestion and ensure a positive user experience.

  Scheme C: Policy-based routing (PBR)
  Description: PBR specifies the interface that forwards user traffic. You can enable PBR so that the traffic of a specified user flows to a specified network. PBR takes priority over the routing table.

  Scheme D: Audit policy
  Description: Audit policies let the NGFW audit users' online behaviors. Apply audit policies in accordance with local laws and regulations or your company's regulations to record network behaviors. For the user privacy declaration, see About This Document.

Authentication Policy and Authentication Domain


You can use an authentication policy and authentication domain to determine the following:

l Whether a user must be authenticated to access an intranet.
Some users are exempted from authentication and are granted network access permissions without entering a user name and password. You configure an authentication policy to determine whether a user must be authenticated.
For exempted users, the NGFW cannot obtain user information, so it applies security controls based on the IP addresses of the hosts these users use. Assign static IP addresses to these users and bind each IP address to the MAC address of the host. When such a user accesses the intranet from that host, the user always has the same IP address, and the NGFW can apply a policy specific to that address.
Note that for exempted users, traffic logs and reports record only the host IP addresses, not user names.
l Which authentication scheme to apply to authenticate a user.
You configure authentication domains to control the scheme used for user authentication. For example, for the L2TP VPN users shown in Figure 2-2, you can configure the authentication domain to determine whether to push an authentication web page to the users for a second authentication.

Figure 2-3 shows the process for authenticating users based on the authentication policy and
authentication domain.

Figure 2-3 Authentication flow

[Figure: labels recoverable from the figure. Triggers for an authentication (Internet access user): AD SSO (interwork with the AD server); TSM SSO (interwork with the TSM server); redirected authentication; user-initiated authentication; access user authentication. Authentication policy: authentication exemption (obtain information about the bidirectional binding of users and IP/MAC addresses); no authentication. Authentication domain: local authentication (local user/group); authentication server (RADIUS server, HWTACACS server, AD server, LDAP server, SecurID server). For access users, a decision "Secondary authentication?" leads either to "Authentication complete" (No) or to a second authentication on access users (Yes).]

2.1.4 Policy
As an important configuration item for the next generation firewall, a policy maps the traffic
matching conditions with the actions to take for the matched traffic, which facilitates device
configuration and management.

Overview
The NGFW supports the policies listed in the following table.


Table 2-2 Policy overview

Security policy: Security policies control the resources, such as IP addresses, ports, and applications, that users or hosts can access, and detect and protect the network traffic. After you classify network traffic in security policies once, you can enable different security functions for each traffic class, which simplifies the configuration.

NAT policy: NAT policies translate source IP addresses or ports and destination IP addresses or ports according to configured rules, which alleviates the shortage of IPv4 addresses.

Policy-based routing (PBR): PBR directs the traffic of a specific user to a specific network. PBR takes priority over the routing table and allows precise control over traffic forwarding.

Traffic policy: Traffic policies control the bandwidth of a network or host. You can allocate bandwidth and limit the number of connections for different traffic to avoid network congestion and ensure a positive user experience.

Quota control policy: Quota control policies limit the Internet access traffic volume and duration of users, to prevent bandwidth abuse and the loss of productivity that comes with long Internet access durations.

Authentication policy: Authentication policies determine whether a user requires authentication. Special users can be exempted from authentication when accessing the intranet.

Proxy policy: The NGFW supports TCP proxy and SSL proxy. When the action of a proxy policy is TCP proxy, the NGFW acts as a TCP proxy for the traffic matching the policy. When the action is SSL decryption, the NGFW acts as an SSL proxy for the matching traffic and decrypts the SSL traffic.

Audit policy: Audit policies monitor users' online behaviors. Apply audit policies in accordance with local laws and regulations or your company's regulations to record users' online behaviors.

A policy contains multiple rules. Each rule contains multiple data items that are classified as
condition, action, or option. The following figure uses the security policy as an example.


Figure 2-4 Items in a security policy rule

[Figure: Policy A contains rule1, rule2, ... Each rule has three groups of items. Condition: source zone, destination zone, source address, destination address, user, application, service, schedule. Action: action (allow or block), with a content security profile. Option: log, enable the rule.]

l Condition
Conditions are used to filter packets. For example, source IP addresses or destination IP
addresses of packets, users who send packets, and applications of the packets can all be
specified as conditions. A packet matches a rule only when the packet matches all
conditions in the rule. Then the NGFW processes the packet based on the action or option
specified in the rule.
Items in a condition are existing data objects on the NGFW. You can define objects, such
as IP address ranges, users, and applications in advance on the NGFW and reference them
in policies to avoid duplicate configurations.
You can specify multiple objects for each condition.
NOTE

The items specified in a condition are logically ANDed. A packet matches a rule only when the packet
attributes match all items in the rule. The objects specified for one item in a condition are logically
ORed. A packet attribute matches the item as long as the packet attribute matches one object. For
example, three IP address ranges are defined in advance as objects A, B, and C. If A, B, and C are
applied to item source IP address in a condition, a packet matches the condition as long as the source
IP address of the packet matches any address among A, B, and C.
l Action
The NGFW takes an action on the packets that match the conditions. The action can be
allow, block, or content security checks. Actions vary with policies.
l Option
You can configure additional options for a rule, such as whether to enable the log function
and whether to apply this rule.

If a policy contains multiple rules, packets are matched to the rules in the list from top to bottom
on the Web UI. If the packets match all conditions of a rule, the NGFW implements the rule's
action and option on the packets. To make packet matching more efficient and precise, configure
policy rules from the most specific to the most general.
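The matching semantics described above (items ANDed, objects within one item ORed, first matching rule top to bottom, default action when nothing matches) can be made concrete with a small matcher. This is an added example in Python, not code from the guide or from the NGFW; the zone names, address objects, rule names and the default-deny fallback are assumptions chosen to illustrate the rules.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Optional

# Address objects defined in advance and referenced by name in rules.
# Constructed sample data: the names and ranges are assumptions.
ADDRESS_OBJECTS = {
    "A": ip_network("10.1.1.0/24"),
    "B": ip_network("10.1.2.0/24"),
    "C": ip_network("192.168.0.0/16"),
    "web_server": ip_network("10.2.0.10/32"),
}


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    application: str
    user: Optional[str] = None


@dataclass
class Rule:
    """One rule of a security policy. An empty set for an item means 'any'."""
    name: str
    action: str                                   # "permit" or "deny"
    src_zone: set = field(default_factory=set)
    dst_zone: set = field(default_factory=set)
    src_addr: set = field(default_factory=set)    # names of address objects
    dst_addr: set = field(default_factory=set)
    user: set = field(default_factory=set)
    application: set = field(default_factory=set)
    enabled: bool = True                          # the "apply this rule" option


def in_address_object(name: str, ip: str) -> bool:
    return ip_address(ip) in ADDRESS_OBJECTS[name]


def item_matches(objects: set, value, match: Callable = lambda o, v: o == v) -> bool:
    """Objects within one item are ORed: one matching object is enough.
    An item with no objects is not a constraint."""
    if not objects:
        return True
    return any(match(obj, value) for obj in objects)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Items in a condition are ANDed: every item must match."""
    return (
        item_matches(rule.src_zone, pkt.src_zone)
        and item_matches(rule.dst_zone, pkt.dst_zone)
        and item_matches(rule.src_addr, pkt.src_ip, in_address_object)
        and item_matches(rule.dst_addr, pkt.dst_ip, in_address_object)
        and item_matches(rule.user, pkt.user)
        and item_matches(rule.application, pkt.application)
    )


def evaluate(policy: list, pkt: Packet, default_action: str = "deny") -> tuple:
    """The first enabled rule that matches, top to bottom, decides.
    Nothing matching falls through to the default action (deny assumed here)."""
    for rule in policy:
        if rule.enabled and rule_matches(rule, pkt):
            return rule.name, rule.action
    return "default", default_action


# Constructed policy: the specific deny sits above the general permit,
# following the guide's advice to order rules from most specific to most general.
POLICY = [
    Rule("guest_no_server", "deny", src_zone={"trust"}, src_addr={"C"},
         dst_addr={"web_server"}),
    Rule("lan_to_dmz", "permit", src_zone={"trust"}, dst_zone={"dmz"},
         src_addr={"A", "B", "C"}),
    Rule("admins_anywhere", "permit", user={"admin"}),
]

if __name__ == "__main__":
    guest = Packet("trust", "dmz", "192.168.3.4", "10.2.0.10", "http")
    print(evaluate(POLICY, guest))                     # specific deny wins
    print(evaluate(POLICY[1:] + POLICY[:1], guest))    # reversed order: permit
```

Swapping the first two rules, as the last line does, turns the guest's blocked access into a permit: the general rule then shadows the specific one, which is exactly why the guide says to configure rules from the most specific to the most general.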

Object
An object is a set of data items that are defined in advance and can be referenced in policies or
features. You can define objects in a centralized data plan to simplify configurations.

The following table lists the most common and most important objects used on the NGFW.


Table 2-3 Overview of objects

Address: An address object is a set of IP addresses or MAC addresses. There are two types:
l Address: defines a subnet, a range of contiguous IP addresses, or a set of MAC addresses.
l Address group: references addresses or other address groups. You can also add new subnets, ranges of contiguous IP addresses, or MAC addresses directly to an address group. An address group can therefore represent a large set of discontiguous IP or MAC addresses.

Region: A region object is a set of IP addresses categorized by geographical location. There are two types:
l Region: includes predefined and user-defined regions. Each region is the set of public IP addresses of that geographical area.
l Region group: references predefined regions, user-defined regions, and other region groups, so that one group controls multiple regions.

Service: A service object is a set of TCP/UDP port rules or ICMP parameter rules. Network applications and communication protocols use specific TCP/UDP ports or ICMP packet types to communicate, so you can define services to match them. There are two types:
l Service: specifies a network application or communication protocol. The NGFW predefines many common services, such as HTTP and FTP, and you can define new ones. A service can specify the source or destination port of TCP or UDP packets, the type or code of ICMP packets, or the protocol number of IP packets, so that traffic with those characteristics is identified and policies are applied to it.
l Service group: references multiple predefined or user-defined services, so that one policy applies to several services.

Application: An application object is a set of application attributes. The ports or packet types used by application-layer applications vary, so the NGFW matches traffic against application attributes to identify applications. There are two types:
l Application: The NGFW provides thousands of predefined common applications, which are adequate for application identification. The predefined applications are updated when the SA signature database is updated. You can also define new applications. For details on user-defined applications, see 12.5 Application and Application Group.
l Application group: references multiple predefined or user-defined applications, so that one policy applies to several applications.

User: The user object is the basis of authentication and of user-based policies. Before you enable authentication and configure a user-based policy, you must create users and user groups if the NGFW uses local authentication. If the NGFW uses a third-party server for remote authentication, you must import the user and user group information to the NGFW. For details on the user concept, see 2.1.3 User.

Schedule: A schedule object is a set of time ranges. A schedule controls the valid time ranges of a policy or feature, so the NGFW can apply different policies at different times. There are two types:
l Periodic schedule: specifies a fixed time range within a week that repeats at one-week intervals. Use periodic schedules for policies that take effect periodically, such as policies for work days or non-work days.
l One-time schedule: specifies a single time range with specific start and end times. Use one-time schedules for policies that take effect temporarily or at a specific time, such as a policy for a holiday.

Security profile: A security profile is a special object for security policies. It is a set of content security check and protection rules. A security profile defines the threats a security function identifies and the countermeasures it takes. Each security function has its own security profiles. A security policy can reference multiple security profiles for one traffic flow to implement multi-dimensional content security checks and protection for that flow. For details on security policies and security profiles, see 2.1.2 Next Generation Firewall.

Policy Execution Sequence


When multiple policies are applied, you need to make clear which policy the NGFW executes
first, especially when NAT policies interwork with other policies. NAT policies translate packet
IP addresses or ports, and the translation results affect the setting of other policy rules. Therefore,
to set accurate conditions, you must understand the sequence in which the NGFW applies
policies.

Figure 2-5 illustrates the policy execution sequence and packet forwarding process on the NGFW. Two points about NAT processing matter for policy configuration:

l NAT server (server mapping) processing is performed first, before the other policies are matched.
l Source NAT is divided into two steps. In the first step, the device looks up the source NAT policy after the security policy and records the address translation information in the session table. In the second step, when the packet is forwarded, the device translates the source IP address and sends the packet out.

Therefore, when you configure policy-based routing, authentication policies, security policies, and bandwidth management policies, specify the pre-source-NAT IP address as the source IP address and the mapped inside (private) IP address of the server as the destination IP address.

Figure 2-5 Policy matching sequence

[Figure: the order recoverable from the figure labels is: Receive packets -> Server mapping -> PBR -> Authentication policy -> Security policy -> Proxy policy -> Quota control policy -> Bandwidth management policy -> Source NAT policy -> Forward packets (source NAT processing).]

For details on the policy execution sequence and packet forwarding process, see 2.1.7.1 Packet
Transfer Process.

2.1.5 Visualized Management and Maintenance


The NGFW provides a web interface to implement visualized management and maintenance.

Wizards
The system provides the Startup Wizard to guide a beginner through initializing the device quickly so that it can access the Internet.

With Startup Wizard, you can set the device name, administrator password, system time, Internet
access parameters, and LAN parameters. For details about how to use Startup Wizard, see 3.1
Startup Wizard.

Logs and Reports


Logs and reports help administrators perform system maintenance and management, such as identifying the cause of packet loss, locating faults, querying security events on the network, and analyzing bandwidth usage. With this information, administrators can learn about the network status and optimize the system configuration in time.

Table 2-4 describes the logs provided by the NGFW.

Table 2-4 Logs

Traffic log: Records overall network traffic information by user or application, current network bandwidth usage, and the security policies in effect.

Threat log: Records the detection of and defense against network threats, such as viruses, worms, Trojan horses, spyware, and DDoS attacks. The threat log helps administrators learn about network threat events and adjust security policies or take defensive measures in a timely manner.

URL log: Records statistics on requested URLs. You can view URL logs to check why access to a URL was allowed, blocked, or allowed with an alert.

Content log: Records the alarms and blocks produced by file blocking, content filtering, and application behavior control, such as alarms generated when intranet users transfer files or send and receive emails, and blocks that deny access to websites. The content log helps administrators learn about the content-related activities of intranet users and the causes of alarms and blocks.

Operate log: Records the login, logout, and configuration operations performed by all administrators. The operate log helps administrators learn about the system management history.

System log: Records system running information and hardware environment information. The system log helps administrators learn about the system running status and locate faults.

User activity log: Records user online information, such as the login time, the IP address and MAC address used to log in, and the online duration. The user activity log helps administrators learn about online user activities and take action on risky user logins or network access.

Policy matching log: Records the traffic that triggers the policies defined in the system. The policy matching log helps administrators optimize policies and locate faults.

Mail filtering log: Records the protocol types that users use to send and receive emails, the size of a single attachment, the number of attachments in an email, and the reasons why emails were blocked. The mail filtering log helps you locate faults in email services.

Audit log: Records the Internet access behaviors defined in audit policies.

Table 2-5 describes the reports provided by the NGFW.

Table 2-5 Reports

Traffic report: Provides network traffic information based on analysis of the traffic log. The traffic report helps administrators learn about current network traffic and define traffic management policies.

Threat report: Provides network threat information based on analysis of the threat log. The threat report lists the top threat activities, attackers, and victims and helps administrators take preventive measures.

URL report: Provides information about intranet users' access to URLs based on analysis of the URL log. The URL report helps administrators identify the top users with unauthorized URL access and the URLs or sites that intranet users access most frequently. Based on this information, administrators can define URL filtering policies.

File blocking report: Provides information based on analysis of the file blocking records in the content log. The report presents multiple dimensions and helps administrators learn which file types are commonly transferred on the network. Based on this information, administrators can define file blocking policies.

Data filtering report: Provides information based on analysis of the data filtering (content filtering) records in the content log. The report presents multiple dimensions and helps administrators learn which keywords commonly appear in files and applications. Based on this information, administrators can define data filtering policies.

Policy matching report: Provides policy matching information based on analysis of the policy matching log. The policy matching report helps administrators find policy configuration issues and optimize policies in a timely manner.

Visualized Diagnosis
The visualized diagnosis function helps implement quick fault location when a network fault
occurs or the system is not running properly. The visualized diagnosis function incorporates
comprehensive cases for the same type of faults, helping administrators quickly locate the fault
from all possible causes. The visualized diagnosis function also provides diagnosis results and
troubleshooting suggestions.

Table 2-6 describes the diagnoses provided by the NGFW.


Table 2-6 Diagnoses

IPSec diagnosis: IPSec access faults can be diagnosed by:
l Data flow: The system selects IPSec policies based on the data flow conditions specified by the administrator, attempts to initiate a request to establish an IPSec tunnel, traces the whole access process, and identifies where access fails.
l Interface: The system selects IPSec policies based on the interfaces to which the policies apply, attempts to initiate a request to establish an IPSec tunnel, traces the whole access process, and identifies where access fails.
l IP address: The system waits for a tunnel establishment request from the peer gateway with the specified IP address, traces the whole access process, and identifies where access fails.

Web page diagnosis: The administrator enters the IP address of an intranet terminal and the URL to be accessed. The system simulates the access request, traces the whole access process, and identifies where access fails.

Packet tracing: The system traces the transmission of packets that match the data flow conditions specified by the administrator and identifies where transmission fails.

Ping: The system pings the specified destination IP address with the configured ping packet settings and returns the result. This diagnosis verifies whether the destination IP address is reachable.

Tracert: The system sends probe packets with increasing TTL values toward the specified destination IP address, based on the tracert settings, so that each routing device along the path responds in turn, and reports the results. This diagnosis helps determine where along the path a network fault occurs.

Diagnosis info: Administrators can collect various information, such as the clock, version, and configuration, with a single click. The collected information can be saved as a .txt file, exported, and sent to technical support engineers for fault diagnosis.

Quintuple packet capture: The system captures the packet headers of data flows that match the packet capture parameters configured by administrators, for fault location and analysis.

Quintuple packet discarding statistics: The system counts the packets of data flows that match the 5-tuple parameters configured by administrators, including the number of received or discarded fragments, the number of received or discarded non-fragments, and the number of forwarded packets. This diagnosis checks whether the device forwards or discards the packets. If the device discards packets, you must use other methods to further analyze the cause.


2.1.6 IPv6
Internet Protocol version 6 (IPv6), which resolves problems such as IPv4 running out of
addresses, will be the mainstream Internet protocol used on future networks. This section
describes the issues involved in deploying IPv6 networks and the support for IPv6 offered by
the NGFW.

To build an IPv6 network, two issues must be resolved:

l With IPv6 addressing, the various IP-layer protocols need to be upgraded to support communication between IPv6 hosts and to eliminate the inherent efficiency and security defects of IPv4 networks.
l Transition technologies are needed so that IPv4 networks move smoothly toward IPv6. A seamless transition requires that IPv6 hosts can communicate over IPv4 networks and that IPv6 and IPv4 hosts can communicate with each other.

The NGFW supports IPv4, IPv6, a series of IPv6-related protocols, and security detection for IPv6 traffic, which resolves these issues. The supported IPv6 protocols and functions are as follows:

l Protocols used to construct IPv6 LANs, such as ICMPv6 (see 8.14.3 Improving IPv6
Performance), DNSv6 (see 8.3 DNS), DHCPv6 (see 8.5 DHCPv6), and PPPoEv6 (see
8.8 PPPoE)
l IPv6 routing protocols, such as IPv6 static routing protocols (see 10.2 IP Static Route),
RIPng (see 10.8 RIPng), OSPFv3 (see 10.9 OSPFv3), BGP4+ (see 10.10 BGP4+), and
PBR (see 17 PBR)
l IPv4-to-IPv6 transition protocols, such as IPv6 over IPv4 (see 24.2 IPv6 over IPv4
Tunnel), IPv4 over IPv6 (see 24.3 IPv4 over IPv6 Tunnel), and NAT64 (see 24.1
NAT64)
l IPv6 network deployment technologies, such as IPv6 hot standby (see 6.1 Hot Standby)
and IPv6 IPSec (see 20.2 IPSec)
l IPv6 common objects, such as the IPv6 address object (see 12.1 Address and Address
Group) and IPv6 ACL (see 12.10 IPv6 ACL)
l Security detection technologies for IPv6 traffic, such as IPv6 traffic application
identification (see 12.5 Application and Application Group), IPv6 security policies and
content security detection (see 13 Security Policy and Content Security), and IPv6 anti-
DDoS (see 22 Security Protection)
l IPv6 bandwidth management (see 18 Bandwidth Management) for IPv6 traffic
management and control

2.1.7 More Information


This section describes the packet transfer process and the command line interface (CLI) of the
NGFW. It helps you further understand how the NGFW works.

2.1.7.1 Packet Transfer Process


This section describes how a packet is processed and transmitted to the destination. It helps you
better understand the configuration rules and skills.


Packet Transfer Process


A network device implements traffic processing by recognizing, forwarding, discarding, or
modifying single packets. The NGFW processes packets based on the packet type and policies
configured. Figure 2-6 shows a typical process in which an IP packet is transmitted over the
network.


Figure 2-6 Packet transfer process

[Figure: stage labels recoverable from the figure, grouped by phase.
Basic processing before session table query: receive a packet; incoming interface bandwidth threshold; is the interface a layer 2 or layer 3 interface; perform MAC address filtering (layer 2) or query the next-hop interface (layer 3); resolve and remove the frame header; resolve the IP packet header; VLAN; IP/MAC binding; single-packet attack defense.
Session table query and security checks: will a session be established; first-packet processing (server-map processing, server mapping, blacklist, routing table, authentication policy, security policy matching and packet filtering, source NAT policy matching, server load balancing, application association table, limit on the number of connections, establish a session); for packets that hit an existing session: stateful inspection, flow-based attack defense, update the online user list, user redirection, refresh session entries.
Packet forwarding: bandwidth policy processing; security policy processing and content security (virus prevention, intrusion prevention, URL filtering, file filtering, content filtering, application activity control, email filtering); source NAT processing; VPN (IPSec, L2TP, GRE, SSL); outgoing interface bandwidth threshold; forward the packet.]

During the packet transfer process, some fields in a packet are changed to implement certain features. For example, the NGFW changes the source or destination IP address of an IP packet during network address translation (NAT), while security policy matching and routing table lookup select policies and routes based on the IP addresses in the packet. Server address mapping is performed before security policy matching and routing table lookup, and source NAT is performed after them, as shown in Figure 2-6. If an Internet user accesses an intranet server and source NAT is also configured for this traffic, two translations are performed on the access request:

l During server address mapping, the NGFW changes the destination IP address in the packet to the private IP address of the server to be accessed.
l During source NAT, the NGFW changes the source IP address to a private IP address that belongs to the same network segment as the server.

The NGFW then looks up the route to the next-hop interface based on the private IP address of the server. Because security policy matching happens between these two translations, you must configure the source IP address in security policies as the public IP address of the Internet user and the destination IP address as the real private IP address of the server.

During the packet transfer process, packet processing varies depending on the packet type and
data configuration. Not all packets will be processed in the same way as illustrated in Figure
2-6. The whole process can be divided into three phases:

1. Basic Processing Before Session Table Query
2. Session Table Query and Security Checks
3. Packet Forwarding

Basic Processing Before Session Table Query


The objective of basic processing is to parse the frame header and IP packet header of a packet.
The header information is then used to perform basic security checks. The NGFW first determines
whether the next-hop interface is a Layer 2 or Layer 3 interface.

l If it is a layer 3 interface, the NGFW queries the routing table based on the destination IP
address carried in the packet and determines the next-hop interface. After the packet is
resolved and the header information is removed from the packet, the packet is forwarded
to the next hop for processing.
l If it is a layer 2 interface, the NGFW first determines whether the packet needs to be
forwarded over different VLANs. If the packet does not need to be forwarded over different
VLANs, the NGFW queries the next-hop interface in the MAC address table based on the
destination MAC address carried in the packet. If the packet needs to be forwarded over
different VLANs, the NGFW obtains the VLAN ID and then obtains the sub interface or
VLAN-IF interface based on the VLAN ID. The sub interface or VLAN-IF interface is a
virtual layer 3 interface. Then, the NGFW queries the routing table based on the destination
address carried in the packet and determines the next-hop interface.
After the required information is obtained and the header information is removed from the
packet, the packet is forwarded to the next hop for processing.

Table 2-7 describes the features used in this phase.

Table 2-7 Features involved in basic processing

MAC address filtering: Filters packets based on the source and destination MAC addresses carried in the frame header.

VLAN: Prevents flooding of Ethernet frames over local area networks (LANs).

IP/MAC address binding: Verifies packets based on the IP address and MAC address carried in packets, filters out invalid packets, and prevents IP spoofing and ARP attacks.

Incoming interface bandwidth threshold: Discards packets when the bandwidth usage over the interface exceeds the specified threshold.

Single-packet attack defense: Performs packet validity and security checks based on the single-packet attack defense types after obtaining the packet header information, and filters out attack packets.

Session Table Query and Security Checks


The NGFW implements most security functions in this phase. The NGFW processes a packet
depending on whether there are matched session entries:

l No Matched Session Entries
If there are no matched session entries, the packet will be treated as the first packet of a
flow.

1. The NGFW triggers the stateful inspection mechanism to verify whether the packet
meets the conditions for establishing a session.
2. If yes, the NGFW obtains information, such as the user and application type of the
flow, which cannot be obtained from the packet header.
NOTE

The information about the user and application type of a flow cannot be obtained by analyzing
a single packet.
To obtain multiple packets of this flow, the NGFW identifies the users who need authentication
but have not logged in based on authentication policies and pushes the authentication page to
the users. If the authentication is successful for a user, the NGFW analyzes the packets sent
from the user and obtains the application type of the flow.
During the analysis process, the NGFW establishes a session with empty application
information based on the first packet. After the analysis is complete, the NGFW updates the
session entries and adds the application type to the packet. After the application type is
determined, the policies matching the flow may change, which in turn affects the further
processing of the packet.
Figure 2-6 shows the basic packet processing sequence and is for reference only.
3. The NGFW queries the routing table based on the destination address carried in the
packet and obtains the next-hop interface information. Then, the NGFW obtains the
destination security zone information based on the next-hop interface information.
4. After obtaining the source and destination address information, the NGFW performs
an authentication for the user.

5. If the authentication is successful, the NGFW searches for security policies based on
the user information and source and destination address information. If a match is
found, the NGFW proceeds according to the matched security policy.
If a session is allowed, the NGFW labels the flow based on the content security profile
associated with the security policy. If a session is not allowed, the NGFW discards
the packet.
6. If the number of sessions does not reach the threshold, the NGFW establishes a session
for this packet. The packet will be processed by the transfer module, and the
subsequent packets of this flow will be processed in a way as described in the Matched
Session Entries Exist section.
l Matched Session Entries Exist
If matched session entries are found, the session was already established for the first packet
of the flow after the route query and security checks were performed. Subsequent packets that
match the session entries skip the process that the first packet goes through. This mechanism
increases the processing efficiency of the NGFW.
The subsequent packets will trigger the update of the online user list to keep the users who
have flows online.
Then, the packets will go through flow-based attack defense and stateful inspection, and
be processed by the transfer module.
A secure first packet does not indicate that subsequent packets are also secure; therefore,
the NGFW performs constant security checks for a flow. During this process, session entries
will be updated if application information is identified, the user goes offline or online,
security risks are detected in content security checks, or system configuration is modified.
Once the session entries are updated, the NGFW will recheck the flow and take related
processing. However, only the features that determine the packet processing methods are
involved in the recheck process. The recheck process is still simpler than the processing of
the first packet. In addition, updates of session entries do not frequently occur. This
mechanism ensures constant protection of flows while avoiding serious impact on
processing efficiency.
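The first-packet path and the session fast path described above, as an added example in Python; this is not Huawei code and not part of this guide. It models only the ordering the text states: server mapping before routing table query and security policy matching, the source NAT policy looked up at session creation and its translation applied on forwarding, and a session table that lets subsequent packets skip the full path. The addresses loosely follow Figure 2-9, and the policy structure, zone names and connection limit are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

    def key(self):
        # Simplified session key: the original (pre-NAT) 5-tuple.
        return (self.src, self.dst, self.proto, self.sport, self.dport)


@dataclass
class Session:
    new_src: str      # source after source NAT (recorded here, applied on forwarding)
    new_dst: str      # destination after server mapping
    out_iface: str
    hits: int = 0     # subsequent packets matched by this entry


class ToyNgfw:
    """Toy model of the first-packet path; constructed data, not device configuration."""

    def __init__(self, max_sessions=1000):
        # Server mapping: public address of the intranet server -> private address.
        self.server_map = {"1.1.1.10": "10.2.0.10"}
        # Routing table: (prefix, next-hop interface, destination zone).
        self.routes = [
            (ip_network("10.2.0.0/24"), "GE1/0/2", "dmz"),
            (ip_network("10.3.0.0/24"), "GE1/0/3", "trust"),
            (ip_network("0.0.0.0/0"), "GE1/0/1", "untrust"),
        ]
        # Security policy written as the text instructs: public source address,
        # real private destination address (assumed rule structure).
        self.policies = [
            dict(src=ip_network("0.0.0.0/0"), dst=ip_network("10.2.0.10/32"),
                 dst_zone="dmz", proto="tcp", dport=80, action="permit"),
        ]
        # Source NAT per destination zone: flows into the DMZ get the DMZ
        # interface address so the server answers through the NGFW (assumption).
        self.source_nat = {"dmz": "10.2.0.1"}
        self.sessions = {}
        self.max_sessions = max_sessions

    def route(self, dst):
        addr = ip_address(dst)
        # Longest-prefix match over the constructed routing table.
        best = max((r for r in self.routes if addr in r[0]), key=lambda r: r[0].prefixlen)
        return best[1], best[2]

    def match_policy(self, src, dst, zone, proto, dport):
        for p in self.policies:
            if (ip_address(src) in p["src"] and ip_address(dst) in p["dst"]
                    and p["dst_zone"] == zone and p["proto"] == proto
                    and p["dport"] == dport):
                return p["action"]
        return "deny"  # no match: implicit deny

    def process(self, pkt):
        key = pkt.key()
        sess = self.sessions.get(key)
        if sess is not None:
            # Matched session entry: skip mapping, routing and policy lookup.
            sess.hits += 1
            return dict(action="forward", src=sess.new_src, dst=sess.new_dst,
                        out_iface=sess.out_iface, trace=["session hit"])

        trace = ["first packet"]
        # 1. Server mapping changes the destination BEFORE routing and policy.
        dst = self.server_map.get(pkt.dst, pkt.dst)
        if dst != pkt.dst:
            trace.append("server mapping %s -> %s" % (pkt.dst, dst))
        # 2. Routing table query on the private destination yields interface and zone.
        out_iface, zone = self.route(dst)
        trace.append("route %s (%s)" % (out_iface, zone))
        # 3. Security policy sees the public source and the private destination.
        action = self.match_policy(pkt.src, dst, zone, pkt.proto, pkt.dport)
        trace.append("policy " + action)
        if action != "permit":
            return dict(action="drop", trace=trace)
        # 4. Limit on the number of connections, then session creation.
        if len(self.sessions) >= self.max_sessions:
            trace.append("connection limit reached")
            return dict(action="drop", trace=trace)
        # 5. Source NAT is looked up now and recorded in the session; the
        #    translation itself belongs to the forwarding phase.
        src = self.source_nat.get(zone, pkt.src)
        if src != pkt.src:
            trace.append("source NAT %s -> %s" % (pkt.src, src))
        self.sessions[key] = Session(src, dst, out_iface)
        trace.append("session created")
        return dict(action="forward", src=src, dst=dst, out_iface=out_iface, trace=trace)
```

Running `ToyNgfw().process(...)` twice with the same packet shows the difference the text describes: the first call returns the full trace (mapping, route, policy, NAT, session creation) and the second returns only "session hit". A packet to a port the policy does not permit is dropped before any session is created, so it never gets onto the fast path.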

Table 2-8 describes the features used in this phase.

Table 2-8 Features involved in first packet processing and subsequent packet processing

Features Involved in First Packet Processing

Stateful inspection mechanism: For TCP and ICMP protocol packets, only the first packets trigger the session establishment.

Blacklist: Rapidly filters packets based on the source or destination IP address and user information carried in the packets.

Server-map: An important entry for server mapping and multi-channel protocol data forwarding.

Server mapping: Maps private IP addresses of intranet servers to public IP addresses for Internet users.

Online user list: Records online user information, such as the mapping between users and IP addresses, the time when a session is established, and online duration.

Application association table: Records the application information about flows.

Routing table: Records routing information, which determines the interface through which a packet is forwarded.

Authentication policy: Determines whether to perform authentication for a flow and obtains the user information based on the IP address and security zone information carried in a packet.

First packet processing: Pushes the authentication page to users who need authentication.

Security policy: Allows flows to be filtered based on the security policies specified.

Source NAT policy: Looks up the source NAT policy and records the address translation information in the session table, but does not translate the IP address of the packets.

Limit on the number of connections: Controls the number of concurrent sessions supported by the system.

Features Involved in Subsequent Packet Processing

Flow-based attack defense: Detects attacks that can be identified by analyzing multiple packets of a flow.

Server load balancing: Distributes the packets addressed to the same destination to different servers for processing based on the bandwidth usage. Therefore, during subsequent packet processing, the server load balancing configuration is also an important factor for determining the next-hop interface.

Packet Forwarding
In this phase, the NGFW provides constant security protection for flows and ensures that packets
are forwarded to the destination.

1. The NGFW checks the bandwidth usage and determines whether to forward or discard the
packet based on bandwidth policies.
2. The NGFW performs content security filtering based on the content security profile
associated with the security policies.
3. The NGFW translates the source IP address based on NAT policies.
4. The NGFW determines whether to forward the packet to a VPN tunnel based on VPN
configuration. If yes, the NGFW determines the VPN tunnel and encrypts and encapsulates
the packet to be forwarded.

5. The NGFW determines the next-hop interface based on the results obtained from the MAC
address table or routing table. The NGFW adjusts the traffic rate based on the bandwidth
threshold specified for the interface.
6. The NGFW sends the packet to the interface.
Table 2-9 describes the features used in this phase.

Table 2-9 Features involved in packet forwarding

Bandwidth policy: Prevents network congestion.

Security policy: Checks packets for security risks and performs filtering in real time.

Source NAT policy: Translates the source IP addresses of the packets so that intranet users can access the Internet.

VPN: Implements secure connection between private networks over the Internet. The NGFW supports various VPN technologies, such as L2TP, IPSec, and SSL, to meet different requirements.

Outgoing interface bandwidth threshold: Discards packets when the bandwidth usage over the outgoing interface exceeds the specified threshold.

2.1.7.2 CLI
The command-line interface (CLI) can be used to implement certain advanced functions that
cannot be implemented through the Web UI. This section describes the CLI of the NGFW and
basic skills of using the CLI.

CLI Structure and Views


The Web UI of the NGFW helps administrators implement most functions. However, certain
advanced functions can be implemented only through the CLI. The NGFW provides an
independent CLI, which can implement all NGFW functions. However, it is recommended that
only system administrators use the CLI because the CLI is more complex than a graphical user
interface (GUI).
The NGFW adopts a layered structure, in which all commands are registered under related views.
A large number of commands are organized through different command views, which help
administrators remember and use command lines. Generally, an administrator can run a
command only after entering the related view. Figure 2-7 shows the CLI views and related
commands if the following commands are executed in sequence:
Login authentication

Username:admin
Password:
<sysname>
<sysname> system-view
00:33:32 2012/05/20
Enter system view, return user view with Ctrl+Z.
[sysname] interface GigabitEthernet 1/0/1
00:33:35 2012/05/20
[sysname-GigabitEthernet1/0/1] ip address 10.1.1.1 24
00:33:37 2012/05/20
[sysname-GigabitEthernet1/0/1] quit
00:33:38 2012/05/20
[sysname] quit
00:33:39 2012/05/20
<sysname> quit

Login authentication

Username:

Figure 2-7 CLI layered structure

[The figure is not reproduced; its steps, read in sequence, are:]
1. Log in to the CLI: access the user view.
2. Run the system-view command: access the system view.
3. Run the interface GigabitEthernet 1/0/1 command: access the Ethernet interface view.
4. Run the ip address command: set an IP address for the Ethernet interface and remain in the Ethernet interface view.
5. Run the quit command: return to the system view.
6. Run the quit command: return to the user view.
7. Run the quit command: return to the CLI login prompt.

Different views have different command prompts, which help administrators determine the
current view. For example, after you enter the system view, the command prompts change from
angle brackets (<>) to square brackets ([]). After you enter the Ethernet interface view, the
command prompt contains the name of the interface to be configured, for example, [sysname-
GigabitEthernet1/0/1].
All the commands are defined with user authority. Administrators of different levels can run
different commands. For example, level 1 administrators can only enter the user view and query
system status and information. They cannot run the system-view command to enter the system
view or configure data.
To quit the current view, run the quit command.
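The prompt and view rules just described, as an added Python example that is neither Huawei code nor part of this guide. It recognizes the three prompt shapes from the text, predicts the prompt after system-view, interface and quit, and replays the command sequence shown above so that a script can refuse to send a command from the wrong view. The regular expressions and the `level` check (level 1 administrators cannot enter the system view) are this example's own reading of the text; a sysname containing a hyphen is deliberately not handled.

```python
import re

# Prompt shapes named in the text (regexes are this example's own assumption):
#   <sysname>                        user view
#   [sysname]                        system view
#   [sysname-GigabitEthernet1/0/1]   interface view
USER_RE = re.compile(r"^<([^<>]+)>$")
SYSTEM_RE = re.compile(r"^\[([^\]\-]+)\]$")
IFACE_RE = re.compile(r"^\[([^\]\-]+)-([^\]]+)\]$")
LOGGED_OUT = "Login authentication"   # what the device prints after quit in user view


def classify_prompt(prompt):
    """Return (view, sysname, interface); interface is None outside the interface view."""
    prompt = prompt.strip()
    m = USER_RE.match(prompt)
    if m:
        return ("user", m.group(1), None)
    m = IFACE_RE.match(prompt)
    if m:
        return ("interface", m.group(1), m.group(2))
    m = SYSTEM_RE.match(prompt)
    if m:
        return ("system", m.group(1), None)
    raise ValueError("unrecognized prompt: %r" % prompt)


def next_prompt(prompt, command, level=3):
    """Predict the prompt after running `command` at `prompt`.

    View rules taken from the text: system-view is valid only in the user view
    and only for administrators above level 1; interface <name> is valid only in
    the system view; quit returns to the parent view and, in the user view, ends
    the session. Returns None when the command is not valid in this view.
    """
    view, name, _iface = classify_prompt(prompt)
    words = command.split()
    if not words:
        return prompt
    if words[0] == "system-view":
        if view != "user" or level <= 1:
            return None
        return "[%s]" % name
    if words[0] == "interface":
        if view != "system" or len(words) < 2:
            return None
        # "interface GigabitEthernet 1/0/1" yields "[sysname-GigabitEthernet1/0/1]"
        return "[%s-%s]" % (name, "".join(words[1:]))
    if words[0] == "quit":
        return {"interface": "[%s]" % name,
                "system": "<%s>" % name,
                "user": LOGGED_OUT}[view]
    # Any other command (for example "ip address ...") stays in the current view.
    return prompt


def replay(start, commands, level=3):
    """Replay a command sequence from `start`; return the list of prompts seen.

    Raises ValueError on a command that is not valid in the current view, which
    is the check an automation script should make before sending the line."""
    prompts = [start]
    for cmd in commands:
        if prompts[-1] == LOGGED_OUT:
            raise ValueError("session ended before %r" % cmd)
        nxt = next_prompt(prompts[-1], cmd, level)
        if nxt is None:
            raise ValueError("%r is not valid at %r" % (cmd, prompts[-1]))
        prompts.append(nxt)
    return prompts
```

Replaying the six commands from the transcript above starting at `<sysname>` reproduces exactly the prompts the transcript shows; replaying "interface GigabitEthernet 1/0/1" directly from the user view raises, which is the mistake the view hierarchy is meant to prevent.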

This section describes only the basic knowledge of command lines. For more information, see
the Command Reference and the configuration of each feature (sections ended with "-CLI") in
the Administrator Guide.

CLI Login Methods


Table 2-10 describes the methods that can be used to log in to the CLI.

Table 2-10 CLI login methods

Log in to the CLI through the Console port: When the NGFW fails to start or fails to connect to the network, you can log in to the CLI only through the Console port to rectify faults. This is the most secure way to log in to the CLI.
To log in to the CLI through the Console port, perform the following steps:
1. Use a serial cable to connect a serial port on the administrator's PC and the Console port on the main control board of the NGFW.
2. Start HyperTerminal on the PC (which runs Windows) or any other third-party program that supports Console.
3. Select the serial port used, and set parameters as follows to set up a connection:
l Bits per second: 9600
l Data bits: 8
l Parity: None
l Stop bits: 1
l Flow control: None
4. Click OK.
The copyright information is displayed in the HyperTerminal.
5. Enter the user name and password, and modify the default password as prompted to log in to the CLI.
The default user name is admin, and the default password is Admin@123.
For more information, see 5.1.1 Logging In to the CLI Through the Console Port.

Log in to the CLI using Telnet: Telnet allows you to remotely log in to a CLI through an Ethernet port. For more information, see 5.2.4.3 Example for Logging in to the CLI using the Telnet.
NOTICE
During Telnet login, data and passwords are transmitted in plaintext mode, causing security risks. To secure data transmission, use STelnet instead.

Log in to the CLI using STelnet: STelnet also allows you to remotely log in to a CLI through an Ethernet port. However, STelnet offers higher security than Telnet because STelnet uses encrypted packets. For details about how to use STelnet to log in to the CLI, see 5.2.4.5 Example for Logging In to the CLI Using STelnet (RSA Authentication).

Log in to the CLI through the CLI console on the Web UI: Log in to the Web UI, and click CLI Console on the lower right of the page. Then, click any place in the black background to log in to the CLI. For details about how to log in to the Web UI, see 2.3 Logging In to the Web UI.

Basic Skills
Table 2-11 describes the basic skills that help you efficiently run commands on the CLI.

Table 2-11 Basic skills

Obtaining help information about a command line: To obtain help information about a command line, enter ? on the CLI.
l To obtain information about all the commands that can be executed in a view, enter ? in the current view.
    <sysname> ?
    User view commands:
      backup-configuration Indicate backup configuration file for system startup
      cd Change current directory
      clock Specify the system clock
      ---- More ----
l To obtain information about all the keywords that may follow a keyword in a command, enter ? after the keyword.
    <sysname> language-mode ?
      Chinese Chinese environment
      English English environment
l To obtain information about all the keywords that start with a letter or a character string in a command, enter ? after the letter or character string.
    <sysname> display f?
      fastfeeling fib file-block file-detect
      firewall fragment-reassemble ftp-server ftp-users

Command-line completion: Command-line completion allows you to type the first few characters of a command and press Tab to fill in the rest of the item. If there are multiple matches and the current completion is not correct, you can press Tab repeatedly until the correct keyword is displayed.
    <sysname> display f #Press Tab.#
    <sysname> display firewall #Press Tab.#
    <sysname> display fib #Press Tab.#
    <sysname> display fragment-reassemble #After the correct keyword is displayed, press the space bar, and enter the next keyword.#

Error messages: If the command line entered contains incorrect keywords, the system displays an error message and stops executing the command after you press Enter.
The common error messages are as follows:
l Unrecognized command: The command line does not exist. It may contain incorrect commands or keywords.
l Wrong parameter: The parameter type is invalid, for example, the parameter value exceeds the value range or a character string is entered for a numeric parameter.
l Incomplete command: The command is incomplete.
l Too many parameters: The command contains unnecessary parameters.
l Ambiguous command: Multiple commands match the information entered. This error message is displayed when a shortened version of a command that has more than one interpretation was specified on the command line.

Shortcut keys for screen display:
l Ctrl+C: stops displaying information on the screen. When you have located the required information in a long list that cannot be displayed on a single screen, you can press Ctrl+C to stop displaying the subsequent information and return to the previous view.
l Space bar: displays the next screen.
l Return key: displays the next line.

Shortcut keys for invoking historical commands: The system stores the ten most recent commands for each administrator who has logged in to the CLI. The following shortcut keys can be used to invoke historical commands:
l Up arrow key or Ctrl+P: invokes the previous command.
l Down arrow key or Ctrl+N: invokes the next command.
You can search through the ten historical commands by pressing the shortcut keys multiple times.

2.2 Deployment Scenario


The position and deployment mode of the NGFW determine the network topology, IP address
allocation, and features to be deployed. Therefore, establish a clear data plan before the
deployment.

The initial configuration varies depending on the deployment scenario. Determine the
deployment scenario before initial configuration. Table 2-12 describes different deployment
scenarios:

Table 2-12 Selecting a deployment scenario

Initial network environment: the existing network has no gateways.
l Deployment plan: Deploy one NGFW as the gateway. Deployment scenario: 2.2.1 Scenario A: Layer-3 Gateway (Routing Mode)
l Deployment plan: Deploy two NGFWs that work in hot backup mode. Deployment scenario: 2.2.3 Scenario C: Hot Standby

Initial network environment: the existing network has one gateway.
l Deployment plan: Deploy one NGFW to replace the existing gateway. Deployment scenario: 2.2.1 Scenario A: Layer-3 Gateway (Routing Mode)
l Deployment plan: Transparently deploy an NGFW between the existing gateway and the intranet. Deployment scenario: 2.2.2 Scenario B: Layer-2 Switch (Transparent Mode)
l Deployment plan: Deploy two NGFWs that work in hot backup mode to replace the existing gateway. Deployment scenario: 2.2.3 Scenario C: Hot Standby

Initial network environment: the existing network has one NGFW.
l Deployment plan: Deploy one NGFW as the hot backup of the existing NGFW to improve reliability. Deployment scenario: 2.2.3 Scenario C: Hot Standby

Figure 2-8 shows the deployment scenarios.

Figure 2-8 Deployment scenarios

[The figure is not reproduced; the labels recovered from it are:]
l Scenario A: Layer-3 gateway (routing mode): Intranet, Server, NGFW, Egress gateway.
l Scenario B: Layer-2 switch (transparent mode): Marketing department, R&D department, Server, Intranet, NGFW, Egress gateway.
l Scenario C: dual-system hot backup: Intranet, NGFW_A, NGFW_B.
l Legend: Subnet, VLAN.

2.2.1 Scenario A: Layer-3 Gateway (Routing Mode)


In this scenario, the NGFW is deployed as a Layer-3 gateway, so service interfaces work at
Layer 3, the network layer, to ensure secure communication between the intranet and the Internet.
The IP addresses of these Layer-3 interfaces must belong to different subnets. Each Layer-3
interface connects to a separate subnet, and the NGFW forwards packets between these subnets.
In traditional firewall terminology, this deployment is often referred to as routing mode.

In this scenario, the IP address of each service interface is generally used as the default gateway
address for all the PCs on the subnet. Therefore, when deploying an NGFW as a Layer-3 gateway,
you may need to change the original network topology, routing data, and gateway configurations
on the PCs. When deploying an NGFW to replace the existing gateway, you are advised to reuse
the original gateway configurations related to the network layer protocols, such as IP addresses,
routing protocols, and DHCP. This eliminates the need to change the configurations of adjacent
devices.

When deployed as a Layer-3 gateway between the intranet and the Internet as shown in Figure
2-9, the NGFW also needs to translate between private addresses on the intranet and public
addresses on the Internet. In traditional firewall terminology, this deployment is often
referred to as NAT mode. The NGFW implements routing and NAT if the service interfaces
work at Layer 3, and implements transparent transmission if the service interfaces work at Layer
2.

The NGFW can be configured with both Layer-3 interfaces to implement Layer-3 gateway
functions and Layer-2 interfaces to implement Layer-2 bridging functions.

When deployed as a Layer-3 gateway, the NGFW provides more functions, improved packet
processing mechanisms, and enhanced security defense capabilities. The initial configuration
procedure is based on the deployment in Figure 2-9.

Figure 2-9 Layer-3 gateway networking

[The figure is not reproduced; the interface and address labels recovered from it are:]
l Trust: Intranet 10.3.0.0/24, connected to GE1/0/3 10.3.0.1/24
l DMZ: Server 10.2.0.0/24, connected to GE1/0/2 10.2.0.1/24
l Untrust: GE1/0/1 1.1.1.1/24
l Management: GE0/0/0 192.168.0.1/24; Administrator 192.168.0.2/24

The deployment procedure is as follows:

1. 5.1.2 Logging In to the Web UI Using HTTPS: Log in to the NGFW Web UI.
2. 2.4 Web UI Basics: Become familiar with the web-based configuration basics before performing the initial configuration on the Web UI.
3. 2.5 Initial Configuration of Scenario A (Layer-3 Gateway): Configure basic Internet access using the Startup Wizard.
4. 2.8 Registering an Account and Activating the License File: Activate the purchased licenses online.
5. 2.9 Updating the Signature Database: Update the embedded signature database to obtain the latest content security defense capabilities.
6. 2.10 Configuring Security Services: Perform basic security service configurations. Security services are the core services of the NGFW. You can select functions or adjust parameters according to this section.
7. 2.11 Advanced Configuration: Perform advanced configurations for the NGFW. You can configure functions based on site requirements.
8. 2.12 What's Next: Perform maintenance and management operations. You can obtain information about the common operations following the initial configuration, product documents, and more information about the NGFW in 2.12 What's Next.

2.2.2 Scenario B: Layer-2 Switch (Transparent Mode)


The NGFW can be deployed as a Layer-2 switch to implement Layer-2 switching and security
defense without changing the existing network topology.
In this deployment scenario, service interfaces work at Layer 2, the data-link layer. In this
deployment, the NGFW is deployed as a switch that connects to the existing gateway without
changing the network topology and configuration. Therefore, this deployment is also called the
transparent mode.
The NGFW implements routing and NAT if the service interfaces work at Layer 3, and
implements transparent switching if the service interfaces work at Layer 2.
The NGFW can be configured with both Layer-3 interfaces to implement Layer-3 gateway
functions and Layer-2 interfaces to implement Layer-2 switching functions.

When deployed as a Layer-2 switch, the NGFW transparently connects to the network without
changing the network topology and configurations of adjacent devices, and implements MAC
address-based traffic control for subnets. However, if all interfaces work at Layer 2, the device
cannot reach external networks and therefore cannot update its signature databases. Therefore,
reserve some Layer-3 interfaces. For example, reserve the management interface as a Layer-3
interface to allow the administrator to log in to the device. The initial configuration procedure
is based on the deployment in Figure 2-10.

Figure 2-10 Layer-2 switch networking

[The figure is not reproduced; the labels recovered from it are:]
l Trust side, Intranet 10.3.0.0/24: Marketing department (10.3.0.2 to 10.3.0.99, VLAN100) on GE1/0/2; R&D department (10.3.0.100 to 10.3.0.253, VLAN200) on GE1/0/3
l Untrust side: GE1/0/1 carrying VLAN100 and VLAN200, with 10.3.0.1/24 beyond it
l Management: GE0/0/0 192.168.0.1/24; Administrator 192.168.0.2/24

The deployment procedure is as follows:

1. 5.1.2 Logging In to the Web UI Using HTTPS: Log in to the NGFW Web UI.
2. 2.4 Web UI Basics: Become familiar with the web-based configuration basics before performing the initial configuration on the Web UI.
3. 2.6 Initial Configuration of Scenario B (Layer-2 Switch): Set the interface working mode and configure Layer-2 services, such as VLAN.
4. 2.8 Registering an Account and Activating the License File: Activate the purchased licenses online.
5. 2.9 Updating the Signature Database: Update the embedded signature database to obtain the latest content security defense capabilities.
6. 2.10 Configuring Security Services: Perform basic security service configurations. Security services are the core services of the NGFW. You can select functions or adjust parameters according to this section.
7. 2.11 Advanced Configuration: Perform advanced configurations for the NGFW. You can configure required functions based on site requirements.
8. 2.12 What's Next: Perform maintenance and management operations. You can obtain information about the common operations following the initial configuration, product documents, and more information about the NGFW in 2.12 What's Next.

2.2.3 Scenario C: Hot Standby


The hot standby mechanism implements uninterrupted service transmission to ensure high
availability.

In this deployment, two NGFWs working in hot backup mode are deployed to enhance system
availability. If one NGFW fails, the other takes over service processing, ensuring service
continuity.

The configuration of hot standby varies according to:

l Interface working mode: Layer 2 or Layer 3
l Devices connected to the NGFW: routers or switches
l Hot standby mode: active/standby mode or load-balancing mode
NOTE

l Active/Standby mode: Only one NGFW works at a time. If the active NGFW fails, the standby
NGFW becomes active and forwards all traffic.
l Load-balancing mode: Two NGFWs work at the same time. If one NGFW fails, the other forwards all
traffic.

This section describes the most common deployment scenario in which service interfaces work
at Layer 3, upstream and downstream devices are routers, and the two NGFWs work in load-
balancing mode. The initial configuration procedure is based on the deployment in Figure
2-11. For details about other scenarios, see 6.1 Hot Standby.
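A pre-deployment check of the address plan, as an added Python example that is not Huawei code and not part of this guide. It takes the addresses from Figure 2-9 (Scenario A) and Figure 2-11 (Scenario C) and verifies the three constraints these scenarios rely on: every Layer-3 interface on one device sits on its own subnet, the link between NGFW_A and NGFW_B has both ends on one subnet with distinct addresses, and the administrator PC at 192.168.0.2/24 is inside the management subnet of each device without clashing with the device address. The dictionary layout and rule set are this example's own assumptions.

```python
from ipaddress import ip_interface

# Constructed plans using the addresses in Figure 2-9 and Figure 2-11.
# Layout (assumption): device -> interface -> "address/prefix".
SCENARIO_A = {
    "NGFW": {"GE1/0/1": "1.1.1.1/24", "GE1/0/2": "10.2.0.1/24",
             "GE1/0/3": "10.3.0.1/24", "GE0/0/0": "192.168.0.1/24"},
}
SCENARIO_C = {
    "NGFW_A": {"GE1/0/1": "10.2.0.1/24", "GE1/0/3": "10.3.0.1/24",
               "GE1/0/7": "10.10.0.1/30", "GE0/0/0": "192.168.0.1/24"},
    "NGFW_B": {"GE1/0/1": "10.2.1.1/24", "GE1/0/3": "10.3.1.1/24",
               "GE1/0/7": "10.10.0.2/30", "GE0/0/0": "192.168.0.254/24"},
}
ADMIN_PC = "192.168.0.2/24"


def overlapping_interfaces(plan):
    """Return (device, if1, if2) for Layer-3 interfaces on the same device whose
    subnets overlap. A Layer-3 gateway needs each interface on a separate subnet,
    otherwise the routing table cannot pick a unique next-hop interface."""
    problems = []
    for dev, ifaces in plan.items():
        names = sorted(ifaces)
        for i, n1 in enumerate(names):
            for n2 in names[i + 1:]:
                net1 = ip_interface(ifaces[n1]).network
                net2 = ip_interface(ifaces[n2]).network
                if net1.overlaps(net2):
                    problems.append((dev, n1, n2))
    return problems


def peer_link_ok(plan, dev_a, dev_b, iface):
    """Hot standby: the link between the two NGFWs must have both ends on one
    subnet with different host addresses."""
    a = ip_interface(plan[dev_a][iface])
    b = ip_interface(plan[dev_b][iface])
    return a.network == b.network and a.ip != b.ip


def admin_can_reach(plan, pc_addr, mgmt_iface="GE0/0/0"):
    """The administrator PC must sit in the management subnet of every device
    and must not reuse a device's management address."""
    pc = ip_interface(pc_addr)
    for ifaces in plan.values():
        mgmt = ip_interface(ifaces[mgmt_iface])
        if pc.ip not in mgmt.network or pc.ip == mgmt.ip:
            return False
    return True


def check_plan(plan, pc_addr=ADMIN_PC, peer=None):
    """Run all checks; `peer` is (dev_a, dev_b, iface) for hot standby plans.
    Returns a list of human-readable findings (empty means the plan passes)."""
    findings = ["%s: %s and %s overlap" % p for p in overlapping_interfaces(plan)]
    if peer is not None and not peer_link_ok(plan, *peer):
        findings.append("peer link %s is not one subnet with distinct ends" % peer[2])
    if not admin_can_reach(plan, pc_addr):
        findings.append("administrator PC %s cannot reach every management interface" % pc_addr)
    return findings
```

Both plans from the figures pass. Feeding the checker a plan with, for example, one interface at 10.2.0.1/24 and another at 10.2.0.129/25 on the same device reports the overlap, and an administrator PC on 192.168.1.0/24 is flagged as unable to reach GE0/0/0.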

Figure 2-11 Hot standby networking

[The figure is not reproduced; the interface and address labels recovered from it are:]
l NGFW_A: GE1/0/3 10.3.0.1/24 (Trust), GE1/0/1 10.2.0.1/24 (Untrust), GE1/0/7 10.10.0.1/30 (link to NGFW_B), GE0/0/0 192.168.0.1/24
l NGFW_B: GE1/0/3 10.3.1.1/24 (Trust), GE1/0/1 10.2.1.1/24 (Untrust), GE1/0/7 10.10.0.2/30 (link to NGFW_A), GE0/0/0 192.168.0.254/24
l Intranet on the Trust side; Administrator 192.168.0.2/24

The deployment procedure is as follows:

1. 5.1.2 Logging In to the Web UI Using HTTPS: Log in to the NGFW Web UI.
2. 2.4 Web UI Basics: Become familiar with the web-based configuration basics before performing the initial configuration on the Web UI.
3. 2.7 Initial Configuration of Scenario C (Hot Standby): Plan and configure hot standby. You need to complete only the initial configuration on both NGFWs. Subsequent service configurations are performed on one NGFW and are automatically synchronized to the other NGFW.
4. 2.8 Registering an Account and Activating the License File: Activate the purchased licenses online. In hot standby networking, you must activate the licenses of both NGFWs.
5. 2.9 Updating the Signature Database: Update the embedded signature database to obtain the latest content security defense capabilities. In hot standby networking, you must update the signature databases of both NGFWs.
6. 2.10 Configuring Security Services: Perform basic security service configurations. Security services are the core services of the NGFW. You can select functions or adjust parameters according to this section.
7. 2.11 Advanced Configuration: Perform advanced configurations for the NGFW. You can configure required functions based on site requirements.
8. 2.12 What's Next: Perform maintenance and management operations. You can obtain information about the common operations following the initial configuration, product documents, and more information about the NGFW in 2.12 What's Next.

2.3 Logging In to the Web UI


By default, the device allows an administrator to log in to the NGFW web UI using HTTPS.

Prerequisites
The browser on the administrator PC must meet any of the following requirements:

l Internet Explorer: version 6.0 to 9.0


l Firefox (recommended): version 10.0 or later
l Chrome: version 17.0 or later
NOTE

When using Internet Explorer, you are advised to use version 7.0 or later.

Procedure
Step 1 Connect the network interface of the administrator PC to management interface GigabitEthernet
0/0/0 using network cables or layer-2 switches.
NOTE

The USG6310/6320 does not have any management interface. You need to connect GigabitEthernet 0/0/0 to the
network interface of the PC.

Step 2 Set the IP address of the administrator PC to an address in the range 192.168.0.2 to 192.168.0.254.

Step 3 Open the browser on the administrator PC. In the address box, enter the default IP address of
the GigabitEthernet 0/0/0 (https://192.168.0.1:8443).
NOTE

If you enter http://192.168.0.1, the device automatically switches to the more secure HTTPS to access the
web UI.
If the browser displays a notification for an insecure certificate, you can continue browsing. For security,
you are advised to configure a specified certificate after logging in to the device. For details, refer to
5.2.4.2 Example for Logging In to the Web UI Using HTTPS (Specified Certificate).
Click Open Source Software Notice on the web login page to view information about the open source
software used by the device.

Step 4 On the login page, enter the default user name admin and password Admin@123 of the system
administrator. Click Login.

NOTE

You can also use the default audit administrator account audit-admin (password Admin@123) to log in to
the device.
After three consecutive login failures, the web UI is automatically locked for 10 minutes, during which no
user can log in.

Step 5 Change the password of the default administrator account and click OK to access the web UI.
NOTE

To enhance security, a password must meet the minimum strength requirements: it must contain at least three
of the following four character types: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and
special characters, such as exclamation points (!), at signs (@), number signs (#), dollar signs ($), and percent
signs (%).
Keep the new password safe; you will need it for your next login.

----End
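The two rules stated in this procedure (three of four character classes for a password, and a 10-minute lockout after three consecutive failed logins) are easy to get subtly wrong, so here is an added example that models them in Python. It is not Huawei's code and does not talk to the device; the set of special characters beyond the five the guide names, and the credential check itself, are assumptions of the example.

```python
import string
import time

# Special characters accepted by the policy check. The guide names !, @, #, $
# and % as examples only, so the full set used here is an assumption.
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def password_meets_policy(password: str) -> bool:
    """True when at least three of the four character classes appear:
    uppercase letters, lowercase letters, digits, special characters."""
    classes = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIAL_CHARS for c in password),
    )
    return sum(classes) >= 3


class LoginGuard:
    """Counts consecutive failed logins and locks the web UI for 10 minutes
    after three of them, as the guide states. The clock is injectable so the
    lockout can be exercised without waiting."""

    MAX_FAILURES = 3
    LOCKOUT_SECONDS = 10 * 60

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = 0
        self._locked_until = None

    def is_locked(self) -> bool:
        if self._locked_until is None:
            return False
        if self._clock() >= self._locked_until:
            # The lockout has expired: clear it and the failure counter.
            self._locked_until = None
            self._failures = 0
            return False
        return True

    def attempt(self, username: str, password: str, verify) -> str:
        """Return 'locked', 'ok' or 'failed'. `verify(username, password)` is
        the credential check supplied by the caller (a stand-in here)."""
        if self.is_locked():
            return "locked"
        if verify(username, password):
            self._failures = 0
            return "ok"
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self._locked_until = self._clock() + self.LOCKOUT_SECONDS
        return "failed"


def demo() -> list:
    """Constructed walk-through: three wrong passwords, then the right one
    while locked, then the right one after the lockout has expired."""
    now = [0.0]
    guard = LoginGuard(clock=lambda: now[0])

    def verify(user, pw):
        # Stand-in credential check using the guide's default account.
        return (user, pw) == ("admin", "Admin@123")

    results = [guard.attempt("admin", "wrong", verify) for _ in range(3)]
    results.append(guard.attempt("admin", "Admin@123", verify))
    now[0] = LoginGuard.LOCKOUT_SECONDS + 1
    results.append(guard.attempt("admin", "Admin@123", verify))
    return results


if __name__ == "__main__":
    print(password_meets_policy("Admin@123"), password_meets_policy("admin123"))
    print(demo())
```

The injected clock is the part worth copying: lockout logic that reads the wall clock directly cannot be tested without sleeping for ten minutes, and untested lockout code is where off-by-one errors in the attempt counter hide.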

Follow-up Procedure
Use HTTPS to log in to the web UI for management and configuration. You can also create more
administrators. For details, refer to 5.2 Administrators.

2.4 Web UI Basics


This section describes the common elements of the Web UI and their uses.

Functional Areas
The NGFW Web UI is divided into five functional areas:

Figure 2-12 Web UI functional areas

[Figure: screenshot of the Web UI with the five areas labeled: tabs, buttons, navigation tree, operation area, and CLI console]

Table 2-13 Description of functional areas

Area: Buttons
l Current user: displays the online administrator.
l Commit: applies the changes to security profiles.
l Save: saves all configurations in the profile to avoid data loss after reset.
l Help: displays the online help of the current page.
l About: displays the current software version and copyright information.
l Modify Password: changes the password of the current administrator.
l Logout: securely logs out of the system.

Area: Tabs
Based on the deployment roadmap laid out in 2.1.2 Next Generation Firewall, the NGFW is divided into six modules:
l System: used to configure the basic information about the NGFW to enable the NGFW to work.
l Network: used to configure network layer protocols to ensure Internet access.
l Object: used to create common objects that can be referenced by multiple policies to simplify policy configuration.
l Policy: used to configure multiple service policies to control traffic forwarding and prevent network threats, ensuring network security.
l Monitor: used to display system logs and reports, which provide visibility into the device and network status and facilitate policy making and configuration adjustment.
l Dashboard: used to display system information in real time and monitor whether the system is running properly.

Area: Navigation tree
After you click a tab, the corresponding menus are displayed in the navigation tree. You can click a menu to configure functions.

Area: Operation area
After you choose a menu, the configuration page is displayed in the operation area.

Area: CLI console
The Web UI provides a CLI console for you to configure advanced functions. To use the CLI console, perform the following operations:
l To display the CLI, click CLI Console in the lower right corner.
l To start command configuration, click the black background of the CLI.
l To minimize the CLI, click the title bar of the CLI.
To the upper right of the CLI are three buttons, which have the following functions:
l [icon]: disconnects from the CLI and releases related system session resources. After disconnection, you can click the black background to reconnect to the CLI.
l [icon]: clears the information displayed on the current CLI without disconnecting the CLI.
l [icon]: minimizes the CLI. You can also click the title bar to minimize the CLI.

Configuration List Tables


You can configure multiple entries for one function to control different traffic. These entries are
displayed in tables on the Web UI. Each table consists of four areas:

Figure 2-13 Table areas

[Figure: screenshot of a configuration list table with four labeled areas: icons, query area, entry area, and page navigation toolbar]

Table 2-14 Table areas

Area: Icons
You can use the following icons to manage table entries:
l Add: creates a configuration entry. Click Add to access the configuration page of the function. After an entry is created, it is displayed in the table.
l Delete: deletes one or more entries. Select one or more entries and click Delete to delete them. To select all entries, select the check box to the left of the table header.
  NOTICE
  Deleting certain entries may adversely affect traffic. Therefore, exercise caution when you delete entries.
  Referenced entries can be deleted only after you remove their references from other features.
  Predefined entries cannot be deleted, which ensures system and network security. These entries have low priorities and therefore do not affect user-defined entries.
l Copy: clones an existing entry. Select an entry, click Copy, and change certain parameters, such as the name, to differentiate the new entry from the original.
l Move: adjusts entry priorities. Entries in certain tables are prioritized and displayed in descending order of priority. Once an entry is matched, the traffic matching process ends. Select an entry and click Move to move it above or below another entry.
l Insert: adds a new entry above the current entry. Select an entry and click Insert to insert a new entry above the selected entry. The new entry takes priority over the selected entry.
l Enable: enables the selected entries in a batch.
l Disable: disables the selected entries in a batch.

Area: Query area
The search function helps you rapidly locate an entry to be modified among multiple entries. Tables generally provide two search methods:
l Search: Enter or select search conditions (generally the entry name) and click Search. The system filters entries based on the search conditions.
l Advanced Search: Click Advanced Search and set the search conditions in the dialog box that is displayed to precisely filter entries.

Area: Entry area
The entry area displays all existing entries. Each entry is displayed in columns for easy search and comparison.
An edit button is displayed to the right of each entry for entry modification. To modify an entry that has grayed-out parameters, clone the entry, change the parameters, save the entry, and delete the original entry.

Area: Page navigation toolbar
The page navigation toolbar allows you to switch to another page and set the number of entries per page. It provides the first, previous, current, next, and last page controls, the total number of pages, and the number of entries per page.
Selecting the check box to the left of the table header selects only the entries on the current page. Therefore, the page navigation toolbar is useful when you delete entries.

2.5 Initial Configuration of Scenario A (Layer-3 Gateway)


This section describes how to perform initial configuration after determining the deployment
scenario and installing the NGFW to implement proper network communication.

2.5.1 Data Collection


Collect and plan data, such as the interfaces and IP addresses of each network device, based on
the deployment scenario.

Context
Before starting the initial configuration, collect and record the configuration data required for
the network plan. The example values given in the following tables are based on the networking
in 2.2.1 Scenario A: Layer-3 Gateway (Routing Mode).

Procedure
Step 1 Plan the IP addresses and security zones of the WAN, DMZ, and LAN interfaces as follows:

Item: WAN interface
Description and example: The interface connected to the Internet. Obtain the public IP address of the WAN interface from the Internet Service Provider (ISP).
  Parameter example: Interface: GigabitEthernet 1/0/1; IP address: 1.1.1.1/24; Security zone: Untrust
Actual value (WAN interface): Interface: _______________; IP address: ___.___.___.___/___; Security zone: _______________

Item: DMZ interface
Description and example: The interface connected to the subnet where the servers reside. Plan the private subnet for the DMZ interface.
  Parameter example: Interface: GigabitEthernet 1/0/2; IP address: 10.2.0.1/24; Security zone: DMZ
Actual value (DMZ interface): Interface: _______________; IP address: ___.___.___.___/___; Security zone: _______________

Item: LAN interface
Description and example: The interface connected to the intranet. Plan the private subnet for the LAN interface.
  Parameter example: Interface: GigabitEthernet 1/0/3; IP address: 10.3.0.1/24; Security zone: Trust
Actual value (LAN interface): Interface: _______________; IP address: ___.___.___.___/___; Security zone: _______________

Step 2 Collect the ISP's service information.


l If the WAN interface uses a static IP address to access the Internet, specify the IP addresses
of the default gateway and DNS server. Contact the ISP for these parameters.
l If the WAN interface uses PPPoE dial-up to access the Internet, set the PPPoE user name
and password. Contact the ISP for these parameters.

In this section, a static IP address is used as an example.

Item: IP addresses of the default gateway and DNS server
Example: Default gateway: 1.1.1.254; Primary DNS server: 10.2.0.70; Secondary DNS server: 10.2.0.71
Actual value: Default gateway: ___.___.___.___; Primary DNS server: ___.___.___.___; Secondary DNS server: ___.___.___.___

Item: User name and password for PPPoE dial-up
Example: -
Actual value: User Name: _______________; Password: _______________

Step 3 Collect the device registration information.

Item: Activation Password
Description and example: The Activation Password is written on the license authorization certificate in hard copy or on the CD-ROM delivered with the product. The Activation Password consists of 21 characters, including digits, letters, and hyphens (-). Example: ON00002809-A550EXXXXX
Actual value: __________________________________________

Item: ESN
Description and example: The Equipment Serial Number (ESN) uniquely identifies a device. Log in to the Web UI, and click the Dashboard tab. The ESN is displayed in System Information. Example: 210235G6RSXXXXXXXXXX
Actual value: __________________________________________

Item: License file
Description and example: Log in to http://app.huawei.com/isdp and obtain the license file according to the procedure in the system help or displayed information.
Actual value: -

----End

2.5.2 The Startup Wizard


The Startup Wizard helps you quickly set the basic parameters.

Context
This section uses the networking data in 2.2.1 Scenario A: Layer-3 Gateway (Routing
Mode) and planned data in 2.5.1 Data Collection to describe how to use the Startup Wizard.
The actual data may vary with site configuration.

Procedure
Step 1 The system displays the Startup Wizard upon your first login. If the Startup Wizard is not
displayed, choose System > Wizard > Startup Wizard.

Step 2 On the welcome page, click Next.

Step 3 Set the host name, change the administrator password, and click Next.

The host name uniquely identifies a device on a network.

Step 4 Set the system time, and click Next.

Step 5 Set WAN Mode to Static IP, and click Next.

Step 6 Select a WAN interface, set its IP address, and set the IP addresses of the default gateway and
DNS servers. Then click Next.

Step 7 Set the IP address of the LAN interface and click Next.

Step 8 Enable DHCP for the LAN, use the default IP address range, and click Next. This IP address
range is the subnet where the LAN interface resides.

Step 9 Confirm the configured information, select Do not display this page upon the next login at
the lower left corner, and click Apply.

Step 10 Click Finish after a message is displayed indicating that the initial configuration is complete.

----End

Follow-up Procedure
By default, the wizard enables a security policy for the interzone between the Trust zone and
Untrust zone. This policy allows all intranet users to access the Internet. For security, you are
advised to configure a security policy that strictly controls the data flows allowed to access the Internet.
For details, see 2.10.5 Configuring a Security Policy.

2.5.3 Testing the Network Connection


This section describes how to verify the connection between the intranet and the Internet after
the initial configuration is complete.

Procedure
Step 1 Choose Monitor > Diagnosis Center to verify whether the NGFW is connected to the Internet.

Step 2 Click Ping.

Step 3 In Host Name or IP Address, enter a URL, for example, www.example.com, and click Ping.

The system displays the ping result.

l The NGFW is connected to the Internet if information similar to the following is displayed:
PING www.example.com (192.0.43.10): 56 data bytes, press CTRL_C to break
Reply from 192.0.43.10: bytes=56 Sequence=1 ttl=239 time=392 ms
Reply from 192.0.43.10: bytes=56 Sequence=2 ttl=239 time=367 ms
Reply from 192.0.43.10: bytes=56 Sequence=3 ttl=239 time=499 ms
Reply from 192.0.43.10: bytes=56 Sequence=4 ttl=239 time=358 ms
Reply from 192.0.43.10: bytes=56 Sequence=5 ttl=239 time=345 ms

--- www.example.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 345/392/499 ms

l If the NGFW is not connected to the Internet, troubleshoot the fault based on the error displayed, as
follows:

Error: Ping: unknown host www.example.com
  The domain name is not correctly resolved, which indicates that the DNS server is not configured or is
  incorrectly configured, so the NGFW cannot communicate with the DNS server. Obtain the correct DNS
  server address from the ISP. Choose Network > DNS > DNS to configure the DNS server. For details, see
  8.3 DNS.

Request time out
  The domain name is resolved into a correct IP address, but no echo reply is received from this IP
  address. This indicates that the NGFW is not connected to the Internet. Run the Startup Wizard or
  contact the ISP to resolve the problem.

Step 4 After the NGFW is connected to the Internet, try to access a website from a host on the intranet
to check whether the intranet is connected to the Internet.
l If yes, the intranet is connected to the Internet. The initial configuration is complete.
l If no, choose Monitor > Diagnosis Center, click Web Page Diagnosis, enter the IP address
of the intranet host and the URL to be accessed, and click Diagnose. Troubleshoot faults
based on the diagnosis information.

----End
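As an added example (not part of the guide), the following Python classifies Diagnosis Center ping output into the three outcomes this section describes and maps each to the follow-up the guide recommends. The three sample outputs are constructed to match the formats shown above; that a timed-out probe prints exactly the string "Request time out" from the table is an assumption of the example.

```python
import re

# Constructed sample outputs in the format the Diagnosis Center shows.
PING_OK = """\
PING www.example.com (192.0.43.10): 56 data bytes, press CTRL_C to break
Reply from 192.0.43.10: bytes=56 Sequence=1 ttl=239 time=392 ms
Reply from 192.0.43.10: bytes=56 Sequence=2 ttl=239 time=367 ms
Reply from 192.0.43.10: bytes=56 Sequence=3 ttl=239 time=499 ms
Reply from 192.0.43.10: bytes=56 Sequence=4 ttl=239 time=358 ms
Reply from 192.0.43.10: bytes=56 Sequence=5 ttl=239 time=345 ms

--- www.example.com ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 345/392/499 ms
"""
PING_UNKNOWN_HOST = "Error: Ping: unknown host www.example.com\n"
PING_TIMEOUT = """\
PING www.example.com (192.0.43.10): 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- www.example.com ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
"""

REPLY_RE = re.compile(r"^Reply from (\S+): bytes=\d+ Sequence=\d+ ttl=\d+ time=(\d+) ms$")
STATS_RE = re.compile(r"^(\d+) packet\(s\) (transmitted|received)$")


def classify_ping(output: str) -> dict:
    """Parse ping output and return a verdict plus the follow-up the guide
    recommends: 'connected', 'dns' (name not resolved) or 'unreachable'
    (name resolved but no echo reply)."""
    rtts, timeouts = [], 0
    transmitted = received = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Error: Ping: unknown host"):
            return {"verdict": "dns", "replies": 0,
                    "action": "Obtain the correct DNS server address from the ISP "
                              "and configure it under Network > DNS > DNS."}
        m = REPLY_RE.match(line)
        if m:
            rtts.append(int(m.group(2)))
            continue
        if line == "Request time out":
            timeouts += 1
            continue
        m = STATS_RE.match(line)
        if m:
            if m.group(2) == "transmitted":
                transmitted = int(m.group(1))
            else:
                received = int(m.group(1))
    if rtts:
        loss = None
        if transmitted and received is not None:
            loss = 100.0 * (transmitted - received) / transmitted
        return {"verdict": "connected", "replies": len(rtts),
                "avg_ms": sum(rtts) // len(rtts), "loss_pct": loss,
                "action": "Proceed to test from an intranet host."}
    return {"verdict": "unreachable", "replies": 0, "timeouts": timeouts,
            "action": "Name resolved but no echo reply: run the Startup Wizard "
                      "or contact the ISP."}


if __name__ == "__main__":
    for sample in (PING_OK, PING_UNKNOWN_HOST, PING_TIMEOUT):
        print(classify_ping(sample))
```

The distinction the parser preserves is the one that matters for troubleshooting: an "unknown host" line means the DNS path is broken before any packet leaves, while reply lines or timeouts prove resolution worked and move the fault to the default route or the ISP link.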

2.6 Initial Configuration of Scenario B (Layer-2 Switch)


You can deploy the NGFW as a Layer-2 switch by setting the NGFW interfaces to work at Layer
2.

2.6.1 Obtaining Data


Collect and plan data, such as the interfaces and VLANs of each network device, based on the
deployment scenario.

Context
Before starting the initial configuration, collect and record the configuration data based on the
network plan. The example values given in the following tables are based on the networking in
2.2.2 Scenario B: Layer-2 Switch (Transparent Mode).

Procedure
Step 1 Plan the IP addresses and security zones of the WAN, DMZ, and LAN interfaces as follows:

Category: Interface for connecting to the egress gateway
Example value: Interface ID: GigabitEthernet 1/0/1; Interface type: trunk; VLAN: 100 and 200; Security zone: Untrust
Actual value: Interface ID: _______________; Interface type: trunk; VLAN: _______________; Security zone: _______________

Category: Interface for connecting to the marketing & sales (M&S) department
Example value: Interface ID: GigabitEthernet 1/0/2; Interface type: access; VLAN: 100; Security zone: Trust
Actual value: Interface ID: _______________; Interface type: access; VLAN: ______; Security zone: _______________

Category: Interface for connecting to the research and development (R&D) department
Example value: Interface ID: GigabitEthernet 1/0/3; Interface type: access; VLAN: 200; Security zone: Trust
Actual value: Interface ID: _______________; Interface type: access; VLAN: ______; Security zone: _______________

Step 2 Collect device registration information.

Item: Activation Password
Description and example: The Activation Password is written on the license authorization certificate in hard copy or on the CD-ROM delivered with the product. The Activation Password consists of 21 characters, including digits, letters, and hyphens (-). Example: ON00002809-A550EXXXXX
Actual value: __________________________________________

Item: ESN
Description and example: The Equipment Serial Number (ESN) uniquely identifies a device. Log in to the Web UI, and click the Dashboard tab. The ESN is displayed in System Information. Example: 210235G6RSXXXXXXXXXX
Actual value: __________________________________________

Item: License file
Description and example: Log in to http://app.huawei.com/isdp and obtain the license file according to the procedure in the system help or displayed information.
Actual value: -

----End

2.6.2 Configuring Layer-2 Interfaces and VLANs


By setting the interface working mode to switching mode, you can use Layer-2 interfaces to
transparently access the network.

Context
This section uses the networking data in 2.2.2 Scenario B: Layer-2 Switch (Transparent
Mode) and the planned data in 2.6.1 Obtaining Data as examples to describe how to configure
Layer-2 interfaces and VLANs. The actual data may vary with site configuration.

Procedure
Step 1 Log in to the web page.
NOTE
The system displays the Startup Wizard upon your first login. Layer-2 access cannot be configured using the
Startup Wizard. Therefore, select Do not display this page upon the next login in the lower left corner in the
Startup Wizard and click Cancel to exit the Startup Wizard.

Step 2 Choose Network > Interface.

Step 3 In the interface list, click the edit button for GE1/0/1 and set the following parameters of GE1/0/1. Retain
the default values for other parameters.

Zone untrust

Mode Switching

Connection Type Trunk

Trunk VLAN ID 1, 100, and 200

Default VLAN ID 1

Step 4 Click OK.

Step 5 Refer to steps 3 and 4 to set the following parameters of the GE1/0/2 interface.

Zone trust

Mode Switching

Connection Type Access

Access VLAN ID 100

Step 6 Refer to steps 3 and 4 to set the following parameters of the GE1/0/3 interface.

Zone trust

Mode Switching

Connection Type Access

Access VLAN ID 200

Step 7 Choose Object > Address > Address.

Step 8 Click Add. Based on the following parameters, create an address object to specify the IP address
segment for the M&S department.

Name address_marketing

IP/Range or MAC 10.3.0.2-10.3.0.99

Step 9 Click OK.

Step 10 Click Add. Based on the following parameters, create an address object to specify the IP address
segment for the R&D department. Then, click OK.

Name address_research

IP/Range or MAC 10.3.0.100-10.3.0.253

Step 11 Choose Policy > Security Policy > Security Policy.

Step 12 Click Add. Based on the following parameters, create a security policy to allow for the
communication between the M&S department host and the egress gateway.

Name policy_sec_marketing

Source Zone trust

Destination Zone untrust

Source Address/Region address_marketing

Destination Address/Region any

Action Permit

Step 13 Click OK.

Step 14 Click Add. Based on the following parameters, create a security policy to allow for the
communication between the R&D department host and the egress gateway. Then, click OK.

Name policy_sec_research

Source Zone trust

Destination Zone untrust

Source Address/Region address_research

Destination Address/Region any

Action Permit

----End
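To see how the entries created in this procedure behave together, here is an added Python model (not Huawei's code) of the two address objects, the two security policies and the three Layer-2 interface settings, evaluated the way Table 2-14 describes for prioritized entries: first match wins. It assumes that traffic matching no policy is denied, and its VLAN forwarding function is a simplified model of trunk/access behaviour rather than the NGFW's switching implementation.

```python
import ipaddress

# Address objects from steps 8 and 10: name -> inclusive IPv4 range.
ADDRESS_OBJECTS = {
    "address_marketing": ("10.3.0.2", "10.3.0.99"),
    "address_research": ("10.3.0.100", "10.3.0.253"),
}

# Security policies from steps 12 and 14, in priority order (first match wins).
POLICIES = [
    {"name": "policy_sec_marketing", "src_zone": "trust", "dst_zone": "untrust",
     "src": "address_marketing", "dst": "any", "action": "permit"},
    {"name": "policy_sec_research", "src_zone": "trust", "dst_zone": "untrust",
     "src": "address_research", "dst": "any", "action": "permit"},
]

# Layer-2 interface settings from steps 3 to 6. default_vlan is the trunk's
# Default VLAN ID; for an access port it is simply its access VLAN.
INTERFACES = {
    "GE1/0/1": {"zone": "untrust", "type": "trunk", "vlans": {1, 100, 200}, "default_vlan": 1},
    "GE1/0/2": {"zone": "trust", "type": "access", "vlans": {100}, "default_vlan": 100},
    "GE1/0/3": {"zone": "trust", "type": "access", "vlans": {200}, "default_vlan": 200},
}


def address_matches(obj_name: str, ip: str) -> bool:
    """True when `ip` falls inside the named address object ('any' matches all)."""
    if obj_name == "any":
        return True
    first, last = ADDRESS_OBJECTS[obj_name]
    addr = ipaddress.IPv4Address(ip)
    return ipaddress.IPv4Address(first) <= addr <= ipaddress.IPv4Address(last)


def evaluate(src_zone: str, dst_zone: str, src_ip: str, dst_ip: str) -> tuple:
    """Return (policy name, action) of the first matching entry. Traffic that
    matches no entry gets ('default', 'deny'); that the implicit default
    action is deny is an assumption of this example."""
    for policy in POLICIES:
        if (policy["src_zone"] == src_zone and policy["dst_zone"] == dst_zone
                and address_matches(policy["src"], src_ip)
                and address_matches(policy["dst"], dst_ip)):
            return policy["name"], policy["action"]
    return "default", "deny"


def egress_ports(in_if: str, tag) -> dict:
    """Simplified VLAN forwarding: for a frame entering `in_if` with 802.1Q
    tag `tag` (None = untagged), return {out_if: tag_on_wire} for every
    other port that carries the frame's VLAN. Access ports send untagged;
    trunks send tagged except for their default VLAN. A frame whose VLAN
    is not allowed on the ingress port is dropped (empty dict)."""
    cfg = INTERFACES[in_if]
    vlan = cfg["default_vlan"] if tag is None else tag
    if vlan not in cfg["vlans"]:
        return {}
    out = {}
    for name, port in INTERFACES.items():
        if name == in_if or vlan not in port["vlans"]:
            continue
        untagged = port["type"] == "access" or vlan == port["default_vlan"]
        out[name] = None if untagged else vlan
    return out


if __name__ == "__main__":
    print(evaluate("trust", "untrust", "10.3.0.50", "203.0.113.5"))
    print(evaluate("trust", "untrust", "10.3.0.254", "203.0.113.5"))
    print(egress_ports("GE1/0/2", None), egress_ports("GE1/0/1", 300))
```

Two things the model makes visible: an intranet host outside both address ranges (10.3.0.254, for instance) matches neither policy and is dropped, and a frame tagged with a VLAN that the trunk does not carry never reaches an access port regardless of what the security policy says, because the VLAN check happens first.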

Follow-up Procedure
To enable the communication between hosts on a VLAN and between different VLANs, you
must set the required VLAN parameters on the egress gateway connected to the NGFW. For the
parameter setting procedure, refer to the document matching the egress gateway that you use.
When you set the parameters, meet the following requirements:

1. The interface for connecting the egress gateway to the NGFW must support access from
VLAN100 and VLAN200. To enable this, use either of the following methods based on
the site requirement:
l If a Layer-2 interface is used, set its working mode to Trunk mode to allow for the access
from VLAN100 and VLAN200.
l If a Layer-3 interface is used, create two subinterfaces on it and add the subinterfaces
to VLAN100 and VLAN200 separately.
2. Set the IP addresses and routing information of the Vlanif interfaces for VLAN100 and
VLAN200 so VLAN100 and VLAN200 can communicate with each other.

2.6.3 Testing the Network Connection


This section describes how to test the connection between the intranet and the Internet after the
initial configuration is complete.

Procedure
Step 1 Verify that the NGFW is properly connected to the Internet.

No IP address can be set for an interface that is switched to Layer 2. If all the interfaces of the
NGFW work at Layer 2, the NGFW cannot communicate with other IP addresses. To test whether
the NGFW has been initialized successfully, you can test whether the hosts on the intranet can
properly connect to the Internet. If they can properly connect to the Internet, the NGFW has
been initialized successfully.

Step 2 Verify that the egress gateways connected to the NGFW are correctly connected to the Internet.
Then, check whether you can visit a website from a host on the intranet.
l If yes, the intranet is connected to the Internet, and the initial configuration is complete.
l If no, choose Monitor > Diagnosis Center and click Web Page Diagnosis. Enter the IP
address of the host and the URL to the website. Then, click Diagnose. Troubleshoot the
problem based on the diagnosis results until the host can properly connect to the Internet.

----End

2.7 Initial Configuration of Scenario C (Hot Standby)


In scenario C, two NGFWs are deployed in hot standby mode. When one NGFW fails, the other
NGFW rapidly takes over services, ensuring service continuity.

2.7.1 Data Collection


The network topology and address allocation are key to hot standby networks and must be
planned before configuration.

Context
Before starting the initial configuration, collect and record the configuration data based on the
network plan. The example values given in the following tables are based on the networking in
2.2.3 Scenario C: Hot Standby.

Procedure
Step 1 Plan the IP addresses and security zones of the WAN, DMZ, and LAN interfaces as follows:

Item: WAN interface
Description and example: The interface connected to the Internet. The WAN interfaces on both NGFWs must have the same port number. Obtain two public IP addresses from the ISP.
  WAN interface on NGFW_A: Interface: GigabitEthernet 1/0/1; IP address: 10.2.0.1/24; Security zone: Untrust
  WAN interface on NGFW_B: Interface: GigabitEthernet 1/0/1; IP address: 10.2.1.1/24; Security zone: Untrust
Actual value:
  WAN interface on NGFW_A: Interface: _______________; IP address: ___.___.___.___/___; Security zone: _______________
  WAN interface on NGFW_B: Interface: _______________; IP address: ___.___.___.___/___; Security zone: _______________

Item: LAN interface
Description and example: The interface connected to the intranet. Plan the private subnets for the LAN interfaces on both NGFWs. The LAN interfaces on both NGFWs must be consistent.
  LAN interface on NGFW_A: Interface: GigabitEthernet 1/0/3; IP address: 10.3.0.1/24; Security zone: Trust
  LAN interface on NGFW_B: Interface: GigabitEthernet 1/0/3; IP address: 10.3.1.1/24; Security zone: Trust
Actual value:
  LAN interface on NGFW_A: Interface: _______________; IP address: ___.___.___.___/___; Security zone: _______________
  LAN interface on NGFW_B: Interface: _______________; IP address: ___.___.___.___/___; Security zone: _______________

Item: Heartbeat interface
Description and example: Transfers heartbeat packets and configuration backup information between the two NGFWs. On each NGFW, configure a dedicated interface as the heartbeat interface and plan a private subnet for it. The heartbeat interfaces on both NGFWs must be configured with the same port number and belong to the same subnet.
  Heartbeat interface on NGFW_A: Interface: GigabitEthernet 1/0/7; IP address: 10.10.0.1/24; Security zone: DMZ
  Heartbeat interface on NGFW_B: Interface: GigabitEthernet 1/0/7; IP address: 10.10.0.2/24; Security zone: DMZ
Actual value:
  Heartbeat interface on NGFW_A: Interface: _______________; IP address: ___.___.___.___/___; Security zone: _______________
  Heartbeat interface on NGFW_B: Interface: _______________; IP address: ___.___.___.___/___; Security zone: _______________

Step 2 Collect the device registration information.

Item: Activation Password
Description and example: The Activation Password is written on the license authorization certificate in hard copy or on the CD-ROM delivered with the product. The Activation Password consists of 21 characters, including digits, letters, and hyphens (-). Example: ON00002809-A550EXXXXX
Actual value: __________________________________________

Item: ESN
Description and example: The Equipment Serial Number (ESN) uniquely identifies a device. Log in to the Web UI, and click the Dashboard tab. The ESN is displayed in System Information. Example: 210235G6RSXXXXXXXXXX
Actual value: __________________________________________

Item: License file
Description and example: Log in to http://app.huawei.com/isdp and obtain the license file according to the procedure in the system help or displayed information.
Actual value: -

NOTE

In hot standby scenarios, you must apply for a license for each NGFW.

Step 3 Plan the management interface data.

Item: Management interface
Description and example: The IP addresses of the default management interfaces on both NGFWs are 192.168.0.1. When the IP addresses of the management interfaces on both NGFWs are the same, you can log in to only one of them at a time. To enable concurrent login to both of them, change one of the two IP addresses.
  Management interface on NGFW_A: Interface: GigabitEthernet 0/0/0; IP address: 192.168.0.1/24; Security zone: Trust
  Management interface on NGFW_B: Interface: GigabitEthernet 0/0/0; IP address: 192.168.0.254/24; Security zone: Trust
Actual value:
  Management interface on NGFW_A: Interface: GigabitEthernet 0/0/0; IP address: 192.168.0.1/24; Security zone: Trust
  Management interface on NGFW_B: Interface: GigabitEthernet 0/0/0; IP address: ___.___.___.___/___; Security zone: Trust

----End

2.7.2 Hot Standby Configuration


After configuring hot standby, most services need to be configured only on the active NGFW.
The standby NGFW automatically synchronizes service configurations with the active
NGFW.

Context
This section uses the networking data in 2.2.3 Scenario C: Hot Standby and planned data in
2.7.1 Data Collection to describe how to configure hot standby. The actual data may vary with
site configuration.

Hot standby configurations consist of three parts:

1. Configure different interface IP address data for the two NGFWs.


2. Configure hot standby and OSPF data for each NGFW.


3. Configure service data only on the active NGFW. The standby NGFW automatically
synchronizes service configurations with the active NGFW.

The configuration procedures on both NGFWs must use the same port number. The tables in
this section list the parameters of both NGFWs for comparison.

Procedure
Step 1 The system automatically displays the Startup Wizard upon your first login. The Startup
Wizard does not apply to hot standby scenarios. Select Do not display this page upon the next
login at the lower left corner and click Cancel to exit the Startup Wizard.

Step 2 Set the IP addresses for the interfaces.


1. Choose Network > Interface.

2. In the interface list, click for GE1/0/1, and set the following parameters of GE1/0/1.
Retain the default values for the other parameters.

Parameter | NGFW_A | NGFW_B
Zone | untrust | untrust
Mode | Route | Route
IPv4
Connection Type | Static IP | Static IP
IP Address | 10.2.0.1/24 | 10.2.1.1/24

3. Click OK.
4. Repeat Step 2.1 to Step 2.3 to set the following parameters of the GE1/0/3 interface.

Parameter | NGFW_A | NGFW_B
Zone | trust | trust
Mode | Route | Route
IPv4
Connection Type | Static IP | Static IP
IP Address | 10.3.0.1/24 | 10.3.1.1/24

5. Repeat Step 2.1 to Step 2.3 to set the following parameters of the GE1/0/7 interface.

Parameter | NGFW_A | NGFW_B
Zone | dmz | dmz
Mode | Route | Route
IPv4
Connection Type | Static IP | Static IP
IP Address | 10.10.0.1/30 | 10.10.0.2/30

6. Change the default IP address of the management interface on NGFW_B to avoid IP address
conflicts. This setting allows you to log in to both NGFWs at the same time. Repeat the
preceding steps to change the following parameters of the GE0/0/0 interface on
NGFW_B.

NOTICE
Changing the IP address of the management interface disconnects you from the Web UI.
Therefore, after changing the IP address, access http://192.168.0.254 again to log in to
NGFW_B.

Parameter | NGFW_B
Zone | trust
Mode | Route
IPv4
Connection Type | Route
IP Address | 192.168.0.254/24

Step 3 Configure OSPF routes to enable active/standby switchovers and route adjustment in the event
of network failures.
1. Choose Network > Router > OSPF.
2. Click Add to configure OSPF processes using the following parameters. Retain the default
values for the other parameters.

Parameter | NGFW_A | NGFW_B
Type | OSPFv2 | OSPFv2
Process ID | 1 | 1

3. Click OK.

4. Click of process 1 in OSPF Process List.


5. Choose Basic Configuration > Area Settings.
6. Click Add to add an upstream subnet using the following parameters.


Parameter | NGFW_A | NGFW_B
Area | 0 | 0
IP Network | 10.2.0.0 | 10.2.1.0
Mask/Wildcard Mask | 0.0.0.255 | 0.0.0.255

7. Click OK.
8. Repeat Step 3.1 to Step 3.7 to add downstream subnets in Area 0 of Process 1 using the
following parameters.

Parameter | NGFW_A | NGFW_B
Area | 0 | 0
IP Network | 10.3.0.0 | 10.3.1.0
Mask/Wildcard Mask | 0.0.0.255 | 0.0.0.255

9. Click Close to return to the OSPF Process List.
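The following script is an added example, not part of this guide or of the NGFW software. It takes the interface plan from Step 2 (the heartbeat addresses use the /30 values configured there), checks the constraints the planning tables state (heartbeat interfaces on the same port, in the same zone and subnet; management interfaces with different addresses; the same zone for each port on both NGFWs), and derives the Area 0 IP Network and wildcard mask entries of Step 3 from the upstream and downstream interface addresses. The dictionary layout and the helper names plan_check, wildcard, and ospf_networks are assumptions made for this example.

```python
# Added example (not from the Huawei guide): validates the planned
# hot-standby interface data and derives the OSPF area-0 network entries.
# PLAN, plan_check, wildcard and ospf_networks are names assumed here.
from ipaddress import ip_interface

# Planned interface data for both NGFWs, copied from the guide's Step 2 tables.
PLAN = {
    "NGFW_A": {
        "GE0/0/0": ("trust", "192.168.0.1/24"),    # management interface
        "GE1/0/1": ("untrust", "10.2.0.1/24"),     # upstream interface
        "GE1/0/3": ("trust", "10.3.0.1/24"),       # downstream interface
        "GE1/0/7": ("dmz", "10.10.0.1/30"),        # heartbeat interface
    },
    "NGFW_B": {
        "GE0/0/0": ("trust", "192.168.0.254/24"),
        "GE1/0/1": ("untrust", "10.2.1.1/24"),
        "GE1/0/3": ("trust", "10.3.1.1/24"),
        "GE1/0/7": ("dmz", "10.10.0.2/30"),
    },
}

HEARTBEAT = "GE1/0/7"
MGMT = "GE0/0/0"
OSPF_IFACES = ("GE1/0/1", "GE1/0/3")   # interfaces whose subnets go into area 0


def plan_check(plan):
    """Return a list of problems found in the plan (empty when the plan is OK)."""
    a, b = plan["NGFW_A"], plan["NGFW_B"]
    problems = []
    # Both NGFWs must use the same port names.
    if set(a) != set(b):
        problems.append("interface names differ between NGFW_A and NGFW_B")
    # Heartbeat interfaces: same port, same zone, same subnet, distinct hosts.
    hb_a, hb_b = ip_interface(a[HEARTBEAT][1]), ip_interface(b[HEARTBEAT][1])
    if hb_a.network != hb_b.network:
        problems.append("heartbeat interfaces are not in the same subnet")
    if hb_a.ip == hb_b.ip:
        problems.append("heartbeat interfaces share one IP address")
    if a[HEARTBEAT][0] != b[HEARTBEAT][0]:
        problems.append("heartbeat interfaces are in different zones")
    # Identical management addresses allow login to only one NGFW at a time.
    if ip_interface(a[MGMT][1]).ip == ip_interface(b[MGMT][1]).ip:
        problems.append("management interfaces share the default IP address")
    # Each port must sit in the same security zone on both devices.
    for name in sorted(set(a) & set(b)):
        if a[name][0] != b[name][0]:
            problems.append(f"{name} is in different zones on the two NGFWs")
    return problems


def wildcard(network):
    """OSPF wildcard mask: the bitwise inverse of the subnet mask."""
    return str(network.hostmask)


def ospf_networks(plan, device):
    """Derive the (IP Network, Mask/Wildcard Mask) rows for area 0 of process 1."""
    rows = []
    for name in OSPF_IFACES:
        net = ip_interface(plan[device][name][1]).network
        rows.append((str(net.network_address), wildcard(net)))
    return rows


if __name__ == "__main__":
    print("problems:", plan_check(PLAN))
    for device in PLAN:
        print(device, ospf_networks(PLAN, device))
```

Run the script before entering the values in the Web UI; an empty problem list and two rows per device that match the tables in Step 3 mean the plan is consistent.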

Step 4 Configure hot standby.


1. Choose System > High Availability > Dual-System Hot Backup.
2. Click Edit to set the following parameters.

Parameter | NGFW_A | NGFW_B
Dual-System Hot Backup | Enable | Enable
Working Mode | Load balancing | Load balancing
Heartbeat Interface | GE1/0/7 | GE1/0/7
Peer IP | 10.10.0.2 | 10.10.0.1
Proactive Preemption | Enable | Enable
Configure Interface Monitoring
Add selected monitored interface to the monitored interface group | Select | Select
GE1/0/1 | Select | Select
GE1/0/3 | Select | Select


3. Click OK.

----End

Follow-up Procedure
To facilitate rapid identification of network faults and traffic switchover, configure OSPF for
the upstream and downstream routers of the NGFW. For details, see the router documentation.

The OSPF configuration includes the following operations:

1. Create OSPF process 1 on the four routers that are connected to the NGFWs.
2. In area 0 of OSPF process 1, add the subnets directly connected to the routers. For example,
add subnets 1 and 2 on router A, subnets 2 and 3 on router B, subnets 4 and 5 on router C,
and subnets 5 and 6 on router D.
[Figure: routers A, B, C, and D connected to NGFW_A and NGFW_B, with subnets 1 to 6 and the intranet]

2.7.3 Verifying the Network Connection and Active/Standby Switchovers

This section describes how to verify the network connection between the intranet and the Internet
and that active/standby switchover functions properly in the event of network failures.

Procedure
Step 1 Log in to NGFW_A and NGFW_B. Choose System > High Availability > Dual-System Hot
Backup, and check whether the two NGFWs are set to work in active/standby mode or load-
balancing mode.

In Monitored Item, if Current Working Mode is Load Balancing, hot standby is configured
correctly.

Step 2 Verify that the NGFWs are properly connected to the Internet.

Step 3 Verify that the egress gateways connected to the NGFWs are correctly connected to the Internet.
Then, check whether you can access a website from a host on the intranet.
l If yes, the intranet is connected to the Internet. The initial configuration is complete.
l If no, choose Monitor > Diagnosis Center, click Web Page Diagnosis, enter the IP address
of the intranet host and the URL to be accessed, and click Diagnose. Troubleshoot faults
based on the diagnosis information.


Step 4 Disable the service interface on one NGFW, for example, GE1/0/1 on NGFW_A. Check whether
the active/standby switchover is successful.
1. Log in to NGFW_A. Choose Network > Interface.
2. Deselect Enable for GE1/0/1 to disable GE1/0/1.
3. Choose System > High Availability > Dual-System Hot Backup. In Monitored Item of
NGFW_A, ensure that Current State is Standby.
4. Log in to NGFW_B. Check its status in the same way. Ensure that Current State is
Active.
5. Enable the GE1/0/1 interface of NGFW_A. Verify that the state of NGFW_A changes to
Active and that of NGFW_B changes to Standby.
If the states of both NGFWs are normal, the active/standby switchover is successful.

Step 5 Restart one NGFW, and check whether the active/standby switchover can be performed
successfully.
1. Log in to NGFW_A. Choose System > Setup > Restart. Enter the administrator's password
and click Save and Restart to restart NGFW_A.
2. When NGFW_A is being restarted, log in to NGFW_B, and check its status. Under normal
conditions, the status is Active.
3. After NGFW_A restarts, verify that the state of NGFW_A changes to Active and that of
NGFW_B changes to Standby.
If the states of both NGFWs are normal, the active/standby switchover is successful.

----End

2.8 Registering an Account and Activating the License File


This section describes how to register an account with the Huawei support website and activate
the license file online. After the license is activated, the functions under the license control can
be used.

Context
After registering an account with the Huawei support website, you can obtain more information
about technical support and software updates.

For details about how to obtain the activation password and ESN of the NGFW, see Data
Collection in the initialization process.

Procedure
Step 1 Register an account with Huawei support website.
1. Enter http://support.huawei.com/enterprise in the address box of the browser.
2. Click Register at the upper right corner.
3. Enter the registration information. All information is mandatory. The system checks the
registration information and provides real-time feedback.
4. Select I understand and agree to comply with Huawei terms and conditions. and click
Register.


Step 2 After the registration is complete, the system sends an email to the registered mail box. Click
the activation link in the email to activate the account. After that, you can obtain documents and
software updates from the website.

Step 3 Activate the license file in either of the following ways:


l Online automatic activation: This method is recommended when the NGFW can connect
to the Internet.
NOTE

To implement online automatic activation, you need to configure the DNS server and enable the DNS
service.

1. On the Web UI, choose System > License Management.


2. Set License Activation Mode to Automatic Online Activation, and enter the
activation password (for example, ON00002809-A550EXXXXX) in License
Authorization Code.
3. Click Activate. The NGFW automatically connects to the license center to apply for
a license file and activate it.
l Local manual activation: This method is recommended when the device cannot connect to
the Internet. You must manually obtain a license file and upload it to the NGFW to activate
it.
1. Log in to the license self-service system http://app.huawei.com/isdp.
2. Obtain the license file according to the procedure in the system help or displayed
information. When you apply for the license file, you need to provide the activation
password (for example, ON00002809-A550EXXXXX) and the ESN (for example,
210235G6RSXXXXXXXXXX).
3. On the Web UI, choose System > License Management.
4. Set License Activation Mode to Local Manual Activation.
5. Click Browse and select the license file.
6. Click Activate to upload the license file and activate it.

Step 4 After an activation success message is displayed, check whether the license authorization
information is correct. If you have any problem, contact Huawei technical support.

----End

2.9 Updating the Signature Database


Before configuring content security functions, update the signature database to obtain the latest
applications, virus signatures, and threat identification capabilities to enhance the NGFW
security defense capabilities.

Context
You can update the signature database with any of the following methods:

l Scheduled Update: The system automatically connects to the update server and updates the
signature database at a specified time.


l Update Immediately: The system performs a signature database update immediately after
it connects to the update server.
l Update Locally: Download a signature database file from the security center
https://sec.huawei.com to the administrator PC. Then upload the file to the NGFW to update
the signature database. This method applies when the NGFW cannot directly connect to the
Internet.

You are advised to perform an immediate update of the signature database when you initially
begin using the NGFW. After that, enable scheduled update.

Procedure
Step 1 Choose System > Update Center.

Step 2 Click Update Immediately for each signature database, and click OK in the dialog box
displayed to perform an immediate signature database update.

Step 3 After the immediate update is complete, click Server IP Address:sec.huawei.com to the right
of the Update Center List, and set the time for the scheduled update. You are advised to perform
scheduled update at off-peak hours.

----End

2.10 Configuring Security Services


This section describes how to configure security services to comprehensively enhance network
security and effectively control traffic forwarding.

2.10.1 Determining Security Service Scenarios


This section describes how to determine the security service scenarios and features to configure
based on the position and key services of the NGFW.

Configuring excessive security functions may bring the following problems:

l Overloads the NGFW and compromises forwarding efficiency.


l Results in conflicting security rules that mitigate defense capabilities.
l Compromises fault isolation and resolution efficiency.

You can determine the functions to be configured based on the position and defense methods of
the NGFW and the protected objects. This section describes four typical security service
scenarios for your reference.


Position on the Network: Network egress
Protected Object: Intranet PCs and servers
Scenario: Border protection for large- and medium-sized enterprises
Description: Deploy the NGFW as a gateway at the network egress to protect the traffic between the Internet and intranet PCs or small servers against intrusions, attacks, and other threats to the intranet.
[Figure: NGFW at the network egress with the DMZ, the intranet (Trust zone), and the Internet (Untrust zone)]
In this scenario, the recommended security functions are as follows:
l Define the Internet as an Untrust zone and the intranet as a Trust zone. If a dedicated server farm exists, define a DMZ for those servers.
l Set up an intranet user management system to control Internet access behaviors by user.
l Configure NAT to allow only authorized users to access the Internet.
l Configure security policies to implement antivirus, URL filtering, file blocking, data filtering, and application behavior control for interzones.

Position on the Network: Network egress
Protected Object: Intranet servers
Scenario: Border protection for data centers
Description: Deploy the NGFW as a gateway at the egress of the IDC network and server farm to protect intranet servers against intrusions, attacks, and other security risks.
[Figure: servers in the Trust zone behind the NGFW; a hacker and a user on the Untrust side]
In this scenario, the recommended security functions are as follows:
l Define the Internet as an Untrust zone and the intranet as a Trust zone.
l Configure NAT server to allow clients on extranets to access intranet servers.
l Configure security policies to implement intrusion prevention, antivirus, file blocking, data filtering, application behavior control, and mail filtering on mail servers for interzones.
l Establish a user management system to control user rights on accessing intranet hosts.
l Configure anti-DDoS on the WAN interface.

Position on the Network: Network egress
Protected Object: Communication traffic between two networks
Scenario: VPN remote access and mobile office automation
Description: Deploy the NGFW as a VPN gateway at the intranet egress to set up VPN tunnels with other VPN gateways, PCs, mobile phones, and tablets and protect the communication traffic in between. This scenario is usually used with border protection for large- and medium-sized enterprises. This section describes only this scenario for clarity.
[Figure: VPN tunnel between the headquarters and a branch office]
In this scenario, the recommended security functions are as follows:
l Define the Internet as an Untrust zone and the intranet as a Trust zone.
l Configure the VPN function to encrypt traffic between the local and remote networks.
l Authenticate hosts that access through VPNs.
l Configure security policies to implement intrusion prevention, antivirus, file blocking, and data filtering for the interzone between the security zone where the local network resides and that where the remote network resides.
l Enable user behavior audit.

Position on the Network: Inside the network
Protected Object: Intranet hosts
Scenario: Intranet control and security isolation
Description: Deploy the NGFW at the convergence of different subnets to prevent the spread of security threats, such as worms and viruses, over the intranet. In addition, the NGFW controls traffic between subnets to avoid information leaks.
[Figure: NGFW between the marketing department (Marketing zone), R&D department 1 and R&D department 2 (Research zone), and the egress gateway (Untrust zone)]
In this scenario, the recommended security functions are as follows:
l Divide the subnets of different security levels into different security zones to implement security zone-based defense. Add the subnets of the same security level to the same security zone to implement subnet-based defense.
l Configure security policies between security zones or subnets to implement antivirus, file blocking, and data filtering.
l Configure security policies to implement intrusion prevention, antivirus, file blocking, data filtering, URL filtering, and application behavior control between the intranet and the Internet.

2.10.2 Configuring Security Zones


This section describes how to assign interfaces to different security zones to classify different
networks connected by these interfaces. You can deploy security services based on security
zones.

Context
A security zone is a set of the networks connected by interfaces. Dividing the networks connected
by interfaces into different security zones simplifies configurations, minimizes security checks,
and enhances system processing efficiency.


When you configure security policies between interfaces or subnets, the number of security
policies increases with the number of interfaces. However, the traffic between certain interfaces
does not require security policies.

Therefore, assign networks of the same security level to the same security zone and configure
security policies between security zones to minimize the number of security policies needed.

In most cases, the intranet is defined as the Trust zone, the server farm as the DMZ, and the
Internet as the Untrust zone in descending order of priority. If the intranet has multiple subnets
of different security levels, you can create more security zones to isolate them.

Procedure
Step 1 Choose Network > Zone.

Step 2 Click Add.


To add interfaces to a predefined or custom security zone, click of the security zone.

Step 3 Set the basic parameters of the security zone.

Parameter | Description
Zone Name | Name of the security zone.
Priority | Priority of the security zone. A larger value indicates a higher priority. The priority value cannot be the same as that of another security zone.
Description | Description of the security zone for easy management.

Step 4 Select the required interface in the Un-Added Interface list, and click to add the interface
to the Added Interface list.
NOTE

You can select multiple interfaces while holding down Ctrl.

An interface can be assigned to only one security zone. Therefore, the Un-Added Interface list
displays only interfaces that are not assigned to any security zone. To change the security zone
an interface is assigned to, choose Network > Interface and change the Zone parameter.

Step 5 Click OK.

----End

2.10.3 Managing Intranet Users


To implement user-based security control, create and organize users on the NGFW or purpose-
built server and configure authentication policies on the NGFW.

Context
The following table describes the process for authenticating intranet users and the configuration
to be performed for each procedure.


Procedure 1
Description: When receiving packets from a user, the NGFW determines whether to authenticate the user based on the source/destination IP address of the data flow for the packets. If yes, the NGFW requests the user to provide user authentication information.
Configuration: Configure an authentication policy to determine the data flows to be authenticated.

Procedure 2
Description: For data flows that need to be authenticated, the NGFW pushes an authentication web page to the browser on the user's computer, asking the user to enter the user name and password. The NGFW verifies the entered user name and password against the records saved locally or on a third-party authentication server.
Configuration: Perform the following steps to save user authentication information locally:
1. Configure users and user groups and save user information locally.
2. Configure an authentication domain and set NONE for the authentication server. Then, the locally saved user information is used for user authentication.
Perform the following steps to save user authentication information on a third-party authentication server:
1. Configure information about the third-party authentication server.
2. Configure users and user groups and import user information from the server to the NGFW. The purpose of the import operation is to save the user organizational structure on the NGFW, which helps configure security policies in the future.
3. Configure an authentication domain and bind user groups with the authentication server. The NGFW forwards the user names and passwords provided by users to the authentication server. The authentication server verifies the user names and passwords, and the NGFW only receives the user authentication result sent from the authentication server.

Procedure 3
Description: If user authentication is successful, the NGFW associates the IP addresses of network terminals with users.
Configuration: Configure various policies based on users. If a user logs out or does not generate any traffic within the preset time, the association between the user and IP address is automatically terminated. The user needs to re-log in when attempting to access the network again.

Procedure
Step 1 Configure an authentication policy.
1. Choose Policy > Authentication Policy.
2. Click Add.
3. Set the name and description of an authentication policy based on the parameters described
in the following table.

Parameter | How to Set
Name | Enter the name of the authentication policy.
Description | Provide additional information about the authentication policy, which helps the system administrator understand the applicability of the authentication policy.

4. Configure information about data flows that need to be controlled based on the parameters
described in the following table.

Parameter | How to Set
Source Zone | Select the source security zone for a data flow. If there are no constraints on security zones, select any for this parameter.
Destination Zone | Select the destination security zone for a data flow. If there are no constraints on security zones, select any for this parameter.
Source Address/Region | Select or enter the source IP address or MAC address of a data flow.
Destination Address/Region | Select or enter the destination IP address or MAC address of a data flow.

5. Specify Action to determine whether to authenticate a data flow.
l auth: authenticates the data flow.
l no-auth: does not authenticate the data flow.
no-auth applies to configuring some special clients. For example, to authenticate all
the hosts in the network segment 192.168.1.0/24 except for the host with the IP address
192.168.1.2, configure a no-auth policy with a high priority for the host with the IP
address 192.168.1.2 and then an auth policy with a low priority for all hosts in the
network segment 192.168.1.0/24.
6. Click OK.
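The following script is an added example, not part of this guide or of the NGFW software. It models the policy evaluation described in Step 1: policies are checked in priority order and the first match decides, so the no-auth exception for 192.168.1.2 must be listed before the auth rule for 192.168.1.0/24. It also includes a check that reports a host rule shadowed by a broader rule above it, which is what happens when the two policies are entered in the wrong order. The AuthPolicy and Flow structures, the decide and check_ordering helpers, and the treatment of an unmatched flow as not authenticated are assumptions made for this example.

```python
# Added example (not from the Huawei guide): first-match evaluation of an
# ordered authentication policy list. AuthPolicy, Flow, decide and
# check_ordering are names assumed here; "any" stands for no constraint.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class AuthPolicy:
    name: str
    src_zone: str      # source security zone, or "any"
    dst_zone: str      # destination security zone, or "any"
    src_addr: str      # source address in CIDR notation, or "any"
    action: str        # "auth" or "no-auth"


@dataclass
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str


def _zone_match(rule_zone, flow_zone):
    return rule_zone == "any" or rule_zone == flow_zone


def _addr_match(rule_addr, ip):
    return rule_addr == "any" or ip_address(ip) in ip_network(rule_addr)


def decide(policies, flow):
    """Return (action, policy name) of the first policy, in priority order,
    that matches the flow. A flow matching no policy is treated as not
    authenticated here (an assumption of this example)."""
    for p in policies:
        if (_zone_match(p.src_zone, flow.src_zone)
                and _zone_match(p.dst_zone, flow.dst_zone)
                and _addr_match(p.src_addr, flow.src_ip)):
            return p.action, p.name
    return "no-auth", None


def check_ordering(policies):
    """Return (shadowed, by) pairs: a policy whose source subnet lies inside the
    subnet of an earlier policy with the same or looser zone constraints can
    never be reached, because the earlier policy matches first."""
    shadowed = []
    for i, p in enumerate(policies):
        if p.src_addr == "any":
            continue
        for earlier in policies[:i]:
            if (earlier.src_addr != "any"
                    and ip_network(p.src_addr).subnet_of(ip_network(earlier.src_addr))
                    and _zone_match(earlier.src_zone, p.src_zone)
                    and _zone_match(earlier.dst_zone, p.dst_zone)):
                shadowed.append((p.name, earlier.name))
    return shadowed


# The guide's example, in priority order: exception first, general rule second.
POLICIES = [
    AuthPolicy("exempt-host", "trust", "untrust", "192.168.1.2/32", "no-auth"),
    AuthPolicy("auth-lan", "trust", "untrust", "192.168.1.0/24", "auth"),
]

if __name__ == "__main__":
    for ip in ("192.168.1.2", "192.168.1.50"):
        print(ip, decide(POLICIES, Flow("trust", "untrust", ip)))
    print("shadowed in reversed order:", check_ordering(list(reversed(POLICIES))))
```

With the policies in the order shown, 192.168.1.2 is exempted and the rest of 192.168.1.0/24 is authenticated; with the order reversed, the auth rule matches 192.168.1.2 first and check_ordering reports the exception as unreachable.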

Step 2 Optional: Configure an authentication server.

Supported authentication servers include RADIUS, HWTACACS, AD, LDAP, SecurID and
TSM servers. Choose Object > Authentication Server. On the page that is displayed, add an
authentication server based on the site requirements. For details, see 11.5.6 Configuring an
Authentication Server.

Step 3 Configure users and user groups.

Use any of the following methods:

l Manually create users and user groups on the NGFW.


l Define users and user groups in a .csv file and import the .csv file to the NGFW.
l Import users and user groups from a third-party authentication server to the NGFW.

The first two methods save all user information (including user names and passwords) and the
organizational structure of user groups on the NGFW, while the third method saves user names
and the organizational structure of user groups, but not user passwords. Choose Object >
User > User/Group. On the page that is displayed, create a user and user group based on the
site requirements. For details, see 11.5.3 Configuring Users, User Groups or Security
Groups.

Step 4 Configure an authentication domain.


1. Choose Object > User > Authentication Domain.
2. Click Add.
3. Set the basic parameters for an authentication domain based on the parameters described
in the following table.

Parameter | How to Set
Name | Enter the name of an authentication domain.
Description | Provide additional information about the authentication domain, which helps the system administrator understand the applicability of the authentication domain.
Access Control | l Allow VPN Access: If you select Allow VPN Access, clients on remote networks can use user information of this authentication domain to connect to the intranet through L2TP over IPSec VPNs or SSL VPNs or IPSec VPNs with EAP authentication.
  l Allow Policy-Specific User Control: If you select Allow Policy-Specific User Control, the authentication domain can be used to implement authentication on Internet access users.
  l Allow Administrator Access: If you select Allow Administrator Access, the authentication domain can be used to implement authentication on administrators.
Associate Group Same Name of Domain |

4. Select users and user groups as well as the authentication server based on the parameters
described in the following table.

Parameter | How to Set
Authentication Server | Select an authentication server from the drop-down list box. Users and user groups that you have selected in Authentication User/Group are authenticated using this authentication server. If users and user groups are imported from a third-party authentication server, select the third-party authentication server. If local authentication is to be implemented, select NONE.

5. Click OK.

----End

2.10.4 Configuring a NAT Policy


Network Address Translation (NAT) technology addresses the shortage of public IP addresses
when private network users are accessing the Internet. NAT also hides private IP addresses,
making the system less vulnerable to attacks.

Context
If the NGFW functions as an egress gateway, NAT is generally configured on it to translate
between public and private IP addresses. As a result, numerous hosts in a private network can
use a small number of public IP addresses to securely access the Internet. Server mapping (also
called NAT Server) is also configured when users outside a private network need to access
servers inside the private network.

Private IP addresses are translated into public IP addresses using either of the following modes:


l Address pool mode: This mode is used when multiple public IP addresses are available for
use. In this mode, a NAT address pool must be created to delimit the range of usable public
IP addresses.
l Outbound interface address mode: This mode is used when only the public IP address of
the public network interface on the NGFW is available for use. (The public network
interface refers to the interface connecting to the Internet.) All hosts in a private network
directly use this public IP address to securely access the Internet. This mode is preferred
when the IP address of the public network interface is dynamically assigned, but not a static
IP address.

Procedure
Step 1 Optional: Configure a NAT address pool.
1. Choose Policy > NAT Policy > Source NAT > NAT Address Pool.
2. Click Add.
3. Configure basic information about the NAT address pool based on the parameters described
in the following table.

Parameter | How to Set
Name | Enter the name of the NAT address pool.
Description | Provide additional information about the NAT address pool, which helps the system administrator understand the applicability of the NAT address pool.

4. In IP Address Range, enter the start and end IP addresses.

If you select Allow PAT, the source IP address and source port number for packets are
both translated during the IP address translation process so that more hosts in a private
network can use the same public IP addresses to securely access the Internet.
5. Click OK.
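The following script is an added example, not part of this guide or of the NGFW software. It simulates a source NAT address pool with and without Allow PAT to show the difference Step 1.4 describes: without PAT each private host needs a public address of its own and a small pool runs out, while with PAT the source port is translated as well and many hosts share one public address. The pool range (from the documentation range 203.0.113.0/24) and the host addresses are constructed for this example, and the SourceNat class, its port allocation, and the hosts_served helper are assumptions that do not describe the NGFW's own translation algorithm.

```python
# Added example (not from the Huawei guide): a minimal source-NAT model
# contrasting pool mode with and without PAT. SourceNat and hosts_served
# are names assumed here; addresses are constructed sample data.
from ipaddress import ip_address


class SourceNat:
    """Maps private (ip, port) to public (ip, port) using a NAT address pool."""

    def __init__(self, pool_start, pool_end, allow_pat):
        first, last = int(ip_address(pool_start)), int(ip_address(pool_end))
        self.pool = [str(ip_address(n)) for n in range(first, last + 1)]
        self.allow_pat = allow_pat
        self.host_to_public = {}   # private ip -> public ip (no-PAT mode)
        self.next_port = 10000     # next translated source port (PAT mode)
        self.bindings = {}         # (private ip, port) -> (public ip, port)

    def translate(self, private_ip, private_port):
        """Return the translated (public ip, port), or None when no public
        address is free for this host."""
        key = (private_ip, private_port)
        if key in self.bindings:
            return self.bindings[key]
        if self.allow_pat:
            # PAT: the port is translated too, so every host can share the
            # same public address; only the public port must stay unique.
            # (Using the first pool address for all hosts is a simplification
            # of this example.)
            public, pub_port = self.pool[0], self.next_port
            self.next_port += 1
        else:
            # No PAT: a host keeps its source port and therefore needs its
            # own public address; the pool can be exhausted.
            public = self.host_to_public.get(private_ip)
            if public is None:
                used = set(self.host_to_public.values())
                free = [ip for ip in self.pool if ip not in used]
                if not free:
                    return None
                public = free[0]
                self.host_to_public[private_ip] = public
            pub_port = private_port
        self.bindings[key] = (public, pub_port)
        return self.bindings[key]


# Constructed sample data: four private hosts behind a two-address pool.
HOSTS = ["192.168.1.10", "192.168.1.11", "192.168.1.12", "192.168.1.13"]
POOL = ("203.0.113.1", "203.0.113.2")


def hosts_served(allow_pat, hosts=HOSTS, pool=POOL):
    """Count how many hosts obtain a translation from the pool."""
    nat = SourceNat(pool[0], pool[1], allow_pat)
    return sum(1 for host in hosts if nat.translate(host, 40000) is not None)


if __name__ == "__main__":
    print("without PAT:", hosts_served(False), "of", len(HOSTS), "hosts")
    print("with PAT:   ", hosts_served(True), "of", len(HOSTS), "hosts")
```

Running it shows two of the four hosts served without PAT and all four with PAT, which is why Allow PAT is the usual choice when the pool is smaller than the number of private hosts.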

Step 2 Configure a source NAT policy.


1. Choose Policy > NAT Policy > Source NAT > Source NAT.
2. Click Add.
3. Configure basic information about the source NAT policy based on the parameters
described in the following table.

Parameter | How to Set
Name | Enter the name of the source NAT policy.
Description | Provide additional information about the source NAT policy, which helps the system administrator understand the applicability of the source NAT policy.

4. Configure a direction for traffic that needs NAT.


Parameter | How to Set
Source Zone | Select the security zone where hosts in a private network reside.
Destination Type | Select the desired destination type for the traffic that needs NAT. Two options are available:
  l Destination Zone: If you select Destination Zone, all traffic flowing from the source zone to the destination zone is translated using NAT. Note that you also need to select a destination zone from the Destination Zone drop-down list box at the lower area.
  l Outbound Interface: If you select Outbound Interface, all traffic flowing from the source zone to the outbound interface is translated using NAT. Note that you also need to select an interface from the Outbound Interface drop-down list box at the lower area.

5. Configure an address translation rule based on the parameters described in the following
table.

Parameter How to Set
Before NAT
Source Address: Enter or select the source IP address or MAC address of the traffic that
needs NAT, that is, the private IP address or MAC address of a host in a private network.
Destination Address: Enter or select the public IP address or MAC address that the host in
the private network needs to access.
Service: Name of a service or service group. The service or service group indicates the
protocol type of the traffic. After you specify the service or service group, the NGFW
translates the addresses only for traffic of the specified service or service group.
Action:
l NAT: If you select NAT, NAT is performed for data flows.
l NO NAT: If you select NO NAT, NAT is not performed for data flows.
NO NAT applies to configuring some special clients. For example, to translate network
addresses for traffic from all the hosts in the network segment 192.168.1.0/24 except for
the host with the IP address 192.168.1.2, configure a NO NAT policy with a high priority
for the host with the IP address 192.168.1.2 and then a NAT policy with a low priority for
all hosts in the network segment 192.168.1.0/24.
After NAT
Source Address:
l IP Addresses in the IP Address Pool: If you select IP Addresses in the IP Address Pool,
the public IP address contained in the NAT address pool is used as the source IP address
for traffic that is processed with NAT.
l Outbound Interface IP Address: If you select Outbound Interface IP Address, the public
IP address of the outbound interface is used as the source IP address for traffic that is
processed with NAT.
Address Pool: This parameter is available when IP Addresses in the IP Address Pool is
selected for Source Address. Select a NAT address pool from the drop-down list box.

6. Click OK.
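The NO NAT exemption in the Action row only works because source NAT policies are evaluated top-down and the first match decides. The following Python model, an added example that is not part of the guide and not Huawei code, shows that ordering, the difference between PAT (hosts share one public address, ports tell flows apart) and No-PAT (each host needs its own pool address), and what goes wrong when the exemption is listed below the segment policy. The public address 203.0.113.10, the starting PAT port 10240 and the "pool exhausted" verdict are constructed assumptions of the model, not device behaviour documented here.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed model of an ordered source NAT policy list. Policies are evaluated top-down
# and the first match decides, so the NO NAT policy for 192.168.1.2 must sit above the NAT
# policy for 192.168.1.0/24, as the Action description in the guide says.


@dataclass
class NatPolicy:
    name: str
    src_zone: str
    dst_zone: str
    src_net: ipaddress.IPv4Network              # "Before NAT" source address
    action: str                                 # "NAT" or "NO NAT"
    pool: List[str] = field(default_factory=list)   # public addresses of the NAT address pool
    allow_pat: bool = False


@dataclass
class SourceNat:
    policies: List[NatPolicy]
    first_pat_port: int = 10240                 # assumed starting port for PAT allocation
    _no_pat_map: Dict[str, str] = field(default_factory=dict)     # private IP -> public IP
    _pat_map: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def translate(self, src_zone: str, dst_zone: str, src_ip: str, src_port: int):
        """Return (verdict, translated_ip, translated_port, policy_name)."""
        ip = ipaddress.ip_address(src_ip)
        for p in self.policies:
            if p.src_zone != src_zone or p.dst_zone != dst_zone or ip not in p.src_net:
                continue
            if p.action == "NO NAT":
                return ("NO NAT", src_ip, src_port, p.name)
            if p.allow_pat:
                # With PAT all hosts share the first pool address; ports tell flows apart.
                key = (src_ip, src_port)
                if key not in self._pat_map:
                    self._pat_map[key] = (p.pool[0], self.first_pat_port + len(self._pat_map))
                pub_ip, pub_port = self._pat_map[key]
                return ("NAT", pub_ip, pub_port, p.name)
            # Without PAT each private host needs a pool address of its own (No-PAT);
            # treating an exhausted pool as a drop is a simplification of this model.
            if src_ip not in self._no_pat_map:
                if len(self._no_pat_map) >= len(p.pool):
                    return ("POOL EXHAUSTED", src_ip, src_port, p.name)
                self._no_pat_map[src_ip] = p.pool[len(self._no_pat_map)]
            return ("NAT", self._no_pat_map[src_ip], src_port, p.name)
        return ("NO MATCH", src_ip, src_port, None)


def build_policies(exemption_first: bool = True) -> List[NatPolicy]:
    """Constructed policies: exempt 192.168.1.2, translate the rest of 192.168.1.0/24."""
    no_nat = NatPolicy("no_nat_host", "trust", "untrust",
                       ipaddress.ip_network("192.168.1.2/32"), "NO NAT")
    nat = NatPolicy("nat_segment", "trust", "untrust",
                    ipaddress.ip_network("192.168.1.0/24"), "NAT",
                    pool=["203.0.113.10"], allow_pat=True)   # 203.0.113.0/24: documentation range
    return [no_nat, nat] if exemption_first else [nat, no_nat]


def demo() -> dict:
    good = SourceNat(build_policies(exemption_first=True))
    bad = SourceNat(build_policies(exemption_first=False))
    return {
        "exempt_host": good.translate("trust", "untrust", "192.168.1.2", 5000),
        "host3": good.translate("trust", "untrust", "192.168.1.3", 5000),
        "host4": good.translate("trust", "untrust", "192.168.1.4", 5000),
        "host3_again": good.translate("trust", "untrust", "192.168.1.3", 5000),
        # exemption listed below the segment policy: 192.168.1.2 is translated after all
        "misordered": bad.translate("trust", "untrust", "192.168.1.2", 5000),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

When you review a NAT configuration, check the policy order first: a NO NAT policy that is listed below a broader NAT policy never matches, and the device gives no warning about it.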

Step 3 Optional: Configure an intranet-server-to-public-IP-address mapping rule so that hosts on the
public network can directly access intranet servers.
1. Choose Policy > NAT Policy > Server Mapping.
2. Click Add.
3. Configure basic information about the intranet-server-to-public-IP-address mapping rule
based on the parameters described in the following table.

Parameter How to Set
Name: Enter the name of the mapping rule.
Type:
l Static Mapping: If you select Static Mapping, each intranet server is mapped to an
individual public IP address.
l Server Load-Balancing: If you select Server Load-Balancing, multiple intranet servers
are mapped to the same public IP address. Traffic destined for the public IP address is
routed to specific intranet servers through algorithms.

4. Configure a Static Mapping rule based on the parameters described in the following table.

Parameter How to Set
Public IP Address: Enter the start IP address of a usable public IP address range. Intranet
servers are one-to-one mapped to public IP addresses; therefore, the number of intranet
servers determines the end IP address.
Private IP Address: Enter the start and end IP addresses of the private IP address segment
for the intranet servers that need to be mapped. If only one intranet server is available, you
do not need to enter the end IP address.

5. Configure a Server Load-Balancing rule based on the parameters described in the
following table.

Parameter How to Set
Public IP Address: Enter a usable public IP address.
Traffic Distribution Mode:
l Round Robin: If you select Round Robin, traffic is evenly distributed to intranet servers.
l Weighted Round Robin: If you select Weighted Round Robin, traffic is distributed to
intranet servers based on weights.
l Source Address Hash: If you select Source Address Hash, traffic is processed using the
hash algorithm so that traffic with the same source IP address is distributed to the same
intranet server for processing.
Intranet Server List: Click Add. In the dialog box that is displayed, add an intranet server,
including its private IP address, weight, and whether to check its health, and click Weight
Value.

6. Click OK.

----End
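The three Traffic Distribution Mode options in Step 3 behave quite differently for a client that opens several flows, and a server that fails its health check should drop out of the rotation. The following Python model, an added example that is not part of the guide and not Huawei code, implements the three modes over a constructed server list (public address 203.0.113.5, intranet servers in 10.1.1.0/24, client 198.51.100.7). Skipping unhealthy servers and hashing with SHA-256 are choices of this model; the guide does not state which hash the device uses.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class IntranetServer:
    private_ip: str
    weight: int = 1
    healthy: bool = True        # outcome of the health check, where it is enabled


class ServerLoadBalancing:
    """Constructed model of a Server Load-Balancing mapping: one public IP, several intranet
    servers, and one of the three traffic distribution modes from the guide's table."""

    def __init__(self, public_ip: str, servers: List[IntranetServer], mode: str):
        if mode not in ("round_robin", "weighted_round_robin", "source_hash"):
            raise ValueError(f"unknown mode {mode}")
        self.public_ip = public_ip
        self.servers = servers
        self.mode = mode
        self._counter = 0           # position in the round-robin cycle

    def _available(self) -> List[IntranetServer]:
        # Servers that failed their health check take no new flows (model assumption).
        return [s for s in self.servers if s.healthy]

    def select(self, src_ip: str, dst_ip: str) -> Optional[str]:
        """Pick the intranet server for a new flow; None means the mapping does not apply."""
        if dst_ip != self.public_ip:
            return None
        pool = self._available()
        if not pool:
            return None
        if self.mode == "round_robin":
            server = pool[self._counter % len(pool)]
            self._counter += 1
            return server.private_ip
        if self.mode == "weighted_round_robin":
            # A server with weight 2 appears twice per cycle and so receives twice the flows.
            cycle = [s.private_ip for s in pool for _ in range(max(s.weight, 0))]
            if not cycle:
                return None
            chosen = cycle[self._counter % len(cycle)]
            self._counter += 1
            return chosen
        # source_hash: the same source address always lands on the same server as long as
        # the set of healthy servers is unchanged, which keeps a client's flows together.
        digest = hashlib.sha256(src_ip.encode("ascii")).digest()
        return pool[int.from_bytes(digest[:4], "big") % len(pool)].private_ip


def demo() -> dict:
    servers = [IntranetServer("10.1.1.1", weight=2), IntranetServer("10.1.1.2"),
               IntranetServer("10.1.1.3")]
    rr = ServerLoadBalancing("203.0.113.5", servers, "round_robin")
    wrr = ServerLoadBalancing("203.0.113.5", servers, "weighted_round_robin")
    sh = ServerLoadBalancing("203.0.113.5", servers, "source_hash")
    return {
        "rr": [rr.select("198.51.100.7", "203.0.113.5") for _ in range(4)],
        "wrr": [wrr.select("198.51.100.7", "203.0.113.5") for _ in range(4)],
        "hash_stable": sh.select("198.51.100.7", "203.0.113.5")
                       == sh.select("198.51.100.7", "203.0.113.5"),
        "other_destination": rr.select("198.51.100.7", "203.0.113.6"),
    }


if __name__ == "__main__":
    print(demo())
```

Source Address Hash is the mode to pick when an application keeps per-client state on the server; note that a server leaving or rejoining the healthy set changes the modulus and therefore reshuffles existing clients in this simple model.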

2.10.5 Configuring a Security Policy


Security policies configured for traffic can control traffic forwarding and implement user-,
application- and content-based traffic detection and management.

Context
Security policies are the core security function of the NGFW and must be properly planned.

Security policies are deployed based on traffic. Therefore, you need to classify traffic based on
the created security zones and users before deploying security policies. Traffic is generally
classified into the following types:

l Traffic generated when private network employees from different departments in the Trust
zone access the Internet in the Untrust zone. You can configure a security policy for each
department.
l Traffic generated when private network employees from different departments in the Trust
zone access intranet servers in the DMZ zone. You can configure a security policy for each
department.


l Traffic generated when common Internet users in the Untrust zone access an enterprise's
intranet servers in the DMZ zone. You can configure a security policy for each intranet
server.
l Traffic generated when employees on the move or at branches use VPN technology to
access intranet resources in Trust and DMZ zones. Such traffic can be isolated from
common Internet user traffic based on the private IP addresses or user accounts assigned
to employees on the move or at branches. You can configure a security policy for each user
group or branch.

Each security policy may use different security profiles depending on network topologies and
management requirements. For details, see 2.10.1 Determining Security Service Scenarios.
The following example describes how to configure a default security policy that uses all profiles
in order to control the Internet access rights of a private network user group named research.
The research user group has been created during 2.10.3 Managing Intranet Users. For details
about security policies, see 13.1.6 Configuring a Security Policy.

NOTE

The device has default security policy templates for common office scenarios. You can select an existing
template when creating a security policy (choose Policy > Security Policy > Security Policy > Add), and
the device automatically configures settings, such as application category, time range, action, and content
security measures.

Procedure
Step 1 Configure an antivirus profile.
1. Choose Object > Security Profiles > Anti-Virus.
2. Click the default antivirus profile named default and verify its details. If you have no special
requirements, directly select it.
3. Click OK.

Step 2 Configure an intrusion prevention profile.


1. Choose Object > Security Profiles > Intrusion Prevention.
2. Click the default intrusion prevention profile named default and verify its details. If you
have no special requirements, directly select it. (The default profile contains all supported
signatures.)
3. Click OK.

Step 3 Configure a URL filtering profile.


1. Choose Object > Security Profiles > URL Filtering.
2. Verify that Connection Status of the URL Category Server is connected. If Connection
Status of the URL Category Server is not connected, check the network connectivity
between the NGFW and the Internet and ensure that the network connectivity is proper.
Click Add. In the dialog box that is displayed, set parameters based on the following table.
Use the default values for other parameters.

Name: default
Default Action: Allow
URL Filtering Level: Low

3. Click OK.

Step 4 Configure a file blocking profile.


1. Choose Object > Security Profiles > File Blocking.
2. Click Add. In the dialog box that is displayed, enter default in Name.
3. In File Blocking Rules, click Add. In the dialog box that is displayed, create a rule that
forbids users to upload Microsoft Office files, compressed files, or code files. See the
following table for the parameters related to creating this rule.

Name: rule1
Application: all
File Type: Select Document File, Compressed File, and Code File.
Direction: Upload
Action: Block

4. Click OK.
5. In File Blocking Rules, click Add again. In the dialog box that is displayed, create a rule
that forbids users to download executable files, compressed files, or audio and video files.
See the following table for the parameters related to creating this rule.

Name: rule2
Application: all
File Type: Select Executable File, Compressed File, and Video and Audio File.
Direction: Download
Action: Block

6. Click OK to complete the creation of the file blocking rule.
7. Click OK.

Step 5 Configure a data filtering profile.


1. Choose Object > Security Profiles > Data Filtering.
2. Click Add. In the dialog box that is displayed, enter default in Name.
3. In Data Filtering Rules, click Add. In the dialog box that is displayed, create a rule that
enables the NGFW to generate an alarm when private network users are uploading data
that contains confidential keywords, such as bank card numbers, social insurance numbers,
and ID numbers. See the following table for the parameters related to creating this rule.

Name: rule1
KeywordGroup: Click New KeywordGroup. On the page that is displayed, enter keyword1 as
the keyword group name, set the weight of all the selected keywords in Keyword List to 1,
and click OK. A keyword group is successfully created.
Application: all
File Type: all
Direction: Upload
Action: Alert

4. Click OK to complete the creation of the data filtering rule.


5. Click OK.

Step 6 Configure an application behavior control profile.


1. Choose Object > Security Profiles > Application Behavior Control.
2. Click Add. In the dialog box that is displayed, set parameters based on the following table.
Use the default values for other parameters.

Name: default
HTTP Behavior Control
HTTP POST: Permit
HTTP Web Browsing: Permit
HTTP Proxy: Permit
HTTP File Upload: Permit. Leave Alarming Threshold empty and set Blocking Threshold to
20480. After that, a file that exceeds 20 MB is rejected when being uploaded in HTTP mode.
HTTP File Download: Permit. Leave Alarming Threshold and Blocking Threshold empty.
FTP Behavior Control
FTP File Upload: Permit. Leave Alarming Threshold empty and set Blocking Threshold to
20480. After that, a file that exceeds 20 MB is rejected when being uploaded in FTP mode.
FTP File Download: Permit. Leave Alarming Threshold and Blocking Threshold empty.
FTP File Deletion: Permit

3. Click OK.

Step 7 Configure a mail filtering profile.


1. Choose Object > Security Profiles > Mail Filtering > Anti-Spam.
2. Select Enable for Anti-Spam Function.
3. In the RBL Filtering Profile group box, click Add. In the dialog box that is displayed, set
parameters based on the following table.

Name: rbl server
Server Query Set: cbl.anti-spam.org.cn
Action: Block
Reply Code: Any Reply Code

4. Click OK.
5. Choose Object > Security Profiles > Mail Filtering > Mail Content Filtering.
6. Click Add. In the dialog box that is displayed, set parameters based on the following table.
Use the default values for other parameters.

Name: default
Anti-Spam: Select it.
Send Anonymous Mail: Alarm
Receive Anonymous Mail: Alarm
Attachment Size and Quantity Control
Upper Limit of Sending Attachments: Select it and set it to 10.
Upper Limit of Receiving Attachments: Select it and set it to 10.
Limiting on Sent Attachment Size: Select it and set it to 20480.
Limiting on Received Attachment Size: Select it and set it to 20480.

7. Click OK.

Step 8 Configure a security policy and associate security configurations with data flows.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add. In the dialog box that is displayed, set parameters based on the following table.
Use the default values for other parameters.

Name: policy_sec_research
Source Zone: trust
Destination Zone: untrust
Source Address/Region: any
Destination Address/Region: any
User: research
Service: any
Application: any
Schedule: any
Action: Permit
Content Security
Anti-Virus: default
Intrusion Prevention: default
URL Filtering: default
File Blocking: default
Data Filtering: default
Application Behavior Control: default
Mail Filtering: default
Record Policy Matching Log: Deselect it.
Record Session Log: Deselect it.

3. Click OK.

----End
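The policy in Step 8 permits the research group's traffic and then hands it to the content security profiles, so a file transfer can still be blocked inside a permitted flow. The following Python model, an added example that is not part of the guide and not Huawei code, ties Step 4 and Step 8 together: it matches a flow against an ordered security policy list (user group, zones, service, application), applies the two file blocking rules rule1/rule2 to a transfer within a permitted flow, and denies anything no policy matches. The user names (alice, bob), the group membership and the default-deny behaviour are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = "any"


@dataclass
class FileBlockingRule:
    name: str
    file_types: List[str]       # e.g. "Document File", "Compressed File"
    direction: str              # "Upload" or "Download"
    action: str                 # "Block" or "Alert"


@dataclass
class SecurityPolicy:
    name: str
    src_zone: str = ANY
    dst_zone: str = ANY
    user_group: str = ANY
    service: str = ANY
    application: str = ANY
    action: str = "Permit"
    file_blocking: Optional[List[FileBlockingRule]] = None   # rules of the referenced profile


def _match(cond: str, value: str) -> bool:
    return cond == ANY or cond == value


def match_policy(policies: List[SecurityPolicy], user_groups: Dict[str, str],
                 flow: dict) -> Optional[SecurityPolicy]:
    """First policy whose conditions all match the flow; None when nothing matches.
    user_groups maps a user name to the group it belongs to (e.g. research)."""
    group = user_groups.get(flow.get("user", ""), "")
    for p in policies:
        if (_match(p.src_zone, flow["src_zone"]) and _match(p.dst_zone, flow["dst_zone"])
                and _match(p.user_group, group) and _match(p.service, flow["service"])
                and _match(p.application, flow["application"])):
            return p
    return None


def decide(policies: List[SecurityPolicy], user_groups: Dict[str, str], flow: dict,
           transfer: Optional[Tuple[str, str]] = None) -> Tuple[str, str]:
    """Return (verdict, reason). transfer is (direction, file_type) for a file carried in the
    flow. A flow that no policy matches is denied (assumed default of this model)."""
    p = match_policy(policies, user_groups, flow)
    if p is None:
        return ("deny", "no policy matched")
    if p.action != "Permit":
        return ("deny", p.name)
    if transfer and p.file_blocking:
        # Content security runs only on permitted traffic; direction and type must both match.
        direction, file_type = transfer
        for r in p.file_blocking:
            if r.direction == direction and file_type in r.file_types:
                return ("block" if r.action == "Block" else "alert", f"{p.name}/{r.name}")
    return ("permit", p.name)


def build_example() -> Tuple[List[SecurityPolicy], Dict[str, str]]:
    """policy_sec_research from Step 8 with the file blocking rules from Step 4.
    Users and their groups are constructed."""
    rules = [
        FileBlockingRule("rule1", ["Document File", "Compressed File", "Code File"],
                         "Upload", "Block"),
        FileBlockingRule("rule2", ["Executable File", "Compressed File", "Video and Audio File"],
                         "Download", "Block"),
    ]
    policies = [SecurityPolicy("policy_sec_research", "trust", "untrust",
                               user_group="research", file_blocking=rules)]
    user_groups = {"alice": "research", "bob": "sales"}
    return policies, user_groups


if __name__ == "__main__":
    policies, groups = build_example()
    flow = {"src_zone": "trust", "dst_zone": "untrust", "user": "alice",
            "service": "http", "application": "web-browsing"}
    print(decide(policies, groups, flow))
    print(decide(policies, groups, flow, ("Upload", "Document File")))
    print(decide(policies, groups, dict(flow, user="bob")))
```

Two things the model makes visible: a user outside the research group gets no policy at all, so a second policy is needed for every other group that must reach the Internet, and rule1 and rule2 are direction-specific, so an executable uploaded by a research user passes while the same file downloaded is blocked.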

2.11 Advanced Configuration


After deploying basic network and security services, you can configure other advanced features
based on the site requirements.


2.11.1 Configuring Policy-based Routing


Policy-based routing (PBR) is a technique that controls packet routing and forwarding based on
the defined policies. This technique is used in many scenarios to specify the outbound interface
or next hop for traffic.

Most network devices determine how to forward packets based on routing tables (that is, a
routing table mechanism). In the routing table mechanism, the destination IP address is a primary
criterion that indicates the destination to which packets will be forwarded.

As a mechanism used to make routing decisions based on the defined policies, PBR provides
more factors that determine how to forward packets, thereby controlling packet forwarding more
flexibly. These factors include the inbound interface, source and destination security zones,
source and destination IP addresses, users, services, and applications. PBR takes precedence
over but does not replace the routing table mechanism. PBR helps forward traffic of some special
services.

PBR is often deployed on gateway devices to support multi-carrier access.

As shown in Figure 2-14, an enterprise connects to the Internet through two ISP links. An
administrator can configure PBR to properly use the two links as follows:

l User or IP address-based routing: allows certain users or IP addresses to use only the
specified ISP link. For example, departments that require high access speed connect to the
Internet through ISP1 (higher bandwidth), and other departments connect to the Internet
through ISP2 (lower bandwidth).
l Application or protocol-based routing: allows service traffic of certain applications or
protocols to pass only through the specified ISP link. For example, the traffic of voice and
video applications passes through ISP1, and the traffic of data applications passes through
ISP2.

Figure 2-14 Using PBR to automatically distribute traffic to different carriers (figure omitted;
it shows the Intranet connected to both ISP1 and ISP2)

To add a PBR rule, choose Network > Router > Intelligent Uplink Selection and click the
Policy Route tab. For details, see 17 PBR.

2.11.2 Configuring VPN


Virtual Private Network (VPN) technology securely connects multiple private networks together
across the Internet. The following provides general information about VPN technology.

Many enterprises have dispersed branches and want to securely connect them together. Using
traditional leased-lines is costly and inflexible. As such, VPN was proposed to resolve this branch
interconnection issue facing enterprises.


VPN technology securely connects different private networks across the Internet, eliminating
the need to deploy dedicated networks and therefore reducing deployment costs. VPN
technology has the following characteristics:

l Private: VPN users feel no difference in using VPNs or traditional private networks. The
resources in a VPN are separated from the resources in the underlying bearer network and
cannot be used by users in other VPNs. VPNs also offer sufficient security measures to
ensure that internal information is free from external interference.
l Virtual: Users in a VPN communicate with each other through public networks (often called
VPN backbone networks). These public networks are used by other non-VPN users at the
same time. As such, VPN users actually obtain a logical private network.

VPN is also easy to deploy and therefore supports mobile workstyle requirements in new network
buildouts.

Different VPN networks are built, depending on network environments and communications
requirements. VPN networks are generally classified into the following two types:

l Site-to-site VPN
(Figure omitted: a VPN tunnel between Network 1 and Network 2.)

A site-to-site VPN has a VPN tunnel established between two LANs (for example, networks
1 and 2 in the figure above). Networks 1 and 2 use fixed gateways to connect to the Internet.
They can send access requests to each other. Site-to-site VPNs apply to chain supermarkets,
government agencies, and banks.
Site-to-site VPNs often use the following technologies:
– IPSec: implements tunnel encryption and protects data security.
– L2TP: implements user authentication. However, tunnel encryption is not supported.
– L2TP over IPSec: combines L2TP with IPSec and therefore implements both tunnel
encryption and user authentication.
– GRE over IPSec: encapsulates and encrypts multicast data. Multicast data is
encapsulated using GRE and then IPSec, because IPSec cannot directly encapsulate
multicast data.
– DSVPN: establishes tunnels dynamically between branches to implement direct
communication between branch users.
l Client-to-site VPN
(Figure omitted: a VPN tunnel between the client and the intranet.)

A client-to-site VPN has a VPN tunnel established between the client and the intranet. The
IP address of the client is fixed, and access requests are sent only from the client to the
intranet, but not from the intranet to the client. Client-to-site VPNs apply to employees on
the move or at branches who use smartphones or laptops to access the headquarters.
Client-to-site VPNs often use the following technologies:


– SSL VPN: uses a web browser to access VPNs, eliminating the need to install a client.
SSL VPNs feature easy and flexible usage and refined rights control.
– IPSec (IKEv2): implements tunnel encryption and user authentication. The client must
support the Internet Key Exchange (IKEv2) protocol.
– L2TP: implements user authentication. However, tunnel encryption is not supported.
– L2TP over IPSec: combines L2TP with IPSec and therefore implements both tunnel
encryption and user authentication.

2.11.3 Configuring Bandwidth Policies


Network congestion may be caused by many factors, such as P2P traffic flooding and an increase
in the number of intranet users. Bandwidth policies allow bandwidth resources to be properly
allocated based on users or applications, which prevents network congestion.

User experience will be seriously affected if bandwidth is not available on the network.
Therefore, it is important to control the bandwidth and number of connections over the network.
Bandwidth usage increases as the P2P traffic and number of intranet users rise. Increasing
demands for bandwidth, however, cannot be satisfied by adding network bandwidth unlimitedly.
Proper bandwidth allocation and control are required to ensure optimal user experience.

You can configure bandwidth policies to perform bandwidth management on network devices.
Bandwidth management includes the following means:

l Guaranteed bandwidth
Sufficient bandwidth is reserved for key services. When the traffic is heavy, the system
discards the packets for non-critical services based on the available bandwidth and system
processing capability.
l Bandwidth limit
The bandwidth for non-critical services is limited to prevent non-critical services from
using too much bandwidth.
l Connection limit
The maximum number of service connections can be set to ensure efficient use of session
resources and prevent a specific service from overusing bandwidth resources.

The NGFW implements the following types of bandwidth control:

l Controls the guaranteed bandwidth and maximum bandwidth in the upstream and
downstream directions of a flow.
l Controls the maximum bandwidth for each IP address or user involved in a flow.
l Controls the maximum number of concurrent connections for a flow.
l Controls the maximum number of concurrent connections for each IP address or user
involved in a flow.
l Reprioritizes the packets in a flow to enable the next hop to process the flow based on the
priorities.
l Controls the maximum receive bandwidth and transmit bandwidth of an interface.

The following describes the functions that implement bandwidth management:

l Bandwidth channel is a bandwidth management solution that can be repeatedly referenced
by bandwidth policies. It helps simplify data configuration. Various thresholds for
bandwidth control or the number of connections can be configured. During service
deployment, you may need to configure different bandwidth policies but the same
thresholds for different flows. In this case, you can configure a bandwidth channel with all
required thresholds, enable bandwidth policies to reference this bandwidth channel, and
associate the bandwidth policies with different flows. For details about how to configure a
bandwidth channel, see 18.5.1 Configuring a Traffic Profile. For details about how to
configure a bandwidth policy, see 18.5.2 Configuring a Traffic Policy.
l Interface bandwidth, a flow control mechanism independent of bandwidth policies, controls
receive bandwidth and transmit bandwidth over interfaces. The incoming traffic over an
interface is controlled based on the incoming bandwidth threshold. Then, the traffic within
the threshold is processed based on bandwidth policies. The processed traffic is forwarded
over the interface based on the outgoing bandwidth threshold. For details about how to
configure interface bandwidth, see 8.1 Interface and Interface Pair.

For more information about traffic management, see 18 Bandwidth Management.
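Guaranteed bandwidth, bandwidth limit and connection limit interact, and the section above describes them only in words. The following Python model, an added example that is not part of the guide and not Huawei code, represents a bandwidth channel with those three thresholds and shares a constructed 10 Mbit/s uplink among a key-service channel, a P2P channel and an "other" channel. The two-pass allocation (serve guarantees first, then hand out what is left in channel order up to each maximum) is a simplification of this model; the guide does not state the device's scheduling algorithm, and the figures are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class BandwidthChannel:
    """Thresholds that a bandwidth policy references. Bandwidth values are in bit/s; 0 means
    no limit. This is a constructed model of the bandwidth channel described above."""
    name: str
    guaranteed_bps: int = 0
    max_bps: int = 0
    max_conns: int = 0              # maximum concurrent connections for the whole flow
    per_ip_max_conns: int = 0       # maximum concurrent connections per IP address
    _conns: Dict[str, int] = field(default_factory=dict)    # ip -> open connections

    def open_connection(self, ip: str) -> bool:
        """Admit a new connection unless the flow-wide or the per-IP limit is reached."""
        if self.max_conns and sum(self._conns.values()) >= self.max_conns:
            return False
        if self.per_ip_max_conns and self._conns.get(ip, 0) >= self.per_ip_max_conns:
            return False
        self._conns[ip] = self._conns.get(ip, 0) + 1
        return True

    def close_connection(self, ip: str) -> None:
        if self._conns.get(ip, 0) > 0:
            self._conns[ip] -= 1


def allocate(link_bps: int, channels: List[BandwidthChannel],
             offered: Dict[str, int]) -> Dict[str, int]:
    """Share link_bps among channels for one interval. Guarantees are served first; the
    remainder is handed out in channel order up to each channel's maximum. Offered traffic
    above the returned figure is what the device would discard."""
    alloc: Dict[str, int] = {}
    remaining = link_bps
    for ch in channels:                                     # pass 1: guaranteed bandwidth
        got = min(offered.get(ch.name, 0), ch.guaranteed_bps, remaining)
        alloc[ch.name] = got
        remaining -= got
    for ch in channels:                                     # pass 2: up to each maximum
        cap = offered.get(ch.name, 0)
        if ch.max_bps:
            cap = min(cap, ch.max_bps)
        extra = min(max(cap - alloc[ch.name], 0), remaining)
        alloc[ch.name] += extra
        remaining -= extra
    return alloc


def demo() -> dict:
    mbit = 1_000_000
    channels = [
        BandwidthChannel("key_service", guaranteed_bps=4 * mbit),
        BandwidthChannel("p2p", max_bps=2 * mbit, per_ip_max_conns=2),
        BandwidthChannel("other", guaranteed_bps=1 * mbit),
    ]
    # Constructed load: everyone offers more than the 10 Mbit/s uplink can carry.
    offered = {"key_service": 8 * mbit, "p2p": 5 * mbit, "other": 3 * mbit}
    alloc = allocate(10 * mbit, channels, offered)
    p2p = channels[1]
    admitted = [p2p.open_connection("192.168.1.20") for _ in range(3)]
    return {"alloc": alloc, "p2p_admitted": admitted}


if __name__ == "__main__":
    print(demo())
```

In the constructed run the P2P channel never reaches its 2 Mbit/s cap because the key service's guarantee and the leftover sharing consume the link first, which is the intended effect of a guarantee; the third connection from the same host is refused by the per-IP connection limit regardless of bandwidth.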

2.12 What's Next


This section describes common operations following the initial configuration and how to obtain
help from Huawei.

2.12.1 Upgrading System Software


An upgrade enables the system to provide more functions and higher reliability.

Prerequisites
You have downloaded the latest system software from http://support.huawei.com/enterprise
to the administrator PC.

Context
The system restarts after the upgrade. Therefore, upgrade the system software only in off-peak
hours.

Each officially released system software version has a set of release documents, which describe
the updates in the new version, upgrade procedures, and precautions. Download the release
documents when you download the system software, and read them carefully before the upgrade.
The upgrade operations described in this section are general operations. During the system
upgrade, follow the operations described in the upgrade guide for the system software that you
use.

Procedure
Step 1 Choose System > System Upgrade.

Step 2 Click One-touch Version Upgrade.

Step 3 Click Export to export the log information, alarm information, and profiles to the administrator
PC for a backup.


Step 4 Click Browse, and locate the latest system software file on the administrator PC.

Step 5 Select Set it to next-startup software and restart the system.

Step 6 Click Next.

The system uploads the system software and sets it as the next startup software. When the setting
is complete, the system restarts.

The upgrade is complete.

----End

2.12.2 Creating Other Administrators


You can create other administrators to implement rights-based management and increase
management efficiency.

Context
The system has the following default roles:

l System-admin
The system-admin role has full system rights. The administrator of this type can create
other administrators and perform advanced operations such as changing passwords. The
system-admin administrator cannot be deleted.
The default user admin is a system-admin administrator and has full system rights. The
initial password of admin is Admin@123. You are advised to change this password during
the initial configuration.
l device-admin
The device-admin role has fewer rights than the system-admin role. The device-admin role
can perform most of the system operations except advanced operations such as creating
administrators. For the sake of security, you are advised to create a device-admin
administrator to perform feature configuration and service maintenance.
l device-admin (monitor)
The device-admin (monitor) administrator can only query system configuration
information and running status. You can create an administrator of this type to query logs
and reports and perform routine maintenance.
l audit-admin
The audit-admin administrator can only perform traffic auditing.

The system-admin administrator can define roles. For more information about administrators
and roles, see 5.2 Administrators.

Procedure
Step 1 Choose System > Admin > Administrator.

Step 2 Click Add, and create a device-admin administrator based on the following data.

User Name: admin_device
Authentication Type: Local authentication
Password: Admin_device@123
Confirm Password: Admin_device@123
Role: device-admin

Step 3 Click OK.

Step 4 Click Add, and create a device-admin (monitor) administrator based on the following data.

User Name: admin_read
Authentication Type: Local authentication
Password: Admin_read@123
Confirm Password: Admin_read@123
Role: device-admin (monitor)

Step 5 Click Add, and create an audit-admin administrator based on the following data.

User Name: admin_audit
Authentication Type: Local authentication
Password: Admin_audit@123
Confirm Password: Admin_audit@123
Role: audit-admin

----End

2.12.3 More Security Measures


The NGFW provides security functions, such as blacklist and attack defense.

DDoS Attack Defense


A Distributed Denial of Service (DDoS) attack is one of the most common attacks over networks.

An attacker uses zombie hosts to send a large number of malicious attack packets to a target.
When the network links to the target are congested and system resources are exhausted, the target
fails to provide services to its intended users.

The servers (DNS servers and web servers) deployed in large and midsize enterprises and data
centers are exposed to DDoS attacks, such as SYN flood, UDP flood, ICMP flood, HTTP flood,
HTTPS flood, DNS flood, and SIP flood. The NGFW provides the following mechanisms to
defend against DDoS attacks:


l Threshold-based control
A DDoS attack is successful when the attack traffic volume exceeds the server processing
capability. With traffic thresholds specified, the NGFW discards packets when the traffic
volume has reached the thresholds, ensuring that the traffic to be processed is within the
server's capability (for details, see 22.1.4.1 Configuring Anti-DDoS).
l Packet validity check
To avoid checks, DDoS attackers always construct packets and use forged IP addresses.
The NGFW checks the authenticity and validity of received packets and filters out invalid
packets. This helps decrease the traffic volume while ensuring continuous transmission of
valid packets.
The NGFW performs packet validity checks when the traffic volume has reached the
threshold. For details about how the checks work for each type of attack, see 22.1.3.1 DDoS
Attack Defense.

It is important to set appropriate thresholds during the deployment of the DDoS attack defense.
To help you deploy the DDoS attack defense, the NGFW provides the threshold learning function
in addition to default thresholds. With the threshold learning function, the NGFW automatically
calculates an appropriate threshold based on the traffic data in normal conditions. The beginners
can use this function to determine the thresholds. For details about the threshold learning
function, see 22.1.3.2 DDoS Attack Defense Threshold.

In addition to DDoS attack defense, the NGFW provides defense against traditional single-
packet attacks and scanning attacks. However, these types of attacks can be easily prevented as
the server OS security has been enhanced. Therefore, you do not need to deploy defense against
single-packet attacks or scanning attacks on the NGFW. For details about mechanisms of the
single-packet attack defense and scanning attack defense, see 22.1.3.3 Single-Packet Attack
Defense. For details about how to configure these defenses, see 22.1.4.2 Configuring the
Defense Against Single-Packet Attacks.
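Threshold-based control is only as good as the threshold, which is why the guide points to the threshold learning function. The following Python model, an added example that is not part of the guide and not Huawei code, derives a packets-per-second threshold from samples taken under normal traffic and then applies it second by second, passing packets up to the threshold and discarding the excess. The learning formula (mean plus three standard deviations) and the sample values are assumptions of this example; the guide states only that the NGFW calculates the threshold from normal traffic data.

```python
import statistics
from typing import List, Tuple


def learn_threshold(normal_pps: List[int], margin: float = 3.0) -> int:
    """Derive a packets-per-second threshold from samples taken while traffic is normal.
    mean + margin * standard deviation is this example's assumption, not the device's
    documented formula."""
    if len(normal_pps) < 2:
        raise ValueError("need several samples to learn a threshold")
    mean = statistics.fmean(normal_pps)
    spread = statistics.pstdev(normal_pps)
    return int(mean + margin * spread)


def apply_threshold(pps_per_second: List[int], threshold: int) -> List[Tuple[int, int]]:
    """Threshold-based control: per second, packets up to the threshold are passed on to the
    server and the excess is discarded. Returns (passed, dropped) for each second."""
    return [(min(count, threshold), max(count - threshold, 0)) for count in pps_per_second]


def demo() -> dict:
    # Constructed samples: SYN packets per second toward a web server during a quiet
    # period, then an observed minute containing a burst.
    baseline = [1000, 1100, 900, 1000, 1000]
    threshold = learn_threshold(baseline)
    observed = [500, 1189, 5000]
    return {"threshold": threshold, "result": apply_threshold(observed, threshold)}


if __name__ == "__main__":
    print(demo())
```

Learn the baseline over a period that contains the normal peaks (month-end batch runs, marketing campaigns), otherwise legitimate bursts are clipped; and re-learn after a capacity change, since the threshold must track what the server can actually absorb.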

Blacklist
The blacklist feature allows the packets from the listed entries to be discarded. Compared with
policy-based packet filtering, the blacklist feature is simpler and easier to use. It can be used to
rapidly filter out packets from specific users or IP addresses.

The blacklist feature allows simple matching conditions and helps increase processing
efficiency. Used in the initial phase of the packet processing process, the blacklist feature filters
out a large number of risky packets in the early stage, increasing the processing efficiency.

Generally, traditional firewalls perform packet filtering only based on source IP addresses. The
NGFW offers packet filtering based on users, source IP addresses, or destination IP addresses.
For details about the blacklist feature, see 22.3 Blacklist. For details about how to configure this
feature, see 22.3.2 Configuring the Blacklist Using the Web UI.

IP-MAC Binding
The IP-MAC binding feature applies to Layer 2 networking. It prevents users from changing their
host IP addresses. If this feature is enabled, the NGFW checks whether the source IP address and
source MAC address carried in a packet match a binding entry and discards the packet if the
check fails. For details about the IP-MAC binding feature, see 22.4 IP-MAC Binding.
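The two checks described above, as an added illustration that is not Huawei code and does not reproduce the NGFW's internal data structures: a blacklist lookup on user, source address or destination address runs first, an IP-MAC binding check runs next, and only packets that survive both are handed on to security policy matching. All packets, blacklist entries and bindings are constructed sample data; the `Packet`, `Blacklist` and `process` names are this example's own.

```python
"""Added illustration (not Huawei code): an early-stage blacklist lookup
followed by an IP-MAC binding check, run before policy matching. Every
packet, blacklist entry and binding below is constructed for the demo."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str
    user: Optional[str] = None  # identity learned from user authentication, if any


@dataclass
class Blacklist:
    """Three match dimensions only (user, source, destination); the small,
    fixed set of conditions is what keeps this lookup cheap."""
    users: set = field(default_factory=set)
    sources: list = field(default_factory=list)        # IPv4Network entries
    destinations: list = field(default_factory=list)   # IPv4Network entries

    def match(self, pkt: Packet) -> Optional[str]:
        """Return a description of the matching entry, or None."""
        if pkt.user is not None and pkt.user in self.users:
            return f"user {pkt.user}"
        src, dst = ip_address(pkt.src_ip), ip_address(pkt.dst_ip)
        for net in self.sources:
            if src in net:
                return f"source {net}"
        for net in self.destinations:
            if dst in net:
                return f"destination {net}"
        return None


def ip_mac_binding_ok(pkt: Packet, bindings: dict) -> bool:
    """bindings maps a bound IP address to the MAC it must arrive from.
    A bound IP seen with a different source MAC is the case the feature
    discards; addresses without a binding are not subject to the check."""
    bound_mac = bindings.get(pkt.src_ip)
    if bound_mac is None:
        return True
    return bound_mac.lower() == pkt.src_mac.lower()


def process(pkt: Packet, blacklist: Blacklist, bindings: dict):
    """Order follows the text: blacklist first, then IP-MAC binding, then
    hand the survivors to security policy matching."""
    hit = blacklist.match(pkt)
    if hit is not None:
        return ("discard", f"blacklist: {hit}")
    if not ip_mac_binding_ok(pkt, bindings):
        return ("discard", "ip-mac binding mismatch")
    return ("policy", "forward to security policy matching")


# Constructed sample data (RFC 5737 documentation ranges, made-up MACs).
BLACKLIST = Blacklist(
    users={"blocked-user"},
    sources=[ip_network("203.0.113.0/24")],
    destinations=[ip_network("198.51.100.7/32")],
)
BINDINGS = {"192.168.1.10": "00:11:22:33:44:55"}
SAMPLE_PACKETS = [
    Packet("00:11:22:33:44:55", "192.168.1.10", "10.0.0.5"),        # bound host, correct MAC
    Packet("de:ad:be:ef:00:01", "192.168.1.10", "10.0.0.5"),        # bound IP, wrong MAC
    Packet("00:aa:bb:cc:dd:01", "203.0.113.9", "10.0.0.5"),         # blacklisted source
    Packet("00:aa:bb:cc:dd:02", "192.168.1.20", "198.51.100.7"),    # blacklisted destination
    Packet("00:aa:bb:cc:dd:03", "192.168.1.21", "10.0.0.5", user="blocked-user"),
]


def run_demo():
    """Verdict for each sample packet, in order."""
    return [process(p, BLACKLIST, BINDINGS) for p in SAMPLE_PACKETS]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_demo()):
        print(f"{pkt.src_ip:>14} -> {pkt.dst_ip:<14} {verdict[0]:8} {verdict[1]}")
```

The second sample packet shows why the binding check belongs at Layer 2: the source IP is one the blacklist would accept, and only the mismatch against the bound MAC reveals that a different host is using it.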


Other Security Features

22.5 ASPF: The Application Specific Packet Filter (ASPF) feature implements application layer
    and transport layer packet filtering. The NGFW checks the application layer information
    carried in a packet, obtains related information, and creates session entries to ensure
    normal communication between applications.

22.7 URPF: The Unicast Reverse Path Forwarding (URPF) feature prevents source address
    spoofing.

22.8 GTP: The GPRS Tunneling Protocol (GTP) feature implements secure packet data
    transmission over the General Packet Radio Service (GPRS) network.

2.12.4 Viewing Logs and Reports


After the NGFW has been running for a period of time, you can view its logs and reports to learn
about the traffic data and security status of the current network and modify service settings based
on this information.

The logs and reports of each service module help administrators learn about user activities,
maintain system security, monitor network running in real time, diagnose network faults, and
identify potential security risks so that administrators can prepare appropriate control policies.

The following table lists various types of logs and how they guide administrators through system
security maintenance.

Traffic log
    Information to view: Source and destination IP addresses, source users, applications and
    protocols, and whether security and bandwidth policies take effect.
    Guiding significance: If administrators detect source users, source and destination IP
    addresses, or applications for which heavy traffic is generated, they can take the following
    measures:
    - Add the source users and source and destination IP addresses to the blacklist.
    - Change security policies for the related users.
    - Change the matching conditions and actions for security or bandwidth policies.

Threat log
    Information to view: Threat types and names, IP addresses of attackers and victims, users,
    applications and protocols, and matched security policies and profiles.
    Guiding significance: Administrators can take the following measures as required:
    - Add attackers' IP addresses and users to the blacklist.
    - Change security policies or modify the content defined in security profiles.

URL log
    Information to view: Visited URLs, URL categories, matched security policies, and URL
    filter profiles.
    Guiding significance: Administrators can take the following measures as required:
    - If some users or source IP addresses visit non-work-related websites, add the source IP
      addresses to the blacklist or change these users' security policies.
    - If certain URLs are blocked by mistake, change security policies or modify the content
      defined in security profiles.

Content log
    Information to view: Names and types of files transmitted by users, and security policies and
    profiles matching the transmitted files and data.
    Guiding significance: Administrators can take the following measures based on the alarms
    generated during transmission, blocked files and data, and user behaviors:
    - Add the related source and destination IP addresses to the blacklist or change these users'
      security policies.
    - Change security policies or modify the content defined in security profiles.

Operation log
    Information to view: Administrators' login IP addresses and methods and their operations
    after login.
    Guiding significance: This type of log helps administrators monitor operations on the NGFW.
    If misoperations are detected from an administrator's IP address, other administrators can
    add this IP address to the blacklist.

System log
    Information to view: System alarms, user logins and logouts, system running, and blacklist
    information.
    Guiding significance: This type of log helps administrators know the device running status
    and locate faults, if any.

User activity log
    Information to view: Active users and their home groups, IP and MAC addresses for user
    logins, users' authentication and access modes, users' online and lockout durations, and
    users' activities and results.
    Guiding significance: This type of log helps administrators monitor user activities and login
    exceptions on the current network and analyze the reasons for failed user activities so that
    they can modify user settings or take other measures.

Policy matching log
    Information to view: Traffic attributes, such as source and destination IP addresses, source
    users, applications, and protocols, and matched security policies.
    Guiding significance: This type of log helps administrators know which users and
    applications generate traffic and the status of matched policies so that they can determine
    whether these policies are correct and change any inappropriate policies.

Mail filtering log
    Information to view: Mail type and filtering type, and traffic attributes such as source and
    destination zone, source address, destination user, and source and destination port.
    Guiding significance: This type of log helps administrators know the status of mail filtering
    so that they can determine whether the mail filtering policies are correct and change any
    inappropriate policies.

Audit log
    Information to view: Websites, microblogs, and BBS posts visited by users, file uploads
    through HTTP and FTP, commands run through FTP, and email sending and receiving.
    Guiding significance: To prevent non-work-related behaviors and behaviors that may lead to
    information leaks, you can modify audit policies and audit or security profiles.

The following table lists various types of reports and how they guide administrators through
system security maintenance.

Traffic report
    Information to view: Traffic trends and rankings in terms of the following dimensions:
    Source Address, Destination Address, User, Application, Application Category, and
    Application Sub Category.
    Guiding significance: By viewing traffic logs and reports, administrators can know which
    users, applications, and source and destination IP addresses have generated excessive traffic
    within a specified period, and which security and bandwidth policies were matched. This
    information helps administrators prepare appropriate traffic management policies.

Threat report
    Information to view: Threat count trends and rankings in terms of the following dimensions:
    Threat Type, Application, User, Attacker, Victim, Threat Name, Virus Name, and Attack
    Defense.
    Guiding significance: By viewing threat logs and reports, administrators can know the most
    common threat categories and application categories and the regular network attackers and
    victims. This information helps administrators take appropriate security measures.

URL report
    Information to view: URL access count trends and rankings in terms of the following
    dimensions: URL Category, Website, User, Source Address, and Destination Address.
    Guiding significance: By viewing URL logs and reports, administrators can know which URLs
    are frequently visited by intranet users and the categories of these URLs. This information
    helps administrators prepare appropriate URL filter policies.

File blocking report
    Information to view: File blocking match count trends and rankings in terms of the File Type
    dimension.
    Guiding significance: By viewing file blocking logs and reports, administrators can know
    which file types are commonly transferred on the network and make file blocking policies
    accordingly.

Data filtering report
    Information to view: Data filtering match count trends and rankings in terms of the Keyword
    Group dimension.
    Guiding significance: By viewing data filtering logs and reports, administrators can know
    which keywords are commonly used in files and applications and make data filtering
    policies accordingly.

Policy matching report
    Information to view: Policy matching count trends and rankings in terms of Security Policy.
    Guiding significance: By viewing policy matching logs and reports, administrators can know
    the match count of each policy. This information helps administrators analyze whether
    policies take effect so that they can formulate better policies based on the analysis results. If
    a fault occurs, an administrator can observe the match count of each policy: if the match
    count of a policy increases, that policy is matching the traffic, which helps the administrator
    locate incorrect settings.
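The "trends and rankings" that the traffic report and the traffic log row describe, as an added example that is not Huawei code and does not use the NGFW's real log format: constructed traffic records are aggregated per hour (the trend) and ranked by total bytes along one report dimension (source address, user, application, and so on), and the values above a byte threshold are returned as the candidates an administrator would review for blacklisting or policy changes. The record layout, the `rank_by`, `hourly_trend` and `heavy_talkers` names and the threshold are this example's own.

```python
"""Added illustration (not Huawei code, not the NGFW's log format): the
ranking and trend aggregation that a traffic report presents, run over
constructed traffic records."""
from collections import defaultdict

# Constructed records; field names follow the report dimensions in the table.
FIELDS = ("time", "source", "destination", "user", "application", "bytes")
TRAFFIC_RECORDS = [
    ("2015-07-30 09:05:12", "192.168.1.10", "198.51.100.20", "alice", "HTTP",       120_000),
    ("2015-07-30 09:17:40", "192.168.1.11", "198.51.100.21", "bob",   "HTTPS",       80_000),
    ("2015-07-30 09:48:03", "192.168.1.10", "198.51.100.22", "alice", "BitTorrent", 950_000),
    ("2015-07-30 10:02:55", "192.168.1.12", "198.51.100.20", "carol", "HTTP",        40_000),
    ("2015-07-30 10:31:19", "192.168.1.10", "198.51.100.22", "alice", "BitTorrent", 1_300_000),
    ("2015-07-30 11:09:47", "192.168.1.11", "198.51.100.23", "bob",   "SMTP",        15_000),
]


def records_as_dicts(rows=TRAFFIC_RECORDS):
    """Turn the raw tuples into dicts keyed by dimension name."""
    return [dict(zip(FIELDS, row)) for row in rows]


def rank_by(dimension, records=None, top=3):
    """Total bytes per distinct value of one dimension, largest first.
    This is the 'rankings in terms of Source Address, User, Application...'
    half of the report; ties are broken by value so the order is stable."""
    records = records_as_dicts() if records is None else records
    totals = defaultdict(int)
    for r in records:
        totals[r[dimension]] += r["bytes"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


def hourly_trend(records=None):
    """Bytes per hour bucket, oldest first: the 'trend' half of the report."""
    records = records_as_dicts() if records is None else records
    buckets = defaultdict(int)
    for r in records:
        buckets[r["time"][:13]] += r["bytes"]   # 'YYYY-MM-DD HH'
    return sorted(buckets.items())


def heavy_talkers(dimension, threshold_bytes, records=None):
    """Values whose total traffic exceeds the threshold: the users, addresses
    or applications the traffic log table says an administrator may then
    blacklist or re-police. The threshold is a local choice, not a device default."""
    return [value for value, total in rank_by(dimension, records, top=None)
            if total > threshold_bytes]


if __name__ == "__main__":
    for dim in ("source", "user", "application"):
        print(dim, rank_by(dim))
    print("per hour", hourly_trend())
    print("users over 1 MB", heavy_talkers("user", 1_000_000))
```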

2.12.5 Obtaining Help


If you encounter any problems while using the device, you can use any of the following methods to
obtain help.

Related Documentation
Obtain the related documentation from http://support.huawei.com/enterprise. The following
table lists the related documentation.

Quick Start: Describes how to quickly install and initialize the NGFW; applies to the initial
    device deployment.

Product Description: Describes the overview, networking, features, technical specifications,
    and standards compliance of the NGFW.

Hardware Guide: Describes the product hardware and how to install and maintain it.

Administrator Guide: Describes the principles, application scenarios, and configuration methods
    for all the software features of the NGFW.

Typical Configuration Examples: Describes typical configuration examples of the NGFW.

Security Hardening Guide: Describes the security hardening methods and suggestions for the
    NGFW.

Troubleshooting: Describes how to locate and troubleshoot the common faults that may occur
    during device running.

Command Reference: Describes all the commands that the NGFW supports and how to use them
    to configure and maintain the NGFW.

Log Reference: Describes all the logs that the NGFW may generate, including log meanings, log
    parameter descriptions, generation reasons, and handling suggestions. Logs help
    administrators track device running, analyze network status, and locate fault causes,
    providing a sound basis for fault diagnosis and device maintenance.

Alarm Reference: Describes all the alarms related to the NGFW, including alarm meanings,
    attributes, parameters, influence on the system, possible causes, handling methods,
    clearance methods, and references.

Debugging Reference: Describes the methods for using common debugging commands and
    provides sample debugging output as well as solutions. The debugging commands are used
    to track service running status and are important tools for maintaining the NGFW and
    locating faults.

Communication Matrix: Describes the communication relationships between devices, including
    the port used for communication, protocol, IP address, authentication mode, and port usage.

Glossary: Lists all the terms, acronyms, and abbreviations used in all the related
    documentation.

Online Help
When using the NGFW, you can click Help in the upper right corner on the web interface to
obtain the entire online help or click the question mark in the upper right corner in the dialog
box to obtain the help topic for the current page. The online help provides common procedures
and parameter descriptions for the current page.

To quickly browse and toggle between help topics, use the help tree.

To quickly locate the desired task in the current help topic, click the link for the task under the
help topic.

Technical Support
If you have encountered any problems that you cannot resolve by referring to the related
documentation, contact technical support personnel in the local branch offices of Huawei.

For contacts in the local branch offices of Huawei, visit http://support.huawei.com/enterprise.


3 Wizard

3.1 Startup Wizard


The quick wizard assists you in completing basic device configurations and connecting the
device to the Internet. This section describes parameters for each step and the operations of the
wizard.

Welcome to Startup Wizard


After you access the quick wizard, the Welcome to Startup Wizard page is displayed first.

Step 1 Choose System > Wizard > Startup Wizard.

Step 2 Click Next.

NOTE
By default, the Welcome to Startup Wizard page is displayed after a successful login. If you do not
want to enter the Startup Wizard page after login, select Do not display this page upon the next
login in the lower left of the page. Upon the next login, the Dashboard page is displayed directly.

----End

Basic Configuration
Step 1 In Basic Configuration, enter or select parameters listed in Table 3-1.

Step 2 Click Next.

Table 3-1 Parameter description of basic configuration

Host Name: Indicates the name of the device. The host name appears in the command prompt and
    can be modified as required.

Change Administrator Password: Configures whether to change the administrator password for
    logging in to the web page. You are required to change the password upon your first login.

Old Password: Enter the old password. After you select Change Administrator Password, Old
    Password becomes available.

New Password: Enter the new password. After you select Change Administrator Password, New
    Password becomes available.

Confirm: Enter the new password again. Ensure that the two new passwords you entered are
    identical. After you select Change Administrator Password, Confirm becomes available.
----End

Time Settings
Step 1 In Time Settings, enter or select parameters listed in Table 3-2.

Step 2 Click Next.

Table 3-2 Parameter description of time settings

Time Zone: Select the time zone in which the device is located from the drop-down list.

Date: Use either of the following methods to configure the system date:
    - Enter the system date in the text box in the YYYY/MM/DD format.
    - Click the calendar icon and select a date from the calendar that is displayed.

Time: Use either of the following methods to configure the system time:
    - Enter the system time in the text box in the hh:mm:ss format.
    - Select the hour, minute, or second field and then click the up or down arrow.

Automatically adjust clock for daylight saving time (DST): After this item is selected, the
    system automatically adjusts the clock for DST.

Start Time: Indicates the start time of DST. This item is displayed after Automatically adjust
    clock for daylight saving time (DST) is selected.

End Time: Indicates the end time of DST. This item is displayed after Automatically adjust
    clock for daylight saving time (DST) is selected.

Offset Time: Indicates the offset that the system applies while DST is in effect. This item is
    displayed after Automatically adjust clock for daylight saving time (DST) is selected.
    For example, set Start Time to 08:00:00 on the first Monday in August, End Time to 10:00:00
    on the first Monday in October, and Offset Time to 01:00:00. At 08:00:00 on the first Monday
    in August, the system time is automatically changed to 09:00:00. At 10:00:01 on the first
    Monday in October, the system time is automatically changed to 09:00:01.

----End
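The DST example in Table 3-2, carried through in code as an added illustration (not Huawei code and not the device's own clock implementation). It resolves "first Monday in August/October" for any year and maps an underlying standard-time clock value to the time the device would display, reproducing the two transitions the table describes. Because accurate timestamps are what make the logs in 2.12.4 correlatable, it is worth being able to predict these jumps. The `RULE` dictionary and the function names are this example's own; dates use the wizard's YYYY/MM/DD hh:mm:ss form.

```python
"""Added illustration (not Huawei code) of the DST rule in the example above:
DST begins at Start Time on the first Monday in August, ends at End Time on
the first Monday in October, and adds Offset Time while it is in effect."""
import calendar
from datetime import datetime, time, timedelta

FMT = "%Y/%m/%d %H:%M:%S"

# The worked example from Table 3-2, expressed as a rule (this example's own layout).
RULE = {
    "start_month": 8,  "start_weekday": calendar.MONDAY, "start_time": time(8, 0, 0),
    "end_month": 10,   "end_weekday": calendar.MONDAY,   "end_time": time(10, 0, 0),
    "offset": timedelta(hours=1),
}


def first_weekday_of_month(year, month, weekday):
    """Date of the first given weekday in a month (calendar.MONDAY == 0)."""
    first = datetime(year, month, 1)
    return first + timedelta(days=(weekday - first.weekday()) % 7)


def _bounds(year, rule):
    start_day = first_weekday_of_month(year, rule["start_month"], rule["start_weekday"])
    end_day = first_weekday_of_month(year, rule["end_month"], rule["end_weekday"])
    return (datetime.combine(start_day.date(), rule["start_time"]),
            datetime.combine(end_day.date(), rule["end_time"]))


def dst_bounds(year, rule=RULE):
    """Start and end instants of DST for a year, as formatted strings."""
    start, end = _bounds(year, rule)
    return start.strftime(FMT), end.strftime(FMT)


def displayed_time(standard_str, rule=RULE):
    """Map the underlying standard-time clock to what the device displays.
    Start Time is a standard-time instant; End Time is an instant on the
    already-shifted (DST) clock, so the offset is taken off the end before
    comparing against standard time. That is why the clock shows 10:00:00
    and then 09:00:01, exactly as the table describes."""
    standard = datetime.strptime(standard_str, FMT)
    start, end = _bounds(standard.year, rule)
    if start <= standard <= end - rule["offset"]:
        return (standard + rule["offset"]).strftime(FMT)
    return standard.strftime(FMT)


if __name__ == "__main__":
    print("DST 2015:", dst_bounds(2015))
    for t in ("2015/08/03 07:59:59", "2015/08/03 08:00:00",
              "2015/10/05 09:00:00", "2015/10/05 09:00:01"):
        print(t, "->", displayed_time(t))
```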

WAN Mode
Select the Internet access mode based on the information supplied by the network service
provider. Internet access parameters vary with different access modes.

Step 1 In WAN Mode, select the Internet access mode, as shown in Table 3-3.

Step 2 Click Next.

Table 3-3 Parameter description of selecting an Internet access mode

Static IP: Applies if you obtain a fixed IP address or an IP address segment from the network
    service provider.

DHCP: Applies if you obtain an IP address automatically from the network service provider.

PPPoE: Applies if you obtain a user name and password from the network service provider.
----End

WAN Settings
Step 1 Enter or select parameters according to the Internet access mode.
- Table 3-4 shows parameters for access to the Internet through a static IP address.

Table 3-4 Parameter description of accessing the Internet in static IP mode

Interface: Select an interface for accessing the Internet.

IP Address: Indicates the IP address of the interface for accessing the Internet. The value is
    supplied by the network service provider and is in dotted decimal notation (for example,
    1.1.1.1).

Subnet Mask: Indicates the subnet mask of the interface for accessing the Internet. The value is
    supplied by the network service provider and is in 255.x.x.x format.

Default Gateway: Indicates the IP address of the default gateway on the interface for accessing
    the Internet. Packets from intranet users to the Internet are sent to the default gateway
    through this interface, and the default gateway then forwards them. The value is supplied by
    the network service provider and is in dotted decimal notation (for example, 1.1.1.254).

Primary DNS Server: Indicates the IP address of the primary DNS server. LAN hosts generally
    access websites by domain name, so you need to specify the IP address of the DNS server.
    The value is supplied by the network service provider.

Secondary DNS Server: Indicates the IP address of the secondary DNS server. When the primary
    DNS server is faulty, the device uses the secondary DNS server for domain name resolution.
    The value is supplied by the network service provider.

- Table 3-5 shows parameters for access to the Internet through DHCP.

Table 3-5 Parameter description of accessing the Internet in DHCP mode

Interface: The interface for accessing the Internet serves as the DHCP client and attempts to
    obtain an IP address from the network service provider (DHCP server).

- Table 3-6 shows parameters for access to the Internet through PPPoE.

Table 3-6 Parameter description of accessing the Internet in PPPoE mode

Interface: Select an interface for accessing the Internet.

User Name: Indicates the user name used for identity authentication in PPPoE mode. The value
    is supplied by the network service provider.

Password: Indicates the password used for identity authentication in PPPoE mode. The value is
    supplied by the network service provider.

Online Mode:
    - Always Online: applies if you are a monthly-payment subscriber or pay by traffic volume.
    - Inactivity Disconnection (seconds): applies if you pay by online duration. If no traffic is
      transmitted within the Inactivity Disconnection (seconds) period, the connection to the
      Internet is disconnected.

Obtain an IP Address Automatically: Indicates that the interface for accessing the Internet
    automatically obtains an IP address from the network service provider.

Use the Following IP Address: Manually sets the IP address of the interface for accessing the
    Internet.

IP Address: After you select Use the Following IP Address, IP Address becomes available. The
    value is supplied by the network service provider.

Step 2 Click Next.

----End

LAN Settings
Step 1 In LAN Settings, enter or select parameters listed in Table 3-7.

Step 2 Click Next.

Table 3-7 Parameter description of configuring a LAN interface

Interface: Select the interface on the device that connects to the LAN.

IP Address: Indicates the IP address of the interface connecting to the LAN. A private address
    such as 10.0.0.1 or 192.168.0.1 is recommended.

Subnet Mask: Indicates the subnet mask of the interface connecting to the LAN.
----End

LAN DHCP Settings


Step 1 In LAN DHCP Settings, enter or select parameters listed in Table 3-8.

Step 2 Click Next.

Table 3-8 Parameter description of configuring the DHCP service on the LAN

Enable DHCP Server on LAN: After the DHCP service on the LAN is enabled, users on the LAN
    can automatically obtain IP addresses ranging from the start IP address to the end IP address.

Start IP Address: Indicates the start IP address of the range assigned to DHCP clients.
    By default, the system takes the address range of the interface's subnet as the assignable IP
    address range. For example, if the IP address of an interface is 192.168.1.5 255.255.255.0 and
    you create a DHCP server on the interface, the system sets Start IP Address to 192.168.1.1
    and End IP Address to 192.168.1.254 by default. Because 192.168.1.5 is the IP address of the
    interface, it is not assigned. When the assignable IP address range differs from the default,
    you can specify Start IP Address and End IP Address directly.

End IP Address: Indicates the end IP address of the range assigned to DHCP clients.

----End
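The LAN Settings and LAN DHCP Settings steps above, as an added example that is not Huawei code and does not reproduce the wizard's own validation: it derives the default DHCP pool the text describes (first to last host address of the interface subnet, with the interface's own address excluded) and checks the LAN address the way a reviewer of the wizard input would, rejecting non-contiguous masks, network or broadcast addresses, and public addresses where the guide recommends a private one. The function names, the `/31` guard and the sample addresses are this example's own.

```python
"""Added illustration (not Huawei code): derive the default DHCP pool the wizard
describes for a LAN interface, and check the LAN address and mask the way a
reviewer of the wizard's input would. All addresses here are sample values."""
from ipaddress import IPv4Interface, ip_address


def validate_lan_address(ip_str, mask_str):
    """Return (ok, reason). Follows the wizard's guidance: a private address
    such as 10.0.0.1 or 192.168.0.1 is recommended, the mask must be a
    contiguous 255.x.x.x mask, and the address must be a usable host address."""
    try:
        iface = IPv4Interface(f"{ip_str}/{mask_str}")  # rejects non-contiguous masks
    except ValueError as exc:
        return False, f"invalid address/mask: {exc}"
    net = iface.network
    if net.prefixlen >= 31:  # this example's guard: no room for DHCP clients
        return False, "subnet too small to host DHCP clients"
    if iface.ip in (net.network_address, net.broadcast_address):
        return False, "address is the network or broadcast address"
    if not iface.ip.is_private:
        return False, "LAN interface address is not a private address"
    return True, "ok"


def default_dhcp_pool(ip_str, mask_str):
    """Default pool as described for Start/End IP Address: the first to the
    last host address of the interface subnet, with the interface's own
    address excluded from assignment."""
    iface = IPv4Interface(f"{ip_str}/{mask_str}")
    net = iface.network
    start = net.network_address + 1
    end = net.broadcast_address - 1
    return str(start), str(end), [str(iface.ip)]


def assignable_count(ip_str, mask_str):
    """Number of addresses the default pool can actually hand out."""
    start, end, excluded = default_dhcp_pool(ip_str, mask_str)
    lo, hi = ip_address(start), ip_address(end)
    in_range = sum(1 for e in excluded if lo <= ip_address(e) <= hi)
    return int(hi) - int(lo) + 1 - in_range


if __name__ == "__main__":
    for ip, mask in (("192.168.1.5", "255.255.255.0"),
                     ("8.8.8.1", "255.255.255.0"),
                     ("10.0.0.1", "255.0.255.0")):
        ok, why = validate_lan_address(ip, mask)
        print(ip, mask, "->", why)
        if ok:
            print("  default pool:", default_dhcp_pool(ip, mask),
                  "assignable:", assignable_count(ip, mask))
```

For the guide's own example (192.168.1.5 with mask 255.255.255.0) the pool is 192.168.1.1 to 192.168.1.254 with 192.168.1.5 excluded, which leaves 253 assignable addresses.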

Summary
Summary displays the configuration information from the previous steps, including:
- Outside: displays the WAN Settings configuration.
- Inside: displays the LAN Settings and LAN DHCP Settings configurations.

Step 1 Check configuration information in Summary. After confirming the information, click
Apply.

Step 2 Wait a period of time. If the configuration information is successfully delivered, the Startup
Wizard Complete page is displayed.

Step 3 Click Finish. The configuration of the quick wizard is complete.

----End

4 Dashboard

4.1 Setting the Status Windows


The Dashboard tab page displays various status windows. You can specify which status
windows are displayed on the Dashboard tab page.

You can move a status window to a desired position and set an interval for refreshing the window.

- Display a status window on the Dashboard tab page.
  1. Click Dashboard.
  2. Click Device Information.
     If the Device Information option button in the navigation list is gray, the Device
     Information window is already displayed on the Dashboard tab page.
  3. Repeat the preceding steps to set other status windows.
- Set the automatic refresh interval.
  1. Click Dashboard.
  2. Click Refresh Interval.
  3. Select a refresh interval from the drop-down list.
- Move a status window.
  1. Click Dashboard.
  2. Move the cursor over a status window, hold down the left mouse button, and drag the
     window to the desired position.

4.2 Device Information


The Device Information window displays the NGFW indicators and interface status.

Each icon indicates an interface or indicator.

- Interface icons
  Table 4-1 describes the meanings of the different colors of interface physical status icons.

Table 4-1 Meanings of different colors for interface physical status icons

Green: The physical status of the interface is Up, and the interface is working in full duplex
    mode.

Yellow: The physical status of the interface is Up, and the interface is working in half duplex
    mode.

Black: The physical status of the interface is Down.

To view interface information, move the cursor over a status icon. Table 4-2 describes the
interface operating information.

Table 4-2 Interface operating information

Interface Name: Interface name, in the format interface type + interface number, for example,
    GE0/0/0.

Status: Interface status information displayed in the format X/Y:
    - X: network layer status of the interface. Values:
      – Up
      – Down
    - Y: physical layer status of the interface. Values:
      – Line Up
      – Line Down

Security Zone: Name of the security zone to which the interface belongs.

IP/Mask: Interface IP address and mask.

Speed: Highest speed (Mbit/s) that the interface supports.

Duplex: Interface working mode:
    - Full duplex
    - Half duplex

Input Bytes: Number of bytes received.

Input Error Packets: Number of error packets received.

Output Bytes: Number of bytes sent.

Output Error Packets: Number of error packets sent.

- Indicator
  Table 4-3 describes the indicators.

Table 4-3 Indicator description

System indicator (green): Steady on: The system is running properly.

PWR indicator (green): Steady on: The power supply works properly.

ALM indicator (red): Off: The system is running properly.

USB0 and USB1 interface indicator (green):
    - Steady on: A USB device is inserted into the USB0 or USB1 interface.
    - Off: No USB device is inserted into the USB0 or USB1 interface.

ETH, GE interface indicator (green):
    - Steady on: The link is connected and the interface is Up.
    - Off: The link is not connected and the interface is Down.

4.3 System Resource


The System Resource window displays CPU, memory, Hda1, and disk usage.

Table 4-4 describes the parameters in the System Resource window.

Table 4-4 System resource parameters

CPU Usage: When you move the pointer to the CPU resource icon, the CPU usage of the data
    plane at that time is displayed.

Memory Usage: Percentage of memory resources used. Move the cursor over the memory meter
    to view the following information:
    - Memory Usage: amount of memory resources used, in percentage
    - Memory Size: total memory capacity (MB)

CF Card Usage: When you move the pointer to the CF card resource icon, detailed information is
    displayed, including:
    - CF card usage, in percentage
    - Used: the used CF card capacity
    - CF card capacity: the total capacity of the CF card

Disk Usage: Move the cursor over the disk meter to view the following information:
    - Percentage of hard disk resources used:
      – Disk Usage: amount of hard disk resources used, in percentage
      – Used: amount of hard disk resources used, in MB
      – Size: total hard disk capacity, in MB
    - When using dual disks for the first time or expanding capacity after using a single disk for
      a period of time, back up disk data in a timely manner. The USG6650/6660/6670/6680
      supports dual disks. The disk backup procedure is as follows:
      Click Disk Backup. In the window that is displayed, select the current disk as the active
      disk and click OK.
      When the backup progress reaches 100% and the current disk usage is displayed, the disk
      data backup is complete.
      NOTICE
      After disk data backup starts, data on the active disk is synchronized to the backup disk
      and the original data on the backup disk is overwritten. Therefore, select the active disk
      correctly before starting disk data backup.

4.4 System Information


The System Information window displays basic NGFW information, including the serial
number, software version, and working status.

Table 4-5 describes the NGFW system information.

Table 4-5 System information

SN: Serial number that uniquely identifies an NGFW. You must provide the serial number of the
    NGFW when you apply for a license or before you send the NGFW for repair.

Version: Current software version. To upgrade the current version, click Upgrade in the System
    Information window to open the System Upgrade tab page. For the detailed upgrade
    procedure, see 5.13.1 Upgrading the System Using the Web UI.

Device Name: Name of the NGFW. To change the name, perform the following steps:
    1. Click Modify.
    2. In the Rename dialog box, enter a new name.
    3. Click Apply.

System Time: Current date and time of the NGFW. To change the date or time, perform the
    following steps:
    1. Click Modify.
    2. On the Time tab page, change the date or time.
    For the detailed procedure, see 5.3.1 Configuring the System Time Using the Web UI.

Power: Power module status:
    - Normal
    - Abnormal: If one of the two power modules has the status Not powered on, check for
      power supply module faults and rectify them.

Ambient Temperature: Current ambient temperature of the NGFW. For more information, click
    Details in the System Information window.

CPU Subcard Status: Status of each CPU subcard. For more information, click Details in the
    System Information window.

Fan: Fan module status:
    - Normal
    - Abnormal: If Abnormal is displayed, check for fan module faults and rectify them.

Dual-System Hot Backup Status: Whether dual-system hot backup is enabled:
    - Active: Dual-system hot backup is enabled, and the NGFW is working in active mode.
    - Standby: Dual-system hot backup is enabled, and the NGFW is working in standby mode.
    - Single Device: Dual-system hot backup is disabled. To enable dual-system hot backup,
      click Configure and configure this function on the Dual-System Hot Backup page. For the
      detailed configuration procedure, see 6 High Availability.

Agile Network Function: Whether the Agile Network function is enabled.

Virtual System: Whether the virtual system function is enabled.

IPv6: Whether IPv6 is enabled:
    - Enable
    - Disable
    To modify the IPv6 status, perform the following steps:
    1. Click Configure.
    2. In the IPv6 dialog box that is displayed, perform either of the following operations:
       - To enable IPv6, select the IPv6 check box.
       - To disable IPv6, clear the IPv6 check box.
    The NAT64 prefix can also be configured here.

Power: Power consumption (W) of the NGFW. For more information, click Details in the System
    Information window.

Number of Online Administrators: For more information, click Details in the System Information
    window. In the Details dialog box, you can select one or more administrators and force them
    to log out.
    NOTE
    Only system administrators have the permission to view the number of online administrators
    and to force them to log out.

4.5 Traffic History

The Traffic History window displays information about the data flows transmitted by interfaces within specified periods.

The interfaces collect statistics on inbound and outbound traffic and display the results in curve charts. With the curve charts, you can view traffic distribution regularities, such as peak and off-peak traffic hours and the traffic rate, to facilitate your analysis of network conditions.

Select an interface or all interfaces from the Interface drop-down list to collect traffic statistics on the specified interface or on all interfaces. From the Time Range drop-down list, select whether to show traffic statistics for the past 60 minutes, 24 hours, or 30 days. Click the icon to view more detailed interface traffic statistics, including the packet transmission rate, bandwidth, and traffic volume.

4.6 License Information

The License Information window shows the license status and the number of available resources specified in the license.

Table 4-6 describes the license parameters.


Table 4-6 License information

License State: License status:
l Active: If the status is Active, the date and time when the license was activated is also displayed.
l Inactive
To change the license status, perform the following steps:
1. Click Configure on the License Information window.
2. On the License Management tab page, modify the configuration. For the detailed configuration procedure, see Applying For and Activating a License.

Resource Control: Functional resource list.

Authorization Information: Function status:
l Enable: The specified functional resource is available. If a specific function is enabled, its specification is also displayed.
l Disable: The specified functional resource is unavailable.

4.7 Alarm Information

The Alarm Information window displays the alarm messages. The latest alarm is displayed at the top.

Click the icon to view more information about alarms. Table 4-7 describes the alarm parameters.

Table 4-7 Alarm information

Security Level: Severity of an alarm.
Time: Date and time when the alarm was generated.
Description: Meaning of the alarm.

4.8 System Log List


In this window, you can check the latest system logs of the device. All system logs are arranged
by time of generation with the latest log on the top.

By viewing system logs, you can learn about operating and hardware-related events. System logs facilitate fault analysis and fault locating during troubleshooting.


System logs record system alarms, user login or logout, system operations, and blacklists. Table 4-8 describes the system log parameters.

Table 4-8 System log list

Time: Date and time when a system log message was generated.
Description: Content of the system log message.

Click the icon to view more information about system logs. For more detailed information about system logs, see System Logs.

4.9 Threat Log List


In this window, you can check the latest threat logs of the device. All threat logs are arranged
by time of generation with the latest log on the top.

Table 4-9 shows the parameters of the threat log information window.

Table 4-9 Threat log list

Time: Date and time when a threat log message was generated.
Threat Name: Name of the threat.
Action: Action taken on the threat.

Click the icon to view more information about threat logs. For more detailed information about threat logs, see Threat Logs.

4.10 Log Storage Details


The Log Storage Details window displays the percentage of storage space used to store each
type of service logs and the maximum storage space for each type of service logs.

Table 4-10 describes the log storage parameters.

Table 4-10 Log storage details

Service: Service-specific log type.
Usage: Percentage of the storage space used to store a specific type of service logs.
Maximum Storage Space: Maximum storage space for a specific type of service logs, in GB.

When the percentage of disk space used by a type of logs or reports exceeds the configured alarm threshold, the icon blinks and a log is generated. In this case, access the report page and export the report for backup. For details, see Viewing Reports. For details about configuring the hard disk alarm threshold, see Configuring Hard Disk Alarming Threshold.

4.11 Visual Management


This section describes how to use the visual management center.

The visual management center allows you to select an interface, internal server, or IPSec service to configure it, check the network topology, view the network status from the topology, and check and diagnose the device.

Prerequisites
The network planning has been completed.

If the networking and service configuration have been completed, you have familiarized yourself with the neighboring devices, service models, traffic directions, inside and outside interfaces, and IP addresses.

Networking
The networking diagram is the basis of the visual management center, which allows you to select an interface, internal server, or IPSec service to configure it or to check the network topology.

1. Click Configure Networking Diagram.
2. On the page that is displayed, select Monitor IPSec Service, Monitor Internal Server, Monitor Intranet Interface, or Monitor Internet Interface based on the planning or the actual networking.
3. In the Monitor Internal Server and Monitor Intranet Interface drop-down lists, select the interfaces to be monitored. If the interface is not configured, click OK on the page that is displayed and configure the interface. For details, see Configuring Interfaces.
4. Optional: Click the icon and repeat the preceding steps to configure more interfaces. You can configure six inside interfaces (intranet interfaces) and three outside interfaces (Internet interfaces) on the device.


5. Click OK. The networking diagram configuration is complete.

Device Operating Status


You can move the pointer to an area icon in the networking diagram to view the status of devices,
interfaces, server mappings, and IPSec services. For details about the areas, see Figure 4-1.

Figure 4-1 Networking diagram (the figure numbers areas 1 to 6, which are referenced below)

l Interface information and traffic transmission status
Move the pointer to area 1 or 3 to display information such as the current interface name, IP address, inbound traffic, and outbound traffic.
You can also click Legend to check the traffic status indicated by each color.
l Server transmission status information
Move the pointer to area 2 to display information such as the current number of sessions on the server and the inbound traffic.
l Basic information about the IPSec service
Move the pointer to area 4 to display information such as the number of IPSec packets received and sent for the current service and the number of established tunnels.
l Device resource information
Move the pointer to area 5 to check information such as the current CPU usage of the data plane and the memory usage of the device.
l Health check information
Move the pointer to area 6 to check the health score of the current network and device. The health score represents the condition of the network where the NGFW and its server reside. A higher score indicates a healthier condition and better server performance. If the score is low, service efficiency is reduced or a fault has occurred. The outer ring of the health score can be any of the following colors:
– Green (80 to 100): The network and devices are healthy, and services are running properly.
– Orange (60 to 80): The performance of the network and devices is medium, and services may be affected.
– Red (lower than 60): The network and devices are unhealthy, and services are affected.
You can click View Details to query detailed health check information. For the procedure, see Health Check.

Quick Configuration
As shown in Figure 4-1, you can complete basic configurations, change intranet and Internet
interfaces, and create servers on the networking diagram. When the device or service is abnormal,
you can collect information for diagnosis. For the corresponding area information, see Figure
4-1.

l Basic configuration of the device
Move the pointer to area 5, click Startup Wizard, Update Center, License Management, or Diagnosis Info, and access the corresponding configuration page to complete the configuration. Details are as follows:

Startup Wizard: Helps you complete the basic device configuration and WAN access. For details, see Startup Wizard.
Update Center: Describes how to upgrade the signature database. For details, see Update Center.
License Management: Describes how to manage and activate a license. For details, see License Management.
Diagnosis Info: Displays the operating status and configuration information of each module of the device. You can export the collected information and send it to technical support personnel for fault locating. For details, see Diagnosis Info.

l Server mapping
Move the pointer to area 2, click Set, and access the Server Mapping List page. View the mapping information of the NAT server, or click Add to configure a server mapping. For details, see Configuring Server Mappings.
l Intranet interface/Internet interface
Move the pointer to area 1 or 3, click Set, and access the interface configuration page. For details, see Configuring Interfaces.

Health Check
After networking planning and device configuration are complete, move the cursor to area 6 in Figure 4-1 to perform a device health check.
1. Click this area. The message "Do you want to check device health?" is displayed. Click OK to start the check. The check result is displayed after the check is complete.
NOTE
The health index is the weighting coefficient multiplied by the average of the four dimension scores. The weighting coefficient is determined by the lowest score: it is 1 for 100 points, 0.9 for 80 to 99 points, 0.8 for 60 to 79 points, and 0.7 for 59 points and less. The total health index is calculated using the formula S = (S1 + S2 + S3 + S4)/4 x W, where S is the total score, Si (i = 1, 2, 3, or 4) is the score of each dimension, and W is the weighting coefficient determined by the dimension with the lowest score.
2. Click View Details to query detailed information and suggestions about the use of the hardware, network, services, and resources as well as signature database updates. You can optimize the device according to the suggestions.
3. Click Re-check to perform the health check again.
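The following is an added worked example of the health index formula from the NOTE above; it is not code from this guide or from the NGFW software. It carries the formula S = (S1 + S2 + S3 + S4)/4 x W through with the coefficient table, and adds a summary that shows why a single weak dimension pulls the index below the plain average. The function names, the input validation, and the mapping of the total score to the outer-ring colors of section 4.11 (with a score of exactly 80 counted as green) are assumptions made for this example.

```python
"""Health index calculation, following the formula in the Health Check NOTE.

Added example, not code from Huawei or the NGFW software. The function names,
the input validation and the color thresholds (taken from the outer-ring colors
in 4.11, with 80 counted as green) are assumptions made for this example.
"""
from typing import Sequence


def weighting_coefficient(lowest_score: float) -> float:
    """Weighting coefficient W, determined by the lowest dimension score.

    1 for 100 points, 0.9 for 80 to 99, 0.8 for 60 to 79, 0.7 for 59 and less.
    """
    if lowest_score >= 100:
        return 1.0
    if lowest_score >= 80:
        return 0.9
    if lowest_score >= 60:
        return 0.8
    return 0.7


def health_index(scores: Sequence[float]) -> float:
    """Total score S = (S1 + S2 + S3 + S4) / 4 x W for four dimension scores."""
    if len(scores) != 4:
        raise ValueError("exactly four dimension scores are expected")
    if any(not 0 <= s <= 100 for s in scores):
        raise ValueError("each dimension score must be between 0 and 100")
    w = weighting_coefficient(min(scores))
    return sum(scores) / 4 * w


def ring_color(index: float) -> str:
    """Outer-ring color for a total score (assumed: 80 and above is green)."""
    if index >= 80:
        return "green"
    if index >= 60:
        return "orange"
    return "red"


def health_summary(scores: Sequence[float]) -> dict:
    """Report the index, its color, and which dimension fixed the coefficient.

    The coefficient is chosen by the minimum score, not by the mean, so one
    poor dimension lowers the total well below the plain average.
    """
    index = health_index(scores)
    lowest = min(scores)
    return {
        "average": sum(scores) / 4,
        "coefficient": weighting_coefficient(lowest),
        "weakest_dimension": list(scores).index(lowest) + 1,  # 1-based, as S1..S4
        "index": index,
        "color": ring_color(index),
    }


if __name__ == "__main__":
    # Constructed sample: three strong dimensions and one poor one.
    # Average is 85 (green), but W = 0.7 gives an index of 59.5 (red).
    print(health_summary([100, 95, 90, 55]))
```

The sample in the block illustrates the practical point of the NOTE: a device whose four dimension scores average 85 still shows a red ring when one dimension scores 55, so the dimension reported as weakest is the one to fix first.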


5 System

5.1 Logging In to the Device for the First Time


This section describes how an administrator can use the console port and web to log in to the
NGFW administrator interface for the first time.

5.1.1 Logging In to the CLI Through the Console Port


By default, the NGFW allows an administrator to log in to the CLI administrator interface using
the console port.

Context
Figure 5-1 shows the networking diagram for the login to the NGFW through the console port.

Figure 5-1 Cabling between the PC and the Console port of the NGFW (the COM port of the PC is connected to the Console port of the NGFW by an RS-232 cable)

Procedure
Step 1 Connect the console cable.
1. Shut down the NGFW and power off the configuration terminal.
2. Connect the RS-232 serial port of the configuration terminal to the configuration interface
of the NGFW with a cable.
3. After checking the installation, power on the configuration terminal.
Step 2 Configure the terminal. The following examples describe terminal configurations in the
Windows XP and Windows 7 operating systems.
Windows XP


1. Run the terminal emulation program (such as the HyperTerminal on Windows XP) on the
PC. Choose Start > All programs > Accessories > Communications > Hyper
Terminal. The Connection Description dialog box is displayed.
2. In Name, enter the name (for example, COMM1) of the connection between the PC and
the NGFW. Then, select an icon in Icon, as shown in Figure 5-2.

Figure 5-2 Setting the name of the connection

3. Click OK. The Connect to dialog box is displayed.


4. Select the serial port, such as COM1, used for the connection between the PC and the
NGFW from the Connect using drop-down list, as shown in Figure 5-3.

Figure 5-3 Selecting the COM port of the PC


5. Click OK. The COM1 Properties dialog box is displayed.


6. Set communications parameters of the serial port or click Restore Defaults to set the default
value for the parameters, as shown in Figure 5-4.

Figure 5-4 Setting port properties

7. Click OK.
Windows 7
1. Download the PuTTY software to the local PC and double-click it to run the software.
2. Choose Session and set Connection type to Serial.
3. Set the parameters for connecting the serial port to the device. Figure 5-5 shows the detailed parameter settings.


Figure 5-5 Setting the PuTTY parameters for connecting the serial port to the NGFW

4. Click Open.

Step 3 Press Enter, then enter the account admin and the password Admin@123.
NOTE
After three consecutive login failures through the console port, the system automatically locks the console port (prohibiting administrator login) for 10 minutes.

Step 4 Change the default administrator password and access the CLI.
NOTE

To enhance security, a password must meet the minimum strength requirements: it must contain at least three of the following four types of characters: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and special characters, such as exclamation points (!), at signs (@), number signs (#), dollar signs ($), and percent signs (%).
Please keep the new password you entered safe for your next login.
Please input new password:**********
Please confirm new password:**********
<NGFW>

----End

Follow-up Procedure
Log in to the device through the console port for management and configuration. You can also
create more administrators or establish the Telnet, STelnet, and web login environment. For
details, refer to 5.2 Administrators.


5.1.2 Logging In to the Web UI Using HTTPS


By default, the device allows an administrator to log in to the NGFW web UI using HTTPS.

Prerequisites
The browser on the administrator PC must meet any of the following requirements:

l Internet Explorer: version 6.0 to 9.0


l Firefox (recommended): version 10.0 or later
l Chrome: version 17.0 or later
NOTE

When using Internet Explorer, you are advised to use version 7.0 or later.

Procedure
Step 1 Connect the network interface of the administrator PC to management interface GigabitEthernet
0/0/0 using network cables or layer-2 switches.
NOTE

The USG6310/6320 does not have a management interface. You need to connect GigabitEthernet 0/0/0 to the network interface of the PC.

Step 2 Set the IP address of the administrator PC, within a range from 192.168.0.2 to 192.168.0.254.


Step 3 Open the browser on the administrator PC. In the address box, enter the default IP address of
the GigabitEthernet 0/0/0 (https://192.168.0.1:8443).
NOTE

If you enter http://192.168.0.1, the device automatically uses the more secure HTTPS to access the web UI.
If the browser displays a notification about an insecure certificate, you can continue browsing. For security, you are advised to configure a specified certificate after logging in to the device. For details, refer to 5.2.4.2 Example for Logging In to the Web UI Using HTTPS (Specified Certificate).
Click Open Source Software Notice on the web login page to view the related information about the open source software notice.

Step 4 On the login page, enter the default user name admin and password Admin@123 of the system
administrator. Click Login.

NOTE

You can also use the default audit administrator account audit-admin (password Admin@123) to log in to the device.
After three consecutive login failures, the web UI is automatically locked for 10 minutes, during which no user can log in.

Step 5 Change the password of the default administrator account, and click OK to access the web UI.
NOTE

To enhance security, a password must meet the minimum strength requirements: it must contain at least three of the following four types of characters: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to 9), and special characters, such as exclamation points (!), at signs (@), number signs (#), dollar signs ($), and percent signs (%).
Please keep the new password you entered safe for your next login.
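The following is an added example that models the two login-protection rules stated in sections 5.1.1 and 5.1.2 (three consecutive failures lock the login channel for 10 minutes; a new password must contain at least three of the four character types). It is not code from this guide or from the NGFW software; the LoginGuard class, its injected clock, the plaintext credential store, and the sample console session are all constructed for illustration. It is useful as a reference model when checking that a device behaves as documented: the lockout refuses even a correct password until the 10 minutes have elapsed, and a successful login resets the consecutive-failure count.

```python
"""Login protection rules from 5.1.1 and 5.1.2, as an added example.

Not code from Huawei or the NGFW. It models two rules the guide states:
  * three consecutive login failures lock the login channel for 10 minutes;
  * a new password must contain at least three of four character types
    (uppercase, lowercase, digits, special characters).
LoginGuard, its injected clock, the credential store and the sample session
are constructed for this example.
"""
import hmac
import string
from typing import Callable, Dict, List

LOCKOUT_THRESHOLD = 3       # consecutive failures before the channel locks
LOCKOUT_SECONDS = 10 * 60   # lockout duration stated in the NOTE: 10 minutes
SPECIAL_CHARS = set(string.punctuation)   # includes ! @ # $ % named in the NOTE


def password_meets_policy(password: str) -> bool:
    """True when at least three of the four character types are present."""
    present = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIAL_CHARS for c in password),
    )
    return sum(present) >= 3


class LoginGuard:
    """Counts consecutive failures per login channel ("console", "web", ...)."""

    def __init__(self, now: Callable[[], float]):
        self._now = now                               # clock injected for testability
        self._failures: Dict[str, int] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, channel: str) -> bool:
        return self._now() < self._locked_until.get(channel, 0.0)

    def attempt(self, channel: str, username: str, password: str,
                credentials: Dict[str, str]) -> str:
        """Return "locked", "ok" or "failed" for one login attempt.

        credentials maps user name to password in plaintext only to keep the
        example short; a real store holds salted password hashes.
        """
        if self.is_locked(channel):
            return "locked"         # refused even if the credentials are right
        expected = credentials.get(username, "")
        # Constant-time comparison avoids leaking how many characters matched.
        if expected and hmac.compare_digest(expected.encode(), password.encode()):
            self._failures[channel] = 0     # success resets the consecutive count
            return "ok"
        self._failures[channel] = self._failures.get(channel, 0) + 1
        if self._failures[channel] >= LOCKOUT_THRESHOLD:
            self._locked_until[channel] = self._now() + LOCKOUT_SECONDS
            self._failures[channel] = 0
        return "failed"


def demo_session() -> List[str]:
    """Constructed console session: three bad passwords, then the right one."""
    clock = {"t": 0.0}
    guard = LoginGuard(lambda: clock["t"])
    # Factory default from the guide; it must be changed at first login.
    credentials = {"admin": "Admin@123"}
    results = []
    for guess in ("admin", "Admin", "admin123"):
        results.append(guard.attempt("console", "admin", guess, credentials))
    # Fourth attempt is correct, but the console is locked for 10 minutes.
    results.append(guard.attempt("console", "admin", "Admin@123", credentials))
    clock["t"] += LOCKOUT_SECONDS
    results.append(guard.attempt("console", "admin", "Admin@123", credentials))
    return results
```

Note that the guide locks the channel (the console port or the web UI) rather than the account, which is why the guard keys its counters by channel; the same structure keyed by user name would model an account lockout instead.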


----End

Follow-up Procedure
Use HTTPS to log in to the web UI for management and configuration. You can also create more
administrators. For details, refer to 5.2 Administrators.

5.2 Administrators
This section describes how to configure administrators, including configuring administrator
accounts, administrator interfaces, and services.

5.2.1 Overview
The NGFW provides an administrator mechanism consisting of administrators and administrator interfaces. An administrator interface is the unified management point for one login method: it covers the configuration UI of that method and the administrators who use it.

5.2.1.1 Administrator Overview


This section describes the administrator login methods and permission control mechanism.

Administrator Login Methods


Table 5-1 lists the administrator login methods. By default, the default administrator (admin/Admin@123) and auditor (audit-admin) can log in to the device through the web UI and the console port.


Table 5-1 Administrator login methods

Login method: Web (HTTPS)
Application scenario: An administrator performs operations on the device through the web page, which is more intuitive than the CLI.
Interface: Any Ethernet port reachable to both the login PC and the device works. You are advised to select management interface GigabitEthernet 0/0/0 for login.
Description: By default, an administrator uses account admin, password Admin@123, and management interface GigabitEthernet 0/0/0 to log in. For details, refer to 5.1.2 Logging In to the Web UI Using HTTPS. The device enables the HTTPS service by default. If an administrator uses HTTP for login, the device redirects to HTTPS. You are advised not to disable the HTTPS service.

Login method: CLI, Console
Application scenario: Console is the basis of the other CLI login methods. Only one administrator can operate at the same time. Console is used in the following scenarios:
l An administrator logs in to the CLI for the first time.
l If an administrator cannot log in to the device remotely, the administrator can log in locally through the console port.
l If a device cannot start normally, the administrator can access the BootROM menu through the console port to load the system software.
Interface: Console port
Description: The default account and password are admin and Admin@123. For details, refer to 5.1.1 Logging In to the CLI Through the Console Port.

Login method: CLI, Telnet
Application scenario: This method applies to remote management and maintenance. Multiple administrators can operate at the same time.
Interface: Any Ethernet port reachable to both the login PC and the device works. You are advised to select management interface GigabitEthernet 0/0/0 for login.
Description: Direct login is not enabled by default. You must configure the Telnet service. For details, refer to 5.2.4.3 Example for Logging in to the CLI using the Telnet.
NOTICE
During Telnet login, data and passwords are transmitted in plaintext mode, causing security risks. To secure data transmission, use STelnet instead.

Login method: CLI, STelnet
Application scenario: STelnet supports identity authentication and encrypted data transmission and is more secure than Telnet.
Interface: Same as Telnet (any Ethernet port reachable to both the login PC and the device; management interface GigabitEthernet 0/0/0 is advised).
Description: Direct login is not enabled by default. You must configure the SSH service and users. For details, refer to 5.2.4.5 Example for Logging In to the CLI Using STelnet (RSA Authentication) or 5.2.4.4 Example for Logging in to the CLI Using STelnet (Password Authentication).

Login method: API
Application scenario: The northbound interfaces use HTTP or HTTPS to communicate with third-party clients.
Interface: Northbound interface
Description: For details on environment construction and service configuration using a northbound API, refer to the Northbound API Secondary Development Guide.

Administrator Permission Control


The NGFW controls administrator permissions by role and level.

l Binding the administrator role: The NGFW controls administrator permissions based on
the web-based configuration page. This method applies to web administrators.
l Specifying the administrator level: The NGFW controls administrator permissions based
on executable command levels. This method applies to CLI administrators.

The NGFW classifies roles based on permissions on web configuration items. For each web configuration item, the NGFW assigns a role the read-write permission, the read-only permission, or no permission (none).


NOTICE
l The CLI structure differs from the web UI menu. Therefore, the CLI permissions of a role do not correspond one-to-one to the operations available to that role on the web UI.
l On the administrator web UI, the configuration rights are read-write, read-only, and none; on the CLI, the rights are read-write and none only. The read-only right on the web UI is treated as the none right on the CLI. If the configuration right of a user is read-only on the web UI, the user can view the configurations on the web UI but cannot view them on the CLI.
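The following is an added example, not code from this guide or from the NGFW software, that models the permission rule in the NOTICE above: a web configuration item carries one of three rights, and the CLI collapses read-only to none. The role table in the block is a constructed subset of Table 5-2 (five modules for three of the default roles); the Permission enum, the default-deny behaviour for unknown roles or modules, and the function names are assumptions made for this example.

```python
"""Role-based permission lookup modelled on 5.2.1.1 Administrator Permission Control.

Added example, not Huawei code. ROLE_TABLE is a constructed subset of
Table 5-2; the Permission enum, default-deny for unknown roles/modules and
the function names are assumptions for this example.
"""
from enum import Enum
from typing import Dict


class Permission(Enum):
    READ_WRITE = "read-write"
    READ_ONLY = "read-only"
    NONE = "none"


# Constructed subset of Table 5-2: web configuration item -> web UI right.
ROLE_TABLE: Dict[str, Dict[str, Permission]] = {
    "system-admin": {
        "Dashboard": Permission.READ_WRITE,
        "Policy: Security Policy": Permission.READ_WRITE,
        "System: Admin": Permission.READ_WRITE,
        "Policy: Audit Policy": Permission.NONE,     # audit function excluded
        "Monitor: Audit Log": Permission.NONE,
    },
    "device-admin": {
        "Dashboard": Permission.READ_ONLY,
        "Policy: Security Policy": Permission.READ_WRITE,
        "System: Admin": Permission.NONE,
        "Policy: Audit Policy": Permission.NONE,
        "Monitor: Audit Log": Permission.NONE,
    },
    "audit-admin": {
        "Dashboard": Permission.READ_ONLY,
        "Policy: Security Policy": Permission.NONE,
        "System: Admin": Permission.NONE,
        "Policy: Audit Policy": Permission.READ_WRITE,
        "Monitor: Audit Log": Permission.READ_ONLY,
    },
}


def web_permission(role: str, module: str) -> Permission:
    """Right on a web configuration item; unknown role or item means none."""
    return ROLE_TABLE.get(role, {}).get(module, Permission.NONE)


def cli_permission(role: str, module: str) -> Permission:
    """The CLI knows only read-write and none: web read-only becomes none."""
    web = web_permission(role, module)
    return Permission.READ_WRITE if web is Permission.READ_WRITE else Permission.NONE


def can(role: str, module: str, action: str, via: str) -> bool:
    """Authorization check; action is "view" or "modify", via is "web" or "cli"."""
    if via == "web":
        perm = web_permission(role, module)
    elif via == "cli":
        perm = cli_permission(role, module)
    else:
        raise ValueError(f"unknown access path: {via}")
    if action == "modify":
        return perm is Permission.READ_WRITE
    if action == "view":
        return perm in (Permission.READ_WRITE, Permission.READ_ONLY)
    raise ValueError(f"unknown action: {action}")


if __name__ == "__main__":
    # device-admin can view the Dashboard on the web UI but not on the CLI.
    print(can("device-admin", "Dashboard", "view", "web"),
          can("device-admin", "Dashboard", "view", "cli"))
```

The practical consequence for an administrator designing user-defined roles is visible in the last lines: a role granted only read-only rights on the web UI has no corresponding CLI visibility, so operators who work on the CLI need read-write on the items they must inspect.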

Table 5-2 lists the default administrator roles of the NGFW. The NGFW also supports user-
defined administrator roles.


Table 5-2 Default administrator roles

Default role: system-admin
Description: Has all permissions except the audit function.
Read-write:
l Dashboard
l Monitor: Report, Traffic Map, Threat Map, Session Table, System Statistics, Quintuple Packet Capture, Quintuple Packet Discarding Statistics, Diagnosis Center, and Log. The log module includes the following submodules: Traffic Log, Threat Log, URL Log, Content Log, Operation Log, System Log, User Activity Log, Policy Matching Log, Mail Filtering Log
l Policy module, including the following submodules: Security Policy, NAT Policy, Bandwidth Management, Quota Control Policy, Proxy Policy, Authentication Policy, Security Protection, ASPF Configuration
l Object module, including the following submodules: Certificates, Address, Region, Service, Application, User, Device, Authentication Server, Schedule, URL Categories, Keyword Groups, Email Address Group, Signature, Link Health Check, Security Profiles (Anti-Virus, Intrusion Prevention, URL Filtering, File Blocking, Data Filtering, Application Behavior Control, Mail Filtering)
l Network module, including the following submodules: Interface, Interface Pair, Zone, DNS, DHCP Server, Router, IPSec, L2TP, GRE, DSVPN, SSL VPN, TSM Interworking
l System module, including the following submodules: Setup, Admin, Virtual System, High Availability, Agile Network Configuration, Set Mail Service, Log Configuration, License Management, Update Center, System Upgrade, Configuration File Management
l Other
Read-only: N/A
None:
l Policy: Audit Policy
l Object: Audit Configuration
l Monitor: Audit Log
l System: Audit Log Password Management

Default role: device-admin
Description: Has service configuration and device monitoring permissions.
Read-write:
l Policy module, including the following submodules: Security Policy, NAT Policy, Bandwidth Management, Quota Control Policy, Proxy Policy, Authentication Policy, Security Protection, ASPF Configuration
l Object module, including the following submodules: Certificates, Address, Region, Service, Application, User, Device, Authentication Server, Schedule, URL Categories, Keyword Groups, Email Address Group, Signature, Link Health Check, Security Profiles (Anti-Virus, Intrusion Prevention, URL Filtering, File Blocking, Data Filtering, Application Behavior Control, Mail Filtering)
l Network module, including the following submodules: Interface, Interface Pair, Zone, DNS, DHCP Server, Router, IPSec, L2TP, GRE, DSVPN, SSL VPN, TSM Interworking
l System: High Availability, Log Configuration
l Other
Read-only:
l Dashboard
l Monitor: Report, Traffic Map, Threat Map, Session Table, System Statistics, Quintuple Packet Discarding Statistics, and Log. The log module includes the following submodules: Traffic Log, Threat Log, URL Log, Content Log, User Activity Log, Policy Matching Log, Mail Filtering Log
None:
l Monitor: Quintuple Packet Capture, Diagnosis Center, and Log. The log module includes the following submodules: Operation Log, System Log, Audit Log
l Policy: Audit Policy
l Object: Audit Configuration
l System module, including the following submodules: Setup, Admin, Virtual System, Agile Network Configuration, Set Mail Service, License Management, Update Center, System Upgrade, Configuration File Management, Audit Log Password Management

Default role: device-admin (monitor)
Description: Has the device monitoring permission.
Read-write:
l Other
Read-only:
l Dashboard
l Monitor: Report, Traffic Map, Threat Map, Session Table, System Statistics, Quintuple Packet Discarding Statistics, and Log. The log module includes the following submodules: Traffic Log, Threat Log, URL Log, Content Log, User Activity Log, Policy Matching Log, Mail Filtering Log
l Policy module, including the following submodules: Security Policy, NAT Policy, Bandwidth Management, Quota Control Policy, Proxy Policy, Authentication Policy, Security Protection, ASPF Configuration
l Object module, including the following submodules: Certificates, Address, Region, Service, Application, User, Device, Authentication Server, Schedule, URL Categories, Keyword Groups, Email Address Group, Signature, Link Health Check, Security Profiles (Anti-Virus, Intrusion Prevention, URL Filtering, File Blocking, Data Filtering, Application Behavior Control, Mail Filtering)
l Network module, including the following submodules: Interface, Interface Pair, Zone, DNS, DHCP Server, Router, IPSec, L2TP, GRE, DSVPN, SSL VPN, TSM Interworking
l System: Log Configuration
None:
l Monitor: Quintuple Packet Capture, Diagnosis Center, and Log. The log module includes the following submodules: Operation Log, System Log, Audit Log
l Policy: Audit Policy
l Object: Audit Configuration
l System module, including the following submodules: Setup, Admin, Virtual System, High Availability, Agile Network Configuration, Set Mail Service, License Management, Update Center, System Upgrade, Configuration File Management, Audit Log Password Management

Default role: audit-admin
Description: Configures a dedicated administrator role for auditing policies and viewing audit logs.
Read-write:
l Policy: Audit Policy
l Object: Audit Configuration
l System: Audit Log Password Management
Read-only:
l Dashboard
l Monitor: report table, traffic map, threat map, and log. The log module includes the following submodules: Traffic Log, Threat Log, URL Log, Content Log, Operation Log, System Log, User Activity Log, Policy Matching Log, Mail Filtering Log, Audit Log
None:
l Monitor: Quintuple Packet Capture, Quintuple Packet Discarding Statistics, Session Table, System Statistics, and Diagnosis Center
l Policy module, including the following submodules: Security Policy, NAT Policy, Bandwidth Management, Quota Control Policy, Proxy Policy, Authentication Policy, Security Protection, ASPF Configuration
l Object module, including the following submodules: Certificates, Address, Region, Service, Application, User, Device, Authentication Server, Schedule, URL Categories, Keyword Groups, Email Address Group, Signature, Link Health Check, Security Profiles (Anti-Virus, Intrusion Prevention, URL Filtering, File Blocking, Data Filtering, Application Behavior Control, Mail Filtering)
l Network module, including the following submodules: Interface, Interface Pair, Zone, DNS, DHCP Server, Router, IPSec, L2TP, GRE, DSVPN, SSL VPN, TSM Interworking
l System module, including the following submodules: Setup, Admin, Virtual System, High Availability, Agile Network Configuration, Set Mail Service, Log Configuration, License Management


Copyright © Huawei Technologies Co., Ltd.
HUAWEI USG6000 Series & NGFW Module
Administrator Guide 5 System

Default Description Permission Control Modules


Role
Read-write Read-only None

– Update
Center
– System
Upgrade
– Configurati
on file
Managemen
t

NOTICE
l If an administrator account is bound to a specific role, the level of the administrator role takes precedence over the administrator level.
l If an administrator account is bound to a specific role, the level of the administrator role takes precedence over the server authorization.
l Even if an administrator account is not bound to a specific role, administrator levels and roles have the following default mapping:
  – 1: Monitoring level corresponds to Configuration administrator (monitoring).
  – 2: Configuration level corresponds to Configuration administrator.
  – 3: Management level through level 15 correspond to System administrator.
  Configuration administrator (monitoring) does not have the read-write permission for some functions. Therefore, administrators of 1: Monitoring level cannot execute some commands of 1: Monitoring level.

Besides roles, the NGFW also manages administrators hierarchically by command level.
Administrator levels range from 1 to 15. An administrator can execute only commands whose level
is lower than or equal to the administrator level, as shown in Table 5-3. Command lines have four
levels. For details, refer to the NGFW - Command Reference.

Table 5-3 Administrator levels

Administrator Level   Description
0                     Allows access to visit-level commands.
1                     Allows access to visit- and monitor-level commands.
2                     Allows access to visit-, monitor-, and configuration-level commands.
3                     Allows access to visit-, monitor-, configuration-, and management-level commands.
4 to 15               Has the same permissions as the level-3 administrator. If the command line level is
                      elevated, the administrator level (4 to 15) works with the elevated command line level.
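The level and role rules above (Table 5-3 together with the NOTICE) can be expressed as a small decision model. The following Python is an added example written for this edit, not code from the guide or from the device; it assumes default command levels (no elevation) and treats level 0, for which the page gives no role mapping, as having no default role.

```python
"""Administrator level and role rules (Table 5-3 and the NOTICE above), as a small model."""
from dataclasses import dataclass
from typing import Optional

# Command-line levels named in Table 5-3: visit, monitor, configuration, management.
COMMAND_LEVELS = {"visit": 0, "monitor": 1, "configuration": 2, "management": 3}


@dataclass
class Administrator:
    name: str
    level: int                  # administrator level 0..15 (set with "level" in the administrator view)
    role: Optional[str] = None  # role bound with "bind manager-user ... role ..."; None if unbound

    def __post_init__(self) -> None:
        if not 0 <= self.level <= 15:
            raise ValueError("administrator level must be between 0 and 15")


def default_role_for_level(level: int) -> Optional[str]:
    """Default level-to-role mapping from the NOTICE. Level 0 has no mapping on the page,
    so None is returned for it (this example's choice)."""
    if level == 1:
        return "Configuration administrator (monitoring)"
    if level == 2:
        return "Configuration administrator"
    if 3 <= level <= 15:
        return "System administrator"
    return None


def effective_role(admin: Administrator) -> Optional[str]:
    """A bound role takes precedence over the administrator level; otherwise the default mapping applies."""
    return admin.role if admin.role is not None else default_role_for_level(admin.level)


def effective_command_level(admin: Administrator) -> int:
    """Highest command level the administrator may run. Levels 4 to 15 equal level 3 unless
    command levels have been elevated; this model assumes the default command levels."""
    return min(admin.level, COMMAND_LEVELS["management"])


def can_run(admin: Administrator, command_level: int) -> bool:
    """An administrator may run a command whose level is lower than or equal to their own."""
    return command_level <= effective_command_level(admin)


if __name__ == "__main__":
    monitor = Administrator("noc-view", level=1)
    for cmd, lvl in COMMAND_LEVELS.items():
        print(f"{monitor.name} may run {cmd}-level commands: {can_run(monitor, lvl)}")
```

The model makes the two precedence rules explicit: a bound role wins over the numeric level, and levels above 3 buy nothing unless command levels are re-assigned.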

Administrator Authentication Method


The NGFW authenticates an administrator account in one of the following modes before
allowing the administrator to log in:

l Local authentication
Both the administrator account and password are stored on the NGFW.
NOTE

When a northbound API is used for login, only local authentication is supported.
l Server authentication:
– If the administrator does not use domain authentication, the administrator account must
be created on the NGFW, and the password is saved on the authentication server.
Currently, the NGFW supports four server authentication modes: AD, LDAP, RADIUS,
SecurID and HWTACACS.
– If the administrator uses domain authentication, the administrator account and password
must be created and saved on the domain authentication server. No user information
needs to be configured on the NGFW. Currently, the NGFW supports RADIUS server
authentication mode.
l Server and local authentication
The NGFW performs server authentication first. The NGFW performs local authentication
only if it fails to connect to the authentication server.
NGFW. For example, user username on virtual system vsys with domain (domainname)
authentication uses user name username@domainname@@vsys to log in to and manage the
NGFW.
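The login-name format username@domainname@@vsys can be taken apart with a short parser. The following Python is an added example, not part of the guide; the page shows only the full form, so the handling of a missing domain or virtual system (its separator is simply omitted) and the assumption that domain and vsys names contain no '@' are this example's own.

```python
"""Parser for the administrator login name format username@domainname@@vsys."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LoginName:
    user: str
    domain: Optional[str]   # authentication domain, introduced by a single '@'
    vsys: Optional[str]     # virtual system, introduced by '@@'


def parse_login_name(raw: str) -> LoginName:
    """Split a login name into user, domain and virtual system.

    Assumptions (not stated on the page): an omitted domain or vsys leaves its
    separator out, and domain and vsys names contain no '@'."""
    if not raw or raw.startswith("@"):
        raise ValueError("login name must start with a user name")
    vsys: Optional[str] = None
    if "@@" in raw:
        # '@@' is handled first so it is not mistaken for two domain separators
        raw, vsys = raw.split("@@", 1)
        if not vsys or "@" in vsys:
            raise ValueError("virtual system name is missing or malformed")
    domain: Optional[str] = None
    if "@" in raw:
        raw, domain = raw.rsplit("@", 1)      # the last single '@' separates the domain
        if not domain:
            raise ValueError("domain name is missing after '@'")
    if not raw:
        raise ValueError("user name is empty")
    return LoginName(raw, domain, vsys)


def is_valid_login_name(raw: str) -> bool:
    try:
        parse_login_name(raw)
        return True
    except ValueError:
        return False


def format_login_name(name: LoginName) -> str:
    """Inverse of parse_login_name."""
    out = name.user
    if name.domain:
        out += "@" + name.domain
    if name.vsys:
        out += "@@" + name.vsys
    return out


if __name__ == "__main__":
    print(parse_login_name("username@domainname@@vsys"))
```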

Administrator Accounts
Table 5-4 shows the default administrators of the NGFW.

Table 5-4 Default administrators

Account       Password    Role                   Description
admin         Admin@123   System administrator   The system administrator logs in to the device for the first time using the
                                                 web UI or console port and creates administrators. Only the system
                                                 administrator can create other administrators.
audit-admin   Admin@123   Audit administrator    The audit administrator configures audit policies and views audit logs.
                                                 Only the audit administrator audit-admin can set audit log permissions;
                                                 other administrators cannot.

To secure the NGFW, follow the principle of minimum authorization and plan administrator
accounts with different permissions so that accounts are not shared. If the default roles cannot
meet requirements, create new administrator roles.

5.2.1.2 Administrator Interfaces Overview


An administrator interface is a unified set of settings that applies to all administrators using a
certain login method; it is not bound to specific administrators.

When an administrator logs in, the device automatically assigns the administrator an idle
administrator interface with the minimum number by login method. The administrator interface
configurations control the login process.

Table 5-5 shows the relationship between administrator interfaces and login methods.

Table 5-5 Administrator interfaces

Login Method     Administrator Interface                     Description
Web              Web-based administrator interface           Controls web login behaviors, such as the timeout period after
                                                             login and account lockout upon failed login.
Console          Console interface                           Controls console login behaviors. There is only one console
                 (CLI administrator interface)               interface because only one administrator can log in to the device
                                                             through the console port at a time.
Telnet/STelnet   Virtual Type Terminal (VTY) interface       Controls Telnet or STelnet login behaviors. By default, the service
                 (CLI administrator interface)               supports five VTY interfaces; a maximum of 15 can be supported. The
                                                             number of VTY interfaces determines the maximum number of concurrent
                                                             Telnet or STelnet administrators. When an administrator logs in, the
                                                             device automatically assigns an idle VTY interface to the
                                                             administrator in order.
                                                             NOTICE: During Telnet login, data and passwords are transmitted in
                                                             plaintext, causing security risks. To secure data transmission, use
                                                             STelnet instead.
Web console      WCON interface                              Controls CLI console login behaviors on the web. The device supports
                 (CLI administrator interface)               a maximum of five WCON interfaces. The WCON interface is an auxiliary
                                                             tool for web administrators and cannot be customized.

CLI Administrator Interface Numbering Methods


The CLI administrator interfaces are distinguished by number. A user must access the
administrator interface view to configure functions. There are two types of CLI administrator
interface numbers.

l Relative numbers
The same type of administrator interfaces uses relative numbers, which are in the format
of type + number.
Relative numbers apply to administrator interfaces of the same type.
l Absolute numbers
Absolute numbers apply to all types of administrator interfaces on a NGFW.

Table 5-6 lists relative and absolute numbers of the console, VTY, and WCON interfaces on a
NGFW.

Table 5-6 Relative and absolute numbers of the console, VTY, and WCON interfaces

CLI Administrator Interface   Absolute Number   Relative Number
Console                       0                 CON0
VTY                           354 to 368        VTY0 to VTY14 (354 is mapped to VTY0.)
WCON                          369 to 373        WCON0 to WCON4 (369 is mapped to WCON0.)

NOTE

You can run the display user-interface command on a NGFW to display the numbers of CLI administrator
interfaces.


CLI Administrator Interface Authentication Modes


The web administrator interface does not have an independent authentication mode but uses the
administrator authentication mode. Table 5-7 lists authentication modes for CLI administrator
interfaces.

Table 5-7 Authentication modes

Authentication Mode   Console                            VTY                                Description
AAA                   Supported and enabled by default   Supported                          If Authentication, Authorization and Accounting (AAA)
                                                                                            authentication is enabled on a CLI administrator interface, an
                                                                                            administrator must enter an administrator account and a
                                                                                            password to log in to the NGFW. The administrator can log in to
                                                                                            an administrator interface only after being authenticated by
                                                                                            the NGFW. For a description of the administrator authentication
                                                                                            mode, see 5.2.1.1 Administrator Overview. By default, the local
                                                                                            account is "admin", and the password is "Admin@123".
Local                 Supported                          -                                  A NGFW authenticates an administrator based on both a local
                                                                                            account and a password. The local account and password are set
                                                                                            on the console administrator interface.
Password              Supported                          Supported and enabled by default   A NGFW authenticates an administrator based only on a password.
                                                                                            The password is set on the interface to which the administrator
                                                                                            logs in. The password mode is not widely used because it does
                                                                                            not require an administrator account and is insecure.

CLI Administrator Interface Levels


To secure the CLI administrator interface not using AAA domain authentication, you can specify
the level of the CLI administrator interface (from 1 to 15). An administrator interface of a specific
level allows an administrator to execute commands lower than or equal to the level. For example,
a level 2 interface allows an administrator to execute commands of levels 0, 1, and 2 only.
NOTE

If the CLI administrator interface uses AAA domain authentication, the administrator account level takes
precedence over the administrator interface level. The administrator interface level takes effect only when
the administrator account level is not set.

5.2.2 Configuring an Administrator Using the Web UI


This section describes how to configure an administrator on the web.


5.2.2.1 (Optional) Creating an Administrator Role


This section describes how to create an administrator role.

Step 1 Choose System > Admin > Administrator Role.

Step 2 Click Add.

Step 3 Set the administrator role parameters to the desired values.

If the operation is successful, the new administrator role is displayed on the Administrator Role
List page.

Repeat the preceding steps to add another administrator role.

Table 5-8 lists administrator role parameters.

Table 5-8 Administrator role parameters

Parameter                    Description
Name                         Name of an administrator role.
                             The value is a string of 1 to 64 characters. The name cannot contain the following
                             characters: pipe characters (|), slashes (/), backslashes (\), equal signs (=), number
                             signs (#), ampersands (&), colons (:), asterisks (*), question marks (?), quotation
                             marks ("), less than symbols (<), greater than symbols (>), or spaces.
                             The role name must be unique on a NGFW.
Description                  Description of an administrator role.
                             The value is a string of 1 to 64 characters. It cannot contain the following
                             characters: pipe characters (|), slashes (/), backslashes (\), equal signs (=), number
                             signs (#), ampersands (&), colons (:), asterisks (*), question marks (?), quotation
                             marks ("), less than symbols (<), greater than symbols (>), or spaces.
Permission Control Modules   Permission for modules. Select one of the following options:
                             l Read-write: Indicates the access and control permission on the selected content.
                             l Read-only: Indicates only the access permission on the selected content.
                             l None: Indicates no access or control permission on the selected content. This is
                               the default permission.
                             NOTE
                             l Only the default role system-admin has the Read-write permission to the SNMP
                               module, even if the Read-write permission to System > Setup has been configured
                               when a role is created.
                             l Only the system administrator has the Read-write permission to the information
                               collection function. Other roles do not have the permission even if you assign
                               it on Monitor > Diagnosis Center when creating them.


Step 4 Click OK.

----End

5.2.2.2 Creating an Administrator Account


This section describes how to configure an administrator account.

Step 1 Choose System > Admin > Administrators.

Step 2 Click Add.

Step 3 Set the administrator parameters.

The new administrator will be listed in the Administrator List.

Repeat the preceding steps to create more administrators.

Table 5-9 lists administrator parameters.

Table 5-9 Administrator parameters

Parameter                   Description
User Name                   Account of an administrator.
                            The value is a string of 1 to 64 characters and can contain letters, digits, and symbols.
                            The account must be unique on a NGFW.
Authentication Type         Authentication type for an administrator:
                            l Local Authentication: A NGFW uses the locally configured account and password to
                              authenticate an administrator before the administrator can log in to the NGFW.
                            l Server Authentication: A NGFW uses the account and password configured on an
                              authentication server to authenticate an administrator before the administrator can
                              log in to the NGFW.
                            l Server Authentication/Local Authentication: A NGFW performs server authentication
                              first and performs local authentication only if it fails to connect to an
                              authentication server.
Authentication Server       Select an existing authentication server or create an authentication server.
Password/Confirm Password   Specified password of an administrator.
                            This parameter must be specified if Authentication Mode is set to Local Authentication
                            or Server Authentication/Local Authentication.
                            To enhance security, a password must meet the minimum strength requirements, that is,
                            it must contain at least three of the following character types: uppercase letters (A
                            to Z), lowercase letters (a to z), digits (0 to 9), and special characters, such as
                            exclamation points (!), at signs (@), number signs (#), dollar signs ($), and percent
                            signs (%).
Role                        Name of an administrator role.
                            A specific role is granted specific permission. Choose System > Admin > Administrator
                            Role to view administrator roles and their permissions.
Trusted Host                IP address range of the hosts that can log in to the NGFW. The value is in the format
                            IP address/mask, for example 10.1.1.1/24 or 10.1.1.1/255.255.255.0.
                            To add an address range, click and enter the range. A maximum of 10 IP address ranges
                            can be specified.
Advanced
Service Type                Login method, which can be web, Telnet, STelnet, Console, API, FTP, or SFTP.
                            NOTE
                            l You can configure the FTP or SFTP service type only after you bind the user to a
                              system administrator role. A default FTP directory (hda1:) is delivered to the new
                              administrator when the FTP mode is specified.
                            l There are security risks if the service type is configured to be Telnet or FTP.
                              Configure the service type to be STelnet or SFTP instead.
                            l If administrator service types are changed, the service types of online
                              administrators are not changed; the new service types take effect for administrators
                              logging in after the change.
SSH Authentication          SSH authentication method used when SSH is the login method. The methods include:
                            l RSA
                            l PASSWORD-RSA: allows the NGFW to use both the Rivest-Shamir-Adleman (RSA) algorithm
                              and a password to authenticate an administrator.
                            l PASSWORD
                            l ANY: allows the NGFW to use either RSA or password authentication to authenticate an
                              administrator.
                            This item is required when you create an SSH authentication account. The default
                            authentication method is PASSWORD.
RSA Key                     Value of an RSA key used to authenticate an administrator. This parameter can be
                            configured only when SSH Authentication Mode is set to RSA, PASSWORD-RSA, or ANY.
                            To set an RSA key, perform either of the following operations:
                            l Select an existing RSA key.
                            l Create an RSA key:
                              1. Click Manage RSA Key.
                              2. Click Add.
                              3. Enter a name in the Public Key Name text box.
                              4. Select the format of the RSA peer public key in Type. The format can be DER, PEM,
                                 or OPENSSH. The default format is DER.
                              5. Enter the key of the RSA peer in the Key text box. The key is generated by an SSH
                                 client; copy and paste it into the Key text box.
                              6. Click Apply.

NOTE

By default, an administrator created using the web UI can log in to the device from a web page.
Interface access control, the administrator service type, and the services enabled on the device together
determine the login method. For example, if an administrator wants to log in using HTTPS through the
management interface, the management interface must allow HTTPS access, the administrator account must
support HTTPS, and the HTTPS service must be enabled on the device. For the detailed configuration process,
see Configuration Examples.

Step 4 Click OK.

----End
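The rules in Table 5-8 (role name characters and length) and Table 5-9 (password character types, trusted-host format, service-type restrictions) are easy to check before an account is created. The following Python is an added example, not code from the guide or the device; the dictionary keys, the role name system-admin (the default role named in the NOTE to Table 5-8) and the use of string.punctuation as the special-character set are this example's assumptions.

```python
"""Pre-checks for administrator role and account parameters (Tables 5-8 and 5-9)."""
import ipaddress
import string

# Characters that Table 5-8 forbids in a role name or description.
FORBIDDEN_NAME_CHARS = set('|/\\=#&:*?"<> ')
MAX_TRUSTED_HOSTS = 10
# Plaintext service types and the secure replacement the page recommends.
RISKY_SERVICE_TYPES = {"telnet": "stelnet", "ftp": "sftp"}


def validate_role_name(name: str) -> list:
    """Return the rule violations for an administrator role name (empty list if valid)."""
    problems = []
    if not 1 <= len(name) <= 64:
        problems.append("role name must be 1 to 64 characters")
    bad = sorted(set(name) & FORBIDDEN_NAME_CHARS)
    if bad:
        problems.append("role name contains forbidden characters: " + " ".join(repr(c) for c in bad))
    return problems


def password_meets_policy(password: str) -> bool:
    """At least three of the four character types must be present. The page only lists examples
    of special characters; string.punctuation is used as the special-character set (assumption)."""
    classes = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(classes) >= 3


def parse_trusted_host(entry: str) -> ipaddress.IPv4Network:
    """Accept both forms shown on the page: 10.1.1.1/24 and 10.1.1.1/255.255.255.0."""
    addr, sep, mask = entry.partition("/")
    if not sep:
        raise ValueError("trusted host must be written as address/mask")
    # strict=False tolerates host bits, so 10.1.1.1/24 becomes the network 10.1.1.0/24
    return ipaddress.IPv4Network((addr, mask), strict=False)


def validate_trusted_hosts(entries: list) -> list:
    problems = []
    if len(entries) > MAX_TRUSTED_HOSTS:
        problems.append(f"at most {MAX_TRUSTED_HOSTS} trusted host ranges may be specified")
    for entry in entries:
        try:
            parse_trusted_host(entry)
        except ValueError as exc:  # AddressValueError / NetmaskValueError are ValueErrors
            problems.append(f"{entry}: {exc}")
    return problems


def review_service_types(service_types: list, role: str) -> list:
    """Warn about Telnet/FTP, and about FTP/SFTP on accounts not bound to the system-admin role."""
    warnings = []
    for service in (s.lower() for s in service_types):
        if service in RISKY_SERVICE_TYPES:
            warnings.append(f"{service} transmits data in plaintext; use {RISKY_SERVICE_TYPES[service]} instead")
        if service in ("ftp", "sftp") and role != "system-admin":
            warnings.append(f"{service} requires the account to be bound to a system administrator role")
    return warnings


def validate_administrator(spec: dict) -> list:
    """Combine the checks for one account description (keys are this example's own naming)."""
    problems = []
    if not 1 <= len(spec.get("user_name", "")) <= 64:
        problems.append("user name must be 1 to 64 characters")
    if spec.get("auth_type") in ("local", "server/local") and not password_meets_policy(spec.get("password", "")):
        problems.append("password must contain at least three of: uppercase, lowercase, digits, special characters")
    problems += validate_trusted_hosts(spec.get("trusted_hosts", []))
    problems += review_service_types(spec.get("service_types", []), spec.get("role", ""))
    return problems


if __name__ == "__main__":
    # Constructed account description, not from any real device.
    print(validate_administrator({"user_name": "ops2", "auth_type": "local", "password": "password",
                                  "role": "audit-admin", "trusted_hosts": ["10.1.1.1"],
                                  "service_types": ["telnet"]}))
```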

Follow-up Procedure
Modify administrator parameters. You can click of the administrator whose parameters need
to be modified.


NOTE
To change the password of an administrator, enter the current administrator account password in the Please
input the administrator current password dialog box that is displayed and then click Confirm.

5.2.2.3 Configuring Device Services


This section describes how to enable the HTTP, HTTPS, and SSH services of the NGFW.

Configuring the HTTP or HTTPS Service


An administrator can access the web configuration UI of the NGFW using the HTTP or HTTPS
service for intuitive configuration and management.
HTTP and HTTPS services have been enabled on the NGFW by default. HTTPS is more secure
than HTTP, and therefore the HTTPS service is recommended.
NOTE

l If HTTP or HTTPS is used to log in to the NGFW, do not disable that service; otherwise, normal
service access is interrupted.
l Before changing the HTTP or HTTPS port number, disable the HTTP or HTTPS service.

Step 1 Choose System > Admin > Settings.


Step 2 Perform one of the following operations:
l Select Enable for HTTP Service.
l Select Enable for HTTPS Service.
l Select Enable for both services.
Step 3 Optional: Select Enable for Redirect HTTP to HTTPS.
After Redirect HTTP to HTTPS is enabled, the NGFW automatically redirects HTTP access to the web UI
to HTTPS.
Step 4 Enter a port number in HTTP Port, HTTPS Port, or both service ports.
The default HTTP port number is 80, and the default HTTPS port number is 8443.
Step 5 Optional: Enter a timeout period in Web Timeout.
If you do not perform any action before the specified web service timeout period elapses, the
NGFW displays a web service timeout message prompting you to log in again.
The default timeout period is 10 minutes. Using the default value is recommended.
Step 6 Click Apply.

----End

Enabling the Telnet Service

NOTICE
During Telnet login, data and passwords are transmitted in plaintext mode, causing security
risks. To secure data transmission, use STelnet instead.


The NGFW functions as a Telnet server; the Telnet service on the NGFW provides CLI access.

1. Choose System > Admin > Settings.


2. Select Enable for Telnet Service.
3. Click Apply.

Enabling the STelnet or SFTP Service


SSH Telnet (STelnet) is a secure Telnet service. The NGFW functions as the STelnet server: it
authenticates clients and encrypts the data exchanged with them. STelnet on the NGFW provides secure
CLI access.

SSH FTP (SFTP) is a secure FTP service. The NGFW functions as the SFTP server: it authenticates
clients and encrypts the data exchanged with them. SFTP on the NGFW provides secure file transfer
services.

Step 1 Choose System > Admin > Settings.

Step 2 Expand SSH Configuration, perform one of the following operations:


l Select Enable for STelnet Service.
l Select Enable for SFTP Service.

Step 3 Set the following parameters.

Table 5-10 System parameters

Parameter                 Description
SSH Port                  Number of the listening port for STelnet or SFTP.
                          On a NGFW SSH server providing STelnet and SFTP services, if a new port number is set,
                          the NGFW must disconnect all existing STelnet and SFTP connections to clients, and
                          connections to clients are then re-established using the new port number.
Authentication Times      Maximum number of SSH authentication attempts allowed. If the number of failed attempts
                          reaches the maximum, the NGFW locks out the administrator for 10 minutes.
Authentication Timeout    Timeout period (seconds) for SSH user authentication. If an SSH client fails to be
                          authenticated within the specified period, the SSH client must re-initiate an SSH
                          connection.
Key Generation Interval   Interval (hours) at which a NGFW SSH server generates a new key.
SSH User Level            Level of an administrator that uses SSH to log in to a NGFW. A larger value indicates a
                          higher level.

Step 4 Click Apply.

----End


Configuring the Northbound Interface


Northbound interfaces provide application programs with a defined set of rules and requirements for
communicating with the NGFW.

The northbound interfaces use HTTP or HTTPS to communicate with third-party clients. For
details on environment construction and service configuration using a northbound API, refer to
the Northbound API Secondary Development Guide.

Step 1 Choose System > Admin > Settings.

Step 2 Select Enable for HTTP Service or HTTPS Service.

Step 3 In HTTP Port or HTTPS Port, enter a port number.

The default HTTP port is 8448, and the default HTTPS port is 8447.

Step 4 Optional: In Session Timeout, enter a timeout duration.

Session Timeout: If no operation is performed in the specified duration and you attempt to
perform an operation again, you are prompted with a login timeout message and required to re-
log in.

You are advised to use the default timeout duration, which is 90 seconds.

Step 5 Click Apply.

----End
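The settings in this section can be reviewed against the recommendations it states (HTTPS rather than HTTP, STelnet rather than Telnet, the default timeouts). The following Python is an added example, not part of the guide; the settings dictionary and its keys are a constructed model of the fields on System > Admin > Settings, not a device export.

```python
"""Review of management-plane service settings against the recommendations in 5.2.2.3."""

# Defaults stated on the page: web HTTP 80 / HTTPS 8443 with a 10-minute timeout;
# northbound API HTTP 8448 / HTTPS 8447 with a 90-second session timeout.
WEB_TIMEOUT_DEFAULT_MIN = 10
API_SESSION_TIMEOUT_DEFAULT_S = 90


def review_management_services(cfg: dict) -> list:
    """Return findings for a settings dict whose keys (assumed naming for this example)
    mirror the fields of System > Admin > Settings."""
    findings = []
    if cfg.get("telnet"):
        findings.append("Telnet service enabled: data and passwords are transmitted in plaintext; use STelnet instead")
    if not cfg.get("http") and not cfg.get("https"):
        findings.append("HTTP and HTTPS both disabled: web UI logins are not possible")
    elif cfg.get("http") and not cfg.get("redirect_http_to_https"):
        findings.append("HTTP enabled without Redirect HTTP to HTTPS: HTTPS is recommended for web logins")
    if cfg.get("web_timeout_min", WEB_TIMEOUT_DEFAULT_MIN) > WEB_TIMEOUT_DEFAULT_MIN:
        findings.append(f"Web Timeout above the recommended default of {WEB_TIMEOUT_DEFAULT_MIN} minutes")
    if cfg.get("api_session_timeout_s", API_SESSION_TIMEOUT_DEFAULT_S) > API_SESSION_TIMEOUT_DEFAULT_S:
        findings.append(f"Northbound Session Timeout above the recommended default of {API_SESSION_TIMEOUT_DEFAULT_S} seconds")
    return findings


def harden(cfg: dict) -> dict:
    """Return a copy with the settings the page recommends: STelnet instead of Telnet,
    HTTP redirected to HTTPS, and the default timeouts."""
    fixed = dict(cfg)
    if fixed.get("telnet"):
        fixed["telnet"] = False
        fixed["stelnet"] = True
    if fixed.get("http"):
        fixed["https"] = True
        fixed["redirect_http_to_https"] = True
    fixed["web_timeout_min"] = min(fixed.get("web_timeout_min", WEB_TIMEOUT_DEFAULT_MIN), WEB_TIMEOUT_DEFAULT_MIN)
    fixed["api_session_timeout_s"] = min(fixed.get("api_session_timeout_s", API_SESSION_TIMEOUT_DEFAULT_S),
                                         API_SESSION_TIMEOUT_DEFAULT_S)
    return fixed


# Constructed sample settings (not taken from any real device).
WEAK_SETTINGS = {
    "http": True, "https": True, "redirect_http_to_https": False,
    "http_port": 80, "https_port": 8443, "web_timeout_min": 60,
    "telnet": True, "stelnet": False, "sftp": True,
    "api_http_port": 8448, "api_https_port": 8447, "api_session_timeout_s": 600,
}

if __name__ == "__main__":
    for finding in review_management_services(WEAK_SETTINGS):
        print("-", finding)
    print("after hardening:", review_management_services(harden(WEAK_SETTINGS)))
```

Running the review over a settings export before and after a change gives a quick regression check that a plaintext management protocol or an overlong session timeout has not crept back in.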

5.2.3 Configuring an Administrator Using the CLI


This section describes how to configure an administrator using the CLI.

5.2.3.1 (Optional) Creating an Administrator Role


If the default administrator role cannot meet requirements, you can define new administrator
roles.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the AAA view.


aaa

Step 3 Create an administrator role and access the administrator role view.
role role-name

Step 4 Optional: Rename an administrator role.


rename new-role-name

Step 5 Optional: Add a description of an administrator role.


description description-information


Step 6 Grant the role the permission for configuration modules.

Operation                                     Command
Grant permission for the dashboard module.    dashboard { none | read-only | read-write }
Grant permission for the monitor module.      monitor [ feature-name &<1-17> ] { none | read-only | read-write }
Grant permission for the network module.      network [ feature-name &<1-13> ] { none | read-only | read-write }
Grant permission for the object module.       object [ feature-name &<1-21> ] { none | read-only | read-write }
Grant permission for the policy module.       policy [ feature-name &<1-8> ] { none | read-only | read-write }
Grant permission for the system module.       system [ feature-name &<1-11> ] { none | read-only | read-write }

----End

5.2.3.2 Creating an Administrator Account (Local Authentication)


This topic describes how to create an administrator account for local authentication.

Procedure
Step 1 Set the authentication mode to AAA for the administrator UI.
1. Run the system-view command to access the system view.
2. Run the user-interface [ ui-type ] first-ui-number [ last-ui-number ] command to access
the administrator user interface view.
3. Run the authentication-mode aaa command to set the authentication mode to AAA.
4. Run quit to return to the system view.

Step 2 Create an administrator.


1. Run the aaa command to access the AAA view.
2. Run the manager-user user-name command to configure an administrator account and
access the administrator view.
3. In the administrator view, run the level level command to set the administrator level.
NOTE
If administrator permission levels are changed, the permission levels of online administrators are not
changed, but for the administrators logging in after permission levels are changed, the new permission
levels take effect.

4. Run the service-type { api | { ftp | ssh | telnet | terminal | web } * } command to set the
service type for the administrator account.

By default, no service type is specified for an administrator created using the CLI.


NOTE

You can configure the FTP service type only after you bind the user to a system administrator role
(administrator of level 3 or above).
There are security risks if the service type is configured to be Telnet or FTP. It is therefore suggested
to configure the service type to be SSH.
Interface access control, administrator service type, and enabled service on the device determine the
login method. For example, if an administrator wants to log in using HTTPS through the management
interface, the management interface must enable the HTTPS access control, the administrator account
must support HTTPS, and the device must enable HTTPS. For detailed configuration process, see
Configuration Examples.
If administrator service types are changed, the service types of online administrators are not changed,
but for the administrators logging in after service types are changed, the new service types take effect.
5. Run the password cipher cipher-password command to set a password for the
administrator account.
NOTE
To enhance security, a password must meet the minimum strength requirements, that is, the password
needs to contain at least three types of the following characters: uppercase letters (A to Z), lowercase
letters (a to z), digits (0 to 9), and special characters, such as exclamation points (!), at signs (@),
number signs (#), dollar signs ($), and percent (%).
6. Run the quit command to return to the AAA view.

Step 3 Set the administrator authentication mode to local authentication.


NOTE
By default, the authentication scheme is default, and the administrator authentication mode is local (local
authentication).
1. Run the authentication-scheme scheme-name command to create an authentication
scheme and access the authentication scheme view.
2. Run the authentication-mode local command to configure the local authentication.
3. Run the quit command to quit the AAA view.

Step 4 Optional: Create an authentication domain.


1. Run the domain domain-name command to create a domain and access the domain view.
2. Run the authorization-scheme scheme-name command to bind the authentication scheme
to the domain.

Step 5 Configure the permission and other attributes for the administrator account.
1. Control the administrator permission based on the administrator role.
NOTE
The administrator role takes precedence over the administrator level. If an administrator is bound to a
role, the administrator level does not take effect.
In the AAA view, run the bind manager-user manager-name role role-name command
to bind the administrator account to a role.
2. Optional: Enable the function of locking out the administrators that fail the authentication.

This function does not apply to the system administrator admin or to console administrators.
After an administrator account is locked, logging in with the account fails even if the IP
address is changed or another login method (except the console port) is used. The
administrator account is unlocked only after the lockout duration expires.


a. Run the lock-authentication enable command to enable the administrator account


lockout function.
b. Run the lock-authentication failed-count count command to set the limit of login
authentication attempts.
c. Run the lock-authentication timeout timeout command to set the lockout duration
for administrator accounts.
3. Optional: Configure attributes for the administrator account.

Operation                                                        Command
Configure an FTP directory.                                      ftp-directory directory
    NOTE: If administrator FTP directories are changed, the FTP
    directories of online administrators are not changed; the
    new FTP directories take effect for administrators logging
    in after the change.
Set the maximum number of users logged in with the same          access-limit max-number
administrator account.
Specify the status of an administrator account.                  state { active | block }
    You can specify either of the following parameters:
    l active: The administrator account is available.
    l block: The administrator account is unavailable.
Bind the administrator account to an ACL.                        acl-number acl-number
    Before binding, run the rule command to configure the ACL
    rule.
Configure the validity period of the user password.              password valid-days days

----End

5.2.3.3 Creating an Administrator Account (Server Authentication)


This topic describes how to create an administrator account for server authentication.

Procedure
Step 1 Set the authentication mode to AAA for the administrator UI.
1. Run the system-view command to access the system view.
2. Run the user-interface [ ui-type ] first-ui-number [ last-ui-number ] command to access
the administrator user interface view.

3. Run the authentication-mode aaa command to configure the AAA authentication mode.
4. Run the quit command to return to the system view.

Step 2 Set the administrator authentication mode to server authentication.


NOTE
By default, the authentication scheme is default, and the administrator authentication mode is local (local
authentication).
1. Configure the authentication scheme.
a. Run the quit command to access the AAA view.
b. Run the authentication-scheme scheme-name command to create an authentication
scheme and access the authentication scheme view.
c. Run the authentication-mode { ad | hwtacacs | ldap | radius } command to configure
the authentication mode.
d. Run the quit command to return the AAA view.
2. Configure the authorization scheme.
a. Run the authorization-scheme scheme-name command to create an authorization
scheme.
b. Configure the authorization mode. The default mode is local, indicating local
authorization.
l Run the authorization-mode hwtacacs command to set the HWTACACS
authorization mode for user name-based authorization.
For the NGFW, HWTACACS authorization supports not only user-specific
authorization, but also command-specific authorization. After command-specific
authorization is enabled and an administrator of a specific level logs in to the
NGFW, the commands that the administrator enters can be executed only after
being authorized by the HWTACACS server. Configure command-specific
authorization.
1) Run the authorization-cmd privilege-level hwtacacs [ local ] command to
configure the command-specific authorization for an administrator of a
specific level.
To enable the command-specific authorization, you must configure a
HWTACACS server template on the NGFW, apply this template in the view
of the domain to which the administrator of the specific level belongs, and
perform the following configurations on the HWTACACS server:
– Add administrator information on the HWTACACS server.
– Specify the commands to be authorized on the HWTACACS server for
the user group to which the administrator belongs.
For how to create an administrator and configure the commands to be
authorized by user group, refer to HWTACACS server documents.
By default, the command-specific authorization is disabled. That is, an
administrator of any level can execute only commands of or below its level
after logging in to the NGFW.

NOTE
HWTACACS command-based authorization is independent from authorization
modes (authorization-mode) and authentication modes (authentication-mode). That
is, even if HWTACACS command-based authorization is implemented on an
administrator, non-HWTACACS authentication and authorization modes can be
implemented on this administrator as well.
2) Run the authorization-cmd no-response-policy { online | offline [ max-times
max-times-value ] } command to configure the no-response policy that applies
when the HWTACACS server is unavailable or when no administrator is
configured on the NGFW.
By default, an administrator can remain online even if the command-specific
authorization fails.
l Run the authorization-mode local command to set the local authorization mode
for user name-based authorization.
If only RADIUS server authentication is configured for the administrator, the
administrator level can be set through the command line. By default, the
administrator level is 0 for Telnet and login modes other than web login. The
administrator level is 1 for web login.
1) Run the user privilege level level command to set the administrator level for
Telnet login. The default value is 0.
2) Run the web-manager user privilege level privilege-level command to set
the administrator level for web login. The default value is 1. Note that only
web administrators at level 3 or higher can log in to the device.
c. Run the quit command to return to the AAA view.
3. Configure the authentication server based on the authentication and authorization schemes.
When an authentication server is used to authenticate administrator accounts, the NGFW
acts as the proxy client for the authentication server and sends the user name and password
to the server for authentication. For details, see 11.6.6 Configuring an Authentication
Server.

Step 3 Bind the authentication scheme for the administrator account or domain based on the server
authentication mode and reference the server template.
l Bind the authentication scheme for the administrator and reference the template based on the
server authentication mode.
If administrator domain authentication is not used, the administrator account must be created
on the NGFW, and the password is saved on the authentication server. After an administrator
is created, the administrator uses User Name/Password to log in to and manage the
NGFW.
– In the AAA view, run the manager-user user-name command to configure an
administrator account and access the administrator view.
– Run the service-type { ftp | ssh | telnet | terminal | web } * command to set the service type
for the administrator account.
By default, no service type is specified for an administrator created using the CLI.

NOTE
You can configure the FTP service type only after you bind the user to a system administrator role.
There are security risks if the service type is set to Telnet or FTP, so it is recommended to set the
service type to SSH.
For the NGFW to support SSH server authentication, you need to run the ssh authentication-type
default password command in the system view first.
Interface access control, administrator service type, and enabled service on the device determine
the login method. For example, if an administrator wants to log in using HTTPS through the
management interface, the management interface must enable the HTTPS access control, the
administrator account must support HTTPS, and the device must enable HTTPS. For the detailed
configuration process, see Configuration Examples.
If administrator service types are changed, the service types of online administrators are not
changed, but for the administrators logging in after service types are changed, the new service types
take effect.
– Run the authorization-scheme scheme-name command to bind the authentication
scheme for the administrator account.
– Reference the server template.
– Run the radius-server template-name command to reference the RADIUS server
template.
– Run the hwtacacs-server template-name command to apply the HWTACACS server
template.
– Run the ad-server template-name command to reference the AD server template.
– Run the ldap-server template-name command to reference the LDAP server template.
– Run the securid-server template-name command to reference the SecurID server
template.
l Create an authentication domain.
If administrator domain authentication is used, the administrator account and password must
be created and saved on the authentication server. The NGFW does not have user information
configured. After an administrator is created, the administrator uses User
Name@Authentication Domain/Password to log in to and manage the NGFW.
NOTE

When administrator domain authentication is used, the administrator does not have any role. The
administrator level is set on the server. If not configured, the administrator level is determined by
command line authorization.
The administrator with server domain authentication has all service types without additional
configuration.
– Create an administrator on the server. For details, see the server-related document.
– Run the domain domain-name command to create a domain (user group) and access the
domain view.
– Run the service-type { access | internet-access | administrator-access } * command to
configure access control for the authentication domain.
– Run the authorization-scheme scheme-name command to bind the authentication
scheme to the domain.
The authentication scheme configured in the domain view must be the same as that
configured in the AAA view.
– Optional: Run the authorization-scheme scheme-name command to configure the
authorization scheme for the domain.

This authentication scheme must be the same as that configured in the AAA view.
– Apply the server template based on the selected authentication server.
Run the radius-server template-name command to apply the RADIUS server template.

Step 4 Configure the permission and other attributes for the administrator account.

If no authentication domain is planned for the administrator, the administrator account is created
on the local device, and other functions can be configured for the administrator account as
required.

1. Control the administrator permission based on the administrator role or level.
NOTE
The administrator role takes precedence over the administrator level. If an administrator is bound to a
role, the administrator level does not take effect.
l In the administrator view, run the level level command to set the administrator level.
NOTE
If administrator permission levels are changed, the permission levels of online administrators are
not changed, but for the administrators logging in after permission levels are changed, the new
permission levels take effect.
l In the AAA view, run the bind manager-user manager-name role role-name command
to bind the administrator account to a role.
2. Optional: Enable the function of locking out the administrators that fail the authentication.

This function is invalid to the system administrator admin and console administrators.
After an administrator account is locked, using the account to log in fails even if the IP
address is changed or another mode (except the console port mode) is used. The
administrator account is unlocked only after the lockout duration expires.

a. Run the lock-authentication enable command to enable the administrator account
lockout function.
b. Run the lock-authentication failed-count count command to set the limit of login
authentication attempts.
c. Run the lock-authentication timeout timeout command to set the lockout duration
for administrator accounts.
3. Optional: Configure attributes for the administrator account.

Operation: Configure an FTP directory.
Command: ftp-directory directory
NOTE
If administrator FTP directories are changed, the FTP directories of online administrators are
not changed, but for the administrators logging in after FTP directories are changed, the new
FTP directories take effect.

Operation: Set the maximum number of logged-in users with the same administrator account.
Command: access-limit max-number

Operation: Specify the status of an administrator account.
Command: state { active | block }
You can specify either of the following parameters:
l active: The administrator account is available.
l block: The administrator account is unavailable.

Operation: Bind the administrator account to the ACL.
Command: acl-number acl-number
Before binding, run the rule command to configure the ACL rule.

Operation: Configure the validity period for the user password.
Command: password valid-days days

----End

5.2.3.4 (Optional) Configuring the Web UI


This section describes how to configure the administrator web UI.

Context
The NGFW supports user login to the web UI through HTTP and HTTPS by default. The default
HTTP port is 80, and the default HTTPS port is 8443.

NOTE
HTTPS is more secure than HTTP. Therefore, you are advised to use HTTPS. If you do not need to log in
to the NGFW through HTTP, run the undo web-manager enable command to disable the HTTP service
to prevent security risks.

Procedure
Step 1 Access the system view.
system-view

Step 2 Configure a web service. You can configure HTTP or HTTPS with a default certificate, or
HTTPS with a specified certificate.
l Configure HTTP.
NOTE
If you do not use the default port to log in, run the undo web-manager enable command in advance
to disable the HTTP service and default port 80. Then enable the HTTP service again.

1. Run the web-manager enable [ port port-number ] command to enable the HTTP
service.
2. Optional: Run the web-manager redirect https enable command to enable the function
of redirecting HTTP access to web services to HTTPS access.
l Configure HTTPS with a default certificate.
When a PC (client) attempts to use HTTPS to log in to a NGFW, the NGFW (server) delivers
a default certificate to the PC. The certificate is assigned by an unknown Certificate
Authority (CA). The PC cannot verify the certificate, and is therefore vulnerable to attacks.
NOTE
If you do not use the default port to log in, run the undo web-manager security enable port port-
number command in advance to disable the HTTPS service and default port 8443. Then enable the
HTTPS service again.

1. Run the web-manager security enable port port-number command to enable the
HTTPS service.
2. Specify an SSL protocol and an encryption algorithm.
The NGFW (server) and a PC (client) must run the same SSL protocol and use the
same encryption algorithm. An inconsistency causes an SSL negotiation failure.
a. Specify an SSL or TLS protocol.
web-manager security version { { sslv3 | tlsv1 | tlsv1.1 | tlsv1.2 } * | all }
By default, the NGFW supports SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.
b. Specify an encryption algorithm.
web-manager security cipher-suit { { medium-strength | high-strength } * |
all }
By default, the NGFW supports medium and strong encryption algorithms.
l Configure HTTPS with a specified certificate.
When a PC (client) uses HTTPS to log in to a NGFW, the NGFW (server) delivers a
specified certificate to the PC. The certificate is assigned by a CA that the PC can recognize.
Therefore the PC can establish a secure connection to the NGFW based on the valid
certificate.
NOTE

The certificate can be issued by a worldwide known certificate authority or a PC that supports the
certificate service. The PC must import a CA certificate before being able to authenticate a certificate
sent by the NGFW.

1. The NGFW generates a certificate request file, sends the file to the CA server to apply
for the certificate, and imports the local certificate to the NGFW. For the configuration
procedure, see 12.7 Certificate.
2. Optional: Import into the browser the CA certificate obtained from the CA server to
which the NGFW applied for its certificate. For details, see the instructions for Firefox
or Internet Explorer.
NOTE
Although the client can still access the NGFW through HTTPS even if the CA certificate is not
imported to the browser, the client cannot authenticate the access and is vulnerable to attacks.
3. Configure the NGFW to send a certificate to the client when the client accesses the
NGFW through HTTPS.
web-manager security server-certificate file-name

4. Enable HTTPS.
web-manager security enable port port-number
Enter the address of a NGFW following the string of "https://" in the address bar on
the web browser of the PC to log in to the NGFW. Ensure that the address is the same
as that specified in the certificate.
5. Configure an SSL or TLS protocol and an encryption algorithm. For the configuration
procedure, see Configuring an SSL or TLS Protocol and an Encryption
Algorithm.

Step 3 Optional: Set the timeout period for a web service.

web-manager timeout minutes

The default timeout period is 10 minutes.

Step 4 Optional: Enable the authentication failure-triggered lockout function so that the NGFW
automatically locks out an administrator account if the administrator fails to log in to the Web
UI after a specified number of consecutive attempts.
NOTE
The blacklist duration is the duration in which the interface is locked.

1. Return to the system view.
quit
2. Set the maximum number of failed authentication attempts.
firewall blacklist authentication-count login-failed authentication-times
By default, the web administrator account is blacklisted for 10 minutes after three
consecutive authentication failures. The lockout duration cannot be modified.

----End

5.2.3.5 (Optional) Managing a CLI Administrator Interface


This section describes how to manage a CLI administrator interface, how to set console
attributes, how to configure administrator interfaces to exchange messages, and how to log out
online administrators.

Configuring a CLI Administrator Interface


Step 1 Access the system view.

system-view

Step 2 Optional: Set the maximum number of available VTY interfaces.

user-interface maximum-vty number

Existing VTY interfaces keep the levels and authentication parameters that were assigned to them
manually. If the new maximum number of VTY interfaces is greater than the number of existing
VTY interfaces, specify a level and, for the password authentication mode, a password for each
new VTY interface. You can also specify another authentication mode.

NOTE
By default, the maximum number of VTY administrator interfaces is five.

Step 3 Access the CLI administrator interface view.

user-interface [ ui-type ] first-ui-number [ last-ui-number ]

Step 4 Optional: Enable a terminal service.

shell

By default, the terminal service is enabled on all CLI administrator interfaces.

Step 5 Optional: Configure the CLI administrator interface.

Operation: Set the timeout period after which a connection between a NGFW and an
administrator PC is disconnected.
Command: idle-timeout minutes [ seconds ]
The default timeout period is 10 minutes.

Operation: Set the maximum number of lines on each screen.
Command: screen-length screen-length
By default each screen displays a maximum of 24 lines.

Operation: Set the size of the historical command buffer.
Command: history-command max-size size-value
By default, the buffer caches a maximum of 10 historical commands.

Operation: Specify a command that a NGFW automatically executes after an administrator logs in
to the NGFW.
Command: auto-execute command command
The console interface does not support this command.

Operation: Set the CLI administrator interface priority.
Command: user privilege level level

Operation: Bind a CLI administrator interface to an access control list (ACL).
Command: acl acl-number { inbound | outbound }
You can specify either of the following parameters:
l inbound: permits a host request with a specified address or address range to log in to the
NGFW.
l outbound: permits a request to log in to another device through the NGFW.

NOTE
By default, a VTY interface supports SSH and Telnet.

Step 6 Specify an authentication mode.

NOTE

l If password, local, or AAA authentication is specified and no level is specified for an administrator
account for AAA authentication, the highest level of commands that an administrator can access is
determined by the CLI administrator interface level.
l If AAA authentication is enabled and a level is specified for an administrator account, the highest level
of commands that an administrator can access is determined by the administrator account level.
l After an authentication mode is specified, the default authentication mode does not take effect. Keep
the new account and password (if configured) secure.

Configure an authentication mode.
l Configure AAA authentication.
1. Specify the AAA authentication mode.
authentication-mode aaa
2. Configure an administrator. For the configuration procedure, see Creating an
Administrator Account.
l Configure local authentication.
NOTE
Only the console interface supports local authentication.
Configure a local administrator account and password.
authentication-mode local user username password cipher password
l Configure password authentication.
Specify the password authentication mode and password.
authentication-mode password [ cipher password ]
NOTE

The interactive mode is recommended for creating administrator passwords because the passwords
configured by the cipher password command are not safe.

Step 7 Optional: Enable the NGFW to automatically lock out an administrator account if the
administrator fails to log in to a CLI administrator interface for a specified number of times.

This function improves the CLI administrator interface security.

Configure this function on either of the following interfaces:

l Console interface
By default, if an administrator fails to be authenticated three consecutive times on a console
interface, the interface is locked out for 10 minutes. Within the lockout period, the administrator
cannot be authenticated.
1. Access the Console interface view.
user-interface console first-ui-number
2. Set the maximum number of failed authentication attempts.
lock authentication-count count
3. Set the lockout duration.
lock lock-timeout timeout
l VTY interface

An administrator who fails authentication three consecutive times on the VTY interface is locked
out for 10 minutes (the administrator cannot be authenticated again within those 10 minutes).
NOTE

The function of setting the maximum number of failed VTY interface authentication attempts applies
only to Telnet administrators.
The function of setting the VTY interface lockout duration applies only to Telnet and SSH
administrators.

1. Return to the system view.
quit
2. Access the VTY interface view.
user-interface vty first-ui-number [ last-ui-number ]
3. Set the maximum number of failed authentication attempts.
lock authentication-count count
4. Set the lockout duration (minutes).
lock lock-timeout timeout
NOTE
If a Telnet or SSH administrator enters incorrect user names and passwords on a CLI
administrator interface for a specified number of times, the NGFW blacklists the IP address of
the PC used by the administrator and locks out the administrator interface.

----End

Configuring Attributes of the Console Port


An administrator can log in to the console interface through a console port on a NGFW. The
NGFW must have the same console port settings as an administrator host to log in to the
NGFW.

Step 1 Access the system view.
system-view

Step 2 Access the administrator interface view.
user-interface console interface-number

Step 3 Set console port attributes.

Operation: Set the transmission rate.
Command: speed speed-value
The default rate is 9600 bit/s.

Operation: Specify a flow control mode.
Command: flow-control { hardware | none | software }
The default mode is none.

Operation: Specify a parity mode.
Command: parity { even | mark | none | odd | space }
The default mode is none.

Operation: Set stop bits.
Command: stopbits { 1.5 | 1 | 2 }
The default stop bit is 1.

Operation: Set data bits.
Command: databits { 5 | 6 | 7 | 8 }
The default data bits are 8.

----End

Sending Messages to Another CLI Administrator Interface


Administrator interfaces can exchange messages.

Step 1 In the user view, enable the current interface to send messages to another administrator interface.
send { all | ui-type ui-number | ui-number }

Step 2 Enter a message to be sent and press Ctrl+Z or Enter to send the message.

----End

Logging Out Online Administrators of Another CLI Administrator Interface


You can log out an online administrator that has logged in to another administrator interface.

Step 1 View online administrator information, including interfaces to which the administrators log in.
Write down the administrators to be logged out and their administrator interfaces.
display users

Step 2 In the user view, specify an interface to which administrators logged in are to be logged out.
free user-interface { ui-number | ui-type ui-number }

Step 3 Perform either of the following operations:
l Enter y and press Enter to log out the administrator that logs in to a specified administrator
interface.
l Enter n and press Enter to cancel the logout operation.

----End

5.2.3.6 Maintaining CLI Administrator Interfaces and Administrator Accounts


You can view information about CLI administrator interfaces and administrator accounts.

Run the commands listed in Table 5-11 in any view to display information about CLI
administrator interfaces and administrator accounts.

Table 5-11 Displaying information about CLI administrator interfaces and administrator
accounts

Action: Modify the current administrator password.
Command: current-user password-modify

Action: Display the configuration of and login information on the web UI.
Command: display web-manager

Action: Display administrator details.
Command: display manager-user

Action: Display the login information of online administrators.
Command: display manager-user online-user

Action: Display administrator login information.
Command: display users [ all ]

Action: Display the configurations of CLI administrator interfaces.
Command: display user-interface [ ui-type ui-number | number | summary ]

Action: Display the maximum number of allowed VTY interfaces.
Command: display user-interface maximum-vty

Action: Display administrator information.
Command: display manager-user

Action: Display the SSH server information.
Command: display ssh server

5.2.4 Configuration Examples


This section provides configuration examples for multiple application scenarios.

5.2.4.1 Example for Logging in to the Web UI Using HTTPS (Default Certificate)
This section provides an example of how to configure HTTPS using the web and log in to the
web UI.

Context
If the client logs in to the device using HTTPS, the device sends a default or specified certificate
to the client. If the device sends a default certificate to the client, the client cannot verify the
certificate and is prone to attacks. You are advised to use the specified certificate for security.
For details, see Logging in to the web UI Using HTTPS (Specified Certificate).

Networking Requirements
Figure 5-6 shows how to configure local authentication administrator webadmin that can use
HTTPS to log in to the web UI on the NGFW.

Figure 5-6 Networking diagram of logging in to the web UI using HTTPS (default certificate)

[Figure 5-6 diagram: Administrator 10.3.0.10/24 <-> GE1/0/3 10.3.0.1/24 NGFW]

Data Planning
Item: Data (Description)
User name: webadmin
Password: Myadmin@123
Authentication mode: Local authentication
Role: service-admin (service-admin is a user-defined role and has permissions on only the
network, policy, and object.)
Trusted host: 10.3.0.0/24 (The administrator area is limited by IP address.)
Service Type: WEB
HTTPS port: 8443 (The port can be specified. The default port is 8443.)
Web service timeout period: 5 minutes

Configuration Roadmap
1. Enable the HTTPS server on the interface.
2. Create an administrator role.
3. Create an administrator account and set the authentication mode, administrator role, and
trusted host.
4. Enable the HTTPS service and set the web service timeout period.

NOTE
This section describes only how to configure an administrator.

Procedure
Step 1 Enable the HTTPS server on interface GigabitEthernet 1/0/3.

NOTE

If you use the default settings of management interface GigabitEthernet 0/0/0 to log in to the device, skip
this step.
Because the default IP address of the management interface has been set to 192.168.0.1, the interface has
been added to the Trust zone, and the administrator is allowed to log in to the device using HTTPS.
1. Choose Network > Interface.
2. Click for interface GE1/0/3 and set the parameters as follows:

Zone trust

Connection Type Static IP

IP Address 10.3.0.1/255.255.255.0

Management Access HTTPS

3. Click OK.

Step 2 Optional: Create an administrator role for administrator B.


1. Choose System > Admin > Administrator Role.
2. Click Add and set parameters as follows:

Name service-admin

Description policy_object_network_readwrite_and_other_modules_none

Popedom
Policy, Object, Network: Read-write
Dashboard, Monitor, System: None

3. Click OK.

Step 3 Create an administrator.


1. Choose System > Admin > Administrator.
2. Click Add and set parameters as follows:

User Name webadmin

Authentication Type Local authentication

Password Mydevice@123

Role service-admin

Trusted Host 10.3.0.0/24

Advanced

Service Type WEB

3. Click OK.
Step 4 Enable the HTTPS service (default certificate) and set the service port and web service timeout
period.
1. Choose System > Admin > Settings.
2. Select Enable next to HTTPS Service.
3. Enter 8443 for HTTPS Port.
4. Enter 5 for Web Timeout.
5. Click Apply.
Step 5 In the upper right of the page, click Save. Then click OK in the dialog box that is displayed.
Step 6 Open a browser and enter https://10.3.0.1:8443.
NOTE
If the browser displays a notification for an insecure certificate, you can continue browsing.

Step 7 On the login UI, enter user name webadmin and password Myadmin@123 and click Login to
access the web UI.

----End

Configuration Script
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage https permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
acl number 2000
rule 5 permit source 10.3.0.0 0.0.0.255
#
web-manager security cipher-suit medium-strength high-strength
web-manager security version sslv3 tlsv1 tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable port 8443
web-manager timeout 5
#
aaa
authentication-scheme default
#
manager-user webadmin

password cipher %@%@*y:3*ZN}.%%qcL1cC|@XBVMDyDwlB.Wq'6JF(iOz2D8>A\SN%@%@


service-type web
level 15
ftp-directory hda1:
acl-number 2000
authentication-scheme audit_local
#
bind manager-user webadmin role service-admin
role service-admin
description policy_object_network_readwrite_and_other_modules_none
dashboard none
monitor none
system none
network read-write
object read-write
policy read-write
#
return

5.2.4.2 Example for Logging In to the Web UI Using HTTPS (Specified Certificate)
This section provides an example for configuring HTTPS (specified certificate) using the CLI
and logging in to the web UI.

Networking Requirements
Figure 5-7 shows the networking for configuring administrator webadmin, who can use HTTPS to log in to the web UI of the NGFW.

Figure 5-7 Networking diagram of logging in to the web UI using HTTPS (specified certificate)
[Administrator PC 10.3.0.10/24] ---- GE1/0/3 10.3.0.1/24 [NGFW]

Data Planning
Item                       | Data                               | Description
Administrator              | Account: webadmin                  | -
                           | Password: Myadmin@123              |
                           | Level: 3                           |
                           | Service type: web                  |
                           | Maximum number of online users: 10 |
Role                       | service-admin                      | service-admin is a user-defined role and has permissions over only the network, policy, and object.
Trusted host               | 10.3.0.0/24                        | The administrator area is limited by IP address.
HTTPS port                 | 8443                               | The port can be specified. The default port is 8443.
Web service timeout period | 5 minutes                          | -

Configuration Roadmap
1. Assign the administrator and device the certificates from one Certificate Authority (CA)
for connection security.
2. Enable the web service on the device and HTTPS on the interface so that the administrator
can log in to the web UI using HTTPS.
3. Create an administrator account and configure a trusted host for the administrator.
4. Set an IP address for the administrator PC.

Procedure
Step 1 Configure the certificate.
1. The NGFW generates a certificate request file. An administrator sends the file to the CA server (over the web, on a disk, or by email) to apply for a certificate, and the CA server issues the certificate. The administrator then uses HTTP, LDAP, or another method to download the CA certificate and the local certificate from the server that stores them to the NGFW memory and installs them. For the detailed configuration process, see Certificate.
NOTE
CA certificate cep_ca.cer and local certificate cep_local.cer are used as examples.
2. Optional: Obtain the CA certificate and import it to the browser of the administrator PC (client). For details, see the help of the browser.
NOTE
The client can still access the device through HTTPS when the CA certificate is not imported into the browser, but it then cannot verify the device certificate and is exposed to attacks.
3. Configure the device to send a certificate to the client when the client accesses the device using HTTPS.
<NGFW> system-view
[NGFW] web-manager security server-certificate cep_local.cer

Step 2 Enable the web service.
1. Enable HTTPS.
[NGFW] web-manager security enable port 8443

2. Configure the web service timeout period.
[NGFW] web-manager timeout 5

The default timeout period is 10 minutes.

3. Optional: Configure SSL and the encryption algorithm.
[NGFW] web-manager security version all
[NGFW] web-manager security cipher-suit medium-strength high-strength

The device and the PC must support a common SSL version and encryption algorithm; otherwise, the SSL negotiation fails.
4. Optional: Configure the automatic lockout function upon a failed login on the web administrator UI. The number of allowed login attempts is 5.
NOTE
By default, the web administrator account is blacklisted for 10 minutes after three consecutive authentication failures. The lockout duration cannot be modified.
[NGFW] firewall blacklist authentication-count login-failed 5

5. Configure the GigabitEthernet 1/0/3 IP address and enable the HTTPS service.
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[NGFW-GigabitEthernet1/0/3] service-manage enable
[NGFW-GigabitEthernet1/0/3] service-manage https permit
[NGFW-GigabitEthernet1/0/3] quit

6. Add the interface to the security zone.
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet1/0/3
[NGFW-zone-trust] quit

Step 3 Create an administrator.


1. Configure a trusted host for the administrator.
[NGFW] acl 2001
[NGFW-acl-basic-2001] rule permit source 10.3.0.0 0.0.0.255
[NGFW-acl-basic-2001] quit

2. Create an administrator role.
[NGFW] aaa
[NGFW-aaa] role service-admin
[NGFW-aaa-role-service-admin] description policy_object_network_readwrite_and_other_modules_none
[NGFW-aaa-role-service-admin] dashboard none
[NGFW-aaa-role-service-admin] monitor none
[NGFW-aaa-role-service-admin] system none
[NGFW-aaa-role-service-admin] network read-write
[NGFW-aaa-role-service-admin] object read-write
[NGFW-aaa-role-service-admin] policy read-write
[NGFW-aaa-role-service-admin] quit

3. Create an administrator and bind a role to the administrator.
[NGFW-aaa] manager-user webadmin
[NGFW-aaa-manager-user-webadmin] password
Enter Password:
Confirm Password:
[NGFW-aaa-manager-user-webadmin] service-type web
[NGFW-aaa-manager-user-webadmin] access-limit 10
[NGFW-aaa-manager-user-webadmin] acl-number 2001
[NGFW-aaa-manager-user-webadmin] quit
[NGFW-aaa] bind manager-user webadmin role service-admin
[NGFW-aaa] quit

4. Set the IP address of the administrator PC to 10.3.0.10/24.

Step 4 Log in to the NGFW on the administrator PC.


1. Open a browser and enter https://10.3.0.1:8443.

2. On the login UI, enter user name webadmin and password Myadmin@123 and click
Login to access the web UI.

----End

Configuration Script
The configuration script of the administrator and web service is as follows:
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage https permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
acl number 2001
rule 5 permit source 10.3.0.0 0.0.0.255
#
web-manager security cipher-suit medium-strength high-strength
web-manager security version sslv3 tlsv1 tlsv1.1 tlsv1.2
web-manager enable
web-manager security enable port 8443
web-manager timeout 5
#
aaa
authentication-scheme default
#
manager-user webadmin
password cipher %@%@fPXYG8r|>17U(MYaBLw0OE<3BRR/*~[B0>uW"^/){U_>wKB=%@%@
service-type web
access-limit 10
acl-number 2001
authentication-scheme admin_local
#
bind manager-user webadmin role service-admin
role service-admin
description policy_object_network_readwrite_and_other_modules_none
dashboard none
monitor none
system none
network read-write
object read-write
policy read-write
return

5.2.4.3 Example for Logging In to the CLI Using Telnet
By default, Telnet is disabled on the device, so you need to set up a Telnet login environment first. This section provides an example of configuring Telnet login to the CLI.

Context
NOTE
Telnet login is not secure. You are advised to log in to the CLI using STelnet.

Networking Requirements
Figure 5-8 shows that the NGFW has a local administrator. The local administrator has some administrator permissions and can use Telnet to log in to the CLI only from a local PC for NGFW management and maintenance.

Figure 5-8 Networking diagram of logging in to the CLI using Telnet
[Administrator PC (Telnet) 10.3.0.100/24] ---- GE1/0/3 10.3.0.1/24 [NGFW]

Data Planning
Item                                              | Data                     | Description
VTY interface timeout period                      | 5 minutes                | The default period is 10 minutes.
Maximum number of authentication attempts allowed | 2                        | The default value is 3.
Lockout period                                    | 10 minutes               | The default period is 30 minutes.
Administrator account/password                    | vtyadmin/Mydevice@abc    | Note down the user name and password in case you forget them.
IP address of the administrator's PC              | 10.3.0.100/255.255.255.0 | -

Configuration Roadmap
1. Configurations on the NGFW are as follows:
a. Enable the Telnet service on the NGFW.
b. Configure the administrator login interface.
c. Configure the VTY administrator interface.
d. Configure the administrator.
2. Configure the IP address of the administrator PC and use Telnet software to log in to the VTY interface.

Procedure
Step 1 If you are logging in to the CLI for the first time, see Logging In to the CLI Through the Console Port and set up the Telnet login environment.
Step 2 Enable the Telnet service for IPv4 or IPv6. IPv4 is used as an example.
<NGFW> system-view
[NGFW] telnet server enable

Step 3 Optional: Configure the login interface.
NOTE
If you log in to the device through management interface GigabitEthernet 0/0/0 with its default settings, skip this step: the management interface already has the default IP address 192.168.0.1, has been added to the Trust zone, and allows the administrator to log in to the device using Telnet.
1. Configure the interface IP address and interface-based access control, and enable the administrator to log in to the device through Telnet.
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[NGFW-GigabitEthernet1/0/3] service-manage enable
[NGFW-GigabitEthernet1/0/3] service-manage telnet permit
[NGFW-GigabitEthernet1/0/3] quit

2. Add an interface to the security zone.


[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet1/0/3
[NGFW-zone-trust] quit

Step 4 Configure the VTY administrator interface.
Set the authentication mode of the VTY administrator interface to AAA and the idle disconnection duration to 5 minutes (the default value is 10 minutes).

NOTE
By default, there are five VTY administrator interfaces. To add more interfaces, run the user-interface maximum-vty number command.
[NGFW] user-interface vty 0 4
[NGFW-ui-vty0-4] authentication-mode aaa
[NGFW-ui-vty0-4] user privilege level 3
[NGFW-ui-vty0-4] idle-timeout 5
[NGFW-ui-vty0-4] quit

Step 5 Optional: Configure the Telnet administrator.
NOTE
The default administrator (admin/Admin@123) can use Telnet, web, and console port to log in to the device. If you use this administrator account to log in to the device, skip this step. Change the default password upon first login as prompted and keep the new password secure.
1. Create an administrator account.
[NGFW] aaa
[NGFW-aaa] manager-user vtyadmin
[NGFW-aaa-manager-user-vtyadmin] password
Enter Password:
Confirm Password:
[NGFW-aaa-manager-user-vtyadmin] level 3
[NGFW-aaa-manager-user-vtyadmin] service-type telnet
[NGFW-aaa-manager-user-vtyadmin] quit
[NGFW-aaa] quit

2. Optional: Configure the automatic lockout function upon a failed login.

By default, an account is locked for 30 minutes after three failed login attempts. In the
following example, the account is locked for 10 minutes after two failed login attempts.
[NGFW] aaa
[NGFW-aaa] lock-authentication enable
[NGFW-aaa] lock-authentication failed-count 2
[NGFW-aaa] lock-authentication timeout 10

Step 6 Configure the local administrator PC as follows:
1. Set the IP address and subnet mask of the administrator PC to 10.3.1.100 and 255.255.255.0.
2. Run the Telnet software on the PC. Windows OS is used as an example. Choose Start > Run. The Run window is displayed. Enter telnet 10.3.0.1 in Open, as shown in Figure 5-9.

Figure 5-9 Running the Telnet software

3. Click OK and start to connect to the NGFW.
4. On the login page, enter vtyadmin for Username: and press Enter.
5. Enter Mydevice@abc for Password: and press Enter to log in to the VTY interface.

----End

Configuration Script
#
telnet server enable
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage telnet permit
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
idle-timeout 5
#
aaa
authorization-scheme default
lock-authentication enable
lock-authentication failed-count 2
lock-authentication timeout 10
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
manager-user vtyadmin
password cipher %@%@*y:3*ZN}.%%qcL1cCyDwlB.|@XBVMDWq'6JF(iOz2D8>A\SN%@%@
service-type telnet
level 3
authentication-scheme admin_local
#
return

5.2.4.4 Example for Logging In to the CLI Using STelnet (Password Authentication)
This section provides an example of configuring the administrator PC as the STelnet client and the NGFW as the STelnet server, and of using STelnet to log in to the VTY administrator interface of the NGFW after password authentication.

Networking Requirements
Figure 5-10 shows that the NGFW has an administrator. The administrator wants to use STelnet
to log in to the VTY administrator interface of the NGFW after password authentication and
manage and maintain the NGFW.

Figure 5-10 Networking diagram of using STelnet to log in to the CLI (password authentication)
[Administrator PC (STelnet) 10.2.0.100/24] ---- GE1/0/3 10.3.0.1/24 [NGFW]

Data Planning
Item                      | Data
NGFW: SSH account         | sshadmin
NGFW: Authentication mode | Password
NGFW: Password            | Mydevice@123
NGFW: Service type        | STelnet
Administrator PC          | SSH client software: PuTTY (Windows XP operating system). The PuTTY software includes the PuTTY client for the STelnet service and the SFTP client PSFTP.

Configuration Roadmap
1. Configure NGFW as the SSH server.
l Enable the SSH service on the interface.
l Configure the VTY administrator interface.
l Create an SSH administrator account and specify the authentication type and service
type.
l Generate a local key pair.
l Enable the STelnet service.
l Configure the SSH service parameters.
2. Configure the administrator PC as the SSH client.
l Set an IP address for the administrator PC.
l Install the PuTTY software.
l Use PuTTY to log in to the NGFW through SSH.
NOTE
The prerequisite is that IP addresses of the interface and administrator PC, security zone, route, and security
policies have been configured. The following example introduces content related only to the administrator.

Procedure
Step 1 Configure the NGFW.
1. Enable the SSH service on interface GigabitEthernet 1/0/3.
<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] service-manage enable
[NGFW-GigabitEthernet1/0/3] service-manage ssh permit
[NGFW-GigabitEthernet1/0/3] quit

2. Configure VTY administrator interfaces that support AAA.
[NGFW] user-interface maximum-vty 11
[NGFW] user-interface vty 0 4
[NGFW-ui-vty0-4] authentication-mode aaa
[NGFW-ui-vty0-4] user privilege level 3
[NGFW-ui-vty0-4] quit

3. Create SSH administrator account sshadmin, set the authentication type to password, and set the service type to STelnet.
[NGFW] aaa
[NGFW-aaa] manager-user sshadmin
[NGFW-aaa-manager-user-sshadmin] service-type ssh
[NGFW-aaa-manager-user-sshadmin] access-limit 11
[NGFW-aaa-manager-user-sshadmin] level 3
[NGFW-aaa-manager-user-sshadmin] ssh authentication-type password
[NGFW-aaa-manager-user-sshadmin] password
Enter Password:
Confirm Password:
[NGFW-aaa-manager-user-sshadmin] ssh service-type stelnet
[NGFW-aaa-manager-user-sshadmin] quit
[NGFW-aaa] quit

NOTE
The effective level of an SSH administrator is determined by the administrator level together with the level of the authentication mode or VTY interface. To ensure that the administrator can log in to the device normally, set both the administrator level and the VTY interface level to 3 or higher.
4. Generate a local key pair.
[NGFW] rsa local-key-pair create
The key name will be: NGFW_Host
The range of public key size is (512 ~ 2048).
NOTES: A key shorter than 1024 bits may cause security risks.
The generation of a key longer than 512 bits may take several minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
...++++++++
..++++++++
..................................+++++++++
............+++++++++

5. Enable the STelnet service.
[NGFW] stelnet server enable

6. Optional: Set the SSH server parameters.
# Set the listening port of the SSH server to 1025, the authentication timeout period to 80 seconds, the number of authentication retries to 4, and the update interval of the key pair to 1 hour, and enable the backward compatibility function.
[NGFW] ssh server port 1025
[NGFW] ssh server timeout 80
[NGFW] ssh server authentication-retries 4
[NGFW] ssh server rekey-interval 1
[NGFW] ssh server compatible-ssh1x enable

Step 2 Configure the administrator PC as the SSH client.
1. Set the IP address and subnet mask of the administrator PC to 10.2.0.100 and 255.255.255.0.
2. Install the PuTTY software. Details are omitted.
3. Use the PuTTY software to log in to the NGFW through STelnet. (The following example uses PuTTY 0.60.)
a. Double-click PuTTY.exe. The interface shown in Figure 5-11 is displayed. Enter the IP address of the SSH server in the Host Name (or IP address) text box.

Figure 5-11 Entering the IP address of the SSH server

b. Choose Connection > SSH in the left Category tree. The interface shown in Figure 5-12 is displayed. In Protocol options, set Preferred SSH protocol version to 2 and click Open.

Figure 5-12 Setting SSH protocol version

c. The dialog box shown in Figure 5-13 is displayed upon the first login. Click Yes.

Figure 5-13 PuTTY security alert

d. In the login page that is displayed, enter SSH administrator account sshadmin and
press Enter. Enter Mydevice@123 and press Enter again. You can log in to
NGFW, as shown in Figure 5-14.

Figure 5-14 STelnet login page

----End

Configuration Script
The configuration script of server NGFW_B is as follows:
#
stelnet server enable
ssh server port 1025
ssh server timeout 80
ssh server authentication-retries 4
ssh server rekey-interval 1
ssh server compatible-ssh1x enable
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage ssh permit
#
user-interface maximum-vty 11
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
#
aaa
authorization-scheme default
#
manager-user sshadmin
service-type ssh
access-limit 11
level 3
ssh authentication-type password
password cipher %@%@fPXYG8r|>17U(MYaBLw0OE<3BRR/*~[B0>uW"^/){U_>wKB=%@%@
authentication-scheme admin_local
ssh service-type stelnet
#
return

5.2.4.5 Example for Logging In to the CLI Using STelnet (RSA Authentication)
This section describes how to configure the administrator PC as the STelnet client and the NGFW as the STelnet server, and how to use STelnet to log in to the VTY administrator interface of the NGFW after RSA authentication.

Networking Requirements
Figure 5-15 shows that the NGFW has an administrator. The administrator wants to use STelnet to log in to the VTY administrator interface of the NGFW after RSA authentication and manage and maintain the NGFW.

Figure 5-15 Networking diagram of using STelnet to log in to the CLI (RSA authentication)
[Administrator PC (STelnet) 10.2.0.100/24] ---- GE1/0/3 10.3.0.1/24 [NGFW]

Data Planning
Item                      | Data
NGFW: SSH account         | sshadmin
NGFW: Authentication mode | RSA
NGFW: Service type        | STelnet
Administrator PC          | SSH client software: PuTTY (Windows 7 operating system). The PuTTY software includes the PuTTY client for the STelnet service and the SFTP client PSFTP.

Configuration Roadmap
1. Generate a local RSA key pair on the PC and an RSA public key in the format supported by the NGFW.
l Install the PuTTY software.
l Use the PuTTYgen tool to generate a local SSH-RSA key pair.
2. Configure the NGFW as the SSH server.
l Enable the SSH service on the interface.
l Configure the VTY administrator interface.
l Save the RSA public key of the SSH client (the PC) on the NGFW.
l Create an SSH administrator account and specify the authentication type and service type.
l Enable the STelnet service.
3. Configure the administrator PC as the SSH client.
l Set an IP address for the administrator PC.
l Use PuTTY to log in to the NGFW through SSH.
NOTE
The prerequisite is that the IP addresses of the interface and administrator PC, the security zone, the route, and the security policies have been configured. The following example introduces only the content related to the administrator.

Procedure
Step 1 Generate an RSA public key on the PC.
1. Install the PuTTY software. Details are omitted.
2. Use the PuTTYgen tool to generate a local SSH-RSA key pair. (PuTTYgen 0.60 is used as an example in the following part.)
a. Double-click PuTTYgen.exe. The interface shown in Figure 5-16 is displayed. In Parameters, set Type of key to generate to SSH-2 RSA. Click Generate. The PC starts to generate a local RSA key pair.

Figure 5-16 Selecting the SSH version for generating the local SSH-RSA key pair

b. Figure 5-17 shows the interface for generating a local RSA key pair. You must keep moving the mouse while the key pair is being generated. Move the pointer within the window but outside the green progress bar; otherwise, the progress bar stalls and the generation of the key pair stops.

Figure 5-17 Generating a local RSA key pair

c. Figure 5-18 shows the generation of the local RSA key pair. Do as follows to save
the RSA key pair in the specified format:
l OpenSSH: Copy the marked content in the Key text box.
l PEM: Click Save public key, enter public for the name of the public key file, and
click Save. Click Save private key, enter private for the name of the private key
file, and click Save.
NOTE
To enhance security, you must enter a password in the Key passphrase text box and enter the
password again in the Confirm passphrase text box to set a password for using this key pair.

Figure 5-18 Saving a local RSA key pair

Step 2 Configure the NGFW.


1. Enable the SSH service on interface GigabitEthernet 1/0/3.
NOTE
The SSH service is enabled on management interface GigabitEthernet 0/0/0 by default. If the SSH
service is disabled, enable it as follows.
<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] service-manage ssh permit
[NGFW-GigabitEthernet1/0/3] service-manage enable
[NGFW-GigabitEthernet1/0/3] quit

2. Configure the VTY administrator interface.
# Configure VTY administrator interfaces that support AAA.
[NGFW] user-interface maximum-vty 11
[NGFW] user-interface vty 0 4
[NGFW-ui-vty0-4] authentication-mode aaa
[NGFW-ui-vty0-4] user privilege level 3
[NGFW-ui-vty0-4] quit

3. Save the RSA public key of the intranet PC. In this example, the RSA public key is saved in the OpenSSH encoding format.
[NGFW] rsa peer-public-key key_pc encoding-type openssh
Enter "RSA public key" view, return system view with "peer-public-key end".
[NGFW-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[NGFW-rsa-key-code] ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBwsFDGbVAbK35ecJqsioQ3BdTCa1+eU3i13YQBHvBltIdI9bOMKYEYJbjuY4UYXkdtwA2ar6LWTI8X1hHbtYGqPk2MvjSF0hXn1DBabNUXbLRyzWAhaopcsTbGboU88cQ6fe/DqE9jUpNLsPdg4EXz1LMyLNe134JCSe3Ufh7o/w== rsa-key-20140515
[NGFW-rsa-key-code] public-key-code end
[NGFW-rsa-public-key] peer-public-key end
[NGFW]

4. Create an SSH administrator account and specify the authentication type and service type.

# Create SSH administrator account sshadmin and set the authentication type to RSA,
bound key to key_pc, and service type to STelnet.
[NGFW] aaa
[NGFW-aaa] manager-user sshadmin
[NGFW-aaa-manager-user-sshadmin] service-type ssh
[NGFW-aaa-manager-user-sshadmin] access-limit 11
[NGFW-aaa-manager-user-sshadmin] level 3
[NGFW-aaa-manager-user-sshadmin] ssh authentication-type rsa
[NGFW-aaa-manager-user-sshadmin] ssh assign rsa-key key_pc
[NGFW-aaa-manager-user-sshadmin] ssh service-type stelnet
[NGFW-aaa-manager-user-sshadmin] quit
[NGFW-aaa] quit

NOTE
The effective level of an SSH administrator is determined by the administrator level together with the level of the authentication mode or VTY interface. To ensure that the administrator can log in to the device normally, set both the administrator level and the VTY interface level to 3 or higher.
5. Enable the STelnet service.
[NGFW] stelnet server enable

6. Optional: Set the SSH server parameters.
# Set the listening port of the SSH server to 1025, the authentication timeout period to 80 seconds, the number of authentication retries to 4, and the update interval of the key pair to 1 hour, and enable the backward compatibility function.
[NGFW] ssh server port 1025
[NGFW] ssh server timeout 80
[NGFW] ssh server authentication-retries 4
[NGFW] ssh server rekey-interval 1
[NGFW] ssh server compatible-ssh1x enable

Step 3 Configure the administrator PC as the SSH client.
1. Set the IP address and subnet mask of the administrator PC to 10.3.0.100 and 255.255.255.0.
2. Install the PuTTY software. Details are omitted.
3. Use the PuTTY software to log in to the NGFW through STelnet. (The following example uses PuTTY 0.60.)
a. Double-click PuTTY.exe. The interface shown in Figure 5-19 is displayed. Enter the IP address of the SSH server in the Host Name (or IP address) text box.

Figure 5-19 Entering the IP address of the SSH server

b. Choose Connection > SSH in the left Category tree. The interface shown in Figure
5-20 is displayed. In the Protocol options area, set Preferred SSH protocol
version to 2.

Figure 5-20 Setting SSH protocol version

c. Select Auth under SSH. The dialog box shown in Figure 5-21 is displayed. Click Browse and import the private key file private.ppk of the saved SSH-RSA key pair.

Figure 5-21 Importing the private key in the SSH-RSA key pair

d. Click Session, enter ssh-rsa in the Saved Sessions text box, and click Save to save
the SSH session, as shown in Figure 5-22.
NOTE
The saved session will be used when the PSFTP tool is used for SFTP login. Besides, no
configuration is required for future STelnet login. You can double-click the SSH session to
open the login page.

Figure 5-22 Importing the private key in the SSH-RSA key pair

e. Enter SSH administrator account sshadmin in the login page that is displayed and
press Enter. You can log in to NGFW_B, as shown in Figure 5-23.
NOTE
If a password is specified for using the key pair, you must enter the password for the login.

Figure 5-23 STelnet login page

----End

Configuration Script
#
stelnet server enable
ssh server port 1025
ssh server timeout 80
ssh server authentication-retries 4
ssh server rekey-interval 1
ssh server compatible-ssh1x enable
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage enable
service-manage ssh permit
#
user-interface maximum-vty 11
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
#
aaa
authorization-scheme default
#
manager-user sshadmin
service-type ssh
access-limit 11
level 3
ssh authentication-type rsa
ssh assign rsa-key key_pc
authentication-scheme admin_local
ssh service-type stelnet
#
return
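The scripts in this chapter leave several management-access settings at permissive values (SSLv3 and medium-strength cipher suites for HTTPS, Telnet, SSH 1.x compatibility) and rely on trusted-host ACLs and failed-login lockout to limit exposure. As an added example that is not part of the guide, the following Python audits a saved configuration script for those settings; the sample script is constructed from lines of the scripts above, and all function names are this example's own.

```python
# Constructed sample script: lines copied from the configuration scripts in this
# chapter and merged into one file so that every check below has something to find.
SAMPLE_CONFIG = """\
#
telnet server enable
#
stelnet server enable
ssh server compatible-ssh1x enable
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage https permit
service-manage telnet permit
service-manage ssh permit
#
web-manager security cipher-suit medium-strength high-strength
web-manager security version sslv3 tlsv1 tlsv1.1 tlsv1.2
web-manager security enable port 8443
#
aaa
authentication-scheme default
#
manager-user webadmin
service-type web
acl-number 2001
authentication-scheme admin_local
#
manager-user vtyadmin
service-type telnet
level 3
authentication-scheme admin_local
#
manager-user sshadmin
service-type ssh
level 3
ssh authentication-type password
ssh service-type stelnet
#
return
"""


def iter_user_blocks(lines):
    """Yield (user name, [lines of that block]) for each manager-user block;
    a block ends at the next manager-user line, a '#' separator or 'return'."""
    name, block = None, []
    for raw in lines:
        line = raw.strip()
        if line.startswith("manager-user "):
            if name:
                yield name, block
            name, block = line.split()[1], []
        elif name and line in ("#", "return"):
            yield name, block
            name, block = None, []
        elif name:
            block.append(line)
    if name:
        yield name, block


def audit_config(text):
    """Return (severity, finding) pairs for a USG6000 management-access script."""
    lines = [l.strip() for l in text.splitlines()]
    findings = []
    if "telnet server enable" in lines:
        findings.append(("high", "Telnet server enabled: passwords and session data are sent in plaintext; use STelnet"))
    if "ssh server compatible-ssh1x enable" in lines:
        findings.append(("high", "SSH 1.x compatibility enabled: the clients in this chapter use SSH-2, so leave it disabled"))
    for line in lines:
        words = line.split()
        if line.startswith("web-manager security version") and "sslv3" in words:
            findings.append(("high", "SSLv3 accepted for HTTPS management: allow TLS versions only"))
        if line.startswith("web-manager security cipher-suit") and "medium-strength" in words:
            findings.append(("medium", "medium-strength cipher suites accepted for HTTPS management: keep high-strength only"))
        if line == "service-manage telnet permit":
            findings.append(("medium", "an interface permits Telnet management access"))
    if not any(l.startswith("lock-authentication") for l in lines):
        findings.append(("info", "lock-authentication not set explicitly: the device defaults for failed-login lockout apply"))
    for user, block in iter_user_blocks(lines):
        if not any(l.startswith("acl-number") for l in block):
            findings.append(("medium", f"manager-user {user}: no trusted-host ACL (acl-number) limits the login source"))
        if "service-type telnet" in block:
            findings.append(("medium", f"manager-user {user}: may log in over Telnet"))
        if "ssh authentication-type password" in block:
            findings.append(("info", f"manager-user {user}: SSH password authentication; RSA key authentication is available"))
    return findings


def severity_counts(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 5, 'info': 2}."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG):
        print(f"[{severity:6}] {message}")
```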

5.2.4.6 Example for Configuring NGFW as a Client to Log In to Other Devices
This section provides an example of configuring the NGFW as an STelnet or Telnet client.

Prerequisites
l A route exists between the NGFW and the STelnet or Telnet server.
l The STelnet service has been enabled on the server.
l The STelnet or Telnet user information configured on the STelnet or Telnet server has been obtained.

Networking Requirements
The NGFW logs in to the server using STelnet or Telnet, as shown in Figure 5-24.

NOTICE
During Telnet login, data and passwords are transmitted in plaintext mode, causing security
risks. To secure data transmission, use STelnet instead.

Figure 5-24 Networking diagram of configuring NGFW as a client to log in to other devices
[NGFW: STelnet/Telnet client, GE1/0/3 10.1.1.1/24] ---- [STelnet/Telnet server 10.2.2.1/24]

Procedure
l Configure the NGFW to access the server using Telnet.
1. Enable the Telnet service on the server.
2. Use the NGFW to log in to the server using Telnet.
<NGFW> telnet 10.2.2.1

l Configure the NGFW to access the server using STelnet.


1. Enable first-time authentication.
<NGFW> system-view
[NGFW] ssh client first-time enable

2. If the STelnet server uses the RSA or password-RSA authentication method, you must bind the STelnet account of the NGFW to the RSA key on the server.
a. Generate a local RSA key pair.
[NGFW] rsa local-key-pair create
The key name will be: NGFW_Host
The range of public key size is (512 ~ 2048).
NOTES: A key shorter than 1024 bits may cause security risks.


The generation of a key longer than 512 bits may take several minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
...++++++++
..++++++++
..................................+++++++++
............+++++++++

b. Copy the RSA public key. The key code in the following output is the RSA key
generated by the client. Copy the key and save it.
[NGFW] display rsa local-key-pair public
=====================================================

Time of Key pair created: 18:34:19 2013/1/17


Key name: NGFW_Host
Key type: RSA encryption Key
=====================================================
Key code:
308188
028180
CB35ED46 660B55CC 80EAAFD7 78DDFBF7 467A1C13
5D29865C 63509D5D E25E423A DB11A00F 77CDBBB4
D93436EA D50E4261 AC476E56 7AC6344A B0ECE377
EA2E6912 4EC32710 FC4B5D2D 61E358B1 E8EA739F
A0338BE0 ED72A9A0 EDFE49FD 071623A4 96A0A45B
4EAD2641 A8D7A39F 567B02B9 90DE5722 980072B4
B320FDA0 10F18DF9
0203
010001

Host public key for PEM format code:


---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDLNe1GZgtVzIDqr9d43fv3RnocE10phlxj
UJ1d4l5COtsRoA93zbu02TQ26tUOQmGsR25WesY0SrDs43fqLmkSTsMnEPxLXS1h
41ix6Opzn6Azi+Dtcqmg7f5J/QcWI6SWoKRbTq0mQajXo59WewK5kN5XIpgAcrSz
IP2gEPGN+Q==
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDLNe1GZgtVzIDqr9d43fv3RnocE10phlxjUJ1d4l5COtsRoA93zbu02TQ26tUOQmGsR25WesY0SrDs43fqLmkSTsMnEPxLXS1h41ix6Opzn6Azi+Dtcqmg7f5J/QcWI6SWoKRbTq0mQajXo59WewK5kN5XIpgAcrSzIP2gEPGN+Q== rsa-key

=====================================================
Time of Key pair created: 11:43:19 2013/9/17
Key name: NGFW_Server
Key type: RSA encryption Key
=====================================================
Key code:
3067
0260
EC20AA8E 967145ED 186D85B4 3B928A81 C312F0E2
EF34E96C 944FDE4F 6215B98A C046FB51 A195AA9E
D926DE1B 59C6B87E 024C12D1 078DE2CE E9F9C5E6
C5C2E32D CDD74D33 78E70E64 C6CF46E3 A91F8C87
5354BDDD A1A2C9BB 21112D5E 0D2CB44B
0203
010001

3. Use the NGFW to log in to the server in STelnet mode.


<NGFW> system-view
[NGFW] stelnet 10.2.2.1

----End
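As an added example (not Huawei code and not part of this guide), the following Python script rebuilds the OpenSSH "ssh-rsa" line from the hex Key code that display rsa local-key-pair public prints, so an administrator can confirm that the key pasted into the server's authorized_keys really is the client's key before relying on RSA authentication; it also reports the modulus size against the 1024-bit minimum the key-generation dialog warns about and computes an OpenSSH-style SHA256 fingerprint. The two key codes and the comparison line are copied from the sample output above; the function names and the MIN_RSA_BITS threshold are this example's own.

```python
"""Cross-check the RSA public key printed by `display rsa local-key-pair public`.
Added example, not Huawei code. The device prints the key as a DER hex "Key code"
(SEQUENCE { INTEGER n, INTEGER e }) and as an OpenSSH "ssh-rsa" line; rebuilding the
OpenSSH line from the key code confirms what gets pasted into authorized_keys. Key codes
below are copied from the guide's output (NGFW_Host, 1024 bits; NGFW_Server, 768 bits)."""
import base64
import hashlib
import struct

NGFW_HOST_KEY_CODE = """
308188
028180
CB35ED46 660B55CC 80EAAFD7 78DDFBF7 467A1C13
5D29865C 63509D5D E25E423A DB11A00F 77CDBBB4
D93436EA D50E4261 AC476E56 7AC6344A B0ECE377
EA2E6912 4EC32710 FC4B5D2D 61E358B1 E8EA739F
A0338BE0 ED72A9A0 EDFE49FD 071623A4 96A0A45B
4EAD2641 A8D7A39F 567B02B9 90DE5722 980072B4
B320FDA0 10F18DF9
0203
010001
"""

NGFW_SERVER_KEY_CODE = """
3067
0260
EC20AA8E 967145ED 186D85B4 3B928A81 C312F0E2
EF34E96C 944FDE4F 6215B98A C046FB51 A195AA9E
D926DE1B 59C6B87E 024C12D1 078DE2CE E9F9C5E6
C5C2E32D CDD74D33 78E70E64 C6CF46E3 A91F8C87
5354BDDD A1A2C9BB 21112D5E 0D2CB44B
0203
010001
"""

# The authorized_keys line the device printed for NGFW_Host, kept for comparison.
NGFW_HOST_OPENSSH_LINE = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDLNe1GZgtVzIDqr9d43fv3RnocE10phlxj"
    "UJ1d4l5COtsRoA93zbu02TQ26tUOQmGsR25WesY0SrDs43fqLmkSTsMnEPxLXS1h"
    "41ix6Opzn6Azi+Dtcqmg7f5J/QcWI6SWoKRbTq0mQajXo59WewK5kN5XIpgAcrSz"
    "IP2gEPGN+Q== rsa-key"
)
MIN_RSA_BITS = 1024  # threshold taken from the device's key-generation warning

def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                      # short form: one byte
        return first, pos + 1
    count = first & 0x7F                  # long form: 0x8N, then N length bytes
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count

def _der_integer(buf, pos):
    """Decode a DER INTEGER as an unsigned int. The device omits the leading 0x00
    that strict DER requires when the top bit is set, so no sign handling is needed."""
    if buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag at offset %d" % pos)
    length, pos = _der_length(buf, pos + 1)
    return int.from_bytes(buf[pos:pos + length], "big"), pos + length

def parse_key_code(hex_text):
    """Parse the hex Key code (whitespace ignored) into (modulus n, exponent e)."""
    der = bytes.fromhex("".join(hex_text.split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE tag")
    seq_len, pos = _der_length(der, 1)
    if pos + seq_len != len(der):
        raise ValueError("SEQUENCE length does not match key code size")
    n, pos = _der_integer(der, pos)
    e, _ = _der_integer(der, pos)
    return n, e

def _ssh_string(raw):
    return struct.pack(">I", len(raw)) + raw

def _ssh_mpint(value):
    # RFC 4251 mpint: big-endian two's complement, so prefix 0x00 when the top bit is set.
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def openssh_blob(n, e):
    """RFC 4253 ssh-rsa public-key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)

def openssh_line(n, e, comment="rsa-key"):
    return "ssh-rsa %s %s" % (base64.b64encode(openssh_blob(n, e)).decode("ascii"), comment)

def fingerprint(n, e):
    """OpenSSH-style SHA256 fingerprint of the public-key blob."""
    digest = base64.b64encode(hashlib.sha256(openssh_blob(n, e)).digest())
    return "SHA256:" + digest.decode("ascii").rstrip("=")

def check_key_code(hex_text, min_bits=MIN_RSA_BITS):
    """Summarise a key code: modulus size, whether it meets min_bits, OpenSSH line, fingerprint."""
    n, e = parse_key_code(hex_text)
    return {"bits": n.bit_length(), "strong_enough": n.bit_length() >= min_bits,
            "line": openssh_line(n, e), "fingerprint": fingerprint(n, e)}
```

Comparing check_key_code(NGFW_HOST_KEY_CODE)["line"] with NGFW_HOST_OPENSSH_LINE reproduces the device's own authorized_keys line from the key code; the 768-bit NGFW_Server key is reported as below the threshold.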

5.2.5 Administrator FAQ


This section describes FAQs related to administrator login.

What Is the Default Administrator Account?


The NGFW provides two default accounts.

l System administrator account admin and password Admin@123: You can use this account
to log in to the device through console or web UI for first login.
l Audit administrator account audit-admin and password Admin@123: This account is for
configuring audit policies and viewing audit logs only.

When the NGFW Is Connected to the Network at Layer 2 in Transparent Mode, How Can I Log In to the Device Through Service Interfaces?
Add the Layer 2 interfaces (service interfaces) to a VLAN and log in to the device through the
VLANIF interface. For example, if the two service interfaces are GigabitEthernet 1/0/1 and
GigabitEthernet 1/0/2, the configuration is as follows:

# Create a VLAN and add the interfaces to the VLAN. By default, the interfaces belong to
VLAN1.
<NGFW> system-view
[NGFW] vlan 2
[NGFW-vlan-2] quit
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] portswitch
[NGFW-GigabitEthernet1/0/1] port access vlan 2
[NGFW-GigabitEthernet1/0/1] quit
[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] portswitch
[NGFW-GigabitEthernet1/0/2] port access vlan 2
[NGFW-GigabitEthernet1/0/2] quit

# Configure the VLANIF interface.
[NGFW] interface vlanif 2
[NGFW-Vlanif2] ip address 10.1.3.1 24
[NGFW-Vlanif2] service-manage enable
[NGFW-Vlanif2] service-manage stelnet permit
[NGFW-Vlanif2] service-manage https permit
[NGFW-Vlanif2] quit
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface vlanif 2
[NGFW-zone-trust] quit

Log in to the device using 10.1.3.1 after the configurations are complete.

5.2.6 Feature History


This section describes the versions and changes in the administrator feature.


Version Description

V100R001C30SPC100 Added the device module in object permission control.

V100R001C30 Added the configuration of northbound API interfaces. A client can call a
northbound API interface to communicate with the NGFW using HTTP/HTTPS.

V100R001C00 This is the first version to support the administrator feature.

5.3 Time
This section describes how to set the system time to ensure the proper coordination with other
devices.

5.3.1 Configuring the System Time Using the Web UI


This section describes how to use the Web UI to set the time zone and daylight saving time
(DST) on the NGFW.

Setting the Time Manually


Step 1 Choose System > Setup > Time.

Step 2 Select Manually Set the Time in Configuration Mode.

Step 3 Set Time Zone and Date.

Step 4 Set System Time.


The system time format is HH:MM:SS (hour:minute:second). You can enter a time directly, or
select a time item and use the adjustment buttons on the right to change the system time.

Step 5 Click Apply.

----End

Synchronizing the Time with the Local System Time


You can synchronize the time with the local system time on the terminal (the PC that you use
to log in to the device).

Step 1 Choose System > Setup > Time.

Step 2 Select Synchronize the Time with the Local System Time in Configuration Mode.

Step 3 Click Apply.

----End


Synchronizing the Time with the NTP Server


You can synchronize the time with the time on an NTP server. In such a case, an NTP server
must be available on the network.

Step 1 Choose System > Setup > Time.


Step 2 Select Synchronize the Time with the NTP Server in Configuration Mode.
Step 3 Set Time Zone.
Step 4 Optional: Set Date and System Time.
This step is recommended. When NTP works properly, Date and System Time are obtained
from the NTP server. When NTP works improperly, the NGFW uses the Date and System
Time that you manually specify.
Step 5 Enter the IP address of the NTP server in NTP Server IP.
If you need to enter multiple NTP server IP addresses, click View/Configure on the right after
you apply the first NTP server. Enter the IP addresses of other NTP servers and click Add to
complete the configuration.
Step 6 Click Apply.

----End

Enable DST
DST advances the clock by one hour in summer to save energy.
Configure the system time before you enable DST.

Step 1 Choose System > Setup > Time.


Step 2 Select Automatically adjust clock for daylight saving time (DST).
Step 3 Enter or select the parameters listed in Table 5-12.

Table 5-12 Parameters of the DST

Item Description

Start Time The start time of the DST

End Time The end time of the DST

Offset Time The offset time of the system in the DST mechanism
For example, set the Start Time to 08:00:00 on the first Monday in March,
End Time to 10:00:00 on the first Monday in November, and Offset
Time to 01:00:00. At 08:00:00 on the first Monday in March, the system
time is automatically changed to 09:00:00. At 10:00:01 on the first Monday
in November, the system time is automatically changed to 09:00:01.

Step 4 Click Apply.

----End


5.3.2 Configuring the System Time Using the CLI


This section describes how to use the CLI to set the time zone and daylight saving time (DST)
on the NGFW.

Context
To ensure the proper coordination with other devices, you must set an accurate system time.

NOTE

UTC is short for Universal Time Coordinated.

Procedure
Step 1 Set the UTC standard time.
clock datetime HH:MM:SS YYYY/MM/DD

Step 2 Set the time zone.


clock timezone time-zone-name { add | minus } offset

l add indicates that the time zone specified by time-zone-name is ahead of UTC. For
example, to set the time zone to GMT+8 for Beijing, specify add 08:00:00 in this command.
l minus indicates that the time zone specified by time-zone-name is behind UTC. For
example, to set the time zone to GMT-8 in the United States, specify minus 08:00:00 in this
command.
Step 3 Set the time zone, start time, and end time.
clock daylight-saving-time time-zone-name one-year start-time start-date end-time end-date offset

Or:
clock daylight-saving-time time-zone-name repeating start-time { { first | second | third | fourth | fifth | last } weekday month | start-date } end-time { { first | second | third | fourth | fifth | last } weekday month | end-date } offset [ start-year [ end-year ] ]

----End

5.4 License Management


This section describes how to apply for, activate, check, and debug a license.

5.4.1 Overview
A license is an agreement that authorizes the use of a certain product within a specific scope and
duration. You can dynamically control the availability of certain features using the license.

License Definition
A license is a permission or authorization granted by the supplier to the customer regarding the
function, resource, and upgrade service of a product. The license is physically the combination
of a license file and a license authorization certificate.


After the license is purchased, the carrier provides the license authorization certificate for the
user to activate the license. The license authorization certificate contains the contract number,
license activation password, and the content of the license.

A license file is a .dat file obtained after the license is activated. Customers need to load the
license file to the device or software to use the functions that require a license.

License Categories
Licenses are divided into commercial licenses and non-commercial licenses according to their
actual purpose.

l Commercial license
This license is purchased under contract. If the customer needs to use license-controlled
features or the resources beyond the upper quantity limit, the customer must purchase
commercial licenses.
The commercial licenses are permanent or temporary. The permanent commercial license
includes the license certificate and the electronically delivered license file. Unless
otherwise specified, the term commercial license herein refers to permanent commercial
license. The temporary commercial license is for trial use or similar purposes.
l Non-commercial license
The license applies to non-commercial purposes such as internal tests, demonstrations, and
trainings. The non-commercial license requires no contract, and has a limited validity
period, which is no longer than three months.

License Control Items


Currently, the application of licenses involves the control over functions, resources, and service
upgrades.
l For the control over functions, a license determines whether a certain function is available.
Only after a proper license file is loaded, certain functions are available.
l For the control over resources, a license determines the available number of certain
resources. If no license file is loaded, functions are available with only a limited number
of resources.
l For the control over service upgrades, a license determines whether a service can be
upgraded. You can upgrade services only after you load a proper license file.

Table 5-13 lists the license control items.


Table 5-13 License control items

Function: Number of virtual systems
Status when the license is not activated: 10
Status when the official license is activated: The number of virtual systems supported by the
license varies with the device model. Details are as follows:
l USG6310/6320: can be increased to 20 after an upgrade of the license.
l USG6306/6308/6330/6350/6360/6507/6530: can be increased to 50 after an upgrade of the license.
l USG6370/6380/6390/6550/6570: can be increased to 100 after an upgrade of the license.
l USG6620/6630: can be increased to 200 after an upgrade of the license.
l USG6650/6660/6670: can be increased to 500 after an upgrade of the license.
l USG6680: can be increased to 1000 after an upgrade of the license.
l ET1D2FW00S00: can be increased to 500 after an upgrade of the license.
l ET1D2FW00S01 and ET1D2FW00S02: can be increased to 1000 after an upgrade of the license.

Function: SSL VPN Concurrent Users
Status when the license is not activated: 100
Status when the official license is activated: The number of concurrent users supported by the
license varies with the device model. Details are as follows:
l USG6310/6320: can be increased to 200 after an upgrade of the license.
l USG6306/6308/6330/6350/6360/6507/6530: can be increased to 500 after an upgrade of the license.
l USG6370/6380/6390/6550/6570: can be increased to 1000 after an upgrade of the license.
l USG6620/6630: can be increased to 2000 after an upgrade of the license.
l USG6650/6660/6670/6680: can be increased to 5000 after an upgrade of the license.
l ET1D2FW00S00, ET1D2FW00S01 and ET1D2FW00S02: can be increased to 5000 after an upgrade of the license.

Function: Content Security Group (File Blocking/Data Filtering/Application Behavior Control/Mail
Filtering/Audit Function)
Status when the license is not activated: The functions can be configured but do not take effect.
Status when the official license is activated: The functions are available.

Function: IPS
Status when the license is not activated: The function can be configured but does not take effect.
Status when the official license is activated: Controlled by the purchased license (one-year or
three-year license). After the license expires, the upgrade service becomes unavailable, but the
IPS function is still available.

Function: Anti-Virus
Status when the license is not activated: The function can be configured but does not take effect.
Status when the official license is activated: Controlled by the purchased license (one-year or
three-year license). After the license expires, the upgrade service becomes unavailable, but the
antivirus function is still available.

Function: URL remote query
Status when the license is not activated: The function is unavailable.
Status when the official license is activated: Controlled by the purchased license (one-year or
three-year license). After the license expires, the remote query service becomes unavailable.

5.4.2 Applying For and Activating a License Using the Web UI


This section describes how to apply for and activate a license.

Introduction to License
Only one activated license exists in the system. Activating a new license invalidates the original
one.
After you purchase or renew a license, you can use either of the following methods to activate
a license:
l Local manual activation
After you purchase or renew a license and obtain the license authorization certificate, apply
for and activate the license file manually.
l Automatic online activation
After you purchase or renew a license and obtain the license authorization certificate, obtain
the activation password. The device submits the activation password to the license center
website to automatically activate the license.
If you have not purchased a license, the system provides a two-month trial license that provides
such functions as antivirus, intrusion prevention, and URL remote query.

Manual Activation of the License


After you purchase or renew a license and obtain the license authorization certificate, you still
need to apply for a license file (*.dat) before you can use the function controlled by the license.
The file name extension of a license file is .dat.

Step 1 Obtain the activation password.


As shown in Figure 5-25, you can obtain the activation password from the license authorization
certificate in the delivery accessories.


NOTE

The license certificate is delivered with the product as a paper document (A4 size) or on a CD-ROM.

Figure 5-25 License certificate

Step 2 Obtain the ESN.


Choose System > Dashboard > Status. The ESN is the SN shown under System Information.
Step 3 Obtain the license file from the license self-service system.
Log in to http://app.huawei.com/isdp and obtain the license file by following the procedure in
the system help or the displayed information.

NOTE

To apply for the licenses of multiple devices, make sure that the entitlement ID corresponds to the ESN.
If you cannot obtain the license file, contact the local technical support personnel.

Step 4 You need to obtain a new license file if you want to expand the license capacity or use new
features that are subject to license control. In this case, follow the preceding steps to apply for
the new license.
The license center automatically combines the licenses for new features with the existing license,
and generates a new license.
Step 5 Log in to the web UI and choose System > License Management.
Step 6 Select Local Manual Activation from the License Activation Mode.
Step 7 Click Browse. Select the license file to be uploaded.
Step 8 Click Activate to activate the uploaded license file.

----End

Automatic Activation of the License


No license file (*.dat) needs to be applied for during automatic online activation.


NOTE

To implement online automatic activation, you need to configure the DNS server and enable the DNS
service.

Step 1 Obtain the activation password.

As shown in Figure 5-25, you can obtain the activation password from the license authorization
certificate in the delivery accessories.

NOTE

The license certificate is delivered with the product as a paper document (A4 size) or on a CD-ROM.

Figure 5-26 License certificate

Step 2 Log in to the web UI and choose System > License Management.

Step 3 Select Automatic Online Activation from the License Activation Mode.

Step 4 Enter License Center Domain Name and License Authorization Code.

The License Center Domain Name is sdplsp.huawei.com.

License Authorization Code: The entitlement ID is listed in the license authorization certificate.

Step 5 Click Activate, and the device automatically activates the license.

----End

Trial License
Step 1 Log in to the web UI and choose System > License Management.

Step 2 Select License trial use from the License Activation Mode.

Step 3 Click Activate to start to use the trial license.


You can click Stop Trial Use to stop the trial use and then click Activate to resume it. The time
during which the trial use is stopped will not be counted in the trial duration.

----End

5.4.3 Applying For and Activating a License Using the CLI


This section describes how to use the CLI to apply for and activate a license.

5.4.3.1 Applying For a License File


After you purchase or renew a license and obtain the license authorization certificate, you still
need to apply for a license file (*.dat) before you can use the function controlled by the license.

Procedure
Step 1 Obtain the activation password.

As shown in Figure 5-27, you can obtain the activation password from the license authorization
certificate in the delivery accessories.

NOTE

The license certificate is delivered with the product as a paper document (A4 size) or on a CD-ROM.

Figure 5-27 License certificate

Step 2 Obtain the ESN.

Log in to the device and run the display firewall esn command in any view to obtain the ESN.

Step 3 Obtain the license file.

Log in to http://app.huawei.com/isdp and obtain the license file by following the procedure in
the system help or the displayed information.


NOTE

To apply for the licenses of multiple devices, make sure that the activation password corresponds to the
ESN.
If the device that you have purchased is a BDL device with a bound license, you need to search for the
ESN when you apply for a license file from the self-service system.

Step 4 You need to obtain a new license file if you want to expand the license capacity or use new
features that are subject to license control. In this case, follow the preceding steps to apply for
the new license.
The license center automatically combines the licenses for new features with the existing license,
and generates a new license.

----End

5.4.3.2 (Optional) Obtaining the License revocation code


The license revocation code is obtained when a license is deactivated. This revocation code is
used when you apply for a new license after the existing license has been deactivated.

Context
In some cases, for example when moving a license between devices or when the original license
is incompatible with the upgraded device, you need to obtain a revocation code before applying
for a new license. Obtain the revocation code first, then use the revocation code and the ESN of
the device to apply for a new license file, and activate the new license file on the device during
the trial period.
The trial period of a license is 60 days, during which all functions and services controlled by the
license are available. You need to apply for and activate a new license within these 60 days.

NOTICE
Running the license revoke command puts the license file into the trial state. The trial period
is 60 days. When the trial period expires, services are interrupted. Exercise caution when you
run the license revoke command.

Procedure
Step 1 Access the system view.
system-view

Step 2 Obtain a revocation code.


license revoke

----End

5.4.3.3 Uploading a License File


Before activating a license, ensure that the license file has been saved in the default root directory
of the storage device of the NGFW.


Context
Before uploading the license file, run the dir command in the user view to query the storage
usage. Ensure that there is enough space to save the license file.

Procedure
Step 1 Check whether there is enough space to save the license file.
dir directory

Step 2 Upload the license file and save it in the default root directory.

The suffix of the license file is *.dat. The license file must be saved in the root directory of the
storage device.

For how to upload the license file and save it in the root directory, see 5.10.3.2 Configuring the
NGFW as an FTP Client.

----End

5.4.3.4 Activating a License


When the Equipment Serial Number (ESN) of the NGFW matches the license, you can activate
the license using the CLI.

Context

NOTICE
Only one activated license exists in the system. Activating a new license deactivates the original
one.

The license is activated only when the Equipment Serial Number (ESN) of the NGFW matches
the license file.

Procedure
Step 1 Access the system view.
system-view

Step 2 Activate the license file in either of the following ways:


l Online automatic activation: This method is recommended when the NGFW can connect
to the Internet.
1. Set the domain name of the License service center.
license-server domain domain-name

By default, the domain name of the License service center is sdplsp.huawei.com.


During the setting of the domain name of the License service center, configure the
DNS server and enable DNS services.
2. Activate the specified license online.


license online-active lac lac-code

l Local manual activation: This method is recommended when the device cannot connect to
the Internet. You must manually obtain a license file and upload it to the NGFW to activate
it.
license active file-name

After activating a license, you can run the display license command to view the information
about the license.

----End

5.4.3.5 Displaying Information About a License


You can run the display command to display the information about the license on a device.

Procedure
Step 1 Display the information about the activated license file, activation time, resources and functions
subject to the license, and expiration time.

display license

----End

5.4.3.6 Debugging a License


If a license is faulty, you can run the debugging command in the user view to display debugging
information for fault location and analysis.

Before debugging, run the terminal monitor and terminal debugging commands in the user
view to enable the display of logs, messages, and debugging messages on the terminal, so that
debugging messages can be seen.

NOTICE
Enabling the debugging function degrades system performance. Therefore, after debugging, run
the undo debugging all command immediately to disable the debugging function.

For the description of the debugging command, see Debugging Reference.

Table 5-14 lists the command for you to debug a license.

Table 5-14 Debugging a license

Action Command

Debug the license for the device. debugging license


5.4.4 Feature History


This section describes the versions and changes in the License feature.

Version Change Description

V100R001C30 Added the support of License trial use.

V100R001C00 The first version.

5.5 SNMP
The Simple Network Management Protocol (SNMP) is a network management protocol widely
used on TCP/IP networks. SNMP provides means to manage network elements (NEs) through
a central computer, that is, the network management system (NMS) in the network management
station (NM station) on which network management software is running. SNMP falls into three
versions, namely, SNMPv1, SNMPv2c, and SNMPv3. You can configure one or multiple
versions as required.

5.5.1 Overview
The Simple Network Management Protocol (SNMP) is a standard network management protocol
used on TCP/IP networks. Using SNMP, you can manage network elements on a central
computer that runs a network management software, which is also called the Network
Management Station (NM station).

The system for running SNMP consists of the NM station and the agent. SNMP defines how to
transmit management information between the NM station and the agent.

NM Station
The NM station is usually a PC on which the network management software runs.

The NM station has the following functions:

l Sends various request packets to network devices.


l Receives response packets and Trap messages from the managed devices and displays the
results.

Agent
The agent is a process that runs on the managed devices.

The agent has the following functions:

l Receives request packets from the NM station.


l Performs the Read or Write operation on management variables based on packet types and
generates and sends response packets to the NM station.


l Sends a Trap message to the NM station to report abnormal events, such as entering or
quitting the system view or restarting the system, once the trigger conditions configured on
each protocol module are met.

Relationship Between the NM Station and the Agent


Figure 5-28 shows the relationship between the NM station and the agent.

Figure 5-28 Schematic diagram of the SNMP architecture (diagram: the NM station sends
requests to the agent on UDP port 161 and receives responses; the agent sends traps to the NM
station on UDP port 162)

MIB
SNMP uses a hierarchical naming convention to identify each management variable and to
distinguish between managed objects. This hierarchical structure is similar to a tree with the
nodes representing managed objects. Figure 5-29 shows a managed object that can be identified
by the path from the root to the node representing the managed object.

Figure 5-29 MIB tree structure (diagram: a tree of numbered nodes containing managed objects
A and B)

In Figure 5-29, managed object B is represented by a string of digits similar to {1.2.1.1}. This
string is the Object Identifier of the managed object. The MIB describes the hierarchical structure
of the tree and is a definite collection of standard variables on monitored network devices.

SNMPv1
l Supports community-name-based access control.
l Supports MIB-view-based access control.


SNMPv2c
l Supports community-name-based access control.
l Supports MIB-view-based access control.

SNMPv3
SNMPv3 inherits the basic functions of SNMPv2c. SNMPv3 defines a management framework,
introduces the User Security Module (USM), and provides a more secure access mechanism for users.
l Supports user group.
l Supports user-group-based access control.
l Supports user-based access control.
l Supports authentication and encryption mechanisms.

NOTICE
SNMPv3 is recommended, because SNMPv3 is more secure than SNMPv1 or SNMPv2c.

5.5.2 Application Scenarios


This section describes the application scenarios of the Simple Network Management Protocol
(SNMP).

Applicable Environment
In a new network environment, you are advised to select an appropriate SNMP version as
required. In a network environment to be expanded or upgraded, you are advised to select a
proper SNMP version based on the NMS version to ensure proper communication between the
device and the NMS.

Table 5-15 SNMP application scenarios

SNMP Version Application Scenario

SNMPv1 SNMPv1 applies to small and simple networks, such as campus networks and small
enterprise networks.

SNMPv2c SNMPv2c applies to medium-sized and large networks where the security requirement
is not demanding or the network is secure, but the volume of traffic transmitted over the network
is heavy and congestion may occur. Using informs ensures that the messages sent from managed
devices are received by the NMS.

SNMPv3 SNMPv3 applies to networks of various scales, especially networks that have high
security requirements and can be managed only by authorized administrators, such as scenarios
where data between the NMS and managed devices must be transmitted over a public network.


Typical Application
As shown in Figure 5-30, the NMS manages devices through SNMP. By polling managed devices and
receiving the trap messages they send, the NMS learns the running status of the devices. Where the
Set operation is permitted, the NMS can also set device parameters.

Figure 5-30 SNMP applications

[Figure 5-30: the NMS queries and sets parameters on the managed device; the managed device returns
query replies and sends alarms (traps) to the NMS.]

5.5.3 Mechanism
This section describes the mechanism of the Simple Network Management Protocol (SNMP).

SNMP Development
SNMP is the network management protocol most widely used on TCP/IP networks. In May 1990, RFC
1157 defined the first version, SNMPv1. Together with RFC 1155, which defines the structure of
management information, RFC 1157 provides a systematic method for monitoring and managing
networks, and SNMP became the accepted standard for network management.
SNMPv1 was adopted rapidly in the early 1990s, but it has obvious weaknesses: it retrieves large
amounts of data inefficiently, and it has no identity authentication or privacy (encryption)
mechanism. Against this backdrop, SNMPv2, released by the Internet Engineering Task Force (IETF)
in 1993, provides the following features:
l Distributed network management
l Expanded data types
l Bulk data retrieval, which improves efficiency and performance
l Richer error reporting
l New centralized processing
l An enhanced data definition language
However, SNMPv2 did not meet all expectations, especially in security: identity authentication
(authentication of the message origin, message integrity checking, and replay prevention), privacy
encryption, authorization and access control, and remote security configuration and management
were all left unresolved. SNMPv2c, a revision of SNMPv2 released in 1996, delivers the enhanced
functions but keeps the weak community-based authentication, in which the community name travels
in plain text, so anyone who can capture a packet can reuse the name and impersonate the NMS.
In January 1998, the IETF SNMPv3 working group published RFC 2271 to RFC 2275, which define
SNMPv3. These documents specify an architecture that includes all the functions of SNMPv1 and
SNMPv2 plus new security mechanisms providing authentication and encryption, together with a
dedicated set of access control rules. That is, SNMPv3 adds security and management mechanisms on
top of SNMPv2.


SNMPv3 has a modularized design and facilitates the adding and modification of protocol
functions. SNMPv3 has the following features:

l Adaptability: You can use SNMPv3 to manage simple networks or complex networks.
l Expandability: You can add models as required.
l Security: SNMPv3 has multiple security models.

SNMPv3 has four major models:

l Message processing and control model: Defined in RFC 2272, this model generates and parses
SNMP messages and determines whether a message has to pass through a proxy on its way. On the
outbound side it receives protocol data units (PDUs) from the dispatcher and invokes the user-based
security model to add the security parameters to the message header. On the inbound side it accepts
incoming messages, invokes the user-based security model to process the security parameters in
the header, and hands the decapsulated PDU to the dispatcher.
l Local processing model: This model implements access control, encapsulates packets, and drops
packets that fail its checks. Access control is configured on the Agent per PDU type, so that the
management processes of a network management station (NM station) reach the Agent with different
permissions: you can restrict either the operations an NM station may send to the Agent or the part
of the Management Information Base (MIB) on the Agent that the NM station may reach. The access
control policy must be configured first; SNMPv3 then applies it according to the parameters
carried in each request.
l User-based security model: This model provides identity authentication and data encryption. For
both services the NM station and the Agent must hold the same key.
– Identity authentication: When the NM station receives a message from the Agent, it must
check that the message comes from a legitimate Agent and was not altered in transit; the Agent
does the same with messages from the NM station. RFC 2104 defines the hashed message
authentication code (HMAC), a construction that computes a message authentication code (MAC)
from a cryptographic hash function and a secret key. SNMPv3 uses either HMAC-MD5-96 or
HMAC-SHA-96: HMAC-MD5-96 uses MD5 as the hash function with a 128-bit authKey, HMAC-SHA-96
uses SHA-1 with a 160-bit authKey, and in both cases the MAC is truncated to 96 bits (12 octets)
before it is placed in the message. The key is derived from the user's password and then
localized with the Agent's engine ID, so each Agent holds a different key even when the same
password is used everywhere.
– Encryption: The privacy protocol defined in RFC 2274 is DES in cipher block chaining (CBC)
mode with a 128-bit privKey (the first 64 bits form the DES key, of which 56 are used, and the
remaining 64 bits seed the IV); RFC 3826 later added AES-128, which uses CFB mode rather than
CBC. The NM station encrypts the scoped PDU with the privKey and places the ciphertext in the
message; the Agent uses the same key to decrypt it and recover the PDU. As with authentication,
the NM station and the Agent must use the same key. The encryption algorithm available on this
product is the one listed in Table 5-17.
l View-based access control model: Defined in RFC 2275, the view-based access control model
implements view-based access control for user groups or community names. You configure a view
first and specify its permissions; you then attach the view when configuring a user, user group,
or community name to control read access, write access, or trap generation.
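The password-to-key and key localization steps just described, together with the 96-bit truncation of HMAC-MD5 and HMAC-SHA, as an added example. This is not code from the Huawei guide or from the product; it implements RFC 2274 (now RFC 3414) with the Python standard library only. The message layout is simplified to "header + 12-octet msgAuthenticationParameters field + payload" with the field offset passed in, because locating the field in a real message would require parsing the BER structure; the header and payload bytes in demo() are constructed, not captured.

```python
"""SNMPv3 USM keys: password-to-key, key localization, HMAC-MD5-96 / HMAC-SHA-96.

Added example, not code from the Huawei guide or the product. Implements
RFC 3414 appendix A.2 (key derivation) and section 6.3.1 (authentication).
"""
import hashlib
import hmac

ONE_MEGABYTE = 1_048_576
AUTH_PARAMS_LEN = 12                    # both HMAC-MD5-96 and HMAC-SHA-96 truncate to 96 bits
KEY_LENGTH = {"md5": 16, "sha1": 20}    # 128-bit authKey / 160-bit authKey


def password_to_key(password: bytes, algo: str) -> bytes:
    """Ku = H(password repeated cyclically to exactly 1 MiB). The repetition makes
    every password guess cost a 1 MiB hash, which slows offline brute force."""
    if not password:
        raise ValueError("password must not be empty")
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(password: bytes, engine_id: bytes, algo: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku). The NM station computes this per agent, so a
    key read out of one compromised agent does not open the others."""
    ku = password_to_key(password, algo)
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_params(kul: bytes, algo: str, zeroed_msg: bytes) -> bytes:
    """HMAC over the whole message with the parameters field set to 12 zero octets,
    truncated to its first 12 octets."""
    if len(kul) != KEY_LENGTH[algo]:
        raise ValueError("key length does not match the authentication protocol")
    return hmac.new(kul, zeroed_msg, algo).digest()[:AUTH_PARAMS_LEN]


def sign_message(kul: bytes, algo: str, msg: bytes, offset: int) -> bytes:
    """Sender side: msg must already contain 12 zero octets at `offset`."""
    if msg[offset:offset + AUTH_PARAMS_LEN] != bytes(AUTH_PARAMS_LEN):
        raise ValueError("msgAuthenticationParameters must be zeroed before signing")
    return msg[:offset] + auth_params(kul, algo, msg) + msg[offset + AUTH_PARAMS_LEN:]


def verify_message(kul: bytes, algo: str, msg: bytes, offset: int) -> bool:
    """Receiver side: take the MAC out, zero the field, recompute, compare in constant time."""
    received = msg[offset:offset + AUTH_PARAMS_LEN]
    zeroed = msg[:offset] + bytes(AUTH_PARAMS_LEN) + msg[offset + AUTH_PARAMS_LEN:]
    return hmac.compare_digest(received, auth_params(kul, algo, zeroed))


def demo(algo: str = "sha1") -> bool:
    """Constructed round trip: sign with the localized key, verify, then reject a tampered copy.
    Password and engine ID are the published RFC 3414 appendix A.3 test values."""
    engine_id = bytes.fromhex("000000000000000000000002")
    kul = localize_key(b"maplesyrup", engine_id, algo)
    header, payload = b"\x30HDR", b"scopedPDU"          # constructed placeholders, not real BER
    offset = len(header)
    signed = sign_message(kul, algo, header + bytes(AUTH_PARAMS_LEN) + payload, offset)
    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])  # flip one bit of the payload
    return verify_message(kul, algo, signed, offset) and not verify_message(kul, algo, tampered, offset)


if __name__ == "__main__":
    print(localize_key(b"maplesyrup", bytes.fromhex("000000000000000000000002"), "md5").hex())
    print("round trip ok:", demo("md5") and demo("sha1"))
```

The localization step is the security-relevant detail for an administrator: the NMS stores one password per user, but the key actually used on the wire differs per agent, so the engine ID of each NGFW must be known to the NMS (it is discovered automatically during the first exchange) and a key dumped from one device does not authenticate to another.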


Working Mechanism of SNMP


SNMP is an application-layer protocol of the TCP/IP suite; its messages are carried over UDP.

Three roles are defined for SNMP.

l NM station: sends query messages to the managed devices and receives trap messages from them.
l Managed device: the device managed by the NM station; it generates trap messages and sends them
to the NM station.
l Agent: a process on the managed device. The Agent has the following functions:
– Receives and parses query messages from the NM station.
– Reads or writes the management variables according to the message type, builds a response
message, and sends it to the NM station.
– When the alarm triggering condition defined by a protocol module is met, the module proactively
sends a trap message to the NM station through the Agent to report the event, for example entry
to or exit from the system view, or a device restart.

Figure 5-31 shows the relationship between the NM station and the Agent.

Figure 5-31 Schematic diagram of the SNMP structure

[Figure 5-31: the NM station (UDP port 162) sends a Request to the Agent (UDP port 161), and the
Agent returns a Response.]

The NM station manages device nodes through Get and Set operations handled by the Agent on the
managed device. Each node is uniquely identified by its object identifier in the MIB.

The following SNMP operations are available:

l The NM station obtains information about managed devices through operations, such as
Get, Get-Next, and Get-Bulk.
l The NM station uses the Set operation to configure the managed devices.
l The Agent proactively reports trap messages to the NM station, so that the NM station
obtains the operating statuses of the managed devices promptly for you to take proper
measures accordingly.

SNMP Operations
SNMP replaces the complicated command set with the Get-Set operation and delivers all
functions by using operations shown in Figure 5-32.


Figure 5-32 Schematic diagram of SNMP operations

[Figure 5-32: the NM station (UDP port 162) sends GetRequest, GetNextRequest, and SetRequest to the
Agent (UDP port 161); the Agent answers each with a GetResponse and sends Trap messages to the NM
station on its own initiative.]

NOTE

The Agent uses well-known port 161 to receive Get or Set packets, whereas the NM station uses well-
known port 162 to receive trap messages.

Table 5-16 shows the SNMP operations.

Table 5-16 Description of SNMP operations

Action | Function
GetRequest | The NM station sends a GetRequest message to the managed device to obtain the status of a functional node by reading a specific variable.
GetNextRequest | The NM station sends a GetNextRequest message to the managed device to obtain the status of the next functional node by reading the next variable in the MIB (the next OID in lexicographic order).
GetResponse | The managed device answers a GetRequest, GetNextRequest, or SetRequest message from the NM station.
GetBulk | Equivalent to executing GetNextRequest many times in one request. A GetBulk message is a request message that the NM station sends to the managed device (SNMPv2c and SNMPv3 only).
SetRequest | The NM station sends a SetRequest message to the managed device to set the values of variables and so change the status of a functional node.
Trap | The managed device proactively sends trap messages to the NM station to report events.
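The exchange in Figure 5-32 at the byte level, as an added example that is not code from this guide, the product, or any SNMP library: a minimal BER encoder for the SNMPv1/v2c GetRequest the NM station sends to port 161, and a decoder for the GetResponse that comes back. The layout follows RFC 1157 / RFC 1905; the GetResponse bytes are constructed inside the block, not captured from a device, and sysDescr.0 / sysUpTime.0 are the standard mib-2 objects.

```python
"""SNMPv1/v2c on the wire: BER-encode a GetRequest, parse a GetResponse.

Added example, not code from the Huawei guide or the product, and not a full
SNMP stack: just the RFC 1157 / RFC 1905 message layout behind Figure 5-32.
"""
TAG_INT, TAG_OCTETS, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
APP_INTS = (0x41, 0x42, 0x43, 0x46)  # Counter32, Gauge32, TimeTicks, Counter64
PDU_GET, PDU_GETNEXT, PDU_RESPONSE, PDU_SET = 0xA0, 0xA1, 0xA2, 0xA3
VERSION_V1, VERSION_V2C = 0, 1


def _length(n: int) -> bytes:
    """BER length: one byte below 128, else 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _length(len(content)) + content


def encode_int(value: int) -> bytes:
    """Two's-complement INTEGER in the minimum number of octets."""
    return _tlv(TAG_INT, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True))


def encode_oid(oid: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, remaining arcs base-128."""
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(TAG_OID, bytes(out))


def encode_message(version, community, pdu_tag, request_id, varbinds, status=0, index=0):
    """Message ::= SEQUENCE { version, community, PDU }; varbinds are (oid, value TLV) pairs."""
    vbl = b"".join(_tlv(TAG_SEQ, encode_oid(oid) + val) for oid, val in varbinds)
    pdu = encode_int(request_id) + encode_int(status) + encode_int(index) + _tlv(TAG_SEQ, vbl)
    return _tlv(TAG_SEQ, encode_int(version) + _tlv(TAG_OCTETS, community.encode()) + _tlv(pdu_tag, pdu))


def get_request(community, oids, request_id, version=VERSION_V2C) -> bytes:
    """The NM station's GetRequest to UDP port 161: each variable carries a NULL placeholder."""
    return encode_message(version, community, PDU_GET, request_id, [(o, _tlv(TAG_NULL, b"")) for o in oids])


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the element); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_value(tag: int, content: bytes):
    if tag == TAG_INT:
        return int.from_bytes(content, "big", signed=True)
    if tag in APP_INTS:
        return int.from_bytes(content, "big")
    if tag == TAG_OCTETS:
        return content.decode("latin-1")
    if tag == TAG_OID:
        return decode_oid(content)
    return None if tag == TAG_NULL else content  # IpAddress, Opaque, v2c exceptions: raw


def decode_message(buf: bytes) -> dict:
    """Split a v1/v2c message into version, community, PDU type, ids and variable bindings."""
    _, body, _ = _read_tlv(buf, 0)
    _, version, pos = _read_tlv(body, 0)
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    ints, pos = [], 0
    for _ in range(3):  # request-id, error-status, error-index
        _, raw, pos = _read_tlv(pdu, pos)
        ints.append(int.from_bytes(raw, "big", signed=True))
    _, vbl, _ = _read_tlv(pdu, pos)
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, oid, p = _read_tlv(vb, 0)
        vtag, vcontent, _ = _read_tlv(vb, p)
        varbinds.append((decode_oid(oid), decode_value(vtag, vcontent)))
    return {"version": int.from_bytes(version, "big"), "community": community.decode("latin-1"),
            "pdu": pdu_tag, "request_id": ints[0], "error_status": ints[1],
            "error_index": ints[2], "varbinds": varbinds}


def sample_response(request_id: int) -> bytes:
    """Constructed GetResponse carrying sysUpTime.0 (1.3.6.1.2.1.1.3.0) as TimeTicks."""
    return encode_message(VERSION_V2C, "public", PDU_RESPONSE, request_id,
                          [("1.3.6.1.2.1.1.3.0", _tlv(0x43, (12345).to_bytes(2, "big")))])
```

Printing get_request("public", ["1.3.6.1.2.1.1.1.0"], 1).hex() shows the point the comparison table makes about SNMPv1/v2c: the community string (here 70 75 62 6c 69 63, "public") sits in clear text right after the version byte, so any capture of management traffic gives it away. Sending the bytes needs only a UDP socket to port 161; the GetResponse carries the same request-id, which is how the NM station matches answers to requests.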

Management Model
In the SNMP management system, the NM station and the Agent exchange messages.

l The NM station, as the manager, sends SNMP request packets to the Agent.
l The Agent looks up the requested information in the MIB of the device and sends an SNMP
response packet to the NM station.
l When a module on the device meets the alarm triggering condition that the module defines, the
Agent sends a trap message to notify the NM station of the anomaly, so that the network
administrator can clear it in a timely manner.
Figure 5-33 shows the network management model.

Figure 5-33 Management model of SNMP

[Figure 5-33: the NMS communicates with the Agent on the managed device; the Agent accesses the
MIB, which describes the managed objects.]

MIB
To ensure that each management object in SNMP packets is uniquely identified, SNMP uses a
hierarchical naming scheme to identify a management object. Each managed resource is
expressed as a managed object. The MIB is a collection of managed objects. It defines a series
of attributes, such as the names, access permissions, and data types of the managed objects. The
MIB can also be regarded as an interface between the NM station and the Agent. With this
interface, the NM station has the permission to read or write into each managed object in the
Agent, therefore managing and monitoring devices.
The entire hierarchical structure is like a tree, and each node on the tree represents a managed
object. As shown in Figure 5-34, one path starting from the root can be used to uniquely identify
a managed object.

Figure 5-34 MIB tree structure

[Figure 5-34: a MIB tree whose branches are numbered; node B is reached from the root by the path
1.2.1.1.]


Managed object B is uniquely identified by a dotted sequence of digits, written in braces, for
example {1.2.1.1}. This sequence is the object identifier (OID) of the managed object. The MIB
describes the hierarchical structure of the tree; it is the set of standard variables defined for
the monitored network device.

You can use either a standard MIB or a user-defined MIB. The former reduces the cost of the Agent
components and even of the entire network management system (NMS).

The SNMP MIB is a tree, similar to the DNS hierarchy, with an unnamed root at the top. Figure 5-35
shows part of the MIB, which is also called the object naming tree.

Figure 5-35 Object naming tree structure

root (unnamed)
  ccitt(0)
  iso(1)
    standard(0)
    registration-authority(1)
    member-body(2)
    identified-organization(3)
      dod(6)
        internet(1)                      1.3.6.1
          directory(1)
          mgmt(2)
            mib-2(1)                     1.3.6.1.2.1
              system(1), interfaces(2), at(3), ip(4), icmp(5), tcp(6), udp(7), egp(8), ...
          experimental(3)
          private(4)
            enterprises(1)               1.3.6.1.4.1
          security(5)
          snmpV2(6)
  joint-iso-ccitt(2)

The object naming tree has three top-level objects: ccitt (ITU-T), iso, and joint-iso-ccitt, the
joint organization of the two. Object iso has four child nodes. The third (number 3) is
identified-organization, which has a child node numbered 6 named dod (Department of Defense).
Under dod is the internet node (number 1). The default accessible view, named ViewDefault, is the
internet subtree {1.3.6.1}.

The second node under internet is the management node mgmt, numbered 2. Below mgmt is the
management information base node, originally named mib. A new version, MIB-II, was defined in
1991, and the node is now named mib-2. Its identifier is {1.3.6.1.2.1}, or {internet(1).2.1};
this identifier is an object identifier.

The definition of the MIB is independent of the network management protocol. Device vendors define
their own MIB nodes, under the enterprises subtree {1.3.6.1.4.1}, according to the relevant
standards.


SMI
The Structure of Management Information (SMI) specifies the rules for naming MIB objects and for
defining their OIDs, object types, access levels, and statuses. Two SMI versions exist, SMIv1 and
SMIv2.

The following are the standard data types defined in the SMI.

l INTEGER
l OCTET STRING
l DisplayString
l OBJECT IDENTIFIER
l NULL
l IpAddress
l PhysAddress
l Counter
l Gauge
l TimeTicks
l SEQUENCE
l SEQUENCE OF

Comparison Among SNMP Versions

Table 5-17 Comparison among SNMP versions

Feature | SNMPv1 | SNMPv2c | SNMPv3
Access control | Community name-based access control | Community name-based access control | User- and user group-based access control
Authentication and encryption | Not supported | Not supported | Both supported. Authentication: MD5, SHA. Encryption: DES56
Error codes | 6 error codes | 16 | 16
Trap messages | Supported | Supported | Supported
Inform messages | Not supported | Supported | Not supported
GetBulk | Not supported | Supported | Supported

The preceding features are described as follows:

l Access control restricts what a user may do on the managed device. It lets a specified user
manage only specified nodes, which implements fine-grained management.
l With authentication and encryption, packets exchanged between the NM station and the managed
device are authenticated and encrypted, so a third party on the path can neither read nor tamper
with them. This is what makes SNMPv3 suitable for untrusted networks.
l Error codes identify specific fault symptoms and help administrators locate and troubleshoot
faults quickly; the more error codes a version defines, the more precisely a failure can be
reported.
l Traps are sent from the managed device to the NMS so that the administrator learns of device
anomalies promptly. Traps are unacknowledged: the managed device expects no reply from the NMS.
l Inform messages are also sent from the managed device to the NMS, but the NMS acknowledges each
one. If no acknowledgement is received, the managed device retransmits the inform and records a
notification log, so notifications sent while the NMS was down are delivered once it is back.
Unacknowledged informs are held in memory until they are acknowledged or the retransmission limit
is reached, which is why informs can consume more system resources than traps.
l GetBulk performs many Get-Next operations in a single request, which improves management
efficiency, especially on large networks.

5.5.4 Configuring SNMP Using the Web UI


This section describes how to use the Web UI to configure SNMP. After you configure SNMP,
the network management station (NMS) can monitor and manage the managed devices.

Step 1 Choose System > Setup > SNMP.

Step 2 Select Enable to the right of SNMP to enable SNMP.

Step 3 Set the parameters listed in Table 5-18 and Table 5-19 for connecting managed devices to the
NMS.

Step 4 Click Apply.


Table 5-18 Parameters for configuring SNMPv1 or SNMPv2c

Parameter: SNMP Version
Description: Select the SNMP version.
Value: Must match the version used by the peer NMS.

Parameter: SNMP Read-Only Community Name
Description: The managed devices use the community name to authenticate NMS users. If access
permissions are configured for all function modules on the managed devices and an NMS user
authenticates with the read-only community name, the user can only view the status of the
function modules.
Value: The read-only community name on the NMS must be the same as that on the managed devices;
otherwise the NMS cannot access them. To enhance security, the community name should contain at
least eight characters drawn from at least three of the following four groups: uppercase letters
(A to Z), lowercase letters (a to z), digits (0 to 9), and special characters such as exclamation
points (!), at signs (@), number signs (#), dollar signs ($), and percent signs (%). Treat the
community name as a password: it is carried in plain text in every SNMPv1 and SNMPv2c packet.

Parameter: SNMP Read-Write Community Name
Description: The managed devices use the community name to authenticate NMS users. If access
permissions are configured for all function modules on the managed devices and an NMS user
authenticates with the read-write community name, the user can modify the status of the function
modules, that is, configure the device.
Value: The read-write community name on the NMS must be the same as that on the managed devices;
otherwise the NMS cannot access them. The same complexity recommendation as for the read-only
community name applies: at least eight characters from at least three of the four character
groups. Because this name grants configuration access, never reuse the read-only name for it.

Parameter: Trap Receiving Host: Port: Security Name
Description: Trap receiving host: IP address of the host that receives trap packets. Port: UDP
port on the trap receiving host to which the device sends traps; set it only when the NMS listens
on a non-default port, for example because port 162 is already in use. Security Name: the security
name carried in trap packets, which the NMS uses to accept them; it must match the NMS
configuration (for SNMPv1 and SNMPv2c this is the community name).
Value: By default, the UDP port number is 162.

Parameter: Source Address of Trap Packets
Description: IP address of the source interface for sending trap messages. When multiple routes to
the NMS server exist, specifying a source interface ensures that trap messages always carry the IP
address of that interface, which helps administrators identify trap senders on the NMS server.
Value: -

Parameter: Device Location
Description: Location of the site where the managed devices reside. This helps administrators
locate faulty devices quickly.
Value: -

Parameter: Contact Information
Description: Contact information, such as a telephone number, of the maintenance engineer for the
managed devices.
Value: -

Table 5-19 Parameters for configuring SNMPv3

Parameter: SNMP Version
Description: Select the SNMP version.
Value: Must match the version used by the peer NMS.

Parameter: User Name
Description: User name with which an NMS user accesses the managed devices.
Value: The user name on the NMS must be the same as that on the managed devices.

Parameter: Authentication Password
Description: Password from which the authentication key is derived. Authentication ensures that
only administrators who hold the key can access the managed devices and that messages are not
altered in transit. Authentication alone suits networks that are reasonably secure but have
several administrators operating the device frequently.
Value: The authentication password on the NMS must be the same as that on the managed devices. To
enhance security, the password should contain at least eight characters drawn from at least three
of the following four groups: uppercase letters (A to Z), lowercase letters (a to z), digits (0 to
9), and special characters such as exclamation points (!), at signs (@), number signs (#), dollar
signs ($), and percent signs (%).
NOTE
If the NMS or the managed devices are on an insecure network (for example, one exposed to
attacks), enable both authentication and encryption, and use different authentication and
encryption passwords.

Parameter: Encryption Password
Description: Password from which the encryption key is derived. Encryption turns the SNMP payload
into cipher text to prevent interception of data and leakage of key information.
Value: The encryption password on the NMS must be the same as that on the managed devices. The same
complexity recommendation as for the authentication password applies: at least eight characters
from at least three of the four character groups.

Parameter: Trap Receiving Host: Port: Security Name
Description: Trap receiving host: IP address of the host that receives trap packets. Port: UDP
port on the trap receiving host to which the device sends traps; set it only when the NMS listens
on a non-default port, for example because port 162 is already in use. Security Name: the security
name carried in trap packets, which the NMS uses to accept them; it must match the NMS
configuration (for SNMPv3 this is the user name).
Value: By default, the UDP port number is 162.

Parameter: Source Address of Trap Packets
Description: IP address of the source interface for sending trap packets. When multiple routes to
the NMS server exist, specifying a source interface ensures that trap messages always carry the IP
address of that interface, which helps administrators identify trap senders on the NMS server.
Value: -

Parameter: Device Location
Description: Location of the site where the managed devices reside. This helps administrators
locate faulty devices quickly.
Value: -

Parameter: Contact Information
Description: Contact information, such as a telephone number, of the maintenance engineer for the
managed devices.
Value: -

----End

5.5.5 Configuring SNMP Using the CLI


This section describes how to configure SNMP using the CLI for the network management
system (NMS) to monitor and manage the managed devices.

5.5.5.1 Configuration Flow


This section describes the flow for configuring SNMP.

Figure 5-36 shows the flow for configuring SNMP.

NOTE

The flow below applies to SNMPv1, SNMPv2c, and SNMPv3. In practice the configuration steps differ by
version; see the steps that follow. Because the procedure for SNMPv3 differs significantly from
those for SNMPv1 and SNMPv2c, the configuration of basic functions and access permissions is
described separately for each.

NOTICE
SNMPv3 is recommended, because SNMPv3 is more secure than SNMPv1 or SNMPv2c.


Figure 5-36 SNMP configuration flow

[Figure 5-36: Start -> Configure basic SNMP functions -> optionally, Configure the device to send
alarms to the NMS and Configure interface index attributes -> End.]

After SNMP configuration is complete, any network management system (NMS) that meets the
requirements and uses the community name (SNMPv1 or SNMPv2c) or belongs to the user group (SNMPv3)
can monitor and manage the specified nodes on the NGFW.

Then perform the following operations as required:


l To have specified modules on the managed device send traps to the NMS, see 5.5.5.4
Configuring the Trap Function.
l To keep interface indexes stable across device restarts and interface re-creation, so that NMS
functions bound to specific interfaces, such as accounting and fault location, keep referring to
the right interface, see 5.5.5.5 Configuring Interface Index Persistence.

5.5.5.2 Configuring SNMPv1 or SNMPv2c


After basic SNMPv1 or SNMPv2c functions are configured, an NMS running SNMPv1 or
SNMPv2c can perform basic operations, such as Get and Set operations on a managed device.

Context
On small networks with few devices and a relatively secure environment (such as campus and
enterprise networks), SNMPv1 is sufficient for communication between the NMS and the devices.

On large networks with many devices, where security requirements are modest or the environment
(such as a VPN) is relatively secure but busy services may cause traffic congestion, SNMPv2c is
recommended.

NOTICE
SNMPv3 is recommended, because SNMPv3 is more secure than SNMPv1 or SNMPv2c. For
details, see 5.5.5.3 Configuring SNMPv3.


Procedure
Step 1 Access the system view.
system-view

Step 2 Optional: Enable the SNMP agent function.


snmp-agent

By default, the SNMP agent function is disabled. Running any command that begins with snmp-agent
enables it, so this step is optional.

Step 3 Enable SNMPv1 or SNMPv2c.


snmp-agent sys-info version { v1 | v2c }

By default, SNMPv3 is enabled.

The SNMP version must be the same as that of the NMS software.

After SNMPv1 is enabled on the managed device, and because SNMPv3 is enabled by default,
the device supports both SNMPv1 and SNMPv3. This means that the device can be monitored
and managed by NMSs running SNMPv1 or SNMPv3.

After SNMPv2c is enabled on the managed device, and because SNMPv3 is enabled by default,
the device supports both SNMPv2c and SNMPv3. This means that the device can be monitored
and managed by NMSs running SNMPv2c or SNMPv3.

When the snmp-agent sys-info version all command is executed, the managed device supports
all SNMP versions. That is, the NMS running SNMPv1, SNMPv2c, and SNMPv3 can monitor
and manage the device.

Step 4 Optional: Use an ACL to define the IP addresses of the NMSs allowed to manage the NGFW.
Perform this step when multiple NMSs use the same community name to manage the NGFW but only some
of them should be allowed to access the Viewdefault view (MIB object 1.3.6.1).
1. Create a basic ACL.
acl acl-number

2. Configure an ACL rule.


rule [ rule-id ] { deny | permit } source { source-ip-address source-wildcard | any }

NOTICE
If the IP address of an NMS that has been allowed to access the NGFW changes, update the address
in the ACL. Otherwise, the NMS can no longer access the NGFW.

Step 5 Optional: Permit or deny the MIB nodes managed by the NMS in the MIB view.

To enable the NMS to manage only the specified node on the NGFW, perform this step.

Create a MIB view and specify the object to be monitored and managed by the NMS.
snmp-agent mib-view { excluded | included } view-name oid-tree

By default, the view name is ViewDefault, and the OID is 1.3.6.1.


To let the NMS manage most MIB nodes on the NGFW, or to withdraw NMS access to only certain nodes
of an existing MIB view, use the excluded parameter to remove those nodes from the view.

To let the NMS manage only a few MIB nodes on the NGFW, or to grant NMS access to certain
additional nodes of an existing MIB view, use the included parameter to add those nodes. After the
configuration is complete, only the nodes included in the view are accessible to the NMS.

Step 6 Optional: Enable the SNMP community name complexity check function.
snmp-agent password complexity-check enable

This function is enabled by default.

Step 7 Set the read-only community name or the read-write community name of the NGFW, and
optionally bind the NMS ACL and the manageable view.
snmp-agent community { read | write } community-name [ mib-view view-name | acl acl-
number ]*

To enhance security, the community name should contain at least eight characters drawn from at
least three of the following four groups: uppercase letters (A to Z), lowercase letters (a to z),
digits (0 to 9), and special characters such as exclamation points (!), at signs (@), number signs
(#), dollar signs ($), and percent signs (%).

The community name on the NGFW must be the same as the one configured in the NMS software.

If a community name is set without a MIB view, an NMS using that community name can access all
objects in the Viewdefault view (MIB object 1.3.6.1).

Use the read parameter to grant the NMS read-only access to the specified view, for a
lower-privilege NMS administrator who only needs to read data.

Use the write parameter to grant the NMS read and write access to the specified view, for a
higher-privilege NMS administrator who also needs to change the configuration.

The ACL from Step 4 and the MIB view from Step 5 take effect only when you reference them here
with acl-number and view-name.

Step 8 Optional: Specify the device administrator's contact information or device location.
snmp-agent sys-info { contact contact | location location }

By default, the device administrator's contact information is R&D. The default location of the
NGFW is China.

This step is required when the NMS administrator needs to know equipment administrators'
contact information or location of the NGFW if the NMS manages multiple devices. This allows
the NMS administrator to quickly contact the device administrator for fault location and
rectification.

To configure both the equipment administrator's contact information and location of the
NGFW, you need to run the command twice to configure them separately.

Step 9 Optional: Set the maximum size of an SNMP packet that the NGFW can receive or send.
snmp-agent packet max-size byte-count

By default, the maximum size of an SNMP packet that the NGFW can receive or send is 1500
bytes.


After the maximum size is specified, the NGFW discards any SNMP packet that is larger than
the specified size. You need to set this value based on the size of an SNMP packet that the NMS
can process. Otherwise, the NMS cannot process any SNMP packets from the NGFW.

----End

Example
# Configure SNMPv2c for the NGFW, set the read-write community name to Admin@123,
allow the NMS at 10.1.1.2 to manage the system node on the NGFW, and deny the NMS at
10.1.1.1 from managing the system node on the NGFW.
<NGFW> system-view
[NGFW] snmp-agent sys-info version v2c
[NGFW] acl 2001
[NGFW-acl-basic-2001] rule 1 permit source 10.1.1.2 0
[NGFW-acl-basic-2001] rule 6 deny source 10.1.1.1 0
[NGFW-acl-basic-2001] quit
[NGFW] snmp-agent mib-view included sys system
[NGFW] snmp-agent community write Admin@123 mib-view sys acl 2001

After the NGFW is routable to the NMSs, the NMS at 10.1.1.2, which runs SNMPv2c and uses the
read-write community name Admin@123, can manage the system node on the NGFW.

5.5.5.3 Configuring SNMPv3


After basic SNMPv3 functions are configured, a network management system (NMS) running
SNMPv3 can perform basic operations, such as Get and Set operations on a managed device.

Context
SNMPv3 is recommended for the scenarios where the user network poses high requirements on
security and only legitimate administrators can manage network devices. For example, the
communication data between the NMS and the managed device needs to be transmitted over the
public network. The authentication and encryption functions of SNMPv3 secure transmitted data
and ensure proper communication between the NMS and the managed device.

Procedure
Step 1 Access the system view.
system-view

Step 2 Optional: Enable the SNMP agent function.
snmp-agent

By default, the SNMP agent function is disabled. Running any command that begins with
snmp-agent also enables the SNMP agent function. Therefore, this step is optional.

Step 3 Optional: Enable SNMPv3.


snmp-agent sys-info version v3

By default, SNMPv3 is enabled. Therefore, this step is optional.

Step 4 Optional: Use the ACL to define the IP address of the NMS allowed to manage the NGFW.

When multiple NMSs use the same SNMPv3 user group to manage an NGFW but only some of the
NMSs have the permission to access the Viewdefault view (MIB node 1.3.6.1), perform this
step.
1. Create a basic ACL.
acl acl-number

2. Configure an ACL rule.


rule [ rule-id ] { deny | permit } source { source-ip-address source-wildcard | any }

NOTICE
After an NMS is allowed to access the NGFW and the IP address of the NMS changes,
modify the setting of the IP address in the ACL. Otherwise, the NMS fails to access the
NGFW.

Step 5 Optional: Permit or deny the MIB nodes managed by the NMS in the MIB view.

To enable the NMS to manage only the specified node on the NGFW, perform this step.

Create a MIB view and specify the object to be monitored and managed by the NMS.
snmp-agent mib-view { excluded | included } view-name oid-tree

By default, an NMS has permissions to access the objects in the Viewdefault view (MIB object:
1.3.6.1).

To enable the NMS to manage most MIB nodes on the NGFW, or to block the NMS's access to only
certain nodes in the existing MIB view, use the excluded parameter to exclude these MIB nodes.

To enable the NMS to manage only a few MIB nodes on the NGFW, or to grant the NMS access to
certain nodes in the existing MIB view, use the included parameter to add these manageable MIB
nodes. After the configuration is complete, only these manageable MIB nodes are accessible to the
NMS.
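The included/excluded behaviour described above, as an added example that is not part of this guide or of Huawei's code: a small Python model of a MIB view that decides whether a polled OID is visible. The system and usmUser OIDs are the standard MIB-2 and SNMPv3 values; the precedence rule (the most specific matching subtree wins) is taken from RFC 3415 VACM, and assuming the NGFW applies the same rule is an assumption.

```python
"""Model of an SNMP MIB view built from included/excluded OID subtrees.

Added example, not Huawei code. Subtree precedence follows RFC 3415
VACM: the longest matching subtree decides; treating the NGFW the same
way is an assumption. An OID matched by no subtree is not visible.
"""
from typing import List, Optional, Tuple

# Standard OID prefixes used below. "system" is the node that the page's
# "snmp-agent mib-view included sys system" command refers to.
INTERNET = "1.3.6.1"              # root of the Viewdefault view named on the page
SYSTEM = "1.3.6.1.2.1.1"          # MIB-2 system group
USM_USER = "1.3.6.1.6.3.15.1.2"   # SNMPv3 usmUser subtree (holds user/key rows)


def parse_oid(oid: str) -> Tuple[int, ...]:
    """Turn a dotted OID string into a tuple of integers."""
    parts = oid.strip(".").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed OID: {oid!r}")
    return tuple(int(p) for p in parts)


class MibView:
    """A named view made of included and excluded OID subtrees."""

    def __init__(self, name: str):
        self.name = name
        # (subtree prefix, included?) in configuration order
        self.subtrees: List[Tuple[Tuple[int, ...], bool]] = []

    def included(self, oid_tree: str) -> "MibView":
        self.subtrees.append((parse_oid(oid_tree), True))
        return self

    def excluded(self, oid_tree: str) -> "MibView":
        self.subtrees.append((parse_oid(oid_tree), False))
        return self

    def allows(self, oid: str) -> bool:
        """True if the most specific subtree matching `oid` is an included one."""
        target = parse_oid(oid)
        best: Optional[Tuple[Tuple[int, ...], bool]] = None
        for prefix, inc in self.subtrees:
            if target[: len(prefix)] == prefix:
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, inc)
        return best is not None and best[1]


def visible_oids(view: MibView, oids: List[str]) -> List[str]:
    """Filter a list of OIDs down to those the view exposes to the NMS."""
    return [o for o in oids if view.allows(o)]


# The view from the page's example: only the system node is manageable.
SYS_VIEW = MibView("sys").included(SYSTEM)

# The "excluded" pattern from the text: manage everything under internet
# except the SNMPv3 user table.
NO_USM_VIEW = MibView("nousm").included(INTERNET).excluded(USM_USER)

# Constructed sample OIDs an NMS might poll (not taken from the guide).
SAMPLE_OIDS = [
    "1.3.6.1.2.1.1.5.0",         # sysName.0
    "1.3.6.1.2.1.2.2.1.10.1",    # ifInOctets.1
    "1.3.6.1.6.3.15.1.2.2.1.3",  # usmUserSecurityName column
]

if __name__ == "__main__":
    for view in (SYS_VIEW, NO_USM_VIEW):
        print(view.name, visible_oids(view, SAMPLE_OIDS))
```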

Step 6 Configure an SNMP user group and reference the ACL and MIB view to enable the specified
user group to manage the specified MIB nodes on the NGFW.
snmp-agent group v3 group-name [ read-view read-view | write-view write-view | notify-view notify-view ]* [ acl acl-number ]

A user group is a collection of users with certain permissions, such as the permission on a certain
view.

NOTE

If the NMS or NGFWs are on an insecure network (for example, one exposed to attacks), you are
advised to configure the privacy parameter in the command to enable data authentication and
encryption, and to configure different authentication and encryption passwords for the user.

The available authentication and encryption modes are as follows:


l No authentication and no encryption: authentication and privacy are not configured in the
command. This mode applies to secure networks managed by specified administrators.
l Authentication but no encryption: Only authentication is configured in the command. This
mode applies to secure networks managed by multiple administrators who may frequently
perform operations on the same device. In this mode, only the authenticated administrators
can operate the managed device.
l Authentication and encryption: privacy is also configured in the command. This mode
applies to insecure networks managed by multiple administrators who may frequently
perform operations on the same device. In this mode, only the authenticated administrators
can access the managed device, and transmitted data is encrypted to avoid data interception
and data leak.

To grant the read-only permission (for a low-level administrator) to the NMS in the specified
view, use parameter read-view. To grant the read-write permission (for a high-level
administrator) to the NMS in the specified view, use parameter write-view.

To filter out useless alarms, use parameter notify-view notify-view to limit the MIB nodes that
send alarms to the NMS. Then the NGFW sends the alarms from only the MIB nodes that are
specified by parameter notify-view to the NMS.

After you configure the user group, run the snmp-agent usm-user command to add a user to
the user group. Then the NMS can access the NGFW with the user name after authentication
and authorization.

Step 7 Optional: Enable authentication and encryption password complexity checks for SNMP users.
snmp-agent password complexity-check enable

This function is enabled by default.

Step 8 Configure an SNMP user and add the user to the user group that is created by the snmp-agent
group command.
snmp-agent usm-user v3 user-name group-name [ authentication-mode { md5 | sha } password [ privacy-mode { des56 | aes128 } password ] ]

The user name, password, and authentication and encryption modes must be the same as those
configured on the NMS.

To enhance security, the password is suggested to contain a minimum of eight characters,
including at least three types of the following characters: uppercase letters (A to Z), lowercase
letters (a to z), digits (0 to 9), and special characters, such as exclamation points (!), at signs (@),
number signs (#), dollar signs ($), and percent (%).

After authentication and encryption are enabled for the user group, users must select a proper
mode to authenticate and encrypt data for transmission and configure different authentication
and encryption passwords.

l Authentication mode
– Message Digest 5 (MD5): generates a 128-bit message digest for an input message of any
length.
– Secure Hash Algorithm (SHA-1): generates a 160-bit message digest for an input message
of less than 2^64 bits.
MD5 is faster than SHA-1, but is considered less secure.
l Encryption mode
– DES56: uses a 56-bit key to encrypt a plaintext block.
– AES128: uses a 128-bit key to encrypt a plaintext block.
DES56 is less secure, and AES128 is recommended.
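As an added example (not Huawei's code or this guide's) covering both the password recommendation in Step 8 and the authentication and encryption modes above: the complexity rule as a function, plus the RFC 3414 derivation that turns a user's password into the MD5 or SHA-1 key the agent actually stores, localized with the agent's engine ID and truncated to the DES56 or AES128 key length. The password and engine ID used in the demonstration are the RFC 3414 Appendix A test vector, not values from this guide; that the NGFW follows the RFC derivation exactly is an assumption.

```python
"""SNMPv3 USM password handling: complexity check and key localization.

Added example, not Huawei code. Assumes the NGFW derives USM keys as
RFC 3414 specifies: password -> Ku -> Kul (mixed with the engine ID).
"""
import hashlib
import string

MEGABYTE = 1048576  # RFC 3414 A.2: hash exactly 1 MiB of the repeated password
SPECIALS = set(string.punctuation)  # covers the ! @ # $ % listed in the guide


def password_is_complex(password: str) -> bool:
    """Apply the guide's recommendation: >= 8 chars, >= 3 of the 4 classes."""
    if len(password) < 8:
        return False
    classes = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIALS for c in password),
    )
    return sum(classes) >= 3


def _hasher(algo: str):
    """Map the CLI authentication-mode keyword to a hash constructor."""
    if algo == "md5":
        return hashlib.md5   # 128-bit digest, as the guide states
    if algo == "sha":
        return hashlib.sha1  # 160-bit digest (SHA-1)
    raise ValueError("authentication-mode must be md5 or sha")


def password_to_ku(password: str, algo: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated to fill 1 MiB)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (MEGABYTE // len(pw) + 1))[:MEGABYTE]
    return _hasher(algo)(stream).digest()


def localize_key(ku: bytes, engine_id_hex: str, algo: str) -> bytes:
    """RFC 3414 section 2.6: Kul = H(Ku || snmpEngineID || Ku).

    Mixing in the engine ID means the same password yields a different
    stored key on every agent, so one agent's key does not work elsewhere.
    """
    engine_id = bytes.fromhex(engine_id_hex)
    return _hasher(algo)(ku + engine_id + ku).digest()


def privacy_key(kul: bytes, privacy_mode: str) -> bytes:
    """Truncate a localized key to the cipher's key length.

    RFC 3414 8.1.1.1 uses the first 8 octets for DES (56 effective bits);
    RFC 3826 3.1.2.1 uses the first 128 bits of Kul for AES-128.
    """
    if privacy_mode == "des56":
        return kul[:8]
    if privacy_mode == "aes128":
        return kul[:16]
    raise ValueError("privacy-mode must be des56 or aes128")


def usm_keys(password: str, engine_id_hex: str, algo: str, privacy_mode: str) -> dict:
    """Derive what an agent stores for one snmp-agent usm-user entry."""
    ku = password_to_ku(password, algo)
    kul = localize_key(ku, engine_id_hex, algo)
    return {
        "policy_ok": password_is_complex(password),
        "ku": ku.hex(),
        "kul": kul.hex(),
        "priv": privacy_key(kul, privacy_mode).hex(),
    }


if __name__ == "__main__":
    # RFC 3414 Appendix A test vector (constructed input, not from the guide).
    for algo in ("md5", "sha"):
        print(algo, usm_keys("maplesyrup", "000000000000000000000002", algo, "aes128"))
```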

When authentication and encryption are disabled for the user group and the parameters are
specified using this command, no encryption and authentication parameters are required for the
NMS to connect to the NGFW.

NOTE

l User groups with the same name can be configured. These user groups may adopt different authentication
modes (authentication and encryption, authentication and non-encryption, or non-authentication and non-
encryption). User selection (such as using the MIB tool) determines the actual authentication mode.
l When user groups with the same name exist, one user group may be mistakenly configured with an
unexpected authentication mode. Non-authentication and non-encryption pose security risks.

Step 9 Optional: Specify the device administrator's contact information or device location.
snmp-agent sys-info { contact contact | location location }

This step is required when the NMS administrator needs to know the device administrators'
contact information or location of the NGFW if the NMS manages multiple devices. This allows
the NMS administrator to quickly contact the device administrators for fault location and
rectification.

To configure both the equipment administrator's contact information and location of the
NGFW, you need to run the command twice to configure them separately.

Step 10 Optional: Set the maximum size of an SNMP packet that the NGFW receives or sends.
snmp-agent packet max-size byte-count

By default, the maximum size of an SNMP packet that the NGFW receives or sends is 1500
bytes.

After the maximum size is specified, the NGFW discards any SNMP packet that is larger than
the specified size. You need to set this value based on the size of an SNMP packet that the NMS
can process. Otherwise, the NMS cannot process the SNMP packets from the NGFW.

----End

Example
# Configure SNMPv3 for the NGFW, create user Testuser in user group Testgroup, enable SHA
authentication and AES128 encryption for the user, allow the NMS at 10.1.1.2 to manage the
NGFW, and deny the NMS at 10.1.1.1 from managing the NGFW.
<NGFW> system-view
[NGFW] snmp-agent sys-info version v3
[NGFW] acl 2001
[NGFW-acl-basic-2001] rule 1 permit source 10.1.1.2 0
[NGFW-acl-basic-2001] rule 6 deny source 10.1.1.1 0
[NGFW-acl-basic-2001] quit
[NGFW] snmp-agent mib-view included sys system
[NGFW] snmp-agent group v3 Testgroup privacy write-view sys acl 2001
[NGFW] snmp-agent usm-user v3 Testuser Testgroup authentication-mode sha Password@123 privacy-mode aes128 Password@123

After you connect the NMSs to the NGFW, select SNMPv3 as the SNMP version, and configure
the user and authentication parameters on the NMSs, the NMS at 10.1.1.2, which is a member
of user group Testgroup, can manage the system node of the NGFW.

5.5.5.4 Configuring the Trap Function


(Optional) This section describes how to configure the trap function for the managed NGFWs
to send trap messages to the network management system (NMS) for fault location.

Context
NOTE

The NGFW sends Inform messages only when it uses SNMPv2c to communicate with the NMS.

Differences between trap messages and Inform messages are as follows:


l When the NGFW sends a trap message, the NMS does not need to reply with an
acknowledgment.
l When the NGFW sends an Inform message, the NMS must reply with an acknowledgment.
If no reply is received within the timeout period, the managed device retransmits the Inform
message until the number of retransmissions reaches the configured threshold.
Based on the comparison, Inform messages are more reliable than trap messages. However, the
retransmission mechanism requires the managed device to cache a large number of messages,
which consumes considerable memory. You are advised to use trap messages when networks are
stable and use Inform messages when device resources are sufficient but networks are unstable.

Procedure
Step 1 Enable the information center (enabled by default).
1. Access the system view.
system-view

2. Enable the information center.


info-center enable

Step 2 Send trap messages to the SNMP Agent. (By default, trap messages are sent to the SNMP Agent,
and the information level is informational.)
1. Add traps to the information channel.
info-center source { module-name | default } channel { channel-number | channel-name } [ trap { state { off | on } | level severity } * ]

2. Output information to the SNMP Agent.


info-center snmp channel { channel-number | channel-name }

Step 3 Enable the trap function.


snmp-agent trap enable [ configuration | ipsec | l2tp | standard [ authentication | coldstart | warmstart | linkup | linkdown ] | system ]

The snmp-agent trap enable command without any parameter enables all modules to send all
types of SNMP trap messages.
Step 4 Set trap parameters. For details on how to set trap parameters, see Setting trap parameters.
For details on how to set Inform parameters, see Setting Inform parameters.
l Set trap parameters.
Specify the destination host which receives error code and trap messages.
snmp-agent target-host trap address udp-domain ip-address [ udp-port port-number ] [ vpn-instance vpn-instance-name ] params securityname security-string [ v1 | v2c | v3 [ authentication | privacy ] ]

Use proper parameters according to the following descriptions:


– The default destination UDP port is 162. In some special cases (for example, port
mapping is configured to prevent a well-known port from being attacked), you can set
udp-port to an ephemeral UDP port. This ensures proper communication between the
NMS and the NGFW.
– If the NGFW sends trap messages to the NMS over the public network, you do not need
to specify parameter vpn-instance vpn-instance-name. If the NGFW sends trap
messages to the NMS over a private network, you can use parameter vpn-instance vpn-
instance-name to specify the VPN instance to be traversed.
– Parameter securityname identifies the trap sender, which helps you learn the trap
source.
l Set Inform parameters.

1. Specify the destination host which receives error code and Inform messages.
snmp-agent target-host inform address udp-domain ip-address [ udp-port port-number ] [ vpn-instance vpn-instance-name ] params securityname security-string v2c

Use proper parameters according to the following descriptions:


– The default destination UDP port is 162. In some special cases (for example, port
mapping is configured to prevent a well-known port from being attacked), you
can set udp-port to an ephemeral UDP port. This ensures proper communication
between the NMS and the NGFW.
– If the NGFW sends Informs to the NMS over the public network, you do not need
to specify parameter vpn-instance vpn-instance-name. If the NGFW sends
Informs to the NMS over a private network, you can use parameter vpn-
instance vpn-instance-name to specify the VPN instance to be traversed.
– Parameter securityname identifies the Inform sender, which helps you learn the
Inform source.
2. Optional:
Set the timeout for Inform acknowledgement, Inform retransmission attempts, and
maximum number of the Informs to be acknowledged.
snmp-agent inform { timeout seconds | resend-times times | pending number } *

The default timeout for Inform acknowledgement is 15 seconds, the default number
of Inform retransmission attempts is 3, and the default maximum number of the
Informs to be acknowledged is 39.
Note that the command is used to set global Inform parameters. If both the global
Inform parameters and Inform parameters of a specified host are configured, the latter
takes effect for the specified host.
If the current network is unstable, you need to extend the timeout and increase Inform
retransmission attempts and the maximum number of the Informs to be acknowledged.
You are advised to set the number of Inform retransmission attempts to a value equal
to or less than 10. Otherwise, the performance of the NGFW may deteriorate.
3. Optional:
Set the timeout for Inform acknowledgement and Inform retransmission attempts for
a specific host.

snmp-agent inform { timeout seconds | resend-times times } * address udp-domain ip-address [ vpn-instance vpn-instance-name ] params securityname security-name

The default timeout for Inform acknowledgement is 15 seconds, and the default
number of Inform retransmission attempts is 3.
Note that this command is used to set the Inform parameters of a specific host. If both
the global Inform parameters and Inform parameters of a specified host are configured,
the latter takes effect for the specified host.
If the current network is unstable, you need to extend the timeout and increase Inform
retransmission attempts.
You are advised to set the number of Inform retransmission attempts to a value equal
to or less than 10. Otherwise, the performance of the NGFW may deteriorate.
4. Optional:
Enable the notification log function.
snmp-agent notification-log enable

The notification log function is disabled by default. If this function is disabled, the NMS
cannot synchronize the trap messages that it did not receive after it reconnects to the NGFW.
Only Inform messages need to be logged, and they are logged when either of the
following conditions is met:
– No Inform acknowledgment is received after the Inform retransmission attempts
hit the threshold in the pending queue.
– When the number of Inform messages exceeds the maximum number of Inform
messages that can be stored in the pending queue, follow-up Inform messages are
discarded.
5. Optional:
Set the aging time of notification logs and the maximum number of the notification
logs stored in the log buffer.
snmp-agent notification-log { global-ageout ageout | global-limit limit } *

The default aging time of a notification log is 24 hours. After 24 hours, the notification
log is automatically deleted.
The log buffer stores a maximum of 500 notification logs by default. If the actual
number exceeds the threshold, earlier excess notification logs are deleted.
When the system memory is insufficient, you can set a relatively short aging time so that
resources are released automatically.
The larger the number of notification logs that the log buffer can store, the more memory the
buffer consumes. Therefore, adjust the value based on system performance specifications and
the actual resource consumption of the running services.
Step 5 Optional: Set the common parameters of alarm packets.
These parameters apply to both trap and Inform messages.
1. Specify the source interface for the sending of trap messages.
snmp-agent trap source interface-type interface-number

After you specify the source interface, the IP address of the source interface serves as the
IP address from which the trap messages are sent.

If multiple routes to the NMS are available, you can specify the source interface to ensure
that the source IP address of the trap messages is the IP address of a fixed interface. This
helps you identify the NGFW that sends the traps to the NMS.

The status of link-layer protocols is Up once the loopback interface is created. To ensure
device reliability, you are advised to set the source IP address for the sending of trap
messages to the local loopback address.
2. Set the queue length of the trap messages destined for a destination host.
snmp-agent trap queue-size size

The default queue length is 100.

To ensure that the NMS can receive traps, determine the trap queue length based on the
number of generated traps. If the NGFW generates traps frequently, you need to extend the
queue length to avoid trap loss.
3. Set the time for reserving traps.
snmp-agent trap life seconds

Trap messages are reserved for 300 seconds by default before they are deleted.

To ensure that the NMS can receive traps, determine the time for reserving trap messages
based on the number of generated traps. If the NGFW sends traps frequently, you need to
run this command to extend the time to avoid trap loss.

----End

Example
# The NGFW uses SNMPv2c to send Inform messages to the NMS. The notification log function
is enabled. Other parameters use the default values.
<NGFW> system-view
[NGFW] snmp-agent trap enable
[NGFW] snmp-agent target-host inform address udp-domain 10.1.1.2 params securityname V2user@123 v2c
[NGFW] snmp-agent notification-log enable

# The NGFW uses SNMPv1 to send trap messages to the NMS. Other parameters use the default
values.
<NGFW> system-view
[NGFW] snmp-agent trap enable
[NGFW] snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname V1user@123 v1

# The NGFW uses SNMPv3 to send trap messages to the NMS. Other parameters use the default
values.
<NGFW> system-view
[NGFW] snmp-agent trap enable
[NGFW] snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname V3user@123 v3

5.5.5.5 Configuring Interface Index Persistence


(Optional) In certain application scenarios, such as interface-based charging, the interface index
must be fixed and immune to the adding or deleting of interfaces, system restart, or the change
of software/hardware configurations. In this case, you can configure interface index persistence
to meet the requirements.

Context
The interface index is a number that identifies a physical interface or logical interface. On the
NMS client, you can check the ifindex attribute of each interface. In general, the interface index
dynamically changes. For example, during the device restart, or the change of hardware/software
configurations, the interface index may change. In certain application scenarios, the interface
index value must be fixed and immune to the adding or deletion of interfaces, system restart, or
the change of software/hardware configurations.

NOTICE
After interface index persistence is enabled, the indexes of all the existing interfaces and newly
created interfaces are fixed. Before restarting the system, run the save command to save interface
configurations. Otherwise, the interface indexes change after the system restart.

Procedure
Step 1 Access the system view.
system-view

Step 2 Enable interface index persistence.


ifindex constant

Step 3 Set the maximum number of interfaces with fixed indexes.


set constant-ifindex max-number number

The default maximum number of interfaces with fixed indexes is 131,070. If the number of the
interfaces with fixed indexes is 0, interface index persistence is disabled.

Frequently adding and deleting interfaces results in oversized index files. These files are stored
on the NGFW and consume system resources. To limit the size of interface index files, you can
set the maximum number of interfaces with fixed indexes. After you specify this parameter, the
system fixes interface indexes within the specified range. If this number is smaller than the
number of existing interfaces with fixed indexes, the system assigns fixed indexes to interfaces
within the specified range based on their startup time. The indexes of excessive interfaces are
fixed.

Step 4 Set the memory distribution mode for the subinterface index.
set constant-ifindex subinterface { dense-mode | sparse-mode }

When a subinterface is created, the system generates an index image file for the subinterface in
the memory based on the specified mode. You may use different subinterface numbering modes,
such as continuous or discontinuous distribution numbering. In practice, one of the following
distribution modes can be used as required:

l Sparse mode: applies to discontinuous subinterface numbering.


l Dense mode: applies to continuous subinterface numbering.

----End

Follow-up Procedure
Run the display constant-ifindex configuration command to display the status and
configuration of interface index persistence.
<sysname> display constant-ifindex configuration
ifindex constant : Enable
ifindex max-number : 65535
current ifindex subinterface mode : sparse-mode
next ifindex subinterface mode : sparse-mode

5.5.5.6 Displaying SNMP Configurations


After configuring SNMP, you can run the display commands in any view to display the
configurations.

Table 5-20 Checking SNMP configurations

Action: Display the current community name.
Command: display snmp-agent community

Action: Display the SNMP version.
Command: display snmp-agent sys-info version

Action: Display the administrator's contact information.
Command: display snmp-agent sys-info contact

Action: Display the device location.
Command: display snmp-agent sys-info location

Action: Display the information about the MIB view.
Command: display snmp-agent mib-view

Action: Display the information about the target host.
Command: display snmp-agent target-host

Action: Display global Inform parameters or the Inform parameters of the specified target host, and host statistics.
Command: display snmp-agent inform [ address udp-domain ip-address [ vpn-instance vpn-instance-name ] params securityname security-name ]

Action: Display notification logs in the log buffer.
Command: display snmp-agent notification-log [ info | logtime starttime to endtime | size size ]

Action: Display the configuration of interface index persistence.
Command: display constant-ifindex configuration

Action: Display the information about an SNMPv3 user.
Command: display snmp-agent usm-user [ engineid engineid | group group-name | username user-name ]*

Action: Display USM-based group information.
Command: display snmp-agent group

Action: Display the engine ID of the local or remote SNMP entity.
Command: display snmp-agent { local-engineid | remote-engineid }

Action: Display SNMP packet statistics.
Command: display snmp-agent statistics

5.5.5.7 Debugging SNMP


When faults occur on the SNMP module, you can run the debugging commands in the user view
to display the debugging messages and locate and analyze the faults.
Before the debugging, run the terminal monitor and terminal debugging commands in the
user view to enable the display of logs, traps, and debugging messages on the terminal.

NOTICE
Enabling the debugging function compromises system performance. After the debugging, run
the undo debugging all command immediately to disable the debugging function.

For details on how to enable a debugging function, see Information Center Configuration.
For the description of debugging commands, refer to the Debugging Reference.
Table 5-21 lists the command for debugging SNMP.

Table 5-21 Debugging SNMP

Action: Debug SNMP.
Command: debugging snmp-agent { header | packet | process | trap | event }

5.5.6 Configuration Examples


This section describes how to configure SNMP.

5.5.6.1 Example for Configuring the Communication Between the NGFW and the
NMS Through SNMPv1
This section provides an example for configuring the communication between the NGFW and
the NMS through SNMPv1.

Networking Requirements

NOTICE
SNMPv3 is recommended, because SNMPv3 is more secure than SNMPv1 or SNMPv2c. For
details, see 5.5.6.3 Example for Configuring the Communication Between the NGFW and
the NMS Through SNMPv3.

As shown in Figure 5-37, two NMSs are connected to the NGFW over the Internet. According
to service requirements, only NMS2 can manage the system node on the NGFW.
For NMS2 to manage the NGFW and to facilitate fault location based on trap messages and
avoid interference by excessive useless trap messages, only the modules enabled by default can
send trap messages to NMS2.
Because the NMS administrator is far away from the NGFW, you need to configure the contact
information of the device administrator, so that the NMS administrator can contact the device
administrator in time upon the occurrence of faults for rapid fault location and rectification.

Figure 5-37 Networking diagram of configuring communication between the NGFW and the
NMS through SNMPv1 (diagram not reproduced: NMS1 at 10.1.1.1/24 and NMS2 at 10.1.1.2/24
reach the NGFW over an IP network; the NGFW interface GE1/0/1 has address 10.1.2.1/24)

Configuration Roadmap
The configuration roadmap is as follows:
1. Set basic parameters for the interfaces, including the IP address, security zone to which the
interface is assigned, and routes.
2. Configure basic SNMP functions, including enabling SNMP Agent and setting the SNMP
version and community name.
3. Configure access permissions to prevent NMS1 from managing the NGFW and allow
NMS2 to manage only the system node on the NGFW.
4. Configure the trap function to enable the NGFW to send trap messages to the NMS.
5. Configure administrator's contact information.
6. Configure NMSs.

Procedure
Step 1 Set basic parameters on the NGFW.
# Set an IP address for interface GigabitEthernet 1/0/1.
<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 10.1.2.1 24
[NGFW-GigabitEthernet1/0/1] quit

# Configure routes to ensure that NMSs are routable to the NGFW. (Details are omitted.)

NOTE
After the previous configurations, run the display ip interface brief and display ip routing-table commands
to check whether the basic parameters of the NGFW are correctly specified.

Step 2 Configure basic SNMP functions.

# Enable the SNMP Agent.


[NGFW] snmp-agent

# Set the SNMP version to SNMPv1.


[NGFW] snmp-agent sys-info version v1

# Set the community name.


[NGFW] snmp-agent community read Public&123
[NGFW] snmp-agent community write Private&123

Step 3 Configure access permissions to allow NMS2 to manage only the system node on the NGFW.

# Configure an ACL to allow NMS2 to manage the system node on the NGFW and prevent
NMS1 from managing the NGFW.
[NGFW] acl 2001
[NGFW-acl-basic-2001] rule 1 permit source 10.1.1.2 0
[NGFW-acl-basic-2001] rule 6 deny source 10.1.1.1 0
[NGFW-acl-basic-2001] quit

# Configure the MIB view to allow NMS2 to manage only the system node on the NGFW.
[NGFW] snmp-agent mib-view included sys system

# Set the community name and reference the ACL and MIB view.

NOTE
The community name must be the same as that specified on the NMS. Otherwise, the connection fails.
[NGFW] snmp-agent community write Private&123 mib-view sys acl 2001

Step 4 Configure the trap function.

# Enable the information center (enabled by default).


[NGFW] info-center enable

# Configure the channel for outputting trap information and module information. (By default,
trap information can be sent to the SNMP Agent and the information level is informational.)
[NGFW] info-center source ip channel channel7 trap level informational state on
[NGFW] info-center snmp channel channel7

# Create a loopback interface.

NOTE

The status of link-layer protocols is Up once the loopback interface is created. Therefore, to ensure device
reliability, you are advised to set the source IP address for the sending of trap messages to the local loopback
address.
[NGFW] interface LoopBack 0
[NGFW-LoopBack0] ip address 10.1.1.1 24
[NGFW-LoopBack0] quit

# Enable the trap function and set the target host, source IP address, and the queue length and
time for reserving trap messages.

[NGFW] snmp-agent trap enable


[NGFW] snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname Private&123
[NGFW] snmp-agent trap source LoopBack0
[NGFW] snmp-agent trap queue-size 200
[NGFW] snmp-agent trap life 60

Step 5 Configure the administrator's contact information.


[NGFW] snmp-agent sys-info contact mail Operator at someone@huawei.com

Step 6 Configure NMSs.


You can configure NMSs by referring to the NMS configuration manuals. Note that the SNMP
version and community name must be the same as those specified on the NGFW.

----End

Configuration Verification
If the following results are displayed, configurations succeed:
l When basic SNMP functions are configured (Step 2), NMS1 and NMS2 can access the
NGFW after you configure both of them.
l When user permissions are configured (Step 3), NMS1 cannot access the NGFW, and
NMS2 can access only the system node.
l When the trap function is configured (Step 4), create a condition (such as returning to the
system view from the user view) to trigger the sending of traps. NMS2 can receive the traps.
l After the administrator contact information is configured (Step 5), send a Get request to
obtain information about the sysContact node, mail Operator at
someone@huawei.com is displayed.

Configuration Scripts
#
sysname NGFW
#
info-center source IP channel 7 trap level informational
info-center snmp channel 7
#
acl number 2001
rule 1 permit source 10.1.1.2 0
rule 6 deny source 10.1.1.1 0
interface GigabitEthernet1/0/1
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.0
#
snmp-agent
snmp-agent local-engineid 000007DB
snmp-agent community read %$%$]5G+=l70OI!lbRG9j3'Th0'{%$%$
snmp-agent community write %$%$p[5*5;mf,#F\_06TFql;7}tk%$%$ mib-view sys acl 2001
snmp-agent sys-info contact mail Operator at someone@huawei.com
snmp-agent sys-info version v1 v3
snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname %$%$p[5*;Fql7%$%$
snmp-agent mib-view included sys system
snmp-agent trap enable ipsec
snmp-agent trap enable l2tp
snmp-agent trap enable configuration
snmp-agent trap enable system
snmp-agent trap enable standard
snmp-agent trap source LoopBack0
snmp-agent trap queue-size 200
snmp-agent trap life 60
#
return

5.5.6.2 Example for Configuring the Communication Between the NGFW and the
NMS Through SNMPv2c
This section provides an example for configuring the communication between the NGFW and
the NMS through SNMPv2c.

Networking Requirements

NOTICE
SNMPv3 is recommended, because SNMPv3 is more secure than SNMPv1 or SNMPv2c. For
details, see 5.5.6.3 Example for Configuring the Communication Between the NGFW and
the NMS Through SNMPv3.

As shown in Figure 5-38, two NMSs are connected to the NGFW over the Internet. According
to service requirements, NMS2 can manage only the mib-2 node on the NGFW, whereas NMS1
cannot manage the NGFW.

For NMS2 to manage the NGFW and to facilitate fault location based on trap messages, only
modules enabled by default can send trap messages to the NMS. Because the trap messages sent
by the NGFW are received by NMS2 over the Internet, the Inform mode is used to ensure
reliability.

Because the NMS administrator is far away from the NGFW, you need to configure the contact
information of the device administrator, so that the NMS administrator can contact the device
administrator for rapid fault location and rectification.

Figure 5-38 Networking diagram of configuring communication between the NGFW and the
NMS through SNMPv2c (NMS1 10.1.1.1/24 and NMS2 10.1.1.2/24 reach the NGFW interface
GE1/0/1, 10.1.2.1/24, across an IP network)


Configuration Roadmap
The configuration roadmap is as follows:
1. Set basic parameters for the interface, including the IP address, security zone to which the
interface is assigned, and routes.
2. Configure basic SNMP functions, including enabling SNMP Agent and setting the SNMP
version and community name.
3. Configure access permissions to prevent NMS1 from managing the NGFW and allow
NMS2 to manage only the mib-2 node on the NGFW.
4. Configure the Inform function to enable the NGFW to send traps to the NMS.
5. Configure administrator contact information.
6. Configure NMSs.

Procedure
Step 1 Configure basic parameters for the NGFW.

# Set an IP address for interface GigabitEthernet 1/0/1.


<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 10.1.2.1 24
[NGFW-GigabitEthernet1/0/1] quit

# Configure routes to ensure that NMSs are routable to the NGFW. (Details are omitted.)

NOTE
After the previous configurations are complete, run the display ip interface brief and display ip routing-
table commands to check whether the basic parameters of the NGFW are correctly specified.

Step 2 Configure basic SNMP functions, including enabling SNMP Agent and setting the SNMP
version and community name.

# Enable the SNMP Agent.


[NGFW] snmp-agent

# Set the SNMP version to SNMPv2c.


[NGFW] snmp-agent sys-info version v2c

# Set the community name.


[NGFW] snmp-agent community read Public&123
[NGFW] snmp-agent community write Private&123

Step 3 Configure access permissions to allow NMS2 to manage only the mib-2 node on the NGFW.

# Configure an ACL to allow NMS2 to manage the mib-2 node on the NGFW and prevent NMS1
from managing the NGFW.
[NGFW] acl 2001
[NGFW-acl-basic-2001] rule 1 permit source 10.1.1.2 0
[NGFW-acl-basic-2001] rule 6 deny source 10.1.1.1 0
[NGFW-acl-basic-2001] quit

# Configure the MIB view to allow NMS2 to manage only the mib-2 node on the NGFW.
[NGFW] snmp-agent mib-view included mib2 mib-2


# Set the community name and reference the ACL and MIB view.
[NGFW] snmp-agent community write Private&123 mib-view mib2 acl 2001

Step 4 Configure the Inform function.

# Enable the information center (enabled by default).


[NGFW] info-center enable

# Configure the channel for outputting trap information and module information. (By default,
informational trap messages can be sent to the SNMP Agent.)
[NGFW] info-center source ip channel channel7 trap level informational state on
[NGFW] info-center snmp channel channel7

# Create a loopback interface.

NOTE

The status of link-layer protocols is Up once the loopback interface is created. Therefore, to ensure device
reliability, you are advised to set the source IP address for sending trap messages to the local loopback address.
[NGFW] interface LoopBack 0
[NGFW-LoopBack0] ip address 10.1.1.1 24
[NGFW-LoopBack0] quit

# Set the target host, Inform parameters, source IP address, and the queue length and time for
reserving trap messages
[NGFW] snmp-agent target-host inform address udp-domain 10.1.1.2 params securityname Private&123 v2c
[NGFW] snmp-agent inform timeout 15 resend-times 3 pending 39
[NGFW] snmp-agent notification-log enable
[NGFW] snmp-agent notification-log global-ageout 12
[NGFW] snmp-agent trap source LoopBack0
[NGFW] snmp-agent trap queue-size 200
[NGFW] snmp-agent trap life 60
[NGFW] snmp-agent trap enable

Step 5 Configure the administrator's contact information.


[NGFW] snmp-agent sys-info contact mail Operator at someone@huawei.com

Step 6 Configure NMSs.


You can configure NMSs by referring to the NMS configuration manuals. Note that the SNMP
version and community name must be the same as those specified on the NGFW.

----End

Configuration Verification
If the following results are implemented, configurations succeed:
l When basic SNMP functions are configured (Step 2), NMS1 and NMS2 can access the
NGFW after you configure both of them.
l When user permissions are configured (Step 3), NMS1 cannot access the NGFW, and
NMS2 can access only the mib-2 node.
l When trap messages are configured (Step 4), create a condition (such as returning to the
system view from the user view) to trigger the sending of traps. NMS2 can receive the traps.


l After the administrator contact information is configured (Step 5), send a Get request to
obtain information about the sysContact node, mail Operator at
someone@huawei.com is displayed.

Configuration Scripts
#
sysname NGFW
#
info-center source IP channel 7 trap level informational
info-center snmp channel 7
#
acl number 2001
rule 1 permit source 10.1.1.2 0
rule 6 deny source 10.1.1.1 0
interface GigabitEthernet1/0/1
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.0
#
snmp-agent
snmp-agent local-engineid 000007DB
snmp-agent community read %$%$]5G+=l70OI!lbRG9j3'Th0'{%$%$
snmp-agent community write %$%$p[5*5;mf,#F\_06TFql;7}tk%$%$ mib-view mib2 acl 2001
snmp-agent sys-info contact mail Operator at someone@huawei.com
snmp-agent sys-info version v2c v3
snmp-agent target-host inform address udp-domain 10.1.1.2 params securityname %$%$p[5*5;Fql;7%$%$ v2c
snmp-agent mib-view included mib2 mib-2
snmp-agent trap enable ipsec
snmp-agent trap enable l2tp
snmp-agent trap enable configuration
snmp-agent trap enable system
snmp-agent trap enable standard
snmp-agent trap source LoopBack0
snmp-agent trap queue-size 200
snmp-agent trap life 60
snmp-agent notification-log enable
snmp-agent notification-log global-ageout 12
#
return
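The SNMPv1 and SNMPv2c scripts above are worth reading the way a reviewer would before the agent becomes reachable across an IP network. The following Python script is an added example, not Huawei code and not part of this guide: it scans snmp-agent lines for the weaknesses the NOTICE at the start of this example alludes to. Run against the SNMPv2c script (embedded below with its wrapped lines joined), it reports that v2c is enabled, that the read community carries neither an ACL nor a MIB view (the same is true of the read community in the SNMPv1 script), and that the inform target is authenticated by community string only; the write community, which is bound to acl 2001 and mib-view mib2, produces no finding. The SNMPv3-only script used for comparison is constructed and is not from this guide.

```python
"""Audit Huawei-style 'snmp-agent' configuration lines for weak settings.

Added example, not Huawei code. It reads the text of a configuration script
such as the ones printed in this section and reports what a reviewer checks
before an agent is exposed to an NMS across an IP network: SNMPv1/v2c
enabled, a community without an ACL or MIB view, a community kept in
plaintext, and notification targets that are not SNMPv3 with privacy.
"""
import re

# Sample input: the SNMPv2c configuration script from this section with its
# wrapped lines joined. Community strings appear in the device's cipher form.
SAMPLE_V2C_SCRIPT = """\
snmp-agent
snmp-agent local-engineid 000007DB
snmp-agent community read %$%$]5G+=l70OI!lbRG9j3'Th0'{%$%$
snmp-agent community write %$%$p[5*5;mf,#F\\_06TFql;7}tk%$%$ mib-view mib2 acl 2001
snmp-agent sys-info version v2c v3
snmp-agent target-host inform address udp-domain 10.1.1.2 params securityname %$%$p[5*5;Fql;7%$%$ v2c
snmp-agent mib-view included mib2 mib-2
snmp-agent trap enable
"""

# Constructed SNMPv3-only counterpart (assumed, not from the page) with the
# group bound to an ACL and to read, write and notify views.
SAMPLE_V3_SCRIPT = """\
snmp-agent
snmp-agent sys-info version v3
snmp-agent group v3 Testgroup privacy read-view sys write-view sys notify-view sys acl 2001
snmp-agent usm-user v3 Testuser Testgroup authentication-mode sha <cipher> privacy-mode aes128 <cipher>
snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname Testuser v3 privacy
snmp-agent trap enable
"""

CIPHER_RE = re.compile(r"%\$%\$.+%\$%\$")   # Huawei's reversible-cipher wrapper


def audit_snmp_config(script: str) -> list:
    """Return one finding string per weak setting found in the script."""
    findings = []
    for raw in script.splitlines():
        words = raw.strip().split()
        if len(words) < 3 or words[0] != "snmp-agent":
            continue
        keyword = words[1]
        if keyword == "sys-info" and words[2] == "version":
            # v1/v2c: the community string is the only authentication and is sent in clear text.
            weak = [v for v in words[3:] if v in ("v1", "v2c")]
            if weak:
                findings.append(f"version: {' '.join(weak)} enabled; community string is the only authentication and travels in clear text")
        elif keyword == "community" and len(words) >= 4:
            access, name = words[2], words[3]
            if "acl" not in words:
                findings.append(f"community {access}: no acl, so any source address that knows the string may use it")
            if "mib-view" not in words:
                findings.append(f"community {access}: no mib-view, so the whole MIB is reachable")
            if not CIPHER_RE.fullmatch(name):
                findings.append(f"community {access}: string stored in plaintext")
        elif keyword == "group" and words[2] == "v3":
            if "privacy" not in words:
                findings.append(f"group {words[3]}: v3 without privacy, so requests are signed but not encrypted")
            if "acl" not in words:
                findings.append(f"group {words[3]}: no acl")
        elif keyword == "target-host" and "params" in words:
            if "v3" not in words:
                findings.append("target-host: v1/v2c notifications, authenticated by community only")
            elif "privacy" not in words:
                findings.append("target-host: v3 without privacy, so notification payloads are not encrypted")
    return findings


if __name__ == "__main__":
    for label, script in (("v2c script", SAMPLE_V2C_SCRIPT), ("v3 script", SAMPLE_V3_SCRIPT)):
        print(label)
        for finding in audit_snmp_config(script) or ["no findings"]:
            print("  -", finding)
```

The script keys only on the tokens the device prints, so it also runs over the output of display current-configuration | include snmp-agent. It does not judge the ACL or MIB view contents themselves; whether acl 2001 really denies everything except the NMS still has to be read from the acl section.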

5.5.6.3 Example for Configuring the Communication Between the NGFW and the
NMS Through SNMPv3
This section provides an example for configuring the communication between the NGFW and
the NMS through SNMPv3.

Networking Requirements
As shown in Figure 5-39, two NMSs are connected to the NGFW over the Internet. According
to service requirements, NMS2 can manage only the system node on the NGFW, whereas NMS1
cannot manage the NGFW.

For NMS2 to manage the NGFW and to facilitate fault location based on trap messages, only
modules enabled by default can send trap messages to the NMS.


Because the NMS administrator is far away from the NGFW, you need to configure the contact
information of the device administrator, so that the NMS administrator can contact the device
administrator for rapid fault location and rectification.

Figure 5-39 Networking diagram of configuring communication between the NGFW and the
NMS through SNMPv3 (NMS1 10.1.1.1/24 and NMS2 10.1.1.2/24 reach the NGFW interface
GE1/0/1, 10.1.2.1/24, across an IP network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Set basic parameters for the interface, including the IP address, security zone to which the
interface is assigned, and default routes.
2. Configure basic SNMP functions, including enabling SNMP Agent and setting the SNMP
version, user group, and user.
3. Configure access permissions to prevent NMS1 from managing the NGFW and allow
NMS2 to manage only the system node on the NGFW.
4. Configure the trap function to enable the NGFW to send trap messages to the NMS.
5. Configure administrator contact information.
6. Configure NMSs.

Procedure
Step 1 Configure basic parameters for the NGFW.
# Set an IP address for interface GigabitEthernet 1/0/1.
<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 10.1.2.1 24
[NGFW-GigabitEthernet1/0/1] quit

# Configure routes to ensure that NMSs are routable to the NGFW. (Details are omitted.)

NOTE
After the previous configurations, run the display ip interface brief and display ip routing-table commands
to check whether the basic parameters of the NGFW are correctly specified.

Step 2 Configure basic SNMP functions.


# Enable the SNMP Agent.


[NGFW] snmp-agent

# Set the SNMP version to SNMPv3.


[NGFW] snmp-agent sys-info version v3

# Configure the user group and user for the authentication and encryption of user data.
[NGFW] snmp-agent group v3 Testgroup privacy
[NGFW] snmp-agent usm-user v3 Testuser Testgroup authentication-mode sha Public&123 privacy-mode aes128 Private&123
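What the NGFW does with the two passwords above is worth seeing once, because it explains both why the NMS must learn the agent's engine ID and why the same password yields a different key on every device. The following Python code is an added example, not Huawei code: it implements the RFC 3414 password-to-key and key-localization steps for SHA authentication and, as RFC 3826 specifies for AES-128, takes the first 16 bytes of the localized privacy key. The engine ID 000007DB is read from the local-engineid line of this section's configuration script and treated as four octets; that reading, and the second engine ID used for comparison, are assumptions. The RFC 3414 test vector (password maplesyrup) is included so the derivation can be checked.

```python
"""SNMPv3 USM key derivation (RFC 3414 section 2.6 and appendix A.2).

Added example, not Huawei code. It shows what an agent does with the two
passwords given to 'snmp-agent usm-user v3 ... authentication-mode sha
<auth-pw> privacy-mode aes128 <priv-pw>': each password is stretched to a
master key Ku and then localized with the agent's engine ID, so the same
password produces a different key on every engine. The AES-128 privacy key
(RFC 3826) is the first 16 bytes of the localized privacy key.
"""
import hashlib

# Assumed values: the engine ID is taken from the 'snmp-agent local-engineid
# 000007DB' line of the configuration script and read as four octets; the real
# octet string is whatever 'display snmp-agent local-engineid' reports.
PAGE_ENGINE_ID = bytes.fromhex("000007DB")
OTHER_ENGINE_ID = bytes.fromhex("000007DC")   # constructed second engine

# RFC 3414 appendix A.3.2 test vector for SHA-1.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_ku(password: bytes, hash_name: str = "sha1") -> bytes:
    """A.2.2: hash the password repeated out to exactly 1,048,576 bytes."""
    if not password:
        raise ValueError("empty password")
    h = hashlib.new(hash_name)
    reps, rem = divmod(1_048_576, len(password))
    h.update(password * reps + password[:rem])
    return h.digest()


def localize(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Section 2.6: Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def usm_keys(auth_password: bytes, priv_password: bytes, engine_id: bytes,
             hash_name: str = "sha1") -> tuple:
    """Return (localized auth key, AES-128 privacy key) for one engine.

    The privacy password goes through the authentication hash, as RFC 3826
    requires, and the result is truncated to the 128-bit AES key length.
    """
    auth_key = localize(password_to_ku(auth_password, hash_name), engine_id, hash_name)
    priv_key = localize(password_to_ku(priv_password, hash_name), engine_id, hash_name)
    return auth_key, priv_key[:16]


if __name__ == "__main__":
    # The user from this section: Testuser, SHA auth "Public&123", AES-128 priv "Private&123".
    a1, p1 = usm_keys(b"Public&123", b"Private&123", PAGE_ENGINE_ID)
    a2, p2 = usm_keys(b"Public&123", b"Private&123", OTHER_ENGINE_ID)
    print("engine 000007DB auth key:", a1.hex(), "priv key:", p1.hex())
    print("engine 000007DC auth key:", a2.hex(), "priv key:", p2.hex())
    print("keys differ across engines:", a1 != a2 and p1 != p2)
    print("RFC 3414 vector:", localize(password_to_ku(RFC_PASSWORD), RFC_ENGINE_ID).hex())
```

The NMS never sends the password; it derives the same localized key after learning the engine ID in the discovery exchange. Reusing one password on many agents therefore still means one secret for all of them, even though each agent stores a different key, so give each device its own usm-user passwords.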

Step 3 Configure access permissions to allow NMS2 to manage only the system node on the NGFW.

# Configure an ACL that permits NMS2 (10.1.1.2) and denies NMS1 (10.1.1.1). The ACL controls
which NMS may reach the agent; the MIB view configured next restricts NMS2 to the system node.
[NGFW] acl 2001
[NGFW-acl-basic-2001] rule 1 permit source 10.1.1.2 0.0.0.0
[NGFW-acl-basic-2001] rule 6 deny source 10.1.1.1 0.0.0.0
[NGFW-acl-basic-2001] quit

# Configure the MIB view to allow NMS2 to manage only the system node on the NGFW.
[NGFW] snmp-agent mib-view included sys system

# Reference the ACL and MIB view for the group.


NOTE
Both read-view and write-view of the system node view must be configured. For example, if only write-
view is configured, the NMS has the read-only permission on the nodes except the system node. To prevent
other nodes from sending traps, configure notify-view.

[NGFW] snmp-agent group v3 Testgroup privacy write-view sys acl 2001

Step 4 Configure the trap function.

# Enable the information center.


[NGFW] info-center enable

# Configure the channel for outputting trap information and module information.
[NGFW] info-center source ip channel channel7 trap level informational state on
[NGFW] info-center snmp channel channel7

# Create a loopback interface.

NOTE

The status of link-layer protocols is Up once the loopback interface is created. Therefore, to ensure device
reliability, you are advised to set the source IP address for sending trap messages to the local loopback address.
[NGFW] interface LoopBack 0
[NGFW-LoopBack0] ip address 10.1.1.1 24
[NGFW-LoopBack0] quit

# Set the target host, trap parameters, source IP address, and the queue length and time for
reserving trap messages and enable the sending of trap packets.
[NGFW] snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname Testuser v3 privacy
[NGFW] snmp-agent trap queue-size 200
[NGFW] snmp-agent trap source LoopBack0
[NGFW] snmp-agent trap life 60
[NGFW] snmp-agent trap enable


Step 5 Configure the administrator contact information.


[NGFW] snmp-agent sys-info contact mail Operator at someone@huawei.com

Step 6 Configure NMSs.


You can configure NMSs by referring to the NMS configuration manuals. Note that the version,
user name, authentication and encryption, and password must be the same as those configured
on the NGFW.

----End

Configuration Verification
If the following results are displayed, configurations succeed:
l When basic SNMP functions are configured (Step 2), NMS1 and NMS2 can access the
NGFW after you configure both of them.
l When user permissions are configured (Step 3), NMS1 cannot access the NGFW, and
NMS2 can access only the system node.
l When the trap function is configured (Step 4), create a condition (such as returning to the
system view from the user view) to trigger the sending of trap messages. NMS2 can receive
the traps.
l After the administrator contact information is configured (Step 5), send a Get request to
obtain information about the sysContact node, mail Operator at
someone@huawei.com is displayed.

Configuration Scripts
#
sysname NGFW
#
info-center source IP channel 7 trap level informational
info-center snmp channel 7
#
acl number 2001
rule 1 permit source 10.1.1.2 0
rule 6 deny source 10.1.1.1 0
interface GigabitEthernet1/0/1
ip address 10.1.2.1 255.255.255.0
#
interface LoopBack0
ip address 10.1.1.1 255.255.255.0
#
snmp-agent
snmp-agent local-engineid 000007DB
snmp-agent sys-info contact mail Operator at someone@huawei.com
snmp-agent sys-info version v3
snmp-agent group v3 Testgroup privacy
snmp-agent group v3 Testgroup privacy write-view sys acl 2001
snmp-agent target-host trap address udp-domain 10.1.1.2 params securityname Testuser v3 privacy
snmp-agent mib-view included sys system
snmp-agent usm-user v3 Testuser Testgroup authentication-mode sha EI]W>FU>>`^209KER5,ZOQ!! privacy-mode aes128 3OF\477=:>1"-+VCRMG=%Q!!
snmp-agent trap enable ipsec
snmp-agent trap enable l2tp
snmp-agent trap enable configuration
snmp-agent trap enable system
snmp-agent trap enable standard
snmp-agent trap source LoopBack0
snmp-agent trap queue-size 200
snmp-agent trap life 60
#
return

5.5.7 Feature History


This section describes the versions and changes in the SNMP feature.

Version: V100R001C00
Change Description: The first version.

5.6 Across-Layer-3 MAC Identification


When the NGFW is connected to the intranet through layer-3 devices, configuring across-
Layer-3 MAC address identification enables the NGFW to obtain MAC addresses of intranet
PCs.

5.6.1 Overview
This section describes the definition and service flow of across-Layer-3 MAC identification.

Definition and Objective


With Across-Layer-3 MAC address identification, when a Layer-3 network device is between
the NGFW and intranet PCs, the NGFW can still learn the MAC address of the intranet PCs.

If an intranet PC uses a dynamic IP address to access the Internet, IP address cannot be used to
match the traffic to or from the PC. In this case, you need to use the MAC address as the matching
condition of policies.

However, in the across-layer-3 networking as shown in Figure 5-40 and Figure 5-41, the
NGFW cannot directly obtain MAC addresses of intranet PCs. You must enable across-Layer-3
MAC address identification on the NGFW.

The NGFW across-Layer-3 MAC address identification supports the following two networking
scenarios:

Figure 5-40 NGFW connected to the Layer-3 network device as a Layer-3 device (Intranet --
L3SW -- NGFW; NGFW GE1/0/1 10.100.10.2/24 faces the L3SW, GE1/0/2 202.38.10.2/24)

Figure 5-41 NGFW connected to the Layer-3 network device as a Layer-2 device (Intranet --
L3SW -- NGFW; NGFW GE1/0/1 and GE1/0/2 shown without IP addresses)

Service Flow
Figure 5-42 shows the service flow of across-Layer-3 MAC address identification on the
NGFW.

Figure 5-42 Service flow of across-Layer-3 MAC address identification (sequence between the
NGFW, the Layer-3 device and the intranet PC; phases 1 to 3 are described below)

1. Phase 1
a. The SNMP agent on the Layer-3 network device is enabled, and the network device
obtains IP-MAC mapping of intranet PCs and generate or update ARP entries.
b. The NGFW periodically sends SNMP requests to the specified Layer-3 network
device for ARP entries.
c. The Layer-3 network device replies and returns the ARP entries.
d. The NGFW learns MAC addresses of intranet PCs and saves the ARP entries to the
memory.
2. Phase 2


An administrator can use the learned MAC addresses on the NGFW as conditions in
policies.
The MAC addresses are obtained from ARP entries in the memory, not from packet header.
3. Phase 3
a. An intranet PC accesses the Internet through the Layer-3 network device and
NGFW.
b. The NGFW permits or blocks intranet packets based on configured policies.
After receiving intranet PC packets, the NGFW compares the IP and MAC address of
the PC with the obtained ARP entries to verify whether the MAC address is the real
MAC address. The NGFW uses the actual MAC address to match policies and process
intranet packets based on matching results.
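The three phases above are easier to follow with the data in hand. The following Python code is an added example, not Huawei code: it turns a walked ARP table into the NGFW-side IP-to-MAC mapping (phase 1) and then resolves a packet's real MAC from that mapping instead of from the Ethernet header (phase 3). This guide does not name which MIB the NGFW reads; the example assumes the standard ipNetToMediaTable of IP-MIB, which is what a v2c manager would walk to fetch a router's ARP cache. The varbinds are constructed to reproduce the two rows shown in the display snmp-server arp-sync table output in 5.6.3, plus one row marked invalid(2) that must be dropped; the switch MAC and the policy are constructed as well.

```python
"""Build the NGFW-side IP-to-MAC table from a Layer-3 device's ARP cache and
use it for MAC-based policy matching (phases 1 to 3 of the service flow).

Added example, not Huawei code. The page does not say which MIB the NGFW
reads; this assumes the standard ipNetToMediaTable of IP-MIB, which is the
table a v2c manager walks to obtain a router's ARP cache.
"""

# ipNetToMediaTable columns, indexed by ifIndex followed by the four IP octets.
PHYS_ADDR = "1.3.6.1.2.1.4.22.1.2"   # ipNetToMediaPhysAddress (OCTET STRING)
MEDIA_TYPE = "1.3.6.1.2.1.4.22.1.4"  # ipNetToMediaType: other(1) invalid(2) dynamic(3) static(4)

# Constructed walk result from the Layer-3 switch (ifIndex 3). The first two
# rows reproduce the entries shown by 'display snmp-server arp-sync table'.
SAMPLE_VARBINDS = [
    (PHYS_ADDR + ".3.10.10.90.220", bytes.fromhex("0022a105b948")),
    (MEDIA_TYPE + ".3.10.10.90.220", 3),
    (PHYS_ADDR + ".3.10.10.90.33", bytes.fromhex("000011110000")),
    (MEDIA_TYPE + ".3.10.10.90.33", 3),
    (PHYS_ADDR + ".3.10.10.90.99", bytes.fromhex("00000000aaaa")),  # stale row
    (MEDIA_TYPE + ".3.10.10.90.99", 2),                              # invalid(2)
]

# Constructed MAC-keyed policies on the NGFW: (name, MAC, action).
SAMPLE_POLICIES = [
    ("block_pc220", "0022-a105-b948", "deny"),
]

# Constructed MAC of the switch's VLAN interface: this is what the NGFW
# actually sees in the Ethernet header of every packet from the intranet.
SWITCH_MAC = "00e0-fc00-0001"


def format_mac(raw: bytes) -> str:
    """Render six octets in the xxxx-xxxx-xxxx style used by the NGFW CLI."""
    if len(raw) != 6:
        raise ValueError("MAC must be 6 octets")
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def _row_ip(oid: str, column: str):
    """Return the IP part of an ipNetToMediaTable row index, or None."""
    if not oid.startswith(column + "."):
        return None
    parts = oid[len(column) + 1:].split(".")
    return ".".join(parts[1:]) if len(parts) == 5 else None   # drop ifIndex


def build_ip_mac_table(varbinds) -> dict:
    """Phase 1: turn walked rows into {ip: mac}, dropping invalid(2) rows."""
    macs, types = {}, {}
    for oid, value in varbinds:
        ip = _row_ip(oid, PHYS_ADDR)
        if ip is not None:
            macs[ip] = format_mac(value)
            continue
        ip = _row_ip(oid, MEDIA_TYPE)
        if ip is not None:
            types[ip] = value
    return {ip: mac for ip, mac in macs.items() if types.get(ip, 3) != 2}


def match_mac_policy(table: dict, src_ip: str, header_mac: str, policies) -> tuple:
    """Phase 3: the header MAC belongs to the Layer-3 hop and is ignored; the
    learned MAC for src_ip is looked up and matched. Returns (action, mac_used)."""
    real_mac = table.get(src_ip)
    if real_mac is None:
        return "no-entry", header_mac    # nothing synchronized for this IP yet
    for _name, mac, action in policies:
        if mac == real_mac:
            return action, real_mac
    return "no-match", real_mac


if __name__ == "__main__":
    table = build_ip_mac_table(SAMPLE_VARBINDS)
    for ip, mac in table.items():
        print(f"{ip:<16} {mac}")
    print(match_mac_policy(table, "10.10.90.220", SWITCH_MAC, SAMPLE_POLICIES))
```

The "no-entry" case is the one to watch operationally: a PC that obtained a fresh DHCP lease since the last poll has no learned MAC until the next synchronization, which is why the Web UI's polling interval and timeout are set against the address update interval.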

5.6.2 Configuring Across-Layer-3 MAC Identification Using the Web UI
This section describes how to use the Web user interface (UI) to configure Across-Layer-3 MAC
identification.

Prerequisites
Before configuring the across-layer-3 MAC identification function, ensure that the Layer-3
network device connected to the NGFW supports SNMPv2c, and the SNMP agent has been
enabled and community name has been configured on the network device.

Context
Intranet users use the NGFW to access the Internet, and the NGFW uses MAC addresses as
matching conditions to control intranet traffic. If the NGFW uses a Layer-3 network device to
connect to an intranet PC, the NGFW cannot obtain the MAC address of the intranet PC directly.

Therefore, across-Layer-3 MAC address identification must be enabled on the NGFW to
synchronize ARP entries from the Layer-3 network device using SNMP and so obtain the MAC
addresses of intranet PCs.
NOTE
If multiple Layer-3 network devices are deployed between the NGFW and an intranet PC, specify
the network device closest to the intranet PC as the SNMP client, because only the device on
the PC's subnet holds an ARP entry for the PC's IP address. The NGFW can poll multiple Layer-3
devices (listed as SNMP clients in the Web UI) to synchronize ARP entries.

Procedure
Step 1 Choose System > Configuration > Across-Layer-3 MAC Identification.

Step 2 Select Enable on the right of Across-Layer-3 MAC Identification.

Step 3 Enter the parameters.

Parameter: Interval for Accessing SNMP client
Description: Indicates the interval between two SNMP requests sent to each target Layer-3
network device.

Parameter: Time of Failures in Accessing SNMP client
Description: Indicates how long the NGFW waits for a response to a request sent to the target
network device before treating the request as failed. Specify this parameter based on the
update interval of PC IP addresses and the network delay.

Parameter: SNMP client1
Description: Indicates the IP address of the target Layer-3 network device. The SNMP client ID
increases with the order of configuration. Select an IP address from the existing IP addresses
of Layer-3 network devices. The device supports 64 Layer-3 network devices as SNMP clients to
synchronize ARP entries. You must specify the IP address and v2c community name for each added
SNMP client.

Parameter: v2c Community Name
Description: Indicates the community name of SNMP client 1. The community name must have been
configured on the specified Layer-3 network device, and the community name and IP address must
identify the same Layer-3 network device.

Step 4 Click Apply.

----End

5.6.3 Configuring Across-Layer-3 MAC identification Using the CLI


This section describes how to use the command line interface (CLI) to configure Across-Layer-3
MAC identification.

Prerequisites
Before configuring the NGFW learning function, ensure that the Layer-3 network device
connected to the NGFW supports SNMPv2c, and the SNMP agent has been enabled and
community name has been configured on the network device.

Context
Intranet users use the NGFW to access the Internet, and the NGFW uses MAC addresses as
matching conditions to control intranet traffic. If the NGFW uses a Layer-3 network device to
connect to an intranet PC, the NGFW cannot directly obtain the MAC address of the intranet
PC. Therefore, across-Layer-3 MAC address learning must be enabled on the NGFW to
synchronize ARP entries of the intranet PCs from the specified Layer-3 network device.
NOTE
If multiple Layer-3 network devices are deployed between the NGFW and intranet PCs, specify
the network device closest to the intranet PCs as the target network device, because only the
device on the PCs' subnet holds ARP entries for their IP addresses. The NGFW can poll multiple
Layer-3 devices (SNMP agents).


This function can be configured using command lines in hot standby deployments.

Procedure
Step 1 Enable synchronization of Layer-3 network device ARP entries using SNMP in the system view.
snmp-server arp-sync enable
Step 2 Configure the IP address and community name of the target Layer-3 network device.
snmp-server target-host arp-sync address ip-address [ vpn-instance vpn-instance-name ] community community-name v2c
address and community must identify the same Layer-3 network device. If the target network
device belongs to a VPN instance, vpn-instance, address, and community must together identify
the same Layer-3 network device.

NOTE

With across-Layer-3 MAC identification, the NGFW acts as the SNMP manager and can poll multiple
Layer-3 network devices (each running an SNMP agent) for their ARP entries. The device supports
up to 64 target Layer-3 network devices.

Step 3 Configure the SNMP request interval or request timeout period.

snmp-server arp-sync { interval interval | timeout time } *


You can specify timeout time based on the update interval of a PC IP address and the network
delay.

----End

Example
# Specify a Layer-3 network device at 10.10.90.7 with community name Public@123 and enable the
NGFW to learn the MAC addresses of intranet PCs from it.
<NGFW> system-view
[NGFW] snmp-server arp-sync enable
[NGFW] snmp-server target-host arp-sync address 10.10.90.7 community Public@123 v2c
[NGFW] snmp-server arp-sync interval 10 timeout 5

Follow-up Procedure
Run the display snmp-server arp-sync table [ vpn-instance vpn-instance-name ] command to
view ARP entries obtained using SNMP.
<NGFW> display snmp-server arp-sync table
Synchronization status of the IP-MAC address mapping table: Done
The start time of synchronizing IP-MAC mapping table: 2013/8/2 09:39:24
The end time of synchronizing IP-MAC mapping table: 2013/8/2 09:39:28
-------------------------------------------------------------------------
IP Address            MAC Address          Expire(M)     VPN Instance
-------------------------------------------------------------------------
10.10.90.220          0022-a105-b948       20
10.10.90.33           0000-1111-0000       20

The display information above includes obtained ARP entries. The synchronization status is
Done, indicating that ARP entry synchronization between the device and target network device
is complete.

5.6.4 Configuration Examples


This section provides examples for configuring across-Layer-3 MAC identification.

5.6.4.1 Web Example for Configuring Across-Layer-3 MAC Identification


This section provides an example for configuring across-Layer-3 MAC identification on the web
UI.

Networking Requirements
The NGFW functions as the egress gateway on the enterprise network. Intranet users connect
to the NGFW through a Layer-3 switch and access the Internet through the NGFW. You need
to configure security policies, policy-based routes, and traffic policies on the NGFW for it to
control intranet traffic matching the specified MAC address.

Figure 5-43 Networking diagram for configuring across-Layer-3 MAC identification (Intranet
10.3.1.0/24 -- L3SW with Vlanif 2 10.3.1.2/24 and Vlanif 3 10.3.2.1/24 -- NGFW GE1/0/1
10.3.2.2/24 in zone Trust, GE1/0/2 toward the Internet)

Configuration Roadmap
If the NGFW is connected to an intranet PC with a Layer-3 switch in between, the NGFW cannot
directly obtain the MAC address of the intranet PC. In such cases, you need to configure across-
Layer-3 MAC identification on the NGFW for it to use SNMP to learn the ARP table of the
switch and thus obtain the MAC address of the intranet PC.

1. Configure basic SNMP functions on the switch.


a. Enable the SNMP agent function.
b. Set the SNMP version.
c. Set a community name for the switch.
2. Configure across-Layer-3 MAC identification on the NGFW.
a. Configure a security policy for the local -> trust interzone to allow the firewall to send
SNMP packets to the switch.


b. Configure across-Layer-3 MAC identification.

Procedure
Step 1 Configure basic SNMP functions on the switch. A Huawei S5700 is used as the example
switch; for its basic network parameter settings, refer to the S5700 product documentation.
1. Enable the SNMP agent function.
<Switch> system-view
[Switch] snmp-agent

2. Set the SNMP version.


[Switch] snmp-agent sys-info version v2c

3. Set a community name for the switch.


[Switch] snmp-agent community read Public@123

NOTE
The community name set on the switch must be the same as that specified on the NGFW.

Step 2 Configure across-Layer-3 MAC identification on the NGFW.


1. Set interface IP addresses on the NGFW.
Choose Network > Interface, click Edit of GE 1/0/1, and set the parameters as follows:

Zone trust

IP Address 10.3.2.2/24

2. Configure a security policy for the local -> trust interzone to allow the firewall to send
SNMP packets to the switch.
Choose Policy > Security Policy, click add, and set the parameters as follows:

Name policy_sec

Source Zone local

Destination Zone trust

Destination Address 10.3.2.1/32

3. Configure across-Layer-3 MAC identification.


Choose System > Across-Layer-3 MAC Identification, enable the across-Layer-3 MAC
identification function, and set the parameters as follows:


NOTE

l If multiple Layer-3 devices are deployed between the NGFW and the intranet PC, specify the
Layer-3 device closest to the intranet PC as the target network device, because only the
device on the PC's subnet holds an ARP entry for the PC's IP address.
l You can also specify multiple Layer-3 devices on different subnets as SNMP clients for the
NGFW to obtain their ARP entries.

Step 3 After the preceding configurations are complete, you can use the MAC address of the intranet
PC as the policy matching condition when configuring service-specific security policies, policy-
based routes, traffic policies, authentication policy, and audit policies.

----End

Verification
Choose Policy > Security Protection > IP-MAC Binding, select Authorized, and click
Search.

Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/1
ip address 10.3.2.2 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
snmp-server arp-sync enable
snmp-server arp-sync interval 10 timeout 5
snmp-server target-host arp-sync address 10.3.2.1 community %$%$9]8wKc7.fV7EYJ=LCG[WP,#w%$%$ v2c
#
security-policy
rule name policy_sec
source-zone local
destination-zone trust
destination-address 10.3.2.1 255.255.255.255
action permit
#
return

5.6.4.2 CLI Example for Configuring Across-Layer-3 MAC Identification


This section provides an example for configuring across-Layer-3 MAC identification on the
CLI.


Networking Requirements
The NGFW functions as the egress gateway on the enterprise network. Intranet users connect
to the NGFW through a Layer-3 switch and access the Internet through the NGFW. You need
to configure security policies, policy-based routes, and traffic policies on the NGFW for it to
control intranet traffic matching the specified MAC address.

Figure 5-44 Networking diagram for configuring across-Layer-3 MAC identification

[Figure: Intranet 10.3.1.0/24 - L3SW (ports GE1/0/1 and GE1/0/2; Vlanif 2 10.3.1.2/24, Vlanif 3 10.3.2.1/24) - NGFW GE1/0/1 10.3.2.2/24, zone Trust]

Configuration Roadmap
If the NGFW is connected to an intranet PC with a Layer-3 switch in between, the NGFW cannot
directly obtain the MAC address of the intranet PC. In such cases, you need to configure across-
Layer-3 MAC identification on the NGFW for it to use SNMP to learn the ARP table of the
switch and thus obtain the MAC address of the intranet PC.

1. Configure basic SNMP functions on the switch.


a. Enable the SNMP agent function.
b. Set the SNMP version.
c. Set a community name for the switch.
2. Configure across-Layer-3 MAC identification on the NGFW.
a. Configure a security policy for the local -> trust interzone to allow the firewall to send
SNMP packets to the switch.
b. Configure across-Layer-3 MAC identification.

Procedure
Step 1 Configure basic SNMP functions on the switch. A Huawei S5700 is used as the example; for
the basic network parameter settings of the switch, refer to the S5700 product
documentation.
1. Enable the SNMP agent function.
<Switch> system-view
[Switch] snmp-agent

2. Set the SNMP version.


[Switch] snmp-agent sys-info version v2c

3. Set a community name for the switch.


[Switch] snmp-agent community read Public@123


NOTE
The community name set on the switch must be the same as that specified on the NGFW.

Step 2 Configure across-Layer-3 MAC identification on the NGFW.


1. Set interface IP addresses on the NGFW.
<NGFW> system-view
[NGFW] interface GigabitEthernet1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 10.3.2.2 24
[NGFW-GigabitEthernet1/0/1] quit
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet1/0/1

2. Configure a security policy for the local -> trust interzone to allow the firewall to send
SNMP packets to the switch.
[NGFW] security-policy
[NGFW-policy-security] rule name policy_sec
[NGFW-policy-security-rule-policy_sec] source-zone local
[NGFW-policy-security-rule-policy_sec] destination-zone trust
[NGFW-policy-security-rule-policy_sec] destination-address 10.3.2.1 32
[NGFW-policy-security-rule-policy_sec] action permit

3. Configure across-Layer-3 MAC identification.


[NGFW] snmp-server arp-sync enable
[NGFW] snmp-server target-host arp-sync address 10.3.2.1 community Public@123 v2c
[NGFW] snmp-server arp-sync interval 10 timeout 5

NOTE

- If multiple Layer-3 devices are deployed between the NGFW and intranet PC, you need to specify
the intranet PC as the target network device.
- You can also specify multiple Layer-3 devices on different subnets as SNMP clients for the
NGFW to obtain their ARP entries.

Step 3 After the preceding configurations are complete, you can use the MAC address of the intranet
PC as the policy matching condition when configuring service-specific security policies, policy-
based routes, traffic policies, authentication policies, and audit policies.

----End

Verification
Verify the configuration as follows:

- Run the display snmp-server arp-sync table command to view the intranet PC MAC
addresses obtained by the NGFW using SNMP.
<NGFW> display snmp-server arp-sync table
Synchronization status of the IP-MAC address mapping table: Done
The start time of synchronizing IP-MAC mapping table: 2015/7/13 20:37:17
The end time of synchronizing IP-MAC mapping table: 2015/7/13 20:37:17
------------------------------------------------------------------
IP Address        MAC Address       Expire(M)   VPN Instance
------------------------------------------------------------------
10.3.1.1          643e-8c48-f14a    20
10.3.1.2          0022-a10a-c85f    20
10.3.1.21         00e0-fc11-1111    20
10.3.2.1          0022-a100-0004    20
10.3.2.2          00e0-fc00-0014    20
------------------------------------------------------------------
Total:5

The display information above includes obtained ARP entries. The synchronization status
is Done, indicating that the NGFW has synchronized the ARP entries from the target device.
- Run the display arp command to view ARP entries, in which the intranet PC MAC
addresses learned across the Layer-3 network are included.
<NGFW> display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE  VLAN/PVC
------------------------------------------------------------------------------
10.3.1.1        643e-8c48-f14a  20        P
10.3.1.2        0022-a10a-c85f  20        P
10.3.1.21       00e0-fc11-1111  20        P
10.3.2.1        0022-a100-0004  20        P
10.3.2.2        00e0-fc00-0014  20        P
10.3.2.2        00e0-fc00-0014            I    GE1/0/1
10.3.2.1        0022-a100-0004  19        D    GE1/0/1
------------------------------------------------------------------------------
Total:7 Dynamic:1 Static:0 Interface:1 Authorized:0 SNMP:5

The display information above includes obtained ARP entries.
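Because MAC-based policies are only as good as the ARP entries the NGFW learned over SNMP, a practitioner will want to check that output mechanically after enabling the feature. The following parser is an added example, not Huawei code: it reads the display arp output above (a constructed copy with re-aligned columns), confirms that every intranet host to be matched by MAC has an SNMP-learned entry, that the SNMP counter in the summary line agrees with the rows, and that no IP is bound to two different MACs. Taking type P as the SNMP-learned entry type is an assumption drawn from the five rows that the SNMP:5 counter covers.

```python
"""Sanity checks on 'display arp' after across-Layer-3 MAC identification is enabled.

Added example, not Huawei code. The sample output is constructed from the guide's
figures; the type letter P is assumed to mark SNMP-learned entries because exactly
those five rows are counted by the "SNMP:5" summary field.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample mirroring the guide's output, with columns re-aligned.
SAMPLE_DISPLAY_ARP = """\
<NGFW> display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE  VLAN/PVC
------------------------------------------------------------------------------
10.3.1.1        643e-8c48-f14a  20        P
10.3.1.2        0022-a10a-c85f  20        P
10.3.1.21       00e0-fc11-1111  20        P
10.3.2.1        0022-a100-0004  20        P
10.3.2.2        00e0-fc00-0014  20        P
10.3.2.2        00e0-fc00-0014            I    GE1/0/1
10.3.2.1        0022-a100-0004  19        D    GE1/0/1
------------------------------------------------------------------------------
Total:7 Dynamic:1 Static:0 Interface:1 Authorized:0 SNMP:5
"""

# One ARP row: IP, MAC, optional expiry in minutes, one-letter type, optional interface.
ENTRY_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?:(?P<expire>\d+)\s+)?"
    r"(?P<type>[A-Z])(?:\s+(?P<iface>\S+))?",
    re.IGNORECASE,
)
SUMMARY_RE = re.compile(r"([A-Za-z]+):(\d+)")
SNMP_TYPE = "P"  # assumption: entries learned from the switch via SNMP


def parse_display_arp(text):
    """Return (entries, summary): entry dicts and the Total/Dynamic/.../SNMP counters."""
    entries, summary = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({
                "ip": m["ip"],
                "mac": m["mac"].lower(),
                "expire": int(m["expire"]) if m["expire"] else None,
                "type": m["type"].upper(),
                "iface": m["iface"],
            })
        elif line.startswith("Total:"):
            summary = {k: int(v) for k, v in SUMMARY_RE.findall(line)}
    return entries, summary


def learned_hosts_in(entries, subnet):
    """IPs inside `subnet` that have an SNMP-learned entry, i.e. hosts MAC policies can match."""
    net = ipaddress.ip_network(subnet)
    return {e["ip"] for e in entries
            if e["type"] == SNMP_TYPE and ipaddress.ip_address(e["ip"]) in net}


def check_arp_sync(text, expected_hosts, subnet):
    """Return a list of findings; an empty list means the sync looks healthy."""
    entries, summary = parse_display_arp(text)
    findings = []
    snmp_entries = [e for e in entries if e["type"] == SNMP_TYPE]
    # The summary counter and the parsed rows must agree, or the output is incomplete.
    if summary.get("SNMP") != len(snmp_entries):
        findings.append(f"summary reports SNMP:{summary.get('SNMP')} but "
                        f"{len(snmp_entries)} SNMP-learned rows were parsed")
    # Every intranet host we intend to match by MAC must actually have been learned.
    learned = learned_hosts_in(entries, subnet)
    for host in expected_hosts:
        if host not in learned:
            findings.append(f"{host}: no SNMP-learned entry; MAC-based policies cannot match it")
    # One IP bound to two MACs means stale or conflicting ARP data on the switch or NGFW.
    macs_by_ip = defaultdict(set)
    for e in entries:
        macs_by_ip[e["ip"]].add(e["mac"])
    for ip, macs in sorted(macs_by_ip.items()):
        if len(macs) > 1:
            findings.append(f"{ip}: bound to several MACs {sorted(macs)}; "
                            "investigate before relying on MAC policies")
    return findings


if __name__ == "__main__":
    for f in check_arp_sync(SAMPLE_DISPLAY_ARP, ["10.3.1.1", "10.3.1.21"], "10.3.1.0/24"):
        print("FINDING:", f)
    print("checks done")
```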

Configuration Script
#
 sysname NGFW
#
interface GigabitEthernet1/0/1
 ip address 10.3.2.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/1
#
 snmp-server arp-sync enable
 snmp-server arp-sync interval 10 timeout 5
 snmp-server target-host arp-sync address 10.3.2.1 community %$%$9]8wKc7.fV7EYJ=LCG[WP,#w%$%$ v2c
#
security-policy
 rule name policy_sec
  source-zone local
  destination-zone trust
  destination-address 10.3.2.1 255.255.255.255
  action permit
#
return

5.6.5 Feature History


This section describes the versions and changes in the across-Layer-3 MAC identification
feature.


Version Change Description

V100R001C10 The first version.

5.7 Configuring Information Push


This section describes how to configure information push.

Context
The NGFW sends notifications in text to users. You can specify the content of the notifications.
To modify a notification, export the notification template, edit the notification in the template,
and import the template file into the NGFW. The function modules that send notifications are:

- Antivirus
If you set the action for mail protocols in the antivirus profile to Alert, Declare, or Delete
Attachment and the NGFW detects a virus in an email, the NGFW adds the notification
information to the email body.
- URL filtering
When an accessed URL matches the filtering condition configured in the URL filtering
profile and the action specified in the profile is block, the NGFW pushes a notification page
to the user.

NOTICE
Push information may contain any HTML tag, including <script>, which is risky. Use this
capability cautiously.

Procedure
Step 1 Choose System > Setup > Information Push Configuration.

Step 2 Configure information to be pushed.


- Configure the antivirus push information.
1. Click Email Declaration or Email Delete Attachment under Anti-Virus.
Alternatively, you can click the corresponding Import. Then download the notification
template to the PC.
2. Edit the notification content in the template.
Parameter %FILE indicates the name of the virus-infected file. Each notification
message must contain only one %FILE. The NGFW automatically substitutes %FILE with the
actual value when sending notification messages. The notification messages support
spaces and can contain a maximum of 1024 characters.


3. Click Email Declaration or Email Delete Attachment. Alternatively, you can click
the corresponding Import. Then click Browse to select the template file in which the
notification is configured.
4. Click Import. The new notification takes effect after the template is successfully
imported.
- Configure the URL filtering notification.
1. Click Blacklist Blocking Configuration, User-defined Blocking Configuration,
Pre-defined Blocking Configuration, Anti-Virus Blocking Configuration, or
Default Action or Query Timeout Blocking Configuration under URL Filtering.
Alternatively, you can click the corresponding Import. Then download the notification
template to the local computer.
2. Edit the notification content in the template.
Text in angle brackets is Hypertext Markup Language (HTML) markup. Change only the
content between an opening tag (<...>) and its closing tag (</...>). The notification
template can contain a maximum of 21,504 (21*1024) characters.
In the Pre-defined Blocking Configuration notification template, parameters %CATNAME and
%SUBCATNAME respectively indicate the predefined category and predefined subcategory of
a URL. The NGFW automatically substitutes %CATNAME and %SUBCATNAME with the actual
values when sending notification messages.
You can add parameter %URL to the notification template to represent the URL accessed by
the user. The NGFW automatically substitutes %URL with the actual value when sending
notification messages. Parameter %URL can reside at any position in a notification message.
If a notification message contains the same parameter (%CATNAME, %SUBCATNAME, or %URL)
more than once, the NGFW substitutes only the first occurrence by default and outputs the
other occurrences literally when sending the notification message.
NOTE
If the information to be pushed contains Chinese characters, set the coding method to GB2312
between <head> and </head> (for example, <meta http-equiv="Content-Type" content="text/html;
charset=GB2312"></meta>) to ensure that the information is displayed properly.
3. Click Blacklist Blocking Configuration, User-defined Blocking Configuration,
Pre-defined Blocking Configuration, Anti-Virus Blocking Configuration, or
Default Action or Query Timeout Blocking Configuration. Alternatively, you can
click the corresponding Import. Then click Browse and select the template file where
the notification has been configured.
4. Click Import. The new notification takes effect after the template is successfully
imported.

NOTICE
Ensure the security of the file to be imported to prevent pushed pages from containing
malicious information such as phishing websites or Trojan horses.

----End
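The template rules above (one substitution per parameter, literal output of later copies, the 1024 and 21*1024 character caps, the GB2312 note) and the NOTICE about importing only trusted files can both be checked before a template is imported. The following is an added example, not Huawei code: it models the substitution as the guide describes it and lints a template for the risks the section names. HTML-escaping the substituted value and the lint rules themselves are this example's own choices; the guide does not state whether the NGFW escapes %URL.

```python
"""Model of the NGFW notification-template rules plus a pre-import lint.

Added example, not Huawei code. Substitution semantics and size caps follow the
guide; escaping of inserted values and the lint rules are this example's additions.
"""
import html
import re

EMAIL_MAX_CHARS = 1024          # antivirus email notification cap
URL_MAX_CHARS = 21 * 1024       # URL filtering notification cap (21,504)
EMAIL_PARAMS = ("%FILE",)
URL_PARAMS = ("%CATNAME", "%SUBCATNAME", "%URL")

SCRIPT_RE = re.compile(r"<\s*script\b", re.IGNORECASE)
JS_URL_RE = re.compile(r"""(?:href|src)\s*=\s*["']?\s*javascript:""", re.IGNORECASE)
EXT_REF_RE = re.compile(r"""(?:href|src)\s*=\s*["']?\s*(?:https?:)?//[^"'\s>]+""", re.IGNORECASE)
GB2312_META_RE = re.compile(r"charset\s*=\s*gb2312", re.IGNORECASE)
HAN_RE = re.compile(r"[\u4e00-\u9fff]")


def render_notification(template, values, params, max_chars):
    """Substitute each known parameter once; later copies stay literal, as the guide states.

    Values are HTML-escaped here because %URL reflects what the user requested; whether
    the NGFW itself escapes it is not stated in the guide, so this is the model's choice.
    """
    if len(template) > max_chars:
        raise ValueError(f"template is {len(template)} chars; cap is {max_chars}")
    out = template
    for name in params:
        if name in values:
            # count=1 implements "substitutes the first one by default".
            out = out.replace(name, html.escape(values[name], quote=True), 1)
    return out


def lint_email_template(template):
    """Findings for an antivirus email template before import."""
    problems = []
    if len(template) > EMAIL_MAX_CHARS:
        problems.append(f"exceeds {EMAIL_MAX_CHARS} characters")
    n = template.count("%FILE")
    if n > 1:
        problems.append(f"%FILE appears {n} times; the guide allows only one")
    return problems


def lint_url_template(template):
    """Findings for a URL-filtering template before import (added checks, defender's view)."""
    problems = []
    if len(template) > URL_MAX_CHARS:
        problems.append(f"exceeds {URL_MAX_CHARS} characters")
    if SCRIPT_RE.search(template):
        problems.append("contains a <script> tag; the guide flags script content as risky")
    if JS_URL_RE.search(template):
        problems.append("contains a javascript: URL in href/src")
    for m in EXT_REF_RE.finditer(template):
        # The NOTICE warns about phishing sites and Trojans; every external load is a lead.
        problems.append(f"external reference {m.group(0)!r}; confirm it is not a phishing or malware host")
    if HAN_RE.search(template) and not GB2312_META_RE.search(template):
        problems.append("Chinese text present but no charset=GB2312 <meta> in <head>")
    for name in URL_PARAMS:
        n = template.count(name)
        if n > 1:
            problems.append(f"{name} appears {n} times; only the first is substituted, the rest print literally")
    return problems


if __name__ == "__main__":
    demo = "<html><head></head><body>Blocked %URL (%CATNAME / %SUBCATNAME)</body></html>"
    print(render_notification(demo, {"%URL": "http://example.test/?a=1&b=2",
                                     "%CATNAME": "Games", "%SUBCATNAME": "Online"},
                              URL_PARAMS, URL_MAX_CHARS))
    for p in lint_url_template('<script src="//untrusted.example/x.js"></script>'):
        print("FINDING:", p)
```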


Maintaining Information Push


You can perform the following operations to modify notifications or restore default notifications:

- Click Export of the notification to be modified to download the notification file. Then edit
the downloaded notification and import the file into the NGFW.
- Click Reset corresponding to the notification to be modified to restore the default
notification.
– If you perform the reset operation in the root system, the root system uses the default
notification of the NGFW.
– If you perform the reset operation in the virtual system, the virtual system uses the
notification configured in the root system; if the default notification of the root system
has not been modified before you perform the reset operation, the virtual system uses
the default notification of the NGFW.

5.8 Setting Mail Service


After the SMTP mail server is configured, the device can send information to a specified email
box.

Context
After the mail service is enabled, the NGFW functions as an SMTP client to connect to the SMTP
server.

When the device sends information through mails, the device automatically references the mail
service parameters, such as email address.

Procedure
1. Choose System > Set Mail Service.
2. Configure the mail service.

Parameter: From
Description: Specifies the sender address.
Value: Each mail address must contain 6 to 64 characters.

Parameter: To
Description: Specifies the recipient address.
Value: Each mail address must contain 6 to 64 characters. To send reports to multiple
addresses, separate the addresses with line feeds.

Parameter: Copy To
Description: Specifies the CC recipient address.
Value: Each mail address must contain 6 to 64 characters. To copy reports to multiple
addresses, separate the addresses with line feeds.

Parameter: SMTP Mail Server/Port
Description: Specifies the domain name or IPv4 address of the mail server, and its port.
NOTE: The device does not support email sending through a mail server that enforces an SSL
connection, such as Gmail. Commonly used email servers, such as Sina, 163, and Winmail, are
recommended.
Value: The default SMTP server port is 25.

Parameter: User Name/Password
Description: Specifies the user name and password for logging in to the SMTP mail server.
NOTE: When the SMTP mail server requires ID authentication, "sender address" is the mailbox
address obtained during the user name registration.
Value: When the SMTP server requires ID authentication, select Verify Sender's Name and
Password, and enter the user name and password registered on the mail server.

3. Click Apply.
4. Click Set Test Email and log in to the recipient's or CC recipient's mailbox to see whether
the test mail is received.
Test emails are sent to test whether email messages can be successfully sent and received.
If not, check whether the parameters are correctly configured. Then, check the connectivity
between the NGFW and the SMTP server.

5.9 Logs, Trap Messages, and Debugging Messages


This section describes the logs, trap messages, and debugging messages and how to configure
the NGFW to send these messages.

5.9.1 Overview
This section describes the categorization and output principle of logs, trap messages, and
debugging messages.

5.9.1.1 Information Categorization


Information generated on the NGFW is categorized as logs, trap messages, and debugging
messages.


Logs
Logs are the records of the events and anomalies related to managed objects. These records can
be used to track user activities, manage system security functions, and provide reference for
system diagnosis and maintenance.

Each service module generates and sends logs to the log system. After analyzing the received
logs, the log system displays logs and reports on web pages and sends logs to terminals and log
hosts in acceptable formats as configured. Based on the formats, logs are classified into syslogs
and binary logs.

- Syslogs: The log system displays the content of each passing syslog on the terminal or
forwards it to a third-party log host. Syslog output impacts system performance. Only
system logs and operation logs, which are small in volume, are sent in syslog format.
- Binary logs: The log system encapsulates passing logs in binary format before sending
them to the eSight. After parsing the received binary logs, the eSight stores and analyzes
the parsed logs. Compared with syslogs, binary logs have a smaller impact on performance.
Therefore, logs that contain a large volume of data, such as traffic and policy matching logs,
are sent as binary logs.

Trap Messages
Trap messages are notifications generated when the system detects faults. Information about the
faults is carried in trap messages. Unlike logs, trap messages are time sensitive and must
reach administrators promptly. Therefore, the information center sends trap messages to the NMS
in a way different from the way it handles logs and other messages.

Trap messages are sent from a device to the NMS. With the SNMP agent enabled on the device,
the trap function enabled on the related module, and the NMS host that receives trap messages
configured, the device generates a trap message and sends it to the specified destination address
when an event occurs, such as an interface going down. If the NMS is reachable from the
device, the NMS receives the trap messages from the device.

Related concepts

- Event: anything that takes place on the managed device, for example, the managed device
is added, deleted, or modified.
- Fault: an event that causes a system malfunction. A fault may cause the system to lose its
operation or redundancy capability.
- Trap: the notification generated when the system detects a fault.

Debugging Messages
Debugging messages are the outputs of the tracing information about the operating status of a
device. Devices generate debugging messages only after the debugging function of the module
is enabled in the user view. Debugging messages display the content of packets sent or received
by the debugged module. Note that enabling debugging only generates debugging messages;
displaying them requires further configuration. Unlike logs and trap messages, debugging
messages have no buffer. Debugging messages can be output to the console or log hosts through
certain configurations.

You can perform configurations through the console port or through Telnet. The former method
is termed Console, and the latter is termed monitoring terminal. While debugging the
routing device through the Console or the monitoring terminal, you can configure the content
of the debugging messages.

Abundant debugging commands are available for debugging the protocols and functions that a
device supports. You can enable debugging for a protocol or a function to diagnose and
locate a fault.

The output of debugging messages depends on the following situations:

- Whether the debugging message about a protocol is output.
- Whether terminal display is enabled, that is, whether to display the debugging messages
on the terminal screen.

Figure 5-45 shows the relationship between the preceding two situations. After the debugging
for protocols 1 and 3 is enabled, corresponding debugging messages are generated. As screen
display is also enabled, the generated debugging messages are displayed. No debugging
messages about protocol 2 are generated or displayed because the debugging for protocol 2 is
not enabled.

Figure 5-45 Diagram of outputting debugging information

5.9.1.2 Information Output


This section describes the mechanism for the output of logs, trap messages, and debugging
messages and the workflow of the information center.

Log Output
Figure 5-46 shows the mechanism for the output of the logs.

Figure 5-46 Mechanism for log output

[Figure: raw service logs enter the log system, where log receiving and parsing distributes them to the database (log query and report processing, shown on Web UI - Monitor; stored logs are dumped to the hard disk), to dataflow encapsulation (binary logs sent to eSight), to the log cache (log retrieval for WebUI - Dashboard), and to the information center, whose information channels deliver syslogs to the log buffer (CLI), the remote terminal, the local console, and the log host.]

The NGFW identifies and controls traffic based on applications and services and records logs.
The logs are generated by different modules and are all sent to the log system of the NGFW.
The log system parses, stores, and redirects the logs of different modules. The process is
described as follows:

- Log receiving and parsing: The log system parses, classifies, and sends the received
logs to the database, dataflow encapsulation module, log buffer, or information center.
- Database: The database stores received logs, including traffic, threat, URL, content,
operation, system, user activity, policy matching, mail filtering, and audit logs, and
periodically dumps the stored logs to the hard disk. When you display logs on the web UI, the
NGFW sends the logs stored in the database and hard disk to the log query module for
further processing before the log statistics are displayed. For details, see 25.1 Logs and
Reports.
- Dataflow encapsulation: After you configure binary log output, the log system
encapsulates some logs (threat logs, URL filtering logs, content logs, traffic logs, policy
matching logs, IM auditing logs, HTTP auditing logs, mail filtering logs, and session logs)
in binary (dataflow) format and sends them to the eSight system for storage and analysis.
Traffic logs and policy matching logs can be output only in binary format. Threat logs, URL
auditing logs, IM auditing logs, content logs, URL filtering logs, mail filtering logs, and
session logs are preferentially output in binary format. Other logs cannot be output in
binary format.
- Log buffer: The log buffer forwards any received threat log to the log query module for
further processing before the log statistics are displayed on the Dashboard page. For
details, see Threat Report List.
- Information center: The information center receives all logs except traffic logs and
policy matching logs, encapsulates them in syslog format, and sends them to the log buffer,
local console, remote terminal, and syslog host through different information channels.
For details, see Mechanism of the Information Center. In addition, the information center
sends system logs to the log buffer so that they can be displayed on the Dashboard page
after being processed by the log query module. For details, see System Logs.
NOTE

- If you do not configure binary log output, the syslog host can receive all logs except traffic logs and
policy matching logs.
- The eSight can receive both syslogs and binary logs, whereas third-party log hosts can receive
only syslogs.

Trap/Debugging Message Output


Both trap and debugging messages are sent through the information center. The procedures are
described as follows:

- Trap message output: A trap message is generated on the NGFW once a fault is detected.
After receiving the trap message from the log buffer, the information center forwards the
trap message to the local console, remote terminal, or SNMP proxy.
- Debugging message output: Debugging messages can be generated on routers after a
debugging function is enabled. After receiving the debugging messages from the routers,
the information center forwards them to the local console, remote terminal, or log hosts.

For details on the output of trap messages and debugging messages, see Mechanism of the
Information Center.

Mechanism of the Information Center


The information center classifies, filters, and sends most types of the logs, trap messages, and
debugging messages.

By default, the information center is enabled. The information center dispatches logs, trap
messages, and debugging messages to 10 information channels based on their severities.

As shown in Figure 5-47, syslogs, trap messages, and debugging messages are output through
their default information channels. However, you can manually specify the information channel.
For example, if channel 6 is specified as the information channel to the log buffer, the information
center dispatches all logs destined for the log buffer to channel 6 instead of the default channel
4.


Figure 5-47 Functions of the information center

[Figure: logs, traps, and debugging information each flow in their own direction through the ten information channels to the output directions: channel 0 console (Console), 1 monitor (Remote terminal), 2 loghost (Log host), 3 trapbuffer (Trap buffer), 4 logbuffer (Log buffer), 5 snmpagent (SNMP agent), 6 channel6, 7 channel7, 8 channel8, 9 channel9.]

As shown in Table 5-22, the system provides ten information channels. The first six channels,
numbered 0 through 5, have default channel names and are associated with six output directions
by default. Logs and messages that are forwarded to the information channels must be output in
specific directions before they can be saved. For NGFWs that are equipped with a hard disk,
channel 9 is also available; such an NGFW therefore has seven output directions altogether.

Table 5-22 Information channels and output directions

Channel ID  Default Channel Name  Output Direction  Description
0           console               console           Outputs the information to the local console, which can receive logs, trap messages, and debugging messages.
1           monitor               monitor           Outputs the information to the remote terminal, which can receive logs, trap messages, and debugging messages. The monitor channel facilitates remote maintenance.
2           loghost               loghost           Sends logs to the log host, where the logs are stored in files for viewing.
3           trapbuffer            trapbuffer        Outputs trap messages to the trap buffer. The NGFW assigns a specified area as the alarm buffer that records trap messages.
4           logbuffer             logbuffer         Outputs the logs to the log buffer. The NGFW assigns a specified area as the log buffer that records the logs.
5           snmpagent             snmpagent         Outputs the trap messages to the SNMP agent.
6           Unspecified           Unspecified       Reserved.
7           Unspecified           Unspecified       Reserved.
8           Unspecified           Unspecified       Reserved.
9           channel9              Unspecified       Reserved.

When multiple log hosts are available, you can configure logs to be output to different log hosts
through one channel or multiple channels. For example, configure certain logs to be output to a
log host either through Channel 2 (loghost) or through Channel 6. You can also change the name
of Channel 6 for convenient management.

5.9.2 Configuring the Output of Logs, Trap Messages, and Debugging Messages Using the CLI

This section describes how to configure the output of logs, trap messages, and debugging
messages using the CLI.

5.9.2.1 Configuring the Output of Logs in Syslog Format


This section describes how to configure log output to send logs to the log buffer, local console,
remote terminal, and third-party log hosts in syslog format.

Prerequisites
Ensure the system time setting is correct during the initial configuration. Changes of the setting
when the device is running result in inaccuracy of the timestamps recorded in existing logs.

Context
The firewall can send all types of logs (except traffic logs and policy matching logs) to a syslog
host.

If you configure both the syslog host and binary log host, session logs are sent simultaneously
in syslog and binary formats to the syslog host. Other logs are sent preferentially in binary format
to the binary log host.

NOTE

Session logs in syslog format can be output only to syslog hosts, not to the log buffer, console, or terminal.


Procedure
Step 1 Optional: Run the engine log { app-control | audit | av | data-filter | file-block | ips | mail-
filter | url-filter } enable command to enable the log function.

By default, the log function is enabled.

Step 2 Enable the output of session logs in the security interzone.


1. Run the security-policy command to access the security policy view.
2. Run the rule name rule-name command to access the security policy rule view.
3. Run the session logging command to enable the session log function.
By default, the session log function is disabled.

Step 3 Enable the information center.


1. Run the system-view command to access the system view.
2. Run the info-center enable command to enable the information center.

NOTICE
By default, the information center is enabled. If excessive logs and messages are to be generated,
enabling the information center compromises the system performance.

Step 4 Optional: Run the info-center channel channel-number name channel-name command to set
the name of the information channel whose ID is channel-number to channel-name.

Step 5 Optional: Run the info-center syslog unicode enable command to enable the information
center to send logs in unicode to information channels.
NOTE
Unicode is used to display Chinese characters. Therefore, unicode logs support only UCS-2 character set
and UTF-8 coding scheme.

Step 6 Run the info-center source { module-name | default } channel { channel-number | channel-
name } [ log { state { off | on } | level severity } * ] command to configure the channels for log
output.

Logs can be sent only after the information center is enabled.

By default, log output is not enabled on the audit log (AUDIT), mail filtering (MAILFITER),
URL filtering (URL), anti-spam (RBL), application control (APPCTL), data leak prevention
(DLP), antivirus (AV), intrusion prevention (IPS) modules. On other modules, log output is
enabled by default.

Step 7 Configure the information center to send the logs to the log buffer, local console, remote terminal,
and third-party log hosts as required.
- Configure the information center to send logs to the log buffer.
By default, the information center dispatches the logs destined for the log buffer to channel
4. The size of the log buffer is 1024 KB. Log output is enabled and the severity of the logs
is Warning.
1. Run the info-center logbuffer [ channel { channel-number | channel-name } ]
command to enable the information center to send logs to the log buffer.
2. Optional: Run the info-center logbuffer size buffer-size command to set the size of
the log buffer.
- Run the info-center console channel { channel-number | channel-name } command to
enable the information center to send logs to the local console.
The information center dispatches the logs destined for the local console to information
channel 0. Log output is enabled and the severity of the logs is Warning.
- Run the info-center monitor channel { channel-number | channel-name } command to
enable the information center to send logs to the VTY terminal.
- Configure the export of logs to a log host by running either of the following commands:
– info-center loghost ip-address [ port ] [ vpn-instance vpn-instance-name ] [ module
{ module-name } &<1-6> ]
– info-center loghost ip-address [ port ] [ vpn-instance vpn-instance-name ] [ channel
{ channel-number | channel-name } | facility local-number | language { chinese |
english } ] *
By default, the information center does not send logs to log hosts.

Step 8 Optional: Configure the information display function of the VTY terminal.
1. Run the quit command to return to the user view.
2. Run the terminal monitor command to enable the information display function of the
terminal.
The information display function is enabled by default. This command applies only to the
current VTY terminal where the command is executed.
3. Run the terminal logging command to enable the information display function of the
terminal.
The information display function on the VTY terminal is enabled by default.
NOTE
The information display function must be enabled if the logs are sent to the local console or remote terminal.

----End

Example
1. Run the system-view command to access the system view.
2. Run the info-center source ARP channel 4 command to send the messages of the ARP module
through channel 4.
[NGFW] info-center source ARP channel 4

3. Run the info-center console channel 0 command to send the messages on channel 0 to the
console.
[NGFW] info-center console channel 0

Follow-up Procedure
After the configuration, display the information recorded in the information center.
<NGFW> display info-center
Information Center:enabled
Log host:
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 259, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 57
Trap buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 0, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 0
Information timestamp setting:
log - date, trap - date, debug - boot

Sent messages = 807, Received messages = 807

IO Reg messages = 0 IO Sent messages = 0

5.9.2.2 Configuring the Output of Logs in Binary Format


This section describes how to configure the information center to send binary logs to a log host.

Prerequisites
Ensure that the system time on the NGFW matches the time on the eSight during the initial
configuration. Changing the time while the device is running makes the timestamps already
recorded in existing logs inaccurate.

Procedure
Step 1 Run the system-view command to access the system view.

Step 2 Optional: Run the log type traffic enable command to enable the output of traffic logs.

By default, the log function is enabled.

Step 3 Optional: Run the engine log { app-control | audit | av | data-filter | file-block | ips | mail-
filter | url-filter } enable command to enable the output of threat logs, URL filtering logs,
content logs, IM auditing logs, HTTP auditing logs, and mail filtering logs.

By default, the log function is enabled.

Step 4 Enable the output of policy matching logs in the security interzone.
1. Run the log type policy enable command to enable the output of policy matching logs.
By default, the log function is enabled.
2. Run the security-policy command to access the security policy view.
3. Run the rule name rule-name command to access the security policy rule view.
4. Run the policy logging command to enable the policy matching log function.
By default, the policy matching log function is disabled.

Step 5 Enable the output of session logs in the security interzone.
1. Run the security-policy command to access the security policy view.
2. Run the rule name rule-name command to access the security policy rule view.
3. Run the session logging command to enable the session log function.
By default, the session log function is disabled.

Step 6 Run the data-flow loghost host-id ip-address ip-address [ port port-number ] [ vpn-instance
vpn-instance-name ] command to configure the log hosts that receive binary logs.

The NGFW supports a maximum of 16 log hosts for load balancing or redundancy.

NOTE
Only the eSight can serve as the log host that receives and parses binary logs. For details on the eSight, see
its product documentation.

Step 7 Optional: Run the data-flow loghost source ip-address ip-address [ source-port port-
number ] command to set the source IP address and port that the NGFW uses to send binary logs.

If the source IP address is not configured, the NGFW uses the IP address of the outgoing interface
to the log host as the source IP address.

The configured source IP address must be the same as the IP address of the NGFW configured
on the log host.

Step 8 Optional: Run the data-flow send-type concurrent command to configure the output of binary
logs in concurrent mode.

If multiple log hosts are configured, the NGFW sends each binary log to all log hosts after this
command is executed.

By default, the NGFW sends binary logs in polling mode, that is, the NGFW sends binary logs
to the configured log hosts in turns.

Step 9 Optional: Run the data-flow encrypt password password command to configure the
encryption function on the NGFW for sending binary logs.

After you run this command, the NGFW will use the specified encryption password to encrypt
the binary logs before sending. After receiving the binary logs, the eSight will use the decryption
password to decrypt the logs. This ensures the log transmission security. The encryption
password specified on the NGFW and the decryption password specified on the eSight must be
the same.

NOTICE
The NGFW currently encrypts audit logs only; the other binary log types are sent without
encryption. To protect audit logs in transit, configure the encryption function.

----End

5.9.2.3 Configuring the Output of Trap Messages


This section describes how to configure the output of trap messages to the trap buffer, local
console, remote terminal, and SNMP agent.


Procedure
Step 1 Enable the information center.
1. Run the system-view command to access the system view.
2. Run the info-center enable command to enable the information center.

NOTICE
By default, the information center is enabled. If excessive logs and messages are to be generated,
enabling the information center compromises the system performance.

Step 2 Optional: Run the info-center channel channel-number name channel-name command to
assign the name channel-name to the information channel numbered channel-number.

Step 3 Run the info-center source { module-name | default } channel { channel-number | channel-
name } [ trap { state { off | on } | level severity } * ] command to configure the channels for the
output of trap messages.

Trap messages can be sent only when the information center is enabled. The timestamps in trap
messages are in the date format. The trap message output function is enabled and the severity
of the trap messages is Warning.

Step 4 Configure the information center to send trap messages to the trap buffer, local console, remote
terminal, and SNMP agent as required.
l Configure the information center to send trap messages to the trap buffer.
By default, the information center dispatches the trap messages destined for the trap buffer
to channel 3 (channel name trapbuffer, as shown in the display info-center output). The trap
buffer holds 1024 trap messages.
1. Run the info-center trapbuffer [ channel { channel-number | channel-name } ]
command to enable the information center to send trap messages to the trap buffer.
2. Optional: Run the info-center trapbuffer size buffer-size command to set the size of
the trap buffer.
l Run the info-center console channel { channel-number | channel-name } command to
enable the information center to send trap messages to the local console.
By default, the information center dispatches the trap messages destined for the local console
to information channel 0. The output of trap messages is enabled and the severity of the trap
messages is Warning.
l Run the info-center monitor channel { channel-number | channel-name } command to
enable the information center to send trap messages to the VTY terminal.
By default, the information center dispatches the trap messages destined for the VTY terminal
to information channel 1. The output of trap messages is enabled and the severity of the trap
messages is Warning.
l Run the info-center snmp channel { channel-number | channel-name } command to enable
the information center to send trap messages to the SNMP agent.
To send trap messages to the SNMP agent, the SNMP agent function must be enabled on the
NGFW.


By default, the information center dispatches the trap messages destined for the SNMP agent
to channel 5 (channel name snmpagent).

Step 5 Optional: Configure the information display function of the VTY terminal.

1. Run the quit command to return to the user view.


2. Run the terminal monitor command to enable the information display function of the
terminal.
The information display function is enabled by default. This command applies only to the
current VTY terminal where the command is executed.
3. Run the terminal trapping command to enable the information display function of the
terminal.
The information display function on the VTY terminal is enabled by default.

NOTE
The information display function must be enabled if the information center is configured to send the trap
messages to the local console or remote terminal.

----End

Example
1. Run the info-center source ARP channel 4 command to send the messages of the ARP module
through channel 4.
[NGFW] info-center source ARP channel 4

2. Run the info-center console channel 0 command to send the messages on channel 0 to the
console.
[NGFW] info-center console channel 0

Follow-up Procedure
After the configuration, display the information recorded in the information center.
<NGFW> display info-center
Information Center:enabled
Log host:
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 259, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 57
Trap buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 0, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 0
Information timestamp setting:
log - date, trap - date, debug - boot

Sent messages = 807, Received messages = 807

IO Reg messages = 0 IO Sent messages = 0


5.9.2.4 Configuring the Output of Debugging Messages


This section describes how to configure the output of debugging messages to the local console,
remote terminal, and third-party log hosts.

Procedure
Step 1 Enable the information center.
1. Run the system-view command to access the system view.
2. Run the info-center enable command to enable the information center.

NOTICE
By default, the information center is enabled. If excessive logs and messages are to be generated,
enabling the information center compromises the system performance.

Step 2 Optional: Run the info-center channel channel-number name channel-name command to
assign the name channel-name to the information channel numbered channel-number.

Step 3 Run the info-center source { module-name | default } channel { channel-number | channel-
name } [ debug { state { off | on } | level severity } * ] command to configure the channels for
the output of debugging messages.

Debugging messages can be sent only when the information center is enabled. The timestamps
in debugging messages are in the boot format.

Step 4 Configure the information center to send debugging messages to the local console, remote
terminal, and log hosts as required.
l Run the info-center console channel { channel-number | channel-name } command to
enable the information center to send debugging messages to the local console.
l Run the info-center monitor channel { channel-number | channel-name } command to
enable the information center to send debugging messages to the VTY terminal.
l Run the info-center loghost ip-address [ port ] [ vpn-instance vpn-instance-name ]
[ module { module-name } &<1-6> ] [ channel { channel-number | channel-name } |
facility local-number | language { chinese | english } ] * command to send debugging
messages to the log hosts.
By default, the information center does not send debugging messages to the log hosts.

Step 5 Optional: Configure the information display function of the VTY terminal.
1. Run the quit command to return to the user view.
2. Run the terminal monitor command to enable the information display function of the
terminal.
The information display function is enabled by default. This command applies only to the
current VTY terminal where the command is executed.
3. Run the terminal debugging command to enable the information display function on the
VTY terminal.
The information display function on the VTY terminal is disabled by default.


NOTE
The information display function must be enabled if the information center is configured to send the
debugging messages to the local console or remote terminal.

----End

Example
l Run the info-center source default channel 0 command to send debugging messages
through channel 0.
[NGFW] info-center source default channel 0

l Run the info-center console channel 0 command to send debugging messages to console
CON0.
[NGFW] info-center console channel 0

Follow-up Procedure
After the configuration, display the information recorded in the information center.
<NGFW> display info-center
Information Center:enabled
Log host:
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 259, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 57
Trap buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 0, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 0
Information timestamp setting:
log - date, trap - date, debug - boot

Sent messages = 807, Received messages = 807

IO Reg messages = 0 IO Sent messages = 0

5.9.2.5 Maintaining Logs, Trap Messages, and Debugging Messages


This section describes how to maintain logs, trap messages, and debugging messages.

Viewing the Configuration


Table 5-23 lists the commands for viewing the configuration for the output of logs, trap
messages, and debugging messages.


Table 5-23 Commands for viewing the configuration for the output of logs, trap messages, and
debugging messages

Task: View the channel configuration.
Command: display channel [ channel-number | channel-name ]

Task: View the information in the information center.
Command: display info-center [ statistics ]

Task: View the information in the log buffer.
Command: display logbuffer [ common-log | sec-log ] [ slot slot-number | level { severity |
emergency | alert | critical | error | warning | notification | informational | debugging } |
size value ] * [ | { exclude | include } regular-expression ]

Task: View the information in the trap buffer.
Command: display trapbuffer [ size value ]

Task: View enabled debugging functions.
Command: display debugging

Clearing Statistics

NOTICE
Statistics cannot be restored after they are cleared. Make sure you understand the consequences
before you run these commands.

Table 5-24 lists the commands for clearing the statistics about logs, trap messages, and
debugging messages.

Table 5-24 Commands for clearing the statistics about logs, trap messages, and debugging
messages

Task: Clear the statistics of all modules in the information center.
Command: reset info-center statistics

Task: Clear the information in the log buffer.
Command: reset logbuffer

Task: Clear the information in the trap buffer.
Command: reset trapbuffer


5.9.3 Configuring Log Output Using the Web UI


If you have a log host, you can send logs to the log host in syslog or binary format.

Prerequisites
The system time must be set correctly during the initial configuration. Changing the system time
while the device is running results in incorrect timestamps in existing logs.

To output policy matching logs and session logs to log hosts, choose Policy > Security Policy
and enable Record Policy Matching Log and Record Session Log.

NOTE

If both a syslog host and a binary log host are configured, session logs are sent in both formats: in syslog
format to the syslog host and in binary format to the binary log host. Other log types are sent preferentially
in binary format to the binary log host.

Configuring Syslog Output


The firewall can send all types of logs (except traffic logs and policy matching logs) to a syslog
host.

After a syslog host is configured, the NGFW sends the syslogs it has generated to the syslog
host. The syslog host analyzes and maintains the syslogs.

Step 1 Choose System > Log Configuration.

Step 2 Configure the syslog sending function.

Parameter: Log Host IP Address
IP address of the log host that receives syslogs from the NGFW. This must be the actual IP
address of the log host.

Parameter: Destination Port
Port number on the log host that receives syslogs from the NGFW. This must be the port number
actually configured on the log host. The default port number on the log host is 514.

Parameter: Language
Language in which syslogs are sent to the log host. To ensure that the log collector on the log
host parses the logs correctly, select the language that the log collector supports.

Parameter: Send Interface
Source interface from which syslogs are sent to the log host. If you do not specify this
parameter, the source interface is the interface that forwards the logs. The interface must
exist on the NGFW and have an IP address.

Step 3 Click the add icon and repeat the preceding steps to add more log hosts.
If multiple log hosts are configured, the NGFW sends the same syslogs to each of them, so every
host holds a backup copy of the syslogs.

Step 4 Click Apply.


If the Operation succeeded dialog box is displayed, the syslog sending function has been
configured.

----End

Configuring Binary Log Output


The binary log host can receive threat logs, URL logs, content logs, traffic logs, policy matching
logs, IM audit logs, HTTP audit logs, mail filtering logs, and session logs.

After you configure the binary log host, the NGFW sends the binary logs to the binary log host
for log analysis and management.

Step 1 Choose System > Log Configuration.

Step 2 Configure the binary log.

Parameter: Send Binary Logs to All Log Servers
If Send Logs Concurrently is selected, every binary log is sent to all log hosts. Otherwise, the
device sends binary logs to the log hosts in turn, in the order of the log host IDs.

Parameter: Log Source IP Address
Source IP address from which binary logs are sent.

Parameter: Source Port
Source port from which binary logs are sent. The default port is 1617.

Parameter: Log Host IP Address
IP address of the log host that receives binary logs.

Parameter: Port
Port on the log host that receives binary logs. The default port is 9903.

Step 3 Click the add icon and repeat the preceding steps to add more log hosts.

Step 4 Click Apply.

If the Operation succeeded dialog box is displayed, the binary log sending function has
been configured.

----End

Configuring Rules for Saving Original Traffic Logs


After you enable rules for saving original traffic logs, the system preferentially saves the traffic
logs of top N users. Choose Monitor > Log > Traffic Log to view traffic logs. The system
displays only the traffic logs of top N users that generate most traffic.

Step 1 Choose System > Log Configuration.

Step 2 Configure rules for saving original traffic logs.


1. Select Enable corresponding to the Save top N user logs preferentially check box.
2. In Top N users, enter a number. For example, if you enter 10, the system preferentially
saves the original traffic logs of top 10 users.


Step 3 Click Apply.

----End

Setting the Disk Usage Alarm Threshold


The device allocates a storage space to each log type. When the usage of one storage space
reaches or exceeds the configured threshold, an alarm log is generated.

Step 1 Choose System > Log Configuration.

Step 2 Enter the threshold in the area box next to Alarm Threshold.

The value is an integer ranging from 50 to 100, in percentage. By default, the threshold is 85%.

Step 3 Click Apply.

----End

Setting the Log Processing Mode upon Insufficient Disk Space


The device allocates a specific storage space on the hard disk to the logs of each module. When
a storage space is full, the device by default deletes the earliest logs to make room for new ones.

Step 1 Choose System > Log Configuration.

Step 2 Choose Processing Mode upon insufficient disk space.


l Overwrite indicates that new logs overwrite the oldest logs in case of insufficient log storage
space.
l Discard indicates that the device discards new logs in case of insufficient log storage space.

Overwrite is the default log processing mode in case of insufficient log storage space.

Step 3 Click Apply.

----End

5.9.4 Configuration Examples


This section provides several examples for configuring the information center.

5.9.4.1 Example for Enabling the Information Center to Send Logs to Log Hosts
This section provides an example for configuring the output of syslogs generated by different
modules to log servers.

Networking Requirements
As shown in Figure 5-48, log information is sent to a log server. You can configure the
NGFW to send logs generated by the SHELL and SEC modules to different log servers
respectively. Two log servers are required for the NGFW.


Figure 5-48 Networking diagram of outputting logs to a log host

[Figure: Log Server 1 (10.1.2.2/24) and Log Server 2 (10.1.2.3/24) sit in the DMZ (10.1.2.0/24)
behind GE1/0/2 (10.1.2.1/24) of the NGFW. The Trust zone (10.1.3.0/24) connects to GE1/0/3
(10.1.3.1/24) and the Untrust zone (10.1.1.0/24) connects to GE1/0/1 (10.1.1.1/24).]

Configuration Roadmap
1. Enable the information center function to allow the output of device logs.
2. Configure a source interface for sending log information.
3. Configure log output channels to send the logs generated by different modules to log
servers.
4. Configure the log servers to receive logs from the NGFW.

Procedure
Step 1 Configure basic data for the NGFW.

# Set IP addresses of interfaces.


<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] ip address 10.1.3.1 24
[NGFW-GigabitEthernet1/0/3] quit
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[NGFW-GigabitEthernet1/0/1] quit
[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] ip address 10.1.2.1 24
[NGFW-GigabitEthernet1/0/2] quit

# Assign the interfaces to security zones.


[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW-zone-trust] quit
[NGFW] firewall zone untrust
[NGFW-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW-zone-untrust] quit
[NGFW] firewall zone dmz
[NGFW-zone-dmz] add interface GigabitEthernet 1/0/2
[NGFW-zone-dmz] quit


Step 2 Configure interzone security policies.


# Configure a security policy between the Trust and Untrust zones to allow users in the Trust
zone to access resources in the Untrust zone.
[NGFW] security-policy
[NGFW-policy-security] rule name policy1
[NGFW-policy-security-rule-policy1] source zone trust
[NGFW-policy-security-rule-policy1] destination zone untrust
[NGFW-policy-security-rule-policy1] source-address 10.1.3.0 mask 24
[NGFW-policy-security-rule-policy1] destination-address 10.1.1.0 mask 24
[NGFW-policy-security-rule-policy1] action permit
[NGFW-policy-security-rule-policy1] quit
[NGFW-policy-security] quit

# Configure a security policy between the Local zone and the DMZ to allow logs generated by
the NGFW to reach the DMZ.
[NGFW] security-policy
[NGFW-policy-security] rule name policy2
[NGFW-policy-security-rule-policy2] source zone local
[NGFW-policy-security-rule-policy2] destination zone dmz
[NGFW-policy-security-rule-policy2] destination-address 10.1.2.0 mask 24
[NGFW-policy-security-rule-policy2] action permit
[NGFW-policy-security-rule-policy2] quit
[NGFW-policy-security] quit

Step 3 Enable the information center function.


<NGFW> system-view
[NGFW] info-center enable

Step 4 Configure a source interface for sending log information.


[NGFW] info-center loghost source GigabitEthernet 1/0/2

Step 5 Configure log output channels to send logs to the specified log servers.
NOTE
By default, logs are sent to a log server in syslog mode through channel 2. The default channel name is
loghost.

# Configure Log Server 1 at 10.1.2.2 (port 1000, host facility local2) and allow only the logs
generated by the SHELL module to reach it through channel 6. The undo command removes the
default rule from channel 6 so that no other module's logs flow through that channel.
[NGFW] info-center source SHELL channel 6 log level informational
[NGFW] undo info-center source default channel 6
[NGFW] info-center loghost 10.1.2.2 1000 module SHELL channel 6 facility local2

# Set the log server at 10.1.2.3 and configure the NGFW to allow the output of logs generated
by the SEC module to Log Server 2 through channel loghost.
[NGFW] info-center source SEC channel 2 log level informational
[NGFW] undo info-center source default channel 2
[NGFW] info-center loghost 10.1.2.3 514 module SEC

NOTE
By default, attack defense logs are not sent to any host. To enable this function, run the info-center source
DDOS channel loghost log state on command.

Step 6 Configure log servers.


NOTE
The log server can be a compatible eSight NMS server, a PC, or a host on which third-party log software
is installed. For details, refer to related product manuals.

----End
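The channel logic behind Steps 3 to 5 (and behind the trap and debugging channel steps in 5.9.2.3 and 5.9.2.4) can be checked before touching a device. The following Python model is an added example, not Huawei code: it reproduces the configuration above and reports which destinations a message of a given module, type and severity reaches, including why the undo info-center source default channel 6 line matters. The default per-channel thresholds (log warning, trap and debug debugging) are assumed from the display channel 0 output in 5.9.4.2; the module and host names are those of this example.

```python
"""Model of the information center dispatch path: module -> channel (per-type
state and level threshold) -> destinations bound to that channel.
Added illustration, not Huawei code; defaults are assumed from the
display channel 0 output shown in this chapter."""
from dataclasses import dataclass, field

# Severity names as used by display logbuffer; a lower number is more severe.
SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notification": 5, "informational": 6, "debugging": 7}

# Built-in destinations and the message types each accepts.  Channel 2
# (loghost) is handled through the explicitly configured log hosts below.
DESTINATIONS = {0: ("console", {"log", "trap", "debug"}),
                1: ("monitor", {"log", "trap", "debug"}),
                3: ("trapbuffer", {"trap"}),
                4: ("logbuffer", {"log"}),
                5: ("snmpagent", {"trap"})}
LOGHOST_TYPES = {"log", "debug"}   # loghosts take logs and debugging messages


@dataclass
class LogHost:
    ip: str
    port: int
    channel: int
    modules: tuple      # empty tuple = no module restriction
    facility: str


@dataclass
class InfoCenter:
    # channel -> module -> {"log" | "trap" | "debug": (state, level)}
    sources: dict = field(default_factory=dict)
    loghosts: list = field(default_factory=list)

    def __post_init__(self):
        # Assumption: every channel starts with the 'default' rule shown by
        # display channel 0: log warning, trap debugging, debug debugging.
        for ch in range(10):
            self.source("default", ch)

    def source(self, module, channel, log_state=True, log_level="warning",
               trap_state=True, trap_level="debugging",
               debug_state=True, debug_level="debugging"):
        """info-center source <module> channel <n> [ log|trap|debug ... ]"""
        self.sources.setdefault(channel, {})[module] = {
            "log": (log_state, log_level), "trap": (trap_state, trap_level),
            "debug": (debug_state, debug_level)}

    def undo_source(self, module, channel):
        """undo info-center source <module> channel <n>"""
        self.sources.get(channel, {}).pop(module, None)

    def loghost(self, ip, port=514, channel=2, modules=(), facility="local7"):
        """info-center loghost <ip> [port] [module ...] [channel n] [facility ...]"""
        self.loghosts.append(LogHost(ip, port, channel, tuple(modules), facility))

    def passes(self, channel, module, msg_type, severity):
        """Does a message of this module/type/severity get through the channel?"""
        rules = self.sources.get(channel, {})
        rule = rules.get(module) or rules.get("default")
        if rule is None:        # nothing on the channel, not even 'default'
            return False
        state, level = rule[msg_type]
        return state and SEVERITY[severity] <= SEVERITY[level]

    def route(self, module, msg_type, severity):
        """Names of the destinations that receive one message."""
        out = [name for ch, (name, types) in DESTINATIONS.items()
               if msg_type in types and self.passes(ch, module, msg_type, severity)]
        for h in self.loghosts:
            if h.modules and module not in h.modules:
                continue
            if msg_type in LOGHOST_TYPES and self.passes(h.channel, module, msg_type, severity):
                out.append(f"loghost {h.ip}:{h.port} ({h.facility})")
        return out


def example_5_9_4_1():
    """The two-log-server configuration from this example."""
    ic = InfoCenter()
    ic.source("SHELL", 6, log_level="informational")
    ic.undo_source("default", 6)
    ic.loghost("10.1.2.2", 1000, channel=6, modules=("SHELL",), facility="local2")
    ic.source("SEC", 2, log_level="informational")
    ic.undo_source("default", 2)
    ic.loghost("10.1.2.3", 514, modules=("SEC",))
    return ic


def why_undo_default_matters():
    """Same host on channel 6 without a module filter, first with and then
    without the 'undo info-center source default channel 6' line."""
    results = []
    for undo in (True, False):
        ic = InfoCenter()
        ic.source("SHELL", 6, log_level="informational")
        if undo:
            ic.undo_source("default", 6)
        ic.loghost("10.1.2.2", 1000, channel=6, facility="local2")
        results.append(ic.route("ARP", "log", "warning"))
    return results


if __name__ == "__main__":
    ic = example_5_9_4_1()
    for msg in (("SHELL", "log", "informational"), ("SEC", "log", "warning"),
                ("ARP", "log", "warning")):
        print(msg, "->", ic.route(*msg))
    print("ARP warning with / without undo default:", why_undo_default_matters())
```

Without the undo line, every module's warning-and-above logs still pass channel 6 through the default rule, so a host bound to that channel without a module filter receives far more than the SHELL logs intended for it; the model makes that visible before the logs do.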


Configuration Verification
1. Check the information center configuration. Both log hosts are listed with their channels
and host facilities.
<NGFW> display info-center
Information Center:enabled
Log host:
the interface name of the source address:GigabitEthernet1/0/2
ip : 10.1.2.2, port : 1000, channel number : 6, channel name : channel6
language english , host facility local2
ip : 10.1.2.3, port : 514, channel number : 2, channel name : loghost
language english , host facility local7
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 256, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 150
Trap buffer:
enabled,max buffer size 1024, current buffer size 1024,
current messages 0, channel number:3, channel name:trapbuffer
dropped messages 0, overwritten messages 0
logfile:
channel number : 9, channel name : channel9, language : english
Information timestamp setting:
log - date, trap - date, debug - boot

Sent messages = 1745, Received messages = 1744

IO Reg messages = 0 IO Sent messages = 0

2. When the NGFW generates session logs, the logs of the SEC module appear on Log Server 2.
3. Run commands on the NGFW or log out of the NGFW. The logs of the SHELL module appear on
Log Server 1.
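On the receiving side, the quickest check that Log Server 1 and Log Server 2 are getting what Step 5 intended is to decode the syslog PRI header, because the facility (local2 for 10.1.2.2, the default local7 for 10.1.2.3) and the severity are encoded there as facility * 8 + severity. The following Python helper is an added example, not Huawei code; its sample lines are constructed and do not reproduce Huawei's message format, and the port and facility values are the ones configured in this example.

```python
"""Log-host side check that syslog from the NGFW arrives with the facility
and severity configured with 'facility local-number' and the log level.
Added example, not Huawei code.  The sample lines are constructed and do
not reproduce Huawei's exact message format."""
import re
import socket

# RFC 3164: PRI = facility * 8 + severity.  local0..local7 are facilities
# 16..23; the NGFW default is local7 (23), Log Server 1 above uses local2 (18).
FACILITY = {f"local{i}": 16 + i for i in range(8)}
SEVERITY = ["emergency", "alert", "critical", "error",
            "warning", "notification", "informational", "debugging"]
PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def parse_pri(line):
    """Return (facility_name, severity_name, rest_of_line) for one syslog line."""
    m = PRI_RE.match(line)
    if m is None:
        raise ValueError("line has no <PRI> header: %r" % line[:40])
    pri = int(m.group(1))
    if pri > 191:
        raise ValueError("PRI %d out of range" % pri)
    fac, sev = divmod(pri, 8)
    fac_name = next((n for n, v in FACILITY.items() if v == fac), "facility%d" % fac)
    return fac_name, SEVERITY[sev], m.group(2)


def expected_pri(facility, severity):
    """PRI value a collector should see for a given facility/level pair."""
    return FACILITY[facility] * 8 + SEVERITY.index(severity)


def audit(lines, expected_facility):
    """Split received lines into those on the facility the collector expects
    and those that arrived on another facility (a wrong or missing 'facility'
    option on the NGFW, or another device sharing the collector port)."""
    accepted, misfiled = [], []
    for line in lines:
        fac, sev, body = parse_pri(line)
        (accepted if fac == expected_facility else misfiled).append((fac, sev, body.strip()))
    return accepted, misfiled


def listen(port=514, bind="0.0.0.0", count=1):
    """Minimal UDP receiver for a live check (binding 514 needs privileges;
    Log Server 1 in this example would listen on port 1000).  Not run by tests."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind, port))
    seen = []
    while len(seen) < count:
        data, peer = sock.recvfrom(65535)
        seen.append((peer[0],) + parse_pri(data.decode("utf-8", "replace")))
    sock.close()
    return seen


# Constructed sample: two SHELL lines on local2 and one SEC line on local7.
SAMPLE = [
    "<150>Jul 30 10:00:01 NGFW SHELL: user admin ran display current-configuration",
    "<148>Jul 30 10:00:02 NGFW SHELL: user admin logged out from 10.1.3.5",
    "<190>Jul 30 10:00:03 NGFW SEC: session 10.1.3.5:40000 -> 10.1.1.10:80 closed",
]

if __name__ == "__main__":
    ok, wrong = audit(SAMPLE, "local2")
    print("on local2:", ok)
    print("misfiled:", wrong)
```

If Log Server 1's collector files everything under local7, the NGFW side is missing the facility option; if SEC lines show up there at all, the default rule was not removed from the channel or the module filter on the loghost command was dropped.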


5.9.4.2 Example for Enabling the Information Center to Send Debugging Messages
to the Console
The PC connects to the console port on the NGFW. You can configure the information center
on the NGFW to send debugging messages of the specified modules to the console.

Networking Requirements
As shown in Figure 5-49, the PC connects to the console port on the NGFW. The debugging
messages of the Address Resolution Protocol (ARP) module must be sent to the console.

Figure 5-49 Networking diagram for sending debugging messages to the console

[Figure: a PC connected to the console port of the NGFW.]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable the information center on the NGFW.
2. Enable the information center to send debugging messages of the ARP module to the
console.
3. Enable the display of debugging message content on the terminal.

Procedure
Step 1 Enable the information center.
<NGFW> system-view
[NGFW] info-center enable

Step 2 Enable the information center to send debugging messages of the ARP module at severity
debugging and above (that is, all ARP debugging messages) through the console channel.
[NGFW] info-center source arp channel console debug level debugging
[NGFW] info-center console channel console
[NGFW] quit

Step 3 Enable the display of debugging message content on the terminal.


<NGFW> terminal monitor
<NGFW> terminal debugging

Step 4 Enable ARP module debugging.


<NGFW> debugging arp all

----End

Result
Display the debugging messages that are sent through the specified channel.
<NGFW> display channel 0
channel number:0, channel name:console
MODU_ID   NAME     ENABLE LOG_LEVEL  ENABLE TRAP_LEVEL  ENABLE DEBUG_LEVEL
ffff0000  default  Y      warning    Y      debugging   Y      debugging
416e0000  ARP      Y      warning    Y      debugging   Y      debugging
......

5.9.5 Change History


This section describes the versions and changes of the log/alarm/debugging information output
feature.

Version: V100R001C10
The following functions are added:
l Configuring the hard disk alarm threshold
l Configuring the log processing mode when the hard disk is full

Version: V100R001C00
The first version.

5.10 File System


This chapter describes how to manage the directories and files in the file system of the NGFW
and how to transfer files between the NGFW and other devices.

5.10.1 Overview
This section describes the file system structure and file transfer mode of the NGFW.

5.10.1.1 File System


A file system consists of storage devices and the files stored on them. You can manage both the
storage devices and the files stored on them.

Table 5-25 lists the storage devices supported by the NGFW.

Table 5-25 Supported storage devices

CF card (root directory hda1:/)
Storage device in the standard configuration. It stores the system software and configuration
files. Table 5-26 lists the system directories on the CF card. To display the directories, run
the dir /all command.
NOTE
The information in the system directories is important. Do not change or delete these directories.

Hard disk (root directory vdbfs:/)
Optional storage device. It stores logs and reports. You are advised to install a hard disk so
that the NGFW can store more logs and reports.

USB disk (root directory udisk0:/ or udisk1:/)
Optional storage device. It stores system software and configuration files and is used in system
software and configuration upgrade scenarios. The USG6370/6380/6390/6550/6570, USG6620/6630,
and USG6650/6660/6670/6680 have two USB ports, USB0 and USB1, whose root directories are
udisk0:/ and udisk1:/.

The NGFW allows you to repair and format the storage devices, as well as create, delete, and
modify files or directories on the storage devices.

Table 5-26 System directories in the CF card

default-sdb: Stores the default signature database file and version information.
update: Stores the post-upgrade signature database file and version information.
gpmbak: Stores the backup state machines of the GPM module.
loc: Stores location information.
umdb: Stores user information, including users' basic information, customized logo, and background image.
hidehttpdcertkey: Stores encrypted device default certificates and key pairs.
hidepkirsakey: Stores encrypted PKI key pairs.
cfgbak: Stores the backup configuration profile. The system automatically generates this directory only when the backup parameter is selected during the manual upgrade of the configuration profile.
download: Stores web page and image resources.

5.10.1.2 File Transfer Mode


The NGFW supports FTP, SFTP, and TFTP file transfer modes.

During file transfer, the NGFW can serve as a server or client:

- NGFW as a server: Administrators can access the NGFW from terminals to manage files on the NGFW or transfer files with the NGFW.
- NGFW as a client: Administrators can access other devices from the NGFW to manage files on these devices or transfer files with these devices.

In the TFTP mode, the NGFW can serve only as a client. In the FTP and SFTP modes, the NGFW can serve as a server or client.

Table 5-27 lists the advantages and disadvantages of different file management modes.

Table 5-27 File transfer mode

FTP
  Application scenario: Applies to file transfer scenarios that require high security, such as version upgrade.
  Advantages:
  - Features simple configuration and supports file transfer and file directory operations.
  - Supports file transfer between two file systems.
  - Supports authentication and authorization.
  Disadvantages:
  - Transfers data in plain text and therefore brings security risks.

TFTP
  Application scenario: Applies to scenarios where no complex communication is required between the client and the server, for example, the online version load and upgrade in lab LANs that have good network conditions.
  Advantages:
  - Uses less memory space than FTP.
  - Features simple configuration.
  Disadvantages:
  - Supports only file transfer, but not interactions.
  - Transfers only files no larger than 32 MB.
  - Transfers data in plain text, does not support authentication or authorization, and therefore brings security risks.

SFTP
  Application scenario: Applies to scenarios that require high security, such as log download and configuration file backup.
  Advantages:
  - Implements strict encryption and integrity protection on data to ensure high security.
  - Supports file transfer and file directory operations.
  Disadvantages:
  - Requires complex configuration.

NOTICE
SFTP is recommended because of high security.

5.10.2 Managing the File System


You can manage the storage devices, directories, and files after logging in to the NGFW through
the console port, Telnet, or STelnet.

Managing Storage Devices


Table 5-28 lists the commands for managing storage devices.

NOTE

All these commands need to be executed in the user view.

Table 5-28 Commands for managing storage devices

Repairing a storage device
  Command: fixdisk device-name
  If an exception occurs in the file system on a storage device, the NGFW notifies you to repair the storage device. Back up the files before repairing the storage device to avoid data loss.

Formatting a storage device
  Command: format device-name
  If the file system is abnormal or the data is no longer required, you can format the storage device.
  NOTICE
  The data cannot be restored after the storage device is formatted. Therefore, exercise caution when performing this operation.

Managing Directories
Table 5-29 lists the commands for managing directories.

NOTE

All these commands need to be executed in the user view.

Table 5-29 Commands for managing directories

Accessing a specific directory
  Command: cd { path | directory }
  - directory: specifies the name of the directory to be accessed in the current path.
  - path: specifies the name of the directory to be accessed in the specified path.

Displaying the current directory
  Command: pwd

Displaying the files and subdirectories in the specified directory
  Command: dir [ /all ] [ filename | directory ]
  - /all: displays the information about all files, including deleted files. Deleted files are square-bracketed, for example, [ text ].
  - filename | directory: displays the files and subdirectories of a specific directory. If the value is not specified, the dir command displays all files and subdirectories in the current directory.

Creating a directory
  Command: mkdir { path | directory }
  - path: specifies the name of the directory to be created in the specified directory.
  - directory: specifies the name of the directory to be created in the current directory.

Deleting a directory
  Command: rmdir { path | directory }
  - path: specifies the name of the directory to be deleted from the specified path.
  - directory: specifies the name of the directory to be deleted from the current path.
  - Only empty directories can be deleted.
  - Deleted directories and files cannot be restored from the recycle bin.

Managing Files
Table 5-30 lists the commands for managing files.

NOTE

All these commands need to be executed in the user view, except execute filename and file prompt { alert |
quiet } (in the system view).

Table 5-30 Commands for managing files

Displaying a file
  Command: more filename

Copying a file
  Command: copy source-filename destination-filename

Moving a file
  Command: move source-filename destination-filename

Renaming a file
  Command: rename source-filename destination-filename

Compressing a file
  Command: zip source-filename destination-filename

Decompressing a file
  Command: unzip source-filename destination-filename

Deleting a file
  Command: delete [ /unreserved ] filename
  NOTICE
  If the command carries the /unreserved parameter, the deleted file cannot be restored.

Restoring a deleted file
  Command: undelete filename
  The delete filename command deletes a file and puts it in the recycle bin. You can run the undelete filename command to restore it. The dir /all command displays deleted files. The names of deleted files are square-bracketed, for example, [ text ].

Deleting files from the recycle bin
  Command: reset recycle-bin [ filename ]

Running a batch file
  Command: execute filename
  This command runs only batch files that have the file name extension .bat and are stored on storage devices of the NGFW.

Configuring a file system prompt method
  Command: file prompt { alert | quiet }
  The file prompt command enables the system to display information or an alert, especially when your operations may lead to data loss or damage. You can run this command to change the file system prompt method.

5.10.3 Transferring Files


You can transfer files between NGFW and other devices through FTP, SFTP, or TFTP mode,
and manage the files on the NGFW through FTP or SFTP mode.

NOTICE
SFTP is recommended because of high security.


5.10.3.1 Configuring the NGFW as an FTP Server


This section describes how to configure the NGFW as an FTP server.

Procedure
Step 1 Access the system view.

system-view

Step 2 Enable the FTP server.

ftp server enable

The FTP server is configured on the NGFW by default. You need to run this command to enable
the FTP service.

Step 3 Create an FTP administrator.


1. Access the AAA view.
aaa
2. Configure an administrator account and access the administrator view.
manager-user user-name
3. Configure a password for the administrator account.

password [ cipher cipher-password ]

NOTE

The interactive mode is recommended for creating administrator passwords because the passwords
configured by the cipher password command are not safe.
4. Set the administrator level.
level level
NOTE

To ensure that the administrator can log in to the NGFW, set the administrator level to be 3 or higher.
5. Set the service type to FTP for the administrator account.
service-type ftp
6. Set the FTP service directory for the administrator account.
ftp-directory directory
7. Set the maximum number of administrators that can concurrently log in using this
administrator account.
access-limit max-number
8. Return to the AAA view.
quit
9. Return to the system view.
quit

Step 4 Optional: Set the idle duration of FTP connections.

ftp timeout minutes


To prevent unauthorized access, the NGFW automatically closes the FTP connections if the
NGFW does not receive any FTP request in a specific period of time. To use the FTP service,
FTP administrators must log in to the FTP server again.

The default connection idle duration is 30 minutes.

Step 5 Optional: Configure ACLs for FTP connections.

ACLs are configured to enhance the security of the FTP server.

1. Access the ACL view.

acl [ number ] acl-number [ vpn-instance vpn-instance ]

NOTE

FTP supports only basic ACLs. Therefore, the acl-number value ranges from 2000 to 2999.
2. Configure an ACL rule.

rule [ rule-id ] { deny | permit } [ logging | source { source-ip-address source-wildcard | any } | time-range time-name ]
3. Return to the system view.

quit
4. Configure basic ACLs for FTP connections.

ftp acl acl-number

----End

5.10.3.2 Configuring the NGFW as an FTP Client


This section describes the common operations on the NGFW which serves as an FTP client.

Procedure
Step 1 Log in to the FTP server.

Different commands are available for you to log in to the FTP server from different views.
- Set up a connection with the FTP server from the user view.
ftp ip-address or hostname [ port-number ] [ vpn-instance vpn-instance-name ]
- Set up a connection with the FTP server from the FTP client view.
open ip-address or hostname [ port-number ] [ vpn-instance vpn-instance-name ]

Step 2 Optional: Configure the data type and file transfer mode.

Set the data type to ASCII code or binary: ascii or binary
  The default data type is ASCII.
Set the file transfer mode to passive or active: passive or undo passive
  The client uses the passive mode to establish the data tunnel by default.

Step 3 Perform common operations on the FTP client.

Display FTP command online help: remotehelp [ command ]
Upload a local file to the FTP server: put local-filename [ remote-filename ]
Download a file from the FTP server to the local device: get remote-filename [ local-filename ]
Display the current directory on the FTP server: pwd
Change the current directory on the FTP server: cd pathname
Create a directory on the FTP server: mkdir remote-directory
  NOTE
  - The directory name can contain letters and digits, but not special characters, such as angle brackets (< >), question mark (?), backslash (\), or colon (:).
  - If you run the mkdir abc command, directory abc is created in the root directory.
Delete a directory from the FTP server: rmdir remote-directory
Display or change the current directory on the FTP client: lcd [ local-directory ]
Display the specified directory or file on the FTP server: ls [ remote-filename ] [ local-filename ]
Display details on a directory or a file on the FTP server: dir [ remote-filename ] [ local-filename ]
Delete a file from the FTP server: delete remote-filename
Change the login account and log in again: user user-name [ password ]
Close the connection with the FTP server, but stay in the FTP view: close
Close the connection with the FTP server and return to the user view: bye or quit

----End

5.10.3.3 Configuring the NGFW as an SFTP Server


This section describes how to configure the NGFW as an SFTP server.

Procedure
Step 1 Access the system view.

system-view

Step 2 Generate a local RSA key pair.


rsa local-key-pair create

Step 3 Enable the SFTP server function.


sftp server enable

Step 4 Configure the VTY UI.


1. Access the VTY UI.
user-interface [ ui-type ] first-ui-number [ last-ui-number ]
2. Set the authentication mode to AAA.
authentication-mode aaa
3. Configure the VTY UI level.
user privilege level level
NOTE

To ensure that administrators can log in to the NGFW, set the VTY UI level to be 3 or higher.
By default, a VTY interface supports SSH and Telnet.

Step 5 Create an SFTP administrator.


1. Access the AAA view.
aaa
2. Configure an administrator account and access the administrator view.
manager-user user-name
3. Set the administrator level.
level level
NOTE

To ensure that the administrator can log in to the NGFW, set the administrator level to be 3 or higher.
4. Set the service type to SSH for the administrator account.
service-type ssh
5. Set the service type to SFTP for the SSH account.
ssh service-type sftp
6. Configure the SFTP service directory.
ftp-directory directory
7. Select one authentication mode for the SFTP account.

Configure the password authentication mode.
  1. Run the ssh authentication-type password command to set the authentication mode to password.
  2. Run the password [ cipher cipher-password ] command to set a password for the SFTP account.
  NOTE
  The interactive mode is recommended for creating administrator passwords because the passwords configured by the cipher password command are not safe.

Configure the RSA authentication mode.
  1. Run the ssh authentication-type rsa command to set the authentication mode to RSA.
  2. Bind the SFTP account with the RSA public key on the client.
     a. In the system view, run the rsa peer-public-key key-name [ encoding-type { der | pem | openssh } ] command to access the RSA public key view.
     b. Run the public-key-code begin command to access the public key editing view.
     c. Enter the RSA public key through typing or copy and paste.
     d. Run the public-key-code end command to return to the public key view.
     e. Run the peer-public-key end command to return to the system view.
     f. Run the aaa command to access the AAA view.
     g. Run the manager-user user-name command to access the administrator view. user-name is the SFTP account created in Step 5.2.
     h. Run the ssh assign rsa-key rsa-key-name command to bind an RSA key to the SFTP account.

Configure the ANY authentication mode.
  NOTE
  The ANY authentication mode indicates either password or RSA authentication. If both password authentication and RSA authentication are configured, RSA authentication is used preferentially.
  1. Run the ssh authentication-type any command to set the authentication type to any.
  2. Select either of the following configurations:
  - Run the password [ cipher cipher-password ] command to set a password for the SFTP account.
    NOTE
    The interactive mode is recommended for creating administrator passwords because the passwords configured by the cipher password command are not safe.
  - Bind the RSA public key to the SFTP account. For details, see Bind the SFTP account with the RSA public key on the client.

Configure the password-RSA authentication mode.
  NOTE
  PASSWORD-RSA authentication indicates that both password authentication and RSA authentication are implemented.
  1. Run the ssh authentication-type password-rsa command to set the authentication type to password-rsa.
  2. Run the password [ cipher cipher-password ] command to set a password for the SFTP account.
  NOTE
  The interactive mode is recommended for creating administrator passwords because the passwords configured by the cipher password command are not safe.
  3. Bind the RSA public key to the SFTP account. For details, see Bind the SFTP account with the RSA public key on the client.

Step 6 Optional: Configure other parameters for the SFTP server.

Configure a listening port on the SFTP server: ssh server port port-number
  NOTE
  The port-number value ranges from 1025 to 55535. By default, the listening port is 22 on the NGFW that serves as an SFTP server.
Configure the timeout duration of SFTP authentication: ssh server timeout seconds
Configure the number of SFTP authentication attempts: ssh server authentication-retries times
Set the interval for updating the SFTP server key pair: ssh server rekey-interval interval
Enable the backward compatibility function: ssh server compatible-ssh1x enable

----End

5.10.3.4 Configuring the NGFW as an SFTP Client


This section describes how to configure the NGFW as an SFTP client and how to log in to the
SFTP server.

Procedure
Step 1 Access the system view.


system-view

Step 2 Enable first-time authentication or bind the RSA public key to the SFTP server. First-time
authentication is recommended.
NOTE

When communicating with an SFTP server, the NGFW (SFTP client) needs to compare the RSA public key
sent by the server with the locally stored RSA public key to check whether it is communicating with the correct
server.
If the server RSA public key is not obtained in advance and does not exist on the NGFW, enable first-time
authentication on the NGFW to ensure that the NGFW can log in to the server.
If you have obtained the server RSA public key in advance, you can copy the public key to the NGFW and bind
the server to this public key. This method also ensures that the NGFW can log in to the server, but binding the
server to the RSA public key is complex. Therefore, first-time authentication is recommended.
- Enable first-time authentication.
ssh client first-time enable
- Bind the SFTP server to an RSA public key.
1. Access the public key view.
rsa peer-public-key key-name [ encoding-type { der | pem | openssh } ]
2. Access the public key editing view.
public-key-code begin
3. Enter the RSA public key through typing or copy and paste.
4. Return to the public key view.
public-key-code end
5. Return to the system view.
peer-public-key end
6. Bind the SFTP server to the RSA public key.
ssh client servername assign rsa-key keyname
NOTE

If the binding between the SFTP server and the RSA public key becomes invalid, run the undo
ssh client servername assign rsa-key command to cancel the binding and bind the SFTP server
to a new RSA public key.

Step 3 If the SFTP server uses password authentication, perform Step 4 to log in to the SFTP server.
If the SFTP server uses RSA authentication, bind the SFTP account of the NGFW to the RSA
public key on the server as follows:
1. Generate an RSA key pair on the NGFW.
rsa local-key-pair create
2. Check the public key in the RSA key pair, copy the public key information of the host key
pair to the server, and bind the SFTP account on the NGFW to this public key. For details,
refer to the SFTP server operation guide.
display rsa local-key-pair public


NOTE

The public key information to be copied is the Key code, Host public key for PEM format code, or Public key code for pasting into OpenSSH authorized_keys file (based on the server coding format) field below the sysname_Host field in the display rsa local-key-pair public command output.
<sysname> display rsa local-key-pair public
=====================================================
Time of Key pair created: 18:34:19 2013/1/17
Key name: sysname_Host
Key type: RSA encryption
=====================================================
Key code:
308188
028180
CB35ED46 660B55CC 80EAAFD7 78DDFBF7 467A1C13
5D29865C 63509D5D E25E423A DB11A00F 77CDBBB4
D93436EA D50E4261 AC476E56 7AC6344A B0ECE377
EA2E6912 4EC32710 FC4B5D2D 61E358B1 E8EA739F
A0338BE0 ED72A9A0 EDFE49FD 071623A4 96A0A45B
4EAD2641 A8D7A39F 567B02B9 90DE5722 980072B4
B320FDA0 10F18DF9
0203
010001

Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDLNe1GZgtVzIDqr9d43fv3RnocE10phlxj
UJ1d4l5COtsRoA93zbu02TQ26tUOQmGsR25WesY0SrDs43fqLmkSTsMnEPxLXS1h
41ix6Opzn6Azi+Dtcqmg7f5J/QcWI6SWoKRbTq0mQajXo59WewK5kN5XIpgAcrSz
IP2gEPGN+Q==
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDLNe1GZgtVzIDqr9d43fv3RnocE10phlxjUJ1d4l5COtsRoA93zbu02TQ26tUOQmGsR25WesY0SrDs43fqLmkSTsMnEPxLXS1h41ix6Opzn6Azi+Dtcqmg7f5J/QcWI6SWoKRbTq0mQajXo59WewK5kN5XIpgAcrSzIP2gEPGN+Q== rsa-key


Step 4 Log in to the SFTP server.

sftp [ -a source-address | -i ] host-ip [ port ] [ [ -vpn-instance vpn-instance-name ] | [ prefer_kex { dh_group1 | dh_exchange_group } ] [ prefer_ctos_cipher { des | 3des | aes128 } ] [ prefer_stoc_cipher { des | 3des | aes128 } ] [ prefer_ctos_hmac { sha1 | sha1_96 | md5 | md5_96 } ] [ prefer_stoc_hmac { sha1 | sha1_96 | md5 | md5_96 } ] ] *

If first-time authentication is enabled and the NGFW does not store the server RSA public key,
you need to determine whether to trust the server and whether to save the server RSA public key
upon first login. Select Y when prompted.
[sysname] sftp 10.2.2.1
Please input the username:sysname
Trying 10.2.2.1 ...
Press CTRL+K to abort
Connected to 10.2.2.1 ...
The server is not authenticated. Continue to access it? [Y/N] :Y
Save the server's public key? [Y/N] :Y
The server's public key will be saved with the name 10.2.2.1. Please wait ...

NOTE

To improve file transfer security, use AES128 preferentially as the encryption algorithm. DES and 3DES are not recommended. Use SHA1 or SHA1-96 preferentially as the HMAC algorithm. MD5 and MD5-96 are not recommended.

----End
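An added example, not code from the Huawei guide or its software: a Python check, assumed to run on the administrator's workstation with only the standard library, that parses the three public-key fields from the display rsa local-key-pair public output in Step 3, confirms that they describe the same RSA key (so the line pasted into a server's authorized_keys can be checked against the device's Key code), and computes the key's SHA256 fingerprint in OpenSSH form for an out-of-band comparison before answering Y at the first-time authentication prompt in Step 4. All function names are the example's own.

```python
"""Added example, not code from the Huawei guide: cross-check the three public-key
fields printed by 'display rsa local-key-pair public' (the sample key shown above) and
compute the key's SHA256 fingerprint for an out-of-band comparison."""
import base64
import hashlib
import struct

# The three fields below are copied from the guide's sample output (1024-bit key, e = 65537).
KEY_CODE_HEX = """
308188 028180
CB35ED46 660B55CC 80EAAFD7 78DDFBF7 467A1C13 5D29865C 63509D5D E25E423A DB11A00F 77CDBBB4
D93436EA D50E4261 AC476E56 7AC6344A B0ECE377 EA2E6912 4EC32710 FC4B5D2D 61E358B1 E8EA739F
A0338BE0 ED72A9A0 EDFE49FD 071623A4 96A0A45B 4EAD2641 A8D7A39F 567B02B9 90DE5722 980072B4
B320FDA0 10F18DF9 0203 010001
"""
PEM_FIELD = """---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAgQDLNe1GZgtVzIDqr9d43fv3RnocE10phlxj
UJ1d4l5COtsRoA93zbu02TQ26tUOQmGsR25WesY0SrDs43fqLmkSTsMnEPxLXS1h
41ix6Opzn6Azi+Dtcqmg7f5J/QcWI6SWoKRbTq0mQajXo59WewK5kN5XIpgAcrSz
IP2gEPGN+Q==
---- END SSH2 PUBLIC KEY ----"""
OPENSSH_FIELD = (
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDLNe1GZgtVzIDqr9d43fv3RnocE10phlxj"
    "UJ1d4l5COtsRoA93zbu02TQ26tUOQmGsR25WesY0SrDs43fqLmkSTsMnEPxLXS1h"
    "41ix6Opzn6Azi+Dtcqmg7f5J/QcWI6SWoKRbTq0mQajXo59WewK5kN5XIpgAcrSz"
    "IP2gEPGN+Q== rsa-key"
)

def _ssh_string(blob, off):
    """Read one RFC 4251 string: 4-byte big-endian length, then that many bytes."""
    (length,) = struct.unpack_from(">I", blob, off)
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated ssh key blob")
    return blob[off + 4:end], end

def parse_openssh_rsa(line):
    """Return (e, n) from an 'ssh-rsa <base64> [comment]' authorized_keys line."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa authorized_keys line")
    blob = base64.b64decode(fields[1], validate=True)
    key_type, off = _ssh_string(blob, 0)
    e_bytes, off = _ssh_string(blob, off)
    n_bytes, off = _ssh_string(blob, off)
    if key_type != b"ssh-rsa" or off != len(blob):
        raise ValueError("malformed ssh-rsa key blob")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")

def parse_rfc4716_body(text):
    """Return the base64 body of a '---- BEGIN SSH2 PUBLIC KEY ----' block."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] != "---- BEGIN SSH2 PUBLIC KEY ----" or lines[-1] != "---- END SSH2 PUBLIC KEY ----":
        raise ValueError("not an RFC 4716 public key block")
    # RFC 4716 allows 'Name: value' header lines before the body; skip them.
    return "".join(ln for ln in lines[1:-1] if ":" not in ln)

def _der_length(buf, off):
    """Decode a DER length (short or long form) starting at buf[off]."""
    first, off = buf[off], off + 1
    if first < 0x80:
        return first, off
    count = first & 0x7F
    return int.from_bytes(buf[off:off + count], "big"), off + count

def parse_key_code(text):
    """Return (e, n) from the hex 'Key code' field, SEQUENCE { INTEGER n, INTEGER e }.
    The device prints the modulus as raw bytes (no leading 0x00 as strict DER would
    need for a value whose top bit is set), so both integers are read as unsigned."""
    buf = bytes.fromhex("".join(text.split()))
    seq_len, off = _der_length(buf, 1)
    if buf[0] != 0x30 or off + seq_len != len(buf):
        raise ValueError("Key code is not a well-formed SEQUENCE")
    values = []
    for _ in range(2):
        if buf[off] != 0x02:
            raise ValueError("expected INTEGER in Key code")
        length, off = _der_length(buf, off + 1)
        values.append(int.from_bytes(buf[off:off + length], "big"))
        off += length
    n, e = values
    return e, n

def openssh_sha256_fingerprint(line):
    """SHA256 fingerprint in the form OpenSSH prints it (unpadded base64 of the blob hash)."""
    blob = base64.b64decode(line.split()[1], validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def cross_check(key_code_hex, pem_field, openssh_field):
    """Report whether the three display fields agree on one RSA public key."""
    e, n = parse_openssh_rsa(openssh_field)
    return {
        "key_code_matches_openssh": parse_key_code(key_code_hex) == (e, n),
        "pem_matches_openssh": parse_rfc4716_body(pem_field) == openssh_field.split()[1],
        "fingerprint": openssh_sha256_fingerprint(openssh_field),
    }
```

Run cross_check(KEY_CODE_HEX, PEM_FIELD, OPENSSH_FIELD) and compare the reported fingerprint with the one the SFTP server shows for its own host key before trusting it at first login.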

5.10.3.5 Configuring the NGFW as a TFTP Client


This section describes the common operations and configurations on the NGFW which serves
as a TFTP client.

Procedure
Step 1 Optional: Configure ACLs to limit the access from the NGFW to the TFTP server.
1. Access the system view.
system-view
2. Access the ACL view.
acl [ number ] acl-number [ vpn-instance vpn-instance ]
NOTE

TFTP supports only basic ACLs. Therefore, the acl-number value ranges from 2000 to 2999.
3. Configure ACL rules.
rule [ rule-id ] { deny | permit } [ logging | source { source-ip-address source-wildcard
| any } | time-range time-name ]
4. Return to the system view.
quit
5. Use ACLs to limit the access from the NGFW to the TFTP server.
tftp-server acl acl-number

Step 2 Perform TFTP file download and upload on the NGFW.

- In the user view, run the following command to download files through TFTP.
tftp tftp-server-address or hostname get source-filename [ destination-filename ]
- In the user view, run the following command to upload files through TFTP.
tftp tftp-server-address or hostname put source-filename [ destination-filename ]

----End

5.10.4 Maintaining the File System


You can run commands to display the FTP server and SFTP server configurations on the
NGFW.

5.10.4.1 Displaying Information About the FTP Server and FTP Administrator
This section describes how to use commands to display FTP configuration information.

Context
In routine maintenance, you can run the commands shown in Table 5-31 in any view to display
FTP configurations and FTP administrators.

Table 5-31 Displaying information about FTP configurations and FTP administrators

Display the configurations and status of the FTP server: display ftp-server
Display information about the FTP administrators that have logged in: display ftp-users

5.10.4.2 Displaying Information About the SFTP Server and SFTP Administrator
This section describes how to display the SFTP server configuration and how to debug the SFTP
function.

Displaying SFTP Administrator and Server Information


Table 5-32 lists the operations to display SFTP administrator and SFTP server information.

Table 5-32 Displaying SFTP administrator and server information

Display SFTP administrator information: display manager-user
Display SFTP server information: display ssh server


Debugging SFTP
Before you enable the debugging function, you must run the terminal monitor command and
the terminal debugging command in the user view to enable the information display and
debugging display functions of the terminal. Then debugging information can be displayed on
the terminal.

NOTICE
Debugging commands compromise system performance. After the debugging is complete, run
the undo debugging all command to disable all debugging functions.

For the description of debugging commands, refer to the Debugging Reference.

Table 5-33 lists the operations to debug SFTP.

Table 5-33 Debugging SFTP

Debug SFTP: debugging ssh server vty vty-number { message | event | packet | all } and debugging ssh server all { message | event | packet | all }

5.10.5 Configuration Examples


This section provides examples for enabling administrators to log in to the NGFW using SSH.

5.10.5.1 Example for Backing Up Files


This section describes how to back up files in the storage device after you log in to the
NGFW.

Requirements
You have already copied files to the specified directory.

Source file name and path: hda1:/sample.txt
Destination file name and path: hda1:/test/sample1.txt


Procedure
Step 1 Display the information about the files in the directory of the storage device.
<NGFW> dir hda1:
Directory of hda1:/
0 -rw- 264 Oct 23 2009 10:58:16 private-data.txt
2 -rw- 679 Oct 18 2009 17:51:41 vspcfg.zip
3 -rw- 396 Aug 03 2009 09:58:16 hostkey
4 -rw- 540 Aug 03 2009 09:58:23 serverkey
13 -rw- 1717 Sep 21 2009 18:48:00 or4148.dat
15 -rw- 23 Oct 24 2009 11:14:39 sample.txt
<NGFW> dir hda1:/test/
Directory of hda1:/test/
0 drw- - Jul 12 2009 17:35:57 database
1 drw- - Jul 12 2009 17:25:57 conf
3 drw- - Jul 12 2009 17:32:57 log

Step 2 Copy files from hda1:/sample.txt to hda1:/test/sample1.txt.


<NGFW> copy hda1:/sample.txt hda1:/test/sample1.txt
Copy hda1:/sample.txt to hda1:/test/sample1.txt?[Y/N] :y
100% complete
Info:Copied file hda1:/sample.txt to hda1:/test/sample1.txt...Done

----End

Configuration Verification
Check whether the copied files exist in the specified directory.
<NGFW> dir hda1:/test/
Directory of hda1:/test/
0 drw- - Jul 12 2009 17:35:57 database
1 drw- - Jul 12 2009 17:25:57 conf
3 drw- - Jul 12 2009 17:32:57 log
4 -rw- 23 Oct 24 2009 11:16:40 sample1.txt

5.10.5.2 Example for Configuring the NGFW as an FTP Server


This section describes how to configure the NGFW as an FTP server and how to use a PC to
download files from the NGFW through FTP.

Networking Requirements
As shown in Figure 5-50, a PC is used to log in to the NGFW and download files from the
NGFW through FTP.

NOTICE
FTP transmits passwords and data in plaintext mode, causing security risks. To secure data
transmission, use SFTP.

Figure 5-50 Networking diagram for configuring the NGFW as an FTP server
[Figure: the PC (192.168.0.100/24) is connected to the NGFW management interface MGMT (GE0/0/0), 192.168.0.1/24]


Data Planning

NGFW
  Security policy: policy_ftp
  FTP administrator account: admin_ftp, password: Mydevice@ftp
  FTP server directory: hda1
  File: sys.bin

PC
  IP address and mask of the administrator's PC: 192.168.0.100/24
  FTP client software: cmd (in the Windows operating system)

Procedure
Step 1 Configure the NGFW.
1. Configure a security policy for the Local-Trust interzone to permit the FTP service.
<NGFW> system-view
[NGFW] security-policy
[NGFW-policy-security] rule name policy_ftp
[NGFW-policy-security-rule-policy_ftp] service ftp
[NGFW-policy-security-rule-policy_ftp] source-zone trust
[NGFW-policy-security-rule-policy_ftp] destination-zone local
[NGFW-policy-security-rule-policy_ftp] source-address 192.168.0.100 32
[NGFW-policy-security-rule-policy_ftp] destination-address 192.168.0.1 32
[NGFW-policy-security-rule-policy_ftp] action permit
[NGFW-policy-security-rule-policy_ftp] quit
[NGFW-policy-security] quit

2. Configure an FTP administrator account.


[NGFW] aaa
[NGFW-aaa] manager-user admin_ftp
[NGFW-aaa-manager-user-admin_ftp] password
Enter Password:
Confirm Password:
[NGFW-aaa-manager-user-admin_ftp] level 3
[NGFW-aaa-manager-user-admin_ftp] service-type ftp
[NGFW-aaa-manager-user-admin_ftp] ftp-directory hda1:
[NGFW-aaa-manager-user-admin_ftp] access-limit 3

[NGFW-aaa-manager-user-admin_ftp] quit
[NGFW-aaa] quit

3. Enable the FTP service.


[NGFW] ftp server enable

Step 2 Set an IP address and subnet mask for the PC. Details are omitted.

Step 3 Use FTP to log in to the NGFW from the PC and download files.
1. Choose Start > Run, enter cmd, and press Enter.
2. Enter D: and press Enter to set drive D as the working directory for the administrator's PC.


3. Enter ftp 192.168.0.1, press Enter, and then use the account and password to log in to the
NGFW.
4. Download file sys.bin from the FTP directory on the NGFW to the root directory of drive
D.
5. Close the FTP connection and view the downloaded file.
C:\Documents and Settings\user> d:
D:\> ftp 192.168.0.1
Trying 192.168.0.1 ...
Press CTRL+K to abort
Warning: Ftp is not a secure protocol, and it is recommended to use Sftp.
Connected to 192.168.0.1.
220 FTP service ready.
User(192.168.0.1:(none)):admin_ftp
331 Password required for admin_ftp.
Password:
230 User logged in.
ftp> binary
200 Type set to I.
ftp> get sys.bin
200 PORT command okay.
150 Opening BINARY mode data connection for sys.bin.
226 Transfer complete.
ftp: 20116676 bytes received for 43.60 seconds at 461.40 kbyte/s.
ftp> quit
D:\>dir
......
2010-09-25 15:56 20,116,676 sys.bin
......

----End

Configuration Script
#
sysname NGFW
#
aaa
#
manager-user admin_ftp
password cipher %@%@*y:3*ZN}.%%qcB.|@XBVML1cCyDwlDWq'6JF(iOz2D8>A\SN%@%@
level 3
service-type ftp
ftp-directory hda1:
ssh authentication-type password
ssh service-type sftp
access-limit 3
#
security-policy
rule name policy_ftp
source-zone trust
destination-zone local
service ftp
source-address 192.168.0.100 32
destination-address 192.168.0.1 32
action permit
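The rule above permits exactly one flow: FTP from the administrator's PC (192.168.0.100/32) in the trust zone to the NGFW's own address (192.168.0.1/32) in the local zone, and nothing else. The following added example (not NGFW code, and not part of the original guide) models that first-match evaluation in Python so the effect of the /32 scoping can be checked: a flow from another host, to another service, or from another zone falls through to the default, which this model assumes is deny. The service-to-port mapping and the zone names are constructed for the model; rules with a condition left unset (as with the source-address-only policy_sftp rules later in this chapter) match anything for that field.

```python
import ipaddress

# Constructed service table for the model (only the two services this chapter uses).
SERVICES = {"ftp": ("tcp", 21), "ssh": ("tcp", 22)}

# The policy_ftp rule as written in the configuration script above.
RULES = [
    {
        "name": "policy_ftp",
        "source_zone": "trust",
        "destination_zone": "local",
        "source_address": ipaddress.ip_network("192.168.0.100/32"),
        "destination_address": ipaddress.ip_network("192.168.0.1/32"),
        "service": "ftp",
        "action": "permit",
    },
]


def make_flow(src_zone, src_ip, dst_zone, dst_ip, proto, dport):
    """Build one flow (a five-tuple plus the two zones) for evaluation."""
    return {
        "src_zone": src_zone,
        "src_ip": ipaddress.ip_address(src_ip),
        "dst_zone": dst_zone,
        "dst_ip": ipaddress.ip_address(dst_ip),
        "proto": proto,
        "dport": dport,
    }


def match_rule(rule, flow):
    """True when every condition the rule sets matches the flow.

    A condition that is absent or None matches anything, which is how a
    rule that only specifies source-address behaves.
    """
    if rule.get("source_zone") and flow["src_zone"] != rule["source_zone"]:
        return False
    if rule.get("destination_zone") and flow["dst_zone"] != rule["destination_zone"]:
        return False
    if rule.get("source_address") and flow["src_ip"] not in rule["source_address"]:
        return False
    if rule.get("destination_address") and flow["dst_ip"] not in rule["destination_address"]:
        return False
    service = rule.get("service")
    if service:
        proto, port = SERVICES[service]
        if (flow["proto"], flow["dport"]) != (proto, port):
            return False
    return True


def evaluate(rules, flow):
    """First matching rule wins; with no match the flow is denied.

    Assumption of this model: the default policy is deny.
    """
    for rule in rules:
        if match_rule(rule, flow):
            return rule["action"], rule["name"]
    return "deny", "default"


if __name__ == "__main__":
    admin_ftp = make_flow("trust", "192.168.0.100", "local", "192.168.0.1", "tcp", 21)
    other_host = make_flow("trust", "192.168.0.200", "local", "192.168.0.1", "tcp", 21)
    admin_ssh = make_flow("trust", "192.168.0.100", "local", "192.168.0.1", "tcp", 22)
    for name, f in (("admin FTP", admin_ftp), ("other host", other_host), ("admin SSH", admin_ssh)):
        print(name, evaluate(RULES, f))
```

Only the first flow is permitted; the other two fall through to the default and are denied, which is the least-privilege property the /32 addresses and the single service buy.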

5.10.5.3 Example for Configuring the NGFW as an FTP Client


This section describes how to configure the NGFW as an FTP client to obtain files from an FTP
server.


Networking Requirements
As shown in Figure 5-51, configure the NGFW as an FTP client and download files from the
FTP server to the specified local directory.

NOTICE
FTP transmits passwords and data in plaintext mode, causing security risks. To secure data
transmission, use SFTP.

Figure 5-51 Networking diagram for configuring the NGFW as an FTP client (FTP server 192.168.0.100/24 -- Network -- GE1/0/1 192.168.0.1/24 on the NGFW)

Data Planning
Item: FTP server (already configured)
  IP address and subnet mask: 192.168.0.100/24
  FTP account/password: ftp_sever/FTPserver@123
  File: sys.ini
Item: NGFW
  Security policy: policy_ftp
  Directory for saving the file: hda1: (default directory on the NGFW)

Procedure
Step 1 Configure a security policy for the Local-Trust interzone to permit the FTP service.
<NGFW> system-view
[NGFW] security-policy
[NGFW-policy-security] rule name policy_ftp
[NGFW-policy-security-rule-policy_ftp] service ftp
[NGFW-policy-security-rule-policy_ftp] source-zone local
[NGFW-policy-security-rule-policy_ftp] destination-zone trust
[NGFW-policy-security-rule-policy_ftp] source-address 192.168.0.1 24
[NGFW-policy-security-rule-policy_ftp] destination-address 192.168.0.100 24
[NGFW-policy-security-rule-policy_ftp] action permit
[NGFW-policy-security-rule-policy_ftp] quit
[NGFW-policy-security] quit


Step 2 Log in to the FTP server from the NGFW and download the file to the specified directory.

# Log in to the FTP server.


<NGFW> ftp 192.168.0.100
Trying 192.168.0.100
Press CTRL+K to abort
Connected to 192.168.0.100
Warning: Ftp is not a secure protocol, and it is recommended to use Sftp.
220 FTP service ready.
User(ftp 192.168.0.100:(none)):ftp_sever
331 Password required for ftp_sever
Password:
230 User ftp_sever logged in.

# Set the file transfer mode to binary and display the current directory on the NGFW for saving
the file.
[ftp] binary
200 Type set to I.
[ftp] lcd
Info: Local directory now hda1:.

# Download the file from the FTP server and display the downloaded file in the specified
directory on the NGFW.
[ftp] get sys.bin
200 PORT command okay.
150 Opening BINARY mode data connection for sys.bin.
226 Transfer complete.
ftp: 20116676 byte(s) received, in 43.60 seconds at 461.40 kbytes/sec.
[ftp] quit
<NGFW> dir
Directory of hda1:/
...
3 -rw- 20116676 Aug 07 2009 06:58:17 sys.bin
...

----End

5.10.5.4 Example for Configuring the NGFW as an SFTP Server (Password Authentication)
This section describes how to configure the NGFW as an SFTP server and how to download
files from the NGFW through SFTP on a PC.

Networking Requirements
As shown in Figure 5-52, a PC is used to log in to the NGFW and download files from the
NGFW through SFTP.

Figure 5-52 Networking diagram for logging in to the NGFW through SFTP (password authentication) (PC 10.3.1.100/24 -- GE1/0/3 10.3.0.1/24 on the NGFW, acting as SFTP server)


Data Planning
Item: NGFW
  SFTP administrator account: sftpadmin_a
  Authentication type: password
  Password: Mydevice@a
  Service type: SFTP
Item: Administrator PC
  SFTP client software: PuTTY software (Windows 7 operating system). The PuTTY software contains the PuTTY client for the STelnet service and the SFTP client PSFTP.

Procedure
Step 1 Configure the NGFW.
1. Set an IP address for interface GigabitEthernet 1/0/3 and assign the interface to a security
zone.
<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW-GigabitEthernet1/0/3] quit
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW-zone-trust] quit

2. Configure a security policy for the Local-Trust interzone to permit the SSH service.
[NGFW] security-policy
[NGFW-policy-security] rule name policy_sftp
[NGFW-policy-security-rule-policy_sftp] service ssh
[NGFW-policy-security-rule-policy_sftp] source-zone trust
[NGFW-policy-security-rule-policy_sftp] destination-zone local
[NGFW-policy-security-rule-policy_sftp] source-address 10.3.1.0 24
[NGFW-policy-security-rule-policy_sftp] action permit
[NGFW-policy-security-rule-policy_sftp] quit
[NGFW-policy-security] quit

3. Enable the SFTP service.


[NGFW] sftp server enable

4. Generate a local key pair.


[NGFW] rsa local-key-pair create
The key name will be: NGFW_Host
The range of public key size is (512 ~ 2048).
NOTES: A key shorter than 1024 bits may cause security risks.
The generation of a key longer than 512 bits may take several minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
...++++++++
..++++++++
..................................+++++++++
............+++++++++

5. Configure the VTY administrator interface.


[NGFW] user-interface vty 0 4
[NGFW-ui-vty8-10] authentication-mode aaa
[NGFW-ui-vty8-10] user privilege level 3
[NGFW-ui-vty8-10] quit

6. Create an SFTP administrator account and specify an authentication mode and a service
type.

# Create SFTP administrator account sftpadmin_a and set the authentication mode to
password, service type to SFTP, and service directory to hda1:.
[NGFW] aaa
[NGFW-aaa] manager-user sftpadmin_a
[NGFW-aaa-manager-user-sftpadmin_a] service-type ssh
[NGFW-aaa-manager-user-sftpadmin_a] access-limit 3
[NGFW-aaa-manager-user-sftpadmin_a] level 3
[NGFW-aaa-manager-user-sftpadmin_a] ssh authentication-type password
[NGFW-aaa-manager-user-sftpadmin_a] password
Enter Password:
Confirm Password:
[NGFW-aaa-manager-user-sftpadmin_a] ssh service-type sftp
[NGFW-aaa-manager-user-sftpadmin_a] ftp-directory hda1:
[NGFW-aaa-manager-user-sftpadmin_a] quit
[NGFW-aaa] quit

Step 2 Configure the administrator PC.


1. Set the IP address and subnet mask of the administrator PC to 10.3.1.100/255.255.255.0.
2. Install the PuTTY software. Details are omitted.
3. Use PuTTY to log in to NGFW_B through SFTP (the following uses PuTTY 0.60 as an
example).
a. Run PSFTP.exe and enter open 10.3.0.1 to set up an SFTP connection with the
NGFW. The system displays a prompt upon the first connection, as shown in Figure
5-53.

Figure 5-53 PSFTP security prompt


b. Enter y and type the user name and password (sftpadmin_a/Mydevice@a) to log in to
the NGFW, as shown in Figure 5-54.

Figure 5-54 Logging in to the NGFW

Step 3 Download files from the NGFW.

Figure 5-55 Downloading files from the NGFW

----End


Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
aaa
#
manager-user sftpadmin_a
password cipher %@%@fPXYG8r|>17U(MYaBLw0OE<3BRR/*~[B0>uW"^/){U_>wKB=%@%@
service-type ssh
level 3
ftp-directory hda1:
ssh authentication-type password
ssh service-type sftp
access-limit 3
#
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
#
security-policy
rule name policy_sftp
source-zone trust
destination-zone local
service ssh
source-address 10.3.1.0 24
action permit

5.10.5.5 Example for Configuring the NGFW as an SFTP Server (RSA Authentication)
This section describes how to configure the NGFW as an SFTP server and how to download
files from the NGFW through SFTP on a PC.

Networking Requirements
As shown in Figure 5-56, a PC is used to log in to the NGFW and download files from the
NGFW through SFTP.

Figure 5-56 Networking diagram for logging in to the NGFW through SFTP (RSA authentication) (PC 10.3.1.100/24 -- GE1/0/3 10.3.0.1/24 on the NGFW, acting as SFTP server)


Data Planning
Item: NGFW
  SFTP administrator account: sftpadmin_a
  Authentication type: RSA
  Bound client public key: key_pc
  Service type: SFTP
Item: Administrator PC
  SSH client software: PuTTY software (Windows XP operating system). The PuTTY software contains the PuTTY client for the STelnet service, the SFTP client PSFTP, and the key generation tool PuTTYgen.
  Name of the public key in the local RSA key pair: public
  Name of the private key in the local RSA key pair: private
  SSH connection: ssh-rsa

Procedure
Step 1 Generate an RSA public key on the PC.
1. Install the PuTTY software. Details are omitted.
2. Use the PuTTYgen tool to generate a local RSA key pair (the following uses PuTTYgen0.60
as an example).
a. Double-click PuTTYgen.exe. The interface shown in Figure 5-57 is displayed. In
Parameters, set Type of key to generate to SSH-2 RSA. Click Generate. The PC
starts to generate a local RSA key pair.


Figure 5-57 Selecting the SSH version for generating the local RSA key pair

b. Figure 5-58 shows the interface for generating a local RSA key pair. You must move
the mouse continuously while the key pair is being generated. Keep the pointer inside
the window but outside the green progress bar; otherwise, the progress bar stops and
the generation of the key pair halts.


Figure 5-58 Generating a local RSA key pair

c. Figure 5-59 shows the generation of the local RSA key pair. Do as follows to save
the RSA key pair in the specified format:
l OpenSSH: Copy the marked content in the Key text box.
l PEM: Click Save public key, enter public for the name of the public key file, and
click Save. Click Save private key, enter private for the name of the private key
file, and click Save.
NOTE
To enhance security, you must enter a password in the Key passphrase text box and enter the
password again in the Confirm passphrase text box to set a password for using this key pair.


Figure 5-59 Saving a local RSA key pair

Step 2 Configure the NGFW.


1. Set an IP address for interface GigabitEthernet 1/0/3 and assign the interface to a security
zone.
<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW-GigabitEthernet1/0/3] quit
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW-zone-trust] quit

2. Configure a security policy for the Local-Trust interzone to permit the SSH service.
[NGFW] security-policy
[NGFW-policy-security] rule name policy_sftp
[NGFW-policy-security-rule-policy_sftp] service ssh
[NGFW-policy-security-rule-policy_sftp] source-zone trust
[NGFW-policy-security-rule-policy_sftp] destination-zone local
[NGFW-policy-security-rule-policy_sftp] source-address 10.3.1.0 24
[NGFW-policy-security-rule-policy_sftp] action permit
[NGFW-policy-security-rule-policy_sftp] quit
[NGFW-policy-security] quit

3. Enable the SFTP service.


[NGFW] sftp server enable

4. Generate a local key pair.


[NGFW] rsa local-key-pair create
The key name will be: NGFW_Host
The range of public key size is (512 ~ 2048).
NOTES: A key shorter than 1024 bits may cause security risks.
The generation of a key longer than 512 bits may take several minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
...++++++++
..++++++++
..................................+++++++++
............+++++++++

5. Save the RSA public key of the intranet PC. In this example, the RSA public key is saved
in the OpenSSH coding format.
[NGFW] rsa peer-public-key key_pc encoding-type openssh
Enter "RSA public key" view, return system view with "peer-public-key end".
[NGFW-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[NGFW-rsa-key-code] ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBwsFDGbVAbK35ecJqsioQ3BdTCa1+eU3i13YQBHvBltIdI9bOMKYEYJbjuY4UYXkdtwA2ar6LWTI8X1hHbtYGqPk2MvjSF0hXn1DBabNUXbLRyzWAhaopcsTbGboU88cQ6fe/DqE9jUpNLsPdg4EXz1LMyLNe134JCSe3Ufh7o/w== rsa-key-20140515
[NGFW-rsa-key-code] public-key-code end
[NGFW-rsa-public-key] peer-public-key end

6. Configure the VTY UI.


[NGFW] user-interface vty 0 4
[NGFW-ui-vty8-10] authentication-mode aaa
[NGFW-ui-vty8-10] user privilege level 3
[NGFW-ui-vty8-10] protocol inbound all
[NGFW-ui-vty8-10] quit

7. Create an SFTP administrator account and specify an authentication mode and a service
type.

# Create SFTP administrator account sftpadmin_a and set the authentication mode to
RSA, service type to SFTP, and service directory to hda1:.
[NGFW] aaa
[NGFW-aaa] manager-user sftpadmin_a
[NGFW-aaa-manager-user-sftpadmin_a] service-type ssh
[NGFW-aaa-manager-user-sftpadmin_a] access-limit 3
[NGFW-aaa-manager-user-sftpadmin_a] level 3
[NGFW-aaa-manager-user-sftpadmin_a] ssh authentication-type rsa
[NGFW-aaa-manager-user-sftpadmin_a] ssh assign rsa-key key_pc
[NGFW-aaa-manager-user-sftpadmin_a] ssh service-type sftp
[NGFW-aaa-manager-user-sftpadmin_a] ftp-directory hda1:
[NGFW-aaa-manager-user-sftpadmin_a] quit
[NGFW-aaa] quit

Step 3 Configure the administrator PC.


1. Set the IP address and subnet mask of the administrator PC to 10.3.1.100/255.255.255.0.
2. Install the PuTTY software. Details are omitted.


3. Use PuTTY to log in to the NGFW through SFTP (the following uses PuTTY 0.60 as an
example).
a. Double-click PuTTY.exe. The interface shown in Figure 5-60 is displayed. Enter the
IP address of the SSH server in the Host Name (or IP address) text box.

Figure 5-60 Entering the IP address of the SSH server

b. Choose Connection > SSH in the left Category navigation tree. The interface shown
in Figure 5-61 is displayed. In the Protocol options area, set Preferred SSH protocol
version to 2.


Figure 5-61 Setting the SSH protocol version

c. Select Auth in SSH. The dialog box shown in Figure 5-62 is displayed. Click
Browse, import the private key file private.ppk in the saved RSA key pair.


Figure 5-62 Importing the private key in the RSA key pair

d. Click Session, enter ssh-rsa in the Saved Sessions text box, and click Save to save
the SSH session, as shown in Figure 5-63.
NOTE
The saved session will be used in the SFTP login using the PSFTP tool. Besides, no
configuration is required for future STelnet login. You can double-click the SSH session to
open the login page.


Figure 5-63 Importing the private key in the RSA key pair

e. Double-click PSFTP.exe, enter open ssh-rsa and press Enter (ssh-rsa is the name of
the saved PuTTY session), and then enter SSH administrator account sshadmin_b
and press Enter. You can access the file directory on the NGFW, as shown in Figure
5-64.

Figure 5-64 SFTP login page

Step 4 Download files from the NGFW.


Figure 5-65 Downloading files from the NGFW

----End

Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
aaa
#
manager-user sftpadmin_a
service-type ssh
level 3
ftp-directory hda1:
ssh authentication-type rsa
ssh assign rsa-key key_pc
ssh service-type sftp
access-limit 3
#
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
protocol inbound all
#
security-policy
rule name policy_sftp
source-zone trust
destination-zone local
service ssh
source-address 10.3.1.0 24
action permit
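Step 5 of this example pastes a client public key in OpenSSH format into the NGFW; the warning printed by rsa local-key-pair create ("A key shorter than 1024 bits may cause security risks") applies just as much to that client key. The following added example (not NGFW code, and not part of the original guide) parses the OpenSSH public-key line from this page, using the RFC 4251 length-prefixed string encoding, so an administrator can verify the algorithm, public exponent and modulus size of a key before binding it to an account with ssh assign rsa-key. The minimum modulus size is a parameter; the 2048-bit default is the assumption of this example, not a value from the guide, and the page's key does not meet it.

```python
import base64
import struct

# The client public key exactly as pasted into the "RSA key code" view in this
# section (joined onto one line; the page wraps it over several lines).
PAGE_KEY = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABJQAAAIBwsFDGbVAbK35ecJqsioQ3BdTCa1"
    "+eU3i13YQBHvBltIdI9bOMKYEYJbjuY4UYXkdtwA2ar6LWTI8X1hHbtYGqPk2MvjSF0hXn1DBabNUX"
    "bLRyzWAhaopcsTbGboU88cQ6fe/DqE9jUpNLsPdg4EXz1LMyLNe134JCSe3Ufh7o/w== "
    "rsa-key-20140515"
)


def _read_string(blob, pos):
    """Read one RFC 4251 'string': a big-endian uint32 length followed by bytes."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob (missing length field)")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    start, end = pos + 4, pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob (field runs past end)")
    return blob[start:end], end


def parse_openssh_rsa(text):
    """Parse 'ssh-rsa <base64> [comment]' into algorithm, exponent, modulus size, comment.

    The base64 blob holds three strings in order: the algorithm name, the
    public exponent e and the modulus n, both as big-endian mpints.
    """
    parts = text.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an OpenSSH ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    algorithm, pos = _read_string(blob, 0)
    e_bytes, pos = _read_string(blob, pos)
    n_bytes, pos = _read_string(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after the modulus")
    if algorithm != b"ssh-rsa":
        raise ValueError("inner algorithm %r does not match the line header" % algorithm)
    modulus = int.from_bytes(n_bytes, "big")
    return {
        "algorithm": algorithm.decode("ascii"),
        "exponent": int.from_bytes(e_bytes, "big"),
        "modulus_bits": modulus.bit_length(),
        "comment": parts[2].strip() if len(parts) == 3 else "",
    }


def check_rsa_key(text, min_bits=2048):
    """Return (ok, reason): ok is False for a malformed key or a short modulus."""
    try:
        info = parse_openssh_rsa(text)
    except ValueError as exc:
        return False, "malformed key: %s" % exc
    if info["modulus_bits"] < min_bits:
        return False, "modulus is %d bits, below the required %d" % (
            info["modulus_bits"], min_bits)
    return True, "%s key, %d-bit modulus, e=%d, comment %r" % (
        info["algorithm"], info["modulus_bits"], info["exponent"], info["comment"])


if __name__ == "__main__":
    print(parse_openssh_rsa(PAGE_KEY))
    print(check_rsa_key(PAGE_KEY))
```

The page's key decodes to a 128-byte modulus with the PuTTYgen default exponent 37, so it passes the NGFW's own 1024-bit advice only marginally and fails a 2048-bit minimum; the same parser rejects a truncated paste, which is the usual failure when a wrapped key line is copied from a document.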


5.10.5.6 Example for Downloading Files from the TFTP Server


This section describes how to download files from the TFTP server using the NGFW as the
TFTP client.

Networking Requirements
As shown in Figure 5-66, the IP address of the TFTP server is 10.111.16.160/24. Log in to the
NGFW through the PC and download test.cc from the TFTP server.

NOTICE
SFTP is recommended because it is more secure.

Figure 5-66 Networking diagram of downloading files from the TFTP server (TFTP Server -- NGFW -- PC)

Data Planning
Item: Path of the source file on the TFTP server
  test.cc
Item: Name of the target file and storage path on the device
  hda1:/test.cc

Configuration Roadmap
The configuration roadmap is as follows:

1. Start the TFTP software on the TFTP server and set the location of the source file on the
server.
2. Use the tftp command to download the file to the NGFW.

Procedure
Step 1 Start the TFTP server. Specify the directory where test.cc resides as the base directory. Figure
5-67 shows the window.


Figure 5-67 Setting the base directory of the TFTP server

NOTE

The display varies with the TFTP server software running on the PC.

Step 2 Log in to the device through the PC and run the following commands to download the file:
<NGFW> tftp 10.111.16.160 get test.cc hda1:/test.cc
Transfer file in binary mode.
Now begin to download file from remote tftp server, please wait for a while...
\
TFTP: 86235884 bytes received in 42734 second.
TFTP: 15805100 bytes received in 42734 second.
File downloaded successfully.

----End

Configuration Verification
Check whether the downloaded file is in the specified directory of the device.
<NGFW> dir hda1:
Directory of hda1:/
0 -rw- 86211956 Jun 08 2009 15:20:14 test.cc
1 -rw- 40 Jun 24 2009 09:30:40 private-data.txt
2 -rw- 396 May 19 2009 15:00:10 rsahostkey.dat
3 -rw- 540 May 19 2009 15:00:10 rsaserverkey.dat
4 -rw- 2718 Jun 21 2009 17:46:46 1.cfg
5 -rw- 14343 May 19 2009 15:00:10 paf.txt
6 -rw- 1004 Feb 05 2009 09:30:22 vrp1.zip
7 -rw- 6247 May 19 2009 15:00:10 license.txt
8 -rw- 14343 May 16 2009 14:13:42 paf.txt.bak

5.10.6 Feature History


This section describes the versions and changes in the file system feature.


Version: V100R001C00
Change Description: The first version.

5.11 NTP
This section describes the basic concepts, mechanism, and configuration methods of Network
Time Protocol (NTP), and provides several examples for configuring NTP.

5.11.1 Overview
NTP is used for clock synchronization between distributed time servers and clients. A
system running NTP can initiate clock synchronization with other systems or accept
synchronization requests from other systems.

NTP synchronizes the clocks of all devices on a network. Therefore, the clocks on all these
devices are the same, which enables a device to implement various operations based on the
uniform time.

The clock of any local system that runs NTP can be synchronized by other clock sources, and
the system can also function as a clock source to synchronize the clock of other systems. In
addition, two devices can exchange NTP packets for mutual synchronization.

NTP packets are encapsulated in UDP packets and use port 123 for transmission.

5.11.2 Mechanism
This section describes the mechanism of NTP.

NTP synchronizes time among a set of distributed time servers and clients. In this manner, the
time of the host is synchronized with a certain time standard. The device that provides the
standard time is a server, whereas the device being synchronized is a client. The clock of a local
system running NTP can be synchronized by other clock sources or act as a clock source to
synchronize other clocks. In addition, two devices can exchange NTP packets for mutual
synchronization. NTP packets are encapsulated in UDP packets and use port 123 for
transmission.

Implementation Process
As shown in Figure 5-68, NGFW_A and NGFW_B are connected through a Wide Area Network
(WAN). NGFW_A synchronizes its time from NGFW_B.


Figure 5-68 Diagram of NTP implementation (four steps of one exchange between NGFW_A and NGFW_B across the network: Step 1, the NTP packet leaves NGFW_A stamped 10:00:00 am; Step 2, NGFW_B stamps 11:00:01 am on receipt; Step 3, NGFW_B stamps 11:00:02 am on departure; Step 4, NGFW_A receives the packet at 10:00:03)

The demonstration of the NTP mechanism is based on the following assumption:


l Before NGFW_A and NGFW_B synchronize the clock, the clock on NGFW_A is 10:00:00
am and that on NGFW_B is 11:00:00 am.
l NGFW_B acts as the NTP server. NGFW_A synchronizes its clock with that of
NGFW_B.
l Unidirectional transmission of an NTP packet between NGFW_A and NGFW_B takes one
second.
l Both NGFW_A and NGFW_B take one second to process an NTP packet.
The clock synchronization process is as follows:
l NGFW_A sends an NTP packet to NGFW_B. The packet carries an initial timestamp,
10:00:00 am (T1), indicating the time when the packet leaves NGFW_A.
l When the NTP packet reaches NGFW_B, NGFW_B adds a timestamp, namely, 11:00:01
am (T2), to the NTP packet, indicating the time when NGFW_B receives the packet.
l When the NTP packet leaves NGFW_B, NGFW_B adds another timestamp, namely,
11:00:02 am. (T3) to the NTP packet, indicating the time when the packet leaves
NGFW_B.
l When receiving this returned NTP packet, NGFW_A adds a new timestamp, which is
10:00:03 am (T4).
Then NGFW_A uses the received information to calculate the following two important
parameters:


l A round trip delay of the NTP packet: Delay = (T4 - T1) - (T3 - T2).
l The clock offset of NGFW_A by taking NGFW_B as the reference: Offset = ((T2 - T1) +
(T3 - T4))/2.
NGFW_A sets its clock based on the delay and offset to synchronize its clock with NGFW_B.

NOTE

NTP uses the standard algorithm in RFC 1305 to ensure the precision of clock synchronization. The
preceding example is only a brief introduction to the operating mechanism of NTP.
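The two formulas above, carried through with the page's own timestamps, as an added example that is not part of the original guide. The block also goes one step beyond the page's symmetric case: it simulates an exchange with different forward and return path delays to show that the offset estimate is wrong by half the asymmetry while the delay estimate stays exact, which is why a client behind a congested or asymmetric path (or one whose server is being interfered with, the case the Security Mechanism section addresses) can be pulled off true time. The date, the simulated delays and the function names are constructed for the example.

```python
from datetime import datetime, timedelta

# Timestamps from the walk-through above, placed on a constructed date.
T1 = datetime(2015, 7, 30, 10, 0, 0)  # packet leaves NGFW_A (read from NGFW_A's clock)
T2 = datetime(2015, 7, 30, 11, 0, 1)  # packet arrives at NGFW_B (NGFW_B's clock)
T3 = datetime(2015, 7, 30, 11, 0, 2)  # reply leaves NGFW_B (NGFW_B's clock)
T4 = datetime(2015, 7, 30, 10, 0, 3)  # reply arrives at NGFW_A (NGFW_A's clock)


def ntp_delay(t1, t2, t3, t4):
    """Round-trip delay in seconds: Delay = (T4 - T1) - (T3 - T2)."""
    return ((t4 - t1) - (t3 - t2)).total_seconds()


def ntp_offset(t1, t2, t3, t4):
    """Offset of the client clock relative to the server in seconds:
    Offset = ((T2 - T1) + (T3 - T4)) / 2."""
    return ((t2 - t1) + (t3 - t4)).total_seconds() / 2


def corrected_clock(t4, offset_seconds):
    """The client's clock after applying the estimated offset."""
    return t4 + timedelta(seconds=offset_seconds)


def simulate_exchange(true_offset, forward_delay, return_delay, processing, t1=T1):
    """Produce T1..T4 for a client whose clock lags the server by true_offset
    seconds, with the given one-way delays and server processing time.

    Returns the four timestamps in the form the two estimators expect.
    """
    t2 = t1 + timedelta(seconds=true_offset + forward_delay)  # server clock on receipt
    t3 = t2 + timedelta(seconds=processing)                   # server clock on reply
    t4 = t3 + timedelta(seconds=return_delay - true_offset)   # back on the client clock
    return t1, t2, t3, t4


if __name__ == "__main__":
    print("delay  =", ntp_delay(T1, T2, T3, T4), "s")     # 2.0
    print("offset =", ntp_offset(T1, T2, T3, T4), "s")    # 3600.0
    print("NGFW_A corrected clock:", corrected_clock(T4, ntp_offset(T1, T2, T3, T4)))
    # Asymmetric path: 0.5 s out, 1.5 s back. Delay is still 2 s, but the
    # offset estimate is off by (0.5 - 1.5) / 2 = -0.5 s.
    t = simulate_exchange(3600, 0.5, 1.5, 1)
    print("asymmetric: delay =", ntp_delay(*t), "offset =", ntp_offset(*t))
```

With the page's values the delay comes out as 2 s and the offset as 3600 s, so NGFW_A moves its clock from 10:00:03 to 11:00:03; the asymmetric run shows the estimator's built-in assumption that both directions take equal time.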

Network Architecture
As shown in Figure 5-69, the networking of NTP is composed of the primary time server,
secondary time servers, clients, and interconnections in between.

Figure 5-69 Network architecture of NTP (the primary time server at the top, secondary time servers below it, and further secondary time servers at the next level down)

l The primary time server is directly synchronized with a primary reference source which is
usually a radio clock or Global Positioning System (GPS).
l A secondary time server synchronizes its clock with the clock of the primary time server
or another secondary time server on the network and transmits the time information to other
hosts on the network through NTP.
Under normal circumstances, primary and secondary time servers on the synchronization subnet
assume a hierarchical structure, with the primary server at the root and the secondary server at
successive stratums toward the leaf node. The higher the stratum level is, the less accurate the
clock.

Operating Mode
Server/Client mode:
l Client mode: The host operating in client mode (client) periodically sends NTP request
messages to the server regardless of the reachability and the stratum level of the server.


Usually, such a host is a workstation on a specified network. The host synchronizes its
clock with the clock on the server but does not change the clock of the server.
l Server mode: The host operating in server mode (server) receives NTP request messages
and responds to the client. Usually, such a host is a time server on a network and provides
synchronization information for the client but does not change its own clock.
During and after the restart, the client periodically sends NTP request messages to the server.
After receiving the NTP request message, the server encloses the destination IP address, source
IP address, source port, destination port and other necessary information in a message and sends
the message to the client. The server does not need to retain state information when the client
sends the request message. The client freely adjusts the interval for sending NTP request
messages based on the local conditions.
Peer mode:
In peer mode, the active peer and the passive peer synchronize with each other, and the lower-
level peer (higher stratum) synchronizes itself with the higher-level peer (lower stratum).
l Active peer: The host acting as the active peer periodically sends packets to the passive
peer regardless of the reachability and the stratum of the peer. The host can provide
synchronization information for the peer and also synchronize its clock with the peer.
l Passive peer: The host acting as the passive peer receives packets and responds to the peer.
The host provides synchronization information for the peer and also synchronizes its clock
with the peer.
l The premise of being a passive peer: The host receives messages from a peer operating in
active mode, the route from the host to the peer is reachable, and the stratum of the peer is
higher than or equal to the stratum of the host.
NOTE

The host acting as a passive peer is at the lower stratum on the synchronization subnet. You do not need
to obtain information about the peer in advance because the connection between peers is not set up and
status variables are not configured unless the passive host receives NTP messages from the peer.

Broadcast mode:
l The host operating in broadcast mode periodically sends clock-synchronization packets to
the broadcast address 255.255.255.255 regardless of the reachability or the stratum of its
peer. The host in this mode is usually a time server using high-speed broadcast media on
the specified network. Such a host provides synchronization information for its peers but
does not alter the clock of its own.
l The client listens in on the broadcast packets from the server. After receiving the first
broadcast packet, to estimate the network delay, the client leaves the broadcast mode and
temporarily operates in client/server mode to exchange packets with the remote server.
Later, the client restores the broadcast mode and continues to listen to the broadcast packets
and re-synchronizes the local clock according to the received broadcast packets.
The broadcast mode is applied to the high speed network that has multiple workstations and
does not require high accuracy. In a typical scenario, one or more time servers on the network
periodically send broadcast packets to the workstations. The delay of packet transmission in a
LAN is at the milliseconds level.
Multicast mode:
l The host operating in multicast mode periodically sends clock-synchronization packets to
a multicast address. Usually, the host in this mode is a time server using high-speed


broadcast media on the network. The host provides synchronization information for all the
peers but does not alter the clock of its own.
l The client listens in on the multicast packets from the server. After receiving the first
multicast packet, to estimate the network delay, the client temporarily operates in client/
server mode to exchange packets with the remote server. Later, the client restores the
multicast mode and continues to listen to the multicast packets and re-synchronizes the
local clock according to the received multicast packets.

Security Mechanism
When a time server on the subnet is faulty or data is maliciously modified or destroyed,
timekeeping on other time servers on the subnet should not be affected. To meet this requirement,
NTP provides two security mechanisms: access permission control and NTP authentication to
secure the network.

Access permission control:

The NGFW protects local NTP services by controlling access permissions.

The NGFW provides four levels of access permission. An NTP request that reaches the local host is
matched against the levels in the order listed below, and the first level whose ACL matches the
source takes effect. The levels are ordered from the most permissive to the most restrictive, so a
source address that is permitted at an earlier level is never restricted by a later one. The
matching sequence is as follows:

l peer: the most permissive level. The remote end can request time from and send control
queries to the local NTP service, and the local clock can also be synchronized with the clock
of the remote end.
l server: The remote end can request time from and send control queries to the local NTP
service. The local clock, however, is never synchronized with the clock of the remote end.
l synchronization: The remote end can only request time from the local NTP service.
l query: the most restrictive level. The remote end can only send control queries to the local
NTP service; it cannot obtain time from it.

Authentication:

Enable NTP authentication on networks that require high security. NTP authentication must be
configured separately on the client and on the server.

When you configure NTP authentication, note the following rules:

l The configuration must be complete on both the client and the server; otherwise
authentication does not take effect. After enabling NTP authentication, you must configure
the key and declare it reliable (trusted) on each side.
l The key configured on the server and on the client must be identical (same key ID,
algorithm, and password).

5.11.3 Configuring Basic NTP Functions


This section describes how to configure the basic NTP functions to meet the clock
synchronization requirements in different environments. The NGFW provides four Network
Time Protocol (NTP) working modes and supports all NTP versions.


5.11.3.1 Configuring the NTP Primary Clock


This section describes how to configure the NTP primary clock on the NGFW acting as the
server.

Context
To configure an NGFW to provide the primary NTP clock, do as follows on the NGFW
functioning as the NTP server.

Procedure
Step 1 Access the system view.
system-view

Step 2 Configure a primary NTP server.


ntp-service refclock-master [ ip-address ] [ stratum ]

ip-address is the IP address of the local reference clock. The value is 127.127.t.u. t ranges from
0 to 37. Currently, the value of t is fixed at 1 and cannot be changed, indicating the local reference
clock. u indicates the NTP process ID, ranging from 0 to 3. If you do not specify the IP address,
the local clock is used as the NTP primary clock. stratum is the stratum level that the local clock
advertises; a lower number indicates a more accurate clock, and every client that synchronizes with
this device advertises stratum + 1.

----End

Example
Access the system view, run the ntp-service refclock-master 2 command, set the local clock
to be the NTP primary clock, and set the stratum of the clock to 2.
[NGFW] ntp-service refclock-master 2

Follow-up Procedure
You can run the display ntp-service status command to display the status of the NTP service
after the configuration.
<NGFW> display ntp-service status
clock status: synchronized
clock stratum: 2
reference clock ID: LOCAL(0)
nominal frequency: 100.0000 Hz
actual frequency: 100.0000 Hz
clock precision: 2^13
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.00 ms
peer dispersion: 10.00 ms
reference time: 16:33:26.001 UTC Apr 19 2010(CF770456.0066A11E)

5.11.3.2 Configuring NGFW in Client/Server Mode for NTP


This section describes how to configure the NGFW in client/server mode for NTP on a network
to synchronize the clock.


Procedure
l Configure the NTP client.

Perform the following steps on the NGFW that functions as a client:

1. Access the system view.


system-view

2. Optional: Specify the local source interface to send NTP packets.


ntp-service source-interface interface-type interface-number [ vpn-
instance vpn-instance-name ]

3. Set the IP address of the NTP server.


ntp-service unicast-server ip-address [ version number | authentication-
keyid key-id | source-interface interface-type interface-number | vpn-
instance vpn-instance-name | preference ] *

ip-address is the IP address of the NTP server. It must be the IP address of a specific
host but not a broadcast address, a multicast address, or the IP address of the reference
clock.

NOTE

l After you specify the unicast NTP server, the local NGFW functions as the client. Only
the configuration of the NTP primary clock is necessary on the server.
l Step 2 is optional. If source-interface is specified in both Step 2 and Step 3, use the source
interface specified in Step 3 preferentially.
l For the unicast mode, after configuring the NTP client, you need to configure a security
policy between the security zone where the source interface resides and Local zone to
permit NTP packets. For the broadcast and multicast modes, you do not need to configure
the security policy.
l Optional: Specify the source interface for the NTP server to send NTP packets.

Perform the following steps on the NGFW that functions as the server:

1. Access the system view.


system-view

2. Specify the local source interface for the sending of NTP packets.
ntp-service source-interface interface-type interface-number

In normal cases, you need to specify only the IP address of the NTP server on the
client. The client and the server can then exchange NTP packets using this IP address.

If you specify the source interface on the server, the server IP address specified on the
client must be the same as that of the source interface. Otherwise, the client cannot
process NTP packets from the server, and the clock synchronization fails.

----End

5.11.3.3 Configuring the NTP Peer Mode


This section describes how to configure the NTP peer mode to synchronize the clock between the
local NGFW, which runs as the active peer, and other devices that act as passive peers and require
no peer-specific configuration (NTP itself must be enabled on them).


Procedure
l Configure the NTP active peer.
1. Access the system view.
system-view

2. Optional: Specify the local source interface for the sending of NTP packets.
ntp-service source-interface interface-type interface-number [ vpn-
instance vpn-instance-name ]

3. Configure the NTP peer.


ntp-service unicast-peer ip-address [ version number | authentication-
keyid key-id | source-interface interface-type interface-number | vpn-
instance vpn-instance-name | preference ] *

Step 2 is optional. If source-interface is specified in both Step 2 and Step 3, use the
source interface specified in Step 3 preferentially.

ip-address is the IP address of the NTP peer. The value must be an IP address of a
specific host but not a broadcast address, multicast address, or the IP address of the
reference clock.

NOTE

l In NTP peer mode, you must enable NTP on the passive peer using a command described
in Configuring Basic NTP Functions. Otherwise, the passive peer is unable to process
NTP packets from the active peer.
l At least one of the two peers must already be in the synchronized state. Otherwise,
neither peer can synchronize.
l To configure multiple passive peers, repeat the ntp-service unicast-peer command.
l Optional: Configure the source interface of the NTP passive peer.
1. Access the system view.
system-view

2. Specify the local source interface for the sending of NTP packets.
ntp-service source-interface interface-type interface-number [ vpn-
instance vpn-instance-name ]

In normal cases, you need to specify only the IP address of the NTP passive peer on
the active peer. The active and passive peers then exchange NTP packets using this
IP address.

If you specify the source interface to send NTP packets on the passive peer, the IP
address of the NTP peer configured on the active peer must be the same as the IP
address of this source interface. Otherwise, the active peer cannot process NTP packets
from the passive peer.

----End

5.11.3.4 Configuring the NTP Broadcast Mode


This section describes how to configure the NTP broadcast mode for the clock synchronization
between NGFWs that serves as the broadcast server and broadcast client.

Procedure
l Configure the NTP broadcast server.


Perform the following steps on the NGFW that functions as an NTP broadcast server:

1. Access the system view.


system-view

2. Specify the interface to send NTP broadcast packets.


interface interface-type interface-number

3. Configure the local NGFW as the NTP broadcast server.


ntp-service broadcast-server [ authentication-keyid key-id | version
number ]*

After the configuration, the local NGFW periodically sends clock synchronization
packets to broadcast address 255.255.255.255.

NOTE
Broadcast packets are not forwarded by routers, so the broadcast server serves only the
clients on the same LAN segment as the sending interface.
l Configure an NTP broadcast client.

Perform the following steps on the NGFW that functions as an NTP broadcast client:

1. Access the system view.


system-view

2. Optional: Set the number of allowed dynamic local sessions.


ntp-service max-dynamic-sessions number

Step 2 is optional. By default, a maximum of 100 NTP sessions can be set up dynamically.
3. Specify the interface to receive broadcast NTP packets.
interface interface-type interface-number

4. Configure the local NGFW as an NTP broadcast client.


ntp-service broadcast-client

After the configuration is complete, the local NGFW listens to the broadcast NTP
packets from the server and synchronizes the local clock.

----End

5.11.3.5 Configuring the NTP Multicast Mode


This section describes how to configure the NTP multicast mode for the clock synchronization
between the NGFWs that serve as the multicast server and multicast clients.

Procedure
l Configure the NTP multicast server.

Perform the following steps on the NGFW that functions as an NTP multicast server:

1. Access the system view.


system-view

2. Specify the interface to send multicast NTP packets.


interface interface-type interface-number

3. Configure the local NGFW as the NTP multicast server.


ntp-service multicast-server [ ip-address ] [ ttl ttl-number | version
number | authentication-keyid authentication-keyid ] *

After the configuration, the local NGFW periodically sends clock synchronization
packets to multicast address 224.0.1.1.
l Configure an NTP multicast client.

Perform the following steps on the NGFW that functions as an NTP multicast client:

1. Access the system view.


system-view

2. Optional: Set the number of allowed dynamic local sessions.


ntp-service max-dynamic-sessions number

3. Specify the interface to receive multicast NTP packets.


interface interface-type interface-number

4. Configure the local NGFW as an NTP multicast client.


ntp-service multicast-client [ ip-address ]

Step 2 is optional. By default, a maximum of 100 NTP sessions can be set up dynamically.

After the configuration, the local NGFW listens in on the multicast NTP packets from
the server and synchronizes the local clock.

Running the ntp-service max-dynamic-sessions command does not affect existing
NTP sessions. When the number of sessions reaches the maximum allowed number,
no new sessions can be created.

----End

5.11.3.6 Disabling a Specific Interface From Receiving NTP Packets


This section describes how to disable a specific interface on the local NGFW from receiving
NTP packets.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the interface view.


interface interface-type interface-number

Step 3 Disable the interface from receiving NTP packets.


ntp-service in-interface

----End

5.11.4 Configuring the NTP Security Mechanisms


This section describes how to configure the access permission control and NTP authentication
function to enhance NTP security.


5.11.4.1 Configuring NTP Access Permission Control


This section describes how to configure access permission control to restrict certain NTP
requests.

Procedure
Step 1 Access the system view.
system-view

Step 2 Configure the permission for the access to NTP services on the local NGFW.
ntp-service access { peer | query | server | synchronization } acl-number

Run the ntp-service access command once for each level that you need to restrict, referencing
an ACL that matches the permitted source addresses. Remember that the levels are matched from
peer to query and the first match wins.

Table 5-34 lists the controllable NTP access permissions.

Table 5-34 Description of NTP access permissions

NTP Operating Mode             | Type of Restricted NTP Requests                               | Supported Devices
Unicast NTP server/client mode | Synchronizing the client with the server                      | Client
Unicast NTP server/client mode | Processing the clock synchronization request from the client  | Server
NTP peer mode                  | Clock synchronization with each other                         | Active peer
NTP peer mode                  | Clock synchronization request from the active end             | Passive peer
NTP multicast mode             | Synchronizing the client with the server                      | NTP multicast client
NTP broadcast mode             | Synchronizing the client with the server                      | NTP broadcast client

----End
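The matching order matters for the same reason as any first-match ACL: a source address that an earlier, more permissive level admits is never reached by a narrower rule at a later level. The following Python model is an added example written for this edit (not Huawei code) of the four-level control described under Security Mechanism and configured with ntp-service access above: it evaluates a source address against the levels in device order, reports what the resulting level allows, and lints a policy for rules that can never take effect. Assumptions not taken from the guide: ACLs are modelled as ordered permit/deny rules over IPv4 networks with an implicit deny, and a source matched by no configured level is treated as refused; confirm that last point against the device's own behaviour.

```python
"""Model of the NGFW's four-level NTP access control (added example, not Huawei code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Levels in the order the device evaluates them: most permissive first.
LEVELS = ("peer", "server", "synchronization", "query")

# What each level lets the remote end do, as described in the guide:
#   request - obtain time from the local NTP service
#   query   - send control queries to the local NTP service
#   sync    - the local clock may be synchronized to the remote clock
CAPABILITIES = {
    "peer":            {"request": True,  "query": True,  "sync": True},
    "server":          {"request": True,  "query": True,  "sync": False},
    "synchronization": {"request": True,  "query": False, "sync": False},
    "query":           {"request": False, "query": True,  "sync": False},
}


@dataclass
class Acl:
    """Simplified basic ACL (assumption): ordered (action, network) rules,
    first match wins, implicit deny at the end."""
    rules: List[Tuple[str, str]] = field(default_factory=list)

    def permits(self, src: str) -> bool:
        addr = ip_address(src)
        for action, net in self.rules:
            if addr in ip_network(net, strict=False):
                return action == "permit"
        return False


@dataclass
class NtpAccessPolicy:
    """One 'ntp-service access <level> <acl-number>' per configured level."""
    acls: Dict[str, Acl] = field(default_factory=dict)

    def effective_level(self, src: str) -> Optional[str]:
        """The first level (in LEVELS order) whose ACL permits the source decides."""
        for level in LEVELS:
            acl = self.acls.get(level)
            if acl is not None and acl.permits(src):
                return level
        return None  # assumption: a source matched by no level is refused

    def allows(self, src: str, operation: str) -> bool:
        level = self.effective_level(src)
        return level is not None and CAPABILITIES[level][operation]


def shadowed_rules(policy: NtpAccessPolicy) -> List[Tuple[str, str, str]]:
    """Permit rules at a restrictive level that can never take effect because an
    earlier, more permissive level already permits the whole network (heuristic:
    the first and last address of the network are tested).
    Returns (level, network, level that shadows it)."""
    found = []
    for i, level in enumerate(LEVELS):
        acl = policy.acls.get(level)
        if acl is None:
            continue
        for action, net in acl.rules:
            if action != "permit":
                continue
            n = ip_network(net, strict=False)
            for earlier in LEVELS[:i]:
                e = policy.acls.get(earlier)
                if e is not None and e.permits(str(n[0])) and e.permits(str(n[-1])):
                    found.append((level, net, earlier))
                    break
    return found


def demo_policy() -> NtpAccessPolicy:
    """Constructed policy: a trusted peer subnet, a client subnet and a monitoring host.
    The operator meant 10.0.1.0/24 to be query-only but also listed it at peer level."""
    return NtpAccessPolicy({
        "peer":   Acl([("permit", "10.0.1.0/24")]),
        "server": Acl([("permit", "10.0.0.0/16")]),
        "query":  Acl([("permit", "192.0.2.10/32"), ("permit", "10.0.1.0/24")]),
    })


if __name__ == "__main__":
    policy = demo_policy()
    for src in ("10.0.1.5", "10.0.7.9", "192.0.2.10", "203.0.113.1"):
        print(src, policy.effective_level(src), "sync" if policy.allows(src, "sync") else "no-sync")
    print("shadowed:", shadowed_rules(policy))
```

Running the module shows 10.0.1.5 landing on peer (and therefore able to drive the local clock) even though the operator listed the subnet under query; the lint reports that query rule as shadowed by peer. Put the narrow, restrictive rules at the permissive levels' ACLs as explicit deny entries, or keep the subnets disjoint, so that the intended restriction is the one that matches.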

5.11.4.2 Enabling NTP Authentication


This section describes how to enable NTP authentication.

Context
To enable NTP authentication, you must configure the same authentication key on both the client
and server and announce the key to be reliable.


NOTE

l Configure both the NTP server and the NTP client.


l Configure the same authentication key on the server and the client and announce that the key is reliable.
Otherwise, NTP authentication fails.
l Enable NTP authentication. Otherwise, actual authentication is not implemented.

Perform the following steps on the device.

Procedure
Step 1 Access the system view.
system-view

Step 2 Enable the NTP authentication function.


ntp-service authentication enable

Step 3 Configure the NTP authentication key.


ntp-service authentication-keyid key-id authentication-mode { md5 | hmac-sha256 }
password

MD5 is faster than HMAC-SHA256 but is cryptographically weak. Use hmac-sha256 wherever
possible and fall back to md5 only for a peer that supports nothing else.

Step 4 Announce the authentication key to be reliable.


ntp-service reliable authentication-keyid key-id

----End
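As an added example (not Huawei's implementation) of what the three commands above amount to on the wire, the Python below signs an NTP client request with a key ID and a MAC over the 48-byte header and verifies it on the receiving side under the guide's rules: authentication must be enabled, the key ID must be configured and declared reliable, and the key must match. Assumptions not supported by this page: the md5 mode is modelled as the RFC 5905 keyed digest MD5(key || header) and the hmac-sha256 mode as HMAC-SHA256(key, header); the NGFW's actual framing for its hmac-sha256 mode is not documented here, so the MAC lengths and layout are illustrative. Key ID 42 and the password Hello@123 are the values used in the configuration example later in this section.

```python
"""Symmetric-key NTP authentication, modelled after the guide's rules (added example)."""
import hashlib
import hmac
import struct
import time

NTP_HEADER_LEN = 48
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def build_client_request(version: int = 4, transmit_ts: float = None) -> bytes:
    """Minimal NTP client (mode 3) request header: LI=0, VN=version, stratum 0."""
    li_vn_mode = (0 << 6) | (version << 3) | 3
    if transmit_ts is None:
        transmit_ts = time.time()
    secs = int(transmit_ts) + NTP_EPOCH_OFFSET
    frac = int((transmit_ts - int(transmit_ts)) * (1 << 32))
    # LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
    # reference ID, reference/origin/receive timestamps, transmit timestamp
    return struct.pack("!BBBbIIIQQQII", li_vn_mode, 0, 6, -20, 0, 0, 0, 0, 0, 0, secs, frac)


def compute_mac(mode: str, key: bytes, header: bytes) -> bytes:
    """Assumed constructions: md5 -> MD5(key || header), hmac-sha256 -> HMAC-SHA256."""
    if mode == "md5":
        return hashlib.md5(key + header).digest()          # 16 bytes
    if mode == "hmac-sha256":
        return hmac.new(key, header, hashlib.sha256).digest()  # 32 bytes
    raise ValueError(f"unsupported authentication mode {mode!r}")


def sign(header: bytes, key_id: int, mode: str, key: bytes) -> bytes:
    """Sender side: header, then the 4-byte key ID, then the MAC over the header."""
    return header + struct.pack("!I", key_id) + compute_mac(mode, key, header)


class NtpAuthenticator:
    """Receiver side. Models 'ntp-service authentication enable',
    'ntp-service authentication-keyid' and 'ntp-service reliable authentication-keyid'."""

    def __init__(self, enabled: bool = True):
        self.enabled = enabled
        self.keys = {}           # key_id -> (mode, key)
        self.reliable = set()    # key IDs declared reliable (trusted)

    def add_key(self, key_id: int, mode: str, key: bytes) -> None:
        self.keys[key_id] = (mode, key)

    def declare_reliable(self, key_id: int) -> None:
        self.reliable.add(key_id)

    def verify(self, packet: bytes) -> str:
        """Return 'ok' or the reason the packet is rejected."""
        if len(packet) < NTP_HEADER_LEN:
            return "short"
        if not self.enabled:
            return "ok"  # authentication not enabled: nothing is checked
        header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
        if len(trailer) < 4:
            return "unauthenticated"
        key_id = struct.unpack("!I", trailer[:4])[0]
        if key_id not in self.keys:
            return "unknown-key"
        if key_id not in self.reliable:
            return "key-not-reliable"
        mode, key = self.keys[key_id]
        expected = compute_mac(mode, key, header)
        if not hmac.compare_digest(expected, trailer[4:]):
            return "bad-mac"
        return "ok"


def demo() -> dict:
    """Exercise the acceptance rules with a fixed, constructed timestamp."""
    key = b"Hello@123"
    header = build_client_request(transmit_ts=1262304000.5)
    server = NtpAuthenticator()
    server.add_key(42, "hmac-sha256", key)
    server.declare_reliable(42)
    good = sign(header, 42, "hmac-sha256", key)
    tampered = bytearray(good)
    tampered[1] = 1  # stratum byte altered in transit
    wrong_key = sign(header, 42, "hmac-sha256", b"Hello@124")
    configured_only = NtpAuthenticator()        # key configured but never declared reliable
    configured_only.add_key(42, "hmac-sha256", key)
    return {
        "good": server.verify(good),
        "tampered": server.verify(bytes(tampered)),
        "wrong_key": server.verify(wrong_key),
        "no_mac": server.verify(header),
        "not_reliable": configured_only.verify(good),
        "unknown_key": server.verify(sign(header, 7, "md5", key)),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:14s} {result}")
```

The "not_reliable" case is the one the guide's rules warn about: a key that is configured but not declared reliable never authenticates anything, so the "announce the key to be reliable" step is not optional. The "no_mac" case shows why authentication has to be enabled on both sides: an unauthenticated packet is only rejected when the receiver has authentication turned on.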

5.11.4.3 Configuring NTP Authentication in Unicast Server/Client Mode


This section describes how to configure NTP authentication in client/server mode on the unicast
client.

Context
Perform the following steps on the NGFW that functions as an NTP unicast client.

Procedure
Step 1 Access the system view.
system-view

Step 2 Specify the ID of the authentication key used for synchronizing the clock with the specified NTP
server.
ntp-service unicast-server ip-address authentication-keyid key-id [ version number
| source-interface interface-type interface-number | vpn-instance vpn-instance-
name | preference ] *

----End

5.11.4.4 Configuring NTP Authentication in Peer Mode


This section describes how to configure NTP authentication in peer mode on the active peer.


Context
Perform the following steps on the device that functions as the active peer.

Procedure
Step 1 Access the system view.
system-view

Step 2 Specify the ID of the authentication key used for synchronizing the clock with the specified NTP
peer.
ntp-service unicast-peer ip-address [ version number | authentication-keyid key-id
| source-interface interface-type interface-number | vpn-instance vpn-instance-
name | preference ] *

----End

5.11.4.5 Configuring NTP Authentication in Broadcast Mode


This section describes how to configure NTP authentication in broadcast mode on the broadcast
server.

Procedure
Step 1 Access the system view.
system-view

Step 2 Specify the interface to send broadcast NTP packets.


interface interface-type interface-number

Step 3 Specify the ID of the authentication key used by the NTP broadcast server.
ntp-service broadcast-server authentication-keyid key-id [ version number ]

Apart from enabling NTP authentication and configuring the same key on the client (see 5.11.4.2
Enabling NTP Authentication), the client configuration is the same as that without NTP
authentication. For details, see 5.11.3.4 Configuring the NTP Broadcast Mode.

----End

5.11.4.6 Configuring NTP Authentication in Multicast Mode


This section describes how to configure NTP authentication in multicast mode on the multicast
server.

Procedure
Step 1 Access the system view.
system-view

Step 2 Specify the interface for the sending of multicast NTP packets.
interface interface-type interface-number

Step 3 Specify the ID of the authentication key used by the NTP multicast server.
ntp-service multicast-server [ ip-address ] authentication-keyid key-id [ ttl ttl-
number | version number ] *


Apart from enabling NTP authentication and configuring the same key on the client (see 5.11.4.2
Enabling NTP Authentication), the client configuration is the same as that without NTP
authentication. For details, see 5.11.3.5 Configuring the NTP Multicast Mode.

----End

5.11.5 Maintaining NTP


This section describes how to debug NTP using maintenance commands when an NTP running
fault occurs.

5.11.5.1 Checking NTP Configurations


After the NTP configuration is complete, you can run the display command to check the
configuration.

Context
During routine maintenance, you can run the following commands in any view to check NTP
configurations.
Table 5-35 lists the commands for checking NTP configurations.

Table 5-35 Checking NTP configurations

Action                                               | Command
Check the status of NTP sessions.                    | display ntp-service sessions [ verbose ]
Check the summary information about the NTP server. | display ntp-service trace

5.11.5.2 Debugging NTP


When an NTP running fault occurs, you can debug NTP using maintenance commands. By
checking debugging messages, you can locate and analyze the fault.

Context
Before the debugging, you must run the terminal monitor and terminal debugging commands
in the user view to enable the display of logs, trap messages and debugging messages on the
terminal, so that debugging messages can be displayed on the terminal.

NOTICE
Enabling the debugging function affects system performance. Therefore, after the debugging,
you should run the undo debugging all command to disable the debugging immediately.

For the description of the debugging commands, refer to Debugging Reference.


Table 5-36 lists the commands for maintaining NTP.

Table 5-36 Debugging NTP

Action     | Command
Debug NTP. | debugging ntp-service { access | adjustment | all | authentication | event | filter | packet | parameter | refclock | selection | synchronization | validity }

5.11.6 Configuration Examples


This section provides examples on how to configure NTP in various modes for time
synchronization over the network.

5.11.6.1 Example for Configuring NTP Authentication in Unicast Client/Server Mode

This section provides an example on how to configure NTP authentication in unicast client/server
mode.

Networking Requirements
As shown in Figure 5-70,

l NGFW_A functions as a unicast NTP server. The clock on NGFW_A is used as the primary
NTP clock, and the stratum is 2.
l NGFW_B functions as a unicast NTP client. The clock on NGFW_B needs to be
synchronized with the clock on NGFW_A.
l NGFW_C and NGFW_D function as NTP clients. They use NGFW_B as their NTP server.
l NTP authentication is enabled.

Figure 5-70 Networking diagram of the unicast server/client mode

NGFW_A (GE1/0/2: 2.2.2.2/24) --- IP network --- (GE1/0/1: 10.0.1.1/24) NGFW_B (GE1/0/2: 10.0.0.1/24)
NGFW_B (GE1/0/2: 10.0.0.1/24) --- NGFW_C (GE1/0/2: 10.0.0.2/24)
NGFW_B (GE1/0/2: 10.0.0.1/24) --- NGFW_D (GE1/0/2: 10.0.0.3/24)


Item                              | Data
IP address of the reference clock | 2.2.2.2/24
Stratum of the primary NTP clock  | 2
Authentication key ID             | 42
Authentication mode               | HMAC-SHA256
Password                          | Hello@123

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure NGFW_A as the NTP server to provide the primary clock.


2. Configure NGFW_B as an NTP client and synchronize its clock with the clock of
NGFW_A.
3. Configure NGFW_C and NGFW_D as NTP clients and synchronize their clocks with the
clock of NGFW_B.
NOTE

When you configure the NTP authentication in unicast client/server mode:


l You must enable NTP authentication on the client prior to specifying the IP address of the NTP server
and the authentication key to be sent to the server. Otherwise, NTP authentication is not performed
before clock synchronization.
l You need to configure both the server and the client to implement authentication successfully.

Procedure
Step 1 Set IP addresses.

# Set IP address for the NGFW_A.


<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 2.2.2.2 24
[NGFW_A-GigabitEthernet1/0/2] quit

# Set IP addresses for the NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/2
[NGFW_B-GigabitEthernet1/0/2] ip address 10.0.0.1 24
[NGFW_B-GigabitEthernet1/0/2] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.0.1.1 24
[NGFW_B-GigabitEthernet1/0/1] quit

# Set IP address for the NGFW_C.


<NGFW_C> system-view
[NGFW_C] interface GigabitEthernet 1/0/2


[NGFW_C-GigabitEthernet1/0/2] ip address 10.0.0.2 24
[NGFW_C-GigabitEthernet1/0/2] quit

# Set IP address for the NGFW_D.


<NGFW_D> system-view
[NGFW_D] interface GigabitEthernet 1/0/2
[NGFW_D-GigabitEthernet1/0/2] ip address 10.0.0.3 24
[NGFW_D-GigabitEthernet1/0/2] quit

Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.

Step 3 Configure a primary NTP clock on NGFW_A and enable NTP authentication.

# On NGFW_A, set the local clock as the primary NTP clock and set the stratum to 2.
<NGFW_A> system-view
[NGFW_A] ntp-service refclock-master 2

# Enable NTP authentication, configure the authentication key, and announce the key to be
reliable.
[NGFW_A] ntp-service authentication enable
[NGFW_A] ntp-service authentication-keyid 42 authentication-mode hmac-sha256
Hello@123
[NGFW_A] ntp-service reliable authentication-keyid 42

NOTICE
The authentication key configured on the client must be identical to the one on the server
(same key ID, algorithm, and password).

Step 4 Specify the NTP server on NGFW_B and enable NTP authentication.

# On NGFW_B, enable NTP authentication, configure the authentication key, and announce the
key to be reliable.
<NGFW_B> system-view
[NGFW_B] ntp-service authentication enable
[NGFW_B] ntp-service authentication-keyid 42 authentication-mode hmac-sha256
Hello@123
[NGFW_B] ntp-service reliable authentication-keyid 42

# Specify NGFW_A as the NTP server of NGFW_B and use the authentication key.
[NGFW_B] ntp-service unicast-server 2.2.2.2 authentication-keyid 42

Step 5 On NGFW_C, enable NTP authentication and specify NGFW_B as the NTP server of NGFW_C.


<NGFW_C> system-view
[NGFW_C] ntp-service authentication enable
[NGFW_C] ntp-service authentication-keyid 42 authentication-mode hmac-sha256
Hello@123
[NGFW_C] ntp-service reliable authentication-keyid 42
[NGFW_C] ntp-service unicast-server 10.0.0.1 authentication-keyid 42

Step 6 On NGFW_D, enable NTP authentication and specify NGFW_B as the NTP server of NGFW_D.


<NGFW_D> system-view
[NGFW_D] ntp-service authentication enable
[NGFW_D] ntp-service authentication-keyid 42 authentication-mode hmac-sha256
Hello@123


[NGFW_D] ntp-service reliable authentication-keyid 42
[NGFW_D] ntp-service unicast-server 10.0.0.1 authentication-keyid 42

----End

Result
l After the configuration is complete, the clock on NGFW_B can be synchronized with the
clock on NGFW_A.
Display the NTP status on NGFW_B and find that the clock status is synchronized. The
stratum of the clock is 3, one level below that of NGFW_A.
[NGFW_B] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 2.2.2.2
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^13
clock offset: 3.8128 ms
root delay: 31.26 ms
root dispersion: 74.20 ms
peer dispersion: 34.30 ms
reference time: 11:55:56.833 UTC Mar 2 2009(C7B15BCC.D5604189)

l After the configuration, the clock on NGFW_C can be synchronized with the clock on
NGFW_B.
Display the NTP status on NGFW_C and find that the clock status is synchronized. The
stratum of the clock is 4, one level below that of NGFW_B.
[NGFW_C] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.0.0.1
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^13
clock offset: 3.8128 ms
root delay: 31.26 ms
root dispersion: 74.20 ms
peer dispersion: 34.30 ms
reference time: 11:55:56.833 UTC Mar 2 2009(C7B15BCC.D5604189)

l Display the NTP status on NGFW_D and find that the clock status is synchronized. The
stratum of the clock is 4, one level below that of NGFW_B.
[NGFW_D] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.0.0.1
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^13
clock offset: 3.8128 ms
root delay: 31.26 ms
root dispersion: 74.20 ms
peer dispersion: 34.30 ms
reference time: 11:55:56.833 UTC Mar 2 2009(C7B15BCC.D5604189)

l Display NTP status on NGFW_A.


[NGFW_A] display ntp-service status
clock status: synchronized
clock stratum: 2
reference clock ID: LOCAL(0)
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz


clock precision: 2^13
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 26.50 ms
peer dispersion: 10.00 ms
reference time: 12:01:48.377 UTC Mar 2 2009(C7B15D2C.60A15981)
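A consistency check (added example, not part of the guide) over the status outputs shown above: it parses each device's display ntp-service status output and confirms that every client is synchronized to the address of its intended upstream and sits exactly one stratum below it. The caveat it also surfaces is that NGFW_A's reference clock ID LOCAL(0) means the whole hierarchy is anchored to NGFW_A's own free-running clock, so the clients inherit whatever time NGFW_A happens to have; nothing in this example ties it to an external time source. The status lines are copied from the Result section above, the hierarchy and addresses come from Figure 5-70, and the unsynchronized output for NGFW_D is constructed to show a failing check, not taken from a device.

```python
"""Check 'display ntp-service status' outputs against the intended NTP hierarchy (added example)."""
from typing import Dict, List, Optional

# Copied from the Result section above (sample input for this check).
STATUS = {
    "NGFW_A": """clock status: synchronized
clock stratum: 2
reference clock ID: LOCAL(0)
clock offset: 0.0000 ms
root dispersion: 26.50 ms
reference time: 12:01:48.377 UTC Mar 2 2009(C7B15D2C.60A15981)""",
    "NGFW_B": """clock status: synchronized
clock stratum: 3
reference clock ID: 2.2.2.2
clock offset: 3.8128 ms
root dispersion: 74.20 ms
reference time: 11:55:56.833 UTC Mar 2 2009(C7B15BCC.D5604189)""",
    "NGFW_C": """clock status: synchronized
clock stratum: 4
reference clock ID: 10.0.0.1
clock offset: 3.8128 ms""",
    "NGFW_D": """clock status: synchronized
clock stratum: 4
reference clock ID: 10.0.0.1
clock offset: 3.8128 ms""",
}

# Constructed (not from the guide): what a client that lost its server might report.
BAD_STATUS_D = """clock status: unsynchronized
clock stratum: 16
reference clock ID: 0.0.0.0
clock offset: 0.0000 ms"""

# Intended hierarchy from Figure 5-70: device -> upstream device (None = primary clock),
# and the address at which each server is reached.
UPSTREAM = {"NGFW_A": None, "NGFW_B": "NGFW_A", "NGFW_C": "NGFW_B", "NGFW_D": "NGFW_B"}
SERVER_ADDRESS = {"NGFW_A": "2.2.2.2", "NGFW_B": "10.0.0.1"}


def parse_status(text: str) -> Dict[str, str]:
    """Turn 'key: value' lines into a dict. Splitting on the first colon only keeps
    the hh:mm:ss inside 'reference time' intact."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields


def check_hierarchy(status: Dict[str, str], upstream: Dict[str, Optional[str]],
                    server_address: Dict[str, str]) -> Dict[str, List[str]]:
    """Return problems (hierarchy violations) and warnings (worth knowing, not failures)."""
    parsed = {dev: parse_status(text) for dev, text in status.items()}
    problems, warnings = [], []
    for dev, fields in parsed.items():
        if fields.get("clock status") != "synchronized":
            problems.append(f"{dev}: clock status is {fields.get('clock status')!r}")
        stratum = int(fields.get("clock stratum", "16"))
        ref = fields.get("reference clock ID", "")
        if stratum >= 16:
            problems.append(f"{dev}: stratum {stratum} means unsynchronized")
        up = upstream.get(dev)
        if up is None:
            # refclock-master: the reference is the device's own clock, not an external source
            if ref.startswith("LOCAL("):
                warnings.append(f"{dev}: reference clock {ref} is the device's own free-running "
                                "clock; its time is not traceable to an external source")
            else:
                problems.append(f"{dev}: expected a local reference clock, got {ref}")
            continue
        expected_ref = server_address[up]
        if ref != expected_ref:
            problems.append(f"{dev}: synchronized to {ref}, expected {up} at {expected_ref}")
        up_stratum = int(parsed.get(up, {}).get("clock stratum", "16"))
        if stratum != up_stratum + 1:
            problems.append(f"{dev}: stratum {stratum}, expected {up_stratum + 1} (one below {up})")
    return {"problems": problems, "warnings": warnings}


if __name__ == "__main__":
    print(check_hierarchy(STATUS, UPSTREAM, SERVER_ADDRESS))
    print(check_hierarchy(dict(STATUS, NGFW_D=BAD_STATUS_D), UPSTREAM, SERVER_ADDRESS))
```

Run after every NTP change on the four devices: an empty problems list means the hierarchy is as designed, and the LOCAL(0) warning is the reminder that the design only distributes NGFW_A's clock, not real time.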

5.11.6.2 Example for Configuring NTP Peer Mode


This section provides an example on how to configure common NTP peer mode on three
NGFWs.

Networking Requirements
As shown in Figure 5-71, three NGFWs are located on the same LAN.

l The clock on NGFW_A is the primary NTP clock, and the stratum is 2.
l NGFW_B takes NGFW_A as its NTP server. That is, NGFW_B functions as the client.
l NGFW_C takes NGFW_B as its passive peer. That is, NGFW_C acts as the active peer.

Figure 5-71 Networking diagram of the NTP peer mode (all three NGFWs on one LAN)

NGFW_A: GE1/0/1, 10.0.1.1/24
NGFW_B: GE1/0/1, 10.0.1.2/24
NGFW_C: GE1/0/1, 10.0.1.3/24

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the clock on NGFW_A as the NTP primary clock and have NGFW_B send clock
synchronization requests to NGFW_A.
2. Configure NGFW_C and NGFW_B as NTP peers and have NGFW_C send clock
synchronization requests to NGFW_B.
3. Synchronize the clocks on NGFW_A, NGFW_B, and NGFW_C.

Procedure
Step 1 Set the IP addresses.

# Set the IP address for the NGFW_A.


<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.0.1.1 24
[NGFW_A-GigabitEthernet1/0/1] quit

# Set the IP address for the NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.0.1.2 24
[NGFW_B-GigabitEthernet1/0/1] quit

# Set the IP address for the NGFW_C.


<NGFW_C> system-view
[NGFW_C] interface GigabitEthernet 1/0/1
[NGFW_C-GigabitEthernet1/0/1] ip address 10.0.1.3 24
[NGFW_C-GigabitEthernet1/0/1] quit

Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.

Step 3 Verify network-layer connectivity among NGFW_A, NGFW_B, and NGFW_C.

With the interface IP addresses configured according to Figure 5-71, the three NGFWs can
ping each other. The detailed procedure is omitted.

Step 4 Configure the NTP server/client mode.

# Configure the clock on NGFW_A as the reference clock, and the stratum is 2.
<NGFW_A> system-view
[NGFW_A] ntp-service refclock-master 2

# On NGFW_B, configure NGFW_A as the NTP server.


<NGFW_B> system-view
[NGFW_B] ntp-service unicast-server 10.0.1.1

After the configuration, the clock on NGFW_B can be synchronized with the clock on
NGFW_A.

Display the NTP status on NGFW_B and find that the clock status is synchronized. The stratum
of the clock on NGFW_B is 3, one level below that of NGFW_A.
[NGFW_B] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.0.1.1
nominal frequency: 64.0029 Hz
actual frequency: 64.0029 Hz
clock precision: 2^13
clock offset: 0.0000 ms
root delay: 62.50 ms
root dispersion: 0.20 ms
peer dispersion: 7.81 ms
reference time: 06:52:33.465 UTC Mar 7 2009(C7B7AC31.773E89A8)

Step 5 Configure the unicast NTP peer mode.

# On NGFW_C, configure NGFW_B as the passive peer.


<NGFW_C> system-view
[NGFW_C] ntp-service unicast-peer 10.0.1.2

No reference clock is configured on NGFW_C, so its clock is of lower quality (a higher stratum
number) than that of NGFW_B. Therefore, the clock on NGFW_C is synchronized with the clock on
NGFW_B, not the other way round.

----End

Result
Display the status of NGFW_C after clock synchronization. The clock status is synchronized,
that is, clock synchronization is complete, and the stratum of the clock on NGFW_C is 4, one
level below that of NGFW_B.
[NGFW_C] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.0.1.2
nominal frequency: 64.0029 Hz
actual frequency: 64.0029 Hz
clock precision: 2^13
clock offset: 0.0000 ms
root delay: 124.98 ms
root dispersion: 0.15 ms
peer dispersion: 10.96 ms
reference time: 06:55:50.784 UTC Mar 7 2009(C7B7ACF6.C8D002E2)

5.11.6.3 Example for Configuring NTP Authentication in Broadcast Mode


This section provides an example on how to configure NTP authentication in NTP broadcast
mode on the NGFWs that are deployed on different network segments.

Networking Requirements
As shown in Figure 5-72.

l NGFW_C and NGFW_D reside on the same network segment. NGFW_A resides on
another network segment. NGFW_B connects the two network segments.
l NGFW_C functions as the NTP broadcast server, and its local clock is the NTP primary
clock with stratum 3. NGFW_C sends broadcast packets from GigabitEthernet 1/0/2.
l NGFW_A and NGFW_D listen for the broadcast packets on their respective
GigabitEthernet 1/0/2 interfaces.
l NTP authentication is enabled.

After the configuration, the clock on NGFW_D synchronizes with the clock on NGFW_C
because the two reside on the same network segment. NGFW_A, however, cannot synchronize
its clock, because NGFW_A and NGFW_C are on different network segments and the broadcast
packets from NGFW_C are not forwarded to NGFW_A.


Figure 5-72 Networking diagram of the NTP broadcast mode

NGFW_A (GE1/0/2: 10.0.1.1/24) --- (GE1/0/2: 10.0.1.2/24) NGFW_B (GE1/0/1: 10.1.1.1/24)
NGFW_B (GE1/0/1: 10.1.1.1/24) --- NGFW_C (GE1/0/2: 10.1.1.2/24)
NGFW_B (GE1/0/1: 10.1.1.1/24) --- NGFW_D (GE1/0/2: 10.1.1.3/24)

Item Data

Stratum of the NTP primary 3


clock

Authentication key ID 16

Authentication Mode HMAC-SHA256

Password Hello@123

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure NGFW_C as the NTP broadcast server.
2. Configure NGFW_A and NGFW_D as the NTP broadcast clients.
3. Configure NTP authentication on NGFW_A, NGFW_C, and NGFW_D.

Procedure
Step 1 Set the IP addresses.
# Set the IP address for the NGFW_A.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.0.1.1 24
[NGFW_A-GigabitEthernet1/0/2] quit

# Set the IP addresses for the NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/2
[NGFW_B-GigabitEthernet1/0/2] ip address 10.0.1.2 24
[NGFW_B-GigabitEthernet1/0/2] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[NGFW_B-GigabitEthernet1/0/1] quit


# Set the IP address for the NGFW_C.


<NGFW_C> system-view
[NGFW_C] interface GigabitEthernet 1/0/2
[NGFW_C-GigabitEthernet1/0/2] ip address 10.1.1.2 24
[NGFW_C-GigabitEthernet1/0/2] quit

# Set the IP address for the NGFW_D.


<NGFW_D> system-view
[NGFW_D] interface GigabitEthernet 1/0/2
[NGFW_D-GigabitEthernet1/0/2] ip address 10.1.1.3 24
[NGFW_D-GigabitEthernet1/0/2] quit

Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.

Step 3 Set an IP address for each NGFW.

Step 4 Configure an NTP broadcast server and enable NTP authentication on it.

# Set the local clock of NGFW_C as the primary NTP clock at stratum 3.
<NGFW_C> system-view
[NGFW_C] ntp-service refclock-master 3

# Enable NTP authentication.


[NGFW_C] ntp-service authentication enable
[NGFW_C] ntp-service authentication-keyid 16 authentication-mode hmac-sha256 Hello@123
[NGFW_C] ntp-service reliable authentication-keyid 16

# Configure NGFW_C as an NTP broadcast server that authenticates its broadcast packets with
authentication key ID 16 and sends them from GigabitEthernet 1/0/2.
[NGFW_C] interface GigabitEthernet 1/0/2
[NGFW_C-GigabitEthernet1/0/2] ntp-service broadcast-server authentication-keyid 16
[NGFW_C-GigabitEthernet1/0/2] quit

Step 5 Configure NGFW_D.

# Enable NTP authentication.


<NGFW_D> system-view
[NGFW_D] ntp-service authentication enable
[NGFW_D] ntp-service authentication-keyid 16 authentication-mode hmac-sha256 Hello@123
[NGFW_D] ntp-service reliable authentication-keyid 16

# Configure NGFW_D as an NTP broadcast client that receives the broadcast packets from
GigabitEthernet 1/0/2.
[NGFW_D] interface GigabitEthernet 1/0/2
[NGFW_D-GigabitEthernet1/0/2] ntp-service broadcast-client
[NGFW_D-GigabitEthernet1/0/2] quit

After the configuration, the clock on NGFW_D is synchronized with the clock on NGFW_C.

Step 6 Configure NGFW_A.

# Enable NTP authentication.


[NGFW_A] ntp-service authentication enable
[NGFW_A] ntp-service authentication-keyid 16 authentication-mode hmac-sha256 Hello@123
[NGFW_A] ntp-service reliable authentication-keyid 16

# Configure NGFW_A as an NTP broadcast client that receives the NTP broadcast packets from
GigabitEthernet 1/0/2.
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ntp-service broadcast-client
[NGFW_A-GigabitEthernet1/0/2] quit

----End

Result
Display the NTP status on NGFW_D. You can find that the clock status is synchronized. That
is, the clock synchronization is complete. The stratum of the clock on NGFW_D is 4, one stratum
lower than that of NGFW_C.
[NGFW_D] display ntp-service status
clock status: synchronized
clock stratum: 4
reference clock ID: 10.1.1.2
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^13
clock offset: 0.0000 ms
root delay: 0.00 ms
root dispersion: 0.42 ms
peer dispersion: 0.00 ms
reference time: 12:17:21.773 UTC Mar 7 2009(C7B7F851.C5EAF25B)
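The authentication configured in this example, shown as an added Python illustration that is not part of the original guide: it builds a broadcast-mode NTP header as NGFW_C would send it, appends an authentication trailer for key ID 16 (HMAC-SHA256 keyed with Hello@123), and runs the checks an authenticating broadcast client such as NGFW_D applies before trusting the packet. The trailer layout (4-byte key ID followed by the full 32-byte HMAC-SHA256 over the 48-byte header), the reference ID "LOCL", and the timestamp are assumptions made for illustration; the NGFW's on-wire format is not described on this page.

```python
import hashlib
import hmac
import struct

# Trusted key table as created on NGFW_A, NGFW_C and NGFW_D in the example:
#   ntp-service authentication-keyid 16 authentication-mode hmac-sha256 Hello@123
#   ntp-service reliable authentication-keyid 16
TRUSTED_KEYS = {16: b"Hello@123"}

NTP_HEADER_LEN = 48            # unauthenticated NTPv4 header
NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)
MODE_BROADCAST = 5             # mode used by "ntp-service broadcast-server"
MAC_LEN = 32                   # HMAC-SHA256 output size (assumption: untruncated)


def build_header(mode, stratum, ref_id, unix_time):
    """Build a minimal 48-byte NTPv4 header (LI=0, VN=4, given mode)."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    poll, precision = 6, -13
    ntp_secs = unix_time + NTP_EPOCH_OFFSET
    timestamp = struct.pack("!II", ntp_secs, 0)      # 32.32 fixed point, no fraction
    return (struct.pack("!BBbb", li_vn_mode, stratum, poll, precision)
            + struct.pack("!II", 0, 0)                # root delay, root dispersion
            + ref_id                                  # 4-byte reference identifier
            + timestamp * 4)                          # ref, orig, rx, tx timestamps


def sign_packet(header, key_id, keys):
    """Server side: append key ID and HMAC-SHA256 over the header (assumed layout)."""
    mac = hmac.new(keys[key_id], header, hashlib.sha256).digest()
    return header + struct.pack("!I", key_id) + mac


def verify_packet(packet, trusted_keys, expected_mode=MODE_BROADCAST):
    """Client side with authentication enabled: returns (accepted, reason)."""
    if len(packet) < NTP_HEADER_LEN:
        return False, "packet shorter than an NTP header"
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if header[0] & 0x07 != expected_mode:
        return False, f"unexpected NTP mode {header[0] & 0x07}"
    if not trailer:
        # "ntp-service authentication enable": unauthenticated packets are not trusted
        return False, "no MAC present but authentication is required"
    if len(trailer) != 4 + MAC_LEN:
        return False, "malformed authentication trailer"
    key_id = struct.unpack("!I", trailer[:4])[0]
    key = trusted_keys.get(key_id)
    if key is None:
        # only keys declared with "ntp-service reliable authentication-keyid" count
        return False, f"key ID {key_id} is not a trusted key"
    expected = hmac.new(key, header, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, trailer[4:]):
        return False, "MAC mismatch (wrong password or modified packet)"
    return True, f"authenticated with key ID {key_id}"


def demo():
    """Cases a broadcast client like NGFW_D may see; returns {case: accepted}."""
    # NGFW_C: primary clock at stratum 3 ("ntp-service refclock-master 3"),
    # constructed timestamp, assumed reference ID "LOCL" for a local clock
    header = build_header(MODE_BROADCAST, 3, b"LOCL", 1236408950)
    genuine = sign_packet(header, 16, TRUSTED_KEYS)
    wrong_password = sign_packet(header, 16, {16: b"Hello@124"})
    unknown_key = sign_packet(header, 17, {17: b"Hello@123"})
    tampered = bytearray(genuine)
    tampered[1] = 1                       # stratum field rewritten after signing
    return {
        "genuine": verify_packet(genuine, TRUSTED_KEYS)[0],
        "unauthenticated": verify_packet(header, TRUSTED_KEYS)[0],
        "wrong_password": verify_packet(wrong_password, TRUSTED_KEYS)[0],
        "unknown_key_id": verify_packet(unknown_key, TRUSTED_KEYS)[0],
        "tampered": verify_packet(bytes(tampered), TRUSTED_KEYS)[0],
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:16s} -> {'accepted' if accepted else 'rejected'}")
```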

5.11.6.4 Example for Configuring the NTP Multicast Mode


This section provides an example on how to configure the NTP multicast mode.

Networking Requirements
As shown in Figure 5-73,

- NGFW_C and NGFW_D reside on the same network segment. NGFW_A resides on
another network segment. NGFW_B connects the two network segments.
- NGFW_C functions as an NTP multicast server, and its clock is a primary NTP clock at
stratum 2. NGFW_C sends multicast packets from GigabitEthernet 1/0/2.
- NGFW_D and NGFW_A each receive the multicast packets on their own GigabitEthernet
1/0/2 interface.


Figure 5-73 Networking diagram of the NTP multicast mode

[Figure: NGFW_A (GE1/0/2, 10.0.1.1/24) -- NGFW_B (GE1/0/2, 10.0.1.2/24; GE1/0/1, 10.1.1.1/24) -- NGFW_C (GE1/0/2, 10.1.1.2/24) and NGFW_D (GE1/0/2, 10.1.1.3/24) on the same segment as GE1/0/1 of NGFW_B]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure NGFW_C as the NTP multicast server.


2. Configure NGFW_A and NGFW_D as the NTP multicast clients.

Procedure
Step 1 Set the IP addresses.

# Set the IP address for the NGFW_A.


<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.0.1.1 24
[NGFW_A-GigabitEthernet1/0/2] quit

# Set the IP addresses for the NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/2
[NGFW_B-GigabitEthernet1/0/2] ip address 10.0.1.2 24
[NGFW_B-GigabitEthernet1/0/2] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[NGFW_B-GigabitEthernet1/0/1] quit

# Set the IP address for the NGFW_C.


<NGFW_C> system-view
[NGFW_C] interface GigabitEthernet 1/0/2
[NGFW_C-GigabitEthernet1/0/2] ip address 10.1.1.2 24
[NGFW_C-GigabitEthernet1/0/2] quit

# Set the IP address for the NGFW_D.


<NGFW_D> system-view
[NGFW_D] interface GigabitEthernet 1/0/2
[NGFW_D-GigabitEthernet1/0/2] ip address 10.1.1.3 24
[NGFW_D-GigabitEthernet1/0/2] quit


Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.
Step 3 Configure NGFW_C as the NTP multicast server.
# Set the local clock on NGFW_C as the primary NTP clock at stratum 2.
<NGFW_C> system-view
[NGFW_C] ntp-service refclock-master 2

# Configure NGFW_C as the NTP multicast server that sends NTP multicast packets from
GigabitEthernet 1/0/2.
[NGFW_C] interface GigabitEthernet 1/0/2
[NGFW_C-GigabitEthernet1/0/2] ntp-service multicast-server

Step 4 Configure NGFW_D.


# Configure NGFW_D as an NTP multicast client that receives the NTP multicast packets from
GigabitEthernet 1/0/2.
<NGFW_D> system-view
[NGFW_D] interface GigabitEthernet 1/0/2
[NGFW_D-GigabitEthernet1/0/2] ntp-service multicast-client

Step 5 Configure NGFW_A.


# Configure NGFW_A as an NTP multicast client that receives the NTP multicast packets from
GigabitEthernet 1/0/2.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ntp-service multicast-client

----End

Result
After the configuration, the clock on NGFW_D is synchronized with the clock on NGFW_C.
The clock on NGFW_A, however, fails to be synchronized because NGFW_A and NGFW_C
reside on different network segments. Therefore, NGFW_A cannot receive the multicast packets
from NGFW_C.
Display the NTP status on NGFW_D. You can find that the clock status is synchronized. That
is, the clock synchronization is complete. The stratum of the clock on NGFW_D is 3, one stratum
lower than that on NGFW_C.
[NGFW_D] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 10.1.1.2
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^13
clock offset: 0.66 ms
root delay: 24.47 ms
root dispersion: 208.39 ms
peer dispersion: 9.63 ms
reference time: 17:03:32.022 UTC Apr 25 2009(C61734FD.800303C0)

5.11.7 Feature History


This section describes the versions and changes in the NTP feature.


Version | Change Description
V100R001C00 | The first version.

5.12 Update Center


This section describes how to update the signature database to the specified versions to enhance
the dynamic defense capabilities of a network security device.

5.12.1 Overview
The update center can update the signature databases. Updating the signature databases enhances
the NGFW's capability in identifying intrusions, viruses, applications, and locations of IP
addresses and increases the identification ratio.

To enable the NGFW to identify new applications and defend against new attacks and viruses,
you must update the signature databases on the NGFW.

Signature databases fall into:

- IPS signature database
- Antivirus signature database
- Application signature database for the device to identify application protocols
- Region identification signature database for the device to identify locations of IP addresses
NOTE

Updating the IPS signature database and antivirus signature database requires licenses. Ensure that the
licenses for updating the two signature databases are available and activated.
The region identification signature database supports only local update.

The signature database supports Scheduled Update, Immediate Update, and Local Update.
Select one as required.

Scheduled Update
Scheduled update means that the device automatically downloads and updates the signature
database from a specified update server at a specified interval. Depending on the deployment
environment, scheduled update can go through a directly connected update server or through a
proxy server.
- Update through a directly connected update server
The update server is either the security center or another update server.
When the NGFW directly communicates with the update server over the Internet, it updates
the signature database through the update server. The default domain name of the security
center is sec.huawei.com.
As shown in Figure 5-74, the NGFW sends a version update request to the security center.
After passing update permission authentication, the NGFW downloads the latest signature
database from the security center.


Figure 5-74 Update through the security center

[Figure: the NGFW on the intranet (1) sends the update request to the Security Service Center, which verifies the update right, and (2) downloads the update package]

- Update through a proxy server


If the NGFW does not directly connect to the security center over the Internet, it can connect
to the proxy server on the intranet to indirectly connect to the security center, as shown in
Figure 5-75. The NGFW connects to the proxy server and sends it an update request. The
proxy server forwards the update request to the security center. After the security center
authenticates the update permission, the proxy server downloads the latest signature
database from the security center and transmits it to the NGFW.
NOTE

If the proxy server runs Windows, CCProxy is recommended. If the proxy server runs Linux, Squid is
recommended. Ensure that the proxy server opens the HTTP port and allows the four HTTP methods PUT, GET,
CONNECT, and POST.

Figure 5-75 Update through a proxy server

[Figure: NGFW on the intranet, Proxy Server, Security Service Center. 1. The NGFW connects to the proxy server and sends it an update request. 2. The proxy server confirms the identity. 3. The proxy server forwards the update request and the security center verifies the update permission. 4. The proxy server downloads the latest signature database.]

Immediate Update
You can enable immediate update when new attacks, viruses, or applications are detected on the
network but the signature database cannot be updated immediately through scheduled update.

The download address and process for immediate update are the same as those for scheduled
update. The two update modes differ in that immediate update can be performed at any time,
whereas scheduled update runs at the specified time.


Local Update
- IPS, antivirus, and application signature databases
If the NGFW has no access to the Internet and the intranet has no update server, you can
use local update.
As shown in Figure 5-76, the administrator logs in to the security center to download the
update file and save the file to the local PC. The administrator then logs in to the NGFW
and uploads the file to the NGFW through FTP, SFTP, TFTP, or Web to update the signature
database locally.

Figure 5-76 Networking diagram of the local update

[Figure: Administrator, Security Service Center, and NGFW in the Untrust zone. 1. Logging in and registering. 2. Obtaining the offline update package. 3. Uploading the package to the device for updating.]

NOTE

If you use FTP, SFTP, or TFTP to upload the update file, the file is uploaded to the specified directory
on the NGFW. If you use the Web UI, the update file is uploaded to the root directory of the CF card
(USG6000 series) or eUSB (NGFW Module) on the NGFW.
- Region identification signature database
The region identification signature database supports only local update. The database is
released irregularly. You can obtain an update file using either of the following methods:
– Log in to the technical support website and download the signature database from the
Software area.
– Download the update file from https://sec.huawei.com.

5.12.2 Managing the Signature Database Using the Web UI


This section describes how to manage the signature database using the Web UI.

5.12.2.1 Scheduled Update


You can configure scheduled update if the NGFW can access the security center or intranet
update server.


Prerequisites
- A license is available for updating the signature database, and the license is activated on
the NGFW.
- The NGFW can access the security center directly or through the proxy server.
- HTTP and FTP are required for communication and downloading signature databases.
Therefore, security policies have been configured to permit HTTP and FTP traffic.

Procedure
Step 1 Choose System > Update Center.

Step 2 Click Server IP Address to the right of Refresh.

Step 3 Set the server IP address and scheduled update time.

Parameter | Description
Server IP Address | Enter the IP address of the server that the NGFW accesses for the scheduled update. This address can be an IP address or a domain name. By default, update through the security center (domain name: sec.huawei.com) is used. Note: (1) You must configure the DNS to resolve the domain name of the security center. For details, see 8.3 DNS. (2) To update through another update server or a proxy server, set the server IP address to that of the other update server or the proxy server.
Port | The port of the server. The default port is 80.
Scheduled Update Time | Enter a time for the scheduled update. Select the update interval from the drop-down list (daily or a specified day of every week), then enter the hour and minute in the text box to the right of the drop-down list.
Proxy server address | If the device cannot directly access the security center platform, you can use a proxy server to connect to the security center platform for upgrading. The proxy server address can be an IP address or a domain name. Note: If a proxy server domain name is used, you must configure DNS to resolve the domain name. For details, see 8.3 DNS.
Proxy server port | The port of the proxy server.
User name / Password | The user name and password for logging in to the proxy server.

Step 4 Click OK.


Step 5 Select Enable Scheduled Update for the signature database on which the scheduled update is
enabled.

Step 6 After the update succeeds, you can see that Status is The loading succeeded. and Current
Version is the target version.
NOTE

After scheduled update is enabled, if the network rate is too low and the update affects the services and
performance of the NGFW, you can abort the update.

----End

5.12.2.2 Immediate Update


You can perform the update immediately if you need to update the signature database before the
time specified for the scheduled update.

Prerequisites
- A license is available for updating the signature database, and the license is activated on
the NGFW.
- The NGFW can access the update server directly or through the proxy server.
- HTTP and FTP are required for communication and downloading signature databases.
Therefore, security policies have been configured to permit HTTP and FTP traffic.

Immediate Update

Step 1 Choose System > Update Center.

Step 2 Click Update Immediately for the signature database to be updated.

Step 3 Click OK.

Step 4 After the update succeeds, you can see that Status is The loading succeeded. and Current
Version is the target version.
NOTE

After immediate update is started, if the network rate is too low and the update affects the services and
performance of the NGFW, you can abort the update.

----End

5.12.2.3 Local Update


If the device cannot access the security center, locally update the IPS, antivirus, and application
signature databases. The region identification signature database supports only local update.

Prerequisites
You have obtained update files from the security center (sec.huawei.com), as shown in Figure
5-77.


Figure 5-77 Download Page

[Figure: download page with the Antivirus, IPS, SA signature, and Location signature entries]

Procedure
Step 1 Choose System > Update Center.
Step 2 Click Update Locally for the signature database to be updated.
Step 3 Click Browse... to select an update file.
NOTE
The IPS, antivirus, and application signature databases and region identification signature database update files
support the .zip format. When you select a file package, upload the .zip file that you have downloaded from the
website.

Step 4 Click Update.


Step 5 After the update succeeds, you can see that Status is The loading succeeded. and Current
Version is the target version.

----End

5.12.2.4 Version Rollback


If the false positive ratio of the current version is high or an anomaly occurs, you can roll back
the version.
Background

NOTICE
The version can be rolled back only once, to the previous version. Rolling back repeatedly only
switches between the current version and the previous version.

Version Rollback

Step 1 Choose System > Update Center.

Step 2 Click Roll Back for the signature database to be rolled back.

Step 3 Click OK.

Step 4 After the version rollback succeeds, you can see that Status is The version rollback
succeeded. and Current Version is the source version.

----End

5.12.2.5 Maintaining the Update


This section describes the reasons for and solutions to signature database update failures.

After the signature database is successfully updated, The loading succeeded is displayed in
Status, and the latest version number is displayed in Current Version. If the signature database
update fails, Status displays the specific update status information, as shown in Table 5-37.

Table 5-37 Status information of signature database update failures

No. | Status Information | Possible Causes
1 | The update service is not activated. Please purchase this service. | 1. The license file is not loaded. 2. The corresponding license control item is disabled in the license.
2 | The update service has expired. Please renew this service. | 1. The end time of the license control item of the update service is earlier than the current system time. 2. The end time of the license control item of the update service is earlier than the release time of the signature database.
3 | Failed to resolve the domain name of the update server. Please check the configuration or network connection. | 1. The current network environment is poor, and the device cannot connect to the DNS server. 2. The DNS server configuration is incorrect. 3. The domain name of the update server is incorrect.
4 | Failed to resolve the domain name of the download server. Please check the configuration or network connection. | 1. The current network environment is poor, and the device cannot connect to the DNS server. 2. The DNS server configuration is incorrect.
5 | Failed to connect to the update server. Please check the configuration or network connection. | 1. The current network environment is poor, and the device fails to set up a TCP connection with the security server. 2. The IP address of the update server is incorrect.
6 | Failed to connect to the download server. Please check the configuration or network connection. | The current network environment is poor, and the device fails to set up a TCP connection with the download server.
7 | An error occurred during online update initialization. | An error occurred when the online update parameters were initialized during device startup.
8 | Disconnected from the update server. Please check the network connection. | 1. The current network environment is poor. As a result, a large number of packets are lost during the signature database update, causing the network interruption. 2. The network is disconnected unexpectedly during the update. For example, a related interface is disabled, or the dial-up is interrupted.
9 | The current version is the latest. | The signature database version on the current device is up to date.
10 | No available update file was found. Please contact customer service personnel. | 1. The current device model and version are not registered on the update server. 2. An error occurred when the signature database was released on the update server. As a result, the incremental update package is released, but the full update package is not. 3. The current signature database version on the device is higher than the version released on the update server.
11 | The target version is running. | The target version used in local update is already running on the device.
12 | The remaining space of the CF card is insufficient. | The remaining CF card space (250 MB) is smaller than the lower limit for update.
13 | Failed to verify the signature database file. Please re-download the file. | The MD5 value of the signature database file downloaded from the download server is different from that returned by the update server. The problem usually occurs on networks with packet loss faults.
14 | Failed to parse the signature database. Please change the signature database file. | The signature database file format is correct but does not match the internal format defined by modules. This problem usually occurs when the signature database version is incompatible with the engine version.
15 | The update is administratively terminated. | The administrator runs the update abort command while the online signature database is being downloaded.
16 | Signature database file error. Please re-download the file. | 1. The signature database file format is incorrect. 2. The signature database file for another module is used. For example, the SA signature database file is used during IPS update. 3. The signature database file used in local update does not match the current system software version.
17 | Busy engine. Please try again later. | 1. The signature database compilation duration exceeds 30 minutes. 2. Failed to send the update message to the engine process.
18 | Engine compilation failed. Please re-download the signature database file. | 1. Failed to call the state machine for compilation. This problem usually occurs when the signature database contains non-standard regular expressions. 2. The peak memory during compilation is too high, and memory space cannot be obtained.
19 | The engine is compiling. Please try again later. | The signature database is being compiled when the update command is run.
20 | The engine is not working properly. Please try again later. | The engine status is abnormal during the update.
21 | System memory resources are insufficient. Please try again later. | During the update, the system memory is lower than the lower limit for update.
22 | Failed to read the electronic label. Please contact customer service personnel. | No electronic label is loaded.
23 | Updating the signature database… Please try again later. | The signature database is being updated when the update command is run.
24 | The engine is not ready. Please try again later. | The engine is not completely started when the update command is run.
25 | No CF card exists, or the CF card is not formatted. | No CF card is inserted, or the CF card format is incorrect.
26 | Failed to access the update directory. Please contact customer service personnel. | Failed to access the update directory under the root directory of the CF card.
27 | Failed to authenticate the proxy server. Please check the update proxy configuration. | 1. The IP address of the update proxy server is incorrect. 2. The user name and password of the update proxy server are incorrectly configured.
28 | Failed to connect to the proxy server. Please check the configuration or network connection. | 1. The current network environment is poor, and the device cannot connect to the update proxy server. 2. The IP address of the update proxy server is incorrect.
29 | Failed to resolve the domain name of the proxy server. Please check the configuration or network connection. | The current network environment is poor, and the device cannot connect to the DNS server.

5.12.3 Managing the Signature Database Using the CLI


This section describes how to use the CLI to manage the signature database.


5.12.3.1 Installation Mode


You can manually install the downloaded signature database after confirmation or enable the
system to install the signature database automatically after the download is complete.

Context
If you enable the installation confirmation function, the new signature database version is
downloaded but not installed in the scheduled update and immediate update. When you want to
install the new version, you need to run the update confirm command.
By default, the installation confirmation function is disabled. The new signature database version
is installed directly after the download.

Procedure
- Manual installation
Confirm the downloaded new signature database version and run a specified command to
install it.
1. Access the system view.
system-view
2. Enable the installation confirmation function for installing the signature database
version.
update confirm { av-sdb | ips-sdb | sa-sdb } enable
If a new signature database version exists on the NGFW and needs to be installed, go to
Step 3.
3. Install the new signature database version.
update apply
- Automatic installation
Enable the system to install the new version automatically after the download is complete.
1. Access the system view.
system-view
2. Disable the installation confirmation function for installing the signature database
version.
undo update confirm { av-sdb | ips-sdb | sa-sdb } enable
----End

Follow-up Procedure
Run the display update configuration command to view the installation mode of a new
signature database version.
<NGFW> display update configuration
Update Configuration Information:
------------------------------------------------------------
Internal Update Mode : Disable
Internal Update Server : -
Internal Update Port : 80
IPS-SDB:
Application Confirmation : Enable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:24
AV-SDB:
Application Confirmation : Enable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:24
SA-SDB:
Application Confirmation : Enable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:24
------------------------------------------------------------
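An added Python check, not part of the guide, that parses display update configuration output of the form shown above and reports, per signature database, whether scheduled update is off or installation confirmation is on (in which case a downloaded version waits for update apply). The sample output is constructed from the page's format; the AV-SDB and SA-SDB values were altered from the page's own output so that the audit has something to report.

```python
import re

# Constructed sample in the format of "display update configuration";
# AV-SDB and SA-SDB values differ from the page's output on purpose.
SAMPLE_OUTPUT = """\
Update Configuration Information:
------------------------------------------------------------
Internal Update Mode : Disable
Internal Update Server : -
Internal Update Port : 80
IPS-SDB:
Application Confirmation : Enable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:24
AV-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Weekly
Schedule Update Time : 02:24
SA-SDB:
Application Confirmation : Disable
Schedule Update : Disable
Schedule Update Frequency : Daily
Schedule Update Time : 02:24
------------------------------------------------------------
"""

SDB_HEADER = re.compile(r"^([A-Z]+-SDB):$")   # IPS-SDB:, AV-SDB:, SA-SDB:


def parse_update_configuration(text):
    """Split the output into global settings and one dict per signature database."""
    config = {"global": {}, "sdb": {}}
    current = config["global"]
    for raw in text.splitlines():
        line = raw.strip()
        match = SDB_HEADER.match(line)
        if match:
            # every following "key : value" line belongs to this database
            current = config["sdb"].setdefault(match.group(1), {})
        elif " : " in line:
            key, value = (part.strip() for part in line.split(" : ", 1))
            current[key] = value
    return config


def audit_update_configuration(config):
    """Return (database, finding) pairs an operator should look at."""
    findings = []
    for name, settings in sorted(config["sdb"].items()):
        if settings.get("Schedule Update") != "Enable":
            findings.append((name, "scheduled update disabled; the database ages "
                                   "unless it is updated by hand"))
        if settings.get("Application Confirmation") == "Enable":
            findings.append((name, "installation confirmation enabled; a downloaded "
                                   "version is not active until 'update apply' is run"))
    return findings


if __name__ == "__main__":
    parsed = parse_update_configuration(SAMPLE_OUTPUT)
    for database, finding in audit_update_configuration(parsed):
        print(f"{database}: {finding}")
```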

5.12.3.2 Scheduled Update


After you enable scheduled update, the NGFW automatically updates the signature database at
the specified time.

Configuring Scheduled Update from the Security Center


If the NGFW can access an update server, you can configure scheduled update through the update
server.

NOTE
Ensure that a license for updating the signature database is available and the license is activated on the
NGFW.

Step 1 Configure the security center.


1. Access the system view.
system-view
2. Set the domain name of the security center.
update server domain domain-name
The default domain name of the security center is sec.huawei.com.
After you configure the domain name of the security center, you must configure the DNS
server to resolve the domain name. For details, see Step 2.
Step 2 Optional: Configure the DNS server.
1. Enable the domain name resolution function of the DNS server.
dns resolve
2. Set an IP address for the DNS server.
dns server ip-address
Step 3 Optional: Set the source interface that sends the upgrade request packets.
update host source interface-type interface-number
By default, the online update query request packet is sent by the WAN interface to the Internet
server. You can run update host source to specify a LAN interface to send such packets. After
the interface is specified, the IP address of this interface is the source IP address of the request
packet.


NOTE

The specified source interface cannot be one bound to a virtual system. Otherwise, the update fails.

Step 4 Enable the scheduled update time function.

update schedule { av-sdb | ips-sdb | sa-sdb } enable

Step 5 Set the scheduled update time of the signature database.

update schedule [ { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time ]

NOTE

If the scheduled update affects the service performance of the NGFW, you can run the update abort
command to terminate the update. When the network connection is good, you can run the update online
{ av-sdb | ips-sdb | sa-sdb } command to download the latest signature database.

Step 6 Optional: Install the new signature database after the new signature database downloading.

update apply { av-sdb | ips-sdb | sa-sdb }

NOTE

If the new signature database is installed automatically after the download, you do not need to run this
command. To change the installation mode of the new signature database, see 5.12.3.1 Installation
Mode.

----End

Configuring Scheduled Update from the Intranet Update Server


You can update the signature database through a proxy server if the NGFW cannot reach the
security center directly.

Prerequisites:
l A license for updating the signature database is available, and the license has been activated
on the NGFW.
l The NGFW can communicate with the proxy server; the proxy server can communicate
with the security center.
l You have obtained the user name and password for logging in to the proxy server.

To update from the intranet update server, you need a license. The license verifies whether you
have the permission to update certain modules.

Step 1 Set the domain name (or IP address), user name, and password of the proxy server.

update proxy { domain domain-name | ip ip-address } [ port port-number ] [ user user-name [ password password ] ]

NOTE

If a domain name is configured for the proxy server, a DNS server must be configured to resolve the domain name.
For the procedure, see Step 2.

Step 2 Optional: Configure the DNS server.


1. Enable the domain name resolution function of the DNS server.

dns resolve


2. Set an IP address for the DNS server.

dns server ip-address

Step 3 Optional: Set the source interface which sends the upgrade request packets.

update host source interface-type interface-number

By default, the online update query request packet is sent by the WAN interface to the Internet
server. You can run update host source to specify a LAN interface to send such packets. After
the interface is specified, the IP address of this interface is the source IP address of the request
packet.

NOTE

The specified source interface cannot be one bound to a virtual system. Otherwise, the update fails.

Step 4 Enable the scheduled update time function.

update schedule { av-sdb | ips-sdb | sa-sdb } enable

Step 5 Set the scheduled update time of the signature database.

update schedule [ { daily | weekly { Mon | Tue | Wed | Thu | Fri | Sat | Sun } } time ]

Step 6 Install the new signature database after the new signature database downloading.

update apply { av-sdb | ips-sdb | sa-sdb }

NOTE

If the new signature database is installed automatically after the download, you do not need to run this
command. To change the installation mode of the new signature database, see 5.12.3.1 Installation
Mode.

----End

5.12.3.3 Immediate Update


You can perform the update immediately when new attacks, viruses, or applications are detected
on the network and waiting for the next scheduled update is not acceptable.

Background
The immediate update uses the same update server or proxy server as that for the scheduled
update. The download process is also the same as that for the scheduled update. The two update
modes differ in that immediate update can be performed at any time whereas scheduled update
must be implemented at the specified time.

NOTE
Ensure that a license for updating the signature database is available and the license is activated on the
NGFW.

Configuring Immediate Update

Step 1 Optional: Configure the security center or intranet update server. For details, see 5.12.3.2
Scheduled Update.


If you have configured the security center or intranet update server in 5.12.3.2 Scheduled
Update, skip this step.

Step 2 Optional: Set the source interface which sends the upgrade request packets.

update host source interface-type interface-number

By default, the online update query request packet is sent by the WAN interface to the Internet
server. You can run update host source to specify a LAN interface to send such packets. After
the interface is specified, the IP address of this interface is the source IP address of the request
packet.

NOTE

The specified source interface cannot be one bound to a virtual system. Otherwise, the update fails.

Step 3 Download the latest version of the signature database.


update online { av-sdb | ips-sdb | sa-sdb }
NOTE

If the immediate update affects the service performance of the NGFW, you can run the update abort { av-
sdb | ips-sdb | sa-sdb } command to terminate the update. When the network connection is good, run the
Step 3 command to download the latest signature database.

Step 4 Install the new signature database.


update apply { av-sdb | ips-sdb | sa-sdb }
NOTE

If the new signature database is installed automatically after the download, you do not need to run this
command. To select the installation mode of the new signature database, see 5.12.3.1 Installation
Mode.

----End
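The two scheduled-update procedures in 5.12.3.2 (security center, then the proxy variant) and the immediate update above, put together as one CLI session. This is an added example, not a session taken from the Huawei guide. The DNS server 10.1.1.53, the interface GigabitEthernet 1/0/1, the proxy host proxy.corp.example, port 8080 and the account sdb-updater are constructed values; the <NGFW> and [NGFW] prompts are illustrative, and lines beginning with # are annotations rather than commands. The display commands used for verification are the ones listed in 5.12.3.7.

```text
# Added example, not from the Huawei guide. Constructed values: 10.1.1.53,
# GigabitEthernet 1/0/1, proxy.corp.example, sdb-updater. Prompts are illustrative.

<NGFW> system-view
[NGFW] update server domain sec.huawei.com          # the default; shown explicitly
[NGFW] dns resolve                                  # required because a domain name is used
[NGFW] dns server 10.1.1.53
[NGFW] update host source GigabitEthernet 1/0/1    # LAN-side source; must not be bound to a virtual system
[NGFW] update schedule ips-sdb enable
[NGFW] update schedule av-sdb enable
[NGFW] update schedule sa-sdb enable
[NGFW] update schedule daily 02:24                  # alternative: update schedule weekly Sun 02:24

# Variant for an NGFW that cannot reach sec.huawei.com directly: go through a proxy.
# The credential is stored in the device configuration, so use a dedicated account
# that can do nothing except reach the security center.
[NGFW] update proxy domain proxy.corp.example port 8080 user sdb-updater password Pr0xy-Upd@te-2015

# Verify what was configured and which interface the requests will leave from
[NGFW] display update configuration
[NGFW] display update host source

# Immediate update when a new threat cannot wait until 02:24
[NGFW] display version ips-sdb                      # record the version currently loaded
[NGFW] update online ips-sdb
[NGFW] display update status                        # watch the download progress
# If the download is hurting forwarding performance, stop it and retry later:
[NGFW] update abort ips-sdb

# Needed only if the installation mode (5.12.3.1) requires manual confirmation
[NGFW] update apply ips-sdb
[NGFW] display version ips-sdb                      # confirm the new version is in use
```

Run the update online and update apply commands for av-sdb and sa-sdb in the same way. If display update status reports a failure, the usual causes are the DNS server not resolving sec.huawei.com, the chosen source interface having no route to the update server or proxy, or an expired update license.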

5.12.3.4 Local Update


If the device cannot access the security center, locally update the IPS, antivirus, and application
signature databases. The region identification signature database supports only local update.

Prerequisites
The update file must be obtained from the security center and uploaded to the NGFW before the
update.

NOTE

If you use FTP, SFTP, or TFTP to upload the update file, the file is uploaded to the specified directory on
the NGFW. If you use the Web, the update file is uploaded to the root directory of the CF card (USG6000
series)/ eUSB (NGFW Module) on the NGFW.

Procedure
Step 1 Download the update package.
l IPS, antivirus, and application signature databases: Download update packages from the
security center ( sec.huawei.com ) , as shown in Figure 5-78. For details, refer to Help of
the security center.


l Region identification signature database: Log in to the technical support website and click
Software to download the signature database or download it from the security center
( sec.huawei.com ) .

Figure 5-78 Download Page (figure not reproduced; the page lists the Antivirus, IPS, SA signature, and Location signature packages)

Step 2 Upload the upgrade package from the PC to the specified directory of the NGFW.

Step 3 Access the system view.

system-view

Step 4 Enable the local update.

update local { av-sdb | ips-sdb | location-sdb | sa-sdb } file filename

filename is the complete path of the update file in the local file system, for example,
hda1:/IU_cup$20ips20100628.004.x01.zip.
NOTE
The IPS, antivirus, and application signature databases and region identification signature database update files
support the .zip format. When you select a file package, upload the .zip file that you have downloaded from the
website.

----End


5.12.3.5 Version Rollback


When the current signature database is faulty (for example, it causes false positives or degrades
system performance), you can roll back the current signature database to the previous version
through version rollback.

Context
Only one previous version is retained for rollback. If you perform the rollback repeatedly, the NGFW
switches back and forth between the current version and the rollback version.

NOTICE
Before the version rollback, you are advised to run the display version { { av-sdb | engine |
ips-sdb | sa-sdb }* | location-sdb } command to view the information about the rollback version.
Then, you can choose whether to perform the version rollback. If no rollback version is available,
the version rollback fails. The version in the device remains unchanged.

Procedure
Step 1 Access the system view.

system-view

Step 2 Roll back the signature database to an available rollback version.

update rollback { av-sdb | ips-sdb | location-sdb | sa-sdb }

----End

5.12.3.6 Version Restore


If an exception occurs during the update of the signature database, you can restore the signature
database to the factory default version and perform the update again.

Context

NOTICE
If the signature database is restored to the factory default version, all other versions on the
NGFW are deleted. Perform the operation with caution.

Procedure
Step 1 Access the system view.

system-view

Step 2 Restore the signature database to the factory default version.


update restore sdb-default { av | ips | sa }

----End
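The local update (5.12.3.4), rollback (5.12.3.5) and restore (5.12.3.6) procedures as one CLI session, added here as an example rather than taken from the guide. It assumes the IPS package (file name reused from 5.12.3.4) has already been uploaded by SFTP, as described in 5.10.3, to the root directory of hda1:. The dir command used to confirm the upload is a standard file-system command assumed to be available and is not described in this section; prompts are illustrative and lines beginning with # are annotations.

```text
# Added example, not from the Huawei guide. Assumes the package was uploaded by SFTP
# to hda1:/ beforehand; dir is assumed to be available; prompts are illustrative.

<NGFW> dir hda1:/                                   # confirm the .zip is present in the root directory
<NGFW> system-view
[NGFW] display version ips-sdb                      # record the version you will be able to roll back to
[NGFW] update local ips-sdb file hda1:/IU_cup$20ips20100628.004.x01.zip
[NGFW] display version ips-sdb                      # the new version should now be listed as current

# A signature in the new package produces false positives in production: go back one version.
# Only one rollback version is kept, so running this twice returns you to the new package.
[NGFW] update rollback ips-sdb
[NGFW] display version ips-sdb

# Last resort when the database is left inconsistent by a failed update. This deletes
# every other stored version, so load a fresh package immediately afterwards.
[NGFW] update restore sdb-default ips
[NGFW] update local ips-sdb file hda1:/IU_cup$20ips20100628.004.x01.zip
[NGFW] display version ips-sdb
```

The region identification database follows the same pattern with location-sdb in update local and update rollback; it has no restore command in this section, and it cannot be updated online at all.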

5.12.3.7 Maintaining the Update


This section describes the operations for update troubleshooting and routine maintenance.

Checking Update Information


After the update is complete, you can run the display commands in any view to check the update
information, as shown in Table 5-38.

Table 5-38 Checking update information

Action                                                        Command
Check the version of the engine or signature database.       display version
Check the update configuration.                               display update configuration
Check the current update status.                              display update status
Check the interface that sends the upgrade request packets.  display update host source

Debugging the Update Function


When faults occur on the update module, you can run the debugging commands in the user view
to view the debugging information and locate and analyze the faults.

Before you enable the debugging function, you must run the terminal monitor and terminal
debugging commands in the user view to enable the information display function and debugging
display function of the terminal, so that debugging information can be displayed on the terminal.

NOTICE
Enabling the debugging affects system performance. Therefore, after the debugging, you should
run the undo debugging all command to disable the debugging immediately.

For the description of the debugging commands, refer to the Debugging Reference.


Table 5-39 Debugging the update function

Action                                                     Command
Enable all the debugging functions of the update module.  debugging update all
Enable the error debugging of the update module.          debugging update error
Enable the event debugging of the update module.          debugging update event
Enable the data debugging of the update module.           debugging update data
Enable the function debugging of the update module.       debugging update func
Enable the timer debugging of the update module.          debugging update timer

5.12.4 Feature History


This section describes the versions and changes in the signature database update feature.

Version             Change Description

V100R001C30         The Web UI provides the causes and solutions of signature database
                    update failures.

V100R001C20SPC100   Deleted intranet update from signature database update and added
                    signature database update through a proxy server.

V100R001C10         l Added local update for the region identification signature database.
                    l Supported separate update of the IPS signature database. Updating the
                    IPS signature database does not require restarting other content
                    security services.

V100R001C00         The first version.

5.13 System Upgrade


This section describes how to upgrade the system software and install patch files.

5.13.1 Upgrading the System Using the Web UI


This section describes how to use the Web UI to upgrade the system software and install a patch
file.


Viewing System Version Information


Step 1 Choose System > System Upgrade.
The Current Version is the system version information. For detailed information, click
Details on the right.

----End

Upgrading System Software


Perform the following two steps to upgrade the system software:
1. Upload the system software to the NGFW. Ensure that the free storage space is sufficient
on the NGFW. If the space is insufficient, delete unnecessary files first.
2. Specify the system software for the next startup.

The extension name of a system software file is .bin. The software file name cannot contain any
Chinese characters.

Step 1 Choose System > System Upgrade.

Step 2 Click Select. The System Software Management window is displayed.

Step 3 Click Upload. The Upload File window is displayed.

Step 4 Click Browse. Select the system software to be uploaded.

Step 5 Click Upload to upload the system software.


After the system software is uploaded successfully, return to the System Software
Management page, and the new system software file is displayed in the list.

Step 6 Click the corresponding icon to set the file as the system software for the next startup.
The upgraded system software can be used only after you restart the NGFW.

----End

One-Touch Upgrading the System Software


If the free storage space on the NGFW is insufficient, the NGFW automatically deletes the
currently running system software file to make room. Keep a copy of that file on the terminal
in case you need to roll back.

The extension name of a system software file is .bin. The software file name cannot contain any
Chinese characters.

Step 1 Choose System > System Upgrade.

Step 2 Click One-Touch Version Upgrade. The One-Touch Version Upgrade wizard is displayed.

Step 3 Optional: Click the Export buttons in sequence to export the alarm information, log
information, and configuration information about the NGFW to the terminal.

Step 4 Optional: Click Save to save the current system configuration information.
You are advised to save the current system configuration information to the terminal.

Step 5 Click Browse and select the system software to be uploaded.


Step 6 Select Restart the system now or Do not restart the system according to whether the current
network allows the device to restart immediately after system upgrade.
Step 7 Click Next. The device automatically starts to upgrade the system software.
The upgraded system software can be used only after you restart the NGFW.

----End

Installing a Patch File


You can upgrade the system software without interrupting system operation by installing patches.
An NGFW can hold multiple patch files, but only one of them is loaded in the system. To load a
new patch file, you must uninstall the loaded one first.
The extension name of a patch file is .pat. The patch file name cannot contain any Chinese
characters.

Step 1 Choose System > System Upgrade.


Step 2 Click Select. The Patch Document Management window is displayed.
Step 3 Click Upload. The Upload File window is displayed.
Step 4 Click Browse. Select the patch file to be uploaded.
Step 5 Click Upload to upload the patch file.
After the patch file is successfully uploaded, return to the Patch Document Management
window. The patch file is displayed in the list but is in idle state.

Step 6 Click the corresponding icon of the patch file in idle state and click Yes in the dialog box that is
displayed to load, activate, and run the patch file.

----End

One-Touch Installing a System Patch File


You can upgrade the system software without interrupting system operation by one-touch
system patch file installation. An NGFW can hold multiple patch files, but only one of them is
loaded in the system. To load a new patch file, you need to uninstall the loaded one first.
The extension name of a patch file is .pat. The patch file name cannot contain any Chinese
characters.

Step 1 Choose System > System Upgrade.


Step 2 Click One-Touch Patch Upgrade. The One-Touch Patch Upgrade wizard is displayed.
Step 3 Click Browse. Select the patch file to be uploaded.
Step 4 Click Upgrade. The patch file is automatically installed.

----End

One-Touch Installing a Client Patch File


By loading client patch files on the NGFW, you can update SSL VPN client components such
as the separate client installation package, client management program installation package,


client Internet Explorer control, and client certificate filtering plug-in. When the updated client
accesses the virtual gateway, the virtual gateway automatically updates the installed components
on the client.

To load a new client patch file, the system will uninstall the loaded client patch file automatically.

The file name of the client patch file must be clientpatchmain. If a file with this name already
exists on the NGFW, it is deleted automatically when the new one is uploaded.

Step 1 Choose System > System Upgrade.

Step 2 Click One-Touch Client Patch Upgrade behind the Client Patch File in Use, the One-Touch
Client Patch Upgrade window is displayed.

Step 3 Click Browse. Select the client patch file to be uploaded.

Step 4 Click Upgrade. The client patch file is automatically updated.

----End

5.13.2 Upgrading the System Using the CLI


This section describes how to use the CLI to upgrade the system software and install patch files.

5.13.2.1 Upgrading System Software


This section describes how to upgrade the software when the software version of the device
system cannot meet current working requirements and a new software version is available.

Uploading System Software to the NGFW


You can use FTP, TFTP and SFTP to upload the system software to the NGFW:

NOTE

The client and server software described in the following is not delivered with the NGFW. You need to
purchase and install them separately.
l FTP
– The NGFW serves as the FTP client.
The FTP server and the NGFW can reside on different network segments, but they must
be routable to each other.
Run the FTP server program on the FTP host and place the system software to be
downloaded in the corresponding FTP working directory. Then run the command in the
user view of the NGFW to download the system software to the specified directory of
the NGFW. For details, see 5.10.3.2 Configuring the NGFW as an FTP Client.
– The NGFW serves as the FTP server.
The FTP client and the NGFW can reside on different network segments, but they must
be routable to each other.
Start the FTP server on the NGFW. For details, see 5.10.3.1 Configuring the NGFW
as an FTP Server. Log in to the NGFW through an FTP client and upload the system
software to the corresponding directory of the NGFW.
l TFTP


The NGFW serving as the TFTP client obtains system software from the TFTP server. The
TFTP server and the NGFW can reside on different network segments, but they must be
routable to each other.
Run the TFTP server program on the TFTP host and put the system software to be uploaded
in the corresponding TFTP working directory. Then run the specified commands in the user
view of the NGFW to download the system software to the corresponding directory of the
NGFW. For details, see 5.10.3.5 Configuring the NGFW as a TFTP Client.
l SFTP
– The NGFW serves as the SFTP client.
The SFTP server and the NGFW can reside on different network segments, but they
must be routable to each other.
Run the SFTP server program on the SFTP host and place the system software to be
downloaded in the corresponding SFTP working directory. Then run the command in
the user view of the NGFW to download the system software to the specified directory
of the NGFW. For details, see 5.10.3.4 Configuring the NGFW as an SFTP Client.
– The NGFW serves as the SFTP server.
The SFTP client and the NGFW can reside on different network segments, but they
must be routable to each other.
Start the SFTP server on the NGFW. For details, see 5.10.3.3 Configuring the NGFW
as an SFTP Server. Log in to the NGFW through an SFTP client and upload the system
software to the corresponding directory of the NGFW.
NOTE
FTP and TFTP transfer credentials and file contents in cleartext, and TFTP has no authentication at all.
SFTP is therefore more secure than FTP and TFTP, and you are advised to use SFTP to upload system
software.

Upgrading the System Software


Step 1 Run the following command in the user view to configure the system software for the next
startup.

startup system-software sys-filename

NOTICE
The system software must be a .bin file and saved under the root directory of the storage device.

Step 2 Restart the device.

reboot

----End

Postrequisite
After the configuration, run the display startup command to display the system software and
configuration file for this and next startups.

For example:


<NGFW> display startup


MainBoard:
Configed startup system software: hda1:/sup1.bin
Startup system software: hda1:/sup1.bin
Next startup system software: hda1:/sup1.bin
Startup saved-configuration file: hda1:/vrpcfg.zip
Next startup saved-configuration file: hda1:/vrpcfg.zip

5.13.2.2 Using Patches for System Upgrade


This section describes how to use patches to upgrade the device system.

Software Upgrade and Patch Management


You can upgrade the system software to add or upgrade features on the device. Patches
are software packages, compatible with the system software on the device, that fix known
problems without a full upgrade.

The NGFW supports hot and cold patches:


l Hot patch: A hot patch can be used to upgrade the system software without interrupting
system operation.
l Cold patch: After a cold patch is installed, the system must restart to validate the patch,
which interrupts system services.
The patches for the NGFW have four states: Idle, Activated, Deactivated, and Running. Patches
in Activated state are rolled back to the Idle state after system restart and they no longer take
effect; patches in Running state recover after system restart and they still take effect.

Figure 5-79 shows the patch status change diagram.

Figure 5-79 Patch status change diagram (figure not reproduced; its transitions are listed below)

Idle --Load--> Deactivated
Deactivated --Active--> Activated
Activated --Deactive--> Deactivated
Activated --Run--> Running
Deactivated, Activated, or Running --Delete--> Idle

Uploading a Patch File to the NGFW


You can use FTP, TFTP and SFTP to upload the patch file to the NGFW:


NOTE

The client and server software described in the following is not delivered with the NGFW. You need to
purchase and install them separately.
l FTP
– The NGFW serves as the FTP client.
The FTP server and the NGFW can reside on different network segments, but they must
be routable to each other.
Run the FTP server program on the FTP host and place the patch file to be downloaded
in the corresponding FTP working directory. Then run the command in the user view
of the NGFW to download the patch file to the specified directory of the NGFW. For
details, see 5.10.3.2 Configuring the NGFW as an FTP Client.
– The NGFW serves as the FTP server.
The FTP client and the NGFW can reside on different network segments, but they must
be routable to each other.
Start the FTP server on the NGFW. For details, see 5.10.3.1 Configuring the NGFW
as an FTP Server. Log in to the NGFW through an FTP client and upload the patch
file to the corresponding directory of the NGFW.
l TFTP
The NGFW serving as the TFTP client obtains patch file from the TFTP server. The TFTP
server and the NGFW can reside on different network segments, but they must be routable
to each other.
Run the TFTP server program on the TFTP host and put the patch file to be uploaded in
the corresponding TFTP working directory. Then run the specified commands in the user
view of the NGFW to download the patch file to the corresponding directory of the
NGFW. For details, see 5.10.3.5 Configuring the NGFW as a TFTP Client.
l SFTP
– The NGFW serves as the SFTP client.
The SFTP server and the NGFW can reside on different network segments, but they
must be routable to each other.
Run the SFTP server program on the SFTP host and place the patch file to be
downloaded in the corresponding SFTP working directory. Then run the command in
the user view of the NGFW to download the patch file to the specified directory of the
NGFW. For details, see 5.10.3.4 Configuring the NGFW as an SFTP Client.
– The NGFW serves as the SFTP server.
The SFTP client and the NGFW can reside on different network segments, but they
must be routable to each other.
Start the SFTP server on the NGFW. For details, see 5.10.3.3 Configuring the NGFW
as an SFTP Server. Log in to the NGFW through an SFTP client and upload the patch
file to the corresponding directory of the NGFW.
NOTE
FTP and TFTP transfer credentials and file contents in cleartext, and TFTP has no authentication at all.
SFTP is therefore more secure than FTP and TFTP, and you are advised to use SFTP to upload patch
files.


Loading a Patch
When you load a patch, the system automatically checks that the checksum of the patch matches
that of the system software running on the host. If it does not, loading fails.

NOTE

l Patches not in Running state become Idle after system restart. To use such a patch, you need to load,
activate, and run the patch.
l For a cold patch, you must restart the system to validate the patch.

Step 1 Load a patch in the user view.


patch load patch-file-name
Step 2 Activate the patch.
patch active patch-file-name
If the activated patch proves faulty, delete it instead of running it.
Step 3 Run the patch.
patch run patch-file-name
Then the patch is in running state. After you restart the device, the running state is retained.

----End

Deleting a Patch
You can delete a patch that is not required by the system.

NOTE

l A patch in any state can be deleted.


l A deleted patch cannot be recovered. You must reload the patch.
l After running the command to delete a cold patch, you must restart the system to complete the
deletion.

Step 1 Run the following command in the user view to deactivate a patch.
patch deactive patch-file-name
Step 2 Delete a patch.
patch delete patch-file-name

----End
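The upgrade procedure of 5.13.2.1 and the patch lifecycle of 5.13.2.2 as one CLI session, added here as an example and not taken from the guide. The file names sup2.bin and patch1.pat, the prompts and the display startup output are constructed; the output format follows the sample in 5.13.2.1. It assumes both files were uploaded by SFTP to the root directory of hda1: (see 5.10.3) and that the running configuration was saved beforehand (see 5.14). Whether patch load needs a path prefix is not stated in this section; the bare file name is used here. Lines beginning with # are annotations.

```text
# Added example, not from the Huawei guide. sup2.bin, patch1.pat and the output are
# constructed; files are assumed to be in hda1:/ already; prompts are illustrative.

<NGFW> display startup                               # record what runs now and what would run next
MainBoard:
  Configed startup system software:        hda1:/sup1.bin
  Startup system software:                 hda1:/sup1.bin
  Next startup system software:            hda1:/sup1.bin
  Startup saved-configuration file:        hda1:/vrpcfg.zip
  Next startup saved-configuration file:   hda1:/vrpcfg.zip

<NGFW> startup system-software hda1:/sup2.bin        # .bin file in the root directory, no Chinese characters
<NGFW> display startup                               # "Next startup system software" must now read hda1:/sup2.bin
<NGFW> reboot                                        # interrupts service; do this in a maintenance window

# After the device is back up, apply the hot patch in three stages.
<NGFW> patch load patch1.pat                         # fails if the patch checksum does not match the running software
<NGFW> patch active patch1.pat                       # Activated: takes effect now but is lost on reboot, so safe for a trial
# Observe the device. If the patch misbehaves, back it out without a reboot:
<NGFW> patch deactive patch1.pat
<NGFW> patch delete patch1.pat
# Otherwise make it survive reboots:
<NGFW> patch run patch1.pat                          # Running: retained after restart
```

Keep the previous sup1.bin on the device or on the terminal until the new version has been in service for a while; if sup2.bin fails to boot, pointing startup system-software back at sup1.bin is the only rollback path.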

5.13.2.3 Configuring the SSL VPN Client Patch


By loading client patch files on the NGFW, you can update SSL VPN client components.

SSL VPN Client Patch Overview


By loading client patch files on the NGFW, you can update SSL VPN client components such
as the separate client installation package, client management program installation package,
client Internet Explorer control, and client certificate filtering plug-in. When the updated client


accesses the virtual gateway, the virtual gateway automatically updates the installed components
on the client.

To load a new client patch file, the system will uninstall the loaded client patch file automatically.

The file name of the client patch file must be clientpatchmain. If a file with this name already
exists on the NGFW, it is deleted automatically when the new one is uploaded.

Client patches have four states: Idle, Activated, Deactivated, and Running. Patches in Activated
state are rolled back to the Idle state after system restart and they no longer take effect; patches
in Running state recover after system restart and they still take effect.

Figure 5-80 shows the patch status change diagram.

Figure 5-80 Patch status change diagram (figure not reproduced; its transitions are listed below)

Idle --Load--> Deactivated
Deactivated --Active--> Activated
Activated --Deactive--> Deactivated
Activated --Run--> Running
Deactivated, Activated, or Running --Delete--> Idle

Uploading a Client Patch File to the NGFW


You can use FTP, TFTP and SFTP to upload the client patch file to the NGFW:

NOTE

The client and server software described in the following is not delivered with the NGFW. You need to
purchase and install them separately.
l FTP
– The NGFW serves as the FTP client.
The FTP server and the NGFW can reside on different network segments, but they must
be routable to each other.
Run the FTP server program on the FTP host and place the client patch file to be
downloaded in the corresponding FTP working directory. Then run the command in the
user view of the NGFW to download the client patch file to the specified directory of
the NGFW. For details, see 5.10.3.2 Configuring the NGFW as an FTP Client.
– The NGFW serves as the FTP server.
The FTP client and the NGFW can reside on different network segments, but they must
be routable to each other.


Start the FTP server on the NGFW. For details, see 5.10.3.1 Configuring the NGFW
as an FTP Server. Log in to the NGFW through an FTP client and upload the client
patch file to the corresponding directory of the NGFW.
l TFTP
The NGFW serving as the TFTP client obtains client patch file from the TFTP server. The
TFTP server and the NGFW can reside on different network segments, but they must be
routable to each other.
Run the TFTP server program on the TFTP host and put the client patch file to be uploaded
in the corresponding TFTP working directory. Then run the specified commands in the user
view of the NGFW to download the client patch file to the corresponding directory of the
NGFW. For details, see 5.10.3.5 Configuring the NGFW as a TFTP Client.
l SFTP
– The NGFW serves as the SFTP client.
The SFTP server and the NGFW can reside on different network segments, but they
must be routable to each other.
Run the SFTP server program on the SFTP host and place the client patch file to be
downloaded in the corresponding SFTP working directory. Then run the command in
the user view of the NGFW to download the client patch file to the specified directory
of the NGFW. For details, see 5.10.3.4 Configuring the NGFW as an SFTP Client.
– The NGFW serves as the SFTP server.
The SFTP client and the NGFW can reside on different network segments, but they
must be routable to each other.
Start the SFTP server on the NGFW. For details, see 5.10.3.3 Configuring the NGFW
as an SFTP Server. Log in to the NGFW through an SFTP client and upload the client
patch file to the corresponding directory of the NGFW.
NOTE
FTP and TFTP transfer credentials and file contents in cleartext, and TFTP has no authentication at all.
SFTP is therefore more secure than FTP and TFTP, and you are advised to use SFTP to upload client
patch files.

Loading the Client Patch


Step 1 Enter the system view.
system-view

Step 2 Load the client patch.

client-patch load

Step 3 Activate the client patch.

client-patch active

If the activated patch proves faulty, delete it instead of running it.

Step 4 Run the client patch.

client-patch run

The patch enters the Running state.


NOTE
Patches not in the Running state become Idle after a system restart. To use such a patch, load,
activate, and run it again.

----End

Deleting the Client Patch

You can delete a patch that the system no longer requires.

NOTE
• A patch in any state can be deleted.
• A deleted patch cannot be recovered. To use it again, you must reload it.

Step 1 Enter the system view.
system-view

Step 2 Deactivate the client patch.
client-patch deactive

Step 3 Delete the client patch.
client-patch delete

----End

5.13.3 Feature History

This section describes the versions and changes in the system upgrade feature.

Version             Change Description
V100R001C20SPC700   Supported loading SSL VPN client patches to the device.
V100R001C00         The first version.

5.14 Configuration File

This section describes how to save, back up, and remove a configuration file, and how to
compare configuration files.

5.14.1 Overview
A configuration file defines the configuration items that the NGFW requires at startup. You
can save a configuration file on the NGFW, modify and remove existing configuration files,
and specify the configuration file for the NGFW to load upon each startup.


Current Configuration
The current configuration is the configuration currently in effect. It is not the configuration file:
a configuration file is generated only after you save the current configuration, and changes that
are not saved are lost when the NGFW restarts.

Configuration File
The configuration file is saved as a text file, and its content is organized as follows:
• The configuration file consists of commands.
• Only non-default parameters are saved. You can find the default value of each parameter
in the relevant chapters of this document.
• Commands are organized by view. The commands of one view are listed together to form a
section, and adjacent sections are separated by one or more blank lines or comment lines
that start with a number sign (#).
• Sections are usually arranged in the order global configuration, physical interface
configuration, logical interface configuration, and routing protocol configuration.

NOTE
A command in a configuration file is recognized by the system only if it is a string of no more than
899 characters. Editing the configuration file directly may produce commands longer than 899 characters,
which the system cannot recognize. Therefore, perform such edits with caution and check the line lengths
afterwards.
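The layout described above can be checked mechanically. The following Python script is an added example written for this page, not code from the Huawei guide or from the NGFW software: it splits a configuration file into per-view sections on the # separator lines and reports any command line longer than the 899-character limit, which is the check worth running after a configuration file has been edited by hand. The sample configuration embedded in it is constructed for the example.

```python
"""Parse a VRP-style configuration file into view sections and flag
over-long command lines.

Added example, not taken from the Huawei guide: it implements the layout the
guide describes (commands grouped per view, sections separated by '#' comment
lines, only non-default parameters present) and the 899-character limit the
guide warns about when a file is edited by hand. SAMPLE_CONFIG is constructed.
"""
from dataclasses import dataclass, field
from typing import List

MAX_COMMAND_LEN = 899  # limit stated in the guide for a single command line

# Constructed sample: global, physical interface, logical interface, routing.
SAMPLE_CONFIG = """\
#
 sysname NGFW
#
interface GigabitEthernet1/0/1
 ip address 10.0.0.1 255.255.255.0
#
interface LoopBack0
 ip address 192.168.255.1 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 10.0.0.0 0.0.0.255
#
return
"""


@dataclass
class Section:
    """One block of commands belonging to a single view."""
    view: str                                   # first command, e.g. 'interface ...'
    commands: List[str] = field(default_factory=list)


def parse_sections(text: str) -> List[Section]:
    """Split a configuration file into sections on '#' comment lines.

    Consecutive '#' or blank lines count as one separator, as the guide says
    one or more may appear between sections. A line reading 'return' closes
    a saved VRP configuration file and ends parsing.
    """
    sections: List[Section] = []
    current: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        stripped = line.strip()
        if stripped == "return":
            break
        if stripped == "#" or not stripped:
            if current:
                sections.append(Section(view=current[0].strip(), commands=current))
                current = []
            continue
        current.append(line)
    if current:
        sections.append(Section(view=current[0].strip(), commands=current))
    return sections


def views(text: str) -> List[str]:
    """Names of the views found in the file, in file order."""
    return [s.view for s in parse_sections(text)]


def overlong_commands(text: str, limit: int = MAX_COMMAND_LEN) -> List[int]:
    """1-based line numbers of commands longer than `limit` characters."""
    return [no for no, line in enumerate(text.splitlines(), start=1)
            if len(line.rstrip()) > limit]


if __name__ == "__main__":
    for s in parse_sections(SAMPLE_CONFIG):
        print(f"[{s.view}] {len(s.commands)} command(s)")
    print("over-long lines:", overlong_commands(SAMPLE_CONFIG))
```

Run it against a file exported from the NGFW (see Backing Up the Current Configurations below) after editing; a non-empty result from `overlong_commands` means the file will not load as intended.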

Concepts related to the configuration file are the configuration file for this startup, the configuration
file for the next startup, and the configuration file for disaster recovery.

• startup saved-configuration file
Indicates the configuration file loaded for this startup.
• next startup saved-configuration file
Indicates the configuration file to be loaded for the next startup.
• next startup configuration
Indicates the configuration file for disaster recovery. Its priority is higher than that of the next
startup saved-configuration file. Once specified, the NGFW loads this configuration file at the
next startup.

Related Operations
To manage configuration files, you can:

• Save the current configuration to a configuration file.
• Clear a configuration file.
• Display the details of the configuration file for the next startup.
• Specify a configuration file for the next startup.
• Specify the configuration file for disaster recovery as the configuration file for the next
startup.
• Update the configuration file.


5.14.2 Managing Configuration Files Using the Web UI

This section describes how to use the Web UI to manage configuration files.

Restoring the Factory Default Configuration

You can restore the device to the factory default settings. The restoration does not affect
saved configuration files. Before the restoration, you can choose whether to back up the
current configuration of the device.

NOTICE
Restoring the factory configuration reboots the device.

Step 1 Choose System > Configuration file Management.

The information displayed under Current Configuration is the current configuration of the
NGFW.

Step 2 Click Restore Factory Settings.

Step 3 In Password, enter the password of the login user.

Step 4 Optional: Back up the current configuration.

1. Select Back Up the Current Configuration File.
2. In File Name, enter the file name, including the file name extension, of the backup
configuration file.

Step 5 Click OK. The device reboots and restores the factory default configuration.

----End

Displaying Configuration
The Web UI displays a maximum of 2000 configuration entries. To view more configuration
information, export the configuration instead.

Step 1 Choose System > Configuration file Management.

Step 2 Under Current Configuration, click Search, select search conditions in the Query
Condition dialog box, and click Search.

Parameter          Description
Filter Type        • all: Display all configuration information.
                   • configuration: Display the configuration information of a specified
                     function module.
                   • interface: Display the configuration of all interfaces or of a specified
                     interface.
Module             Available only when Filter Type is configuration.
Interface          Available only when Filter Type is interface. You can specify all or an
                   interface number.
Matching Type      Specify the position of the keyword.
                   • all: Display all configuration information.
                   • begin: Display the configuration information starting from the first line
                     that contains the keyword.
                   • exclude: Display the configuration information that does not contain the
                     keyword.
                   • include: Display the configuration information that contains the keyword.
Matching Keyword   Unavailable when Matching Type is all.

----End

Backing Up the Current Configurations

You can back up the current configuration of the NGFW to the management terminal.

The file name extension of a configuration file can be .zip or .cfg.

Step 1 Choose System > Configuration file Management.

Step 2 Click Export in Current Configuration.

Step 3 Click Save and select a path on the terminal in which to save the configuration file.

----End

Comparing Configurations
You can compare the current configurations with the configurations saved in configuration files.

Step 1 Choose System > Configuration file Management.

Step 2 Click Compare in Current Configuration.


The differences between the configurations are displayed in Differences Between the Current
Configurations and the Contents in the Configuration File.

----End

Saving the Current Configurations

NOTE
By default, only the system administrator has the configuration saving permission. If a non-system administrator
needs to save the configuration, contact the system administrator for the permission.

You can save the current configuration on the NGFW.

The file name extension of a configuration file can be .zip or .cfg.

Step 1 Choose System > Configuration file Management.

Step 2 Click Save in Current Configuration.

Step 3 Select Overwrite configuration file for next startup or Save as.
If you select Save as, enter a new file name.

----End

Updating a Configuration File

You can update a configuration file as follows:
1. Upload a configuration file to the NGFW. Ensure that the available storage space is
sufficient. If the space is insufficient, delete unnecessary files first.
2. Specify the uploaded file as the configuration file for the next startup.

The file name extension of a configuration file can be .zip or .cfg.

Step 1 Choose System > Configuration file Management.

Step 2 Click Select. The Configuration File Management dialog box is displayed.

Step 3 Click Upload. The Upload File dialog box is displayed.

Step 4 Click Browse and select the configuration file to be uploaded.

Step 5 Click Upload to upload the configuration file.

After the configuration file is uploaded, you return to the Configuration File Management dialog
box, and the file is displayed in the list.

Step 6 Click the corresponding icon in the list to set the uploaded file as the configuration file for the
next startup. The update takes effect only after the device restarts. Before restarting, you can use
Compare under Current Configuration to check how the uploaded file differs from the running
configuration.

----End

5.14.3 Managing Configuration Files Using the CLI

This section describes how to use the CLI to manage configuration files.

5.14.3.1 Updating the Configuration File

This function replaces the local configuration file with a configuration file downloaded from a
specified FTP or SFTP server.

Context

NOTICE
• SFTP is recommended because of its higher security. With FTP, the server credentials given in the
command and the configuration file itself cross the network in cleartext.
• After the function of updating the configuration file is enabled, the NGFW cannot restore
the factory default settings when you press the RST button before powering on the
NGFW.

The process of updating the configuration file is as follows:

1. When the specified hold-off time expires, the NGFW obtains the configuration file from the
specified FTP or SFTP server.
If the NGFW fails to obtain the configuration file, it retries at intervals equal to the hold-off
time.
2. After downloading the configuration file from the server, the NGFW restarts and applies the
new configuration file.

Procedure
Step 1 Enable the function of updating the configuration file.
upgrade saved-configuration { ftp | sftp } server-address username password [ delay ]
NOTE
If you need to update the configuration file again, run the command again to obtain the configuration file
and then update it.

----End

5.14.3.2 Specifying a Configuration File for the Next Startup


This section describes how to specify a configuration file to be loaded in the next startup of the
NGFW.

Procedure
Step 1 Specify a configuration file to be loaded for the next startup.
startup saved-configuration configuration-filename

----End

5.14.3.3 Saving the Current Configuration

The NGFW provides a real-time configuration saving function for you to save the configuration
of the NGFW.

Context
To reduce the possibility of losing the configuration because of a sudden power-off or restart of
the device, the NGFW provides the real-time configuration saving function.

NOTE
By default, only the system administrator has the configuration saving permission.
For a non-system administrator to save the configuration, the system administrator must run the non-system-admin
saveenable command to grant the configuration saving permission to the non-system administrator.

Procedure
Step 1 Save the current configuration.
save [ config-filename ]

The file name extension of the configuration file must be .cfg or .zip. The configuration file
must be saved in the root directory of the storage device.

If you run the save command without specifying a parameter, the current configuration is
saved into the configuration file for the next startup. If you run the save command with a
configuration file name, the current configuration is saved into the specified configuration file.

----End

5.14.3.4 Using the Configuration File for Disaster Recovery

You can specify a known-good configuration file in advance as the configuration file for disaster
recovery and load it when the configuration in use or the saved configuration file no longer meets
the requirements.

Context
The configuration file for disaster recovery is a backup file generated in hda1. This file cannot be
deleted, modified, or renamed, and you cannot specify it as the configuration file for the next startup
by running the startup saved-configuration command. The file is lost only when hda1 is formatted.

After you specify a configuration file by running the backup-configuration command, the
system generates a copy of it in hda1, named nicecfg, as the configuration file for disaster recovery.

It is recommended that you maintain this file periodically so that the latest known-good
configuration is available when you need to restore the configuration.

Procedure
Step 1 Specify a configuration file for disaster recovery.

backup-configuration backup-filename

You can specify only one configuration file for disaster recovery. If you run this command
multiple times, the configuration file specified in the last execution is used as the configuration
file for disaster recovery.

Later changes to the original configuration file do not affect the configuration file for disaster
recovery.

Step 2 Configure the configuration file for disaster recovery as the configuration file for the next startup.

startup backup-configuration

To stop using the configuration file for disaster recovery as the startup configuration file,
perform either of the following operations:

• After modifying the configuration, run the save command in the user view. The system then
uses the saved configuration file as the configuration file for the next startup.
• In the user view, run the undo startup backup-configuration command to stop using the
configuration file for disaster recovery as the startup configuration file.

----End

Follow-up Procedure
Run the display backup-configuration command to display the details of the configuration
file for disaster recovery, namely nicecfg.

Run the display startup command to display the configuration file for the next startup.
<NGFW> display startup
MainBoard:
Configed startup system software: hda1:/sup.bin
Startup system software: hda1:/sup.bin
Next startup system software: hda1:/sup.bin
Startup saved-configuration file: hda1:/vrpcfg.zip
Next startup saved-configuration file: hda1:/vrpcfg.zip
Next startup configuration: backup-configuration

In the output, Next startup configuration indicates the configuration file for the next startup. Its
priority is higher than that of Next startup saved-configuration file. This item is displayed only
when a configuration file for disaster recovery has been specified for the next startup.

5.14.3.5 Clearing a Configuration File

You can use commands to clear the configuration file that is currently loaded.

Context
You need to clear the currently loaded configuration file in the following cases:

• After the device software is upgraded, the software does not match the configuration file.
• The configuration file is damaged, or the device has been loaded with an incorrect configuration
file.

Procedure
Step 1 Clear the configuration file that is currently loaded.
reset saved-configuration

After the configuration file is cleared, if you neither run the startup saved-configuration
command to specify a configuration file that contains correct configurations nor run the save
command to save the configuration currently in use, the NGFW starts with default parameter
settings at the next startup.

----End


5.14.3.6 Comparing Configuration Files

You can run commands to compare the current configuration with the configuration saved on
the storage device, for example to check for unsaved changes before a restart.

Procedure
Step 1 Compare the current configuration with the configuration saved on the storage device.
compare configuration [ current-line-number save-line-number ]

If no parameter is specified, the comparison starts from the first line of both files. You can use the
parameters current-line-number and save-line-number to start the comparison further down in
each file, skipping differences that were already identified.
When a difference is found, the system displays a certain number of characters (150 by default)
of the current configuration and of the saved configuration file, starting from the first line that
differs. If fewer than 150 characters remain from that line, the system displays all content to the
end of both files.

----End
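The following Python code is an added example, not part of the Huawei guide or the NGFW software, showing the comparison semantics described above: it starts at optional line numbers in each file, stops at the first differing line, and returns up to 150 characters of each file from that point. Both configurations in it are constructed samples; the running one carries a security-policy rule that was never saved, which is the kind of drift this comparison exposes before a restart discards it.

```python
"""Compare a running configuration with a saved configuration file the way the
guide describes for 'compare configuration': optionally start at given line
numbers in each file, stop at the first differing line, and show up to 150
characters of each file from that point.

Added example, not part of the Huawei guide or its software. CURRENT and SAVED
are constructed; the 150-character window and the two start-line parameters
mirror the command's default and arguments.
"""
from typing import Optional, Tuple

WINDOW = 150  # characters displayed from the first difference, per the guide

# Constructed sample: the running configuration has a deny rule not yet saved.
CURRENT = """\
#
 sysname NGFW
#
security-policy
 rule name allow_dns
  source-zone trust
  destination-zone untrust
  service dns
  action permit
 rule name deny_all
  action deny
#
return
"""

SAVED = """\
#
 sysname NGFW
#
security-policy
 rule name allow_dns
  source-zone trust
  destination-zone untrust
  service dns
  action permit
#
return
"""


def first_difference(current: str, saved: str,
                     current_line: int = 1, saved_line: int = 1) -> Optional[Tuple[int, int]]:
    """1-based (current, saved) line numbers of the first mismatch at or after
    the given start lines, or None if the remainders are identical."""
    cur = current.splitlines()[current_line - 1:]
    sav = saved.splitlines()[saved_line - 1:]
    for offset, (a, b) in enumerate(zip(cur, sav)):
        if a != b:
            return current_line + offset, saved_line + offset
    if len(cur) != len(sav):                 # one file is a prefix of the other
        offset = min(len(cur), len(sav))
        return current_line + offset, saved_line + offset
    return None


def compare_configuration(current: str, saved: str,
                          current_line: int = 1, saved_line: int = 1,
                          window: int = WINDOW) -> Optional[Tuple[str, str]]:
    """Mimic 'compare configuration [ current-line-number save-line-number ]':
    return `window`-character excerpts of both files starting at the first
    differing line, or None when there is no difference."""
    pos = first_difference(current, saved, current_line, saved_line)
    if pos is None:
        return None
    cur_excerpt = "\n".join(current.splitlines()[pos[0] - 1:])[:window]
    sav_excerpt = "\n".join(saved.splitlines()[pos[1] - 1:])[:window]
    return cur_excerpt, sav_excerpt


if __name__ == "__main__":
    diff = compare_configuration(CURRENT, SAVED)
    if diff is None:
        print("Running configuration matches the saved file.")
    else:
        print("=== current ===\n" + diff[0] + "\n=== saved ===\n" + diff[1])
```

Calling `compare_configuration(CURRENT, SAVED, 12, 10)` skips past the unsaved rule and reports no further difference, which is what the two line-number arguments of the CLI command are for.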

5.14.3.7 Checking the Configuration Files

You can run display commands to display information about the configuration files.
In routine maintenance, you can run the following commands in any view to display
information about the configuration files.
Table 5-40 lists the commands used to display information about the configuration files.

Table 5-40 Displaying the information about configuration files

Action                                                        Command
Display the current configuration.                            display current-configuration
Display the configuration file for the next startup.          display saved-configuration
Display information about the configuration files saved       dir [ /all ] [ filename ]
in the storage device.
Display the configuration of the current view.                display this
Display information about the configuration file used for     display startup
the current startup.

If the configuration has been applied successfully, the preceding commands show the following:

• The current configuration of the device is correct and contains no redundant configuration.
• The current configuration of the device is saved in the storage device.
• The system software and configuration file to be loaded at the next startup are correct, and
they are saved in the root directory of the storage device.

5.14.4 Feature History

This section describes the versions and changes in the configuration file management feature.

Version             Change Description
V100R001C20SPC700   Added the function of updating the configuration file through SFTP.
V100R001C20SPC100   Added automatic update of the configuration file.
V100R001C00         The first version.

5.15 Restart
After you upgrade the system or load a new configuration file on the NGFW, you must reboot the
NGFW for the new software or configuration to take effect.

5.15.1 Overview
After you upgrade the system or load a host program, or after an anomaly occurs in the system,
you need to restart the system.

You may need to restart the NGFW in the following cases:

• Upgrading the system.
• Loading the host program.
• The NGFW works improperly.

Restarting the NGFW interrupts services. Therefore, in non-emergency cases, restart the NGFW
during off-peak hours, such as in the early morning.

You can restart the NGFW in either of the following modes:

• Immediate system restart
You run a command or power the device off and on to restart the system.
• Scheduled system restart
The NGFW allows you to restart the system at a scheduled time. You can set the time for
the system restart in either of the following ways:
– Specify a time point at which the NGFW restarts. For example, the NGFW automatically
restarts at a specific time, such as 2:30 am.
– Specify a delay after which the NGFW restarts. For example, the NGFW automatically
restarts after a specific period, such as three hours later.

Upon restart, the NGFW loads the startup configuration file that was specified before the restart.

5.15.2 Restarting the System Using the Web UI

This section describes how to use the Web UI to restart the system.

Background

NOTICE
• If the NGFW works improperly, try to rectify the fault first. Do not restart the system frequently,
because restarts affect services.
• If you must restart the system, do so during off-peak hours in non-emergency cases, such as in
the early morning.
• Restarting the NGFW may result in the loss of unsaved data. Before the restart, make sure that
the configuration data is backed up.

Restarting the System

You are advised to back up the configuration file in use before you restart the system.

Step 1 Choose System > Setup > Restart.

Step 2 Select either of the following to restart the system:

• Click Save and Restart to save the configuration and restart the system.
• Click Restart to restart the system without saving the configuration. Unsaved changes to the
current configuration are lost.

----End

5.15.3 Restarting the System Using the CLI

This section describes how to use the CLI to restart the system.

Context

NOTICE
• When the system works abnormally, rectify the fault first. Do not restart the system
frequently. Otherwise, services are affected.
• Restarting the system may cause the loss of unsaved data. Before the reboot, ensure that
the configuration has been saved. In common cases, do not use the CLI to reboot the system.

Restarting the System Immediately

Step 1 Select either of the following methods to restart the system:
• Run the reboot command in the user view.
• Power off the NGFW and power it on again.

----End

Restarting the System at a Specified Time Point

Specify a time point during idle hours for the system restart to avoid service interruption and
losses. Perform the following procedure to restart the system:

Step 1 Restart the system at a specified time.

schedule reboot { at exact-time | delay interval }

If the clock command is executed after you run the schedule reboot command, the parameters
specified in the schedule reboot command no longer take effect.

NOTE
After the configuration is complete, run the display schedule reboot command to display the parameter
settings of the scheduled system restart.
<NGFW> display schedule reboot
System will reboot at 16:00:00 2011/11/1 (in 2 hours and 5 minutes).

----End

5.15.4 Feature History


This section describes the versions and changes in the system restart feature.

Version Change Description

V100R001C00 The first version.

5.16 Upgrade Through USB

Upgrade through USB can be performed manually or automatically.

5.16.1 Overview
To upgrade through USB, you store the required upgrade files on a USB drive, insert it into the
NGFW, and load the upgrade files from the USB drive to upgrade the NGFW.

Manual Upgrade
In a manual upgrade, you insert the USB drive and then run the upgrade command to upgrade the
system software and configuration file.

Automatic Upgrade
In an automatic upgrade, the NGFW upgrades itself after the USB drive is inserted. This
method simplifies operations and makes the upgrade more efficient.
Before performing an upgrade through USB, check whether a configuration file exists on the
NGFW:
• If no configuration file exists, the NGFW starts the upgrade as soon as the USB drive is inserted.
In this scenario, you only need to store all required upgrade files on the USB drive and insert
it into the NGFW; no command needs to be run.
• If a configuration file exists, you need to enable upgrade through USB before inserting the
USB drive.

NOTE
The NGFW supports automatic upgrade through USB from V100R001C30SPC100.

5.16.2 Restrictions and Precautions

Read this section carefully before you configure upgrade through USB.
Note the following before using a USB drive to upgrade the NGFW:
• A power-off during the upgrade results in an upgrade failure.
• The CF card of the NGFW must have enough space to store the upgrade files.
• Do not remove the USB drive during the upgrade; doing so may cause data loss or damage to the
file system.
• Ensure that the USB drive is compatible with the NGFW: the file system must be FAT32 and
the port must be USB 2.0.
• Do not insert two USB drives for the upgrade.
• Because an NGFW without a configuration file accepts upgrade files from any USB drive that
carries a valid index file, keep such devices under physical control until they are deployed, and
use the configuration file encryption and HMAC options described in 5.16.5 where they apply.

5.16.3 Manually Upgrading System Software and Configuration File
This section describes how to manually upgrade the system software and configuration file.

Procedure
Step 1 Obtain the system software and configuration file and store them in the same directory on the
USB drive.
In this example, the system software is system-software.bin, the configuration file is
system-config.zip, and they are stored in the root directory of the USB drive.
Step 2 Insert the USB drive into the NGFW.
Step 3 Upgrade the system software and configuration file.
• Upgrade the system software.
<NGFW> upgrade system-software udisk0:/system-software.bin
Upgrade system software ?[Y/N]:Y

Info: Check system software begin, it will take a long time, please don't power
down or pull out disk...............................
...............................................................................
..............................................
Info:Udisk0:Successful upgrade, ready to restart.

• Upgrade the configuration file.
<NGFW> upgrade system-configuration udisk0:/system-config.zip
Upgrade system configuration ?[Y/N]:Y

Info: Check system configuration begin, it will take a long time, please don't
power down or pull out disk.....done.

The file hda1:/system-config.zip exists. Overwrite it?[Y/N]:Y

Info: Upgrade system configuration begin, it will take a long time, please don't
power down or pull out disk.....done.
(Warning: Reboot system is required to make current upgrade take effect.)

NOTE
The number of USB ports varies with the NGFW model. Use the number of the USB port actually holding the
drive in place of the 0 in udisk0.

Step 4 Optional: Run the reboot command in the user view to restart the NGFW. Skip this step when
upgrading the system software, because the NGFW restarts automatically.

Step 5 Check the upgrade result.

• Run the display startup command to check whether the current startup system software and
configuration file names are the target file names. If they are, the upgrade succeeded.
<NGFW> display startup
MainBoard:
Configed startup system software: hda1:/SUP.bin
Startup system software: hda1:/system-software.bin
Next startup system software: hda1:/SUP51.bin
Startup saved-configuration file: hda1:/system-config.zip
Next startup saved-configuration file: hda1:/system-cfg.zip

• Run the display version command to check whether the Software Version on the NGFW is
the target version. If it is, the system software was upgraded successfully.
<NGFW> display version
HUAWEI Versatile Routing Platform Software
Software Version: V100R001C30SPC100 (VRP (R) Software, Version 5.30)
Copyright (C) 2014-2015 Huawei Technologies Co., Ltd.
sysname uptime is 0 week, 0 day, 15 hours, 20 minutes
Patch: V100R001C20SPH001

• Run the display current-configuration command to check whether the configuration of the
NGFW is the target configuration. If it is, the configuration file was upgraded successfully.

----End

5.16.4 Upgrading System Software and Configuration File (No Configuration File on the
NGFWs)
This section describes how to upgrade the system software and configuration files of multiple
NGFWs on which no configuration file exists.

5.16.4.1 Preparation for the Upgrade

When no configuration file exists on the NGFW, you need to obtain the upgrade files and create an
index file before the upgrade.

Procedure
Step 1 Obtain the system software and configuration file and store them in the same directory on the
USB drive.

NOTICE
The name of the target system software on the USB drive must differ from that of the system software
currently running. Otherwise, the upgrade fails.

Step 2 Create the index file.

1. Create a text file named usb.ini.
2. Copy the following content into the text file and edit the fields. For details, see Table 5-41.
BEGIN
[USB CONFIG]
SN=
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=1
[DEVICE DESCRIPTION]
OPTION=OK
ESN=DEFAULT
MAC=DEFAULT
VERSION=
DIRECTORY=
FILENUM=
TYPEn=
FILENAMEn=
END

Table 5-41 Fields in the index file

Field        Content
SN           Enter the SN, which is the time of the automatic upgrade through USB in the format
             YearMonthDate.HourMinuteSecond. For example, if the upgrade time of the NGFW is
             2014-12-28 08:09:10, the SN is 20141228.080910.
             NOTE
             When a USB drive storing an index file is inserted into the NGFW, the NGFW compares its
             own SN field with the one in the index file and starts the automatic upgrade through USB
             only when they differ. After the upgrade succeeds, the NGFW sets its SN field to the one in
             the index file so that the same USB drive does not trigger the upgrade again.
VERSION      Enter the target version name.
DIRECTORY    Enter the path of the upgrade files on the USB drive. If the files are in the root
             directory, enter DEFAULT. Otherwise, enter the actual path. For example, if the
             upgrade files are in the NGFW folder, enter /NGFW.
FILENUM      Enter the number of upgrade file types. To upgrade either the system software or
             the configuration file, enter 1; to upgrade both, enter 2.
TYPEn        Enter the type and name of each upgrade file. For example, to upgrade both the
FILENAMEn    system software and the configuration file, enter system-software.bin for the
             system software and system-config.zip for the configuration file as follows:
             TYPE1=SYSTEM-SOFTWARE
             FILENAME1=system-software.bin
             TYPE2=SYSTEM-CONFIG
             FILENAME2=system-config.zip
             NOTE
             To upgrade multiple NGFWs to different versions, copy the upgrade file package for
             the next NGFW to the USB drive after the previous NGFW has been upgraded
             successfully, and ensure that the file names match the FILENAME fields in the index
             file.

Step 3 Save the index file.

Step 4 Copy the index file usb.ini to the root directory of the USB drive.

----End
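The following Python script is an added example, not part of the Huawei guide or firmware. It generates a usb.ini from the field rules in Table 5-41, validates an existing one (SN format, DIRECTORY, FILENUM against the TYPEn/FILENAMEn pairs, the type names shown in the table, and the NOTICE that the new system software must not share the running file's name), and reproduces the SN comparison the NGFW performs on insertion. The file names, version string and device SN it uses are constructed for the example; restricting TYPEn to SYSTEM-SOFTWARE and SYSTEM-CONFIG is this script's assumption, since those are the only two types the table shows.

```python
"""Build and validate the usb.ini index file for automatic upgrade through USB,
and decide whether the NGFW would start an upgrade based on the SN field.

Added example, not from the Huawei guide or its firmware. It follows the index
file layout and field rules of Table 5-41. File names, version and device SN
are constructed; accepting only the two TYPE values shown in the table is an
assumption of this script.
"""
import re
from datetime import datetime
from typing import Dict, List, Sequence, Tuple

SN_PATTERN = re.compile(r"^\d{8}\.\d{6}$")           # YearMonthDate.HourMinuteSecond
VALID_TYPES = {"SYSTEM-SOFTWARE", "SYSTEM-CONFIG"}   # assumption: only types in Table 5-41


def make_sn(when: datetime) -> str:
    """SN is the planned upgrade time, e.g. 2014-12-28 08:09:10 -> 20141228.080910."""
    return when.strftime("%Y%m%d.%H%M%S")


def build_usb_ini(sn: str, version: str, directory: str,
                  files: Sequence[Tuple[str, str]]) -> str:
    """Render the index file with one TYPEn/FILENAMEn pair per upgrade file."""
    lines = ["BEGIN", "[USB CONFIG]", f"SN={sn}", "[UPGRADE INFO]",
             "OPTION=AUTO", "DEVICENUM=1", "[DEVICE DESCRIPTION]", "OPTION=OK",
             "ESN=DEFAULT", "MAC=DEFAULT", f"VERSION={version}",
             f"DIRECTORY={directory}", f"FILENUM={len(files)}"]
    for n, (ftype, fname) in enumerate(files, start=1):
        lines += [f"TYPE{n}={ftype}", f"FILENAME{n}={fname}"]
    lines.append("END")
    return "\n".join(lines) + "\n"


def parse_usb_ini(text: str) -> Dict[str, str]:
    """Flatten KEY=VALUE lines into a dict; section headers, BEGIN and END are skipped."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def validate_usb_ini(text: str, running_software: str) -> List[str]:
    """Return a list of problems; an empty list means the index file passes."""
    fields = parse_usb_ini(text)
    problems: List[str] = []
    if not SN_PATTERN.match(fields.get("SN", "")):
        problems.append("SN must be YYYYMMDD.HHMMSS")
    if not fields.get("VERSION"):
        problems.append("VERSION is empty")
    directory = fields.get("DIRECTORY", "")
    if directory != "DEFAULT" and not directory.startswith("/"):
        problems.append("DIRECTORY must be DEFAULT or a path such as /NGFW")
    try:
        filenum = int(fields.get("FILENUM", ""))
    except ValueError:
        problems.append("FILENUM is not a number")
        return problems
    if not 1 <= filenum <= 2:
        problems.append("FILENUM must be 1 or 2")
    for n in range(1, filenum + 1):
        ftype, fname = fields.get(f"TYPE{n}"), fields.get(f"FILENAME{n}")
        if ftype not in VALID_TYPES or not fname:
            problems.append(f"TYPE{n}/FILENAME{n} missing or unknown type")
        elif ftype == "SYSTEM-SOFTWARE" and fname == running_software:
            # NOTICE in Step 1: same name as the running software makes the upgrade fail
            problems.append("new system software must not share the running file's name")
    return problems


def upgrade_needed(device_sn: str, index_sn: str) -> bool:
    """The NGFW upgrades only when its stored SN differs from the index file's SN."""
    return device_sn != index_sn


# Constructed example matching the values used in Table 5-41.
EXAMPLE_INI = build_usb_ini(
    sn=make_sn(datetime(2014, 12, 28, 8, 9, 10)),
    version="V100R001C30SPC100",
    directory="DEFAULT",
    files=[("SYSTEM-SOFTWARE", "system-software.bin"),
           ("SYSTEM-CONFIG", "system-config.zip")],
)

if __name__ == "__main__":
    print(EXAMPLE_INI)
    print("problems:", validate_usb_ini(EXAMPLE_INI, running_software="SUP.bin"))
    print("upgrade needed:", upgrade_needed("20141201.000000", parse_usb_ini(EXAMPLE_INI)["SN"]))
```

Write `EXAMPLE_INI` to usb.ini in the root directory of the USB drive; running the validator with the name of the software currently on the NGFW (from display startup) catches the same-name condition before the drive is inserted rather than after a failed upgrade.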

5.16.4.2 Upgrading System Software and Configuration file (No Configuration File
on the NGFW)
The NGFW starts automatic upgrade through USB after a USB drive storing all required files
is inserted.

Procedure
1. Insert the USB drive into the NGFW.
If the SYS indicator (green) blinks eight times each second, the NGFW has started
automatic upgrade. The NGFW obtains the system software and configuration file from
the USB drive based on the index file usb.ini, copies them to its CF card, and automatically
sets them as the system startup files.
2. Wait until the NGFW restarts.
NOTE
The restart takes 10 to 30 minutes depending on the product model and version upgrade conditions.
3. Check the upgrade result.
l Determine the upgrade status based on the SYS and ALM indicators on the NGFW:
– If the SYS indicator (green) blinks twice per second, the upgrade has succeeded.
– If the SYS indicator (green) is off and the ALM indicator is on, the upgrade has
failed.
l Check the log file named ESN_time on the USB drive.

Issue 04 (2015-07-30) Huawei Proprietary and Confidential 485


Copyright © Huawei Technologies Co., Ltd.
HUAWEI USG6000 Series & NGFW Module
Administrator Guide 5 System

– If the upgrade succeeds, the log information resembles the following content. Device SN is the same as SN in the index file in 5.16.4.1 Preparation for the Upgrade.
Upgrade time:
20141228084910

Device SN:
20141228.080910

Device ESN:
210235G7LNZ0C8000001

Device MAC address:
00e0fccc221c

Info: Deployment using the USB flash drive is completed successfully, and the device has restarted.

– If the upgrade through USB fails, check the Info content in the log file for
preliminary fault location.

5.16.5 Automatically Upgrading System Software and Configuration File (A Configuration File Available on the NGFW)
This section describes how to upgrade the system software and configuration file when a configuration file already exists on the NGFW.

5.16.5.1 Preparation for the Upgrade

This section describes how to prepare for the system software and configuration file upgrade on multiple NGFWs where configuration files already exist.

Procedure
Step 1 Optional: Encrypt the configuration file (.cfg) to protect it. Skip this step if you do not need to upgrade the configuration file.
NOTE
Configure an authentication password containing at least three of the following types of characters: upper-case letters, lower-case letters, digits, and special characters (except spaces and question marks) for security.

You can download encryption software, such as WinRAR or 7-Zip, from the Internet to encrypt the configuration file. In this example, WinRAR is used.


Step 2 Obtain the system software and store it in the same directory on the USB drive that stores the configuration file.

NOTICE
The name of the target system software in the USB drive must be different from that of the one
running currently. Otherwise, the upgrade will fail.

Step 3 Optional: Obtain the HMACs of the system software and configuration file. Skip this step if
HMAC check is not required.


1. Download the HashCalc tool from http://hashcalc.software.informer.com/download/. Install and start it.
2. Obtain the HMACs as follows:

NOTICE
- If the configuration file is encrypted, Key: must be the same as the encryption key in Step 1. Otherwise, the upgrade will fail.
- If the configuration file is not encrypted, ensure that Key: contains at least three of the following types of characters: upper-case letters, lower-case letters, digits, and special characters (except spaces and question marks) for security.
- Select SHA256 because the NGFW supports only this type of hash algorithm.

Step 4 Make an index file.

1. Create a text file named usb.ini.
2. Copy the following content into the text file and edit the fields. For details, see Table 5-42.
BEGIN
[USB CONFIG]
SN=
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=
[DEVICEn DESCRIPTION]
OPTION=OK
ESN=
MAC=
VERSION=
DIRECTORY=
FILENUM=2
TYPEn=
FILENAMEn=
HMACn=
END

Table 5-42 Fields in the index file

DEVICENUM
  - To upgrade the software for only one NGFW, set DEVICENUM to 1, ESN to the ESN of the NGFW, and MAC to the MAC address of the NGFW.
  - To upgrade the software of multiple NGFWs to the same version, set DEVICENUM to 1, ESN to DEFAULT, and MAC to DEFAULT.
  - To upgrade the software of multiple NGFWs to different versions, set DEVICENUM to the actual number of NGFWs to be upgraded and enter the actual values in ESN and MAC.

SN
  Enter the SN, which is the time of the automatic upgrade through USB in the format YearMonthDate.HourMinuteSecond. For example, when the upgrade time of the NGFW is 2014-12-28 08:09:10, the SN is 20141228.080910.
  NOTE
  When a USB drive storing an index file is inserted into the NGFW, the NGFW compares its SN field with the one in the index file and starts automatic upgrade through USB when they are different. After the upgrade succeeds, the NGFW sets its SN field to the one in the index file to avoid repetitive upgrade.

DEVICEn DESCRIPTION
  Enter the description of the NGFW to be upgraded. For example, DEVICE2 DESCRIPTION indicates the description of the second NGFW to be upgraded. n is an integer ranging from 1 to 100.

ESN
  Enter the ESN of the NGFW. You can run the display firewall esn command to obtain the ESN of each NGFW. To match all NGFWs, enter DEFAULT.

MAC
  Enter the MAC address of interface GigabitEthernet 0/0/0 of the NGFW. You can run the display interface GigabitEthernet 0/0/0 command to obtain the MAC address. To match all NGFWs, enter DEFAULT.

VERSION
  Enter the version name.

DIRECTORY
  Enter the path where the files are stored on the USB drive. If it is the root directory of the USB drive, enter DEFAULT; otherwise, enter the specific path, such as //test.

FILENUM
  Enter the number of upgrade file types. To upgrade either the system software or the configuration file, enter 1; to upgrade both, enter 2.

TYPEn, FILENAMEn, HMACn
  Enter the system software type and name. For example, to upgrade both the system software and the configuration file, enter system-software.bin for the system software and system-config.zip for the configuration file as follows:
  TYPE1=SYSTEM-SOFTWARE
  FILENAME1=system-software.bin
  HMAC1=0ab30a2596bd0f6744631002d941f4218f40e784ae51447ed0bf3a2ff075939a
  TYPE2=SYSTEM-CONFIG
  FILENAME2=system-config.zip
  HMAC2=27dadb18efe4c0cf00268c3d3573a1ea9c270e5c56bfda9dd9bba1d168b5d680
  The n values in TYPE, FILENAME, and HMAC must be the same.

Step 5 Save the index file.

Step 6 Copy index file usb.ini to the root directory of USB.

----End

Index File Examples

Example 1: The software of an NGFW needs to be upgraded, and HMAC check needs to be implemented to determine whether the system software has been tampered with.

Make an index file that meets the following requirements:

- The data change time is 2014-06-28 08:09:10.
- Upgrade is required.
- The device ESN is 00080123456789, and the MAC address is 0018-0303-1234.
- The system software system-software01.bin is in the root directory of the USB drive, the version is V100R001C30SPC100, and the HMAC is c3caaee8f4f6bd1389f438801e40dad9af30f2fbbe7e8f55121b39c6c16ba488.

The corresponding index file is as follows:

BEGIN
[USB CONFIG]
SN=20140628.080910
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=1
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=00080123456789
MAC=0018-0303-1234
VERSION=V100R001C30SPC100
DIRECTORY=DEFAULT
FILENUM=1
TYPE1=SYSTEM-SOFTWARE
FILENAME1=system-software01.bin
HMAC1=c3caaee8f4f6bd1389f438801e40dad9af30f2fbbe7e8f55121b39c6c16ba488
END
Example 2: The software of multiple NGFWs needs to be upgraded, and HMAC check is not required.

Make an index file that meets the following requirements:

- The data change time is 2014-06-28 08:09:10.
- Upgrade is required.
- The system software system-software01.bin is in the root directory of the USB drive, the version is V100R001C30SPC100, and HMAC check is not required.

The corresponding index file is as follows:

BEGIN
[USB CONFIG]
SN=20140628.080910
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=1
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=DEFAULT
MAC=DEFAULT
VERSION=V100R001C30SPC100
DIRECTORY=DEFAULT
FILENUM=1
TYPE1=SYSTEM-SOFTWARE
FILENAME1=system-software01.bin
END
Example 3: The software of two NGFWs needs to be upgraded, and HMAC check is not required.

Make an index file that meets the following requirements:

- The data change time is 2014-06-28 08:09:10.
- For one NGFW, the ESN is 00080123456789, the MAC address is 0018-0303-1234, the system software name is system-software01.bin, the version number is V100R001C30SPC100, the configuration file is system-config01.zip, and neither file requires HMAC check.
- For the other NGFW, the ESN is 66680123456789, the MAC address is 0018-0303-5678, the system software name is system-software02.bin, the version number is V100R001C30SPC100, the configuration file is system-config01.zip, and neither file requires HMAC check.

The corresponding index file is as follows:

BEGIN
[USB CONFIG]
SN=20140628.080910
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=2
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=00080123456789
MAC=0018-0303-1234
VERSION=V100R001C30SPC100
DIRECTORY=DEFAULT
FILENUM=2
TYPE1=SYSTEM-SOFTWARE
FILENAME1=system-software01.bin
TYPE2=SYSTEM-CONFIG
FILENAME2=system-config01.zip
[DEVICE2 DESCRIPTION]
OPTION=OK
ESN=66680123456789
MAC=0018-0303-5678
VERSION=V100R001C30SPC100
DIRECTORY=DEFAULT
FILENUM=2
TYPE1=SYSTEM-SOFTWARE
FILENAME1=system-software02.bin
TYPE2=SYSTEM-CONFIG
FILENAME2=system-config02.zip
END
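The index file layout in Table 5-42 and the HMAC check can be validated offline before the USB drive goes anywhere near a device. The following Python script is an added example, not Huawei's code: it parses usb.ini, checks the constraints Table 5-42 states (SN format, DEVICENUM and FILENUM ranges, matching n in TYPEn/FILENAMEn/HMACn), and recomputes each HMACn as HMAC-SHA256 keyed with the shared password, which is an assumption about what HashCalc produces; the index text, file contents and password it uses are constructed.

```python
import hashlib
import hmac
import re
SN_RE = re.compile(r"^\d{8}\.\d{6}$")  # Table 5-42: YearMonthDate.HourMinuteSecond
# Constructed index in the Table 5-42 layout (not copied from a device); the HMACs are filled in below.
SAMPLE_INDEX = """BEGIN
[USB CONFIG]
SN=20140628.080910
[UPGRADE INFO]
OPTION=AUTO
DEVICENUM=1
[DEVICE1 DESCRIPTION]
OPTION=OK
ESN=00080123456789
MAC=0018-0303-1234
VERSION=V100R001C30SPC100
DIRECTORY=DEFAULT
FILENUM=2
TYPE1=SYSTEM-SOFTWARE
FILENAME1=system-software01.bin
HMAC1={hmac1}
TYPE2=SYSTEM-CONFIG
FILENAME2=system-config01.zip
HMAC2={hmac2}
END
"""

def parse_index(text):
    """Parse usb.ini into {section: {field: value}}; BEGIN/END and blank lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("BEGIN", "END"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is None or "=" not in line:
            raise ValueError(f"unexpected line in index file: {raw!r}")
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.strip()
    return sections

def validate_index(sections):
    """Return the list of consistency problems; an empty list means the index obeys Table 5-42."""
    problems = []
    sn = sections.get("USB CONFIG", {}).get("SN", "")
    if not SN_RE.match(sn):
        problems.append(f"SN {sn!r} is not in YearMonthDate.HourMinuteSecond format")
    devnum = sections.get("UPGRADE INFO", {}).get("DEVICENUM", "")
    if not devnum.isdigit() or not 1 <= int(devnum) <= 100:
        return problems + ["DEVICENUM must be an integer from 1 to 100"]
    for n in range(1, int(devnum) + 1):
        name = f"DEVICE{n} DESCRIPTION"
        dev = sections.get(name)
        if dev is None:
            problems.append(f"section [{name}] is missing")
            continue
        problems += [f"[{name}] lacks {f}" for f in ("ESN", "MAC", "VERSION", "DIRECTORY") if not dev.get(f)]
        filenum = dev.get("FILENUM", "")
        if filenum not in ("1", "2"):
            problems.append(f"[{name}] FILENUM must be 1 or 2")
            continue
        for i in range(1, int(filenum) + 1):
            if not dev.get(f"TYPE{i}") or not dev.get(f"FILENAME{i}"):
                problems.append(f"[{name}] TYPE{i}/FILENAME{i} incomplete")
        # n in TYPEn, FILENAMEn and HMACn must agree: an HMACn without FILENAMEn is an error.
        for field in dev:
            if field.startswith("HMAC") and f"FILENAME{field[4:]}" not in dev:
                problems.append(f"[{name}] {field} has no matching FILENAME{field[4:]}")
    return problems

def data_hmac(data, key):
    """HMAC-SHA256 keyed with the shared password (assumed to equal HashCalc's HMAC SHA256 output)."""
    return hmac.new(key.encode(), data, hashlib.sha256).hexdigest()

def verify_hmacs(sections, read_file, key):
    """Recompute every HMACn over the bytes of FILENAMEn; read_file(name) returns that file's bytes."""
    results = {}
    for name, dev in sections.items():
        if not name.startswith("DEVICE"):
            continue
        for field, expected in dev.items():
            if field.startswith("HMAC") and dev.get(f"FILENAME{field[4:]}"):
                filename = dev[f"FILENAME{field[4:]}"]
                actual = data_hmac(read_file(filename), key)
                results[filename] = hmac.compare_digest(actual, expected.lower())
    return results

def build_and_verify(key="Huawei@123", tamper=False):
    """Constructed round trip: fill in the HMACs for two fake files, optionally alter the image afterwards, check."""
    files = {"system-software01.bin": b"FAKE-IMAGE" * 100, "system-config01.zip": b"FAKE-CONFIG"}
    index = SAMPLE_INDEX.format(hmac1=data_hmac(files["system-software01.bin"], key),
                                hmac2=data_hmac(files["system-config01.zip"], key))
    if tamper:  # image modified after the index was prepared: the HMAC check must catch it
        files["system-software01.bin"] += b"\x00"
    sections = parse_index(index)
    return validate_index(sections), verify_hmacs(sections, files.__getitem__, key)
```

For a real USB drive, pass a read_file callback that opens the named file under the DIRECTORY path, for example lambda name: open(os.path.join(usb_root, name), "rb").read().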

5.16.5.2 Automatically Upgrading System Software and Configuration File (A Configuration File Available on the NGFW)
After a USB drive storing all required files is inserted and the automatic upgrade through USB function is enabled, the NGFW starts to upgrade the system software and configuration file through USB.

Procedure
Step 1 Set the authentication password for automatic upgrade through USB on the NGFW.

NOTICE
- If configuration file encryption or HMAC check is configured, the password for automatic upgrade through USB must be the same as the configuration file encryption password and the key used to compute the HMACs.
- If neither configuration file encryption nor HMAC check is configured, ensure that the authentication password contains at least three of the following types of characters: upper-case letters, lower-case letters, digits, and special characters (except spaces and question marks) for security.

<NGFW> system-view
[NGFW] usb autoupdate password
Enter Password:
Confirm Password:

Step 2 Optional: Enable HMAC check on the NGFW if the function is required.

NOTICE
If the index file does not contain the HMAC of the upgrade file, do not enable HMAC check;
otherwise, the upgrade will fail.

[NGFW] hmac enable

Step 3 Enable automatic upgrade through USB on the NGFW.


[NGFW] autoupdate enable

Step 4 Insert the USB drive into the NGFW.

The NGFW automatically verifies the index file and starts automatic upgrade if the verification
succeeds, with the following information displayed on the screen:
Info: Auto update begin, it will take a long time, please don't power down or pull
out disk.
Info: Udisk0: The SN in the ini file is inconsistent with the device's setting, the
system need to be upgraded.

Step 5 Wait until the NGFW restarts.


NOTE
The automatic restart takes 10 to 30 minutes depending on the product model and version upgrade.

Step 6 Verify the upgrade result.


Run the display usb usb-id autoupdate state command to check the status of the automatic
upgrade through USB.
<NGFW> display usb 0 autoupdate state detail
Info: Deployment using the USB flash drive is completed successfully, and the
device has restarted.

----End

5.16.6 Feature History


This section describes the versions and changes in the upgrade through USB feature.

Version             Change Description
V100R001C20SPC700   Added automatic upgrade through USB.
V100R001C00         Supported manual upgrade through USB for the first time.

5.17 NQA
This chapter describes the Network Quality Analysis (NQA) mechanism, testing scenarios, and
general parameters and provides examples for configuring NQA.

5.17.1 Overview
The NQA function measures the performance of various protocols running on networks to ensure
that administrators can collect various network running indicators.

5.17.1.1 Introduction to NQA


NQA tests the performance of various protocols running on networks and serves as an effective
tool for diagnosing and locating network faults.


Introduction to NQA
As QoS requirements increase, especially now that traditional IP networks carry voice and video services, Service Level Agreements (SLAs) are commonly signed between broadband service providers and their subscribers.
To ensure the committed bandwidth stated in the SLA, broadband service providers require statistics on various network parameters, such as delay, jitter, and packet loss ratio, and need to learn about the performance status of the network in time. The NQA function delivered by the NGFW fulfills these requirements.
NQA measures the performance of various protocols running on networks so that broadband service providers can collect various network parameters in real time, for example, total HTTP latency, TCP latency, file transmission rate, and FTP latency. Through network management based on these parameters, broadband service providers provide users with services of different levels at different costs.

Comparison Between the NQA and Ping

NQA expands and enhances the Ping function.
Ping tests the round trip time of the Internet Control Message Protocol (ICMP) packet between the local end and the specified destination end. NQA not only delivers this function but also detects whether the TCP, UDP, DHCP, FTP, HTTP, and SNMP services are enabled and tests the response time of these services. Figure 5-81 shows the networking diagram for NQA tests.

Figure 5-81 Networking diagram for NQA tests (figure not reproduced; it shows an NQA Client reaching a Server across an IP/MPLS Network)

The information about the round trip time of each packet or whether the transmission of a packet
times out is not displayed on the console terminal in real time. You can run the display nqa
results command after the test to display the test result.
You can set the parameters of all NQA operations on the NMS and start the test.

5.17.1.2 NQA Server and NQA Client

The NQA function is implemented in client/server mode. To perform NQA tests, you need to create the proper NQA instances beforehand.

NQA Instance and NQA Client


You can perform multiple NQA tests of different types. However, each test requires an individual
NQA instance, and each instance applies to only one test type.


You need to create NQA instances on NQA clients. Each instance is identified by the
administrator who creates the instance and an operation tag.

In an instance view, you need to configure test parameters for related test. Note that not all
parameters apply to every test type.

NQA Server
For most tests, you need to configure only the NQA clients. For TCP, UDP, and Jitter tests,
however, you must configure the NQA server.

The NQA server processes the test packets from the clients. As shown in Figure 5-82, the NQA
server responds to the test request packet initiated by the client through the listening on a specific
port.

Figure 5-82 Relationship between the NQA client and the NQA server (figure not reproduced; it shows the NQA Client and the NQA Server connected across an IP/MPLS Network)

You can create multiple TCP or UDP listening services on an NQA server. Each listening service
maps a specific destination address and a port. You can specify the same destination address
and port for multiple services.

Performing NQA Tests


After you specify the destination address and port, the NQA server can respond to test request
packets from the client. The IP address and port number specified on the server must be the same
as those configured on the client.

After creating an instance and configuring related test parameters, start the NQA test by running
the start command, and then run the display nqa results command to display the test result.

5.17.2 Mechanism
For an NQA test, both the NQA client and NQA server are involved. The NQA client sends test requests to the server to initiate an NQA test. You can use commands to configure NQA instances or configure the NMS to send the relevant configuration instructions to the NGFW. Then, the NQA module on the NGFW places the configured NQA instances into the proper test queues for scheduling.

You can immediately start an NQA instance after it is configured or delay the start for a period
of time, or you can set a specific time point in the future for the NQA instance to automatically
start. After an NQA instance starts, test packets are generated based on the test type of the
instance. If the packet size specified during the configuration of the instance is smaller than the
required minimum size of the packets transmitted through the tested protocol, the minimum
packet size takes effect.


After receiving the test request packet from the client, the NQA server returns a response packet.
Then the client timestamps the received response packet with the current local system time and
sends the packet back to the NQA server. After receiving another response packet from the
server, the client calculates the round-trip time (RTT) of the packet.

NOTE

For a Jitter test instance, both the client and the server timestamp the packet with the local system time of
their own. In this way, the client can calculate the jitter time of the packet.

Based on the RTT of the packet, you can learn about the running status of the tested packet.

HTTP Test
An NQA HTTP test is used to test the response speed in three phases. Figure 5-83 shows these
phases.

- DNS resolution: It is the time for the client to receive a DNS resolution packet containing an IP address after it sends a DNS packet to the resolver for domain name resolution.
- Setting up a TCP connection: It is the time for the client to set up a TCP connection with the HTTP server through a three-way handshake.
- Transaction: It is a period from the time at which the client sends a Get or Post packet to the HTTP server to the time at which a response packet sent by the client reaches the HTTP server.

Through an HTTP test, the following items can be calculated based on the information in the
packets received by the client:

- Minimum, maximum, and total time for DNS resolution
- Minimum, maximum, and total time for setting up a TCP connection
- Minimum, maximum, and total HTTP transaction time

You can use these statistics to assess HTTP performance over the network.

Figure 5-83 Applicable scenario of the HTTP test (figure not reproduced; labels: server.com 10.2.1.1/24, DNS Server 10.3.1.1/24, 10.1.1.1/24, IP Network)


DNS Test
A DNS test is used to test the DNS resolution speed. The DNS test uses UDP packets. Figure
5-83 shows the process of a DNS test.

1. The client sends a query packet to the DNS server for domain name resolution.
2. After receiving the query packet, the DNS server returns a response packet to the client.
3. After receiving the response packet, the client calculates the time for DNS resolution based
on the time between the sending of the query packet and the receiving of the response packet
on the client. You can use the test result to assess the DNS performance over the network.

FTP Test
An FTP test is used to test the response speed of the FTP server when you download a file from
or upload a file to the server. The FTP test uses TCP packets. You can obtain the response speed
in two phases. Figure 5-84 shows the process of an FTP test.

- Setting up and maintaining a control connection: It is the time that the client uses to set up a TCP control connection with the FTP server through a three-way handshake and interchange signals through the control connection.
- Setting up and maintaining a data transmission connection: It is the time that the client uses to download a file from or upload a file to the FTP server through the data transmission connection.

Through an FTP test, the following items can be calculated based on the information in the
packets received by the client:

- Minimum, maximum, and average time to set up a control connection
- Minimum, maximum, and average time to set up a data transmission connection

You can use these statistics to assess the FTP performance over the network.

Figure 5-84 Applicable scenario of the FTP test (figure not reproduced; labels: FTP Client 192.168.0.1/24, GE0/0/0, FTP Server 192.168.0.100/24)

SNMP Test
An SNMP test is used to test the packet transfer rate between a host and an SNMP agent. The
SNMP test uses UDP packets. Figure 5-85 shows the process of an SNMP test.

1. The client sends a request packet to the SNMP agent for obtaining the system time.
2. After receiving the request packet, the SNMP agent queries the system time, constructs a
response packet, and sends the response packet to the client.


After receiving the response packet, the client calculates the packet transfer rate based on
the time between the sending of the request packet and the receiving of the response packet
on the client. You can use the test result to assess the SNMP performance over the network.

Figure 5-85 Application scenario of the SNMP test (figure not reproduced; labels: devices A, B and C, addresses 10.1.1.1/24, 10.1.1.2/24, 10.2.1.1/24, 10.2.1.2/24, SNMP Agent)

TCP Test
A TCP test is used to test the TCP connection rate between a host and a TCP server through a
three-way handshake. Figure 5-86 shows the process of a TCP test.

1. The client (device A) sends a SYN packet to the TCP server (device B).
2. After receiving the TCP SYN packet, the TCP server accepts the request and responds with a SYN-ACK packet.
3. After receiving the SYN-ACK packet, the client returns an ACK packet to the TCP server.
Then, a TCP connection is established.
The client can calculate the TCP connection rate based on the time between the sending of
the SYN packet and the receiving of the ACK packet on the client. You can use the test
result to assess the TCP performance over the network.

Figure 5-86 Applicable scenario of the TCP test (figure not reproduced; labels: devices A, B and C, addresses 10.1.1.1/24, 10.1.1.2/24, 10.2.1.1/24, 10.2.1.2/24, NQA Server)

UDP Test
A UDP test is used to test the packet transfer rate between a host and a UDP server. Figure
5-86 shows the process of a UDP test.

1. The client (device A) constructs a UDP packet and sends it to the UDP server (device B).
2. After receiving the UDP packet, the UDP server returns the packet to the client.
After receiving the returned packet, the client calculates the packet transfer rate between
the client and the UDP server based on the time between the sending and receiving of the
packet on the client. You can use the test result to assess the UDP performance over the
network.


ICMP Test
An ICMP test is used to test the reachability of the route between the NQA client and NQA
server. The ICMP test is similar to the ping command. However, the output of the test is more
diversified.

- By default, the NGFW stores the results of the latest five tests.
- The test result contains information about the average ICMP latency, the packet loss ratio, and the time at which the last packet was correctly received.

Figure 5-87 shows the process of an ICMP test.

1. The client (device A) constructs an ICMP Echo Request packet and then sends it to the
server (device B).
2. After receiving the ICMP Echo Request packet, the server responds with an ICMP Echo Reply packet.
After receiving the ICMP Echo Reply packet, the client can calculate the packet transfer rate based on the time between the sending of the ICMP Echo Request packet and the receiving of the ICMP Echo Reply packet. You can use the test result to test the reachability of the route between the client and server.

Figure 5-87 Applicable scenario of the ICMP test (figure not reproduced; it shows devices A and B)

Traceroute Test
A Traceroute test is used to detect the forwarding path between the NQA client and a destination and collect statistics related to the routers along the forwarding path. Figure 5-88 shows the process of a Traceroute test.

1. The client (device A) constructs a UDP packet and sends the packet to the destination
(device B). The TTL of the packet is 1.
2. After the first-hop router (device C) receives the UDP packet, it checks the TTL field and
finds that the TTL is set to 0. Then, device C returns an ICMP Time Exceeded packet.
3. After the client receives the ICMP Time Exceeded packet, it obtains the IP address of the
first-hop router and re-constructs a UDP packet. The TTL of this packet is 2.
4. After the second-hop router (device D) receives the UDP packet, it checks the TTL of the
packet and finds that the TTL is set to 0. Then, device D returns an ICMP Time Exceeded
packet.
5. The procedure repeats and after the packet reaches the last-hop router, the router returns
an ICMP Port Unreachable packet to the client.


The client can then obtain the forwarding path from the client to the destination and collect statistics related to each router along the forwarding path based on the ICMP packet returned by each hop. You can use these statistics to assess the network performance.

Figure 5-88 Applicable scenario of the Traceroute test (figure not reproduced; it shows devices A and B)

LSP Ping Test

An NQA LSP Ping test is used to detect the reachability of two types of LSPs: LDP LSPs and TE LSPs. Figure 5-89 shows the process of an LSP Ping test.

1. In an LSP Ping test, the client constructs a UDP MPLS Echo Request packet destined for
an IP address on network segment 127.0.0.0/8. The client searches for the LDP LSP based
on the specified remote LSR ID and then forwards the packet through the LDP LSP in the
MPLS domain. For the search for a TE LSP, the packet can be sent from a tunnel interface
and then forwarded along a specified CR-LSP.
2. The egress monitors port 3503 and then returns an MPLS Echo Reply packet.
The client can then calculate the packet transfer rate between the client and the egress based
on the time between the sending and receiving of packets. You can use the test results to
assess the network performance.


Figure 5-89 Application scenario of the LSP Ping test (figure not reproduced; labels: MPLS Backbone; devices A, B and C with Loopback1 addresses 10.10.1.9/32, 10.10.2.9/32 and 10.10.3.9/32 and link addresses 10.1.1.1/24, 10.1.1.2/24, 10.2.1.1/24, 10.2.1.2/24)

5.17.3 Setting ICMP Test Parameters

This section describes how to set ICMP test parameters on the NQA client.

Context
Do as follows on the NQA client:

Procedure
Step 1 Access the system view.
system-view

Step 2 Configure an NQA instance and access the NQA instance view.
nqa test-instance admin-name test-name

Step 3 Set the test type to ICMP.
test-type icmp

The default NQA test type is ICMP.

Step 4 Specify the destination IP address.
destination-address ipv4 ip-address

Step 5 Optional: Perform the following as required to set other ICMP test parameters.
- Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
- Specify the source interface that sends test packets.
source-interface [ interface-type interface-number ]
- Specify the source IP address.
source-address ipv4 ip-address


NOTE
If the destination IP address is in a different network segment from the source IP address, you cannot use this command. Otherwise, the NQA test fails.
- Set the size (packet header excluded) of the echo request packet.
datasize size
- Set the packet TTL value.
ttl value
ttl equals the -h option in the ping command.
- Set the type of service (ToS) field in the IP packet header.
tos value
tos equals the -tos option in the ping command.
- Configure padding characters.
datafill string
datafill equals the -p option in the ping command.
- Specify the interval for sending the test packets.
interval seconds interval
interval seconds equals the -m option in the ping command.
- Specify the percentage of the failed NQA tests.
fail-percent percent
- Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute

Step 6 Start the NQA test.
start

Use one of the following commands as required:

- Start the NQA test immediately.
start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]
- Start the NQA test at the specified time point.
start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]
- Start the NQA test after the delay of a specified period.
start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]

----End

Follow-up Procedure
Run the display nqa results command. If the following output is displayed, the test succeeds.

- testFlag is inactive
- The test is finished
- Completion:success
[NGFW] display nqa results
NQA entry(admin, icmp) :testFlag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.1.1.2
Min/Max/Average Completion Time: 31/46/36
Sum/Square-Sum Completion Time: 108/4038
Last Good Probe Time: 2006-8-2 10:7:11.4
Last Packet Loss 0 %

NOTE

NQA test results cannot be automatically displayed on a terminal. You must run the display nqa results
command to display the test results. The command output contains the test results of only the last five tests.

5.17.4 Setting DHCP Test Parameters


This section describes how to set DHCP test parameters on the NQA client.

Context
NOTE

You can configure the NGFW as a DHCP server. For details, refer to 8.4 DHCP.

Do as follows on the NQA client:

Procedure
Step 1 Access the system view.
system-view

Step 2 Configure an NQA instance and access the NQA instance view.
nqa test-instance admin-name test-name

Step 3 Set the test type to DHCP.


test-type dhcp

Step 4 Specify the source interface that sends the DHCP request packet.
source-interface interface-type interface-number

The specified source interface can be an Ethernet interface connected to the DHCP server, an
Eth-Trunk interface, or a Vlanif interface.

Step 5 Optional: Run the following commands to configure other parameters for the DHCP test.
l Set the timeout of the NQA test.
timeout time
NOTE

For the DHCP test, the time between the sending of the probe packet and the receiving of the response
packet may last for 10 seconds. By default, the timeout period is 15 seconds. You are advised to set the
timeout period longer than 10 seconds.
l Set the percentage of failed probes at which the NQA test is regarded as failed.
fail-percent percent

Step 6 Start the NQA test.


start

Use one of the following commands as required:

l Start the NQA test immediately.


start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test at a specified time point.
start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test after the delay of a specified period.
start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay
{ seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]

----End

Follow-up Procedure
Run the display nqa results command. Completion:success indicates that the test succeeded. The output
also lists the following counters, which should be checked for losses even when the test succeeds:

l Number of disconnections from the server and number of timeout operations.
l Number of times the server was busy and number of failed connections.
l Number of operations with incorrect sequences and number of discarded packets.
l Number of incorrect statistics collections.
<NGFW> display nqa results
NQA entry(admin, dhcp) :testFlag is inactive ,testtype is dhcp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 2
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:2
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.1.1.3
Min/Max/Average Completion Time: 1030/1030/1030
Sum/Square-Sum Completion Time: 1030/1060900
Last Good Probe Time: 2009-6-2 16:00:2.2

5.17.5 Setting the FTP Download Test Parameters


During the FTP download test, the NQA client also serves as the FTP client.

Context
NOTE

If you set the FTP source port, you must set the FTP destination port at the same time. Ensure both ports
are the same.
FTP sends the user name and password in clear text, and the account is configured on the NGFW. Use a
dedicated account that has only read access to the test file rather than an administrative account.

Do as follows on the NQA client (FTP client):

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name

Step 3 Set the test type to FTP.


test-type ftp

Step 4 Specify the destination IP address.


destination-address ipv4 ip-address [ lsp-masklen masklen | lsp-loopback loopback-
address ] *

Step 5 Specify the source IP address.


source-address ipv4 ip-address

Step 6 Optional: Perform the following operations as required to configure other parameters of the
FTP Download test:
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the FTP source port.
source-port port-number
l Specify the FTP destination port.
destination-port port-number
l Configure the NQA client to send packets without querying the routing table.
sendpacket passroute

Step 7 Set the FTP operation to GET.


ftp-operation get

The default FTP operation type is Get.

Step 8 Specify the FTP user name.


ftp-username name

Step 9 Specify the FTP password.


ftp-password password

Step 10 Specify the name of the file to be downloaded.


ftp-filename file-name

NOTE

During the FTP download test, select a file with a relatively small size for the test. If the file is too large,
the test may fail because of timeout.

Step 11 Start the NQA test.


start

Use one of the following commands as required.

l Start the NQA test immediately.

start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test at a specified time point.
start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test after the delay of a specified period.
start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay
{ seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]

----End

Follow-up Procedure
Run the display nqa results command. If Completion is success and the following timing items are
displayed, the test succeeded.

l "CtrlConnTime"
l "DataConnTime"
l "SumTime"
<NGFW> display nqa results
NQA entry(admin, ftp) :testFlag is inactive ,testtype is ftp
1 . Test 1 result The test is finished
SendProbe:1 ResponseProb:1
Completion :success RTD OverThresholds number: 0
MessageBodyOctetsSum: 448 Stats errors number: 0
Operation timeout number: 0 System busy operation number:0
Drop operation number:0 Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 438/438/438
DataConnTime Min/Max/Average: 218/218/218
SumTime Min/Max/Average: 656/656/656

5.17.6 Setting the FTP Upload Test Parameters


During the FTP upload test, the NQA client also serves as the FTP client.

Context
NOTE

If you set the FTP source port, set the destination port at the same time. Ensure both ports are the same.
FTP sends the user name and password in clear text, and the account is configured on the NGFW. Use a
dedicated account that has write access to the upload directory only, not an administrative account.

Do as follows on the NQA client (FTP client):

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name

Step 3 Set the test type to FTP.


test-type ftp

Step 4 Specify the destination IP address.

destination-address ipv4 ip-address [ lsp-masklen masklen | lsp-loopback loopback-
address ] *

Step 5 Specify the source IP address.


source-address ipv4 ip-address

Step 6 Optional: Perform the following operations as required to set other parameters for the FTP
upload test:
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the source port.
source-port port-number
l Specify the destination port.
destination-port port-number
l Configure the NQA test client to send test packets without querying the routing table.
sendpacket passroute

Step 7 Set the FTP operation type to PUT.


ftp-operation put

The default FTP operation type is Get.

Step 8 Specify the FTP user name.


ftp-username name

Step 9 Specify the FTP password.


ftp-password password

Step 10 Perform the following operations as required to upload a file.


l Specify the name of a file to be uploaded if necessary. If you specify a file without specific
path, the system searches for the file in the current directory. If no matches are found, the
system constructs a file using the specified file name. The size of the file for the upload test
is 1 MB.
ftp-filename file-name
NOTE

l The file name cannot contain characters, such as ~, *, /, \, ', ", but the file path can contain these
characters.
l The file name can include the file name extension but cannot be the file name extension only, such
as .txt.
l Specify the size of the file to be uploaded if necessary.
ftp-filesize size
The client then automatically creates a file named nqa-ftp-test.txt for the upload.
NOTE

During the FTP test, select a file with a relatively small size. If the file is too large, the test may fail because
of timeout.

Step 11 Start the NQA upload test.


start

Select the start modes as required.

l Start the NQA test immediately.


start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test at a specified time point.
start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test after the delay of a specified period.
start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay
{ seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]

----End

Follow-up Procedure
Run the display nqa results command. If Completion is success and the following timing items are
displayed, the test succeeded.

l "CtrlConnTime"
l "DataConnTime"
l "SumTime"
<NGFW> display nqa results
NQA entry(admin, ftp) :testFlag is inactive ,testtype is ftp
1 . Test 1 result The test is finished
SendProbe:1 ResponseProb:1
Completion :success RTD OverThresholds number: 0
MessageBodyOctetsSum: 5120 Stats errors number: 0
Operation timeout number: 0 System busy operation number:0
Drop operation number:0 Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 657/657/657
DataConnTime Min/Max/Average: 500/500/500
SumTime Min/Max/Average: 1157/1157/1157

5.17.7 Setting HTTP Test Parameters


During the HTTP test, the NQA client also serves as the HTTP client.

Context
Do as follows on the NQA client (HTTP client):

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name

Step 3 Set the test type to HTTP.


test-type http

Step 4 Specify the destination IP address.


destination-address ipv4 ip-address

Step 5 Optional: Perform the following operations as required to set other parameters for the HTTP
test:
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the source IP address.
source-address ipv4 ip-address
l Specify the source port.
source-port port-number
l Specify the destination port.
destination-port port-number
NOTE

The default destination port is 80.


l Specify the percentage of the failed HTTP tests.
fail-percent percent
l Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute

Step 6 Set the HTTP operation type.


http-operation { get | post }

The default HTTP operation type is Get.

Step 7 Specify the name of the web page to be accessed during the test and the HTTP version
http-url deststring [ verstring ]

NOTE

Specify the name of the web page in the http-url deststring [ verstring ] command. Do not include http://
or the domain name. Otherwise, the test may fail.
If the HTTP version is not specified, HTTP 1.0 is used by default. You can set the HTTP version to
HTTP 1.1.

Step 8 Start the NQA test.


start

Select one of the following operations as required.

l Start the NQA test immediately.


start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test at a specified time point.
start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test after the delay of a specified period.
start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay
{ seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]

----End

Follow-up Procedure
Run the display nqa results command. If Completions is success and the following timing items are
displayed, the test succeeded.

l "DNSRTT"
l "TCPConnectRTT"
l "TransactionRTT and RTT"
<NGFW> display nqa results
NQA entry(admin, http) :testFlag is inactive ,testtype is http
1 . Test 1 result The test is finished
SendProbe:3 ResponseProb:3
Completions: success OverThresholdsnumber: 0
MessageBodyOctetsSum: 0 TargetAddress: 10.2.2.2
DNSQueryError number: 0 HTTPError number: 0
TcpConnError number : 3 System busy operation number:0
DNSRTT Sum/Min/Max:0/0/0 TCPConnectRTT Sum/Min/Max: 7/2/3
TransactionRTT Sum/Min/Max: 11/3/4 RTT Sum/Min/Max: 18/5/7
DNSServerTimeout:0 TCPConnectTimeout:0 TransactionTimeout: 0

5.17.8 Setting the DNS Test Parameters


During the DNS test, the NQA client also serves as the DNS client.

Context
Do as follows on the NQA client (DNS client):

Procedure
Step 1 Access the system view.
system-view

Step 2 Configure the IP address of the DNS server in the system view.


dns server ip-address

Step 3 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name

Step 4 Set the test type to DNS.


test-type dns

Step 5 Specify the IP address of the DNS server.


dns-server ipv4 ip-address

Step 6 Specify the URL of the destination host.


destination-address url urlstring

Step 7 Start the NQA test.


start

Select the start modes as required.

l Start the NQA test immediately.


start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test at a specified time point.

start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test after the delay of a specified period.
start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay
{ seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]

----End

Follow-up Procedure
Run the display nqa results [ admin-name test-name ] command. If the following output is
displayed, the test succeeds.
<NGFW> display nqa results
NQA entry(admin, dns) :testFlag is inactive ,testtype is dns
1 . Test 1 result The test is finished
Send operation times: 1 Receive response times: 1
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.3.1.1
Min/Max/Average Completion Time: 5/5/5
Sum/Square-Sum Completion Time: 5/25
Last Good Probe Time: 2008-9-27 16:21:42.4

5.17.9 Setting Traceroute Test Parameters


The output of the NQA traceroute test is more informative than that of the common traceroute
command.

Context
Do as follows on the NQA client:

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name

Step 3 Set the test type to traceroute.


test-type traceroute

Step 4 Specify the destination address for the traceroute test.


destination-address ipv4 ip-address

Step 5 Perform the following operations as required to set other parameters for the Traceroute test:
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the maximum hop failures.
tracert-hopfailtimes

l Specify the initial TTL and the maximum TTL of the test packets.
tracert-livetime first-ttl first-ttl max-ttl max-ttl
l Set the ToS field in the IP packet header.
tos value
l Specify the source IP address.
source-address ipv4 ip-address
l Specify the destination port.
destination-port port-number
l Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute
Step 6 Start the NQA test.
start

Select one of the following start modes as required.


l Start the NQA test immediately.
start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test at a specified time point.
start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test after the delay of a specified period.
start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay
{ seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]

----End

Follow-up Procedure
Run the display nqa results command. If the statistics of each hop is displayed, the test succeeds.
<NGFW> display nqa results
NQA entry(admin, trace) :testFlag is inactive ,testtype is trace
1 . Test 1 result The test is finished
Completion:success Attempts number:1
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Drop operation number:0
Last good path Time:2006-8-5 14:38:58.5
1 . Hop 1
Send operation times: 3 Receive response times: 3
Min/Max/Average Completion Time: 46/47/41
Sum/Square-Sum Completion Time: 125/5349
OverThresholds number: 0
Last Good Probe Time: 2006-8-5 14:38:58.3
Destination ip address:10.1.1.2
2 . Hop 2
Send operation times: 3 Receive response times: 3
Min/Max/Average Completion Time: 31/79/62
Sum/Square-Sum Completion Time: 188/13286
RTD OverThresholds number: 0
Last Good Probe Time: 2006-8-5 14:38:58.5
Destination ip address:10.2.1.2

5.17.10 Setting the SNMP Query Test Parameters


This section describes how to set SNMP test parameters on the NQA client.

Context
Do as follows on the NQA client:

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name

Step 3 Set the test type to SNMP.


test-type snmp

Step 4 Specify the destination IP address which is the IP address of the SNMP agent.
destination-address ipv4 ip-address

NOTE

The SNMP agent must be enabled on the destination host. Otherwise, the destination host does not respond
to the SNMP query packets.

Step 5 Optional: Perform the following operations as required to set other parameters for the SNMP
test:
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Set the source IP address.
source-address ipv4 ip-address
l Specify the source port.
source-port port-number
l Specify the interval for sending test packets.
interval seconds interval
l Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute

Step 6 Start the NQA test.


start

Select one of the following start modes as required.

l Start the NQA test immediately.


start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test at a specified time point.
start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]

l Start the NQA test after the delay of a specified period.


start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay
{ seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]

----End

Follow-up Procedure
Run the display nqa results [ admin-name test-name ] command. If the following output is
displayed, the test succeeds.
<NGFW> display nqa results
NQA entry(admin, snmp) :testFlag is inactive ,testtype is snmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 63/172/109
Sum/Square-Sum Completion Time: 329/42389
Last Good Probe Time: 2006-8-5 15:33:49.1

5.17.11 Configuring the TCP Test


This section describes how to use the NQA to test the speed for establishing a TCP connection.

5.17.11.1 Configuring the TCP Server


This section describes how to configure the TCP listening service on the TCP server.

Context
Do as follows on the NQA server:

Procedure
Step 1 Access the system view.
system-view

Step 2 Configure the TCP listening service.


nqa-server tcpconnect [ vpn-instance vpn-instance-name ] ip-address port-number

Note that the IP address and port listened on by the server must be the same as those configured on
the client. The listening service responds to any host that can reach that address and port, so bind it
to the address the NQA clients use and disable it when the tests are finished.

----End

5.17.11.2 Configuring the TCP Client


This section describes how to configure the NQA test on the TCP client.

Context
Do as follows on the NQA client (TCP client):

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name

Step 3 Set the test type to TCP.


test-type tcp

Step 4 Specify the destination IP address.


destination-address ipv4 ip-address [ lsp-masklen masklen | lsp-loopback loopback-
address ] *

Step 5 Specify the destination port.


destination-port port-number

Step 6 Optional: Perform the following operations as required to set other parameters for the TCP test:
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the source IP address.
source-address ipv4 ip-address
l Specify the source port.
source-port port-number
l Set the interval for sending test packets.
interval seconds interval
l Set the percentage of the failed NQA tests.
fail-percent percent
l Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute

Step 7 Start the NQA test.


start

Select one of following start modes as required:

l Start the NQA test immediately.


start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test at the specified time point.
start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test after the delay of a specified period.

start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay
{ seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]

The differences between the TCP Public tests and TCP Private tests are as follows:

l For TCP Public tests, connection requests are sent to TCP port 7. You do not need to specify the
destination port on the client. However, you must configure the server to listen on TCP port 7.
l For TCP Private tests, you must specify the destination port on the client and enable the
listening service on the server.

----End

Follow-up Procedure
l Run the display nqa results [ admin-name test-name ] command to display the test results
on the NQA client.
l Run the display nqa-server command to display the information about the NQA server.

Run the display nqa results command. If the following output is displayed, the test succeeds.
<NGFW> display nqa results
NQA entry(admin, tcp) :testFlag is inactive ,testtype is tcp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 31/62/51
Sum/Square-Sum Completion Time: 155/8649
Last Good Probe Time: 2009-8-5 15:55:15.3

5.17.12 Configuring the UDP Test


This section describes how to use the NQA to measure the time taken to exchange UDP packets with the
UDP echo service on the NQA server.

5.17.12.1 Configuring the UDP Server


This section describes how to configure the UDP listening service on the NQA server.

Context
Do as follows on the NQA server:

Procedure
Step 1 Access the system view.
system-view

Step 2 Configure the UDP listening service.


nqa-server udpecho [ vpn-instance vpn-instance-name ] ip-address port-number

NOTICE
The IP address and port listened on by the server must be the same as those specified on the client.
The UDP echo service responds to any host that can reach that address and port, so bind it to the
address the NQA clients use and disable it when the tests are finished.

----End

5.17.12.2 Configuring the UDP Client


This section describes how to configure the NQA test on the UDP client.

Context
Do as follows on the NQA client:

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name

Step 3 Set the test type to UDP.


test-type udp

Step 4 Specify the destination IP address.


destination-address ipv4 ip-address [ lsp-masklen masklen | lsp-loopback loopback-
address ] *

Step 5 Specify the destination port.


destination-port port-number

Step 6 Optional: Perform the following operations as required to set other parameters for the UDP test:
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the source IP address.
source-address ipv4 ip-address
l Specify the source port.
source-port port-number
l Specify the interval for sending test packets.
interval seconds interval
l Specify the percentage of failed probes at which the NQA test is regarded as failed.
fail-percent percent
l Configure the NQA client to send test packets without querying the routing table.
sendpacket passroute

Step 7 Start the NQA test.


start

Select the start modes as required.

l Start the NQA test immediately.


start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test at the specified time point.
start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test after the delay of a specified period.
start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay
{ seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]

The differences between the UDP Public test and the UDP Private test are as follows:

l For UDP Public tests, test packets are sent to UDP port 7. You do not need to specify the
destination port on the client. However, you must configure the server to listen on UDP port 7.
l For UDP Private tests, you must specify the destination port on the client and enable the
listening service on the server.

----End

Follow-up Procedure
l Run the display nqa results [ admin-name test-name ] command to display the test results
on the NQA client.
l Run the display nqa-server command to display the information about the NQA server.

Run the display nqa results command. If the following output is displayed, the test succeeds.
<NGFW> display nqa results
NQA entry(admin, udp) :testFlag is inactive ,testtype is udp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 32/109/67
Sum/Square-Sum Completion Time: 203/16749
Last Good Probe Time: 2009-8-5 16:9:21.6
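The following Python script is an added example for this guide; it is not Huawei code and does not run on the NGFW. It parses the display nqa results output format that the ICMP, DHCP, DNS, SNMP, TCP, and UDP tests above share (the DHCP output from 5.17.4 is embedded as constructed sample input) and applies the check a monitoring job needs: Completion:success on its own does not mean every probe was answered, as the DHCP sample with three probes sent and two answered shows, so the script computes the probe loss from the send and receive counters and compares it with a fail-percent threshold. The regular expressions are derived from the sample layout on this page, and the default fail-percent of 100 is an assumption of the example, not a value stated in this guide.

```python
"""Parse the `display nqa results` text shown for the ICMP, DHCP, DNS, SNMP, TCP
and UDP tests and apply a pass/fail check. Added example; not Huawei code.
The field layout (two "key: value" pairs per line) is taken from the samples on
this page; DHCP_SAMPLE is a copy of the DHCP output, used as constructed input."""
import re

# "NQA entry(admin, dhcp) :testFlag is inactive ,testtype is dhcp"
HEADER_RE = re.compile(
    r"NQA entry\((\w+), (\w+)\) :testFlag is (\w+) ,testtype is (\w+)")
# "Send operation times: 3 Receive response times: 2" -> two pairs on one line
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z/\- ]*?)\s*:\s*([^\s:]+)")
# ICMP output only: "Last Packet Loss 0 %"
LOSS_RE = re.compile(r"Last Packet Loss\s+(\d+)\s*%")

DHCP_SAMPLE = """\
NQA entry(admin, dhcp) :testFlag is inactive ,testtype is dhcp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 2
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:2
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.1.1.3
Min/Max/Average Completion Time: 1030/1030/1030
Sum/Square-Sum Completion Time: 1030/1060900
Last Good Probe Time: 2009-6-2 16:00:2.2
"""

# Every error counter the common output format exposes.
ERROR_COUNTERS = (
    "Drop operation number", "Disconnect operation number",
    "Operation timeout number", "Connection fail number",
    "Operation sequence errors number", "RTT Stats errors number",
    "RTD OverThresholds number",
)


def parse_nqa_results(text):
    """Return {'admin', 'test', 'flag', 'type', 'fields': {...}} for one entry.
    Numeric values become ints; everything else stays a string."""
    result = {"fields": {}}
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            result.update(zip(("admin", "test", "flag", "type"), m.groups()))
            continue
        m = LOSS_RE.search(line)
        if m:
            result["fields"]["Last Packet Loss"] = int(m.group(1))
            continue
        for key, val in PAIR_RE.findall(line):
            result["fields"][key.strip()] = int(val) if val.isdigit() else val
    return result


def probe_loss_percent(fields):
    """Loss computed from the send/receive counters, not from Completion."""
    sent = fields.get("Send operation times", 0)
    received = fields.get("Receive response times", 0)
    return 100.0 if sent == 0 else 100.0 * (sent - received) / sent


def evaluate(text, fail_percent=100):
    """Verdict a monitoring job would want. fail_percent mirrors the CLI's
    fail-percent parameter; 100 (fail only when every probe fails) is assumed
    here as the default, the page does not state the device default."""
    parsed = parse_nqa_results(text)
    fields = parsed["fields"]
    loss = probe_loss_percent(fields)
    finished = parsed.get("flag") == "inactive"
    completed = fields.get("Completion") == "success"
    errors = sum(fields.get(k, 0) for k in ERROR_COUNTERS)
    return {
        "passed": finished and completed and loss < fail_percent,
        "loss_percent": loss,
        "errors": errors,  # can be non-zero even when Completion is success
        "rtt": fields.get("Min/Max/Average Completion Time"),
    }


if __name__ == "__main__":
    print(evaluate(DHCP_SAMPLE))
    print(evaluate(DHCP_SAMPLE, fail_percent=30))
```

With the page's DHCP sample the verdict is passed with the assumed default, but a fail-percent of 30 turns the same output into a failure because one of three probes went unanswered; the errors count of 2 (the timeout counter) is what a script should alert on rather than the Completion field alone.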

5.17.13 Configuring the Jitter Test


This section describes how to configure a UDP jitter test.

5.17.13.1 Configuring the NQA Server for the Jitter Test


This section describes how to configure the UDP listening service on the NQA server.

Context
The jitter time refers to the interval for sending two adjacent packets minus the interval for
receiving the two packets.

The process of a Jitter test is as follows:

1. The client sends packets to the destination at a specified interval.
2. After receiving each packet, the server timestamps the packet and returns it to the client.
3. After receiving the returned packet, the client calculates the jitter time as the difference between
the interval at which two adjacent packets were sent and the interval at which they were received.

You can use the maximum, minimum, and average jitter time calculated based on the information
received on the source to assess network performance.

In a Jitter test, you can set the number of packets to be sent consecutively. Through this setting,
you can simulate traffic of certain types within a short period. For example, you can set 3000
UDP packets to be sent at an interval of 20 milliseconds for the simulation of G711 traffic.
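The following Python script is an added example for this guide, not Huawei code. It works through the three steps above on constructed timestamps: six probes sent at the 20 ms G.711 spacing, the server's receive and reply timestamps carried back in each echo, and the client computing jitter as the receive interval minus the send interval, separately for each direction, together with the maximum one-way delay that requires the NTP-synchronised clocks recommended later in this section. The way it attributes a lost packet to the source-to-destination or destination-to-source direction (from gaps in a receive counter the server places in its replies) is the example's own assumption; this guide does not describe the device's mechanism.

```python
"""Jitter-test arithmetic for the process described above. Added example; not
Huawei code. Times are in milliseconds. One-way delays assume the client and
server clocks are NTP-synchronised. Loss-direction inference from a server
receive counter is this example's own assumption. All timing data is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Reply:
    """What the client sees for one probe; None fields mean no reply arrived."""
    seq: int                        # client sequence number
    t_send: int                     # client send time
    srv_seq: Optional[int] = None   # server receive counter carried in the reply
    t_srv_rx: Optional[int] = None  # server receive timestamp
    t_srv_tx: Optional[int] = None  # server reply timestamp
    t_recv: Optional[int] = None    # client receive time


def simulate(n, interval, sd_delay, ds_delay, lost_sd=(), lost_ds=()):
    """Constructed exchange: sd_delay/ds_delay give per-probe one-way delays,
    lost_sd/lost_ds the client seqs dropped source->destination and back."""
    replies, srv_counter = [], 0
    for i in range(n):
        r = Reply(i, i * interval)
        if i not in lost_sd:
            srv_counter += 1            # the server saw this probe
            if i not in lost_ds:        # ... and its reply came back
                r.srv_seq = srv_counter
                r.t_srv_rx = r.t_send + sd_delay[i]
                r.t_srv_tx = r.t_srv_rx + 1          # 1 ms server turnaround
                r.t_recv = r.t_srv_tx + ds_delay[i]
        replies.append(r)
    return replies


def classify_loss(replies):
    """Split unanswered probes into (sd, ds, unknown) counts. Between two
    answered probes the server counter tells how many of the missing probes it
    did receive (DS loss); the rest never arrived (SD). Probes after the last
    answered one cannot be classified."""
    answered = [r for r in replies if r.t_recv is not None]
    sd = ds = 0
    prev_seq, prev_srv = -1, 0
    for r in answered:
        missing = r.seq - prev_seq - 1
        seen_by_server = r.srv_seq - prev_srv - 1
        ds += seen_by_server
        sd += missing - seen_by_server
        prev_seq, prev_srv = r.seq, r.srv_seq
    unknown = len(replies) - 1 - prev_seq
    return sd, ds, unknown


def jitter_stats(replies):
    """Jitter per direction between consecutive answered probes (receive
    interval minus send interval), plus the maximum one-way delay per direction."""
    answered = [r for r in replies if r.t_recv is not None]
    if not answered:
        raise ValueError("no replies received")
    sd, ds = [], []
    for a, b in zip(answered, answered[1:]):
        sd.append((b.t_srv_rx - a.t_srv_rx) - (b.t_send - a.t_send))
        ds.append((b.t_recv - a.t_recv) - (b.t_srv_tx - a.t_srv_tx))

    def summary(xs):
        if not xs:
            return {"min": 0, "max": 0, "avg": 0.0,
                    "positive_max": 0, "negative_max": 0}
        return {"min": min(xs), "max": max(xs), "avg": sum(xs) / len(xs),
                "positive_max": max((x for x in xs if x > 0), default=0),
                "negative_max": max((-x for x in xs if x < 0), default=0)}

    return {"sd": summary(sd), "ds": summary(ds),
            "max_owd_sd": max(r.t_srv_rx - r.t_send for r in answered),
            "max_owd_ds": max(r.t_recv - r.t_srv_tx for r in answered)}


# Constructed run: six probes at the 20 ms G.711 spacing, probe 2 lost on the
# way out, probe 4's reply lost on the way back.
SD_DELAY = [10, 12, 15, 11, 30, 10]
DS_DELAY = [8, 8, 9, 20, 8, 8]
RUN = simulate(6, 20, SD_DELAY, DS_DELAY, lost_sd={2}, lost_ds={4})

if __name__ == "__main__":
    print(classify_loss(RUN))
    print(jitter_stats(RUN))
```

Jitter is computed only between consecutively answered probes, so a lost probe widens the interval on both sides equally and does not by itself register as jitter; the one-way figures, unlike the round-trip ones, are only meaningful when both clocks are synchronised.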

Procedure
Step 1 Access the system view.
system-view

Step 2 Configure the UDP listening service.


nqa-server udpecho [ vpn-instance vpn-instance-name ] ip-address port-number

Note that the IP address and port listened by the NQA server must be the same as those specified
on the client.

NOTE

To improve the test accuracy, you can configure the Network Time Protocol (NTP) on both the client and
the server.

----End

5.17.13.2 Configuring the NQA Client for the Jitter Test


This section describes how to configure the jitter test on the NQA client.

Context
NOTE

The system supports the collection of the statistics on the maximum unidirectional transmission delay.

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name

Step 3 Set the test type to jitter.


test-type jitter

Step 4 Specify the destination IP address.


destination-address ipv4 ip-address

Step 5 Specify the destination port.


destination-port port-number

Step 6 Optional: Perform the following operations as required to set other parameters for the Jitter test:
l Configure the VPN instance to be tested.
vpn-instance vpn-instance-name
l Specify the source IP address.
source-address ipv4 ip-address
l Specify the source port.
source-port port-number
l Set the number of test packets sent each time.
jitter-packetnum number
The Jitter test collects statistics on and performs analysis on the transmission delay of the
UDP packets. The system sends multiple test packets for each test to calibrate the statistics
and analysis. The more test packets are sent, the more accurate the statistics and analysis are.
This process, however, is time consuming.
NOTE

The number of Jitter tests performed depends on the probe-count command, and the number of test packets
sent in each test depends on the jitter-packetnum command. When configuring them, make sure that the
number of tests multiplied by the number of test packets per test is less than 3000.
l Set the interval for sending test packets.
interval { milliseconds interval | seconds interval }
The shorter the interval for sending the Jitter test packets is, the faster the test is completed.
If the interval, however, is set to a very small value, the test result may be inaccurate.
l Specify the percentage of the failed NQA tests.
fail-percent percent
l Configure the client to send test packets without querying the routing table.
sendpacket passroute
l Specify the version number of Jitter packets in the system view.
nqa-jitter tag-version { 1 | 2 }
If version 2 is used, after enabling the collection of statistics on the packet loss across a
unidirectional link, you can view the packet loss across the link from the source to the
destination, from the destination to the source, and from unknown directions. According to
the statistics, you can easily locate network faults and detect attacks.

Step 7 Start the NQA test.


start

Select the start modes as required.

l Start the NQA test immediately.


start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test at a specified time point.
start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test after the delay of a specified period
start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay
{ seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]

----End

Follow-up Procedure
The configurations for jitter tests are complete.
l Run the display nqa results command to display the test results on the NQA client.
l Run the display nqa-server command to display the information about the NQA server.
If the following output is displayed, the jitter test succeeds.
<NGFW> display nqa results test-instance admin jitter
NQA entry(admin, jitter) :testFlag is inactive ,testtype is jitter
1 . Test 1 result The test is finished
SendProbe:100 ResponseProbe:100
Completion :success RTD OverThresholds number:0
OWD OverThresholds SD number:0 OWD OverThresholds DS number:0
Min/Max/Avg/Sum RTT:1/13/2/211 RTT Square Sum:589
NumOfRTT:100 Drop operation number:0
Operation sequence errors number:0 RTT Stats errors number:0
System busy operation number:0 Operation timeout number:0
Min Positive SD:1 Min Positive DS:1
Max Positive SD:1 Max Positive DS:11
Positive SD Number:11 Positive DS Number:22
Positive SD Sum:11 Positive DS Sum:36
Positive SD Square Sum :11 Positive DS Square Sum :154
Min Negative SD:1 Min Negative DS:1
Max Negative SD:1 Max Negative DS:11
Negative SD Number:11 Negative DS Number:20
Negative SD Sum:11 Negative DS Sum:35
Negative SD Square Sum :11 Negative DS Square Sum :157
Max Delay SD:6 Max Delay DS:6
Packet Loss SD:0 Packet Loss DS:0
Packet Loss Unknown:0 Average of Jitter:1
Average of Jitter SD:1 Average of Jitter DS:1
jitter out value:0.1960239 jitter in value:0.5825673
NumberOfOWD:100
OWD SD Sum:10 OWD DS Sum:101

NOTE

If the delay for the source end to send packets is longer than that for the destination end to receive packets,
the jitter is a negative value.
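The following Python script is an added example and is not part of the Huawei guide. It derives the statistics named in the output above (Positive/Negative SD and DS Number, Sum and Square Sum, Max Delay, Packet Loss SD/DS, Average of Jitter) from per-packet timestamps, using the usual UDP-jitter definitions; these definitions are an assumption about how the device computes the fields: one-way delay is measured in each direction, jitter is the difference between the one-way delays of consecutive packets, and a decrease is reported as negative jitter, as the NOTE above describes. The Probe class, the function names and the timestamps are constructed for the example.

```python
"""Derive jitter statistics of the kind 'display nqa results' prints for a jitter
test (added example; not Huawei code). Field names follow the guide's sample
output; the definitions below are an assumption about the device. Timestamps
are constructed test data in milliseconds."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Probe:
    t1: int                   # sent by the NQA client (source)
    t2: Optional[int] = None  # received by the NQA server; None = lost on the SD path
    t3: Optional[int] = None  # echo sent by the server
    t4: Optional[int] = None  # echo received by the client; None = lost on the DS path


def one_way_delays(probes):
    """SD and DS delay lists, skipping packets lost in the respective direction."""
    sd = [p.t2 - p.t1 for p in probes if p.t2 is not None]
    ds = [p.t4 - p.t3 for p in probes if p.t3 is not None and p.t4 is not None]
    return sd, ds


def packet_loss(probes):
    """Per-direction loss counts, like the 'Packet Loss SD/DS' fields."""
    lost_sd = sum(1 for p in probes if p.t2 is None)
    lost_ds = sum(1 for p in probes if p.t2 is not None and p.t4 is None)
    return lost_sd, lost_ds


def _summary(values):
    return {"Number": len(values), "Sum": sum(values),
            "Square Sum": sum(v * v for v in values),
            "Min": min(values, default=0), "Max": max(values, default=0)}


def direction_stats(delays):
    """Positive/negative jitter counters for one direction. A drop in delay from
    one packet to the next is negative jitter; it is kept as a magnitude,
    which is how the device prints the Negative fields."""
    positive = [b - a for a, b in zip(delays, delays[1:]) if b > a]
    negative = [a - b for a, b in zip(delays, delays[1:]) if b < a]
    return {"Positive": _summary(positive), "Negative": _summary(negative),
            "Max Delay": max(delays, default=0), "OWD Sum": sum(delays)}


def average_jitter(*stats):
    """Mean jitter magnitude over all counted (non-zero) differences, truncated
    to whole milliseconds as the 'Average of Jitter' fields appear to be."""
    count = sum(s["Positive"]["Number"] + s["Negative"]["Number"] for s in stats)
    total = sum(s["Positive"]["Sum"] + s["Negative"]["Sum"] for s in stats)
    return total // count if count else 0


def jitter_report(probes):
    """Flatten everything into the field names used by 'display nqa results'."""
    sd_delays, ds_delays = one_way_delays(probes)
    sd, ds = direction_stats(sd_delays), direction_stats(ds_delays)
    lost_sd, lost_ds = packet_loss(probes)
    report = {"SendProbe": len(probes), "ResponseProbe": len(ds_delays),
              "Packet Loss SD": lost_sd, "Packet Loss DS": lost_ds,
              "Max Delay SD": sd["Max Delay"], "Max Delay DS": ds["Max Delay"],
              "OWD SD Sum": sd["OWD Sum"], "OWD DS Sum": ds["OWD Sum"],
              "Average of Jitter SD": average_jitter(sd),
              "Average of Jitter DS": average_jitter(ds),
              "Average of Jitter": average_jitter(sd, ds)}
    for tag, stats in (("SD", sd), ("DS", ds)):
        for sign in ("Positive", "Negative"):
            for key, value in stats[sign].items():
                # "Min Positive SD" / "Max Negative DS" vs. "Positive SD Number"
                name = f"{key} {sign} {tag}" if key in ("Min", "Max") else f"{sign} {tag} {key}"
                report[name] = value
    return report


# Constructed sample: 8 packets sent 20 ms apart (the interval the guide uses
# in its G.711 example), six answered, one lost outbound, one lost on return.
SAMPLE_PROBES = [
    Probe(0, 3, 4, 6), Probe(20, 24, 25, 27), Probe(40, 44, 45, 48),
    Probe(60, 62, 63, 66), Probe(80, 85, 86, 87), Probe(100, 105, 106, 107),
    Probe(120),                  # never reached the server
    Probe(140, 145, 146, None),  # server answered, echo never came back
]

if __name__ == "__main__":
    for name, value in jitter_report(SAMPLE_PROBES).items():
        print(f"{name}:{value}")
```

With the constructed probes the SD delays are 3, 4, 4, 2, 5, 5, 5 ms, so the positive SD jitters are 1 and 3 ms and the only negative SD jitter is 2 ms; the report gives Average of Jitter SD 2, Average of Jitter DS 1, Packet Loss SD 1 and Packet Loss DS 1. Zero differences are counted in neither direction, which is why the Positive and Negative Numbers in the guide's sample add up to less than the number of probes.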

5.17.14 Setting the Parameters for an LSP Ping Test in the LDP Tunnel
This section describes how to set the parameters on the NQA client for an LSP Ping test in the
LDP tunnel.

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name

Step 3 Set the test type to LSP Ping.


test-type lspping

Step 4 Specify the destination IP address to be tested.


destination-address ipv4 ip-address { lsp-masklen masklen | lsp-loopback loopback-address }*

Step 5 Optional: Perform the following operations as required to configure other parameters for the
LSP Ping test:
l Configure the response mode of the echo packet.
lsp-replymode { no-reply | udp }
NOTE

In a unidirectional LSP Ping test, if the lsp-replymode no-reply command is executed, the test result
always reports a failure, whether or not the test actually succeeded. If the test succeeded, the result
also shows the number of timed-out packets; if it failed, the result shows the number of discarded
packets.
l Specify the source IP address.
source-address ipv4 ip-address
l Specify the packet size.
datasize size
NOTE
The sum of datasize and the size of the packet header should be less than the MTU of the interface.
Otherwise, the test may fail.
l Set the maximum TTL value of the packet.
ttl number
l Set the LSP EXP value.
lsp-exp exp
l Set the padding character of the packet.
datafill fillstring
l Set the interval for sending test packets.
interval seconds interval
l Set the percentage of the failed NQA tests.
fail-percent percent

Step 6 Start the NQA test.


start

Select one of the following start modes as required.

l Start the NQA test immediately.
start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test at a specified time.
start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test after the delay of a specified period.
start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay
{ seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]

----End

Follow-up Procedure
The configuration of the LSP Ping test is complete.

l Run the display nqa results command to display the test results on the NQA client.
l Run the display nqa-server command to display the information about the NQA server.

Run the display nqa results command. If the following output is displayed, the test succeeds.

l Statistics about errors
l History statistics of each test packet
l Statistics of results of each test
<NGFW> display nqa results
NQA entry(admin, test) :testFlag is inactive ,testtype is lspping
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.1.1.2
Min/Max/Average Completion Time: 4/5/4
Sum/Square-Sum Completion Time: 13/57
Last Good Probe Time: 2009-11-19 19:46:28.8

5.17.15 Creating an NQA Test Group


This section describes how to create a test group on the NQA client based on the type of the test
group.

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA test instance and access the test instance view.
nqa test-instance admin-name test-name

Step 3 Set the test type.


test-type { icmp | jitter }

The default test type is ICMP.

Step 4 Convert the current instance to a group.


switch-to group

Step 5 Return to the system view.


quit

Step 6 Access the view of the existing NQA test instance.


nqa test-instance admin-name test-name

Step 7 Add the current NQA test instance to the created test group.
join group nqa admin-name test-name

Step 8 Return to the system view.


quit

Step 9 Access the view of the created test group.


nqa test-instance admin-name test-name

Step 10 Optional: Set the test period for the test group.
group-testperiod period

The default interval between two test groups is 60 seconds.

NOTE

If a test group contains more tests than can run within its test period, the group test cannot be
started. Therefore, set the test period according to the number of tests in the group.

Step 11 Start the NQA test.


start

Select the start modes as required.

l Start the NQA test immediately.


start now [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds second | hh:mm:ss } |
lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test at a specified time point.
start at [ yyyy/mm/dd ] hh:mm:ss [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay { seconds
second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]
l Start the NQA test after the delay of a specified period.
start delay { seconds second | hh:mm:ss } [ end { at [ yyyy/mm/dd ] hh:mm:ss | delay
{ seconds second | hh:mm:ss } | lifetime { seconds second | hh:mm:ss } ]

----End

Follow-up Procedure
The configuration of the NQA test group is complete.

l Run the display nqa results command to display the test results on the NQA client.
<NGFW> display nqa results
NQA entry(admin, test1) :testflag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 1
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:2
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.1.1.1
Min/Max/Average Completion Time: 2/2/2
Sum/Square-Sum Completion Time: 2/4
Last Good Probe Time: 2009-3-2 10:59:31.8
Lost packet ratio: 66 %
NQA entry(admin, test2) :testflag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.1.1.2
Min/Max/Average Completion Time: 3/6/4
Sum/Square-Sum Completion Time: 13/61
Last Good Probe Time: 2009-3-2 10:59:46.9
Lost packet ratio: 0 %

l Run the display nqa-agent command to view the status of the test on the NQA client.
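The following Python script is an added example and is not part of the Huawei guide. It parses the two result layouts that display nqa results prints in this chapter (the jitter layout of 5.17.13.2 and the icmp/lspping layout of 5.17.14 and 5.17.15) into key/value fields and flags the entries a monitoring job should raise: a completion other than success, probe loss above a limit (reproducing the Lost packet ratio of 66 % shown above for 3 probes sent and 1 answered), round-trip or one-way delay over the configured threshold, and, for jitter tests, per-direction packet loss or excessive average jitter. The sample output is constructed after the guide's examples, and the loss and jitter limits are assumptions chosen for the example.

```python
"""Parse and assess 'display nqa results' output (added example; not Huawei code).
Field names come from the guide; the sample output and the alert limits are
constructed for this example."""
import re
from dataclasses import dataclass, field

# One "Key: value" pair. A line may carry two pairs side by side; keys may
# contain spaces, slashes and dashes ("Min/Max/Avg/Sum RTT"); a value may be
# followed by a numeric token (the time part of "Last Good Probe Time").
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9 /-]*?)\s*:\s*(\S+(?:\s+\d[\d:.]*)?)")
# Entry header: "NQA entry(admin, jitter) :testFlag is inactive ,testtype is jitter"
ENTRY_RE = re.compile(r"NQA entry\((\w+), ([\w-]+)\)\s*:.*?testtype is (\w+)", re.IGNORECASE)


@dataclass
class NqaEntry:
    admin: str
    name: str
    test_type: str
    fields: dict = field(default_factory=dict)


def parse_nqa_results(text: str) -> list:
    """Split command output into entries and collect each entry's key/value fields."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append(NqaEntry(m.group(1), m.group(2), m.group(3).lower()))
            continue
        if not entries:
            continue  # prompt and echoed command before the first entry
        for key, value in PAIR_RE.findall(line):
            entries[-1].fields[key.strip()] = value.strip()
    return entries


def _num(fields: dict, key: str) -> int:
    """Integer value of a scalar field; 0 when absent or not a plain integer."""
    try:
        return int(fields.get(key, "0"))
    except ValueError:
        return 0


def loss_percent(sent: int, received: int) -> int:
    """Integer loss ratio as the device prints it (3 sent, 1 answered -> 66 %)."""
    return (sent - received) * 100 // sent if sent else 100


def assess(entry: NqaEntry, max_loss_percent: int = 10, max_avg_jitter_ms: int = 5) -> list:
    """Findings for one entry; an empty list means it looks healthy.
    The two limits are assumptions for this example, not device defaults."""
    f = entry.fields
    findings = []
    if f.get("Completion", "").lower() != "success":
        findings.append(f"completion is {f.get('Completion', 'unknown')}")
    if entry.test_type == "jitter":
        sent, received = _num(f, "SendProbe"), _num(f, "ResponseProbe")
    else:
        sent, received = _num(f, "Send operation times"), _num(f, "Receive response times")
    loss = loss_percent(sent, received)
    if loss > max_loss_percent:
        findings.append(f"lost {loss}% of probes ({received}/{sent} answered)")
    if _num(f, "RTD OverThresholds number") > 0:
        findings.append("round-trip delay exceeded the configured rtd threshold")
    if entry.test_type == "jitter":
        for direction in ("SD", "DS", "Unknown"):
            lost = _num(f, f"Packet Loss {direction}")
            if lost:
                findings.append(f"{lost} packets lost, direction {direction}")
        if _num(f, "OWD OverThresholds SD number") or _num(f, "OWD OverThresholds DS number"):
            findings.append("one-way delay exceeded the configured owd threshold")
        avg = _num(f, "Average of Jitter")
        if avg > max_avg_jitter_ms:
            findings.append(f"average jitter {avg} ms is above {max_avg_jitter_ms} ms")
    return findings


def assess_all(text: str) -> dict:
    """Map 'admin/name' to its findings for every entry in the output."""
    return {f"{e.admin}/{e.name}": assess(e) for e in parse_nqa_results(text)}


# Constructed sample modelled on the guide's jitter and ICMP result listings.
SAMPLE_OUTPUT = """\
<NGFW> display nqa results
NQA entry(admin, jitter) :testFlag is inactive ,testtype is jitter
  1 . Test 1 result   The test is finished
   SendProbe:100                  ResponseProbe:100
   Completion :success            RTD OverThresholds number:0
   OWD OverThresholds SD number:0 OWD OverThresholds DS number:0
   Min/Max/Avg/Sum RTT:1/13/2/211 RTT Square Sum:589
   Packet Loss SD:0               Packet Loss DS:0
   Packet Loss Unknown:0          Average of Jitter:1
   Average of Jitter SD:1         Average of Jitter DS:1
NQA entry(admin, test1) :testflag is inactive ,testtype is icmp
  1 . Test 1 result   The test is finished
   Send operation times: 3        Receive response times: 1
   Completion:success             RTD OverThresholds number: 0
   Attempts number:1              Drop operation number:0
   Disconnect operation number:0  Operation timeout number:2
   Destination ip address:10.1.1.1
   Min/Max/Average Completion Time: 2/2/2
   Last Good Probe Time: 2009-3-2 10:59:31.8
   Lost packet ratio: 66 %
"""

if __name__ == "__main__":
    for key, findings in assess_all(SAMPLE_OUTPUT).items():
        print(key, findings or "ok")
```

Run stand-alone, the script reports the jitter entry as ok and the ICMP entry with one finding for 66 % loss. Feeding it the text captured from a real device session works the same way, since it only relies on the field names that appear in the listings above; fields it does not know are kept in the entry's dictionary for further checks.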

5.17.16 Setting General NQA Test Parameters


This section describes how to set the general NQA test parameters.

Context
Do as follows on the NQA client:

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA test instance and access the instance view.
nqa test-instance admin-name test-name

Step 3 Perform the following operations as required to set the general parameters:
l Specify the description of the instance.
description string
l Specify the timeout period of the test.
timeout time
l Specify the number of probe packets sent during each test.
probe-count number
NOTE

The number of probe packets for each test does not apply to FTP and DNS tests.
l Specify the NQA test interval.
frequency interval
l Prohibit packet fragmentation.
set-df

NOTE

The set-df command applies only to traceroute tests.


l Specify the maximum number of test history entries.
records history number
l Specify the maximum number of recorded test results.
records result number
l Set the test aging time.
agetime hh:mm:ss

----End

Follow-up Procedure
The configurations of general NQA test parameters are complete.

l Run the display nqa-agent command to display the configured general parameters on the NQA client.
<NGFW> display nqa-agent
NQA Tests Max:2000 NQA Tests Number: 2
NQA Flow Max:1000 NQA Flow Remained:1000

nqa test-instance a a
test-type pwe3trace
local-pw-id 1
vc-type bgp
nqa status : normal
nqa test-instance a b
test-type icmpjitter
destination-address ipv4 10.1.1.201
source-address ipv4 10.1.1.200
hardware-based enable
ttl 100
tos 100
timeout 20
nqa status : normal

5.17.17 Setting Round-Trip Delay Thresholds


This section describes how to set the round-trip delay threshold on the device where the NQA
test is performed.

Context
Do as follows on the NQA client:

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA test instance and access the instance view.
nqa test-instance admin-name test-name

Step 3 Specify the round-trip delay threshold for test packets.


threshold rtd value

Step 4 Enable the trap function.


send-trap overthreshold

----End

Follow-up Procedure
l Run the display nqa-agent [ admin-name operation-tag ] [ verbose ] command to display
the configured round-trip delay threshold on the NQA client.
<NGFW> display nqa-agent test jitter verbose
1 NQA entry(admin, icmp):
test type:icmp current flag:inactive
current status:finished current completion:success
start at : no start time end at : no end time
nqa status : normal
configuration :
test-type icmp
threshold rtd 2
send-trap rtd

5.17.18 Setting the Unidirectional Delay Threshold


This section describes how to set the unidirectional delay threshold on the NQA client for test
packets.

Context
Do as follows on the NQA client:

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA test instance and access the instance view.
nqa test-instance admin-name test-name

Step 3 Specify the unidirectional delay threshold for test packets.


threshold owd value

----End

Follow-up Procedure
The configurations of the unidirectional delay threshold are complete.

l Run the display nqa-agent [ admin-name operation-tag ] [ verbose ] command to display
the configured unidirectional delay threshold on the NQA client.
<NGFW> display nqa-agent test jitter verbose
1 NQA entry(test, jitter):
test type:jitter current flag:inactive
current status:finished current completion:success
start at : no start time end at : no end time
nqa status : normal
configuration :
test-type jitter
destination-address ipv4 10.1.1.2
destination-port 2900
threshold owd-sd 1

5.17.19 Configuring the Trap Function


This section describes how to configure the trap function for an NQA test.

5.17.19.1 Sending Trap Messages When Tests Fail


After the configuration is complete, if an NQA test fails, the NGFW sends a trap message.

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA test instance and access the instance view.
nqa test-instance admin-name test-name

Step 3 Enable the trap function for the NGFW to send trap messages if a test fails.
send-trap

By default, the trap function is disabled.

Step 4 Specify the number of failed tests that triggers the sending of the trap message.
test-failtimes times

By default, a trap message is sent for each failed test.

----End

5.17.19.2 Sending Trap Messages When Probes Fail


After the configuration is complete, if a probe in an NQA test fails, the NGFW sends a trap message.

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA test instance and access the instance view.
nqa test-instance admin-name test-name

Step 3 Enable the trap function for the NGFW to send trap messages when a probe fails.
send-trap probefailure

By default, the trap function is disabled.

Step 4 Configure the number of probe failures that triggers the sending of the trap message.
probe-failtimes times

By default, a trap message is sent for each failed probe.

----End

5.17.19.3 Sending Trap Messages When Probes Are Complete


This section describes how to enable the trap function for the NGFW to send a trap message
after the NQA test is complete.

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA instance and access the instance view.


nqa test-instance admin-name test-name

Step 3 Enable the trap function for the NGFW to send a trap message after the NQA test is complete.
send-trap testcomplete

By default, the trap function is disabled.

----End

5.17.19.4 Sending Trap Messages When the Transmission Delay Exceeds the Threshold
This section describes how to enable the NGFW to send a trap message when the transmission
delay exceeds the threshold during an NQA test.

Procedure
Step 1 Access the system view.
system-view

Step 2 Create an NQA instance and access the instance view.


nqa test-instance admin-name test-name

Step 3 Enable the trap function for the NGFW to send a trap message when the transmission delay
exceeds the threshold.
send-trap overthreshold

By default, the trap function is disabled.

----End

5.17.20 Maintaining NQA


This section describes how to maintain network quality analysis (NQA) by restarting test cases,
clearing statistics, and debugging.

5.17.20.1 Restarting an NQA Test Instance


This section describes how to terminate a running instance by restarting it.

Context

NOTICE
Restarting an NQA test instance interrupts the running of the test.

To restart an NQA test instance, run the following command in the NQA test instance view.

Table 5-43 Restarting NQA test instances

Action Command

Restart an NQA test instance. restart

5.17.20.2 Clearing NQA Statistics


This section describes how to clear historical statistics in the NQA view.

Context

NOTICE
NQA statistics cannot be restored after you clear them. Therefore, confirm the action before you
use the command.

To clear NQA statistics, run the following command in the NQA view.

Table 5-44 Clearing NQA statistics

Action Command

Clear the history statistics and test result of an NQA test. clear-records

5.17.20.3 Debugging NQA


This section describes how to debug the NQA when a fault occurs.

Context
Before you enable the debugging function, you must run the terminal monitor and terminal
debugging commands in the user view to enable the display of terminal information and terminal
debugging messages, so that the debugging messages can be displayed on the terminal.

NOTICE
Enabling debugging affects system performance. Therefore, run the undo debugging all command to
disable debugging as soon as you have finished.

For details on the debugging commands, refer to the Debugging Reference.


Table 5-45 shows the related operation of debugging NQA.

Table 5-45 Debugging NQA

Action Command

Debug NQA. debugging nqa

5.17.21 Configuration Examples


This section provides examples for configuring NQA tests.

5.17.21.1 Example for Performing an ICMP Test


This section provides an example on how to perform an ICMP test on the NQA client to test
whether the peer device is reachable.

Networking Requirements
As shown in Figure 5-90, NGFW_A functions as the NQA client to test whether NGFW_B is
reachable.

Figure 5-90 Networking diagram of the ICMP test
[Figure: NGFW_A (NQA agent) GE1/0/1 10.1.1.1/24 ---- GE1/0/1 10.1.1.2/24 NGFW_B]

Configuration Roadmap
1. Perform an ICMP test to check whether the packet sent by NGFW_A can arrive at NGFW_B and
obtain the round-trip time (RTT) of the packet.

Procedure
Step 1 Set the IP addresses.
# Set the IP address for the NGFW_A.

<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/1] quit

# Set the IP address for the NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[NGFW_B-GigabitEthernet1/0/1] quit

Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.

Step 3 Start the NQA client and create an ICMP test.


<NGFW_A> system-view
[NGFW_A] nqa test-instance admin icmp
[NGFW_A-nqa-admin-icmp] test-type icmp
[NGFW_A-nqa-admin-icmp] destination-address ipv4 10.1.1.2

Step 4 Start the test immediately.


[NGFW_A-nqa-admin-icmp] start now

----End

Result
[NGFW_A-nqa-admin-icmp] display nqa results admin icmp
NQA entry(admin, icmp) :testFlag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.1.1.2
Min/Max/Average Completion Time: 31/46/36
Sum/Square-Sum Completion Time: 108/4038
Last Good Probe Time: 2009-8-2 10:7:11.4

5.17.21.2 Example for Performing a DHCP Test


This section provides an example on how to perform a DHCP test on two adjacent NGFWs to
test the time for the DHCP server (one of the NGFWs) to assign an IP address to the other
NGFW.

Networking Requirements
As shown in Figure 5-91,
l NGFW_B functions as the DHCP server.
l Perform a DHCP test to obtain the time that the DHCP server takes to assign an IP address to
the client (NGFW_A).

Figure 5-91 Configuration Roadmap
[Figure: NGFW_A (NQA agent) GE1/0/1 10.2.1.1/24 ---- GE1/0/1 10.2.1.2/24 NGFW_B (DHCP Server)]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure NGFW_A as the NQA client.


2. Create a DHCP instance and perform the DHCP test on NGFW_A to check whether
NGFW_A can set up a connection with NGFW_B and obtain an IP address from
NGFW_B.

Procedure
Step 1 Set the IP addresses.

# Set the IP address for the NGFW_A.


<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[NGFW_A-GigabitEthernet1/0/1] quit

# Set the IP address for the NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.1.2 24
[NGFW_B-GigabitEthernet1/0/1] quit

Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.

Step 3 Enable the NQA client and create a DHCP instance.


<NGFW_A> system-view
[NGFW_A] undo dhcp enable
[NGFW_A] nqa test-instance admin dhcp
[NGFW_A-nqa-admin-dhcp] test-type dhcp
[NGFW_A-nqa-admin-dhcp] source-interface GigabitEthernet 1/0/1
[NGFW_A-nqa-admin-dhcp] timeout 20

Step 4 Start the test immediately.


[NGFW_A-nqa-admin-dhcp] start now

----End

Result
[NGFW_A-nqa-admin-dhcp] display nqa results admin dhcp
NQA entry(admin, dhcp) :testFlag is active ,testtype is dhcp
1 . Test 1 result The test is finished
Send operation times: 1 Receive response times: 1
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.3
Min/Max/Average Completion Time: 1020/1040/1030
Sum/Square-Sum Completion Time: 3090/3182900
Last Good Probe Time: 2011-1-19 16:15:12.2

5.17.21.3 Example for Performing an FTP Download Test


This section provides an example on how to perform an FTP download test on two adjacent
NGFWs. One NGFW functions as the FTP server, and the other functions as the FTP client.

Networking Requirements
As shown in Figure 5-92, NGFW_A serves as the NQA client, and NGFW_B serves as the FTP
server. NGFW_A logs in to NGFW_B for downloading a test file.

Figure 5-92 Networking diagram of the FTP download test
[Figure: NGFW_A (FTP Client) GE1/0/1 10.1.1.1/24 ---- GE1/0/1 10.1.1.2/24 NGFW_B (FTP Server)]

Item Data

FTP user name and password user name: user1; password: hello@123

Test file of the FTP test test.txt

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure NGFW_A as the NQA client.


2. Create an FTP instance and start the test on NGFW_A to check whether NGFW_A can set
up a connection with the FTP server and obtain the time that NGFW_A uses to download
the test file from the FTP server.

Procedure
Step 1 Set IP addresses.

# Set IP address for the NGFW_A.

<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/1] quit

# Set IP address for the NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[NGFW_B-GigabitEthernet1/0/1] quit

Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.

Step 3 Configure NGFW_B as the FTP server.


[NGFW_B] ftp server enable
[NGFW_B] aaa
[NGFW_B-aaa] manager-user user1
[NGFW_B-aaa-manager-user-user1] password
Enter Password:
Confirm Password:
[NGFW_B-aaa-manager-user-user1] level 3
[NGFW_B-aaa-manager-user-user1] service-type ftp
[NGFW_B-aaa-manager-user-user1] ftp-directory hda1:/
[NGFW_B-aaa-manager-user-user1] quit
[NGFW_B-aaa] quit

Step 4 Create an FTP instance on NGFW_A.


<NGFW_A> system-view
[NGFW_A] nqa test-instance admin ftp
[NGFW_A-nqa-admin-ftp] test-type ftp
[NGFW_A-nqa-admin-ftp] destination-address ipv4 10.1.1.2
[NGFW_A-nqa-admin-ftp] source-address ipv4 10.1.1.1
[NGFW_A-nqa-admin-ftp] ftp-operation get
[NGFW_A-nqa-admin-ftp] ftp-username user1
[NGFW_A-nqa-admin-ftp] ftp-password hello@123
[NGFW_A-nqa-admin-ftp] ftp-filename test.txt

Step 5 Start the test immediately.


[NGFW_A-nqa-admin-ftp] start now

----End

Result
After the test, you can run the display nqa results admin command to display the test result.
[NGFW_A-nqa-admin-ftp] display nqa results admin ftp
NQA entry(admin, ftp) :testFlag is inactive ,testtype is ftp
1 . Test 1 result The test is finished
SendProbe:1 ResponseProbe:1
Completion :success RTD OverThresholds number: 0
MessageBodyOctetsSum: 86 Stats errors number: 0
Operation timeout number: 0 System busy operation number:0
Drop operation number:0 Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 50/50/50
DataConnTime Min/Max/Average: 20/20/20
SumTime Min/Max/Average: 70/70/70

5.17.21.4 Example for Performing an FTP Upload Test


This section provides an example on how to perform an FTP upload test on the NGFW.

Networking Requirements
As shown in Figure 5-93, NGFW_A serves as the FTP client and tests the speed of uploading
a file to the FTP server (NGFW_C).

Figure 5-93 Networking diagram of the FTP upload test
[Figure: NGFW_A (FTP Client) GE1/0/2 10.1.1.1/24 ---- GE1/0/2 10.1.1.2/24 NGFW_B GE1/0/1 10.2.1.1/24 ---- GE1/0/2 10.2.1.2/24 NGFW_C (FTP Server)]

Item Data

FTP user name and password user name: user1; password: hello@123

Name of the test file to be uploaded nqa-ftp-test.txt

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure NGFW_A (NQA client) as an FTP client.


2. Create an FTP instance and start the test on NGFW_A to check whether NGFW_A can set
up a connection with the FTP server and obtain the time that NGFW_A uses to upload the
test file to the FTP server.
3. Enter the password to log in to the FTP server to upload a file.

Procedure
Step 1 Set the IP addresses.

# Set IP address for the NGFW_A.


<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/2] quit

# Set IP addresses for the NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/2
[NGFW_B-GigabitEthernet1/0/2] ip address 10.1.1.2 24
[NGFW_B-GigabitEthernet1/0/2] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[NGFW_B-GigabitEthernet1/0/1] quit

# Set IP address for the NGFW_C.


<NGFW_C> system-view
[NGFW_C] interface GigabitEthernet 1/0/2
[NGFW_C-GigabitEthernet1/0/2] ip address 10.2.1.2 24
[NGFW_C-GigabitEthernet1/0/2] quit

Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.

Step 3 Configure reachable routes between NGFW_A and NGFW_C. The detailed procedure is
omitted.

Step 4 Configure NGFW_C as the FTP server.


[NGFW_C] ftp server enable
[NGFW_C] aaa
[NGFW_C-aaa] manager-user user1
[NGFW_C-aaa-manager-user-user1] password
Enter Password:
Confirm Password:
[NGFW_C-aaa-manager-user-user1] level 3
[NGFW_C-aaa-manager-user-user1] service-type ftp
[NGFW_C-aaa-manager-user-user1] ftp-directory hda1:/
[NGFW_C-aaa-manager-user-user1] quit
[NGFW_C-aaa] quit

Step 5 Create an FTP instance on NGFW_A and create a 10 KB file for uploading.
<NGFW_A> system-view
[NGFW_A] nqa test-instance admin ftp
[NGFW_A-nqa-admin-ftp] test-type ftp
[NGFW_A-nqa-admin-ftp] destination-address ipv4 10.2.1.2
[NGFW_A-nqa-admin-ftp] source-address ipv4 10.1.1.1
[NGFW_A-nqa-admin-ftp] ftp-operation put
[NGFW_A-nqa-admin-ftp] ftp-username user1
[NGFW_A-nqa-admin-ftp] ftp-password hello@123
[NGFW_A-nqa-admin-ftp] ftp-filesize 10

Step 6 Start the test immediately.


[NGFW_A-nqa-admin-ftp] start now

----End

Result
l You can run the display nqa results admin ftp command on NGFW_A to display the test
result.
[NGFW_A-nqa-admin-ftp] display nqa results admin ftp
NQA entry(admin, ftp) :testFlag is inactive ,testtype is ftp
1 . Test 1 result The test is finished
SendProbe:1 ResponseProbe:1
Completion :success RTD OverThresholds number:0
MessageBodyOctetsSum: 86 Stats errors number:0
Operation timeout number: 0 System busy operation number:0
Drop operation number:0 Disconnect operation number:0
CtrlConnTime Min/Max/Average: 50/50/50
DataConnTime Min/Max/Average: 20/20/20
SumTime Min/Max/Average: 70/70/70

- On NGFW_C, you can see that a file named nqa-ftp-test.txt has been added.


<NGFW_C> dir
Directory of hda1:/
0 -rw- 331 Jul 06 2009 18:34:34 private-data.txt
1 -rw- 10240 Jul 06 2009 18:37:06 nqa-ftp-test.txt
2540 KB total (1536 KB free)

5.17.21.5 Example for Performing an HTTP Test


This section provides an example on how to test HTTP response speed on the NGFW.

Networking Requirements
As shown in Figure 5-94, the NGFW connects to the HTTP server through the WAN. Perform
an HTTP test to test the response speed of the HTTP server.

Figure 5-94 Networking diagram of the HTTP test (NGFW GE1/0/1 10.1.1.1/24 reaches the HTTP Server 10.2.1.1/24 over the IP network)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the NGFW as an NQA client.
2. Create an HTTP instance and start the HTTP test on the NGFW to check whether
the NGFW can set up a connection with the HTTP server and obtain the time for transferring
a file between the NGFW and the HTTP server.

Procedure
Step 1 Set the IP address.
<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[NGFW-GigabitEthernet1/0/1] quit

Step 2 Add the interface to the corresponding security zone and configure a security policy between security
zones. Details are omitted.
Step 3 Create an HTTP instance on NGFW.
<NGFW> system-view
[NGFW] nqa test-instance admin http

[NGFW-nqa-admin-http] test-type http
[NGFW-nqa-admin-http] destination-address ipv4 10.2.1.1
[NGFW-nqa-admin-http] http-operation get
[NGFW-nqa-admin-http] http-url www.example.com

Step 4 Start the test immediately.


[NGFW-nqa-admin-http] start now

----End

Result
After the test, you can run the display nqa results admin http command to display the test
result.
[NGFW-nqa-admin-http] display nqa results admin http
NQA entry(admin, http) :testFlag is inactive ,testtype is http
1 . Test 1 result The test is finished
SendProbe:3 ResponseProbe:0
Completions: failed RTD OverThresholdsnumber: 0
MessageBodyOctetsSum: 0 TargetAddress: 10.2.1.1
DNSQueryError number: 0 HTTPError number: 0
TcpConnError number : 0 System busy operation number:0
DNSRTT Sum/Min/Max:0/0/0 TCPConnectRTT Sum/Min/Max: 0/0/0
TransactionRTT Sum/Min/Max: 0/0/0 RTT Sum/Min/Max: 0/0/0
DNSServerTimeout:0 TCPConnectTimeout:3 TransactionTimeout: 0

5.17.21.6 Example for Performing a DNS Test


This section provides an example on how to perform a DNS test on the NGFW.

Networking Requirements
As shown in Figure 5-95, the NGFW functions as a DNS client and accesses the host at
10.2.1.1/24 using the domain name example.com.

Figure 5-95 Networking diagram of the DNS test (NGFW GE1/0/1 10.1.1.1/24 reaches the host server.com 10.2.1.1/24 and the DNS Server 10.3.1.1/24 over the IP network)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the NGFW as an NQA client.
2. Create a DNS instance and start the test on the NGFW to check whether the NGFW can set
up a connection with the DNS server and measure how quickly the DNS server responds to
an address resolution request.

Procedure
Step 1 Set the IP address.
<NGFW> system-view
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[NGFW-GigabitEthernet1/0/1] quit

Step 2 Add the interface to the corresponding security zone and configure a security policy between security
zones. Details are omitted.
Step 3 Configure reachable routes between the NGFW, the DNS server, and the host to be accessed.
(The detailed procedure is omitted.)
Step 4 Create a DNS instance.
<NGFW> system-view
[NGFW] dns server 10.3.1.1
[NGFW] nqa test-instance admin dns
[NGFW-nqa-admin-dns] test-type dns
[NGFW-nqa-admin-dns] dns-server ipv4 10.3.1.1
[NGFW-nqa-admin-dns] destination-address url example.com

Step 5 Start the test immediately.


[NGFW-nqa-admin-dns] start now

----End

Result
After the test, you can run the display nqa results admin dns command to display the test result.
[NGFW-nqa-admin-dns] display nqa results admin dns
NQA entry(admin, dns) :testFlag is inactive ,testtype is dns
1 . Test 1 result The test is finished
Send operation times: 1 Receive response times: 1
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address: 10.3.1.1
Min/Max/Average Completion Time: 1/1/1
Sum/Square-Sum Completion Time: 1/1
Last Good Probe Time: 2009-9-3 10:52:5.7

5.17.21.7 Example for Performing a Traceroute Test


This section provides an example on how to perform a traceroute test on the NGFW.

Networking Requirements
As shown in Figure 5-96, NGFW_A connects to NGFW_C through NGFW_B and serves as
the NQA client. Perform the traceroute test on NGFW_A to trace the routing path to
GigabitEthernet 1/0/1 on NGFW_C.


Figure 5-96 Networking diagram of the traceroute test (NGFW_A GE1/0/2 10.1.1.1/24 to NGFW_B GE1/0/2 10.1.1.2/24; NGFW_B GE1/0/1 10.2.1.1/24 to NGFW_C GE1/0/2 10.2.1.2/24)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure NGFW_A as an NQA client.
2. Create a traceroute instance and perform the traceroute test on NGFW_A to obtain the
statistics on each hop along the path from NGFW_A to NGFW_C.

Procedure
Step 1 Set the IP addresses.

# Set the IP address for the NGFW_A.


<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/2] quit

# Set the IP address for the NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/2
[NGFW_B-GigabitEthernet1/0/2] ip address 10.1.1.2 24
[NGFW_B-GigabitEthernet1/0/2] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[NGFW_B-GigabitEthernet1/0/1] quit

# Set the IP address for the NGFW_C.


<NGFW_C> system-view
[NGFW_C] interface GigabitEthernet 1/0/2
[NGFW_C-GigabitEthernet1/0/2] ip address 10.2.1.2 24
[NGFW_C-GigabitEthernet1/0/2] quit

Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.

Step 3 Configure reachable routes between NGFW_A and NGFW_C. (The detailed procedure is
omitted.)

Step 4 Create a traceroute instance on NGFW_A and set the destination IP address of the test packets
to 10.2.1.2.
<NGFW_A> system-view
[NGFW_A] nqa test-instance admin trace
[NGFW_A-nqa-admin-trace] test-type trace
[NGFW_A-nqa-admin-trace] destination-address ipv4 10.2.1.2

Step 5 Start the test immediately.


[NGFW_A-nqa-admin-trace] start now

----End

Result
After the test, you can run the display nqa results admin trace command on NGFW_A to
display the test result.
[NGFW_A-nqa-admin-trace] display nqa results admin trace
NQA entry(admin, trace) :testFlag is inactive ,testtype is trace
1 . Test 1 result The test is finished
Completion:success Attempts number:1
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Drop operation number:0
Last good path Time:2009-8-5 14:38:58.5
1 . Hop 1
Send operation times: 3 Receive response times: 3
Min/Max/Average Completion Time: 46/47/41
Sum/Square-Sum Completion Time: 125/5349
RTD OverThresholds number: 0
Last Good Probe Time: 2009-8-5 14:38:58.3
Destination ip address:10.1.1.2
2 . Hop 2
Send operation times: 3 Receive response times: 3
Min/Max/Average Completion Time: 31/79/62
Sum/Square-Sum Completion Time: 188/13286
RTD OverThresholds number: 0
Last Good Probe Time: 2009-8-5 14:38:58.5
Destination ip address:10.2.1.2

5.17.21.8 Example for Performing an SNMP Test


This section provides an example on how to perform an SNMP test on the NGFW.

Networking Requirements
As shown in Figure 5-97, NGFW_C functions as an SNMP agent. It is required to perform an
SNMP test on NGFW_A to obtain the time between the sending of a query packet and the receiving of the
reply packet.

Figure 5-97 Networking diagram of the SNMP test (NGFW_A GE1/0/2 10.1.1.1/24 to NGFW_B GE1/0/2 10.1.1.2/24; NGFW_B GE1/0/1 10.2.1.1/24 to NGFW_C GE1/0/2 10.2.1.2/24)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure NGFW_A as an NQA client.
2. Create an SNMP instance and start the test on NGFW_A.
3. Enable the SNMP Agent on NGFW_C.

Procedure
Step 1 Set the IP addresses.

# Set the IP address for the NGFW_A.


<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/2] quit

# Set the IP address for the NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/2
[NGFW_B-GigabitEthernet1/0/2] ip address 10.1.1.2 24
[NGFW_B-GigabitEthernet1/0/2] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[NGFW_B-GigabitEthernet1/0/1] quit

# Set the IP address for the NGFW_C.


<NGFW_C> system-view
[NGFW_C] interface GigabitEthernet 1/0/2
[NGFW_C-GigabitEthernet1/0/2] ip address 10.2.1.2 24
[NGFW_C-GigabitEthernet1/0/2] quit

Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.

Step 3 Configure reachable routes between NGFW_A and NGFW_C. (The detailed procedure is
omitted.)

Step 4 Enable the SNMP Agent on NGFW_C.


<NGFW_C> system-view
[NGFW_C] snmp-agent

Step 5 Create an SNMP instance on NGFW_A.


<NGFW_A> system-view
[NGFW_A] nqa test-instance admin snmp
[NGFW_A-nqa-admin-snmp] test-type snmp
[NGFW_A-nqa-admin-snmp] destination-address ipv4 10.2.1.2

Step 6 Start the test immediately.


[NGFW_A-nqa-admin-snmp] start now

----End

Result
After the test, you can run the display nqa results admin snmp command to display the test
result.
[NGFW_A-nqa-admin-snmp] display nqa results admin snmp
NQA entry(admin, snmp) :testFlag is inactive ,testtype is snmp
1 . Test 1 result The test is finished

Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 63/172/109
Sum/Square-Sum Completion Time: 329/42389
Last Good Probe Time: 2009-8-5 15:33:49.1

5.17.21.9 Example for Performing a TCP Test


This section provides an example on how to perform a TCP test to test the time for a device to
establish a TCP connection with another device.

Networking Requirements
As shown in Figure 5-98, NGFW_A connects to NGFW_C through NGFW_B. Start the TCP
Private test on NGFW_A to test the time for NGFW_A to establish a TCP connection with
NGFW_C.

Figure 5-98 Networking diagram of the TCP test (NGFW_A GE1/0/2 10.1.1.1/24 to NGFW_B GE1/0/2 10.1.1.2/24; NGFW_B GE1/0/1 10.2.1.1/24 to NGFW_C GE1/0/2 10.2.1.2/24)

Item Data
IP address of the NQA server 10.2.1.2/24
TCP service listening port on the server 9000

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure NGFW_A as the NQA client and NGFW_C as the NQA server.
2. Configure the listening port on the NQA server and create a TCP instance on the NQA
client.

Procedure
Step 1 Set the IP addresses.
# Set the IP address for the NGFW_A.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2

[NGFW_A-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/2] quit

# Set the IP address for the NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/2
[NGFW_B-GigabitEthernet1/0/2] ip address 10.1.1.2 24
[NGFW_B-GigabitEthernet1/0/2] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[NGFW_B-GigabitEthernet1/0/1] quit

# Set the IP address for the NGFW_C.


<NGFW_C> system-view
[NGFW_C] interface GigabitEthernet 1/0/2
[NGFW_C-GigabitEthernet1/0/2] ip address 10.2.1.2 24
[NGFW_C-GigabitEthernet1/0/2] quit

Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.

Step 3 Configure reachable routes between NGFW_A and NGFW_C. (The detailed procedure is
omitted.)

Step 4 Configure NGFW_C as the NQA server.

# Set the IP address and port on which the NQA server listens.
<NGFW_C> system-view
[NGFW_C] nqa-server tcpconnect 10.2.1.2 9000

Step 5 Configure NGFW_A.

# Enable the NQA client and create a TCP Private instance.


<NGFW_A> system-view
[NGFW_A] nqa test-instance admin tcp
[NGFW_A-nqa-admin-tcp] test-type tcp
[NGFW_A-nqa-admin-tcp] destination-address ipv4 10.2.1.2
[NGFW_A-nqa-admin-tcp] destination-port 9000

Step 6 Start the test immediately.


[NGFW_A-nqa-admin-tcp] start now

----End

Result
After the test, you can run the display nqa results admin tcp command to display the test result.
[NGFW_A-nqa-admin-tcp] display nqa results admin tcp
NQA entry(admin, tcp) :testFlag is inactive ,testtype is tcp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 46/63/52
Sum/Square-Sum Completion Time: 156/8294
Last Good Probe Time: 2009-8-5 15:53:17.8


5.17.21.10 Example for Performing a UDP Test


This section provides an example on how to perform a UDP Public test to test the round-trip
time of the UDP packet between two NGFWs.

Networking Requirements
As shown in Figure 5-99, NGFW_A connects to NGFW_C through NGFW_B. Start a UDP
Public test to test the round-trip time of the UDP packet transmitted between NGFW_A and
NGFW_C.

Figure 5-99 Networking diagram of the UDP test (NGFW_A GE1/0/2 10.1.1.1/24 to NGFW_B GE1/0/2 10.1.1.2/24; NGFW_B GE1/0/1 10.2.1.1/24 to NGFW_C GE1/0/2 10.2.1.2/24)

Item Data
IP address of the NQA server 10.2.1.2/24
UDP service listening port on the server 6000

Configuration Roadmap
1. NGFW_A functions as the NQA client and NGFW_C functions as the NQA server.
2. Configure the listening port on the NQA server and create a UDP test instance on the NQA
client.

Procedure
Step 1 Set the IP addresses.
# Set the IP address for the NGFW_A.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/2] quit

# Set the IP address for the NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/2
[NGFW_B-GigabitEthernet1/0/2] ip address 10.1.1.2 24
[NGFW_B-GigabitEthernet1/0/2] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[NGFW_B-GigabitEthernet1/0/1] quit

# Set the IP address for the NGFW_C.


<NGFW_C> system-view
[NGFW_C] interface GigabitEthernet 1/0/2
[NGFW_C-GigabitEthernet1/0/2] ip address 10.2.1.2 24
[NGFW_C-GigabitEthernet1/0/2] quit

Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.

Step 3 Configure reachable routes between NGFW_A and NGFW_C. (The detailed procedure is
omitted.)

Step 4 Configure NGFW_C as the NQA server.

# Set the IP address and port on which the NQA server listens.
<NGFW_C> system-view
[NGFW_C] nqa-server udpecho 10.2.1.2 6000

Step 5 Configure NGFW_A.

# Enable the NQA client and create a UDP Public instance.


<NGFW_A> system-view
[NGFW_A] nqa test-instance admin udp
[NGFW_A-nqa-admin-udp] test-type udp
[NGFW_A-nqa-admin-udp] destination-address ipv4 10.2.1.2
[NGFW_A-nqa-admin-udp] destination-port 6000

Step 6 Start the test immediately.


[NGFW_A-nqa-admin-udp] start now

----End

Result
After the test, you can run the display nqa results admin udp command to display the test
result.
[NGFW_A-nqa-admin-udp] display nqa results admin udp
NQA entry(admin, udp) :testFlag is inactive ,testtype is udp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 32/109/67
Sum/Square-Sum Completion Time: 203/16749
Last Good Probe Time: 2009-8-5 16:9:21.6

5.17.21.11 Example for Performing an LSP Ping Test in the LDP Tunnel
This section provides an example on how to perform an LSP Ping test on an intermediate device
to test the LSP connectivity between the other two devices.

Networking Requirements
As shown in Figure 5-100, NGFW_A connects to NGFW_C through NGFW_B.


- OSPF runs on NGFW_A, NGFW_B, and NGFW_C, and the three NGFWs learn the host
routes to loopback interfaces from each other.
- MPLS and MPLS LDP are enabled on NGFW_A, NGFW_B, and NGFW_C.
- MPLS and MPLS LDP are enabled on the interfaces connecting NGFW_A, NGFW_B, and
NGFW_C to trigger the establishment of an LDP tunnel.
It is required to perform an LSP Ping test to check the connectivity of the LSP between
NGFW_A and NGFW_C.

Figure 5-100 Networking diagram of LSP Ping test (OSPF area 0; NGFW_A Loopback1 10.10.1.9/32 and GE1/0/2 10.1.1.1/24; NGFW_B GE1/0/2 10.1.1.2/24, Loopback1 10.10.2.9/32 and GE1/0/1 10.2.1.1/24; NGFW_C GE1/0/2 10.2.1.2/24 and Loopback1 10.10.3.9/32)

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure NGFW_A as the NQA client.
2. Configure NGFW_C as the NQA server.
3. Create an LSP Ping test instance on NGFW_A.

Procedure
Step 1 Set the IP addresses.
# Set the IP address for the NGFW_A.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/2] quit
[NGFW_A] interface LoopBack 1
[NGFW_A-LoopBack1] ip address 10.10.1.9 32
[NGFW_A-LoopBack1] quit

# Set the IP address for the NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/2

[NGFW_B-GigabitEthernet1/0/2] ip address 10.1.1.2 24
[NGFW_B-GigabitEthernet1/0/2] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[NGFW_B-GigabitEthernet1/0/1] quit
[NGFW_B] interface LoopBack 1
[NGFW_B-LoopBack1] ip address 10.10.2.9 32
[NGFW_B-LoopBack1] quit

# Set the IP address for the NGFW_C.


<NGFW_C> system-view
[NGFW_C] interface GigabitEthernet 1/0/2
[NGFW_C-GigabitEthernet1/0/2] ip address 10.2.1.2 24
[NGFW_C-GigabitEthernet1/0/2] quit
[NGFW_C] interface LoopBack 1
[NGFW_C-LoopBack1] ip address 10.10.3.9 32
[NGFW_C-LoopBack1] quit

Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.

Step 3 Configure reachable routes between NGFW_A and NGFW_C. (The detailed procedure is
omitted.)

Step 4 Configure NGFW_A.

# Enable the NQA client and create an LSP Ping instance for the test in the LDP tunnel.
<NGFW_A> system-view
[NGFW_A] nqa test-instance admin lspping
[NGFW_A-nqa-admin-lspping] test-type lspping
[NGFW_A-nqa-admin-lspping] lsp-type ipv4
[NGFW_A-nqa-admin-lspping] destination-address ipv4 10.10.3.9 lsp-masklen 32

Step 5 Start the test immediately.


[NGFW_A-nqa-admin-lspping] start now

----End

Result
After the test, you can run the display nqa results admin lspping command to display the test
result.
[NGFW_A-nqa-admin-lspping] display nqa results admin lspping
NQA entry(admin, lspping) :testFlag is inactive ,testtype is lspping
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.10.3.9
Min/Max/Average Completion Time: 1/1/1
Sum/Square-Sum Completion Time: 3/3
Last Good Probe Time: 2010-10-30 15:32:56.1

5.17.21.12 Example for Configuring an NQA Test Group


This section provides an example on how to configure an NQA test group to test the connectivity
between another two devices.


Networking Requirements
As shown in Figure 5-101, NGFW_A connects to NGFW_C through NGFW_B and functions
as the NQA client. It is required to test whether NGFW_B and NGFW_C are reachable.

Figure 5-101 Networking diagram of configuring an NQA test group (NGFW_A GE1/0/2 10.1.1.1/24 to NGFW_B GE1/0/2 10.1.1.2/24; NGFW_B GE1/0/1 10.2.1.1/24 to NGFW_C GE1/0/2 10.2.1.2/24; test1 probes NGFW_B and test2 probes NGFW_C)

Item Data

Time for the test group to start 10s

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure NGFW_A as the NQA client.
2. On NGFW_A, create an NQA test group that consists of two test instances to check whether
NGFW_B and NGFW_C are reachable and obtain the RTT of a test packet.

Procedure
Step 1 Set the IP addresses.

# Set the IP address for the NGFW_A.


<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/2] quit

# Set the IP address for the NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/2
[NGFW_B-GigabitEthernet1/0/2] ip address 10.1.1.2 24
[NGFW_B-GigabitEthernet1/0/2] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[NGFW_B-GigabitEthernet1/0/1] quit

# Set the IP address for the NGFW_C.


<NGFW_C> system-view
[NGFW_C] interface GigabitEthernet 1/0/2

[NGFW_C-GigabitEthernet1/0/2] ip address 10.2.1.2 24
[NGFW_C-GigabitEthernet1/0/2] quit

Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.

Step 3 Configure reachable routes between NGFW_A and NGFW_C. (The detailed procedure is
omitted.)

Step 4 Create an ICMP test group on NGFW_A.


<NGFW_A> system-view
[NGFW_A] nqa test-instance group icmp
[NGFW_A-nqa-group-icmp] test-type icmp
[NGFW_A-nqa-group-icmp] switch-to group
[NGFW_A-nqa-group-icmp] quit

Step 5 Create test instances admin test1 and admin test2 on NGFW_A to respectively check the
connectivity between NGFW_A, NGFW_B, and NGFW_C.
[NGFW_A] nqa test-instance admin test1
[NGFW_A-nqa-admin-test1] test-type icmp
[NGFW_A-nqa-admin-test1] join group nqa group icmp
[NGFW_A-nqa-admin-test1] destination-address ipv4 10.1.1.2
[NGFW_A-nqa-admin-test1] quit
[NGFW_A] nqa test-instance admin test2
[NGFW_A-nqa-admin-test2] test-type icmp
[NGFW_A-nqa-admin-test2] join group nqa group icmp
[NGFW_A-nqa-admin-test2] destination-address ipv4 10.2.1.2
[NGFW_A-nqa-admin-test2] quit

Step 6 Return to the test group view and configure the test to start in 10 seconds.
[NGFW_A] nqa test-instance group icmp
[NGFW_A-nqa-group-icmp] start delay seconds 10

# Run the display nqa-agent command on NGFW_A to display the status of the test group and
the member test instances on the client.
[NGFW_A-nqa-group-icmp] display nqa-agent
NQA Tests Max:2000 NQA Tests Num:3
NQA Concurrent Requests Max:1000 NQA Concurrent Requests Num:1
NQA Jitter Concurrent Max:5 NQA Jitter Concurrent Num:0
NQA icmp Concurrent Max:50 NQA icmp Concurrent Num:1
NQA Trace Concurrent Max:50 NQA Trace Concurrent Mum:0
1 NQA entry(admin, test1):
test type:icmp current flag:inactive
current status:no start current completion:no result
start at : no start time end at : no end time
nqa status : group member, belong to group : group icmp
2 NQA entry(admin, test2):
test type:icmp current flag:inactive
current status:no start current completion:no result
start at : no start time end at : no end time
nqa status : group member, belong to group : group icmp
3 NQA entry(group, icmp):
test type:icmp current flag:active
current status:no start current completion:NA
start at : 2009-8-24 14:35:34 end at : no end time
nqa status : group leader, group members number : 2

----End


Result
Twenty seconds after the test, you can run the display nqa results command to display the test
results.
[NGFW_A-nqa-group-icmp] display nqa results
NQA entry(admin, test1) :testFlag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.1.1.2
Min/Max/Average Completion Time: 30/50/36
Sum/Square-Sum Completion Time: 110/4300
Last Good Probe Time: 2009-8-24 14:35:43.2
NQA entry(admin, test2) :testFlag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Stats errors number:0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 50/60/53
Sum/Square-Sum Completion Time: 160/8600
Last Good Probe Time: 2009-8-24 14:35:53.2
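The result screens in these examples share one field layout, so in practice they are scraped rather than read by hand. The following Python is an added example, not code from this guide or from Huawei's software: it parses display nqa results output, recovers the RTT spread from the Sum/Square-Sum pair, and flags loss, failed completion, or a round-trip delay above a chosen threshold (the condition the threshold rtd setting of the trap example that follows reports on). The sample output is constructed from the values shown in these examples.

```python
import math
import re

# Constructed sample: the two ICMP result blocks of the test-group example
# plus the failed HTTP result, in the layout that "display nqa results"
# prints them (values copied from this guide's examples).
SAMPLE_OUTPUT = """\
NQA entry(admin, test1) :testFlag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Destination ip address:10.1.1.2
Min/Max/Average Completion Time: 30/50/36
Sum/Square-Sum Completion Time: 110/4300
NQA entry(admin, test2) :testFlag is inactive ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 3
Completion:success RTD OverThresholds number: 0
Destination ip address:10.2.1.2
Min/Max/Average Completion Time: 50/60/53
Sum/Square-Sum Completion Time: 160/8600
NQA entry(admin, http) :testFlag is inactive ,testtype is http
1 . Test 1 result The test is finished
SendProbe:3 ResponseProbe:0
Completions: failed RTD OverThresholdsnumber: 0
MessageBodyOctetsSum: 0 TargetAddress: 10.2.1.1
DNSServerTimeout:0 TCPConnectTimeout:3 TransactionTimeout: 0
"""

# Field patterns, written to tolerate the spacing and naming variants that
# the different test types use (ICMP/TCP/UDP versus HTTP/FTP/jitter).
ENTRY_RE = re.compile(r"NQA entry\((\w+), (\w+)\) :testFlag is (\w+) ,testtype is (\w+)")
SENT_RE = re.compile(r"(?:Send operation times|SendProbe)\s*:\s*(\d+)\s+"
                     r"(?:Receive response times|ResponseProbe)\s*:\s*(\d+)")
COMPLETION_RE = re.compile(r"\bCompletions?\s*:\s*([A-Za-z]+)")
OVER_RE = re.compile(r"RTD OverThresholds\s*number:\s*(\d+)")
DEST_RE = re.compile(r"(?:Destination ip address|TargetAddress)\s*:\s*([\d.]+)")
MMA_RE = re.compile(r"Min/Max/Average Completion Time:\s*(\d+)/(\d+)/(\d+)")
SUMS_RE = re.compile(r"Sum/Square-Sum Completion Time:\s*(\d+)/(\d+)")


def _ints(rx, text, n):
    """Integer groups of the first match of rx in text, or n Nones."""
    m = rx.search(text)
    return tuple(int(g) for g in m.groups()) if m else (None,) * n


def parse_nqa_results(text):
    """Split 'display nqa results' output into one dict per NQA entry."""
    entries = []
    for chunk in re.split(r"(?=NQA entry\()", text):
        head = ENTRY_RE.search(chunk)
        if not head:
            continue  # text before the first entry (prompt line, blanks)
        sent, received = _ints(SENT_RE, chunk, 2)
        completion = COMPLETION_RE.search(chunk)
        dest = DEST_RE.search(chunk)
        mn, mx, avg = _ints(MMA_RE, chunk, 3)
        total, sqsum = _ints(SUMS_RE, chunk, 2)
        entries.append({
            "owner": head.group(1), "name": head.group(2), "type": head.group(4),
            "sent": sent, "received": received,
            "completion": completion.group(1) if completion else None,
            "over_threshold": _ints(OVER_RE, chunk, 1)[0],
            "destination": dest.group(1) if dest else None,
            "min": mn, "max": mx, "avg": avg, "sum": total, "sqsum": sqsum,
        })
    return entries


def rtt_stats(entry):
    """Mean and population standard deviation (ms) of the answered probes,
    recovered from Sum and Square-Sum as var = E[x^2] - E[x]^2, because the
    device keeps no individual samples. None when no probe was answered."""
    n = entry["received"]
    if not n or entry["sum"] is None:
        return None
    mean = entry["sum"] / n
    var = entry["sqsum"] / n - mean * mean
    return mean, math.sqrt(max(var, 0.0))


def evaluate(entry, rtd_threshold_ms):
    """Reasons an operator would flag the entry; an empty list means healthy.
    The last check applies an RTD threshold to the stored maximum."""
    problems = []
    if entry["completion"] != "success":
        problems.append("completion %s" % entry["completion"])
    if entry["sent"] and entry["received"] < entry["sent"]:
        problems.append("loss %d/%d" % (entry["sent"] - entry["received"],
                                        entry["sent"]))
    if entry["over_threshold"]:
        problems.append("%d probes over the device RTD threshold"
                        % entry["over_threshold"])
    if entry["max"] is not None and entry["max"] > rtd_threshold_ms:
        problems.append("max RTT %d ms exceeds %d ms"
                        % (entry["max"], rtd_threshold_ms))
    return problems
```

A saved capture of any of the other result screens on this page can be passed to parse_nqa_results in the same way.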

5.17.21.13 Example for Sending a Trap Message When the Transmission Time Exceeds the Threshold
This section provides an example on how to enable the NGFW to send trap messages to the
NMS when the transmission time exceeds the threshold.

Prerequisites
The NGFW can communicate with the NMS.

Networking Requirements
As shown in Figure 5-102, NGFW_A connects to NGFW_C through NGFW_B. Create a jitter
instance, set the transmission delay threshold, and enable the trap function. After the jitter test,
if the transmission time of the test packet from NGFW_A to NGFW_C (or from NGFW_C to
NGFW_A) exceeds the specified threshold for unidirectional transmission, or the round-trip time
of the test packet exceeds the specified threshold, NGFW_A sends a trap message to the NM
station. The received trap message tells you why it was sent.


Figure 5-102 Networking diagram of enabling the trap function when the transmission delay exceeds the threshold (NM Station 10.1.2.2/24 connects to NGFW_A GE1/0/1 10.1.2.1/24; NGFW_A GE1/0/2 10.1.1.1/24 to NGFW_B GE1/0/2 10.1.1.2/24; NGFW_B GE1/0/1 10.1.3.1/24 to NGFW_C, the NQA Server, GE1/0/2 10.1.3.2/24)

Item Data
IP address and port of the NQA server IP address: 10.1.3.2, Port: 9000
IP address of the NM station 10.1.2.2
Round-trip transmission delay (RTD) threshold 20
Uni-directional transmission (from the destination to the source) delay (OWD) threshold 100

Configuration Roadmap
The configuration roadmap is as follows:

1. Set a transmission delay threshold.
2. Enable the trap function.
3. Enable NGFW_A to send trap messages to the NM station.

Procedure
Step 1 Set the IP addresses.

# Set the IP address for the NGFW_A.


<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/2] quit
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.1.2.1 24
[NGFW_A-GigabitEthernet1/0/1] quit


# Set the IP address for the NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/2
[NGFW_B-GigabitEthernet1/0/2] ip address 10.1.1.2 24
[NGFW_B-GigabitEthernet1/0/2] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.1.3.1 24
[NGFW_B-GigabitEthernet1/0/1] quit

# Set the IP address for the NGFW_C.


<NGFW_C> system-view
[NGFW_C] interface GigabitEthernet 1/0/2
[NGFW_C-GigabitEthernet1/0/2] ip address 10.1.3.2 24
[NGFW_C-GigabitEthernet1/0/2] quit

Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones. Details are omitted.

Step 3 Configure reachable routes between NGFW_A and NGFW_C. (The detailed procedure is
omitted.)

Step 4 Create a jitter instance.

# Configure NGFW_C as the NQA server and set the IP address and port on which the NQA server
listens for UDP services.
<NGFW_C> system-view
[NGFW_C] nqa-server udpecho 10.1.3.2 9000

# Configure NGFW_A as the NQA client and create a jitter instance on NGFW_A.
<NGFW_A> system-view
[NGFW_A] nqa test-instance admin jitter
[NGFW_A-nqa-admin-jitter] test-type jitter
[NGFW_A-nqa-admin-jitter] destination-address ipv4 10.1.3.2
[NGFW_A-nqa-admin-jitter] destination-port 9000

Step 5 Set the transmission delay threshold.

# Set the RTD threshold on NGFW_A.


[NGFW_A-nqa-admin-jitter] threshold rtd 20

# Set the uni-directional transmission (from the destination to the source) delay threshold on
NGFW_A.
[NGFW_A-nqa-admin-jitter] threshold owd 100

Step 6 Enable the trap function.


[NGFW_A-nqa-admin-jitter] send-trap overthreshold
[NGFW_A-nqa-admin-jitter] quit

Step 7 Configure NGFW_A to send traps to the NMS through SNMPv3 and keep the default values for
other parameters.
[NGFW_A] snmp-agent trap enable
[NGFW_A] snmp-agent target-host trap address udp-domain 10.1.2.2 params securityname v3user@123 v3 privacy

Step 8 Enable the NGFW_A to send trap messages to the NM station.


[NGFW_A] nqa test-instance admin jitter
[NGFW_A-nqa-admin-jitter] start now
[NGFW_A-nqa-admin-jitter] quit
[NGFW_A] quit

----End

Result
After the test, you can run the display nqa results admin jitter command to display the test
result.

- <NGFW_A-nqa-admin-jitter> display nqa results admin jitter
  NQA entry(admin, jitter) :testFlag is inactive ,testtype is jitter
    1 . Test 1 result   The test is finished
    SendProbe:60                          ResponseProbe:0
    Completion :failed                    RTD OverThresholds number:0
    Min/Max/Sum RTT:0/0/0                 RTT Square Sum:0
    NumOfRTT:0                            Drop operation number:0
    Operation sequence errors number:0    RTT Stats errors number:0
    System busy operation number:0        Operation timeout number:60
    Min Positive SD:0                     Min Positive DS:0
    Max Positive SD:0                     Max Positive DS:0
    Positive SD Number:0                  Positive DS Number:0
    Positive SD Sum:0                     Positive DS Sum:0
    Positive SD Square Sum :0             Positive DS Square Sum :0
    Min Negative SD:0                     Min Negative DS:0
    Max Negative SD:0                     Max Negative DS:0
    Negative SD Number:0                  Negative DS Number:0
    Negative SD Sum:0                     Negative DS Sum:0
    Negative SD Square Sum :0             Negative DS Square Sum :0
    Packet Loss SD:0                      Packet Loss DS:0
    Max Delay SD:0                        Max Delay DS:0
    jitter out value:0.0000000            jitter in value:0.0000000
    OWD OverThresholds number:0           Packet Loss Unknown:0
    NumberOfOWD:0
    OWD SD Sum:0                          OWD DS Sum:0

- Check whether the trap buffer contains the trap message.
  <NGFW> display trapbuffer
  #2010-06-03 00:28:34 NGFW NQA/4/RTDTHRESHOLD:OID 1.3.6.1.4.1.2011.5.25.111.6.16 NQA entry RTD over threshold. (OwnerIndex=admin, TestName=jitter)
  #2010-06-03 00:28:34 NGFW NQA/4/SDTHRESHOLD:OID 1.3.6.1.4.1.2011.5.25.111.6.17 NQA entry OWD-SD over threshold. (OwnerIndex=admin, TestName=jitter)
  #2010-06-03 00:28:34 NGFW NQA/4/DSTHRESHOLD:OID 1.3.6.1.4.1.2011.5.25.111.6.18 NQA entry OWD-DS over threshold. (OwnerIndex=admin, TestName=jitter)

- When the RTD exceeds 20 seconds or the OWD exceeds 100 seconds, the NMS can receive trap
  messages. To check the trap messages, choose Resource > Fault Manage > Current Alarms in the
  NMS main menu.
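The following is an added example, not code from the Huawei guide, that models how a jitter
test instance could turn per-probe timings into the counters shown by display nqa results and
decide which of the three over-threshold traps listed above to raise. The probe timings are
constructed sample data; the formulas for one-way delay and for the "jitter in/out" values
are this example's assumptions, as is applying the OWD threshold to both directions. The trap
names and OIDs are the ones shown in the trap buffer output above.

```python
# Added example (not from the Huawei guide): how a jitter test instance could turn
# per-probe timings into the counters shown by "display nqa results" and decide
# which over-threshold traps to raise. Probe timings are constructed sample data;
# the statistics formulas (OWD, jitter in/out) are this example's assumptions.

# Trap names and OIDs exactly as they appear in the guide's trapbuffer output.
TRAP_OIDS = {
    "RTDTHRESHOLD": "1.3.6.1.4.1.2011.5.25.111.6.16",  # RTD over threshold
    "SDTHRESHOLD": "1.3.6.1.4.1.2011.5.25.111.6.17",   # OWD source -> destination over threshold
    "DSTHRESHOLD": "1.3.6.1.4.1.2011.5.25.111.6.18",   # OWD destination -> source over threshold
}

# Constructed probes, in milliseconds: (client send, server receive, server send,
# client receive). None marks a probe that timed out and is counted as a drop.
SAMPLE_PROBES = [
    (0, 8, 9, 18),
    (100, 110, 111, 125),
    (200, 207, 208, 215),
    (300, 310, 311, 430),
    (400, None, None, None),
]


def _jitter_stats(delays):
    """Split consecutive delay differences into positive and negative jitter counters."""
    pos = [b - a for a, b in zip(delays, delays[1:]) if b > a]
    neg = [a - b for a, b in zip(delays, delays[1:]) if b < a]
    return {"pos_num": len(pos), "pos_sum": sum(pos), "neg_num": len(neg), "neg_sum": sum(neg)}


def evaluate_jitter(probes, rtd_threshold: int, owd_threshold: int) -> dict:
    """Compute the RTD/OWD counters for one test round ('threshold rtd' / 'threshold owd')."""
    rtts, sd, ds = [], [], []
    drops = 0
    for send, srv_rx, srv_tx, rx in probes:
        if rx is None:
            drops += 1
            continue
        rtts.append(rx - send)      # round-trip delay as seen by the client
        sd.append(srv_rx - send)    # one-way delay source -> destination
        ds.append(rx - srv_tx)      # one-way delay destination -> source
    stats = {
        "num_rtt": len(rtts),
        "drops": drops,
        "rtt_min": min(rtts) if rtts else 0,
        "rtt_max": max(rtts) if rtts else 0,
        "rtt_sum": sum(rtts),
        "rtd_over": sum(1 for r in rtts if r > rtd_threshold),
        # Assumption: the OWD threshold applies to both directions, because the
        # guide's trap buffer shows both an OWD-SD and an OWD-DS threshold trap.
        "owd_sd_over": sum(1 for d in sd if d > owd_threshold),
        "owd_ds_over": sum(1 for d in ds if d > owd_threshold),
        "sd": _jitter_stats(sd),
        "ds": _jitter_stats(ds),
    }
    # Assumption: "jitter out/in value" = mean absolute delay variation per direction.
    for key, delays in (("jitter_out", sd), ("jitter_in", ds)):
        diffs = [abs(b - a) for a, b in zip(delays, delays[1:])]
        stats[key] = sum(diffs) / len(diffs) if diffs else 0.0
    return stats


def traps_to_send(stats: dict) -> list:
    """Return (trap name, OID) pairs that 'send-trap overthreshold' would emit."""
    checks = (("RTDTHRESHOLD", "rtd_over"),
              ("SDTHRESHOLD", "owd_sd_over"),
              ("DSTHRESHOLD", "owd_ds_over"))
    return [(name, TRAP_OIDS[name]) for name, key in checks if stats[key] > 0]


if __name__ == "__main__":
    result = evaluate_jitter(SAMPLE_PROBES, rtd_threshold=20, owd_threshold=100)
    for name, oid in traps_to_send(result):
        print(f"NGFW NQA/4/{name}:OID {oid} (OwnerIndex=admin, TestName=jitter)")
```

With the sample probes and the thresholds used in this example (rtd 20, owd 100), two probes exceed
the RTD threshold and one exceeds the destination-to-source OWD threshold, so the RTDTHRESHOLD and
DSTHRESHOLD traps are raised while SDTHRESHOLD is not; a timed-out probe counts as a drop and does
not contribute to any delay counter.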

5.17.22 Feature Reference


This section provides NQA references.

5.17.22.1 Feature History


This section describes the versions and changes in the NQA feature.

Version      Change Description
V100R001C00  The first version.

5.17.22.2 Standards and Protocols


This section provides NQA-related standards and protocols.

The standards and protocols used for NQA are as follows:

- RFC 1889: RTP: A Transport Protocol for Real-Time Applications
- RFC 2925: Definitions of Managed Objects for Remote Ping, Traceroute, and Lookup Operations
- RFC 2131: Dynamic Host Configuration Protocol
- RFC 1035: DOMAIN NAMES - IMPLEMENTATION AND SPECIFICATION
- RFC 414: FILE TRANSFER PROTOCOL (FTP) STATUS AND FURTHER COMMENTS
- RFC 1945: Hypertext Transfer Protocol - HTTP/1.0
- RFC 2616: Hypertext Transfer Protocol - HTTP/1.1
- RFC 792: INTERNET CONTROL MESSAGE PROTOCOL
- IEEE 802.1AG DRAFT6.1: IEEE 802.1AG DRAFT6.1
- RFC 1157: A Simple Network Management Protocol (SNMP)
- RFC 1905: Protocol Operations for Version 2 of the Simple Network Management Protocol (SNMPv2)
- RFC 3414: User-based Security Model (USM) for version 3 of the Simple Network Management
  Protocol (SNMPv3)
- RFC 793 / RFC 862: Echo Protocol
- RFC 1393: Traceroute Using an IP Option

5.18 LLDP
Link Layer Discovery Protocol (LLDP) provides a standard link-layer discovery mechanism for
tracing and rapidly learning Layer-2 network topology changes.

5.18.1 Overview
LLDP is the neighbor discovery protocol defined in IEEE 802.1AB. Using the LLDP technology,
the Network Management System (NMS) can rapidly learn the current network topology and
topology changes when the network scale increases rapidly.

LLDP provides a standard link-layer discovery mechanism: the local device organizes its main
capabilities, management address, device identifier, and interface identifier into
Type/Length/Value (TLV) fields, encapsulates them in Link Layer Discovery Protocol Data Units
(LLDPDUs), and advertises the LLDPDUs to its directly connected neighbors. A neighbor that
receives an LLDPDU stores its contents in a standard Management Information Base (MIB), which
the NMS can query to check and analyze the communication status along the link.

5.18.2 Configuring Basic LLDP Functions


This section describes how to configure the basic LLDP functions for the device to collect the
information about topology changes.

5.18.2.1 Enabling the LLDP Function


Before configuring the LLDP function, you need to enable the LLDP function globally.

Context
NOTE

The LLDP function takes effect only after being enabled both globally and on appropriate interfaces. By
default, the LLDP function is disabled both globally and on appropriate interfaces.
When LLDP is enabled globally, the function on the interfaces is automatically enabled.

Procedure
Step 1 Access the system view.

system-view

Step 2 Enable the LLDP function globally.

lldp enable

----End

5.18.2.2 Configuring the LLDP Working Mode


This section describes how to configure the LLDP working mode for an interface to send or
receive LLDP packets.

Context
The LLDP working modes are categorized into:

- txrx: The interface sends and receives LLDP packets.
- tx: The interface only sends LLDP packets.
- rx: The interface only receives LLDP packets.
- disable: The interface does not send or receive LLDP packets.

By default, the LLDP working mode of an interface is txrx.

Procedure
Step 1 Access the system view.

system-view

Step 2 Access the view of the specified interface.

interface interface-type interface-number

Step 3 Set the LLDP working mode.

lldp state { disable | rx | tx | txrx }

----End

5.18.2.3 (Optional) Setting the Interface Initialization Latency


When the LLDP working mode of an interface changes, the system initializes the interface status.
By setting the interface initialization latency, you can avoid the repeated initialization of the
interface due to frequent working mode changes.

Context
NOTE

By default, the interface initialization latency is two seconds.

Procedure
Step 1 Access the system view.

system-view

Step 2 Set the interface initialization latency.

lldp restart-delay interval

----End

5.18.2.4 (Optional) Configuring the Advertisable TLVs


In practice, you can configure the advertisable TLVs as required. By default, an interface only
sends the basic Type-Length-Value (TLV) fields.

Context
The TLV is the unit that constitutes the LLDPDU. Each TLV represents a piece of information.
The TLVs that can be encapsulated through LLDP are basic TLVs, TLVs defined in IEEE 802.1, and
TLVs defined in IEEE 802.3. The basic TLVs are the foundation of network device management.

The basic TLVs comprise the TLV types that are mandatory for implementing the LLDP function,
so they must be advertised in every LLDPDU.

The TLVs defined in IEEE 802.1 and IEEE 802.3 enhance the management of network devices. They
carry additional information, such as the VLAN ID and the interface speed, and you can decide
whether to send them in LLDPDUs as required.

Procedure
Step 1 Access the system view.

system-view

Step 2 Access the view of the specified interface.

interface interface-type interface-number

Step 3 Configure the types of advertisable TLVs.

lldp tlv-enable { basic-tlv { all | management-address | system-capability | system-description | system-name | port-description } | 802.1-tlv { all | port-protocol-vlan-id | port-vlan-id | protocol-identity | vlan-name } | 802.3-tlv { all | link-aggregation | mac-physic | maximum-frame-size | power-via-mdi } }

----End

5.18.2.5 (Optional) Setting the Management Address


A management address clearly identifies a device, facilitating network management and the
formation of the network topology. The management address is encapsulated in the Management
Address TLV of the LLDP packet and then advertised.

Context
The management address must be a legal unicast IP address of the device. If no address or an
invalid address is specified, the NGFW automatically selects an IP address to use as the LLDP
management address, in this order: the smallest IP address of the loopback interfaces, then the
smallest IP address of the VLANIF interfaces, then the smallest IP address of the physical
interfaces. If no IP address is found, the bridge MAC address of the NGFW is used as the
management address.

Procedure
Step 1 Access the system view.

system-view

Step 2 Set the management address to be advertised.

lldp management-address ip-address

----End

5.18.2.6 (Optional) Setting Other LLDP Parameters


This section describes how to set the TTL multiplier, LLDP packet sending interval, and delay
for notifying the administrator of neighbor status changes.

Context

NOTICE
Both the LLDP packet sending interval and delay should be shorter than the TTL. Otherwise,
the neighbor device cannot receive the LLDP packets sent by the NGFW after the information
about the NGFW ages on the neighbor device.

Procedure
Step 1 Access the system view.

system-view

Step 2 Configure the number of LLDP packets rapidly sent by the NGFW to a neighbor node. The
default value is 3.

lldp message-transmission fast count

The number of packets rapidly sent is the value of count, that is, the number of packets
consecutively sent from an interface to the neighbor node when the working mode of the interface
changes from disable or rx to tx or txrx.

Step 3 Configure the TTL multiplier. The default value is 4.

lldp message-transmission hold-multiplier hold-multiplier

NOTE

The TTL in the TTL TLV carried by an LLDP packet sent by the local NGFW specifies the aging time of
the information about the local NGFW on the neighbor device. Its value is the TTL multiplier multiplied
by the interval at which an LLDP packet is sent (Formula: TTL = TTL multiplier x interval at which an
LLDP packet is sent). The maximum value is 65535. Therefore, you can set the aging time of the
information about the local NGFW on the neighbor device by specifying the TTL multiplier.

Step 4 Specify the interval for sending LLDP packets.

lldp message-transmission interval interval

The default interval is 30 seconds.

Step 5 Specify the delay for sending LLDP packets.

lldp message-transmission transmit-delay interval

The default delay is 2 seconds.

Step 6 Enable the checks in polling mode and specify the check interval.

lldp check-change-interval interval

By default, the polling function is not enabled.

Step 7 Specify the delay for notifying neighbor status changes.

lldp notification-interval interval

The default value is 5.

----End
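The following is an added example, not code from the Huawei guide, that serves both 5.18.2.4
(the basic TLVs an interface must advertise) and 5.18.2.6 (the TTL TLV carrying TTL multiplier x
send interval, capped at 65535). It builds an LLDPDU using the IEEE 802.1AB TLV layout (a 16-bit
header of 7-bit type and 9-bit length, then the value) and parses it back, rejecting a truncated
PDU or one without the End TLV. The chassis MAC, system name, management address and system port
number are constructed sample values chosen to resemble the neighbor output in 5.18.4; the
defaults of hold-multiplier 4 and interval 30 s give the 120-second TTL that output shows.

```python
# Added example (not code from the Huawei guide): build and parse an LLDPDU with
# the IEEE 802.1AB TLV layout (7-bit type, 9-bit length, value) to show the basic
# TLVs the guide lists and how the TTL TLV carries hold-multiplier x interval.
# The MAC, system name and address values are constructed sample data.
import struct

# Basic TLV type codes from IEEE 802.1AB.
END, CHASSIS_ID, PORT_ID, TTL, PORT_DESC, SYS_NAME, SYS_DESC, SYS_CAP, MGMT_ADDR = range(9)
MANDATORY = ("chassis_id", "port_id", "ttl")   # must appear in every LLDPDU


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 16-bit header = type (7 bits) | length (9 bits), then the value."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def lldp_ttl(hold_multiplier: int = 4, interval: int = 30) -> int:
    """TTL = hold-multiplier x transmit interval, capped at 65535 (guide defaults give 120 s)."""
    return min(hold_multiplier * interval, 65535)


def build_lldpdu(chassis_mac: str, port_name: str, sys_name: str, mgmt_ip: str,
                 sys_port: int = 386, hold_multiplier: int = 4, interval: int = 30) -> bytes:
    mac = bytes.fromhex(chassis_mac.replace(":", ""))
    ip = bytes(int(o) for o in mgmt_ip.split("."))
    mgmt = (bytes([len(ip) + 1, 1]) + ip                # address string length, subtype 1 = IPv4
            + bytes([3]) + struct.pack("!I", sys_port)  # interface numbering subtype 3 = system port number
            + bytes([0]))                               # OID string length 0 (no OID)
    return b"".join([
        tlv(CHASSIS_ID, bytes([4]) + mac),              # chassis ID subtype 4 = MAC address
        tlv(PORT_ID, bytes([5]) + port_name.encode()),  # port ID subtype 5 = interface name
        tlv(TTL, struct.pack("!H", lldp_ttl(hold_multiplier, interval))),
        tlv(SYS_NAME, sys_name.encode()),
        tlv(MGMT_ADDR, mgmt),
        tlv(END, b""),
    ])


def parse_lldpdu(data: bytes) -> dict:
    """Walk the TLVs; raise ValueError on truncation or a missing End TLV."""
    info, pos = {}, 0
    while pos + 2 <= len(data):
        hdr = struct.unpack_from("!H", data, pos)[0]
        t, length = hdr >> 9, hdr & 0x1FF
        val = data[pos + 2:pos + 2 + length]
        if len(val) != length:
            raise ValueError("truncated TLV")
        pos += 2 + length
        if t == END:
            return info
        if t == CHASSIS_ID:
            info["chassis_id"] = (val[0], val[1:].hex())
        elif t == PORT_ID:
            info["port_id"] = (val[0], val[1:].decode())
        elif t == TTL:
            info["ttl"] = struct.unpack("!H", val)[0]
        elif t == SYS_NAME:
            info["sys_name"] = val.decode()
        elif t == MGMT_ADDR:
            n = val[0]                       # address string length (subtype + address)
            addr = val[2:1 + n]
            if_num = struct.unpack_from("!I", val, 2 + n)[0]
            shown = ".".join(map(str, addr)) if val[1] == 1 else addr.hex()
            info["mgmt_addr"] = (shown, val[1 + n], if_num)
        # Other optional or unknown TLVs are skipped; a receiver must tolerate them.
    raise ValueError("missing End of LLDPDU TLV")


def missing_mandatory(info: dict) -> list:
    """Names of the basic TLVs that must be advertised but are absent from a parsed PDU."""
    return [name for name in MANDATORY if name not in info]


def is_well_formed(data: bytes) -> bool:
    """True if the PDU parses cleanly and carries every mandatory basic TLV."""
    try:
        return not missing_mandatory(parse_lldpdu(data))
    except (ValueError, UnicodeDecodeError):
        return False
```

A receiver that validates the mandatory TLVs and the End marker before storing neighbor data, as
is_well_formed does, will not populate its LLDP MIB from a truncated or malformed PDU; the TTL it
stores is exactly the value the neighbor computed from its hold-multiplier and send interval.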

5.18.3 Maintaining LLDP


When you maintain LLDP, you can clear relevant statistics and display the configurations.

5.18.3.1 Clearing LLDP Statistics


This section describes how to clear relevant LLDP statistics in the user view.

Context

NOTICE
LLDP statistics cannot be restored after you clear them. Therefore, ensure that the statistics to
be cleared are no longer needed.

To clear the information, run the following command in the user view.

Table 5-46 Clearing LLDP statistics

Action                  Command
Clear LLDP statistics.  reset lldp statistic

5.18.3.2 Displaying LLDP Configurations


After you configure LLDP, you can run display commands to display the configurations.

During routine maintenance, you can run the following commands in all views to display the
configurations.

Table 5-47 Maintaining LLDP

Action                                                              Command
Display the information about the LLDP neighbors of the interface.  display lldp neighbor [ interface interface-type interface-number | brief | list ]
Display the current LLDP status of the interface.                   display lldp local [ interface interface-type interface-number ]
Display the LLDP statistics.                                        display lldp statistics [ interface interface-type interface-number ]

5.18.4 Example for Configuring LLDP


This section provides an example for configuring the LLDP function.

Networking Requirements
As shown in Figure 5-103, NGFW_A connects to NGFW_B and the NMS respectively through
GigabitEthernet 1/0/2 and GigabitEthernet 1/0/1. The LLDP function is configured on both
NGFW_A and NGFW_B, so that the network administrator can check the status of the links
connected to NGFW_A.

Figure 5-103 LLDP networking
[figure: the NMS connects over the IP network to GE1/0/1 of NGFW_A; GE1/0/2 of NGFW_A
(10.16.39.220/24) connects directly to GE1/0/2 of NGFW_B (10.16.39.221/24)]

Procedure
Step 1 Set the IP addresses.

# Set the IP address for the NGFW_A.


<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.16.39.220 24
[NGFW_A-GigabitEthernet1/0/2] quit

# Set the IP address for the NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/2
[NGFW_B-GigabitEthernet1/0/2] ip address 10.16.39.221 24
[NGFW_B-GigabitEthernet1/0/2] quit

Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.

Step 3 Configure the LLDP function on NGFW_A. Enable the function on GigabitEthernet 1/0/2 and
set the working mode of LLDP to rx. In this way, NGFW_A receives only the LLDP packets
from neighbor nodes.
<NGFW_A> system-view
[NGFW_A] lldp enable
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.16.39.220 24
[NGFW_A-GigabitEthernet1/0/2] lldp state rx
[NGFW_A-GigabitEthernet1/0/2] quit
[NGFW_A] lldp management-address 10.16.39.220

Step 4 Configure the LLDP function on NGFW_B. Enable the function on GigabitEthernet 1/0/2 and
set the working mode of LLDP to tx. In this way, NGFW_B sends LLDP packets only to neighbor
nodes.
<NGFW_B> system-view
[NGFW_B] lldp enable
[NGFW_B] interface GigabitEthernet 1/0/2
[NGFW_B-GigabitEthernet1/0/2] ip address 10.16.39.221 24
[NGFW_B-GigabitEthernet1/0/2] lldp state tx
[NGFW_B-GigabitEthernet1/0/2] quit
[NGFW_B] lldp management-address 10.16.39.221

----End

Configuration Verification
- Run the display lldp neighbor interface GigabitEthernet 1/0/2 command on NGFW_A to display
  the information about the LLDP neighbor of the specified interface.
  <NGFW_A> display lldp neighbor interface GigabitEthernet 1/0/2
  Interface GigabitEthernet1/0/2 has 1 LLDP Neighbors:
  Neighbor 1:
  ChassisIdSubtype: MacAddress
  ChasssisId: 0022 a103 6079
  PortIdSubtype: InterfaceName
  PortId: GigabitEthernet 1/0/2
  TimeToLive: 120 seconds
  PortDesc: Huawei, USG6600 series, GigabitEthernet 1/0/2 Interface
  SysName: NGFW_B
  SysDesc: NGFW_B Huawei Versatile Routing Platform Software, Software Version : USG6600 V100R001C10 (VRP (R) Software, Version 5.30) , Copyright (C) 2014-2015 Huawei Technologies Co., Ltd.
  SysCapSupported:
  SysCapEnabled: Router
  Management Address: IPv4: 10.16.39.221 (System Port Number - 386) (OID: Standard LLDP MIB)
  Expired Time: 119 seconds

  According to the output that is displayed, GigabitEthernet 1/0/2 on NGFW_A connects to NGFW_B.
- If you display the information about the LLDP neighbors of the interface on NGFW_A after the
  link between NGFW_A and NGFW_B is interrupted and the LLDP information of NGFW_B has aged, no
  neighbor information is available on GigabitEthernet 1/0/2 of NGFW_A.
  <NGFW_A> display lldp neighbor interface GigabitEthernet 1/0/2
  Interface GigabitEthernet1/0/2 has 0 LLDP Neighbors :

5.18.5 Feature History


This section describes the versions and changes in the LLDP feature.

Version      Change Description
V100R001C00  The first version.

5.19 PMTU
You can perform Path Maximum Transmission Unit (PMTU) discovery to determine the smallest MTU of
all the interfaces along the path from the source to the destination, so that packets can be sent
along that path without being fragmented.

5.19.1 Overview
This section provides the definition of PMTU and describes the application of PMTU discovery.

PMTU
PMTU is the smallest MTU of the packets that are transmitted along the path from the source
to the destination on the network. Packets that are smaller than the PMTU can be transmitted
along the path without being fragmented.

You can discover and obtain the PMTU of the specific destination IPv4 address and use an
appropriate MTU to send the packets over the network. In this way, packets are not fragmented
during transmission. This MTU eases the burden of intermediate routing devices, makes best
use of network resources, and offers the highest throughput.

PMTU varies with the selected path and may change during communication. In addition, the
PMTU values in the forward and return directions may also differ because the paths in both
directions are different.

PMTU Discovery
As shown in Figure 5-104, the PC establishes a TCP connection with the Web server before
accessing the Web server. The SYN packet carries the Maximum Segment Size (MSS), which is derived
from the MTU. When the SYN packet reaches the server, the server changes the MSS to an appropriate
value to ensure that packets are not fragmented. However, the intermediate devices sometimes fail
to process the packets properly, so the negotiated MTU value is larger than the actual path MTU.
When the PC sends a non-fragmented packet that is larger than the actual MTU, the packet is
discarded when it reaches NGFW_B, causing an access failure. To rectify the fault, you need to
tune the MTU on NGFW_A and have the PC renegotiate with NGFW_A so that the PC sends packets with
an appropriate MSS.

For example, the PC negotiates with the Web server and sends an 800-byte non-fragmented
packet. The packet can be forwarded by NGFW_A whose MTU is 1500 bytes. However, when
the packet reaches NGFW_B, it is discarded because the MTU of NGFW_B is 512 bytes, smaller
than the actual packet size.

Therefore, by PMTU discovery on NGFW_A, the MTU of all the interfaces that are used to
forward the non-fragmented packet to the specific destination IP address is obtained, and this
value is 512 bytes. After the PMTU is obtained, change the configurations on NGFW_A, for
example, changing the MTU of all the interfaces to 512 bytes. The PC renegotiates with
NGFW_A and sends a packet with a smaller MTU, so that the packet can be transmitted over
the network without being fragmented. In this way, the problem is resolved.

Figure 5-104 PMTU discovery
[figure: PC -> NGFW_A (MTU = 1500) -> NGFW_B (MTU = 512) -> Web server; the 800-byte
non-fragmented packet is forwarded by NGFW_A, discarded at NGFW_B, and a "reply packet
unreachable" is returned]

5.19.2 Discovering the PMTU


This section describes how to discover the PMTU between the two endpoints of a link.

Context
NOTE

The first PMTU discovery packet is 48 bytes. If the PMTU on the path is less than 48 bytes, PMTU discovery
fails.
If the discovery packet passes through a tunnel, the discovered PMTU has a deviation. The deviation is the
size of the tunnel encapsulation payload.

Procedure
Step 1 Discover the PMTU along the path to the specific destination IPv4 address.

pathmtu [ -a source-ip-address | -max pmtu-max | -step step | -t timeout | -vpn-instance vpn-instance-name ] * destination-ip-address

Parameter -a source-ip-address specifies the source IP address of the PMTU discovery packet.
If you do not set this parameter, the source IP address is the IP address of the route egress.

Parameter -max pmtu-max specifies the maximum test scope of PMTU. The default value is
1500 bytes.

Parameter -step step specifies the incremental step for the second-round discovery. The default
value is 10 bytes. A smaller step yields a more precise PMTU but consumes more resources, such as
time and memory. The incremental step for the first round is fixed at 38 bytes and cannot be
modified.

Parameter -t timeout specifies the timeout time of the probing. The default value is two seconds.

----End

Follow-up Procedure
After the maximum MTU of the path is obtained through PMTU discovery, change the
configurations of the NGFW, for example, changing the MTU of the device interface. In this
way, packets are not fragmented on the network. This eases the burden of the intermediate
devices and rectifies relevant faults.
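The following is an added example, not the NGFW's pathmtu implementation, that simulates the
two-round probing described above: the first round starts with a 48-byte Don't Fragment probe
and grows it by the fixed 38 bytes until a probe is dropped or -max is reached, and the second
round restarts from the last size that got through and grows by the configurable -step. The exact
probing order is this example's assumption, as is modelling a tunnel as a fixed encapsulation
overhead; the link MTUs are constructed. The probe counter shows the time cost of a smaller step
that the -step description mentions, and the overhead case shows the deviation the NOTE in
5.19.2 describes for discovery through a tunnel.

```python
# Added example (not the NGFW's pathmtu implementation): a simulation of the
# two-round probing the guide describes for pathmtu. Round one starts with a
# 48-byte DF probe and grows it by a fixed 38 bytes; round two restarts from the
# last size that got through and grows by the configurable -step. The exact
# probing order is this example's assumption; the link MTUs are constructed.
from typing import Callable, Optional

FIRST_PROBE = 48        # size of the first discovery packet (guide)
FIRST_ROUND_STEP = 38   # fixed increment of the first round (guide)


def make_path(link_mtus, tunnel_overhead: int = 0) -> Callable[[int], bool]:
    """Return a probe function: True if a DF packet of `size` bytes crosses every link.
    tunnel_overhead models encapsulation added on the way (assumed here to be a fixed
    number of bytes), which the guide says appears as a deviation in the discovered PMTU."""
    path_mtu = min(link_mtus)
    return lambda size: size + tunnel_overhead <= path_mtu


class CountingProbe:
    """Wrap a probe function and count how many probes were sent."""
    def __init__(self, probe):
        self.probe, self.sent = probe, 0

    def __call__(self, size: int) -> bool:
        self.sent += 1
        return self.probe(size)


def discover_pmtu(probe, pmtu_max: int = 1500, step: int = 10) -> Optional[int]:
    """Simulated 'pathmtu -max pmtu_max -step step'. Returns None when even the
    48-byte probe fails (the guide's 'PMTU less than 48 bytes' failure case)."""
    if not probe(FIRST_PROBE):
        return None
    best = FIRST_PROBE
    # Round one: coarse search with the fixed 38-byte increment.
    size = best + FIRST_ROUND_STEP
    while size <= pmtu_max and probe(size):
        best, size = size, size + FIRST_ROUND_STEP
    # Round two: refine from the last success with the configured step.
    size = best + step
    while size <= pmtu_max and probe(size):
        best, size = size, size + step
    return best


if __name__ == "__main__":
    path = make_path([1500, 1300, 1500])
    print("step 1 :", discover_pmtu(path, step=1))    # exact path MTU
    print("step 10:", discover_pmtu(path, step=10))   # up to one step below it
    print("via tunnel:", discover_pmtu(make_path([1500, 1300], tunnel_overhead=24), step=1))
```

The result for a configured step is always at or below the true path MTU by less than one step,
which is why a value discovered with the default 10-byte step is safe to configure as an interface
MTU; the one-byte step finds the exact value but sends roughly twice as many probes.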

5.19.3 Example for Discovering the PMTU


This section provides an example for discovering the PMTU.

Networking Requirements
As shown in Figure 5-105, a PC accesses the Web server through a GRE tunnel. If the MTU of the
tunnel is too small, packets are fragmented along the intermediate links so that they can be
transmitted through the tunnel, which increases the burden on the intermediate devices. In
addition, to avoid fragment attacks, the Web server accepts only packets with the Don't Fragment
bit set, so an oversized packet breaks normal access. Therefore, you need to discover the PMTU on
NGFW_A to obtain the maximum MTU on the path to NGFW_B, and then change the MTU of the uplink and
downlink interfaces of the GRE tunnel to ensure service continuity.

Figure 5-105 Networking diagram for probing the PMTU
[figure: PC (10.1.1.1/24) connects to GE1/0/2 of NGFW_A; GE1/0/1 of NGFW_A (10.1.2.1/24)
connects over the GRE tunnel to GE1/0/2 of NGFW_B (10.1.3.1/24); NGFW_B connects to the Web
server (10.1.3.2/24)]

Item        Data
NGFW_A      Interface: GigabitEthernet 1/0/1
            IP address: 10.1.2.1/24
NGFW_B      Interface: GigabitEthernet 1/0/2
            IP address: 10.1.3.1/24
PC          IP address: 10.1.1.1/24
Web server  IP address: 10.1.3.2/24

Configuration Roadmap
The roadmap for probing the PMTU is as follows:

1. Probe the PMTU on the NGFW.
2. Change the MTU of the uplink and downlink interfaces according to the discovered PMTU to
   ensure service continuity.

Procedure
Step 1 Set the IP addresses.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.1.2.1 24
<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/2
[NGFW_B-GigabitEthernet1/0/2] ip address 10.1.3.1 24

Step 2 Add interfaces to security zones and configure a security policy between the security
zones (omitted).

For details on how to add an interface to a security zone, refer to the related chapters in
Security Zones, and for details on how to configure a security policy, refer to the related
chapters in Security Policy.

Step 3 Add interfaces to the corresponding security zones and configure a security policy between
the security zones to ensure normal network communication. Details are omitted.

Step 4 Ensure that NGFW_A, NGFW_B, and NGFW_C are routable to each other. Details are omitted.

Step 5 Configure PMTU discovery on NGFW_A to discover the maximum MTU from the tunnel (source IP
address: 10.1.2.1/24) to the Web server (destination IP address: 10.1.3.2/24). The incremental
step is 10 bytes.
<NGFW_A> pathmtu -a 10.1.2.1 -step 1 10.1.3.2
PathMtu test to 10.1.3.2 (public) , step: 1 byte(s) , discovery field max: 1500
1 * * *
2 * * *
PathMtu test result: Success, PathMtu: 1300

Step 6 Change the MTU of the uplink and downlink interfaces of the GRE tunnel to the discovered
PMTU 1300 to ensure that packets are not fragmented on the intermediate network. The MTU
eases the burden of the intermediate devices and ensures proper network communication. The
following uses changing the MTU of interface GigabitEthernet 1/0/1 as an example.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] mtu 1300
[NGFW_A-GigabitEthernet1/0/1] shutdown
[NGFW_A-GigabitEthernet1/0/1] undo shutdown

NOTE

The change of MTU on an interface takes effect only after you restart the interface (by running the
shutdown command and then the undo shutdown command on the interface).

Step 7 Configure the GRE tunnel. For details, refer to 20.5 GRE.

----End

5.19.4 Feature History


This section describes the versions and changes in the PMTU feature.

Version      Change Description
V100R001C00  The first version.

5.20 NetStream
This chapter describes the basic concepts, mechanism, and applications of NetStream.

5.20.1 Overview
NetStream collects statistics on network traffic and periodically sends them to the NetStream
Collector (NSC). The statistics can be used for charging, network management, and guiding
network planning.

NetStream is a statistics collection technology based on network traffic. It collects and
classifies statistics on the communication traffic and resource usage over the network, and
provides service-specific and resource-specific network monitoring and management functions.

The main application scenarios of the NetStream technology are as follows:

- Charging
  NetStream collects refined data based on the usage of resources, such as lines, bandwidths,
  and time ranges. The collected data covers IP addresses, packet number, byte number, time,
  ToS, and applications. Based on the collected and classified data, ISPs can implement flexible
  charging policies based on duration, bandwidth, application, and service quality, and
  enterprise customers can calculate expenses or allocate costs.
- Network planning and analysis
  NetStream provides key information for optimizing network design and planning, so that optimal
  and reliable network performance is obtained at low operating costs.
- Network monitoring
  NetStream delivers real-time network monitoring. The RMON, RMON-2, and flow-based analysis
  technologies give an intuitive picture of the traffic models of individual routers and of the
  entire network, and provide advanced fault detection, effective troubleshooting, and rapid
  fault rectification.
- Application monitoring and analysis
  NetStream also provides detailed information about network applications. For example, you can
  view the percentages of the traffic volume consumed by Web, FTP, Telnet, and other well-known
  TCP/IP applications. Based on such information, ICPs and ISPs can effectively plan and allocate
  network and application resources.
- Abnormal traffic detection
  By analyzing NetStream flows, NetStream detects abnormal traffic, such as attacks, on the
  network in real time. Based on the trap messages from the NMS and the interworking with the
  NMS, network security is ensured.

NetStream mainly consists of three roles, namely, the NetStream Data Exporter (NDE), the
NetStream Collector (NSC), and the NetStream Data Analyzer (NDA). The relationship among the
three is shown in the following figure.

Figure 5-106 Roles in a NetStream system
[figure: NGFW_A (NDE) and NGFW_B (NDE) each export statistics to an NSC; both NSCs feed one NDA]

The NDE collects statistics on the passing traffic and sends detailed statistics to the NSC for
filtering and merging. The NSC then sends the filtered and merged statistics to the NDA for
further merging and for the generation of intuitive graphs and reports. The generated graphs and
reports provide a reference for network planning, network monitoring, application analysis, and
fault location.

The IP network is connectionless, so the communication of each type of service is carried by a
group of IP packets sent from one terminal to another. These IP packets form the data flow of a
network service. Most data flows are temporary, intermittent, and bidirectional. NetStream
identifies different flows and collects flow-specific statistics based on the destination and
source IP addresses, destination and source ports, protocol, ToS, and input and output
interfaces. Serving as an NDE, the NGFW periodically sends the collected statistics to the NSC
for processing. The NSC then sends the statistics to the NDA for data analysis and report
generation.

5.20.2 Mechanism
This section describes the mechanism of NetStream.

Concept of Sampling
After NetStream is enabled on an interface, the NGFW uses the CPU to establish, maintain, age,
and aggregate NetStream flows and to generate the data for export. Meanwhile, the NGFW saves the
NetStream information in the corresponding interface table. If every packet were counted and
involved in the establishment of NetStream flows, the performance of the interface would be
heavily affected, especially on high-speed interfaces. Therefore, sampling is implemented: only
the sampled packets are sent to the NetStream card for further processing. The lower the sampling
rate, the less the performance is affected.

Sampling Process
Figure 5-107 shows the sampling process.

Figure 5-107 Process of sampling flows
[flow chart: check whether the packet is fragmented; check whether the packet is unicast or
broadcast; analyze whether the sampling function is enabled on the interface; if it is, determine
whether a sampling value is set on the interface: with a value set, extract the count value for
counting packets and compare the count value with the value configured on the interface
(sampling on packet number); otherwise compare a randomly generated value with the value
configured on the interface (sampling all packets); the generated flow information is sent to
the NSC]

The following table shows the related NetStream configurations on the interface.

Name                                                      Width    Function
Mark for enabling the transmission of unicast packets     1 bit    Indicates whether the packet destined for a unicast IP address is allowed through.
Mark for enabling the transmission of multicast packets   1 bit    Indicates whether the packet destined for a multicast IP address is allowed through.
Mark for enabling the sampling of passing packets         1 bit    Indicates whether the sampling function is enabled on the interface.
Sampling mask                                             15 bits  Indicates the count value ratio for sampling all packets and for sampling on packet number.
Interface index                                           16 bits  Indicates the combination of the 4-bit slot information and the 12-bit interface index information, serving as the inbound interface information of the NetStream flow.


The preceding information must be configured on the inbound interface and outbound interface.
The NGFW can then sample packets on both the inbound and outbound interfaces.

Aging Flows
Certain current flows must be deleted to release memory for subsequent flows. This is because
the number of flows across the network can burst in a short time: thousands of flows can be
generated in a few seconds. The process of deleting flows to release memory is called flow
aging.

Four flow aging modes are available:

l Scheduled flow aging
Flows are aged if the inactive period (from the time when the last packet is received to the
current time) times out. Flows are also aged if the active period (from the time when the
first packet passes to the current time) times out. Flows in the cache may not be aged if the
active period times out. This is because the system ages flows only when a new flow arrives.
However, if the inactive period times out, flows in the cache are immediately aged
regardless of whether the active period times out. Active and inactive timeout values can
be manually set or use the default values. The default active timeout period is 30 minutes,
and the inactive timeout value is 30 seconds.
l Aging triggered by TCP FIN and RST packets
For a TCP connection, the sending of the packet carrying the FIN or RST flag bit indicates
that the TCP session is closed. Therefore, if a NetStream TCP flow contains the packet
with the FIN or RST flag bit, the system can immediately age this TCP flow. If the first
packet in the flow contains the FIN or RST flag bit, the system creates and processes the
flow normally instead of aging the flow.
l Aging triggered by excessive statistics bytes
The flow in the cache records the number of passed bytes. When the number of bytes
exceeds the specified upper limit, the cache overflows. Therefore, when the system detects
that the total bytes in a flow exceed 3.9 Gb, the system immediately ages the flow.
l Forcible aging
You can run the reset ip netstream statistics command to age all flows in the current
cache.
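The four aging rules above, modelled in Python as an added illustration (not Huawei code): the cache layout, the packet sequence and the reason labels are constructed here, the defaults follow the text (active 30 minutes, inactive 30 seconds), and the 3.9 Gb limit is taken as 3.9 * 10^9 counted bytes.

```python
"""Model of the four NetStream flow-aging rules described in this section.

Added illustration, not Huawei code: the cache layout, packet records and
the 'reason' labels are constructed here. Defaults follow the text (active
30 minutes, inactive 30 seconds) and the 3.9 Gb byte limit is taken as
3.9 * 10^9 counted bytes.
"""
from dataclasses import dataclass

TCP = 6
FIN = 0x01
RST = 0x04
DEFAULT_ACTIVE_TIMEOUT = 30 * 60   # seconds
DEFAULT_INACTIVE_TIMEOUT = 30      # seconds
BYTE_LIMIT = 3_900_000_000         # bytes counted in one flow before forced aging


@dataclass
class Flow:
    key: tuple          # (src, dst, sport, dport, proto, tos, in_if)
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


class FlowCache:
    def __init__(self, active_timeout=DEFAULT_ACTIVE_TIMEOUT,
                 inactive_timeout=DEFAULT_INACTIVE_TIMEOUT):
        self.active_timeout = active_timeout
        self.inactive_timeout = inactive_timeout
        self.flows = {}
        self.exported = []   # (reason, Flow) pairs handed to the UDP exporter

    def _age(self, key, reason):
        self.exported.append((reason, self.flows.pop(key)))

    def _sweep_active(self, now):
        # The text says active-timeout aging only happens when a new flow arrives.
        for key, flow in list(self.flows.items()):
            if now - flow.first_seen >= self.active_timeout:
                self._age(key, "active-timeout")

    def packet(self, now, key, length, tcp_flags=0):
        """Account one sampled packet and apply the packet-driven aging rules."""
        flow = self.flows.get(key)
        first_packet = flow is None
        if first_packet:
            self._sweep_active(now)
            flow = self.flows[key] = Flow(key, now, now)
        flow.last_seen = now
        flow.packets += 1
        flow.octets += length
        # FIN/RST closes the TCP session: age at once, unless the very first
        # packet already carries the flag (then the flow is created normally).
        if key[4] == TCP and tcp_flags & (FIN | RST) and not first_packet:
            self._age(key, "tcp-fin-rst")
        elif flow.octets > BYTE_LIMIT:
            self._age(key, "byte-limit")

    def tick(self, now):
        """Periodic check: idle flows are aged regardless of the active timer."""
        for key, flow in list(self.flows.items()):
            if now - flow.last_seen >= self.inactive_timeout:
                self._age(key, "inactive-timeout")

    def reset(self):
        """Counterpart of 'reset ip netstream statistics': age every flow."""
        for key in list(self.flows):
            self._age(key, "forced")


def demo():
    """Constructed packet sequence that triggers each aging mode once."""
    cache = FlowCache()
    web = ("10.1.1.10", "10.2.1.20", 40000, 80, TCP, 0, 1)
    dns = ("10.1.1.10", "10.2.1.53", 50000, 53, 17, 0, 1)
    bulk = ("10.1.1.11", "10.2.1.21", 40001, 443, TCP, 0, 1)
    cache.packet(0, web, 60, tcp_flags=0x02)        # SYN opens the flow
    cache.packet(1, web, 1500)
    cache.packet(2, web, 60, tcp_flags=FIN)         # FIN -> aged immediately
    cache.packet(3, dns, 80)                        # UDP flow, then silence
    cache.tick(3 + DEFAULT_INACTIVE_TIMEOUT)        # idle for 30 s -> aged
    cache.packet(100, bulk, 1500)
    cache.packet(101, bulk, BYTE_LIMIT)             # counter passes 3.9 Gb -> aged
    cache.packet(102, web, 60, tcp_flags=RST)       # RST on first packet: kept
    cache.packet(102 + DEFAULT_ACTIVE_TIMEOUT, dns, 80)  # new flow sweeps 'web'
    cache.reset()                                   # forcible aging of the rest
    return [reason for reason, _ in cache.exported]


if __name__ == "__main__":
    print(demo())
```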

Displaying Flow Statistics


Displaying original flows: After the NetStream module collects the statistics on the aged
NetStream flows, the system generates UDP packets carrying the statistics and sends the packets
to the NSC. The NSC then flexibly processes the received flow records. This process increases
the usage of bandwidth and the CPU of the routing device. In addition, to store the flow records,
additional memory capacity is required. This increases the load on devices.

Displaying aggregated flows: After the NetStream module collects the statistics on the aged
NetStream flows, the system classifies the raw statistics based on certain rules to aggregate flows.
The aggregated flows are sent in UDP packets. Aggregating original flows decreases bandwidth
and CPU usage and saves memory. Table 5-48 lists the currently supported aggregation modes.


Table 5-48 Aggregation modes

Aggregation Mode
    Description

as
    Flows are classified based on four key values: source autonomous system (AS) ID, destination AS ID, index of the inbound interface, and index of the outbound interface. Flows with the same four key values are aggregated into one flow, and one aggregation flow record is generated.

as-tos
    Flows are classified based on five key values: source AS ID, destination AS ID, index of the inbound interface, index of the outbound interface, and ToS field. Flows with the same five key values are aggregated into one flow, and one aggregation flow record is generated.

protocol-port
    Flows are classified based on three key values: protocol ID, source port, and destination port. Flows with the same three key values are aggregated into one flow, and one aggregation flow record is generated.

protocol-port-tos
    Flows are classified based on six key values: protocol ID, source port, destination port, ToS field, index of the inbound interface, and index of the outbound interface. Flows with the same six key values are aggregated into one flow, and one aggregation flow record is generated.

source-prefix
    Flows are classified based on four key values: AS ID, length of the source mask, prefix of the source address, and index of the inbound interface. Flows with the same four key values are aggregated into one flow, and one aggregation flow record is generated.

source-prefix-tos
    Flows are classified based on five key values: AS ID, length of the source address mask, prefix of the source address, ToS field, and index of the inbound interface. Flows with the same five key values are aggregated into one flow, and one aggregation flow record is generated.

destination-prefix
    Flows are classified based on four key values: AS ID, length of the destination address mask, prefix of the destination address, and index of the outbound interface. Flows with the same four key values are aggregated into one flow, and one aggregation flow record is generated.

destination-prefix-tos
    Flows are classified based on five key values: AS ID, length of the destination address mask, prefix of the destination address, ToS field, and index of the outbound interface. Flows with the same five key values are aggregated into one flow, and one aggregation flow record is generated.

prefix
    Flows are classified based on eight key values: source AS ID, destination AS ID, length of the source address mask, length of the destination address mask, prefix of the source address, prefix of the destination address, index of the inbound interface, and index of the outbound interface. Flows with the same eight key values are aggregated into one flow, and one aggregation flow record is generated.

prefix-tos
    Flows are classified based on nine key values: source AS ID, destination AS ID, length of the source address mask, length of the destination address mask, prefix of the source address, prefix of the destination address, ToS field, index of the inbound interface, and index of the outbound interface. Flows with the same nine key values are aggregated into one flow, and one aggregation flow record is generated.

mpls-label
    Flows are classified based on MPLS labels. Flows with the same MPLS label are aggregated into one flow, and one aggregation flow record is generated.
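As an added example (not Huawei's implementation), the key sets from Table 5-48 applied to constructed flow records to show how many export records each mode produces from the same raw flows. The record field names are ours; for the source-prefix and destination-prefix modes the table's unspecified "AS ID" is assumed to be the source and destination AS respectively; the AS numbers mirror the configuration example in 5.20.8.2.

```python
"""Aggregation key sets from Table 5-48 applied to constructed flow records."""
from collections import defaultdict

# Mode -> fields that together form its key (the "n key values" of the table).
# Assumption: for source-prefix* and destination-prefix* the table's unspecified
# "AS ID" is taken as the source AS and destination AS respectively.
AGGREGATION_KEYS = {
    "as": ("src_as", "dst_as", "in_if", "out_if"),
    "as-tos": ("src_as", "dst_as", "in_if", "out_if", "tos"),
    "protocol-port": ("proto", "sport", "dport"),
    "protocol-port-tos": ("proto", "sport", "dport", "tos", "in_if", "out_if"),
    "source-prefix": ("src_as", "src_mask", "src_prefix", "in_if"),
    "source-prefix-tos": ("src_as", "src_mask", "src_prefix", "tos", "in_if"),
    "destination-prefix": ("dst_as", "dst_mask", "dst_prefix", "out_if"),
    "destination-prefix-tos": ("dst_as", "dst_mask", "dst_prefix", "tos", "out_if"),
    "prefix": ("src_as", "dst_as", "src_mask", "dst_mask",
               "src_prefix", "dst_prefix", "in_if", "out_if"),
    "prefix-tos": ("src_as", "dst_as", "src_mask", "dst_mask",
                   "src_prefix", "dst_prefix", "tos", "in_if", "out_if"),
    "mpls-label": ("mpls_label",),
}


def aggregate(records, mode):
    """Collapse raw flow records into one aggregation record per distinct key.

    Returns {key_tuple: {"flows": n, "packets": n, "octets": n}}; the counters
    are what one aggregated export record carries instead of n raw records.
    """
    fields = AGGREGATION_KEYS[mode]
    buckets = defaultdict(lambda: {"flows": 0, "packets": 0, "octets": 0})
    for rec in records:
        key = tuple(rec[f] for f in fields)
        bucket = buckets[key]
        bucket["flows"] += 1
        bucket["packets"] += rec["packets"]
        bucket["octets"] += rec["octets"]
    return dict(buckets)


def _flow(src, dst, sport, dport, proto=6, tos=0, mpls_label=0,
          packets=10, octets=5000):
    """Constructed raw flow; src/dst are (AS, prefix, mask-length) triples.

    Interfaces are fixed (in 1, out 3) to mirror traffic entering on one
    interface and leaving towards the ISPs.
    """
    return {"src_as": src[0], "src_prefix": src[1], "src_mask": src[2],
            "dst_as": dst[0], "dst_prefix": dst[1], "dst_mask": dst[2],
            "in_if": 1, "out_if": 3, "proto": proto, "sport": sport,
            "dport": dport, "tos": tos, "mpls_label": mpls_label,
            "packets": packets, "octets": octets}


# Constructed sample: AS numbers follow the configuration example in 5.20.8.2.
USER = (65001, "10.1.1.0", 24)
ISP1 = (65002, "10.2.1.0", 24)
ISP2 = (65003, "10.3.1.0", 24)
SAMPLE_FLOWS = [
    _flow(USER, ISP1, 40000, 80),
    _flow(USER, ISP1, 40001, 80),
    _flow(USER, ISP1, 40002, 443, tos=0x10),
    _flow(USER, ISP2, 40003, 80),
    _flow(USER, ISP2, 40004, 53, proto=17),
]


def record_counts(records=SAMPLE_FLOWS):
    """Number of export records each mode yields for the same raw flows."""
    return {mode: len(aggregate(records, mode)) for mode in AGGREGATION_KEYS}


if __name__ == "__main__":
    for mode, count in record_counts().items():
        print(f"{mode:24s} {len(SAMPLE_FLOWS)} raw flows -> {count} record(s)")
```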

5.20.3 NetStream Basic Configurations


To output statistics packets, you can enable interfaces, set the output formats of packets, and
configure the statistics output.

5.20.3.1 Enabling NetStream


This section describes how to enable the NetStream function.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the interface view.


interface interface-type interface-number

Step 3 Enable the NetStream function to collect statistics on IPv4 unicast traffic flows passing the
interface.
ip netstream inbound

NOTE

To enable the function for a sub-interface, set the VLAN ID for this sub-interface first.
By default, NetStream is disabled.

----End


5.20.3.2 Configuring the Output Format of Packets


This section describes how to configure NetStream to output statistics packets in the version 5
or 9 format.

Context
NOTE

Currently, the NetStream function of the NGFW supports two versions of the output packets, namely, 5
and 9. Version 9 provides a template that lets you customize the statistics fields according to
actual requirements, thus ensuring the flexibility of the statistics output.
l Version 5: The original data flow is generated on the basis of the 7-tuple. The format of packets is
fixed and hard to extend. Version 5 does not support the statistics output of the BGP next hop.
l Version 9: Based on the template, version 9 ensures that the output of statistics is more flexible and
can be used to output the data of various format combinations. Version 9 supports the statistics output
of MPLS and the BGP next hop.

Do as follows on the NGFW on which traffic statistics need to be collected.

Procedure
Step 1 Access the system view.
system-view

Step 2 Configure the format of output packets.


ip netstream export version version [ origin-as | peer-as ] [ bgp-nexthop ]

The default format is version 5 with the AS option as peer-as. The output does not contain the
BGP next hop.

----End

5.20.3.3 Configuring the Output of Statistics


This section describes how to set the destination address and port that NetStream sends packets
to.

Context
Do as follows on the NGFW on which traffic statistics need to be collected.

Procedure
Step 1 Access the system view.
system-view

Step 2 Optional: Set the source address of the output statistics packets.
ip netstream export source ip-address

Step 3 Set the destination address of the output statistics packets.


ip netstream export host ip-address port

You can set a maximum of two destination IP addresses respectively for the active and the
standby NSCs.


NOTE

You can configure two destination addresses in the system view and the aggregation mode view,
respectively.

----End

5.20.4 Configuring the Aggregated Statistics on Traffic Flows


This section describes how to configure the aggregation of the statistics on the IPv4 traffic
passing the interface. Aggregation greatly reduces network bandwidth usage, CPU usage, and
storage space.

5.20.4.1 Enabling NetStream for an Interface


This section describes how to enable the NetStream function for an interface.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the interface view.


interface interface-type interface-number

Step 3 Enable NetStream to collect statistics on unicast traffic flows passing the interface.
ip netstream inbound

NOTE

To enable the function for a sub-interface, set the VLAN ID for the sub-interface first.
By default, NetStream is disabled.

----End

5.20.4.2 Configuring Aggregation


After you configure aggregation, the NetStream aggregation function is enabled.

Context
NOTE

To aggregate the traffic statistics and output aggregated statistics in packets, configure the aggregation mode.
At present, both Version 8 and Version 9 support the following aggregation modes: as, as-tos, protocol-port,
protocol-port-tos, source-prefix, source-prefix-tos, destination-prefix, destination-prefix-tos, prefix, and prefix-tos.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the view of the specified aggregation mode.


ip netstream aggregation { as | as-tos | destination-prefix | destination-prefix-tos | prefix | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos }


Step 3 Enable the aggregation function.


enable

Step 4 Optional: Configure the mask for the aggregation.


mask { source | destination } minimum mask-length

You can configure the source aggregation mask only for modes prefix, prefix-tos, source-prefix,
and source-prefix-tos.

You can configure the destination aggregation mask only for modes prefix, prefix-tos,
destination-prefix, and destination-prefix-tos.

----End

5.20.4.3 Configuring the Format of the Output Statistics


This section describes how to configure the packet format of aggregated statistics.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the view of the specified aggregation mode.


ip netstream aggregation { as | as-tos | destination-prefix | destination-prefix-tos | prefix | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos }

Step 3 Configure the format for outputting aggregated statistics in packets.


export version { 8 | 9 }

l The output of the statistics on aggregated MPLS flows uses version 9.
l The output of the statistics on other aggregated flows uses version 8 by default.

----End

5.20.4.4 Configuring the Output of Statistics


This section describes how to set the destination address and port for outputting the aggregated
statistics on passing traffic flows.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the view of the specified aggregation mode.


ip netstream aggregation { as | as-tos | destination-prefix | destination-prefix-tos | prefix | prefix-tos | protocol-port | protocol-port-tos | source-prefix | source-prefix-tos }

Step 3 Set the source address of the output statistics.


ip netstream export source ip-address

Step 4 Set the destination address of the output statistics.


ip netstream export host ip-address port


You can set a maximum of two destination IP addresses respectively for the active and the
standby NSCs.

NOTE

You can set two destination addresses in the system view and in the aggregation mode view.

----End

5.20.5 Configuring the Traffic Statistics on the Vlanif Interface


This section describes how to configure the statistics on the traffic passing the Vlanif interface.

5.20.5.1 Enabling NetStream on a Vlanif Interface


Enabling the NetStream function on a Vlanif interface is the basis for statistics collection.

Context
Do as follows on the NGFW on which the statistics of traffic passing the Vlanif interface
need to be collected.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the Vlanif interface view.


interface vlanif vlan-id

Step 3 Enable NetStream on the Vlanif interface.


ip netstream [ sampler fix-packets packet-interval ] inbound

By default, NetStream is disabled on the Vlanif interface.

----End

5.20.5.2 Configuring the Format of the Output Statistics


This section describes how to set the output format of the statistics packets for traffic passing the Vlanif interface.

Context
Do as follows on the NGFW on which the statistics of traffic on the Vlanif interface need to be
collected.

Procedure
Step 1 Access the system view.
system-view

Step 2 Configure the format of the output statistics.


ip netstream export version version [ origin-as | peer-as ] [ bgp-nexthop ]

The default format is version 5 with the AS option as peer-as. The output does not contain the
BGP next hop.


NOTE

Version 5 does not support the output of the BGP next hop.

----End

5.20.5.3 Configuring the Output of Statistics


This section describes how to set the destination address and port for outputting the statistics
on traffic passing the Vlanif interface.

Context
Do as follows on the NGFW on which the statistics of traffic passing the Vlanif interface need
to be collected.

Procedure
Step 1 Access the system view.
system-view

Step 2 Set the source address for outputting statistics.


ip netstream export source ip-address

Step 3 Set the destination address for outputting statistics.


ip netstream export host ip-address port

You can set a maximum of two destination IP addresses for the active and the standby NSCs.

NOTE

You can configure two destination addresses in the system view and in the aggregation mode view,
respectively.

----End

5.20.6 Setting NetStream Parameters


By adjusting NetStream parameters, you can ensure that statistics accurately reflect network
status and avoid causing a great impact on the forwarding performance of the device.

5.20.6.1 Configuring NetStream Sampling


By lowering the sampling rate of NetStream, you can reduce the impact on the forwarding
performance of the NGFW. However, raising the sampling rate improves the statistical accuracy.

Context
Configure NetStream sampling in the interface view of the NGFW that samples the passing
flows.

Procedure
Step 1 Access the system view.
system-view


Step 2 Access the interface view.


interface interface-type interface-number

Step 3 Configure NetStream sampling on the current interface.


ip netstream sampler

If the interface is configured with a sampling rate, the passing traffic flows are sampled at the
rate. If not, the sampling rate is 1:1, that is, all packets along the passing traffic flows are sampled.

----End

5.20.6.2 Configuring the Aging Time for Flows


After the flow ages, the NGFW sends information to the NSC through UDP. You can adjust the
active timeout and inactive timeout for flows.

Context
Do as follows on the NGFW on which NetStream sampling is required.

Procedure
Step 1 Access the system view.
system-view

Step 2 Specify the time to age an active flow.


ip netstream timeout active active-interval

Step 3 Specify the time to age an inactive flow.


ip netstream timeout inactive inactive-interval

active-interval ranges from 1 to 60 minutes.
inactive-interval ranges from 1 to 600 seconds.
By default, active-interval is 30 minutes, and inactive-interval is 1 second.

----End

5.20.6.3 Configuring Parameters for Refreshing the Template


Version 9 uses the template to output statistics. For example, by adjusting the parameters in the
template, you can change the interval for sending the template.

Procedure
l Configure the parameters for refreshing the template for original traffic flows.
1. Run the following command on the NGFW on which NetStream sampling is required
to access the system view.
system-view

2. Set the parameters for refreshing the option template.


ip netstream export template option { export-stats | refresh-rate packet-interval | sampler | timeout-rate timeout-interval }

3. Set the parameters for refreshing the template for outputting the statistics on original
traffic flows in version 9.

ip netstream export template { refresh-rate packet-interval | timeout-rate timeout-interval }

For the NSC to receive and process the statistics, you need to send the appropriate
template to the NSC. After you set the parameters for refreshing the template, the
template on the NSC can be synchronized with that of the system.

The option template contains the information about the NetStream configuration.
export-stats and sampler indicate the system option and interface option respectively.
Once the refreshment parameters of the option template are configured, statistics
collection with the system option or that with the interface option is enabled.

If export-stats is specified, statistics collection with the system option is enabled. If
sampler is specified, statistics collection with the interface option is enabled.
l Configure the parameters for refreshing the template for aggregated traffic.
1. Run the following command on the NGFW on which NetStream sampling is required
to access the system view.
system-view

2. Set the parameters for refreshing the option template.


ip netstream export template option { export-stats | refresh-rate packet-interval | sampler | timeout-rate timeout-interval }

3. Access the view of the specified aggregation mode.


ip netstream aggregation { as | as-tos | protocol-port | protocol-tos | source-prefix | source-prefix-tos | destination-prefix | destination-prefix-tos | prefix | prefix-tos }

4. Set the parameters for refreshing the template for outputting the statistics on
aggregated traffic in version 9.
template { refresh-rate packet-interval | timeout-rate timeout-interval }

----End

5.20.7 Maintaining NetStream


After NetStream is configured, you can check related configurations and clear statistics.

5.20.7.1 Displaying the NetStream Configurations


This section describes how to display statistics using display commands.

Context
During routine maintenance, you can run the following commands in any view to display the
NetStream configurations.

Table 5-49 lists the commands for displaying the running status of NetStream.

Table 5-49 Checking the configurations of NetStream

Action                                                   Command
Display the information about the flows in the cache.    display ip netstream cache
Display the NetStream statistics on output packets.      display ip netstream export [ template ]

5.20.7.2 Clearing the NetStream Statistics


This section describes how to clear the NetStream statistics to age all the information in the
cache.

NOTICE
Statistics cannot be restored after being cleared. Perform the operation with caution.

Table 5-50 lists the commands for clearing the NetStream statistics.

Table 5-50 Clearing the statistics on NetStream

Action Command

Clear the NetStream statistics. reset ip netstream statistics

5.20.7.3 Debugging NetStream


If the NetStream module is faulty, you can run the following debugging command in the user
view to debug NetStream and display debugging messages for fault location and analysis.

Before enabling the debugging function, you must run the terminal monitor and terminal
debugging commands in the user view to enable the display of logs and messages on the
terminal, so that the debugging messages can be displayed on the terminal.

NOTICE
Enabling the debugging function affects the system performance. Therefore, after debugging,
you need to run the undo debugging all command to disable the debugging function.

For details on the debugging commands, refer to the Debugging Reference.

Table 5-51 lists the command for NetStream debugging.


Table 5-51 Debugging NetStream

Action Command

Debug NetStream. debugging ip netstream { event | packet }

5.20.8 Configuration Examples


This section provides examples for configuring NetStream in different networks.

5.20.8.1 Example for Collecting the Statistics on Unicast Traffic Flows


This section provides an example for collecting statistics on the unicast flow in the inbound
direction of the interface.

Networking Requirements
As shown in Figure 5-108, an enterprise network is connected to NGFW_B on the carrier
network through NGFW_A. NetStream is enabled on NGFW_B. In such a scenario, the carrier
can collect the statistics on the inbound traffic flows passing GigabitEthernet 1/0/1 of
NGFW_B. The collected statistics provide a reference for network accounting.

Figure 5-108 Networking diagram of collecting the statistics on unicast traffic (diagram: the user network connects through NGFW_A to NGFW_B on the ISP network; NGFW_A GE1/0/1 is 10.1.1.1/24, NGFW_B GE1/0/1 is 10.1.1.2/24, and the NSC&NDA is at 10.2.1.2/24)

Item                                               Data
Destination IP address of the NetStream traffic    10.2.1.2
Destination port of the NetStream traffic          6000
Source IP address of the NetStream traffic         10.2.1.1
NetStream statistics output version                version 5

Configuration Roadmap
The configuration roadmap is as follows:

1. Set IP addresses for the interfaces on the NGFWs.
2. Enable NetStream for collecting statistics on inbound traffic flows on NGFW_B.

Procedure
Step 1 Set IP addresses for the interfaces on NGFW_A and NGFW_B.
Step 2 Enable the NetStream function for collecting inbound statistics on NGFW_B.
# Access the system view and change the system name to NGFW_B.
<NGFW> system-view
[NGFW] sysname NGFW_B

# Enable the NetStream function for collecting inbound statistics on NGFW_B.
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip netstream inbound
[NGFW_B-GigabitEthernet1/0/1] quit

# Configure the output version of the collected statistics on NGFW_B.
[NGFW_B] ip netstream export version 5

# Configure NGFW_B to send the collected statistics to the NSC and NDA.
[NGFW_B] ip netstream export host 10.2.1.2 6000

# Set the source address from which NGFW_B sends the collected statistics.
[NGFW_B] ip netstream export source 10.2.1.1

----End

Result
l After the configuration is complete, run the display ip netstream cache command in the
user view to display the statistics about the cached NetStream traffic flows.
<NGFW_B> display ip netstream cache
IP netstream cache information
Stream active timeout(minute) : 30
Stream inactive timeout(second): 1
Active stream entry : 0
Inactive stream entry : 8000
Stream entry been created : 0
Last clearing of statistics : never

IP packet number of different size
1-80 81-552 553-576 577-612 613-1480 1481-1500 1501-
0 0 0 0 0 0 0

Protocol Total Packets Stream Packets Active(sec) Idle(sec)
Streams /Sec /Sec /stream /stream /stream
----------------------------------------------------------------------------
Total 0 0 0 0 0 0

DstIf DstIP SrcIP Pro Tos Flgs Pkts
SrcIf DstP Msk AS SrcP Msk AS NextHop
BGP: BGP NextHop
--------------------------------------------------------------------------

l After the configuration is complete, run the display ip netstream export command in the
user view to display the information about the output of NetStream traffic statistics.
<NGFW_B> display ip netstream export
Version 5 ip export information
Stream destination IP(UDP): 10.2.1.2(6000)
Stream source IP: 10.2.1.1
Exported stream number: 120
Exported UDP datagram number: 120 failed number:0

5.20.8.2 Example for Collecting Statistics on Aggregated Traffic Flows


The NGFW connects to two carrier networks at the same time, aggregates the data packets
passing the interface based on AS IDs, and sends them to the NSC.

Networking Requirements
As shown in Figure 5-109, enabling NetStream on NGFW_B helps collect the statistics on the
traffic flows from the user network to both ISP networks. The collected statistics provide a
reference for network accounting.


Figure 5-109 Networking diagram of collecting the statistics on aggregated traffic flows (diagram: the user network connects through NGFW_A (GE1/0/4, 10.1.1.1/24) to NGFW_B (GE1/0/1, 10.1.1.2/24); NGFW_B connects through GE1/0/4 (10.2.1.1/24) to NGFW_C (GE1/0/4, 10.2.1.2/24) in ISP1, through GE1/0/2 (10.3.1.1/24) to NGFW_D (GE1/0/4, 10.3.1.2/24) in ISP2, and through GE1/0/3 (10.4.1.1/24) to the NSC&NDA at 10.4.1.2/24; each NGFW has a loopback0 interface)

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure reachable routes between the user network and access network.
2. Configure reachable routes between the access network and ISP1 and between the access
network and ISP2.
3. Enable NetStream on NGFW_B.

Procedure
Step 1 Set IP addresses.

# Set IP addresses for NGFW_A.


<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/4
[NGFW_A-GigabitEthernet1/0/4] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/4] quit

# Set IP addresses for NGFW_B.


<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/4
[NGFW_B-GigabitEthernet1/0/4] ip address 10.2.1.1 24
[NGFW_B-GigabitEthernet1/0/4] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.1.1.2 24
[NGFW_B-GigabitEthernet1/0/1] quit

[NGFW_B] interface GigabitEthernet 1/0/2
[NGFW_B-GigabitEthernet1/0/2] ip address 10.3.1.1 24
[NGFW_B-GigabitEthernet1/0/2] quit
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.4.1.1 24
[NGFW_B-GigabitEthernet1/0/3] quit

# Set IP addresses for NGFW_C.


<NGFW_C> system-view
[NGFW_C] interface GigabitEthernet 1/0/4
[NGFW_C-GigabitEthernet1/0/4] ip address 10.2.1.2 24
[NGFW_C-GigabitEthernet1/0/4] quit

# Set IP addresses for NGFW_D.


<NGFW_D> system-view
[NGFW_D] interface GigabitEthernet 1/0/4
[NGFW_D-GigabitEthernet1/0/4] ip address 10.3.1.2 24
[NGFW_D-GigabitEthernet1/0/4] quit

Step 2 Configure IGP routes between NGFW_A and NGFW_B.

Configure dynamic routes on NGFW_A.


<NGFW> system-view
[NGFW] sysname NGFW_A
[NGFW_A] ospf router-id 1.1.1.1
[NGFW_A-ospf-1] area 0
[NGFW_A-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255

Configure dynamic routes on NGFW_B.


<NGFW_B> system-view
[NGFW_B] ospf router-id 2.2.2.2
[NGFW_B-ospf-1] area 0
[NGFW_B-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[NGFW_B-ospf-1-area-0.0.0.0] network 10.2.1.1 0.0.0.255
[NGFW_B-ospf-1-area-0.0.0.0] network 10.3.1.1 0.0.0.255

Step 3 Establish BGP neighbors between NGFW_B and NGFW_C and between NGFW_B and
NGFW_D.

Establish dynamic BGP neighbors between NGFW_B and NGFW_C.


[NGFW_B] bgp 65001
[NGFW_B-bgp] router-id 2.2.2.2
[NGFW_B-bgp] peer 10.2.1.2 as-number 65002
[NGFW_B-bgp] ipv4-family unicast
[NGFW_B-bgp-af-ipv4] import-route ospf 1
[NGFW_C] bgp 65002
[NGFW_C-bgp] router-id 3.3.3.3
[NGFW_C-bgp] peer 10.2.1.1 as-number 65001

Establish dynamic BGP neighbors between NGFW_B and NGFW_D.


[NGFW_B] bgp 65001
[NGFW_B-bgp] router-id 2.2.2.2
[NGFW_B-bgp] peer 10.3.1.2 as-number 65003
[NGFW_D] bgp 65003
[NGFW_D-bgp] router-id 4.4.4.4
[NGFW_D-bgp] peer 10.3.1.1 as-number 65001

Step 4 Enable NetStream on NGFW_B.

Configure the output of aggregated traffic flows.

[NGFW_B] ip netstream aggregation as
[NGFW_B-aggregation-as] enable
[NGFW_B-aggregation-as] export version 9
[NGFW_B-aggregation-as] ip netstream export host 10.4.1.2 6000
[NGFW_B-aggregation-as] ip netstream export source 10.4.1.1

Enable NetStream for inbound traffic passing the interface.


[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip netstream inbound
[NGFW_B-GigabitEthernet1/0/1] quit

----End

Result
l After the configuration is complete, run the display ip netstream cache command in the
user view to display the statistics on the cached traffic flows.
<NGFW_B> display ip netstream cache
IP netstream cache information
Stream active timeout(minute)  : 30
Stream inactive timeout(second): 1
Active stream entry            : 0
Inactive stream entry          : 8000
Stream entry been created      : 0
Last clearing of statistics    : never

IP packet number of different size
  1-80  81-552  553-576  577-612  613-1480  1481-1500  1501-
     0       0        0        0         0          0      0

Protocol   Total     Packets   Stream    Packets    Active(sec)  Idle(sec)
           Streams   /Sec      /Sec      /stream    /stream      /stream
----------------------------------------------------------------------------
Total      0         0         0         0          0            0

DstIf      DstIP        SrcIP        Pro  Tos  Flgs  Pkts
SrcIf      DstP Msk AS  SrcP Msk AS  NextHop
BGP: BGP NextHop
--------------------------------------------------------------------------

l After the configuration is complete, run the display ip netstream export command in the
user view to display the information about the output of the traffic.
<NGFW_B> display ip netstream export
Version 9 AS aggregation information
Stream destination IP(UDP): 10.4.1.2(6000)
Stream source IP: 10.4.1.1
Exported stream number: 129
Exported UDP datagram number: 122 failed number:0

5.20.8.3 Example for Configuring NetStream on a Vlanif Interface


Two interfaces of the NGFW are added to the same VLAN, and the NGFW collects statistics
on the data flows passing the Vlanif interface.

Networking Requirements
As shown in Figure 5-110, add GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to the same
VLAN and configure the collection of the statistics on the traffic passing interface
GigabitEthernet 1/0/1.

Figure 5-110 Networking diagram of configuring NetStream on a Vlanif member interface


[Figure: NGFW with GE1/0/1 and GE1/0/2 in VLANIF100 (192.168.1.1/24) connected to Switch1
and Switch2 (VLAN 100, 192.168.1.2/24); GE1/0/4 (192.168.2.1/24) connects to the NSC&NDA
(192.168.2.2/24); GE1/0/3 (172.16.8.1/24) connects to 172.16.8.145/24]

Item Data

Destination address 192.168.2.2

Destination port 6000

Source address 192.168.2.1

Configuration Roadmap
The configuration roadmap is as follows:


1. Configure a VLAN and a Vlanif interface.
2. Set an IP address for each interface.
3. Enable NetStream for collecting statistics on inbound traffic.

Procedure
Step 1 Create a VLAN and a Vlanif interface and set an IP address for each of them.

# Create VLAN 100.


<NGFW> system-view
[NGFW] vlan 100
[NGFW-vlan100] quit

# Add GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to VLAN 100.


[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] undo shutdown
[NGFW-GigabitEthernet1/0/1] portswitch
[NGFW-GigabitEthernet1/0/1] port access vlan 100
[NGFW-GigabitEthernet1/0/1] quit
[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] undo shutdown
[NGFW-GigabitEthernet1/0/2] portswitch
[NGFW-GigabitEthernet1/0/2] port access vlan 100
[NGFW-GigabitEthernet1/0/2] quit

# Create a Vlanif interface and set an IP address for it.


[NGFW] interface vlanif 100
[NGFW-Vlanif100] ip address 192.168.1.1 255.255.255.0
[NGFW-Vlanif100] quit

# Set IP addresses for GigabitEthernet 1/0/4 and GigabitEthernet 1/0/3.


[NGFW] interface GigabitEthernet 1/0/4
[NGFW-GigabitEthernet1/0/4] ip address 192.168.2.1 255.255.255.0
[NGFW-GigabitEthernet1/0/4] undo shutdown
[NGFW-GigabitEthernet1/0/4] quit
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] ip address 172.16.8.1 255.255.255.0
[NGFW-GigabitEthernet1/0/3] undo shutdown
[NGFW-GigabitEthernet1/0/3] quit

Step 2 Add interfaces to corresponding security zones and configure security policy between security
zones to ensure normal network communication. Details are omitted.

Step 3 Enable NetStream on a Vlanif member interface.

# Enable NetStream for collecting the statistics on the inbound and outbound traffic passing the
Vlanif member interface GigabitEthernet 1/0/1.
[NGFW] interface vlanif 100
[NGFW-Vlanif100] ip netstream inbound

# Configure NetStream sampling (one packet in every 20 is sampled).

[NGFW-Vlanif100] ip netstream sampler fix-packets 20 inbound
[NGFW-Vlanif100] quit

# Set the destination address, destination port, and source address.

[NGFW] ip netstream export host 192.168.2.2 6000
[NGFW] ip netstream export source 192.168.2.1
[NGFW] quit

----End

Result
l Run the display ip netstream cache command in the user view to display the statistics on
original traffic flows.
<NGFW> display ip netstream cache
The total records in cache is 3.
Show information of cache is starting.
get show cache user data success
DstIf                  DstIP        SrcIP        Pro  Tos  Flgs  Pkts
SrcIf                  DstP Msk AS  SrcP Msk AS  NextHop
BGP: BGP NextHop
--------------------------------------------------------------------------
GigabitEthernet 1/0/3  172.16.8.1   192.168.1.2  0    0    0     95040
                                                 0.0.0.0

l Run the display ip netstream export command in the user view to display the information
about the output of the original traffic statistics.
<NGFW> display ip netstream export
Version 8 AS aggregation information
Stream destination IP(UDP): 192.168.2.2(6000)
Exported stream number: 395
Exported UDP datagram number: 93 failed number:0
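Both NetStream examples above export flow records over UDP to a collector (10.4.1.2 and 192.168.2.2, port 6000). The following Python is an added example, not code from this guide or from Huawei: it shows what a collector has to do with a version 9 export, namely parse the 20-byte header, learn templates from FlowSet 0, and decode data FlowSets with the template learned for that source ID, ignoring data that arrives before its template. The packet, field set and addresses are constructed for the example, not captured from an NGFW.

```python
import socket
import struct

# NetFlow/NetStream v9 field types used in this example (type IDs from the v9 specification)
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 8: "IPV4_SRC_ADDR",
               12: "IPV4_DST_ADDR", 16: "SRC_AS", 17: "DST_AS"}
IPV4_FIELDS = {8, 12}


def _parse_template_set(body, source_id, templates):
    """FlowSet 0: one or more (template_id, field_count, [(type, length)...]) entries."""
    pos = 0
    while pos + 4 <= len(body):
        template_id, field_count = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        fields = []
        for _ in range(field_count):
            if pos + 4 > len(body):
                raise ValueError("truncated template record")
            fields.append(struct.unpack("!HH", body[pos:pos + 4]))
            pos += 4
        # Templates are scoped by exporter source ID, so two exporters cannot clash
        templates[(source_id, template_id)] = fields


def _parse_data_set(body, fields):
    """Decode fixed-length records; trailing bytes shorter than a record are padding."""
    if not fields:
        return []  # template not seen yet: the records cannot be decoded safely
    rec_len = sum(length for _, length in fields)
    records, pos = [], 0
    while pos + rec_len <= len(body):
        rec = {}
        for ftype, length in fields:
            raw = body[pos:pos + length]
            pos += length
            name = FIELD_NAMES.get(ftype, f"field_{ftype}")
            rec[name] = socket.inet_ntoa(raw) if ftype in IPV4_FIELDS else int.from_bytes(raw, "big")
        records.append(rec)
    return records


def parse_v9(packet, templates=None):
    """Parse one v9 export datagram. Returns (header dict, list of decoded records).

    Pass the same `templates` dict for every datagram from a collector socket so that
    templates learned earlier apply to later data-only datagrams.
    """
    if templates is None:
        templates = {}
    if len(packet) < 20:
        raise ValueError("datagram shorter than the v9 header")
    version, count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", packet[:20])
    if version != 9:
        raise ValueError(f"unsupported export version {version}")
    header = {"count": count, "sys_uptime_ms": uptime, "unix_secs": unix_secs,
              "sequence": seq, "source_id": source_id}
    records, off = [], 20
    while off + 4 <= len(packet):
        set_id, set_len = struct.unpack("!HH", packet[off:off + 4])
        if set_len < 4 or off + set_len > len(packet):
            raise ValueError("bad FlowSet length")  # malformed or truncated datagram
        body = packet[off + 4:off + set_len]
        if set_id == 0:
            _parse_template_set(body, source_id, templates)
        elif set_id >= 256:  # IDs 1..255 are reserved (options templates etc.)
            records.extend(_parse_data_set(body, templates.get((source_id, set_id))))
        off += set_len
    return header, records


def build_sample_packet(include_template=True):
    """Constructed datagram: AS-aggregation style template 256 plus two flow records."""
    fields = [(8, 4), (12, 4), (16, 2), (17, 2), (2, 4), (1, 4), (4, 1)]
    template = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    template_set = struct.pack("!HH", 0, 4 + len(template)) + template
    flows = [("10.2.1.2", "10.3.1.2", 65002, 65003, 120, 96000, 6),
             ("10.3.1.2", "10.1.1.1", 65003, 65001, 45, 3600, 17)]
    data = b"".join(socket.inet_aton(s) + socket.inet_aton(d) + struct.pack("!HHIIB", sa, da, p, b, pr)
                    for s, d, sa, da, p, b, pr in flows)
    data += b"\x00" * (-len(data) % 4)  # pad the FlowSet to a 4-byte boundary
    data_set = struct.pack("!HH", 256, 4 + len(data)) + data
    count = (1 if include_template else 0) + len(flows)
    header = struct.pack("!HHIIII", 9, count, 123456, 1438243200, 7, 0)
    return header + (template_set if include_template else b"") + data_set


if __name__ == "__main__":
    hdr, recs = parse_v9(build_sample_packet())
    print(hdr)
    for r in recs:
        print(r)
```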

5.20.9 Feature History


This section describes the versions and changes in the NetStream feature.

Version Change Description

V100R001C00 The first version.

5.21 Agile Network


This section describes basic agile network concepts and the configurations and usage restrictions
of the NGFW on agile networks.

5.21.1 Overview
The agile network is a new enterprise networking solution for legacy enterprise networks. It is
easier, more flexible, and faster in configuration, maintenance, and service response compared
with traditional enterprise networks.

Based on customer requirements, agile networks fall into three scenarios: service mobility,
service chain, and security collaboration. This section describes the working mechanisms and
configuration methods of the firewall in different application scenarios.


Service Mobility
Service mobility enables consistent enterprise resource access
permissions and experience (the same priority and bandwidth for users to access enterprise
resources) regardless of where the users access the enterprise network. As shown in the service
mobility scenario in Figure 5-111, the firewalls are deployed at the borders of the headquarters,
branch office, and data center to provide user identification and permission control functions.
Apart from the user identification and permission control functions, the firewalls at the borders
of the headquarters and branch office provide L2TP VPN, L2TP over IPSec VPN, and SSL VPN
services for mobile employees and allocate bandwidth resources to access users to ensure that
the traffic of VIP users is preferentially forwarded.

Figure 5-111 Service mobility application scenario

[Figure: campus network with the Controller (control center) and data center behind the core
switch, the NGFW (firewall) at the egress to the router, aggregation and access switches and APs
serving R&D, Marketing and Finance inside the campus network, and employees on the move,
branches and partners outside the campus network]

In the service mobility application scenario, the Controller centrally manages user identity
information (user name and password) and access permissions (firewall security policies). The
Agile Controller (Controller for short) categorizes users into different security groups. After you
configure security groups and access permissions on the Controller, the Controller delivers the
configurations to all identity authentication and permission control devices (in this scenario,
both the firewalls and aggregation switches are identity authentication and permission control
devices to implement authentication and permission control). This section uses the firewall at
the egress of the campus network as an example to describe the mechanisms of user
authentication and permission control when a VPN user accesses data center resources or an
intranet user accesses Internet resources after the Controller server delivers the security groups
and access permissions to the device (firewall or aggregation switch).
l An employee on the move uses VPN to access enterprise networks and enterprise resources.

1. An employee on the move uses VPN to initiate a connection request to the firewall at
the headquarters egress.


2. After receiving the VPN request from the user, the firewall sends the user's identity
information to the Controller for verification.
3. After verifying the identity information, the Controller sends a response message to
the firewall indicating authentication success. The firewall establishes a VPN
connection with the user and records the security group and IP address of the user,
which are in the "online user list" on the firewall.
4. When receiving the service traffic from the employee on the move to the data center,
the firewall at the egress of the headquarters looks up the online user list for the traffic
IP address to find the corresponding user information. Then the firewall looks up the
permission control list based on the user information and implements permission
control accordingly.
l An intranet user accesses Internet resources.
1. The intranet user initiates identity authentication to the aggregation switch.
2. After receiving the authentication request from the user, the aggregation switch sends
the user's identity information to the Controller for verification.
3. The Controller records the IP address-account mapping of the user after verification
and sends a response message to the aggregation switch indicating authentication
success. After receiving the response message from the Controller, the aggregation
switch creates a mapping between the user and IP address.
4. The firewall sends an identity query message to the Controller to request the user
identity corresponding to the source address of the traffic. After receiving the query
request, the Controller returns the user identity information to the firewall. Then, the
firewall can find the permission control policy based on the user identity information.

In agile networks, users may need to access DNS, DHCP, or Portal servers before they are
authenticated. When the traffic from a user to a server goes through the firewall, the firewall
queries the corresponding security group information from the Controller server. However, the
user is not authenticated yet. Therefore, the Controller server informs the firewall that the user
belongs to the unknown group. For at least 10 minutes after that, the firewall will not query the
user information from the Controller server. Before the user information is refreshed (the interval
is 10 minutes by default), the user traffic will match the policies of the unknown group.
Therefore, the user cannot obtain the correct permission immediately after the user is
authenticated.

To resolve this problem, the pre-security domain is introduced into the agile network. The pre-
security domain refers to the domain accessible before users are authenticated. When an
unauthenticated user accesses a server in the pre-security domain, the firewall directly forwards
the traffic without querying the security group of the traffic. After the user is authenticated and
the service traffic reaches the firewall, the firewall queries the security group information from
the Controller server, which ensures that the query result is consistent with the actual security
group of the user. When you deploy an agile network, consider that users may need to access
the DNS, DHCP, and Portal servers before they are authenticated. You can select the servers
and deploy them in the pre-security domain as required.
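As an added example that is not from this guide, the following Python models the behaviour just described: the firewall caches the security group it obtains from the Controller and refreshes it only after the default 10-minute interval, so a user queried before authentication stays in the Unknown group until the refresh, whereas a pre-security domain lets pre-authentication traffic through without a query. The Controller stand-in, the addresses and the class names are constructed for the example.

```python
import ipaddress

UNKNOWN = "Unknown"
REFRESH_INTERVAL = 600  # seconds; the default user-information refresh interval (10 minutes)
FORWARDED_WITHOUT_QUERY = "forwarded without a security group query"


class Controller:
    """Stand-in for the Controller's identity query service (constructed, not the real API)."""

    def __init__(self):
        self.groups = {}  # user IP -> security group, known only after authentication

    def authenticate(self, user_ip, group):
        self.groups[user_ip] = group

    def query_group(self, user_ip):
        # An unauthenticated user is reported as belonging to the Unknown group
        return self.groups.get(user_ip, UNKNOWN)


class Firewall:
    """Models the firewall's cached identity lookups and the pre-security domain bypass."""

    def __init__(self, controller, pre_security_domain=()):
        self.controller = controller
        self.pre_security_domain = [ipaddress.ip_network(n) for n in pre_security_domain]
        self.cache = {}  # user IP -> (security group, time cached)
        self.queries = 0

    def _in_pre_security_domain(self, dst_ip):
        addr = ipaddress.ip_address(dst_ip)
        return any(addr in net for net in self.pre_security_domain)

    def classify(self, src_ip, dst_ip, now):
        """Return the security group whose policies this flow will match."""
        if self._in_pre_security_domain(dst_ip):
            # Forwarded directly: no query, so no stale Unknown entry gets cached
            return FORWARDED_WITHOUT_QUERY
        entry = self.cache.get(src_ip)
        if entry is None or now - entry[1] >= REFRESH_INTERVAL:
            self.queries += 1
            entry = (self.controller.query_group(src_ip), now)
            self.cache[src_ip] = entry
        return entry[0]


def scenario(pre_security_domain=()):
    """Timeline from the text: DNS before authentication, then data-center access after it."""
    ctrl = Controller()
    fw = Firewall(ctrl, pre_security_domain)
    user, dns_server, dc_server = "10.10.0.5", "10.3.0.53", "10.2.0.10"  # constructed addresses
    results = []
    results.append(fw.classify(user, dns_server, now=0))    # unauthenticated DNS lookup
    ctrl.authenticate(user, "Marketing")                     # the user authenticates at t=5
    results.append(fw.classify(user, dc_server, now=10))    # service traffic right afterwards
    results.append(fw.classify(user, dc_server, now=700))   # after the refresh interval
    return results


if __name__ == "__main__":
    print("no pre-security domain:", scenario())
    print("DNS server in pre-security domain:", scenario(("10.3.0.53/32",)))
```

Without a pre-security domain the second lookup still returns Unknown even though the user has authenticated; with the DNS server in the pre-security domain the first real service flow gets the correct group.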

Service Chain
Service chain is a scenario in which all security check devices are centrally deployed in the
security resource pool, with each device responsible for different security check tasks.
Enterprises can schedule the traffic going through the core switch in a specific order for the core
switch to send the traffic to these security devices for security checks. Figure 5-112 shows the


service chain scenario. In this scenario, the firewall resides in the security resource pool to
provide the content security check. The firewalls are deployed in off-line mode next to the core
switch, and each firewall establishes a GRE tunnel pair with each core switch. When receiving the
traffic to be checked, the core switch diverts the traffic over one GRE tunnel to the corresponding
firewall. After security checks, the firewall injects the traffic over the other GRE tunnel to the
core switch.

Figure 5-112 Service chain scenario

[Figure: the same campus network as Figure 5-111, with the NGFW (firewall) placed in a security
resource pool next to the core switch and connected to it by a GRE tunnel pair; the Controller
(control center), data center, router, aggregation and access switches, APs, and the employees on
the move, branches and partners outside the campus network are as before]

Security Collaboration
Security collaboration is a solution for improving overall intranet security defense capabilities.
This solution provides visibility into network health conditions, security event quantity and
types, and security risk trends and monitors and handles security events. As shown in Figure
5-113, the firewall sends to the Controller syslogs about security events, such as viruses,
intrusions, Trojans, and data leaks. After receiving security logs, the Controller delivers security
warning and actions, such as isolate or block, to the aggregation switch, so that the aggregation
switch can block these risks.


Figure 5-113 Security collaboration scenario

[Figure: the same campus network as Figure 5-112, with the NGFW (firewall) in the security
resource pool sending security logs to the Controller (control center) and the Controller
delivering isolate or block actions to the aggregation switch]

5.21.2 Restrictions and Precautions


This section describes the restrictions and precautions applicable to agile networks.

Restrictions
Table 5-52 lists the restrictions of the agile network function.

Table 5-52 Restrictions of the agile network function

Function Restriction Description

Virtual system Virtual systems do not support the agile network function.

IPv6 The agile network function does not support IPv6 services.

TSM function The TSM function and the agile network function are mutually
exclusive. Before you enable the agile network function, disable
the TSM function.

Security policy The agile network function cannot be enabled if security policies
are configured on the device. Before you enable the agile network
function, delete the configured security policies.

Precautions
The enabling or disabling of the agile network function affects other functions on the device, as
listed in Table 5-53.


Table 5-53 Impact of the agile network function on other functions

Function: User management
  When the agile network function is enabled: The user management function does not take
  effect.
  When the agile network function is disabled: The user management function takes effect.

Function: Security policy
  When the agile network function is enabled: If you select Delivered by controller for
  Security Policy Configuration when the agile network function is enabled, you cannot
  manually modify the security policies delivered by the Controller.
  When the agile network function is disabled: The system deletes all security policies
  delivered by the Controller.

Function: Policy redundancy analysis, policy matching analysis, and policy tuning
  When the agile network function is enabled: The policy redundancy analysis, policy
  matching analysis, and policy tuning functions do not take effect.
  When the agile network function is disabled: The policy redundancy analysis, policy
  matching analysis, and policy tuning functions take effect.

Function: Content security check
  When the agile network function is enabled: If you select Delivered by controller for
  Security Policy Configuration when the agile network function is enabled, the content
  security check function is unavailable.
  When the agile network function is disabled: The content security check function takes
  effect.

Function: Traffic policy
  When the agile network function is enabled: Traffic policies are not affected.
  When the agile network function is disabled: The traffic policies that the Controller
  delivers are deleted.

Function: Policy-based routing (PBR)
  When the agile network function is enabled: PBR is not affected.
  When the agile network function is disabled: The PBRs delivered by the Controller are
  deleted.

NOTE
When the agile network function is disabled, security policies, traffic policies, and PBR use user
group as a matching condition. When the agile network function is enabled, the user group
parameter in the three policies is replaced with the Source Agile Security Group and Destination
Agile Security Group parameters.

5.21.3 Connecting the NGFW to the Controller


After you configure the agile network function on the NGFW and connect the NGFW to the
Controller, the NGFW can obtain the security groups and policies configured on the Controller.


Procedure
Step 1 Choose System > Agile Network Configuration.

Step 2 Select Enable for Agile Network Function.

Step 3 Set the parameters for connecting the NGFW to the Controller.

Parameter: Primary Controller IP address
Description: Indicates the IP address of the primary Controller. Two Controllers may be
deployed to improve availability. If the primary Controller is down, the NGFW can establish
connections with the secondary Controller.

Parameter: Controller Standby Server IP Address
Description: Indicates the IP address of the secondary Controller.

Parameter: Authentication Password
Description: Indicates the password that the Controller uses to authenticate the NGFW.
After the agile network is deployed, the IP address and password of each device on the network
will be specified on the Controller. When a device sends a connection request to the Controller,
the Controller looks for the password of the device based on the source IP address. If the
passwords are the same, the authentication succeeds.

Parameter: RADIUS Server
Description: The NGFW needs to query the security group information of the user from the
RADIUS server to implement the security policy. For configurations of the RADIUS server, see
11.5.6.1 Configuring a RADIUS Server. The RADIUS server is integrated into the Controller.
Therefore, the IP address of the RADIUS server is that of the Controller. If an independent
RADIUS server is deployed, contact the network administrator for the IP address of the
RADIUS server.

Parameter: Security Policy Configuration
Description:
l Delivered by controller
  Select this value in the service mobility scenario. The Controller will automatically deliver
  security group and security policy configurations to the NGFW.
l Manually configured
  Select this value in the service chain scenario. The Controller cannot automatically deliver
  security policies to firewalls in the service chain scenario. Therefore, you must select
  Manually configured for this parameter.

----End

5.21.4 Viewing the Configurations Delivered by the Controller


After you connect the firewalls to the Controller, the Controller delivers the configured security
groups, online users, and security policies to the firewalls.


Viewing Agile Security Groups


Step 1 Choose Object > Agile Security Group > Agile Security Group.

Step 2 The firewall automatically obtains all security groups from the Controller, as shown in the
following figure.

You can click Refresh to refresh the result.

----End

Viewing Online Users


Step 1 Choose Object > Agile Security Group > Online Member.

Step 2 When receiving service traffic from the user, the NGFW requests the user identity and group
information of the traffic from the Controller, looks up the security policies based on the user
information, and adds the user to the online user list, as shown in the following figure.

The firewall queries user status information from the Controller every 10 minutes. As a result,
the user information on the firewall may not be in sync with that on the Controller. You
can click Refresh to display the latest user status information.

Table 5-54 lists the online user information that is displayed.

Table 5-54 Online user list

Item: User IP Address
Description: Indicates the IP address of a user.

Item: Agile Security Group
Description: Indicates the agile security group of a user. On the Controller, there are two
default agile security groups, Any and Unknown. The Any agile security group allows
everyone to access the company's portal. The Unknown agile security group is for
unauthenticated users. For example, an enterprise defines that unauthenticated users can access
only network resources provided for guests.

Item: Login Time
Description: Indicates the time when a user is added to the online user list after passing the
security policy check.

Item: Access Mode
Description: Three access modes are available:
l l2tp: Users access the firewall in L2TP dial-up mode.
l svn: Users access the firewall in SSL VPN mode.
l unknown: The user access type is unknown. For example, when an intranet user accesses
  the Internet, no VPN is used. Therefore, the access type is unknown.

Item: Bandwidth
Description: Indicates the maximum bandwidth allocated to the user.

----End

Viewing Security Policies


Step 1 Choose Policy > Security Policy.

Step 2 The firewall automatically synchronizes security policy information from the Controller, as
shown in the following figure.

NOTE
When the agile network function is enabled, parameter user group in security policies will be substituted
with parameters Source Agile Security Group and Destination Agile Security Group. Other parameters
remain the same. For details on each parameter, see 13.1.6 Configuring a Security Policy.

----End

5.21.5 Configuring Agile Network Services


The service mobility and service chain scenarios may require some security services, but the
service configurations vary with scenarios.


5.21.5.1 Configuring the Firewall to Provide L2TP Over IPSec Access Services and
Implement Identity Authentication and Permission Control for L2TP Users in a
Service Mobility Scenario
This section describes how to configure the firewall and Controller in a service mobility scenario
to allow mobile users to access the intranet through L2TP over IPSec.

Networking Requirements
As shown in Figure 5-114, an NGFW is deployed on the border of an intranet as a security
gateway. The NGFW provides VPN access services for mobile employees and implements
access permission control. A Controller is deployed for user information configuration and
delivers access permission control policies to the NGFW.

User requirement: Mobile employees are allowed to access web server resources on the intranet
through L2TP over IPSec only during working hours.

Figure 5-114 User access permission control in the service mobility scenario

[Figure: NGFW with GE1/0/1 (1.1.1.1/24) facing the employee on the move (6.6.6.6/24),
GE1/0/2 (10.2.0.1/24) facing the web server (10.2.0.10/24), and GE1/0/3 (10.3.0.1/24) facing
the Controller (10.3.0.10/24)]

Data Planning

Item: Web server
Data:
IP address: 192.168.1.2/24
Security group to which the web server belongs: web resource security group

Item: NGFW
Data:
Interface: GE1/0/1
IP address: 1.1.1.1
Security zone: Untrust
Interface: GE1/0/2
IP address: 10.2.0.1
Security zone: Trust
Interface: GE1/0/3
IP address: 10.3.0.1
Security zone: Trust
Password for interworking with the Controller: Admin@123
Shared Key: Radius@123

Item: Controller
Data:
IP address: 10.3.0.10/24
In this example, the Controller has the RADIUS server function to authenticate users, and
therefore the IP address of the RADIUS server is also 10.3.0.10/24.
RADIUS authentication key: Radius@123
Password (XMPP password): Admin@123
NOTE
All passwords in this example are used only for reference and are not default passwords.
Contact the administrator of the Controller to obtain required passwords.

Item: Mobile user
Data:
IP address: 6.6.6.6/24
Name: Jack
Account: J00001
Password: Hello123
Department: Marketing

Item: Schedule
Data:
Working hours: 9:00 to 17:00
Non-working hours: 0:00 to 8:59 and 17:01 to 23:59

Configuration Roadmap
1. Configure the Controller.
Configure parameters for the Controller, as shown in the following figure.


[Figure: Controller configuration roadmap
① Configure a user: Jack, account J00001, password Hello123, department Marketing.
② Configure a schedule: Working hours and Non-working hours.
③ Configure security groups: Working security group, Non-working security group, and Web
resource security group.
④ Configure authentication rules: "Regulations for working hours" (matching condition:
Marketing and Working hours; authentication result: Working security group) and "Regulations
for non-working hours" (matching condition: Marketing and Non-working hours; authentication
result: Non-working security group). User traffic during working hours matches the first rule
and user traffic during non-working hours matches the second.
⑤ Configure access permission control policies: source Working security group, destination
Web resource security group, permission Permit; source Non-working security group,
destination Web resource security group, permission Deny.]

When Jack attempts to access web server resources during working hours, Jack's
department and schedule information matches the "work" authorization rule. Based on the
rule, Jack belongs to the "working security group". Query the access permission control
policy that uses the "working security group" as the source security group and the "web
resource security group" as the destination security group. Then you can obtain Jack's
access permission. The Controller delivers the access permission control policy to the
firewall. When traffic sent from Jack passes through the firewall, the firewall searches for
the source and destination security groups based on the user name and then implements the
access permission control policy (referred to as security policy on the firewall).
2. Configure the firewall.
a. Enable the agile network function on the firewall.
b. Configure L2TP over IPSec.
3. After interworking with the firewall, the Controller delivers all configured security groups
and access permission control policies to the firewall.
NOTE
The Controller updates with versions. Therefore, in this example, the Controller configuration is for
reference only. For details, refer to the configuration manual of the Controller.
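As an added example that is not from this guide or the Controller, the following Python reproduces the matching logic described in the roadmap: a user's department and the current schedule select an authorization rule, the rule places the user in a security group, and the (source group, destination group) pair selects the permission the firewall enforces. The rule tables mirror this example's data; the function names and the deny result for a pair with no policy are assumptions.

```python
from datetime import time

# Constructed mirror of the security groups configured on the Controller in this example
WORKING = "Working security group"
NON_WORKING = "Non-working security group"
WEB = "Web resource security group"
UNKNOWN = "Unknown"

# Resource binding from step 4c: the web server's IP address belongs to the web resource group
RESOURCE_GROUPS = {"192.168.1.2": WEB}

# Authorization rules: (department, schedule) -> security group the user is placed in
AUTHORIZATION_RULES = [
    ("Marketing", "Working hours", WORKING),       # "Regulations for working hours"
    ("Marketing", "Non-working hours", NON_WORKING),  # "Regulations for non-working hours"
]

# Access permission control policy: (source group, destination group) -> action
PERMISSION_POLICY = {
    (WORKING, WEB): "permit",
    (NON_WORKING, WEB): "deny",
}

JACK = {"name": "Jack", "account": "J00001", "department": "Marketing"}


def schedule_of(t):
    """Working hours are 9:00 to 17:00 inclusive; 0:00-8:59 and 17:01-23:59 are non-working."""
    minute_of_day = t.hour * 60 + t.minute
    return "Working hours" if 9 * 60 <= minute_of_day <= 17 * 60 else "Non-working hours"


def authorize(user, t):
    """Controller side: match department and schedule against the authorization rules."""
    schedule = schedule_of(t)
    for department, rule_schedule, group in AUTHORIZATION_RULES:
        if department == user["department"] and rule_schedule == schedule:
            return group
    return UNKNOWN  # no rule matched, so the user falls into the Unknown group


def evaluate(user, dst_ip, t):
    """Firewall side: resolve source and destination groups, then apply the delivered policy."""
    src_group = authorize(user, t)
    dst_group = RESOURCE_GROUPS.get(dst_ip, UNKNOWN)
    # Assumption for this example: a group pair with no delivered policy is denied
    action = PERMISSION_POLICY.get((src_group, dst_group), "deny")
    return src_group, action


if __name__ == "__main__":
    for t in (time(10, 0), time(17, 0), time(17, 1), time(3, 30)):
        print(t, evaluate(JACK, "192.168.1.2", t))
```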

Procedure
Step 1 Configure the Controller.
1. Add the firewalls to be managed by the Controller.
a. Choose Resource > Device > Device Manager, click Add, and configure information
on the firewalls to be managed by the Controller.


b. Click the XMPP tab and set XMPP connection parameters.

c. Click OK.
2. Add the account and password of the mobile user to the Controller.


a. Choose Resource > User > User Management. On the Department tab, click
, set Department to Marketing department, and click OK.

b. On the User tab corresponding to the Marketing Department, click , set a


mobile user name, and click OK.

c. Click in the row of Jack. On the Account Management page, click . On


the Add Account page, set a login account and password for Jack.
The user name is used to identify a user, whereas the account and password configured
here are used for identity authentication when Jack accesses the intranet through L2TP
over IPSec.


d. Click OK to return to the User Management page.


3. Configure a schedule.
a. Choose Policy > Permission Control > Policy Element > Schedule and click
to set working and non-working hours.

b. Click OK.
4. Configure security groups for the mobile user and web server.
a. Choose Policy > Permission Control > Security Group > Security Group
Management and click Add to add the working and non-working security groups.
Then click OK.


b. Choose Policy > Permission Control > Security Group > Security Group
Management, and click to add a security group for the web server, and click
OK.

c. In the row of the Web_resource_security_group, click to bind the web server


to an IP address and click OK.


5. Configure a pre-authentication domain, so that mobile employees can access the NGFW
and Controller before being authenticated.

Choose Policy > Security Group > Intranet Configuration and add the IP addresses of
the NGFW virtual gateway and Controller to the pre-authentication domain.

6. Configure permission profiles.


a. Create a permission profile. Choose Policy > Permission Control > Authentication
and Authorization > Authorization Result and click to create a permission
profile. Then click OK.
The permission profile will be referenced during authorization rule configuration. To
easily search for a security group during authorization rule configuration, the
permission profile name must be the same as the security group name.


7. Add authorization rules.


a. Choose Policy > Permission Control > Authorization Policy > Authorization
Rule and click Add to create the authorization rules for working and non-working hours.


b. Click OK.
8. Configure an access permission template.
a. Choose Policy > Service Mobility > Permission Control and click Permission
Template. Configure the permission on the web server for mobile users during the
working and non-working hours.


b. Click OK.
9. Configure access permission control rules.
a. Choose Policy > Service Mobility > Permission Control and click Add. Configure
a policy for controlling the access to the web server from mobile users during the
working and non-working hours.


b. Click OK.

Step 2 Configure the firewall.


1. Set an IP address for each interface, assign interfaces to security zones, and complete basic
parameter settings.
a. Choose Network > Interface.

b. Click the edit icon next to GE1/0/1 and set the following parameters:
   Security zone: untrust
   IPv4 address: 1.1.1.1/24
c. Click OK.
d. Repeat the preceding steps to configure GE1/0/2 and GE1/0/3:
   GE1/0/2: security zone trust, IPv4 address 10.2.0.1/24
   GE1/0/3: security zone trust, IPv4 address 10.3.0.1/24

2. Configure the RADIUS server.


a. Choose Object > Authentication Server > RADIUS. Click Add and set parameters
as follows:
The parameters must be consistent with those on the RADIUS server. The shared key
is Admin@123.

b. Click OK.
3. Configure an authentication domain.
a. Choose Object > User > Authentication Domain. Modify the default authentication
domain and set the following parameters.


b. Click OK.
4. Configure an L2TP over IPSec tunnel.
a. Choose Network > IPSec > IPSec. In IPSec Policy List, click Add.
b. Set Scenario to Site-to-multisite and Peer Type to L2TP over IPSec client.
c. Complete Basic Configuration. Multiple branches need to access the headquarters.
Therefore, do not specify the remote gateway addresses. The pre-shared key is
Admin@123.

d. Set Dial-up User Configuration as follows:

e. Under Data Flow to Be Encrypted, click Add to add a data flow as follows.


f. Under IKE/IPSec Proposal, click Accept Proposal from the Peer Device to accept the
IKE/IPSec protocol and algorithms proposed by the peer. Note that this lets the peer drive
algorithm selection; where a specific algorithm set is required, configure the proposal explicitly instead.
g. Click Apply to complete the NGFW configuration.
5. Enable the agile network function on the firewall.

a. Choose System > Agile Network Configuration.


b. Select Enable next to Agile Network Function.
c. Configure parameters for the NGFW to interwork with the Controller.
If the status of Controller Active Server IP Address is displayed as Connected, the
firewall successfully interworks with the Controller.

Step 3 Configure a mobile user.

The mobile user can use the VPN client or Windows L2TP client for VPN access through L2TP
over IPSec. For details, see 20.2.11.14 Web Example for Configuring L2TP over IPSec VPN
for Users to Access the Headquarters Using the Windows L2TP Client or 20.2.11.12 Web
Example for Configuring L2TP over IPSec VPN for Users that Dial Up to the Headquarters
Using the VPN Client.

Step 4 Log in to the Controller again and configure it to deliver the security groups and policies to the
firewall.


1. Choose Policy > Permission Control > Security Group > Security Group
Management and click Global Deployment. In the dialog box that is displayed, click
OK.
2. Choose Policy > Service Mobility > Permission Control and click Global
Deployment. In the dialog box that is displayed, click OK.

----End

Verification
1. Mobile employee Jack can access web server resources on the intranet after dialing to the
firewall with account J00001 through L2TP over IPSec during working time.
2. Mobile employee Jack cannot access web server resources on the intranet after dialing to
the firewall with account J00001 through L2TP over IPSec during non-working time.

5.21.5.2 Configuring the Firewall to Provide SSL VPN Access Services and
Implement Identity Authentication and Permission Control for SSL VPN Users in
a Service Mobility Scenario
This section describes how to configure the firewall and Controller in a service mobility scenario
to allow mobile users to access the intranet through SSL VPN.

Networking Requirements
As shown in Figure 5-115, an NGFW is deployed on the border of an intranet as a security
gateway. The NGFW provides VPN access services for mobile employees and implements
access permission control. A Controller is deployed for user information configuration and
delivers access permission control policies to the NGFW.

User requirement: Mobile employees are allowed to access web server resources on the intranet
through SSL VPN only during working hours.

Figure 5-115 User access permission control in the service mobility scenario
(Topology summarized from the figure: the NGFW connects to the employee on the move (6.6.6.6/24) through GE1/0/1 (1.1.1.1/24), to the web server (10.2.0.10/24) through GE1/0/2 (10.2.0.1/24), and to the Controller (10.3.0.10/24) through GE1/0/3 (10.3.0.1/24).)


Data Planning
Item Data

Web server
  IP address: 10.2.0.10/24
  Security group to which the web server belongs: web resource security group

NGFW
  Interface GE1/0/1: IP address 1.1.1.1, security zone Untrust
  Interface GE1/0/2: IP address 10.2.0.1, security zone Trust
  Interface GE1/0/3: IP address 10.3.0.1, security zone Trust
  Password for interworking with the Controller: Admin@123
  Shared key: Radius@123

Controller
  IP address: 10.3.0.10/24
  In this example, the Controller also provides the RADIUS server function, so the IP address of the RADIUS server is also 10.3.0.10/24.
  RADIUS authentication key: Radius@123
  Password (XMPP password): Admin@123
  NOTE
  All passwords in this example are for reference only and are not default passwords. Contact the administrator of the Controller to obtain the required passwords.

Mobile user
  IP address: 6.6.6.6/24
  Name: Jack
  Account: J00001
  Password: Hello123
  Department: Marketing

Schedule
  Working hours: 9:00 to 17:00
  Non-working hours: 0:00 to 8:59 and 17:01 to 23:59

Configuration Roadmap
1. Configure the Controller.
Configure the following on the Controller (the original figure is summarized here):
① Configure a user: Jack, account J00001, password Hello123, department Marketing.
② Configure schedules: Working hours and Non-working hours.
③ Configure security groups: Working security group, Non-working security group, and Web resource security group (bound to the web server IP address).
④ Configure authorization rules:
   Rule name: Regulations for working hours; Matching condition: Marketing department during Working hours; Authentication result: Working security group
   Rule name: Regulations for non-working hours; Matching condition: Marketing department during Non-working hours; Authentication result: Non-working security group
⑤ Configure access permission control policies:
   Source security group: Working security group; Destination security group: Web resource security group; Permission: Permit
   Source security group: Non-working security group; Destination security group: Web resource security group; Permission: Deny
Jack's traffic matches the first authorization rule during working hours and the second during non-working hours.

When Jack attempts to access web server resources during working hours, Jack's
department and schedule match the "Regulations for working hours" authorization rule, so
Jack is placed in the Working security group. The Controller then looks up the access
permission control policy whose source security group is the Working security group and
whose destination security group is the Web resource security group; that policy defines Jack's
access permission. The Controller delivers the access permission control policies to the
firewall. When traffic from Jack passes through the firewall, the firewall determines the source
security group from the authenticated user name and the destination security group from the
destination IP address, and then applies the matching access permission control policy
(referred to as a security policy on the firewall).
2. Configure the firewall.
a. Enable the agile network function on the firewall.
b. Configure SSL VPN.
3. After interworking with the firewall, the Controller delivers all configured security groups
and access permission control policies to the firewall.
NOTE
The Controller updates with versions. Therefore, in this example, the Controller configuration is for
reference only. For details, refer to the configuration manual of the Controller.
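The decision chain in the roadmap (user attributes and schedule, then authorization rule, then security group, then access permission control policy) can be exercised as a small evaluation function. The following Python model is an added example, not Controller or NGFW code; the rule, group and policy names come from the roadmap and the Data Planning table, the binding of 10.2.0.10/32 to the Web resource security group mirrors step 4c of the procedure, and the deny result when no policy matches is an assumption of this model (the firewall's default action is not stated on this page).

```python
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed from the Data Planning table and roadmap (not exported from a Controller).
USERS = {"J00001": {"name": "Jack", "department": "Marketing"}}

# Schedules as inclusive minute-of-day ranges.
SCHEDULES = {
    "Working hours": [(9 * 60, 17 * 60)],
    "Non-working hours": [(0, 8 * 60 + 59), (17 * 60 + 1, 23 * 60 + 59)],
}

# Authorization rules: matching condition -> authentication result (a security group).
AUTHORIZATION_RULES = [
    {"name": "Regulations for working hours", "department": "Marketing",
     "schedule": "Working hours", "result": "Working security group"},
    {"name": "Regulations for non-working hours", "department": "Marketing",
     "schedule": "Non-working hours", "result": "Non-working security group"},
]

# Resource security groups bound to IP addresses (step 4c binds the web server).
RESOURCE_GROUPS = {ip_network("10.2.0.10/32"): "Web resource security group"}

# Access permission control policies the Controller delivers to the NGFW.
POLICIES = [
    {"source": "Working security group",
     "destination": "Web resource security group", "action": "permit"},
    {"source": "Non-working security group",
     "destination": "Web resource security group", "action": "deny"},
]


def in_schedule(schedule_name, when):
    minute = when.hour * 60 + when.minute
    return any(start <= minute <= end for start, end in SCHEDULES[schedule_name])


def user_security_group(account, when):
    """The first matching authorization rule decides the user's security group."""
    user = USERS.get(account)
    if user is None:
        return None
    for rule in AUTHORIZATION_RULES:
        if rule["department"] == user["department"] and in_schedule(rule["schedule"], when):
            return rule["result"]
    return None


def resource_security_group(dst_ip):
    """Destination group comes from the static IP binding, not from authentication."""
    addr = ip_address(dst_ip)
    for network, group in RESOURCE_GROUPS.items():
        if addr in network:
            return group
    return None


def evaluate(account, dst_ip, when):
    """Return (action, source group, destination group) for one access attempt."""
    src_group = user_security_group(account, when)
    dst_group = resource_security_group(dst_ip)
    for policy in POLICIES:
        if policy["source"] == src_group and policy["destination"] == dst_group:
            return policy["action"], src_group, dst_group
    # Assumption of this model: traffic without a matching policy is denied.
    return "deny", src_group, dst_group


if __name__ == "__main__":
    for hour in (10, 18):
        print(hour, evaluate("J00001", "10.2.0.10", datetime(2015, 7, 30, hour, 30)))
```

Two details worth checking against a real deployment: the boundary minute (17:00 is still working time here, 17:01 is not, matching the schedule table), and the fact that an account outside the Marketing department or a destination with no bound group never reaches a policy at all, so the outcome then depends entirely on the firewall's default action.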

Procedure
Step 1 Configure the Controller.
1. Add the firewalls to be managed by the Controller.
a. Choose Resource > Device > Device Manager, click Add, and configure information
on the firewalls to be managed by the Controller.


b. Click the XMPP tab and set XMPP connection parameters.

c. Click OK.
2. Add the account and password of the mobile user to the Controller.


a. Choose Resource > User > User Management. On the Department tab, click the add icon, set Department to Marketing Department, and click OK.
b. On the User tab of the Marketing Department, click the add icon, set the mobile user name, and click OK.
c. In the row of Jack, click the account management icon. On the Account Management page, click the add icon. On the Add Account page, set a login account and password for Jack.
   The user name only helps the administrator identify the user; the account and password configured here are what Jack presents for identity authentication when accessing the intranet through SSL VPN. The password is Hello123.


d. Click OK to return to the User Management page.


3. Configure a time range.
a. Choose Policy > Permission Control > Policy Element > Schedule and click
to set working and non-working hours.

b. Click OK.
4. Configure security groups for the mobile user and web server.
a. Choose Policy > Permission Control > Security Group > Security Group
Management and click Add to add the working and non-working security groups.
Click OK.


b. Choose Policy > Permission Control > Security Group > Security Group Management, click the add icon to add a security group for the web server, and click OK.
c. In the row of the Web_resource_security_group, click the bind icon to bind the web server to its IP address and click OK.


5. Configure a pre-authentication domain, so that mobile employees can access the NGFW
and Controller before being authenticated.

Choose Policy > Security Group > Intranet Configuration and add the IP addresses of
the NGFW virtual gateway and Controller to the pre-authentication domain.

6. Configure permission profiles.
a. Create a permission profile. Choose Policy > Permission Control > Authentication
and Authorization > Authorization Result and click the add icon to create a permission
profile. Then click OK.
The permission profile is referenced during authorization rule configuration. To make the
security group easy to find during authorization rule configuration, give the permission
profile the same name as the security group.


7. Add authorization rules.
a. Choose Policy > Permission Control > Authorization Policy > Authorization
Rule and click the add icon to create the authorization rules for working and non-working hours.


b. Click OK.
8. Configure an access permission template.
a. Choose Policy > Service Mobility > Permission Control and click Permission
Template. Configure the permission on the web server for mobile users during the
working and non-working hours.


b. Click OK.
9. Configure access permission control rules.
a. Choose Policy > Service Mobility > Permission Control and click Add. Configure
a policy for controlling the access to the web server from mobile users during the
working and non-working hours.


b. Click OK.

Step 2 Configure the firewall.


1. Set an IP address for each interface, assign interfaces to security zones, and complete basic
parameter settings.
a. Choose Network > Interface.

b. Click the edit icon next to GE1/0/1 and set the following parameters:
   Security zone: untrust
   IPv4 address: 1.1.1.1/24
c. Click OK.
d. Repeat the preceding steps to configure GE1/0/2 and GE1/0/3:
   GE1/0/2: security zone trust, IPv4 address 10.2.0.1/24
   GE1/0/3: security zone trust, IPv4 address 10.3.0.1/24

2. Configure the RADIUS server.


a. Choose Object > Authentication Server > RADIUS. Click Add and set parameters
as follows:
The parameters must be consistent with those on the RADIUS server.

b. Click OK.
3. Configure an authentication domain.
a. Choose Object > User > Authentication Domain. Click Add to create an
authentication domain.

b. Click OK.
4. Enable the agile network function on the firewall.
a. Choose System > Agile Network Configuration.


b. Select Enable next to Agile Network Function.


c. Configure parameters for the NGFW to interwork with the Controller.
If the status of Controller Active Server IP Address is displayed as Connected, the
firewall successfully interworks with the Controller.

5. Configure an SSL VPN gateway, including the gateway address, user authentication, and
maximum number of concurrent users.
a. Choose Network > SSL VPN > SSL VPN.
b. Click Add and set SSL VPN gateway parameters as follows:

c. Click Next.
6. Configure the SSL version, SSL encryption suite, and timeout duration and life cycle of
SSL sessions on the device. The configuration is optional. You can use the default values.


7. Select the services to be enabled.


a. Select Network Extension.
b. Click Next.
8. Configure the network extension function.
a. Set a range of IP addresses available to the network extension function.

b. In Accessible Private Network Segment List, click Add.


c. Set the accessible IP address range on the intranet as follows:


d. Click Next.
9. Configure the SSL VPN role authorization.
a. In Group Permission List, click Add.
b. Configure role authorization based on the following parameters.
User J00001 must already exist on the firewall.

c. Under User/User Group List, click Add.


d. Add the user J00001 to the user list.

e. Click Finish.

Step 3 Log in to the Controller again and configure it to deliver the security groups and policies to the
firewall.
1. Choose Policy > Permission Control > Security Group > Security Group
Management and click Global Deployment. In the dialog box that is displayed, click
OK.
2. Choose Policy > Service Mobility > Permission Control and click Global
Deployment. In the dialog box that is displayed, click OK.

----End

Verification
Jack accesses web server resources on the intranet through SSL VPN as follows:


1. Jack enters https://1.1.1.1 (the URL of the virtual gateway) in the address box of the browser
and presses Enter.
2. On the login page that is displayed, Jack enters account J00001 and password Hello123.
3. The network extension function is displayed on the SSL VPN gateway page, as shown in
Figure 5-116.
After Jack clicks Start, Jack's laptop obtains a campus network address from the virtual
gateway. Then Jack accesses intranet resources as Jack does on a LAN.

Figure 5-116 Network extension

4. The firewall (virtual gateway) obtains users' access permission policies from the Controller.
Therefore, Jack can access web server resources during working time but cannot during
non-working time.

5.21.5.3 Configuring the Firewall to Prioritize VIP Users' Services and Implement
Bandwidth Management in a Service Mobility Scenario
This section describes how to configure the firewall to prioritize VIP users' services and
implement bandwidth management in a service mobility scenario.

Networking Requirements
As shown in Figure 5-117, an NGFW is deployed at the border of an intranet as a security
gateway. The NGFW controls users' bandwidth and prioritizes VIP users' services when
bandwidth is insufficient. A Controller is deployed to configure user information (such as
bandwidth and priority) and deliver it to the firewall, which then enforces the user bandwidth
limits and priorities.

Figure 5-117 User bandwidth and priority control in the service mobility scenario
(Topology summarized from the figure: the NGFW connects to the VIP user and the common user through GE1/0/1 (1.1.1.1/24), to the web server through GE1/0/2 (10.2.0.1/24), and to the Controller (10.3.0.10/24) through GE1/0/3 (10.3.0.1/24).)


Data Planning
Item Data

NGFW
  Interface GE1/0/1: IP address 1.1.1.1, security zone Untrust
  Interface GE1/0/2: IP address 10.2.0.1, security zone Trust
  Interface GE1/0/3: IP address 10.3.0.1, security zone Trust
  Password for the interworking between the firewall and Controller: Admin@123
  Shared key: Radius@123

Controller
  IP address: 10.3.0.10/24
  In this example, the Controller also provides the RADIUS server function, so the IP address of the RADIUS server is also 10.3.0.10/24.
  RADIUS authentication key: Radius@123
  Password (XMPP password): Admin@123
  NOTE
  All passwords in this example are for reference only and are not default passwords. Contact the administrator of the Controller to obtain the required passwords.

Common user
  Uplink bandwidth: 3 Mbit/s
  Downlink bandwidth: 6 Mbit/s

VIP user
  Uplink bandwidth: 5 Mbit/s
  Downlink bandwidth: 10 Mbit/s
  Priority: high

Configuration Roadmap
1. Configure the Controller.
Configure the following on the Controller (the original figure is summarized here). The
Controller then delivers the security groups and their QoS and bandwidth policies to the
firewall. After receiving traffic from a user, the firewall looks up the matching security group
and the policies bound to it based on the user's account.
① Configure users:
   Jack (common user): account J00001, password Admin@123, department Marketing
   Mark (VIP user): account M00002, password Hello@123, department Marketing
② Configure security groups: Normal security group and VIP security group.
③ Configure authorization rules:
   Rule name: Normal service; Matching condition: account J00001; Authentication result: Normal security group
   Rule name: VIP service; Matching condition: account M00002; Authentication result: VIP security group
④ Configure a QoS policy and a traffic policy:
   Normal security group: QoS priority not set; bandwidth upstream 3 Mbit/s, downstream 6 Mbit/s
   VIP security group: QoS priority High; bandwidth upstream 5 Mbit/s, downstream 10 Mbit/s
Traffic of the normal user matches the Normal service rule; traffic of the VIP user matches the VIP service rule.

NOTE

Users in the example are VPN users. When a VPN user dials to the firewall, the firewall authenticates
the user's identity and finds the security group and policies defined for the user. If traffic sent by a
user on the campus to access the Internet passes through the firewall, the intranet switch will
authenticate the identity of the user. The firewall cannot directly identify traffic senders. Therefore,
the firewall queries user information from the Controller based on the source IP address of traffic.
Then the firewall executes QoS and bandwidth policies on the traffic based on the security group
defined for the user.
2. Configure the firewall.
a. Enable the agile network function on the firewall.
b. Configure the SSL VPN.
NOTE

If the auto selective preference function is enabled on the SSL VPN client, the ping service must be
enabled on the firewall interface that the client reaches. Configure it as follows:
1. Choose Network > Interface.
2. Click the edit icon in the row of the interface to be configured.
3. In the Ethernet interface parameters, under Management Access, select Ping.
4. Click OK.
3. After interworking with the firewall, the Controller delivers all configured security groups,
QoS policies, and bandwidth policies to the firewall.
NOTE
The Controller updates with versions. Therefore, in this example, the Controller configuration is for
reference only. For details, refer to the configuration manual of the Controller.
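The two mechanisms this section combines, a per-user bandwidth cap bound to the security group and a priority that decides who is served first when the link is congested, are easy to confuse, so the following Python model separates them explicitly. It is an added example, not Controller or NGFW code; the groups, accounts and bandwidth figures come from the Data Planning table and roadmap, while the scheduling details (strict priority between groups, proportional sharing between users of the same priority) are assumptions of this model and not documented scheduler behaviour of the firewall.

```python
# Constructed from the Data Planning table: bandwidth (Mbit/s) and priority per security group.
BANDWIDTH_POLICIES = {
    "Normal security group": {"uplink": 3, "downlink": 6, "priority": "normal"},
    "VIP security group": {"uplink": 5, "downlink": 10, "priority": "high"},
}
PRIORITY_RANK = {"high": 0, "normal": 1}      # lower rank is served first

# Authorization rules from the roadmap: account -> security group.
ACCOUNT_GROUPS = {"J00001": "Normal security group", "M00002": "VIP security group"}


def policy_for(account):
    """Look up the bandwidth policy bound to the user's security group."""
    group = ACCOUNT_GROUPS.get(account)
    if group is None:
        raise ValueError(f"no security group for account {account}")
    return BANDWIDTH_POLICIES[group]


def allocate(demands, link_capacity, direction):
    """Share link_capacity (Mbit/s) among users.

    demands: {account: Mbit/s the user is trying to send or receive}
    direction: "uplink" or "downlink"
    Returns {account: Mbit/s granted}.
    """
    # Step 1: the per-user bandwidth policy caps each user regardless of load.
    wants = {acct: min(demand, policy_for(acct)[direction])
             for acct, demand in demands.items()}
    # Step 2: under contention, higher-priority groups are served first; users of equal
    # priority share what is left in proportion to their capped demand (model assumption).
    granted, remaining = {}, link_capacity
    for rank in sorted(set(PRIORITY_RANK.values())):
        members = [a for a in wants if PRIORITY_RANK[policy_for(a)["priority"]] == rank]
        total = sum(wants[a] for a in members)
        if total <= remaining:
            for a in members:
                granted[a] = wants[a]
            remaining -= total
        else:
            for a in members:
                granted[a] = remaining * wants[a] / total
            remaining = 0
    return granted


if __name__ == "__main__":
    demand = {"J00001": 8, "M00002": 20}      # constructed offered load, Mbit/s
    print("idle link:", allocate(demand, 100, "downlink"))
    print("12 Mbit/s link:", allocate(demand, 12, "downlink"))
```

On an idle link both users are simply capped by their policies (Jack 6 Mbit/s, Mark 10 Mbit/s). On a 12 Mbit/s link Mark still receives his full 10 Mbit/s because his group has high priority, and Jack is left with the remaining 2 Mbit/s; without the priority, the cap alone would not protect the VIP user's service at peak hours.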

Procedure
Step 1 Configure the Controller.
1. Add the firewalls to be managed by the Controller.
a. Choose Resource > Device > Device Manager, click Add, and configure information
on the firewalls to be managed by the Controller.


b. Click the XMPP tab and set XMPP connection parameters.

c. Click OK.
2. Add the accounts and passwords of mobile users to the Controller.


a. Choose Resource > User > User Management. On the Department tab, click the add icon, set Department to Marketing Department, and click OK.
b. On the User tab of the Marketing Department, click the add icon, set a mobile user name, and click OK.


c. In the rows of Jack and Mark, click the account management icon. On the Account Management page, click the add icon. On the Add Account page, set login accounts and passwords for Jack and Mark.
   The user name only identifies a user; the account and password configured here are used for identity authentication when Jack or Mark dials in to the firewall through VPN.


d. Click OK to return to the User Management page.


3. Configure security groups for Jack and Mark.

Choose Policy > Permission Control > Security Group > Security Group
Management and click Add to add common and VIP security groups. Click OK.

4. Configure a pre-authentication domain, so that mobile employees can access the NGFW
and Controller before being authenticated.

Choose Policy > Security Group > Intranet Configuration and add the IP addresses of
the NGFW virtual gateway and Controller to the pre-authentication domain.

5. Configure permission profiles.


a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result and click to create a permission profile. Then click
OK.
The permission profile will be referenced during authorization rule configuration. To
easily search for a security group during authorization rule configuration, the
permission profile name must be the same as the security group name.


6. Add authorization rules.


a. Choose Policy > Permission Control > Authorization Policy > Authorization
Rule and click the add icon to create the Normal service and VIP service authorization rules.


b. Click OK.

Step 2 Configure the firewall.


1. Set an IP address for each interface, assign interfaces to security zones, and complete basic
parameter settings.
a. Choose Network > Interface.
b. Click the edit icon next to GE1/0/1 and set the following parameters:
   Security zone: untrust
   IPv4 address: 1.1.1.1/24
c. Click OK.
d. Repeat the preceding steps to configure GE1/0/2 and GE1/0/3:
   GE1/0/2: security zone trust, IPv4 address 10.2.0.1/24
   GE1/0/3: security zone trust, IPv4 address 10.3.0.1/24

2. Complete VPN configuration based on actual networking. For details, see 5.21.5.1
Configuring the Firewall to Provide L2TP Over IPSec Access Services and Implement
Identity Authentication and Permission Control for L2TP Users in a Service Mobility
Scenario and 5.21.5.2 Configuring the Firewall to Provide SSL VPN Access Services
and Implement Identity Authentication and Permission Control for SSL VPN Users
in a Service Mobility Scenario.
3. Configure the RADIUS server.
a. Choose Object > Authentication Server > RADIUS. Click Add and set parameters
as follows:
The parameters must be consistent with those on the RADIUS server. The shared key is
Radius@123, as listed in Data Planning (Admin@123 is the XMPP password used for interworking with the Controller).

b. Click OK.
4. Enable the agile network function on the firewall.
a. Choose System > Agile Network Configuration.
b. Select Enable next to Agile Network Function.


c. Configure parameters for the NGFW to interwork with the Controller.


If the status of Controller Active Server IP Address is displayed as Connected, the
firewall successfully interworks with the Controller.

Step 3 Log in to the Controller again, configure QoS and bandwidth policies, and configure the
Controller to send security groups and policies to the firewall.
After enabling the agile network function on the firewall, check whether the firewall can
interwork with the Controller. If yes, configure QoS and bandwidth policies on the Controller
and configure the Controller to deliver security groups and policies to the firewall.
1. Choose Policy > Service Mobility > User Qos Policy.
2. Configure QoS for the VIP security group.

3. After the configuration is complete, click Deploy.

4. Choose Policy > Quick Authorization and click to configure uplink and downlink
bandwidth for common and VIP security groups.
Set User Information as required.


5. Click Confirm.

----End


Verification
Mark's services (VIP user) are prioritized at peak hours.

5.21.5.4 Enabling the Firewall to Provide Content Security Check Services in the
Service Chain Scenario
This section describes how to enable the firewall to provide content security check services in
the service chain scenario.

Networking Requirements
Figure 5-118 shows the service chain scenario. The firewall is deployed off-path (in off-line mode)
next to the core switch and checks the security of specified traffic passing through the core
switch. The enterprise requires the firewall to check the security of all traffic from employees
to the web server.

Figure 5-118 Service chain scenario
(Topology summarized from the figure: the core switch connects the intranet users (10.1.2.1/24), the web server (10.2.0.10/24), and the Controller (10.3.0.10/24). The NGFW is attached off-path to the core switch through GE1/0/1 (10.2.1.1/24), and two GRE tunnels run between the core switch and the NGFW.)

Data Planning
Item Data

NGFW
  Interface GE1/0/1: IP address 10.2.1.1, security zone trust
  Password for connecting the firewall to the Controller: Admin@123
  Shared key: Radius@123

Controller
  IP address: 10.3.0.10/24
  RADIUS authentication password: Radius@123
  Password (XMPP password): Admin@123
  NOTE
  All passwords used in this example are for demonstration only and are not the default passwords. For actual passwords, contact the administrator of the Controller.

Web server
  IP address: 10.2.0.10/24
  Agile security group of the web server: Web server

Core switch
  vlanif 100: 10.2.1.2 (VLAN 100, GigabitEthernet 1/0/1)
  vlanif 200: 10.3.0.1 (VLAN 200, GigabitEthernet 1/0/2)
  vlanif 300: 10.2.0.1 (VLAN 300, GigabitEthernet 1/0/4)

Employee
  User name: Robert
  Account: R00001
  Password: Admin@1234
  Agile security group of the employee: Robert

Configuration Roadmap
1. Configure the firewall.

a. Enable the agile network function on the firewall.


b. In the service chain scenario, the firewall needs to establish two GRE tunnels with
the core switch. Therefore, you need to configure two loopback interfaces as the
source interfaces of the GRE tunnels. The remaining GRE tunnel configuration is delivered
by the Controller to the firewall.
c. Configure the content security check function on the firewall.

NOTE
If the firewall uses an Eth-Trunk interface to connect to the switch in the Service Chain scenario,
you need to configure per-packet load balancing on the Eth-Trunk interface. For configuration details,
see 8.6.6 Configuring the Load Balancing Mode.


2. Configure the core switch.


In the Service Chain scenario, the core switch needs to establish two GRE tunnels with the
firewall. Therefore, you need to configure two loopback interfaces as the source interfaces
of the GRE tunnels. Other GRE tunnel configurations are delivered by the Controller to
the core switch.
3. Configure the Controller.
NOTE
The Controller changes between versions. Therefore, the Controller configuration in this example is for
reference only. For details, refer to the configuration manual of the Controller.

a. Add the core switch and firewall to the Controller server so that the Controller can
deliver the configured policy information to the core switch and firewall.
b. Define the data flow that the firewall needs to check.
c. Configure service chain resources.
d. Orchestrate and deploy the defined service chains.

Procedure
Step 1 Configure the NGFW.
1. Set interface IP addresses and assign the interfaces to security zones.
a. Choose Network > Interface.
b. Click of GE1/0/1 and set the parameters as follows:

Security zone: trust
IPv4 IP address: 10.2.1.1/24

2. Configure the RADIUS server.


a. Choose Object > Authentication Server > RADIUS. Click Add and set parameters
as follows:
The parameters must be consistent with those on the RADIUS server. The shared key
is Admin@123.

b. Click OK.
3. Enable the agile network function on the firewall.
a. Choose System > Agile Network Configuration.


b. Select Enable for Agile Network Function.


c. Set the parameters for connecting the NGFW to the Controller.
If the status of the Controller Active Server IP Address parameter is Connected,
the firewall has been connected to the Controller.
NOTE
In the service chain scenario, the content security check function must be configured on the firewall.
Therefore, you must select Manually configured for Security Policy Configuration.

4. Configure two loopback interfaces on the firewall.


NOTE
You need to log in to the CLI console for this task.

a. Click on the lower right of the page.


b. Click the CLI Console (not connected) dialog box to connect to the device CLI
console.
c. After the connection succeeds, run the following commands:
<sysname> system-view
[sysname] sysname NGFW
[NGFW] interface LoopBack 1
[NGFW-LoopBack1] ip address 10.1.1.1 24
[NGFW-LoopBack1] quit
[NGFW] interface LoopBack 2
[NGFW-LoopBack2] ip address 10.1.2.1 24
[NGFW-LoopBack2] quit
[NGFW] ip route-static 10.1.1.2 255.255.255.255 10.2.1.2
[NGFW] ip route-static 10.1.2.2 255.255.255.255 10.2.1.2
The two host routes point the loopback addresses of the core switch (the GRE tunnel
destinations) at vlanif 100 (10.2.1.2) of the core switch.

Step 2 Configure the core switch.


<switch> system-view
[switch] interface LoopBack 1
[switch-LoopBack1] ip address 10.1.1.2 255.255.255.255
[switch-LoopBack1] quit
[switch] interface LoopBack 2
[switch-LoopBack2] ip address 10.1.2.2 255.255.255.255
[switch-LoopBack2] quit
[switch] ip route-static 10.1.1.1 255.255.255.255 10.2.1.1
[switch] ip route-static 10.1.2.1 255.255.255.255 10.2.1.1
[switch] group-policy controller 10.3.0.10 password Admin@123
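As an added consistency check that is not part of this guide, the following Python script parses the loopback and static-route commands from the two CLI snippets above and verifies that every GRE tunnel source loopback is reachable from the peer through a host route via the directly connected interface (10.2.1.1 on the NGFW, 10.2.1.2 on vlanif 100 of the core switch, from the data plan). The embedded configurations are constructed copies of the snippets with the prompts stripped.

```python
import ipaddress
import re

# Constructed copies of the CLI snippets above (prompts removed) so the script runs offline.
NGFW_CONFIG = """
interface LoopBack 1
 ip address 10.1.1.1 24
 quit
interface LoopBack 2
 ip address 10.1.2.1 24
 quit
ip route-static 10.1.1.2 255.255.255.255 10.2.1.2
ip route-static 10.1.2.2 255.255.255.255 10.2.1.2
"""

SWITCH_CONFIG = """
interface LoopBack 1
 ip address 10.1.1.2 255.255.255.255
 quit
interface LoopBack 2
 ip address 10.1.2.2 255.255.255.255
 quit
ip route-static 10.1.1.1 255.255.255.255 10.2.1.1
ip route-static 10.1.2.1 255.255.255.255 10.2.1.1
"""


def _mask_to_prefix(mask: str) -> int:
    """Accept both VRP mask forms: a prefix length ('24') or a dotted mask ('255.255.255.255')."""
    if mask.isdigit():
        return int(mask)
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def parse_vrp(config: str) -> dict:
    """Extract loopback addresses and static routes from a VRP-style configuration.
    Returns {'loopbacks': {'LoopBack1': IPv4Interface, ...}, 'routes': [(IPv4Network, next_hop), ...]}."""
    loopbacks, routes, current = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(LoopBack)\s*(\d+)$", line, re.I)
        if m:
            current = f"{m.group(1)}{m.group(2)}"
            continue
        if line == "quit":
            current = None
            continue
        m = re.match(r"ip address\s+(\S+)\s+(\S+)$", line)
        if m and current:
            loopbacks[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{_mask_to_prefix(m.group(2))}")
            continue
        m = re.match(r"ip route-static\s+(\S+)\s+(\S+)\s+(\S+)$", line)
        if m:
            net = ipaddress.IPv4Network(f"{m.group(1)}/{_mask_to_prefix(m.group(2))}", strict=False)
            routes.append((net, ipaddress.IPv4Address(m.group(3))))
    return {"loopbacks": loopbacks, "routes": routes}


def check_tunnel_sources(local: dict, peer: dict, peer_link_ip: str) -> list:
    """For every loopback on `peer`, require a /32 route on `local` whose next hop is the
    peer's directly connected interface. Returns a list of problems (empty means OK)."""
    problems = []
    expected_nh = ipaddress.IPv4Address(peer_link_ip)
    for name, iface in peer["loopbacks"].items():
        host = ipaddress.IPv4Network(f"{iface.ip}/32")
        next_hops = [nh for net, nh in local["routes"] if net == host]
        if not next_hops:
            problems.append(f"no /32 route to {name} ({iface.ip}) on the local device")
        elif expected_nh not in next_hops:
            problems.append(f"route to {iface.ip} uses next hop {next_hops[0]}, expected {expected_nh}")
    return problems


def check_both_directions() -> list:
    """Check NGFW -> switch loopbacks and switch -> NGFW loopbacks using the data-plan link addresses."""
    ngfw, switch = parse_vrp(NGFW_CONFIG), parse_vrp(SWITCH_CONFIG)
    return (check_tunnel_sources(ngfw, switch, "10.2.1.2") +
            check_tunnel_sources(switch, ngfw, "10.2.1.1"))


if __name__ == "__main__":
    print(check_both_directions() or "tunnel source loopbacks are reachable in both directions")
```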

Step 3 Configure the Controller.


1. Add the firewall and switch.


a. Choose Resource > Device > Device Manager, click Add, and set the parameters of
the firewall to be managed.

b. Click the XMPP tab and set the XMPP connection parameters.

c. Click OK.
d. Click Add and set the parameters of the core switch to be managed.


e. Click OK.
2. Define the data flow that the firewall needs to check.
a. In the main menu, choose Policy > Service Chain Orchestration > Service Flow
Defining, click Add, and set the parameters as shown in the following figure.


b. Click OK.
3. Configure the IP address pool.
a. In the main menu, choose Policy > Service Chain Orchestration > IP Address
Pool, click Add, and set the parameters as shown in the following figure.
The IP addresses in this address pool are used for the tunnel interfaces of the GRE
tunnels between the core switch and firewall.

b. Click OK.
4. Configure service chain resources.
a. In the main menu, choose Policy > Service Chain Orchestration > Service Chain
Resource, click Add.
• In the Orchestration Device group box, add the devices to the correct positions
in the topology on the right.
• In the Service Device group box, add the devices to the correct positions in the
topology on the right.
b. Click Save.
5. Arrange and deploy service chains.
a. In the main menu, choose Policy > Service Chain Orchestration > Service Chain
Orchestration and click Add.
• In the Service Flow group box, add service flow user_to_web_server to the
corresponding service flow in the topology on the right.


• In the topology on the right, put the service devices, such as the firewall, in the specified
position between the source and destination based on the traffic detection sequence.
b. Click Save.
6. Configure users on the enterprise network.

a. Choose Resource > User > User Management, click on the Department
tab, and add employee Robert to the R&D department. Then click OK.

b. Click on the User tab of the R&D department and set the name of the
employee on the move. Then click OK.

c. In the row of Robert, click . On the Account Management page that is displayed,
click . Then on the Add Account page, set the login account and password
information of Robert.
User names are configured for administrators to identify users. Only the account and
password specified on this page are for user authentication. The login password is
Admin@1234.


d. Click OK to return to the user management page.


7. Configure the security group of the employee and Web server.

a. Choose Policy > Permission Control > Security Group > Security Group
Management, click , and add a common and a VIP security group. Then click
OK.

b. In the row of the security group of the web server, click and bind an IP address
to the Web server. Then click OK.


8. Configure the authentication result.


a. Choose Policy > Permission Control > Authentication and Authorization >
Authorization Result and click . Then click OK.
The configured authentication result is referenced when you configure
authentication rules. To find the correct security group quickly when you configure
authentication rules, give the authentication result the same name as the
security group.


9. Add an authorization rule.


a. Choose Policy > Permission Control > Authorization Policy > Authorization
Rule and click .


b. Click OK.

Step 4 Configure the content security check function on the firewall.

1. Choose Policy > Security Policy, click Add, and set the parameters as shown in the
following figure.
NOTE
In this example, the default content security configuration is used. For detailed
configurations, see 2.10.5 Configuring a Security Policy.


2. Click OK.

----End

Verification
Check whether the Controller has delivered the security group and policy configuration to the
firewalls and core switches and whether the firewalls have implemented content security checks
on the traffic from employees to the Web server.

5.21.6 Reference
This section provides references of the agile network function.

5.21.6.1 Specifications
This section describes agile network specifications.

Table 5-55 lists the specifications of the agile security groups, security policies, and maximum
number of displayed users that the firewall can synchronize from the Controller in the service
mobility scenario.


Table 5-55 Agile network specifications

Item                                 Specifications
-----------------------------------  ------------------------------------------------
Agile security group                 • USG6310/6320: 512
                                     • USG6306/6308/6330/6350/6360/6507/6530: 512
                                     • USG6370/6380/6390/6550/6570: 512
                                     • USG6620/6630: 512
                                     • USG6650/6660/6670/6680: 512
                                     • NGFW Module: 512
Security policy                      • USG6310/6320: 3000
                                     • USG6306/6308/6330/6350/6360/6507/6530: 4096
                                     • USG6370/6380/6390/6550/6570: 4096
                                     • USG6620/6630: 4096
                                     • USG6650/6660/6670/6680: 4096
                                     • NGFW Module: 4096
Maximum number of displayed users    • USG6310/6320: 100000
                                     • USG6306/6308/6330/6350/6360/6507/6530: 100000
                                     • USG6370/6380/6390/6550/6570: 100000
                                     • USG6620/6630: 100000
                                     • USG6650/6660/6670/6680: 4096
                                     • NGFW Module: 100000

5.21.6.2 Feature History


This section describes the versions and changes of the agile network function.

Version Change Description

V100R001C20 The first version.

5.21.6.3 Standards and Protocols


This section provides the standards and protocols related to the agile network function for
reference.

Standards and protocols of the agile network function are as follows:


• RFC3920: Extensible Messaging and Presence Protocol (XMPP)


6 High Availability

6.1 Hot Standby


The hot standby function enables the standby device to take over services from the faulty active
device to ensure service continuity.

6.1.1 Overview
This section describes the background and basic functions of hot standby.
With the popularity of network applications and the exponential bandwidth growth, a short
network interruption may severely compromise services and lead to great losses. Therefore, high
availability becomes a crucial factor in network construction.
As shown in Figure 6-1, device 1 forwards the service traffic of all intranet users to the Internet.
If device 1 goes faulty, all data exchanges between the intranet and Internet are interrupted.

Figure 6-1 Networking diagram of a single-link network
(Figure: a single chain of Switch, Device 1, Switch, and intranet users.)


To prevent single-point failures, you can deploy two devices for hot standby. When one device
goes faulty, service traffic can be smoothly switched to the standby device.

As shown in Figure 6-2, service traffic is forwarded by device 1. When device 1 goes faulty,
service traffic switches to device 2, which ensures uninterrupted services and improves network
reliability.

Figure 6-2 Networking diagram of hot standby
(Figure: Switch, Device 1 and Device 2 in parallel, Switch, intranet user. Traffic passes through
Device 1 when the network is operating properly and through Device 2 when a fault occurs.)

6.1.2 Application Scenario


This section describes the application scenarios of hot standby.

6.1.2.1 Active/Standby Mode


In active/standby mode, one device forwards traffic and the other is in standby mode to ensure
service continuity.

Definition
In active/standby mode, the active device processes services, and the standby device stays in
idle state. If an error occurs on the interface or link of the active device or the active device is
faulty, the standby device becomes active and takes over services.


Active/standby backup prevents single points of failure, enhancing network availability.


Therefore, active/standby is usually deployed at the access point of key services, such as the
access point to the Internet or to a bank's database server.
As shown in Figure 6-3, two NGFWs are deployed at the network ingress. NGFW1 is the active
device and processes service traffic. NGFW2 is the standby device and does not process service
traffic. Configurations and status information are synchronized from NGFW1 to NGFW2
through the heartbeat cable. If NGFW1, its interface, or its link is faulty, NGFW2 becomes the
active device and takes over service traffic from NGFW1 to ensure service continuity.

Figure 6-3 Application scenario of active/standby backup
(Figure: Router above NGFW1 (Active) and NGFW2 (Standby), which are connected by a heartbeat link;
Switch and intranet user below. Left, traffic before switchover: traffic passes through NGFW1.
Right, traffic after switchover: after a fault on NGFW1, traffic passes through NGFW2.)

Typical Networking
Based on the type of service interfaces on the NGFWs and the type of the upstream and
downstream devices, you can deploy active/standby mode in the following scenarios:
• Service interfaces work at Layer 3 and connect to switches.
As shown in Figure 6-4, the service interfaces of the NGFW work at Layer 3 and directly
connect to switches. Static routes are configured for each NGFW to communicate with the
routers or PCs that are connected to the downstream and upstream switches.
This networking scheme is commonly used and recommended for deploying the NGFW.
This scheme applies to small and medium-sized networks and networks on which the
NGFW functions as a gateway.


NOTE

Compared with Figure 6-3, two switches are deployed at both the upstream and downstream links in
Figure 6-4, which enhances network availability.

Figure 6-4 Networking diagram of active/standby backup when service interfaces work at
Layer 3 and connect to switches
(Figure: Internet above Switch3 and Switch4; NGFW1 and NGFW2 below them, connected by a heartbeat
link, with Layer-3 interfaces in VRRP groups on both the upstream and downstream sides; Switch1 and
Switch2 toward the intranet. Traffic before and after switchover is shown.)

Based on Figure 6-4, you can connect the upstream and downstream interfaces on
NGFW1 respectively to Switch4 and Switch2 and the upstream and downstream interfaces
on NGFW2 respectively to Switch3 and Switch1.
In this way, a full redundancy hot standby network is deployed, as shown in Figure 6-5.
Full redundancy hot standby improves network availability and service continuity in case
multiple links fail. For example, when GE1/0/1 and GE1/0/2 on NGFW1 and GE1/0/1 on
NGFW2 are faulty, service traffic can be forwarded through GE1/0/2 on NGFW2.


Figure 6-5 Networking diagram of full redundancy hot standby
(Figure: Switch3 and Switch4 upstream, Switch1 and Switch2 downstream; NGFW1 and NGFW2 each use
GE1/0/1 and GE1/0/2 and are cross-connected to both switches on each side; heartbeat link between
the NGFWs.)

• Service interfaces work at Layer 3 and connect to routers.


As shown in Figure 6-6, the service interfaces of the NGFWs work at Layer 3 and directly
connect to routers. OSPF runs between the NGFWs and their upstream and downstream
routers.
This networking scheme is commonly used and recommended for deploying the NGFW.
The networking scheme applies to large and medium-sized networks.
You can combine this networking scheme with the networking scheme in which service
interfaces work at Layer 3 and connect to switches. In the new networking scheme, routers
serve as upstream devices, and switches serve as downstream devices.

Figure 6-6 Networking diagram of active/standby backup when service interfaces work at
Layer 3 and connect to routers
(Figure: Router3 and Router4 upstream, Router1 and Router2 downstream; NGFW1 and NGFW2 connect to
them through Layer-3 interfaces and run OSPF on both sides; heartbeat link between the NGFWs.
Traffic before and after switchover is shown.)


• Service interfaces work at Layer 2 and connect to switches.


As shown in Figure 6-7, the service interfaces of the NGFW work at Layer 2 and directly
connect to switches. The service interfaces of each NGFW are added to the same VLAN.
The NGFWs are transparently deployed in the existing network and do not change the
network topology.
The service interfaces of the NGFWs work at Layer 2. Therefore, IP address-related
services, such as VPN, cannot run on the NGFWs.

Figure 6-7 Networking diagram of active/standby backup when service interfaces work at
Layer 2 and connect to switches
(Figure: Switch3 and Switch4 upstream, Switch1 and Switch2 downstream; NGFW1 and NGFW2 connect to
them through Layer-2 interfaces; heartbeat link between the NGFWs. Traffic before and after
switchover is shown.)

6.1.2.2 Load Balancing


If service traffic is heavy and two firewalls are required to process the traffic and back up for
each other, you are advised to deploy two NGFWs for load balancing.

Definition
Load balancing means that two devices serve as backup for each other and both devices process
services. When one device is faulty, the other device takes over all the services. When you plan
the network topology, ensure that the total traffic load of two devices does not exceed the
processing capability of either device.

Both devices process services, which improves packet forwarding efficiency and eases the load
on a single device.

As shown in Figure 6-8, two NGFWs are deployed at the network border. Then service traffic
is forwarded to both NGFWs for processing. Each NGFW functions as an active device that
processes service traffic, as well as a standby device that synchronizes the configuration and
status of the other NGFW through the heartbeat cable.


If an interface or link on NGFW1, or NGFW1 itself, is faulty, NGFW2 takes over the forwarding
of all service traffic.

Figure 6-8 Application scenario of load balancing
(Figure: Router above NGFW1 and NGFW2, which are connected by a heartbeat link; Switch and intranet
user below. Left, normal traffic: part of the traffic is forwarded by NGFW1 and part by NGFW2.
Right, traffic upon faults: after a fault on NGFW1, all traffic is forwarded by NGFW2.)

Typical Networking
Based on the type of service interfaces on the NGFWs and the type of the upstream and
downstream devices, you can deploy load balancing in one of the following networking
diagrams:

• Service interfaces work at Layer 3 and connect to switches.


As shown in Figure 6-9, the service interfaces of the NGFW work at Layer 3 and directly
connect to switches. Static routes are configured for each NGFW to communicate with the
routers or PCs that are connected to the downstream and upstream switches.
The two NGFWs process services on the network. This networking scheme applies to small
and medium-sized networks or networks on which the NGFW functions as a gateway.


Figure 6-9 Networking diagram of load balancing when service interfaces work at Layer
3 and connect to switches
(Figure: Internet above Switch3 and Switch4; NGFW1 and NGFW2 below them, connected by a heartbeat
link, with Layer-3 interfaces in VRRP groups on both the upstream and downstream sides; Switch1 and
Switch2 toward the intranet. Traffic forwarded by NGFW1 and traffic forwarded by NGFW2 are shown.)

• Service interfaces work at Layer 3 and connect to routers.


As shown in Figure 6-10, the service interfaces of the NGFWs work at Layer 3 and directly
connect to routers. OSPF runs between the NGFWs and their upstream and downstream
routers.
The two NGFWs process services on the network. This networking scheme applies to large
and medium-sized networks.


Figure 6-10 Networking diagram of load balancing when service interfaces work at Layer
3 and connect to routers
(Figure: Router3 and Router4 upstream, Router1 and Router2 downstream; NGFW1 and NGFW2 connect to
them through Layer-3 interfaces and run OSPF on both sides; heartbeat link between the NGFWs.
Traffic forwarded by NGFW1 and traffic forwarded by NGFW2 are shown.)

• Service interfaces work at Layer 2 and connect to routers.


As shown in Figure 6-11, the service interfaces of the NGFWs work at Layer 2 and directly
connect to routers. OSPF runs between the upstream and downstream routers. The service
interfaces of each NGFW are added to the same VLAN.
Both NGFWs process services, and the NGFWs transparently connect to the existing
network and do not change the network topology.
The service interfaces of the NGFWs work at Layer 2. Therefore, IP address-related
services, such as VPN, cannot run on the NGFWs.

Figure 6-11 Networking diagram of load balancing when service interfaces work at Layer
2 and connect to routers
(Figure: Router3 and Router4 upstream, Router1 and Router2 downstream, running OSPF with each other;
NGFW1 and NGFW2 connect to them through Layer-2 interfaces; heartbeat link between the NGFWs.
Traffic forwarded by NGFW1 and traffic forwarded by NGFW2 are shown.)


6.1.3 Mechanism
This section describes the protocols and concepts in hot standby.

As shown in Figure 6-12, the five key issues about hot standby are as follows:

• How to determine device status (active/standby)
• How to monitor interfaces or devices and to detect faults
• How to implement an active/standby switchover when a fault occurs
• How traffic is routed before and after device failure
• How to synchronize information between the active/standby devices

Figure 6-12 Key issues about hot standby
(Figure: NGFW_A (active) and NGFW_B (standby) connected by a heartbeat link and synchronizing
information. Fault detection on NGFW_A triggers a status switchover: NGFW_B becomes active and
NGFW_A becomes standby, and service traffic is then directed to NGFW_B.)

The five key issues are described as follows:

Active/Standby Status Determined by VGMP Groups


Virtual Router Redundancy Protocol (VRRP) Group Management Protocol (VGMP) groups
determine the active/standby status of devices.

As shown in Figure 6-13, each NGFW belongs to two VGMP groups: one active and one standby.
The default priority of the active VGMP group is 65001, and that of the standby VGMP group
is 65000.

The VGMP groups of two NGFWs use heartbeat interfaces to exchange VGMP Hello packets
to negotiate the active/standby status.


A VGMP group has the following states:

• Initialize: indicates that the VGMP group is not started.
• Active: indicates that the local device's VGMP group has a higher priority than the remote
device's VGMP group.
• Standby: indicates that the local device's VGMP group has a lower priority than the remote
device's VGMP group.

The status of a VGMP group determines the status of the NGFW.

• If the NGFWs work in active/standby mode, the NGFW in the active VGMP group is in
active state, and the NGFW in the standby VGMP group is in standby state.
• If the NGFWs work in load balancing mode, both NGFWs belong to the active VGMP
group.
In this case, the NGFW on which hot standby is enabled first is called a designated active
device, and the NGFW on which hot standby is enabled later is called a designated standby
device.

Figure 6-13 Active/standby status determined by VGMP groups
(Figure: Active/standby mode: NGFW_A (active) has its active group in active state and its standby
group in initialize state; NGFW_B (standby) has its standby group in standby state and its active
group in initialize state. Load balancing mode: both NGFWs are active; the active group of NGFW_A
is active and its standby group is standby, the standby group of NGFW_B is standby and its active
group is active. Heartbeat messages are exchanged over the heartbeat link.)

Fault Detection Implemented by VGMP Groups


VGMP groups can detect interface or device faults. Interface or device faults decrease the priority
values of VGMP groups, which changes the active/standby status of the VGMP groups and the
active/standby status of NGFWs.


Interface fault detection

Each time an interface monitored by a VGMP group fails, the priority of the VGMP group
decreases by 2. The priority of a VGMP group is calculated using this formula: Priority of a
VGMP group = Default priority of the VGMP group - 2 x N (N indicates the number of interface
faults).

Table 6-1 lists the methods to detect interface faults.

Table 6-1 Interface fault detection

Method: Use a VRRP group to monitor interfaces.
  Networking: The service interfaces of each NGFW work at Layer 3 and are directly connected to
  switches. The NGFWs use static routes to communicate with the routers or PCs directly connected
  to the switches.
  Operation: Configure VRRP groups. For details about VRRP groups, see Interface Monitoring Based
  on VRRP Groups.

Method: Directly monitor interfaces.
  Networking: The service interfaces of each NGFW work at Layer 3 and are directly connected to
  routers. The NGFWs and routers run OSPF.
  Operation: Configure VGMP groups to monitor interfaces.

Method: Monitor the VLAN to which the service interfaces of each NGFW belong.
  Networking: The service interfaces of each NGFW work at Layer 2.
  Operation: Add these service interfaces to VLANs and configure VGMP groups to monitor the VLANs.
  Each time an interface in a VLAN fails, the priority value of the corresponding VGMP group is
  reduced by 2.

Method: Monitor remote interfaces.
  Networking: VGMP groups monitor remote interfaces that are neither on the NGFWs nor on their
  directly connected devices.
  Operation: Specify IP addresses or domain names of the remote interfaces to be monitored by the
  VGMP groups.

Device fault detection

If the standby device does not receive a VGMP Hello packet from the active device within three
consecutive Hello intervals, the standby device considers the active device faulty. The standby
device switches its VGMP group to active and starts to work as the active device.

If the heartbeat link or a heartbeat interface goes faulty, the two devices cannot receive VGMP
Hello packets from each other and will both switch to active state. In this case, the devices cannot
synchronize configurations or sessions, and the fault must be troubleshot.
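The following Python model is an added example, not the product's implementation, of the device fault detection rule above. It replays a constructed VGMP Hello log for NGFW_A (active) and NGFW_B (standby); the Hello interval of 1 second is an assumption, since the guide does not state the default. It shows that a failed active device leads to a clean takeover, while a broken heartbeat link leaves both devices active with nothing being synchronized.

```python
HELLO_INTERVAL = 1.0   # seconds; assumed value, the guide does not state the default
DEAD_INTERVALS = 3     # the peer is faulty after three consecutive Hello intervals without a Hello


class Device:
    """An NGFW as seen by the VGMP Hello mechanism."""

    def __init__(self, name, role, hello_interval=HELLO_INTERVAL):
        self.name, self.role, self.hello_interval = name, role, hello_interval
        self.alive = True
        self.last_peer_hello = 0.0   # time the most recent VGMP Hello from the peer arrived

    def on_hello(self, t):
        self.last_peer_hello = t

    def peer_timed_out(self, now):
        return now - self.last_peer_hello >= DEAD_INTERVALS * self.hello_interval

    def evaluate(self, now):
        """A live standby device that misses three Hello intervals promotes itself to active."""
        if not self.alive:
            self.role = "down"
        elif self.role == "standby" and self.peer_timed_out(now):
            self.role = "active"
        return self.role


def simulate(events, until, hello_interval=HELLO_INTERVAL):
    """Replay (time, kind, arg) events: 'hello' (arg = sending NGFW), 'fail' (arg = failing NGFW)
    or 'link_down' (heartbeat link breaks, arg unused). A Hello reaches the peer only while the
    heartbeat link is up and the sender is alive. Roles are re-evaluated at each event and at `until`."""
    devs = {"NGFW_A": Device("NGFW_A", "active", hello_interval),
            "NGFW_B": Device("NGFW_B", "standby", hello_interval)}
    peer = {"NGFW_A": "NGFW_B", "NGFW_B": "NGFW_A"}
    link_up = True
    for t, kind, arg in sorted(events):
        if kind == "hello" and link_up and devs[arg].alive:
            devs[peer[arg]].on_hello(t)
        elif kind == "fail":
            devs[arg].alive = False
        elif kind == "link_down":
            link_up = False
        for d in devs.values():
            d.evaluate(t)
    roles = {name: d.evaluate(until) for name, d in devs.items()}
    # Dual-active: both devices are alive and both believe they are active, so nothing is synchronized.
    dual_active = all(d.alive and d.role == "active" for d in devs.values())
    return {"roles": roles, "dual_active": dual_active}


def hello_log(last_t, senders=("NGFW_A", "NGFW_B"), interval=HELLO_INTERVAL):
    """Constructed log: each device sends one Hello per interval from t=interval up to t=last_t."""
    n = int(last_t / interval)
    return [(i * interval, "hello", s) for i in range(1, n + 1) for s in senders]


def scenario_active_fails():
    """NGFW_A dies at t=3.5; its Hellos stop, NGFW_B takes over after three intervals."""
    return simulate(hello_log(6.0) + [(3.5, "fail", "NGFW_A")], until=7.0)


def scenario_heartbeat_link_fails():
    """Both devices are healthy but the heartbeat link breaks at t=3.5: NGFW_B also goes active."""
    return simulate(hello_log(6.0) + [(3.5, "link_down", "")], until=7.0)


def scenario_healthy():
    """Hellos keep arriving every interval, so NGFW_B stays standby."""
    return simulate(hello_log(6.0), until=6.5)


if __name__ == "__main__":
    for s in (scenario_healthy, scenario_active_fails, scenario_heartbeat_link_fails):
        print(s.__name__, s())
```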


Interface Monitoring Based on VRRP Groups


As shown in Figure 6-14, VRRP combines a group of interfaces in a broadcast domain into a
VRRP group. In a VRRP group, only one interface is in active state and the other interfaces are
in standby state. A VRRP group has a virtual IP address. Only the active interface in the VRRP
group can use the virtual IP address as the next-hop address to forward packets.

Figure 6-14 VRRP group
(Figure: VRRP group 1 with virtual IP address 1.1.1.1/24 contains GE1/0/1 of NGFW_A (state: active)
and GE1/0/1 of NGFW_B (state: standby); the router's next-hop address is 1.1.1.1/24. VRRP group 2
with virtual IP address 10.1.1.1/24 contains GE1/0/3 of NGFW_A (state: active) and GE1/0/3 of
NGFW_B (state: standby); the gateway address of the intranet PC is 10.1.1.1/24. Service traffic
passes through NGFW_A; a heartbeat link connects the two NGFWs.)

When you add an interface on the NGFW to a VRRP group, you must specify a VGMP group
for the interface. The status of a VGMP group determines the status of the interfaces in the
associated VRRP groups. If the status of the VGMP group is active, the status of the interfaces
in the associated VRRP group is active. If the status of the VGMP group is standby, the status
of the interfaces in the associated VRRP group is standby.

As shown in Figure 6-15, during the active/standby status switchover of a VGMP group, the
interfaces in all associated VRRP groups are forced to switch their status so that the upstream
and downstream interfaces of the NGFW simultaneously switch their status, which ensures that
both the incoming and outgoing traffic is forwarded by the standby device.


Figure 6-15 Network on which VGMP groups control the status of the interfaces in a VRRP
group
(Figure, four panels: (1) Initial state: VGMP group status active, upstream and downstream
interfaces active. (2) The upstream interface goes faulty: VGMP group status still active,
upstream interface initialize, downstream interface active. (3) The VGMP group status changes to
standby. (4) The status of the downstream interface is adjusted to standby.)

Device Status Switchover Controlled by VGMP Groups

As shown in Figure 6-16, the process in which VGMP groups control the device status
switchover is described as follows:

• In active/standby mode
Normally, the priority of the active VGMP group on NGFW_A is 65001, and NGFW_A
is the active device.
When a monitored interface of NGFW_A goes faulty, the priority of the active VGMP
group on NGFW_A decreases to 64999, which is smaller than that of the standby VGMP
group on NGFW_B. Therefore, the active VGMP group on NGFW_A becomes the standby
VGMP group, and NGFW_A becomes the standby device. The standby VGMP group on
NGFW_B becomes the active VGMP group, and NGFW_B becomes the active device.
If the preemption function is enabled and NGFW_A recovers, the priority of the standby
VGMP group on NGFW_A changes back to 65001, which is higher than that (65000) of
the active VGMP group on NGFW_B. Then NGFW_A preempts to be the active device.
If the preemption function is disabled and NGFW_A recovers, NGFW_A still acts as the
standby device and does not process services.
l In load balancing mode
Normally, the active VGMP group on NGFW_A and the standby VGMP group on
NGFW_B form an active/standby pair, and the standby VGMP group of NGFW_A and the
active VGMP group of NGFW_B form another active/standby pair. Therefore, both
NGFW_A and NGFW_B consider themselves active devices, forming dual-active
device networking. The devices forward traffic based on the routes on the upstream and
downstream devices.
When a monitored interface of NGFW_A goes faulty, the priorities of the active and standby
VGMP groups on NGFW_A decrease. The priority of the active VGMP group on
NGFW_A becomes smaller than that of the standby VGMP group on NGFW_B, and the priority
of the standby VGMP group on NGFW_A becomes smaller than that of the active VGMP group
on NGFW_B. Therefore, both VGMP groups on NGFW_A enter the standby state,
NGFW_A becomes the standby device, and NGFW_B starts to forward all traffic.
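The priority arithmetic above (65001 for an active group, 65000 for a standby group, 64999 after a monitored-interface fault, and the preemption rule) is easier to follow when it is traced step by step. The following model is an added example, not code from the guide or from the NGFW software: it replays the active/standby and load balancing sequences described in this section. The size of the priority decrement per fault (2) is an assumption chosen so that the numbers match the text.

```python
"""Model of how VGMP group priorities decide which NGFW is active.

Added example, not Huawei code. It reproduces the arithmetic the guide
describes: an active VGMP group starts at priority 65001, a standby group at
65000, a monitored-interface fault lowers the priority (65001 -> 64999), and
the switchover and preemption rules of the text decide the outcome. The fault
penalty of 2 is an assumption chosen to match the quoted numbers.
"""

ACTIVE_BASE = 65001   # priority of a VGMP group configured as active (guide)
STANDBY_BASE = 65000  # priority of a VGMP group configured as standby (guide)
FAULT_PENALTY = 2     # assumed: one monitored-interface fault, 65001 -> 64999


class VgmpGroup:
    def __init__(self, owner, kind):
        self.owner = owner          # device that holds the group
        self.kind = kind            # "active" or "standby" as configured
        self.base = ACTIVE_BASE if kind == "active" else STANDBY_BASE
        self.priority = self.base
        self.is_active = kind == "active"   # configured active group starts active


class GroupPair:
    """An active group on one device paired with the standby group on the other."""

    def __init__(self, active_group, standby_group):
        self.groups = (active_group, standby_group)

    def holder_and_other(self):
        holder = next(g for g in self.groups if g.is_active)
        other = next(g for g in self.groups if not g.is_active)
        return holder, other

    def switch(self):
        for g in self.groups:
            g.is_active = not g.is_active


class HotStandbyPair:
    def __init__(self, mode, preempt=True):
        self.mode = mode            # "active-standby" or "load-balancing"
        self.preempt = preempt
        self.faults = {"NGFW_A": 0, "NGFW_B": 0}
        self.pairs = [GroupPair(VgmpGroup("NGFW_A", "active"),
                                VgmpGroup("NGFW_B", "standby"))]
        if mode == "load-balancing":
            # second pair: active group on NGFW_B, standby group on NGFW_A
            self.pairs.append(GroupPair(VgmpGroup("NGFW_B", "active"),
                                        VgmpGroup("NGFW_A", "standby")))

    def _groups(self):
        return [g for pair in self.pairs for g in pair.groups]

    def _refresh_priorities(self):
        for g in self._groups():
            g.priority = g.base - FAULT_PENALTY * self.faults[g.owner]

    def fault(self, device):
        """A monitored interface on `device` fails: its groups lose priority and
        every group it holds active hands over to the now higher-priority peer."""
        self.faults[device] += 1
        self._refresh_priorities()
        for pair in self.pairs:
            holder, other = pair.holder_and_other()
            if holder.owner == device and other.priority > holder.priority:
                pair.switch()

    def recover(self, device):
        """`device` recovers and its priorities return to base. It takes the
        active role back only if preemption is enabled; otherwise it stays standby."""
        self.faults[device] = 0
        self._refresh_priorities()
        if not self.preempt:
            return
        for pair in self.pairs:
            holder, other = pair.holder_and_other()
            if other.owner == device and other.priority > holder.priority:
                pair.switch()

    def priorities(self):
        return {(g.owner, g.kind): g.priority for g in self._groups()}

    def status(self):
        """A device is active if it holds at least one VGMP group in active state."""
        return {dev: "active" if any(g.is_active for g in self._groups() if g.owner == dev)
                else "standby" for dev in self.faults}


def run_scenario(mode, preempt=True):
    """Replay the guide's sequence: healthy, NGFW_A interface fault, NGFW_A recovery."""
    pair = HotStandbyPair(mode, preempt)
    trace = [("initial", pair.status(), pair.priorities())]
    pair.fault("NGFW_A")
    trace.append(("NGFW_A fault", pair.status(), pair.priorities()))
    pair.recover("NGFW_A")
    trace.append(("NGFW_A recovered", pair.status(), pair.priorities()))
    return trace


if __name__ == "__main__":
    for mode, preempt in (("active-standby", True), ("active-standby", False), ("load-balancing", True)):
        print(f"--- {mode}, preemption {'on' if preempt else 'off'}")
        for event, status, prios in run_scenario(mode, preempt):
            print(f"{event:18} {status}  {prios}")
```

Running the script prints the three traces; with preemption disabled, NGFW_A keeps the standby role after recovery even though its priority is again the higher one, which is the behaviour the text describes.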

Figure 6-16 Device status switchover controlled by VGMP groups

[Figure: NGFW_A and NGFW_B connected by a heartbeat link carrying heartbeat messages.
Active/standby mode, before switchover: NGFW_A (Active) active group state active, standby group state initialize; NGFW_B (Standby) standby group state standby, active group state initialize.
Active/standby mode, after switchover: NGFW_A (Standby) active group state standby, standby group state initialize; NGFW_B (Active) standby group state active, active group state initialize.
Load balancing mode, before switchover: NGFW_A (Active) active group state active, standby group state standby; NGFW_B (Active) standby group state standby, active group state active.
Load balancing mode, after switchover: NGFW_A (Standby) active group state standby, standby group state standby; NGFW_B (Active) standby group state active, active group state active.]

Traffic Directing
In hot standby networking, traffic must always be directed to the active device.
Table 6-2 lists the methods for directing traffic in different networking environments.

Table 6-2 Methods for directing traffic in different networking environments

Networking: The service interfaces of each NGFW work at Layer 3 and are directly connected to
switches. The NGFWs use static routes to communicate with the routers or PCs directly
connected to the switches.
Method: Only the active device responds to ARP requests carrying virtual IP addresses. Each
ARP packet carries a virtual IP address and the corresponding MAC address (the MAC address
can be a virtual one or the MAC address of an interface, which is determined by the vrrp
virtual-mac enable command setting). The upstream or downstream switch updates its MAC
table based on received ARP packets. The MAC address corresponding to the virtual IP address
in the MAC table indicates the interface connecting to the active firewall. In this manner, traffic
from the upstream or downstream switch can be diverted to the active firewall for forwarding.

Networking: The service interfaces of each NGFW work at Layer 3 and are directly connected to
routers. The NGFWs and routers run OSPF.
Method: The active device advertises routes with regular costs. The standby device increases
the cost of each route by 65500. Therefore, traffic is forwarded by the active device.

Networking: The service interfaces of each NGFW work at Layer 2 and are added to the same
VLAN.
Method: The VLAN on the active device can forward traffic, but the VLAN on the standby device
cannot. Therefore, traffic is forwarded by the active device.

Information Synchronization Using HRP


If the configurations have not been synchronized to the standby device before the active/standby
switchover, the functions configured on the active device cannot be implemented on the standby
device, which causes service interruptions.
The NGFW is a stateful firewall that dynamically creates a session for each new connection.
The active device may have many sessions but the standby device has none, because only the
active device forwards traffic. If the session entries on the active device have not been
synchronized to the standby device before the active/standby switchover, services are interrupted
after the switchover because the traffic previously forwarded by the active device cannot match
the session entries on the standby device.
Therefore, important configurations and session status information must be synchronized
between the active and standby devices. The NGFW uses the Huawei Redundancy Protocol
(HRP) to synchronize configuration information. After HRP is enabled, the key configurations
and session status information are synchronized to the standby device in real time.

In hot standby networking, information is synchronized through the heartbeat link.

The two NGFWs use the heartbeat link to detect each other's status and synchronize
configurations and status information. The interfaces at the ends of a heartbeat link are called
heartbeat interfaces.

6.1.4 Analysis of Typical Hot Standby Networks


This section describes typical hot standby networks and analyzes the mechanism of each.

6.1.4.1 Networking 1: Service Interfaces of Each NGFW Working at Layer 3 and
Directly Connecting to Switches
This section describes the networking in which the service interfaces of each NGFW work at
Layer 3 and directly connect to switches.

As shown in Figure 6-17, the service interfaces of each NGFW work at Layer 3 and directly
connect to Layer 2 switches.

This network supports both active/standby and load balancing modes.

Active/Standby

Figure 6-17 Active/standby networking in which the service interfaces of each NGFW work at
Layer 3 and directly connect to switches

[Figure: NGFW_A (Active) and NGFW_B (Standby) connected by a heartbeat link. Upstream, GE1/0/3 of each NGFW connects to a switch towards the router; GE1/0/3 of NGFW_A is active and GE1/0/3 of NGFW_B is standby in VRRP group 2, virtual IP address 1.1.1.1/24, which is the next-hop address of the router. Downstream, GE1/0/1 of each NGFW connects to a switch towards the intranet; GE1/0/1 of NGFW_A is active and GE1/0/1 of NGFW_B is standby in VRRP group 1, virtual IP address 10.1.1.1/24, which is the gateway address of the PC. GE1/0/1 of NGFW_A has interface MAC address e024-7fb3-481f and connects to switch port Eth0/0/1; NGFW_B connects to Eth0/0/2. The switch MAC table maps e024-7fb3-481f to Eth0/0/1. Legend: VRRP group, service traffic, ARP reply packets, heartbeat link.]

As shown in Figure 6-17, a VRRP group is configured on each service interface of NGFW_A.
The service interfaces are in the active state. A VRRP group is configured on each service
interface of NGFW_B. The service interfaces are in the standby state. The virtual IP address of
the corresponding VRRP group is configured as the gateway address of the PC on the intranet.

The network operates as follows:

1. The PC sends an ARP packet to the directly connected switch for requesting the MAC
address of the gateway. The switch broadcasts the ARP packet.
2. Only the interface (such as GE1/0/1 of NGFW_A) in active state responds to the ARP
packet and sends the interface MAC address.

3. The switch records the mapping between the interface MAC address and Eth0/0/1 and sends
the MAC address to the PC.
4. The PC sends a service packet with the interface GE1/0/1 MAC address of NGFW_A as
the destination address to the switch.
5. Based on the mapping between the MAC address and port, the switch sends the packet to
NGFW_A from Eth0/0/1.
Normally, the traffic sent from the PC is forwarded by NGFW_A (active device).

Figure 6-18 Networking in which the active device goes faulty

[Figure: the topology of Figure 6-17 after the fault. NGFW_A is Standby and NGFW_B is Active. GE1/0/3 of NGFW_A is standby and GE1/0/3 of NGFW_B is active in VRRP group 2 (virtual IP address 1.1.1.1/24, the next-hop address of the router); GE1/0/1 of NGFW_A is standby and GE1/0/1 of NGFW_B is active in VRRP group 1 (virtual IP address 10.1.1.1/24, the gateway address of the PC). GE1/0/1 of NGFW_B has interface MAC address 0022-a100-0002 and connects to switch port Eth0/0/2; the switch MAC table now maps 0022-a100-0002 to Eth0/0/2. Legend: VRRP groups, service traffic, gratuitous ARP packets, heartbeat link, fault.]

When NGFW_A goes faulty, as shown in Figure 6-18, the network operates as follows:

1. When a service interface of NGFW_A goes faulty, NGFW_A becomes the standby device,
and NGFW_B becomes the active device.

2. NGFW_B sends gratuitous ARP packets, which triggers the directly connected switches
to update the mappings between MAC addresses and ports, such as the interface GE1/0/1
MAC address of NGFW_B and Eth0/0/2.
3. When the PC sends a service packet to the switch, the switch forwards the packet to
NGFW_B from Eth0/0/2.
Then the traffic sent from the PC is forwarded by NGFW_B.

Load Balancing
As shown in Figure 6-19, the load balancing networking is configured as follows:

l VRRP groups 1 and 2 are configured on GE1/0/1 of NGFW_A. GE1/0/1 is in active state
in VRRP group 1 and in standby state in VRRP group 2.
l VRRP groups 1 and 2 are configured on GE1/0/1 of NGFW_B. GE1/0/1 is in standby state
in VRRP group 1 and in active state in VRRP group 2.
l The gateway of PC1 is set to the virtual IP address of VRRP group 1, and the gateway of
PC2 is set to the virtual IP address of VRRP group 2.
l VRRP groups 3 and 4 are configured on GE1/0/3 of NGFW_A. GE1/0/3 is in active state
in VRRP group 3 and in standby state in VRRP group 4.
l VRRP groups 3 and 4 are configured on GE1/0/3 of NGFW_B. GE1/0/3 is in standby state
in VRRP group 3 and in active state in VRRP group 4.
l Two static routes are configured on the router. The next-hop address of one route is the
virtual IP address of VRRP group 3, and the next-hop address of the other route is the virtual
IP address of VRRP group 4.

GE1/0/1 of NGFW_A uses the virtual IP address of VRRP group 1 as the next-hop address to
forward packets. GE1/0/1 of NGFW_B uses the virtual IP address of VRRP group 2 as the next-
hop address to forward packets. Some PC traffic is forwarded by NGFW_A, while the other PC
traffic is forwarded by NGFW_B, implementing load balancing.

Figure 6-19 Load balancing networking in which the service interfaces of each NGFW work at
Layer 3 and directly connect to switches

[Figure: NGFW_A (Active) and NGFW_B (Active) connected by a heartbeat link. Upstream, GE1/0/3 of each NGFW is in VRRP group 3 (virtual IP address 1.1.1.1/24) and VRRP group 4 (virtual IP address 1.1.1.2/24); the next-hop address of the router is shown as 1.1.1.1/24. Downstream, GE1/0/1 of each NGFW is in VRRP group 1 (virtual IP address 10.1.1.1/24) and VRRP group 2 (virtual IP address 10.1.1.2/24). On the intranet, the gateway address of PC1 is 10.1.1.1/24 and that of PC2 is 10.1.1.2/24. Legend: VRRP groups, traffic of PC1, traffic of PC2, heartbeat link.]

6.1.4.2 Networking 2: Service Interfaces of Each NGFW Working at Layer 3 and
Directly Connecting to Routers
This section describes the networking in which the service interfaces of each NGFW work at
Layer 3 and directly connect to routers.

As shown in Figure 6-20, the service interfaces on each NGFW work at Layer 3 and directly
connect to routers. The NGFWs and their directly connected routers use OSPF to communicate.

This network supports both active/standby and load balancing modes.

Active/Standby

Figure 6-20 Networking in which the service interfaces of each NGFW work at Layer 3 and
directly connect to routers

[Figure: Router_A and Router_B downstream, Router_C and Router_D upstream. NGFW_A connects Router_A to Router_C and NGFW_B connects Router_B to Router_D; the NGFWs and routers run OSPF, and the two NGFWs are connected by a heartbeat link. Traffic before switchover passes through NGFW_A; traffic after switchover passes through NGFW_B.]

As shown in Figure 6-20, NGFW_A (active device) advertises routes properly. NGFW_B
(standby device) increases the cost of each route to be advertised by 65500.

The routers connected to the NGFWs use the path with the smaller cost to forward traffic.
Therefore, traffic is forwarded by NGFW_A (active device).

When a service interface of NGFW_A goes faulty, NGFW_A becomes the standby device, and
NGFW_B becomes the active device.

NGFW_B advertises routes properly, whereas NGFW_A increases the cost of each route to be
advertised by 65500. After route reconvergence, traffic is forwarded by NGFW_B.

Load Balancing

Figure 6-21 Load balancing networking in which the service interfaces of each NGFW work at
Layer 3 and directly connect to routers

[Figure: the topology of Figure 6-20. The OSPF cost of each link between Router_A or Router_C and NGFW_A, and between Router_B or Router_D and NGFW_B, is 10. Traffic forwarded by NGFW_A and traffic forwarded by NGFW_B are shown separately; the NGFWs are connected by a heartbeat link.]

As shown in Figure 6-21, NGFW_A and NGFW_B work in load balancing mode: both are active
devices and both advertise routes properly.

Therefore, you need to set the same cost for the interfaces that connect Routers A and C to
NGFW_A and the interfaces that connect Routers B and D to NGFW_B. This setting allows
traffic to be balanced between NGFW_A and NGFW_B.
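The two OSPF cases of this networking (the standby device adding 65500 to its advertised costs, and equal costs on both sides for load balancing) can be checked with a small shortest-path computation. The script below is an added example, not code from the guide or from the NGFW software. Its topology is constructed in the spirit of Figures 6-20 and 6-21: the Router_A-Router_B link, the Router_C-Router_D link and the Upstream node are assumptions added so that every downstream router can reach either NGFW, and the standby device's higher advertised costs are modelled as an extra 65500 on every link that enters that NGFW, a simplification of the real LSA behaviour.

```python
"""Which NGFW carries traffic when hot standby steers OSPF by route cost.

Added example, not Huawei code. Topology constructed after Figures 6-20 and
6-21; the Router_A-Router_B, Router_C-Router_D and Upstream links are
assumptions. The standby NGFW raising its advertised route costs by 65500
(from the guide) is modelled by adding 65500 to the cost of entering it.
"""
import heapq

STANDBY_COST_INCREMENT = 65500     # from the guide
DEFAULT_NGFW_LINK_COST = 10        # "Cost10" in Figure 6-21

# Constructed links that do not touch an NGFW: (node, node, cost).
FIXED_LINKS = [
    ("Router_A", "Router_B", 1),    # assumed downstream interconnect
    ("Router_C", "Router_D", 1),    # assumed upstream interconnect
    ("Router_C", "Upstream", 1),    # assumed upstream network
    ("Router_D", "Upstream", 1),
]
# Links that touch an NGFW; their cost comes from ngfw_link_cost so the
# "same cost on both sides" rule of the guide can be tested.
NGFW_LINKS = [
    ("Router_A", "NGFW_A"), ("NGFW_A", "Router_C"),
    ("Router_B", "NGFW_B"), ("NGFW_B", "Router_D"),
]


def build_graph(standby=(), ngfw_link_cost=None):
    """Undirected adjacency map; entering a standby NGFW costs 65500 more."""
    ngfw_link_cost = ngfw_link_cost or {}
    links = list(FIXED_LINKS)
    for a, b in NGFW_LINKS:
        ngfw = a if a.startswith("NGFW") else b
        links.append((a, b, ngfw_link_cost.get(ngfw, DEFAULT_NGFW_LINK_COST)))
    graph = {}
    for a, b, cost in links:
        for x, y in ((a, b), (b, a)):
            penalty = STANDBY_COST_INCREMENT if y in standby else 0
            graph.setdefault(x, {})[y] = cost + penalty
    return graph


def shortest_paths(graph, src, dst):
    """Dijkstra that keeps every equal-cost predecessor, so ECMP shows up."""
    dist = {n: float("inf") for n in graph}
    preds = {n: [] for n in graph}
    dist[src] = 0
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist[u]:
            continue                      # stale heap entry
        for v, cost in graph[u].items():
            nd = d + cost
            if nd < dist[v]:
                dist[v], preds[v] = nd, [u]
                heapq.heappush(heap, (nd, v))
            elif nd == dist[v] and u not in preds[v]:
                preds[v].append(u)

    def expand(node):
        if node == src:
            return [[src]]
        return [p + [node] for pred in preds[node] for p in expand(pred)]

    return dist[dst], expand(dst)


def forwarding_ngfws(standby=(), ngfw_link_cost=None,
                     sources=("Router_A", "Router_B"), dst="Upstream"):
    """For each downstream router: (best path cost, sorted NGFWs on its best paths)."""
    graph = build_graph(standby, ngfw_link_cost)
    result = {}
    for src in sources:
        cost, paths = shortest_paths(graph, src, dst)
        on_path = {n for p in paths for n in p if n.startswith("NGFW")}
        result[src] = (cost, sorted(on_path))
    return result


if __name__ == "__main__":
    print("active/standby, NGFW_B standby: ", forwarding_ngfws(standby={"NGFW_B"}))
    print("after switchover, NGFW_A standby:", forwarding_ngfws(standby={"NGFW_A"}))
    print("load balancing, equal costs:     ", forwarding_ngfws())
    print("load balancing, NGFW_B links 20: ", forwarding_ngfws(ngfw_link_cost={"NGFW_B": 20}))
```

With equal costs each downstream router uses the NGFW nearest to it, which is the balancing the text describes; the last call shows that giving the NGFW_B side a higher cost sends Router_B's traffic through NGFW_A as well, defeating the load balancing.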

6.1.4.3 Networking 3: Service Interfaces of Each NGFW Working at Layer 2 and
Directly Connecting to Switches
This section describes the networking in which the service interfaces of each NGFW work at
Layer 2 and directly connect to switches.

As shown in Figure 6-22, the service interfaces on each NGFW work at Layer 2 and connect
to Layer 2 switches. The service interfaces on each NGFW are added to the same VLAN.

The network supports active/standby only.

Figure 6-22 Networking in which the service interfaces of each NGFW work at Layer 2 and
directly connect to switches

[Figure: Switch_A and Switch_B downstream, Switch_C and Switch_D upstream. NGFW_A and NGFW_B sit between them with Layer 2 service links, their service interfaces in one VLAN, and are connected by a heartbeat link. Traffic before switchover passes through NGFW_A; traffic after switchover passes through NGFW_B.]

Active/Standby
As shown in Figure 6-22, the VLAN on NGFW_A (active device) is enabled and can forward
traffic. The VLAN on NGFW_B (standby device) is disabled and cannot forward traffic.
Therefore, all traffic is forwarded by NGFW_A.

NOTICE
If hot standby in load balancing mode is enabled, the VLANs on the two firewalls need to be
enabled. Otherwise, a loop may be formed between the switches. Therefore, the networking
applies only to the active/standby mode. If you want to deploy hot standby in load balancing
mode, contact Huawei technical support personnel.

If NGFW_A goes faulty, NGFW_A becomes the standby device, and NGFW_B becomes the
active device.

When NGFW_A becomes the standby device, all interfaces in the VLAN of NGFW_A go
Down and then Up. Because of these interface status changes, all switches update their MAC
forwarding tables. Therefore, traffic is diverted to NGFW_B.

6.1.4.4 Networking 4: Service Interfaces of Each NGFW Working at Layer 2 and
Directly Connecting to Routers
This section describes the networking in which the service interfaces of each NGFW work at
Layer 2 and directly connect to routers.

As shown in Figure 6-23, the upstream and downstream interfaces on the NGFW work at Layer
2 and directly connect to routers. The NGFWs and their directly connected routers use OSPF to
communicate. The upstream and downstream service interfaces on each NGFW are added to
the same VLAN.

The network supports the load balancing mode only.

Figure 6-23 Networking in which the service interfaces of each NGFW work at Layer 2 and
directly connect to routers

[Figure: Router_A and Router_B downstream, Router_C and Router_D upstream, running OSPF with each other across NGFW_A and NGFW_B, whose Layer 2 service interfaces are in one VLAN; the NGFWs are connected by a heartbeat link. Traffic forwarded by NGFW_A and traffic forwarded by NGFW_B are shown separately.]

Load Balancing
The VLANs on NGFW_A and NGFW_B are enabled and can forward traffic. NGFW_A,
NGFW_B, and their directly connected routers need to run OSPF to divert traffic.

Therefore, you need to set the same cost for the interfaces that connect Routers A and C to
NGFW_A and the interfaces that connect Routers B and D to NGFW_B. This setting allows
traffic to be balanced between NGFW_A and NGFW_B.

NOTICE
In this networking, hot standby in load balancing mode is recommended. If hot standby works
in active/standby mode, the VLANs on the standby firewall are disabled. When an active/standby
switchover occurs, route convergence is slow, affecting service forwarding.

If NGFW_A goes faulty, NGFW_A becomes the standby device, and NGFW_B becomes the
active device.

When NGFW_A becomes the standby device, all interfaces in the VLAN of NGFW_A go
Down and then Up. As a result, all routers need to recalculate routes. In this case, the VLAN on
NGFW_A is disabled, and the cost of the path that passes through NGFW_A increases.
Therefore, all traffic is forwarded by NGFW_B.

6.1.5 Restrictions and Precautions


This section describes the restrictions on hot standby, including hardware restrictions, software
restrictions, and the restrictions on interworking with NAT and IPSec.

Hardware Restrictions
l Currently, hot standby can be implemented between only two devices.
l The active and standby devices must have the same product model and version.
l The active and standby devices must have the same number and types of boards installed
in the same arrangement. Otherwise, the information synchronized from the active device
does not match the physical configuration of the standby device. As a result, faults occur
after an active/standby switchover.
l If you want to use a Layer 2 interface as a heartbeat interface, add the Layer 2 interface to
a VLAN. Then create a VLANIF interface and configure an IP address for the VLANIF
interface. Use the VLANIF interface as the heartbeat interface, and use the remote parameter
to specify the IP address of the heartbeat interface on the remote device.

Software Restrictions
l The active and standby devices must run software of the same version. Otherwise, some
configurations or session table structures on the two devices may be different. As a result,
faults may occur when the active and standby devices synchronize configurations and
status.
l The BootROM versions on the active and standby devices must be the same.
l If configuration commands are executed manually on the active and standby devices after
the automatic backup function is disabled, the configuration contents on the two devices are
the same but the configuration order is not. For example, the policy matching conditions on
the active and standby devices are different. In such cases, the consistency check function
determines that the active and standby device configurations are different. However, this
impacts neither the hot standby service nor the performance. You only need to re-configure
the commands.
l It is recommended that the active and standby devices use their initial configuration files.
Otherwise, faults may occur after the active/standby switchover because of configuration
conflicts.

l The service interfaces and heartbeat interfaces used by active and standby devices must be
the same. For example, if the active device uses GigabitEthernet1/0/1 as the service
interface and GigabitEthernet1/0/7 as the heartbeat interface, the standby device must use
the same interfaces.
l The interfaces with vrrp virtual-mac enable configured cannot function as the heartbeat
interfaces.
l To configure an Eth-Trunk interface as a heartbeat interface, you need to run the
load-balance packet-all command to set per-packet load balancing for the Eth-Trunk interface.
l The default MTU of the heartbeat interface must be 1500.
l The service interfaces of the active and standby devices use fixed IP addresses. Therefore,
you cannot use the hot standby function together with the features, such as PPPoE and
DHCP, that use dynamic IP addresses.
l Before changing the working mode on the web page after hot standby is established, you
must clear all hot standby-related configurations.
l If you use the engine overload action command to set the engine overload action to
block, an active/standby switchover affects connected services (for example FTP
connections), and reconnection is required. If you set the action to bypass, reconnection is
not required. An active/standby switchover affects proxy services, such as SSL proxy and
mail proxy services, and reconnection is required, regardless of whether the value is
block or bypass.

Restrictions on Interworking with NAT


l When hot standby interworks with NAT, the upstream and downstream service interfaces
on the active and standby devices must be Layer 3 interfaces.
l In load balancing mode, if a NAT address pool is required on the two NGFWs, you must
run the hrp nat ports-segment primary command on one NGFW and the
hrp nat ports-segment secondary command on the other NGFW to prevent port conflicts
during NAT processing.
l In the load balancing networking, if you configure only one NAT address pool and do not
configure port translation in the address pool-based source NAT policy, the two NGFWs
may translate the source IP addresses of traffic from different hosts to the same IP address,
causing address conflicts.
In this case, you are advised to create two NAT address pools for the NGFWs to translate
source IP addresses to addresses in different address pools. For example, NGFW_A and
NGFW_B are deployed in hot standby mode and process traffic from 10.1.1.1 to 10.1.1.128
and 10.1.1.129 to 10.1.1.254 respectively. Configure address pool-based source NAT
without port translation, create NAT address pools addressgroup1 and addressgroup2,
and configure two source NAT policies for the NGFWs to translate the source IP addresses
of the traffic from 10.1.1.1 to 10.1.1.128 to addresses in addressgroup1 and those of the
traffic from 10.1.1.129 to 10.1.1.254 to addresses in addressgroup2.
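The address conflict described in the last bullet, and the two-pool remedy, can be reproduced with a small simulation. The script below is an added example, not code from the guide or from the NGFW software: it models address-pool source NAT without port translation on two devices that allocate pool addresses independently (hot standby synchronises the configuration, not the peer's allocations) and reports translated addresses that end up bound to two different inside hosts. The inside ranges 10.1.1.1-10.1.1.128 and 10.1.1.129-10.1.1.254 and the pool names addressgroup1 and addressgroup2 follow the text; the pool address ranges (taken from 203.0.113.0/24, a documentation range) and the sample hosts are constructed.

```python
"""Why two NGFWs in load balancing must not share one NO-PAT address pool.

Added example, not Huawei code. Models address-pool source NAT without port
translation on two devices that allocate independently and checks whether two
inside hosts receive the same translated address. Pool ranges and sample hosts
are constructed; inside ranges and pool names follow the guide.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class SourceNatPolicy:
    first: str    # first inside address the policy matches
    last: str     # last inside address the policy matches
    pool: str     # NAT address pool used for translation

    def matches(self, ip):
        addr = int(ipaddress.ip_address(ip))
        return (int(ipaddress.ip_address(self.first)) <= addr
                <= int(ipaddress.ip_address(self.last)))


def make_pool(name, cidr):
    """Address pool as (name, [usable addresses]); constructed ranges."""
    return name, [str(h) for h in ipaddress.ip_network(cidr).hosts()]


class NoPatNgfw:
    """One NGFW doing source NAT without port translation from its own pool view."""

    def __init__(self, name, pools, policies):
        self.name = name
        # Each device keeps its own free list: hot standby synchronises the
        # configuration, not which pool address the peer has handed out.
        self.free = {pname: list(addrs) for pname, addrs in pools}
        self.policies = policies
        self.bindings = {}      # inside host -> translated address

    def translate(self, src_ip):
        if src_ip in self.bindings:
            return self.bindings[src_ip]
        policy = next((p for p in self.policies if p.matches(src_ip)), None)
        if policy is None:
            return src_ip                     # no matching policy: not translated
        if not self.free[policy.pool]:
            raise RuntimeError(f"{self.name}: pool {policy.pool} exhausted")
        self.bindings[src_ip] = self.free[policy.pool].pop(0)   # lowest free address
        return self.bindings[src_ip]


def find_conflicts(devices):
    """Translated addresses that two devices bound to different inside hosts."""
    first_seen = {}
    conflicts = []
    for dev in devices:
        for inside, outside in dev.bindings.items():
            if outside in first_seen and first_seen[outside][1] != inside:
                conflicts.append((outside, first_seen[outside], (dev.name, inside)))
            first_seen.setdefault(outside, (dev.name, inside))
    return conflicts


def simulate(policies, pools, hosts_a, hosts_b):
    """Same synchronised NAT configuration on both devices; NGFW_A forwards
    hosts_a and NGFW_B forwards hosts_b. Returns (conflicts, NGFW_A, NGFW_B)."""
    ngfw_a = NoPatNgfw("NGFW_A", pools, policies)
    ngfw_b = NoPatNgfw("NGFW_B", pools, policies)
    for host in hosts_a:
        ngfw_a.translate(host)
    for host in hosts_b:
        ngfw_b.translate(host)
    return find_conflicts([ngfw_a, ngfw_b]), ngfw_a, ngfw_b


POOLS = [make_pool("addressgroup1", "203.0.113.0/28"),      # constructed
         make_pool("addressgroup2", "203.0.113.16/28")]     # constructed
# The misconfiguration the guide warns about: one policy, one pool, both devices.
ONE_POOL_POLICY = [SourceNatPolicy("10.1.1.1", "10.1.1.254", "addressgroup1")]
# The recommended split: each device's traffic range maps to its own pool.
SPLIT_POLICIES = [SourceNatPolicy("10.1.1.1", "10.1.1.128", "addressgroup1"),
                  SourceNatPolicy("10.1.1.129", "10.1.1.254", "addressgroup2")]
# Constructed sample traffic: five hosts behind each device.
HOSTS_A = [f"10.1.1.{i}" for i in range(1, 6)]
HOSTS_B = [f"10.1.1.{i}" for i in range(129, 134)]

if __name__ == "__main__":
    for label, policies in (("one shared pool", ONE_POOL_POLICY), ("split pools", SPLIT_POLICIES)):
        conflicts, _, _ = simulate(policies, POOLS, HOSTS_A, HOSTS_B)
        print(f"{label}: {len(conflicts)} conflicting translated addresses")
        for outside, first, second in conflicts:
            print(f"  {outside} used by {first} and {second}")
```

With one shared pool every host behind NGFW_B collides with a host behind NGFW_A, because both devices start handing out the same lowest free address; with the split policies the two devices draw from disjoint pools and no translated address is shared.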

Restrictions on Interworking with IPSec


l When hot standby interworks with IPSec, the upstream and downstream service interfaces
used by the active and standby devices to establish an IPSec tunnel must be Layer 3
interfaces.

l The hot standby configuration and the IPSec configuration are each the same whether hot
standby interworks with IPSec or the two features are used separately.
l Only the IPSec policy configuration, not the interface configuration, is synchronized from
the active device to the standby device. Therefore, on the standby device you only need to
apply the IPSec policy to the outbound interface.
l If the NGFW initiates the establishment of an IPSec tunnel, you must run the local-address
ip-address command to specify the virtual VRRP IP address as the local IP address for
initiating the IPSec negotiation.

6.1.6 Configuring Hot Standby Using the Web UI


This section describes how to configure hot standby using the web UI.

Prerequisites
1. Determine the networking mode. For networking details, see 6.1.4 Analysis of Typical
Hot Standby Networks.
2. Determine whether to use the active/standby or load balancing mode.
3. Complete basic network configurations, such as interface, routes, and security policy
configurations.

Context
The hot standby configuration varies according to networking modes.

Networking: 6.1.4.1 Networking 1: Service Interfaces of Each NGFW Working at Layer 3 and
Directly Connecting to Switches
Operation: Complete the task of Step 4 and add the upstream and downstream service interfaces
of each NGFW to VRRP groups.

Networking: 6.1.4.2 Networking 2: Service Interfaces of Each NGFW Working at Layer 3 and
Directly Connecting to Routers
Operation: Complete the task of Step 5 to enable the NGFWs to monitor their upstream and
downstream service interfaces.

Networking: 6.1.4.3 Networking 3: Service Interfaces of Each NGFW Working at Layer 2 and
Directly Connecting to Switches
Operation: The tasks of Step 4 and Step 5 are not required. Because a VGMP group monitors all
VLANs except VLAN1 by default, you only need to add the upstream and downstream service
interfaces of the NGFWs to VLANs.

Networking: 6.1.4.4 Networking 4: Service Interfaces of Each NGFW Working at Layer 2 and
Directly Connecting to Routers
Operation: The tasks of Step 4 and Step 5 are not required. Because a VGMP group monitors all
VLANs except VLAN1 by default, you only need to add the upstream and downstream service
interfaces of the NGFWs to VLANs.

Perform the following steps on the NGFWs:

Procedure
Step 1 Choose System > High Availability > Dual-System Hot Backup.

Step 2 Click Edit.

Step 3 Select the check box of Enable and set basic hot standby parameters. Parameters are described
as follows:

Parameter: Working Mode
Description: Select the operating mode of each NGFW.
l Active/Standby: In this mode, one of the NGFWs functions as the active device, and the
other as the standby device.
l Load balancing: In this mode, the two NGFWs back up each other and balance the traffic
load.
NOTICE
If the service interfaces of the NGFWs work at Layer 2 and are directly connected to switches,
you must select Active/Standby.

Parameter: State
Description: Select the active or standby status of the local NGFW only when the two NGFWs
work in active/standby mode.

Parameter: Heartbeat Interface
Description: Select a heartbeat interface. Ensure that the heartbeat interface has an IP address.
The heartbeat interface is used to synchronize configurations and status information between
the NGFWs.
NOTE
You need to configure an interzone security policy between the Local zone and the zone to
which the heartbeat interfaces belong so that the two devices can exchange packets.
If the heartbeat interfaces of the two devices are connected through switches or routers, you
must set Peer IP. Peer IP is the IP address of the heartbeat interface on the remote device.
You can configure a maximum of 16 heartbeat interfaces. Only the heartbeat interface that is
configured first and is in the Up state is used. You can click the add icon to add a heartbeat
interface.

Parameter: Proactive Preemption
Description: Determine whether to enable the preemption function. By default, the preemption
function is enabled, and the preemption delay is 60s. The preemption function takes effect only
on the active device.
The preemption function enables the original active device to return to active after recovery.
If the preemption function is disabled, the original active device remains in standby state after
recovering from a fault.
If the service interfaces of the NGFWs work at Layer 2 and are directly connected to routers,
you must enable the preemption function.

Parameter: Hello Packet Interval
Description: Set the interval at which Hello packets are sent. The default interval is 1000 ms
and is recommended. Ensure that the active and standby devices have the same interval.
l In active/standby mode, this parameter is the interval at which the active device sends
Hello packets.
l In load balancing mode, this parameter is the interval at which the two devices exchange
Hello packets.

Step 4 Configure a virtual IP address for each VRRP group.


NOTE
You need to configure a virtual IP address if the service interfaces of the NGFWs work at Layer 3 and are directly
connected to switches.
1. In Configure Virtual IP Address, click Add.
2. Configure a virtual IP address. The principles for configuring a virtual IP address are as
follows:
l If Working Mode is Active/Standby, you must add a service interface on the active
device to a VRRP group, and add a service interface with the same interface number on
the standby device to the same VRRP group.
As shown in Figure 6-24, GE1/0/1 of NGFW_A is added to VRRP group 2, and
GE1/0/1 of NGFW_B is also added to VRRP group 2.
l If Working Mode is set to Load balancing, you must add a service interface on
NGFW_A to two VRRP groups (one as the active VRRP group and the other as the
standby VRRP group) and add the service interface with the same interface number on
NGFW_B to the same two VRRP groups. However, the active VRRP group on one
device is the standby VRRP group on the other.
As shown in Figure 6-24, GE1/0/1 of NGFW_A is added to VRRP group 2 in active
state and VRRP group 4 in standby state, and GE1/0/1 of NGFW_B is added to VRRP
group 2 in standby state and VRRP group 4 in the active state.

Figure 6-24 Configuring virtual IP addresses

[Figure: NGFW_A has GE1/0/3 (10.3.0.1/24) connected to Switch A and GE1/0/1 (10.2.0.1/24) connected to Switch C; NGFW_B has GE1/0/3 (10.3.0.2/24) connected to Switch B and GE1/0/1 (10.2.0.2/24) connected to Switch D. VRRP groups on GE1/0/3: group 1 (virtual IP address 10.3.0.3/24; NGFW_A active, NGFW_B standby) and group 3 (virtual IP address 10.3.0.4/24; NGFW_A standby, NGFW_B active). VRRP groups on GE1/0/1: group 2 (virtual IP address 10.2.0.3/24; NGFW_A active, NGFW_B standby) and group 4 (virtual IP address 10.2.0.4/24; NGFW_A standby, NGFW_B active).]

Parameter: VRID
Description: ID of a VRRP group. The interfaces with the same interface number on the active
and standby devices must have the same VRID.
For example, the GE1/0/1 interfaces of NGFW_A and NGFW_B in Figure 6-24 have the same
VRID (2).

Parameter: Interface
Description: Interface added to a VRRP group. This interface must be an uplink/downlink
service interface of the NGFW, such as GE1/0/1 and GE1/0/3 of the NGFW in Figure 6-24.

Parameter: Interface IP Address/MASK
Description: After you select Interface, the IP address/mask of the interface is automatically
displayed.
For example, if you select GE1/0/1 of NGFW_A, 10.2.0.1/24 is displayed.

Parameter: Virtual IP Address/MASK
Description: Virtual IP address of a VRRP group, such as 10.2.0.3/24, 10.3.0.3/24, 10.2.0.4/24,
and 10.3.0.4/24 in Figure 6-24.
The virtual IP address cannot be an interface IP address. If the virtual IP address and interface
IP address of a VRRP group are in different network segments, the subnet mask is required.
The virtual IP address is shared by both devices deployed in hot standby mode. For upstream
and down
stream devices, the two NGFWs work as one device with the virtual IP address of the VRRP
group as the interface address. Therefore, the next hop of the static routes on the upstream and
downstream devices must be the virtual IP addresses of the VRRP groups.

Parameter: Virtual MAC
Description: A virtual MAC address is a MAC address generated based on the VRID in the
format of 00-00-5E-00-01-{VRID}. Each VRID maps to one virtual MAC address.
In hot standby scenarios, if the peer device needs to verify the MAC address, enable the virtual
MAC address function. Otherwise, the MAC address changes upon active/standby switchovers,
leading to packet loss.

Parameter: Link-Local Address
Description: For a VRRPv6 group, both the virtual IP address and link-local address are
required. The link-local address is an IPv6 address whose prefix is FE80, such as FE80::7. This
address is used for communication between adjacent nodes on a link and is valid only for the
link. Before configuring a virtual IPv6 address for a VRRPv6 group, you must configure a
link-local address for the group.

Parameter: State
Description: If you set Working Mode to Load Balancing, this parameter is displayed.
As shown in Figure 6-24, if one device in a VRRP group is in active state, the other device in
the VRRP group must be in standby state. If one device in a VRRP group is in standby state,
the other device in the VRRP group must be in active state.

3. Click OK.

Step 5 Configure interface monitoring, as shown in Figure 6-25.


NOTE
If the service interfaces of each NGFW work at Layer 3 and are directly connected to routers, you must configure
interface monitoring. A monitored interface must be a service interface.


Figure 6-25 Configuring interface monitoring

(Figure: Router A and Router B connect to GE1/0/3 of NGFW_A and NGFW_B; Router C and
Router D connect to GE1/0/1; OSPF runs between the routers and the NGFWs on both sides;
the figure also marks the address 1.1.1.1/24 used as the remote detection address.)

Parameters are described as follows:

Parameter Description

Monitored Interface
  Interfaces to be monitored, such as GE1/0/1 and GE1/0/3 in Figure 6-25.

Monitored Remote Detection IP Address/Domain Name
  IP address or domain name of an indirectly connected interface that needs to
  be monitored, such as public IP address 1.1.1.1 in Figure 6-25.
  The interface for which you enter Monitored Remote Detection IP Address/
  Domain Name sends out probe packets.

Add selected monitored interface to the monitored interface group
  After you select this check box, the system adds all selected Monitored
  Interfaces to the monitored interface group.
  If an interface in the monitored interface group goes down, all interfaces
  in this group go down. For example, if GE1/0/1 in Figure 6-25 goes down,
  GE1/0/3 also goes down.

Step 6 Click OK.

----End


Follow-up Procedure
After you complete the preceding operations, choose System > High Availability > Dual-
System Hot Backup to view the operating status of hot standby. The parameters related to hot
standby are described as follows:

Parameter Description

Current Working Mode
  • Single Device: is displayed if hot standby is not enabled.
  • Active/Standby Backup: is displayed when the devices work in active/standby mode.
  • Load Balancing: is displayed when the devices work in load balancing mode.

Current State
  • Initialization: is displayed after the configuration is complete and before
    hot standby is established.
  • Active: is displayed on the active device after hot standby is established.
  • Standby: is displayed on the standby device after hot standby is established.
  Click Details to view records about the active/standby switchover, including
  Time, Description and Reason.
  Click Manual Switchover to manually switch over the state of the device.

Current HeartBeat Interface
  Heartbeat interface and its bandwidth usage.

Proactive Preemption
  Whether the preemption function is enabled.

Configuration Consistency
  Whether the configurations of the active and standby devices are consistent.
  Click Check to check whether the configurations of the devices are consistent.
  Click Details to view the check results, check date, and inconsistent items.
  In the dialog box that is displayed, click Synchronize Configuration to
  synchronize device configurations.
  Click Recheck to check whether the configurations of the devices are
  consistent.

Virtual IP
  State of a monitored VRRP group.

Interface
  State of a monitored interface.

Monitored Remote Detection IP Address/Domain Name
  IP address/domain name of an indirectly connected interface that is
  monitored.


6.1.7 Configuring Hot Standby Using the CLI


This section describes how to configure hot standby using the CLI.

6.1.7.1 Configuration Flow


This section describes the flow for configuring hot standby. You can read the section of each
configuration step based on the flowcharts in this section.

For details about the flow for configuring hot standby, see Figure 6-26.

Figure 6-26 Configuration flow

The flowchart shows the following sequence (reconstructed from the figure):
1. Start.
2. Complete basic network configurations.
3. Perform one of the following operations, depending on the networking:
   • Layer 3 service interfaces connect to switches: configure VRRP groups.
   • Layer 3 service interfaces connect to routers: configure interface monitoring.
   • Layer 2 service interfaces connect to switches or routers: configure VLAN monitoring.
4. Configure heartbeat interfaces.
5. Enable dual-system hot backup.
6. Configure a backup mode.
7. Check the configuration.
8. End.

6.1.7.2 Configuring VRRP Groups


If the service interfaces of each NGFW work at Layer 3 and are directly connected to switches,
you need to configure VRRP groups.


Prerequisites
1. Complete service interface configurations, such as IP address and security zone
configurations.
2. Configure security policies to permit legitimate traffic.

Context
The configuration roadmap is as follows:

Figure 6-27 Networking for configuring VRRP groups

(Figure, labels recovered from the drawing: Switch A and Switch B connect to GE1/0/3 of the
NGFWs, Switch C and Switch D to GE1/0/1. NGFW_A: GE1/0/3 10.3.0.1/24, GE1/0/1 10.2.0.1/24.
NGFW_B: GE1/0/3 10.3.0.2/24, GE1/0/1 10.2.0.2/24. On GE1/0/3: VRRP group 1, virtual IP
10.3.0.3/24, active on NGFW_A and standby on NGFW_B; VRRP group 3, virtual IP 10.3.0.4/24,
standby on NGFW_A and active on NGFW_B. On GE1/0/1: VRRP group 2, virtual IP 10.2.0.3/24,
active on NGFW_A and standby on NGFW_B; VRRP group 4, virtual IP 10.2.0.4/24, standby on
NGFW_A and active on NGFW_B.)

• Active/standby
  1. Configure a VRRP group on each service interface of the active device and add the
     VRRP groups to an active VGMP group.
     As shown in Figure 6-27, VRRP group 2 configured on GE1/0/1 and VRRP group 1
     configured on GE1/0/3 of NGFW_A are added to the active VGMP group.
  2. Configure a VRRP group on each service interface of the standby device and add the
     VRRP groups to the standby VGMP group.
     As shown in Figure 6-27, VRRP group 2 configured on GE1/0/1 and VRRP group 1
     configured on GE1/0/3 of NGFW_A are added to the standby VGMP group.
  3. On the hosts or devices that are directly connected to each NGFW, set the gateway
     address or next-hop address of the static route to the virtual IP address of the
     corresponding VRRP group.
• Load balancing
  1. Two VRRP groups are configured on each service interface of NGFW_A. One VRRP
     group is added to the active VGMP group, and the other to the standby VGMP group.
     As shown in Figure 6-27, on the downlink interface of NGFW_A, configure VRRP
     group 1 and add it to the active VGMP group; configure VRRP group 3 and add it to
     the standby VGMP group. On the uplink interface, configure VRRP group 2 and add
     it to the active VGMP group; configure VRRP group 4 and add it to the standby VGMP
     group.
  2. On the service interfaces of NGFW_B, configure the same VRRP groups but add them
     to the opposite VGMP groups.
     As shown in Figure 6-27, on the downlink service interface of NGFW_A, configure
     VRRP group 1 and add it to the standby VGMP group; configure VRRP group 3 and
     add it to the active VGMP group. On the uplink service interface, configure VRRP
     group 2 and add it to the standby VGMP group; configure VRRP group 4 and add it
     to the active VGMP group.
  3. On the downstream devices, configure two static routes, with the next hop addresses
     being the virtual IP addresses of the two VRRP groups respectively.

Procedure
Step 1 Access the interface view.

interface interface-type interface-number

The interfaces that support VRRP groups include Layer 3 Ethernet interfaces and their
subinterfaces, Layer 3 Eth-Trunk interfaces, and VLANIF interfaces.

Step 2 Run the following commands to configure a VRRP or VRRPv6 group as required:
• Configure a VRRP group.
  vrrp vrid virtual-router-id virtual-ip virtual-address [ ip-mask | ip-mask-length ]
  { active | standby }
• Configure a VRRPv6 group.
  1. Configure a link-local address.
     vrrp6 vrid virtual-router-id virtual-ip FE80::X:X link-local { active | standby }
  2. Configure a virtual IPv6 address.
     vrrp6 vrid virtual-router-id virtual-ip virtual-ipv6-address

Note the following points when using the previous commands:

• virtual-router-id specifies the VRRP group ID. The two hot standby NGFWs must be
  configured with the same VRID.
• FE80::X:X link-local specifies the link-local address of the VRRPv6 group. The link-local
  address is an IPv6 address whose prefix is FE80. This address is used for communication
  between adjacent nodes on a link and is valid only for the link. Before configuring a virtual
  IPv6 address for a VRRPv6 group, you must configure a link-local address for the group.
• virtual-address specifies the virtual IPv4 address of the VRRP group, while virtual-ipv6-
  address specifies the virtual IPv6 address of the VRRPv6 group. The virtual IP address must
  not be the same as the interface address.
  Both NGFWs use the virtual IP address to communicate with other devices. For upstream
  and downstream devices, the two NGFWs serve as one device, with the virtual IP address
  being the interface address. If you configure static routes on upstream and downstream
  devices, configure the virtual IP address as the next hop.


• ip-mask | ip-mask-length specifies the subnet mask of the virtual IPv4 address of the VRRP
  group. If the virtual IP address and interface IP address are in different network segments,
  configure the subnet mask for the interface IP address.

Step 3 Optional: Configure VRRP authentication.

vrrp vrid virtual-router-id authentication-mode { simple | md5 } key

By default, VRRP packets are not authenticated by the NGFW. VRRP packet authentication is
not required on a secure network.

You can enable VRRP packet authentication if necessary. The NGFW supports simple text
authentication (with parameter simple configured) and md5 authentication.

NOTE

Set the same VRRP authentication key on the service interfaces that are added to the same VRRP group.
VRRPv6 groups do not support VRRP packet authentication.

Step 4 Optional: Enable the virtual MAC address function on the interface.

vrrp virtual-mac enable

By default, the virtual MAC address is enabled on the NGFW.

Enable this function on the interface when the directly connected device is a Layer-4 switch.

Step 5 Optional: In the system view, configure the interval at which the active device sends gratuitous
ARP packets.

vrrp gratuitous-arp timeout time

By default, the active device sends gratuitous ARP packets every 300s (5 minutes).

The time value must be smaller than the aging time of the MAC address table on the switches
directly connected to the NGFW. The smaller the time value, the sooner the MAC address table
on the switches is updated after the active/standby switchover of the NGFW.

----End

Example
When the NGFWs work in active/standby mode shown in Figure 6-27, the VRRP group
configuration is as follows:
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[NGFW_A-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 active
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW_A-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 active
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.0.2 24
[NGFW_B-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 standby
[NGFW_B-GigabitEthernet1/0/1] quit
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.3.0.2 24
[NGFW_B-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 standby
[NGFW_B-GigabitEthernet1/0/3] quit


When the NGFWs work in load balancing mode shown in Figure 6-27, the VRRP group
configuration is as follows:
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[NGFW_A-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 active
[NGFW_A-GigabitEthernet1/0/1] vrrp vrid 4 virtual-ip 10.2.0.4 standby
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW_A-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 active
[NGFW_A-GigabitEthernet1/0/3] vrrp vrid 3 virtual-ip 10.3.0.4 standby
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.0.2 24
[NGFW_B-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 standby
[NGFW_B-GigabitEthernet1/0/1] vrrp vrid 4 virtual-ip 10.2.0.4 active
[NGFW_B-GigabitEthernet1/0/1] quit
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.3.0.2 24
[NGFW_B-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 standby
[NGFW_B-GigabitEthernet1/0/3] vrrp vrid 3 virtual-ip 10.3.0.4 active
[NGFW_B-GigabitEthernet1/0/3] quit
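The rules stated for the Virtual IP Address/MASK parameter in the web procedure and in the notes after Step 2 of this section (the same VRIDs on both NGFWs, the same virtual IP per VRID, opposite active/standby roles, a virtual IP that is never the interface IP, a subnet mask whenever the virtual IP lies outside the interface subnet, and one active plus one standby group per interface in load balancing mode) can be checked mechanically before the configuration is committed. The Python below is an added example and is not code from this guide or from Huawei: it parses CLI transcripts in the form the guide prints (the constructed sample is the load-balancing configuration above) and reports every violation it finds. The mode argument and the finding texts are this example's own; virtual_mac applies the 00-00-5E-00-01-{VRID} format from the Virtual MAC parameter description, and the 1 to 255 VRID range it enforces is the VRRP standard's range rather than a statement on this page.

```python
import ipaddress
import re

# Strips a CLI prompt such as "[NGFW_A-GigabitEthernet1/0/1] " from a transcript line.
PROMPT_RE = re.compile(r"^\[[^\]]*\]\s*")

# Constructed sample input: the guide's load-balancing configuration, one transcript per device.
NGFW_A_LB = """\
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[NGFW_A-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 active
[NGFW_A-GigabitEthernet1/0/1] vrrp vrid 4 virtual-ip 10.2.0.4 standby
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW_A-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 active
[NGFW_A-GigabitEthernet1/0/3] vrrp vrid 3 virtual-ip 10.3.0.4 standby
[NGFW_A-GigabitEthernet1/0/3] quit
"""
NGFW_B_LB = """\
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.0.2 24
[NGFW_B-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 10.2.0.3 standby
[NGFW_B-GigabitEthernet1/0/1] vrrp vrid 4 virtual-ip 10.2.0.4 active
[NGFW_B-GigabitEthernet1/0/1] quit
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.3.0.2 24
[NGFW_B-GigabitEthernet1/0/3] vrrp vrid 1 virtual-ip 10.3.0.3 standby
[NGFW_B-GigabitEthernet1/0/3] vrrp vrid 3 virtual-ip 10.3.0.4 active
[NGFW_B-GigabitEthernet1/0/3] quit
"""

def virtual_mac(vrid):
    """Virtual MAC address derived from the VRID, in the 00-00-5E-00-01-{VRID} format."""
    if not 1 <= vrid <= 255:            # VRRP VRID range (assumption from the protocol, not this page)
        raise ValueError("VRID must be between 1 and 255")
    return f"00-00-5E-00-01-{vrid:02X}"

def parse_interfaces(config_text):
    """Map each interface view to its IP address and its VRRP groups ({vrid: {vip, mask, role}})."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        t = PROMPT_RE.sub("", raw).split()
        if not t:
            continue
        if t[0] == "interface":
            current = "".join(t[1:])                      # "GigabitEthernet 1/0/1" -> "GigabitEthernet1/0/1"
            interfaces.setdefault(current, {"ip": None, "vrrp": {}})
        elif t[0] == "quit":
            current = None
        elif current and t[:2] == ["ip", "address"]:
            interfaces[current]["ip"] = ipaddress.IPv4Interface(f"{t[2]}/{t[3]}")
        elif current and t[:2] == ["vrrp", "vrid"]:
            # vrrp vrid N virtual-ip A.B.C.D [ ip-mask | ip-mask-length ] { active | standby }
            mask = t[5] if len(t) == 7 else None
            interfaces[current]["vrrp"][int(t[2])] = {
                "vip": ipaddress.IPv4Address(t[4]), "mask": mask, "role": t[-1]}
    return interfaces

def check_vrrp_pair(config_a, config_b, mode):
    """Apply the guide's VRRP rules to two devices; mode is 'active-standby' or 'load-balancing'.
    Returns a list of findings; an empty list means the pair is consistent."""
    a, b = parse_interfaces(config_a), parse_interfaces(config_b)
    findings = []
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            findings.append(f"{name}: configured on only one device")
            continue
        ia, ib = a[name], b[name]
        if set(ia["vrrp"]) != set(ib["vrrp"]):
            findings.append(f"{name}: VRIDs differ ({sorted(ia['vrrp'])} vs {sorted(ib['vrrp'])})")
        for vrid in sorted(set(ia["vrrp"]) & set(ib["vrrp"])):
            ga, gb = ia["vrrp"][vrid], ib["vrrp"][vrid]
            if ga["vip"] != gb["vip"]:
                findings.append(f"{name} VRID {vrid}: virtual IP differs ({ga['vip']} vs {gb['vip']})")
            if {ga["role"], gb["role"]} != {"active", "standby"}:
                findings.append(f"{name} VRID {vrid}: both devices are {ga['role']}")
        for label, iface in (("A", ia), ("B", ib)):
            ip = iface["ip"]
            for vrid, g in iface["vrrp"].items():
                if ip is None:
                    findings.append(f"{name} on {label}: VRRP group without an interface IP address")
                elif g["vip"] == ip.ip:
                    findings.append(f"{name} VRID {vrid} on {label}: virtual IP equals the interface IP")
                elif g["vip"] not in ip.network and g["mask"] is None:
                    findings.append(f"{name} VRID {vrid} on {label}: virtual IP outside {ip.network}, mask required")
            roles = sorted(g["role"] for g in iface["vrrp"].values())
            if mode == "load-balancing" and roles != ["active", "standby"]:
                findings.append(f"{name} on {label}: load balancing needs one active and one standby group, got {roles}")
    if mode == "active-standby":
        for label, dev in (("A", a), ("B", b)):
            roles = {g["role"] for i in dev.values() for g in i["vrrp"].values()}
            if len(roles) > 1:
                findings.append(f"device {label}: mixed VRRP roles {sorted(roles)} in active/standby mode")
    return findings

if __name__ == "__main__":
    print(check_vrrp_pair(NGFW_A_LB, NGFW_B_LB, "load-balancing") or "consistent")
```

Run against the two sample transcripts the checker reports nothing; changing one group's role or virtual IP on NGFW_B produces a finding for that interface and VRID, which is the same class of mismatch the web UI's Configuration Consistency check is meant to surface after hot standby is enabled.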

6.1.7.3 Configure Interface Monitoring


This section describes how to configure interface monitoring when service interfaces work at
Layer 3 and connect to routers.

Prerequisites
1. Service interfaces are configured, including setting interface IP addresses and assigning
interfaces to security zones.
2. OSPF is configured on the NGFWs and their downstream and upstream routers.
3. A security policy is configured to permit legitimate traffic.

Procedure
Step 1 Access an interface view from the system view.

interface interface-type interface-number

The interface can be a Layer-3 Ethernet interface, its subinterface, or a Layer-3 Eth-Trunk
interface.

Step 2 Enable an active or standby VGMP group to monitor the interface.

hrp track { active | standby }

In active/standby mode, run the hrp track active command on the service interfaces of the active
NGFW and the hrp track standby command on the service interfaces of the standby NGFW.

In load balancing mode, run both the hrp track active and hrp track standby commands on
the service interfaces of the active and standby NGFWs.

Step 3 In the system view, enable OSPF cost adjustment based on VGMP group status.
• IPv4 networks:
hrp ospf-cost adjust-enable [ standby-cost ]


• IPv6 networks:
hrp ospfv3-cost adjust-enable [ standby-cost ]

NOTICE
This command is mandatory in active/standby mode when the service interfaces work at Layer
3 and connect to routers. This command is optional in load balancing mode.

By default, this function is enabled, and the cost value (standby-cost) is 65500.

The value of standby-cost depends on the OSPF costs of the upstream and downstream routers,
and it must be greater than the costs of the upstream and downstream routers of the standby
NGFW.

After you run this command, the NGFW advertises OSPF costs based on its active/standby status.
If the NGFW is the active device, it advertises the routes it learns. If the NGFW is the standby
device, it advertises the routes whose costs are standby-cost so that the upstream and downstream
routers can use the active NGFW as the next hop based on route calculation.

----End

Example

Figure 6-28 Configure interface monitoring

(Figure, labels recovered from the drawing: Router A and Router B connect to GE1/0/3 of the
NGFWs, Router C and Router D to GE1/0/1, with OSPF on both sides. NGFW_A: GE1/0/3
10.3.0.1/24, GE1/0/1 10.2.0.1/24, GE1/0/7 10.10.0.1/24. NGFW_B: GE1/0/3 10.3.1.1/24,
GE1/0/1 10.2.1.1/24, GE1/0/7 10.10.0.2/24. The GE1/0/7 interfaces link NGFW_A to NGFW_B.)

In active/standby mode shown in Figure 6-28, the interface monitoring configurations are as
follows:
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[NGFW_A-GigabitEthernet1/0/1] hrp track active
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW_A-GigabitEthernet1/0/3] hrp track active
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[NGFW_B-GigabitEthernet1/0/1] hrp track standby


[NGFW_B-GigabitEthernet1/0/1] quit
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.3.1.1 24
[NGFW_B-GigabitEthernet1/0/3] hrp track standby
[NGFW_B-GigabitEthernet1/0/3] quit

In load balancing mode shown in Figure 6-28, the interface monitoring configurations are as
follows:
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 24
[NGFW_A-GigabitEthernet1/0/1] hrp track active
[NGFW_A-GigabitEthernet1/0/1] hrp track standby
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW_A-GigabitEthernet1/0/3] hrp track active
[NGFW_A-GigabitEthernet1/0/3] hrp track standby
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[NGFW_B-GigabitEthernet1/0/1] hrp track active
[NGFW_B-GigabitEthernet1/0/1] hrp track standby
[NGFW_B-GigabitEthernet1/0/1] quit
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.3.1.1 24
[NGFW_B-GigabitEthernet1/0/3] hrp track active
[NGFW_B-GigabitEthernet1/0/3] hrp track standby
[NGFW_B-GigabitEthernet1/0/3] quit
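Step 3 of this section describes the effect of hrp ospf-cost adjust-enable in words only: the standby NGFW advertises its routes with standby-cost, so the routers' shortest-path calculation keeps choosing the active NGFW, and standby-cost must be greater than the costs on the routers around the standby device. The Python below is an added example, not code from this guide or from Huawei: it builds a topology shaped like Figure 6-28 with assumed link costs, applies standby-cost to the links of whichever NGFW is standby, and runs a shortest-path computation to show which NGFW the routers select before and after a switchover, and what goes wrong when standby-cost is not large enough. The node names, link costs and function names are this example's own.

```python
import heapq

# Constructed topology modelled on Figure 6-28: Router A and Router B downstream, Router C and
# Router D upstream, each router pair interconnected. Link costs are assumed values, not from the guide.
ROUTER_COSTS = {
    ("RouterA", "NGFW_A"): 10, ("NGFW_A", "RouterC"): 10,
    ("RouterB", "NGFW_B"): 10, ("NGFW_B", "RouterD"): 10,
    ("RouterA", "RouterB"): 5, ("RouterC", "RouterD"): 5,
}

def build_graph(standby, standby_cost, links=ROUTER_COSTS):
    """Undirected cost graph in which every link of the standby NGFW carries standby_cost,
    modelling the routes the standby device advertises after hrp ospf-cost adjust-enable."""
    graph = {}
    for (u, v), cost in links.items():
        if standby in (u, v):
            cost = standby_cost
        graph.setdefault(u, {})[v] = cost
        graph.setdefault(v, {})[u] = cost
    return graph

def shortest_path(graph, src, dst):
    """Dijkstra over the cost graph; returns (total_cost, node_list), or (None, []) if unreachable."""
    best = {src: 0}
    heap = [(0, src, [src])]
    while heap:
        cost, node, path = heapq.heappop(heap)
        if node == dst:
            return cost, path
        if cost > best[node]:                 # stale heap entry
            continue
        for nxt, link in graph[node].items():
            if nxt not in best or cost + link < best[nxt]:
                best[nxt] = cost + link
                heapq.heappush(heap, (cost + link, nxt, path + [nxt]))
    return None, []

def forwarding_ngfw(standby, standby_cost, src="RouterA", dst="RouterC"):
    """The NGFW that the OSPF best path from src to dst crosses, given which NGFW is standby."""
    _, path = shortest_path(build_graph(standby, standby_cost), src, dst)
    return next((n for n in path if n.startswith("NGFW")), None)

def standby_cost_is_safe(standby_cost, links=ROUTER_COSTS):
    """The guide's rule: standby-cost must be greater than the router costs around the standby NGFW."""
    return standby_cost > max(links.values())

if __name__ == "__main__":
    for standby, cost in (("NGFW_B", 65500), ("NGFW_A", 65500), ("NGFW_B", 2)):
        print(f"standby={standby} standby-cost={cost}: traffic crosses {forwarding_ngfw(standby, cost)}")
```

With the default standby-cost of 65500 the path from Router A to Router C crosses NGFW_A while NGFW_B is standby, and crosses NGFW_B after the roles swap, which is the behaviour the step describes. With a standby-cost of 2, smaller than the routers' own costs, the detour through the standby NGFW becomes the cheapest path even though NGFW_A is still active, which is why the value must exceed the costs of the routers around the standby device.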

6.1.7.4 Configuring VLAN Monitoring


This section describes how to configure VLAN monitoring when service interfaces work at
Layer 2. By default, the VGMP group monitors all VLANs except VLAN1 after hot standby is
enabled.

Prerequisites
1. Service interfaces are configured, including configuring interfaces as Layer 2 interfaces
and assigning interfaces to security zones.
2. The upstream and downstream service interfaces are added to the same VLAN (not
VLAN1).
3. A security policy is configured to permit legitimate traffic.

Context
Note the following when you configure VLAN monitoring:

• When service interfaces work at Layer 2 and connect to switches, VLAN monitoring can
  be implemented only in active/standby mode.
• When service interfaces work at Layer 3 and connect to routers, VLAN monitoring can be
  implemented only in load balancing mode. In such cases, the OSPF costs on the upstream
  routers must be the same, and those on the downstream routers must be the same, too.

Procedure
Step 1 Access a VLAN view from the system view.


vlan vlan-id

Step 2 Enable an active or standby VGMP group to monitor the VLAN.

hrp track { active | standby }

In active/standby mode, run the hrp track active command in the view of the VLAN of the
service interfaces on the active NGFW and the hrp track standby command in that of the service
interfaces on the standby NGFW.

In load balancing mode, run both hrp track active and hrp track standby commands on the
service interfaces of the active and standby NGFWs.

----End

Example

Figure 6-29 Configuring VLAN monitoring (service interfaces connect to switches)

(Figure, labels recovered from the drawing: Switch A and Switch B connect to GE1/0/3 of
NGFW_A and NGFW_B, Switch C and Switch D to GE1/0/1; the service interfaces on both sides
are in VLAN2. Legend: service link, heartbeat link, VLAN.)

When service interfaces work at Layer 2 and connect to switches in active/standby mode shown
in Figure 6-29, the configurations of VLAN monitoring are as follows:
[NGFW_A] VLAN 2
[NGFW_A-vlan-2] port GigabitEthernet 1/0/1
[NGFW_A-vlan-2] port GigabitEthernet 1/0/3
[NGFW_A-vlan-2] hrp track active
[NGFW_B] VLAN 2
[NGFW_B-vlan-2] port GigabitEthernet 1/0/1
[NGFW_B-vlan-2] port GigabitEthernet 1/0/3
[NGFW_B-vlan-2] hrp track standby


Figure 6-30 Configuring VLAN monitoring (service interfaces connect to routers)

(Figure, labels recovered from the drawing: Router A and Router B connect to GE1/0/3 of
NGFW_A and NGFW_B, Router C and Router D to GE1/0/1; the service interfaces are in VLAN2
and the routers share one OSPF area. Legend: service link, heartbeat link, VLAN.)

When service interfaces work at Layer 2 and connect to routers in load-balancing mode shown
in Figure 6-30, the configurations of VLAN monitoring are as follows:
[NGFW_A] VLAN 2
[NGFW_A-vlan-2] port GigabitEthernet 1/0/1
[NGFW_A-vlan-2] port GigabitEthernet 1/0/3
[NGFW_A-vlan-2] hrp track active
[NGFW_A-vlan-2] hrp track standby
[NGFW_B] VLAN 2
[NGFW_B-vlan-2] port GigabitEthernet 1/0/1
[NGFW_B-vlan-2] port GigabitEthernet 1/0/3
[NGFW_B-vlan-2] hrp track active
[NGFW_B-vlan-2] hrp track standby

6.1.7.5 Configuring Heartbeat Interfaces


This section describes how to configure a heartbeat interface on each NGFW and connect the
two interfaces with a heartbeat cable.

Context
The NGFWs use the heartbeat interface to exchange heartbeat packets and synchronize
configuration and status information.

You are advised to directly connect the heartbeat interfaces on the NGFWs.

You can also use an Eth-Trunk interface as the heartbeat interface to improve network
availability and increase the bandwidth of heartbeat link.

To configure an Eth-Trunk interface as a heartbeat interface, you need to run the load-balance
packet-all command to set per-packet load balancing for the Eth-Trunk interface.

Procedure
Step 1 Set an IP address for each heartbeat interface.


1. Access the interface view from the system view.

interface interface-type interface-number

A heartbeat interface can be a Layer-3 Ethernet interface or its subinterface, Layer-3 Eth-
Trunk interface, or Vlanif interface.
2. Set an IP address for each heartbeat interface.

ip address ip-address net-mask

You can set a private IP address because the heartbeat interface does not advertise routes
or forward service traffic.

Step 2 Assign the heartbeat interfaces to a security zone.


1. Access the security zone view from the system view.

firewall zone zone-name

You must assign the heartbeat interfaces on the two NGFWs to the same security zone.
2. Assign the heartbeat interfaces to a security zone.

add interface interface-type interface-number

Step 3 Specify the heartbeat interface in the system view.

hrp interface interface-type interface-number [ remote ip-address ]

• The type and ID of the heartbeat interfaces on the NGFWs must be the same. For example,
  if you set GigabitEthernet 1/0/7 as the heartbeat interface on NGFW_A, you must also set
  GigabitEthernet 1/0/7 as the heartbeat interface on NGFW_B.
• You can directly connect the heartbeat interfaces on the NGFWs or deploy a switch or router
  in between.
  If you deploy a switch or router in between, you must use the remote ip-address command
  to specify the IP address of the remote heartbeat interface.
  If you want to use a Layer 2 interface as a heartbeat interface, add the Layer 2 interface to a
  VLAN. Then create a VLANIF interface and configure an IP address for it. If you use a
  VLANIF interface as a heartbeat interface, the remote parameter must be set regardless of
  whether the heartbeat interfaces are directly interconnected or through another device.

Step 4 Optional: Configure the action as permit in the security policy implemented between the Local
zone and the security zone to which the heartbeat interfaces are assigned.
NOTE

• If remote is not set, the heartbeat packets are encapsulated into VRRP packets, and the NGFW that has no
  security policy can properly process backup packets.
• If remote is configured, the heartbeat packets are encapsulated into UDP packets, and a correct security
  policy needs to be configured for the interzone between the Local zone and the security zone where the
  heartbeat interfaces reside, which enables the NGFW to properly send and receive the heartbeat packets.
1. Access the security policy view from the system view.

security-policy
2. Create a security policy and access the security policy view.

rule name rule-name


3. Specify the source security zone.

source-zone { zone-name &<1-6> | all }

Set zone-name &<1-6> to local and the security zone to which the heartbeat interfaces are
assigned.

NOTE

Specify two security zones for both source-zone and destination-zone to permit bidirectional traffic
between the Local zone and the security zone to which the heartbeat interfaces are assigned.
4. Specify the destination security zone.

destination-zone { zone-name &<1-6> | all }

Set zone-name &<1-6> to local and the security zone to which the heartbeat interfaces are
assigned.
5. Set the action to permit.

action permit

----End

Example

Figure 6-31 Configuring heartbeat interfaces

(Figure, labels recovered from the drawing: Router A and Router B connect to GE1/0/3 of the
NGFWs, Router C and Router D to GE1/0/1, with OSPF on both sides. NGFW_A: GE1/0/3
10.3.0.1/24, GE1/0/1 10.2.0.1/24, GE1/0/7 10.10.0.1/24. NGFW_B: GE1/0/3 10.3.1.1/24,
GE1/0/1 10.2.1.1/24, GE1/0/7 10.10.0.2/24. The GE1/0/7 interfaces link NGFW_A to NGFW_B.)

As shown in Figure 6-31, NGFW_A and NGFW_B are connected using heartbeat interfaces
GigabitEthernet1/0/7, and GigabitEthernet1/0/7 is assigned to the DMZ.

The heartbeat interface configuration on NGFW_A is as follows:


[NGFW_A] interface GigabitEthernet 1/0/7
[NGFW_A-GigabitEthernet1/0/7] ip address 10.10.0.1 24
[NGFW_A-GigabitEthernet1/0/7] quit
[NGFW_A] firewall zone dmz
[NGFW_A-zone-dmz] add interface GigabitEthernet 1/0/7
[NGFW_A-zone-dmz] quit
[NGFW_A] security-policy
[NGFW_A-policy-security] rule name ha
[NGFW_A-policy-security-rule-ha] source-zone local dmz
[NGFW_A-policy-security-rule-ha] destination-zone local dmz
[NGFW_A-policy-security-rule-ha] action permit


[NGFW_A-policy-security-rule-ha] quit
[NGFW_A-policy-security] quit
[NGFW_A] hrp interface GigabitEthernet 1/0/7

The heartbeat interface configuration on NGFW_B is the same as that on NGFW_A except the
interface IP address.

6.1.7.6 Enabling Hot Standby


A hot standby network is established only after you enable the hot standby function.

Prerequisites
1. 6.1.7.2 Configuring VRRP Groups, 6.1.7.3 Configure Interface Monitoring, or 6.1.7.4
Configuring VLAN Monitoring is complete.
2. 6.1.7.5 Configuring Heartbeat Interfaces is complete.

Context
In active/standby mode, after you enable hot standby, the heartbeat interfaces are properly
configured if the HRP_A command prompt is displayed on the active device, and the HRP_S
command prompt is displayed on the standby device.

In load balancing mode, both NGFWs process services. The HRP_A command prompt is
displayed on the NGFW on which hot standby is enabled first, and the HRP_S command prompt
is displayed on the other NGFW.

NOTICE
In normal cases, HRP_A or HRP_S is not displayed on both NGFWs at the same time.

You must enable hot standby for the NGFWs to establish active/standby status before you
configure other services, such as NAT and IPSec. Then the configurations and status information
can be synchronized from the active NGFW to the standby NGFW.

Procedure
Step 1 Optional: In the system view, set the Hello interval.

hrp timer hello interval

The default Hello interval for the active VGMP group is 1000 milliseconds.


NOTICE
You are advised to use the default interval. If you set the interval to a smaller value, active/
standby switchover may be triggered when no fault occurs.
If you need to change this value, ensure that the intervals specified on active and standby
NGFWs are the same. Otherwise, the active/standby status of the NGFWs may frequently
change.

Step 2 Optional: Set the preemption delay for the VGMP group.

hrp preempt [ delay interval ]

The preemption function of the VGMP group is enabled by default, and the default preemption
delay is 60 seconds.

In hot standby scenarios, you are not advised to disable the preempt function of a VGMP
management group on the standby device. Otherwise, the standby device may fail to switch to
active when the active device is faulty.

NOTICE
In hot standby mode, if VRRP and dynamic routing protocols are enabled on the NGFWs and
their upstream and downstream devices, ensure that the preemption delay for the VGMP groups
is longer than the convergence period of the dynamic routing protocols (such as OSPF) to prevent
service interruptions. Or you can disable the preemption function.

Step 3 Configure load balancing in the system view.

hrp loadbalance-device

By default, the NGFWs work in active/standby mode. You can run this command to switch to
the load balancing mode.

In the load balancing mode, you must configure the command on both NGFWs.

You do not need to configure this command in active/standby mode.

Step 4 Configure active and standby devices in the system view.

hrp standby-device

The NGFW functions as the active device by default. You can run this command to configure
the NGFW as the standby device.

In the active/standby mode, you need to run this command on the standby NGFW to configure
it as the standby device. Do not configure this command on the active NGFW.

In load balancing mode, you do not need to configure active and standby devices.

Step 5 Configure NAT port allocation for load balancing in the system view.

hrp nat ports-segment { primary | secondary }


NOTICE
In load balancing mode, if a NAT address pool is required on the two NGFWs, you must run
the hrp nat ports-segment primary command on one NGFW and the hrp nat ports-segment
secondary command on the other NGFW to prevent port conflicts during NAT process.
You do not need to configure this command in active/standby mode.

Step 6 Optional: Set a delay for TCP session status detection in the system view.

hrp tcp link-state check delay delay-time

When the upstream and downstream service interfaces on the NGFW work in hot standby mode
at Layer 2 and TCP session status detection is enabled on the NGFW, run the hrp tcp link-state
check delay command on active and standby NGFWs to set a delay for TCP session status
detection. Otherwise, the new active NGFW upon a switchover fails to establish sessions because
it cannot immediately learn the MAC address table. After a delay is set, TCP session status
detection is postponed on the new active NGFW after a switchover, ensuring that the new active
NGFW has enough time to learn the MAC address table.

By default, TCP session status detection is not delayed.

Step 7 Optional: Configure the key for encrypting specific backup packets (configuration commands)
between the active and standby devices.

hrp encryption-key

By default, backup packets are transmitted in plaintext. Because these packets carry
configuration commands, you are advised to run this command to configure an encryption key
when the heartbeat interfaces of the two NGFWs are not directly connected. Configure the key
on both the active and standby NGFWs and ensure that the two keys are the same. Otherwise,
backup between the NGFWs may fail.

Step 8 Enable hot standby in the system view.

hrp enable

You must run this command on both NGFWs.

Step 9 Optional: Enable auto-check for active/standby configuration consistency.

hrp configuration auto-check timer-interval

Auto-check is performed only on the active device. After auto-check is complete, the active
device sends the HRP/4/CFGCHECK log based on the check result.

This command can be automatically synchronized to the standby device. You only need to
configure this command on the active device. After an active/standby switchover is performed,
the new active device continues to check configuration consistency.

Step 10 Optional: Configure the priority in the IP header of the heartbeat packets.

hrp ip-packet priority priority-number

The default priority in the IP header of heartbeat packets is 6.


A larger value of the priority-number indicates a higher priority. Packets with a higher priority
are forwarded first.

Step 11 Optional: Allow configurations on the standby NGFW.

hrp standby config enable

This command applies only to the standby NGFW.

This function is disabled by default, so all information to be backed up must be configured on
the active NGFW.

After you enable this function, you can configure on the standby NGFW all information that can
be backed up, and the configuration is synchronized to the active NGFW.

If conflicting settings are configured on the active and standby NGFWs, the settings configured
later override those configured earlier.

----End

6.1.7.7 Configuring the Backup Mode


This section describes how to configure the backup modes, including automatic, manual, and
quick session backup.

Prerequisites
Hot standby has been enabled (hrp enable) before you enable automatic or manual backup.

Context
The NGFW supports three backup modes shown in Table 6-3.


Table 6-3 Backup modes supported by the NGFW

Automatic backup
Configuration commands: With automatic backup enabled and both the active and standby NGFWs
working properly, each command executed on the active NGFW is synchronized to the standby
NGFW if the command can be backed up. Commands that cannot be backed up are executed only
on the active NGFW. Commands that can be backed up are configured only on the active NGFW;
commands that cannot be backed up can be configured on both NGFWs. Automatic backup of
configuration commands fails when the standby NGFW is faulty.
Status information: When both NGFWs are running properly and status information that needs
to be backed up is generated on the active NGFW, the active NGFW automatically synchronizes
the status information to the standby NGFW. Automatic backup of status information fails when
the standby NGFW is faulty.
Description: Automatic backup is enabled on the NGFW by default. The active NGFW
automatically synchronizes configuration commands and status information to the standby
NGFW. This function applies to various hot standby networks.

Manual batch backup
Configuration commands: When both the active and standby NGFWs are working properly, you
can execute a command to instruct the active NGFW to synchronize the configuration commands
that can be backed up to the standby NGFW. The commands executed on the active NGFW are
then executed on the standby NGFW as well. Manual batch backup of configuration commands
fails when the standby NGFW is faulty.
Status information: When both the active and standby NGFWs are working properly, you can
execute a command to synchronize the status information that can be backed up to the standby
NGFW. Manual batch backup of status information fails when the standby NGFW is faulty.
Description: Manual batch backup is required when the configurations of the active and standby
NGFWs differ.

Quick session backup
Configuration commands: No backup.
Status information: When the NGFWs work in load-balancing mode, the forward and return
packets may pass through different NGFWs. If the session information is not synchronized to
the standby NGFW in time, the standby NGFW discards the packets. Quick session backup
synchronizes the status information from the active NGFW to the standby NGFW so that the
return packets match the session table on the standby NGFW, ensuring service continuity on
networks where the forward and return paths of packets differ.
Description: For timely synchronization, only status information is synchronized in quick
session backup. Quick session backup applies to load-balancing mode, in which both the active
and standby devices process services.

Procedure
- Enable automatic backup of commands and status information in the system view.

hrp auto-sync [ config [ static-route ] | connection-status ]

By default, the automatic backup of configuration commands and connection statuses of the
NGFW is enabled, but the automatic backup of static routes is disabled.

You can run the hrp auto-sync config command to enable the automatic backup function
(except for automatic backup of static routes). To enable automatic backup of static routes,
run the hrp auto-sync config static-route command.

When you run the hrp auto-sync command without specifying parameter config or
connection-status, both the commands (except for automatic backup of static routes) and
status information are automatically backed up.

- Enable manual batch backup in the user view.

hrp sync [ config | connection-status ]

Enable manual batch backup when automatic backup fails or when configurations are out
of sync.

- Enable quick session backup in the system view.

hrp mirror session enable

When the NGFWs work in load-balancing mode, the forward and return packets may pass
through different NGFWs. To ensure service continuity, you must enable quick session
backup so that the session information on one NGFW is synchronized to the other NGFW.

When the NGFWs work in active/standby mode, enabling quick session backup is optional.

NOTE

Quick session backup synchronizes only session status information.

----End
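The two failure modes described in this section and in Step 5 of the preceding procedure, a return packet that reaches the NGFW that never saw the forward packet, and two NGFWs handing out source ports from one shared NAT address pool, can be shown with a small model. The following Python script is an added example written for this page; it is not Huawei code and does not reproduce the NGFW's real session table. The packet layout, the device and function names, and the split of the port space between the primary and secondary segments are assumptions of the example (the guide states only that the two devices must use different segments).

```python
"""Toy model of two NGFWs in load-balancing mode. Added example, not Huawei
code: it models only what this chapter states about quick session backup and
NAT port segments; the port split point and packet layout are assumptions."""
from dataclasses import dataclass, field
from typing import Optional

POOL_IP = "1.1.1.1"                   # NAT address pool from the 6.1.8.1 example
FULL_RANGE = range(1024, 65536)
# Assumed split: the guide says only that primary and secondary must differ.
PORT_SEGMENTS = {"primary": range(1024, 32768), "secondary": range(32768, 65536)}


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self) -> "Packet":
        return Packet(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass
class Session:
    inside: Packet      # forward 5-tuple before NAT (trust side)
    outside: Packet     # forward 5-tuple after NAT (untrust side)
    owner: str          # device that created the session


@dataclass
class NGFW:
    name: str
    ports_segment: Optional[str] = None   # hrp nat ports-segment primary|secondary, or unset
    mirror_session: bool = False          # hrp mirror session enable
    peer: Optional["NGFW"] = None
    table: dict = field(default_factory=dict)   # reply 5-tuple -> Session

    def __post_init__(self):
        rng = PORT_SEGMENTS[self.ports_segment] if self.ports_segment else FULL_RANGE
        self._ports = iter(rng)           # next free source port in this device's range

    def forward(self, pkt: Packet) -> Session:
        """Trust->untrust packet: NAT the source, install the session and, with
        quick session backup on, copy it to the peer."""
        outside = Packet(pkt.proto, POOL_IP, next(self._ports), pkt.dst_ip, pkt.dst_port)
        sess = Session(pkt, outside, self.name)
        self.table[outside.reverse()] = sess
        if self.mirror_session and self.peer is not None:
            self.peer.table[outside.reverse()] = sess
        return sess

    def handle_return(self, pkt: Packet) -> str:
        """Untrust->trust packet: forwarded only if it matches a session."""
        return "forward" if pkt in self.table else "drop"


def make_pair(mirror: bool, segmented: bool):
    a = NGFW("NGFW_A", "primary" if segmented else None, mirror)
    b = NGFW("NGFW_B", "secondary" if segmented else None, mirror)
    a.peer, b.peer = b, a
    return a, b


def asymmetric_return(mirror: bool) -> str:
    """Forward packet through NGFW_A, reply arrives at NGFW_B (constructed flow)."""
    a, b = make_pair(mirror, segmented=True)
    sess = a.forward(Packet("tcp", "10.3.0.100", 40000, "203.0.113.10", 443))
    return b.handle_return(sess.outside.reverse())


def nat_port_collision(segmented: bool) -> bool:
    """Two intranet hosts, one through each NGFW, sharing the same pool IP.
    Identical outside tuples mean the mirrored sessions overwrite each other
    and the reply for one host is delivered to the other."""
    a, b = make_pair(mirror=True, segmented=segmented)
    s1 = a.forward(Packet("tcp", "10.3.0.100", 40000, "203.0.113.10", 443))
    s2 = b.forward(Packet("tcp", "10.3.0.101", 40000, "203.0.113.10", 443))
    return s1.outside == s2.outside


if __name__ == "__main__":
    print("mirror off:", asymmetric_return(False))
    print("mirror on: ", asymmetric_return(True))
    print("no segments:", nat_port_collision(False))
    print("segmented:  ", nat_port_collision(True))
```

asymmetric_return(False) returns "drop" because NGFW_B holds no session for the reply; with quick session backup on it returns "forward". nat_port_collision(False) returns True because both devices allocate the same (pool IP, port) pair for different intranet hosts, so the mirrored sessions collide; with primary and secondary segments it returns False.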

6.1.7.8 Configuration Verification


After you configure hot standby, you can verify the configuration as follows.

Procedure
Step 1 Check command prompts.

After the HRP active/standby relationship is established, the NGFW whose command line
prompt begins with HRP_A is the active device, and the NGFW whose command line prompt
begins with HRP_S is the standby device.

Step 2 Check the hot standby configuration based on Table 6-4.

Table 6-4 Hot standby configuration verification checklist

Columns: No. | Mandatory or Optional | Item | Check Method. Record the check result for each
item as □Passed or □Not passed.

General items

1 (Mandatory) Models and software versions of the active and standby firewalls are the same.
  Check method: <sysname> display version

2 (Mandatory) Types and slots of interface cards of the active and standby firewalls are the same.
  Check method: <sysname> display device

3 (Mandatory) Service interfaces of the active and standby firewalls are the same.
  Check method: <sysname> display hrp state

4 (Mandatory) Heartbeat interfaces of the active and standby firewalls are the same.
  Check method: <sysname> display hrp interface

4.a (Optional) If an Eth-Trunk is used as the heartbeat link, the member interfaces on the active
  and standby firewalls are the same.
  Check method: <sysname> display eth-trunk trunk-id

4.b (Optional) If a service link is used as the heartbeat link, both the heartbeat interface and
  the IP address of the peer heartbeat interface are specified.
  Check method: <sysname> display current-configuration | include hrp interface

5 (Mandatory) Interfaces of the active and standby firewalls are added to the same security zones.
  Check method: <sysname> display zone

6 (Optional) Service interfaces of the active and standby firewalls are configured into the same
  VRRP backup group and share the same virtual IP address.
  Check method: IPv4: <sysname> display vrrp interface interface-type interface-number;
  IPv6: <sysname> display vrrp6 interface interface-type interface-number

7 (Optional) Service interfaces of the active and standby firewalls are configured into different
  VRRP management groups.
  Check method: <sysname> display hrp state

8 (Mandatory) The preemption function of the active firewall is disabled or the preemption delay
  is set to 60 seconds.
  Check method: <sysname> display hrp group

9 (Optional) If forward and return packets go through different paths, the quick session backup
  function is enabled.
  Check method: <sysname> display current-configuration | include hrp mirror

Service interfaces work at Layer 2

10 (Mandatory) The upstream and downstream service interfaces are added to the same VLAN.
  Check method: <sysname> display port vlan [ interface-type interface-number ]

11 (Mandatory) VRRP management groups are configured to monitor the status of service interfaces.
  Check method: <sysname> display hrp state

12 (Optional) If the firewalls are connected to upstream and downstream switches, the firewalls
  work in active/standby mode.
  Check method: <sysname> display hrp group

13 (Optional) If the firewalls are connected to upstream and downstream routers, the firewalls
  work in load balancing mode.
  Check method: <sysname> display hrp group

Service interfaces work at Layer 3

14 (Mandatory) IP addresses are assigned to the interfaces of the active and standby firewalls.
  Check method: <sysname> display ip interface brief

15 (Optional) If the firewalls are connected to upstream and downstream switches, the switches
  use the virtual IP address of the VRRP backup group as their next hop.
  Check method: Check the static route configurations of the upstream and downstream devices.

16 (Optional) If the firewalls are connected to upstream and downstream routers, OSPF runs
  between the firewalls and the routers, and the heartbeat interfaces are not in the OSPF area.
  Check method: <sysname> display ospf [ process-id ] brief

17 (Optional) If the firewalls are connected to upstream and downstream routers and work in
  active/standby mode, the route costs of the firewalls are adjusted according to the hot
  standby status.
  Check method: <sysname> display current-configuration | include hrp ospf-cost

Load Balancing

18 (Mandatory) Quick session backup is enabled.
  Check method: <sysname> display current-configuration | include hrp mirror

19 (Optional) The port range of the NAT address pool is specified.
  Check method: <sysname> display current-configuration | include hrp nat


Step 3 In the interface view of the active device, run the shutdown command on a service interface
to check whether an active/standby switchover occurs.

After you run the shutdown command on a service interface of the active device, that interface
goes down while the other service interfaces keep working. The switchover succeeds if the
command prompt on the original active device now begins with HRP_S, the command prompt on
the original standby device begins with HRP_A, and traffic is still forwarded properly.

Then run the undo shutdown command on the same interface so that it goes up again. After the
preemption delay expires, preemption succeeds if the command prompt on the original active
device begins with HRP_A again, the command prompt on the standby device begins with HRP_S,
and traffic is forwarded properly.

Step 4 In the user view of the active device, run the reboot command to check whether an active/
standby switchover occurs.

After you run the reboot command on the active device, the switchover succeeds if the command
prompt on the standby device begins with HRP_A and packets are forwarded properly.

When the rebooted device comes back up, it rejoins the pair. After the preemption delay expires,
preemption succeeds if its command prompt begins with HRP_A, the command prompt on the
standby device begins with HRP_S, and traffic is forwarded properly.

Both tests deliberately trigger a switchover on a production path, so schedule them in a
maintenance window.

----End
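Most of the pairing rules in the hot standby procedure above (hrp enable on both devices, exactly one hrp standby-device in active/standby mode or hrp loadbalance-device on both, primary and secondary NAT port segments, an encryption key on both devices) and in Table 6-4 (same heartbeat interface, same zone membership, mirrored VRRP roles with the same virtual IP) can be checked offline against the two saved configurations before the disruptive switchover tests in Step 3 and Step 4 are run. The following Python script is an added example written for this page, not Huawei code or an NGFW feature. It parses only the command forms that appear in this guide's configuration scripts; the sample configurations NGFW_A_CFG and NGFW_B_CFG are constructed for the example after the 6.1.8.1 script, and all function names are the example's own.

```python
"""Consistency checker for the saved configurations of an HRP pair. Added example, not
Huawei code: it encodes the pairing rules this chapter states, nothing more."""
import re
from collections import defaultdict
VRRP_RE = re.compile(r"vrrp vrid (\d+) virtual-ip (\S+)(?: \S+)? (active|standby)$")


def _ifname(name: str) -> str:
    return name.replace(" ", "")     # 'GigabitEthernet 1/0/7' == 'GigabitEthernet1/0/7'


def parse(config: str) -> dict:
    """Pull the HRP-relevant facts out of a VRP-style configuration script."""
    d = {"hrp": [], "vrrp": {}, "zones": defaultdict(set), "nat_pool": False}
    ctx_if = ctx_zone = None
    for raw in config.splitlines():
        line = raw.strip()
        d["nat_pool"] = d["nat_pool"] or line.startswith("nat address-group ")
        if not line or line == "#":               # '#' closes a configuration block
            ctx_if = ctx_zone = None
        elif line.startswith("interface "):
            ctx_if, ctx_zone = _ifname(line[10:]), None
        elif line.startswith("firewall zone "):
            ctx_zone, ctx_if = line.split()[2], None
        elif line.startswith("hrp "):
            d["hrp"].append(line)
        elif ctx_zone and line.startswith("add interface "):
            d["zones"][ctx_zone].add(_ifname(line[14:]))
        elif ctx_if and (m := VRRP_RE.match(line)):
            d["vrrp"][(ctx_if, int(m.group(1)))] = (m.group(2), m.group(3))
    return d


def _hrp_arg(d: dict, cmd: str):
    for line in d["hrp"]:                         # argument of 'hrp <cmd> ...', None if absent
        if line == cmd or line.startswith(cmd + " "):
            return line[len(cmd):].strip()
    return None


def check_pair(cfg_a: str, cfg_b: str) -> list:
    """Findings for the pair; an empty list means the two scripts are consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    both = (("A", a), ("B", b))
    has = lambda d, cmd: _hrp_arg(d, cmd) is not None
    out = [f"{n}: hrp enable missing" for n, d in both if not has(d, "hrp enable")]
    hb = {_ifname(_hrp_arg(d, "hrp interface") or "") for d in (a, b)}
    if len(hb) != 1 or "" in hb:
        out.append("heartbeat interface missing or different")
    lb = [has(d, "hrp loadbalance-device") for d in (a, b)]
    sb = [has(d, "hrp standby-device") for d in (a, b)]
    if all(lb):                                   # load-balancing mode
        out += [f"{n}: quick session backup not enabled" for n, d in both
                if not has(d, "hrp mirror session enable")]
        if any(sb):
            out.append("hrp standby-device is not used in load-balancing mode")
        segs = {_hrp_arg(d, "hrp nat ports-segment") for d in (a, b)}
        if (a["nat_pool"] or b["nat_pool"]) and segs != {"primary", "secondary"}:
            out.append("NAT port segments must be primary on one device, secondary on the other")
    elif any(lb):
        out.append("one device is load-balancing and the other is not")
    elif sb[0] == sb[1]:                          # active/standby mode
        out.append("exactly one device must have hrp standby-device")
    if has(a, "hrp encryption-key") != has(b, "hrp encryption-key"):
        out.append("hrp encryption-key configured on only one device")
    out += [f"zone {z}: interface membership differs"
            for z in sorted(set(a["zones"]) | set(b["zones"])) if a["zones"][z] != b["zones"][z]]
    for (ifc, vrid), va in sorted(a["vrrp"].items()):
        vb = b["vrrp"].get((ifc, vrid))
        if vb is None:
            out.append(f"{ifc} vrid {vrid}: VRRP group missing on B")
        elif va[0] != vb[0]:
            out.append(f"{ifc} vrid {vrid}: virtual IP differs")
        elif va[1] == vb[1]:
            out.append(f"{ifc} vrid {vrid}: both devices are {va[1]}")
    return out


# Constructed sample pair, modelled on the active/standby script in 6.1.8.1.
NGFW_A_CFG = """\
hrp enable
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
#
interface GigabitEthernet 1/0/3
 vrrp vrid 2 virtual-ip 10.3.0.3 active
#
firewall zone dmz
 add interface GigabitEthernet1/0/7
nat address-group 1
"""
NGFW_B_CFG = (NGFW_A_CFG.replace("hrp enable", "hrp enable\nhrp standby-device")
              .replace(" active", " standby").replace("GigabitEthernet1/0/7", "GigabitEthernet 1/0/7"))
# Mis-paired variants: no standby device and VRRP group 2 active on both; load balancing
# with a NAT pool but neither quick session backup nor NAT port segments configured.
NGFW_B_BAD = NGFW_B_CFG.replace("hrp standby-device\n", "").replace("10.3.0.3 standby", "10.3.0.3 active")
NGFW_A_LB = NGFW_A_CFG.replace("hrp enable", "hrp enable\nhrp loadbalance-device")
NGFW_B_LB = NGFW_B_CFG.replace("hrp standby-device", "hrp loadbalance-device")
```

check_pair returns an empty list for the sample pair, two findings for NGFW_B_BAD (no device is the standby device, and VRRP group 2 on GigabitEthernet1/0/3 is active on both), and three for the load-balancing variant (quick session backup missing on both devices, and no NAT port segments although a NAT address pool exists). The check reports only what the two scripts disagree on; it does not replace display hrp state on the devices themselves.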

6.1.8 Configuration Examples


This section provides several examples of how to configure hot standby.

6.1.8.1 Active/Standby Networking in Which the Service Interfaces of Each NGFW Work at Layer 3
and Are Directly Connected to Switches
This section provides an example of how to configure hot standby in the active/standby mode
in which the service interfaces of each NGFW work at Layer 3 and are directly connected to
switches.

Networking Requirements
On the network shown in Figure 6-32, the service interfaces of two NGFWs work at Layer 3
and are directly connected to switches.

The upstream switch is connected to the carrier network and the public IP address assigned to
the enterprise is 1.1.1.1.

The NGFWs are expected to work in active/standby mode. Normally, traffic is forwarded by
NGFW_A. When NGFW_A goes faulty, NGFW_B takes over.


Figure 6-32 Active/standby networking in which the service interfaces of each NGFW work at
Layer 3 and are directly connected to switches
(Figure labels: Router 1.1.1.10/24 upstream; VRRP group 1, virtual IP 1.1.1.1/24, on GE1/0/1 of
NGFW_A (10.2.0.1/24) and NGFW_B (10.2.0.2/24); heartbeat link between GE1/0/7 of NGFW_A
(10.10.0.1/24) and GE1/0/7 of NGFW_B (10.10.0.2/24); VRRP group 2, virtual IP 10.3.0.3/24, on
GE1/0/3 of NGFW_A (10.3.0.1/24) and NGFW_B (10.3.0.2/24); Intranet downstream; service
links and heartbeat link.)

Procedure
Step 1 Complete interfaces and basic network configurations.
1. Configure interfaces on NGFW_A.

a. Choose Network > Interface.


b. Click GE1/0/1 and set the parameters as follows:

Zone untrust

IPv4

IP Address 10.2.0.1/24

Default Gateway 1.1.1.2

c. Click OK.
d. Repeat the preceding steps to configure GE1/0/3.


Zone trust

IPv4

IP Address 10.3.0.1/24

e. Repeat the preceding steps to configure GE1/0/7.

Zone dmz

IPv4

IP Address 10.10.0.1/24

2. Configure interfaces on NGFW_B.


a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:

Zone untrust

IPv4

IP Address 10.2.0.2/24

Default Gateway 1.1.1.2

c. Click OK.
d. Repeat the preceding steps to configure GE1/0/3.

Zone trust

IPv4

IP Address 10.3.0.2/24

e. Repeat the preceding steps to configure GE1/0/7.

Zone dmz

IPv4

IP Address 10.10.0.2/24

Step 2 Configure hot standby.


1. Configure hot standby on NGFW_A.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:


d. Click OK.
2. Configure hot standby on NGFW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:

d. Click OK.

Step 3 On the intranet devices, configure a default route whose next hop is the virtual IP address
(10.3.0.3) of VRRP group 2.

Step 4 Configure the security policies.

Security policies configured on NGFW_A are automatically backed up to NGFW_B.

1. Choose Policy > Security Policy > Security Policy.


2. Click Add.
3. Configure security policy policy_sec and set the parameters as follows:

Name policy_sec


Source Zone trust

Destination Zone untrust

Action Permit

4. Click OK.

Step 5 Configure a NAT policy to allow intranet users to access the Internet.

NAT policies configured on NGFW_A are automatically backed up to NGFW_B.

1. Choose Policy > NAT Policy > Source NAT.


2. Click the NAT Address Pool tab.
3. Click Add.
4. Configure a NAT address pool and set the parameters as follows:

Name 1

IP Address Range 1.1.1.1-1.1.1.1

5. Click OK.
6. Click the Source NAT tab.
7. Click Add.
8. Configure NAT policy policy_nat and set the parameters as follows:

Name policy_nat

Source Zone trust

Destination Zone untrust

Action NAT

After NAT

Source Address IP address of the outbound interface

Address pool 1

9. Click OK.

----End

Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating status
of hot standby.

- Normally, the Current Working Mode of NGFW_A is Active/Standby Backup and the Current
State is Active. The Current Working Mode of NGFW_B is Active/Standby Backup and the
Current State is Standby. This shows that traffic is forwarded by NGFW_A.
- When NGFW_A goes faulty, the Current Working Mode of NGFW_A is Active/Standby
Backup and the Current State is Standby. The Current Working Mode of NGFW_B is
Active/Standby Backup and the Current State is Active. This shows that traffic is forwarded
by NGFW_B.

Configuration Script

NGFW_A:
#
hrp enable
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 10.2.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 active
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 1.1.1.2
#
nat address-group 1
 section 0 1.1.1.1 1.1.1.1
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  action permit
#
nat-policy
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  action nat address-group 1

NGFW_B:
#
hrp enable
hrp standby-device
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 10.2.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 standby
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 1.1.1.2
#
nat address-group 1
 section 0 1.1.1.1 1.1.1.1
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  action permit
#
nat-policy
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  action nat address-group 1


6.1.8.2 Load Balancing Networking in Which the Service Interfaces of Each NGFW Work at Layer 3
and Are Directly Connected to Switches
This section provides an example of how to configure hot standby in load balancing mode in which
the service interfaces of each NGFW work at Layer 3 and are directly connected to upstream and
downstream switches.

Networking Requirements
On the network shown in Figure 6-33, the service interfaces of the two NGFWs work at Layer 3
and are connected to upstream and downstream Layer 2 switches.

The NGFWs are expected to work in load balancing mode. Normally, both NGFW_A and
NGFW_B forward traffic. If either NGFW fails, the other NGFW forwards all traffic to ensure
service continuity.

Figure 6-33 Load balancing networking in which the service interfaces work at Layer 3 and are
upstream and downstream connected to switches
(Figure labels: GE1/0/1 of NGFW_A 1.1.1.1/24 and GE1/0/1 of NGFW_B 1.1.1.2/24 upstream;
heartbeat link between GE1/0/7 of NGFW_A (10.10.0.1/24) and GE1/0/7 of NGFW_B
(10.10.0.2/24); GE1/0/3 of NGFW_A 10.3.0.1/24 and GE1/0/3 of NGFW_B 10.3.0.2/24 toward the
Intranet; service path and backup path.)


Procedure
Step 1 Configure interfaces and perform the basic network configurations.
1. Configure interfaces on NGFW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the following parameters:

Security zone untrust

IPv4

IP Address 1.1.1.1/24

c. Click OK.
d. Repeat the preceding steps to set the following parameters for the GE1/0/3 interface.

Security zone trust

IPv4

IP Address 10.3.0.1/24

e. Repeat the preceding steps to set the following parameters for the GE1/0/7 interface.

Security zone dmz

IPv4

IP Address 10.10.0.1/24

2. Configure the interfaces on NGFW_B.


a. Choose Network > Interface.
b. Click GE1/0/1 and set the following parameters:

Zone untrust

IPv4

IP Address 1.1.1.2/24

c. Click OK.
d. Repeat the preceding steps to set the following parameters for the GE1/0/3 interface.

Security zone trust

IPv4

IP Address 10.3.0.2/24


e. Repeat the preceding steps to set the following parameters for the GE1/0/7 interface.

Security zone dmz

IPv4

IP Address 10.10.0.2/24

Step 2 Configure dual-system hot standby.


1. Configure dual-system hot standby on NGFW_A.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable checkbox and set the parameters as follows:

d. Click OK.
2. Configure dual-system hot standby on NGFW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:


d. Click OK.

Step 3 On the intranet devices, configure default routes so that some devices use the virtual IP
address 10.3.0.3 of VRRP backup group 3 as their next hop and the other devices use the virtual
IP address 10.3.0.4 of VRRP backup group 4, which spreads the traffic over the two NGFWs.

Step 4 Configure a security policy.

The security policy configurations on NGFW_A will be automatically backed up to NGFW_B.

1. Choose Policy > Security Policy > Security Policy.


2. Click Add.
3. Set the following parameters to configure security policies:

Name policy_sec

Source Zone trust

Destination Zone untrust

Action Permit

4. Click OK.
5. Click New.
6. Set the following parameters to configure security policies:

Name policy_dmz

Source zone local,dmz

Destination zone local,dmz

Action Permit


7. Click OK.

----End

Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating status
of hot standby.

- Normally, the Working Mode is Load Sharing for both NGFW_A and NGFW_B, and the
Current Status is Active for NGFW_A and Standby for NGFW_B. In this case, both NGFWs
forward traffic.
- If NGFW_A fails, the Working Mode is Active/Standby Backup for both NGFW_A and
NGFW_B, and the Current Status is Standby for NGFW_A and Active for NGFW_B. In this
case, only NGFW_B forwards traffic.

Configuration Script

NGFW_A:
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 1.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.3 active
 vrrp vrid 2 virtual-ip 1.1.1.4 standby
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 active
 vrrp vrid 4 virtual-ip 10.3.0.4 standby
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  action permit
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit

NGFW_B:
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 1.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.3 standby
 vrrp vrid 2 virtual-ip 1.1.1.4 active
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 3 virtual-ip 10.3.0.3 standby
 vrrp vrid 4 virtual-ip 10.3.0.4 active
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  action permit
 rule name policy_dmz
  source-zone local
  source-zone dmz
  destination-zone local
  destination-zone dmz
  action permit


6.1.8.3 Active/Standby Networking in Which the Service Interfaces of Each NGFW Work at Layer 3
and Are Directly Connected to Routers
This section provides an example of how to configure hot standby in the active/standby mode
in which the service interfaces of each NGFW work at Layer 3 and are directly connected to
routers.

Networking Requirements
On the network shown in Figure 6-34, the service interfaces of two NGFWs work at Layer 3
and are directly connected to routers. The NGFWs and directly connected routers run OSPF.

The NGFWs are expected to work in active/standby mode. Normally, traffic is forwarded by
NGFW_A. When NGFW_A goes faulty, NGFW_B takes over.

Figure 6-34 Active/standby networking in which the service interfaces of each NGFW work at
Layer 3 and are directly connected to routers
(Figure labels: OSPF runs on the upstream and downstream sides; GE1/0/1 of NGFW_A
10.2.0.1/24 and GE1/0/1 of NGFW_B 10.2.1.1/24; heartbeat link between GE1/0/7 of NGFW_A
(10.10.0.1) and GE1/0/7 of NGFW_B (10.10.0.2); GE1/0/3 of NGFW_A 10.3.0.1/24 and GE1/0/3
of NGFW_B 10.3.1.1/24; service links and heartbeat link.)

Procedure
Step 1 Configure interfaces and basic network configurations.
1. Configure interfaces on NGFW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:


Zone untrust

IPv4

IP Address 10.2.0.1/24

c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.

Zone trust

IPv4

IP Address 10.3.0.1/24

e. Repeat the preceding steps to set the parameters of GE1/0/7.

Zone dmz

IPv4

IP Address 10.10.0.1/24

2. Configure interfaces on NGFW_B.


a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:

Zone untrust

IPv4

IP Address 10.2.1.1/24

c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.

Zone trust

IPv4

IP Address 10.3.1.1/24

e. Repeat the preceding steps to set the parameters of GE1/0/7.

Zone dmz

IPv4

IP Address 10.10.0.2/24


Step 2 Configure OSPF to ensure IP connectivity.


1. Configure OSPF on NGFW_A.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:

Type OSPF v2

Process ID 10

d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:

Area 0.0.0.0

IP Network 10.2.0.0

Mask/Wildcard 255.255.255.0
Mask

h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:

Area 0.0.0.0

IP Network 10.3.0.0

Mask/Wildcard 255.255.255.0
Mask

l. Click OK.
2. Configure OSPF on NGFW_B.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:

Type OSPF v2

Process ID 10

d. Click OK.


e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:

Area 0.0.0.0

IP Network 10.2.1.0

Mask/Wildcard 255.255.255.0
Mask

h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:

Area 0.0.0.0

IP Network 10.3.1.0

Mask/Wildcard 255.255.255.0
Mask

l. Click OK.

Step 3 Configure hot standby.


1. Configure hot standby on NGFW_A.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:


d. Click OK.
2. Configure hot standby on NGFW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:

d. Click OK.

Step 4 Configure the security policies.


Security policies configured on NGFW_A are automatically backed up to NGFW_B.

1. Choose Policy > Security Policy > Security Policy.


2. Click Add.
3. Configure security policy policy_sec and set the parameters as follows:

Name policy_sec

Source Zone local,trust,untrust

Destination Zone local,trust,untrust

Action Permit

4. Click OK.

----End

Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating status
of hot standby.

• Normally, the Current Working Mode of NGFW_A is Active/Standby Backup and the Current State is Active. The Current Working Mode of NGFW_B is Active/Standby Backup and the Current State is Standby. This shows that traffic is forwarded by NGFW_A.
• When NGFW_A goes faulty, the Current Working Mode of NGFW_A is Active/Standby Backup and the Current State is Standby. The Current Working Mode of NGFW_B is Active/Standby Backup and the Current State is Active. This shows that traffic is forwarded by NGFW_B.

Configuration Script
NGFW_A
#
hrp enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 10.2.0.1 255.255.255.0
 hrp track active
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.1 255.255.255.0
 hrp track active
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.0.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
security-policy
 rule name policy_sec
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit

NGFW_B
#
hrp enable
hrp standby-device
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 10.2.1.1 255.255.255.0
 hrp track standby
#
interface GigabitEthernet 1/0/3
 ip address 10.3.1.1 255.255.255.0
 hrp track standby
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.1.0 0.0.0.255
  network 10.3.1.0 0.0.0.255
#
security-policy
 rule name policy_sec
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit

6.1.8.4 Load Balancing Networking in Which the Service Interfaces of Each NGFW
Work at Layer 3 and Are Directly Connected to Routers
This section provides an example of how to configure hot standby in the load balancing mode
in which the service interfaces of each NGFW work at Layer 3 and are directly connected to
routers.

Networking Requirements
On the network shown in Figure 6-35, the service interfaces of two NGFWs work at Layer 3
and are directly connected to routers. The NGFWs and directly connected routers run OSPF.

The NGFWs are expected to work in load balancing mode. Normally, both NGFW_A and
NGFW_B forward traffic. When one NGFW goes faulty, the other NGFW takes over all the
traffic load.

Figure 6-35 Load balancing networking in which the service interfaces of each NGFW work at
Layer 3 and are directly connected to routers

[Figure 6-35 topology: NGFW_A (GE1/0/1 10.2.0.1/24, GE1/0/3 10.3.0.1/24, GE1/0/7 10.10.0.1) and NGFW_B (GE1/0/1 10.2.1.1/24, GE1/0/3 10.3.1.1/24, GE1/0/7 10.10.0.2). GE1/0/1 and GE1/0/3 are service links to the upstream and downstream OSPF routers; GE1/0/7 is the heartbeat link between the two NGFWs.]

Procedure
Step 1 Configure interfaces and basic network configurations.
1. Configure interfaces on NGFW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:

Zone untrust

IPv4

IP Address 10.2.0.1/24

c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.

Zone trust

IPv4

IP Address 10.3.0.1/24

e. Repeat the preceding steps to set the parameters of GE1/0/7.

Zone dmz

IPv4

IP Address 10.10.0.1/24

2. Configure interfaces on NGFW_B.


a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:

Zone untrust

IPv4

IP Address 10.2.1.1/24

c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.

Zone trust

IPv4

IP Address 10.3.1.1/24

e. Repeat the preceding steps to set the parameters of GE1/0/7.

Zone dmz

IPv4

IP Address 10.10.0.2/24

Step 2 Configure OSPF to ensure IP connectivity.


1. Configure OSPF on NGFW_A.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:

Type OSPF v2

Process ID 10

d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:

Area 0.0.0.0

IP Network 10.2.0.0

Mask/Wildcard Mask 255.255.255.0

h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:

Area 0.0.0.0

IP Network 10.3.0.0

Mask/Wildcard Mask 255.255.255.0

l. Click OK.
2. Configure OSPF on NGFW_B.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:

Type OSPF v2

Process ID 10

d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:

Area 0.0.0.0

IP Network 10.2.1.0

Mask/Wildcard Mask 255.255.255.0

h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:

Area 0.0.0.0

IP Network 10.3.1.0

Mask/Wildcard Mask 255.255.255.0

l. Click OK.

Step 3 Configure hot standby.


1. Configure hot standby on NGFW_A.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:

d. Click OK.
2. Configure hot standby on NGFW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:

d. Click OK.

Step 4 Configure the security policies.

Security policies configured on NGFW_A are automatically backed up to NGFW_B.

1. Choose Policy > Security Policy > Security Policy.


2. Click Add.
3. Configure security policy policy_sec and set the parameters as follows:

Name policy_sec

Source Zone local,trust,untrust

Destination Zone local,trust,untrust

Action Permit

4. Click OK.

----End

Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating status
of hot standby.

• Normally, the Current Working Mode of NGFW_A is Load Balancing and the Current State is Active. The Current Working Mode of NGFW_B is Load Balancing and the Current State is Standby. This shows that traffic is forwarded by NGFW_A.
• When NGFW_A goes faulty, the Current Working Mode of NGFW_A is Active/Standby Backup and the Current State is Standby. The Current Working Mode of NGFW_B is Active/Standby Backup and the Current State is Active. This shows that traffic is forwarded by NGFW_B.

Configuration Script
NGFW_A
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 10.2.0.1 255.255.255.0
 hrp track active
 hrp track standby
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.1 255.255.255.0
 hrp track active
 hrp track standby
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.0.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
security-policy
 rule name policy_sec
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit

NGFW_B
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 10.2.1.1 255.255.255.0
 hrp track active
 hrp track standby
#
interface GigabitEthernet 1/0/3
 ip address 10.3.1.1 255.255.255.0
 hrp track active
 hrp track standby
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.1.0 0.0.0.255
  network 10.3.1.0 0.0.0.255
#
security-policy
 rule name policy_sec
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit

6.1.8.5 Active/Standby Networking in Which the Service Interfaces of Each NGFW Work at Layer 3 with Routers as Upstream Devices and Switches as Downstream Devices
This section provides an example of how to configure hot standby in the active/standby mode
in which the service interfaces of each NGFW work at Layer 3 with routers as upstream devices
and switches as downstream devices.

Networking Requirements
On the network shown in Figure 6-36, the service interfaces of two NGFWs work at Layer 3,
with routers as upstream devices and switches as downstream devices. The NGFWs and directly
connected routers run OSPF.

The NGFWs are expected to work in active/standby mode. Normally, traffic is forwarded by
NGFW_A. When NGFW_A goes faulty, NGFW_B takes over.

Figure 6-36 Active/standby networking in which the service interfaces of each NGFW work at
Layer 3 with routers as upstream devices and switches as downstream devices

[Figure 6-36 topology: NGFW_A (GE1/0/1 10.2.0.1/24, GE1/0/3 10.3.0.1/24, GE1/0/7 10.10.0.1) and NGFW_B (GE1/0/1 10.2.1.1/24, GE1/0/3 10.3.0.2/24, GE1/0/7 10.10.0.2). GE1/0/1 is a service link to the upstream OSPF router; GE1/0/3 is a service link to the downstream switch, where VRRP group 1 (virtual IP 10.3.0.3/24) has NGFW_A as master and NGFW_B as slave; GE1/0/7 is the heartbeat link.]

Procedure
Step 1 Configure interfaces and basic network configurations.
1. Configure interfaces on NGFW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:

Zone untrust

IPv4

IP Address 10.2.0.1/24

c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.

Zone trust

IPv4

IP Address 10.3.0.1/24

e. Repeat the preceding steps to set the parameters of GE1/0/7.

Zone dmz

IPv4

IP Address 10.10.0.1/24

2. Configure interfaces on NGFW_B.


a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:

Zone untrust

IPv4

IP Address 10.2.1.1/24

c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.

Zone trust

IPv4

IP Address 10.3.0.2/24

e. Repeat the preceding steps to set the parameters of GE1/0/7.

Zone dmz

IPv4

IP Address 10.10.0.2/24

Step 2 Configure OSPF to ensure IP connectivity.


1. Configure OSPF on NGFW_A.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:

Type OSPF v2

Process ID 10

d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:

Area 0.0.0.0

IP Network 10.2.0.0

Mask/Wildcard Mask 255.255.255.0

h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:

Area 0.0.0.0

IP Network 10.3.0.0

Mask/Wildcard Mask 255.255.255.0

l. Click OK.
2. Configure OSPF on NGFW_B.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:

Type OSPF v2

Process ID 10

d. Click OK.

e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:

Area 0.0.0.0

IP Network 10.2.1.0

Mask/Wildcard Mask 255.255.255.0

h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:

Area 0.0.0.0

IP Network 10.3.0.0

Mask/Wildcard Mask 255.255.255.0

l. Click OK.

Step 3 Configure hot standby.


1. Configure hot standby on NGFW_A.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:

d. Click OK.
2. Configure hot standby on NGFW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:

d. Click OK.

Step 4 Configure the default route whose next hop is the virtual IP address (10.3.0.3) of VRRP group 1.

Step 5 Configure the security policies.

Security policies configured on NGFW_A are automatically backed up to NGFW_B.

1. Choose Policy > Security Policy > Security Policy.


2. Click Add.
3. Configure security policy policy_sec and set the parameters as follows:

Name policy_sec

Source Zone local,trust,untrust

Destination Zone local,trust,untrust

Action Permit

4. Click OK.

----End

Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating status
of hot standby.

• Normally, the Current Working Mode of NGFW_A is Active/Standby Backup and the Current State is Active. The Current Working Mode of NGFW_B is Active/Standby Backup and the Current State is Standby. This shows that traffic is forwarded by NGFW_A.
• When NGFW_A goes faulty, the Current Working Mode of NGFW_A is Active/Standby Backup and the Current State is Standby. The Current Working Mode of NGFW_B is Active/Standby Backup and the Current State is Active. This shows that traffic is forwarded by NGFW_B.

Configuration Script
NGFW_A
#
hrp enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/7
hrp preempt delay 60
#
interface GigabitEthernet 1/0/1
 ip address 10.2.0.1 255.255.255.0
 hrp track active
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.3 active
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.0.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
security-policy
 rule name policy_sec
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit

NGFW_B
#
hrp enable
hrp standby-device
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/7
hrp preempt delay 60
#
interface GigabitEthernet 1/0/1
 ip address 10.2.1.1 255.255.255.0
 hrp track standby
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.3 standby
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.1.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
security-policy
 rule name policy_sec
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit

6.1.8.6 Load Balancing Networking in Which the Service Interfaces of Each NGFW
Work at Layer 3, with Routers as Upstream Devices and Switches as Downstream
Devices
This section provides an example of how to configure hot standby in load balancing mode in
which the service interfaces of each NGFW work at Layer 3, with routers as upstream devices
and switches as downstream devices.

Networking Requirements
On the network shown in Figure 6-37, the service interfaces of two NGFWs work at Layer 3,
with routers as upstream devices and switches as downstream devices. The NGFWs and directly
connected routers run OSPF.

The NGFWs are expected to work in load balancing mode. Normally, both NGFW_A and
NGFW_B forward traffic. When one NGFW goes faulty, the other NGFW takes over all the
traffic load.

Figure 6-37 Load balancing networking in which the service interfaces of each NGFW work at
Layer 3, with routers as upstream devices and switches as downstream devices

[Figure 6-37 topology: NGFW_A (GE1/0/1 10.2.0.1/24, GE1/0/3 10.3.0.1/24, GE1/0/7 10.10.0.1) and NGFW_B (GE1/0/1 10.2.1.1/24, GE1/0/3 10.3.0.2/24, GE1/0/7 10.10.0.2). GE1/0/1 is a service link to the upstream OSPF router; GE1/0/3 is a service link to the downstream switch, where VRRP group 1 (virtual IP 10.3.0.3/24) has NGFW_A as master and NGFW_B as slave and VRRP group 2 (virtual IP 10.3.0.4/24) has NGFW_B as master and NGFW_A as slave; GE1/0/7 is the heartbeat link.]

Procedure
Step 1 Configure interfaces and basic network configurations.
1. Configure interfaces on NGFW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:

Zone untrust

IPv4

IP Address 10.2.0.1/24

c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.

Zone trust

IPv4

IP Address 10.3.0.1/24

e. Repeat the preceding steps to set the parameters of GE1/0/7.

Zone dmz

IPv4

IP Address 10.10.0.1/24

2. Configure interfaces on NGFW_B.


a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:

Zone untrust

IPv4

IP Address 10.2.1.1/24

c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.

Zone trust

IPv4

IP Address 10.3.0.2/24

e. Repeat the preceding steps to set the parameters of GE1/0/7.

Zone dmz

IPv4

IP Address 10.10.0.2/24

Step 2 Configure OSPF to ensure IP connectivity.


1. Configure OSPF on NGFW_A.
a. Choose Network > Router > OSPF.
b. Click Add.

c. Create an OSPF process and set the parameters as follows:

Type OSPF v2

Process ID 10

d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:

Area 0.0.0.0

IP Network 10.2.0.0

Mask/Wildcard Mask 255.255.255.0

h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:

Area 0.0.0.0

IP Network 10.3.0.0

Mask/Wildcard Mask 255.255.255.0

l. Click OK.
2. Configure OSPF on NGFW_B.
a. Choose Network > Router > OSPF.
b. Click Add.
c. Create an OSPF process and set the parameters as follows:

Type OSPF v2

Process ID 10

d. Click OK.
e. Click .
f. Click Add.
g. Create an OSPF area and set the parameters as follows:

Area 0.0.0.0

IP Network 10.2.1.0

Mask/Wildcard Mask 255.255.255.0

h. Click OK.
i. Choose Basic Configuration > Network Settings.
j. Click Add.
k. Create a network and set the parameters as follows:

Area 0.0.0.0

IP Network 10.3.0.0

Mask/Wildcard Mask 255.255.255.0

l. Click OK.

Step 3 Configure hot standby.


1. Configure hot standby on NGFW_A.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:

d. Click OK.
2. Configure hot standby on NGFW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:

d. Click OK.

Step 4 Configure the default routes on intranet devices. You can set the next hop of some devices to
the virtual IP address (10.3.0.3) of VRRP group 1 and that of other devices to the virtual IP
address (10.3.0.4) of VRRP group 2.

Step 5 Configure the security policies.

Security policies configured on NGFW_A are automatically backed up to NGFW_B.

1. Choose Policy > Security Policy > Security Policy.


2. Click Add.
3. Configure security policy policy_sec and set the parameters as follows:

Name policy_sec

Source Zone local,trust,untrust

Destination Zone local,trust,untrust

Action Permit

4. Click OK.

----End

Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating status
of hot standby.

• Normally, the Current Working Mode of NGFW_A is Load Balancing and the Current State is Active. The Current Working Mode of NGFW_B is Load Balancing and the Current State is Standby. This shows that traffic is forwarded by NGFW_A.
• When NGFW_A goes faulty, the Current Working Mode of NGFW_A is Active/Standby Backup and the Current State is Standby. The Current Working Mode of NGFW_B is Active/Standby Backup and the Current State is Active. This shows that traffic is forwarded by NGFW_B.

Configuration Script
NGFW_A
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 10.2.0.1 255.255.255.0
 hrp track active
 hrp track standby
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.3 active
 vrrp vrid 2 virtual-ip 10.3.0.4 standby
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.0.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
security-policy
 rule name policy_sec
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit

NGFW_B
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/7
#
interface GigabitEthernet 1/0/1
 ip address 10.2.1.1 255.255.255.0
 hrp track active
 hrp track standby
#
interface GigabitEthernet 1/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.0.3 standby
 vrrp vrid 2 virtual-ip 10.3.0.4 active
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 1/0/7
#
ospf 10
 area 0.0.0.0
  network 10.2.1.0 0.0.0.255
  network 10.3.0.0 0.0.0.255
#
security-policy
 rule name policy_sec
  source-zone local
  source-zone trust
  source-zone untrust
  destination-zone local
  destination-zone trust
  destination-zone untrust
  action permit

6.1.8.7 Load Balancing Networking in Which the Service Interfaces of Each NGFW
Work at Layer 2 and Are Directly Connected to Routers
This section provides an example of how to configure hot standby in load balancing mode in
which the service interfaces of each NGFW work at Layer 2 and are directly connected to routers.

Networking Requirements
On the network shown in Figure 6-38, the service interfaces of two NGFWs work at Layer 2
and are directly connected to routers. The uplink and downlink service interfaces of each
NGFW are added to VLAN2.

The NGFWs and directly connected routers run OSPF. The NGFWs transparently transmit OSPF
packets and do not calculate routes.

The NGFWs are expected to work in load balancing mode. Normally, both NGFW_A and
NGFW_B forward traffic. When one NGFW goes faulty, the other NGFW takes over all the
traffic load.

Figure 6-38 Load balancing networking in which the service interfaces of each NGFW work at
Layer 2 and are directly connected to routers

[Figure 6-38 topology: on each NGFW, GE1/0/1 (to the upstream OSPF router) and GE1/0/3 (to the downstream OSPF router) are Layer 2 service links in VLAN2; GE1/0/7 (10.10.0.1 on NGFW_A, 10.10.0.2 on NGFW_B) is the heartbeat link between the two NGFWs.]

Procedure
Step 1 Configure interfaces and basic network configurations.
1. Configure interfaces on NGFW_A.
a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:

Zone untrust

Mode Switch

Connection Type Access

Access VLAN ID 2

c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.

Zone trust

Mode Switch

Connection Type Access

Access VLAN ID 2

e. Repeat the preceding steps to set the parameters of GE1/0/7.

Zone dmz

IPv4

IP Address 10.10.0.1/24

2. Configure interfaces on NGFW_B.


a. Choose Network > Interface.
b. Click GE1/0/1 and set the parameters as follows:

Zone untrust

Mode Switch

Connection Type Access

Access VLAN ID 2

c. Click OK.
d. Repeat the preceding steps to set the parameters of GE1/0/3.

Zone trust

Mode Switch

Connection Type Access

Access VLAN ID 2

e. Repeat the preceding steps to set the parameters of GE1/0/7.

Zone dmz

IPv4

IP Address 10.10.0.2/24

Step 2 Configure hot standby.


1. Configure hot standby on NGFW_A.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:

d. Click OK.
2. Configure hot standby on NGFW_B.
a. Choose System > High Availability > Dual-System Hot Backup.
b. Click Edit.
c. Select the Enable check box and set the parameters as follows:

d. Click OK.

Step 3 Configure the security policies.

Security policies configured on NGFW_A are automatically backed up to NGFW_B.

1. Choose Policy > Security Policy > Security Policy.


2. Click Add.
3. Configure security policy policy_sec and set the parameters as follows:

Name policy_sec

Source Zone trust,untrust

Destination Zone trust,untrust

Action Permit

4. Click OK.

----End

Configuration Verification
Choose System > High Availability > Dual-System Hot Backup to view the operating status
of hot standby.

• Normally, the Current Working Mode of NGFW_A is Load Balancing and the Current State is Active. The Current Working Mode of NGFW_B is Load Balancing and the Current State is Standby. This shows that traffic is forwarded by NGFW_A.
• When NGFW_A goes faulty, the Current Working Mode of NGFW_A is Active/Standby Backup and the Current State is Standby. The Current Working Mode of NGFW_B is Active/Standby Backup and the Current State is Active. This shows that traffic is forwarded by NGFW_B.

Configuration Script
NGFW_A
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface GigabitEthernet 1/0/7
#
vlan 2
 hrp track active
 hrp track standby
 GigabitEthernet1/0/1
 GigabitEthernet1/0/3
#
interface GigabitEthernet 1/0/1
 portswitch
 port link-type access
#
interface GigabitEthernet 1/0/3
 portswitch
 port link-type access
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
security-policy
 rule name policy_sec
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  action permit

NGFW_B
#
hrp mirror session enable
hrp enable
hrp loadbalance-device
hrp interface GigabitEthernet 1/0/7
#
vlan 2
 hrp track active
 hrp track standby
 GigabitEthernet1/0/1
 GigabitEthernet1/0/3
#
interface GigabitEthernet 1/0/1
 portswitch
 port link-type access
#
interface GigabitEthernet 1/0/3
 portswitch
 port link-type access
#
interface GigabitEthernet 1/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 1/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 1/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet1/0/7
#
security-policy
 rule name policy_sec
  source-zone trust
  source-zone untrust
  destination-zone trust
  destination-zone untrust
  action permit

6.1.9 Troubleshooting
This section describes how to troubleshoot faults in hot standby.

6.1.9.1 Services Are Interrupted Because of Inconsistent Numbers of Eth-Trunk Member Interfaces on the Firewalls Working in Load Balancing Mode

Symptom
Two firewalls implement hot standby and work in load balancing mode. The intranet server
provides web services. Services are slow or unavailable to Internet users. The users on the
intranet can access web pages hosted on the intranet server.

Possible Causes
l The firewalls work in load balancing mode.
l The forward and return paths may be inconsistent when the firewalls work in load balancing
mode, and quick session backup is disabled.
l The heartbeat link fails and some sessions are not synchronized.

Procedure
Step 1 Run the display hrp state command to check the HRP status of each firewall. The command
output shows that the status of each firewall is normal.
Step 2 Run the display firewall session table or display firewall ipv6 session table command to check
the session table on each firewall. The numbers of sessions on the two firewalls are widely
different.
Step 3 Check whether quick session backup is enabled on the firewalls. Quick session backup is enabled
on the firewalls.
Step 4 Check the heartbeat link configuration. The firewalls use an Eth-Trunk as the heartbeat interface.
Three member interfaces are specified on the active firewall, but only two (no
GigabitEthernet1/0/6) are specified on the standby firewall.
The firewalls use multiple member interfaces of the Eth-Trunk in turn to send synchronization
messages. When the active firewall uses GigabitEthernet1/0/6 to synchronize sessions,
GigabitEthernet1/0/6 on the standby firewall discards the synchronization messages after
receiving them, because GigabitEthernet1/0/6 is not a member interface of the Eth-Trunk on the
standby firewall. As a result, some sessions on the active firewall cannot be synchronized to the
standby firewall.
The forward and return paths of service packets may be inconsistent when the firewalls work in
load balancing mode. If some sessions are not synchronized to the standby firewall, return
packets of these sessions are discarded by the standby firewall because they do not match any
session.
Step 5 On the standby firewall, add GigabitEthernet1/0/6 to the Eth-Trunk. Then the fault is rectified.

----End

Suggestion and Summary


When you use an Eth-Trunk as the heartbeat link, ensure that the Eth-Trunks on the two firewalls
have the same number of member interfaces. Otherwise, some sessions on the active firewall
cannot be synchronized to the standby firewall.
If two firewalls have different numbers of physical interfaces added to the Eth-Trunk and work
in load balancing mode, services may be interrupted. If two firewalls have different numbers of
physical interfaces added to the Eth-Trunk and work in active/standby mode, services may be
interrupted after the active/standby switchover.


6.1.9.2 Automatic Configuration Synchronization Fails Because of an Incorrect Device Configuration Sequence

Symptom
During the hot standby configuration, a subinterface is configured on the active firewall and
added to the Trust zone. A subinterface is also configured on the standby firewall but is not
added to the Trust zone.

Possible Causes
l Automatic configuration synchronization is disabled.
l Firewall configurations are incorrect.

Procedure
Step 1 Check the hot standby configuration. The automatic configuration synchronization function is
enabled.

Step 2 View the logs on the active and standby firewalls to check the configuration steps performed by
the administrator.
1. On the active firewall, subinterface GigabitEthernet1/0/2.5 is created.
2. On the active firewall, GigabitEthernet1/0/2.5 is added to the Trust zone.
3. On the standby firewall, subinterface GigabitEthernet1/0/2.5 is created.
The firewall can automatically synchronize security zone configurations, but not interface
configurations. Based on the configuration steps performed by the administrator, no subinterface
exists on the standby firewall when subinterface GigabitEthernet1/0/2.5 is added to the Trust
zone on the active firewall. The standby firewall cannot add a subinterface that does not exist
to the zone. Therefore, configuration synchronization fails.

Step 3 Delete the subinterface from the Trust zone on the active firewall and then add it to the zone.

----End

Suggestion and Summary


The firewalls cannot automatically back up interface configurations. Interface configurations
must be manually performed on the two firewalls separately. To use automatic configuration
synchronization, you must first complete interface configurations on the two firewalls.

6.1.9.3 Automatic Configuration Synchronization Fails Because of Redundant Configurations on the Standby Firewall

Symptom
Two firewalls are deployed in hot standby networking. On the active firewall, the administrator
adds GigabitEthernet1/0/2 to the Trust zone, but the configuration is not synchronized to the
standby firewall.


Possible Causes
l Automatic synchronization is disabled.
l Firewall configurations are incorrect.

Procedure
Step 1 Check the hot standby configuration. The automatic synchronization function is enabled.

Step 2 Create a temporary ACL on the active firewall. The configuration can be synchronized to the
standby firewall, which indicates that the function of automatic synchronization is working
properly.

Step 3 Check the configurations of the standby firewall. GigabitEthernet1/0/2 is added to the DMZ.

Step 4 On the active firewall, disable automatic synchronization.

Step 5 On the standby firewall, remove GigabitEthernet1/0/2 from the DMZ and add it to the Trust zone.

Step 6 On the active firewall, enable automatic synchronization.

----End

Suggestion and Summary


By default, security zone, ACL, and attack defense configurations on the active firewall can be
automatically synchronized to the standby firewall. If redundant configurations exist on the
standby firewall before hot standby is enabled, conflicts may occur when the configurations on
the active firewall are synchronized to the standby firewall. As a result, automatic
synchronization fails.
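The three cases above (6.1.9.1 to 6.1.9.3) are all configuration mismatches between the two firewalls that can be caught before hot standby is enabled. The following checker is an added example, not Huawei code: it parses two constructed configuration excerpts in the format shown in this guide and reports Eth-Trunk member-count differences, interfaces or subinterfaces that exist on only one firewall, and interfaces placed in different zones; the `eth-trunk <id>` membership line under an interface view is assumed.

```python
"""Pre-check for the configuration mismatches in 6.1.9.1 to 6.1.9.3.

Added example, not Huawei code. It compares two running configurations
and flags: an Eth-Trunk with different member counts (6.1.9.1), a
subinterface that exists on only one firewall (6.1.9.2), and an
interface placed in different zones on the two firewalls (6.1.9.3).
The 'eth-trunk <id>' membership line under an interface view and the
configuration excerpts below are constructed for this example."""
import re
from collections import defaultdict


def parse_config(text):
    """Return (interfaces, trunk_members, zone_of_interface)."""
    interfaces, trunk_members, zone_of = set(), defaultdict(set), {}
    current_if = current_zone = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":          # '#' closes the current view
            current_if = current_zone = None
            continue
        if m := re.match(r"interface (.+)$", line):
            # normalise 'GigabitEthernet 1/0/1' and 'GigabitEthernet1/0/1'
            current_if, current_zone = m.group(1).replace(" ", ""), None
            interfaces.add(current_if)
        elif m := re.match(r"firewall zone (\S+)$", line):
            current_zone, current_if = m.group(1), None
        elif (m := re.match(r"eth-trunk (\d+)$", line)) and current_if:
            trunk_members[m.group(1)].add(current_if)
        elif (m := re.match(r"add interface (.+)$", line)) and current_zone:
            zone_of[m.group(1).replace(" ", "")] = current_zone
    return interfaces, dict(trunk_members), zone_of


def check_pair(config_a, config_b):
    """Compare the two configurations and return a list of findings."""
    ifs_a, trunks_a, zones_a = parse_config(config_a)
    ifs_b, trunks_b, zones_b = parse_config(config_b)
    findings = []
    # 6.1.9.1: both Eth-Trunks must have the same number of members
    for trunk in sorted(set(trunks_a) | set(trunks_b)):
        a, b = trunks_a.get(trunk, set()), trunks_b.get(trunk, set())
        if len(a) != len(b):
            findings.append(f"Eth-Trunk {trunk}: {len(a)} members on A, "
                            f"{len(b)} on B (only on A: {sorted(a - b)}, "
                            f"only on B: {sorted(b - a)})")
    # 6.1.9.2: interface views are not synchronized, so create them on both
    for name in sorted(ifs_a ^ ifs_b):
        findings.append(f"interface {name} exists only on "
                        f"{'A' if name in ifs_a else 'B'}")
    # 6.1.9.3: a redundant zone membership on B conflicts with A's zone config
    for name in sorted(set(zones_a) & set(zones_b)):
        if zones_a[name] != zones_b[name]:
            findings.append(f"interface {name} is in zone {zones_a[name]} "
                            f"on A but zone {zones_b[name]} on B")
    return findings


# Constructed excerpts: A is the active firewall, B the standby
CONFIG_A = """\
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/2.5
#
interface GigabitEthernet1/0/4
 eth-trunk 1
#
interface GigabitEthernet1/0/5
 eth-trunk 1
#
interface GigabitEthernet1/0/6
 eth-trunk 1
#
firewall zone trust
 add interface GigabitEthernet1/0/2
 add interface GigabitEthernet1/0/2.5
#
"""
CONFIG_B = """\
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/4
 eth-trunk 1
#
interface GigabitEthernet1/0/5
 eth-trunk 1
#
interface GigabitEthernet1/0/6
#
firewall zone dmz
 add interface GigabitEthernet1/0/2
#
"""

if __name__ == "__main__":
    for finding in check_pair(CONFIG_A, CONFIG_B):
        print(finding)
```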

6.1.9.4 Standby Firewall Switches to Active after Receiving Attack Packets

Symptom
In hot standby networking, the standby firewall switches to the active state and then the standby
state.
2012-09-09 17:56:17 sysname %%01VGMP/4/STATE(1): Virtual Router Management Group STANDBY : STANDBY -->ACTIVE
2012-09-09 17:56:17 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/1 , Virtual Router 1 : STANDBY changed to ACTIVE!
2012-09-09 17:56:17 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/2 , Virtual Router 1 : STANDBY changed to ACTIVE!
2012-09-09 17:56:17 sysname %%01VGMP/4/STATE(1): Virtual Router Management Group STANDBY : ACTIVE -->STANDBY
2012-09-09 17:56:17 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/1 , Virtual Router 1 : ACTIVE changed to STANDBY!
2012-09-09 17:56:17 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/2 , Virtual Router 1 : ACTIVE changed to STANDBY!

Possible Causes
l The VGMP group priority changes because of an interface or link fault.
l The active firewall is too busy to send heartbeat packets.


l The standby firewall is too busy to receive heartbeat packets.

Procedure
Step 1 Check the firewall logs generated before the fault occurs.

When the fault occurs, no log is generated about interface status change. The firewall status
change is not caused by interface or link failures. The cause of the fault is that the standby firewall
does not receive any heartbeat packet from the active firewall within three heartbeat intervals.

Step 2 Check the firewall logs generated before the fault occurs.

When the fault occurs, a large number of attack logs exist on the standby firewall. The number
of logs during the period is far larger than that in other periods, which means that attack traffic
reaches the standby firewall when the fault occurs. The attacks exhaust the CPU of the standby
firewall. As a result, the standby firewall cannot receive any heartbeat packet during that period
of time.

Step 3 To rectify the fault, increase the heartbeat interval.

NOTICE
Adjust the heartbeat interval on the standby firewall and then on the active firewall.

HRP_S<sysnameB> system-view
HRP_S[sysnameB] hrp timer hello 3000

HRP_A<sysnameA> system-view
HRP_A[sysnameA] hrp timer hello 3000

The default heartbeat interval is 1000 ms. Adjusting the heartbeat interval does not affect the
active/standby switchover speed when an interface or link fails.

----End

Suggestion and Summary


The standby firewall switches to the active state because the CPU resources are exhausted and
the firewall is too busy to send or receive heartbeat packets. Check the operations (such as saving
configurations) or abnormal traffic (such as burst traffic and attack traffic) that may result in
heavy load when the fault occurs.

To rectify the fault, increase the heartbeat interval.

6.1.9.5 Service Interface of the Active Firewall Does not Change Its Status Because
the Standby Firewall Is Faulty

Symptom
After GigabitEthernet1/0/4 on the active firewall fails, traffic is not switched to the standby
firewall.


Alarm Information
The VRRP status of the active firewall has changed and GigabitEthernet1/0/4 has gone down.
2012-03-22 14:15:59 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/1 , Virtual Router 1 : STANDBY changed to INITIALIZE!
2012-03-22 14:15:59 sysname %%01IFNET/4/LINK_STATE(1): Line protocol on interface GigabitEthernet1/0/4 has turned into DOWN state.

Possible Causes
l The firewalls work in active state.
l After GigabitEthernet1/0/4 of the active firewall goes faulty, the VGMP group on the active
firewall still has a higher priority than that on the standby firewall.

Procedure
Step 1 Check the firewall logs. The HRP status is normal when the fault occurs.

Step 2 Run the display hrp group command to check the priorities of the VGMP groups on the two
firewalls.
The priority value of the active VGMP group on the active firewall is 64999, which is normal.
The priority value of the standby VGMP group on the standby firewall is reduced by four to
64996, which indicates that two interfaces fail on the standby firewall. The active VGMP group
on the active firewall has a higher priority than the standby VGMP group on the standby firewall.
Therefore, the HRP status does not change.

Step 3 Run the display hrp state command to check the HRP status of the standby firewall.
Two subinterfaces on the standby firewall go down. The priority of the standby VGMP group
is reduced from 65000 to 64996.

Step 4 Troubleshoot the subinterfaces to bring them up.

----End

Suggestion and Summary


The HRP status is determined by the priority of the VGMP groups on the active and standby
firewalls. Ensure that the priority of the standby VGMP group is smaller than that of the active
VGMP group by 1 before the active/standby switchover. Otherwise, the HRP status does not
change after the active firewall fails.
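The log excerpts in 6.1.9.4 and 6.1.9.5 can be triaged automatically: Step 1 of 6.1.9.4 argues that a VGMP state round trip with no interface-status log in the same window points to lost heartbeats, while a LINK_STATE DOWN log calls for a VGMP priority check. The following classifier is an added example, not Huawei code; it parses the log format quoted on this page and the sample lines are constructed from those excerpts.

```python
"""Classify the hot standby state-change logs quoted in 6.1.9.4 and 6.1.9.5.

Added example, not Huawei code. It applies the reasoning of 6.1.9.4 Step 1:
a VGMP STANDBY -->ACTIVE -->STANDBY round trip with no IFNET link-state log
in the same window points to lost heartbeats rather than to a link fault,
while a LINK_STATE DOWN log (6.1.9.5) calls for a VGMP priority check.
The sample lines below are constructed from the log formats on this page."""
import re
from datetime import datetime, timedelta

# '<date> <time> <sysname> %%01MODULE/<sev>/EVENT(1): text' as quoted on this page
LOG_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ %%01(\w+)/\d/(\w+)\(\d+\): (.*)$")
VGMP_RE = re.compile(r"Virtual Router Management Group \w+ : (\w+) -->(\w+)")
LINK_RE = re.compile(r"interface (\S+) has turned into (\w+) state")


def parse_line(line):
    """Return (timestamp, module, event, text), or None for other lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def analyze(lines, window=timedelta(seconds=60)):
    """Return a list of findings (dicts) for the given log lines."""
    link_downs = []       # (ts, interface) from IFNET LINK_STATE DOWN logs
    transitions = []      # (ts, old_state, new_state) from VGMP STATE logs
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue
        ts, module, event, text = parsed
        if module == "IFNET" and event == "LINK_STATE":
            m = LINK_RE.search(text)
            if m and m.group(2) == "DOWN":
                link_downs.append((ts, m.group(1)))
        elif module == "VGMP" and event == "STATE":
            m = VGMP_RE.search(text)
            if m:
                transitions.append((ts, m.group(1), m.group(2)))

    findings = [{"kind": "link_down", "interface": ifc, "ts": ts,
                 "assessment": "tracked interface down: compare the VGMP "
                               "priorities with display hrp group"}
                for ts, ifc in link_downs]
    for i, (ts, old, new) in enumerate(transitions):
        if (old, new) != ("STANDBY", "ACTIVE"):
            continue
        # a return to STANDBY inside the window makes this a flap, not a failover
        for ts2, old2, new2 in transitions[i + 1:]:
            if (old2, new2) == ("ACTIVE", "STANDBY") and ts2 - ts <= window:
                faults = [ifc for t, ifc in link_downs if ts - window <= t <= ts2]
                if faults:
                    why = "link fault on " + ", ".join(faults)
                else:
                    why = ("no link-state change logged: suspect lost heartbeats "
                           "(CPU exhaustion or attack traffic); check the attack "
                           "logs and consider a longer hrp timer hello")
                findings.append({"kind": "flap", "start": ts, "end": ts2,
                                 "link_faults": faults, "assessment": why})
                break
    return findings


# Constructed from the excerpts in 6.1.9.4 and 6.1.9.5
FLAP_LOGS = [
    "2012-09-09 17:56:17 sysname %%01VGMP/4/STATE(1): Virtual Router Management Group STANDBY : STANDBY -->ACTIVE",
    "2012-09-09 17:56:17 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/1 , Virtual Router 1 : STANDBY changed to ACTIVE!",
    "2012-09-09 17:56:17 sysname %%01VGMP/4/STATE(1): Virtual Router Management Group STANDBY : ACTIVE -->STANDBY",
    "2012-09-09 17:56:17 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/1 , Virtual Router 1 : ACTIVE changed to STANDBY!",
]
LINK_LOGS = [
    "2012-03-22 14:15:59 sysname %%01VRRP/4/STATEWARNING(1): Interface: GigabitEthernet1/0/1 , Virtual Router 1 : STANDBY changed to INITIALIZE!",
    "2012-03-22 14:15:59 sysname %%01IFNET/4/LINK_STATE(1): Line protocol on interface GigabitEthernet1/0/4 has turned into DOWN state.",
]

if __name__ == "__main__":
    for finding in analyze(FLAP_LOGS) + analyze(LINK_LOGS):
        print(finding["kind"], finding["assessment"])
```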

6.1.9.6 Active/Standby Switchover Occurs when a VRRP Group Is Added

Symptom
On the network shown in Figure 6-39, two firewalls implement hot standby. The uplink
interfaces of the firewalls are added to VRRP group 1, and the downlink interfaces of the
firewalls are added to VRRP group 2.


Figure 6-39 Network on which the active/standby switchover occurs when a VRRP group is added (figure: Firewall A and Firewall B between two pairs of switches, with VRRP 1 on the uplink side and VRRP 2 on the downlink side)

Firewall A works in active state and all VRRP groups are added to the active VGMP group.
Firewall B works in standby state and all VRRP groups are added to the standby VGMP group.
After VRRP group 3 is configured on GigabitEthernet1/0/3 of firewall A, an active/standby
switchover occurs.

Possible Causes
After an interface in Down state of the active firewall is added to a VRRP group, the priority of
the VGMP group on the active firewall is lower than that on the standby firewall. As a result,
the HRP status changes.

Procedure
Step 1 Run the display hrp group command to check the priority of each VGMP group. The priority
of the active VGMP group is 64999, and that of the standby VGMP group is 65000.
By default, the priority value of the active VGMP group is 65001, and that of the standby VGMP
group is 65000. The priority is reduced by 2 when an interface is down.
Step 2 Check the status of GigabitEthernet1/0/3. The interface is down.
After you configure VRRP group 3 on GigabitEthernet1/0/3 of firewall A, the priority of the
VGMP group on the active firewall changes from 65001 to 64999, which is smaller than that
(65000) of the VGMP group on the standby firewall. As a result, the HRP status changes.
Step 3 Troubleshoot the interface to bring it up.

----End

Suggestion and Summary


When you add or delete a VRRP group, the firewalls recalculate the priority of their VGMP
groups based on interface status. The priority determines whether the HRP status changes.
Similar to this troubleshooting case, if the active and standby firewalls have the same number
of interfaces in the Down state, deleting a VRRP group or enabling an interface on the standby
firewall also triggers an active/standby switchover. Therefore, perform these operations on the
active firewall first.

6.1.9.7 Active/Standby Switchover Fails Because of Incorrect HRP Track Configuration

Symptom
As shown in Figure 6-40, two firewalls are connected to upstream routers and downstream
switches.
l VRRP is enabled on the firewalls.
l The switches run different services. OSPF is enabled on the routers and the subinterfaces
of the firewalls.
l Hot standby is enabled on the two firewalls and the firewalls work in active/standby mode.
When the firewalls are normal, firewall A handles service traffic.

When the link fails between firewall A and router A, the HRP status does not change, resulting
in a service interruption.

Figure 6-40 Network on which an active/standby switchover fails because of incorrect HRP track configuration (figure: Router A and Router B on the private network side, OSPF1 and OSPF2 between the routers and Firewall A and Firewall B, Switch A and Switch B downstream)

Possible Causes
The HRP track configurations on the two firewalls are incorrect.


Procedure
Step 1 Check the hot standby configurations on the two firewalls. HRP track is configured on the
interfaces connected to routers, but not on the subinterfaces.
Step 2 Configure HRP track on the subinterfaces connected to routers. The HRP status changes and
services are restored.
Possible causes are as follows:
l OSPF runs on the subinterfaces of the two firewalls and routers. The IP addresses of the
firewall interfaces are not specified, the link state of the interface is up, the protocol state of
the interface is down, and HRP track is configured on the interfaces on both firewalls. In this
case, the priority of the VGMP group on both firewalls is reduced by 2. Therefore, the HRP
status does not change.
l If HRP track is configured on the subinterfaces on the firewalls, and the link between firewall
A and router A fails, all subinterfaces on firewall A become down. The priority of the VGMP
group is reduced by 2 for each subinterface that becomes down, so the VGMP group on firewall
A has a lower priority than that on firewall B. Therefore, the HRP status changes.
----End

Suggestion and Summary


In hot standby networking, if you configure the HRP track on interfaces, you must also configure
HRP track on subinterfaces.
When HRP track is configured on multiple subinterfaces of an interface, the priority of the
VGMP group is reduced by 2 when any subinterface becomes down.
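The priority arithmetic that decides the outcome in 6.1.9.5, 6.1.9.6 and 6.1.9.7 can be worked through in a few lines. The following model is an added example, not Huawei code; it assumes, as stated on this page, an active base of 65001, a standby base of 65000, a penalty of 2 for every tracked item that is down (subinterfaces counted individually, as in 6.1.9.5), and a switchover whenever the active group's priority falls below the standby group's. Interface names not quoted in the cases are constructed.

```python
"""VGMP priority arithmetic behind 6.1.9.5, 6.1.9.6 and 6.1.9.7.

Added example, not Huawei code. Assumptions taken from this page: the
active VGMP group starts at 65001 and the standby group at 65000; every
tracked item (an interface in a VRRP group, or an HRP-tracked interface
or subinterface) that is down subtracts 2; the HRP status changes when
the active group's priority falls below the standby group's. Interface
names other than those quoted in the cases are constructed."""
ACTIVE_BASE, STANDBY_BASE, PENALTY = 65001, 65000, 2


def vgmp_priority(base, tracked, down):
    """Priority of one VGMP group: base minus 2 per tracked item that is down."""
    return base - PENALTY * sum(1 for item in tracked if item in down)


def compare(tracked_a, down_a, tracked_b, down_b):
    """Return (switchover, priority_a, priority_b) with A active and B standby."""
    pa = vgmp_priority(ACTIVE_BASE, tracked_a, down_a)
    pb = vgmp_priority(STANDBY_BASE, tracked_b, down_b)
    return pa < pb, pa, pb


def case_6_1_9_5():
    """GE1/0/4 is down on the active firewall, but two subinterfaces are down
    on the standby, so the active group (64999) still beats the standby (64996)."""
    tracked = ["GigabitEthernet1/0/4", "GigabitEthernet1/0/2.1", "GigabitEthernet1/0/2.2"]
    return compare(tracked, {"GigabitEthernet1/0/4"},
                   tracked, {"GigabitEthernet1/0/2.1", "GigabitEthernet1/0/2.2"})


def case_6_1_9_6():
    """Adding VRRP group 3 on GE1/0/3 of firewall A while GE1/0/3 is down: the
    interface becomes a tracked item, 65001 drops to 64999 and B (65000) wins."""
    tracked = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"]
    down_a = {"GigabitEthernet1/0/3"}          # down, but not yet tracked
    before = compare(tracked, down_a, tracked, set())
    after = compare(tracked + ["GigabitEthernet1/0/3"], down_a,
                    tracked + ["GigabitEthernet1/0/3"], set())
    return before, after


def case_6_1_9_6_summary():
    """Equal numbers of down interfaces on A and B, then an interface on the
    standby is brought up first: the standby now has the higher priority."""
    tracked = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"]
    down = {"GigabitEthernet1/0/2"}
    before = compare(tracked, down, tracked, down)
    after = compare(tracked, down, tracked, set())
    return before, after


def case_6_1_9_7(track_subinterfaces):
    """Link between firewall A and router A fails. The physical interface shows
    protocol down on both firewalls (no IP address, OSPF on subinterfaces), so
    tracking only it penalises both sides equally; tracking the subinterfaces
    as well penalises only A, whose subinterfaces all go down."""
    phys = "GigabitEthernet1/0/1"
    subs = ["GigabitEthernet1/0/1.1", "GigabitEthernet1/0/1.2"]
    tracked = [phys] + (subs if track_subinterfaces else [])
    return compare(tracked, {phys, *subs}, tracked, {phys})


if __name__ == "__main__":
    print("6.1.9.5:", case_6_1_9_5())
    print("6.1.9.6:", case_6_1_9_6())
    print("6.1.9.6 summary:", case_6_1_9_6_summary())
    print("6.1.9.7 physical only:", case_6_1_9_7(False))
    print("6.1.9.7 with subinterfaces:", case_6_1_9_7(True))
```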

6.1.9.8 Services Are Temporarily Interrupted After Preemption Because an Interface on a Switch Cannot Forward Packets Immediately After Recovery

Symptom
On the network shown in Figure 6-41, two firewalls and two switches are connected in a ring
topology. Hot standby is enabled on the firewalls.

Figure 6-41 Network diagram (figure: Firewall A and Firewall B connected to Switch A and Switch B in a ring)


After GigabitEthernet1/0/1 that connects firewall A to switch A becomes down, firewall B
rapidly takes over. After this interface becomes up, traffic is switched back to firewall A, but
services are interrupted for a short period.

Possible Causes
l The switch fails.
l The preemption delay is too short.

Procedure
Step 1 Set up a test environment and check the ARP table on the switch when firewall A preempts to
be the active device.

After the preemption, firewall A sends gratuitous ARP packets to refresh the ARP table and
MAC address table on the switch. During the seven to eight seconds before the ARP table is
refreshed, the switch continues to forward packets to firewall B, causing a service
interruption.

Step 2 Check information about ARP packet debugging on firewall A.


HRP_A<sysnameA> debugging arp packet
HRP_A<sysnameA> terminal monitor
HRP_A<sysnameA> terminal debugging
0.18482116 sysnameA %%01ARP/7/arp_send(d): Send an ARP Packet, operation : 1, sender_eth_addr : 0022-a104-5b4d,sender_ip_addr : 192.168.255.2, target_eth_addr : 0000-0000-0000, target_ip_addr : 192.168.255.2
0.18492433 sysnameA %%01ARP/7/arp_send(d): Send an ARP Packet, operation : 1, sender_eth_addr : 0000-5e00-0101,sender_ip_addr : 192.168.255.1, target_eth_addr : 0000-0000-0000, target_ip_addr : 192.168.255.1
0.18496433 sysnameA %%01ARP/7/arp_send(d): Send an ARP Packet, operation : 1, sender_eth_addr : 0000-5e00-0101,sender_ip_addr : 192.168.255.1, target_eth_addr : 0000-0000-0000, target_ip_addr : 192.168.255.1
0.18502433 sysnameA %%01ARP/7/arp_send(d): Send an ARP Packet, operation : 1, sender_eth_addr : 0000-5e00-0101,sender_ip_addr : 192.168.255.1, target_eth_addr : 0000-0000-0000, target_ip_addr : 192.168.255.1
0.18508433 sysnameA %%01ARP/7/arp_send(d): Send an ARP Packet, operation : 1, sender_eth_addr : 0000-5e00-0101,sender_ip_addr : 192.168.255.1, target_eth_addr : 0000-0000-0000, target_ip_addr : 192.168.255.1
......

Firewall A broadcasts five packets, including one gratuitous ARP packet destined for the
interface IP address and four gratuitous ARP packets destined for the virtual IP address of the
VRRP group.

Step 3 Check information about ARP packet debugging on switch A.


Aug 15 2011 19:28:17.590.1-05:13 sysnameA ARP/7/arp_rcv:Receive an ARP Packet, operation : 1, sender_eth_addr : 0000-5e00-0101, sender_ip_addr : 192.168.255.1, target_eth_addr : 0000-0000-0000, target_ip_addr : 192.168.255.1

Switch A receives only the last gratuitous ARP packet destined for the virtual IP address of the
VRRP group, but not the other four packets.

The debugging information on the switch shows that after the switch receives the gratuitous
ARP packet, services recover immediately. Switch A cannot receive the ARP packet
immediately after the interface on switch A becomes up.

Step 4 Change the preemption delay of the firewall to the default value (60 seconds). Services run
smoothly after firewall A preempts to be the active device and no interruption occurs.

----End


Suggestion and Summary


When an interface of a switch becomes up, it takes a few seconds for the interface to receive
packets. The switch cannot immediately receive the gratuitous ARP packet from the firewall or
refresh the ARP table entries.

The preemption delay of the firewall must be larger than the duration for firewall interface
recovery. The default preemption delay is recommended.

6.1.9.9 Packet Loss Occurs Due to VRID Conflict

Symptom
Two firewalls are deployed in hot standby networking. A large number of ping packets are lost
when the virtual IP address of the VRRP group is pinged from the downstream switch.

Possible Causes
l The link is faulty.
l VRIDs conflict.

Procedure
Step 1 Ping the IP address of the firewall interface from the downstream switch. If no packet is lost,
the link is normal.

Step 2 Check the firewall active/standby status. The active/standby status is correct.

Step 3 Check the ARP table on the switch. The virtual MAC address of one VRRP group is mapped to
two IP addresses.

Step 4 Check firewall logs. A log records a virtual IP address error.


2011-09-09 17:56:17 sysname %%01VRRP/3/CONFIGERROR(1): System detected a VRRP config error of VIRTUAL IP ADDRESS ERROR, Interface: GigabitEthernet1/0/1, Virtual Router: 1!

Step 5 Check the VRRP configurations on the network. Another device has the same VRID as the firewall,
and the device is connected to the same switch as the firewall. As a result, the MAC address
entry on the switch is incorrect.

Step 6 Change the VRID of the firewall.

----End

Suggestion and Summary


Duplicate VRIDs cannot exist on the same VLAN.

6.1.9.10 The NAT Traffic Is Interrupted After Active/Standby Switchover


Symptom
As shown in Figure 6-42, the two firewalls are deployed in hot standby mode, and the two
firewalls and two switches are connected in a ring topology. Firewall A is the active firewall,
and firewall B is the standby firewall.

Figure 6-42 Networking diagram (figure: Firewall A and Firewall B in a ring with two switches, the server downstream)

The active/standby switchover is performed rapidly between the two firewalls when firewall A
is disconnected from the Internet or intranet. However, the NAT traffic is interrupted.

Power off firewall A. The NAT traffic is still interrupted.

Possible Causes
The active/standby switchover is performed, but the NAT traffic is interrupted. This indicates
that a fault occurs in traffic forwarding. The configurations of firewall B may be incorrect, or
the MAC address table on the switches is not refreshed.

Procedure
Step 1 Check the configurations of firewall B. The configurations are correct.

Step 2 Disconnect the cable from the WAN interface of firewall A. Check the session statistics on both
firewalls.
Sessions are set up on firewall A, and the number of sessions increases continuously. The number
of sessions remains unchanged on firewall B. The cause may be that the MAC address table on
the switch is not refreshed after the active/standby switchover.


Step 3 Connect a PC to the switch. Ping the virtual IP address of the downstream VRRP group from
the PC. Continue to check the session statistics on both firewalls.
Sessions are set up on firewall B, and the number of sessions continuously increases on firewall
B, but the number of sessions remains unchanged on firewall A. This indicates that the MAC
address table on the switch is correct.
Step 4 Insert the cable to the WAN interface of firewall A. Wait for firewall A to preempt the active
state.
Step 5 On firewall A, add an interface in down state to the VRRP group to trigger the active/standby
switchover. Then check the session statistics.
Sessions are set up on firewall A, the number of sessions increases continuously, and statistics
on return traffic are displayed. This indicates that the NAT traffic resumes. In conclusion, the
packets destined for the Internet are forwarded to firewall A regardless of the active/standby
switchover.
Step 6 Display the routing table on the server. The next-hop of the default route is the inside interface
of firewall A, but not the virtual IP address of the VRRP group.
Step 7 Modify the route configuration on the server. The fault is rectified.
----End

Suggestion and Summary


The original network has a standalone firewall. The fault occurs after two firewalls are deployed
for hot standby. The route configuration on the server is not modified after the network changes,
causing the problem.
During network adjustment, modify not only the firewall configurations, but also the
configurations of upstream and downstream devices.

6.1.9.11 Services Are Interrupted After the Upstream Switch Restarts Because the
Preemption Delay Is Too Short

Symptom
Figure 6-43 shows the networking diagram. Firewall A is the active firewall, and the preemption
function is enabled on this firewall. Services are interrupted after switch C unexpectedly restarts.

Figure 6-43 Networking diagram (figure: Switch A - Firewall A - Switch C on the upper path, Switch B - Firewall B - Switch D on the lower path)


Possible Causes
l The active/standby switchover fails.
l Some sessions are not synchronized.
l Switch C has not finished restarting when firewall A preempts, because the preemption delay is too short.

Procedure
Step 1 Check the logs on the firewalls and switches.

After switch C fails, the active/standby switchover is performed. Firewall B and switch D take
over services. However, the service interface of switch C goes up and down repeatedly when
switch C restarts. When the interface on switch C becomes up, firewall A determines that the
link recovers and starts to preempt. As a result, services are interrupted.

According to tests, switches take about 3 minutes to restart.

Step 2 Change the preemption delay of the active firewall to 240 seconds.
HRP_A<sysnameA> system-view
HRP_A[sysnameA] hrp preempt delay 240

----End

Suggestion and Summary


To enable the preemption function, ensure that the preemption delay is longer than the time
required for the restart of upstream and downstream devices.

6.1.10 Reference
This section provides reference information about hot standby.

6.1.10.1 Commands and Status Information That Can Be Synchronized


This section describes the commands and status information that can be synchronized in hot
standby.

The NGFW backs up the following configuration commands and status information:

Commands That Can Be Synchronized


NOTE

In most cases, display, reset, and debugging commands cannot be backed up.
l Policy
– Security policy
– NAT policy
– Bandwidth management
– Authentication policy
– Attack defense


– Blacklist
– ASPF configuration
l Object
– Address
– Service
– Application
– User
NOTE

User-related configuration commands can be backed up. User, user group, and security group
information cannot be backed up.
– Authentication server
– Time range
– URL category
– Keyword group
– Email address group
– Signature
– Security configuration file
– Antivirus
– Intrusion prevention
– URL filtering
– File filtering
– Content filtering
– Application behavior control
– Mail filtering
l Network
– New logical interface
– Interface configuration
NOTE

The following interface configuration commands can be backed up:


l add interface
l alias alias
l service-manage enable
l service-manage { http | https | ping | ssh | snmp | telnet } { permit | deny }
l reset service-manage
l tunnel-protocol
– Security zone
– DNS
– IPSec
– SSL VPN
– TSM interworking


– VLAN Configuration
NOTE

The following VLAN configuration commands can be backed up:


l vlan { vlan-id | batch { vlanid [ to vlanid ] } & <1-10> }
l vlan-type dot1q vlan-id
l Static route
NOTE
The automatic backup of static routes is disabled by default. You need to run the hrp auto-sync config
static-route command to enable this function.
l System
– Administrator
– Log configuration
NOTE

The following commands cannot be backed up:


l data-flow loghost host-id ip-address ip-address [ port port-number ] [ vpn-instance vpn-instance-name ]
l data-flow loghost source ip-address ip-address [ source-port port-number ]
– Virtual system

Status Information That Can Be Synchronized


l Session table generated by the NGFW
l Server Map
l IP monitoring table
l Fragment cache table
l GTP table
l Blacklist
l PAT-based port mapping table
l NO-PAT-based address mapping table

6.1.10.2 Feature History


This section describes the versions and changes in the hot standby feature.

Version             Change Description

V100R001C30SPC100   Added the support for automatic backup of static routes.

V100R001C10         Added hot standby on IPv6 networks.

V100R001C00         The first version.


6.1.10.3 Standards and Protocols


This section describes the standards and protocols used in hot standby.
The standards are as follows:
l RFC2338: Virtual Router Redundancy Protocol (version 1, 1998)
l RFC3768: Virtual Router Redundancy Protocol (version 2, 2004)
The protocols are as follows:
l VRRP: Virtual Router Redundancy Protocol
l VGMP: VRRP Group Management Protocol
l HRP: Huawei Redundancy Protocol

6.1.11 Hot Standby FAQ


This section provides FAQs about hot standby.

6.1.11.1 FAQs on Failures

Why Are Services Interrupted After the Original Active Firewall Preempts?
Services are normal after the active/standby switchover, but services are interrupted after the
original active firewall preempts. The cause might be that the network has not converged or that
sessions are not completely backed up. Besides, if a switch fails, its interfaces may go up and
down repeatedly when the switch restarts. If the firewall preempts during this process, services
may be interrupted.
In this case, adjust the preemption delay of the original active firewall.

Why Does Active/Standby Switchover Occur Repeatedly?


Check service interface status. If the interfaces go up and down repeatedly, active/standby
switchover occurs repeatedly. If service interfaces are normal, the constant status change may
be caused by different heartbeat intervals on the two firewalls. In this case, change the intervals
to the same value.

Why Doesn't the Original Active Firewall Preempt After Recovery?
Possible causes are as follows:
l The preemption function is disabled.
l The preemption conditions are not met. The original active firewall does not immediately
preempt after recovery. Instead, it waits for a delay before the preemption. The preemption
delay is set to avoid unstable active/standby switchover.

Why Are the Same Configuration Items Arranged in Different Orders in the
Configuration Files on the Active and Standby Firewalls?
The fault usually results from inconsistent initial configurations of the two firewalls. You need
to delete the configuration items in different orders and reconfigure them.

You are advised to configure hot standby based on the default settings.

Why Are the Session Tables on the Active and Standby Firewalls Different?
Check the status of the heartbeat link. If the heartbeat link fails, the sessions on the active firewall
cannot be synchronized to the standby firewall.

If the automatic session backup function is disabled, the sessions on the two firewalls are
different. Even when the automatic session backup function is enabled, sessions are not
synchronized in real time: a session is synchronized to the standby firewall only after the session
aging thread detects that it needs to be synchronized. Therefore, established sessions are
synchronized to the standby firewall after a period (about 10 seconds).

The firewalls do not back up sessions of the following types when the automatic session backup
function is enabled:
l Sessions to the firewall
l Half-open TCP connections
l Sessions in which the first packets are UDP packets and subsequent packets are not (such
as the BitTorrent packets)

What Are the Differences Between Automatic Session Backup and Quick Session
Backup? Why Is Quick Session Backup Required in Case of Inconsistent Forward
and Return Paths?
The differences between quick session backup and automatic session backup are as follows:
l In quick session backup, sessions are synchronized to the standby firewall immediately
after being set up. In automatic session backup, only sessions that require backup and are
detected by the session aging thread are synchronized to the standby firewall.
l The quick session backup function can back up half-open TCP sessions and sessions to the
firewall.

If the forward and return paths are different, enable quick session backup to ensure that the
sessions on the two firewalls are the same.

Why Are TCP Services Interrupted When Quick Session Backup Is Enabled in Case
of Inconsistent Forward and Return Paths?
In case of inconsistent forward and return paths, the synchronization may fail or be delayed due
to traffic bursts, resulting in service delay or interruption. For example, one firewall forwards TCP
SYN packets, and the other forwards TCP ACK packets. If the session table is not synchronized,
ACK packets may be discarded.

If this condition poses great impacts on services, disable stateful inspection on the firewall.

Why Are the Sessions of the Current Active Firewall Marked with Remote After
Active/Standby Switchover?
The sessions marked with remote are synchronized from the original active firewall. After
active/standby switchover, the synchronized sessions are still marked with remote until the
sessions age out.

Why Cannot I Run Commands on the Standby Firewall?


After the active/standby status is set up on the two firewalls, you can run the commands that can
be automatically synchronized only on the active firewall, not on the standby firewall.

To manually run these commands on the standby firewall, run the undo hrp auto-sync config
command to disable the automatic synchronization function.

Why Aren't Commands Executed on the Active Firewall Synchronized to the
Standby Firewall?
If you disable the automatic configuration synchronization function, the configurations are not
synchronized. Besides, not all commands can be synchronized. For example, interface and
routing configurations cannot be synchronized.

For commands that can be synchronized, see 6.1.10.1 Commands and Status Information
That Can Be Synchronized.

Why Does the Log Server Receive NAT Session Logs from Both the Active and
Standby Firewalls?
Log configuration on the active firewall is automatically synchronized to the standby firewall.
If the log configuration is synchronized to the standby firewall, the standby firewall sends logs
to the log server.

You can perform the following steps to negate the log configuration on the standby firewall:
1. Run the undo hrp auto-sync config command to disable the automatic configuration
synchronization function.
2. Negate the log server configuration.
3. Run the hrp auto-sync config command to enable the automatic configuration
synchronization. This ensures that subsequent configurations can be automatically
synchronized to the standby firewall.

Why Does the Ping to the Virtual IP Address of the VRRP Group Fail?
Possible causes are as follows:
l VRIDs conflict.
l Pinging virtual IP addresses is disabled. Huawei firewalls enable you to ping virtual IP
addresses by default. If pinging virtual IP addresses is disabled, run the vrrp virtual-ip ping
enable command.

Why Does the Original Designated Active Firewall Become the Designated
Standby Firewall After Recovery?
To become the designated active firewall, the firewall must meet the following conditions:
l Only the firewall whose VRRP management group is in active state has the chance to
become the designated active device. (In active/standby mode, the active firewall is the
designated active firewall.)

l In load balancing mode, the designated active firewall is selected based on the priorities of
the VRRP management groups and IP addresses of heartbeat interfaces.
The designated active and standby firewalls do not switch statuses unless a fault occurs on the
designated active firewall or the designated active firewall leaves the VRRP group. This
mechanism ensures the stability of the designated active firewall.
Therefore, in load balancing mode, the original designated standby firewall becomes the
designated active firewall after the original designated active firewall fails. After the original
designated active firewall recovers, the original active VGMP group on this firewall preempts
to be the active VGMP group, but the original designated active firewall does not preempt.

6.1.11.2 FAQs on Configurations

Must I Set a Physical IP Address for the Uplink or Downlink Interface After I Set
the Virtual IP Address of the VRRP Group on the Interface?
Yes. You must set a physical IP address for the interface before you set the virtual IP address
of the VRRP group on the interface. The physical IP address and the virtual address of the VRRP
group can reside on the same network segment or different network segments.

Why Does the Active Firewall Require a Longer Preemption Delay Than That on
the Standby Firewall?
Preemption starts after the original active firewall recovers. If the preemption delay of the active
firewall is much shorter than that of the standby firewall, the active firewall may switch status
before the session entries on the standby firewall are completely synchronized to the active
firewall. As a result, some services may be interrupted. Therefore, the active firewall requires a
longer preemption delay.
Preemption does not start after the standby firewall recovers. Therefore, preemption delay is
meaningless for the standby firewall and you can use the default preemption delay.

Does a Long Preemption Delay for the Active Firewall Affect the Failure Response
Speed?
No. When the active firewall fails, services are immediately switched to the standby firewall.
After the original active firewall recovers, it must wait for the preemption delay before
preempting. During this period, the standby firewall is working. Therefore, the long preemption
delay of the active firewall does not affect the failure response speed.

How Does the Adjustment to the VGMP Hello Interval Affect the Network?
VGMP Hello packets are known as heartbeat packets and are used to check the operating status
of the active and standby firewalls. If the standby VGMP group does not receive any VGMP
Hello packet from the peer within three consecutive Hello intervals, the standby VGMP group
considers that the peer fails and switches to the active state. Therefore, a short VGMP Hello
interval enhances the failure response speed of the firewall.
However, if the interval is too short, the hot standby status may become unstable. When the CPU
is overloaded, the task of sending VGMP Hello packets cannot be scheduled, resulting in a false
switchover. Therefore, the default value, 1 second, is recommended.

What Should I Pay Attention to When Configuring IPSec VPN in Hot Standby
Networking?
l The service interfaces (including VLANIFs) connecting the firewall to upstream and
downstream devices must work at Layer 3.
l Before configuring IPSec VPN, you must establish the hot standby status. The IPSec policy
configured on the active firewall will be automatically synchronized to the standby one.
On the standby firewall, you only need to apply the synchronized IPSec policy to the
outgoing interface.
l If the firewall serves as the initiator of the IPSec tunnel, you must run the local-address
ip-address command to specify the virtual IP address of the VRRP group as the IP address
for IPSec negotiation.
l Configure DPD to delete the tunnel that has been established on the original active firewall
after an active/standby switchover to prevent packet loss.

Must the Heartbeat Interfaces Be Directly Connected?


No. The heartbeat interfaces can be connected either directly or through intermediate devices,
such as switches or routers. Direct connection between the heartbeat interfaces is
recommended.

If the heartbeat interfaces are connected through intermediate devices, set remote to specify the
IP address of the peer heartbeat interface when configuring a heartbeat interface.

If you do not set remote, the NGFW encapsulates heartbeat packets into VRRP packets before
sending them. Because VRRP packets are sent in multicast mode, some switches and routers
send received VRRP packets to their CPUs for processing, which consumes CPU resources.
Heartbeat packets increase with services on the NGFW, causing high CPU usage on the switches
and routers. Meanwhile, the switches and routers also process other packets sent in multicast
mode, such as OSPF packets, which compromises services. As a result, heartbeat packets from
the NGFW are discarded, and the NGFW status is not stable.

After you set remote, the NGFW encapsulates heartbeat packets into UDP packets. The switches
and routers do not send UDP packets to their CPU, which has no impact on device performance
and services.

Is Security Policy Required to Permit Packets Between the Local Zone and the Zone
Where the Heartbeat Interface Resides?
l If you do not configure remote when you configure the heartbeat interface, the heartbeat
packets are encapsulated into VRRP packets, and the NGFW that has no security policy
can properly process backup packets.
l If you configure remote when you configure the heartbeat interface, the heartbeat packets
are encapsulated into UDP packets, and a correct security policy needs to be configured for
the interzone between the Local zone and the security zone where the heartbeat interfaces
reside, which enables the NGFW to properly send and receive the heartbeat packets.

6.1.11.3 FAQs on Mechanism

What Determines the Active and Standby Status of Firewalls in Load Balancing
Mode?
In load balancing mode, the firewall on which hot standby is enabled first is the designated active
firewall.

On a Hot Standby Network, What Do Designated Active Device and Designated
Standby Device Stand For?
In load balancing mode, each firewall belongs to an active VGMP group.

To ensure that configurations are correctly synchronized, the concepts of designated active
device and designated standby device are introduced. The firewall that sends synchronization
messages is called the designated active device (marked as HRP_A in the command prompt),
and the one that receives synchronization messages is called the designated standby device
(marked as HRP_S in the command prompt).

Commands that can be automatically synchronized can be executed only on the designated active
device.

On a Hot Standby Network, Which Packets Are Used by Upstream and
Downstream Layer-2 Devices to Learn the Port for the Virtual MAC Addresses?
The active firewall periodically sends VRRP advertisement messages. The source MAC address
of these packets is the virtual MAC address of the VRRP group. The upstream and downstream
Layer-2 devices learn the port mapped to the virtual MAC address through the VRRP
advertisement messages.

On a Hot Standby Network, Which Packets Are Used by Upstream and
Downstream Layer-3 Devices to Learn the MAC Address of a Virtual IP Address?
To forward packets, upstream and downstream Layer-3 devices look up the routing table for the
next hop, that is, the virtual IP address of the VRRP group. Then the devices look up the ARP
table for the MAC address of the virtual IP address. If no match is found, the devices broadcast
an ARP request. Only the active firewall responds to ARP requests.

In the ARP reply, the source MAC address in the Ethernet header is the virtual MAC address of
the VRRP group. Upstream and downstream Layer-3 devices learn the virtual MAC address
mapped to the virtual IP address through the ARP reply.

Upstream and downstream devices use the virtual MAC address as the destination MAC address
when sending packets to the firewall.

What Are Differences Between hrp auto-sync and hrp sync?


hrp auto-sync automatically synchronizes all subsequent configurations and status entries to
the standby firewall. hrp auto-sync is enabled by default. The command does not synchronize
existing configurations and status entries.

hrp sync immediately synchronizes the existing configurations and status entries from the active
firewall to the standby firewall. The command takes effect immediately and does not affect
subsequent configurations and status entries.

How Are Interface Priorities Calculated?


The firewall has two default VGMP groups: active and standby VGMP groups. The default
priority of the active VGMP group is 65001, and that of the standby VGMP group is 65000.

The priority of the VGMP group is lowered by 2 only when:


l A physical interface in the VGMP group fails.
l An Eth-Trunk interface in the VGMP group fails. The failure of a member interface of the
Eth-Trunk does not affect the priority of the VGMP group.
l A member interface of the VGMP group in a VLAN fails.
l A member interface of an IP-Link fails.
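The priority arithmetic above, the three-missed-Hello rule from the VGMP Hello interval FAQ and the preemption delay, modelled in Python as an added example (this is not Huawei code). The Tracked class, the function names, the 60-second delay and the interface names used in walk_through() are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Values taken from the guide: default VGMP group priorities, the penalty per
# failed tracked object, and the number of consecutive missed VGMP Hello
# packets after which the peer is considered failed.
DEFAULT_ACTIVE_PRIORITY = 65001
DEFAULT_STANDBY_PRIORITY = 65000
PRIORITY_PENALTY = 2
HELLO_MISS_LIMIT = 3


@dataclass
class Tracked:
    """One object the VGMP group tracks (assumed class, not an NGFW object):
    a physical interface, an Eth-Trunk, a VLAN member interface or an IP-Link."""
    name: str
    kind: str                      # "physical", "eth-trunk", "vlan-member", "ip-link"
    up: bool = True
    members_up: List[bool] = field(default_factory=list)   # Eth-Trunk members only

    def failed(self) -> bool:
        if self.kind == "eth-trunk":
            # The Eth-Trunk counts as failed only when no member is left up;
            # losing a single member does not change the VGMP priority.
            return not any(self.members_up)
        return not self.up


def vgmp_priority(default_priority: int, tracked: List[Tracked]) -> int:
    """VGMP group priority: the default value minus 2 per failed tracked object."""
    failed = sum(1 for obj in tracked if obj.failed())
    return default_priority - PRIORITY_PENALTY * failed


def vgmp_role(local_priority: int, peer_priority: int, hellos_missed: int,
              current_role: str, preempt_ok: bool = True) -> str:
    """Decide whether the local VGMP group is "active" or "standby".

    A peer silent for HELLO_MISS_LIMIT consecutive Hello intervals is treated as
    failed. Otherwise the higher priority wins. preempt_ok is False while a
    recovered firewall is still inside its preemption delay (or preemption is
    disabled): it then stays standby even with the higher priority. On a tie the
    current role is kept (a modelling assumption; the guide gives no tie rule
    for active/standby mode)."""
    if hellos_missed >= HELLO_MISS_LIMIT:
        return "active"
    if local_priority > peer_priority:
        if current_role == "standby" and not preempt_ok:
            return "standby"
        return "active"
    if local_priority < peer_priority:
        return "standby"
    return current_role


def preempt_allowed(preempt_enabled: bool, seconds_since_recovery: float,
                    preempt_delay_s: float) -> bool:
    """A recovered firewall preempts only when preemption is enabled and the
    configured preemption delay has elapsed."""
    return preempt_enabled and seconds_since_recovery >= preempt_delay_s


def walk_through() -> List[Tuple[str, int, int, str]]:
    """Constructed scenario for firewall A (active) and B (standby): an Eth-Trunk
    member drops, then a tracked service interface fails, then A recovers and
    waits out a 60-second preemption delay (delay and interface names assumed).
    Returns (step, priority_A, priority_B, role_A) per step."""
    a = [Tracked("GE1/0/1", "physical"),
         Tracked("Eth-Trunk1", "eth-trunk", members_up=[True, True])]
    b = [Tracked("GE1/0/1", "physical"),
         Tracked("Eth-Trunk1", "eth-trunk", members_up=[True, True])]
    role_a = "active"
    steps: List[Tuple[str, int, int, str]] = []

    def evaluate(label: str, preempt_ok: bool = True) -> None:
        nonlocal role_a
        pri_a = vgmp_priority(DEFAULT_ACTIVE_PRIORITY, a)
        pri_b = vgmp_priority(DEFAULT_STANDBY_PRIORITY, b)
        role_a = vgmp_role(pri_a, pri_b, 0, role_a, preempt_ok)
        steps.append((label, pri_a, pri_b, role_a))

    evaluate("healthy")                                  # 65001 > 65000: A active
    a[1].members_up[0] = False                           # one trunk member down
    evaluate("trunk member down")                        # no penalty: A still active
    a[0].up = False                                      # tracked interface down: -2
    evaluate("GE1/0/1 down")                             # 64999 < 65000: switchover
    a[0].up = True                                       # A recovered, delay starts
    evaluate("recovered, 10 s", preempt_allowed(True, 10, 60))   # still standby
    evaluate("recovered, 60 s", preempt_allowed(True, 60, 60))   # A preempts
    return steps


if __name__ == "__main__":
    for step in walk_through():
        print("%-20s A=%d B=%d -> A is %s" % step)
```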

Why Cannot Easy IP Be Deployed with Hot Standby?


You cannot specify the VRID in Easy IP implementation. In normal cases, the active firewall
uses the IP address of its outgoing interface as the public address to set up sessions. After active/
standby switchover, the standby firewall also uses the IP address of its outgoing interface as the
public address. In this case, the sessions synchronized from the active firewall do not match the
IP address of the outgoing interface on the standby firewall. As a result, services are interrupted.

6.1.11.4 FAQs on Specifications

How Long Does Active/Standby Switchover Take?


The duration of active/standby switchover depends on the triggering condition.
l If the active/standby switchover is caused by an interface or link fault, the switchover
completes within milliseconds.
l If the active/standby switchover is caused by a device failure, the switchover completes
within three heartbeat intervals.

Can the Virtual IP Address of a VRRP Group Be Added to the NAT Address Pool?
Yes. If the virtual IP address of the VRRP group is the only public IP address for the intranet,
you can add the virtual IP address to the NAT address pool.

Which Types of Interfaces Can Be Used as Service Interfaces? Which Types of
Interfaces Can Be Used as Heartbeat Interfaces?
Table 6-5 shows whether each type of interface can be used as a service interface or a heartbeat
interface.

Table 6-5 Common interfaces

Interface Type        Service Interface            Heartbeat Interface
10GE interface        Supported and recommended    Supported and recommended
GE interface          Supported and recommended    Supported and recommended
Eth-Trunk interface   Supported and recommended    Supported and recommended
Subinterface          Supported                    Supported but not recommended
Vlanif interface      Supported                    Supported but not recommended

If you use a subinterface as a service interface, you must add the subinterface, not the physical
interface, to the VRRP group or VGMP group.

Can the Virtual MAC Address Be Used as the Source MAC Address of Packets?
Yes. By default, the firewall uses the physical MAC address to encapsulate Layer-3 service
packets. To use the virtual MAC address, run the vrrp virtual-mac enable command in the
interface view.

On a Hot Standby Network, Can Upstream and Downstream Devices Be Layer-4
Switches?
Yes. In this situation, the firewall must use the virtual MAC address to encapsulate service
packets. Otherwise, services are interrupted after active/standby switchover.

By default, the firewall uses the physical MAC address to encapsulate service packets. On hot
standby networks, Layer-4 switches establish a connection status table to record the source MAC
address (that is, the MAC address of the service interface on the active firewall) in the packets
forwarded by the firewall. Layer-4 switches forward packets based on the connection status
table. During active/standby switchover, Layer-4 switches do not automatically refresh MAC
addresses in the connection status table. Therefore, packets are sent to the original active firewall
if the physical MAC address is used. As a result, services are interrupted.

If the virtual MAC address is used, the connection status tables on Layer-4 switches record the
virtual MAC address. After active/standby switchover, Layer-4 switches can forward service
packets to the new active firewall.

Corresponding to the virtual IP address, the virtual MAC address is automatically generated
based on the VRID in either of the following formats:

l IPv4: 00-00-5E-00-01-{VRID}
l IPv6: 00-00-5E-00-02-{VRID}

On a service interface of the firewall, you can run the following command to use the virtual
MAC address to encapsulate service packets.
<sysname> system-view
[sysname] interface GigabitEthernet 1/0/1
[sysname-GigabitEthernet1/0/1] vrrp virtual-mac enable

6.1.11.5 FAQs on Miscellaneous Issues

How Can I Test Active/Standby Switchover?


Active/standby switchover is performed once the priorities of VGMP groups change. The
priorities cannot be manually changed. You can use either of the following methods to change
the priorities:
l Manually disable a member interface in the VRRP group on the active firewall to trigger
active/standby switchover. If the switchover fails, services are interrupted.
l Manually disable an idle interface on the active firewall and run the hrp track active
command to add the interface to the active VGMP group.

How Do I Update the Signature Database on the Standby Firewall?


The commands for online signature database updates can be automatically synchronized to the
standby firewall. The active and standby firewalls download the latest signature database as
scheduled from the security center. Besides, when you manually update the signature database
on the active firewall, the update is automatically implemented on the standby firewall.

Does Hot Standby Require a License?


The hot standby function does not require a license.

If other services require a license, ensure that licenses with the same specifications are activated
on both the active and standby firewalls. Otherwise, services may be interrupted.

6.2 Bypass
An electrical bypass function can be enabled to avoid network communication interruption
caused by an NE failure and improve network reliability. The bypass function requires an
installed bypass interface card.

6.2.1 Overview
This section describes the background and basic principles of bypass.

If an NGFW is deployed on a network in in-line mode, once the NGFW stops functioning, the
network services are interrupted, and the consequences may be enormous. Sometimes, the loss
is disastrous.

To minimize the impact of this failure and improve network reliability, a bypass interface card
can be installed on the NGFW. When the NGFW is powered off or faulty, the bypass interface
card directly connects to the upstream and downstream devices. In this way, the traffic directly
passes through the NGFW without detection or blocking, and the services are not interrupted.
After the NGFW recovers, the traffic is taken over by the NGFW for processing and forwarding,
and the traffic security is restored.

The NGFW supports the electrical bypass interface card: E4BY interface card, that is, 4-port 2-
link 10/100/1000M adaptive electrical bypass interface card.

On an E4BY interface card (the 4 x GE electrical bypass interface card), GE0 and GE1, and GE2
and GE3, form two pairs of bypass interfaces. When bypass interfaces work at Layer 2, they
provide the electrical bypass function. When the NGFW is powered off or faulty, these interfaces
are in bypass state. In this case, the traffic passes between the devices at both sides, not the
NGFW itself, realizing direct interconnection.

The following takes a pair of bypass interfaces (GE0 and GE1) as an example to show data flows
in both bypass and non-bypass states.

As shown in Figure 6-44, GE0 connects to Router_A and GE1 to Router_B. When interfaces
work in non-bypass state, the traffic flows from Router_A to the NGFW through GE0. After the
processing is complete, the traffic flows from GE1 on the NGFW to Router_B. The reverse also
works. When interfaces work in bypass state, the traffic flows from Router_A to the NGFW
through GE0. Then it directly flows to Router_B through GE1 without being processed by the
NGFW. That is, Router_A directly connects to Router_B.

Figure 6-44 Schematic diagram of data flows in bypass and non-bypass states
[Figure: two panels, "Non-bypass state" and "Bypass state", each showing Router_A - GE0 -
NGFW - GE1 - Router_B with the data flow marked]

6.2.2 Restrictions and Precautions


Read this section carefully before you configure Bypass.

To minimize the service interruption during the switchover of the bypass working mode,
set the duplex mode of the bypass ports and their upstream and downstream ports to full duplex.

6.2.3 Bypass Function of the Electrical Interface


When the four interfaces on the 4 x GE electrical bypass interface card work in non-bypass state,
they function the same as GE Ethernet electrical interfaces. In bypass state, the two pairs of
adjacent bypass interfaces (formed by GE0 and GE1, and by GE2 and GE3) are directly
connected.

6.2.3.1 Configuring the Electrical Bypass Using the Web


This section describes how to configure the electrical bypass using the Web.

Context
Before you configure an electrical bypass function, ensure that a bypass interface card with
electrical interfaces is installed on the device.

l When the interfaces are in bypass state, the upstream and downstream devices are connected
directly by a pair of bypass interfaces, and traffic is not processed by the local device.
l When the interfaces are not in bypass state, a pair of bypass interfaces are not directly
connected, and traffic is processed by the local device.

By default, the interfaces are not in bypass state.

The interfaces can be switched to the bypass state by either of the following two methods:

l Automatic mode
– Hardware mode: When the device is powered off and the relay automatically closes,
the interface is switched to the bypass state.
– Software mode: When the device is restarted, and the detection over the heartbeat with
the main board is enabled, the interface switches to the bypass state in the case that the
heartbeat is lost.
l Manual mode
In software mode, the interface can be manually switched to the bypass state.

When interfaces work in bypass state, services are not interrupted, for they are not processed by
the NGFW. That causes certain potential security risks. It is recommended that you rectify the
fault immediately to restore interface to the non-bypass state.

Procedure
Step 1 Choose System > High Availability > Bypass.

Step 2 On the Electrical Bypass List interface click corresponding to a pair of interfaces.

Step 3 Configure the automatic recovery and status switchover functions.

Parameter Description

Automatic Recovery Enables the automatic recovery of the bypass status.


l With the automatic recovery function enabled, after a device
restores to normal, the interfaces are automatically switched
back to non-bypass state.
l With the automatic recovery function disabled, after a device
restores to normal, the interfaces remain in bypass state.

Status Switchover Switches the bypass status manually.


l With the status switchover function enabled, the interfaces
are in bypass state, and the bypass status is switch.
l With the status switchover function disabled, the interfaces
are in non-bypass state, and the bypass status is no-switch.

Step 4 Click OK.

----End

6.2.3.2 Configuring the Electrical Bypass Using the CLI


This section describes how to configure the electrical bypass using the CLI.

Context
Before you configure an electrical bypass function, ensure that a bypass interface card with
electrical interfaces is installed on the device.

l When the interfaces are in bypass state, the upstream and downstream devices are connected
directly by a pair of bypass interfaces, and traffic is not processed by the local device.
l When the interfaces are not in bypass state, a pair of bypass interfaces are not directly
connected, and traffic is processed by the local device.

By default, the interfaces are not in bypass state.

The interfaces can be switched to the bypass state by either of the following two methods:

l Automatic mode
– Hardware mode: When the device is powered off and the relay automatically closes,
the interface is switched to the bypass state.
– Software mode: When the device is restarted, and the detection over the heartbeat with
the main board is enabled, the interface switches to the bypass state in the case that the
heartbeat is lost.
l Manual mode
In software mode, the interface can be manually switched to the bypass state.

When interfaces work in bypass state, services are not interrupted, for they are not processed by
the NGFW. That causes certain potential security risks. It is recommended that you rectify the
fault immediately to restore interface to the non-bypass state.

Procedure
Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

bypass-link bypass-link-number

The configuration view of the bypass interface is displayed.

Step 3 Run:

switch bypass

The interface is switched to the bypass state.

By default, the interface is in non-bypass state.

Step 4 Optional: Run:

auto-recover

The automatic recovery of the bypass state is enabled.

When the automatic recovery of the bypass state is enabled, and the interface automatically
switches to the bypass state due to device breakdown or fault, the interface automatically
switches to the non-bypass state after the device restores to normal.

If the automatic recovery of the bypass state is disabled, an interface that automatically switched
to the bypass state remains in bypass state.

By default, the function is enabled.

----End

Follow-up Procedure
Run the display bypass command to display the bypass state of the interface.
<NGFW> display bypass
Interface-1 Interface-2 BYPASS-Switch
2/0/0 2/0/1 switch
2/0/2 2/0/3 no switch

6.2.4 Feature History


This section describes the versions and changes in the bypass feature.

Version Change Description

V100R001C00 The first version.

6.3 Link-group
In link-group, multiple physical interfaces are bound to a logical group to ensure the status
consistency of the interfaces in the group.

6.3.1 Introduction
This section describes the definition and purpose of link-group.

Definition
A link-group is used to bind the state of several physical interfaces to form a logical group. If
one of the interfaces within the logical group is faulty, the system sets the state of the other
interfaces as Down. After all the interfaces are functional, the system resets the state of the
interfaces within the logical group as Up.

Purpose
The Link-group management group ensures the status consistency of the physical interfaces in
the group, and accelerates the route convergence when the link is faulty.

6.3.2 Configuring Link-group


A link-group is used to allocate multiple interfaces to a logical group, thus ensuring the
consistency of the status of interfaces in the group.

Prerequisites
Set the IP addresses of interfaces and add the interfaces to security zones.

Context
The link group function binds the status of several interfaces to form a logical group. If one
interface in the logical group is faulty, the system changes the status of the other interfaces to
Down. After all the interfaces recover, the system changes the status of the interfaces to Up. The
link group function ensures that the status of the upstream and downstream interfaces is
consistent, avoiding inconsistent upstream and downstream paths upon
active/standby switchover.

Procedure
Step 1 Run:

system-view

The system view is displayed.

Step 2 Run:

interface interface-type interface-number

The interface view is displayed.

Step 3 Run:

link-group link-group-id

The interface is added to the link-group.

By default, the system is not configured with the link-group management group.

----End

Follow-up Procedure
Run the display link-group link-group-id command to check the configuration of the link-group.
<NGFW> display link-group 1
link group 1, total 2, fault 0
GigabitEthernet1/0/2 : up
GigabitEthernet1/0/1 : up


6.3.3 Feature History


This section describes the versions and changes in the Link-group feature.

Version Change Description

V100R001C00 The first version.

6.4 IP-link
IP-link, automatic service link reachability detection, detects the status of the links indirectly
connected to the device.

6.4.1 Introduction
This section describes the definition and purpose of IP-link.

Definition
With IP-link, the NGFW periodically sends ICMP echo request packets or ARP request packets to a
specific destination IP address and waits for the responses. If it receives no response packet
within the specified interval (3 seconds by default), the NGFW considers the current link faulty
and performs the subsequent link-fault operations. If it then receives three successive response
packets within the configured time limit through the link that was considered faulty, the NGFW
considers that the link has recovered and performs the subsequent link-recovery operations.
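The detection rules just described (one missed response within the timer interval marks the link Down, three successive responses bring it back Up) and the effect of a tracked Down link on a VGMP management group, as an added Python simulation that is not part of the Huawei guide. The probe log, the base priority of 100 and the rule that a switchover follows once the active group's priority drops below the standby group's are assumptions made for this example; the reduction of 2 per Down IP-link is the value stated in the hot-backup example later in this chapter.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

DEFAULT_TIMER = 3       # seconds; the default (recommended) detection interval
RECOVERY_REPLIES = 3    # successive replies needed before a Down link is Up again
VGMP_PENALTY = 2        # priority lost per tracked IP-link that is Down


@dataclass
class IPLink:
    link_id: int
    destination: str
    timer: int = DEFAULT_TIMER
    state: str = "up"
    good_replies: int = 0
    transitions: List[Tuple[float, str]] = field(default_factory=list)

    def probe(self, sent_at: float, reply_at: Optional[float]) -> str:
        """Account for one ICMP echo request / ARP request sent at sent_at.

        reply_at is when the response arrived, or None if none came.
        Assumption: a response later than timer seconds after the request
        counts as no response."""
        replied = reply_at is not None and reply_at - sent_at <= self.timer
        if not replied:
            self.good_replies = 0                 # recovery count restarts from zero
            if self.state == "up":
                self.state = "down"               # one miss marks the link faulty
                self.transitions.append((sent_at, "down"))
        else:
            self.good_replies += 1
            if self.state == "down" and self.good_replies >= RECOVERY_REPLIES:
                self.state = "up"                 # three in a row: link recovered
                self.transitions.append((sent_at, "up"))
        return self.state


@dataclass
class VGMPGroup:
    """Management group configured with hrp track ip-link <id> active|standby."""
    role: str
    base_priority: int
    tracked: List[IPLink] = field(default_factory=list)

    def priority(self) -> int:
        down = sum(1 for link in self.tracked if link.state == "down")
        return self.base_priority - VGMP_PENALTY * down


def run_scenario() -> Dict[str, object]:
    """Replay a constructed probe log for IP-link 1 (destination 1.1.1.1, the
    router interface from Figure 6-45) on the active NGFW and report what the
    tracked VGMP group sees."""
    link = IPLink(link_id=1, destination="1.1.1.1")
    active = VGMPGroup("active", base_priority=100, tracked=[link])   # 100 is constructed
    standby = VGMPGroup("standby", base_priority=100)                # tracks no Down link here
    probe_log = [                    # (request sent, reply arrived or None); constructed
        (0, 0.01), (3, 3.02),
        (6, None),                   # no reply within 3 s -> Down at t=6
        (9, 9.01), (12, 12.01),      # two good replies ...
        (15, None),                  # ... a miss resets the recovery count
        (18, 18.01), (21, 21.01), (24, 24.02),   # three in a row -> Up at t=24
        (27, 30.5),                  # reply 3.5 s late counts as a miss -> Down at t=27
    ]
    priority_timeline = []
    for sent_at, reply_at in probe_log:
        link.probe(sent_at, reply_at)
        priority_timeline.append((sent_at, active.priority()))
    return {
        "transitions": link.transitions,
        "final_state": link.state,
        "active_priority": active.priority(),
        "standby_priority": standby.priority(),
        # Assumption: the switchover fires once the active group's priority
        # falls below the standby group's.
        "switchover": active.priority() < standby.priority(),
        "priority_timeline": priority_timeline,
    }
```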

Purpose
IP-link, automatic service link reachability detection, detects the status of the links indirectly
connected to the NGFW to ensure service continuity.

6.4.2 Application Scenario


This section describes the application scenario of IP-link.

IP-link mainly applies to the following scenarios:

Dual-system hot backup


If the NGFW works in dual-system hot backup networking, you can configure the VGMP
management group to monitor IP-link so that a fault affecting services is detected. When the
IP-link goes Down, the NGFW adjusts the priority of the VGMP management group to trigger the
active/standby switchover, ensuring service continuity.

After the VGMP management group is configured to monitor IP-link, faults on links or interfaces
indirectly connected to the NGFW can be identified. As shown in Figure 6-45, if the interface
(with IP address 1.1.1.1/24) of the router in the Untrust zone is faulty and IP-link is enabled, the
system automatically triggers the active/standby switchover to ensure service continuity.


Figure 6-45 Networking diagram of IP-link (figure not reproduced: NGFW_A and NGFW_B sit between the Trust and Untrust zones; the monitored router interface in the Untrust zone has IP address 1.1.1.1/24)

Static routing environment


When IP-link detects a link fault, the NGFW adjusts its static routes accordingly so that traffic
always uses the highest-priority route that is still reachable, which keeps service continuity.

As shown in Figure 6-46, when intranet users access the Internet, two static routes are available.
One route is bound with IP-link. When this link is faulty, the traffic is switched to the other,
ensuring the normal running of services.

Figure 6-46 IP-link in the static routing environment (figure not reproduced: the intranet connects to NGFW GE1/0/2 192.168.1.1/24; NGFW GE1/0/1 10.10.1.1/24 connects through a switch to Router 1 10.10.1.2/24, which is monitored by IP-Link 1, and to Router 2 10.10.1.3/24)

Policy-based routing environment


PBR cannot sense the reachability of the links of the next hop and default next hop. When the
link of the next hop or default next hop is unreachable and the device adopts the settings of the
next hop or the default next hop for packet forwarding, the packet forwarding may fail.

Interworking PBR with IP-link solves this problem and improves the flexibility of PBR and its
ability to sense changes in the network. When you configure IP-link, ensure that the destination
IP address of the monitored link is the same as the next hop or default next hop specified in PBR,
and associate the policy-based routes with the IP-links. IP-link monitors the reachability of the
next-hop and default-next-hop links and dynamically determines the availability of the
policy-based routes from the IP-link state.
- When an IP-link is Up, the link is reachable, and the next hop and default next hop settings
  take effect for packet forwarding.
- When an IP-link is Down, the link is unreachable, the next hop and default next hop settings
  are invalid, and packets are forwarded without the policy-based route. The device continues
  to search the routing table for a route to forward the packets, ensuring service continuity.

DHCP Client environment


As shown in Figure 6-47, the NGFW serves as the egress gateway and has dual uplinks. On the
active link, the NGFW acts as a DHCP client to obtain an IP address. The standby link is a PPPoE
link. When IP-link monitors the link behind the DHCP server, the NGFW uses the gateway address
obtained from the DHCP server as the next hop of the IP-link. Once the link behind the DHCP
server is detected as faulty, the NGFW is switched to the standby link.

Figure 6-47 IP-link in the DHCP Client environment (figure not reproduced: the intranet connects to the NGFW, which acts as a DHCP client on the active uplink towards the DHCP server, monitored by IP-Link 1, and uses PPPoE on the standby uplink)

6.4.3 Configuring IP-Link


This section describes how to configure IP-link.

Context
IP-link, automatic service link reachability detection, detects the status of the links indirectly
connected to the NGFW to ensure service continuity.

When multiple IP links are configured on a device, the IP links send link detection packets
concurrently. As a result, the CPU usage increases dramatically. To resolve this problem, enable
the IP-Link group function to add IP links to an IP-Link group. The IP links of the IP-Link group
send link detection packets in batches within the interval to reduce the CPU usage.

Procedure
Step 1 Run:

system-view

The system view is displayed.

Step 2 Configure an IPv4 or IPv6 IP-link based on networking.


- Create an IPv4 IP-link.
  ip-link link-id [ vpn-instance vpn-instance-name ] destination { ip-address | domain-name } [ interface interface-type interface-number ] [ timer interval ] [ mode { icmp [ next-hop { nexthop-address | dhcp | dialer } ] | arp } ]
- Create an IPv6 IP-link.
  ip-link link-id ipv6 destination { ipv6-address | domain-name } [ interface interface-type interface-number ] [ timer interval ] [ mode { icmpv6 [ next-hop nexthop-ipv6-address ] | ns } ]

NOTE
Using the default timer value (3s) for IP-link detection is recommended. A smaller value may cause IP-link
flapping.

Step 3 Configure the following items based on the number of IP-links on the device.
NOTE

The IP-link function and the IP-link group function cannot be enabled concurrently. When the IP-link
function is enabled, the IP-links that have been added to an IP-link group become invalid, and the
IP-links that have not been added to a group remain valid.
- When the number of IP-links on the device is larger than 32, you must run the ip-link group
  enable command to enable the IP-link group function and then configure the following:

  1. Run:
     ip-link group add linkid beginlinkID [ to endlinkID ]
     Add multiple IP-links to an IP-link group.
  2. Run:
     ip-link group interval interval
     Configure the interval at which the IP-link group sends detection packets.
     Increasing the interval reduces the CPU load, but the link detection sensitivity
     decreases.
- When the number of IP-links is less than 32, run the ip-link check enable command to
  enable the IP-link function. Alternatively, you can enable the IP-link group function.

----End

6.4.4 Configuring the Interworking Between IP-Link and Other Functions
This section describes how to configure the interworking between IP-link and other functions.

6.4.4.1 Configuring the Interworking Between IP-Link and Dual-system Hot Backup
After the interworking between IP-link and dual-system hot backup is configured, the
NGFW can detect the status of the links that are not directly connected to it. When one
link is faulty, a route switchover or active/standby switchover is triggered.


Prerequisites
Complete the configuration of the IP-link function. For details, see 6.4.3 Configuring IP-Link.

Context
After the link reachability check function is configured, the NGFW periodically sends ICMP
echo request packets or ARP request packets to the specified destination IP address to detect the
status of the link that is not directly connected to the NGFW. If the NGFW receives no
response packet within the specified time limit (3 seconds by default), it considers that the link
has failed and performs the link-fault follow-up operations. If the NGFW then receives three
successive response packets within the time limit through the link that was considered faulty,
it considers that the link has recovered and performs the link-recovery follow-up operations.

In dual-system hot backup networking, after the IP-link reachability check is enabled and the
VGMP management group is configured to monitor IP-link, the VGMP management group module
decides, when the link indirectly connected to the NGFW fails, whether to trigger the failover
of the active and standby NGFWs, relying on the configuration commands and session state
information that are synchronously backed up between them.

NOTE

If the NGFW connects to the upstream and downstream devices through GE optical interfaces and
those devices do not support auto-negotiation, the NGFW cannot detect the failure of a single
optical fiber. If the IP-link reachability check is enabled and the VGMP management group is
configured to monitor the IP-link, the VGMP management group priority of the active NGFW is
reduced and the active/standby switchover occurs when a single optical fiber fails.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:

hrp track ip-link iplink-id { active | standby }

You can configure the active management group or the standby management group to monitor the
status of an IP-link.

On the active device, configure the Active management group to monitor IP-link status. On the
standby device, configure the Standby management group to monitor IP-link status.

----End

Follow-up Procedure
Run the display ip-link command to display the information about the IP-Link that interworks
with dual-system hot backup.
<sysname> display ip-link
num  state  timer  vpn-instance  ip-address  interface-name  mode  vgmp    next-hop
11   down   3                    10.1.1.111                  icmp  active

When IP-link is in Up state, the monitored link works properly. When IP-link is in Down state,
the monitored link is disconnected.

6.4.4.2 Configuring the Interworking Between IP-Link and Static Routes


This section describes the procedure and precautions for configuring the interworking between
IP-Link and static routes.

Prerequisites
Complete the configuration of the IP-link function. For details, see 6.4.3 Configuring IP-Link.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip route-static ip-address { mask | mask-length } { nexthop-address | interface-type interface-number [ nexthop-address ] } [ preference preference ] track ip-link link-id [ description description ]

Configure the interworking between IP-Link and static routes.

----End

Follow-up Procedure
Run the display ip-link command to display the information about the IP-Link that interworks
with static routes.
<sysname> display ip-link
num  state  timer  vpn-instance  ip-address  interface-name  mode  vgmp    next-hop
11   down   3                    10.1.1.111                  icmp  active

When IP-link is in Up state, the monitored link works properly. When IP-link is in Down state,
the monitored link is disconnected.

6.4.4.3 Configuring the Interworking between PBR and IP-Link


This section describes the procedure and precautions for configuring the interworking between
PBR and IP-Link.

Prerequisites
Complete the configuration of the IP-link function. For details, see 6.4.3 Configuring IP-Link.


Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
policy-based-route

Accesses the view of the PBR policy.


Step 3 Run:
rule name rule-name

Create a PBR rule and access its view.


Step 4 Run:
track ip-link link-id

Configure the Interworking between PBR and IP-Link.

NOTE

A PBR rule can interwork with either IP-link or BFD.

----End

Follow-up Procedure
Run the display ip-link command to display the information about the IP-Link that interworks
with PBR.
<sysname> display ip-link
num  state  timer  vpn-instance  ip-address  interface-name  mode  vgmp  next-hop
1    up     3                    10.1.2.1                    icmp  none
2    up     3                    10.1.3.1                    icmp  none

When IP-link is in Up state, the monitored link works properly. When IP-link is in Down state,
the monitored link is disconnected.

6.4.4.4 Configuring the Interworking between DHCP and IP-Link


This section describes the procedure and precautions for configuring the interworking between
DHCP and IP-Link.

Prerequisites
Complete the configuration of the IP-link function. For details, see 6.4.3 Configuring IP-Link.

Context
In dual-uplink networking, if active/standby switchover between links is required, the active
link must be assigned a higher-priority route. The smaller the preference value, the higher the
priority. When the device acts as a DHCP client, the priority of the default route obtained from
the DHCP server is 245. In dual-uplink networking, if the active link is in DHCP mode and the
standby link is in another mode, the route priority value of the standby link must be larger
than 245. With the interworking between DHCP and IP-link, the system disconnects the DHCP link
upon identifying its fault, and traffic is switched to the standby link.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
dhcp client enable track ip-link ip-link-id

DHCP is associated with the IP-Link.

----End

Follow-up Procedure
Run the display ip-link command to display the information about the IP-Link that interworks
with DHCP.
<sysname> display ip-link
num  state  timer  vpn-instance  ip-address  interface-name  mode  vgmp  next-hop
1    up     3                    10.1.1.1    GE1/0/1         icmp  none  dhcp

When IP-link is in Up state, the monitored link works properly. When IP-link is in Down state,
the monitored link is disconnected.

6.4.5 Maintaining IP-Link


After configuring IP-link, you can run the display commands to view the related configuration.
You can also enable the debugging function if necessary.

Checking IP-Link Configuration


Table 6-6 shows the operations related to checking the IP-link configuration.

Table 6-6 Checking IP-link configuration

Action                                    Command

Check the configuration of and status     display ip-link [ vpn-instance vpn-instance-name ] [ link-id ]
information about IP-link.
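An added example, not part of the Huawei guide, that parses the display ip-link output shown in this chapter and lists the Down IP-links that a VGMP management group is tracking, which is what a monitoring job would alert on. The sample output, the VPN instance name vpn_a and the IPv6 row are constructed; the parser assumes the destination is the only token before the mode column that contains a dot or a colon.

```python
from typing import Dict, List

# Constructed sample, modelled on the display ip-link output shown in this chapter.
SAMPLE_OUTPUT = """\
<sysname> display ip-link
num  state  timer  vpn-instance  ip-address    interface-name  mode    vgmp     next-hop
1    up     3                    10.1.1.1      GE1/0/1         icmp    none     dhcp
2    up     3      vpn_a         10.1.2.1                      icmp    none
11   down   3                    10.1.1.111                    icmp    active
12   down   3                    2001:db8::1                   icmpv6  standby  2001:db8::fe
"""

MODES = {"icmp", "arp", "icmpv6", "ns"}      # detection modes of the ip-link command
COLUMNS = ("num", "state", "timer", "vpn-instance", "ip-address",
           "interface-name", "mode", "vgmp", "next-hop")


def _is_destination(token: str) -> bool:
    # Assumption: the destination (IPv4, IPv6 or domain name) is the only
    # token before the mode column that contains a dot or a colon.
    return "." in token or ":" in token


def parse_ip_link(output: str) -> List[Dict[str, str]]:
    """Parse the rows of display ip-link into dicts keyed by column name.

    Columns are recognised by content rather than by position, because the
    optional columns (vpn-instance, interface-name, next-hop) are left blank
    when unused, so a plain whitespace split cannot count fields."""
    rows = []
    for line in output.splitlines():
        tokens = line.split()
        # A data row has at least num, state, timer, ip-address, mode and vgmp.
        if len(tokens) < 6 or not tokens[0].isdigit():
            continue                                  # prompt, header or blank line
        row = dict.fromkeys(COLUMNS, "")
        row["num"], row["state"], row["timer"] = tokens[:3]
        rest = tokens[3:]
        dest_idx = next((i for i, t in enumerate(rest) if _is_destination(t)), None)
        if dest_idx is None or dest_idx > 1:
            raise ValueError("unrecognised row: %r" % line)
        if dest_idx == 1:
            row["vpn-instance"] = rest[0]             # only the VPN instance can precede the address
        row["ip-address"] = rest[dest_idx]
        rest = rest[dest_idx + 1:]
        if rest and rest[0] not in MODES:
            row["interface-name"] = rest.pop(0)       # optional outgoing interface
        if len(rest) < 2:
            raise ValueError("unrecognised row: %r" % line)
        row["mode"], row["vgmp"] = rest[0], rest[1]
        if len(rest) > 2:
            row["next-hop"] = rest[2]                 # an address, "dhcp" or "dialer"
        rows.append(row)
    return rows


def tracked_links_down(rows: List[Dict[str, str]]) -> List[str]:
    """IDs of Down IP-links tracked by the active or standby management group:
    each of them is lowering that group's priority and may trigger a switchover."""
    return [r["num"] for r in rows
            if r["state"] == "down" and r["vgmp"] in ("active", "standby")]
```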


Debugging IP-Link
Before enabling debugging, you must run the terminal monitor and terminal debugging
commands in the user view to enable the display of terminal information and terminal debugging
information, so that the debugging information is displayed on the terminal.

NOTICE
Enabling debugging affects system performance. Therefore, after debugging, run the undo
debugging all command to disable debugging in time.

For details on the explanation of the debugging commands, refer to the Debugging Reference.

Table 6-7 shows the operations related to debugging IP link.

Table 6-7 Debugging IP link

Action                              Command

Enable all IP-link debugging.       debugging ip-link [ link-id ]

Enable IP-link packet debugging.    debugging ip-link [ link-id ] packet

Enable IP-link event debugging.     debugging ip-link [ link-id ] event

6.4.6 Configuration Examples


This section describes the configuration examples of IP-link.

6.4.6.1 Example for Configuring the Interworking Between IP-Link and Dual-system Hot Backup
This example configures the interworking between IP-link and dual-system hot backup, building
on the example for configuring active/standby dual-system hot backup.

Network Requirements
The NGFW is deployed on the service node as a security device. Upstream and downstream
devices are routers. NGFW_A and NGFW_B work in active/standby mode.

Figure 6-48 shows the networking diagram. The detailed description is as follows:

- OSPF runs among the router and the two NGFWs. The router sends service packets to
  the active NGFW according to the route calculation result.
- The upstream and downstream interfaces of each NGFW are added to the same link-group, so
  that route convergence is accelerated when a link is faulty.
- The NGFWs monitor the network egress through the interworking between IP-link and
  dual-system hot backup. When the network egress on the link where NGFW_A resides is
  down, NGFW_B switches to the active device and the service packets are sent to
  NGFW_B.

Figure 6-48 Networking diagram of the example for configuring the interworking between IP-link and dual-system hot backup (figure not reproduced; the addressing it shows: NGFW_A GE1/0/1 10.100.10.2/24 in the Trust zone, GE1/0/3 10.100.30.2/24 in the Untrust zone, GE1/0/2 10.100.50.2/24 for the HRP backup channel; NGFW_B GE1/0/1 10.100.20.2/24, GE1/0/3 10.100.40.2/24, GE1/0/2 10.100.50.3/24; the Untrust-side router interfaces monitored by IP-Link are 1.1.1.1/24 for NGFW_A and 2.2.2.2/24 for NGFW_B; PC1 192.168.1.3/24 in the Trust zone, PC2 3.3.3.3/24 in the Untrust zone)

Configuration Roadmap
1. Set the IP addresses of the interfaces on the active and standby NGFWs, add the interfaces to
   the corresponding security zones, and add the upstream and downstream interfaces on the same
   NGFW to the same link-group.
2. Run OSPF on the active and standby NGFWs, and adjust the OSPF cost according to the HRP
   status.
3. Configure the active management group to monitor the status of interfaces in the interface
   view of the active NGFW, and configure the standby management group to monitor the
   status of interfaces in the interface view of the standby NGFW.
4. Configure the interworking between IP-link and dual-system hot backup on the active and
   standby NGFWs.
5. Configure HRP backup channels on the active and standby NGFWs and enable HRP.
6. Enable the automatic backup of configuration commands, and configure the security policy
   for the Trust-Untrust interzone on the active and standby NGFWs.
7. Configure the router.

Procedure
Step 1 Configure the NGFW_A.
# Set an IP address for GigabitEthernet 1/0/1.
<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1


[NGFW_A-GigabitEthernet1/0/1] ip address 10.100.10.2 24


[NGFW_A-GigabitEthernet1/0/1] quit

# Add GigabitEthernet 1/0/1 to the Trust zone.


[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-trust] quit

# Set an IP address for GigabitEthernet 1/0/3.


[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.100.30.2 24
[NGFW_A-GigabitEthernet1/0/3] quit

# Add GigabitEthernet 1/0/3 to the Untrust zone.


[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface GigabitEthernet 1/0/3
[NGFW_A-zone-untrust] quit

# Add GigabitEthernet 1/0/1 and GigabitEthernet 1/0/3 to the same link-group management
group.
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] link-group 1
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] link-group 1
[NGFW_A-GigabitEthernet1/0/3] quit

# Set an IP address for GigabitEthernet 1/0/2.


[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.100.50.2 24
[NGFW_A-GigabitEthernet1/0/2] quit

# Add GigabitEthernet 1/0/2 to the DMZ.


[NGFW_A] firewall zone dmz
[NGFW_A-zone-dmz] add interface GigabitEthernet 1/0/2
[NGFW_A-zone-dmz] quit

# Run the OSPF dynamic routing protocol on NGFW_A.


[NGFW_A] ospf 101
[NGFW_A-ospf-101] area 0
[NGFW_A-ospf-101-area-0.0.0.0] network 10.100.10.0 0.0.0.255
[NGFW_A-ospf-101-area-0.0.0.0] network 10.100.30.0 0.0.0.255
[NGFW_A-ospf-101-area-0.0.0.0] quit

# Enable the function of adjusting the related cost value of OSPF according to the HRP status.

NOTICE
When the NGFW is deployed on the OSPF network to work in dual-system hot backup mode,
this command must be configured.

[NGFW_A] hrp ospf-cost adjust-enable

# Configure the active management group to monitor the status of interfaces in the interface
view.


[NGFW_A] interface GigabitEthernet 1/0/1


[NGFW_A-GigabitEthernet1/0/1] hrp track active
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] hrp track active
[NGFW_A-GigabitEthernet1/0/3] quit

# Configure the IP-Link to monitor the network egress.


[NGFW_A] ip-link check enable
[NGFW_A] ip-link 1 destination 1.1.1.1 interface GigabitEthernet 1/0/3

# Configure the interworking between IP-Link and dual-system hot backup. When the network
egress is down, the IP-Link status turns to down and the priority of the management group is
reduced by 2.
[NGFW_A] hrp track ip-link 1 active

# Configure an HRP backup channel.


[NGFW_A] hrp interface GigabitEthernet 1/0/2

# Enable HRP.
[NGFW_A] hrp enable

Step 2 Configure the dual-system hot backup function on NGFW_B.

The configuration on NGFW_B is similar to that on NGFW_A. The differences are as
follows:

- The IP addresses of the interfaces on NGFW_B must differ from those on NGFW_A; moreover, the
  IP addresses of the corresponding service interfaces on NGFW_B and NGFW_A must not be on the
  same network segment.
- When OSPF is run on NGFW_B, the routes to the network segments directly connected to the
  service interfaces of NGFW_B must be advertised.
- When the hrp track function is configured on the service interfaces of NGFW_B, hrp track
  standby must be configured, corresponding to the active management group on NGFW_A.

Step 3 Configure the interworking between IP-Link and dual-system hot backup on NGFW_B.
[NGFW_B] ip-link check enable
[NGFW_B] ip-link 1 destination 2.2.2.2 interface GigabitEthernet 1/0/3
[NGFW_B] hrp track ip-link 1 standby

Step 4 Enable automatic backup of configuration commands, and configure the interzone packet-
filtering rules for the Trust zone and Untrust zone on NGFW_A.
NOTE

When HRP is enabled on both NGFW_A and NGFW_B, and the automatic backup of configuration
commands is enabled on NGFW_A, the security policy configured on NGFW_A is automatically backed
up to NGFW_B.

# Enable automatic backup of configuration commands.


HRP_A[NGFW_A] hrp auto-sync config

# Configure security policy to ensure that the users on network segment 192.168.1.0/24 can
access the Untrust zone.
HRP_A[NGFW_A] security-policy
HRP_A[NGFW_A-policy-security] rule name ha
HRP_A[NGFW_A-policy-security-rule-ha] source-zone trust


HRP_A[NGFW_A-policy-security-rule-ha] destination-zone untrust


HRP_A[NGFW_A-policy-security-rule-ha] source-address 192.168.1.0 24
HRP_A[NGFW_A-policy-security-rule-ha] action permit

Step 5 Configure the router.


Configure OSPF on the router. For detailed configuration commands, refer to documents related
to the router.

----End

Configuration Verification
1. Run the display hrp state command on NGFW_A to check the status of the current HRP.
If the following information is displayed, HRP is successfully established.
HRP_A[NGFW_A] display hrp state
The firewall's config state is: ACTIVE

Current state of interfaces tracked by active:
GigabitEthernet1/0/3 : up
GigabitEthernet1/0/1 : up

2. PC2, which is in the Untrust zone, serves as the HTTP server and provides HTTP services
externally. PC1 in the Trust zone accesses the HTTP server in the Untrust zone, and files
are downloaded. Check sessions respectively on NGFW_A and NGFW_B.
HRP_A[NGFW_A] display firewall session table verbose
http VPN: public --> public ID: a48f3648905d02c034567da1
Zone: trust -> untrust TTL: 00:10:00 Left: 00:08:39
Output-interface: GigabitEthernet1/0/1 Nexthop: 10.100.10.2 MAC:
00-00-5e-00-01-02
<-- packets:1135 bytes:86014 --> packets:1127 bytes:45653
192.168.1.3:2048 --> 3.3.3.3:80 PolicyName: ha
HRP_S[NGFW_B] display firewall session table verbose
http VPN: public --> public ID: a48f3648905d02c0553591da1
Zone: trust -> untrust Remote TTL: 00:10:00 Left: 00:09:00
Output-interface: GigabitEthernet1/0/1 Nexthop: 10.100.10.2 MAC:
00-00-5e-00-01-02
<-- packets:0 bytes:0 --> packets:0 bytes:0
192.168.1.3:2048 --> 3.3.3.3:80 PolicyName: ha

As shown in the previous information, sessions with remote tags exist on NGFW_B, which
indicates that the session backup succeeds after you configure dual-system hot backup. In
addition, the traffic passing through NGFW_B is 0, which indicates that NGFW_B is
completely in standby state. This represents active/standby networking.

Configuration Script
Configuration script of NGFW_A:
#
sysname NGFW_A
#
hrp enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/2
#
ip-link check enable
ip-link 1 destination 1.1.1.1 interface GigabitEthernet1/0/3 mode icmp
hrp track ip-link 1 active
#
interface GigabitEthernet 1/0/1
ip address 10.100.10.2 255.255.255.0


link-group 1
hrp track active
#
interface GigabitEthernet 1/0/2
ip address 10.100.50.2 255.255.255.0
#
interface GigabitEthernet 1/0/3
ip address 10.100.30.2 255.255.255.0
link-group 1
hrp track active
#
firewall zone trust
add interface GigabitEthernet 1/0/1
#
firewall zone dmz
add interface GigabitEthernet 1/0/2
#
firewall zone untrust
add interface GigabitEthernet 1/0/3
#
ospf 101
area 0.0.0.0
network 10.100.10.0 0.0.0.255
network 10.100.30.0 0.0.0.255
#
security-policy
rule name ha
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
action permit
#
return

Configuration script of NGFW_B:


#
sysname NGFW_B
#
hrp enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/2
#
ip-link check enable
ip-link 1 destination 2.2.2.2 interface GigabitEthernet1/0/3 mode icmp
hrp track ip-link 1 standby
#
interface GigabitEthernet 1/0/1
ip address 10.100.20.2 255.255.255.0
link-group 1
hrp track standby
#
interface GigabitEthernet 1/0/2
ip address 10.100.50.3 255.255.255.0
#
interface GigabitEthernet 1/0/3
ip address 10.100.40.2 255.255.255.0
link-group 1
hrp track standby
#
firewall zone trust
add interface GigabitEthernet 1/0/1
#
firewall zone dmz
add interface GigabitEthernet 1/0/2
#
firewall zone untrust
add interface GigabitEthernet 1/0/3


#
ospf 101
area 0.0.0.0
network 10.100.20.0 0.0.0.255
network 10.100.40.0 0.0.0.255
#
security-policy
rule name ha
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
action permit
#
return

6.4.6.2 Example for Configuring the Interworking between Static Route and IP-Link
This section describes an example for binding an IPv4 static route to an IP-Link.

Networking Requirements
As shown in Figure 6-49, the switch is connected to two routers and the company has two links
to access the Internet. Two IP-Links are configured. IP-Link 1 is from the NGFW to router 1
and IP-Link 2 is from the NGFW to router 2. IP-Link 1 is the primary link. Two static routes
are installed, one bound to IP-Link 1, the other to IP-Link 2. If IP-Link 1 fails, traffic will be
switched to IP-Link 2 so that Internet access will not be interrupted.

Figure 6-49 Networking of configuring the interworking between static route and IP-Link (figure not reproduced: the intranet connects to NGFW GE1/0/2 192.168.1.1/24; NGFW GE1/0/1 10.10.1.1/24 connects through a switch to Router 1 10.10.1.2/24, monitored by IP-Link 1, and to Router 2 10.10.1.3/24)

Procedure
Step 1 Configure two IP-Links to detect the links from NGFW to router 1 and router 2.
[NGFW] ip-link check enable
[NGFW] ip-link 1 destination 10.10.1.2 mode icmp
[NGFW] ip-link 2 destination 10.10.1.3 mode icmp

Step 2 Install two static routes to reach the Internet and bind them to the two IP-Links. Set the
preferences of the two links to ensure that the link to router 1 has a higher preference.
[NGFW] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2 track ip-link 1
[NGFW] ip route-static 0.0.0.0 0.0.0.0 10.10.1.3 preference 70 track ip-link 2

----End


Configuration Verification
Verify the configuration on the NGFW as follows:
When the links between the NGFW and the two routers are both normal, run the display ip-link
command. The output resembles:
[NGFW] display ip-link
num  state  timer  vpn-instance  ip-address  interface-name  mode  vgmp  next-hop
1    up     3                    10.10.1.2                   icmp  none
2    up     3                    10.10.1.3                   icmp  none

Run the display ip routing-table command. The output shows that the default route to the Internet
is the one directed to router 1.
[NGFW] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost  Flags  NextHop      Interface
0.0.0.0/0           Static  60   0     RD     10.10.1.2    GigabitEthernet1/0/1
127.0.0.0/8         Direct  0    0     D      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct  0    0     D      127.0.0.1    InLoopBack0
10.10.1.0/24        Direct  0    0     D      10.10.1.1    GigabitEthernet1/0/1
10.10.1.1/32        Direct  0    0     D      127.0.0.1    InLoopBack0
192.168.1.0/24      Direct  0    0     D      192.168.1.1  GigabitEthernet1/0/2
192.168.1.1/32      Direct  0    0     D      127.0.0.1    InLoopBack0

Run the display ip routing-table verbose command. The output resembles:

Destination: 0.0.0.0/0
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 10.10.1.2 Neighbour: 0.0.0.0
State: Active Adv GotQ Age: 00h03m29s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet1/0/1
TunnelID: 0x0 Flags: RD

Destination: 0.0.0.0/0
Protocol: Static Process ID: 0
Preference: 70 Cost: 0
NextHop: 10.10.1.3 Neighbour: 0.0.0.0
State: Inactive Adv GotQ Age: 00h00m08s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet1/0/1
TunnelID: 0x0 Flags: R

The output shows that when the two links are normal, the preference value of the route to
10.10.1.2 is 60 (the default preference value). Therefore, the link is in the Active state and is
installed in the routing table. The route to 10.10.1.3 has a preference value of 70 and is in the
Inactive state. This route is the backup route and is not installed in the routing table.


When the link to router 1 breaks, run the display ip-link command. The output shows that the IP-Link to 10.10.1.2 is down.
[NGFW] display ip-link
num  state  timer  vpn-instance  ip-address  interface-name  mode  vgmp  next-hop
1    down   3                    10.10.1.2                   icmp  none
2    up     3                    10.10.1.3                   icmp  none

Run the display ip routing-table command. The output shows that the default route to the Internet is now the one directed to router 2.
[NGFW] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost   Flags  NextHop          Interface

        0.0.0.0/0   Static  70   0      RD     10.10.1.3        GigabitEthernet1/0/1
      127.0.0.0/8   Direct  0    0      D      127.0.0.1        InLoopBack0
     127.0.0.1/32   Direct  0    0      D      127.0.0.1        InLoopBack0
     10.10.1.0/24   Direct  0    0      D      10.10.1.1        GigabitEthernet1/0/1
     10.10.1.1/32   Direct  0    0      D      127.0.0.1        InLoopBack0
   192.168.1.0/24   Direct  0    0      D      192.168.1.1      GigabitEthernet1/0/2
   192.168.1.1/32   Direct  0    0      D      127.0.0.1        InLoopBack0

Run the display ip routing-table verbose command. The output resembles:


Destination: 0.0.0.0/0
Protocol: Static Process ID: 0
Preference: 70 Cost: 0
NextHop: 10.10.1.3 Neighbour: 0.0.0.0
State: Active Adv GotQ Age: 00h00m08s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet1/0/1
TunnelID: 0x0 Flags: R

Destination: 0.0.0.0/0
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 10.10.1.2 Neighbour: 0.0.0.0
State: Invalid Adv GotQ Age: 00h03m29s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet1/0/1
TunnelID: 0x0 Flags: RD

The output shows that when the link to 10.10.1.2 breaks, the state of IP-Link 1 is Down and the
route to 10.10.1.2 is set to Invalid. The route to 10.10.1.3, which has a preference value of 70,
is set to Active and installed in the routing table.

The outputs show that the configuration is correct.
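The verification above is done by eye. The following script is an added example, not part of the Huawei guide, that parses the two display outputs used in this verification and reports whether the installed default route agrees with the IP-Link states. The two sample outputs are constructed from the failed-link case above (IP-Link 1 Down, backup route via 10.10.1.3 installed); the column layout of real output is assumed to match, and the TRACKING map is taken from the two ip route-static lines of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed samples in the layout of the display outputs shown above
# (IP-Link 1 Down, the preference-70 backup default route installed).
IPLINK_SAMPLE = """\
num  state  timer  vpn-instance  ip-address  interface-name  mode  vgmp  next-hop
1    down   3                    10.10.1.2                   icmp  none
2    up     3                    10.10.1.3                   icmp  none
"""

ROUTE_SAMPLE = """\
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost   Flags  NextHop          Interface

        0.0.0.0/0   Static  70   0      RD     10.10.1.3        GigabitEthernet1/0/1
      127.0.0.0/8   Direct  0    0      D      127.0.0.1        InLoopBack0
     10.10.1.0/24   Direct  0    0      D      10.10.1.1        GigabitEthernet1/0/1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINK_RE = re.compile(r"^\s*(\d+)\s+(up|down)\s+\d+\s+(.*)$")
ROUTE_RE = re.compile(
    rf"^\s*({IPV4}/\d+)\s+(\w+)\s+(\d+)\s+(\d+)\s+([A-Z]+)\s+({IPV4})\s+(\S+)\s*$")


def parse_ip_link(text: str) -> Dict[int, Tuple[str, str]]:
    """Map IP-Link number -> (state, probed destination) from 'display ip-link'."""
    links: Dict[int, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = LINK_RE.match(line)
        if not m:
            continue                      # header line
        dest = re.search(IPV4, m.group(3))
        links[int(m.group(1))] = (m.group(2), dest.group(0) if dest else "?")
    return links


def parse_routes(text: str) -> List[dict]:
    """One dict per installed route row of 'display ip routing-table'."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes.append({"dest": m.group(1), "proto": m.group(2),
                           "pre": int(m.group(3)), "flags": m.group(5),
                           "nexthop": m.group(6), "iface": m.group(7)})
    return routes


def active_default(routes: List[dict]) -> Optional[Tuple[str, int]]:
    """(next hop, preference) of the installed 0.0.0.0/0 route, or None."""
    for r in routes:
        if r["dest"] == "0.0.0.0/0":
            return r["nexthop"], r["pre"]
    return None


def audit(iplink_text: str, route_text: str, tracking: Dict[str, int]) -> List[str]:
    """tracking: default-route next hop -> IP-Link number that tracks it.
    Returns operator findings; an empty list means the state is consistent."""
    links = parse_ip_link(iplink_text)
    findings = [f"ip-link {n} to {dest} is {state}"
                for n, (state, dest) in sorted(links.items()) if state != "up"]
    default = active_default(parse_routes(route_text))
    if default is None:
        findings.append("no default route is installed")
        return findings
    nexthop, pre = default
    link = tracking.get(nexthop)
    if link is None:
        findings.append(f"default route via {nexthop} (pre {pre}) is not tracked by any ip-link")
    elif links.get(link, ("missing", ""))[0] != "up":
        findings.append(f"default route via {nexthop} (pre {pre}) is installed "
                        f"but ip-link {link} is not up")
    return findings


# From the two 'ip route-static ... track ip-link N' lines of this example.
TRACKING = {"10.10.1.2": 1, "10.10.1.3": 2}

if __name__ == "__main__":
    for finding in audit(IPLINK_SAMPLE, ROUTE_SAMPLE, TRACKING):
        print(finding)
```

Feed the script the real command output (for example collected over SSH) in place of the constructed samples; a non-empty result for the "installed but ip-link ... is not up" case means the tracked route did not withdraw, which is the failure this feature is meant to prevent.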


Configuration Scripts
#
sysname NGFW
#
ip-link check enable
ip-link 1 destination 10.10.1.2 mode icmp
ip-link 2 destination 10.10.1.3 mode icmp
#
ip route-static 0.0.0.0 0.0.0.0 10.10.1.2 track ip-link 1
ip route-static 0.0.0.0 0.0.0.0 10.10.1.3 preference 70 track ip-link 2
#
return

6.4.6.3 Example for Configuring the Interworking between PBR and IP-Link
This example describes how to configure PBR to select next hops for various packets and balance
link traffic. It also describes how to use IP-link for monitoring the reachability of links where
the next hops of the packets on policy-based routes reside and dynamically determining the
availability of the policy-based routes by IP-link state. When a policy-based route is unavailable,
the device can search for standby routes to ensure link continuity.

Networking Requirements
As shown in Figure 6-50, an enterprise has departments A and B. Departments A and B, acting
as service departments, have heavy traffic and require different links for traffic balancing. In
addition, the departments require high stability and continuity.

To meet their requirements, the enterprise applies for two links that access the Internet, namely,
ISP1 and ISP2 to balance link traffic. The two links are mutually backed up to ensure link
continuity.

The requirements are as follows:

l Department A resides on network segment 10.1.0.0/16 and its packets for accessing the
Internet pass through link ISP1 in normal cases.
l Department B resides on network segment 10.2.0.0/16 and its packets for accessing the
Internet pass through link ISP2 in normal cases.
l The links of departments A and B are mutually backed up. When the link (active link) of
a department is faulty, traffic is switched to the link (standby link) of another department.

Figure 6-50 Networking diagram of configuring PBR to interwork with IP-link
[Figure: Department A (10.1.0.1/16) connects through a switch to NGFW GE1/0/4; Department B (10.2.0.1/16) connects through a switch to NGFW GE1/0/1. NGFW GE1/0/2 (1.1.2.2/24) connects to Router_A (1.1.2.1/24) toward ISP1, monitored by IP-Link 1; NGFW GE1/0/3 (1.1.3.2/24) connects to Router_B (1.1.3.1/24) toward ISP2, monitored by IP-Link 2.]


Configuration Roadmap
NOTE

This example describes only PBR-related configurations, but not configurations (such as NAT and route
reachability among Router_A, Router_B, and NGFW) required by the NGFW for providing Internet access
services.

The roadmap for configuring PBR to interwork with IP-link is as follows:


1. To balance traffic on different links, configure source IP address-based PBR, so that packets
for accessing the Internet from department A pass through ISP1 and packets for accessing
the Internet from department B pass through ISP2.
2. To ensure the continuity and mutual standby of links at which departments A and B reside,
do as follows:
a. Configure PBR to interwork with IP-link. IP-link monitors the reachability of the
active links of departments A and B. When the active links are faulty, PBR becomes
invalid. The device searches for standby routes to ensure service continuity.
b. Configure static routes from department A to link ISP2 and from department B to link
ISP1 as the standby routes of departments A and B. Moreover, configure static routes
to interwork with IP-link. IP-link monitors the reachability of the standby links of
departments A and B.

Procedure
Step 1 Configure IP-link.
NOTE

To ensure interworking between PBR and IP-link, the destination IP address detected by IP-link must be
consistent with the setting of the next hop of packets.

# Enable IP-link.
[NGFW] ip-link check enable

# Create IP-link 1 for detecting link reachability from the NGFW to destination address 1.1.2.1.
[NGFW] ip-link 1 destination 1.1.2.1 mode icmp

# Create IP-link 2 for detecting link reachability from the NGFW to destination address 1.1.3.1.
[NGFW] ip-link 2 destination 1.1.3.1 mode icmp

Step 2 Configure policy-based routing and associate them with IP links.


# Configure rule A_1, so that packets sent from 10.1.0.0/16 to 10.2.0.0/16 are not policy-routed.
[NGFW] policy-based-route
[NGFW-policy-pbr] rule name A_1
[NGFW-policy-pbr-rule-A_1] ingress-interface GigabitEthernet 1/0/4
[NGFW-policy-pbr-rule-A_1] source-address 10.1.0.0 16
[NGFW-policy-pbr-rule-A_1] destination-address 10.2.0.0 16
[NGFW-policy-pbr-rule-A_1] action no-pbr
[NGFW-policy-pbr-rule-A_1] quit

# Configure rule A_2, so that packets sent from 10.1.0.0/16 are sent to next hop 1.1.2.1.
[NGFW-policy-pbr] rule name A_2
[NGFW-policy-pbr-rule-A_2] ingress-interface GigabitEthernet 1/0/4
[NGFW-policy-pbr-rule-A_2] source-address 10.1.0.0 16
[NGFW-policy-pbr-rule-A_2] action pbr next-hop 1.1.2.1

# Configure rule A_2 to interwork with IP-link 1.
[NGFW-policy-pbr-rule-A_2] track ip-link 1
[NGFW-policy-pbr-rule-A_2] quit

# Configure rule B_1, so that packets sent from 10.2.0.0/16 to 10.1.0.0/16 are not policy-routed.
[NGFW-policy-pbr] rule name B_1
[NGFW-policy-pbr-rule-B_1] ingress-interface GigabitEthernet 1/0/1
[NGFW-policy-pbr-rule-B_1] source-address 10.2.0.0 16
[NGFW-policy-pbr-rule-B_1] destination-address 10.1.0.0 16
[NGFW-policy-pbr-rule-B_1] action no-pbr
[NGFW-policy-pbr-rule-B_1] quit

# Configure rule B_2, so that packets sent from 10.2.0.0/16 are sent to next hop 1.1.3.1.
[NGFW-policy-pbr] rule name B_2
[NGFW-policy-pbr-rule-B_2] ingress-interface GigabitEthernet 1/0/1
[NGFW-policy-pbr-rule-B_2] source-address 10.2.0.0 16
[NGFW-policy-pbr-rule-B_2] action pbr next-hop 1.1.3.1

# Configure rule B_2 to interwork with IP-link 2.
[NGFW-policy-pbr-rule-B_2] track ip-link 2
[NGFW-policy-pbr-rule-B_2] quit
[NGFW-policy-pbr] quit

Step 3 Configure default routes and associate them with IP links.


# Configure a default route with next hop 1.1.2.1 and associate it with IP-link 1.
[NGFW] ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 track ip-link 1

# Configure a default route with next hop 1.1.3.1 and associate it with IP-link 2.
[NGFW] ip route-static 0.0.0.0 0.0.0.0 1.1.3.1 track ip-link 2

The two default routes have the same (default) preference, so both are installed while both IP-links are Up. In normal operation the PBR rules decide which ISP a department uses; the default routes only carry a department's traffic after its PBR rule has been invalidated by a Down IP-link.

----End
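The following model is an added example, not Huawei code, of the next-hop selection behind the two IP-Link examples above: PBR rules tracked by IP-Links (this example, 6.4.6.3) and static routes that compete on preference and are tracked by IP-Links (6.4.6.2). It simplifies the behaviour described on the page: PBR rules are evaluated in order and the first match wins; a rule whose tracked IP-Link is Down is invalid and skipped; among the routes covering a destination, the longest prefix wins and then the lowest preference, and a route whose IP-Link is Down is Invalid and never selected. The host addresses 192.168.1.10, 10.1.0.5, 10.2.0.111 and the Internet destination 203.0.113.10 are constructed test inputs.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PbrRule:
    name: str
    ingress: str                        # ingress-interface
    source: str                         # source-address, CIDR
    action: str                         # "no-pbr" or "pbr"
    destination: Optional[str] = None   # destination-address, CIDR; None = any
    next_hop: Optional[str] = None      # action pbr next-hop
    track: Optional[int] = None         # track ip-link N


@dataclass
class Route:
    prefix: str
    next_hop: str
    preference: int = 60                # default preference of a static route
    track: Optional[int] = None         # track ip-link N


class Forwarder:
    """Simplified next-hop selection with IP-Link tracking (model, not VRP code)."""

    def __init__(self, rules: List[PbrRule], routes: List[Route]):
        self.rules, self.routes = rules, routes
        self.ip_link: Dict[int, str] = {}          # IP-Link number -> "up"/"down"

    def set_ip_link(self, num: int, state: str) -> None:
        self.ip_link[num] = state

    def _usable(self, track: Optional[int]) -> bool:
        # Untracked entries are always usable; tracked ones need the probe Up.
        return track is None or self.ip_link.get(track) == "up"

    def match_pbr(self, ingress: str, src: str, dst: str) -> Optional[PbrRule]:
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for r in self.rules:                       # first matching rule wins
            if r.ingress != ingress or s not in ipaddress.ip_network(r.source):
                continue
            if r.destination and d not in ipaddress.ip_network(r.destination):
                continue
            if r.action == "pbr" and not self._usable(r.track):
                continue                           # IP-Link Down: rule is invalid
            return r
        return None

    def lookup(self, dst: str) -> Optional[Route]:
        d = ipaddress.ip_address(dst)
        usable = [r for r in self.routes
                  if self._usable(r.track) and d in ipaddress.ip_network(r.prefix)]
        # Longest prefix first, then lowest preference; Invalid routes never compete.
        usable.sort(key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.preference))
        return usable[0] if usable else None

    def next_hop(self, ingress: str, src: str, dst: str) -> Optional[str]:
        rule = self.match_pbr(ingress, src, dst)
        if rule is not None and rule.action == "pbr":
            return rule.next_hop
        route = self.lookup(dst)                   # no-pbr, no rule, or rule invalid
        return route.next_hop if route else None


def static_example() -> Forwarder:
    """6.4.6.2: default routes via router 1 (pre 60) and router 2 (pre 70)."""
    fw = Forwarder([], [Route("0.0.0.0/0", "10.10.1.2", track=1),
                        Route("0.0.0.0/0", "10.10.1.3", preference=70, track=2)])
    fw.set_ip_link(1, "up"); fw.set_ip_link(2, "up")
    return fw


def pbr_example() -> Forwarder:
    """6.4.6.3: department A via ISP1 (1.1.2.1), B via ISP2 (1.1.3.1), mutual backup."""
    rules = [PbrRule("A_1", "GE1/0/4", "10.1.0.0/16", "no-pbr", destination="10.2.0.0/16"),
             PbrRule("A_2", "GE1/0/4", "10.1.0.0/16", "pbr", next_hop="1.1.2.1", track=1),
             PbrRule("B_1", "GE1/0/1", "10.2.0.0/16", "no-pbr", destination="10.1.0.0/16"),
             PbrRule("B_2", "GE1/0/1", "10.2.0.0/16", "pbr", next_hop="1.1.3.1", track=2)]
    routes = [Route("0.0.0.0/0", "1.1.2.1", track=1),
              Route("0.0.0.0/0", "1.1.3.1", track=2),
              Route("10.1.0.0/16", "direct GE1/0/4", preference=0),   # connected
              Route("10.2.0.0/16", "direct GE1/0/1", preference=0)]   # connected
    fw = Forwarder(rules, routes)
    fw.set_ip_link(1, "up"); fw.set_ip_link(2, "up")
    return fw


def demo() -> Dict[str, Optional[str]]:
    """Walk both examples through normal, failed and restored link states."""
    out, fw = {}, static_example()
    out["static normal"] = fw.next_hop("GE1/0/2", "192.168.1.10", "203.0.113.10")
    fw.set_ip_link(1, "down")
    out["static link1 down"] = fw.next_hop("GE1/0/2", "192.168.1.10", "203.0.113.10")
    fw.set_ip_link(1, "up")
    out["static restored"] = fw.next_hop("GE1/0/2", "192.168.1.10", "203.0.113.10")
    fw = pbr_example()
    out["A normal"] = fw.next_hop("GE1/0/4", "10.1.0.5", "203.0.113.10")
    out["B normal"] = fw.next_hop("GE1/0/1", "10.2.0.111", "203.0.113.10")
    out["A to B"] = fw.next_hop("GE1/0/4", "10.1.0.5", "10.2.0.111")
    fw.set_ip_link(1, "down")
    out["A link1 down"] = fw.next_hop("GE1/0/4", "10.1.0.5", "203.0.113.10")
    out["B link1 down"] = fw.next_hop("GE1/0/1", "10.2.0.111", "203.0.113.10")
    fw.set_ip_link(2, "down")
    out["A both down"] = fw.next_hop("GE1/0/4", "10.1.0.5", "203.0.113.10")
    return out


if __name__ == "__main__":
    for case, hop in demo().items():
        print(f"{case:18} -> {hop}")
```

The model makes the page's two caveats visible: the IP-link destination must be the same address as the PBR next hop (otherwise a rule can stay valid while its real next hop is dead), and traffic between the departments must hit a no-pbr rule before the catch-all pbr rule, or it is sent to the ISP instead of the directly connected segment.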

Configuration Verification
1. When active links are reachable, packets for accessing the Internet from department A are
forwarded by the NGFW to ISP1, and packets for accessing the Internet from department
B are forwarded by the NGFW to ISP2.
# Run the display ip-link command. You can view that the IP links are Up.
[NGFW] display ip-link
num  state  timer  vpn-instance  ip-address  interface-name  mode  vgmp  next-hop
1    up     3                    1.1.2.1                     icmp  none
2    up     3                    1.1.3.1                     icmp  none

# Run the ping 1.1.2.1 command in department A. The pinging attempt is successful. Then run the ping 1.1.3.1 command. The pinging attempt is unsuccessful.
C:\Documents and Settings\DepartA>ping 1.1.2.1

Pinging 1.1.2.1 with 32 bytes of data:

Reply from 1.1.2.1: bytes=32 time=9ms TTL=254
Reply from 1.1.2.1: bytes=32 time=2ms TTL=254
Reply from 1.1.2.1: bytes=32 time=2ms TTL=254
Reply from 1.1.2.1: bytes=32 time=5ms TTL=254

Ping statistics for 1.1.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 9ms, Average = 4ms

C:\Documents and Settings\DepartA>ping 1.1.3.1

Pinging 1.1.3.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 1.1.3.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

# Run the ping 1.1.3.1 command in department B. The pinging attempt is successful. Then run the ping 1.1.2.1 command. The pinging attempt is unsuccessful.
C:\Documents and Settings\DepartB>ping 1.1.3.1

Pinging 1.1.3.1 with 32 bytes of data:

Reply from 1.1.3.1: bytes=32 time=2ms TTL=254
Reply from 1.1.3.1: bytes=32 time=1ms TTL=254
Reply from 1.1.3.1: bytes=32 time=1ms TTL=254
Reply from 1.1.3.1: bytes=32 time=2ms TTL=254

Ping statistics for 1.1.3.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Documents and Settings\DepartB>ping 1.1.2.1

Pinging 1.1.2.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 1.1.2.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

2. When the active link is faulty, the NGFW searches for the standby route and forwards the
packets of departments to the corresponding standby link. Active link ISP1 of department
A is used as an example for explanation.
# Run the display ip-link command. The IP link of department A (IP-link 1) is Down.
[NGFW] display ip-link
num  state  timer  vpn-instance  ip-address  interface-name  mode  vgmp  next-hop
1    down   3                    1.1.2.1                     icmp  none
2    up     3                    1.1.3.1                     icmp  none

# Run the ping 1.1.3.1 command in department A. The pinging attempt is now successful, because traffic from department A follows the standby default route through ISP2. Then run the ping 1.1.2.1 command. The pinging attempt is unsuccessful.
C:\Documents and Settings\DepartA>ping 1.1.3.1

Pinging 1.1.3.1 with 32 bytes of data:

Reply from 1.1.3.1: bytes=32 time=2ms TTL=254
Reply from 1.1.3.1: bytes=32 time=1ms TTL=254
Reply from 1.1.3.1: bytes=32 time=1ms TTL=254
Reply from 1.1.3.1: bytes=32 time=2ms TTL=254

Ping statistics for 1.1.3.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Documents and Settings\DepartA>ping 1.1.2.1

Pinging 1.1.2.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 1.1.2.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

3. When the active links recover, the NGFW forwards all packets over the active links again. Active link ISP1 of department A is used as an example.
# Run the display ip-link command. Both IP links are Up again.
[NGFW] display ip-link
num  state  timer  vpn-instance  ip-address  interface-name  mode  vgmp  next-hop
1    up     3                    1.1.2.1                     icmp  none
2    up     3                    1.1.3.1                     icmp  none

# Run the ping 1.1.2.1 command in department A. The pinging attempt is successful. Then run the ping 1.1.3.1 command. The pinging attempt is unsuccessful.
C:\Documents and Settings\DepartA>ping 1.1.2.1

Pinging 1.1.2.1 with 32 bytes of data:

Reply from 1.1.2.1: bytes=32 time=2ms TTL=254
Reply from 1.1.2.1: bytes=32 time=1ms TTL=254
Reply from 1.1.2.1: bytes=32 time=1ms TTL=254
Reply from 1.1.2.1: bytes=32 time=2ms TTL=254

Ping statistics for 1.1.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Documents and Settings\DepartA>ping 1.1.3.1

Pinging 1.1.3.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 1.1.3.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

4. Mutual access between departments A and B is successful. The pinging attempt from department A to department B is used as an example.
C:\Documents and Settings\DepartA>ping 10.2.0.111

Pinging 10.2.0.111 with 32 bytes of data:

Reply from 10.2.0.111: bytes=32 time=2ms TTL=127
Reply from 10.2.0.111: bytes=32 time=1ms TTL=127
Reply from 10.2.0.111: bytes=32 time=1ms TTL=127
Reply from 10.2.0.111: bytes=32 time=2ms TTL=127

Ping statistics for 10.2.0.111:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

Configuration Scripts
Configuration scripts of NGFW
#
sysname NGFW
#
ip-link check enable
ip-link 1 destination 1.1.2.1 mode icmp
ip-link 2 destination 1.1.3.1 mode icmp
#
interface GigabitEthernet1/0/1
ip address 10.2.0.1 255.255.0.0
#
interface GigabitEthernet1/0/2
ip address 1.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/3
ip address 1.1.3.2 255.255.255.0
#
interface GigabitEthernet1/0/4
ip address 10.1.0.1 255.255.0.0
#
ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 track ip-link 1
ip route-static 0.0.0.0 0.0.0.0 1.1.3.1 track ip-link 2
#
policy-based-route
rule name A_1
ingress-interface GigabitEthernet1/0/4
source-address 10.1.0.0 16
destination-address 10.2.0.0 16
action no-pbr
rule name A_2
ingress-interface GigabitEthernet1/0/4
source-address 10.1.0.0 16
track ip-link 1
action pbr next-hop 1.1.2.1
rule name B_1
ingress-interface GigabitEthernet1/0/1
source-address 10.2.0.0 16
destination-address 10.1.0.0 16
action no-pbr
rule name B_2
ingress-interface GigabitEthernet1/0/1
source-address 10.2.0.0 16
track ip-link 2
action pbr next-hop 1.1.3.1
#
return

6.4.6.4 Example for Configuring the Interworking between DHCP and IP-Link
By binding the link where DHCP runs to IP-Link, you can resolve the problem that the
automatically delivered static route cannot be bound to the IP-Link.


Networking Requirements
As shown in Figure 6-51, the router is the gateway of a building. All enterprises in the building
access the Internet through the router. NGFW_A acts as the gateway of an enterprise in the
building. To ensure network continuity, the enterprise uses the dual-uplink networking. The
active link accesses the Internet through DHCP, that is, NGFW_A as the DHCP client accesses
the Internet by obtaining the IP address from the DHCP server. The standby link accesses the
Internet through PPPoE.

Because a DHCP client cannot sense link reachability on its own, NGFW_A cannot switch traffic to the standby link when the active link fails. Interworking with IP-Link lets NGFW_A check the availability of the link on which the DHCP client resides; upon a link fault, service traffic is switched to the standby link.

Figure 6-51 Networking diagram of configuring the interworking between DHCP and IP-Link
[Figure: enterprise PCs on the intranet connect to NGFW GE1/0/1. NGFW GE1/0/2 (10.1.1.2/24, DHCP client) connects to the building Router (10.1.1.1/24, DHCP server); IP-Link 1 probes 8.8.8.1 on the Router's Internet side (addresses 8.8.8.1/24 and 8.8.8.2/24). A PPPoE dial-up link from the NGFW serves as the standby uplink.]

Procedure
Step 1 Configure IP-Link.
NOTE

To ensure interworking between DHCP and IP-link, the destination IP address detected by IP-link must be
consistent with the IP address of the Router.

# Enable IP-link.
<NGFW> system-view
[NGFW] sysname NGFW_A
[NGFW_A] ip-link check enable

# Create IP-link 1 for detecting link reachability from the NGFW_A to destination address
8.8.8.1.
[NGFW_A] ip-link 1 destination 8.8.8.1 interface GigabitEthernet 1/0/2 mode icmp
next-hop dhcp

Step 2 Configure the DHCP client function, and associate DHCP with the IP-Link.

# Enable the DHCP client function on interface GigabitEthernet 1/0/2, and associate DHCP with
the IP-Link 1.
[NGFW_A] dhcp enable
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] dhcp client enable track ip-link 1
[NGFW_A-GigabitEthernet1/0/2] quit

Step 3 Configure the default route.


# Configure the default route with outbound interface Dialer 0 and preference 255.
NOTE

When NGFW_A acts as a DHCP client, the default route learned from the DHCP server has a preference of 245. For PPPoE to act as the backup, the static default route through Dialer 0 must have a preference value greater than 245; the greater the value, the lower the preference, so the DHCP-learned route is selected whenever IP-Link 1 is Up and the Dialer 0 route takes over only when the DHCP route is withdrawn.
[NGFW_A] ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 255

----End

Configuration Verification
1. When the active link is reachable, access packets are forwarded by NGFW_A to the active
link.
# Run the display ip-link command. You can view that the IP-Link is created and in the Up state.
[NGFW_A] display ip-link
num  state  timer  vpn-instance  ip-address  interface-name  mode  vgmp  next-hop
1    up     3                    8.8.8.1     GE1/0/2         icmp  none  dhcp

# Run the display ip routing-table command on NGFW_A. You can view that the default route points to the gateway address obtained from the DHCP server and that its preference is 245.
[NGFW_A] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost   Flags  NextHop          Interface

        0.0.0.0/0   Static  245  0      RD     10.1.1.1         GigabitEthernet1/0/2
      10.1.1.0/24   Direct  0    0      D      10.1.1.2         GigabitEthernet1/0/2
      10.1.1.2/32   Direct  0    0      D      127.0.0.1        InLoopBack0
      127.0.0.0/8   Direct  0    0      D      127.0.0.1        InLoopBack0
     127.0.0.1/32   Direct  0    0      D      127.0.0.1        InLoopBack0
   192.168.0.0/24   Direct  0    0      D      192.168.0.100    GigabitEthernet1/0/1
 192.168.0.100/32   Direct  0    0      D      127.0.0.1        InLoopBack0

2. When the active link is faulty, NGFW_A switches the traffic to the standby link.
# Run the display ip-link command. You can view that the status of the IP-Link is Down.
[NGFW_A] display ip-link
num  state  timer  vpn-instance  ip-address  interface-name  mode  vgmp  next-hop
1    down   3                    8.8.8.1     GE1/0/2         icmp  none  dhcp

# Run the display ip routing-table command. You can view that the default route obtained through the DHCP server is deleted and the backup default route with outbound interface Dialer 0 is installed in the routing table.
[NGFW_A] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost   Flags  NextHop          Interface

        0.0.0.0/0   Static  255  0      D      0.0.0.0          Dialer0
      127.0.0.0/8   Direct  0    0      D      127.0.0.1        InLoopBack0
     127.0.0.1/32   Direct  0    0      D      127.0.0.1        InLoopBack0
   192.168.0.0/24   Direct  0    0      D      192.168.0.100    GigabitEthernet1/0/1
 192.168.0.100/32   Direct  0    0      D      127.0.0.1        InLoopBack0

3. When the active link recovers, run the display ip-link command on NGFW_A. You can
view that the status of the IP-Link turns to Up. Run the display ip routing-table command.
You can view that the default route to NGFW_A obtained through the DHCP server is re-
loaded to the routing table.

Configuration Scripts
Configuration scripts of NGFW_A
#
sysname NGFW_A
#
ip-link check enable
ip-link 1 destination 8.8.8.1 interface GigabitEthernet1/0/2 mode icmp next-hop dhcp
#
dhcp enable
#
interface GigabitEthernet1/0/2
dhcp client enable track ip-link 1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 255
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1 preference 245 track ip-link 1
#
return

6.4.7 Feature History


This section describes the versions and changes in the IP-link feature.

Version Change Description

V100R001C10 Added IPv6-Link.

V100R001C00 The first version.


6.5 BFD
As an independent hello protocol, BFD implements low-overhead and rapid fault detection. By
interworking with upper-layer protocols, BFD enables them to rapidly identify and recover from
faults.

6.5.1 Introduction
This section describes the definition and purpose of BFD.

Definition
Bidirectional Forwarding Detection (BFD) quickly detects communications faults between
systems and reports corresponding faults to the upper-layer protocol.

Purpose
To minimize the impact of failures and improve network availability, network devices need to
rapidly detect communication failures to take early remedial actions to ensure service continuity.

The current fault detection mechanisms include:


l Hardware detection: For example, Synchronous Digital Hierarchy (SDH) alarms are used to detect faults on links. This mechanism identifies faults quickly; however, not all media provide such alarms.
l Slow Hello mechanism: It usually refers to the Hello mechanism offered by a routing
protocol. The slow Hello mechanism can detect a fault in seconds. In high-speed data
transmission, for example, at Gbit/s rate, the detection delay of more than one second causes
the loss of a large amount of data. In delay-sensitive services such as the voice service, the
delay of more than one second is unacceptable.
l Other detection mechanisms: Specific detection mechanisms may be provided by different
protocols or device vendors. If a network has devices from multiple vendors, these detection
mechanisms are difficult to implement.

BFD overcomes the limitations of earlier detection mechanisms.

BFD provides the following functions:


l Provides low-overhead and quick fault detection for channels between adjacent forwarding
engines. The detected faults may occur on interfaces, data links, or forwarding engines.
l Provides a single mechanism to detect any media and protocol layers in real time. In
addition, the detection duration and overhead range are variable.

6.5.2 Application Scenario


This section describes the application scenario of BFD.

6.5.2.1 Interworking Between BFD and OSPF


This section describes the application scenario of interworking between BFD and OSPF.


Applicable Environment
A link fault or a topology change may lead to rerouting in a network. Fast convergence of the routing protocol is therefore important to network availability. A feasible solution is to detect the fault quickly and notify the routing protocol immediately.

In the BFD-OSPF interworking, OSPF is associated with a BFD session. The BFD session fast
detects a link fault and notifies OSPF of the fault. In this manner, OSPF speeds up the response
to the change of the network topology.

Table 6-8 shows statistics of convergence speeds when OSPF is and is not associated with a
BFD session.

Table 6-8 Statistics of OSPF convergence speeds

Associated with BFD or Not   Link Fault Detection Mechanism              Convergence Speed
Not associated with BFD      Timeout of the OSPF Hello keepalive timer   At the second level
Associated with BFD          BFD session in the Down state               At the millisecond level

Typical Application
As shown in Figure 6-52, OSPF runs among Router_A, Router_B, and Router_C which are
mutual neighbors. The link from Router_A to Router_B serves as the active link whereas the
link from Router_A to Router_C to Router_B as the standby link.

Create a BFD session on the link between Router_A and Router_B. Therefore, when the link
status changes, the convergence speed of OSPF increases. If the link between Router_A and
Router_B fails, BFD rapidly identifies the fault and notifies OSPF of the fault. Therefore, the
service traffic is switched to the standby link.

Figure 6-52 Networking diagram of the BFD-OSPF interworking
[Figure: Router_A, Router_B and Router_C in OSPF Area 0, with a BFD session between Router_A and Router_B. Normal traffic direction: Router_A to Router_B. Abnormal traffic direction: Router_A to Router_C to Router_B.]


6.5.2.2 Interworking Between BFD and Static Routes


This section describes the application scenario of interworking between BFD and static routes.

Applicable Environment
A static route is configured manually by the administrator for a known path. Unlike a dynamic route, a static route has no detection mechanism of its own: when the network fails, administrator intervention is needed.

By interworking, the static route is bound to a static BFD session. Therefore, the status of the
static route changes with the status of the BFD session.

Typical Application
As shown in Figure 6-53, Router_A connects Router_B with a Layer-2 switch, and can
communicate with the Internet through a static route. The link from Router_A to Router_B serves
as the active link while the link from Router_A to Router_C to Router_B serves as the standby
link.

To increase the network reliability and shorten the route convergence time, you can establish a
BFD session between Router_A and Router_B to check the link status.

l If the BFD session on the static route detects a fault (the status changes from Up to Down),
BFD reports the fault to the system. The system deletes this route from the routing table,
and the traffic switches to the standby link.
l If the BFD session on the static route is successfully created (the status changes from Down
to Up), BFD reports to the system. The system adds this route to the routing table, and the
traffic switches back to the active link.

Figure 6-53 Networking diagram of the interworking between BFD and static route (one-hop detection)
[Figure: Router_A and Router_B with a BFD session between them. Normal traffic direction: Router_A to Router_B. Abnormal traffic direction: Router_A to Router_C to Router_B.]


The interworking between BFD and static route supports two detection modes:

l One-hop detection
Devices on both ends of the BFD session connect directly or with a Layer-2 switch, that
is, the BFD session and the static route share the same outbound interface, and the IP address
of the peer end is the next hop of the route. Figure 6-53 shows the typical application of
the one-hop detection networking.
l Multi-hop detection
As Figure 6-54 shows, the devices on both ends of the BFD session are indirectly connected
with multi-hop routing channels. In this case, the BFD session binds the IP address of the
peer end but not the outbound interface of the static route.

Figure 6-54 Networking diagram of the interworking between BFD and static route (multi-hop detection)
[Figure: Router_A reaches Router_B through a Switch and Router_D; the BFD session spans Router_A to Router_B across these hops. Normal traffic direction: Router_A to Switch to Router_D to Router_B. Abnormal traffic direction: Router_A to Router_C to Router_B.]

6.5.2.3 Interworking Between BFD and FRR


This section describes the application scenario of interworking between BFD and FRR.

Applicable Environment
Fast ReRoute (FRR) is a mechanism which reports the fault detected at the physical layer or
data link layer to the upper-layer routing system, and immediately performs the traffic
switchover by using a standby link. In this case, the impact of link failures on services is
minimized.

On traditional IP networks, if a fault is detected at a lower layer, the visible evidence is that the physical interface on the router becomes Down. After detecting such a fault, the router notifies the upper-layer routing system to perform corresponding updates and recalculate the routes. Usually, it takes a few seconds to converge the route (select another available route) after the link fails.
In delay-sensitive or packet loss-sensitive services, the convergence duration of the second level
is unacceptable because service interruption occurs in the duration. For example, the acceptable
duration of network interruption for Voice Over IP (VoIP) service is of the millisecond level.
The application of IP FRR ensures that the forwarding system detects such faults and takes
countermeasures to rapidly recover services.
However, IP FRR takes effect only after being triggered by a fault detection mechanism (for
example, BFD).

Typical Application
As shown in Figure 6-55, two links are available between Router_A and Router_B. The link
from Router_A to Router_C to Router_B serves as the active link, while the link from Router_A
to Router_D to Router_B serves as the standby link.
Establish a BFD session between Router_A and Router_B. When the active link is faulty, BFD reports the fault to FRR, and FRR rapidly switches the traffic to the standby link.

Figure 6-55 Networking diagram of the BFD-FRR interworking
[Figure: Router_A and Router_B with a BFD session between them. Normal traffic direction: Router_A to Router_C to Router_B. Abnormal traffic direction: Router_A to Router_D to Router_B.]

6.5.2.4 Interworking Between BFD and DHCP


This section describes the application scenario of interworking between BFD and DHCP.

Applicable Environment
To ensure network reliability, some enterprises use dual-uplink networking. Usually, the
DHCP link serves as the active link. In this case, the egress gateway of the company serves as
the DHCP client, and the company obtains IP addresses from the DHCP server to access the
Internet. Other links, such as a PPPoE link, serve as standby links.

As the DHCP client, the egress gateway cannot sense the availability of the link it resides on.
When the link fails, the gateway cannot switch service traffic to the standby link rapidly,
which results in service interruption.

The BFD-DHCP interworking resolves this problem. Associating the DHCP client with a BFD
session lets the DHCP client determine the availability of the DHCP link dynamically from the
BFD session status.

Typical Application
As shown in Figure 6-56, Router_A serves as the egress gateway of a building. All companies
in the building access the Internet through Router_A. Router_B serves as the egress gateway of
a company in the building. To ensure network continuity, the company uses the dual-uplink
networking, with DHCP and PPPoE links as the active and standby link respectively.

Figure 6-56 Networking diagram of the BFD-DHCP interworking
(Figure: PCs on the company intranet connect to Router_B, the DHCP client. Router_B
connects to Router_A, the DHCP server, over the DHCP link, with a BFD session between
Router_B and Router_A; this is the normal traffic direction. A PPPoE link from Router_B is the
standby path and carries the abnormal traffic direction.)

To ensure that the DHCP client can sense the fault and switch links quickly when the active
link fails, establish a static BFD session between Router_A and Router_B, and bind DHCP to
the BFD session on Router_B.

By BFD-DHCP interworking, Router_B delivers the following functions:


l When BFD detects a fault on the active link, the system disables the DHCP link and switches
the service traffic to the standby link.
l When BFD detects that the active link is recovered, service traffic is switched back to the
active link.

6.5.2.5 Interworking Between BFD and PBR


This section describes the application scenario of interworking between BFD and PBR.

Applicable Environment
Policy-Based Routing (PBR) is a mechanism that selects routes based on a customized policy
rather than by looking up the FIB table by the destination addresses of IP packets. PBR can be
used for security or load balancing purposes.

PBR supports route selection based on packet information such as the source IP address and
packet type of received packets. Packets that meet the configured conditions are forwarded
according to the configured outbound interface and next hop, or the default outbound interface
and next hop.

PBR cannot sense the availability of the link on which it is applied. If the link is unreachable
when the device forwards a packet, forwarding may fail.

The BFD-PBR interworking resolves this problem, improving the flexibility of PBR
applications and the ability of PBR to sense changes in the network. After the PBR actions are
associated with a static BFD session, BFD can monitor the reachability of the next hop or
outbound interface and dynamically determine the availability of the policy-based route.

Typical Application
As shown in Figure 6-57, Router_A serves as the egress gateway of a company. There are two
links connecting to the Internet. Normally, the service initiated by Department A travels from
Router_A to Router_B. When a fault occurs, the service traffic is switched to the other link.

To ensure that Router_A can rapidly and dynamically sense the availability of the policy-based
route, create a BFD session between Router_A and Router_B. When the link between Router_B
and the Layer-2 switch fails, BFD identifies the fault and notifies Router_A rapidly, and the
PBR bound to the BFD session becomes invalid. Router_A then searches for standby routes to
ensure service continuity.

Figure 6-57 Networking diagram of the BFD-PBR interworking
(Figure: PCs of Department A connect to Router_A, which has two links to the Internet. The
link through Router_B carries the normal traffic direction and is monitored by a BFD session
between Router_A and Router_B; the link through Router_C carries the abnormal traffic
direction.)

6.5.2.6 Interworking Between BFD and Hot Standby


This section describes the application scenario of interworking between BFD and Hot Standby.

Applicable Environment
The hot standby function enables the standby device to take over services from the faulty active
device to ensure service continuity.
Virtual Router Redundancy Protocol (VRRP) Group Management Protocol (VGMP) groups
determine the active/standby status of devices.
When BFD works with hot standby, VGMP groups are used to monitor static BFD sessions, and
the priorities of VGMP groups change based on the status of BFD sessions. The change of the
priorities of VGMP groups triggers active/standby switchover.

Typical Application
As shown in Figure 6-58, NGFW_A and NGFW_B are deployed on a hot standby network.
NGFW_A functions as the active device, and NGFW_B functions as the standby device.
To improve network reliability and enable the NGFWs to monitor the status of indirectly
connected links, create BFD sessions between NGFW_A and Router_A and use the active
VGMP group on NGFW_A to monitor the status of those BFD sessions. Likewise, create BFD
sessions between NGFW_B and Router_B and use the standby VGMP group on NGFW_B to
monitor their status.
As shown in Figure 6-58, if interface GE1/0/1 on Router_A is faulty, the BFD session detects
the interface fault (its status changes from Up to Down) and notifies the VGMP group on
NGFW_A. The priority of the VGMP group on NGFW_A then becomes lower than that of the
VGMP group on NGFW_B, which triggers an active/standby switchover. As a result, NGFW_A
becomes the standby device, and NGFW_B becomes the active device.

Figure 6-58 Networking diagram of the interworking between BFD and Hot Standby
(Figure: NGFW_A runs a BFD session to Router_A, whose interface GE1/0/1 is shown;
NGFW_B runs a BFD session to Router_B.)

6.5.3 Mechanism
This section describes the BFD mechanism.

6.5.3.1 BFD Packet


This section describes the format of the BFD packet.
BFD packets fall into two types, namely, BFD control packet and BFD echo packet.

BFD Control Packet


BFD control packets are encapsulated in UDP packets for transmission, and the destination port
of UDP is port 3784.

A BFD control packet consists of a mandatory part and an optional authentication part. Figure
6-59 shows the format of the BFD control packet.

Figure 6-59 Format of the BFD control packet (each row is one 32-bit word; bit offsets 0, 8,
16, 24 and 31 mark the byte boundaries)

 0               8               16              24           31
 Vers | Diag     Sta | P F C A D R  Detect Mult     Length
 My Discriminator
 Your Discriminator
 Desired Min TX Interval
 Required Min RX Interval
 Required Min Echo RX Interval
 Auth Type (Optional)  Auth Len (Optional)  Authentication Data... (Optional)

NOTE

NGFW does not support the BFD function.

Table 6-9 shows the description of each field in the packet.

Table 6-9 Description of each field in the BFD control packet

Field, Length: Description

Vers (Version), 3 bits: Indicates the version number of the protocol. The current version
number is 1.

Diag (Diagnostic), 5 bits: Indicates the reason the session last changed from Up to another
state in the local system. Different values indicate different causes:
l 0: No Diagnostic
l 1: Control Detection Time Expired
l 2: Echo Function Failed
l 3: Neighbor Signaled Session Down
l 4: Forwarding Plane Reset
l 5: Path Down
l 6: Concatenated Path Down
l 7: Administratively Down
l 8: Reverse Concatenated Path Down
l 9 to 31: Reserved for future use

Sta (State), 2 bits: Indicates the status of the current BFD session. Different values
indicate different statuses:
l 0: AdminDown. Indicates that the BFD session is in the administrative Down state.
l 1: Down. Indicates that the BFD session is Down or has just been established.
l 2: Init. Indicates that the BFD session can communicate with the peer end and the local
end expects the session to enter the Up state.
l 3: Up. Indicates that the BFD session is successfully established.

P (Poll), 1 bit: Indicates the connection request confirmation bit. Different values indicate
different meanings:
l 1: indicates that the sending system requests confirmation of the connection or of the
parameter changes.
l 0: indicates that the sending system does not request confirmation of the connection or
of the parameter changes.

F (Final), 1 bit: Indicates whether the sending system is responding to a BFD control packet
with the P bit set to 1. Different values indicate different meanings:
l 1: indicates that the sending system is responding to a BFD control packet with the P bit
set to 1.
l 0: indicates that the sending system is not responding to a BFD control packet with the
P bit set to 1.

C (Control Plane Independent), 1 bit: Indicates whether BFD control packets are transmitted
on the control plane. Different values indicate different meanings:
l 1: indicates that the sending system implements BFD independently of the control plane.
That is, BFD packets are transmitted on the forwarding plane, and BFD continues to work
even if the control plane fails.
l 0: indicates that BFD packets are transmitted on the control plane.

A (Authentication Present), 1 bit: Indicates whether the BFD control packet contains the
authentication field. Different values indicate different meanings:
l 1: indicates that the BFD control packet contains the authentication field, and the session
needs to be authenticated.
l 0: indicates that the BFD control packet does not contain the authentication field, or the
session does not need to be authenticated.
NOTE
NGFW does not provide the BFD authentication function currently. The A bit is set to 0 all
the time.

D (Demand), 1 bit: Indicates the demand mode operation bit. Different values indicate
different meanings:
l 1: indicates that the sending system expects to run in demand mode.
l 0: indicates that the sending system does not expect to or cannot run in demand mode.

R (Reserved), 1 bit: This field is set to 0 when a BFD control packet is sent and is ignored
when a BFD control packet is received.

Detect Mult (Detect time multiplier), 1 byte: Indicates the detection time multiplier, that is,
the maximum number of consecutive lost packets permitted by the packet receiver. The
field is used to check whether the link is normal.
l Demand mode: uses the local detection time multiplier.
l Asynchronous mode: uses the detection time multiplier of the peer end.

Length, 1 byte: Indicates the length of the BFD control packet, in bytes.

My Discriminator, 4 bytes: Indicates a unique non-zero discriminator value generated by the
sending system. The value is used to differentiate multiple BFD sessions of a system.

Your Discriminator, 4 bytes: Indicates the value of My Discriminator sent by the remote
system. If this value has not been received, the field is set to 0.

Desired Min Tx Interval, 4 bytes: Indicates the minimum interval at which the local system
desires to send BFD control packets, in microseconds.

Required Min Rx Interval, 4 bytes: Indicates the minimum interval the local system requires
between two received BFD control packets, in microseconds.

Required Min Echo Rx Interval, 4 bytes: Indicates the minimum interval the local system
requires between two received BFD echo packets, in microseconds. If the value is 0, the
sending system cannot receive BFD echo packets.

Auth Type, 1 byte: Indicates the authentication type of the BFD control packet. Different
values indicate different authentication types:
l 0: Reserved
l 1: Simple Password
l 2: Keyed MD5
l 3: Meticulous Keyed MD5
l 4: Keyed SHA1
l 5: Meticulous Keyed SHA1
l 6 to 255: Reserved for future use

Auth Len, 1 byte: Indicates the length of the authentication field, including the
authentication type field and the authentication length field, in bytes.

Authentication Data, 2 bytes: Indicates the authentication data.
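The following Python parser is an added example, not Huawei code, that decodes a BFD control packet using the layout of Figure 6-59 and the field meanings of Table 6-9, and rejects packets whose Version, Detect Mult, My Discriminator or Length fields are inconsistent with that layout. The builder, the sample packet (an Up packet with discriminators 100/200 and the 300 ms / 400 ms intervals used later in 6.5.3.2) and the "secret" authentication data are constructed for the example; the optional authentication section is parsed only to show the Auth Len accounting, since the NOTE above states that NGFW always sends the A bit as 0.

```python
import struct

# Diag, Sta and Auth Type value names from Table 6-9.
DIAG_NAMES = {
    0: "No Diagnostic", 1: "Control Detection Time Expired", 2: "Echo Function Failed",
    3: "Neighbor Signaled Session Down", 4: "Forwarding Plane Reset", 5: "Path Down",
    6: "Concatenated Path Down", 7: "Administratively Down",
    8: "Reverse Concatenated Path Down",
}
STATE_NAMES = {0: "AdminDown", 1: "Down", 2: "Init", 3: "Up"}
AUTH_TYPE_NAMES = {0: "Reserved", 1: "Simple Password", 2: "Keyed MD5",
                   3: "Meticulous Keyed MD5", 4: "Keyed SHA1", 5: "Meticulous Keyed SHA1"}

MANDATORY_LEN = 24  # bytes in the mandatory part of Figure 6-59
# Flag bits of the second byte (after the 2-bit Sta field), most significant first.
FLAG_BITS = {"P": 0x20, "F": 0x10, "C": 0x08, "A": 0x04, "D": 0x02, "R": 0x01}


def build_bfd_control(sta, my_disc, your_disc, dmti, rmri, detect_mult,
                      diag=0, flags=(), echo_rx=0, auth=None):
    """Serialize one BFD control packet: mandatory part plus optional auth section."""
    flag_byte = (sta & 0x3) << 6
    for name in flags:
        flag_byte |= FLAG_BITS[name]
    auth_part = b""
    if auth is not None:
        auth_type, auth_data = auth
        flag_byte |= FLAG_BITS["A"]
        # Auth Len counts the type and length bytes as well as the data (Table 6-9).
        auth_part = struct.pack("!BB", auth_type, 2 + len(auth_data)) + auth_data
    length = MANDATORY_LEN + len(auth_part)
    head = struct.pack("!BBBBIIIII", (1 << 5) | (diag & 0x1F), flag_byte,
                       detect_mult, length, my_disc, your_disc, dmti, rmri, echo_rx)
    return head + auth_part


def parse_bfd_control(data):
    """Decode a BFD control packet into a dict; raise ValueError on malformed input."""
    if len(data) < MANDATORY_LEN:
        raise ValueError("shorter than the 24-byte mandatory part")
    (b0, b1, detect_mult, length, my_disc, your_disc,
     dmti, rmri, echo_rx) = struct.unpack("!BBBBIIIII", data[:MANDATORY_LEN])
    vers, diag, sta = b0 >> 5, b0 & 0x1F, b1 >> 6
    flags = {name: bool(b1 & bit) for name, bit in FLAG_BITS.items()}
    if vers != 1:
        raise ValueError("unsupported BFD version %d" % vers)
    if detect_mult == 0:
        raise ValueError("Detect Mult must be non-zero")
    if length != len(data):
        raise ValueError("Length field %d does not match %d received bytes" % (length, len(data)))
    if my_disc == 0:
        raise ValueError("My Discriminator must be non-zero")
    pkt = {
        "diag": DIAG_NAMES.get(diag, "Reserved"),
        "state": STATE_NAMES[sta],
        "flags": flags,
        "detect_mult": detect_mult,
        "my_discriminator": my_disc,
        "your_discriminator": your_disc,
        "desired_min_tx_us": dmti,
        "required_min_rx_us": rmri,
        "required_min_echo_rx_us": echo_rx,
        "auth": None,
    }
    if flags["A"]:
        if length < MANDATORY_LEN + 2:
            raise ValueError("A bit set but no authentication section")
        auth_type, auth_len = data[MANDATORY_LEN], data[MANDATORY_LEN + 1]
        if auth_len < 2 or MANDATORY_LEN + auth_len != length:
            raise ValueError("Auth Len inconsistent with Length")
        pkt["auth"] = (AUTH_TYPE_NAMES.get(auth_type, "Reserved"),
                       data[MANDATORY_LEN + 2:MANDATORY_LEN + auth_len])
    elif length != MANDATORY_LEN:
        raise ValueError("trailing bytes without the A bit set")
    return pkt


# Constructed sample packet: session Up, intervals carried in microseconds.
SAMPLE = build_bfd_control(sta=3, my_disc=100, your_disc=200,
                           dmti=300_000, rmri=400_000, detect_mult=4)

if __name__ == "__main__":
    for field, value in parse_bfd_control(SAMPLE).items():
        print(field, value)
```

The Length check is the one that matters operationally: a receiver that trusts the Length field instead of the datagram size can be made to read past the buffer, so the parser compares the two before touching the optional section.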

BFD Echo Packet


BFD echo packets provide a fault detection mechanism independent of BFD control packets.
The local end both sends and receives the packets; the peer end returns them over the reverse
channel without processing them. Therefore, the format of the BFD echo packet is not defined
by the BFD protocol. The only requirement is that the sender can distinguish sessions from the
packet contents.
BFD echo packets are encapsulated in UDP packets for transmission. The destination port
number is 3784. The destination IP address is the address of the sending interface, and the
source IP address is specified manually.

6.5.3.2 BFD Mechanism


This section describes the BFD mechanism, including the detection mode, detection time, and
detection parameter negotiation.
In the BFD mechanism, a BFD session is established between two systems, and BFD control
packets are sent periodically along the path. If one system does not receive any BFD control
packet within a certain period, the path is regarded as faulty.

BFD control packets are encapsulated in UDP packets for transmission. At the beginning of a
session, two systems negotiate with each other through the parameters (including the session
identifier, minimum expected packet sending/receiving interval, and BFD session status on the
local end) in BFD control packets. After the negotiation succeeds, BFD control packets are
transmitted along the path on the basis of the negotiated packet sending/receiving interval.

To ensure fast detection, the packet sending/receiving interval is specified to the microsecond
level by the BFD protocol. Limited by device processing capability, BFD only reaches the
millisecond level on the devices of most vendors, and is further converted to the microsecond
level during internal processing.

Detection Mode
BFD supports the following detection modes:
l Asynchronous mode
In this mode, the two systems periodically send BFD control packets to each other at the
negotiated packet sending/receiving interval. If one system receives no BFD control packet
from the other within the detection time, the BFD session is regarded as Down. The
asynchronous mode is the most frequently used BFD mode.
l Demand mode
In this mode, once a BFD session is established, the system does not send BFD control
packets periodically. Instead, other detection mechanisms (such as the Hello mechanism of
routing protocols or hardware detection) are relied on, to reduce the overhead of BFD
sessions. In demand mode, the system runs a timer; when the timer expires, the system
sends a short sequence of query packets to check the link. If no reply is received, the session
is regarded as Down.

A supplementary function for both modes is the echo function. When the echo function is
enabled, packets are exchanged as follows: the local system sends a BFD packet, and the
remote system loops it back through its forwarding channel. If several consecutive echo
packets are lost, the BFD session is regarded as Down. The echo function can work together
with either the asynchronous mode or the demand mode.

Currently, the system supports only the passive echo function for one-hop sessions in
asynchronous mode. If devices supporting the echo function exist on the network, configure
the BFD passive echo function on the device so that it can interwork with them. When the
device enters the passive echo mode, the interval for transmitting BFD control packets is
increased. The devices on both ends of the BFD session send BFD echo packets (whose source
and destination IP addresses are both the IP address of the local outbound interface), which
return to the local end through ICMP redirection. In this way, the link status is checked.

Detection Time
The BFD detection time is determined by the following three values:
l Desired Min Tx Interval (DMTI): the minimum interval at which the local end desires to
transmit BFD control packets
l Required Min Rx Interval (RMRI): the minimum interval at which the local end requires
BFD control packets to be received
l Detect Mult: the detection time multiplier

After one system receives a BFD control packet from the peer end, it compares the RMRI
carried in the packet with the local DMTI and uses the larger value as the interval for
transmitting BFD control packets. That is, the slower system determines the transmission
rate of BFD control packets.

The value of Detect Mult is not negotiated. It is configured independently on each end.

The detection time in asynchronous mode equals the Detect Mult received from the peer end
multiplied by the larger of the local RMRI and the received DMTI.

The detection time in demand mode equals the local Detect Mult multiplied by the larger of
the local DMTI and the received RMRI.

For example, assume the local RMRI is 400 milliseconds, the local DMTI is 300 milliseconds,
the received DMTI is 300 milliseconds, the received RMRI is 400 milliseconds, the received
Detect Mult is 4, and the local Detect Mult is 5.

The detection time in asynchronous mode = 4 x max(400 milliseconds, 300 milliseconds) =
1600 milliseconds. The detection time in demand mode = 5 x max(300 milliseconds, 400
milliseconds) = 2000 milliseconds.

The values of DMTI, RMRI, and Detect Mult can be configured independently on each end.
Therefore, the two systems may transmit BFD control packets at different rates.

You are advised to configure the same values on both ends when the hardware on both ends
uses the same transmission medium.

Detection Parameter Negotiation


After a BFD session is established, you can modify the detection parameters dynamically
without changing the current session status. After you modify the detection parameters, the
device performs the following actions:
l DMTI change

1. The local end immediately sends a BFD control packet (carrying the new DMTI) with the
P bit set to 1 within the current transmission interval.
2. The local end recalculates the transmission interval and compares it with the current one.
If the transmission interval needs to be changed to a smaller value, the following
occurs:
– The local end immediately restarts the sending timer and sends BFD control
packets with the P bit set to 1 at the new transmission interval.
– After receiving a BFD control packet with the P bit set to 1, the peer end replies with
a BFD control packet with the F bit set to 1. The peer end recalculates the detection
time, restarts the detection timer immediately, and detects the link based on the new
detection time.
– After receiving the BFD control packet with the F bit set to 1 from the peer end, the
local end stops sending BFD control packets with the P bit set to 1.
If the transmission interval needs to be changed to a larger value, the following occurs:
– The local end sends BFD control packets (carrying the new DMTI) with the P bit
set to 1 at the current transmission interval.

– After receiving a BFD control packet with the P bit set to 1, the peer end replies with
a BFD control packet with the F bit set to 1. The peer end recalculates the detection
time, restarts the detection timer immediately, and detects the link based on the new
detection time.
– After receiving the BFD control packet with the F bit set to 1 from the peer end, the
local end stops sending BFD control packets with the P bit set to 1, restarts the
sending timer, and sends BFD control packets at the new transmission interval.
If the recalculated transmission interval equals the current transmission interval, the
local end does not change the transmission interval.
l RMRI change

1. The local end immediately sends a BFD control packet (carrying the new RMRI) with the
P bit set to 1 within the current transmission interval.
2. The local end recalculates the detection time and compares it with the current one.
If the detection time becomes larger, the following occurs:
– The local end restarts the detection timer and detects the link based on the new
detection time. The local end continues sending BFD control packets (carrying the
new RMRI) with the P bit set to 1.
– After receiving a BFD control packet with the P bit set to 1, the peer end immediately
replies with a BFD control packet with the F bit set to 1, recalculates the transmission
interval, and restarts the sending timer.
– After receiving the BFD control packet with the F bit set to 1 from the peer end, the
local end stops sending BFD control packets with the P bit set to 1.
If the detection time becomes smaller, the following occurs:
– The local end sends BFD control packets (carrying the new RMRI) with the P bit
set to 1 at the current transmission interval.
– After receiving a BFD control packet with the P bit set to 1, the peer end immediately
replies with a BFD control packet with the F bit set to 1, recalculates the transmission
interval, and restarts the sending timer.
– After receiving the BFD control packet with the F bit set to 1 from the peer end, the
local end stops sending BFD control packets with the P bit set to 1, updates the
detection time, and restarts the detection timer.
If the recalculated detection time equals the current detection time, the local end does
not change the detection time.
l Detect Mult change

1. The local end immediately sends a BFD control packet (carrying the new detection time
multiplier) with the P bit set to 1 within the current transmission interval. The new
detection time multiplier is carried in every packet from then on.
2. After receiving the BFD control packet, the peer end recalculates the detection time and
detects the link based on the new detection time.

6.5.3.3 BFD Session Management


This section describes the BFD session management, including session establishment mode and
session establishment process.

Session Establishment Mode


BFD distinguishes sessions by the My Discriminator and Your Discriminator fields of the
control packets. Depending on how My Discriminator and Your Discriminator are
determined during session establishment, NGFW supports the following types of BFD
sessions.
l Static BFD session with a manually designated discriminator
You set the BFD session parameters manually, including My Discriminator and Your
Discriminator, and trigger the BFD session establishment request manually.
Configuration errors may occur in this mode; for example, an incorrect My Discriminator
or Your Discriminator causes the BFD session to fail. In addition, because the
establishment and deletion of the BFD session are manually triggered, this mode lacks
flexibility.
The interworking between BFD and PBR, DHCP, or FRR requires a static BFD session
with manually designated discriminators. For the interworking between BFD and static
routing, you can choose either a static BFD session with manually designated
discriminators or a static BFD session with negotiated discriminators, according to the
network status.
l Static BFD session with an automatically negotiated discriminator
You establish the BFD session manually but do not configure My Discriminator or Your
Discriminator. Both discriminators are negotiated through the BFD session.
For the interworking between BFD and static routing, a BFD session with an automatically
negotiated discriminator is required when the peer device does not support static BFD
sessions and uses a dynamic BFD session instead, while the local device has a route to the
peer end and still needs the interworking between BFD and static routing.
l Dynamic BFD session triggered by protocols
A dynamic BFD session triggered by protocols is a BFD session that is dynamically
triggered by a routing protocol.
In dynamic establishment mode, the system processes My Discriminator and Your
Discriminator as follows:
– Dynamically assigning My Discriminator
When an application program triggers the dynamic establishment of a BFD session, the
system assigns a value from the dynamic session discriminator range as the My
Discriminator of the BFD session. The system then sends a BFD control packet with
Your Discriminator set to 0 (My Discriminator set to the assigned value, and the state set
to Down) to the peer system to negotiate the session.
NOTE

The system distinguishes static BFD session and dynamic BFD session according to the
classification of discriminators. The value of My Discriminator for static BFD session ranges
from 1 to 8191, and the value of My Discriminator for dynamic BFD session ranges from 8192
to 16,383.
– Self-learning Your Discriminator
Upon receiving a BFD control packet with Your Discriminator set to 0, the system on one
end of the BFD session determines whether the packet matches a local BFD session
according to the quadruplet (source IP address, destination IP address, outbound
interface, and VPN index). If it does, the system learns the value of My Discriminator in
the received packet as its Your Discriminator.
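As an added illustration of the discriminator handling described above (example code, not Huawei's implementation), the following Python session table assigns My Discriminator from the static and dynamic ranges given in the NOTE, looks up incoming control packets by their Your Discriminator, and falls back to quadruplet matching with self-learning when Your Discriminator is 0. The table structure, the Quadruplet type, and the rule that a received packet is matched by swapping its source and destination addresses against the session's stored (local IP, peer IP, interface, VPN index) tuple are assumptions made for the example; the addresses and interface names used are constructed.

```python
from collections import namedtuple

# Discriminator ranges stated in the NOTE above: static sessions use 1 to 8191,
# dynamic sessions use 8192 to 16383.
STATIC_DISC_RANGE = range(1, 8192)
DYNAMIC_DISC_RANGE = range(8192, 16384)

# Quadruplet that identifies a session before the peer's discriminator is known,
# stored from the local point of view (assumption for this example).
Quadruplet = namedtuple("Quadruplet", "local_ip peer_ip interface vpn_index")


class BfdSession:
    def __init__(self, my_disc, your_disc, quadruplet, kind):
        self.my_disc = my_disc
        self.your_disc = your_disc      # 0 until learned from the peer
        self.quadruplet = quadruplet
        self.kind = kind                # "static" or "dynamic"


class BfdSessionTable:
    """Local session table keyed by My Discriminator (hypothetical structure)."""

    def __init__(self):
        self.by_my_disc = {}
        self._next_dynamic = DYNAMIC_DISC_RANGE.start

    @staticmethod
    def classify(my_disc):
        """Static or dynamic, judged only from the discriminator value."""
        if my_disc in STATIC_DISC_RANGE:
            return "static"
        if my_disc in DYNAMIC_DISC_RANGE:
            return "dynamic"
        raise ValueError("discriminator %d is outside both ranges" % my_disc)

    def add_static(self, my_disc, your_disc, quadruplet):
        """Manually designated discriminators: both values come from configuration."""
        if self.classify(my_disc) != "static":
            raise ValueError("static sessions must use a discriminator from 1 to 8191")
        if my_disc in self.by_my_disc:
            raise ValueError("My Discriminator %d already in use" % my_disc)
        session = BfdSession(my_disc, your_disc, quadruplet, "static")
        self.by_my_disc[my_disc] = session
        return session

    def add_dynamic(self, quadruplet):
        """Protocol-triggered session: My Discriminator is assigned from the dynamic range."""
        while self._next_dynamic in self.by_my_disc:
            self._next_dynamic += 1
        if self._next_dynamic not in DYNAMIC_DISC_RANGE:
            raise RuntimeError("dynamic discriminator range exhausted")
        my_disc = self._next_dynamic
        self._next_dynamic += 1
        session = BfdSession(my_disc, 0, quadruplet, "dynamic")
        self.by_my_disc[my_disc] = session
        return session

    def demux(self, peer_my_disc, peer_your_disc, src_ip, dst_ip, interface, vpn_index):
        """Return the local session a received control packet belongs to, or None.

        peer_my_disc / peer_your_disc are the My/Your Discriminator fields of the
        received packet; the remaining arguments describe how it arrived.
        """
        if peer_your_disc != 0:
            # The peer already names our discriminator: direct lookup.
            session = self.by_my_disc.get(peer_your_disc)
            if session is None:
                return None
            if session.your_disc == 0:
                session.your_disc = peer_my_disc          # learn it now
            elif session.your_disc != peer_my_disc:
                return None                               # wrong peer: drop
            return session
        # Your Discriminator is 0: the peer does not know our value yet, so match the
        # quadruplet. Source and destination are swapped because the stored tuple is
        # from the local point of view.
        key = Quadruplet(dst_ip, src_ip, interface, vpn_index)
        for session in self.by_my_disc.values():
            if session.quadruplet == key:
                if session.your_disc == 0:
                    session.your_disc = peer_my_disc      # self-learning
                elif session.your_disc != peer_my_disc:
                    return None
                return session
        return None
```

Once a session has learned its peer's discriminator, packets naming that session with a different My Discriminator are dropped rather than re-learned, so a stray or spoofed Your-Discriminator-0 packet cannot silently re-point an established session.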

Session Establishment Process


BFD establishes a session by using a three-way handshake. When sending a BFD control
packet, the sender fills the Sta field with the current session status on the local end. The
receiver drives its BFD state machine and establishes the session according to the Sta field of
the received BFD control packet and the current session status on the local end. Taking the
establishment of a BFD session as an example, Figure 6-60 shows the state machine transitions.

Figure 6-60 BFD session establishment

Router_A                                  Router_B
Down                                      Down
   ---- Sta: Down ---------------------->
   <--- Sta: Down -----------------------
Down -> Init                              Down -> Init
   ---- Sta: Init ---------------------->
   <--- Sta: Init -----------------------
Init -> Up                                Init -> Up
   ---- Sta: Up ------------------------>
   <--- Sta: Up -------------------------

1. After receiving the message from the upper-layer protocol, BFD on Router_A and
Router_B sends BFD control packets with the status Down. In a static BFD session with a
manually designated discriminator, the value of Your Discriminator in the packet is
manually designated. In a static BFD session with a negotiated discriminator, the value of
Your Discriminator in the packet is negotiated by both parties. In the dynamic
establishment of BFD sessions, the value of Your Discriminator is 0.
2. After receiving the BFD control packet with the status Down, Router_B switches the
session status to Init and sends a BFD control packet with the status Init. The BFD session
on Router_A changes in the same way as on Router_B.
3. After receiving the BFD control packet with the status Init, Router_B switches the session
status to Up and sends a BFD control packet with the status Up. The BFD session on
Router_A changes in the same way as on Router_B.
4. When the statuses on Router_A and Router_B are both Up, the session is successfully
established and starts to detect the link.

After the status switches from Down to Init, a timeout timer is started on Router_A and
Router_B respectively. If a router does not receive a BFD control packet with the status Init
or Up before the timer expires, the BFD session status in the local system automatically
switches back to Down.
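The following Python model is an added example, not Huawei code, that covers two passages of 6.5.3 together: the three-way handshake and Init timeout just described, and the transmission interval and detection time rules from "Detection Time" in 6.5.3.2. Each endpoint carries its own DMTI, RMRI and Detect Mult in the packets it sends, so once the handshake completes each side can compute the negotiated values from what it received. The endpoint class, the dict used as a packet, and the Router_A/Router_B values (taken from the worked example on the page: local RMRI 400 ms, DMTI 300 ms, Detect Mult 5; peer DMTI 300 ms, RMRI 400 ms, Detect Mult 4) are constructed for the example; intervals are kept in milliseconds here for readability, whereas the packet fields carry microseconds.

```python
DOWN, INIT, UP = "Down", "Init", "Up"


class BfdEndpoint:
    """One end of a BFD session in asynchronous mode (hypothetical model)."""

    def __init__(self, name, dmti_ms, rmri_ms, detect_mult):
        self.name = name
        self.state = DOWN
        self.local_dmti = dmti_ms            # Desired Min Tx Interval
        self.local_rmri = rmri_ms            # Required Min Rx Interval
        self.local_detect_mult = detect_mult
        self.peer_dmti = None                # learned from received packets
        self.peer_rmri = None
        self.peer_detect_mult = None
        self.init_timer_running = False      # armed on Down -> Init

    def packet(self):
        """The control packet this end sends: its Sta plus its own timer values."""
        return {"sta": self.state, "dmti": self.local_dmti,
                "rmri": self.local_rmri, "detect_mult": self.local_detect_mult}

    def receive(self, pkt):
        """Apply the transitions of Figure 6-60 to a received control packet."""
        self.peer_dmti, self.peer_rmri = pkt["dmti"], pkt["rmri"]
        self.peer_detect_mult = pkt["detect_mult"]
        sta = pkt["sta"]
        if self.state == DOWN:
            if sta == DOWN:
                self.state = INIT
                self.init_timer_running = True
            elif sta == INIT:
                self.state = UP
        elif self.state == INIT:
            if sta in (INIT, UP):
                self.state = UP
                self.init_timer_running = False
        elif self.state == UP:
            if sta == DOWN:
                self.state = DOWN        # neighbor signalled session down
        return self.state

    def timeout(self):
        """No Init/Up packet arrived before the timer expired: fall back to Down."""
        if self.state in (INIT, UP):
            self.state = DOWN
            self.init_timer_running = False
        return self.state

    def tx_interval_ms(self):
        """Transmission interval: the larger of local DMTI and the peer's RMRI."""
        return max(self.local_dmti, self.peer_rmri)

    def async_detection_time_ms(self):
        """Asynchronous mode: peer Detect Mult x max(local RMRI, peer DMTI)."""
        return self.peer_detect_mult * max(self.local_rmri, self.peer_dmti)

    def demand_detection_time_ms(self):
        """Demand mode: local Detect Mult x max(local DMTI, peer RMRI)."""
        return self.local_detect_mult * max(self.local_dmti, self.peer_rmri)


def establish(a, b, max_rounds=4):
    """Exchange packets round by round until both ends are Up; return the state trace."""
    trace = []
    for _ in range(max_rounds):
        pa, pb = a.packet(), b.packet()    # both send based on their current state
        a.receive(pb)
        b.receive(pa)
        trace.append((a.state, b.state))
        if a.state == UP and b.state == UP:
            break
    return trace


# Constructed endpoints using the values of the worked example in "Detection Time".
ROUTER_A = BfdEndpoint("Router_A", dmti_ms=300, rmri_ms=400, detect_mult=5)
ROUTER_B = BfdEndpoint("Router_B", dmti_ms=300, rmri_ms=400, detect_mult=4)

if __name__ == "__main__":
    print(establish(ROUTER_A, ROUTER_B))
    print("tx interval", ROUTER_A.tx_interval_ms(), "ms")
    print("async detection time", ROUTER_A.async_detection_time_ms(), "ms")
    print("demand detection time", ROUTER_A.demand_detection_time_ms(), "ms")
```

With the page's values, Router_A's asynchronous detection time comes out as 4 x max(400, 300) = 1600 ms and its demand-mode detection time as 5 x max(300, 400) = 2000 ms, matching the text; the trace shows both ends passing through Init in the first round and reaching Up in the second.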

6.5.4 Manually Configuring a Static BFD Session


After you create a BFD session manually, the upper-layer protocol will be bound to this session
to enable interworking.

6.5.4.1 Creating a Static BFD Session


By creating BFD sessions on both ends of an IP link, you can detect faults on the link rapidly.
Static BFD sessions support one-hop detection and multi-hop detection. Select the detection
method according to the network topology between the two ends of the session.

Prerequisites
Before you configure a static BFD session, complete the following tasks:
l Correctly connecting interfaces and setting IP addresses.
l Configuring routing protocols for the reachability of the network layer.

Context
One-hop detection and multi-hop detection of static BFD sessions are described as follows:

l One-hop detection checks the connectivity of the IP link between two directly connected
systems. One hop refers to one IP hop.
Only one BFD session exists on the specified interface between two systems performing
BFD one-hop detection.
l Multi-hop detection checks any path between two systems. The path may cover multiple
hops, and paths may even overlap in certain segments.

To detect and monitor direct links (or links connected through a Layer-2 switch) rapidly, you
can configure either BFD one-hop detection or multi-hop detection; one-hop detection is
recommended.

If the peer IP address resides on different network segments from the IP address of the local
outbound interface, you can configure only multi-hop detection to rapidly detect and monitor
the connectivity of IP links. By creating BFD sessions on both ends of a multi-hop path, you
can detect faults on the path rapidly.

To detect the physical link status using BFD, static BFD sessions can be configured in the
following ways:
l Specifying the peer IP address
If the peer IP address is known, bind the BFD session to this IP address and send BFD
control packets to the IP address.
l Using the default IP address
If the peer IP address cannot be specified (in some cases, the peer end has no IP address),
bind the BFD session to a multicast address and send BFD control packets to the
multicast address. The multicast address can be adjusted as required. For details, see 6.5.5.2
Configuring the Default Multicast Address for One-hop BFD.
Creating a BFD session through the default IP address is valid only for one-hop detection.

NOTE

When multiple protocols are bound to one static BFD session, the change of the session status affects all
related protocols.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bfd

The global BFD function is enabled and the BFD global view is displayed.

You can configure the BFD only after the global BFD function is enabled.

Step 3 Run:
quit

Return to the system view.

Step 4 Select one of the following configuration methods according to the interfaces at the two ends of
the static BFD session.
l For the Layer-3 interfaces with IP addresses:
Run:
bfd cfg-name bind peer-ip peer-ip [ vpn-instance vpn-instance-name ] [ interface interface-type interface-number [ nexthop { nexthop-address | dhcp } ] ] [ source-ip source-ip ]

A static BFD session is created through the specified peer IP address.


– For one-hop detection, you must also specify the local outbound interface when binding
the BFD session; if no interface is specified, the session performs multi-hop detection.
– When you create a one-hop BFD session for the first time, you must bind it to the peer
IP address and the local interface. The binding cannot be changed once the session is
created. When you create a multi-hop BFD session for the first time, you must bind it
to at least the peer IP address. If the outbound interface and next hop are also
configured, BFD control packets are sent from the specified outbound interface to the
next hop.
– To enter the session view after a BFD session is created, specify the session
configuration name.
– When you create BFD configuration items, the system checks only that the IP address is
well formed, not that it is correct. If the session is bound to an incorrect peer or source
IP address, it cannot be established.
– To configure DHCP to interwork with BFD, specify the next hop of the static BFD
session as nexthop dhcp.
– If BFD interworks with Unicast Reverse Path Forwarding (URPF), specify a correct
source IP address manually through the source-ip option when binding the BFD session,
because URPF checks the source IP address of received packets. This prevents BFD
control packets from being incorrectly discarded.
– If both interface and source-ip are specified, the source IP address must be the same
as the IP address of the interface.
l For Layer-2 interfaces and the Layer-3 interfaces without IP addresses:
Run:
bfd cfg-name bind peer-ip default-ip interface interface-type interface-number [ source-ip source-ip ]

A static BFD session is created through the default multicast address.

Step 5 Configure the discriminator.


l Run:
discriminator local local-discr-value

A local discriminator is configured.


l Run:
discriminator remote remote-discr-value

A remote discriminator is configured.


NOTE

l The local discriminator on one end must match the remote discriminator on the other end.
Otherwise, the session cannot be established.
l For a BFD session bound to the default multicast address, the local discriminator cannot be the same
as the remote one.
l The local and remote discriminators cannot be changed once they are created.

Step 6 Run:
commit

The configurations are submitted.

NOTE

After all necessary parameters (such as the local and remote discriminators) are specified, you must run
the commit command for the BFD session to be created.

----End

Example
# Create static BFD session test on NGFW_A, set the peer IP address to 30.1.1.1, set the
outbound interface and next hop respectively to GigabitEthernet 1/0/1 and 1.1.1.1, and set the
local discriminator to 10 and remote one to 20.
<NGFW_A> system-view
[NGFW_A] bfd
[NGFW_A-bfd] quit
[NGFW_A] bfd test bind peer-ip 30.1.1.1 interface GigabitEthernet 1/0/1 nexthop 1.1.1.1
[NGFW_A-bfd-session-test] discriminator local 10
[NGFW_A-bfd-session-test] discriminator remote 20
[NGFW_A-bfd-session-test] commit

# Create static BFD session test on NGFW_B, set the peer IP address to 1.1.1.2, and set the local
discriminator to 20 and remote one to 10.
<NGFW_B> system-view
[NGFW_B] bfd
[NGFW_B-bfd] quit
[NGFW_B] bfd test bind peer-ip 1.1.1.2
[NGFW_B-bfd-session-test] discriminator local 20
[NGFW_B-bfd-session-test] discriminator remote 10
[NGFW_B-bfd-session-test] commit

Follow-up Procedure
l Run the display bfd configuration command to display the configuration information
about the static BFD session. The following uses the information displayed on NGFW_A
as an example.
<NGFW_A> display bfd configuration static verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : test
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 30.1.1.1
Bind Interface : GigabitEthernet1/0/1
TOS-EXP : 6 Local Detect Multi : 3
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
WTR Interval (ms) : -- Process PST : Disable
Proc interface status : Disable
Local Demand Mode : Disable
Bind Application : No Application Bind
Session Description : --
--------------------------------------------------------------------------------

Total Commit/Uncommit CFG Number : 1/0

The output shows the local and remote discriminators, the interface bound to the session, and
the peer IP address configured on NGFW_A. The Total Commit/Uncommit CFG Number
field (1/0) shows that the session configuration has been committed.
l Run the display bfd session command to display the information about the static BFD
session. The following uses the information displayed on NGFW_A as an example.
<NGFW_A> display bfd session static
--------------------------------------------------------------------------------
Local Remote Peer IP Address Interface Name State Type
--------------------------------------------------------------------------------
10 20 30.1.1.1 GigabitEthernet1/0/1 Up Static
--------------------------------------------------------------------------------

According to the output, if the BFD session is in Up state, the BFD session between two
devices is established. If the BFD session is in Down state, it failed to be established.
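The display bfd session output above, parsed by an added Python example that is not from the Huawei guide: it extracts the session rows from both devices and applies the discriminator rules from the NOTE in Step 5 across the pair. The two outputs are constructed to match the column layout shown, and the "--" interface for NGFW_B's multi-hop session is an assumption.

```python
"""Parse 'display bfd session static' output and cross-check a session pair.

Added example, not Huawei code. The outputs below are constructed to match the
column layout of the display command in the guide (NGFW_A's one-hop session and
NGFW_B's multi-hop session from the Example section).
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample output (interface "--" for the multi-hop session is an assumption).
NGFW_A_OUTPUT = """\
<NGFW_A> display bfd session static
--------------------------------------------------------------------------------
Local Remote Peer IP Address Interface Name State Type
--------------------------------------------------------------------------------
10 20 30.1.1.1 GigabitEthernet1/0/1 Up Static
--------------------------------------------------------------------------------
"""
NGFW_B_OUTPUT = """\
<NGFW_B> display bfd session static
--------------------------------------------------------------------------------
Local Remote Peer IP Address Interface Name State Type
--------------------------------------------------------------------------------
20 10 1.1.1.2 -- Up Static
--------------------------------------------------------------------------------
"""

# A data row has exactly six whitespace-separated fields and starts with two discriminators.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


@dataclass(frozen=True)
class BfdSession:
    local_discr: int
    remote_discr: int
    peer_ip: str
    interface: str     # "--" assumed when the session is bound to a peer IP only
    state: str         # "Up" or "Down"
    session_type: str  # "Static" for the sessions configured in this section


def parse_bfd_sessions(output: str) -> list[BfdSession]:
    """Return one BfdSession per data row; the prompt, header and dashed rules are skipped."""
    sessions = []
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            sessions.append(BfdSession(int(m[1]), int(m[2]), m[3], m[4], m[5], m[6]))
    return sessions


def check_session(s: BfdSession) -> list[str]:
    """Per-session checks from the guide: Up state, and distinct discriminators when
    the session is bound to the default multicast address."""
    findings = []
    if ipaddress.ip_address(s.peer_ip).is_multicast and s.local_discr == s.remote_discr:
        findings.append(f"default-ip session {s.peer_ip}: local and remote discriminators "
                        f"are both {s.local_discr}")
    if s.state != "Up":
        findings.append(f"session to {s.peer_ip} is {s.state}, not established")
    return findings


def check_pair(a: BfdSession, b: BfdSession) -> list[str]:
    """Cross-device check: each end's local discriminator must equal the other end's remote one."""
    findings = check_session(a) + check_session(b)
    if a.local_discr != b.remote_discr or a.remote_discr != b.local_discr:
        findings.append(f"discriminators do not mirror: A local/remote "
                        f"{a.local_discr}/{a.remote_discr}, B local/remote "
                        f"{b.local_discr}/{b.remote_discr}")
    return findings


if __name__ == "__main__":
    a = parse_bfd_sessions(NGFW_A_OUTPUT)[0]
    b = parse_bfd_sessions(NGFW_B_OUTPUT)[0]
    print(a, b, sep="\n")
    print("findings:", check_pair(a, b) or "none")
```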

6.5.4.2 (Optional) Adjusting Session Detection Parameters


When you create a BFD session, adjust the BFD control packet sending interval, receiving
interval, and local detection multiple of the device according to the network status and
performance. The parameter adjustment does not affect the status of existing BFD sessions.

Context
The detection parameters of a BFD session include the BFD control packet sending interval,
receiving interval, and local detection multiple. After the detection parameters are changed, the
actual parameters used on the local device are derived from the configured local and peer
parameters as follows:
l Actual local sending interval = max(configured local sending interval, configured peer
receiving interval)
l Actual local receiving interval = max(configured peer sending interval, configured local
receiving interval)
l In asynchronous mode, actual local detection interval = actual local receiving interval x
configured peer detection multiple
l In demand mode, actual local detection interval = actual local sending interval x configured
local detection multiple
NOTE

When the network quality is poor or the network is overloaded, increase the BFD detection interval as required.
A larger BFD detection interval is required when a low-speed interface (such as a virtual template, dialer, or tunnel
interface), an IPSec or L2TP tunnel, or QoS traffic limiting is used.

For example:
l The configured local sending interval is 300 ms, receiving interval is 300 ms, and detection
multiple is 4.
l The configured peer sending interval is 400 ms, receiving interval is 600 ms, and detection
multiple is 5.

Then,
l The actual sending interval in the local is the maximum value between 300 ms and 600 ms,
namely, 600 ms. The actual receiving interval is the maximum value between 400 ms and
300 ms, namely, 400 ms. The actual detection interval in asynchronous mode is 2000 ms
(400 ms x 5). The actual detection interval in demand mode is 2400 ms (600 ms x 4).
l The actual sending interval on the peer end is the maximum value between 400 ms and 300
ms, namely, 400 ms. The actual receiving interval is the maximum value between 300 ms
and 600 ms, namely, 600 ms. The actual detection interval in asynchronous mode is 2400
ms (600 ms x 4). The actual detection interval in demand mode is 2000 ms (400 ms x 5).

NOTE

When it detects that a BFD session is Down, the system automatically changes the local sending and
receiving intervals to random values between 2,000 ms and 3,000 ms. When the BFD session becomes
Up, the system restores the intervals to the configured values. This limits system resource consumption.
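The negotiation above, as an added Python example that is not from the Huawei guide: it applies the four formulas to both ends of a session and reproduces the 300/300/4 versus 400/600/5 case. It assumes that, while a session is Down, the random 2,000 to 3,000 ms values replace the local configured intervals before negotiation.

```python
"""Negotiate the effective BFD timers from the values configured on each end.

Added example, not from the Huawei guide. It applies the four formulas in the
Context above to both ends and reproduces the 300/300/4 versus 400/600/5 case.
The Down-state behaviour is modelled on the assumption that the random
2000-3000 ms values replace the local configured intervals until the session is Up.
"""
from __future__ import annotations

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class BfdTimers:
    """Values set with min-tx-interval, min-rx-interval and detect-multiplier."""
    min_tx_ms: int
    min_rx_ms: int
    detect_mult: int


# Defaults stated in Steps 3 to 5 of the procedure.
DEFAULT_TIMERS = BfdTimers(min_tx_ms=1000, min_rx_ms=1000, detect_mult=3)


@dataclass(frozen=True)
class Negotiated:
    tx_ms: int              # actual sending interval
    rx_ms: int              # actual receiving interval
    detect_async_ms: int    # detection interval in asynchronous mode
    detect_demand_ms: int   # detection interval in demand mode


def negotiate(local: BfdTimers, peer: BfdTimers) -> Negotiated:
    """Actual parameters on the local end, given both ends' configured values."""
    tx = max(local.min_tx_ms, peer.min_rx_ms)  # never send faster than the peer can receive
    rx = max(peer.min_tx_ms, local.min_rx_ms)  # never expect packets faster than the peer sends
    return Negotiated(
        tx_ms=tx,
        rx_ms=rx,
        detect_async_ms=rx * peer.detect_mult,    # asynchronous: the peer's multiple applies
        detect_demand_ms=tx * local.detect_mult,  # demand: the local multiple applies
    )


def both_ends(a: BfdTimers, b: BfdTimers) -> tuple[Negotiated, Negotiated]:
    """Negotiated view from A's side and from B's side.

    Because A's rx equals B's tx, A's asynchronous detection interval is always
    B's demand-mode detection interval, and vice versa (2000/2400 ms in the guide's case).
    """
    return negotiate(a, b), negotiate(b, a)


def intervals_in_state(local: BfdTimers, peer: BfdTimers, session_up: bool,
                       rng: random.Random | None = None) -> tuple[int, int]:
    """(tx, rx) in use on the local end: the negotiated values while Up; while Down,
    random 2000-3000 ms local intervals (assumption: substituted before negotiation)."""
    if session_up:
        n = negotiate(local, peer)
        return n.tx_ms, n.rx_ms
    rng = rng or random.Random()
    slowed = BfdTimers(rng.randint(2000, 3000), rng.randint(2000, 3000), local.detect_mult)
    n = negotiate(slowed, peer)
    return n.tx_ms, n.rx_ms


if __name__ == "__main__":
    local, peer = BfdTimers(300, 300, 4), BfdTimers(400, 600, 5)
    print("local:", negotiate(local, peer))  # tx 600, rx 400, async 2000, demand 2400
    print("peer :", negotiate(peer, local))  # tx 400, rx 600, async 2400, demand 2000
    print("down :", intervals_in_state(local, peer, session_up=False))
```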

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bfd cfg-name

The BFD session view is displayed.


Step 3 Run:
min-tx-interval interval

The BFD control packet sending interval is configured.


By default, the minimum sending interval is 1000 ms.
Step 4 Run:
min-rx-interval interval

The BFD control packet receiving interval is configured.


By default, the minimum receiving interval is 1000 ms.
Step 5 Run:
detect-multiplier multiplier

The local detection multiple is configured.


By default, the local detection multiple is 3.
Step 6 Run:
commit

The configurations are submitted.


NOTE

To change session parameters (by using the process-pst, min-tx-interval, min-rx-interval, detect-
multiplier, tos-exp, wtr, or description command) after a BFD session is created, you must run the
commit command for the changes to take effect.

----End

Follow-up Procedure
l Run the display bfd configuration command to display the detection parameters of the
static BFD session.
<sysname> display bfd configuration static name test verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : test
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 30.1.1.1
Bind Interface : GigabitEthernet1/0/1
TOS-EXP : 6 Local Detect Multi : 3
Min Tx Interval (ms) : 400 Min Rx Interval (ms) : 400
WTR Interval (ms) : -- Process PST : Disable
Proc interface status : Disable
Local Demand Mode : Disable
Bind Application : No Application Bind
Session Description : --
--------------------------------------------------------------------------------

l Run the display bfd session command to display the specified detection parameters of the
static BFD session and the actual detection parameters after session negotiation.

<sysname> display bfd session static verbose
--------------------------------------------------------------------------------
Session MIndex : 1028 State : Down Name : test
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 30.1.1.1
Bind Interface : GigabitEthernet1/0/1
FSM Board Id : 0 TOS-EXP : 6
Min Tx Interval (ms) : 400 Min Rx Interval (ms) : 400
Actual Tx Interval (ms): 1300 Actual Rx Interval (ms): 1300
Local Detect Multi : 3 Detect Interval (ms) : --
Echo Passive : Disable Acl Number : -
WTR Interval (ms) : -- Process PST : Disable
Proc interface status : Disable
Local Demand Mode : Disable
Last Local Diagnostic : No Diagnostic
Bind Application : No Application Bind
Session TX TmrID : 4104 Session Detect TmrID : --
Session Init TmrID : -- Session WTR TmrID : --
PDT Index : FSM-0|RCV-0|IF-0|TOKEN-0
Session Description : --
--------------------------------------------------------------------------------

6.5.4.3 (Optional) Configuring Auto-negotiation of Static Discriminators


Configuring the auto-negotiation of static discriminators allows the local device to establish a
BFD session with a peer device that establishes BFD sessions dynamically. This function is
mainly used with static routes.

Context
This function is used when BFD interworks with static routes and the local device must
communicate with a peer device that uses a dynamic BFD session.

Local and remote discriminators cannot be configured on the device when you configure the
auto-negotiation of static discriminators.

The configuration of a static auto-negotiated BFD session differs from that of a static BFD
session as follows:
l After you create the static auto-negotiation configuration by running the bfd bind peer-ip
source-ip auto command, the BFD session can be established without the commit
command executed.
l After the parameters (such as the BFD control packet sending interval, receiving interval,
and local detection multiple) of the static auto-negotiated BFD session are changed, they
take effect without the commit command executed.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bfd

The global BFD function is enabled and the BFD global view is displayed.

Step 3 Run:
quit

Return to the system view.

Step 4 Run:
bfd cfg-name bind peer-ip peer-ip [ vpn-instance vpn-instance-name ] [ interface interface-type interface-number ] source-ip source-ip auto

A static auto-negotiated BFD session with the static discriminator is created.

l The peer-ip parameter cannot be a multicast IP address.


l If both interface and source-ip are specified, the source IP address must be the same as the
IP address of the interface.

----End

Follow-up Procedure
l Run the display bfd configuration command to display the configuration information
about the static auto-negotiated BFD session.
<sysname> display bfd configuration static-auto verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : single
--------------------------------------------------------------------------------
Local Discriminator : 8193 Remote Discriminator : 8192
BFD Bind Type : Peer Ip Address
Bind Session Type : S_Auto
Bind Peer Ip Address : 10.0.0.2
Bind Interface : --
Bind Source Ip Address : 10.0.0.1
TOS-EXP : 6 Local Detect Multi : 3
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
WTR Interval (ms) : -- Process PST : Disable
Proc interface status : Disable
Local Demand Mode : Disable
Bind Application : No Application Bind
Session Description : --
--------------------------------------------------------------------------------

Total Commit/Uncommit CFG Number : 1/0

l Run the display bfd session command to display the information about the static auto-
negotiated BFD session.
<sysname> display bfd session static-auto verbose
--------------------------------------------------------------------------------
Session MIndex : 16385 State : Up Name : single
--------------------------------------------------------------------------------
Local Discriminator : 8193 Remote Discriminator : 8192
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Peer Ip Address
Bind Session Type : S_Auto
Bind Peer IP Address : 10.0.0.2
Bind Interface : --
Bind Source IP Address : 10.0.0.1
FSM Board Id : 2 TOS-EXP : 7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1150 Actual Rx Interval (ms): 1150
Local Detect Multi : 3 Detect Interval (ms) : 30
Echo Passive : Disable Acl Number : -
WTR Interval (ms) : - Process PST : Disable
Proc Interface Status : Disable
Local Demand Mode : Disable
Last Local Diagnostic : No Diagnostic
Bind Application : AUTO
Session TX TmrID : - Session Detect TmrID : -
Session Init TmrID : - Session WTR TmrID : -
PDT Index : FSM-3010000 | RCV-0 | IF-3010000 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

A BFD session of the S_Auto type is established. The local and remote discriminators are
8193 and 8192 respectively, which are obtained through auto-negotiation.

6.5.4.4 (Optional) Configuring the Session Demand Mode


When a large number of BFD sessions are established in the system, it is recommended that you
set the detection mode to demand mode so that the overhead of periodically transmitted BFD
control packets does not affect the system. By default, BFD session detection uses the
asynchronous mode.

Context
After a BFD session is established, two detection modes are available:
l Asynchronous mode
In asynchronous mode, the systems send BFD control packets at the negotiated period. If
one system does not receive a BFD control packet from the peer end within the detection
interval, it regards the BFD session as Down. The asynchronous mode is the most
commonly used one.
l Demand mode
In demand mode, once a BFD session is established, the systems do not periodically send
BFD control packets. Instead, other detection mechanisms (such as the slow Hello
mechanism of routing protocols or hardware detection) are used to reduce the overhead of
BFD sessions. In demand mode, the system maintains a query timer. When the query timer
expires, the system sends a short sequence of query packets to check the link. If the system
does not receive a reply packet, the session is regarded as Down.

Both ends must work in the same mode. That is, the BFD session runs in demand mode only
after demand mode is configured on both ends.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bfd cfg-name

The BFD session view is displayed.

Step 3 Run:
demand

The detection mode for BFD sessions is set to the demand mode.

Step 4 Optional: Run:


demand timer time-value

Periodic querying in demand mode is enabled, and the query interval is specified.

After timer time-value is configured, the device sends query packets at the interval specified by
time-value.

----End

Follow-up Procedure
Run the display bfd configuration command to check whether the demand mode is enabled for
static BFD sessions, and display the interval of scheduled demand.
<sysname> display bfd configuration static name test verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : test
--------------------------------------------------------------------------------
Local Discriminator : 20 Remote Discriminator : 30
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 30.1.1.1
Bind Interface : GigabitEthernet1/0/1
TOS-EXP : 6 Local Detect Multi : 3
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
WTR Interval (ms) : -- Process PST : Disable
Proc interface status : Disable
Local Demand Mode : Enable Demand Tx Interval (ms): 600
Bind Application : No Application Bind
Session Desciption : Router_A
--------------------------------------------------------------------------------

6.5.4.5 (Optional) Configuring Session Descriptions


By configuring session descriptions when you create static BFD sessions, you can better
understand the configurations. Generally, a description explains the devices on both ends of a
session.

Context
NOTE

The description command is valid only for statically configured BFD sessions, not for dynamically
configured BFD sessions or auto-negotiated BFD sessions with static discriminators.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bfd cfg-name

The BFD session view is displayed.

Step 3 Run:
description description

A BFD session description is configured.

By default, the BFD session description is empty.

Step 4 Run:
commit

The configurations are submitted.

NOTE

To change session parameters (by using the process-pst, min-tx-interval, min-rx-interval, detect-
multiplier, tos-exp, wtr, or description command) after a BFD session is created, you must run the
commit command for the changes to take effect.

----End

Follow-up Procedure
Run the display bfd configuration command to display the description of the static BFD session.
<sysname> display bfd configuration static name test verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : test
--------------------------------------------------------------------------------
Local Discriminator : 20 Remote Discriminator : 30
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 30.1.1.1
Bind Interface : GigabitEthernet1/0/1
TOS-EXP : 6 Local Detect Multi : 3
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
WTR Interval (ms) : -- Process PST : Disable
Proc interface status : Disable
Local Demand Mode : Disable
Bind Application : No Application Bind
Session Desciption : Router_A
--------------------------------------------------------------------------------

6.5.4.6 (Optional) Configuring the Priority for Sending BFD Packets


Adjusting the priority for sending BFD packets changes the sending order in the case of
congestion at the interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.


Step 2 Run:
bfd cfg-name

The BFD session view is displayed.


Step 3 Run:
tos-exp tos-value

The priority for sending BFD packets is configured.


By default, the priority is 6, namely, the highest priority.
In the case of congestion, the system preferentially sends BFD packets with a higher priority.
You are advised to change the default configuration only after you understand its effects.
Step 4 Run:
commit

The configurations are submitted.

NOTE

To change session parameters (by using the process-pst, min-tx-interval, min-rx-interval, detect-
multiplier, tos-exp, wtr, or description command) after a BFD session is created, you must run the
commit command for the changes to take effect.

----End

Follow-up Procedure
Run the display bfd configuration command to display the packet priority for the static BFD
session.
<sysname> display bfd configuration static name test verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : test
--------------------------------------------------------------------------------
Local Discriminator : 20 Remote Discriminator : 30
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 30.1.1.1
Bind Interface : GigabitEthernet1/0/1
TOS-EXP : 6 Local Detect Multi : 3
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
WTR Interval (ms) : -- Process PST : Disable
Proc interface status : Disable
Local Demand Mode : Enable Demand Tx Interval (ms): 600
Bind Application : No Application Bind
Session Desciption : Router_A
--------------------------------------------------------------------------------

6.5.4.7 (Optional) Configuring the BFD WTR Time


A status change of a static BFD session takes effect only after the Wait to Recovery (WTR)
time, which prevents BFD session flapping from affecting upper-layer protocols.

Context
If a BFD session flaps, BFD-related applications will be frequently switched between active and
standby devices. To avoid this case, you can configure the WTR time for the BFD session. When
a BFD session changes from Down to Up, the BFD will notify this status change to upper-layer
applications only after the WTR time.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bfd cfg-name

The BFD session view is displayed.

Step 3 Run:
wtr wtr-value

The WTR time for the BFD session is configured.

By default, the time of waiting for recovery of the BFD session is 0, indicating no waiting.

NOTE

A BFD session is bidirectional: detection is performed by the BFD sessions set up on each end.
If WTR is needed, configure it on both ends manually. Otherwise, when the session status changes
on one end, the applications on the two ends may see inconsistent BFD session states.

Step 4 Run:
commit

The configurations are submitted.

NOTE

To change session parameters (by using the process-pst, min-tx-interval, min-rx-interval, detect-
multiplier, tos-exp, wtr, or description command) after a BFD session is created, you must run the
commit command for the changes to take effect.

----End
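The WTR behaviour described above, as an added Python example that is not from the Huawei guide: it replays a constructed sequence of session transitions and shows which notifications reach upper-layer applications with and without a WTR time. The event timestamps, the initial Down state and the millisecond unit of the WTR value are assumptions.

```python
"""Model the WTR hold-off on BFD Down-to-Up notifications.

Added example, not Huawei code. It shows how the wtr value in Step 3 keeps a
flapping session from repeatedly switching BFD-bound applications. The event
timestamps and the initial Down state are constructed assumptions.
"""
from __future__ import annotations


def notify_with_wtr(events: list[tuple[int, str]], wtr_ms: int) -> list[tuple[int, str]]:
    """Return the (time_ms, state) notifications an upper-layer application receives.

    events: chronological (time_ms, "Up" | "Down") transitions of the local BFD
    session, assumed to start Down (a newly created session). A Down transition is
    reported at once; an Up transition is reported only after the session has stayed
    Up for wtr_ms, and a Down inside that window cancels the pending Up.
    """
    notified = "Down"             # state the application currently believes
    pending_up: int | None = None  # time at which a pending Up becomes reportable
    out: list[tuple[int, str]] = []
    for t, state in events:
        # A pending Up whose WTR window ended before this event is delivered first.
        if pending_up is not None and pending_up <= t:
            out.append((pending_up, "Up"))
            notified = "Up"
            pending_up = None
        if state == "Up":
            if notified != "Up" and pending_up is None:
                pending_up = t + wtr_ms
        elif state == "Down":
            pending_up = None          # flap inside the window: Up is never reported
            if notified != "Down":
                out.append((t, "Down"))
                notified = "Down"
        else:
            raise ValueError(f"unknown BFD state {state!r}")
    if pending_up is not None:
        out.append((pending_up, "Up"))
    return out


# Constructed flap: the session bounces three times within 2.5 seconds.
FLAP = [(0, "Up"), (1000, "Down"), (1500, "Up"), (2000, "Down"), (2500, "Up")]

if __name__ == "__main__":
    print("wtr 0   :", notify_with_wtr(FLAP, 0))     # every transition reaches the application
    print("wtr 3000:", notify_with_wtr(FLAP, 3000))  # a single Up at 5500 ms
```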

Follow-up Procedure
Run the display bfd configuration command to display the WTR time for the static BFD
session.
<sysname> display bfd configuration static name test verbose
--------------------------------------------------------------------------------
BFD Session Configuration Name : test
--------------------------------------------------------------------------------
Local Discriminator : 20 Remote Discriminator : 30
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 30.1.1.1
Bind Interface : GigabitEthernet1/0/1
TOS-EXP : 6 Local Detect Multi : 3
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
WTR Interval (ms) : 3600000 Process PST : Disable
Proc interface status : Disable
Local Demand Mode : Enable Demand Tx Interval (ms): 600
Bind Application : No Application Bind
Session Desciption : Router_A
--------------------------------------------------------------------------------

6.5.5 Adjusting BFD Global Parameters


Adjusting BFD global parameters affects all static and dynamic BFD sessions on the device.

6.5.5.1 Delaying the Up State Change of the BFD Session


In special scenarios, delaying the Up state change of the BFD session prevents the traffic loss
that occurs because the routing protocol becomes Up later than the interface.

Context
In actual networking, some devices trigger traffic switchover based on the BFD session status.
However, the routing protocol becomes Up later than the interface, so traffic that is switched
back cannot find a route and is lost. After you delay the Up state change of the BFD session,
the session becomes Up a period of time after the fault is rectified, which compensates for the
routing protocol becoming Up later than the interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bfd

The global BFD function is enabled and the BFD global view is displayed.

Step 3 Run:
delay-up seconds

The Up state change delay of the BFD session is configured.

By default, the Up state change delay of the BFD session is 0 second. That is, the Up state change
of the BFD session is not delayed.

----End

Follow-up Procedure
Run the display bfd statistics command to display BFD global statistics.
<sysname> display bfd statistics
Current Display Board Number:Main;Current Product Register Type:
Current Session Number :
Static session : 256 Dynamic session : 0
S-Auto session : 0 IP session : 256
--------------------------------------------------------------------------------
PAF/LCS Name Maxnum Minnum Final Actual Create
--------------------------------------------------------------------------------
BFD_CFG_NUM 256 1 256 0 256
BFD_IF_NUM 256 1 256 0 0
BFD_SESSION_NUM 256 1 256 0 256
BFD_IO_SESSION_NUM 256 1 256 0 0
--------------------------------------------------------------------------------
IO Board Current Created Session Statistics Information :
--------------------------------------------------------------------------------
256
--------------------------------------------------------------------------------
Current Total Used Discriminator Num : 256
--------------------------------------------------------------------------------
BFD HA Information :
--------------------------------------------------------------------------------
Core Current HA Status : Slave Not Ready
Shell Current HA Status : Slave Not Ready
--------------------------------------------------------------------------------
BFD Timer Information :
--------------------------------------------------------------------------------
Period Refresh Session Timer ID/Position : 1026/0
System Session Delay Up Timer : OFF

The System Session Delay Up Timer field in the output shows the status of the timer that delays
the Up state change. OFF indicates that the system is running normally. A value of Xs indicates
that the BFD session becomes Up X seconds after the system recovers.

6.5.5.2 Configuring the Default Multicast Address for One-hop BFD


If you cannot specify the peer IP address when detecting a link using BFD, use the default
multicast IP address to establish a BFD session.

Context
When you perform one-hop BFD on the Layer-3 physical interfaces without IP addresses or
Layer-2 interfaces, use the default multicast IP address.
By default, the default multicast IP address for BFD is 224.0.0.184.
The default multicast IP address must be changed in the following situations:
l Other protocols on the network use this multicast IP address.
l BFD sessions overlap on the BFD path, for example, when Layer-3 interfaces are connected
through BFD-enabled Layer-2 switching devices. In this case, the devices on which the
overlapping sessions reside must be configured with different default multicast IP
addresses so that BFD packets are not forwarded incorrectly.
l The Layer-2 interfaces of the two devices are connected through a Layer-2 switch that
provides the BFD function, multicast IP addresses are used to set up the BFD sessions, and
the global BFD function is enabled on the switch. In this case, run the default-ip-address
command to configure different default multicast IP addresses for the two devices and the
switch. Otherwise, the switch cannot forward the BFD multicast packets, and the BFD
session is interrupted.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bfd

The global BFD function is enabled and the BFD global view is displayed.

Step 3 Optional: Run:
default-ip-address ip-address

The default multicast IP address for BFD is configured.

----End

6.5.5.3 Enabling Passive Echo


The BFD passive echo function enables the device to communicate with an echo-supported
device on the network. This function applies only to one-hop detection.

Prerequisites
Before enabling the passive echo function, configure the ACL if one is required.

NOTE

BFD echo packets loop back through ICMP redirection on the peer end. In an IP packet encapsulating the
BFD echo packet, the destination address and source address are both the IP address of the local outbound
interface. Therefore, the ACL rule must allow the source IP addresses of both the local end and peer end.

Context
When there are echo-supported devices on the network, you need to configure the BFD passive
echo function for compatibility with other devices.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bfd

The global BFD function is enabled and the BFD global view is displayed.

Step 3 Run:
echo-passive { all | acl basic-acl-number }

The BFD passive echo function is enabled.

l If you configure all, the passive echo function is enabled for all BFD sessions.
l If you configure acl basic-acl-number, the ACL rule determines which BFD sessions have the
passive echo function enabled. That is, the function is enabled only for the BFD sessions that
match the ACL.

----End

6.5.6 Configuring the Interworking Between BFD and Other Functions


This section describes how to configure interworking between BFD and other functions.

6.5.6.1 Configuring BFD-OSPF Interworking


You can configure BFD features on the link running OSPF in the scenarios where data
transmission poses high requirements on timeliness and OSPF convergence needs to be sped up
upon link status changes.

Prerequisites
Before you configure BFD-OSPF interworking, complete the following tasks on the devices at both
ends:

l Set the IP addresses of interfaces so that adjacent nodes are reachable.
l Configure basic OSPF functions so that the neighbor relationship reaches the Full state. For
details, see 10.4 OSPF.

Context
NOTE

Note that BFD-OSPF interworking needs to be configured on devices at both ends.

You can select one of the following modes to configure BFD-OSPF interworking:

l Enable BFD in the OSPF process.
To enable BFD on all interfaces in the OSPF process, enable BFD on all interfaces of the
devices at both ends of the link where the BFD session is to be established.
l Enable BFD on the interface.
BFD configured on the interface takes priority over BFD configured in the OSPF process.
To enable BFD on certain interfaces only, or to let certain interfaces identify link faults
more rapidly when BFD is already enabled in the OSPF process, enable BFD on the specified
interface.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
bfd

The global BFD function is enabled and the BFD global view is displayed.

Step 3 Run:
quit

Return to the system view.

Step 4 Select one of the following configuration modes as required.

l Enable BFD in the OSPF process.
1. Run:
ospf [ process-id ]

The OSPF view is displayed.

2. Run:
bfd all-interfaces enable

BFD is enabled in the OSPF process and the BFD session is established.
After BFD is enabled in the OSPF process, BFD sessions are created on all interfaces
in the process whose neighbor status is Full.
3. (Optional) Run:
bfd all-interfaces { detect-multiplier multiplier-value | min-rx-interval receive-interval | min-tx-interval transmit-interval } *

Parameters for the BFD session are specified.

– By default, the local detection multiplier is 3, the minimum receiving interval is
1000 ms, and the minimum sending interval is 1000 ms.
– If no BFD packet is received from the peer end within receive-interval × multiplier-value
(receive-interval is negotiated from the local min-rx-interval and the remote
min-tx-interval), BFD considers the neighbor Down.
– Specifying parameters alone does not create a BFD session; the bfd all-interfaces
enable command in step 2 creates it.
4. Run:
quit

Return to the system view.

5. Run:
interface interface-type interface-number

The interface view is displayed.

6. (Optional) Run:
ospf bfd block

The BFD session is prohibited from being dynamically created on the interface.
After BFD is enabled on all interfaces in the OSPF process, you can run this command
on certain interfaces to reduce the number of monitored links and improve performance.
l Enable BFD on the interface.
1. Run:
interface interface-type interface-number

The interface view is displayed.

2. Run:
ospf bfd enable

BFD is enabled on the OSPF-enabled interface.

3. (Optional) Run:
ospf bfd { detect-multiplier multiplier-value | min-rx-interval receive-interval | min-tx-interval transmit-interval } *

Parameters for the BFD session on the OSPF-enabled interface are specified.
– By default, the local detection multiplier is 3, the minimum receiving interval is
1000 ms, and the minimum sending interval is 1000 ms.
– Because BFD on the interface takes priority over BFD in the OSPF process, the
parameters of the BFD session on the interface take precedence over those of the BFD
session in the OSPF process.

----End
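The timer negotiation and detection time described in step 3 of both modes, worked through as an added example (not Huawei code): the default 3/1000 ms/1000 ms timers, the 500 ms/4 interface timers used in the configuration example later in this chapter, and the case where only one end is tuned. The remote multiplier is applied as in RFC 5880; the dataclass and function names are this example's own.

```python
"""BFD timer negotiation and detection time, as an added example.

Not Huawei code.  It implements the negotiation this page describes for
BFD sessions created through OSPF: the interval actually used for receiving
is negotiated from the local min-rx-interval and the remote min-tx-interval,
and the neighbor is declared Down when receive-interval x multiplier elapses
without a packet.  The multiplier applied is the remote end's, as in RFC 5880;
the page's defaults (3, 1000 ms, 1000 ms) are the dataclass defaults.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class BfdTimers:
    """Timers one end advertises; defaults are the page's defaults."""
    min_tx_interval: int = 1000   # ms, minimum sending interval
    min_rx_interval: int = 1000   # ms, minimum receiving interval
    detect_multiplier: int = 3    # local detection multiplier


def negotiate(local: BfdTimers, remote: BfdTimers) -> Dict[str, int]:
    """Actual intervals and detection time seen at the local end.

    Neither end may transmit faster than the peer is willing to receive,
    so the actual tx interval is max(local min-tx, remote min-rx) and the
    actual rx interval is max(local min-rx, remote min-tx).  Detection
    time is the actual rx interval multiplied by the remote multiplier.
    """
    actual_tx = max(local.min_tx_interval, remote.min_rx_interval)
    actual_rx = max(local.min_rx_interval, remote.min_tx_interval)
    return {
        "actual_tx_ms": actual_tx,
        "actual_rx_ms": actual_rx,
        "detect_ms": actual_rx * remote.detect_multiplier,
    }


def effective_timers(process: Optional[BfdTimers],
                     interface: Optional[BfdTimers]) -> BfdTimers:
    """Timers that apply on one interface.

    Parameters set with ospf bfd on the interface take priority over those
    set with bfd all-interfaces in the OSPF process; with neither, defaults.
    """
    if interface is not None:
        return interface
    if process is not None:
        return process
    return BfdTimers()


# Constructed scenario from the page's configuration example: NGFW_A and
# NGFW_B both run ospf bfd min-tx-interval 500 min-rx-interval 500
# detect-multiplier 4 on GigabitEthernet 1/0/1, while the OSPF process
# keeps the defaults.
TUNED = BfdTimers(min_tx_interval=500, min_rx_interval=500, detect_multiplier=4)


def detection_times() -> Dict[str, int]:
    """Detection time in ms for the three cases worth comparing."""
    both_default = negotiate(BfdTimers(), BfdTimers())
    both_tuned = negotiate(effective_timers(BfdTimers(), TUNED),
                           effective_timers(BfdTimers(), TUNED))
    # Only one end tuned: the peer's 1000 ms min-tx still bounds the
    # negotiated rx interval, so tuning a single device buys nothing.
    one_tuned = negotiate(TUNED, BfdTimers())
    return {
        "both ends default": both_default["detect_ms"],
        "both ends 500/500/4": both_tuned["detect_ms"],
        "only local end 500/500/4": one_tuned["detect_ms"],
    }


if __name__ == "__main__":
    for case, ms in detection_times().items():
        print(f"{case}: {ms} ms")
```

The 3000 ms default case matches the Detect Interval (ms) : 3000 field shown in the verbose session output later in this chapter; the single-end case shows why the example configures the interface timers on both NGFW_A and NGFW_B.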

Example
# Enable BFD for OSPF process 100. Assume that OSPF runs between devices at both ends and
the neighbor status is Full. The following takes what is configured on the device at one end as
an example.
<sysname> system-view
[sysname] ospf 100
[sysname-ospf-100] bfd all-interfaces enable

Follow-up Procedure
# Run the display ospf bfd session command on one device to display the information about
the BFD session in the OSPF process.
<sysname> display ospf bfd session all

OSPF Process 100 with Router ID 172.16.1.1

NeighborId:172.16.1.2       AreaId:0.0.0.0         Interface:GigabitEthernet1/0/1
BFDState:up                 rx :1000               tx :1000
Multiplier:3                BFD Local Dis:8192     LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.1.2        Diagnostic Info:Init

BFDState is Up, indicating that the status of the BFD session in the OSPF process is Up. In this
case, BFD starts monitoring the link status of OSPF.

6.5.6.2 Configuring the Interworking between BFD and Static Routes


To provide link detection for public IPv4 static routes by using BFD sessions, you can bind static
routes to BFD sessions. One static route can be bound to only one BFD session.

Prerequisites
Before you configure the interworking between BFD and static routes, complete the following
tasks on the devices at both ends:

l Set the IP addresses of interfaces so that adjacent nodes are reachable.
l Configure a static route. For details, see 10.2 IP Static Route.
l Manually configure the static BFD session. For details, see 6.5.4 Manually Configuring a
Static BFD Session.
The static BFD session can be one-hop or multi-hop.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip route-static [ vpn-instance vpn-instance-name ] ip-address { mask | mask-length } { nexthop-address | interface-type interface-number [ nexthop-address ] | vpn-instance vpn-instance-name nexthop-address } [ preference preference ] track bfd-session cfg-name [ description description ]

The interworking between the static route and BFD is configured.

l Before you configure the interworking, make sure that the destination IP address and next-hop
IP address (or outbound interface) in this command are the same as those of the existing
static route. Generally, configure the static route first, and then bind it to the BFD session.
l cfg-name specifies the BFD session that monitors the link.

----End

Example
# The device has a default static route whose next-hop IP address is 10.1.1.1. Configure the
interworking between the static route and BFD to monitor the link. (Assume that the static
route and a static BFD session named bfd_a are already configured.)
<sysname> system-view
[sysname] ip route-static 0.0.0.0 0 10.1.1.1 track bfd-session bfd_a

Follow-up Procedure
l Run the display ip routing-table command to display the IP routing table. When the link
is faulty, the static route entry does not exist in the routing table. After the fault is rectified,
the static route entry is available in the routing table.
l Run the display bfd session command to display the information about the BFD session.

6.5.6.3 Configuring BFD-FRR Interworking


This section describes the procedure and precautions for configuring BFD-FRR interworking.

Prerequisites
For details on how to manually configure the static BFD session, see 6.5.4 Manually
Configuring a Static BFD Session.

Context
BFD-FRR interworking is configured as follows:
l Configure FRR to form the standby link.
l Configure BFD to detect the status of active and standby links.

Procedure
Step 1 Configure FRR. For details, see 10.1.3.4 Configuring FRR.

----End

6.5.6.4 Configuring BFD-DHCP Interworking


This section describes the procedure and precautions for configuring BFD-DHCP interworking.

Prerequisites
Before you configure BFD-DHCP interworking, complete the following tasks:

1. Configure the device as a DHCP client so that it obtains an IP address from the DHCP server.
For details, see 8.4.5.3 Configuring a DHCP Client.
2. Manually configure static BFD sessions on the devices at both ends. For details, see 6.5.4
Manually Configuring a Static BFD Session.
Local and remote discriminators must be specified for the static BFD sessions (excluding
auto-negotiated static sessions); otherwise, the neighbor relationship cannot be negotiated.
When one end of the BFD session is the DHCP client, the next hop of the static BFD session
must be specified as nexthop dhcp. That is, when the device acts as the DHCP client, the
gateway address obtained from DHCP serves as the next-hop IP address for forwarding BFD
packets.
On the peer of the DHCP client, specify the peer IP address of the static BFD session as the
IP address of the DHCP client. If the IP address obtained by the DHCP client changes, you
need to re-create the BFD session.

Context
In dual-uplink networking, if active/standby switchover between links is required, the active
link must be assigned the route with the higher priority. The smaller the preference value, the
higher the priority.

When the device acts as a DHCP client, the priority of the default route obtained from the DHCP
server is 245. In dual-uplink networking, if the active link uses DHCP and the standby link uses
another mode, the route priority value of the standby link must be larger than 245. With
DHCP-BFD interworking, the system then disconnects the DHCP link as soon as it identifies the
link fault, and traffic is switched to the standby link.
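The route selection these two paragraphs rely on, and the routing-table behaviour described for BFD-tracked static routes in 6.5.6.2, modelled as an added example (not Huawei code): a tracked route leaves the table while its session is Down, the lowest preference value wins, and the DHCP default route's preference 245 is taken from this page. The uplink names and discriminator are constructed.

```python
"""Static-route selection with BFD tracking, as an added example.

This is not Huawei code.  It models the two rules this page states: a static
route bound to a BFD session leaves the routing table while the session is
Down, and among the remaining routes the one with the smaller preference
value wins.  The DHCP-learned default route carries preference 245 (stated
on this page); the route names and discriminators are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

DHCP_DEFAULT_ROUTE_PREFERENCE = 245  # priority of the default route a DHCP client obtains


@dataclass(frozen=True)
class StaticRoute:
    name: str                              # constructed label for the uplink
    next_hop: str
    preference: int                        # smaller value = higher priority
    track_bfd_discr: Optional[int] = None  # local discriminator of the tracked session


def routes_in_table(routes: List[StaticRoute],
                    bfd_state: Dict[int, str]) -> List[StaticRoute]:
    """Return the routes currently present in the routing table.

    An untracked route is always present.  A tracked route is present only
    while its BFD session (looked up by local discriminator) is Up; an
    unknown discriminator counts as Down, since a session that was never
    created cannot report Up.
    """
    return [r for r in routes
            if r.track_bfd_discr is None
            or bfd_state.get(r.track_bfd_discr) == "Up"]


def select_default_route(routes: List[StaticRoute],
                         bfd_state: Dict[int, str]) -> Optional[StaticRoute]:
    """Pick the active default route: the present route with the lowest preference value."""
    present = routes_in_table(routes, bfd_state)
    if not present:
        return None
    return min(present, key=lambda r: r.preference)


def check_dual_uplink(active: StaticRoute, standby: StaticRoute) -> List[str]:
    """Flag configurations under which the failover described on this page cannot work."""
    problems = []
    if active.track_bfd_discr is None:
        problems.append(f"{active.name}: not bound to a BFD session, so a link fault "
                        "is never detected and the route is never withdrawn")
    if standby.preference <= active.preference:
        problems.append(f"{standby.name}: preference {standby.preference} is not larger "
                        f"than the active route's {active.preference}, so the standby "
                        "link would carry traffic even while the active link is healthy")
    return problems


# Constructed topology: the active uplink is a DHCP client whose default route
# (preference 245) is tracked by the static BFD session with local discriminator 10;
# the standby uplink is a manually configured default route with preference 250.
ACTIVE = StaticRoute("dhcp-uplink", "10.1.1.1", DHCP_DEFAULT_ROUTE_PREFERENCE, track_bfd_discr=10)
STANDBY = StaticRoute("standby-uplink", "10.1.2.1", 250)
ROUTES = [ACTIVE, STANDBY]


def failover_demo() -> Dict[str, str]:
    """Which uplink carries traffic before, during and after a fault on the active link."""
    return {
        "active link up": select_default_route(ROUTES, {10: "Up"}).name,
        "active link down": select_default_route(ROUTES, {10: "Down"}).name,
        "after recovery": select_default_route(ROUTES, {10: "Up"}).name,
    }


if __name__ == "__main__":
    for phase, uplink in failover_demo().items():
        print(f"{phase}: {uplink}")
    # A standby preference of 200 violates the "larger than 245" rule.
    print(check_dual_uplink(ACTIVE, StaticRoute("bad-standby", "10.1.2.1", 200)))
```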

NOTE

To implement DHCP-BFD interworking, you need to only configure the device serving as the DHCP client.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The interface view is displayed.

Step 3 Run:
dhcp client enable track bfd-session local-discr-value

DHCP is associated with the BFD session.

During DHCP-BFD interworking, the bound local-discr-value value is the local discriminator
of the monitored BFD session, not the BFD configuration name.

----End

Follow-up Procedure
Run the display bfd session command on the DHCP client to display the information about the
static BFD session that interworks with DHCP.
<sysname> display bfd session static verbose
--------------------------------------------------------------------------------
Session MIndex : 1024 State : Up Name : 1
--------------------------------------------------------------------------------
Local Discriminator : 10 Remote Discriminator : 20
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet 1/0/1)
Bind Session Type : Static
Bind Peer Ip Address : 10.1.1.1
Bind Interface : GigabitEthernet 1/0/1
FSM Board Id : 0 TOS-EXP : 6
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi : 3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number : -
WTR Interval (ms) : -- Process PST : Disable
Proc interface status : Disable
Active Multi : 3
Local Demand Mode : Disable
Last Local Diagnostic : Control Detection Time Expired
Bind Application : DHCP
Session TX TmrID : 4103 Session Detect TmrID : 4104
Session Init TmrID : -- Session WTR TmrID : --
PDT Index : FSM-0|RCV-0|IF-0|TOKEN-0
Session Description : --
--------------------------------------------------------------------------------

6.5.6.5 Configuring BFD-PBR Interworking


This section describes the procedure and precautions for configuring BFD-PBR interworking.

Prerequisites
Before you configure BFD-PBR interworking, complete the following tasks on devices at both
ends:

l Manually configuring the static BFD session. For details, see 6.5.4 Manually Configuring
a Static BFD Session.
The static BFD session can be of the one-hop or multi-hop type.
l Configuring the IP unicast PBR. For details, see 17 PBR.

Context
You need to configure the interworking function only on the device where the PBR function is
enabled.

When the interworking function is configured and the BFD session is deleted from the remote
device, the interworking function fails. In this case, the local device continues forwarding traffic
based on the PBR.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
policy-based-route

The PBR view is displayed.

Step 3 Run:
rule name rule-name

A PBR rule is created and its view is displayed.

Step 4 Run:
track bfd-session local-discr-value

The interworking between PBR and BFD is configured.

NOTE

A PBR rule can interwork with either IP-link or BFD.

----End

Follow-up Procedure
Run the display bfd session command to display the information about the static BFD session
bound to the PBR.
<sysname> display bfd session static
--------------------------------------------------------------------------------
Local Remote Peer IP Address Interface Name State Type
--------------------------------------------------------------------------------
10 20 10.1.2.1 -- Up Static
30 40 10.1.3.1 -- Down Static
--------------------------------------------------------------------------------

A BFD session in the Down state has not been established successfully. A BFD session in the Up
state has been created at both devices.
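The check a practitioner would script from this output, for PBR rules here and for the HRP management groups in 6.5.6.6, as an added example (not Huawei code): parse the display bfd session static table and confirm that every consumer's local-discr-value names an existing session that is Up. The sample output is constructed from the rows shown above; the consumer names and the discriminator 99 are hypothetical.

```python
"""Parse `display bfd session static` output and verify the sessions that PBR
rules or HRP management groups track by local discriminator.

Added example, not Huawei code.  The sample output below is constructed from
the rows shown on this page; the consumer names and the extra discriminator
99 are hypothetical.
"""
import re
from typing import Dict, List

# Constructed from the page's sample output (two static sessions, one Down).
SAMPLE_OUTPUT = """\
<sysname> display bfd session static
--------------------------------------------------------------------------------
Local Remote Peer IP Address Interface Name State Type
--------------------------------------------------------------------------------
10 20 10.1.2.1 -- Up Static
30 40 10.1.3.1 -- Down Static
--------------------------------------------------------------------------------
"""

# local, remote, peer IP, interface name (may contain spaces), state, type.
# The non-greedy interface group stops before the last two whitespace-separated
# tokens, so "GigabitEthernet 1/0/1 Up Static" also parses.
ROW_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s+(\S+)\s+(\S+)\s*$")


def parse_bfd_sessions(output: str) -> List[Dict[str, object]]:
    """Return one dict per session row; prompt, rulers and header are skipped."""
    sessions = []
    for line in output.splitlines():
        match = ROW_RE.match(line)
        if not match:          # prompt, dashed ruler, column header or blank line
            continue
        local, remote, peer_ip, interface, state, session_type = match.groups()
        sessions.append({
            "local": int(local),
            "remote": int(remote),
            "peer_ip": peer_ip,
            "interface": interface,
            "state": state,
            "type": session_type,
        })
    return sessions


def check_tracked_sessions(sessions: List[Dict[str, object]],
                           tracked: Dict[str, int]) -> Dict[str, str]:
    """Map each consumer (PBR rule or HRP group) to a finding about its session.

    `tracked` holds the local-discr-value each consumer was configured with.
    The lookup is by local discriminator, not by BFD configuration name,
    because that is the value the track commands on this page bind to.
    """
    by_local = {s["local"]: s for s in sessions}
    findings = {}
    for consumer, discr in tracked.items():
        session = by_local.get(discr)
        if session is None:
            findings[consumer] = (f"no static BFD session with local discriminator {discr}; "
                                  "check that the discriminator, not the cfg-name, was used")
        elif session["state"] != "Up":
            findings[consumer] = (f"session {discr} is {session['state']}: not created at "
                                  "both ends, so the tracked link counts as faulty")
        else:
            findings[consumer] = "ok"
    return findings


if __name__ == "__main__":
    parsed = parse_bfd_sessions(SAMPLE_OUTPUT)
    # Hypothetical consumers: two PBR rules and the active HRP management group.
    for consumer, finding in check_tracked_sessions(
            parsed, {"pbr rule r1": 10, "pbr rule r2": 30, "hrp active group": 99}).items():
        print(f"{consumer}: {finding}")
```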

6.5.6.6 Configuring the Interworking between BFD and Hot Standby


This section describes the procedure and precautions for configuring the interworking between
BFD and Hot Standby.

Prerequisites
Before you configure the interworking between BFD and Hot Standby, complete the following
tasks on devices at both ends:

l Manually configuring the static BFD session. For details, see 6.5.4 Manually Configuring
a Static BFD Session.
l Configuring the Hot Standby. For details, see 6.1 Hot Standby.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
hrp track bfd-session local-discr-value { active | standby }

You can configure the active management group or the standby management group to monitor the
status of a BFD session.

On the active device, configure the Active management group to monitor the BFD session status.
On the standby device, configure the Standby management group to monitor the BFD session status.

----End

Follow-up Procedure
Run the display bfd session command to display the information about the static BFD session
bound to the VGMP groups.
<sysname> display bfd session static
--------------------------------------------------------------------------------
Local Remote Peer IP Address Interface Name State Type
--------------------------------------------------------------------------------
10 20 10.1.2.1 -- Up Static
--------------------------------------------------------------------------------

A BFD session in the Down state has not been established successfully. A BFD session in the Up
state has been created at both devices.

6.5.7 Maintaining BFD


After configuring BFD, you can run the display commands to view the configuration result,
session information, and related statistics. You can also clear statistics or enable debugging if
necessary.

Checking BFD Information


During routine maintenance, you can run the following commands in any view to learn about
BFD running status.

NOTE

You can view the information about BFD session statistics and BFD sessions only after parameters for
BFD sessions are specified and BFD sessions are successfully created.

Table 6-10 Checking BFD information

Action: Check the configuration of the BFD session.
Command: display bfd configuration { all | dynamic | peer-ip peer-ip [ vpn-instance vpn-instance-name ] | static [ name cfg-name ] | static-auto } [ verbose ]

Action: Check the information about the BFD-enabled interface.
Command: display bfd interface [ interface-type interface-number ]

Action: Check the information about the BFD session.
Command: display bfd session { all | discriminator local-discr-value | dynamic | peer-ip peer-ip [ vpn-instance vpn-instance-name ] | static | static-auto } [ verbose ]

Action: Check global BFD statistics.
Command: display bfd statistics

Action: Check statistics on BFD sessions.
Command: display bfd statistics session { all | discriminator local-discr-value | dynamic | peer-ip peer-ip [ vpn-instance vpn-instance-name ] | static | static-auto }

Action: Check the information about the BFD session triggered by the OSPF neighbor.
Command: display ospf [ process-id ] bfd session interface-type interface-number [ router-id ]
Command: display ospf [ process-id ] bfd session { router-id | all }

Action: Check the information about the BFD session stored in RM.
Command: display rm bfd-session [ vpn-instance vpn-instance-name ] [ destination destination-address ] [ source source-address ] [ interface interface-type interface-number ] [ protocol ospf ]
Command: display rm bfd-session all

Clearing BFD Statistics


To diagnose and locate BFD faults, you need to collect BFD statistics over a period of time and
check whether the counts of received and sent packets are consistent. Therefore, before you
start a new round of statistics collection, run the reset command to clear the historical
statistics.

NOTICE
BFD statistics cannot be restored after you clear them. Therefore, perform the operation with
caution.

Table 6-11 Clearing BFD statistics

Action: Clear statistics on received and sent BFD packets.
Command: reset bfd statistics { all | discriminator discriminator-value }

Debugging BFD
When a BFD running fault occurs, you can run the debugging commands in the user view to
debug BFD, view the debugging information, and locate and analyze the fault.

Before you enable debugging, run the terminal monitor and terminal debugging commands in
the user view to enable terminal information display and debugging information display on
the terminal.

Enabling debugging degrades system performance. After debugging is complete, run the undo
debugging all command promptly to disable it.

For the description of debugging commands, refer to the Debugging Reference.

Table 6-12 Debugging BFD

Action: Enable all BFD debugging.
Command: debugging bfd all

Action: Enable BFD defect detection debugging.
Command: debugging bfd defect-detect

Action: Enable BFD error debugging.
Command: debugging bfd error

Action: Enable BFD event debugging.
Command: debugging bfd event

Action: Enable BFD state machine debugging.
Command: debugging bfd fsm

Action: Enable BFD packet debugging.
Command: debugging bfd packet

Action: Enable BFD process debugging.
Command: debugging bfd process

Action: Enable BFD product interface debugging.
Command: debugging bfd product-interface

Action: Enable BFD session management debugging.
Command: debugging bfd session-management

Action: Enable BFD timer debugging.
Command: debugging bfd timer

6.5.8 Configuration Examples


This section describes the configuration examples of BFD.

6.5.8.1 Example for Configuring BFD-OSPF Interworking


In OSPF networking with multiple devices, BFD delivers rapid fault detection.

Networking Requirements
As shown in Figure 6-61, NGFW_A carries main services of an enterprise and OSPF runs
between NGFW_B and NGFW_C. The link from NGFW_A to NGFW_B is an active link,
whereas the link from NGFW_A, NGFW_C, to NGFW_B is a standby link. It is required that
traffic can be immediately switched to the standby link when the active link is faulty, and it can
be also switched back after the active link is recovered.

Figure 6-61 Networking diagram of configuring BFD-OSPF interworking

[Figure not reproduced. Labels recoverable from the figure: NGFW_A (Loopback 0 172.16.1.1/32,
GE1/0/3 192.168.1.1/24, GE1/0/1 10.1.1.1/24); NGFW_B (Loopback 0 172.16.1.2/32, GE1/0/1
10.1.1.2/24); NGFW_C (Loopback 0 172.16.1.3/32); BFD session between NGFW_A and NGFW_B;
all devices in Area 0.]

Configuration Roadmap
The configuration roadmap is as follows:

1. OSPF runs among NGFW_A, NGFW_B, and NGFW_C. The OSPF neighbor status is Full.
2. To monitor the active link, enable BFD for the OSPF process on each device.
3. To better switch traffic on the active link, enable BFD between NGFW_A and NGFW_B.

Procedure
Step 1 Configure NGFW_A.

# Configure basic OSPF functions.
<NGFW> system-view
[NGFW] sysname NGFW_A
[NGFW_A] ospf 100
[NGFW_A-ospf-100] area 0
[NGFW_A-ospf-100-area-0.0.0.0] network 172.16.1.1 0.0.0.0
[NGFW_A-ospf-100-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[NGFW_A-ospf-100-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[NGFW_A-ospf-100-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[NGFW_A-ospf-100-area-0.0.0.0] quit
[NGFW_A-ospf-100] quit

# Enable BFD for OSPF process 100.
[NGFW_A] bfd
[NGFW_A-bfd] quit
[NGFW_A] ospf 100
[NGFW_A-ospf-100] bfd all-interfaces enable
[NGFW_A-ospf-100] quit

# Enable BFD for interface GigabitEthernet 1/0/1. Set the minimum sending and receiving
interval to 500 ms, and the local detection multiplier to 4.
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ospf bfd enable
[NGFW_A-GigabitEthernet1/0/1] ospf bfd min-tx-interval 500 min-rx-interval 500 detect-multiplier 4
[NGFW_A-GigabitEthernet1/0/1] quit

Step 2 Configure NGFW_B.

# Configure basic OSPF functions.
<NGFW> system-view
[NGFW] sysname NGFW_B
[NGFW_B] ospf 100
[NGFW_B-ospf-100] area 0
[NGFW_B-ospf-100-area-0.0.0.0] network 172.16.1.2 0.0.0.0
[NGFW_B-ospf-100-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[NGFW_B-ospf-100-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[NGFW_B-ospf-100-area-0.0.0.0] quit
[NGFW_B-ospf-100] quit

# Enable BFD for OSPF process 100.
[NGFW_B] bfd
[NGFW_B-bfd] quit
[NGFW_B] ospf 100
[NGFW_B-ospf-100] bfd all-interfaces enable
[NGFW_B-ospf-100] quit

# Enable BFD for interface GigabitEthernet 1/0/1. Set the minimum sending and receiving
interval to 500 ms, and the local detection multiplier to 4.
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ospf bfd enable
[NGFW_B-GigabitEthernet1/0/1] ospf bfd min-tx-interval 500 min-rx-interval 500 detect-multiplier 4
[NGFW_B-GigabitEthernet1/0/1] quit

Step 3 Configure NGFW_C.

# Configure basic OSPF functions.
<NGFW> system-view
[NGFW] sysname NGFW_C
[NGFW_C] ospf 100
[NGFW_C-ospf-100] area 0
[NGFW_C-ospf-100-area-0.0.0.0] network 172.16.1.3 0.0.0.0
[NGFW_C-ospf-100-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[NGFW_C-ospf-100-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[NGFW_C-ospf-100-area-0.0.0.0] quit
[NGFW_C-ospf-100] quit

# Enable BFD for OSPF process 100.
[NGFW_C] bfd
[NGFW_C-bfd] quit
[NGFW_C] ospf 100
[NGFW_C-ospf-100] bfd all-interfaces enable
[NGFW_C-ospf-100] quit
[NGFW_C] bfd

----End

Configuration Verification
1. After the configurations are complete, view the next-hop address of the external route in
the OSPF process on NGFW_B to determine whether the active link is used.
# Run the display ospf routing command. The next hop to 192.168.1.1 is 10.1.1.1, so the
active link is in use.
<NGFW_B> display ospf routing

OSPF Process 100 with Router ID 172.16.1.2
         Routing Tables

Routing for Network
Destination     Cost  Type     NextHop      AdvRouter    Area
10.1.3.0/24     2     Transit  10.1.1.1     172.16.1.3   0.0.0.0
10.1.3.0/24     2     Transit  10.1.2.2     172.16.1.3   0.0.0.0
10.1.2.0/24     1     Transit  10.1.2.1     172.16.1.3   0.0.0.0
172.16.1.3/32   2     Stub     10.1.2.2     172.16.1.3   0.0.0.0
172.16.1.2/32   1     Stub     172.16.1.2   172.16.1.2   0.0.0.0
10.1.1.0/24     1     Transit  10.1.1.2     172.16.1.2   0.0.0.0
172.16.1.1/32   2     Stub     10.1.1.1     172.16.1.1   0.0.0.0
192.168.1.0/24  2     Stub     10.1.1.1     172.16.1.1   0.0.0.0

Total Nets: 8
Intra Area: 8  Inter Area: 0  ASE: 0  NSSA: 0

2. View the OSPF neighbor status on one device. The following uses the information
displayed on NGFW_A as an example.
# Run the display ospf peer command to view the OSPF neighbor status. The OSPF neighbor
status is Full, so the BFD session is established automatically after BFD is enabled for
the OSPF process.
<NGFW_A> display ospf peer

OSPF Process 100 with Router ID 172.16.1.1
         Neighbors

Area 0.0.0.0 interface 10.1.1.1(GigabitEthernet1/0/1)'s neighbors
Router ID: 172.16.1.2      Address: 10.1.1.2      GR State: Normal
  State: Full  Mode:Nbr is Master  Priority: 1
  DR: 10.1.1.1  BDR: 10.1.1.2  MTU: 0
  Dead timer due in 28 sec
  Neighbor is up for 00:20:00
  Authentication Sequence: [ 0 ]

         Neighbors

Area 0.0.0.0 interface 10.1.3.1(GigabitEthernet1/0/2)'s neighbors
Router ID: 172.16.1.3      Address: 10.1.3.2      GR State: Normal
  State: Full  Mode:Nbr is Master  Priority: 1
  DR: 10.1.3.2  BDR: 10.1.3.1  MTU: 0
  Dead timer due in 38 sec
  Neighbor is up for 00:11:43
  Authentication Sequence: [ 0 ]

# Run the display ospf bfd session all command. The status of the BFD session is Up.
<NGFW_B> display ospf bfd session all

OSPF Process 100 with Router ID 172.16.1.2

NeighborId:172.16.1.1       AreaId:0.0.0.0         Interface:GigabitEthernet1/0/1
BFDState:up                 rx :1000               tx :1000
Multiplier:3                BFD Local Dis:8192     LocalIpAdd:10.1.1.2
RemoteIpAdd:10.1.1.1        Diagnostic Info:Init

NeighborId:172.16.1.3       AreaId:0.0.0.0         Interface:GigabitEthernet1/0/2
BFDState:up                 rx :1000               tx :1000
Multiplier:3                BFD Local Dis:8193     LocalIpAdd:10.1.2.1
RemoteIpAdd:10.1.2.2        Diagnostic Info:Init

3. BFD-related parameters are modified after interface-based BFD is enabled on NGFW_A
and NGFW_B.
# Run the display ospf bfd session all command to display the BFD-related parameters.
<NGFW_A> display ospf bfd session all

OSPF Process 100 with Router ID 172.16.1.1

NeighborId:172.16.1.2       AreaId:0.0.0.0         Interface:GigabitEthernet1/0/1
BFDState:up                 rx :500                tx :500
Multiplier:4                BFD Local Dis:8192     LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.1.2        Diagnostic Info:Init

NeighborId:172.16.1.3       AreaId:0.0.0.0         Interface:GigabitEthernet1/0/2
BFDState:up                 rx :1000               tx :1000
Multiplier:3                BFD Local Dis:8193     LocalIpAdd:10.1.3.1
RemoteIpAdd:10.1.3.2        Diagnostic Info:Init

4. Simulate a fault on the active link.
# Run the shutdown command on interface GigabitEthernet 1/0/1 of NGFW_A. On NGFW_B, the
next hop to 192.168.1.1 in the OSPF routing table changes to 10.1.2.2, so the standby link
is in use.
<NGFW_B> display ospf routing

OSPF Process 100 with Router ID 172.16.1.2
         Routing Tables

Routing for Network
Destination     Cost  Type     NextHop      AdvRouter    Area
10.1.3.0/24     2     Transit  10.1.2.2     172.16.1.3   0.0.0.0
10.1.2.0/24     1     Transit  10.1.2.1     172.16.1.3   0.0.0.0
172.16.1.3/32   2     Stub     10.1.2.2     172.16.1.3   0.0.0.0
172.16.1.2/32   1     Stub     172.16.1.2   172.16.1.2   0.0.0.0
172.16.1.1/32   3     Stub     10.1.2.2     172.16.1.1   0.0.0.0
192.168.1.0/24  3     Stub     10.1.2.2     172.16.1.1   0.0.0.0

Total Nets: 6
Intra Area: 6  Inter Area: 0  ASE: 0  NSSA: 0

# Run the undo shutdown command on GigabitEthernet 1/0/1 of NGFW_A. The traffic is
switched back to the active link, and the routing table is the same as in step 1.

Configuration Scripts
l Configuration scripts of NGFW_A
#
sysname NGFW_A
#
bfd
#
interface GigabitEthernet 1/0/1
 ip address 10.1.1.1 255.255.255.0
 ospf bfd enable
 ospf bfd min-tx-interval 500 min-rx-interval 500 detect-multiplier 4
#
interface GigabitEthernet 1/0/2
 ip address 10.1.3.1 255.255.255.0
#
interface GigabitEthernet 1/0/3
 ip address 192.168.1.1 255.255.255.0
#
interface Loopback 0
 ip address 172.16.1.1 255.255.255.255
#
ospf 100
 bfd all-interfaces enable
 area 0.0.0.0
  network 172.16.1.1 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 10.1.3.0 0.0.0.255
  network 192.168.1.0 0.0.0.255
#
return

- Configuration scripts of NGFW_B
#
sysname NGFW_B
#
bfd
#
interface GigabitEthernet 1/0/1
ip address 10.1.1.2 255.255.255.0
ospf bfd enable
ospf bfd min-tx-interval 500 min-rx-interval 500 detect-multiplier 4
#
interface GigabitEthernet 1/0/2
ip address 10.1.2.1 255.255.255.0
#
interface Loopback 0
ip address 172.16.1.2 255.255.255.255
#
ospf 100
bfd all-interfaces enable
area 0.0.0.0
network 172.16.1.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
return

- Configuration scripts of NGFW_C
#
sysname NGFW_C
#
bfd
#
interface GigabitEthernet1/0/1
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 10.1.3.2 255.255.255.0
#
interface Loopback 0
ip address 172.16.1.3 255.255.255.255
#
ospf 100
bfd all-interfaces enable
area 0.0.0.0
network 172.16.1.3 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
#
return

6.5.8.2 Example for Configuring Interworking Between BFD and Static Routes
If two static routes with different priorities to the same destination are configured, the active
and standby links can be switched automatically, based on BFD probing of the gateway's
reachability.

Networking Requirements
As shown in Figure 6-62, a company accesses the Internet through dual links. Static routes are
configured between NGFW_A and NGFW_B and between NGFW_A and NGFW_C.
NGFW_A->NGFW_B is the active link, and NGFW_A->NGFW_C is the standby link. It is
required that traffic be switched immediately to the standby link when the active link is faulty,
and switched back after the active link recovers.


Figure 6-62 Networking diagram of configuring the interworking between BFD and static routes

[Figure: NGFW_A GE1/0/1 (10.1.1.1/24) connects over the BFD session to NGFW_B GE1/0/1 (10.1.1.2/24), and NGFW_B GE1/0/2 (192.168.1.1/24) leads to the Internet; NGFW_A GE1/0/2 (10.1.2.1/24) connects to NGFW_C GE1/0/1 (10.1.2.2/24), and NGFW_C GE1/0/2 (192.168.2.1/24) leads to the Internet.]

Configuration Roadmap
The roadmap is as follows:

1. Configure static routes to different destinations between NGFW_A and NGFW_B as well
as between NGFW_A and NGFW_C. Configure the priorities for the routes, distinguishing
the active and standby links.
2. To switch traffic away from the active link as quickly as possible when it fails, manually
configure the BFD function between NGFW_A and NGFW_B.

Procedure
Step 1 Configure NGFW_A.

# Configure the static routes, and set the priority of the static route between NGFW_A and
NGFW_C to 100. In this case, NGFW_A->NGFW_B is the active link, and NGFW_A->NGFW_C
is the standby link.
<NGFW> system-view
[NGFW] sysname NGFW_A
[NGFW_A] ip route-static 192.168.1.0 255.255.255.0 10.1.1.2
[NGFW_A] ip route-static 192.168.2.0 255.255.255.0 10.1.2.2 preference 100

# Configure the BFD session for NGFW_B.


[NGFW_A] bfd
[NGFW_A-bfd] quit
[NGFW_A] bfd ab bind peer-ip 10.1.1.2
[NGFW_A-bfd-session-ab] discriminator local 10
[NGFW_A-bfd-session-ab] discriminator remote 20
[NGFW_A-bfd-session-ab] commit
[NGFW_A-bfd-session-ab] quit

# Configure the interworking between the static route and BFD.


[NGFW_A] ip route-static 192.168.1.0 255.255.255.0 10.1.1.2 track bfd-session ab

Step 2 Configure NGFW_B.

# Configure the BFD session for NGFW_A.


<NGFW> system-view
[NGFW] sysname NGFW_B
[NGFW_B] bfd
[NGFW_B-bfd] quit
[NGFW_B] bfd ab bind peer-ip 10.1.1.1
[NGFW_B-bfd-session-ab] discriminator local 20
[NGFW_B-bfd-session-ab] discriminator remote 10
[NGFW_B-bfd-session-ab] commit
[NGFW_B-bfd-session-ab] quit

----End

Configuration Verification
1. After the configurations are complete, view the information in the routing table.
# Run the display ip routing-table command on NGFW_A. In the routing table, there are
two static routes to different destinations.
<NGFW_A> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.1.1.0/24  Direct  0    0           D   10.1.1.1        GigabitEthernet1/0/1
       10.1.1.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       10.1.2.0/24  Direct  0    0           D   10.1.2.1        GigabitEthernet1/0/2
       10.1.2.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       127.0.0.0/8  Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    192.168.1.0/24  Static  60   0          RD   10.1.1.2        GigabitEthernet1/0/1
    192.168.2.0/24  Static  100  0          RD   10.1.2.2        GigabitEthernet1/0/2

Because its Pre value is smaller, the route to destination 192.168.1.0/24 has the higher
priority and represents the active link. While that link is normal, traffic is forwarded
over it.
2. View the BFD session status on NGFW_A or NGFW_B.
# Run the display bfd session all command. You can view that the status of the BFD session
is Up. The following uses the information that is displayed on NGFW_A as an example.
<NGFW_A> display bfd session all
--------------------------------------------------------------------------------
Local  Remote  Peer IP Address  Interface Name  State  Type
--------------------------------------------------------------------------------
10     20      10.1.1.2         --              Up     Static
--------------------------------------------------------------------------------

3. Simulate a fault on the active link.

# Run the shutdown command on interface GigabitEthernet 1/0/1 of NGFW_A.
<NGFW_A> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.1.2.0/24  Direct  0    0           D   10.1.2.1        GigabitEthernet1/0/2
       10.1.2.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
       127.0.0.0/8  Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    192.168.2.0/24  Static  100  0          RD   10.1.2.2        GigabitEthernet1/0/2

When you check the routing table on NGFW_A, you can view that the static route to
192.168.1.0/24 is deleted and the standby link is used in this case.
After the undo shutdown command is configured, the active link is recovered, and the
static route to 192.168.1.0/24 is added to the routing table again.
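The preference and BFD-tracking behaviour verified above, modelled as an added Python example (it is not Huawei code or output from this guide): the tracked route to 192.168.1.0/24 exists only while session ab is Up, and the untracked preference-100 route is unaffected. The example also covers the case named in this section's opening sentence, two routes to the same destination with different preferences, which the verification output above does not exercise. The class and function names are my own, and the rule that a tracked route whose session has no known state counts as Down is an assumption.

```python
"""Static routes with preference and BFD tracking, modelled in Python.

Added illustration, not Huawei code. Mirrors NGFW_A's configuration:
  ip route-static 192.168.1.0 255.255.255.0 10.1.1.2 track bfd-session ab
  ip route-static 192.168.2.0 255.255.255.0 10.1.2.2 preference 100
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    prefix: str                  # destination, e.g. "192.168.1.0/24"
    next_hop: str
    preference: int = 60         # default preference of a static route (Pre column)
    track: Optional[str] = None  # name of the BFD session the route depends on


@dataclass
class Rib:
    routes: List[StaticRoute] = field(default_factory=list)
    bfd_state: Dict[str, str] = field(default_factory=dict)  # session name -> "Up"/"Down"

    def set_bfd(self, session: str, state: str) -> None:
        self.bfd_state[session] = state

    def installed(self) -> List[StaticRoute]:
        """Routes present in the routing table. An untracked route is always
        installed; a tracked route is installed only while its session is Up.
        Assumption: a session with no known state counts as Down."""
        return [r for r in self.routes
                if r.track is None or self.bfd_state.get(r.track) == "Up"]

    def lookup(self, prefix: str) -> Optional[str]:
        """Next hop used for a destination prefix: among the installed routes to
        that prefix, the smallest preference value wins."""
        candidates = [r for r in self.installed() if r.prefix == prefix]
        if not candidates:
            return None
        return min(candidates, key=lambda r: r.preference).next_hop


def build_ngfw_a() -> Rib:
    """The two routes NGFW_A configures in this example (values from the page)."""
    rib = Rib()
    rib.routes.append(StaticRoute("192.168.1.0/24", "10.1.1.2", track="ab"))
    rib.routes.append(StaticRoute("192.168.2.0/24", "10.1.2.2", preference=100))
    rib.set_bfd("ab", "Up")
    return rib


def build_same_destination() -> Rib:
    """Constructed variant: two routes to one destination with different
    preferences, the case described in the section's opening sentence."""
    rib = Rib()
    rib.routes.append(StaticRoute("0.0.0.0/0", "10.1.1.2", preference=60, track="ab"))
    rib.routes.append(StaticRoute("0.0.0.0/0", "10.1.2.2", preference=100))
    rib.set_bfd("ab", "Up")
    return rib


def failover_sequence(rib: Rib, prefix: str) -> List[Optional[str]]:
    """Next hop while the active link is Up, after BFD reports it Down (the
    'shutdown' step above), and after it recovers ('undo shutdown')."""
    result = [rib.lookup(prefix)]
    rib.set_bfd("ab", "Down")
    result.append(rib.lookup(prefix))
    rib.set_bfd("ab", "Up")
    result.append(rib.lookup(prefix))
    return result


if __name__ == "__main__":
    # The tracked route is withdrawn while the session is Down, then re-installed.
    print(failover_sequence(build_ngfw_a(), "192.168.1.0/24"))      # ['10.1.1.2', None, '10.1.1.2']
    # Same destination: the preference-100 route takes over during the outage.
    print(failover_sequence(build_same_destination(), "0.0.0.0/0"))  # ['10.1.1.2', '10.1.2.2', '10.1.1.2']
```

Note what the page's own configuration does and does not give you: because the two routes go to different destinations, a BFD Down event deletes the route to 192.168.1.0/24 outright rather than failing it over; only the same-destination variant yields an automatic switch to the preference-100 path.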

Configuration Scripts
- Configuration scripts of NGFW_A
#
sysname NGFW_A
#
bfd
#
interface GigabitEthernet 1/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet 1/0/2
ip address 10.1.2.1 255.255.255.0
#
bfd ab bind peer-ip 10.1.1.2
discriminator local 10
discriminator remote 20
commit
#
ip route-static 192.168.1.0 255.255.255.0 10.1.1.2 track bfd-session ab
ip route-static 192.168.2.0 255.255.255.0 10.1.2.2 preference 100
#
return

- Configuration scripts of NGFW_B
#
sysname NGFW_B
#
bfd
#
interface GigabitEthernet 1/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet 1/0/2
ip address 192.168.1.1 255.255.255.0
#
bfd ba bind peer-ip 10.1.1.1
discriminator local 20
discriminator remote 10
commit
#
return

- Configuration scripts of NGFW_C
#
sysname NGFW_C
#
interface GigabitEthernet1/0/1
ip address 10.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 192.168.2.1 255.255.255.0
#
return

6.5.8.3 Example for Configuring BFD-FRR Interworking


BFD-FRR interworking implements switchover upon fault detection, if a standby FRR route is
configured manually.

Networking Requirements
As shown in Figure 6-63, two LANs communicate with each other through three NGFWs. To
ensure link reliability, two links exist between the LANs. The active link is between NGFW_A
and NGFW_B, whereas the standby link is between NGFW_A and NGFW_C. With BFD-FRR
interworking, traffic is rapidly switched to the standby link when the active link is faulty. After
the fault of the active link is rectified, the system automatically switches back to the active link.


Figure 6-63 Networking diagram of configuring BFD-FRR interworking

[Figure: a switch connects to NGFW_A; NGFW_A GE1/0/1 (10.1.1.1/24) connects to NGFW_B GE1/0/1 (10.1.1.2/24), and NGFW_B GE1/0/2 is 192.168.1.1/24; NGFW_A GE1/0/2 (10.1.2.1/24) connects to NGFW_C GE1/0/2 (10.1.2.2/24), and NGFW_C GE1/0/1 is 192.168.2.1/24.]

Configuration Roadmap
NOTE

The following mainly describes FRR- and BFD-related configurations.

The configuration roadmap is as follows:

1. Configure routes to implement the network connection.


2. Specify the backup interface and next hop for the active link.
3. Enable FRR.
4. Configure the static BFD session to detect the active link. In BFD-FRR interworking, traffic
is rapidly switched to the standby link, when the active link is faulty. After the fault of the
active link is rectified, the system automatically switches to the active link.

Procedure
Step 1 Configure NGFW_A.

# Configure the IP prefix list named 1 to match only the default route, so that the backup
outbound interface is configured for that route only.
<NGFW> system-view
[NGFW] sysname NGFW_A
[NGFW_A] ip ip-prefix 1 permit 0.0.0.0 0

# Specify the backup interface and next hop for the active link.
[NGFW_A] route-policy ipfrr permit node 10
[NGFW_A-route-policy] if-match ip next-hop ip-prefix 1
[NGFW_A-route-policy] apply backup-interface GigabitEthernet 1/0/2
[NGFW_A-route-policy] apply backup-nexthop 10.1.2.2
[NGFW_A-route-policy] quit

# Enable FRR.
[NGFW_A] ip frr route-policy ipfrr

# Configure the BFD session between NGFW_A and NGFW_B.


[NGFW_A] bfd
[NGFW_A-bfd] quit
[NGFW_A] bfd ab bind peer-ip 10.1.1.2
[NGFW_A-bfd-session-ab] discriminator local 10
[NGFW_A-bfd-session-ab] discriminator remote 20
[NGFW_A-bfd-session-ab] commit
[NGFW_A-bfd-session-ab] quit

Step 2 Configure NGFW_B.

# Configure the BFD session between NGFW_B and NGFW_A.


<NGFW> system-view
[NGFW] sysname NGFW_B
[NGFW_B] bfd
[NGFW_B-bfd] quit
[NGFW_B] bfd ab bind peer-ip 10.1.1.1
[NGFW_B-bfd-session-ab] discriminator local 20
[NGFW_B-bfd-session-ab] discriminator remote 10
[NGFW_B-bfd-session-ab] commit
[NGFW_B-bfd-session-ab] quit

----End

Configuration Verification
1. Run the display ip routing-table verbose command to display the information about the
backup outbound interface and next hop in the routing table.
<NGFW_A> display ip routing-table verbose

Destination: 0.0.0.0/0
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 10.1.1.2 Neighbour: 0.0.0.0
State: Active Adv GotQ Age: 00h00m06s
Tag: 0 Priority: 0
Label: NULL QoSInfo: 0x0
RelayNextHop: 0.0.0.0 Interface: GigabitEthernet1/0/1
TunnelID: 0x0 Flags: RD
BkNextHop: 10.1.2.2 BkInterface: GigabitEthernet1/0/2
BkLabel: NULL SecTunnelID: 0x0
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0

The previous information shows that GigabitEthernet 1/0/2 serves as a backup interface.
2. Run the display bfd session all command to display the information about the BFD session.
The following uses the information displayed on NGFW_A as an example.
<NGFW_A> display bfd session all
--------------------------------------------------------------------------------
Local  Remote  Peer IP Address  Interface Name  State  Type
--------------------------------------------------------------------------------
10     20      10.1.1.2         --              Up     Static
--------------------------------------------------------------------------------

3. Run the shutdown command to disable interface GigabitEthernet 1/0/1. Then view the
routing table on NGFW_A. The result shows that the outbound interface to 0.0.0.0/0 is
GigabitEthernet1/0/2. In this case, the standby link is used.


4. Run the undo shutdown command to re-enable interface GigabitEthernet 1/0/1. Then view
the routing table on NGFW_A. The result shows that the outbound interface to 0.0.0.0/0 is
GigabitEthernet1/0/1. In this case, the active link recovers.
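A parser for the display ip routing-table verbose output shown in step 1, as an added Python example rather than anything from the guide: it reads each entry into key/value pairs and reports whether a destination has an FRR backup path (BkNextHop and BkInterface), which is the check an operator wants before relying on BFD-FRR switchover. The 0.0.0.0/0 entry is the page's own; the second, 10.1.1.0/24 Direct entry is constructed to show a route without a backup, and the function names are mine.

```python
"""Parse 'display ip routing-table verbose' output and check for FRR backup paths.

Added illustration, not Huawei code. The 0.0.0.0/0 entry below is the one
shown in step 1; the 10.1.1.0/24 Direct entry is constructed to show a route
that has no backup path.
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_VERBOSE = """\
Destination: 0.0.0.0/0
     Protocol: Static          Process ID: 0
   Preference: 60                    Cost: 0
      NextHop: 10.1.1.2         Neighbour: 0.0.0.0
        State: Active Adv GotQ       Age: 00h00m06s
          Tag: 0                 Priority: 0
        Label: NULL               QoSInfo: 0x0
 RelayNextHop: 0.0.0.0          Interface: GigabitEthernet1/0/1
     TunnelID: 0x0                  Flags: RD
    BkNextHop: 10.1.2.2       BkInterface: GigabitEthernet1/0/2
      BkLabel: NULL            SecTunnelID: 0x0
 BkPETunnelID: 0x0        BkPESecTunnelID: 0x0

Destination: 10.1.1.0/24
     Protocol: Direct          Process ID: 0
   Preference: 0                     Cost: 0
      NextHop: 10.1.1.1         Neighbour: 0.0.0.0
        State: Active Adv            Age: 00h00m06s
 RelayNextHop: 0.0.0.0          Interface: GigabitEthernet1/0/1
     TunnelID: 0x0                  Flags: D
    BkNextHop: 0.0.0.0        BkInterface: NULL
"""

# Values printed when no backup path is installed (constructed entry uses them).
NO_BACKUP = {"", "0.0.0.0", "NULL"}


def parse_verbose(text: str) -> List[Dict[str, str]]:
    """Split each entry into 'Key: value' pairs. Two pairs share a line and are
    separated by runs of spaces; a 'Destination:' pair starts a new entry."""
    entries: List[Dict[str, str]] = []
    for line in text.splitlines():
        for column in re.split(r"\s{2,}", line.strip()):
            key, sep, value = column.partition(": ")
            if not sep:
                continue              # blank line or stray text
            if key == "Destination":
                entries.append({})
            if entries:
                entries[-1][key] = value.strip()
    return entries


def has_backup(entry: Dict[str, str]) -> bool:
    return (entry.get("BkNextHop", "") not in NO_BACKUP
            and entry.get("BkInterface", "") not in NO_BACKUP)


def backup_path(entries: List[Dict[str, str]], destination: str) -> Optional[Tuple[str, str]]:
    """(BkNextHop, BkInterface) for a destination, or None when it has no FRR backup."""
    for entry in entries:
        if entry.get("Destination") == destination:
            return (entry["BkNextHop"], entry["BkInterface"]) if has_backup(entry) else None
    return None


def routes_without_backup(entries: List[Dict[str, str]],
                          protocols: Tuple[str, ...] = ("Static",)) -> List[str]:
    """Destinations of the given protocols for which BFD-FRR has nothing to switch to."""
    return [e["Destination"] for e in entries
            if e.get("Protocol") in protocols and not has_backup(e)]


if __name__ == "__main__":
    parsed = parse_verbose(SAMPLE_VERBOSE)
    print(backup_path(parsed, "0.0.0.0/0"))                      # ('10.1.2.2', 'GigabitEthernet1/0/2')
    print(routes_without_backup(parsed, ("Static", "Direct")))   # ['10.1.1.0/24']
```

Run against a live capture, an empty list from routes_without_backup confirms that every static route the route-policy was meant to protect actually received a backup outbound interface; a non-empty list usually means the if-match condition did not match the route.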

Configuration Scripts
- Configuration scripts of NGFW_A
#
sysname NGFW_A
#
bfd
#
ip ip-prefix 1 permit 0.0.0.0 0
#
ip frr route-policy ipfrr
#
route-policy ipfrr permit node 10
if-match ip next-hop ip-prefix 1
apply backup-nexthop 10.1.2.2
apply backup-interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/1
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 10.1.2.1 255.255.255.0
#
bfd ab bind peer-ip 10.1.1.2
discriminator local 10
discriminator remote 20
commit
#
return

- Configuration scripts of NGFW_B
#
sysname NGFW_B
#
bfd
#
interface GigabitEthernet1/0/1
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 192.168.1.1 255.255.255.0
#
bfd ba bind peer-ip 10.1.1.1
discriminator local 20
discriminator remote 10
commit
#
return

6.5.8.4 Example for Configuring BFD-DHCP Interworking


By binding the link where DHCP runs to BFD, you can resolve the problem that the automatically
delivered static route cannot be bound to the BFD session.

Networking Requirements
As shown in Figure 6-64, the router is the gateway of a building. All enterprises in the building
access the Internet through the router. NGFW acts as the gateway of an enterprise in the building.


To ensure network continuity, the enterprise uses the dual-uplink networking. The active link
accesses the Internet through DHCP, that is, NGFW as the DHCP client accesses the Internet
by obtaining the IP address from the DHCP server. The standby link accesses the Internet through
PPPoE.

Because the DHCP client cannot sense link reachability, NGFW by itself cannot switch traffic to
the standby link when the link fails. Interworking with BFD lets NGFW check the availability of
the link where the DHCP client resides, so that service traffic is rapidly switched to the standby
link upon a link fault.

Figure 6-64 Networking diagram of configuring DHCP-BFD interworking

[Figure: intranet PCs connect to the NGFW (DHCP client), whose GE1/0/1 (10.1.1.2/24) connects to the router (DHCP server, 10.1.1.1/24); the BFD session runs between the NGFW and the router, whose upstream side is labelled 8.8.8.2/24 and 8.8.8.1/24; the standby link from the NGFW uses PPPoE.]

Procedure
Step 1 Configure static BFD sessions.
# Configure BFD session 1 with peer IP address 8.8.8.1, local discriminator 10, and remote
discriminator 20.
[NGFW] bfd
[NGFW-bfd] quit
[NGFW] bfd 1 bind peer-ip 8.8.8.1 interface GigabitEthernet 1/0/1 nexthop dhcp
[NGFW-bfd-session-1] discriminator local 10
[NGFW-bfd-session-1] discriminator remote 20
[NGFW-bfd-session-1] commit
[NGFW-bfd-session-1] quit

Step 2 Configure the DHCP-BFD interworking.

# Associate DHCP with the BFD session.


[NGFW] dhcp enable
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] dhcp client enable track bfd-session 10
[NGFW-GigabitEthernet1/0/1] quit

Step 3 Configure the default route.

# Configure the default route with outbound interface Dialer 0 and route priority 255.

NOTE

When the NGFW acts as the DHCP client, the priority of the default route obtained from the DHCP server
is 245. When PPPoE is used for backup access, the priority value of the default route must be larger than
245, because a larger priority value means a lower priority.
[NGFW] ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 255


Step 4 Configure the router.


1. Configure static BFD sessions.
# Configure BFD session 1 with peer IP address 10.1.1.2, local discriminator 20, and remote
discriminator 10.
<Router> system-view
[Router] bfd
[Router-bfd] quit
[Router] bfd 1 bind peer-ip 10.1.1.2
[Router-bfd-session-1] discriminator local 20
[Router-bfd-session-1] discriminator remote 10
[Router-bfd-session-1] commit
[Router-bfd-session-1] quit

2. Configure a static route with destination IP address 10.1.1.0/24 and next hop 8.8.8.2 to
NGFW.
[Router] ip route-static 10.1.1.0 255.255.255.0 8.8.8.2

----End

Configuration Verification
1. When the active link is reachable, access packets are forwarded by NGFW to the active
link.
# Run the display bfd session all command. You can view that BFD sessions are created
and they are in Up state. The following uses the information displayed on NGFW as an
example.
[NGFW] display bfd session all
--------------------------------------------------------------------------------
Local  Remote  Peer IP Address  Interface Name        State  Type
--------------------------------------------------------------------------------
10     20      8.8.8.1          GigabitEthernet1/0/1  Up     Static
--------------------------------------------------------------------------------

# Run the display ip routing-table command on NGFW. You can view that the default
route to NGFW is the gateway address obtained through the DHCP server and the route
priority is 245.
[NGFW] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 7        Routes : 7

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  245  0          RD   10.1.1.1        GigabitEthernet1/0/1

2. When the active link is faulty, NGFW switches the traffic to the standby link.
# Run the display bfd session all command. You can view that the status of the BFD session
is Down. The following uses the information displayed on NGFW as an example.
[NGFW] display bfd session all
--------------------------------------------------------------------------------
Local  Remote  Peer IP Address  Interface Name        State  Type
--------------------------------------------------------------------------------
10     20      8.8.8.1          GigabitEthernet1/0/1  Down   Static
--------------------------------------------------------------------------------

# Run the display ip routing-table command. You can view that the default route obtained
through the DHCP server is deleted and the backup default route with outbound interface
Dialer 0 is loaded to the routing table.
[NGFW] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  255  0           D   0.0.0.0         Dialer0

3. When the active link recovers, run the display bfd session all command on NGFW. You
can view that the status of the BFD session turns to Up. Run the display ip routing-
table command. You can view that the default route to NGFW obtained through the DHCP
server is re-loaded to the routing table.
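Detection logic over the display bfd session all snapshots shown above, as an added Python example (not from the guide): it parses the session table, reports Up/Down transitions between two snapshots, and derives which default route the NGFW should be holding under the preference rules stated in Step 3 (245 for the DHCP route while the session tracked by local discriminator 10 is Up, 255 for Dialer 0 otherwise). The sample snapshots are the page's two outputs; the function names and the returned interface strings are my own.

```python
"""Detection over 'display bfd session all' snapshots for the DHCP-BFD example.

Added illustration, not Huawei code. The two snapshots are the Up and Down
outputs shown in the verification above; function names are my own.
"""
import re
from typing import List, NamedTuple, Tuple

SNAPSHOT_UP = """\
--------------------------------------------------------------------------------
Local  Remote  Peer IP Address  Interface Name        State  Type
--------------------------------------------------------------------------------
10     20      8.8.8.1          GigabitEthernet1/0/1  Up     Static
--------------------------------------------------------------------------------
"""

# Same table after the active link fails (page's second output).
SNAPSHOT_DOWN = SNAPSHOT_UP.replace("  Up     Static", "  Down   Static")


class BfdSession(NamedTuple):
    local: int
    remote: int
    peer: str
    interface: str   # "--" when the session is not bound to an interface
    state: str
    type: str


# One data row: local, remote, peer IP, interface (or --), state, type.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_bfd_sessions(text: str) -> List[BfdSession]:
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:                         # header and separator lines do not match
            local, remote, peer, ifc, state, typ = m.groups()
            sessions.append(BfdSession(int(local), int(remote), peer, ifc, state, typ))
    return sessions


def session_state(sessions: List[BfdSession], local_discriminator: int) -> str:
    for s in sessions:
        if s.local == local_discriminator:
            return s.state
    return "Absent"


def expected_default_route(sessions: List[BfdSession]) -> Tuple[str, int]:
    """Which default route the NGFW should hold, following Step 3: the DHCP
    route (preference 245) while the session tracked by
    'dhcp client enable track bfd-session 10' is Up, else Dialer 0 (255)."""
    if session_state(sessions, 10) == "Up":
        return ("GigabitEthernet1/0/1", 245)
    return ("Dialer0", 255)


def transitions(before: List[BfdSession],
                after: List[BfdSession]) -> List[Tuple[int, int, str, str, str]]:
    """(local, remote, peer, old state, new state) for every session whose state
    differs between two snapshots; a session new in 'after' shows 'Absent'."""
    previous = {(s.local, s.remote, s.peer): s.state for s in before}
    events = []
    for s in after:
        old = previous.get((s.local, s.remote, s.peer), "Absent")
        if old != s.state:
            events.append((s.local, s.remote, s.peer, old, s.state))
    return events


if __name__ == "__main__":
    up, down = parse_bfd_sessions(SNAPSHOT_UP), parse_bfd_sessions(SNAPSHOT_DOWN)
    print(transitions(up, down))          # [(10, 20, '8.8.8.1', 'Up', 'Down')]
    print(expected_default_route(down))   # ('Dialer0', 255)
```

Polling the table this way and alerting on transitions gives a record of every failover and recovery; comparing expected_default_route with the live display ip routing-table output catches the case where the session is Down but the DHCP route was not withdrawn.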

Configuration Scripts
- Configuration scripts of NGFW
#
sysname NGFW
#
bfd
#
interface GigabitEthernet1/0/1
dhcp client enable track bfd-session 10
#
bfd 1 bind peer-ip 8.8.8.1 interface GigabitEthernet1/0/1 nexthop dhcp
discriminator local 10
discriminator remote 20
commit
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 0 preference 255
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1 preference 245 track bfd-session 1
#
return

- Configuration scripts of the router
#
sysname Router
#
bfd
#
interface GigabitEthernet1/0/1
ip address 8.8.8.1 255.255.255.0
#
bfd 1 bind peer-ip 10.1.1.2
discriminator local 20
discriminator remote 10
commit
#
ip route-static 10.1.1.0 255.255.255.0 8.8.8.2
#
return

6.5.8.5 Example for Configuring BFD-PBR Interworking


By binding the specified PBR to the BFD session, you can adjust the PBR dynamically according
to the network status.

Networking Requirements
As shown in Figure 6-65, an enterprise has departments A and B. Departments A and B, acting
as service departments, generate heavy traffic and require different links for traffic balancing.
In addition, the departments require high stability and service continuity.

To meet their requirements, the enterprise has two links (ISP1 and ISP2) to access the Internet.
The two links share the traffic and can back up for each other to ensure service continuity.

The requirements are as follows:

- Department A resides on network segment 10.1.0.0/16 and its packets pass through link
ISP1 in normal cases.
- Department B resides on network segment 10.2.0.0/16 and its packets pass through link
ISP2 in normal cases.
- The links of departments A and B are mutually backed up. When the link (active link) of
a department is faulty, traffic is switched to the link (standby link) of the other department.

Figure 6-65 Networking diagram of configuring interworking between PBR and BFD

[Figure: department A PCs (10.1.0.1/16) connect to NGFW GE1/0/1 and department B PCs (10.2.0.1/16) to NGFW GE1/0/2; NGFW GE1/0/3 (1.1.2.2/24) connects to Router_A (1.1.2.1/24) on ISP1, monitored by BFD session 1; NGFW GE1/0/4 (1.1.3.2/24) connects to Router_B (1.1.3.1/24) on ISP2, monitored by BFD session 2.]

Configuration Roadmap
NOTE

This example describes only PBR-related configurations, but not configurations (such as NAT and route
reachability among Router_A, Router_B, and NGFW) required by the NGFW for providing Internet access.

The configuration roadmap is as follows:


1. To balance traffic on different links, configure the PBR based on source IP addresses, so
that packets from department A pass through ISP1 and those from department B pass
through ISP2.
2. To ensure the continuity and mutual backup of links at which departments A and B reside,
perform the following:
a. Configure static BFD sessions respectively on the NGFW, Router_A, and Router_B
to detect the link connectivity between the NGFW and Router_A, and between the
NGFW and Router_B.
b. Configure the interworking between PBR and BFD. BFD monitors the availability of
the active links of departments A and B. When the active links are faulty, PBR becomes
invalid. The device searches for standby routes to ensure service continuity.
c. Configure static routes from department A to link ISP2 and from department B to link
ISP1 as the backup routes of departments A and B. Moreover, configure static routes
to interwork with BFD. BFD monitors the availability of the standby links of
departments A and B.

Procedure
Step 1 Configure the NGFW.
1. Configure static BFD sessions.

# Configure BFD session 1 with peer IP address 1.1.2.1, local discriminator 10, and remote
discriminator 20.
[NGFW] bfd
[NGFW-bfd] quit
[NGFW] bfd 1 bind peer-ip 1.1.2.1
[NGFW-bfd-session-1] discriminator local 10
[NGFW-bfd-session-1] discriminator remote 20
[NGFW-bfd-session-1] commit
[NGFW-bfd-session-1] quit

# Configure BFD session 2 with peer IP address 1.1.3.1, local discriminator 30, and remote
discriminator 40.
[NGFW] bfd 2 bind peer-ip 1.1.3.1
[NGFW-bfd-session-2] discriminator local 30
[NGFW-bfd-session-2] discriminator remote 40
[NGFW-bfd-session-2] commit
[NGFW-bfd-session-2] quit

2. Configure PBRs and associate them with BFD sessions.

# Configure rule A_1, so that packets sent from 10.1.0.0/16 to 10.2.0.0/16 are not policy-routed.
[NGFW] policy-based-route
[NGFW-policy-pbr] rule name A_1
[NGFW-policy-pbr-rule-A_1] ingress-interface GigabitEthernet 1/0/4
[NGFW-policy-pbr-rule-A_1] source-address 10.1.0.0 16
[NGFW-policy-pbr-rule-A_1] destination-address 10.2.0.0 16
[NGFW-policy-pbr-rule-A_1] action no-pbr
[NGFW-policy-pbr-rule-A_1] quit

# Configure rule A_2, so that packets sent from 10.1.0.0/16 are sent to next-hop 1.1.2.1.
[NGFW-policy-pbr] rule name A_2
[NGFW-policy-pbr-rule-A_2] ingress-interface GigabitEthernet 1/0/4
[NGFW-policy-pbr-rule-A_2] source-address 10.1.0.0 16
[NGFW-policy-pbr-rule-A_2] action pbr next-hop 1.1.2.1


# Configure rule A_2 to interwork with BFD session 1.
[NGFW-policy-pbr-rule-A_2] track bfd-session 10
[NGFW-policy-pbr-rule-A_2] quit

# Configure rule B_1, so that packets sent from 10.2.0.0/16 to 10.1.0.0/16 are not policy-routed.
[NGFW] policy-based-route
[NGFW-policy-pbr] rule name B_1
[NGFW-policy-pbr-rule-B_1] ingress-interface GigabitEthernet 1/0/1
[NGFW-policy-pbr-rule-B_1] source-address 10.2.0.0 16
[NGFW-policy-pbr-rule-B_1] destination-address 10.1.0.0 16
[NGFW-policy-pbr-rule-B_1] action no-pbr
[NGFW-policy-pbr-rule-B_1] quit

# Configure rule B_2, so that packets sent from 10.2.0.0/16 are sent to next-hop 1.1.3.1.
[NGFW-policy-pbr] rule name B_2
[NGFW-policy-pbr-rule-B_2] ingress-interface GigabitEthernet 1/0/1
[NGFW-policy-pbr-rule-B_2] source-address 10.2.0.0 16
[NGFW-policy-pbr-rule-B_2] action pbr next-hop 1.1.3.1

# Configure rule B_2 to interwork with BFD session 2.
[NGFW-policy-pbr-rule-B_2] track bfd-session 30
[NGFW-policy-pbr-rule-B_2] quit

3. Configure default routes and associate them with BFD sessions.

# Configure a default route, set the next hop to 1.1.2.1/24, and associate the route with BFD
session 1.
[NGFW] ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 track bfd-session 1

# Configure a default route, set the next hop to 1.1.3.1/24, and associate the route with BFD
session 2.
[NGFW] ip route-static 0.0.0.0 0.0.0.0 1.1.3.1 track bfd-session 2

Step 2 Create BFD session 1 on Router_A.

# Configure BFD session 1 with peer IP address 1.1.2.2, local discriminator 20, and remote
discriminator 10.
<Router_A> system-view
[Router_A] bfd
[Router_A-bfd] quit
[Router_A] bfd 1 bind peer-ip 1.1.2.2
[Router_A-bfd-session-1] discriminator local 20
[Router_A-bfd-session-1] discriminator remote 10
[Router_A-bfd-session-1] commit
[Router_A-bfd-session-1] quit

Step 3 Create BFD session 2 on Router_B.

# Configure BFD session 2 with peer IP address 1.1.3.2, local discriminator 40, and remote
discriminator 30.
<Router_B> system-view
[Router_B] bfd
[Router_B-bfd] quit
[Router_B] bfd 2 bind peer-ip 1.1.3.2
[Router_B-bfd-session-2] discriminator local 40
[Router_B-bfd-session-2] discriminator remote 30
[Router_B-bfd-session-2] commit
[Router_B-bfd-session-2] quit

----End

Configuration Verification
1. When active links are reachable, packets from department A are forwarded by the
NGFW to ISP1, and those from department B are forwarded by the NGFW to ISP2.
# Run the display bfd session all command. You can view that BFD sessions are created
and they are in Up state.
[NGFW] display bfd session all
--------------------------------------------------------------------------------
Local  Remote  Peer IP Address  Interface Name  State  Type
--------------------------------------------------------------------------------
10     20      1.1.2.1          --              Up     Static
30     40      1.1.3.1          --              Up     Static
--------------------------------------------------------------------------------

# Run the ping 1.1.2.1 command in department A. The ping succeeds. Then run the ping
1.1.3.1 command. The ping fails.
C:\Documents and Settings\DepartA>ping 1.1.2.1

Pinging 1.1.2.1 with 32 bytes of data:

Reply from 1.1.2.1: bytes=32 time=9ms TTL=254
Reply from 1.1.2.1: bytes=32 time=2ms TTL=254
Reply from 1.1.2.1: bytes=32 time=2ms TTL=254
Reply from 1.1.2.1: bytes=32 time=5ms TTL=254

Ping statistics for 1.1.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 9ms, Average = 4ms

C:\Documents and Settings\DepartA>ping 1.1.3.1

Pinging 1.1.3.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 1.1.3.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

# Run the ping 1.1.3.1 command in department B. The ping succeeds. Then run the ping
1.1.2.1 command. The ping fails.
C:\Documents and Settings\DepartB>ping 1.1.3.1

Pinging 1.1.3.1 with 32 bytes of data:

Reply from 1.1.3.1: bytes=32 time=2ms TTL=254
Reply from 1.1.3.1: bytes=32 time=1ms TTL=254
Reply from 1.1.3.1: bytes=32 time=1ms TTL=254
Reply from 1.1.3.1: bytes=32 time=2ms TTL=254

Ping statistics for 1.1.3.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Documents and Settings\DepartB>ping 1.1.2.1

Pinging 1.1.2.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 1.1.2.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

2. When the active link is faulty, the NGFW searches for the standby route and forwards the
packets of departments to the corresponding standby link. The following uses active link
ISP1 of department A as an example.
# Run the display bfd session all command. The status of BFD session 1 of the link where
department A resides is Down.
[NGFW] display bfd session all
--------------------------------------------------------------------------------
Local  Remote  Peer IP Address  Interface Name  State  Type
--------------------------------------------------------------------------------
10     20      1.1.2.1          --              Down   Static
30     40      1.1.3.1          --              Up     Static
--------------------------------------------------------------------------------

# Run the ping 1.1.2.1 command in department A. The ping fails. Then run the ping
1.1.3.1 command. The ping succeeds.
C:\Documents and Settings\DepartA>ping 1.1.3.1

Pinging 1.1.3.1 with 32 bytes of data:

Reply from 1.1.3.1: bytes=32 time=2ms TTL=254
Reply from 1.1.3.1: bytes=32 time=1ms TTL=254
Reply from 1.1.3.1: bytes=32 time=1ms TTL=254
Reply from 1.1.3.1: bytes=32 time=2ms TTL=254

Ping statistics for 1.1.3.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Documents and Settings\DepartA>ping 1.1.2.1

Pinging 1.1.2.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 1.1.2.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),


3. When the active links recover, the NGFW forwards all packets over the active links again.
The following uses active link ISP1 of department A as an example.
# Run the display bfd session all command. The status of the BFD session of the link where
department A resides is Up.
[NGFW] display bfd session all
--------------------------------------------------------------------------------
Local  Remote  Peer IP Address  Interface Name  State  Type
--------------------------------------------------------------------------------
10     20      1.1.2.1          --              Up     Static
30     40      1.1.3.1          --              Up     Static
--------------------------------------------------------------------------------

# Run the ping 1.1.2.1 command in department A. The ping succeeds. Then run the ping
1.1.3.1 command. The ping fails.
C:\Documents and Settings\DepartA>ping 1.1.2.1

Pinging 1.1.2.1 with 32 bytes of data:

Reply from 1.1.2.1: bytes=32 time=2ms TTL=254
Reply from 1.1.2.1: bytes=32 time=1ms TTL=254
Reply from 1.1.2.1: bytes=32 time=1ms TTL=254
Reply from 1.1.2.1: bytes=32 time=2ms TTL=254

Ping statistics for 1.1.2.1:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Documents and Settings\DepartA>ping 1.1.3.1

Pinging 1.1.3.1 with 32 bytes of data:

Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 1.1.3.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

4. Departments A and B can communicate with each other. In the following example, the user
in department A pings that in department B.
C:\Documents and Settings\DepartA>ping 10.2.0.111

Pinging 10.2.0.111 with 32 bytes of data:

Reply from 10.2.0.111: bytes=32 time=2ms TTL=127
Reply from 10.2.0.111: bytes=32 time=1ms TTL=127
Reply from 10.2.0.111: bytes=32 time=1ms TTL=127
Reply from 10.2.0.111: bytes=32 time=2ms TTL=127

Ping statistics for 10.2.0.111:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 1ms, Maximum = 2ms, Average = 1ms


Configuration Scripts
l Configuration scripts of NGFW
#
sysname NGFW
#
bfd
#
interface GigabitEthernet1/0/1
ip address 10.1.0.1 255.255.0.0
#
interface GigabitEthernet1/0/2
ip address 10.2.0.1 255.255.0.0
#
interface GigabitEthernet1/0/3
ip address 1.1.2.2 255.255.255.0
#
interface GigabitEthernet1/0/4
ip address 1.1.3.2 255.255.255.0
#
bfd 1 bind peer-ip 1.1.2.1
discriminator local 10
discriminator remote 20
commit
#
bfd 2 bind peer-ip 1.1.3.1
discriminator local 30
discriminator remote 40
commit
#
ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 track bfd-session 1
ip route-static 0.0.0.0 0.0.0.0 1.1.3.1 track bfd-session 2
#
policy-based-route
rule name A_1
ingress-interface GigabitEthernet1/0/1
source-address 10.1.0.0 16
destination-address 10.2.0.0 16
action no-pbr
rule name A_2
ingress-interface GigabitEthernet1/0/1
source-address 10.1.0.0 16
track bfd-session 10
action pbr next-hop 1.1.2.1
rule name B_1
ingress-interface GigabitEthernet1/0/2
source-address 10.2.0.0 16
destination-address 10.1.0.0 16
action no-pbr
rule name B_2
ingress-interface GigabitEthernet1/0/2
source-address 10.2.0.0 16
track bfd-session 30
action pbr next-hop 1.1.3.1
#
return
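To make the failover behaviour verified in steps 2 and 3 checkable from device output, here is an added Python model (not Huawei code) that parses a display bfd session all listing like the one shown above and replays the PBR rules and BFD-tracked default routes of the NGFW script to decide which next hop department traffic takes. The session listing is a constructed copy of the one in step 2, and the PBR-first, routing-table-second order is a simplification of the NGFW forwarding flow as the procedure describes it.

```python
"""Model of the BFD-tracked PBR/static-route failover configured on the NGFW above.

Added example, not Huawei code. The session listing and rule set are constructed
from the configuration script in this section; the selection logic is a
simplification of the forwarding flow (PBR first, then the routing table).
"""
import ipaddress
import re

# Constructed: `display bfd session all` output in the layout shown in step 2,
# with session 10 Down while the active link ISP1 of department A is faulty.
BFD_OUTPUT_LINK1_DOWN = """\
--------------------------------------------------------------------------------
Local  Remote  Peer IP Address  Interface Name  State  Type
--------------------------------------------------------------------------------
10     20      1.1.2.1          --              Down   Static
30     40      1.1.3.1          --              Up     Static
--------------------------------------------------------------------------------
"""

ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(Up|Down)\s+(\S+)\s*$")


def parse_bfd_sessions(output):
    """Return {local discriminator: state} from `display bfd session all` text."""
    sessions = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            sessions[int(m.group(1))] = m.group(5)
    return sessions


# The NGFW script reduced to the fields the decision needs. Static default routes
# are tracked by BFD session name; the name maps to the local discriminator that
# `display bfd session all` prints (bfd 1 -> 10, bfd 2 -> 30).
BFD_SESSION_LOCAL_DISC = {"1": 10, "2": 30}
STATIC_DEFAULT_ROUTES = [  # (next hop, tracked session name), in configuration order
    ("1.1.2.1", "1"),
    ("1.1.3.1", "2"),
]
# policy-based-route rules in order: (name, ingress, source, destination, track disc, action)
PBR_RULES = [
    ("A_1", "GigabitEthernet1/0/1", "10.1.0.0/16", "10.2.0.0/16", None, "no-pbr"),
    ("A_2", "GigabitEthernet1/0/1", "10.1.0.0/16", None, 10, "1.1.2.1"),
    ("B_1", "GigabitEthernet1/0/2", "10.2.0.0/16", "10.1.0.0/16", None, "no-pbr"),
    ("B_2", "GigabitEthernet1/0/2", "10.2.0.0/16", None, 30, "1.1.3.1"),
]
CONNECTED = {"10.1.0.0/16": "GigabitEthernet1/0/1", "10.2.0.0/16": "GigabitEthernet1/0/2"}


def _in(addr, net):
    """True when `net` is unset (rule does not filter on it) or contains `addr`."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def select_next_hop(ingress, src, dst, sessions):
    """Return the next hop (or connected egress interface) used for one packet.

    PBR is evaluated first. A tracked pbr rule takes effect only while its BFD
    session is Up; when the matched rule's session is Down the model falls back
    to the routing table, as the procedure describes. There a connected route
    wins, and a default route is usable only while its tracked session is Up.
    Returns None when no usable route remains.
    """
    for _name, rule_if, rule_src, rule_dst, disc, action in PBR_RULES:
        if rule_if != ingress or not _in(src, rule_src) or not _in(dst, rule_dst):
            continue
        if action == "no-pbr":
            break                       # first match is final: use the routing table
        if sessions.get(disc) == "Up":
            return action               # pbr next-hop applies
        break                           # matched, but the tracked link is down
    for net, iface in CONNECTED.items():
        if _in(dst, net):
            return iface
    for next_hop, name in STATIC_DEFAULT_ROUTES:
        if sessions.get(BFD_SESSION_LOCAL_DISC[name]) == "Up":
            return next_hop
    return None


if __name__ == "__main__":
    state = parse_bfd_sessions(BFD_OUTPUT_LINK1_DOWN)
    print(state)
    # Department A Internet-bound traffic is steered to the standby link while 10 is Down.
    print(select_next_hop("GigabitEthernet1/0/1", "10.1.0.10", "203.0.113.10", state))
```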

l Configuration scripts of Router_A


#
sysname Router_A
#
bfd
#
bfd 1 bind peer-ip 1.1.2.2
discriminator local 20
discriminator remote 10
commit
#
return

l Configuration scripts of Router_B


#
sysname Router_B
#
bfd
#
bfd 2 bind peer-ip 1.1.3.2
discriminator local 40
discriminator remote 30
commit
#
return

6.5.8.6 Example for Configuring the Interworking Between BFD and Hot Standby
This example for configuring the interworking between BFD and Hot Standby is based on the
example for configuring active/standby mode.

Network Requirements
The NGFW is deployed on the service node as a security device. Upstream and downstream
devices are routers. NGFW_A and NGFW_B work in active/standby mode.

Figure 6-66 shows the networking diagram. The detailed description is as follows:

l OSPF runs among the router and the two NGFWs. The router sends service packets to
the active NGFW according to the route calculation result.
l The NGFWs monitor the network egress through the interworking between BFD and
Hot Standby. When the network egress on the link where NGFW_A resides goes down,
NGFW_B switches to the active device and service packets are sent to NGFW_B.


Figure 6-66 Networking diagram of the example for configuring the interworking between BFD
and Hot Standby

[Figure: network 192.168.1.0/24 connects to NGFW_A (GE1/0/1, 10.100.10.2/24) and NGFW_B
(GE1/0/1, 10.100.20.2/24). NGFW_A GE1/0/3 (10.100.30.2/24) connects to Router_A (1.1.1.2);
NGFW_B GE1/0/3 (10.100.40.2/24) connects to Router_B (2.2.2.2). GE1/0/2 of NGFW_A
(10.100.50.2/24) and GE1/0/2 of NGFW_B (10.100.50.3/24) form the HRP backup channel.
BFD sessions are established between the NGFWs and the routers.]

Procedure
Step 1 Configure the Hot Standby function on NGFW_A.

# Set an IP address for GigabitEthernet 1/0/1.


<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.100.10.2 24
[NGFW_A-GigabitEthernet1/0/1] quit

# Add GigabitEthernet 1/0/1 to the Trust zone.


[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-trust] quit

# Set an IP address for GigabitEthernet 1/0/3.


[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.100.30.2 24
[NGFW_A-GigabitEthernet1/0/3] quit

# Add GigabitEthernet 1/0/3 to the Untrust zone.


[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface GigabitEthernet 1/0/3
[NGFW_A-zone-untrust] quit

# Set an IP address for GigabitEthernet 1/0/2.


[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] ip address 10.100.50.2 24
[NGFW_A-GigabitEthernet1/0/2] quit

# Add GigabitEthernet 1/0/2 to the DMZ zone.


[NGFW_A] firewall zone dmz
[NGFW_A-zone-dmz] add interface GigabitEthernet 1/0/2
[NGFW_A-zone-dmz] quit

# Run the OSPF dynamic routing protocol on NGFW_A.


[NGFW_A] ospf 101
[NGFW_A-ospf-101] area 0
[NGFW_A-ospf-101-area-0.0.0.0] network 10.100.10.0 0.0.0.255
[NGFW_A-ospf-101-area-0.0.0.0] network 10.100.30.0 0.0.0.255
[NGFW_A-ospf-101-area-0.0.0.0] quit

# Enable the function of adjusting the related cost value of OSPF according to the HRP status.

NOTICE
When the NGFW is deployed on the OSPF network to work in dual-system hot backup mode,
this command must be configured.

[NGFW_A] hrp ospf-cost adjust-enable

# Configure the active management group to monitor the status of interfaces in the interface
view.
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] hrp track active
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] hrp track active
[NGFW_A-GigabitEthernet1/0/3] quit

# Configure an HRP backup channel.


[NGFW_A] hrp interface GigabitEthernet 1/0/2

# Enable the session fast backup function.


[NGFW_A] hrp mirror session enable

# Enable HRP.
[NGFW_A] hrp enable

Step 2 Configure the Hot Standby function on NGFW_B.


The configuration on NGFW_B is similar to that on NGFW_A. The differences are as
follows:
l The IP addresses of the interfaces on NGFW_B should be different from those on
NGFW_A; moreover, the service interfaces of NGFW_B and the corresponding service
interfaces of NGFW_A should not be on the same network segment.
l When OSPF is configured on NGFW_B, the route to the network segment directly connected
to the service interface on NGFW_B should be advertised.
l When hrp track is configured on the service interfaces of NGFW_B, hrp track standby
should be used, corresponding to the hrp track active of the active management group on
NGFW_A.
Step 3 Configure OSPF on the router. For detailed configuration commands, refer to documents related
to the router.
Step 4 Configure security policy to ensure that the users on network segment 192.168.1.0/24 can access
the Untrust zone.
The security policy configured on NGFW_A is automatically backed up to NGFW_B.
HRP_A[NGFW_A] security-policy
HRP_A[NGFW_A-policy-security] rule name ha


HRP_A[NGFW_A-policy-security-rule-ha] source-zone trust
HRP_A[NGFW_A-policy-security-rule-ha] destination-zone untrust
HRP_A[NGFW_A-policy-security-rule-ha] source-address 192.168.1.0 24
HRP_A[NGFW_A-policy-security-rule-ha] action permit

Step 5 Configure BFD sessions on NGFW_A and Router_A.

# Configure BFD session 1 with peer IP address 1.1.1.2, local discriminator 10, and remote
discriminator 20 on NGFW_A.
HRP_A[NGFW_A] bfd
HRP_A[NGFW_A-bfd] quit
HRP_A[NGFW_A] bfd 1 bind peer-ip 1.1.1.2
HRP_A[NGFW_A-bfd-session-1] discriminator local 10
HRP_A[NGFW_A-bfd-session-1] discriminator remote 20
HRP_A[NGFW_A-bfd-session-1] commit
HRP_A[NGFW_A-bfd-session-1] quit

# Configure BFD session 1 with peer IP address 10.100.30.2, local discriminator 20, and remote
discriminator 10 on Router_A.
<Router_A> system-view
[Router_A] bfd
[Router_A-bfd] quit
[Router_A] bfd 1 bind peer-ip 10.100.30.2
[Router_A-bfd-session-1] discriminator local 20
[Router_A-bfd-session-1] discriminator remote 10
[Router_A-bfd-session-1] commit
[Router_A-bfd-session-1] quit

Step 6 Configure the interworking between BFD and Hot Standby on NGFW_A.
HRP_A[NGFW_A] hrp track bfd-session 10 active

Step 7 Configure BFD sessions on NGFW_B and Router_B.

# Configure BFD session 1 with peer IP address 2.2.2.2, local discriminator 10, and remote
discriminator 20 on NGFW_B.
HRP_S[NGFW_B] bfd
HRP_S[NGFW_B-bfd] quit
HRP_S[NGFW_B] bfd 1 bind peer-ip 2.2.2.2
HRP_S[NGFW_B-bfd-session-1] discriminator local 10
HRP_S[NGFW_B-bfd-session-1] discriminator remote 20
HRP_S[NGFW_B-bfd-session-1] commit
HRP_S[NGFW_B-bfd-session-1] quit

# Configure BFD session 1 with peer IP address 10.100.40.2, local discriminator 20, and remote
discriminator 10 on Router_B.
<Router_B> system-view
[Router_B] bfd
[Router_B-bfd] quit
[Router_B] bfd 1 bind peer-ip 10.100.40.2
[Router_B-bfd-session-1] discriminator local 20
[Router_B-bfd-session-1] discriminator remote 10
[Router_B-bfd-session-1] commit
[Router_B-bfd-session-1] quit

Step 8 Configure the interworking between BFD and Hot Standby on NGFW_B.
HRP_S[NGFW_B] hrp track bfd-session 10 standby

----End


Configuration Script
Configuration script of NGFW_A:
#
sysname NGFW_A
#
bfd
#
hrp enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/2
hrp track bfd-session 10 active
#
interface GigabitEthernet 1/0/1
ip address 10.100.10.2 255.255.255.0
hrp track active
#
interface GigabitEthernet 1/0/2
ip address 10.100.50.2 255.255.255.0
#
interface GigabitEthernet 1/0/3
ip address 10.100.30.2 255.255.255.0
hrp track active
#
firewall zone trust
add interface GigabitEthernet 1/0/1
#
firewall zone dmz
add interface GigabitEthernet 1/0/2
#
firewall zone untrust
add interface GigabitEthernet 1/0/3
#
bfd 1 bind peer-ip 1.1.1.2
discriminator local 10
discriminator remote 20
commit
#
ospf 101
area 0.0.0.0
network 10.100.10.0 0.0.0.255
network 10.100.30.0 0.0.0.255
#
security-policy
rule name ha
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
action permit
#
return

Configuration script of NGFW_B:


#
sysname NGFW_B
#
bfd
#
hrp enable
hrp ospf-cost adjust-enable
hrp interface GigabitEthernet 1/0/2
hrp track bfd-session 10 standby
#
interface GigabitEthernet 1/0/1
ip address 10.100.40.2 255.255.255.0
hrp track standby
#
interface GigabitEthernet 1/0/2
ip address 10.100.50.3 255.255.255.0
#
interface GigabitEthernet 1/0/3
ip address 10.100.20.2 255.255.255.0
hrp track standby
#
firewall zone trust
add interface GigabitEthernet 1/0/1
#
firewall zone dmz
add interface GigabitEthernet 1/0/2
#
firewall zone untrust
add interface GigabitEthernet 1/0/3
#
bfd 1 bind peer-ip 2.2.2.2
discriminator local 10
discriminator remote 20
commit
#
ospf 101
area 0.0.0.0
network 10.100.20.0 0.0.0.255
network 10.100.40.0 0.0.0.255
#
security-policy
rule name ha
source-zone trust
destination-zone untrust
source-address 192.168.1.0 24
action permit
#
return
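As an added check over the scripts in this example (not Huawei code), the following Python parses the bfd and hrp track lines of a configuration script and verifies that the discriminators are mirrored between an NGFW and its router and that hrp track bfd-session names a configured local discriminator. The script texts are constructed copies of the NGFW_A and Router_A configuration shown in this section; the function works the same way for the NGFW_B and Router_B pair.

```python
"""Consistency check for the BFD / hot standby configuration scripts above.

Added example, not Huawei code. It catches the two mistakes that silently leave
a BFD session Down or untracked: discriminators that are not mirrored between the
two ends, and an `hrp track bfd-session` that names a discriminator no local
session uses.
"""
import re

# Constructed from the NGFW_A configuration script in this section.
NGFW_A_SCRIPT = """\
sysname NGFW_A
#
bfd
#
hrp enable
hrp track bfd-session 10 active
#
bfd 1 bind peer-ip 1.1.1.2
discriminator local 10
discriminator remote 20
commit
#
return
"""

# Constructed from the Router_A commands in Step 5 of the procedure.
ROUTER_A_SCRIPT = """\
sysname Router_A
#
bfd
#
bfd 1 bind peer-ip 10.100.30.2
discriminator local 20
discriminator remote 10
commit
#
return
"""


def parse_script(text):
    """Return (hostname, sessions, tracked) from a configuration script.

    sessions: {session name: {"peer": ip, "local": int, "remote": int}}
    tracked:  {local discriminator: "active" | "standby"} from hrp track bfd-session
    """
    hostname, sessions, tracked, current = None, {}, {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"sysname (\S+)$", line):
            hostname = m.group(1)
        elif m := re.match(r"bfd (\S+) bind peer-ip (\S+)$", line):
            current = sessions.setdefault(m.group(1), {"peer": m.group(2)})
        elif m := re.match(r"discriminator (local|remote) (\d+)$", line):
            if current is not None:          # discriminators belong to the open session view
                current[m.group(1)] = int(m.group(2))
        elif m := re.match(r"hrp track bfd-session (\d+) (active|standby)$", line):
            tracked[int(m.group(1))] = m.group(2)
        elif line == "#":                    # a section separator closes the session view
            current = None
    return hostname, sessions, tracked


def check_pair(script_a, script_b):
    """Return the problems found between the two ends of the BFD sessions (empty if none)."""
    host_a, sess_a, tracked_a = parse_script(script_a)
    host_b, sess_b, _ = parse_script(script_b)
    problems = []
    by_local_b = {s.get("local"): s for s in sess_b.values()}
    for name, s in sess_a.items():
        peer = by_local_b.get(s.get("remote"))
        if peer is None:
            problems.append(f"{host_a} session {name}: remote discriminator {s.get('remote')} "
                            f"is not a local discriminator on {host_b}")
        elif peer.get("remote") != s.get("local"):
            problems.append(f"{host_a} session {name}: {host_b} expects remote "
                            f"{peer.get('remote')}, but local discriminator is {s.get('local')}")
    for disc in tracked_a:
        if all(s.get("local") != disc for s in sess_a.values()):
            problems.append(f"{host_a}: hrp track bfd-session {disc} matches no local discriminator")
    return problems


if __name__ == "__main__":
    print(check_pair(NGFW_A_SCRIPT, ROUTER_A_SCRIPT) or "NGFW_A <-> Router_A: consistent")
```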

6.5.9 Feature Reference


This section provides reference information about BFD.

6.5.9.1 Feature History


This section describes the versions and changes in the BFD feature.

Version Change Description

V100R001C00 The first version.

6.5.9.2 Reference Standards and Protocols


This section provides the standards and protocols related to BFD for reference.

Standards and protocols of BFD are as follows:

l RFC 5880: Bidirectional Forwarding Detection (BFD)
l RFC 5881: Bidirectional Forwarding Detection (BFD) for IPv4 and IPv6 (One Hop)
l RFC 5882: Generic Application of Bidirectional Forwarding Detection (BFD)
l RFC 5883: Bidirectional Forwarding Detection (BFD) for Multihop Paths


7 Virtual System

7.1 Overview
A virtual system is a logical device created on a physical device. Virtual systems are independent
from each other.

An NGFW can be logically divided into multiple virtual systems. Each virtual system has its
own resources and configurations, such as interfaces, address sets, users and user groups,
routing tables, and policies, and provides the same functions as a physical system.

Virtual systems have the following features:

l Each virtual system has its own administrators and can be managed independently. With
virtual systems, a large network can be divided into smaller subnets with each being served
by a virtual system, simplifying the network management.
l Each virtual system has its own configurations and routing table so that networks connected
to different virtual systems can have overlapping private addresses.
l Each virtual system has its own resource quota so that a busy virtual system has no impact
on other virtual systems.
l The traffic of different virtual systems is separated to ensure security. However, different
virtual systems can still communicate with each other if needed.
l Virtual system technology reduces hardware investment, power consumption, and
equipment footprint.

7.2 Application Scenarios


This section describes the application scenarios of virtual systems.

Virtual systems apply to the following scenarios:

Network Isolation for Large and Medium-sized Enterprises


Networks of large and medium-sized enterprises are usually geographically dispersed, with a
large number of devices and complex configurations. Departments of enterprises have different
security requirements. Meeting such security requirements on large and medium-sized networks
involves complex firewall configurations, which are prone to errors. In contrast, the firewall
virtualization technology allows you to divide a network into multiple smaller subnets and
configure a virtual system for each subnet, making network boundaries clearer and network
management easier.

As shown in Figure 7-1, virtual systems are created on the NGFW for the R&D, financial, and
administrative departments of an enterprise. The administrators of each department have clearly
defined permissions, and the departments can communicate based on the policies. The
departments can also have different Internet access permissions.

Figure 7-1 Network isolation for large and medium-sized enterprises


[Figure: on the intranet, the R&D, financial, and administrative departments each connect
through their own virtual system on the NGFW (virtual system for the R&D department,
virtual system for the financial department, virtual system for the administrative
department); arrows show the service data flow.]

Security Gateway for Cloud Computing Centers


Cloud computing provides computing and storage capabilities over the Internet. To ensure
reliable cloud-based services, traffic of different customers must be isolated, protected, and
served by necessary resources. With virtual system technology, you can deploy a NGFW at the
egress of a cloud computing center and create a virtual system for each customer to isolate and
protect the traffic of different customers.

As shown in Figure 7-2, enterprises A and B have servers at the cloud computing center. The
NGFW functions as the security gateway at the egress of the cloud computing center. It isolates
the traffic of different enterprises and protects the cloud computing center based on the
configured security policies.


Figure 7-2 Security gateway for the cloud computing center

[Figure: enterprise A and enterprise B each reach their servers in the cloud computing center
through virtual system A and virtual system B on the NGFW at the egress; arrows show the
service data flow.]

7.3 Mechanism
This section describes the mechanism of the virtual system.

7.3.1 Virtual System and Administrator


This section describes the concepts of root system, virtual system, and administrator.

Virtual System
The NGFW has two types of virtual systems: root system (root) and virtual system (VSYS).

l Root system (root)


The root system is a special virtual system on the NGFW and is available even if the virtual
system function is disabled. After the virtual system function is enabled on the NGFW, the
root system inherits all the configurations of the NGFW.
The root system manages other virtual systems and forwards data between them.
l Virtual system (VSYS)
Virtual systems are independent logical systems created on a NGFW.

Figure 7-3 shows the logical structure of the root system and virtual systems.


Figure 7-3 Logical structure of the root system and virtual systems

[Figure: virtual system A, virtual system B, ..., virtual system N all sit on top of the root
system.]

To forward, isolate, and independently manage traffic of different virtual systems, the NGFW
implements virtualization in the following aspects:

l Resources: Each virtual system has dedicated resources, including interfaces, VLANs,
policies, and sessions. The resources are assigned by root system administrators and
managed by virtual system administrators.
l Configuration: Each virtual system has its own configuration interface and administrators
and cannot be accessed by administrators of other virtual systems.
l Services: Each virtual system has its own route entries, policies, and security
configurations, which apply only to packets of the virtual system.

With the preceding virtualization techniques, each virtual system can function as a dedicated
firewall that is exclusively managed by its administrator.

Administrator
Administrators are classified into root system administrators and virtual system administrators.
Figure 7-4 illustrates the permissions of the two types of administrators.

Figure 7-4 Permissions of root system and virtual system administrators

[Figure: the root administrator of the root system creates virtual systems and allocates
virtual system resources, creates virtual system administrators, configures public system
services, and configures the communication between virtual systems. The administrators of
virtual systems A, B, ..., N each configure the services of their own virtual system.]


l Root system administrator


After the virtual system function is enabled, the administrators of the NGFW will become
administrators of the root system. Root system administrators can manage the NGFW and
the root system, using the same login and authentication methods and with the same
permissions.
A root system administrator can configure virtual systems (for example, create or delete
virtual systems, create virtual system administrators, and allocate resources to virtual
systems) only when the virtual system management permission is assigned to that
administrator. Unless otherwise specified, the root system administrators mentioned
hereafter all have the virtual system management permission.
l Virtual system administrator
Each virtual system has one or multiple administrators. A virtual system administrator can
manage only the virtual system on which the administrator is created.
To relate administrators with virtual systems, virtual system administrator accounts are
named in the format of administrator name@@virtual system name.

7.3.2 Virtual System Resource Allocation


This section describes the virtual system resource allocation mechanism. Limiting the amount
of resources of each virtual system prevents a virtual system from preempting too many
resources from other virtual systems.

Basic resources, such as security zones, policies, and sessions, can be either automatically or
manually assigned to virtual systems, whereas other resources are preempted by all virtual
systems.

Resource Allocation
Table 7-1 lists the resources that are automatically and manually assigned.

Table 7-1 Automatically and manually assigned resources

Resource Name          Allocation Method       Description
---------------------  ----------------------  ---------------------------------------------------
SSL VPN Gateways       Automatically assigned  Each virtual system is automatically assigned a
                                               quota of four SSL VPN gateways upon creation.
Security Zones         Automatically assigned  Each virtual system is automatically assigned a
                                               quota of eight security zones, including four
                                               default security zones and four user-defined
                                               security zones.
Sessions               Manually assigned       -
New Session Rate       Manually assigned       The new session rate indicates the number of new
                                               sessions a virtual system can create in one
                                               second.
Online Users           Manually assigned       -
SSL VPN Concurrent     Manually assigned       -
Users
Users                  Manually assigned       -
User Groups            Manually assigned       -
Security Groups        Manually assigned       -
Policies               Manually assigned       Specifies the maximum total number of all
                                               policies, including security, NAT, bandwidth,
                                               authentication, audit, and routing policies.
Maximum Bandwidth      Manually assigned       Specifies the maximum incoming bandwidth of
                                               all interfaces of a virtual system.
DHCP Dynamic Address   Manually assigned       Specifies the number of dynamic IP addresses
Lease                                          that can be assigned to a virtual system.
DHCP Static Address    Manually assigned       Specifies the number of static IP addresses that
Lease                                          can be assigned to a virtual system.

Manually assigned resources have a guaranteed value and maximum value.

l Guaranteed value: specifies the amount of a resource committed to a virtual system and
cannot be preempted by other virtual systems.
l Maximum value: specifies the maximum allowed amount of resource that a virtual system
can have. Whether the virtual system can achieve the maximum value depends on available
resources and competition between virtual systems.

For example, 10 virtual systems are configured on the NGFW and the total number of sessions
available for the NGFW is 500,000. If virtual system A is configured with a guaranteed number
of 10,000 sessions and a maximum number of 50,000 sessions, then virtual system A can
establish 10,000 sessions without preemption. However, whether virtual system A can establish
50,000 sessions depends on the competition of other nine virtual systems and the root system.
If the total number of sessions established by the other nine virtual systems and the root system
is less than 450,000, then virtual system A can establish a maximum number of 50,000 sessions.

Root system administrators can assign resources to virtual systems based on their purpose. For
example, virtual system 1 connects to the zone where the enterprise servers reside to protect the
servers and virtual system 2 connects to the zone created for a department of 20 employees to
control Internet access. In this case, the two virtual systems have different needs for resources.
Virtual system 1 needs more sessions than virtual system 2, but does not need any users, whereas
virtual system 2 needs a quota of 20 users but needs fewer sessions than virtual system 1.
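The guaranteed and maximum values in the session example above, as an added Python model (not Huawei code): the quota figures for virtual system A and the 500,000-session total are the ones in the text, while the usage of the nine other virtual systems and the root system is constructed.

```python
"""Session quota model for virtual systems: guaranteed value vs maximum value.

Added example, not Huawei code. It models the rule stated above: the guaranteed
quota is reserved for its virtual system and cannot be preempted, while the span
between guaranteed and maximum is contested by all virtual systems (root system
included) within the NGFW's total capacity.
"""
from dataclasses import dataclass


@dataclass
class Vsys:
    name: str
    guaranteed: int          # sessions committed to this virtual system (cannot be preempted)
    maximum: int             # most sessions this virtual system may ever hold
    in_use: int = 0          # sessions currently established


def reserved(v):
    """Capacity a virtual system holds: its usage, but never less than its guarantee."""
    return max(v.in_use, v.guaranteed)


def attainable_sessions(target, others, capacity):
    """Largest session count `target` can reach now, given what the others hold.

    The guarantee is a floor even if the others have overcommitted the shared
    span; as long as the sum of all guarantees fits the capacity, `free` is
    never below the guarantee and the outer max() is only a safety clamp.
    """
    free = capacity - sum(reserved(o) for o in others)
    return max(target.guaranteed, min(target.maximum, free))


def can_establish(target, others, capacity, extra=1):
    """True if `target` may add `extra` sessions without preempting any guarantee."""
    return target.in_use + extra <= attainable_sessions(target, others, capacity)


# Constructed scenario from the text: 10 virtual systems, 500,000 sessions in total,
# virtual system A guaranteed 10,000 sessions and capped at 50,000.
CAPACITY = 500_000
VSYS_A = Vsys("A", guaranteed=10_000, maximum=50_000)


def others_holding(total):
    """The root system plus nine virtual systems sharing `total` established sessions."""
    each = total // 10
    return [Vsys(f"peer{i}", guaranteed=10_000, maximum=100_000, in_use=each) for i in range(10)]


if __name__ == "__main__":
    # Others at 450,000: A can reach its maximum of 50,000.
    print(attainable_sessions(VSYS_A, others_holding(450_000), CAPACITY))
    # Others at 460,000: only 40,000 are left for A.
    print(attainable_sessions(VSYS_A, others_holding(460_000), CAPACITY))
    # Others at 490,000: A still gets its guaranteed 10,000.
    print(attainable_sessions(VSYS_A, others_holding(490_000), CAPACITY))
```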

Resource Preemption
The following resources are preempted by all virtual systems:


l Address and address group
l Region and region group
l User-defined service and service group
l User-defined application and application group
l NAT address pool
l Schedule
l Traffic profile
l Static route
l Various types of tables, including the server-map, IP-MAC binding, ARP, and MAC
address table

7.3.3 Virtual System Traffic Sorting


This section describes how the NGFW forwards traffic of different virtual systems.

If no virtual systems are configured on the NGFW, the NGFW forwards packets based on policies
and various tables (such as session, MAC address, and routing table) of the root system. After
virtual systems are configured on the NGFW, each virtual system functions as a dedicated device
and has its own policies and tables for packet processing. In this case, after receiving a packet,
the NGFW must first determine the destination virtual system of the packet. This process is
called traffic sorting.

The NGFW sorts traffic based on the interface (for Layer 3 interfaces) or the VLAN (for Layer 2
interfaces).

Interface-based Traffic Sorting


After an interface (a GE interface or GE subinterface) is bound to a virtual system, all packets
received at this interface belong to the bound virtual system, and the NGFW processes the
packets based on the configuration of the virtual system.

In Figure 7-5, the three virtual systems, VSYSA, VSYSB, and VSYSC, have their dedicated
inside interfaces, which are respectively GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and
GigabitEthernet 1/0/3. After receiving packets, the NGFW forwards them to their virtual systems
for routing and policy matching.


Figure 7-5 Interface-based traffic sorting

[Figure: GE1/0/4 is on the upstream side. Inside interfaces GE1/0/1 (10.3.0.0/24), GE1/0/2
(10.3.1.0/24), and GE1/0/3 (10.3.2.0/24) are bound to VSYSA, VSYSB, and VSYSC respectively,
and traffic sorting delivers the packets of each interface to its virtual system.]

VLAN-based Traffic Sorting


If a VLAN is bound to a virtual system, the NGFW forwards packets from this VLAN to the
bound virtual system.

In Figure 7-6, the inside interface GigabitEthernet 1/0/1 of the NGFW is a Layer-2 trunk
interface and is configured to permit packets from VLAN10, VLAN20, and VLAN30, which
are bound to VSYSA, VSYSB, and VSYSC respectively. After receiving a packet on
GigabitEthernet 1/0/1, the NGFW checks the VLAN tag carried in the packet header to determine
the source VLAN of the packet and then forwards the packet to the virtual system to which the
VLAN is bound.

After the packet enters the virtual system, the NGFW checks the MAC address table to obtain
the outgoing interface and then forwards or discards the packet based on the inter-zone policy.


Figure 7-6 VLAN-based traffic sorting

[Figure: GE1/0/1 and GE1/0/2 are trunk interfaces permitting VLAN 10, 20, and 30. Packets
arriving on GE1/0/1 with VLAN tag 10, 20, or 30 are sorted to VSYSA, VSYSB, or VSYSC
respectively.]

7.3.4 Communication Between Virtual Systems


Virtual systems can communicate using virtual interfaces.

Virtual Interface
Virtual interfaces are logical interfaces used for inter-virtual system communication. After a
virtual system is created, the system automatically creates a virtual interface for the virtual
system. Virtual interfaces are named in the format of Virtualif+number, with the virtual interface
of the root system numbered 0 (Virtualif0). Other virtual interfaces are automatically numbered
from 1. Unlike other interfaces, virtual interfaces can work without IP addresses.

As shown in Figure 7-7, the virtual interfaces (Virtualif1 to VirtualifN) of all virtual systems
are connected to the virtual interface (Virtualif0) of the root system through a virtual link. You
can add virtual interfaces to secure zones and configure routes and security policies to enable
and control the communication between the root system and virtual systems.

You can compare the root system to a router that forwards traffic for virtual systems.


Figure 7-7 Virtual interface

[Figure: Virtualif1 of virtual system A, Virtualif2 of virtual system B, ..., VirtualifN of
virtual system N each connect to Virtualif0 of the root system through a virtual link.]

The communication between virtual systems and between a virtual system and the root system
is described as follows.

Communication Between the Root System and Virtual Systems


Configure communication between the root system and virtual systems in the following
scenarios:
l Hosts served by virtual systems need to communicate with hosts served by the root system.
l The number of public IP addresses is insufficient and all virtual systems need to access the
Internet through the root system. In this case, the traffic of the virtual systems must be
forwarded by the root system.
As shown in Figure 7-8, you can configure routes and security policies to allow private network
10.3.0.0/24 connected to virtual system A (VSYSA) to access the server at 3.3.3.3 on the Internet
through interface GE1/0/1 of the root system.

Figure 7-8 Communication between a virtual system and the root system
[Figure: a host on 10.3.0.0/24 enters virtual system A (VSYSA) through GE1/0/2; VSYSA hands
the packet over Virtualif1 to Virtualif0 of the root system, which sends it out GE1/0/1 to
the ISP gateway 1.1.1.254 and on to the server 3.3.3.3.]

1. The host sends an access request.
2. VSYSA forwards the packet based on the firewall processing flow and finds the destination
VSYS in its routing table based on the destination address.
3. VSYSA sends the packet to the root system.
4. The root system forwards the packet based on the firewall processing flow and finds the
outgoing interface and next hop in its routing table based on the destination address.
5. The packet reaches the Internet.

VSYSA routing table:
Destination Address  Destination VSYS  Outgoing Interface  Next Hop
3.3.3.3/32           root              -                   -
10.3.0.0/24          VSYSA             GE1/0/2             -
……                   ……                ……                  ……

Root system routing table:
Destination Address  Destination VSYS  Outgoing Interface  Next Hop
3.3.3.3/32           root              GE1/0/1             1.1.1.254
10.3.0.0/24          VSYSA             -                   -
……                   ……                ……                  ……


Configure routes as follows to enable communication between VSYSA and the root system:

1. Configure a static route on VSYSA. Set the destination IP address to 3.3.3.3 and destination
virtual system to root.
2. Configure a static route on the root system. Set the destination IP address to 3.3.3.3, the
outgoing interface to GE1/0/1, and the next hop to the gateway IP address obtained from
the carrier. The static routes in steps 1 and 2 are used to forward traffic from hosts connected
to VSYSA to the Internet.
3. Configure a static route on the root system. Set the destination IP address to 10.3.0.0/24
and destination virtual system to VSYSA.
4. Configure a static route on VSYSA. Set the destination IP address to 10.3.0.0/24 and the
outgoing interface to GE1/0/2. The static routes in steps 3 and 4 are used to forward traffic
from the Internet to hosts connected to VSYSA.

Configure security policies as follows to enable communication between VSYSA and the root
system:

1. On VSYSA, add interface GE1/0/2 to the Trust zone and Virtualif1 to the Untrust zone,
and configure a security policy to allow the Trust zone to access the Untrust zone.
2. On the root system, add interface GE1/0/1 to the Untrust zone and Virtualif0 to the Trust
zone, and configure a security policy to allow the Trust zone to access the Untrust zone.

Network 10.3.0.0/24 is a private network. Therefore, a NAT policy must be configured for the
network to access the Internet. Configure the NAT policy on whichever system, VSYSA or the root
system, has the public IP addresses configured.

Communication Between Two Virtual Systems


Two virtual systems can communicate with each other through the root system. As shown in
Figure 7-9, users connected to VSYSA need to access the server connected to VSYSB through
the root system.


Figure 7-9 Communication between two virtual systems

[Figure: network 10.3.0.0/24 -- GE1/0/2 -- Virtual system A (VSYSA) -- Virtualif1 -- Virtualif0 -- Root system -- Virtualif2 -- Virtual system B (VSYSB) -- GE1/0/3 -- network 10.3.1.0/24 with server 10.3.1.3]

VSYSA routing table
Destination Address   Destination VSYS   Outgoing Interface   Next Hop
10.3.1.3/32           root               -                    -
10.3.0.0/24           VSYSA              GE1/0/2              -
......

Root routing table
Destination Address   Destination VSYS   Outgoing Interface   Next Hop
10.3.1.3/32           VSYSB              -                    -
10.3.0.0/24           VSYSA              -                    -
......

VSYSB routing table
Destination Address   Destination VSYS   Outgoing Interface   Next Hop
10.3.1.3/32           VSYSB              GE1/0/3              -
10.3.0.0/24           root               -                    -
......

Packet flow shown in the figure:
1. A host on 10.3.0.0/24 sends an access request.
2. VSYSA forwards the packet based on the firewall processing flow and finds the destination VSYS (root) in its routing table based on the destination address.
3. The root system looks up its routing table and finds that the destination VSYS is VSYSB.
4. The root system sends the packet to VSYSB.
5. VSYSB forwards the packet based on the firewall processing flow and finds the outgoing interface (GE1/0/3) in its routing table based on the destination address.
6. The packet reaches the server.

Configure routes as follows to enable communication between VSYSA and VSYSB:

1. Configure a static route on VSYSA. Set the destination IP address to 10.3.1.3 and
destination virtual system to root.
2. Configure a static route on the root system. Set the destination IP address to 10.3.1.3 and
destination virtual system to VSYSB.
3. Configure a static route on VSYSB. Set the destination IP address to 10.3.1.3 and the
outgoing interface to GE1/0/3. The static routes in steps 1, 2, and 3 are used to forward
traffic from hosts connected to VSYSA to the server connected to VSYSB.
4. Configure a static route on VSYSB. Set the destination IP address to 10.3.0.0/24 and
destination virtual system to root.
5. Configure a static route on the root system. Set the destination IP address to 10.3.0.0/24
and destination virtual system to VSYSA.
6. Configure a static route on VSYSA. Set the destination IP address to 10.3.0.0/24 and the
outgoing interface to GE1/0/2. The static routes in steps 4, 5, and 6 are used to forward
traffic from VSYSB to hosts connected to VSYSA.

Configure security policies as follows to enable communication between VSYSA and VSYSB:


1. On VSYSA, add interface GE1/0/2 to the Trust zone and Virtualif1 to the Untrust zone,
and configure a security policy to allow the Trust zone to access the Untrust zone.
2. On VSYSB, add interface GE1/0/3 to the Trust zone and Virtualif2 to the Untrust zone,
and configure a security policy to allow the Untrust zone to access the Trust zone.

NOTE

The root system only forwards packets between virtual systems based on the routing table and does not
implement any security functions. Therefore, you do not need to configure any security policies on the root
system.

Similarly, if address translation is needed, a NAT policy must be configured on VSYSA, VSYSB,
or the root system.
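The forwarding and policy rules of these two subsections, as an added example written for this page rather than taken from the guide or from Huawei: a Python model of the virtual systems of Figures 7-8 and 7-9. The Virtualif numbers, the use of a default route on the root system (as in section 7.5.4) and the stateful treatment of replies (a packet that matches an existing session is not checked against policy again) are assumptions; the routing tables, zones and policies are those listed above. demo() returns the path each packet takes.

```python
"""Packet forwarding between virtual systems and the root system.

Added example, not code from this guide or from Huawei.  Routing tables,
zones and policies are those of Figures 7-8 and 7-9, with the root system
using the default route of section 7.5.4.  The Virtualif numbers and the
stateful treatment of replies are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    prefix: str        # destination address/mask
    dest_vsys: str     # system that performs the next lookup
    out_if: str = ""   # outgoing interface, set only when dest_vsys is this system
    next_hop: str = ""


@dataclass
class Vsys:
    name: str
    vif: str                                      # this system's virtual interface
    routes: list
    zones: dict = field(default_factory=dict)     # interface -> zone
    policies: list = field(default_factory=list)  # (src_zone, dst_zone, src_net, dst_net, action)

    def lookup(self, dst):
        """Longest-prefix match in this system's own routing table."""
        addr = ipaddress.ip_address(dst)
        hits = [r for r in self.routes if addr in ipaddress.ip_network(r.prefix)]
        return max(hits, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen, default=None)

    def permits(self, src_zone, dst_zone, src, dst):
        """First matching rule decides; no match is the default deny."""
        for sz, dz, sn, dn, action in self.policies:
            if (sz, dz) == (src_zone, dst_zone) and ipaddress.ip_address(src) in ipaddress.ip_network(sn) \
                    and ipaddress.ip_address(dst) in ipaddress.ip_network(dn):
                return action == "permit"
        return False


def forward(systems, start, in_if, src, dst, sessions, max_hops=4):
    """Walk one packet until it leaves on a physical interface or is dropped.

    Returns (verdict, path); `sessions` records (vsys, src, dst) of permitted flows."""
    path, vsys = [], systems[start]
    for _ in range(max_hops):
        route = vsys.lookup(dst)
        if route is None:
            path.append((vsys.name, "no route"))
            return "drop", path
        inter = route.dest_vsys != vsys.name
        out_if = vsys.vif if inter else route.out_if
        # The root system applies no security policy when it only transits
        # traffic between two virtual systems (virtual interface in and out).
        transit = vsys.name == "root" and in_if == out_if == vsys.vif
        reply = (vsys.name, dst, src) in sessions
        if not (transit or reply):
            sz, dz = vsys.zones.get(in_if), vsys.zones.get(out_if)
            if not vsys.permits(sz, dz, src, dst):
                path.append((vsys.name, f"denied {sz}->{dz}"))
                return "drop", path
            sessions.add((vsys.name, src, dst))
        if not inter:
            path.append((vsys.name, f"out {out_if} via {route.next_hop or 'connected'}"))
            return "forward", path
        path.append((vsys.name, f"to {route.dest_vsys}"))
        vsys, in_if = systems[route.dest_vsys], systems[route.dest_vsys].vif
    path.append((vsys.name, "hop limit"))
    return "drop", path


def build(root_return_route=True):
    vsysa = Vsys("vsysa", "Virtualif1",
                 [Route("10.3.0.0/24", "vsysa", "GE1/0/2"),
                  Route("3.3.3.3/32", "root"), Route("10.3.1.3/32", "root")],
                 {"GE1/0/2": "trust", "Virtualif1": "untrust"},
                 [("trust", "untrust", "10.3.0.0/24", "3.3.3.3/32", "permit"),
                  ("trust", "untrust", "10.3.0.0/24", "10.3.1.3/32", "permit")])
    vsysb = Vsys("vsysb", "Virtualif2",
                 [Route("10.3.1.0/24", "vsysb", "GE1/0/3"), Route("10.3.0.0/24", "root")],
                 {"GE1/0/3": "trust", "Virtualif2": "untrust"},
                 [("untrust", "trust", "10.3.0.0/24", "10.3.1.3/32", "permit")])
    root_routes = [Route("0.0.0.0/0", "root", "GE1/0/1", "1.1.1.254"), Route("10.3.1.0/24", "vsysb")]
    if root_return_route:                         # the root system's route back to VSYSA's users
        root_routes.append(Route("10.3.0.0/24", "vsysa"))
    root = Vsys("root", "Virtualif0", root_routes,
                {"GE1/0/1": "untrust", "Virtualif0": "trust"},
                [("trust", "untrust", "0.0.0.0/0", "0.0.0.0/0", "permit")])
    return {"vsysa": vsysa, "vsysb": vsysb, "root": root}


def demo(root_return_route=True):
    systems, sessions, out = build(root_return_route), set(), {}
    # Figure 7-8: a VSYSA host reaches the Internet through the root system; the reply comes back.
    out["a_to_internet"] = forward(systems, "vsysa", "GE1/0/2", "10.3.0.5", "3.3.3.3", sessions)
    out["internet_reply"] = forward(systems, "root", "GE1/0/1", "3.3.3.3", "10.3.0.5", sessions)
    # Figure 7-9: a VSYSA host reaches the VSYSB server; the root system only transits.
    out["a_to_b"] = forward(systems, "vsysa", "GE1/0/2", "10.3.0.5", "10.3.1.3", sessions)
    out["b_reply"] = forward(systems, "vsysb", "GE1/0/3", "10.3.1.3", "10.3.0.5", sessions)
    # A new flow from VSYSB toward VSYSA: VSYSB has no trust->untrust rule, so it is denied there.
    out["b_to_a_new"] = forward(systems, "vsysb", "GE1/0/3", "10.3.1.3", "10.3.0.7", sessions)
    return out
```

Running demo(root_return_route=False) omits the root system's route to 10.3.0.0/24. The replies from VSYSB and from the Internet are then not dropped: they follow the root's default route back out GE1/0/1, and the any-to-any trust-to-untrust policy on the root system (the one configured in section 7.5.4) permits the VSYSB reply to leave toward the ISP. Check routes in both directions on every system the traffic crosses, and keep the root policy as narrow as the address plan allows.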

Communication Between Virtual Systems with Overlapping Private Addresses


As virtual systems are isolated from each other and are independently managed, IP address
overlapping may occur if administrators of different virtual systems assign the same private
addresses to hosts in their networks. Overlapping addresses can cause the following
communication problems:

l For communication between virtual systems and the root system


For example, a host connected to VSYSA and a host connected to VSYSB have the same
private IP address 10.3.0.2, and the two hosts need to communicate with a server (IP
address: 192.168.1.1) connected to the root system.
Packets originating from both virtual systems can be correctly forwarded to the server.
However, return packets originating from the server and destined for the IP address 10.3.0.2
cannot be correctly forwarded by the root system, because both VSYSA and VSYSB have
a host whose IP address is 10.3.0.2.
To resolve this problem, configure NAT policies on the two virtual systems to translate the
source IP addresses of their packets into non-conflicting IP addresses before the packets
are forwarded to the root system. Then, configure routes on the root system for the translated
IP addresses so that the root system can correctly forward packets to hosts connected to
VSYSA and VSYSB that have the same private IP address.
l For communication between two virtual systems
For example, a network connected to VSYSA and a network connected to VSYSB use the
same private IP address segment 10.3.0.0/24 and need to communicate with each other.
Without NAT, hosts connected to VSYSA cannot communicate with hosts connected to
VSYSB because the packets they send carry the same source and destination IP address or
address segment.
To resolve this problem, configure NAT policies on the root system to translate the source
or destination IP addresses of packets for VSYSA and VSYSB.
For example, to allow a host connected to VSYSA to access a server (IP address: 10.3.0.3)
connected to VSYSB, configure a NAT policy on VSYSA to translate the source IP addresses of
its packets to 192.168.1.1, and configure IP address mapping on VSYSB to map the private IP
address (10.3.0.3) of the server to 192.168.2.1. The detailed route and NAT configurations
are as follows:

1. On VSYSA, configure a NAT policy for source IP address translation.


Source IP Address Before Translation   Source IP Address After Translation
10.3.0.0/24                            192.168.1.1

2. On VSYSA, configure a static route to the root system.

Source Virtual System   Destination IP Address   Destination Virtual System   Outgoing Interface
-                       192.168.2.1              root                         -

3. On the root system, configure a static route to VSYSB.

Source Virtual System   Destination IP Address   Destination Virtual System   Outgoing Interface
-                       192.168.2.1              VSYSB                        -

4. On VSYSB, configure IP address mapping for the server.

Type             Public IP Address   Private IP Address
Static mapping   192.168.2.1         10.3.0.3

5. On VSYSB, configure a static route to 10.3.0.3.

Configure the static routes for the return traffic from VSYSB to VSYSA in the same way: on
VSYSB, a route to 192.168.1.1 with the destination virtual system set to root, and on the root
system, a route to 192.168.1.1 with the destination virtual system set to VSYSA.
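The overlap problem and the NAT plan above, as an added example written for this page (not the guide's or Huawei's code): a Python checker that decides whether the root system can route return traffic unambiguously, lists the static routes it needs, and shows the addresses of one request at each stage. The VsysPlan class and its rule that a virtual system with a NAT policy toward the root exposes only its translated addresses are this example's own assumptions; the addresses follow the scenario in the text.

```python
"""Address-plan check for virtual systems with overlapping private addresses.

Added example, not code from this guide or from Huawei.  The root system
chooses the destination virtual system from the destination address alone,
so every prefix it routes back into a virtual system must be unique across
all virtual systems.  A virtual system whose traffic toward the root is
translated (source NAT or a static mapping) exposes only its translated
addresses; otherwise it exposes its private prefixes.  Names and addresses
follow the scenario in the text.
"""
import ipaddress


def net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


class VsysPlan:
    def __init__(self, name, private, snat=None, static_map=None):
        self.name = name
        self.private = [net(p) for p in private]                # networks behind this VSYS
        self.snat = net(snat) if snat else None                 # translated source address
        self.static_map = {net(pub): net(priv)                  # public -> private server address
                           for pub, priv in (static_map or {}).items()}

    def root_visible(self):
        """Destination prefixes the root system must route into this VSYS."""
        if self.snat or self.static_map:
            return set(self.static_map) | ({self.snat} if self.snat else set())
        return set(self.private)


def conflicts(plans):
    """Pairs of virtual systems whose root-visible prefixes overlap."""
    found = []
    for i, a in enumerate(plans):
        for b in plans[i + 1:]:
            found += [(a.name, str(pa), b.name, str(pb))
                      for pa in sorted(a.root_visible()) for pb in sorted(b.root_visible())
                      if pa.overlaps(pb)]
    return found


def root_routes(plans):
    """Static routes the root system needs: (destination prefix, destination VSYS).

    Raises ValueError when two virtual systems would claim the same prefix."""
    bad = conflicts(plans)
    if bad:
        raise ValueError(f"root system cannot route unambiguously: {bad}")
    return sorted((str(p), plan.name) for plan in plans for p in plan.root_visible())


def translate(src_plan, dst_plan, src, dst):
    """Source/destination addresses of one request at each stage.

    `dst` is the address the client uses: the public side of the server's mapping."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    at_root_src = src_plan.snat.network_address if src_plan.snat else src_ip
    inner_dst = next((priv.network_address for pub, priv in dst_plan.static_map.items()
                      if dst_ip in pub), dst_ip)
    return {
        "in_src_vsys": (str(src_ip), str(dst_ip)),
        "at_root": (str(at_root_src), str(dst_ip)),
        "in_dst_vsys": (str(at_root_src), str(inner_dst)),
        "reply_at_root": (str(dst_ip), str(at_root_src)),   # root routes the reply by the SNAT address
    }


def demo():
    # Without NAT both systems expose 10.3.0.0/24 and the root cannot tell them apart.
    bare = [VsysPlan("vsysa", ["10.3.0.0/24"]), VsysPlan("vsysb", ["10.3.0.0/24"])]
    # The plan from the text: VSYSA hides its hosts behind 192.168.1.1,
    # VSYSB maps its server 10.3.0.3 to 192.168.2.1.
    fixed = [VsysPlan("vsysa", ["10.3.0.0/24"], snat="192.168.1.1/32"),
             VsysPlan("vsysb", ["10.3.0.0/24"], static_map={"192.168.2.1/32": "10.3.0.3/32"})]
    return {"bare_conflicts": conflicts(bare),
            "routes": root_routes(fixed),
            "walk": translate(fixed[0], fixed[1], "10.3.0.2", "192.168.2.1")}
```

root_routes() for the plan in the text yields exactly the two routes the root system needs: 192.168.2.1 to VSYSB for the request and 192.168.1.1 to VSYSA for the reply. Run the checker over the plans of every virtual system before adding routes on the root system; an overlap that passes unnoticed only shows up as replies delivered to the wrong tenant.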

7.4 Restrictions and Precautions


This section describes the restrictions and precautions that apply to the use of virtual systems.

Restrictions
Most functions of the NGFW are available in virtual systems. For detailed function availability,
see Function Availability for Virtual Systems. Table 7-2 describes the usage restrictions for
some functions available on virtual systems.

Table 7-2 Usage restrictions for virtual system functions

Function                     Restrictions
Administrator                Virtual system administrators cannot log in to the device using
                             the console port.
Signature database and       The signature database and system software can only be updated
system software update       on the root system.
Configuration file           Virtual system administrators can configure a virtual system
management                   using the Web UI or CLI of the virtual system. However, they
                             can only use the Web UI to import or export the virtual system
                             configuration file.
SSH                          Virtual system administrators can use STelnet to log in to a
                             virtual system. However, the passwords used for the login can
                             only be generated on the root system. The SSH configurations of
                             the root system apply to all virtual systems.
Port management              The ports for services, including HTTP, HTTPS, and SSH, can
                             only be set on the root system.
Certificate                  Certificate-related operations can only be performed on the
                             root system. The operations include certificate application,
                             import, deletion, and filtering, and certificate revocation list
                             (CRL) uploading. The certificate configurations of the root
                             system apply to all virtual systems.
User management and          The redirection mode for authentication and the authentication
authentication               page can only be configured on the root system. The user
                             management and authentication configurations of the root
                             system apply to all virtual systems.
Log and report               The log server can only be configured on the root system. The
                             log and report configurations of the root system apply to all
                             virtual systems.

Precautions
A Layer-3 GE, VLAN, or VLANIF interface cannot be assigned to a virtual system in any of the
following situations:

l The GE interface or VLAN has already been assigned to a virtual system.
l The GE or VLANIF interface is used as a heartbeat interface in a hot standby deployment.
l The GE or VLANIF interface is used as the source interface that sends signature database
  upgrade request packets.
l The GE or VLANIF interface is referenced by a policy.
l TCP proxy or IPv6 is enabled on the GE or VLANIF interface, or the interface has been added
  to a security zone or link-group.
l The GE interface is an Eth-Trunk member interface or has been switched to a Layer-2 interface.

The following configurations of an interface are automatically cleared when the interface is
assigned to a virtual system:

l IP address
l IPSec
l DDoS attack defense


Trunk and hybrid Layer-2 interfaces and Layer-3 interfaces on which subinterfaces are created
may be simultaneously used by multiple virtual systems. Therefore, the Traffic History
displayed on the Dashboard of each virtual system is the total traffic of all virtual systems that
use the interfaces.
Virtual systems can forward only session logs and packet discard logs (excluding policy
matching logs) to the log server of the public system. Attack defense logs of virtual systems can
be displayed only on the device, and they cannot be sent to the log server by the information
center.

7.5 Deploying a Virtual System Using the Web UI


This section describes how to deploy a virtual system using the Web UI as a root system
administrator.

7.5.1 Enabling the Virtual System Function


This section describes how to enable the virtual system function. You can configure resource
classes and create virtual systems only after the virtual system function is enabled.

Procedure
Step 1 Access the Dashboard page. Click Configure next to Virtual System in the System
Information group area.

Figure 7-10 Enabling the virtual system function

Step 2 Select Enable.


Step 3 Click Apply.

----End


Changes to the Web UI


After the virtual system function is enabled, the Web UI changes as follows:

l The Virtual System drop-list box is displayed at the upper right corner of the page, as
shown in Figure 7-11. If multiple virtual systems are created on the NGFW, you can select
the name of a virtual system to access the configuration page of the virtual system. In the
drop-list box, root indicates the root system, vsysa and vsysb are the virtual systems that
the administrator has created.

Figure 7-11 Accessing the configuration page of the virtual system

l The Virtual System node is displayed in the navigation tree on the System page.

Figure 7-12 Virtual system nodes

7.5.2 Configuring a Resource Class


This section describes how to configure a resource class. You are advised to configure resource
classes before creating any virtual system.


Context
All virtual systems created on an NGFW share the resources available on the NGFW. To ensure
that system resources remain available to every virtual system and to prevent one virtual
system from overusing them, restrict the amount of system resources available to each virtual
system.

To do so, add a resource class, configure the system resources for the resource class, and bind
the resource class to a virtual system.

NOTE

A resource class can be bound to multiple virtual systems. If several virtual systems require the same type
and amount of system resources, bind the same resource class to each of them.
NOTE

Resource class r0 is bound to the root system by default and cannot be deleted or renamed.

Procedure
Step 1 Check resource usage.

Before allocating resources for virtual systems, check the available resources using a root system
administrator account.

1. Choose System > Virtual System > Resource Class.


2. Click Remained Resource to view information about available resources.

Parameter          Description
Name               -
Remained Number    Amount of available system resources = Total system resources -
                   Amount of allocated system resources - Amount of system resources
                   used by the root system.
                   Ensure that the amount of system resources to be allocated does not
                   exceed the amount of available system resources.

Step 2 Click Add to create and configure a resource class.

Parameter            Description
Name                 Name of the resource class.
Description          Description of the resource class. The description should clearly
                     indicate the purpose of the resource class so that resource classes
                     can be easily searched for.
Resource Name        Name of the resource to be allocated:
                     l Policy indicates the total number of allowed policies, including
                       security, NAT, bandwidth, authentication, audit, and PBR policies.
                     l Maximum Bandwidth indicates the incoming bandwidth for all
                       interfaces, including virtual interfaces.
                     l New Session Rate indicates the number of new sessions a virtual
                       system can create in one second.
                     l DHCP Dynamic Address Lease indicates the number of dynamic IPv4
                       addresses that can be assigned to a virtual system.
                     l DHCP Static Address Lease indicates the number of static IPv4
                       addresses that can be assigned to a virtual system.
Guaranteed Number    Minimum amount of the resource item available to a virtual system.
                     Once assigned to a virtual system, this amount is reserved for its
                     exclusive use.
Maximum Number       Maximum amount of the resource item available to a virtual system.
                     The amount a virtual system actually obtains above its guaranteed
                     number depends on competition from other virtual systems.

Step 3 Click OK.

----End
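How Guaranteed Number and Maximum Number interact, as an added example written for this page (not the guide's or Huawei's code). The pool, class names and numbers are constructed. The model assumes that units above a virtual system's guarantee are served from the remainder left after every bound guarantee and the root system's own usage are set aside, which is the competition the parameter table describes; the Remained Number is computed exactly as the Web UI defines it.

```python
"""Model of resource-class quotas (guaranteed and maximum numbers).

Added example, not code from this guide or from Huawei.  The Remained Number
is the total minus every bound guarantee minus the root system's own usage;
a virtual system always obtains its guarantee; anything beyond it, up to the
maximum, comes from the shared remainder and therefore depends on what other
virtual systems hold.  Class names and numbers are constructed.
"""


class ResourceClass:
    def __init__(self, name, guaranteed, maximum):
        if guaranteed > maximum:
            raise ValueError(f"{name}: guaranteed {guaranteed} exceeds maximum {maximum}")
        self.name, self.guaranteed, self.maximum = name, guaranteed, maximum


class ResourcePool:
    """One resource item, for example the policy quota or new sessions per second."""

    def __init__(self, total, root_usage):
        self.total, self.root_usage = total, root_usage
        self.classes = {}   # vsys name -> ResourceClass
        self.used = {}      # vsys name -> units currently held

    def remaining(self):
        """Remained Number: total - allocated guarantees - amount used by the root system."""
        return self.total - self.root_usage - sum(c.guaranteed for c in self.classes.values())

    def fits(self, rc):
        """The check to make before binding: the guarantee must fit in the remainder."""
        return rc.guaranteed <= self.remaining()

    def bind(self, vsys, rc):
        if not self.fits(rc):
            raise ValueError(f"{vsys}: guaranteed {rc.guaranteed} exceeds remaining {self.remaining()}")
        self.classes[vsys] = rc
        self.used[vsys] = 0

    def shared_free(self):
        """Remainder not yet taken by systems running above their guarantee."""
        above = sum(max(0, self.used[v] - self.classes[v].guaranteed) for v in self.used)
        return self.remaining() - above

    def allocate(self, vsys, n):
        """Grant up to n units to vsys and return the number actually granted."""
        rc, used = self.classes[vsys], self.used[vsys]
        from_guarantee = min(n, max(0, rc.guaranteed - used))
        headroom = rc.maximum - used - from_guarantee        # room left under the maximum
        from_shared = min(n - from_guarantee, max(0, headroom), self.shared_free())
        granted = from_guarantee + from_shared
        self.used[vsys] += granted
        return granted

    def release(self, vsys, n):
        self.used[vsys] -= min(n, self.used[vsys])


def demo():
    """Three virtual systems competing for a constructed quota of 2000 policies."""
    pool = ResourcePool(total=2000, root_usage=200)
    pool.bind("vsysa", ResourceClass("gold", guaranteed=500, maximum=1000))
    pool.bind("vsysb", ResourceClass("silver", guaranteed=300, maximum=800))
    pool.bind("vsysc", ResourceClass("bronze", guaranteed=0, maximum=300))
    out = {"remaining": pool.remaining()}                  # 1000 left beyond all guarantees
    out["vsysa"] = pool.allocate("vsysa", 900)             # 500 guaranteed + 400 shared
    out["vsysb"] = pool.allocate("vsysb", 800)             # 300 guaranteed + 500 shared
    out["vsysc_first"] = pool.allocate("vsysc", 300)       # only 100 shared units are left
    pool.release("vsysa", 400)
    out["vsysc_after_release"] = pool.allocate("vsysc", 200)  # now fits under its maximum
    return out
```

A class with a guarantee of 0, such as the constructed bronze class, is the same position a virtual system is in when it is bound to no resource class: it gets only what the others leave over. Size guarantees for the virtual systems whose policy count or session rate must never be starved by a neighbour, and keep the sum of guarantees below the Remained Number shown in the Web UI.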

7.5.3 Creating a Virtual System and Allocating Resources


This section describes how to create a virtual system and allocate resources to it.

Context
A resource class must be specified for a virtual system to allocate resources, such as policy and
concurrent sessions quota.

In addition, interfaces and VLANs must be allocated as required after a virtual system has been
added.

Procedure
Step 1 Choose System > Virtual System > Virtual System.

Step 2 Click Add. Then click the Basic Configuration tab and configure necessary parameters.


Parameter         Description
Name              Name of the virtual system.
Description       Description of the virtual system. The description must clearly
                  indicate the function of the virtual system so that virtual systems
                  can be easily searched for.
Resource Class    Resource class to be bound. Values are as follows:
                  l If no resource class is selected, or if NONE is selected, the
                    virtual system preempts resources, such as concurrent sessions and
                    policy quota, from the root system. If the root system has no
                    resource left, the virtual system has none to use.
                  l Select New Resource Class to create a resource class and bind it
                    to the virtual system.
                  l Select an existing resource class to bind it to the virtual system.

Step 3 Allocate interfaces or VLANs for the added virtual system.


l Click the Assign Interface tab. Then allocate the interfaces for the virtual system as
required.
The interface must be an available Layer-3 Ethernet interface or subinterface.
l Click the Assign VLAN tab. Then allocate the VLANs for the virtual system as required.
The Layer-2 interface or VLANIF interfaces of the VLAN are also assigned to the virtual
system.

Step 4 Click OK.

Step 5 To apply the configuration, click Save at the upper right corner of the page. Then click OK in
the dialog box that is displayed.

----End

Follow-up Procedure
After configurations are complete, perform the following operations:

l Check the created virtual system and system resources allocated to it in Virtual System
List.
l Select a virtual system in Virtual System List and click Resource Usage to view the usage
of the resources allocated to the virtual system.

l Select a virtual system and click to access the virtual system administrator page.

To delete a virtual system, select the virtual system in the Virtual System List, and click
Delete. Then, click OK in the dialog box that is displayed. All configurations of the deleted
virtual system are cleared, and all resources allocated to the virtual system are reclaimed.


7.5.4 Enabling Communication Between a Virtual System and the Root System

This section describes how to configure routes and security policies for the communication
between a virtual system and the root system.

Context
To enable the communication between the virtual system and root system, you need to correctly
configure the routes and security policies on the virtual system and root system, just as on two
physical devices.

Before the actual configuration, you are advised to read Communication between a virtual
system and the root system and learn about the mechanism for the communication between a
virtual system and the root system.

As shown in Figure 7-13, routes and security policies must be configured to enable the users of
virtual system VSYSA to access the Internet server at IP address 3.3.3.3 through public interface
GE1/0/1 of the root system.

Figure 7-13 Communication between a virtual system and the root system

[Figure: within the NGFW, network 10.3.0.0/24 -- GE1/0/3 (10.3.0.1/24, Trust zone) -- VSYSA -- virtual interface -- root -- GE1/0/1 (1.1.1.1/24, Untrust zone) -- ISP gateway 1.1.1.254 -- server 3.3.3.3]

Procedure
Step 1 Configure routes and security policies on VSYSA.
1. Select vsysa in the Virtual System drop-down list at the upper right corner of the page to
access virtual system VSYSA.
2. Choose Network > Router > Static Route.
3. Click Add and configure a static route to the Internet as follows:

Source Virtual System        vsysa
Destination Address/Mask     3.3.3.3/255.255.255.255
Destination Virtual System   root
Next Hop                     -
Interface                    -


NOTE

An inter-virtual system static route has the destination virtual system specified to guide packet forwarding
for the source virtual system. The packets destined for the destination address are sent from the source
virtual system to the destination virtual system for route searching and packet forwarding.
Inter-virtual system static routes do not have next hops specified.
4. Choose Network > Interface.
5. Click the edit icon next to the Virtualif1 interface and add the interface to the Untrust zone.
NOTE

The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore, in
actual configurations, the interface might not be Virtualif1. You can view the mapping between the virtual
system and virtual interface in Interface List.
6. Choose Policy > Security Policy > Security Policy.
7. Click Add and configure a security policy as follows:

Name                         to_internet
Source Zone                  trust
Destination Zone             untrust
Source Address/Region        10.3.0.0/24
Destination Address/Region   3.3.3.3/32
Action                       Permit

Step 2 Configure routes and security policies on the root system.


1. Select root in the Virtual System drop-down list at the upper right corner of the page to
access the root system.
2. Choose Network > Router > Static Route.
3. Click Add and configure a default route to the Internet as follows:

Source Virtual System        root
Destination Address/Mask     0.0.0.0/0.0.0.0
Destination Virtual System   root
Next Hop                     1.1.1.254
Interface                    -

4. Repeat the preceding step and configure a static route to the users of VSYSA.

Source Virtual System        root
Destination Address/Mask     10.3.0.0/255.255.255.0
Destination Virtual System   vsysa
Next Hop                     -
Interface                    -

5. Choose Network > Interface.


6. Click the edit icon next to the Virtualif0 interface and add the interface to the Trust zone.
7. Choose Policy > Security Policy > Security Policy.
8. Click Add and configure a security policy as follows:

Name                         vsys_to_internet
Source Zone                  trust
Destination Zone             untrust
Source Address/Region        any
Destination Address/Region   any
Action                       Permit

----End

7.5.5 Enabling Communication Between Virtual Systems


This section describes how to configure routes and security policies for the communication
between two virtual systems.

Context
As shown in Figure 7-14, users connected to VSYSA must use the root system to access the
server connected to VSYSB. The root system acts as a router that connects both virtual systems
and forwards packets from one virtual system to the other.

Before the configuration, you are advised to read Communication Between Two Virtual
Systems and learn about the mechanism for the communication between two virtual systems.


Figure 7-14 Communication between virtual systems

[Figure: within the NGFW, network 10.3.0.0/24 -- GE1/0/3 (10.3.0.1/24, Trust zone) -- VSYSA -- virtual interface -- root -- virtual interface -- VSYSB -- GE1/0/4 (10.3.1.1/24, Trust zone) -- network 10.3.1.0/24 with server 10.3.1.3]

Procedure
Step 1 Configure the routes for the communication between VSYSA and VSYSB on the root system.
NOTE

The root system only forwards packets between virtual systems based on the routing table and does not
implement any security functions. Therefore, you do not need to configure any security policies in the root
system.
1. Select root in the Virtual System drop-down list at the upper right corner of the page to
access the root system.
2. Choose Network > Router > Static Route.
3. Click Add and configure a static route to VSYSB as follows:

Source Virtual System        root
Destination Address/Mask     10.3.1.0/255.255.255.0
Destination Virtual System   vsysb
Next Hop                     -
Interface                    -

NOTE

An inter-virtual system static route has the destination virtual system specified to guide packet forwarding
for the source virtual system. The packets destined for the destination address are sent from the source
virtual system to the destination virtual system for route searching and packet forwarding.
Inter-virtual system static routes do not have next hops specified.
4. Repeat the preceding step and configure a static route to the users of VSYSA.

Source Virtual System        root
Destination Address/Mask     10.3.0.0/255.255.255.0
Destination Virtual System   vsysa
Next Hop                     -
Interface                    -

Step 2 Configure routes and security policies on VSYSA.


1. Select vsysa in the Virtual System drop-down list at the upper right corner of the page to
access VSYSA.
2. Choose Network > Router > Static Route.
3. Click Add and configure a static route to the server on VSYSB as follows:
NOTE

VSYSA traffic must be transited through the root system. Therefore, the destination virtual system of the
static route must be the root system.

Source Virtual System        vsysa
Destination Address/Mask     10.3.1.3/255.255.255.255
Destination Virtual System   root
Next Hop                     -
Interface                    -

4. Choose Network > Interface.

5. Click the edit icon next to the Virtualif1 interface and add the interface to the Untrust zone.
NOTE

The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore, in
actual configurations, the interface might not be Virtualif1. You can view the mapping between the virtual
system and virtual interface in Interface List.
6. Choose Policy > Security Policy > Security Policy.
7. Click Add and configure a security policy as follows:

Name                         to_server
Source Zone                  trust
Destination Zone             untrust
Source Address/Region        10.3.0.0/24
Destination Address/Region   10.3.1.3/32
Action                       Permit

Step 3 Configure routes and security policies on VSYSB.


1. Select vsysb in the Virtual System drop-down list at the upper right corner of the page to
access VSYSB.
2. Choose Network > Router > Static Route.
3. Click Add and configure a static route to the users of VSYSA:
NOTE

VSYSB traffic must be transited through the root system. Therefore, the destination virtual system of the
static route must be the root system.

Source Virtual System        vsysb
Destination Address/Mask     10.3.0.0/255.255.255.0
Destination Virtual System   root
Next Hop                     -
Interface                    -

4. Choose Network > Interface.


5. Click the edit icon next to the Virtualif2 interface and add the interface to the Untrust zone.
6. Choose Policy > Security Policy > Security Policy.
7. Click Add and configure a security policy as follows:

Name                         vsysa_to_server
Source Zone                  untrust
Destination Zone             trust
Source Address/Region        10.3.0.0/24
Destination Address/Region   10.3.1.3/32
Action                       Permit

----End


7.5.6 Creating a Virtual System Administrator


This section describes how to configure a virtual system administrator, the login method for the
configured administrator, and the interface used by the administrator to log in to the virtual
system.

Context
Once a virtual system is created, the root system administrator can configure one or more
administrators for the virtual system. You can log in to and manage the virtual system using the
accounts of these administrators. The root system administrator can create system administrators
for a virtual system only on the configuration page of the virtual system. The method for creating
a virtual system administrator is the same as that for creating a root system administrator.

Data Planning
Item               Data
Administrator      User name: admin@@vsysa
                   Authentication type: Local authentication
                   Password: Vsysadmin@123
                   Role: System administrator
                   Trusted hosts: 10.3.0.99/32 and 10.3.0.100/32
Login interface    Interface: GE1/0/3
                   Security zone: Trust
                   IP address: 10.3.0.1/24
                   Virtual system: VSYSA
                   NOTE
                   The login interface allocated for the login to the virtual system can be
                   one of the interfaces that belong to the root system.
Login method       HTTPS

NOTE

The following assumes that VSYSA has already been created and interface GE1/0/3 has already been allocated
for the virtual system as the login interface.

Procedure
Step 1 Create a virtual system administrator.
1. Select vsysa in the Virtual System drop-down list at the upper right corner of the page to
access VSYSA.
2. Choose System > Administrator > Administrator.
3. Click Add and set the parameters.


NOTE

The name of a virtual system administrator must be suffixed with @@Virtual system name.
If a third-party authentication server is used to authenticate the virtual system administrator, the user name
configured on the authentication server does not need to carry the suffix "@@virtual system name". For
example, if the authentication server needs to authenticate administrator admin@@vsysa of virtual system
VSYSA, configure user name admin on the authentication server.
NOTE

Trusted hosts are the IP addresses of the hosts that are allowed to log in to the virtual system. If the IP
address of the administrator PC is fixed, add the IP address as a trusted host so that only that PC can log in
with the account. If the IP address of the administrator PC is dynamically allocated, do not configure any
trusted hosts; otherwise, the administrator may fail to log in when the IP address of the PC changes. Note that
an account without trusted hosts accepts login attempts from any host that can reach the login interface, so
where possible give the administrator PC a fixed address (for example, a DHCP reservation) and configure
trusted hosts.

Step 2 Configure the login interface.


1. Choose Network > Interface.
2. Click the edit icon next to GE1/0/3 and configure the necessary parameters.


NOTE

Select HTTPS in Access management so that the virtual system administrator can log in to the Web UI
over HTTPS. HTTP is also available, but it carries the administrator's credentials and session in cleartext,
so select HTTPS. Select Ping so that the interface can be pinged to test the connectivity between the
administrator PC and the login interface.

Step 3 Enable HTTPS.


1. Select root in the Virtual System drop-down list at the upper right corner of the page to
access the root system.
2. Choose System > Administrator > Settings and check whether the HTTPS service is
enabled. If the HTTPS service is disabled, configure a port number and enable the HTTPS
service.
3. Click Apply.

Step 4 To apply the configuration, click Save at the upper right corner of the page. Then click OK in
the dialog box that is displayed.

----End

Follow-up Procedure
After the configuration is complete, you can log in to the virtual system as the virtual system
administrator as follows:

1. Open a browser and enter https://10.3.0.1:Port number. Port number indicates the port
number specified when you enable the HTTPS service.
NOTE
The browser may display a certificate error page because the NGFW presents a default certificate that the
browser does not trust. Before continuing, verify that the certificate shown is the one configured on the
device, or import a certificate issued by a CA that the browser trusts. Accepting an unverified certificate
exposes the administrator password to a man-in-the-middle on the path to the login interface.


2. On the login page, enter the user name (admin@@vsysa) and password
(Vsysadmin@123) of the virtual system administrator and click Login to log in to the
virtual system.

7.6 Deploying a Virtual System Using the CLI


This section describes how to deploy a virtual system using the CLI as a root system
administrator.

7.6.1 Enabling the Virtual System Function


This section describes how to enable the virtual system function. You can configure resource
classes and create virtual systems only after the virtual system function is enabled.

Procedure
Step 1 Access the system view and run the following command to enable the virtual system function.
vsys enable

----End

Changes to the CLI


After the virtual system function is enabled, the CLI changes in the following ways:
l All commands related to the virtual system function become available.
l The virtual system view becomes available, so the root system administrator can run switch
vsys to access and configure a virtual system:
<NGFW> system-view
[NGFW] switch vsys vsysa    //vsysa is an existing virtual system
[NGFW-vsysa]

7.6.2 Configuring a Resource Class


This section describes how to configure a resource class. You are advised to configure resource
classes before creating any virtual system.

Context
All virtual systems created on an NGFW share the resources available on the NGFW. To ensure
the availability of system resources for all virtual systems and prevent any one virtual system from
overusing system resources, restrict the amount of system resources available for each virtual
system.

To do so, add a resource class, configure the system resources available for the resource class,
and bind the resource class to the virtual system.

NOTE

A resource class can be bound to multiple virtual systems. If multiple virtual systems require the same type
and amount of system resources, configure a single resource class and bind it to each of these virtual
systems. Because guaranteed resources are exclusive to a virtual system, the guaranteed amounts in the class
are reserved separately for each virtual system it is bound to.

Procedure
Step 1 Run the following command to check resource usage.

display resource global-resource [ resource-item { bandwidth-ingress | online-user | policy | security-group | session | session-rate | user | user-group | dhcps-dynamic-lease | dhcps-static-lease } ]

Check the available resources as the root system administrator before allocating resources to
virtual systems.

The following is a sample output of the display resource global-resource command:
<NGFW> display resource global-resource
Global resource table:
------------------------------------------------------------
                     Global-Num   Remain-Num   RemUse-Num
session                 3000000      3000000            1
policy                    15000        15000           18
online-user                4000         4000            0
user                       4000         4000           17
user-group                  512          512           14
security-group             5000         5000            4
bandwidth-ingress      10000000     10000000            0
ssl-vpn-concurrent          500          500            0
session-rate              30000        30000            0
dhcps-dynamic-lease       15000        15000          100
dhcps-static-lease         5000         5000            0
------------------------------------------------------------

l Global-Num: Total number of resources.
l Remain-Num: Number of resources reserved on the root system, which equals the total number of
resources minus the number of resources allocated to virtual systems.
l RemUse-Num: Number of resources used by the root system.

Number of available resources = Number of resources reserved on the root system (Remain-Num)
- Number of resources used by the root system (RemUse-Num)

The guaranteed amount of a resource allocated to a virtual system must not exceed the number of
available resources.

Step 2 In the system view, run the following command to create a resource class and access the resource
class view.

resource-class resource-class-name

Step 3 Configure the guaranteed and maximum amount of resources available for a virtual system.

NOTE

l Guaranteed value: Minimum amount of a specified resource item available for a virtual system. Once the
resources are allocated to a virtual system, they are used exclusively by that virtual system.
l Maximum value: Maximum amount of a specified resource item available for a virtual system. Whether
the resources used by a virtual system can reach the maximum amount depends on the resources used by
other virtual systems.

Run the commands for the resource items to be limited:

Guaranteed and maximum number of sessions:
resource-item-limit session { reserved-number session-reserved-number | maximum session-maximum-number } *

Maximum rate of new sessions:
resource-item-limit session-rate maximum session-rate-maximum-number

Guaranteed quota of policies:
resource-item-limit policy reserved-number policy-reserved-number
NOTE
The policy quota covers security policies, NAT policies, bandwidth policies, authentication policies, audit
policies, and routing policies.

Guaranteed and maximum number of online users:
resource-item-limit online-user { reserved-number online-user-reserved-number | maximum online-user-maximum-number } *

Guaranteed number of concurrent SSL VPN users:
resource-item-limit ssl-vpn-concurrent reserved-number ssl-vpn-concurrent-reserved-number

Guaranteed quota of users:
resource-item-limit user reserved-number user-reserved-number

Guaranteed quota of user groups:
resource-item-limit user-group reserved-number user-group-reserved-number

Guaranteed quota of security groups:
resource-item-limit security-group reserved-number security-group-reserved-number

Maximum upstream bandwidth:
resource-item-limit bandwidth-ingress maximum bandwidth-ingress-maximum-number
NOTE
The maximum bandwidth is the upper limit of the total upstream bandwidth of all interfaces of the virtual
system, including virtual interfaces.

Guaranteed and maximum numbers of DHCP dynamic address leases:
resource-item-limit dhcps-dynamic-lease { reserved-number dhcps-dynamic-lease-reserved-number | maximum dhcps-dynamic-lease-maximum-number }
NOTE
DHCP dynamic address leases support only IPv4 addresses.

Guaranteed number of DHCP static address leases:
resource-item-limit dhcps-static-lease reserved-number dhcps-static-lease-reserved-number
NOTE
DHCP static address leases support only IPv4 addresses.

----End

Follow-up Procedure
To rename a created resource class, run rename in the resource class view.
<NGFW> system-view
[NGFW] resource-class r1
[NGFW-resource-class-r1] rename r2
[NGFW-resource-class-r2]
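The check in Step 1 and the commands in Step 3 can be scripted so that a resource plan is validated before anything is typed on the device. The following Python is an added example, not a Huawei tool: it parses the sample display resource global-resource output from Step 1 (reproduced here as a constructed string), computes the available amount of each item as Remain-Num minus RemUse-Num, validates a planned set of resource classes against it, and prints the resource-class commands. The validation applies the rules stated in this section: a guaranteed amount is reserved once per virtual system the class is bound to (since guaranteed resources are exclusive to each virtual system), a maximum may not be lower than the guaranteed amount or higher than Global-Num, and each item accepts only the keywords listed in Step 3. The plan itself, the class name r1 and its binding to vsysa and vsysb are assumptions for illustration.

```python
"""Plan virtual-system resource classes against the free pool reported by
'display resource global-resource'. Added example, not a Huawei tool."""
import re

# Constructed sample: the command output reproduced from Step 1 of the guide.
SAMPLE_OUTPUT = """\
<NGFW> display resource global-resource
Global resource table:
------------------------------------------------------------
                     Global-Num   Remain-Num   RemUse-Num
session                 3000000      3000000            1
policy                    15000        15000           18
online-user                4000         4000            0
user                       4000         4000           17
user-group                  512          512           14
security-group             5000         5000            4
bandwidth-ingress      10000000     10000000            0
ssl-vpn-concurrent          500          500            0
session-rate              30000        30000            0
dhcps-dynamic-lease       15000        15000          100
dhcps-static-lease         5000         5000            0
------------------------------------------------------------
"""

# Keywords each item accepts in 'resource-item-limit', per the list in Step 3.
SUPPORTED = {
    "session": {"reserved-number", "maximum"},
    "session-rate": {"maximum"},
    "policy": {"reserved-number"},
    "online-user": {"reserved-number", "maximum"},
    "ssl-vpn-concurrent": {"reserved-number"},
    "user": {"reserved-number"},
    "user-group": {"reserved-number"},
    "security-group": {"reserved-number"},
    "bandwidth-ingress": {"maximum"},
    "dhcps-dynamic-lease": {"reserved-number", "maximum"},
    "dhcps-static-lease": {"reserved-number"},
}

# Assumed plan: one class bound to two virtual systems.
PLAN = {
    "r1": {
        "bind": ["vsysa", "vsysb"],
        "quotas": {
            "session": {"reserved-number": 100000, "maximum": 200000},
            "policy": {"reserved-number": 500},
            "session-rate": {"maximum": 5000},
            "bandwidth-ingress": {"maximum": 100000},
        },
    },
}

ROW = re.compile(r"^([a-z][a-z0-9-]*)\s+(\d+)\s+(\d+)\s+(\d+)$")


def parse_global_resource(text):
    """Return {item: (Global-Num, Remain-Num, RemUse-Num)} from the command output."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            table[m.group(1)] = tuple(int(v) for v in m.groups()[1:])
    return table


def available(table):
    """Available = Remain-Num - RemUse-Num, as Step 1 defines it."""
    return {item: remain - remuse for item, (_total, remain, remuse) in table.items()}


def check_plan(table, plan):
    """Return a list of problems; an empty list means the plan fits the device."""
    problems, free, reserved_total = [], available(table), {}
    for cls, spec in plan.items():
        bindings = len(spec["bind"])
        for item, kw in spec["quotas"].items():
            if item not in SUPPORTED:
                problems.append(f"{cls}: unknown resource item {item}")
                continue
            unsupported = set(kw) - SUPPORTED[item]
            if unsupported:
                problems.append(f"{cls}: {item} does not accept {sorted(unsupported)}")
                continue
            reserved, maximum = kw.get("reserved-number"), kw.get("maximum")
            if reserved is not None and maximum is not None and maximum < reserved:
                problems.append(f"{cls}: {item} maximum {maximum} is below reserved {reserved}")
            if maximum is not None and item in table and maximum > table[item][0]:
                problems.append(f"{cls}: {item} maximum {maximum} exceeds Global-Num {table[item][0]}")
            if reserved is not None:
                # A guaranteed amount is reserved separately for every vsys the class is bound to.
                reserved_total[item] = reserved_total.get(item, 0) + reserved * bindings
    for item, total in reserved_total.items():
        if item in free and total > free[item]:
            problems.append(f"{item}: reserved {total} over all virtual systems exceeds available {free[item]}")
    return problems


def render_class(name, quotas):
    """Emit the commands that create the class in the system view."""
    lines = [f"resource-class {name}"]
    for item, kw in quotas.items():
        parts = [f"resource-item-limit {item}"]
        for key in ("reserved-number", "maximum"):
            if key in kw:
                parts.append(f"{key} {kw[key]}")
        lines.append(" ".join(parts))
    lines.append("quit")
    return lines


if __name__ == "__main__":
    table = parse_global_resource(SAMPLE_OUTPUT)
    for problem in check_plan(table, PLAN) or ["plan fits the available resources"]:
        print(problem)
    for cls, spec in PLAN.items():
        print("\n".join(render_class(cls, spec["quotas"])))
```

Run it against the output of your own device instead of SAMPLE_OUTPUT before creating the classes; a non-empty problem list means the guaranteed amounts would not fit, and the device will reject the bindings or leave the root system short of resources.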

7.6.3 Creating a Virtual System and Allocating Resources


This section describes how to create a virtual system and allocate resources to it.

Context
A resource class must be bound to a virtual system to allocate resources to it, such as the policy and
concurrent-session quotas.
In addition, interfaces and VLANs must be allocated as required after the virtual system has been
created.

Procedure
Step 1 Run the following command in the system view to create a virtual system and access the
management view of the virtual system.
vsys name vsys-name
Step 2 Optional: Run the following command to configure the description of a virtual system.
description description
The description should state the function of the virtual system so that virtual systems can be
identified easily.
Step 3 Bind a resource class to the virtual system.
assign resource-class resource-class-name
Step 4 Allocate interfaces or VLANs for the added virtual system.
l Run the following command to allocate interfaces for the added virtual system.
assign interface interface-type interface-number
The interface must be an available Layer-3 Ethernet interface or Layer-3 Ethernet
subinterface.
l Run the following command to allocate the VLAN to the added virtual system.
assign vlan vlan-id


The Layer-2 interface or VLANIF interfaces of the VLAN are also available for the virtual
system.
Step 5 Save the current configuration in the user view.
save [ configuration-file ]
You are advised to save the current configuration after the virtual system is created.
----End

Follow-up Procedure
After configurations are complete, perform the following:
l Run the display vsys [ vsys-name ] [ verbose ] command to view the configuration of the
created virtual system.
l Run the display resource resource-usage vsys vsys-name command to view the resources
used by the virtual system.
l Run the switch vsys vsys-name command in the system view to access the virtual system
view and configure services on the virtual system.
l Run the undo vsys name vsys-name command in the system view to delete a virtual system.
All configurations of the deleted virtual system are cleared, and all resources allocated to
the virtual system are reclaimed.

7.6.4 Enabling Communication Between a Virtual System and the Root System
This section describes how to configure routes and security policies for the communication
between a virtual system and the root system.

Context
To enable the communication between the virtual system and root system, you need to correctly
configure the routes and security policies on the virtual system and root system, just as on two
physical devices.
Before the actual configuration, you are advised to read Communication between a virtual
system and the root system and learn about the mechanism for the communication between a
virtual system and the root system.
As shown in Figure 7-15, routes and security policies must be configured to enable the users of
VSYSA to access the Internet server at IP address 3.3.3.3 through public interface GE1/0/1 of
the root system.

Figure 7-15 Communication between a virtual system and the root system
(Topology: VSYSA, Trust zone, GE1/0/3 10.3.0.1/24 connecting network 10.3.0.0/24; VSYSA and the root
system are connected by a virtual interface; root system, Untrust zone, GE1/0/1 1.1.1.1/24 connecting to
ISP gateway 1.1.1.254 and Internet server 3.3.3.3.)


Procedure
Step 1 Configure routes and security policies on VSYSA.
# Access the VSYSA view.
<NGFW> system-view
[NGFW] switch vsys vsysa

# Configure a static route to the server on the Internet.

NOTE

Users connected to VSYSA access the Internet through the public interface of the root system. Therefore, the
destination VPN of the static route must be the VPN instance named public of the root system.
[NGFW-vsysa] ip route-static 3.3.3.3 32 public

# Add virtual interface Virtualif1 of VSYSA to the Untrust zone.

NOTE

The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore, the actual
interface may not be Virtualif1. To view the virtual interface of the virtual system, run display interface
brief.
[NGFW-vsysa] firewall zone untrust
[NGFW-vsysa-zone-untrust] add interface Virtualif1
[NGFW-vsysa-zone-untrust] quit

# Configure the policies for users of VSYSA to access the server on the Internet.
[NGFW-vsysa] security-policy
[NGFW-vsysa-policy-security] rule name to_internet
[NGFW-vsysa-policy-security-rule-to_internet] source-zone trust
[NGFW-vsysa-policy-security-rule-to_internet] destination-zone untrust
[NGFW-vsysa-policy-security-rule-to_internet] source-address 10.3.0.0 24
[NGFW-vsysa-policy-security-rule-to_internet] destination-address 3.3.3.3 32
[NGFW-vsysa-policy-security-rule-to_internet] action permit
[NGFW-vsysa-policy-security-rule-to_internet] quit
[NGFW-vsysa-policy-security] quit

Step 2 Configure routes and security policies on the root system.


# Return to the system view of the root system.
[NGFW-vsysa] quit

# Configure a static route to the Internet server 3.3.3.3 with next hop 1.1.1.254 (the ISP gateway).
[NGFW] ip route-static 3.3.3.3 32 1.1.1.254

# Configure a static route to users of VSYSA.

NOTE

After a virtual system is created, the NGFW creates a VPN instance of the same name for the virtual system.
When configuring the static route to a specified virtual system, set the destination VPN of the static route to the
VPN instance corresponding to the virtual system.
[NGFW] ip route-static 10.3.0.0 24 vpn-instance vsysa

# Add virtual interface Virtualif0 of the root system to the Trust zone.
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface Virtualif0
[NGFW-zone-trust] quit


# Configure the policy for users of VSYSA to access the server on the Internet. In the root system the
# traffic arrives through Virtualif0 (Trust) and leaves through GE1/0/1 (Untrust). This rule is deliberately
# broad; the per-user control is the policy configured in VSYSA.
[NGFW] security-policy
[NGFW-policy-security] rule name vsysa_to_internet
[NGFW-policy-security-rule-vsysa_to_internet] source-zone trust
[NGFW-policy-security-rule-vsysa_to_internet] destination-zone untrust
[NGFW-policy-security-rule-vsysa_to_internet] source-address any
[NGFW-policy-security-rule-vsysa_to_internet] destination-address any
[NGFW-policy-security-rule-vsysa_to_internet] action permit
[NGFW-policy-security-rule-vsysa_to_internet] quit
[NGFW-policy-security] quit

----End

7.6.5 Enabling Communication Between Virtual Systems


This section describes how to configure routes and security policies for the communication
between two virtual systems.

Context
As shown in Figure 7-16, users of virtual system VSYSA must use the root system to access
the server connected to virtual system VSYSB. The root system acts as a router that connects
both virtual systems and forwards packets from one virtual system to the other.

Before the configuration, you are advised to read Communication Between Two Virtual
Systems and learn about the mechanism for the communication between two virtual systems.

Figure 7-16 Communication between virtual systems
(Topology: VSYSA, Trust zone, GE1/0/3 10.3.0.1/24 connecting network 10.3.0.0/24; VSYSB, Trust zone,
GE1/0/4 10.3.1.1/24 connecting network 10.3.1.0/24 with the server 10.3.1.3; each virtual system is
connected to the root system by a virtual interface.)

Procedure
Step 1 Configure the routes for the communication between virtual systems VSYSA and VSYSB on
the root system.
NOTE

The root system only forwards packets between virtual systems based on its routing table and does not apply
security policies to them, so no security policy is needed on the root system. Each virtual system therefore
enforces its own policy on traffic between virtual systems: the traffic must be permitted both by the policy of
the source virtual system (Trust to Untrust) and by the policy of the destination virtual system (Untrust to
Trust).

# Configure a static route to users of VSYSA.


NOTE

After a virtual system is created, the NGFW creates a VPN instance of the same name for the virtual system.
When configuring the static route to a specified virtual system, set the destination VPN of the static route to the
VPN instance corresponding to the virtual system.
<NGFW> system-view
[NGFW] ip route-static 10.3.0.0 24 vpn-instance vsysa

# Configure a static route to users of VSYSB.


[NGFW] ip route-static 10.3.1.0 24 vpn-instance vsysb

Step 2 Configure routes and security policies on VSYSA.

# Access the VSYSA view.


<NGFW> system-view
[NGFW] switch vsys vsysa

# Configure a static route to the server connected to VSYSB.

NOTE

The traffic destined for VSYSB passes the root system. Therefore, configure the destination VPN of the static
route to the VPN instance named public of the root system.
[NGFW-vsysa] ip route-static 10.3.1.3 32 public

# Configure a static route to users of VSYSA with interface GE1/0/3 as the outgoing interface.
[NGFW-vsysa] ip route-static 10.3.0.0 24 GigabitEthernet 1/0/3

# Add virtual interface Virtualif1 of VSYSA to the Untrust zone.

NOTE

The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore, the actual
interface may not be Virtualif1. To view the virtual interface of the virtual system, run display interface
brief.
[NGFW-vsysa] firewall zone untrust
[NGFW-vsysa-zone-untrust] add interface Virtualif1
[NGFW-vsysa-zone-untrust] quit

# Configure the policy for users of VSYSA to access the server connected to VSYSB.
[NGFW-vsysa] security-policy
[NGFW-vsysa-policy-security] rule name to_server
[NGFW-vsysa-policy-security-rule-to_server] source-zone trust
[NGFW-vsysa-policy-security-rule-to_server] destination-zone untrust
[NGFW-vsysa-policy-security-rule-to_server] source-address 10.3.0.0 24
[NGFW-vsysa-policy-security-rule-to_server] destination-address 10.3.1.3 32
[NGFW-vsysa-policy-security-rule-to_server] action permit
[NGFW-vsysa-policy-security-rule-to_server] quit
[NGFW-vsysa-policy-security] quit

Step 3 Configure routes and security policies on VSYSB.

# Access the VSYSB view.


[NGFW-vsysa] quit
[NGFW] switch vsys vsysb

# Configure a static route to the server connected to VSYSB with interface GE1/0/4 as the
outgoing interface.
[NGFW-vsysb] ip route-static 10.3.1.0 24 GigabitEthernet 1/0/4


# Configure a static route to users of VSYSA.

NOTE

The traffic destined for VSYSA passes the root system. Therefore, configure the destination VPN of the static
route to the VPN instance named public of the root system.
[NGFW-vsysb] ip route-static 10.3.0.0 24 public

# Add virtual interface Virtualif2 of VSYSB to the Untrust zone.


[NGFW-vsysb] firewall zone untrust
[NGFW-vsysb-zone-untrust] add interface Virtualif2
[NGFW-vsysb-zone-untrust] quit

# Configure the policy for users of VSYSA to access the server connected to VSYSB. The traffic enters VSYSB
# through Virtualif2 (Untrust), so the rule is from Untrust to Trust.
[NGFW-vsysb] security-policy
[NGFW-vsysb-policy-security] rule name vsysa_to_server
[NGFW-vsysb-policy-security-rule-vsysa_to_server] source-zone untrust
[NGFW-vsysb-policy-security-rule-vsysa_to_server] destination-zone trust
[NGFW-vsysb-policy-security-rule-vsysa_to_server] source-address 10.3.0.0 24
[NGFW-vsysb-policy-security-rule-vsysa_to_server] destination-address 10.3.1.3 32
[NGFW-vsysb-policy-security-rule-vsysa_to_server] action permit
[NGFW-vsysb-policy-security-rule-vsysa_to_server] quit
[NGFW-vsysb-policy-security] quit

----End
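Sections 7.6.4 and 7.6.5 describe one forwarding mechanism: a packet leaves a virtual system through its virtual interface when its route points to public, the root system hands it to another virtual system when the route points to the vpn-instance of that system, and every system whose security policy applies on the path must permit it. The following Python models that path with the routes, zones and policy rules from both sections, so that a planned rule set can be checked before it is configured and a hop with a missing rule shows up as the point where the packet is dropped. It is an added example, not Huawei code. The zone lookup by address (a real device classifies by ingress and egress interface), the default deny applied when no rule matches, and the addresses 10.3.0.5 and 8.8.8.8 used in the traces are assumptions.

```python
"""Trace a packet through the virtual-system forwarding model of 7.6.4 and
7.6.5 and report the policy that must permit it at each hop. Added example,
not Huawei code; the tables are constructed from the two sections."""
import ipaddress

# Routes per system, longest prefix wins. Next hop "public" hands the packet to
# the root system over the virtual interface; "vpn-instance:<vsys>" hands it
# from the root system to that virtual system; anything else is an egress.
ROUTES = {
    "root":  [("10.3.0.0/24", "vpn-instance:vsysa"), ("10.3.1.0/24", "vpn-instance:vsysb"),
              ("3.3.3.3/32", "GE1/0/1 via 1.1.1.254")],
    "vsysa": [("10.3.0.0/24", "GE1/0/3"), ("10.3.1.3/32", "public"), ("3.3.3.3/32", "public")],
    "vsysb": [("10.3.1.0/24", "GE1/0/4"), ("10.3.0.0/24", "public")],
}

# Zone behind each prefix (assumption: zones keyed by address; the device keys
# them by interface). The virtual interface is in Untrust on each vsys and in
# Trust on the root system, as configured in the two sections.
ZONES = {
    "root":  {"10.3.0.0/24": "trust", "10.3.1.0/24": "trust", "0.0.0.0/0": "untrust"},
    "vsysa": {"10.3.0.0/24": "trust", "0.0.0.0/0": "untrust"},
    "vsysb": {"10.3.1.0/24": "trust", "0.0.0.0/0": "untrust"},
}

# Security policies: (name, source zone, destination zone, source, destination, action).
POLICIES = {
    "root":  [("vsysa_to_internet", "trust", "untrust", "0.0.0.0/0", "0.0.0.0/0", "permit")],
    "vsysa": [("to_internet", "trust", "untrust", "10.3.0.0/24", "3.3.3.3/32", "permit"),
              ("to_server", "trust", "untrust", "10.3.0.0/24", "10.3.1.3/32", "permit")],
    "vsysb": [("vsysa_to_server", "untrust", "trust", "10.3.0.0/24", "10.3.1.3/32", "permit")],
}


def _longest(entries, addr):
    """Longest-prefix match over (prefix, value) pairs; None if nothing matches."""
    best = None
    for prefix, value in entries:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return None if best is None else best[1]


def first_match(system, src, dst, policies):
    """First rule whose zones and addresses match; no match is the default deny (assumption)."""
    src_zone = _longest(ZONES[system].items(), src)
    dst_zone = _longest(ZONES[system].items(), dst)
    for name, s_zone, d_zone, s_net, d_net, action in policies[system]:
        if (s_zone, d_zone) == (src_zone, dst_zone) and src in ipaddress.ip_network(s_net) \
                and dst in ipaddress.ip_network(d_net):
            return name, action
    return "(default)", "deny"


def trace(src, dst, start, policies=POLICIES):
    """Return [(system, rule or event, result), ...] for a packet from src to dst entering at start."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    hops, system, from_vsys = [], start, False
    for _ in range(4):  # vsys -> root -> vsys is the longest path
        nexthop = _longest(ROUTES[system], dst)
        if nexthop is None:
            hops.append((system, "no route", "drop"))
            return hops
        to_vsys = nexthop.startswith("vpn-instance:")
        if system == "root" and from_vsys and to_vsys:
            # 7.6.5: the root system only routes between virtual systems; no policy applies.
            hops.append(("root", "forward between virtual systems", "no policy"))
        else:
            name, action = first_match(system, src, dst, policies)
            hops.append((system, name, action))
            if action != "permit":
                return hops
        if nexthop == "public":
            system, from_vsys = "root", True
        elif to_vsys:
            system, from_vsys = nexthop.split(":", 1)[1], False
        else:
            hops.append((system, f"out {nexthop}", "delivered"))
            return hops
    return hops


if __name__ == "__main__":
    for hop in trace("10.3.0.5", "10.3.1.3", "vsysa"):
        print(*hop, sep="  ")
```

Removing the vsysa_to_server rule from VSYSB in POLICIES makes the same trace end with a deny at the vsysb hop even though VSYSA permits the traffic and the root system forwards it, which is the point of the note in Step 1 above: each virtual system must permit the traffic on its own.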

7.6.6 Creating a Virtual System Administrator


This section describes how to configure a virtual system administrator, the login method for the
configured administrator, and the interface for the administrator to log in to the virtual system
using the CLI.

Context
Once a virtual system is created, the root system administrator can configure one or more
administrators for the virtual system. You can log in to and manage the virtual system using the
accounts of these administrators. The root system administrator can create administrators
for a virtual system only in the view of that virtual system. The method for creating
a virtual system administrator is the same as that for creating a root system administrator.

Data Planning
Item             Data
Administrator    User name: admin@@vsysa
                 Authentication type: Local authentication
                 Password: Vsysadmin@123
                 Role: System administrator
                 Trusted hosts: 10.3.0.99/32 and 10.3.0.100/32
Login interface  Interface: GE1/0/3
                 Security zone: Trust
                 IP address: 10.3.0.1/24
                 Virtual system: VSYSA
                 NOTE
                 The login interface of the virtual system is one of the interfaces of the root
                 system, allocated to the virtual system by the root system administrator.
Login method     Telnet
                 NOTICE
                 Telnet login is not secure: the user name, password, and the whole session are sent
                 in cleartext. You are advised to log in to the CLI using STelnet.
                 NOTE
                 The NGFW supports login over STelnet. For details, see Example for Logging In to the
                 CLI Using STelnet (Password Authentication) and Example for Logging In to the CLI
                 Using STelnet (RSA Authentication). Note that the local key pair in those two
                 examples can be generated only on the root system; all virtual systems share the
                 root system's key configuration.

NOTE

The following assumes that VSYSA has already been created and interface GE1/0/3 has already been allocated
to the virtual system as the login interface.
If administrators that log in to the CLI using Telnet have already been configured, perform only the operations
in Step 4 through Step 6.

Procedure
Step 1 Enable Telnet.
<NGFW> system-view
[NGFW] telnet server enable

Step 2 Configure the VTY administrator interface.

# Configure five VTY administrator interfaces that support AAA and Telnet and set the level
of the VTY administrator interfaces to 3.
[NGFW] user-interface vty 0 4
[NGFW-ui-vty0-4] authentication-mode aaa
[NGFW-ui-vty0-4] user privilege level 3
[NGFW-ui-vty0-4] quit

NOTE

To ensure that the administrator can log in to the device, set the level of the VTY administrator
interfaces to 3 or higher.

Step 3 Configure the automatic lockout function for failed login attempts.

By default, an account is locked for 30 minutes after three consecutive login failures. In the
following example, the account is locked for 10 minutes after five consecutive login failures.
[NGFW] aaa
[NGFW-aaa] lock-authentication enable


[NGFW-aaa] lock-authentication failed-count 5


[NGFW-aaa] lock-authentication timeout 10

Step 4 Access the VSYSA view.


[NGFW] switch vsys vsysa

Step 5 Create an administrator account.

# Configure a trusted host.


[NGFW-vsysa] acl 2001
[NGFW-vsysa-acl-basic-2001] rule permit source 10.3.0.99 0.0.0.0
[NGFW-vsysa-acl-basic-2001] rule permit source 10.3.0.100 0.0.0.0
[NGFW-vsysa-acl-basic-2001] quit

# Set the administrator account to admin@@vsysa, the administrator level to 3, the login method to
Telnet, and the maximum number of concurrent connections for the account to 5.
[NGFW-vsysa] aaa
[NGFW-vsysa-aaa] manager-user admin@@vsysa
[NGFW-vsysa-aaa-manager-user-admin@@vsysa] password
Enter Password:
Confirm Password:
[NGFW-vsysa-aaa-manager-user-admin@@vsysa] level 3
[NGFW-vsysa-aaa-manager-user-admin@@vsysa] service-type telnet
[NGFW-vsysa-aaa-manager-user-admin@@vsysa] acl-number 2001
[NGFW-vsysa-aaa-manager-user-admin@@vsysa] access-limit 5
[NGFW-vsysa-aaa-manager-user-admin@@vsysa] quit
[NGFW-vsysa-aaa] quit

NOTE

The name of a virtual system administrator must be suffixed with @@Virtual system name.
If a third-party authentication server is used to authenticate the virtual system administrator, the user name
configured on the authentication server does not need to carry the suffix "@@virtual system name". For example,
if the authentication server needs to authenticate administrator admin@@vsysa of virtual system VSYSA,
configure user name admin on the authentication server.
NOTE

To ensure that the administrator can log in to the device properly, set the administrator level to 3 or
higher.
The maximum number of connections for the account must be smaller than the number of online users
configured for the virtual system (the online-user quota of its resource class).

# Associate the administrator with the system administrator role.


[NGFW-vsysa-aaa] bind manager-user admin@@vsysa role system-admin
[NGFW-vsysa-aaa] quit

NOTE

Trusted hosts are the IP addresses of the hosts that are allowed to log in to the virtual system. If the IP address
of the administrator PC is fixed, add the IP address as a trusted host so that the administrator can log in to the
virtual system using the PC. If the IP address of the administrator PC is dynamically allocated, do not configure
any trusted hosts. Otherwise, the administrator may fail to log in to the virtual system if the IP address of the
administrator PC changes.

Step 6 Configure the login interface.

# Configure the interface IP address and interface-based access control so that the administrator can
log in to the device through Telnet on this interface.
[NGFW-vsysa] interface GigabitEthernet 1/0/3
[NGFW-vsysa-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[NGFW-vsysa-GigabitEthernet1/0/3] service-manage enable


[NGFW-vsysa-GigabitEthernet1/0/3] service-manage telnet permit


[NGFW-vsysa-GigabitEthernet1/0/3] quit

# Add the interface to a security zone.


[NGFW-vsysa] firewall zone trust
[NGFW-vsysa-zone-trust] add interface GigabitEthernet1/0/3
[NGFW-vsysa-zone-trust] quit

----End

Follow-up Procedure
After the configuration is complete, the virtual system administrator can log in to the virtual
system as follows:

1. The following uses the Windows operating system as an example. Choose Start > Run.
The Run dialog box is displayed. Then enter telnet 10.3.0.1 in Open.

2. Click OK. The PC starts to connect to the NGFW.


3. Enter admin@@vsysa as the user name and press Enter.
4. Enter Vsysadmin@123 as the password and press Enter to access the CLI of the virtual
system.
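Because the administrator is created at the CLI, the session transcript itself can be audited against the warnings in this section. The following Python is an added example, not Huawei tooling: it reads lines in the prompt-and-command form used in the procedure above, tracks which virtual system and which manager-user each command belongs to, and flags Telnet enabled on the server, a service-type or service-manage setting that permits cleartext login (telnet or http), an administrator created in a virtual system whose name lacks the @@vsys suffix, an account with no trusted-host ACL, and a missing lock-authentication enable. The transcript is constructed from Steps 1 to 6 plus a second account named backup with service-type ssh; that account and the wording of the findings are assumptions.

```python
"""Audit a CLI transcript for the weak administrator settings this section
warns about. Added example, not a Huawei tool."""
import re

# Matches the prompt-and-command lines shown in this guide, e.g.
# "[NGFW-vsysa-aaa] manager-user admin@@vsysa" or "<NGFW> system-view".
PROMPT = re.compile(r"^(?:<NGFW>|\[(?P<view>[^\]]+)\])\s*(?P<cmd>.*)$")

# Management protocols that carry credentials and sessions in cleartext.
CLEARTEXT = {"telnet", "http"}

# Constructed transcript: the commands from Steps 1 to 6 above, plus an assumed
# second account "backup" that uses service-type ssh and has no trusted hosts.
SAMPLE_SESSION = """\
<NGFW> system-view
[NGFW] telnet server enable
[NGFW] user-interface vty 0 4
[NGFW-ui-vty0-4] authentication-mode aaa
[NGFW-ui-vty0-4] user privilege level 3
[NGFW-ui-vty0-4] quit
[NGFW] aaa
[NGFW-aaa] lock-authentication enable
[NGFW-aaa] lock-authentication failed-count 5
[NGFW-aaa] lock-authentication timeout 10
[NGFW-aaa] quit
[NGFW] switch vsys vsysa
[NGFW-vsysa] acl 2001
[NGFW-vsysa-acl-basic-2001] rule permit source 10.3.0.99 0.0.0.0
[NGFW-vsysa-acl-basic-2001] quit
[NGFW-vsysa] aaa
[NGFW-vsysa-aaa] manager-user admin@@vsysa
[NGFW-vsysa-aaa-manager-user-admin@@vsysa] level 3
[NGFW-vsysa-aaa-manager-user-admin@@vsysa] service-type telnet
[NGFW-vsysa-aaa-manager-user-admin@@vsysa] acl-number 2001
[NGFW-vsysa-aaa-manager-user-admin@@vsysa] access-limit 5
[NGFW-vsysa-aaa-manager-user-admin@@vsysa] quit
[NGFW-vsysa-aaa] manager-user backup
[NGFW-vsysa-aaa-manager-user-backup] level 3
[NGFW-vsysa-aaa-manager-user-backup] service-type ssh
[NGFW-vsysa-aaa-manager-user-backup] quit
[NGFW-vsysa-aaa] bind manager-user admin@@vsysa role system-admin
[NGFW-vsysa-aaa] quit
[NGFW-vsysa] interface GigabitEthernet 1/0/3
[NGFW-vsysa-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[NGFW-vsysa-GigabitEthernet1/0/3] service-manage enable
[NGFW-vsysa-GigabitEthernet1/0/3] service-manage telnet permit
[NGFW-vsysa-GigabitEthernet1/0/3] quit
"""


def audit(transcript):
    """Return a list of findings (strings); an empty list means nothing was flagged."""
    findings = []
    vsys = None          # virtual system whose view we are in; None for the root system
    user = None          # manager-user currently being configured
    user_has_acl = False
    lockout = False

    def close_user():
        nonlocal user, user_has_acl
        if user is not None and not user_has_acl:
            findings.append(f"{user}: no acl-number, so any host can attempt to log in")
        user, user_has_acl = None, False

    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if not m or not m.group("cmd").strip():
            continue
        view, cmd = m.group("view") or "", m.group("cmd").split()
        if cmd[:3] == ["telnet", "server", "enable"]:
            findings.append("telnet server enable: Telnet is cleartext; use STelnet instead")
        elif cmd[:2] == ["switch", "vsys"] and len(cmd) > 2:
            vsys = cmd[2]
        elif cmd[0] == "quit" and vsys is not None and view == f"NGFW-{vsys}":
            vsys = None
        elif cmd[:2] == ["lock-authentication", "enable"]:
            lockout = True
        elif cmd[0] == "manager-user" and len(cmd) > 1:
            close_user()
            user = cmd[1]
            if vsys is not None and not user.endswith(f"@@{vsys}"):
                findings.append(f"{user}: virtual system administrator name must end with @@{vsys}")
        elif "manager-user-" in view:
            if cmd[0] == "acl-number":
                user_has_acl = True
            elif cmd[0] == "service-type" and CLEARTEXT & set(cmd[1:]):
                findings.append(f"{user}: service-type permits cleartext login ({' '.join(cmd[1:])})")
            elif cmd[0] == "quit":
                close_user()
        elif cmd[0] == "service-manage" and len(cmd) == 3 and cmd[1] in CLEARTEXT and cmd[2] == "permit":
            findings.append(f"{view}: service-manage {cmd[1]} permit exposes cleartext management")
    close_user()
    if not lockout:
        findings.append("lock-authentication enable missing: no lockout after failed logins")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SESSION):
        print(finding)
```

The same audit can be run over a transcript captured from your own terminal session; the constructed session above produces five findings, and a session that uses STelnet only, gives every account a trusted-host ACL and keeps the lockout enabled produces none.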

7.7 Configuring Virtual System Services


This section describes how to configure services for a virtual system.

Context
As shown in Figure 7-17, each virtual system has independent resources, such as interfaces,
security zones, and user quotas, and acts as a separate device. Configuring services for a virtual
system is the same as configuring services for the root system. However, certain functions may
be restricted by the resource limits of the virtual system and the permissions of virtual system
administrators.


Figure 7-17 Configuring virtual system services
(Topology: VSYSA with three zones: Trust, GE1/0/3 connecting intranet users on 10.3.0.0/24; DMZ, GE1/0/6
connecting 10.2.0.0/24 with FTP server 10.2.0.3/24 and Web server 10.2.0.5/24; Untrust, GE1/0/1 connecting
to the Internet.)

The following procedure covers only the key points and precautions in configuring virtual system
services. For details, see corresponding sections in the administrator guide.

Procedure
Step 1 Access the configuration page of the virtual system.

Virtual system services can be configured by the root system administrator or by a virtual system
administrator. The two access the virtual system in different ways:

l For the root system administrator


– If the Web UI is used
Select a virtual system from the Virtual System drop-down list at the upper right corner,
or
– If the CLI is used
Run the switch vsys vsys-name command in the system view.
l To log in to the virtual system as a virtual system administrator, log in to the Web UI of
the virtual system using a browser or to the CLI using a remote login tool.

Step 2 Configure the service interface.

The key step in the configuration of a service interface is to add the configured interface to a
proper security zone. After interfaces are assigned into proper security zones, the networks
connected to these interfaces are divided. Then, you can configure services specific to security
zones. By default, security zones Trust, Untrust, DMZ, and Local are created on each virtual
system. Plan the security zones on a virtual system by following the same rules that apply to the
root system.


Table 7-3 lists the interface types that may be available on a virtual system and their
configuration descriptions.

Table 7-3 Interface types

Interface Type               Configuration Description
Layer-3 Ethernet interface   Involves the configuration of security zones, IP address, packet rate, and
                             duplex mode. If the interface serves as a login interface for administrators,
                             enable access management.
Layer-2 Ethernet interface   Involves the configuration of security zones.
VLANIF interface             Involves the configuration of security zones and IP addresses. If the interface
                             serves as a login interface for administrators, enable access management.
Ethernet subinterface        Involves the configuration of security zones and IP addresses. If the interface
                             serves as a login interface for administrators, enable access management.
Virtual interface            Involves the configuration of security zones and IP addresses.

NOTE

The root system administrator has already configured an interface before assigning it to a virtual system.
Therefore, these settings are not configurable on the virtual system.

Step 3 Configure a security policy.

In common cases, security policies are required for the following types of traffic:

l Traffic from intranet users in the Trust zone to the Internet in the Untrust zone
l Traffic from intranet users in the Trust zone to the intranet server in the DMZ zone
l Traffic from Internet users in the Untrust zone to the intranet server in the DMZ zone

Each security policy can reference different content security profiles to implement content
security functions, such as antivirus, intrusion prevention, URL filtering, file blocking, content
filtering, application behavior control, and anti-spam.

Step 4 Configure the NAT policy.

If the number of public IP addresses is insufficient, you can configure NAT policies to support
Internet access of intranet users. You can also use NAT policies to hide network topology.

For example, you can configure NAT policies for the virtual system in Figure 7-17 as follows:

l Configure a source NAT policy in the Trust->Untrust interzone so that intranet users can
access the Internet by sharing a few public IP addresses.
l Configure the NAT Server in the Untrust->DMZ interzone so that public network users can
access the server on the intranet.

Step 5 Configure users and authentication.

To implement user-specific access and permission control, create users and add them to different
groups. Then, configure authentication policies for user groups.

For example, as shown in Figure 7-17, you can add the senior executives to one user group and
common employees to another user group and configure different authentication policies for
the two groups. The configurations give senior executives full Internet access without being
authenticated, whereas common employees must be authenticated before obtaining Internet
access.

Step 6 Configure other security functions as required.

Table 7-4 Other security functions for the created virtual system

Function: Configure policy-based routing.
Description: Policy-based routing enables the virtual system to control packet
routing and forwarding. In many scenarios, policy-based routing is used to
specify the outgoing interface or next hop of a traffic flow.

Function: Configure SSL VPN.
Description: SSL VPN allows users to access the resources on the intranet over
the Internet.

Function: Configure traffic policies.
Description: Traffic policies ensure user-specific or application-specific
bandwidth allocation, avoiding network congestion.

Function: Configure anti-DDoS.
Description: Anti-DDoS prevents DDoS attacks, such as SYN, UDP, ICMP, HTTP,
HTTPS, DNS, and SIP flood attacks.

Function: Configure IP/MAC binding.
Description: IP/MAC binding is usually implemented at Layer 2 to prevent IP
spoofing. After IP/MAC binding is configured, only source IP addresses bound
to the source MAC addresses are valid.

Function: Configure blacklists.
Description: After a blacklist is configured, the virtual system discards all
packets that match the blacklist. Compared with security policies, a
blacklist is easier to configure and faster to process.

----End

7.8 Configuration Examples


This section provides examples for configuring virtual systems in multiple application scenarios.

7.8.1 Web Example for Configuring Virtual Systems to Isolate Enterprise
Departments (Layer-3 Access, Virtual Systems Sharing the WAN Interface of
the Root System)
An enterprise may have multiple departments. Each department has its own functions and
responsibilities and requires its own network management policies, which complicates the
configuration. As the egress gateway of the enterprise network, the NGFW uses virtual systems
to manage the departments separately, simplifying the configuration.

Networking Requirements
Medium-sized enterprise A deploys a firewall as the network gateway. The network of this
enterprise is divided into three subnets, one each for the R&D, financial, and administrative
departments. The security policies of the three departments differ and must meet the
following requirements:

l The intranet has only one public IP address and one outside interface. Therefore, all
departments must use the same interface to access the Internet.
l Internet access is granted to all employees of the administrative department, some
employees of the R&D department, but none of the employees of the financial department.
l The three departments have similar traffic volumes and therefore are assigned the same
amount of virtual system resources.

Configure virtual systems to meet the preceding requirements. Figure 7-18 shows the
networking diagram.

Figure 7-18 Networking diagram of network isolation (Layer-3 access, virtual systems sharing
the WAN interface of the root system)

[Figure: the NGFW root system connects to the Internet through GE1/0/1
(1.1.1.1/24). The R&D department (10.3.0.0/24) connects to VSYSA through
GE1/0/3 (10.3.0.1/24, Trust); the financial department (10.3.1.0/24) connects
to VSYSB through GE1/0/4 (10.3.1.1/24, Trust); the administrative department
(10.3.2.0/24) connects to VSYSC through GE1/0/5 (10.3.2.1/24, Trust).]

Data Planning

Item: root
Data:
l Outside interface: GE1/0/1
l Security zone to which the outside interface belongs: Untrust
l Outside interface IP address: 1.1.1.1/24
l Inside interface: virtual interface Virtualif0 of the root system
l Security zone to which the inside interface belongs: Trust
l IP address of the carrier network gateway: 1.1.1.254/24
Description: In the example, all departments must access the Internet from
their own virtual systems through the root system. The departments do not
have overlapping private IP addresses. Therefore, you are advised to configure
the NAT policies on the root system.

Item: VSYSA
Data:
l Virtual system name: VSYSA
l Outside interface: VSYSA's virtual interface
l Security zone to which the outside interface belongs: Untrust
l Inside interface: GE1/0/3
l Inside interface IP address: 10.3.0.1/24
l Private IP address range: 10.3.0.0/24
l Security zone to which the inside interface belongs: Trust
l Administrator: admin@@vsysa
l IP addresses allowed to access the Internet: 10.3.0.2 to 10.3.0.10
Description: -

Item: VSYSB
Data:
l Virtual system name: VSYSB
l Outside interface: VSYSB's virtual interface
l Security zone to which the outside interface belongs: Untrust
l Inside interface: GE1/0/4
l Inside interface IP address: 10.3.1.1/24
l Private IP address range: 10.3.1.0/24
l Security zone to which the inside interface belongs: Trust
l Administrator: admin@@vsysb
Description: -

Item: VSYSC
Data:
l Virtual system name: VSYSC
l Outside interface: VSYSC's virtual interface
l Security zone to which the outside interface belongs: Untrust
l Inside interface: GE1/0/5
l Inside interface IP address: 10.3.2.1/24
l Private IP address range: 10.3.2.0/24
l Security zone to which the inside interface belongs: Trust
l Administrator: admin@@vsysc
Description: -

Item: Resource class
Data:
l Name: r1
l Reserved Number for Session: 10000
l Maximum for Session: 50000
l User: 300
l User Group: 10
l Policy: 300
l Maximum Bandwidth: 100000 kbps
Description: The three departments have similar traffic volumes and therefore
are assigned the same resource class.

Configuration Roadmap
1. The root system administrator creates three virtual systems VSYSA, VSYSB, and VSYSC,
assigns resources, and configures an administrator for each virtual system.
2. The root system administrator configures routes and NAT policies for intranet users to
access the Internet.
3. The administrator of the R&D department logs in to the NGFW to configure IP addresses,
routes, and security policies for VSYSA.
4. The administrator of the financial department logs in to the NGFW to configure IP
addresses, routes, and security policies for VSYSB.
5. The administrator of the administrative department logs in to the NGFW to configure IP
addresses, routes, and security policies for VSYSC.

Procedure
Step 1 The root system administrator creates virtual systems VSYSA, VSYSB, and VSYSC and assigns
resources to them.
1. Use the account of the root system administrator to log in to the NGFW web UI.
2. Select Dashboard. Click Configure of Virtual System in the System Information
dashboard, select Enable of Virtual System, and click Apply.
3. Choose System > Virtual System > Resource Class and click Add. Then set resource
class parameters as follows.

4. Choose System > Virtual System > Virtual System and click Add. Then configure basic
information for VSYSA as follows.

5. Click the Assign Interface tab and click to assign the GE1/0/3 interface to VSYSA.

6. Click Save on the upper right of the panel to save the configurations.
7. Create virtual systems VSYSB and VSYSC by referring to the preceding substeps and
assign the GE1/0/4 interface to VSYSB and the GE1/0/5 interface to VSYSC.

Step 2 The root system administrator configures administrators for virtual systems.
1. Select vsysa from the Virtual System drop-down list in the upper right corner.

2. Choose System > Administrator > Administrator and click Add. Then configure
parameters for VSYSA. The following figure shows the example parameter settings.

3. Configure administrators admin@@vsysb and admin@@vsysc for VSYSB and VSYSC respectively
by referring to the preceding substeps.

Step 3 The root system administrator configures routes, security policies, and NAT policies for intranet
users to access the Internet.
1. Choose Network > Interface and click corresponding to GE1/0/1. Then configure a
security zone and an IP address as follows.

2. Assign Virtualif0 to the Trust zone by referring to the preceding substep.


3. Choose Network > Router > Static Router and click Add. Then configure a static route
as follows.

4. Click Add and configure a static route as follows. This static route is used to divert to
VSYSA the Internet traffic requested by users of VSYSA.

5. Click Add and configure a static route as follows. This static route is used to divert to
VSYSC the Internet traffic requested by users of VSYSC.

6. Choose Policy > Security Policy > Security Policy and click Add. Then configure a
security policy as follows. This security policy allows intranet users to access the Internet.
A virtual system administrator can configure security policies specific to intranet users' IP
addresses. Therefore, the root system administrator does not need to specify IP address
ranges but selects any when configuring a security policy.

7. Choose Policy > NAT Policy > Source NAT > Source NAT and click Add. Then configure
a NAT policy as follows.

Step 4 The administrator of the R&D department configures IP addresses, routes, and security policies
for VSYSA.

1. Use the virtual system administrator account admin@@vsysa to log in to the NGFW web
UI.
2. Choose Network > Interface and click corresponding to the GE1/0/3 interface. Then
configure a security zone and an IP address for the GE1/0/3 interface as follows.

3. Assign Virtualif1 to the Untrust zone by referring to the preceding substep.


NOTE

The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore,
the actual interface may not be Virtualif1. You can view the mapping between virtual systems and
virtual interfaces in Interface List.
4. Choose Network > Router > Static Router and click Add. Then configure a static route
as follows. This static route is used to divert the Internet traffic requested by users of
VSYSA to the root system.

NOTE

For simplicity, this example is based on the assumption that VSYSA only processes the Internet
access of intranet users. Therefore, in this example, Destination Address/Mask is set to
0.0.0.0/0.0.0.0 so that all packets are sent to the root system by default. In real-world configurations,
to ensure correct routing, you must set Destination Address/Mask to a specific IP address range
that is allowed to access the Internet. If the routing configuration is incorrect, the private networks
attached to VSYSA may not communicate with each other.
5. Choose Object > Address > Address and click Add. Then configure IP addresses.

6. Choose Policy > Security Policy > Security Policy and click Add. Then configure a
security policy A as follows. This security policy allows intranet users of a specific network
segment to access the Internet.

7. Configure a security policy B by referring to the preceding substeps, which blocks all the
other intranet users from accessing the Internet. The priority of security policy B is lower
than that of security policy A. Therefore, you do not need to specify IP address ranges for
security policy B but select any.

8. Click Save on the upper right of the panel to save the configurations.
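The NOTE under substep 4 warns that a bare 0.0.0.0/0 route to the root system is only safe when VSYSA carries nothing but Internet-bound traffic. The following Python script is an added example, not Huawei's code and not part of this guide, that performs longest-prefix-match lookups over a constructed routing table mirroring the VSYSA script (a connected route for GE1/0/3 and the default route to public) and reports which private networks the table would hand to the root system. The second R&D subnet 10.3.100.0/24 and the downstream router 10.3.0.254 are assumptions made for the illustration; they do not appear in the example on the page.

```python
"""Longest-prefix-match lookup over a VSYSA-style routing table.

Added example, not Huawei's code. The table mirrors the VSYSA script on this
page: a connected route for GE1/0/3 plus "ip route-static 0.0.0.0 0.0.0.0
public", which hands every other destination to the root system.
"""
import ipaddress
from typing import List, Optional, Tuple

# (destination network, next hop or outgoing interface)
Route = Tuple[ipaddress.IPv4Network, str]

# Constructed routing table for VSYSA as configured on the page.
VSYSA_ROUTES: List[Route] = [
    (ipaddress.ip_network("10.3.0.0/24"), "GigabitEthernet1/0/3"),  # connected route
    (ipaddress.ip_network("0.0.0.0/0"), "public"),                  # default route to the root system
]

# Assumptions for illustration only, not part of the page's example: a second
# R&D subnet behind a downstream router at 10.3.0.254.
EXTRA_PRIVATE_NET = "10.3.100.0/24"
DOWNSTREAM_ROUTER = "10.3.0.254"


def lookup(routes: List[Route], dst: str) -> Optional[str]:
    """Return the next hop of the most specific route that matches dst, or None."""
    ip = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, via in routes:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


def add_route(routes: List[Route], net: str, via: str) -> List[Route]:
    """Return a copy of the table with one more static route. Order is irrelevant
    because lookup() always picks the longest matching prefix."""
    return routes + [(ipaddress.ip_network(net), via)]


def misrouted_private_nets(routes: List[Route], private_nets: List[str]) -> List[str]:
    """Private networks that the table would forward to 'public' (the root
    system, and from there to NAT and the Internet) instead of keeping them
    inside the virtual system. The first host of each network is probed."""
    leaked = []
    for cidr in private_nets:
        net = ipaddress.ip_network(cidr)
        if lookup(routes, str(net.network_address + 1)) == "public":
            leaked.append(cidr)
    return leaked


if __name__ == "__main__":
    nets = ["10.3.0.0/24", EXTRA_PRIVATE_NET]
    print("misrouted with the page's table:", misrouted_private_nets(VSYSA_ROUTES, nets))
    fixed = add_route(VSYSA_ROUTES, EXTRA_PRIVATE_NET, DOWNSTREAM_ROUTER)
    print("misrouted after adding a specific route:", misrouted_private_nets(fixed, nets))
```

With the page's table, 10.3.0.0/24 is kept local by its connected route, but the assumed 10.3.100.0/24 falls through to public and would be source-translated by the root system. Adding a specific static route for that subnet, which is what the NOTE asks for, keeps the traffic inside VSYSA.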

Step 5 The financial department administrator admin@@vsysb and the administrative department
administrator admin@@vsysc log in to the NGFW web UI and configure IP addresses, security
zones, and security policies for VSYSB and VSYSC, respectively.

The configuration is similar to that of the R&D department except for the following:

l The IP address of the inside interface is different.
l You do not need to create an IP address range for the financial department. You only need
to configure a security policy to prevent all IP addresses from accessing the Internet.
l You do not need to create an IP address range for the administrative department. You only
need to configure a security policy to allow all IP addresses to access the Internet.

----End

Verification
l Access the Internet from the administrative department. If the access succeeds, the IP
addresses and security policies of VSYSC and the NAT policy of the root system are correctly
configured.
l Access the Internet from the financial department. If the access fails, the IP addresses and
security policies of VSYSB are correctly configured.
l In the R&D department, access the Internet from a PC that is allowed to access the Internet
and from a PC that is not. If the results are as expected, the IP addresses and security
policies of VSYSA are correctly configured.

Configuration Scripts
Configuration script of the root system

#
sysname NGFW
#
vsys enable
#
resource-class r1
resource-item-limit session reserved-number 10000 maximum 50000
resource-item-limit policy reserved-number 300
resource-item-limit user reserved-number 300
resource-item-limit user-group reserved-number 10
resource-item-limit bandwidth-ingress reserved-number 0 maximum 100000
#
vsys name vsysa 1
assign resource-class r1
assign interface GigabitEthernet1/0/3
#
vsys name vsysb 2
assign resource-class r1
assign interface GigabitEthernet1/0/4
#
vsys name vsysc 3
assign resource-class r1
assign interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface Virtualif0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 1.1.1.254
ip route-static 10.3.0.0 255.255.255.0 vpn-instance vsysa
ip route-static 10.3.2.0 255.255.255.0 vpn-instance vsysc
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
action permit
#
nat-policy
rule name nat1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address address-set 10.3.0.0 16
action nat easy-ip
#
return

Configuration script of VSYSA


#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
service-manage ping permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface Virtualif1

#
aaa
#
manager-user admin@@vsysa
password cipher %@%@@~QEN4"Db/xmvR'5@=5)^`WN]~h`Mwn-{BNPy#ZYE>`6`f]X%@%@
service-type web telnet ssh
level 15
ssh authentication-type password
ssh service-type stelnet
authentication-scheme admin_local
#
bind manager-user admin@@vsysa role system-admin
#
ip address-set ipaddress1 type object
address 0 range 10.3.0.2 10.3.0.10
#
ip route-static 0.0.0.0 0.0.0.0 public
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
source-address address-set ipaddress1
action permit
rule name to_internet2
source-zone trust
destination-zone untrust
action deny
#
return
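Substeps 6 and 7 of Step 4 depend on rule order: security policy A (permit the ipaddress1 range) must rank above security policy B (deny any), because the first matching rule wins. The following Python script is an added example, not Huawei's code and not part of this guide; it parses the address-set and security-policy lines in the format of the VSYSA script above, evaluates them with first-match semantics, and then reverses the order to show how policy B would shadow policy A. The embedded script text is a constructed copy of the page's VSYSA script reduced to those lines, and treating traffic matched by no rule as denied is an assumption of the example.

```python
"""First-match evaluation of a USG-style security-policy block.

Added example, not Huawei's code. It understands only the keywords used by
the VSYSA script on this page (address-set ranges, source-zone,
destination-zone, source-address address-set, action).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the address set and security policies of the page's
# VSYSA script, without the interface, zone, aaa and route lines.
VSYSA_SCRIPT = """\
#
ip address-set ipaddress1 type object
 address 0 range 10.3.0.2 10.3.0.10
#
security-policy
 rule name to_internet
  source-zone trust
  destination-zone untrust
  source-address address-set ipaddress1
  action permit
 rule name to_internet2
  source-zone trust
  destination-zone untrust
  action deny
#
return
"""

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]


@dataclass
class Rule:
    name: str
    source_zone: Optional[str] = None       # None means "any"
    destination_zone: Optional[str] = None  # None means "any"
    source_sets: List[str] = field(default_factory=list)  # empty means "any"
    action: str = "deny"


def parse(script: str) -> Tuple[Dict[str, List[IPRange]], List[Rule]]:
    """Return (address sets by name, rules in configuration order)."""
    address_sets: Dict[str, List[IPRange]] = {}
    rules: List[Rule] = []
    current_set: Optional[List[IPRange]] = None
    current_rule: Optional[Rule] = None
    for raw in script.splitlines():
        parts = raw.split()
        if not parts or parts[0] in ("#", "return"):
            continue
        if parts[:2] == ["ip", "address-set"]:
            current_set = address_sets.setdefault(parts[2], [])
            current_rule = None
        elif parts[0] == "address" and current_set is not None and "range" in parts:
            i = parts.index("range")
            current_set.append((ipaddress.ip_address(parts[i + 1]),
                                ipaddress.ip_address(parts[i + 2])))
        elif parts[0] == "security-policy":
            current_set = None
        elif parts[:2] == ["rule", "name"]:
            current_rule = Rule(parts[2])
            rules.append(current_rule)
        elif current_rule is not None:
            if parts[0] == "source-zone":
                current_rule.source_zone = parts[1]
            elif parts[0] == "destination-zone":
                current_rule.destination_zone = parts[1]
            elif parts[:2] == ["source-address", "address-set"]:
                current_rule.source_sets.append(parts[2])
            elif parts[0] == "action":
                current_rule.action = parts[1]
    return address_sets, rules


def evaluate(address_sets, rules, src_zone, dst_zone, src_ip) -> Tuple[Optional[str], str]:
    """Return (matching rule name, action). The first rule that matches wins;
    traffic matched by no rule gets the assumed default action, deny."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.source_zone not in (None, src_zone):
            continue
        if rule.destination_zone not in (None, dst_zone):
            continue
        if rule.source_sets and not any(lo <= ip <= hi
                                        for name in rule.source_sets
                                        for lo, hi in address_sets[name]):
            continue
        return rule.name, rule.action
    return None, "deny"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never match because an earlier rule on the
    same (or any) zone pair already accepts every source address."""
    result = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            zones_cover = (earlier.source_zone in (None, later.source_zone)
                           and earlier.destination_zone in (None, later.destination_zone))
            if zones_cover and not earlier.source_sets:
                result.append(later.name)
                break
    return result
```

Running evaluate() on the page's order permits 10.3.0.5 through to_internet and denies 10.3.0.50 through to_internet2; with the two rules reversed, shadowed_rules() reports to_internet, which is exactly the misconfiguration substep 7 guards against when it places policy B below policy A.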

Configuration script of VSYSB


#
interface GigabitEthernet1/0/4
ip address 10.3.1.1 255.255.255.0
service-manage ping permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/4
#
firewall zone untrust
set priority 5
add interface Virtualif2
#
aaa
#
manager-user admin@@vsysb
password cipher %@%@zG{;O|!gEN4"Db/xmvR'5@=5)^`WN]~h`Mwn-{BNPy#ZYE>`6`f]
service-type web telnet ssh
level 15
ssh authentication-type password
ssh service-type stelnet
authentication-scheme admin_local
#
bind manager-user admin@@vsysb role system-admin
#
ip route-static 0.0.0.0 0.0.0.0 public
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
action deny
#
return

Configuration script of VSYSC


#
interface GigabitEthernet1/0/5
ip address 10.3.2.1 255.255.255.0
service-manage ping permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/5
#
firewall zone untrust
set priority 5
add interface Virtualif3
#
aaa
#
manager-user admin@@vsysc
password cipher %@%@zG{;x|!gEN5"Db/6dvR'5@=5)^`WN]~h`Mwn-{BNPy#ZYE>`6`f]
service-type web telnet ssh
level 15
ssh authentication-type password
ssh service-type stelnet
authentication-scheme admin_local
#
bind manager-user admin@@vsysc role system-admin
#
ip route-static 0.0.0.0 0.0.0.0 public
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
action permit
#
return

7.8.2 Web Example for Configuring Virtual Systems to Isolate Enterprise
Departments (Layer-3 Access, Virtual Systems Having Independent WAN Interfaces)
The NGFW functions as the access gateway of the office area of a large campus network to
protect the intranet. The intranet has multiple service departments, and the administrator
configures virtual systems for each department to implement independent management over
department networks.

Networking Requirements
As shown in Figure 7-19, an NGFW is deployed in area A of the large campus network as the
access gateway. The network of area A comprises the R&D and non-R&D departments, and the two
departments have different network access permissions. The requirements are as follows:

l Some employees in the R&D department can access the Internet, and all employees in the
non-R&D department can access the Internet.
l The R&D and non-R&D departments are isolated from each other and cannot communicate.
l The service volumes of the R&D and non-R&D departments are nearly the same. Therefore,
the same virtual system resources are allocated to them.

Figure 7-19 Networking diagram of network isolation (Layer-3 access, virtual systems having
independent WAN interfaces)

[Figure: in area A of the intranet, the R&D department (10.3.0.0/24) connects
to VSYSA through GE1/0/3 (10.3.0.1/24, Trust), and VSYSA reaches the upstream
gateway 10.1.1.1/24 through GE1/0/1 (10.1.1.8/24). The non-R&D department
(10.3.1.0/24) connects to VSYSB through GE1/0/4 (10.3.1.1/24, Trust), and
VSYSB reaches the same gateway through GE1/0/2 (10.1.1.9/24).]

Data Planning

Item: VSYSA
Data:
l Virtual system name: VSYSA
l Outside interface: GE1/0/1
l Outside interface IP address: 10.1.1.8/24
l Security zone to which the outside interface belongs: Untrust
l Inside interface: GE1/0/3
l Inside interface IP address: 10.3.0.1/24
l Private IP address range: 10.3.0.0/24
l Security zone to which the inside interface belongs: Trust
l IP addresses allowed to access the Internet: 10.3.0.2 to 10.3.0.10
Description: -

Item: VSYSB
Data:
l Virtual system name: VSYSB
l Outside interface: GE1/0/2
l Outside interface IP address: 10.1.1.9/24
l Security zone to which the outside interface belongs: Untrust
l Inside interface: GE1/0/4
l Inside interface IP address: 10.3.1.1/24
l Private IP address range: 10.3.1.0/24
l Security zone to which the inside interface belongs: Trust
Description: -

Item: Resource class
Data:
l Name: r1
l Reserved Number for Session: 10000
l Maximum for Session: 50000
l User: 300
l User Group: 10
l Policy: 300
l Maximum Bandwidth: 100000 kbps
Description: -

Configuration Roadmap
1. The root system administrator creates two virtual systems, VSYSA and VSYSB, and assigns
resources to them.
2. The root system administrator configures IP addresses, routes, security policies, and NAT
policies for VSYSA.
3. The root system administrator configures IP addresses, routes, security policies, and NAT
policies for VSYSB.

Procedure
Step 1 The root system administrator creates virtual systems VSYSA and VSYSB and assigns
resources to them.

1. Use the account of the root system administrator to log in to the NGFW web UI.
2. Select Dashboard. Click Configure of Virtual System in the System Information
dashboard, select Enable of Virtual System, and click Apply.
3. Choose System > Virtual System > Resource Class and click Add. Then set resource
class parameters as follows.

4. Choose System > Virtual System > Virtual System and click Add. Then configure basic
information for VSYSA as follows.

5. Click the Assign Interface tab and click to assign the GE1/0/1 and GE1/0/3 interfaces
to VSYSA.

6. Click Save on the upper right of the panel to save the configurations.
7. Create virtual system VSYSB by referring to the preceding substeps and assign the
GE1/0/2 and GE1/0/4 interfaces to VSYSB.

Step 2 The root system administrator configures IP addresses, routes, security policies, and NAT
policies for VSYSA.
1. Select vsysa from the Virtual System drop-down list in the upper right corner.

2. Choose Network > Interface and click corresponding to GE1/0/1. Then configure a
security zone and an IP address as follows.

3. Click corresponding to GE1/0/3. Then configure a security zone and an IP address as
follows.

4. Choose Network > Router > Static Router and click Add. Then configure a static route
as follows.

5. Choose Object > Address > Address and click Add. Then configure IP addresses.

6. Choose Policy > Security Policy > Security Policy and click Add. Then configure a
security policy as follows. This security policy allows intranet users of a specific network
segment to access the Internet.

7. Configure a second security policy (security policy B) by referring to the preceding
substeps; it blocks all other intranet users from accessing the Internet. The priority of
security policy B is lower than that of the policy configured in substep 6 (security policy
A). Therefore, you do not need to specify IP address ranges for security policy B but select
any.

8. Choose Policy > NAT Policy > Source NAT > Source NAT and click Add. Then configure
a NAT policy as follows.

9. Click Save on the upper right of the panel to save the configurations.
Step 3 The root system administrator configures IP addresses, routes, security policies, and NAT
policies for VSYSB.
The configuration is similar to that of the R&D department except for the following:
l The IP address of the inside interface is different.
l You do not need to create an IP address range for the non-R&D department. You only need
to configure a security policy to allow all IP addresses to access the Internet.
l The outbound interface of the NAT policy must be set to GE1/0/2, and the source address
must be set to any.

----End

Verification
l Use a PC that is allowed to access the Internet and a PC that is not allowed to access the
Internet from the R&D department and use the PCs to access the Internet. If the results are
as expected, the IP addresses, security policies and NAT policies of VSYSA are correctly
configured.
l Access the Internet from the non-R&D department. If the access succeeds, the IP addresses,
security policies and NAT policies of VSYSB are correctly configured.

Configuration Scripts
Configuration script of the root system
#
sysname NGFW
#
vsys enable
#
resource-class r1
resource-item-limit session reserved-number 10000 maximum 50000
resource-item-limit policy reserved-number 300
resource-item-limit user reserved-number 300
resource-item-limit user-group reserved-number 10
resource-item-limit bandwidth-ingress reserved-number 0 maximum 100000
#
vsys name vsysa 1
assign resource-class r1
assign interface GigabitEthernet1/0/1
assign interface GigabitEthernet1/0/3
#
vsys name vsysb 2
assign resource-class r1
assign interface GigabitEthernet1/0/2
assign interface GigabitEthernet1/0/4
#
return

Configuration script of VSYSA


#
interface GigabitEthernet1/0/1
ip address 10.1.1.8 255.255.255.0
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#

firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip address-set ipaddress1 type object
address 0 range 10.3.0.2 10.3.0.10
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
source-address address-set ipaddress1
action permit
rule name to_internet2
source-zone trust
destination-zone untrust
action deny
#
nat-policy
rule name nat1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address address-set ipaddress1
action nat easy-ip
#
return

Configuration script of VSYSB


#
interface GigabitEthernet1/0/2
ip address 10.1.1.9 255.255.255.0
#
interface GigabitEthernet1/0/4
ip address 10.3.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/4
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.1
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
action permit
#
nat-policy
rule name nat1
source-zone trust
egress-interface GigabitEthernet1/0/2
action nat easy-ip
#
return

7.8.3 Web Example for Configuring Virtual Systems to Isolate Enterprise
Departments (Layer-2 Access)
When the NGFW connects to an intranet through Layer-2 access, configure virtual systems to
isolate enterprise departments and facilitate configuration management by different
administrators.

Networking Requirements
Medium-sized enterprise A deploys a firewall as the network gateway. The network of this
enterprise is divided into three subnets, one each for the R&D, financial, and administrative
departments. The security policies of the three departments differ and must meet the
following requirements:

l The NGFW connects to an existing intranet through Layer-2 access, without changing the
intranet's network topology.
l Internet access is granted to all employees of the administrative department, some
employees of the R&D department, but none of the employees of the financial department.
l The three departments have similar traffic volumes and therefore are assigned the same
amount of virtual system resources.

Configure virtual systems to meet the preceding requirements. Figure 7-20 shows the
networking diagram.

Figure 7-20 Networking diagram of network isolation (Layer-2 access)

[Figure: the NGFW connects to the intranet through trunk interface GE1/0/2 and
to the upstream network through trunk interface GE1/0/1; both trunks carry
VLANs 10, 20, and 30. The R&D department (10.3.0.2 to 10.3.0.99, VLAN 10) maps
to VSYSA, the financial department (10.3.0.100 to 10.3.0.199, VLAN 20) to
VSYSB, and the administrative department (10.3.0.200 to 10.3.0.254, VLAN 30) to
VSYSC; the inside interface of each virtual system is in the Trust zone.]

Data Planning

Item: VSYSA
Data:
l Virtual system name: VSYSA
l Outside interface: GE1/0/1
l Security zone to which the outside interface belongs: Untrust
l Inside interface: GE1/0/2
l Security zone to which the inside interface belongs: Trust
l VLAN assigned: VLAN10
l Administrator: admin@@vsysa
l IP addresses allowed to access the Internet: 10.3.0.2 to 10.3.0.10
Description: Both the outside interface GE1/0/1 and the inside interface
GE1/0/2 are trunk interfaces and can be assigned to multiple virtual systems
based on VLAN assignment.

Item: VSYSB
Data:
l Virtual system name: VSYSB
l Outside interface: GE1/0/1
l Security zone to which the outside interface belongs: Untrust
l Inside interface: GE1/0/2
l Security zone to which the inside interface belongs: Trust
l VLAN assigned: VLAN20
l Administrator: admin@@vsysb
Description: -

Item: VSYSC
Data:
l Virtual system name: VSYSC
l Outside interface: GE1/0/1
l Security zone to which the outside interface belongs: Untrust
l Inside interface: GE1/0/2
l Security zone to which the inside interface belongs: Trust
l VLAN assigned: VLAN30
l Administrator: admin@@vsysc
Description: -

Item: Resource class
Data:
l Name: r1
l Reserved Number for Session: 10000
l Maximum for Session: 50000
l User: 300
l User Group: 10
l Policy: 300
l Maximum Bandwidth: 100000 kbps
Description: The three departments have similar traffic volumes and therefore
are assigned the same resource class.

Configuration Roadmap
1. Configure GE1/0/1 and GE1/0/2 as trunk interfaces and add them to VLANs.
2. The root system administrator creates three virtual systems VSYSA, VSYSB, and VSYSC,
assigns VLANs and resources, and configures an administrator for each virtual system.
3. The administrator of the R&D department logs in to the NGFW to configure security
policies for VSYSA.
4. The administrator of the financial department logs in to the NGFW to configure security
policies for VSYSB.
5. The administrator of the administrative department logs in to the NGFW to configure
security policies for VSYSC.

Procedure
Step 1 Configure GE1/0/1 and GE1/0/2 as trunk interfaces and add them to VLANs.


1. Use the account of the root system administrator to log in to the NGFW web UI.
2. Choose Network > Interface and click corresponding to the GE1/0/1 interface. Then
configure the GE1/0/1 interface as a trunk interface as follows.

3. Configure the GE1/0/2 interface as a trunk interface by referring to the preceding substeps.

Step 2 The root system administrator creates virtual systems VSYSA, VSYSB, and VSYSC and assigns
VLANs to them.
1. Select Dashboard. Click Configure of Virtual System in the System Information
dashboard, select Enable of Virtual System, and click Apply.
2. Choose System > Virtual System > Resource Class and click Add. Then set resource
class parameters as follows.


3. Choose System > Virtual System > Virtual System and click Add. Then configure basic
information for VSYSA as follows.

4. Click the Assign VLAN tab and click to assign the VLAN vlan 10 to VSYSA.


5. Click Save on the upper right of the panel to save the configurations.
6. Create virtual systems VSYSB and VSYSC by referring to the preceding substeps and
assign the VLAN vlan 20 to VSYSB and the VLAN vlan 30 to VSYSC.

Step 3 The root system administrator configures administrators for virtual systems.
1. Select the virtual system vsysa from the Virtual System drop-down list at the upper right
corner.

2. Choose System > Administrator > Administrator and click Add. Then configure
parameters for VSYSA. The following figure shows the example parameter settings.


3. Configure administrators admin@@vsysb for VSYSB and admin@@vsysc for VSYSC by referring
to the preceding substeps.

Step 4 The administrator of the R&D department configures security zones and security policies for
VSYSA.
1. Use the virtual system administrator account admin@@vsysa to log in to the NGFW web
UI.
2. Choose Network > Interface and click corresponding to the GE1/0/2 interface. Then
configure a security zone for the GE1/0/2 interface as follows.

3. Assign the GE1/0/1 interface to the Untrust zone by referring to the preceding substep.
4. Choose Object > Address > Address and click Add. Then configure IP addresses.


5. Choose Policy > Security Policy > Security Policy and click Add. Then configure a
security policy A as follows. This security policy allows intranet users of a specific network
segment to access the Internet.

6. Configure security policy B by referring to the preceding substeps. This policy blocks all the
other intranet users from accessing the Internet. Because security policy B has a lower priority
than security policy A, it is matched only by traffic that policy A does not permit, so you do not
need to specify IP address ranges for security policy B; select any instead.


7. Click Save on the upper right of the panel to save the configurations.

Step 5 The financial department administrator admin@@vsysb and administrative department
administrator admin@@vsysc log in to the NGFW web UI and configure IP addresses, security
zones, and security policies for VSYSB and VSYSC, respectively.

The configuration is similar to that of the R&D department except for the following:

l You do not need to create an IP address range for the financial department. You only need
to configure a security policy to prevent the IP address segment 10.3.0.0/24 from accessing
the Internet.
l You do not need to create an IP address range for the administrative department. You only
need to configure a security policy to allow the IP address segment 10.3.0.0/24 to access the
Internet.

----End

Verification
l Use a PC that is allowed to access the Internet and a PC that is not allowed to access the
Internet from the R&D department to access the Internet. If the results are as expected, the
security policies of VSYSA are correctly configured.
l Access the Internet from the financial department. If the access fails, the security policies
of VSYSB are correctly configured.
l Access the Internet from the administrative department. If the access succeeds, the security
policies of VSYSC are correctly configured.

Configuration Scripts
Configuration script of the root system


#
sysname NGFW
#
vsys enable
#
resource-class r1
resource-item-limit session reserved-number 10000 maximum 50000
resource-item-limit policy reserved-number 300
resource-item-limit user reserved-number 300
resource-item-limit user-group reserved-number 10
resource-item-limit bandwidth-ingress reserved-number 0 maximum 100000
#
vsys name vsysa 1
assign vlan 10
assign resource-class r1
#
vsys name vsysb 2
assign vlan 20
assign resource-class r1
#
vsys name vsysc 3
assign vlan 30
assign resource-class r1
#
vlan 10
GigabitEthernet1/0/1 GigabitEthernet1/0/2
#
vlan 20
GigabitEthernet1/0/1 GigabitEthernet1/0/2
#
vlan 30
GigabitEthernet1/0/1 GigabitEthernet1/0/2
#
return

Configuration script of VSYSA


#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
aaa
#
manager-user admin@@vsysa
password cipher %@%@@~QEN4"Db/xmvR'5@=5)^`WN]~h`Mwn-{BNPy#ZYE>`6`f]X%@%@
service-type web telnet ssh
level 15
ssh authentication-type password
ssh service-type stelnet
authentication-scheme admin_local
#
bind manager-user admin@@vsysa role system-admin
#
ip address-set ipaddress1 type object
address 0 range 10.3.0.2 10.3.0.10
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
source-address address-set ipaddress1
action permit
rule name to_internet2
source-zone trust
destination-zone untrust
action deny
#
return

Configuration script of VSYSB


#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
aaa
#
manager-user admin@@vsysb
password cipher %@%@zG{;O|!gEN4"Db/xmvR'5@=5)^`WN]~h`Mwn-{BNPy#ZYE>`6`f]
service-type web telnet ssh
level 15
ssh authentication-type password
ssh service-type stelnet
authentication-scheme admin_local
#
bind manager-user admin@@vsysb role system-admin
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
action deny
#
return

Configuration script of VSYSC


#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
aaa
#
manager-user admin@@vsysc
password cipher %@%@zG{;x|!gEN5"Db/6dvR'5@=5)^`WN]~h`Mwn-{BNPy#ZYE>`6`f]
service-type web telnet ssh
level 15
ssh authentication-type password
ssh service-type stelnet
authentication-scheme admin_local
#
bind manager-user admin@@vsysc role system-admin
#
security-policy
rule name to_internet
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
return


7.8.4 Web Example for Configuring Virtual Systems on a Cloud Computing Gateway
This section provides an example for configuring virtual systems to protect a cloud computing
data center.

Networking Requirements
A cloud computing data center uses a NGFW for security protection of the egress gateway to
meet the following requirements:

l Customers of the data center can independently manage and access their server resources.
l The NGFW has only one outside interface but provides sufficient public IP addresses. NAT
policies are configured on the NGFW so that customers have independent public IP
addresses to access their own server resources.
l Enterprises A and B have similar traffic volumes and purchase the same amount of
resources: a quota of 10,000 guaranteed sessions, a maximum of 50,000 sessions, and a
maximum of 100,000 kbit/s bandwidth.

Configure virtual systems to meet the preceding requirements. Figure 7-21 shows the
networking diagram.

Figure 7-21 Security gateway for cloud computing centers


[Figure: The NGFW is the egress gateway of the cloud computing center. Root system: GE1/0/1 (1.1.1.1/24) toward the Internet. VSYSA: subinterface GE1/0/2.1 (10.3.0.1/24) connecting enterprise A's servers (10.3.0.0/24, server 10.3.0.2/24). VSYSB: subinterface GE1/0/2.2 (10.3.1.1/24) connecting enterprise B's servers (10.3.1.0/24, server 10.3.1.2/24). The server sides are in the Trust zone.]

Data Planning
Item: root
Data:
l Outside interface: GE1/0/1
l Outside interface IP address: 1.1.1.1/24
l Security zone to which the outside interface belongs: Untrust
l Inside interface: root's virtual interface Virtualif0
l Security zone to which the inside interface belongs: Trust
l IP address of the carrier network gateway: 1.1.1.254/24
Description: In this example, all intranet servers provide services to Internet users through the
root system's outside interface.

Item: VSYSA
Data:
l Virtual system name: VSYSA
l Outside interface: VSYSA's virtual interface
l Security zone to which the outside interface belongs: Untrust
l Inside interface: GE1/0/2.1
l Inside interface IP address: 10.3.0.1/24
l Private IP address range: 10.3.0.0/24
l Security zone to which the inside interface belongs: Trust
l Private address and port of the internal server for Internet users: 10.3.0.2:80
l Public address and port mapped to the internal server for Internet users: 1.1.1.2:8080
Description: In this example, IP address mapping must be configured so that the server at the
private address 10.3.0.2 can use the public address 1.1.1.2 to provide services to users of
enterprise A. The root system administrator configures and manages virtual systems, and no
virtual system administrator is required.

Item: VSYSB
Data:
l Virtual system name: VSYSB
l Outside interface: VSYSB's virtual interface
l Security zone to which the outside interface belongs: Untrust
l Inside interface: GE1/0/2.2
l Inside interface IP address: 10.3.1.1/24
l Private IP address range: 10.3.1.0/24
l Security zone to which the inside interface belongs: Trust
l Private address and port of the internal server for Internet users: 10.3.1.2:80
l Public address and port mapped to the internal server for Internet users: 1.1.1.3:8080
Description: In this example, IP address mapping must be configured so that the server at the
private address 10.3.1.2 can use the public address 1.1.1.3 to provide services to users of
enterprise B. The root system administrator configures and manages virtual systems, and no
virtual system administrator is required.

Item: Resource class
Data:
l Name: r1
l Reserved Number for Session: 10000
l Maximum for Session: 50000
l Maximum Bandwidth: 100000 kbps
Description: In the example, the requirements of both enterprises are the same. Therefore, create
only one resource class and bind it to the two virtual systems.

Configuration Roadmap
1. The root system administrator creates virtual systems VSYSA and VSYSB and allocates
resources to them.
2. Create subinterfaces GE1/0/2.1 and GE1/0/2.2 on the GE1/0/2 and configure these two
subinterfaces as inside interfaces of VSYSA and VSYSB, respectively.
3. The root system administrator configures IP address mapping for VSYSA and VSYSB.
4. The root system administrator configures routes and security policies for VSYSA and
VSYSB.


Procedure
Step 1 The root system administrator creates virtual systems VSYSA and VSYSB and allocates
resources to them.
1. Use the account of the root system administrator to log in to the NGFW web UI.
2. Select Dashboard. Click Configure of Virtual System in the System Information
dashboard, select Enable of Virtual System, and click Apply.
3. Choose System > Virtual System > Resource Class and click Add. Then set resource
class parameters as follows.

4. Choose System > Virtual System > Virtual System and click Add. Then configure basic
information for VSYSA as follows.


5. Click Save on the upper right of the panel to save the configurations.
6. Configure basic information for VSYSB by referring to the preceding substeps.

Step 2 Configure inside interfaces, outside interfaces, and virtual interfaces on the root system.
1. Choose Network > Interface and click Add. Create the subinterface GE1/0/2.1 and assign
this subinterface to VSYSA.

2. Click Add. Create the subinterface GE1/0/2.2 and assign this subinterface to VSYSB.


3. Click corresponding to the GE1/0/1 interface. Then configure a security zone and an IP
address for the GE1/0/1 interface as follows.


4. Assign the virtual interface Virtualif0 of the root system to the Trust zone, Virtualif1 of
VSYSA the Untrust zone, and Virtualif2 of VSYSB the Untrust zone by referring to the
preceding substeps.
NOTE

The ID of a virtual interface is automatically assigned based on existing IDs in the system. Therefore,
the actual interface may not be Virtualif1 or Virtualif2. You can view the mapping between virtual
systems and virtual interfaces in Interface List.

Step 3 Configure routes, security policies, and NAT policies on the root system.
1. Choose Network > Router > Static Router and click Add. Then configure a static route
as follows.

2. Click Add and configure a static route as follows. This static route is used to divert to
VSYSA the server traffic requested by users of enterprise A.

3. Click Add and configure a static route as follows. This static route is used to divert to
VSYSB the server traffic requested by users of enterprise B.


4. Choose Policy > Security Policy > Security Policy and click Add. Then configure a
security policy as follows. This security policy allows intranet users to access servers on
the intranet.

5. Choose Policy > NAT Policy > NAT Server and click Add. Then configure IP address
mapping as follows for servers connected to VSYSA.


6. Click Add and configure IP address mapping as follows for servers connected to VSYSB.

Step 4 Configure routes and security policies on VSYSA.
1. Select the virtual system vsysa from the Virtual System drop-down list at the upper right
corner.


2. Choose Network > Router > Static Router and click Add. Then configure a static route
as follows. This static route is used to divert to the root system the server traffic requested
by users of enterprise A.

3. Choose Policy > Security Policy > Security Policy and click Add. Then configure a
security policy as follows. This security policy allows intranet users to access servers on
the intranet.


4. Click Save on the upper right of the panel to save the configurations.
Step 5 Configure routes and security policies on VSYSB.
The details are omitted because the configurations are the same as those of VSYSA, except the
IP addresses.

----End

Verification
l Access http://1.1.1.2:8080 from enterprise A. If the access succeeds, IP address mapping
and security policies are correctly configured.
l Access http://1.1.1.3:8080 from enterprise B. If the access succeeds, IP address mapping
and security policies are correctly configured.

Configuration Scripts
Configuration script of the root system
#
sysname NGFW
#
vsys enable
#
nat server publicserver_vsysa protocol tcp global 1.1.1.2 8080 inside 10.3.0.2 www no-reverse
nat server publicserver_vsysb protocol tcp global 1.1.1.3 8080 inside 10.3.1.2 www no-reverse
#
resource-class r1
resource-item-limit session reserved-number 10000 maximum 50000
resource-item-limit bandwidth-ingress reserved-number 0 maximum 100000
#
vsys name vsysa 1
assign resource-class r1
assign interface GigabitEthernet1/0/2.1
#
vsys name vsysb 2
assign resource-class r1
assign interface GigabitEthernet1/0/2.2
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2.1
vlan-type dot1q 10
ip address 10.3.0.1 255.255.255.0
service-manage ping permit
#
interface GigabitEthernet1/0/2.2
vlan-type dot1q 20
ip address 10.3.1.1 255.255.255.0
service-manage ping permit
#
firewall zone trust
set priority 85
add interface Virtualif0
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 1.1.1.254
ip route-static 10.3.0.0 255.255.255.0 vpn-instance vsysa
ip route-static 10.3.1.0 255.255.255.0 vpn-instance vsysb
#
security-policy
rule name internet_to_server
source-zone untrust
destination-zone trust
destination-address 10.3.0.0 16
action permit
#
return

Configuration script of VSYSA


#
interface GigabitEthernet1/0/2.1
vlan-type dot1q 10
ip address 10.3.0.1 255.255.255.0
service-manage ping permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2.1
#
firewall zone untrust
set priority 5
add interface Virtualif1
#
ip route-static 0.0.0.0 0.0.0.0 public
#
security-policy
rule name internet_to_server
source-zone untrust
destination-zone trust
destination-address 10.3.0.0 24
action permit
#
return

Configuration script of VSYSB


#
interface GigabitEthernet1/0/2.2
vlan-type dot1q 20
ip address 10.3.1.1 255.255.255.0
service-manage ping permit
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2.2
#
firewall zone untrust
set priority 5
add interface Virtualif2
#
ip route-static 0.0.0.0 0.0.0.0 public
#
security-policy
rule name internet_to_server
source-zone untrust
destination-zone trust
destination-address 10.3.1.0 24
action permit
#
return
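To see what the scripts of the two examples above actually decide, here is an added Python walk-through (not Huawei code and not part of the guide): it parses constructed excerpts of the page's scripts, evaluates the security-policy rules first-match in configured order, and for the cloud gateway follows an Internet request through the NAT server mapping, the vpn-instance static route and the target virtual system's policy. Assumptions: the client addresses 198.51.100.1 and 203.0.113.10 are constructed, unmatched traffic falls to the default policy (treated here as deny), and the service keyword www stands for TCP port 80.

```python
import ipaddress
VSYSA_L2 = """
ip address-set ipaddress1 type object
 address 0 range 10.3.0.2 10.3.0.10
security-policy
 rule name to_internet
  source-zone trust
  destination-zone untrust
  source-address address-set ipaddress1
  action permit
 rule name to_internet2
  source-zone trust
  destination-zone untrust
  action deny
"""
ROOT_CLOUD = """
nat server publicserver_vsysa protocol tcp global 1.1.1.2 8080 inside 10.3.0.2 www no-reverse
nat server publicserver_vsysb protocol tcp global 1.1.1.3 8080 inside 10.3.1.2 www no-reverse
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 1.1.1.254
ip route-static 10.3.0.0 255.255.255.0 vpn-instance vsysa
ip route-static 10.3.1.0 255.255.255.0 vpn-instance vsysb
security-policy
 rule name internet_to_server
  source-zone untrust
  destination-zone trust
  destination-address 10.3.0.0 16
  action permit
"""
VSYS_CLOUD = """
security-policy
 rule name internet_to_server
  source-zone untrust
  destination-zone trust
  destination-address {net} 24
  action permit
"""

def parse_config(text):
    """Parse only the statement types these examples use; other lines are ignored."""
    cfg = {"sets": {}, "rules": [], "nat": {}, "routes": []}
    cur = None  # the address set (list) or rule (dict) currently being filled in
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":
            continue
        if tok[:2] == ["ip", "address-set"]:
            cur = cfg["sets"].setdefault(tok[2], [])
        elif tok[0] == "address" and tok[2] == "range":
            cur.append((ipaddress.ip_address(tok[3]), ipaddress.ip_address(tok[4])))
        elif tok[:2] == ["rule", "name"]:
            cur = {"name": tok[2]}
            cfg["rules"].append(cur)
        elif tok[0] in ("source-zone", "destination-zone", "action"):
            cur[tok[0]] = tok[1]
        elif tok[0] in ("source-address", "destination-address"):
            cur[tok[0]] = tok[1:]  # ['address-set', name] or [network, prefixlen]
        elif tok[:2] == ["nat", "server"]:  # public (ip, port) -> inside (ip, port); 'www' is port 80
            g, i = tok.index("global"), tok.index("inside")
            cfg["nat"][(tok[g + 1], int(tok[g + 2]))] = (tok[i + 1], {"www": 80}.get(tok[i + 2]) or int(tok[i + 2]))
        elif tok[:2] == ["ip", "route-static"]:  # (network, vsys name or 'public')
            net = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
            cfg["routes"].append((net, tok[5] if tok[4] == "vpn-instance" else "public"))
    return cfg

def _match(cfg, spec, ip):
    if spec is None:  # no address given in the rule: matches any
        return True
    if spec[0] == "address-set":
        return any(lo <= ip <= hi for lo, hi in cfg["sets"][spec[1]])
    return ip in ipaddress.ip_network(f"{spec[0]}/{spec[1]}", strict=False)

def evaluate(cfg, src_zone, dst_zone, src_ip, dst_ip):
    """First match wins, in configured order; no match falls to the default policy (assumed deny)."""
    src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in cfg["rules"]:
        zones_ok = r.get("source-zone", src_zone) == src_zone and r.get("destination-zone", dst_zone) == dst_zone
        if zones_ok and _match(cfg, r.get("source-address"), src_ip) and _match(cfg, r.get("destination-address"), dst_ip):
            return r["action"], r["name"]
    return "deny", "default"

def route_lookup(cfg, dst_ip):
    """Longest-prefix match over the static routes: a vsys name, or 'public' for the outside."""
    hits = [r for r in cfg["routes"] if ipaddress.ip_address(dst_ip) in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None

def cloud_request(root, vsys, client_ip, public_ip, public_port):
    """Internet client -> NAT server on the root -> static route into a vsys -> that vsys's policy."""
    inside = root["nat"].get((public_ip, public_port))
    if inside is None:
        return None, None, "deny"  # no mapping for this public address:port, so no server is reached
    target = route_lookup(root, inside[0])
    action, _ = evaluate(root, "untrust", "trust", client_ip, inside[0])
    if action == "permit" and target in vsys:
        action, _ = evaluate(vsys[target], "untrust", "trust", client_ip, inside[0])
    return target, inside, action  # (vsys name, translated inside (ip, port), final action)

L2, ROOT = parse_config(VSYSA_L2), parse_config(ROOT_CLOUD)
CLOUD = {n: parse_config(VSYS_CLOUD.format(net=p)) for n, p in (("vsysa", "10.3.0.0"), ("vsysb", "10.3.1.0"))}
```

Swapping the order of to_internet and to_internet2 in VSYSA_L2 makes evaluate() deny 10.3.0.5 as well, which is the ordering point the Layer-2 example's policy B relies on.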


7.9 References
This section describes specifications, supported services, and release history of the Virtual
System feature.

7.9.1 Specifications
This section describes the virtual system specifications of the NGFW.

The virtual system specifications of the NGFW are as follows:

l Number of supported virtual systems
– USG6310/6320: 10 by default, and can be increased to 20 after an upgrade of the license.
– USG6306/6308/6330/6350/6360/6507/6530: 10 by default, and can be increased to 50
after an upgrade of the license.
– USG6370/6380/6390/6550/6570: 10 by default, and can be increased to 100 after an
upgrade of the license.
– USG6620/6630: 10 by default, and can be increased to 200 after an upgrade of the
license.
– USG6650/6660/6670: 10 by default, and can be increased to 500 after an upgrade of
the license.
– USG6680: 10 by default, and can be increased to 1000 after an upgrade of the license.
– ET1D2FW00S00: 10 by default, and can be increased to 500 after an upgrade of the
license.
– ET1D2FW00S01 and ET1D2FW00S02: 10 by default, and can be increased to 1000
after an upgrade of the license.
l Number of SSL VPN gateways supported by each virtual system: 4.
l Number of security zones supported by each virtual system: 8 (four default zones and four
user-defined zones).
l Number of address pools on each virtual system: 128.
l Number of IPv4 relay servers supported by each virtual system: 20.
l Number of virtual system administrators for the entire NGFW: 1024.

7.9.2 Function Availability for Virtual Systems
This section describes the function availability for virtual systems.

Table 7-5 describes the function availability for virtual systems.

Table 7-5 Function availability for virtual systems

Columns: Function, Supported or Not, Description.

System
l Administrators: Supported.
l Time: Not supported.
l SNMP: Not supported.
l Across-Layer-3 MAC Identification: Supported. The SNMP server access interval and timeout
period can be set only on the root system, not on virtual systems.
l Information Push: Supported. Only available to the anti-virus function.
l Information Center: Not supported.
l File System: Not supported.
l Signature Database Update: Not supported.
l System Upgrade: Not supported.
l Configuration File Management: Supported.
l NetStream: Not supported.
l Agile Network: Not supported.

High Availability
l Hot Standby: Not supported.
l Bypass: Not supported.
l Link-group: Not supported.
l IP-Link: Supported.
l BFD: Not supported.

Networks
l Interfaces: Supported.
l Security Zones: Supported.
l DNS: Not supported.
l DHCP: Supported. DHCPv6 and DHCP Snooping are not supported.
l PPP: Not supported.
l PPPoE: Not supported.

Intelligent Uplink Selection
l Global Route Selection Policies: Not supported.
l Carrier Address Library Link Selection: Not supported.
l PBR: Supported. Link selection based on policy-based routes is not supported.

Router
l IP Static Route: Supported.
l Dynamic route: Not supported.

Object
l User: Supported. SSO functions and portal authentication are not supported.
l Address and Address Group: Supported.
l Domain Group: Supported.
l Region and Region Group: Supported.
l Service and Service Group: Supported.
l Application and Application Group: Supported.
l Device and Device Group: Not supported.
l Certificate: Supported. Certificates can be referenced or viewed but not configured on virtual
systems.
l Schedule: Supported.
l ACL: Supported.
l Link Health Check: Not supported.

Policy
l Security Policy and Security Profile: Supported. Setting access modes and devices is not
supported. Spam filtering is not supported. The URL category server cannot be configured on
virtual systems.
l Policy Redundancy Analysis: Not supported.
l Policy Matching Analysis: Not supported.
l Application Policy Tuning: Not supported.
l Authentication Policy: Supported. Specifying portal authentication templates is not supported.
l Audit Policy and Audit Profile: Supported.
l NAT Policy: Supported. Server load balancing is not supported.
l Bandwidth Management Policy: Supported.
l Quota Control Policy: Supported.
l Proxy Policy: Supported.

VPN
l IPSec: Not supported.
l L2TP: Not supported.
l GRE: Not supported.
l BGP/MPLS IP VPN: Not supported.
l SSL VPN: Supported.

Security Protection
l Attack Defense: Supported. Only DDoS attack defense is supported.
l Ping proxy: Supported.
l Blacklist: Supported.
l IP-MAC Binding: Supported.
l ASPF: Supported.
l IDS Interworking: Not supported.

Monitoring
l Logs and Reports: Supported.
l Session Table: Supported.
l Server Map: Supported.
l System Statistics: Not supported.
l Quintuple Packet Capture: Not supported.
l Diagnosis Center: Supported.

IPv6
l IPv6: Not supported.

Maintenance
l Port Mirroring, System Restart, NTP, NQA, and LLDP: Not supported.

Issue 04 (2015-07-30) Huawei Proprietary and Confidential 983


Copyright © Huawei Technologies Co., Ltd.
HUAWEI USG6000 Series & NGFW Module
Administrator Guide 7 Virtual System

7.9.3 Feature History
This section describes the versions and changes in the Virtual System feature.

Version: V100R001C30SPC100
Change Description:
l Added the function for configuring the DHCP server and DHCP relay.
l Added DHCP Dynamic Address Lease and DHCP Static Address Lease to the resource items
that the root system administrator allocates to virtual systems.
l Added DHCP Server in Popedom of new administrator roles in virtual systems.

Version: V100R001C20SPC700
Change Description:
l Added Security Groups in the resource items that the root system administrator allocates to
each virtual system.
l When you create a virtual system administrator, the administrator@virtual system name
format is changed to the administrator@@virtual system name format.

Version: V100R001C10SPC100
Change Description: Added New Session Rate in the resource items that the root system
administrator allocates to each virtual system.

Version: V100R001C10
Change Description: Functions of virtual systems are enhanced as follows:
l Virtual system administrators can use Telnet or STelnet to log in to the CLI of a virtual
system.
l The following functions are added: authentication policy, bandwidth policy, audit policy,
policy-based routing, application and application group, user and user group, region and
region group, SSL VPN, IP-Link, IP-MAC binding, blacklist, and DHCP.
l All types of reports and logs can be queried.

Version: V100R001C00
Change Description: The first version.


8 Networks

8.1 Interface and Interface Pair
This section describes the concepts, configuration procedure, and configuration examples of
interfaces and interface pairs.

8.1.1 Overview
A NGFW uses interfaces to exchange data with other devices on a network.

Interface Types
A NGFW supports physical and logical interfaces. Table 8-1 describes types of interfaces and
their configuration methods.

Table 8-1 Interface types and their configuration methods

Columns: Interface Type, Description, Configuration Methods (Web UI and CLI).

Physical interfaces
l Layer 3 Ethernet interface
Description: Works at the network layer to process Layer 3 packets with an IPv4 or IPv6
address specified and supports routing functions.
Web UI: Configured by following the procedure in 8.1.2.1 Configuring a Layer 3 Ethernet
Interface.
CLI: Configured by following the procedure in 8.1.3.1 Configuring a Layer 3 Ethernet
Interface.
l Layer 2 Ethernet interface
Description: Works at the data link layer and processes Layer 2 packets, implementing rapid
Layer 2 forwarding.
Web UI: Configured by following the procedure in 8.1.2.2 Configuring a Layer 2 Ethernet
Interface.
CLI: Configured by following the procedure in 8.1.3.2 Configuring a Layer 2 Ethernet
Interface.

Logical interfaces
l Virtual template (VT) interface
Description: Helps a Point-to-Point Protocol over Ethernet (PPPoE) server with PPP
negotiation or encapsulates Layer 2 Tunneling Protocol (L2TP) packets.
Web UI: Automatically created when you configure L2TP on the NGFW. For information
about how to configure L2TP, see 20.3.5 Configuring L2TP Using the Web UI.
CLI: Configured by following the procedure in 8.8.3 Configuring the IPv4 PPPoE Server or
20.3.6 Configuring L2TP Using the CLI.
l Dialer interface
Description: Used by a PPPoE client.
Web UI: Automatically configured by a NGFW before the NGFW runs PPPoE to assign an
IPv4 or IPv6 address to one of the following interfaces:
– Layer 3 Ethernet interface: For information about how to configure a Layer 3 Ethernet
interface, see 8.1.2.1 Configuring a Layer 3 Ethernet Interface.
– VLAN interface: For information about how to configure a VLAN interface, see 8.1.2.5
Configuring a VLAN Interface.
– Ethernet subinterface: For information about how to configure an Ethernet subinterface,
see 8.1.2.3 Configuring a Layer 3 Ethernet Subinterface.
– Eth-Trunk interface: For information about how to configure an Eth-Trunk interface, see
8.1.2.6 Configuring an Eth-Trunk Interface.
CLI: Configured by following the procedure in 8.8.4 Configuring an IPv4 PPPoE Client or
8.8.5 Configuring an IPv6 PPPoE Client.
l Tunnel interface
Description: Applies to packet encapsulation and decapsulation and IPv6 transition
technologies. GRE and IPSec are common encapsulation protocols.
Web UI:
– IPSec: By default, tunnel interfaces created through the Web use only IPSec, that is,
supporting only IPSec tunnels.
– GRE: Tunnel interfaces are automatically created and configured when you configure GRE
through the Web. For details, see 20.5.3 Configuring GRE Using the Web UI.
CLI:
– IPSec: Configuring IPSec through the CLI involves the configuration of tunnel interfaces.
For details, see and 20.2.9 Configuring Manual IPSec Policies Using the CLI.
– GRE: Configuring GRE through the CLI involves the configuration of tunnel interfaces. For
details, see 20.5.4 Configuring GRE Using the CLI.
IPv6 transition: For details on the application of tunnel interfaces in IPv6 transition
technologies, see and 24.3.2 Configuring an IPv4 over IPv6 Tunnel.
l Null interface
Description: Discards all packets received by a NGFW.
Web UI: Cannot be configured using the Web UI.
CLI: Configured by following the procedure in 8.1.3.9 Configuring a Null Interface.
l VLAN interface
Description: A Layer 3 logical interface that is assigned an IPv4 or IPv6 address. VLAN
interfaces transmit packets between VLANs.
Web UI: Configured by following the procedure in 8.1.2.5 Configuring a VLAN Interface.
CLI: Configured by following the procedure in 8.1.3.5 Configuring a VLAN Interface.
l Layer 3 Ethernet subinterface
Description: Layer 3 Ethernet subinterfaces are Layer 3 logical interfaces created on a
physical interface.
Web UI: Configured by following the procedure in 8.1.2.3 Configuring a Layer 3 Ethernet
Subinterface.
CLI: Configured by following the procedure in 8.1.3.3 Configuring a Layer 3 Ethernet
Subinterface.
l Layer 2 Ethernet subinterface
Description: Layer 2 Ethernet subinterfaces are Layer 2 logical
Web UI: Configured by following the procedure in 8.1.2.4
CLI: Configured by following the procedure in 8.1.3.4
e interfaces created on Configuring a Configuring a
a physical interface. Layer 2 Ethernet Layer 2 Ethernet
Subinterface. Subinterface.

Eth-Trunk A logical interface Configured by Configured by


interface that consists of following the following the
(interface multiple Layer 2 or procedure in 8.1.2.6 procedure in 8.1.3.6
aggregatio Layer 3 Ethernet Configuring an Configuring an
n) interfaces. An Eth- Eth-Trunk Eth-Trunk
Trunk interface Interface. Interface or 8.6
provides high Link Aggregation.
bandwidth and
reliability.

Loopback Remains in the Up Configured by Configured by


interface state and is assigned following the following the
a 32-bit subnet mask. procedure in 8.1.2.7 procedure in 8.1.3.8
Configuring a Configuring a
Loopback Loopback
Interface. Interface.

IPv4 Addresses
An IPv4 address consists of four binary octets separated by dots. Each octet can be expressed as a decimal number. For example, 10.0.0.1 is an IPv4 address.

• IPv4 address classes
  An IPv4 address consists of the following fields:
  – Network ID field: distinguishes networks from each other. The network ID is called a class field, and network ID bits are called class bits.
  – Host ID field: identifies a host on a network.
  IPv4 addresses have five classes to facilitate address management and networking. Figure 8-1 shows the classes of IPv4 addresses.

  Figure 8-1 IPv4 address classes

  Bit:  0        7        15       23       31
  A     0     | Net-id           | Host-id
  B     10    | Net-id                    | Host-id
  C     110   | Net-id                             | Host-id
  D     1110  | Multicast-address
  E     11110 | Reserved

  Most IPv4 addresses in use belong to class A, B, or C. Class D addresses are multicast addresses. Class E addresses are reserved. For more information, see RFC 1166 "Internet Numbers."
  Some IPv4 addresses are reserved for special use. Table 8-2 lists the range of each class of IPv4 addresses.

Table 8-2 IPv4 address classes and ranges

Class A
  Address Range: 0.0.0.0 to 127.255.255.255
  Available IPv4 Network Range: 1.0.0.0 to 126.255.255.0
  Description: Special class A IPv4 addresses are as follows:
  • IPv4 address with a host ID that is all 0s: a network address used for routing.
  • IPv4 address with a host ID that is all 1s: a broadcast address used to send packets to all hosts on a network.
  • 0.0.0.0: an ineffective destination address only used by a NGFW to send a Dynamic Host Configuration Protocol (DHCP) Discovery request.
  • 127.0.0.0 to 127.255.255.255: reserved for loopback tests. A NGFW sends a packet with an address within this range to the NGFW itself and processes the packet without forwarding it.

Class B
  Address Range: 128.0.0.0 to 191.255.255.255
  Available IPv4 Network Range: 128.0.0.0 to 191.255.255.0
  Description: Special class B IPv4 addresses are as follows:
  • IPv4 address with a host ID that is all 0s: a network address used for routing.
  • IPv4 address with a host ID that is all 1s: a broadcast address used to send packets to all hosts on a network.

Class C
  Address Range: 192.0.0.0 to 223.255.255.255
  Available IPv4 Network Range: 192.0.0.0 to 223.255.255.0
  Description: Special class C IPv4 addresses are as follows:
  • IPv4 address with a host ID that is all 0s: a network address used for routing.
  • IPv4 address with a host ID that is all 1s: a broadcast address used to send packets to all hosts on a network.

Class D
  Address Range: 224.0.0.0 to 239.255.255.255
  Available IPv4 Network Range: None
  Description: Class D IPv4 addresses are multicast addresses.

Class E
  Address Range: 240.0.0.0 to 255.255.255.255
  Available IPv4 Network Range: None
  Description: Class E IPv4 addresses are reserved for future use. 255.255.255.255 is a LAN broadcast address.

• Special IPv4 addresses
  Some special IPv4 addresses exist in real-world situations. Table 8-3 lists special IPv4 addresses.

Table 8-3 Special IPv4 addresses

Net ID | Subnet ID | Host ID   | Used as a Source Address | Used as a Destination Address | Description
All 0s | -         | 0         | Yes | No  | Used by all hosts on a network.
All 0s | -         | host-id   | Yes | No  | Used by specified hosts on a network.
127    | -         | Any value | Yes | Yes | Used as loopback addresses.
All 1s | -         | All 1s    | No  | Yes | Used to broadcast packets but not to forward them.
net-id | -         | All 1s    | No  | Yes | Used to broadcast packets to networks with specified net IDs.
net-id | subnet-id | All 1s    | No  | Yes | Used to broadcast packets to subnets with specified net and subnet IDs.
net-id | All 1s    | All 1s    | No  | Yes | Used to broadcast packets to all subnets with specified net IDs.

NOTE
net-id and subnet-id are non-0 values.


• Private IPv4 addresses
  To help alleviate the problem of exhausting IPv4 addresses, private networks and their hosts, not public networks, are assigned private IPv4 addresses. As defined in RFC 1918, the Internet Assigned Numbers Authority (IANA) has reserved three IPv4 address blocks for private networks. Table 8-4 lists private network IPv4 addresses.

  Table 8-4 Private IPv4 addresses

  Network | IPv4 Address Range
  Class A | 10.0.0.0 to 10.255.255.255
  Class B | 172.16.0.0 to 172.31.255.255
  Class C | 192.168.0.0 to 192.168.255.255
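The class, special-address and private-range rules in Tables 8-2 to 8-4, as an added example (not code from the Huawei guide) that an administrator can run against an address before assigning it to an interface. The `prefix_len` parameter is this example's own assumption: the mask actually configured on the interface, defaulting to the classful length.

```python
"""Classify an IPv4 address against the class, special-address and private
ranges in Tables 8-2 to 8-4.

Added example; not code from the Huawei guide. Class letters follow the
leading bits of the first octet (Figure 8-1), the host-ID checks follow
Table 8-2, and the RFC 1918 blocks are those of Table 8-4. `prefix_len` is an
assumed parameter: the mask configured on the interface, defaulting to the
classful length (8, 16 or 24 bits).
"""
import ipaddress
from typing import Dict, Optional

# RFC 1918 private blocks as listed in Table 8-4.
PRIVATE_BLOCKS = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)
LOOPBACK_BLOCK = ipaddress.ip_network("127.0.0.0/8")


def ipv4_class(addr: str) -> str:
    """Return the classful letter A-E from the leading bits of the first octet:
    0 -> A, 10 -> B, 110 -> C, 1110 -> D, 1111 -> E."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet & 0x80 == 0x00:
        return "A"
    if first_octet & 0xC0 == 0x80:
        return "B"
    if first_octet & 0xE0 == 0xC0:
        return "C"
    if first_octet & 0xF0 == 0xE0:
        return "D"
    return "E"


def classful_prefix_len(cls: str) -> Optional[int]:
    """Default network ID length per class; None for D and E (no host part)."""
    return {"A": 8, "B": 16, "C": 24}.get(cls)


def describe_ipv4(addr: str, prefix_len: Optional[int] = None) -> Dict[str, object]:
    """Flag every special case the guide lists for an address before it is
    assigned to an interface or accepted as a unicast source/destination."""
    ip = ipaddress.IPv4Address(addr)
    cls = ipv4_class(addr)
    bits = prefix_len if prefix_len is not None else classful_prefix_len(cls)
    info: Dict[str, object] = {
        "class": cls,
        "private": any(ip in block for block in PRIVATE_BLOCKS),
        "loopback": ip in LOOPBACK_BLOCK,            # 127.0.0.0 to 127.255.255.255
        "unspecified": int(ip) == 0,                 # 0.0.0.0 (DHCP Discovery)
        "limited_broadcast": int(ip) == 0xFFFFFFFF,  # 255.255.255.255 (LAN broadcast)
        "multicast": cls == "D",
        "network_address": False,                    # host ID all 0s
        "directed_broadcast": False,                 # host ID all 1s
    }
    if bits is not None and 0 < bits < 32:
        host_mask = (1 << (32 - bits)) - 1
        host_id = int(ip) & host_mask
        info["network_address"] = host_id == 0
        info["directed_broadcast"] = host_id == host_mask
    special = ("loopback", "unspecified", "limited_broadcast", "multicast",
               "network_address", "directed_broadcast")
    # Only an address with no special-case flag, and outside the reserved
    # class E range, can be configured as an ordinary unicast host address.
    info["unicast_host"] = cls != "E" and not any(info[k] for k in special)
    return info


if __name__ == "__main__":
    # Constructed sample addresses, one per case of interest.
    for sample in ("10.0.0.1", "192.168.1.0/24", "172.31.255.255/16",
                   "127.0.0.1", "224.0.0.5", "255.255.255.255"):
        addr, _, plen = sample.partition("/")
        print(sample, describe_ipv4(addr, int(plen) if plen else None))
```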


IPv4 Address Assignment

You can use one of the following methods to assign IPv4 addresses to interfaces:
• Static IP
  Specify IPv4 addresses for Layer 3 Ethernet interfaces and their subinterfaces, VLAN interfaces, Eth-Trunk interfaces, and loopback interfaces.
• DHCP
  Configure DHCP to automatically assign IPv4 addresses to Layer 3 Ethernet interfaces and their subinterfaces, VLAN interfaces, and Eth-Trunk interfaces.
• PPPoE
  Configure PPPoE to perform PPP negotiation to assign IPv4 addresses to Layer 3 Ethernet interfaces and their subinterfaces, VLAN interfaces, and Eth-Trunk interfaces.
• Unnumbered IPv4 address mechanism
  Use IP addresses of other interfaces as the IP addresses of tunnel and VT interfaces.

IPv6 Addresses
Internet Protocol Version 6 (IPv6), also called IP Next Generation (IPng), is a set of specifications designed by the Internet Engineering Task Force (IETF).
IPv6 is a second-generation network protocol and an upgraded version of IPv4. Different from IPv4, IPv6 extends an address to 128 bits.
• IPv6 address formats
  IPv6 addresses are expressed in either of the following formats:
  – X:X:X:X:X:X:X:X
    An IPv6 address is divided into eight groups, separated by colons. Each group has 16 bits. Each 16-bit group is represented by four hexadecimal digits, 0 to 9 and A to F. For example, 2031:0000:130F:0000:0000:09C0:876A:130B is an IPv6 address.
    For convenience, all 0s in a group are displayed as a single 0. The example address can be written as 2031:0:130F:0:0:9C0:876A:130B.
    Two or more consecutive groups of 0s can be replaced with an empty group using a pair of colons (::), which helps minimize the IPv6 address length. The example address can also be written as 2031:0:130F::9C0:876A:130B.
    NOTE
    An IPv6 address can only contain a single pair of colons (::). If an IPv6 address contains more than one pair of colons, a NGFW cannot restore the compressed address to the original 128-bit address because it cannot identify the number of zero groups each pair stands for.
  – X:X:X:X:X:X:d.d.d.d
    Each "X" is 16 bits long and consists of four hexadecimal digits. Each "d" is 8 bits long and is presented as a decimal number. "d.d.d.d" is an IPv4 address. The following addresses are expressed in this format:
    – 0:0:0:0:0:0:IPv4-address: an IPv4-compatible IPv6 address. The most significant 96 bits of 0s precede a 32-bit IPv4 address. The IPv4 address must be reachable on an IPv4 network and can only be a unicast address, not a multicast address, a broadcast address, a loopback address, or an unspecified address (0.0.0.0, for example).
      An IPv4-compatible IPv6 address is used to configure an IPv6 over IPv4 tunnel.
    – 0:0:0:0:0:FFFF:IPv4-address: an IPv4-mapped IPv6 address that is mapped to an IPv4 address of an IPv4 node.
  An IPv6 address is divided into two parts:
  – Network prefix: equivalent to the network ID of an IPv4 address.
  – Interface ID: equivalent to the host ID in an IPv4 address. The interface ID length is as follows:
    Interface ID length = 128 bits – n bits, where n is the length of the network ID
  Figure 8-2 illustrates the structure of IPv6 address 2001:A304:6101:1::E0:F726:4E58/64.

  Figure 8-2 IPv6 address 2001:A304:6101:1::E0:F726:4E58/64

  Network Prefix (64 bits) | Interface Identifier (64 bits)
  2001:A304:6101:0001      | 0000:00E0:F726:4E58
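The expansion and compression rules above, including the single-"::" restriction from the NOTE, the X:X:X:X:X:X:d.d.d.d form, and the prefix / interface-ID split of Figure 8-2, as an added example (not code from the Huawei guide; the function names are this example's own).

```python
"""Expand and compress textual IPv6 addresses by the rules in the guide.

Added example; not code from the Huawei guide. It handles both formats the
guide describes (X:X:X:X:X:X:X:X and X:X:X:X:X:X:d.d.d.d), enforces the
single-"::" rule from the NOTE, and splits an address into network prefix and
interface ID as in Figure 8-2. Function names are this example's own.
"""
import re
from typing import List, Tuple

_HEX_GROUP = re.compile(r"[0-9A-Fa-f]{1,4}")


def _embedded_ipv4(dotted: str) -> List[int]:
    """Convert a trailing d.d.d.d part into its two 16-bit groups."""
    octets = dotted.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"bad embedded IPv4 address: {dotted!r}")
    b = [int(o) for o in octets]
    return [(b[0] << 8) | b[1], (b[2] << 8) | b[3]]


def _parse_groups(side: str) -> List[int]:
    """Parse one side of '::' (or a whole address that has no '::')."""
    if side == "":
        return []
    parts = side.split(":")
    groups: List[int] = []
    for index, part in enumerate(parts):
        if "." in part:  # d.d.d.d must be the last part
            if index != len(parts) - 1:
                raise ValueError("embedded IPv4 address must be last")
            groups.extend(_embedded_ipv4(part))
        elif _HEX_GROUP.fullmatch(part):
            groups.append(int(part, 16))
        else:
            raise ValueError(f"bad group: {part!r}")
    return groups


def expand_ipv6(text: str) -> List[int]:
    """Return the eight 16-bit groups of an IPv6 address.

    Raises ValueError when '::' appears more than once: the number of zero
    groups each '::' stands for would be ambiguous, which is why the guide
    says a NGFW cannot restore such an address.
    """
    if text.count("::") > 1 or ":::" in text:
        raise ValueError("an IPv6 address may contain only one '::'")
    if "::" in text:
        left, right = text.split("::")
        head, tail = _parse_groups(left), _parse_groups(right)
        missing = 8 - len(head) - len(tail)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head + [0] * missing + tail
    else:
        groups = _parse_groups(text)
    if len(groups) != 8:
        raise ValueError(f"expected 8 groups, got {len(groups)}")
    return groups


def is_valid_ipv6(text: str) -> bool:
    try:
        expand_ipv6(text)
        return True
    except ValueError:
        return False


def compress_ipv6(groups: List[int]) -> str:
    """Shortest text form: leading zeros dropped in each group and the longest
    run of two or more zero groups replaced by '::'."""
    if len(groups) != 8 or not all(0 <= g <= 0xFFFF for g in groups):
        raise ValueError("need eight 16-bit groups")
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        run_end = i
        while run_end < 8 and groups[run_end] == 0:
            run_end += 1
        if run_end - i > best_len:
            best_start, best_len = i, run_end - i
        i = run_end
    hexes = [format(g, "X") for g in groups]
    if best_len < 2:
        return ":".join(hexes)
    return ":".join(hexes[:best_start]) + "::" + ":".join(hexes[best_start + best_len:])


def split_prefix(groups: List[int], prefix_len: int) -> Tuple[int, int]:
    """(network prefix, interface ID); the interface ID is 128 - prefix_len bits."""
    value = 0
    for g in groups:
        value = (value << 16) | g
    host_bits = 128 - prefix_len
    return value >> host_bits, value & ((1 << host_bits) - 1)
```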

• IPv6 address classification
  IPv6 addresses are classified into unicast, anycast, and multicast addresses.
  – Unicast address: uniquely identifies an interface. An IPv6 unicast address is similar to an IPv4 unicast address. Packets bound for a unicast address are transmitted to the interface uniquely identified by the unicast address.
    Unicast addresses are classified into the following types:
    – Link-local IPv6 unicast addresses
    – Site-local IPv6 unicast addresses
    – Loopback address
    – Unspecified address
    – Global unicast address
    Table 8-5 lists these five types of addresses.
  – Anycast address: identifies a group of interfaces on different nodes. Packets bound for an anycast address reach the interface that is nearest to the source node among the interfaces in the group identified by the anycast address. A routing protocol determines the shortest path.
    NOTE
    A NGFW currently does not support anycast addresses.
  – Multicast address: identifies a group of interfaces on different nodes. A multicast IPv6 address is similar to an IPv4 multicast address. Packets bound for a specified multicast address reach all interfaces identified by the multicast address.
    Although no IPv6 broadcast addresses exist, IPv6 multicast addresses provide broadcast address functions.
• Unicast address types
  A unicast address is used for one-to-one transmission. Similar to a unicast IPv4 address, a unicast IPv6 address only identifies a single interface. Table 8-5 lists the types of IPv6 unicast addresses.

Table 8-5 IPv6 unicast addresses

Link-local IPv6 unicast address
  Binary Prefix: 1111111010
  IPv6 Prefix Notation: FE80::/10
  Remarks: Used by a neighbor discovery protocol or by nodes on a local link to perform stateless address autoconfiguration. Packets with a link-local IPv6 unicast address as a source or destination address are forwarded only on the local link. A link-local IPv6 unicast address can be automatically configured on any interface using the link-local prefix FE80::/10 (1111 1110 10 in binary) and an EUI-64 interface ID.

Site-local IPv6 unicast address
  Binary Prefix: 1111111011
  IPv6 Prefix Notation: FEC0::/10
  Remarks: Defined in RFC 4291 and used as a global unicast address.

Loopback address
  Binary Prefix: 00...1 (128 bits)
  IPv6 Prefix Notation: ::1/128
  Remarks: Functions similarly to the IPv4 loopback address 127.0.0.1. A node sends an IPv6 packet with the loopback address to itself. An IPv6 loopback address is not allocated to any interface. Site-local unicast addresses can be global unicast addresses, unless otherwise specified.

Unspecified address
  Binary Prefix: 00...0 (128 bits)
  IPv6 Prefix Notation: ::/128
  Remarks: Used in the Source Address field of an IPv6 packet sent by an initializing host before the host obtains an address. A Neighbor Solicitation (NS) packet carries the unspecified address in the Source Address field to perform Duplicate Address Detection (DAD). An unspecified address cannot be allocated to any host or used as a destination address.

Global unicast address
  Binary Prefix: Others
  IPv6 Prefix Notation: -
  Remarks: Equivalent to an IPv4 public address. Network service providers use global unicast addresses to aggregate links. The structure of a global unicast address enables route prefix aggregation, which maximizes the number of global routing entries. A global unicast address consists of a 48-bit routing prefix that is managed by an operator, a 16-bit subnet ID that is managed by a local site, and a 64-bit interface ID.

• Interface ID in EUI-64 format
  A 64-bit interface ID in an IPv6 address identifies a unique interface on a link. The interface ID is derived from a 48-bit MAC address. The process for converting a MAC address into an EUI-64 interface ID is as follows:
  1. The hexadecimal number FFFE (1111 1111 1111 1110 in binary) is inserted in the middle of the MAC address.
  2. The U/L bit (the seventh most significant bit) is set to 1.
  3. An EUI-64 interface ID is obtained.
  Figure 8-3 shows the process for converting a MAC address to an EUI-64 interface ID.

  Figure 8-3 Converting a MAC address to an EUI-64 interface ID

  MAC: 0012:3400:ABCD
  Binary:
    00000000 00010010 00110100 00000000 10101011 11001101
  Insert FFFE:
    00000000 00010010 00110100 11111111 11111110 00000000 10101011 11001101
  Set U/L bit:
    00000010 00010010 00110100 11111111 11111110 00000000 10101011 11001101

  EUI-64: 0012:34FF:FE00:ABCD
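The three conversion steps above in code, added here as an example and not taken from the Huawei guide. It inverts the U/L bit as RFC 4291's modified EUI-64 does, which sets the bit to 1 for a vendor-assigned MAC whose bit is 0 and produces the bit pattern of Figure 8-3 (first octet 00000010); it also builds the FE80::/10 link-local address Table 8-5 mentions and reverses the derivation, since an EUI-64 interface ID seen in a log reveals the interface's MAC address. Function names and the accepted MAC spellings are this example's own.

```python
"""Derive an EUI-64 interface ID and a link-local address from a MAC address.

Added example; not code from the Huawei guide. Follows the guide's steps:
insert FFFE in the middle of the 48-bit MAC, then invert the U/L bit (the
seventh most significant bit of the first octet), which sets it to 1 for the
universally administered MACs the guide assumes. Accepts the guide's
0012:3400:ABCD spelling as well as 00:12:34:00:AB:CD and 00-12-34-00-AB-CD.
"""
import re


def parse_mac(mac: str) -> bytes:
    """Strip separators and return the six raw MAC bytes."""
    digits = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return bytes.fromhex(digits)


def mac_to_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier."""
    m = parse_mac(mac)
    # Step 1: split the OUI (first 3 bytes) from the device part, insert FF FE.
    eui = bytearray(m[:3] + b"\xff\xfe" + m[3:])
    # Step 2: invert the U/L bit. 0x02 is the seventh most significant bit of
    # the first octet; for a vendor-assigned MAC it is 0 and becomes 1.
    eui[0] ^= 0x02
    return bytes(eui)  # Step 3: the EUI-64 interface ID


def format_eui64(eui: bytes) -> str:
    """Render as four colon-separated 16-bit hex groups, e.g. 0212:34FF:FE00:ABCD."""
    return ":".join(eui[i:i + 2].hex().upper() for i in range(0, 8, 2))


def link_local_from_mac(mac: str) -> str:
    """FE80::/10 prefix plus the EUI-64 interface ID: the address the guide says
    can be autoconfigured on any interface. Leading zeros in each group are
    dropped, matching the compressed notation used in the guide."""
    eui = mac_to_eui64(mac)
    groups = [int.from_bytes(eui[i:i + 2], "big") for i in range(0, 8, 2)]
    return "FE80::" + ":".join(format(g, "X") for g in groups)


def eui64_to_mac(eui: bytes) -> str:
    """Reverse the derivation, recovering the MAC embedded in an EUI-64 ID."""
    if len(eui) != 8 or eui[3:5] != b"\xff\xfe":
        raise ValueError("not an EUI-64 identifier derived from a MAC address")
    first = eui[0] ^ 0x02
    m = bytes([first]) + eui[1:3] + eui[5:]
    return ":".join(f"{b:02X}" for b in m)


if __name__ == "__main__":
    sample = "0012:3400:ABCD"  # the MAC from Figure 8-3
    print("EUI-64:    ", format_eui64(mac_to_eui64(sample)))
    print("link-local:", link_local_from_mac(sample))
```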

IPv6 Address Assignment

You can use one of the following methods to assign IPv6 addresses to interfaces:

• Static IP
  Specify IPv6 addresses for Layer 3 Ethernet interfaces and their subinterfaces, VLAN interfaces, Eth-Trunk interfaces, and loopback interfaces.
• DHCP
  Configure DHCP to automatically assign IPv6 addresses to Layer 3 Ethernet interfaces and their subinterfaces, VLAN interfaces, and Eth-Trunk interfaces.
• PPPoE
  Configure PPPoE to perform PPP negotiation to assign IPv6 addresses to Layer 3 Ethernet interfaces and their subinterfaces, VLAN interfaces, and Eth-Trunk interfaces.
• Neighbor Discovery (ND) Router Advertisement (RA)
  Configure stateless address autoconfiguration to enable interfaces to obtain IPv6 prefixes from RA messages. The interfaces then combine the IPv6 prefixes with their local interface IDs to form EUI-64 IPv6 addresses.
  The interfaces can be Layer 3 Ethernet interfaces or their subinterfaces, VLAN interfaces, or Eth-Trunk interfaces.

8.1.2 Configuring Interfaces and Interface Pairs Using the Web UI


This section describes how to configure interfaces and interface pairs using the web UI.

8.1.2.1 Configuring a Layer 3 Ethernet Interface


This section describes how to configure a Layer 3 Ethernet interface. A Layer 3 Ethernet interface
supports the routing functions and uses routes to forward packets.


Context
A Layer 3 Ethernet interface uses an IPv4 address to connect to an IPv4 network or an IPv6
address to connect to an IPv6 network.

Procedure
Step 1 Choose Network > Interface.

Step 2 Click in the same line as the interface to be configured.

Step 3 Set the following Ethernet interface parameters.

Interface Name
  Interface type and number. The parameter cannot be modified.

Alias
  Another interface name specified by an administrator. An alias name appears in parentheses next to an interface name but does not appear in logs.

Virtual System
  Name of a virtual system for an interface. The virtual system must exist on the device. This parameter can only be set when Mode is set to Route.

Zone
  Security zone to which an interface is to be assigned. You can directly add an interface to an existing security zone. If the desired security zone does not exist, create one and add the interface to the created security zone. For details, see 8.2.3 Zone Configuration Using the Web UI.

Mode
  Working mode:
  • Route: The interface works at Layer 3. Route is selected in this example.
  • Switch: The interface works at Layer 2.

IPv4:

Connection Type
  Method used by the interface to obtain an IPv4 address in routing mode. This parameter can only be set when Mode is set to Route. Perform one of the following steps to set a connection type:
  • Static IP: specifies an IPv4 address for the interface. For information about static IP address parameters, see Table 8-6.
  • DHCP: allows the interface to run DHCP to automatically obtain an IPv4 address.
  • PPPoE: allows the interface to obtain an IPv4 address through PPP negotiation. For PPPoE parameters, see Table 8-7.

Multi-egress options
  After you select Multi-egress options, the interface functions as an intelligent uplink selection member interface. For details on intelligent uplink selection, see Intelligent Uplink Selection.

Carrier
  Select the name of the ISP directly connected to the interface. Selecting the ISP of the interface is equivalent to binding the interface to an ISP interface group.

Default route
  After you select this option, the NGFW generates a default route in its routing table.
  A default route is a special static route. When the destination address of a data packet does not match any entry in the routing table of the NGFW, the NGFW uses the default route to forward the data packet. Both the destination network address and the subnet mask of the default route are 0.0.0.0.
  If the interface serves as an intranet interface and has the sticky load balancing function enabled, the default route must be canceled. Otherwise, the interface cannot access extranets.

Carrier Route
  After you enable the ISP route function, the NGFW generates static routes in a batch to the ISP network. In the generated static routes, the destination is an IP address in the ISP address file, and the next hop is the gateway address specified on the outbound interface. These static routes are called ISP routes. They have the same priority as common static routes, and the default priority is 60.
  Choose Network > Router > Routing Table to view the generated ISP route entries.

Sticky load balancing
  In the multi-ISP load balancing NAT server scenario, the NGFW looks up the routing table for an outgoing interface to send the return traffic from a server. As a result, the return traffic from the server may take a path on ISP2, although the request to the server takes a link on ISP1. The inconsistent forward and return paths may slow down or even interrupt services. To resolve this issue, configure the sticky load balancing function on the incoming interface of ISP1.
  The NGFW uses the incoming interface of the forward packets as the outgoing interface of the return packets instead of searching for policy-based routes, specific routes, and default routes.
  NOTE
  If equal-cost multipath (ECMP) routes are configured, the sticky load balancing function is enabled by default. Otherwise, configure the sticky load balancing function.

Link Health Check
  Apply the link health check group to the interface.

IPv6:

IPv6
  Enable IPv6 on a specified interface. Enabling IPv6 on the interface is a prerequisite for using IPv6 functions. Choose Dashboard > System Information and enable IPv6 globally to allow the NGFW to forward IPv6 packets.

Connection Type
  Method used by a VLAN interface to obtain an IPv6 address:
  • Static IP: manually specifies an IPv6 address for the VLAN interface. For static IP address parameter descriptions, see Table 8-8.
  • DHCP: uses DHCP to automatically obtain an IPv6 address.
  • PPPoE: uses PPP negotiation to obtain an IPv6 address. For PPPoE parameter descriptions, see Table 8-9.
  • ND-RA: uses ND-RA to obtain an IPv6 address.

Static Neighbor
  Static neighbor address for a VLAN interface. This setting allows a neighbor relationship to be established and enables a device to resolve the neighbor IPv6 address into a data link layer address.

Interface Bandwidth:

Upstream Bandwidth
  Maximum bandwidth for upstream traffic on the interface.

Downstream Bandwidth
  Maximum bandwidth for downstream traffic on the interface.

Overload Protection Threshold
  Bandwidth usage of the link. After you select Multi-egress options, you can set overload protection thresholds for the inbound and outbound bandwidths of the interface. If an interface is overloaded, the interface no longer participates in intelligent uplink selection.

Management Access:

Management Access
  This function allows an administrator to access a NGFW using HTTP, HTTPS, ping, SSH, SNMP, or Telnet. Interface access control takes precedence over security policies. This means that an administrator can use an access control-enabled interface to access a NGFW even if no security policy is configured for communication between the zone of the interface and the local zone.
  This parameter can only be set when Mode is set to Route.
  Select one of the following parameters:
  • HTTP: allows an administrator to use a web browser (HTTP) to access a device through a VLAN interface. If HTTP is not selected, the interface discards HTTP packets after receiving them. This parameter takes effect only after the HTTP service is enabled.
  • HTTPS: allows an administrator to use a web browser (HTTPS) to access a device through a VLAN interface. If HTTPS is not selected, the interface discards HTTPS packets after receiving them. This parameter takes effect only after the HTTPS service is enabled.
  • Ping: allows a VLAN interface to respond to ping requests. A ping checks interface connectivity. If Ping is not selected, the ping function is disabled.
  • SSH: allows an administrator to use SSH to access a device through a VLAN interface. If SSH is not selected, the interface discards SSH packets after receiving them.
  • SNMP: allows administrators to use an SNMP NMS to access a device through a VLAN interface. If SNMP is not selected, the interface discards SNMP packets after receiving them.
  • Telnet: allows an administrator to use Telnet to access a device through a VLAN interface. If Telnet is not selected, the interface discards Telnet packets after receiving them.
  By default, the management interface (GE0/0/0) allows HTTP, HTTPS, ping, SSH, SNMP, and Telnet access to a NGFW, and a non-management interface denies HTTP, HTTPS, ping, SSH, SNMP, and Telnet access to a NGFW.

Advanced:
Negotiation
  If you deselect this parameter, the interface no longer works in auto-negotiation mode. Disable auto-negotiation mode before you configure the interface rate and duplex mode. This configuration takes effect on Ethernet electrical interfaces.

Speed
  Transmission rate of the Ethernet interface:
  • 10M: 10 Mbit/s
  • 100M: 100 Mbit/s
  • 1000M: 1000 Mbit/s
  The transmission rate of an Ethernet interface must be the same as that on the peer end.

Duplex
  Working mode of the Ethernet interface:
  • Half: enables the interface to work in half-duplex mode. An interface working in half-duplex mode can either send or receive data packets at a given time, but not both at once.
  • Full: enables the interface to work in full-duplex mode. An interface working in full-duplex mode can send and receive data packets at the same time.
  The working mode of an Ethernet interface must be the same as that on the peer end.
  This parameter is required only when Speed is set to 10M or 100M.

MTU
  Maximum transmission unit of the interface. After the MTU of an interface is modified, you need to restart the interface for the new MTU to take effect. This parameter can only be set when Mode is set to Route.
Table 8-6 Static IPv4 address parameters

IP Address
  IPv4 address of an interface. The value must be different from the IPv4 addresses of other interfaces on the same device or of other devices on the same network.

Default Gateway
  IP address of the default gateway of an interface. The default gateway must be on the same network segment as the IPv4 address of the interface. This setting allows the device to generate a default IPv4 route, in which the current interface functions as the outbound interface and the default gateway functions as the next hop.

Preferred DNS server
  IP address of the preferred DNS server. The configuration completed here is automatically synchronized to DNS Server List in Network > DNS > DNS.

Alternate DNS server
  IP address of the alternate DNS server. The configuration completed here is automatically synchronized to DNS Server List in Network > DNS > DNS.

Table 8-7 IPv4 PPPoE parameters

User Name
  User name for PPPoE dial-up. The user name is provided by an ISP.

Password
  Password for PPPoE dial-up. The password is provided by an ISP.

Online Mode
  PPPoE dial-up mode:
  • Always Online: A device automatically attempts to dial up to a peer end once a physical link connected to the peer end is Up. If the dial-up connection attempt fails, the device automatically re-attempts to dial up at specified intervals. Automatic dial-up applies when the traffic volume and online duration are not restricted, such as with the yearly-payment service.
  • Automatic disconnection after an idle period: A device sets up a link only when there is data to be transmitted. If an established PPPoE link has no traffic to transmit and the specified link idle period elapses, the device disconnects the PPPoE link. This dial-up mode applies when the traffic volume and online duration are set, such as with the payment-by-traffic service. The payment-by-traffic service allows a specified amount of traffic to be transmitted within a specified period.
  If you select Automatic disconnection after an idle period, you must also specify a link idle period.

Obtain an IP Address Automatically
  Obtain an IPv4 address that a PPPoE server assigns after negotiating with a PPPoE client on a PPP link. The IPv4 address to be assigned must be specified on the PPPoE server.

Use the Following IP Address
  Set an IPv4 address statically. This method requires the input of an IPv4 address in IP Address. The IPv4 address must be one that a PPPoE server can assign.

Obtain DNS Server Address Automatically
  Obtain a DNS address that a PPPoE server assigns after negotiating with a PPPoE client on a PPP link.

Use the Following DNS Server Addresses
  Statically set a DNS address. This method requires the input of DNS server addresses in Primary DNS Server and Secondary DNS Server.

Table 8-8 Static IPv6 address parameters

IPv6 Address
  IPv6 address of a VLAN interface. The IPv6 address must be unique on a network.

Advertising RA Messages
  Enable a device to periodically advertise RA messages, which contain the prefix option and flag bits, to announce the existence of the device.

Table 8-9 IPv6 PPPoE parameters

User Name
  User name for PPPoE dial-up. The user name is provided by an ISP.

Password
  Password for PPPoE dial-up. The password is provided by an ISP.

Online Mode
  PPPoE dial-up mode:
  • Always Online: A device automatically attempts to dial up to a peer end once a physical link connected to the peer end is Up. If the dial-up connection attempt fails, the device automatically re-attempts to dial up at specified intervals. Automatic dial-up applies when the traffic volume and online duration are not restricted, such as with the yearly-payment service.
  • Automatic disconnection after an idle period: A device sets up a link only when there is data to be transmitted. If an established PPPoE link has no traffic to transmit and the specified link idle period elapses, the device disconnects the PPPoE link. This dial-up mode applies when the traffic volume and online duration are set, such as with the payment-by-traffic service. The payment-by-traffic service allows a specified amount of traffic to be transmitted within a specified period.
  If you select Automatic disconnection after an idle period, you must also specify a link idle period.

Step 4 Click OK.

----End

Follow-up Procedure
• Check the interface status.
  1. Choose Network > Interface.
  2. Verify that the physical, IPv4, and IPv6 statuses of the VLAN interface are Up.
• Enable or disable the interface.
  1. Choose Network > Interface.
  2. Perform either of the following operations as needed:
     – To enable the interface, select the Enable check box of the interface.
     – To disable the interface, clear the Enable check box of the interface.

8.1.2.2 Configuring a Layer 2 Ethernet Interface


This section describes how to configure a Layer 2 Ethernet interface that forwards Layer 2
frames.

Context
Ensure that you have performed the following operations:
- Select an Ethernet interface and switch it to Layer 2 mode.

- Assign the interface to a specific VLAN. For more information about VLANs, see 8.11
VLAN.
- Configure interface parameters, such as a duplex mode and a transmission rate.

NOTICE
If the interfaces work at Layer 2 and IPv6 needs to be processed on the NGFW, choose
Dashboard > System Information to enable the global IPv6 function.

Procedure
Step 1 Choose Network > Interface.

Step 2 Click for the interface.

Step 3 Set the following Ethernet interface parameters.

Parameter Description

Interface Name Interface type and number.
This parameter cannot be modified.

Alias Another name for an interface.
The alias is not part of the interface name. A configured alias
appears in the (alias) format next to the interface name,
but does not appear in logs.

Zone Security zone to which an interface is to be assigned.
You can directly add an interface to an existing security zone. If
the desired security zone does not exist, create one and assign the
interface to it. For details, see 8.2.3 Zone Configuration Using
the Web UI.

Mode Layer at which the interface works and whether to enable bypass
detection when the interface works at Layer 2:
- Select Switch to enable the interface to work at Layer 2 and
disable bypass detection.
- Select Bypass to enable the interface to work at Layer 2 and
enable bypass detection.
After bypass detection is enabled, the device detects packets
received on this interface and then discards them.
When a Layer 3 Ethernet interface is configured to work in Layer
2 mode or bypass mode, the device automatically clears specific
configurations of the interface, such as DHCP, DDNS, and route
configurations, and retains others, such as HRP heartbeat
interface configurations. If the interface is specified as a
heartbeat interface, it cannot be configured to work in Layer 2
mode. Therefore, before you configure a Layer 3 Ethernet
interface to work in Layer 2 mode or bypass mode, ensure that
the interface has no configuration.

Connection Type Link type of a Layer 2 Ethernet interface:
- Access: Access interfaces belong to a single VLAN and send
and receive packets within this VLAN. These interfaces are
connected to PCs.
NOTE
When the link type of a Layer 2 Ethernet interface is Access, the
virtual system to which the VLAN of the interface belongs and the
virtual system to which the configured security zones belong are the
same one.
- Trunk: Trunk interfaces belong to multiple VLANs and send
and receive packets between these VLANs. These interfaces
are connected to devices.
- Hybrid: Hybrid interfaces belong to multiple VLANs and
send and receive packets in these VLANs. These interfaces
can be connected to both PCs and devices.
A hybrid interface sends untagged packets of multiple VLANs,
while a trunk interface sends untagged packets only from the
default VLAN.

Access VLAN ID ID of the VLAN to which an access interface belongs. This
parameter is set only when Connection Type is set to Access.

Trunk VLAN ID IDs of the VLANs to which a trunk interface belongs. This parameter
is set only when Connection Type is set to Trunk.
A trunk interface joins multiple VLANs and connects to a
network device. To allow all packets from one or more VLANs
to pass through a trunk interface, specify their VLAN IDs in Trunk
VLAN ID.


Default VLAN ID Default VLAN ID of a trunk interface. This parameter is set only
when Connection Type is set to Trunk.

Hybrid VLAN ID (With VLAN Tag) ID of a VLAN to which a hybrid interface belongs. A hybrid
interface sends tagged frames with the specified VLAN ID. This
parameter is set only when Connection Type is set to Hybrid.

Hybrid VLAN ID (Without VLAN Tag) ID of a VLAN to which a hybrid interface belongs. A hybrid
interface sends untagged frames with the specified VLAN ID. This
parameter is set only when Connection Type is set to Hybrid.

Default VLAN ID Default VLAN ID of a hybrid interface. This parameter is set
only when Connection Type is set to Hybrid.

Interface Bandwidth

Upstream Bandwidth Maximum bandwidth for upstream traffic on the interface.

Downstream Bandwidth Maximum bandwidth for downstream traffic on the interface.

Advanced

Negotiation If you deselect this parameter, the interface is disabled from
working in auto-negotiation mode.
Disable the interface from working in auto-negotiation mode
before you configure the interface rate and duplex mode.
This configuration takes effect on the Ethernet electrical
interface.

Speed Transmission rate of a Layer 2 Ethernet interface:
- 10M: 10 Mbit/s
- 100M: 100 Mbit/s
- 1000M: 1000 Mbit/s
The transmission rate of the Layer 2 Ethernet interface must be
the same as that on the peer end.

Duplex Duplex mode of the Layer 2 Ethernet interface:
- Half: enables the interface to either send or receive data
packets at a time, but not both.
- Full: enables the interface to send and receive data packets
simultaneously.
An Ethernet interface must work in the same mode as its peer
interface.
This parameter is required only when Speed is set to 10M or
100M.

Step 4 Click OK.


----End
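The parameter descriptions above carry several dependencies (VLAN ID fields that are valid only for one Connection Type, an HRP heartbeat interface that cannot be moved to Layer 2, Speed and Duplex that require auto-negotiation to be disabled, Duplex that matters only at 10M/100M). The checker below is an added example, not Huawei code: the L2Interface record, the field names and the one-tagged-or-untagged rule for hybrid VLANs are assumptions of this example.

```python
"""Consistency checks for the Layer 2 Ethernet interface parameters
described in this section.  Added example, not Huawei code: the
L2Interface record and its field names are assumptions of this example."""
from dataclasses import dataclass, field
from typing import List, Optional

VLAN_MIN, VLAN_MAX = 1, 4094          # usable IEEE 802.1Q VLAN ID range


@dataclass
class L2Interface:
    name: str
    mode: str                          # "Switch" or "Bypass"
    connection_type: str               # "Access", "Trunk" or "Hybrid"
    access_vlan: Optional[int] = None
    trunk_vlans: List[int] = field(default_factory=list)
    default_vlan: Optional[int] = None
    hybrid_tagged: List[int] = field(default_factory=list)
    hybrid_untagged: List[int] = field(default_factory=list)
    negotiation: bool = True           # auto-negotiation enabled
    speed: Optional[str] = None        # "10M", "100M" or "1000M"
    duplex: Optional[str] = None       # "Half" or "Full"
    hrp_heartbeat: bool = False        # interface is an HRP heartbeat interface


def _invalid_vlans(vlans: List[int]) -> List[int]:
    return [v for v in vlans if not VLAN_MIN <= v <= VLAN_MAX]


def check_l2_interface(i: L2Interface) -> List[str]:
    """Return the list of rule violations; an empty list means consistent."""
    problems: List[str] = []
    if i.mode not in ("Switch", "Bypass"):
        problems.append(f"Mode must be Switch or Bypass, got {i.mode!r}")
    # A heartbeat interface cannot be configured to work in Layer 2 mode.
    if i.hrp_heartbeat:
        problems.append("HRP heartbeat interface cannot work in Layer 2 mode")

    # Each VLAN ID field is set only for its own Connection Type.
    has_access = i.access_vlan is not None
    has_trunk = bool(i.trunk_vlans)
    has_hybrid = bool(i.hybrid_tagged or i.hybrid_untagged)
    if i.connection_type == "Access":
        if not has_access:
            problems.append("Access VLAN ID is required when Connection Type is Access")
        if has_trunk or has_hybrid or i.default_vlan is not None:
            problems.append("Trunk/Hybrid VLAN fields are set but Connection Type is Access")
    elif i.connection_type == "Trunk":
        if not has_trunk:
            problems.append("Trunk VLAN ID is required when Connection Type is Trunk")
        if has_access or has_hybrid:
            problems.append("Access/Hybrid VLAN fields are set but Connection Type is Trunk")
    elif i.connection_type == "Hybrid":
        if not has_hybrid:
            problems.append("Hybrid VLAN ID (tagged or untagged) is required for Hybrid")
        if has_access or has_trunk:
            problems.append("Access/Trunk VLAN fields are set but Connection Type is Hybrid")
        # Assumption of this example: a VLAN is tagged or untagged on a
        # hybrid interface, not both.
        both = sorted(set(i.hybrid_tagged) & set(i.hybrid_untagged))
        if both:
            problems.append(f"VLANs listed as both tagged and untagged: {both}")
    else:
        problems.append(f"unknown Connection Type {i.connection_type!r}")

    all_vlans = (([i.access_vlan] if has_access else [])
                 + i.trunk_vlans + i.hybrid_tagged + i.hybrid_untagged
                 + ([i.default_vlan] if i.default_vlan is not None else []))
    bad = _invalid_vlans(all_vlans)
    if bad:
        problems.append(f"VLAN IDs outside {VLAN_MIN}-{VLAN_MAX}: {bad}")

    # Speed/Duplex: auto-negotiation must be disabled first, and Duplex is
    # required only at 10M or 100M.
    if (i.speed or i.duplex) and i.negotiation:
        problems.append("disable auto-negotiation before setting Speed or Duplex")
    if i.speed is not None and i.speed not in ("10M", "100M", "1000M"):
        problems.append(f"Speed must be 10M, 100M or 1000M, got {i.speed!r}")
    if i.speed in ("10M", "100M") and i.duplex is None:
        problems.append("Duplex is required when Speed is 10M or 100M")
    if i.duplex is not None and i.duplex not in ("Half", "Full"):
        problems.append(f"Duplex must be Half or Full, got {i.duplex!r}")
    return problems


if __name__ == "__main__":
    # Constructed sample: trunk interface with a fixed 100M full-duplex link.
    sample = L2Interface(name="GE1/0/1", mode="Switch", connection_type="Trunk",
                         trunk_vlans=[10, 20], default_vlan=10,
                         negotiation=False, speed="100M", duplex="Full")
    print(check_l2_interface(sample) or "consistent")
```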


Follow-up Procedure
- Check the interface status.
1. Choose Network > Interface.
2. Check the physical status of the interface.
- Enable or disable the interface.
1. Choose Network > Interface.
2. Perform either of the following operations as needed:
– To enable the interface, select the Enable check box.
– To disable the interface, clear the Enable check box.

8.1.2.3 Configuring a Layer 3 Ethernet Subinterface


This section describes how to configure a Layer 3 Ethernet subinterface.

Context
Subinterfaces are logical or virtual interfaces created on a physical interface. Subinterfaces share
the physical parameters of the physical interface on which they are created. However,
subinterfaces have their own data link layer and network layer parameters. A subinterface status
change does not affect the main interface status, whereas a main interface status change affects
the subinterface status. Subinterfaces work properly only when their main interface is in the Up
state.

Subinterfaces can be created on Layer 3 Ethernet and Eth-Trunk interfaces. To distinguish
VLAN packets on a Layer 3 Ethernet interface or an Eth-Trunk interface, configure subinterfaces
with different VLAN IDs. Each subinterface with a specific VLAN ID forwards packets carrying
the VLAN ID, which provides configuration flexibility.

Procedure
Step 1 Choose Network > Interface.

Step 2 Click Add.

Step 3 Set the following subinterface parameters.

Parameter Description

Interface Name Alias name for a subinterface.

Type Type of a subinterface to be created.
When creating a subinterface, set this parameter to
Subinterface.

Primary Interface Type and number of a Layer 3 interface to which the new
subinterface belongs.

Virtual System Name of a virtual system for a subinterface.
The virtual system must exist on the device.


Zone Security zone to which a subinterface is to be added.
You can directly add a subinterface to an existing security zone.
However, if the desired security zone does not exist, create one
and then add the subinterface to it. For details, see 8.2.3 Zone
Configuration Using the Web UI.

Mode Subinterface working mode:
- Route: The interface works at Layer 3. In this example,
Route is selected.
- Switch: The interface works at Layer 2.

VLAN Tag ID of a VLAN to which a subinterface belongs. Traffic on
subinterfaces of a physical interface is distinguished by VLANs.

IPv4

Connection Type Method for a subinterface to obtain an IPv4 address:
- Static IP: allows an administrator to specify an IPv4 address
for the interface. For static IP address parameter descriptions,
see Table 8-10.
- DHCP: uses DHCP to automatically obtain an IPv4 address.
- PPPoE: uses PPP negotiation to obtain an IPv4 address. For
PPPoE parameter descriptions, see Table 8-11.

Multi-egress options After you select Multi-egress options, the interface will function
as an intelligent uplink selection member interface.
For details on intelligent uplink selection, see Intelligent Uplink
Selection.

Carrier Select the name of the ISP directly connected to the interface.
Selecting the ISP of the interface is equivalent to binding the interface
to an ISP interface group.

Default route After you select this option, the NGFW will generate a default
route in its routing table.
A default route is a special static route. When the destination
address of a data packet does not match any route in the routing table
of the NGFW, the NGFW uses the default route to forward the data
packet. Both the destination network address and the subnet mask
of the default route are 0.0.0.0.
If the interface serves as an intranet interface and has the sticky
load balancing function enabled, the default route must be
canceled. Otherwise, the interface cannot access extranets.


Carrier Route After you enable the ISP route function, the NGFW will generate
static routes in a batch to the ISP network. In the generated static
routes, the destination is an IP address in the ISP address file, and
the next hop is the gateway address specified on the outbound
interface. These static routes are called ISP routes. They have the
same priority as common static routes, and the default priority is
60.
Choose Network > Router > Routing Table to view the
generated ISP route entries.

Sticky load balancing In the multi-ISP load balancing NAT server scenario, the
NGFW looks up the routing table for an outgoing interface to
send the return traffic from a server. As a result, the return traffic
from the server may take a path on ISP2, although the request to
the server takes a link on ISP1. The inconsistent forward and
return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function
on the incoming interface of ISP1.
The NGFW uses the incoming interface of the forward packets
as the outgoing interface of return packets instead of searching
for policy-based routes, specific routes, and default routes.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load
balancing function is enabled by default. Otherwise, configure the sticky
load balancing function.

Link Health Check Apply the link health check group to the interface.

IPv6

IPv6 Enable IPv6 on the specified interface.
Enabling IPv6 on the interface is a prerequisite for using IPv6
functions. Choose Dashboard > System Information and
enable IPv6 globally to allow the NGFW to forward IPv6
packets.

Connection Type Method for a subinterface to obtain an IPv6 address:
- Static IP: manually specifies an IPv6 address for the
interface. For static IP address parameter descriptions, see
Table 8-12.
- DHCP: uses DHCP to automatically obtain an IPv6 address.
- PPPoE: uses PPP negotiation to obtain an IPv6 address. For
PPPoE parameter descriptions, see Table 8-13.
- ND-RA: uses ND-RA to obtain an IPv6 address.


Static Neighbor Static neighbor address for a subinterface.
This setting allows a neighbor relationship to be established and
enables a device to resolve the neighbor IPv6 address into a data
link layer address.

Interface Bandwidth

Upstream Bandwidth Maximum bandwidth for upstream traffic on the interface.

Downstream Bandwidth Maximum bandwidth for downstream traffic on the interface.

Overload Protection Threshold Bandwidth usage of the link.
After you select Multi-egress options, you can set overload
protection thresholds for the inbound and outbound bandwidths
of the interface. If an interface is overloaded, the interface no
longer participates in intelligent uplink selection.

Management Access


Management Access This function allows an administrator to access an NGFW using
HTTP, HTTPS, ping, SSH, SNMP, or Telnet. Interface access
control takes precedence over security policies. This means that
an administrator can use an access control-enabled interface to
access an NGFW even if no security policy is configured for
communication between the zone of the interface and the local
zone.
This parameter is set only when Mode is set to Route.
Select one of the following parameters:
- HTTP: allows an administrator to use the web browser
(HTTP) to access a device through a subinterface. If HTTP
is not selected, the subinterface discards HTTP packets after
receiving them. This parameter takes effect only after the
HTTP service is enabled.
- HTTPS: allows an administrator to use the web browser
(HTTPS) to access a device through a subinterface. If
HTTPS is not selected, the subinterface discards HTTPS
packets after receiving them. This parameter takes effect only
after the HTTPS service is enabled.
- Ping: allows a subinterface to respond to ping requests. A
ping checks interface connectivity. If Ping is not selected, the
ping function is disabled.
- SSH: allows an administrator to use SSH to access a device
through a subinterface. If SSH is not selected, the
subinterface discards SSH packets after receiving them.
- SNMP: allows administrators to use an SNMP NMS to access
a device through a subinterface. If SNMP is not selected, the
subinterface discards SNMP packets after receiving them.
- Telnet: allows an administrator to use Telnet to access a
device through a subinterface. If Telnet is not selected, the
subinterface discards Telnet packets after receiving them.
By default, the management interface (GE0/0/0) allows HTTP,
HTTPS, ping, SSH, SNMP, and Telnet access to an NGFW, and
a non-management interface denies HTTP, HTTPS, ping, SSH,
SNMP, and Telnet access to an NGFW.

Table 8-10 Static IPv4 address parameters

Parameter Description

IP Address IPv4 address of a subinterface.
The IPv4 address must be unique on a network.


Default Gateway IP address of the default gateway of a subinterface.
The default gateway must be on the same network segment as
the IPv4 address of the subinterface.
This setting allows the device to generate a default IPv4 route,
in which the current subinterface functions as an outbound
interface, and the default gateway functions as a next hop.

Preferred DNS server IP address of the preferred DNS server.
The configurations completed here will be automatically
synchronized to DNS Server List in Network > DNS > DNS.

Alternate DNS server IP address of the alternate DNS server.
The configurations completed here will be automatically
synchronized to DNS Server List in Network > DNS > DNS.

Table 8-11 IPv4 PPPoE parameters

Parameter Description

User Name User name for PPPoE dial-up.
The user name is provided by an ISP.

Password Password for PPPoE dial-up.
The password is provided by an ISP.

Online Mode PPPoE dial-up mode:
- Always Online: A device automatically attempts to dial up
to a peer end once a physical link connected to the peer end
is Up. If the dial-up connection attempt fails, the device
automatically re-attempts to dial up at specified intervals.
Automatic dial-up applies when the traffic volume and online
duration are not restricted, such as with the yearly-payment
service.
- Automatic disconnection after an idle period: A device
sets up a link only when there is data to be transmitted. If an
established PPPoE link has no traffic to transmit and the
specified link idle period elapses, the device disconnects the
PPPoE link. This dial-up mode applies when the traffic
volume and online duration are set, such as with the
payment-by-traffic service. The payment-by-traffic service allows a
specified amount of traffic to be transmitted within a specified
period.
If you select Automatic disconnection after an idle
period, you must also specify a link idle period.


Obtain an IP Address Automatically Obtain an IPv4 address that a PPPoE server assigns after
negotiating with a PPPoE client on a PPP link. The IPv4 address
to be assigned must be specified on the PPPoE server.

Use the Following IP Address Set an IPv4 address statically. This method requires the input of
a fixed IPv4 address in IP Address. The IPv4 address to be
entered is the one that a PPPoE server can assign.

Obtain DNS Server Address Automatically Obtain a DNS address that a PPPoE server assigns after
negotiating with a PPPoE client on a PPP link.

Use the Following DNS Server Addresses Statically set a DNS address. This method requires the input of
DNS server addresses in Primary DNS Server and Secondary
DNS Server.

Table 8-12 Static IPv6 address parameters

Parameter Description

IPv6 Address IPv6 address of a subinterface.
The IPv6 address must be unique on a network.

Default Gateway IP address of the default gateway of a subinterface.
The default gateway must be on the same network segment as
the IPv6 address of the interface.
This setting allows the device to generate a default IPv6 route,
in which the default gateway functions as a next hop.

Advertising RA Messages Enable a device to periodically advertise RA messages, which
contain the prefix option and flag bits, to announce the existence
of the device.

Table 8-13 IPv6 PPPoE parameters

Parameter Description

User Name User name for PPPoE dial-up.
The user name is provided by an ISP.

Password Password for PPPoE dial-up.
The password is provided by an ISP.


Online Mode PPPoE dial-up mode:
- Always Online: A device automatically attempts to dial up
to a peer end once a physical link connected to the peer end
is Up. If the dial-up connection attempt fails, the device
automatically re-attempts to dial up at specified intervals.
Automatic dial-up applies when the traffic volume and online
duration are not restricted, such as with the yearly-payment
service.
- Automatic disconnection after an idle period: A device
sets up a link only when there is data to be transmitted. If an
established PPPoE link has no traffic to transmit and the
specified link idle period elapses, the device disconnects the
PPPoE link. This dial-up mode applies when the traffic
volume and online duration are set, such as with the
payment-by-traffic service. The payment-by-traffic service allows a
specified amount of traffic to be transmitted within a specified
period.
If you select Automatic disconnection after an idle
period, you must also specify a link idle period.

Step 4 Click OK.


If the operation is successful, the new subinterface is displayed among Layer 3 interfaces in
Interface List.
Repeat previous steps to create other subinterfaces.
----End

Follow-up Procedure
- Check the subinterface status.
1. Choose Network > Interface.
2. Verify that the physical, IPv4, and IPv6 statuses of the subinterface are Up.
- Enable or disable the interface.
1. Choose Network > Interface.
2. Perform either of the following operations as needed:
– To enable the interface, select the Enable check box.
– To disable the interface, clear the Enable check box.

8.1.2.4 Configuring a Layer 2 Ethernet Subinterface


This section describes how to configure a Layer 2 Ethernet subinterface.

Context
Subinterfaces are logical or virtual interfaces created on a physical interface. Subinterfaces share
the physical parameters of the physical interface on which they are created. However,
subinterfaces have their own data link layer and network layer parameters. A subinterface status
change does not affect the main interface status, whereas a main interface status change affects
the subinterface status. Subinterfaces work properly only when their main interface is in the Up
state.

The device supports creating subinterfaces on Layer 2 Ethernet and Layer 2 Eth-Trunk interfaces.
Using a subinterface to terminate a VLAN allows for inter-VLAN forwarding.

Procedure
Step 1 Choose Network > Interface.

Step 2 Click Add.

Step 3 Set the following subinterface parameters.

Parameter Description

Interface Name Alias name for a subinterface.

Type Type of a subinterface to be created.
When creating a subinterface, set this parameter to
Subinterface.

Primary Interface Type and number of a Layer 2 interface to which the new
subinterface belongs.

Virtual System Name of a virtual system for a subinterface.
The virtual system must exist on the device.

Zone Security zone to which a subinterface is to be added.
You can directly add a subinterface to an existing security zone.
However, if the desired security zone does not exist, create one
and then add the subinterface to it. For details, see 8.2.3 Zone
Configuration Using the Web UI.

Mode Layer at which the interface works and whether to enable bypass
detection when the interface works at Layer 2:
- Select Switch to enable the interface to work at Layer 2 and
disable bypass detection.
- Select Bypass to enable the interface to work at Layer 2 and
enable bypass detection.
After bypass detection is enabled, the device detects packets
received on this interface and then discards them.

VLAN Tag Specifies the VLAN tag (ID of the VLAN to which the new
subinterface belongs). Each subinterface receives or forwards
only packets that carry the specified VLAN tag.

Access VLAN ID Specifies the access VLAN ID. Subinterfaces must be added to
the same VLAN to communicate with each other.

Interface Bandwidth


Upstream Bandwidth Maximum bandwidth for upstream traffic on the interface.

Downstream Bandwidth Maximum bandwidth for downstream traffic on the interface.

Step 4 Click OK.

If the operation is successful, the new subinterface is displayed among Layer 2 interfaces in
Interface List.

Repeat previous steps to create other subinterfaces.

----End

Follow-up Procedure
- Check the subinterface status.
1. Choose Network > Interface.
2. Verify that the physical, IPv4, and IPv6 statuses of the subinterface are Up.
- Enable or disable the interface.
1. Choose Network > Interface.
2. Perform either of the following operations as needed:
– To enable the interface, select the Enable check box.
– To disable the interface, clear the Enable check box.

8.1.2.5 Configuring a VLAN Interface


This section describes how to configure a virtual local area network (VLAN) interface. VLAN
interfaces transmit packets between VLANs.

Context
A LAN can be divided into logical broadcast domains. A broadcast domain is a VLAN. Devices
on a LAN logically belong to different VLANs, regardless of their physical locations.

When hosts on a VLAN need to communicate with a device at the network layer, you can create
a VLAN interface on the device. The VLAN interface functions as a Layer 3 interface to provide
Layer 3 functions, such as IPv4 or IPv6 address settings.

Procedure
Step 1 Choose Network > Interface.

Step 2 Click Add.

Step 3 Set the following VLAN parameters.

Parameter Description

Interface Name Alias name for a VLAN interface.

Type Type of a VLAN interface to be created.
When you create a VLAN interface, set this parameter to
VLAN.

Virtual System Name of a virtual system for a VLAN interface.
The virtual system must exist.

Zone Security zone to which a VLAN interface is to be assigned.
You can directly assign a VLAN interface to an existing security
zone. If the desired security zone does not exist, create one and
assign the VLAN interface to it. For details, see 8.2.3 Zone
Configuration Using the Web UI.

VLAN ID ID of a VLAN interface. If the specified VLAN does not exist,
the system automatically creates the VLAN when the VLAN
interface is created.

Interface Members Number of a Layer 2 interface to be assigned to a VLAN.
A Layer 2 interface can only be assigned to a single VLAN. If a
Layer 3 interface is used, switch its Mode from Route to
Switch before assigning the interface to a VLAN.
Select either of the following operations:
- In Available, select the desired interface and click to add
it to the VLAN.
- In Select, select the desired interface and click to remove
the interface from a VLAN.

IPv4

Connection Type Method used by a VLAN interface to obtain an IPv4 address:
- Static IP: allows an administrator to specify an IPv4 address
for the VLAN interface. For static IP address parameter
descriptions, see Table 8-14.
- DHCP: uses DHCP to automatically obtain an IPv4 address.
- PPPoE: uses PPP negotiation to obtain an IPv4 address. For
PPPoE parameter descriptions, see Table 8-15.

Multi-egress options After you select Multi-egress options, the interface will function
as an intelligent uplink selection member interface.
For details on intelligent uplink selection, see Intelligent Uplink
Selection.

Carrier Select the name of the ISP directly connected to the interface.
Selecting the ISP of the interface is equivalent to binding the interface
to an ISP interface group.


Default route After you select this option, the NGFW will generate a default
route in its routing table.
A default route is a special static route. When the destination
address of a data packet does not match any route in the routing table
of the NGFW, the NGFW uses the default route to forward the data
packet. Both the destination network address and the subnet mask
of the default route are 0.0.0.0.
If the interface serves as an intranet interface and has the sticky
load balancing function enabled, the default route must be
canceled. Otherwise, the interface cannot access extranets.

Carrier Route After you enable the ISP route function, the NGFW will generate
static routes in a batch to the ISP network. In the generated static
routes, the destination is an IP address in the ISP address file, and
the next hop is the gateway address specified on the outbound
interface. These static routes are called ISP routes. They have the
same priority as common static routes, and the default priority is
60.
Choose Network > Router > Routing Table to view the
generated ISP route entries.

Sticky load balancing In the multi-ISP load balancing NAT server scenario, the
NGFW looks up the routing table for an outgoing interface to
send the return traffic from a server. As a result, the return traffic
from the server may take a path on ISP2, although the request to
the server takes a link on ISP1. The inconsistent forward and
return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function
on the incoming interface of ISP1.
The NGFW uses the incoming interface of the forward packets
as the outgoing interface of return packets instead of searching
for policy-based routes, specific routes, and default routes.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load
balancing function is enabled by default. Otherwise, configure the sticky
load balancing function.

Link Health Check Apply the link health check group to the interface.

IPv6

IPv6 Enable IPv6 on the specified interface.
Enabling IPv6 on the interface is a prerequisite for using IPv6
functions. Choose Dashboard > System Information and
enable IPv6 globally to allow the NGFW to forward IPv6
packets.


Connection Type Method used by a VLAN interface to obtain an IPv6 address:
- Static IP: manually specifies an IPv6 address for the VLAN
interface. For static IP address parameter descriptions, see
Table 8-16.
- DHCP: uses DHCP to automatically obtain an IPv6 address.
- PPPoE: uses PPP negotiation to obtain an IPv6 address. For
PPPoE parameter descriptions, see Table 8-17.
- ND-RA: uses ND-RA to obtain an IPv6 address.

Static Neighbor Static neighbor address for a VLAN interface.
This setting allows a neighbor relationship to be established and
enables a device to resolve the neighbor IPv6 address into a data
link layer address.

Interface Bandwidth

Upstream Bandwidth Maximum bandwidth for upstream traffic on the interface.

Downstream Bandwidth Maximum bandwidth for downstream traffic on the interface.

Overload Protection Threshold Bandwidth usage of the link.
After you select Multi-egress options, you can set overload
protection thresholds for the inbound and outbound bandwidths
of the interface. If an interface is overloaded, the interface no
longer participates in intelligent uplink selection.

Management Access


Management Access This function allows an administrator to access an NGFW using
HTTP, HTTPS, ping, SSH, SNMP, or Telnet. Interface access
control takes precedence over security policies. This means that
an administrator can use an access control-enabled interface
to access an NGFW even if no security policy is configured for
communication between the zone of the interface and the local
zone.
Select one of the following parameters:
- HTTP: allows an administrator to use the web browser
(HTTP) to access a device through a VLAN interface. If
HTTP is not selected, the interface discards HTTP packets
after receiving them. This parameter takes effect only after
the HTTP service is enabled.
- HTTPS: allows an administrator to use the web browser
(HTTPS) to access a device through a VLAN interface. If
HTTPS is not selected, the interface discards HTTPS packets
after receiving them. This parameter takes effect only after
the HTTPS service is enabled.
- Ping: allows a VLAN interface to respond to ping requests.
A ping checks interface connectivity. If Ping is not selected,
the ping function is disabled.
- SSH: allows an administrator to use SSH to access a device
through a VLAN interface. If SSH is not selected, the
interface discards SSH packets after receiving them.
- SNMP: allows administrators to use an SNMP NMS to access
a device through a VLAN interface. If SNMP is not selected,
the interface discards SNMP packets after receiving them.
- Telnet: allows an administrator to use Telnet to access a
device through a VLAN interface. If Telnet is not selected,
the interface discards Telnet packets after receiving them.
By default, the management interface (GE0/0/0) allows HTTP,
HTTPS, ping, SSH, SNMP, and Telnet access to an NGFW, and
a non-management interface denies HTTP, HTTPS, ping, SSH,
SNMP, and Telnet access to an NGFW.

Table 8-14 Static IPv4 address parameters

Parameter Description

IP Address IPv4 address of an interface. The IPv4 address must be unique on a network.

Default Gateway IPv4 address of the default gateway of an interface. The default gateway must
be on the same network segment as the IPv4 address of the interface. This setting allows the
device to generate a default IPv4 route with the current interface as the outbound interface and
the default gateway as the next hop.

Preferred DNS server IP address of the preferred DNS server. The configurations completed here
are automatically synchronized to DNS Server List in Network > DNS > DNS.

Alternate DNS server IP address of the alternate DNS server. The configurations completed here
are automatically synchronized to DNS Server List in Network > DNS > DNS.

Table 8-15 IPv4 PPPoE parameters

Parameter Description

User Name User name for PPPoE dial-up. The user name is provided by an ISP.

Password Password for PPPoE dial-up. The password is provided by an ISP.

Online Mode PPPoE dial-up mode:
l Always Online: A device automatically attempts to dial up
to a peer end once a physical link connected to the peer end
is Up. If the dial-up connection attempt fails, the device
automatically re-attempts to dial up at specified intervals.
Automatic dial-up applies when the traffic volume and online
duration are not restricted, such as with the yearly-payment
service.
l Automatic disconnection after an idle period: A device
sets up a link only when there is data to be transmitted. If an
established PPPoE link has no traffic to transmit and the
specified link idle period elapses, the device disconnects the
PPPoE link. This dial-up mode applies when the traffic
volume and online duration are set, such as with the
payment-by-traffic service. The payment-by-traffic service
allows a specified amount of traffic to be transmitted within
a specified period.
If you select Automatic disconnection after an idle
period, you must also specify a link idle period.

Obtain an IP Address Automatically Obtain an IPv4 address that a PPPoE server assigns
after negotiating with a PPPoE client on a PPP link. The IPv4 address to be assigned must be
specified on the PPPoE server.

Use the Following IP Address Statically set an IPv4 address. This method requires the input
of an IPv4 address in IP Address. The IPv4 address must be one that a PPPoE server can assign.

Obtain DNS Server Address Automatically Obtain a DNS address that a PPPoE server assigns
after negotiating with a PPPoE client on a PPP link.

Use the Following DNS Server Addresses Statically set a DNS address. This method requires
the input of DNS server addresses in Primary DNS Server and Secondary DNS Server.

Table 8-16 Static IPv6 address parameters

Parameter Description

IPv6 Address IPv6 address of a VLAN interface. The IPv6 address must be unique on a
network.

Advertising RA Messages Enable a device to periodically advertise RA messages, which
contain the prefix option and flag bits, to announce the existence of the device.

Table 8-17 IPv6 PPPoE parameters

Parameter Description

User Name User name for PPPoE dial-up. The user name is provided by an ISP.

Password Password for PPPoE dial-up. The password is provided by an ISP.

Online Mode PPPoE dial-up mode:
l Always Online: A device automatically attempts to dial up
to a peer end once a physical link connected to the peer end
is Up. If the dial-up connection attempt fails, the device
automatically re-attempts to dial up at specified intervals.
Automatic dial-up applies when the traffic volume and online
duration are not restricted, such as with the yearly-payment
service.
l Automatic disconnection after an idle period: A device
sets up a link only when there is data to be transmitted. If an
established PPPoE link has no traffic to transmit and the
specified link idle period elapses, the device disconnects the
PPPoE link. This dial-up mode applies when the traffic
volume and online duration are set, such as with the
payment-by-traffic service. The payment-by-traffic service
allows a specified amount of traffic to be transmitted within
a specified period.
If you select Automatic disconnection after an idle
period, you must also specify a link idle period.

Step 4 Click OK.

If the operation is successful, the new interface is displayed in Interface List.

Repeat the previous steps to create other VLAN interfaces.
----End

Follow-up Procedure
l Check the VLAN interface status.
1. Choose Network > Interface.
2. Verify that the physical, IPv4, and IPv6 statuses of the VLAN interface are Up.
l Enable or disable the interface.
1. Choose Network > Interface.
2. Perform either of the following operations as needed:
– To enable the interface, select the Enable check box.
– To disable the interface, clear the Enable check box.

8.1.2.6 Configuring an Eth-Trunk Interface


This section describes how to configure an Eth-Trunk interface. An Eth-Trunk interface balances
traffic loads across devices, increases bandwidth, and improves traffic reliability.

Context
Many Ethernet interfaces are bundled into an Eth-Trunk interface. An Eth-Trunk interface
provides bandwidth that is equal to the total bandwidth of all its member interfaces. If a member
interface goes Down, traffic transmission over other member interfaces continues, which
increases link reliability.

An Eth-Trunk interface directs traffic to different links to balance traffic loads.

A physical interface can only be assigned to a single Eth-Trunk at a time. Before assigning the
physical interface to another Eth-Trunk, you must first remove it from the Eth-Trunk to which
it is currently attached.

Procedure
Step 1 Choose Network > Interface.

Step 2 Click Add.

Step 3 Set the following Eth-Trunk interface parameters.

Parameter Description

Interface Name Alias name for an Eth-Trunk interface.

Type Type of an Eth-Trunk interface to be created.
Before creating an Eth-Trunk interface, set this parameter to
Aggregate Interface.

Virtual System Name of a virtual system for an interface.
The virtual system must exist on the device.
This parameter can only be set when Mode is set to Route.

Zone Security zone to which an Eth-Trunk interface is to be assigned.
You can directly assign an Eth-Trunk interface to an existing
security zone. If the desired security zone does not exist, create
one and assign an Eth-Trunk interface to it. For details, see 8.2.3
Zone Configuration Using the Web UI.

Mode Layer at which the interface works and whether to enable bypass
detection when the interface works at Layer 2:
l Select Route to enable the interface to work at Layer 3.
l Select Switch to enable the interface to work at Layer 2 and
disable bypass detection. For the description of parameter
Connection Type in switching mode, see Table 8-22.
l Select Bypass to enable the interface to work at Layer 2 and
enable bypass detection. For the description of parameter
Connection Type in switching mode, see Table 8-22.
After bypass detection is enabled, the device detects packets
received on this interface and then discards them.


Interface Members Ethernet interfaces to be bundled into an Eth-Trunk interface.
A physical interface can only be added to a single Eth-Trunk
interface. If Mode is set to Route, the interface to be bundled
works at Layer 3. If Mode is set to Switch or Bypass, the
interface to be bundled works at Layer 2.
Perform either of the following operations as needed:
l In Available, select a desired physical interface and click
to bundle it into the Eth-Trunk interface.
l In Select, select a desired physical interface and click to
remove the physical interface from the Eth-Trunk interface.

IPv4

Connection Type Method used by an Eth-Trunk interface to obtain an IPv4 address
in routing mode.
This parameter is set only when Mode is set to Route.
Select one of the following parameters:
l Static IP: allows an administrator to specify an IPv4 address
for the interface. For static IP address parameter descriptions,
see Table 8-18.
l DHCP: uses DHCP to automatically obtain an IPv4 address.
l PPPoE: uses PPP negotiation to obtain an IPv4 address. For
PPPoE parameter descriptions, see Table 8-19.

Multi-egress options After you select Multi-egress options, the interface will function
as an intelligent uplink selection member interface.
For details on intelligent uplink selection, see Intelligent Uplink
Selection.

Carrier Select the name of the ISP directly connected to the interface.
Selecting the ISP of the interface is equivalent to binding the
interface to an ISP interface group.

Default route After you select this option, the NGFW will generate a default
route in its routing table.
A default route is a special static route. When the destination
address of a data packet does not match any other entry in the
routing table of the NGFW, the NGFW uses the default route to
forward the packet. Both the destination network address and the
subnet mask of the default route are 0.0.0.0.
If the interface serves as an intranet interface and has the sticky
load balancing function enabled, the default route must be
canceled. Otherwise, the interface cannot access extranets.


Carrier Route After you enable the ISP route function, the NGFW generates
static routes in a batch to the ISP network. In the generated static
routes, the destination is an IP address in the ISP address file, and
the next hop is the gateway address specified on the outbound
interface. These static routes are called ISP routes. They have the
same priority as common static routes, and the default priority is
60.
Choose Network > Router > Routing Table to view the
generated ISP route entries.

Sticky load balancing In the multi-ISP load balancing NAT server scenario, the
NGFW looks up the routing table for an outgoing interface to
send the return traffic from a server. As a result, the return traffic
from the server may take a path on ISP2, although the request to
the server takes a link on ISP1. The inconsistent forward and
return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function
on the incoming interface of ISP1.
The NGFW uses the incoming interface of the forward packets
as the outgoing interface of return packets instead of searching
for policy-based routes, specific routes, and default routes.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load
balancing function is enabled by default. Otherwise, configure the sticky
load balancing function.

Link Health Check Apply the link health check group to the interface.

IPv6

IPv6 Enable IPv6 on a specified interface.
Enabling IPv6 on the interface is a prerequisite for using IPv6
functions. Choose Dashboard > System Information and
enable IPv6 globally to allow the NGFW to forward IPv6
packets.

Connection Type Method used by an Eth-Trunk interface to obtain an IPv6
address:
l Static IP: allows an administrator to specify an IPv6 address
for the interface. For static IP address parameter descriptions,
see Table 8-20.
l DHCP: uses DHCP to automatically obtain an IPv6 address.
l PPPoE: uses PPP negotiation to obtain an IPv6 address. For
PPPoE parameter descriptions, see Table 8-21.
l ND-RA: uses ND-RA to obtain an IPv6 address.


Static Neighbor Static neighbor address for an Eth-Trunk interface.
This setting allows a neighbor relationship to be established and
enables a device to resolve the neighbor IPv6 address into a data
link layer address.

Interface Bandwidth

Upstream Bandwidth Maximum bandwidth for upstream traffic on the interface.

Downstream Bandwidth Maximum bandwidth for downstream traffic on the interface.

Overload Protection Threshold Bandwidth usage of the link.
After you select Multi-egress options, you can set overload
protection thresholds for the inbound and outbound bandwidths
of the interface. If an interface is overloaded, it no longer
participates in intelligent uplink selection.

Management Access


Management Access This function allows an administrator to access an NGFW using
HTTP, HTTPS, ping, SSH, SNMP, or Telnet. Interface access
control takes precedence over security policies. This means that
an administrator can use an access control-enabled interface to
access an NGFW even if no security policy is configured for
communication between the zone of the interface and the local
zone.
This parameter is set only when Mode is set to Route.
Select one or more of the following parameters:
l HTTP: allows an administrator to use the web browser
(HTTP) to access a device through an Eth-Trunk interface. If
HTTP is not selected, the interface discards HTTP packets
after receiving them. This parameter takes effect only after
the HTTP service is enabled.
l HTTPS: allows an administrator to use the web browser
(HTTPS) to access a device through an Eth-Trunk interface.
If HTTPS is not selected, the interface discards HTTPS
packets after receiving them. This parameter takes effect only
after the HTTPS service is enabled.
l Ping: allows an Eth-Trunk interface to respond to ping
requests. A ping checks interface connectivity. If Ping is not
selected, the ping function is disabled.
l SSH: allows an administrator to use SSH to access a device
through an Eth-Trunk interface. If SSH is not selected, the
interface discards SSH packets after receiving them.
l SNMP: allows administrators to use an SNMP NMS to access
a device through an Eth-Trunk interface. If SNMP is not
selected, the interface discards SNMP packets after receiving
them.
l Telnet: allows an administrator to use Telnet to access a
device through an Eth-Trunk interface. If Telnet is not
selected, the interface discards Telnet packets after receiving
them.
By default, the management interface (GE0/0/0) allows HTTP,
HTTPS, ping, SSH, SNMP, and Telnet access to an NGFW, and
a non-management interface denies HTTP, HTTPS, ping, SSH,
SNMP, and Telnet access to an NGFW.

Advanced


Lower Limit of Up Links Lower limit of member interfaces in the Up state before an Eth-
Trunk interface goes Down. If the number of member links in
the Up state is smaller than the lower limit, the Eth-Trunk
interface goes Down, and all its member interfaces cannot
forward data. This prevents a small number of member links in
the Up state from discarding packets due to overload.
To ensure proper forwarding, configure the same lower limit for
an Eth-Trunk interface on both ends of a link.

MAC Address MAC address of an Eth-Trunk interface. If multiple Eth-Trunk
interfaces are created on a device, you can re-define a unique
MAC address for each interface to prevent MAC address
conflicts.
This parameter is set only when Mode is set to Route.

MTU Maximum transmission unit of an Eth-Trunk interface.
Increase the MTU to prevent packet loss or increase the
transmission speed if a great number of fragments are generated.
After the MTU of an interface is modified, restart the interface
to make the MTU take effect.
This parameter is set only when Mode is set to Route.
Directly connected interfaces must have the same MTU.
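Because the Management Access settings described above for VLAN and Eth-Trunk interfaces take precedence over security policies, it is worth listing, per zone, which management services are reachable and which selections are silently ineffective. The following Python audit is an added example, not Huawei code and not an export format of the NGFW; the Interface records, zone names, and the "untrust" zone label are constructed for illustration.

```python
"""Audit of per-interface Management Access settings (added example, not NGFW code).

Models the rules given above: an enabled service is reachable from the interface's
zone regardless of security policy; HTTP/HTTPS take effect only when the
corresponding service is enabled globally; on an Eth-Trunk the setting applies
only in Route mode; GE0/0/0 allows all six services by default, others deny all.
"""
from dataclasses import dataclass, field

SERVICES = ("HTTP", "HTTPS", "Ping", "SSH", "SNMP", "Telnet")
CLEARTEXT = {"HTTP", "Telnet"}       # credentials and sessions are not encrypted
MANAGEMENT_INTERFACE = "GE0/0/0"     # default management interface on the page


@dataclass
class Interface:
    name: str
    zone: str                        # security zone of the interface (constructed names)
    mode: str = "Route"              # "Route", "Switch" or "Bypass"
    allowed: set = field(default_factory=set)   # services selected under Management Access


def effective_access(iface, http_service_on=True, https_service_on=True):
    """Services actually reachable on the interface after the page's caveats."""
    if iface.mode != "Route":        # Eth-Trunk: parameter is set only in Route mode
        return set()
    reach = set(iface.allowed) & set(SERVICES)
    if not http_service_on:
        reach.discard("HTTP")
    if not https_service_on:
        reach.discard("HTTPS")
    return reach


def reachable_by_zone(interfaces, http_service_on=True, https_service_on=True):
    """Map each zone to the management services reachable from it, policy or not."""
    by_zone = {}
    for iface in interfaces:
        reach = effective_access(iface, http_service_on, https_service_on)
        if reach:
            by_zone.setdefault(iface.zone, set()).update(reach)
    return by_zone


def audit(interfaces, untrusted_zones=("untrust",),
          http_service_on=True, https_service_on=True):
    """Return (interface, finding, detail) tuples in interface order."""
    findings = []
    for iface in interfaces:
        requested = set(iface.allowed) & set(SERVICES)
        if iface.mode != "Route" and requested:
            findings.append((iface.name, "ignored-not-route-mode",
                             ",".join(sorted(requested))))
            continue
        reach = effective_access(iface, http_service_on, https_service_on)
        for svc in sorted(requested - reach):      # selected, but service disabled
            findings.append((iface.name, "service-disabled-globally", svc))
        for svc in sorted(reach & CLEARTEXT):
            findings.append((iface.name, "cleartext-management", svc))
        if iface.zone in untrusted_zones and reach:
            findings.append((iface.name, "reachable-from-untrusted-zone",
                             ",".join(sorted(reach))))
    return findings


# Constructed sample: factory-default GE0/0/0 plus three configured interfaces.
SAMPLE = [
    Interface("GE0/0/0", "mgmt", allowed=set(SERVICES)),
    Interface("Vlanif10", "trust", allowed={"SSH", "HTTPS"}),
    Interface("Eth-Trunk1", "untrust", allowed={"Ping", "HTTPS"}),
    Interface("Eth-Trunk2", "untrust", mode="Switch", allowed={"Telnet"}),
]

if __name__ == "__main__":
    for zone, svcs in sorted(reachable_by_zone(SAMPLE).items()):
        print(f"{zone}: {', '.join(sorted(svcs))}")
    for name, kind, detail in audit(SAMPLE):
        print(f"{name}: {kind} ({detail})")
```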

Table 8-18 Static IPv4 address parameters

Parameter Description

IP Address IPv4 address of an Eth-Trunk interface. The IPv4 address must be unique on a
network.

Default Gateway IPv4 address of the default gateway of an Eth-Trunk interface. The default
gateway must be on the same network segment as the IPv4 address of the interface. This setting
allows the device to generate a default IPv4 route with the current interface as the outbound
interface and the default gateway as the next hop.

Preferred DNS server IP address of the preferred DNS server. The configurations completed here
are automatically synchronized to DNS Server List in Network > DNS > DNS.

Alternate DNS server IP address of the alternate DNS server. The configurations completed here
are automatically synchronized to DNS Server List in Network > DNS > DNS.


Table 8-19 IPv4 PPPoE parameters

Parameter Description

User Name User name for PPPoE dial-up. The user name is provided by an ISP.

Password Password for PPPoE dial-up. The password is provided by an ISP.

Online Mode PPPoE dial-up mode:
l Always Online: A device automatically attempts to dial up
to a peer end once a physical link connected to the peer end
is Up. If the dial-up connection attempt fails, the device
automatically re-attempts to dial up at specified intervals.
Automatic dial-up applies when the traffic volume and online
duration are not restricted, such as with the yearly-payment
service.
l Automatic disconnection after an idle period: A device
sets up a link only when there is data to be transmitted. If an
established PPPoE link has no traffic to transmit and the
specified link idle period elapses, the device disconnects the
PPPoE link. This dial-up mode applies when the traffic
volume and online duration are set, such as with the
payment-by-traffic service. The payment-by-traffic service
allows a specified amount of traffic to be transmitted within
a specified period.
If you select Automatic disconnection after an idle
period, you must also specify a link idle period.

Obtain an IP Address Automatically Obtain an IPv4 address that a PPPoE server assigns
after negotiating with a PPPoE client on a PPP link. The IPv4 address to be assigned must be
specified on the PPPoE server.

Use the Following IP Address Statically set an IPv4 address. This method requires the input
of a fixed IPv4 address in IP Address. The IPv4 address must be one that a PPPoE server can
assign.

Obtain DNS Server Address Automatically Obtain a DNS address that a PPPoE server assigns
after negotiating with a PPPoE client on a PPP link.

Use the Following DNS Server Addresses Statically set a DNS address. This method requires
the input of DNS server addresses in Primary DNS Server and Secondary DNS Server.


Table 8-20 Static IPv6 address parameters

Parameter Description

IPv6 Address IPv6 address of an interface. The IPv6 address must be unique on a network.

Advertising RA Messages Enable a device to periodically advertise RA messages, which
contain the prefix option and flag bits, to announce the existence of the device.

Table 8-21 IPv6 PPPoE parameters

Parameter Description

User Name User name for PPPoE dial-up. The user name is provided by an ISP.

Password Password for PPPoE dial-up. The password is provided by an ISP.

Online Mode PPPoE dial-up mode:
l Always Online: A device automatically attempts to dial up
to a peer end once a physical link connected to the peer end
is Up. If the dial-up connection attempt fails, the device
automatically re-attempts to dial up at specified intervals.
Automatic dial-up applies when the traffic volume and online
duration are not restricted, such as with the yearly-payment
service.
l Automatic disconnection after an idle period: A device
sets up a link only when there is data to be transmitted. If an
established PPPoE link has no traffic to transmit and the
specified link idle period elapses, the device disconnects the
PPPoE link. This dial-up mode applies when the traffic
volume and online duration are set, such as with the
payment-by-traffic service. The payment-by-traffic service
allows a specified amount of traffic to be transmitted within
a specified period.
If you select Automatic disconnection after an idle
period, you must also specify a link idle period.


Table 8-22 Parameters of the switching mode

Parameter Description

Connection Type Link type of an Eth-Trunk interface:
l Access: Access interfaces belong to a single VLAN and send
and receive packets within this VLAN. These interfaces are
connected to PCs.
l Trunk: Trunk interfaces belong to multiple VLANs and send
and receive packets between these VLANs. These interfaces
are connected to devices.
l Hybrid: Hybrid interfaces belong to multiple VLANs and
send and receive packets in these VLANs. These interfaces
can be connected to both PCs and devices.
A hybrid interface sends untagged packets of multiple VLANs,
while a trunk interface sends untagged packets only from the
default VLAN.

Access VLAN ID ID of the VLAN to which an access interface belongs. This
parameter is set only when Connection Type is set to Access.

Trunk VLAN ID IDs of the VLANs to which a trunk interface belongs. This parameter
is set only when Connection Type is set to Trunk.
A trunk interface joins multiple VLANs and connects to a
network device. To allow all packets from one or more VLANs
to pass through a trunk interface, specify VLAN IDs in Trunk
VLAN ID.

Default VLAN ID Default VLAN ID of a trunk interface. This parameter is set only
when Connection Type is set to Trunk.

Hybrid VLAN ID (With VLAN Tag) ID of the VLAN to which the hybrid interface belongs.
Frames on the VLAN are sent from this interface in Tagged mode. This parameter is set only
when Connection Type is set to Hybrid.

Hybrid VLAN ID (Without VLAN Tag) ID of the VLAN to which a hybrid interface belongs.
Frames on the VLAN are sent from this interface in Untagged mode. This parameter is set only
when Connection Type is set to Hybrid.

Default VLAN ID Default VLAN ID of a hybrid interface. This parameter is set
only when Connection Type is set to Hybrid.
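The tagging behaviour that Table 8-22 describes for access, trunk and hybrid interfaces decides which VLANs leave a link untagged, which is what an administrator checks when a default VLAN is chosen. The following Python model is an added example, not Huawei code; it assumes that a trunk's default VLAN must also be in its Trunk VLAN ID list to be forwarded, that an untagged arriving frame is classified into the access or default VLAN (standard 802.1Q PVID behaviour, not stated in the table), and the port names and VLAN IDs are constructed.

```python
"""Egress tagging for Access, Trunk and Hybrid link types (added example, not
NGFW code). Models Table 8-22: an access port carries one VLAN untagged, a trunk
sends its default VLAN untagged and every other permitted VLAN tagged, and a
hybrid sends each permitted VLAN tagged or untagged as configured. Untagged
ingress being classified into the default VLAN is an assumption (standard
802.1Q PVID handling), not something the table states.
"""
from dataclasses import dataclass, field


@dataclass
class SwitchPort:
    name: str
    link_type: str                          # "Access", "Trunk" or "Hybrid"
    access_vlan: int = 1                    # Access VLAN ID
    trunk_vlans: set = field(default_factory=set)      # Trunk VLAN ID list
    default_vlan: int = 1                   # Default VLAN ID (Trunk and Hybrid)
    hybrid_tagged: set = field(default_factory=set)    # Hybrid VLAN ID (With VLAN Tag)
    hybrid_untagged: set = field(default_factory=set)  # Hybrid VLAN ID (Without VLAN Tag)


def member_vlans(port):
    """VLANs the port belongs to, per link type."""
    if port.link_type == "Access":
        return {port.access_vlan}
    if port.link_type == "Trunk":
        return set(port.trunk_vlans)
    if port.link_type == "Hybrid":
        return set(port.hybrid_tagged) | set(port.hybrid_untagged)
    raise ValueError(f"unknown link type {port.link_type!r}")


def egress(port, vlan):
    """'tagged' or 'untagged' for a frame of `vlan` leaving the port,
    None if the port is not a member of that VLAN (frame is not sent)."""
    if vlan not in member_vlans(port):
        return None
    if port.link_type == "Access":
        return "untagged"
    if port.link_type == "Trunk":
        return "untagged" if vlan == port.default_vlan else "tagged"
    return "untagged" if vlan in port.hybrid_untagged else "tagged"


def ingress_vlan(port, tag):
    """VLAN assigned to an arriving frame; tag=None means the frame is untagged
    (assumed: classified into the access VLAN or the default VLAN)."""
    if tag is None:
        tag = port.access_vlan if port.link_type == "Access" else port.default_vlan
    return tag if tag in member_vlans(port) else None


def untagged_egress_vlans(ports):
    """Per port, the VLANs that leave without a tag; a quick check that no
    VLAN meant to stay tagged has been made the default VLAN of a trunk."""
    return {p.name: sorted(v for v in member_vlans(p) if egress(p, v) == "untagged")
            for p in ports}


# Constructed sample ports.
PORTS = [
    SwitchPort("Eth-Trunk1", "Access", access_vlan=10),
    SwitchPort("Eth-Trunk2", "Trunk", trunk_vlans={10, 20, 99}, default_vlan=99),
    SwitchPort("Eth-Trunk3", "Hybrid", default_vlan=20,
               hybrid_tagged={10}, hybrid_untagged={20, 30}),
]

if __name__ == "__main__":
    for name, vlans in untagged_egress_vlans(PORTS).items():
        print(f"{name}: untagged egress for VLANs {vlans}")
```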

Step 4 Click OK.

If the operation is successful, the new Eth-Trunk interface is displayed in Interface List.

Repeat previous steps to create other Eth-Trunk interfaces.

----End


Follow-up Procedure
l Check interface status.
1. Choose Network > Interface.
2. Verify that the physical, IPv4, and IPv6 statuses of the interface are Up.
l Enable or disable the interface.
1. Choose Network > Interface.
2. Perform either of the following operations as needed:
– To enable the interface, select the Enable check box of the interface.
– To disable the interface, clear the Enable check box of the interface.

8.1.2.7 Configuring a Loopback Interface


This section describes how to configure a loopback interface. Once created, a loopback interface
remains in the Up state. This characteristic is used to improve reliability.

Context
A loopback interface is a virtual interface. The IP address of a loopback interface is specified as
a source address for packets to improve network reliability.

Procedure
Step 1 Choose Network > Interface.

Step 2 Click Add.

Step 3 Configure the following loopback interface parameters.

Parameter Description

Interface Name Alias name for a loopback interface.

Type Type of an interface to be created.
When creating a loopback interface, set this parameter to
Loopback Interface.

IPv4

Connection Type Method used by an interface to obtain an IPv4 address.
Only Static IP is available to manually set an IPv4 address and
subnet mask for the interface.

IP Address IPv4 address of an interface.
This value must be unique on a network.

IPv6


IPv6 Enable the IPv6 capability on the specified interface.
Enabling IPv6 is a prerequisite for using IPv6 functions. Choose
Dashboard > System Information and enable IPv6 globally to
allow the NGFW to forward IPv6 packets.

Connection Type Method used by an interface to obtain an IPv6 address.
Only Static IP is available to manually set an IPv6 address and
subnet mask for the interface.

IPv6 Address IPv6 address of an interface.
This value must be unique on a network.

Step 4 Click OK.

If the operation is successful, the new loopback interface is displayed in Interface List.

Repeat previous steps to create other loopback interfaces.

----End

Follow-up Procedure
Check the interface status.
1. Choose Network > Interface.
2. Verify that the physical, IPv4, and IPv6 statuses of the interface are Up.

8.1.2.8 Configuring the Tunnel Interface


Tunnel interfaces enable packet encapsulation and forwarding through tunnels.

Context
A tunnel interface is a logical interface for packet encapsulation. By default, tunnel interfaces
created through the web UI support only IPSec tunnels. GRE is another common encapsulation
protocol. When you configure GRE through the web UI, tunnel interfaces are created and
configured automatically. For details, see 20.5.3 Configuring GRE Using the Web UI.

Procedure
Step 1 Choose Network > Interface.

Step 2 Click Add.

Step 3 Set tunnel interface parameters.


Parameter Description

Interface Name Alias for the tunnel interface, which makes the interface easier
to identify.

Type Type of the interface to be created.
Select Tunnel when you need to create a tunnel interface.

Zone Security zone to which the interface is to be assigned.
You can assign an interface to an existing security zone or create
a security zone and assign the interface to it. For details, see 8.2.3
Zone Configuration Using the Web UI.

IPv4

IP Address/Mask Ensure that the IP addresses of the tunnel interfaces at the two
ends of the IPSec tunnel are routable.

Multi-egress options After you select Multi-egress options, the interface will function
as an intelligent uplink selection member interface.
For details on intelligent uplink selection, see Intelligent Uplink
Selection.

Carrier Select the name of the ISP directly connected to the interface.
Selecting the ISP of the interface is equivalent to binding the
interface to an ISP interface group.

Default route After you select this option, the NGFW will generate a default
route in its routing table.
A default route is a special static route. When the destination
address of a data packet does not match any other entry in the
routing table of the NGFW, the NGFW uses the default route to
forward the packet. Both the destination network address and the
subnet mask of the default route are 0.0.0.0.
If the interface serves as an intranet interface and has the sticky
load balancing function enabled, the default route must be
canceled. Otherwise, the interface cannot access extranets.

Carrier Route After you enable the ISP route function, the NGFW generates
static routes in a batch to the ISP network. In the generated static
routes, the destination is an IP address in the ISP address file, and
the next hop is the gateway address specified on the outbound
interface. These static routes are called ISP routes. They have the
same priority as common static routes, and the default priority is
60.
Choose Network > Router > Routing Table to view the
generated ISP route entries.


Sticky load balancing In the multi-ISP load balancing NAT server scenario, the
NGFW looks up the routing table for an outgoing interface to
send the return traffic from a server. As a result, the return traffic
from the server may take a path on ISP2, although the request to
the server takes a link on ISP1. The inconsistent forward and
return paths may slow down or even interrupt services. To
resolve this issue, configure the sticky load balancing function
on the incoming interface of ISP1.
The NGFW uses the incoming interface of the forward packets
as the outgoing interface of return packets instead of searching
for policy-based routes, specific routes, and default routes.
NOTE
If equal-cost multipath (ECMP) routes are configured, the sticky load
balancing function is enabled by default. Otherwise, configure the sticky
load balancing function.

Link Health Check Apply the link health check group to the interface.

Source IP Address for Link Check Source IP address of the quality detection packet.
NOTE
The quality detection source IP address and the tunnel interface IP address
must reside on the same subnet and must be available and routable IP
addresses. The quality detection source IP address must be permitted by
the IPSec ACL rules to enter the tunnels. Otherwise, the quality detection
result does not indicate the transmission quality of the IPSec tunnels.

Interface Bandwidth

Upstream Bandwidth Maximum bandwidth for upstream traffic on the interface.

Downstream Bandwidth Maximum bandwidth for downstream traffic on the interface.

Overload Protection Bandwidth usage of the link.


Threshold After you select Multi-egress options, you can set overload
protection thresholds for the inbound and outbound bandwidths
of the interface. If an interface is overloaded, the interface no
longer participate in intelligent uplink selection.

Step 4 Click OK.

If the operation succeeds, Interface List displays the new tunnel interface.

Repeat the preceding steps to create other tunnel interfaces.

----End

Follow-up Procedure
l Check the interface status.
1. Choose Network > Interface.
2. Check the physical status of the interface.


l Disable or enable an interface.


1. Choose Network > Interface.
2. Disable or enable an interface.
– Deselect the Enable check box corresponding to an interface to disable it.
– Select the Enable check box corresponding to an interface to enable it.

8.1.2.9 Configuring an Interface Pair


This section describes how to configure an interface pair.

Context
An interface pair is a pair of incoming and outgoing interfaces. After an interface pair is formed, traffic that enters the incoming interface of the pair is forwarded out of the outgoing interface of the pair without a MAC address table lookup.

If the incoming and outgoing interfaces are the same interface, the packets entering the interface
are forwarded out of the same interface after being processed.

Interfaces that can form an interface pair include Layer 2 Ethernet interfaces and their
subinterfaces and Layer 2 Eth-Trunk interfaces and their subinterfaces.

Procedure
Step 1 Choose Network > Interface Pair.

Step 2 Click Add and create an interface pair.

Parameter Description

Working mode
Specifies the working mode of the interface pair.
l Inject via another interface: The interface pair has two interfaces. Packets entering on one interface exit on the other.
l Inject via the same interface: The interface pair has only one interface. Packets entering the interface are forwarded out of the same interface after being processed.

Member
Select members for the interface pair.
When the working mode of the interface pair is Inject via another interface, the two interfaces must be of the same type.

Step 3 Click OK.

----End

8.1.3 Configuring Interfaces and Interface Pairs Using the CLI


This section describes how to configure interfaces and interface pairs using the CLI.


8.1.3.1 Configuring a Layer 3 Ethernet Interface


This section describes how to configure a Layer 3 Ethernet interface that supports the routing
and forwarding functions.

Basic Layer 3 Ethernet Interface Configuration


A Layer 3 Ethernet interface uses an IPv4 address to connect to an IPv4 network or an IPv6
address to connect to an IPv6 network.

Step 1 Display the system view.


system-view

Step 2 Display the specified interface view.


interface interface-type interface-number

Step 3 Assign an IPv4 address to the interface.


ip address ip-address { mask | mask-length } [ sub ]

To assign the second and subsequent IPv4 addresses to the interface, configure the sub parameter
in the ip address command.

Step 4 Assign an IPv6 address to the interface.


1. Enable the IPv6 capability on the interface.
ipv6 enable

By default, the IPv6 capability is disabled on the interface.

Before performing IPv6 configurations in the interface view, enable the IPv6 capability in
the interface view.

To allow the interface to forward IPv6 packets, run the ipv6 command in the system view.
2. Perform either of the following operations to configure an IPv6 link-local address:
l To enable the system to automatically generate an IPv6 link-local address, run:
ipv6 address auto link-local
Automatic generation is recommended because a link-local address is used only for protocol communication between nodes on the link, not for user traffic.
If no IPv6 link-local address is specified for an interface, the device automatically
generates an IPv6 link-local address for the interface after an IPv6 global unicast address
is specified for the interface.
l To specify an IPv6 link-local address, run:
ipv6 address ipv6-address link-local
The prefix of an IPv6 link-local address is FE80::/10.
NOTE
Only a single link-local address can be configured on an interface. If you configure multiple link-local
addresses on the same interface, only the last configuration takes effect.
3. Assign a global unicast IPv6 address to the interface.

ipv6 address { ipv6-address | ipv6-address/prefix-length } [ eui-64 ]


An EUI-64 address supports the same function as a global unicast address. The difference
between the two addresses is as follows:

l Only the network bits need to be specified for the EUI-64 address, because the host bits
are transformed from the MAC addresses of the interface. The prefix length of the
network bits in an EUI-64 address must not be longer than 64 bits.
l A complete 128-bit address needs to be specified for the global unicast address.

The EUI-64 address and global unicast address can be configured simultaneously or
separately. However, IP addresses configured for the same interface cannot be on the same
network segment.

Step 5 Optional: Disable an interface from working in auto-negotiation mode.

undo negotiation auto

By default, an interface works in auto-negotiation mode. To set parameters duplex and speed
to adjust the duplex mode and rate of an interface, run the undo negotiation auto command to
disable the interface from working in auto-negotiation mode.

This command applies only to Ethernet electrical interfaces and Ethernet optical interfaces that
work in electrical interface mode.

Step 6 Optional: Specify a duplex mode.


duplex { full | half }

This command applies only to Ethernet electrical interfaces and Ethernet optical interfaces that
work in electrical interface mode.

Step 7 Optional: Set a working rate.


speed { 10 | 100 | 1000 }

This command applies only to Ethernet electrical interfaces and Ethernet optical interfaces that
work in electrical interface mode.

Step 8 Optional: Set the interface MTU.


l To set an IPv4 MTU for the interface, run:
mtu mtu
l To set an IPv6 MTU for the interface, run:
ipv6 mtu mtu
NOTE

If a packet carries the Don't Fragment (DF) flag and its length exceeds the interface MTU, the NGFW drops the packet. To ensure service continuity, you can run the clear ip df command to clear the DF flag so that such packets are fragmented and forwarded. Note that clearing the DF flag defeats path MTU discovery for the affected flows.

Step 9 Optional: Configure an interface description.


description interface-description

Step 10 Optional: Specify the alias for an interface.


alias alias

Step 11 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number


Step 12 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth egress bandwidth-number

Step 13 Optional: Enable access control on an interface.


service-manage enable

By default, access control is enabled on interfaces.

Step 14 Optional: Allow or block HTTP, HTTPS, ping, SSH, SNMP, or Telnet access to the NGFW.
service-manage { http | https | ping | ssh | snmp | telnet } { permit | deny }

The service-manage command allows an administrator to access the NGFW through the specified interface even when no security policy permits traffic between the Local zone and the security zone to which the interface belongs.

By default, the management interface (GE0/0/0) allows HTTP, HTTPS, ping, SSH, SNMP, and Telnet access to the NGFW, and a non-management interface denies HTTP, HTTPS, ping, SSH, SNMP, and Telnet access to the NGFW.

Because a service-manage permit bypasses the security policy check, permit only the protocols you actually use, preferably HTTPS and SSH, and only on interfaces that face trusted networks. HTTP and Telnet carry administrator credentials in cleartext, so leave them denied on any interface reachable from an untrusted network.

Step 15 Optional: Restore the access control management function of an interface to the default setting.
reset service-manage

After you run this command, the access control management function of the management
interface (GE0/0/0) is enabled, and the administrator is allowed to use HTTP, HTTPS, Ping,
SSH, SNMP, and Telnet to access the device. For non-management interfaces, the access control
management function is enabled, but the administrator is not allowed to use HTTP, HTTPS,
Ping, SSH, SNMP, or Telnet to access the device.

Step 16 Optional: Set a gateway address for the interface.

gateway gateway-address [ no-route ]

Step 17 Optional: Enable the sticky load balancing function.

reverse-route nexthop nexthop-address

If a gateway address is configured on the interface, set nexthop-address to that gateway address.

In the multi-ISP load balancing NAT server scenario, the NGFW looks up the routing table for
an outgoing interface to send the return traffic from a server. As a result, the return traffic from
the server may take a path on ISP2, although the request to the server takes a link on ISP1. The
inconsistent forward and return paths may slow down or even interrupt services. To resolve this
issue, configure the sticky load balancing function on the incoming interface of ISP1.

The NGFW uses the incoming interface of the forward packets as the outgoing interface of return
packets instead of searching for policy-based routes, specific routes, and default routes.

NOTE

If equal-cost multipath (ECMP) routes are configured, the sticky load balancing function is enabled by
default. Otherwise, configure the sticky load balancing function.

----End
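The following configuration is an added worked example for the procedure above; it is not taken from the guide or from Huawei. It applies Steps 1 to 17 to three interfaces in the multi-ISP NAT server scenario the text describes: one internal interface on which management is permitted over HTTPS and SSH only, and two ISP-facing interfaces that get a gateway plus sticky load balancing and on which every management protocol is explicitly denied. The interface numbers, descriptions and the 192.168.10.0/24, 203.0.113.0/24, 198.51.100.0/24 and 2001:db8::/32 addresses are assumptions; lines beginning with # are explanatory comments, not commands.

```text
# Added example, not from the guide. Interface names and addresses are assumptions.
system-view

# Trusted LAN interface. Management is allowed here, but only over encrypted
# protocols; HTTP, Telnet and SNMP stay at the non-management default (deny).
interface GigabitEthernet 1/0/1
 description LAN-trust
 ip address 192.168.10.1 255.255.255.0
 ipv6 enable
 ipv6 address auto link-local
 ipv6 address 2001:db8:10::1/64
 service-manage enable
 service-manage https permit
 service-manage ssh permit
 service-manage ping permit
 quit

# ISP1-facing interface. gateway supplies the next hop; reverse-route nexthop
# set to the same address makes replies to NAT server traffic that arrived on
# ISP1 leave on ISP1 instead of following the routing table to ISP2.
# All six management protocols are denied explicitly, so that a later permit
# shows up as a deliberate change in the configuration.
interface GigabitEthernet 1/0/2
 description WAN-ISP1
 ip address 203.0.113.2 255.255.255.0
 gateway 203.0.113.1
 reverse-route nexthop 203.0.113.1
 service-manage http deny
 service-manage https deny
 service-manage telnet deny
 service-manage ssh deny
 service-manage snmp deny
 service-manage ping deny
 quit

# ISP2-facing interface, same pattern with its own gateway as the sticky next hop.
interface GigabitEthernet 1/0/3
 description WAN-ISP2
 ip address 198.51.100.2 255.255.255.0
 gateway 198.51.100.1
 reverse-route nexthop 198.51.100.1
 service-manage http deny
 service-manage https deny
 service-manage telnet deny
 service-manage ssh deny
 service-manage snmp deny
 service-manage ping deny
 quit
```

A service-manage permit on an ISP-facing interface exposes the management plane to the Internet without passing the security policy check, which is why the example denies all six protocols there and permits only HTTPS and SSH on the trusted side. The settings above affect only the interfaces shown; the defaults on GE0/0/0 are untouched.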


Advanced Layer 3 Ethernet Interface Configuration


A Layer 3 Ethernet interface supports interface flapping control, traffic suppression, and
loopback.

l Interface flapping control


This function prevents interfaces from frequently alternating between Up and Down, which
helps devices and networks to operate stably.
The interface flapping control mechanism operates using the following parameters:
– Penalty value: a suppression penalty calculated by the suppression algorithm from the interface status. The penalty increases each time the interface status changes and decays by half over each half-life while the interface remains in a stable state.
– Suppress: a suppress threshold. When the penalty value reaches the suppress threshold, the interface is suppressed.
– Reuse: a reuse threshold. When the penalty value decays to the reuse threshold or below, the interface is no longer suppressed.
– Ceiling: the maximum penalty value. The penalty stops increasing once it reaches the ceiling.
– Decay-ok: half-life time, in seconds, while the interface remains Up. The penalty value halves after each half-life elapses.
– Decay-ng: half-life time, in seconds, while the interface remains Down. The penalty value halves after each half-life elapses.
Note that the following relationship must hold:
Reuse < Suppress < Ceiling
Configure interface flapping control.
control-flap [ suppress reuse ceiling decay-ok decay-ng ]
By default, flapping control is disabled.
Run the reset control-flap command to clear existing flapping control statistics before you
collect statistics in a specified period.
l Interface traffic suppression
This function enables an interface to suppress broadcast, multicast, and unknown unicast
traffic, which facilitates effective bandwidth use.
The device suppresses traffic based on either of the following parameters:
– Suppression ratio (ratio): the maximum traffic that the interface may transmit, expressed as a percentage of its transmission capability
– Packet rate (pps): the maximum number of packets that may be forwarded per second
When traffic exceeds the configured value, the device discards the subsequent packets so that the traffic stays within the configured limit and legitimate services keep their bandwidth.
Perform the following step to configure interface traffic suppression:


NOTICE
For broadcast and multicast traffic suppression based on packet rates, the granularity of parameter max-pps is 125: the configured value is rounded up to the next multiple of 125. For example, if you set max-pps to 5, the actual value is 125, and if you set max-pps to 126, the actual value is 250.
The mode of broadcast and multicast traffic suppression must be the same on all interfaces of the same LPU. For example, if traffic suppression based on packet rates is configured for interface GE1/0/1, you cannot configure traffic suppression based on the suppression ratio for interface GE1/0/2.
After you configure multicast traffic suppression, the NGFW does not suppress registered multicast traffic belonging to protocols such as IGMP, DVMRP, PIM, and OSPF.

– Configure broadcast traffic suppression.


broadcast-suppression { ratio | pps max-pps }
– Configure multicast traffic suppression.
multicast-suppression { ratio | pps max-pps }
Traffic suppression is disabled by default.
The following formula relates the two parameters:
Packet rate (pps) = Interface bandwidth x Suppression ratio/672
Where,
– Interface bandwidth: expressed in bit/s, and the suppression ratio is expressed as a fraction (1% = 0.01).
– 672: length in bits of a minimum-size frame (84 bytes x 8). Each frame consists of a 64-byte frame body plus 20 bytes of frame spacing and check information, and each byte contains 8 bits.
l Ethernet interface loopback
Loopback helps you check whether an interface works properly.
Enable loopback.
loopback
When an interface works properly, disable the loopback. By default, the loopback is
disabled.
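An added example (not from the guide) applying interface flapping control and packet-rate traffic suppression to one ISP-facing interface. The control-flap values are assumptions chosen only to satisfy Reuse < Suppress < Ceiling; the pps value is derived in the comments from the formula above for an assumed 1 Gbit/s interface and a 1% ratio, then rounded up to the 125-pps granularity. The interface number is also an assumption; lines beginning with # are explanatory comments, not commands.

```text
# Added example, not from the guide. Interface number and parameter values are assumptions.
system-view
interface GigabitEthernet 1/0/2

# Flapping control. With suppress 2000, reuse 750, ceiling 6000, decay-ok 54,
# decay-ng 54: each Up/Down transition raises the penalty; the penalty halves
# every 54 s while the interface stays Up (decay-ok) or Down (decay-ng); the
# interface is suppressed when the penalty reaches 2000, released when it
# decays to 750 or below, and the penalty is capped at 6000.
# The required ordering 750 < 2000 < 6000 holds.
 control-flap 2000 750 6000 54 54

# Traffic suppression in pps. Assumed interface bandwidth 1 Gbit/s, ratio 1%:
#   pps = 1,000,000,000 x 0.01 / 672 = 14,881 (rounded)
# max-pps is applied in steps of 125, so 14,881 becomes 15,000
# (119 x 125 = 14,875 < 14,881 <= 120 x 125 = 15,000).
# Broadcast and multicast suppression on the same LPU must use the same mode,
# so both use pps here; a ratio form on a sibling interface would be rejected.
 broadcast-suppression pps 15000
 multicast-suppression pps 15000

# loopback is a diagnostic only and stays disabled on a forwarding interface.
 quit
```

Run reset control-flap before measuring a new period so the penalty statistics start from zero. Pick the suppression rate from the real interface bandwidth and a ratio you have measured as normal broadcast load, not from the defaults, since a value that is too low silently drops legitimate ARP and routing traffic.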

8.1.3.2 Configuring a Layer 2 Ethernet Interface


This section describes how to configure a Layer 2 Ethernet interface that forwards Layer 2
frames.

Basic Layer 2 Ethernet Interface Configuration


Step 1 Display the system view.
system-view

Step 2 Display the specified interface view.


interface interface-type interface-number


Step 3 Switch the Layer 3 Ethernet interface to Layer 2 mode.


portswitch

An Ethernet interface works at Layer 3 by default. To use the Layer 3 Ethernet interface as a
Layer 2 interface, switch the Ethernet interface to Layer 2 mode.

When a Layer 3 Ethernet interface is switched to Layer 2 mode, the device automatically clears specific configurations of the interface, such as DHCP, DDNS, and route configurations, and retains others, such as HRP heartbeat interface configurations. An interface that is specified as a heartbeat interface cannot be switched to Layer 2 mode. Therefore, before you switch a Layer 3 Ethernet interface to Layer 2 mode, ensure that the interface carries no configuration.

To switch Layer 3 Ethernet interfaces to Layer 2 mode in a batch, run the portswitch batch
interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system
view.

By default, a Layer 2 Ethernet interface belongs to VLAN 1 and works as an access port. For
information about how to configure a VLAN, see VLAN.

NOTICE
If the interfaces work at Layer 2 and IPv6 needs to be processed on NGFW, you need to run the
ipv6 command to enable the global IPv6 function.

Step 4 Optional: Enable the bypass detection function on the interface.


bypass-detection

After bypass detection is enabled, the device detects packets received on this interface and then
discards them.

Step 5 Optional: Disable an interface from working in auto-negotiation mode.


undo negotiation auto

By default, an interface works in auto-negotiation mode. To set parameters duplex and speed
to adjust the duplex mode and rate of an interface, run the undo negotiation auto command to
disable the interface from working in auto-negotiation mode.

This command applies only to Ethernet electrical interfaces and Ethernet optical interfaces that
work in electrical interface mode.

Step 6 Optional: Specify a duplex mode.


duplex { full | half }

This command applies only to Ethernet electrical interfaces and Ethernet optical interfaces that
work in electrical interface mode.

Step 7 Optional: Set a working rate.


speed { 10 | 100 | 1000 }

This command applies only to Ethernet electrical interfaces and Ethernet optical interfaces that
work in electrical interface mode.


Step 8 Optional: Configure an interface description.


description interface-description

Step 9 Optional: Specify the alias for an interface.


alias alias

Step 10 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number

Step 11 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth egress bandwidth-number

----End

Advanced Layer 2 Ethernet Interface Configuration


A Layer 2 Ethernet interface supports traffic suppression and loopback. For information about
traffic suppression and loopback, see Advanced Layer 3 Ethernet Interface Configuration.

l Configure traffic suppression on an Ethernet interface.

NOTICE
For broadcast and multicast traffic suppression based on packet rates, the granularity of parameter max-pps is 125: the configured value is rounded up to the next multiple of 125. For example, if you set max-pps to 5, the actual value is 125, and if you set max-pps to 126, the actual value is 250.
The mode of broadcast and multicast traffic suppression must be the same on all interfaces of the same LPU. For example, if traffic suppression based on packet rates is configured for interface GE1/0/1, you cannot configure traffic suppression based on the suppression ratio for interface GE1/0/2.
After you configure multicast traffic suppression, the NGFW does not suppress registered multicast traffic belonging to protocols such as IGMP, DVMRP, PIM, and OSPF.

– Configure broadcast traffic suppression.
broadcast-suppression { ratio | pps max-pps }
– Configure multicast traffic suppression.
multicast-suppression { ratio | pps max-pps }

Traffic suppression is disabled by default.


l Enable loopback.
loopback

When an interface is working properly, disable loopback. By default, loopback is disabled.

----End


8.1.3.3 Configuring a Layer 3 Ethernet Subinterface


This section describes how to configure a Layer 3 Ethernet subinterface.

Context
Subinterfaces are logical or virtual interfaces created on a physical interface. Subinterfaces share
the physical parameters of the physical interface on which they are created. However,
subinterfaces have their own data link layer and network layer parameters. A subinterface status
change does not affect the main interface status, whereas a main interface status change affects
the subinterface status. Subinterfaces work properly only when their main interface is in the Up
state.
Subinterfaces can be created on Layer 3 Ethernet and Eth-Trunk interfaces. To distinguish
VLAN packets on a Layer 3 Ethernet interface or an Eth-Trunk interface, configure subinterfaces
with different VLAN IDs. Each subinterface with a specific VLAN ID forwards packets carrying
the VLAN ID, which provides configuration flexibility.

Procedure
Step 1 Display the system view.
system-view
Step 2 Display the Ethernet subinterface view.
interface interface-type interface-number.subinterface-number
The subinterface-number parameter specifies the number of an Ethernet subinterface.
Step 3 Specify an encapsulation mode and a VLAN ID for the subinterface.
vlan-type dot1q vlan-id
By default, no encapsulation mode or VLAN ID is configured on a subinterface.
To ensure VLAN connectivity, set the same VLAN ID on two subinterfaces at two ends of a
link.
Step 4 Assign an IPv4 address to the interface.
ip address ip-address { mask | mask-length } [ sub ]
To assign the second and subsequent IPv4 addresses to the interface, configure the sub parameter
in the ip address command.
Step 5 Assign an IPv6 address to the interface.
1. Enable the IPv6 capability on the interface.
ipv6 enable
By default, the IPv6 capability is disabled on the interface.
Before performing IPv6 configurations in the interface view, enable the IPv6 capability in
the interface view.
To allow the interface to forward IPv6 packets, run the ipv6 command in the system view.
2. Perform either of the following operations to configure an IPv6 link-local address:
l To enable the system to automatically generate an IPv6 link-local address, run:
ipv6 address auto link-local


Automatic generation is recommended because a link-local address is used only for protocol communication between nodes on the link, not for user traffic.
If no IPv6 link-local address is specified for an interface, the device automatically
generates an IPv6 link-local address for the interface after an IPv6 global unicast address
of the interface is specified.
l To specify an IPv6 link-local address, run:
ipv6 address ipv6-address link-local
The prefix of an IPv6 link-local address is FE80::/10.

NOTE
Only a single link-local address can be configured on an interface. If you repeatedly configure link-local
addresses, the last configuration takes effect.
3. Assign a global unicast IPv6 address to the interface.
ipv6 address { ipv6-address | ipv6-address/prefix-length } [ eui-64 ]

An EUI-64 address supports the same function as a global unicast address. The difference
between the two addresses is as follows:
l Only the network bits need to be specified for the EUI-64 address, because the host bits
are transformed from the MAC addresses of the interface. The prefix length of the
network bits in an EUI-64 address must not be longer than 64 bits.
l A complete 128-bit address needs to be specified for the global unicast address.

The EUI-64 address and global unicast address can be configured simultaneously or
separately. However, IP addresses configured for the same interface cannot be on the same
network segment.

Step 6 Optional: Configure an interface description.


description interface-description

Step 7 Optional: Specify the alias for an interface.


alias alias

Step 8 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number

Step 9 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth egress bandwidth-number

Step 10 Optional: Enable access control on an interface.


service-manage enable

By default, access control is enabled on interfaces.

Step 11 Optional: Allow or block HTTP, HTTPS, ping, SSH, SNMP, or Telnet access to the NGFW.
service-manage { http | https | ping | ssh | snmp | telnet } { permit | deny }

The service-manage command allows an administrator to access the NGFW through the specified interface even when no security policy permits traffic between the Local zone and the security zone to which the interface belongs.


By default, the management interface (GE0/0/0) allows HTTP, HTTPS, ping, SSH, SNMP, and
Telnet access to a NGFW, and a non-management interface denies HTTP, HTTPS, ping, SSH,
SNMP, and Telnet access to a NGFW.

Step 12 Optional: Restore the access control management function of an interface to the default setting.
reset service-manage

After you run this command, the access control management function of the management
interface (GE0/0/0) is enabled, and the administrator is allowed to use HTTP, HTTPS, Ping,
SSH, SNMP, and Telnet to access the device. For non-management interfaces, the access control
management function is enabled, but the administrator is not allowed to use HTTP, HTTPS,
Ping, SSH, SNMP, or Telnet to access the device.

Step 13 Optional: Set a gateway address for the interface.

gateway gateway-address [ no-route ]

Step 14 Optional: Enable the sticky load balancing function.

reverse-route nexthop nexthop-address

If a gateway address is configured on the interface, set nexthop-address to that gateway address.

In the multi-ISP load balancing NAT server scenario, the NGFW looks up the routing table for
an outgoing interface to send the return traffic from a server. As a result, the return traffic from
the server may take a path on ISP2, although the request to the server takes a link on ISP1. The
inconsistent forward and return paths may slow down or even interrupt services. To resolve this
issue, configure the sticky load balancing function on the incoming interface of ISP1.

The NGFW uses the incoming interface of the forward packets as the outgoing interface of return
packets instead of searching for policy-based routes, specific routes, and default routes.

NOTE

If equal-cost multipath (ECMP) routes are configured, the sticky load balancing function is enabled by
default. Otherwise, configure the sticky load balancing function.

----End
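An added example (not from the guide) for the procedure above: a Layer 3 Ethernet interface carrying an 802.1Q trunk from a switch, with one subinterface per VLAN so that the user segment and the DMZ are terminated on separate subinterfaces. The interface number, the VLAN IDs and the 10.10.0.0/16 and 2001:db8::/32 addresses are assumptions. Lines beginning with # are explanatory comments, not commands.

```text
# Added example, not from the guide. Interface, VLAN IDs and addresses are assumptions.
system-view

# The main interface carries the tagged trunk and gets no address of its own.
# Subinterfaces follow its status, so a Down here takes every VLAN below with it.
interface GigabitEthernet 1/0/4
 description TRUNK-core-switch
 quit

# VLAN 10: user segment. The VLAN ID must match the one the switch sends on
# its trunk; frames with any other tag never reach this subinterface.
interface GigabitEthernet 1/0/4.10
 vlan-type dot1q 10
 description VLAN10-users
 ip address 10.10.10.1 255.255.255.0
 ipv6 enable
 ipv6 address auto link-local
 ipv6 address 2001:db8:a::1/64
 quit

# VLAN 20: DMZ. A second IPv4 subnet is added with sub; it must not lie on the
# same network segment as the first address. Management stays at the
# non-management default (deny); only ping is permitted for reachability tests.
interface GigabitEthernet 1/0/4.20
 vlan-type dot1q 20
 description VLAN20-dmz
 ip address 10.10.20.1 255.255.255.0
 ip address 10.10.21.1 255.255.255.0 sub
 service-manage ping permit
 quit
```

Keeping one subinterface per VLAN, and assigning each subinterface to its own security zone afterwards, is what makes the security policy between the user segment and the DMZ enforceable; a single untagged interface for both would collapse them into one zone.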

8.1.3.4 Configuring a Layer 2 Ethernet Subinterface


This section describes how to configure a Layer-2 Ethernet subinterface.

Context
Subinterfaces are logical or virtual interfaces created on a physical interface. Subinterfaces share
the physical parameters of the physical interface on which they are created. However,
subinterfaces have their own data link layer and network layer parameters. A subinterface status
change does not affect the main interface status, whereas a main interface status change affects
the subinterface status. Subinterfaces work properly only when their main interface is in the Up
state.

The device supports creating subinterfaces on Layer 2 Ethernet and Layer 2 Eth-Trunk interfaces.
Using a subinterface to terminate a VLAN allows for inter-VLAN forwarding.


Procedure
Step 1 Run the system-view command to access the system view.

Step 2 Run the interface interface-type interface-number command to access the interface view.

Step 3 Run the portswitch command to configure a Layer 3 Ethernet interface to work in Layer 2 mode.

Step 4 Run the quit command to return to the system view.

Step 5 Run the interface interface-type interface-number.subinterface-number command to create a subinterface and access the subinterface view.

Step 6 Run the vlan-type dot1q vlan-id command to configure the encapsulation type for the
subinterface and associate a VLAN ID with the subinterface.

Step 7 Run the portswitch command to configure the subinterface as a Layer 2 subinterface.

Step 8 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number

Step 9 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth egress bandwidth-number

Step 10 Optional: Run the bypass-detection command to enable the bypass detection function on the
interface.

After bypass detection is enabled, the device detects packets received on this interface and then
discards them.

----End
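An added example (not from the guide) covering 8.1.3.2 and this section together: a physical interface is switched to Layer 2 mode, its duplex and speed are fixed, a second batch of interfaces is switched with one command, and a Layer 2 subinterface is created to terminate VLAN 30. The interface numbers and the VLAN ID are assumptions; lines beginning with # are explanatory comments, not commands.

```text
# Added example, not from the guide. Interface numbers and VLAN ID are assumptions.
system-view

# Switch the interface to Layer 2 while it still carries no configuration:
# portswitch clears DHCP, DDNS and route settings and is refused on an HRP
# heartbeat interface. The interface joins VLAN 1 as an access port by default.
interface GigabitEthernet 1/0/5
 portswitch
 description L2-access-uplink
 undo negotiation auto
 duplex full
 speed 1000
 quit

# Several interfaces can be switched in one command from the system view.
portswitch batch GigabitEthernet 1/0/6 to 1/0/7

# Layer 2 subinterface on the switched interface: set the dot1q VLAN first,
# then run portswitch again so the subinterface itself works at Layer 2.
interface GigabitEthernet 1/0/5.30
 vlan-type dot1q 30
 portswitch
 quit

# bypass-detection makes the device discard everything received on the
# interface after detection, so it is deliberately left off on these
# forwarding interfaces.
```

If IPv6 must be processed on these Layer 2 interfaces, also run the ipv6 command in the system view; without the global switch the Layer 2 path does not handle IPv6 traffic.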

8.1.3.5 Configuring a VLAN Interface


This section describes how to configure a VLAN interface for inter-VLAN communication.

Context
A LAN can be divided into several logical LANs. Each logical LAN is a broadcast domain,
which is called a VLAN. Devices on a LAN logically belong to different VLANs, regardless of
their physical locations. VLANs separate broadcast domains within a LAN from each other.

When hosts on a VLAN need to communicate with a device at the network layer, you can create
a VLAN interface on the device. The VLAN interface functions as a Layer 3 interface to provide
Layer 3 functions, such as IPv4 or IPv6 address settings.

Procedure
Step 1 Display the system view.
system-view

Step 2 Display the specified interface view.


interface interface-type interface-number

Step 3 Switch the Layer 3 Ethernet interface to Layer 2 mode.


portswitch

Step 4 Return to the system view.


quit

Step 5 Create a VLAN and display the VLAN view.


vlan vlan-id

If a VLAN already exists, running this command directly displays the VLAN view.

Step 6 Assign specified interfaces to the VLAN.


port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>

Only access interfaces can be added to a VLAN using this command.

Step 7 Return to the system view.


quit

Step 8 Create a Vlanif interface for a specific VLAN and display the Vlanif interface view.
interface vlanif vlan-id

If a Vlanif interface already exists, running this command directly displays the Vlanif interface
view.

A VLAN must exist before a Vlanif interface is created for it.

Step 9 Assign an IPv4 address to the interface.


ip address ip-address { mask | mask-length } [ sub ]

To assign the second and subsequent IPv4 addresses to the interface, configure the sub parameter
in the ip address command.

Step 10 Assign an IPv6 address to the interface.


1. Enable the IPv6 capability on the interface.
ipv6 enable

By default, the IPv6 capability is disabled on the interface.

Enable the IPv6 capability in the interface view before performing IPv6 configurations in
the interface view.

To allow the interface to forward IPv6 packets, run the ipv6 command in the system view.
2. Perform either of the following operations to configure an IPv6 link-local address:
l To enable the system to automatically generate an IPv6 link-local address, run:
ipv6 address auto link-local
Automatic generation is recommended because a link-local address is used only for protocol communication between nodes on the link, not for user traffic.
If no IPv6 link-local address is specified for an interface, the device automatically generates one after a global unicast address is assigned to the interface.
l To specify an IPv6 link-local address, run:
ipv6 address ipv6-address link-local

Issue 04 (2015-07-30) Huawei Proprietary and Confidential 1051


Copyright © Huawei Technologies Co., Ltd.
HUAWEI USG6000 Series & NGFW Module
Administrator Guide 8 Networks

The prefix of an IPv6 link-local address is FE80::/10.

NOTE
Only a single link-local address can be configured on an interface. If you repeatedly configure link-local
addresses, the last configuration takes effect.
3. Assign a global unicast IPv6 address to the interface.
ipv6 address { ipv6-address | ipv6-address/prefix-length } [ eui-64 ]

An EUI-64 address provides the same function as a manually specified global unicast
address. The difference between the two is as follows:
l Only the network bits need to be specified for an EUI-64 address, because the host bits
are derived from the MAC address of the interface. The prefix length of an EUI-64
address must not be longer than 64 bits.
l A complete 128-bit address needs to be specified for a global unicast address.

An EUI-64 address and a global unicast address can be configured on the same interface,
together or separately, but the IPv6 addresses configured on one interface cannot belong
to the same network segment.

Step 11 Optional: Configure an interface description.


description interface-description

Step 12 Optional: Specify the alias for an interface.


alias alias

Step 13 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number

Step 14 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth egress bandwidth-number

Step 15 Optional: Enable access control on an interface.


service-manage enable

By default, access control is enabled on interfaces.

Step 16 Optional: Allow or block HTTP, HTTPS, ping, SSH, SNMP, or Telnet access to the NGFW.
service-manage { http | https | ping | ssh | snmp | telnet } { permit | deny }

The service-manage command allows an administrator to access the NGFW through a specified
interface even if no security policy permits traffic between the Local zone and the security
zone to which the interface belongs.

By default, the management interface (GE0/0/0) permits HTTP, HTTPS, ping, SSH, SNMP, and
Telnet access to the NGFW, and every non-management interface denies HTTP, HTTPS, ping, SSH,
SNMP, and Telnet access. Because HTTP and Telnet carry administrator credentials in
cleartext, permit only HTTPS and SSH on interfaces that face untrusted networks, and keep
the other services denied there.

Step 17 Optional: Restore the access control management function of an interface to the default setting.
reset service-manage

After you run this command, access control on the management interface (GE0/0/0) is
enabled, and the administrator is allowed to use HTTP, HTTPS, ping, SSH, SNMP, and Telnet
to access the device. On non-management interfaces, access control is enabled, but the
administrator is not allowed to use HTTP, HTTPS, ping, SSH, SNMP, or Telnet to access the
device.

Step 18 Optional: Set a gateway address for the interface.

gateway gateway-address [ no-route ]

Step 19 Optional: Enable the sticky load balancing function.

reverse-route nexthop nexthop-address

If a gateway address is configured on the interface, set nexthop-address to the same value
as the gateway address.

In the multi-ISP load balancing NAT server scenario, the NGFW looks up the routing table for
an outgoing interface when it forwards the return traffic from a server. As a result, the
return traffic from the server may take a path on ISP2 although the request to the server
arrived over a link on ISP1. Inconsistent forward and return paths may slow down or even
interrupt services. To resolve this issue, configure the sticky load balancing function on
the incoming interface of ISP1.

The NGFW then uses the incoming interface of the forward packets as the outgoing interface
of the return packets instead of looking up policy-based routes, specific routes, and
default routes.

NOTE

If equal-cost multipath (ECMP) routes are configured, the sticky load balancing function is
enabled by default. Otherwise, configure the sticky load balancing function explicitly.

----End

8.1.3.6 Configuring an Eth-Trunk Interface


This section describes how to configure an Eth-Trunk interface, which can load-balance traffic
between devices, increase bandwidth, and improve link reliability.

Context
Multiple Ethernet interfaces are bundled into an Eth-Trunk interface. An Eth-Trunk interface
provides bandwidth equal to the total bandwidth of all its member interfaces. If a member
interface goes Down, traffic continues to be transmitted over the other member interfaces,
which increases link reliability.

An Eth-Trunk interface distributes traffic across its member links, which load-balances traffic.

A physical interface can be added to only one Eth-Trunk interface. To move a physical
interface to another Eth-Trunk interface, first remove it from the existing Eth-Trunk
interface.

Procedure
Step 1 Display the system view.
system-view

Step 2 Create an Eth-Trunk interface.


interface eth-trunk trunk-id

Step 3 Return to the system view.


quit
Step 4 Display the Ethernet interface view.
interface interface-type interface-number
Step 5 Add the interface to the Eth-Trunk interface.
eth-trunk trunk-id
The Eth-Trunk must be already created.
Step 6 Return to the system view.
quit
Step 7 Display the Eth-Trunk interface view.
interface eth-trunk trunk-id
Step 8 Assign an IPv4 address to the interface.
ip address ip-address { mask | mask-length } [ sub ]
To assign the second and subsequent IPv4 addresses to the interface, configure the sub parameter
in the ip address command.
Step 9 Assign an IPv6 address to the interface.
1. Enable the IPv6 capability on the interface.
ipv6 enable
By default, the IPv6 capability is disabled on the interface.
Before performing IPv6 configurations in the interface view, enable the IPv6 capability in
the interface view.
To allow the interface to forward IPv6 packets, run the ipv6 command in the system view.
2. Perform either of the following operations to configure an IPv6 link-local address:
l To enable the system to automatically generate an IPv6 link-local address, run: ipv6
address auto link-local
Allowing the system to generate the link-local address automatically is recommended,
because a link-local address is used only for protocol communication between nodes on
the same link and is not involved in user traffic.
If no IPv6 link-local address is specified for an interface, the device automatically
generates one for the interface after an IPv6 global unicast address is assigned to the
interface.
l To specify an IPv6 link-local address, run: ipv6 address ipv6-address link-local
The prefix of an IPv6 link-local address is FE80::/10.

NOTE
Only a single link-local address can be configured on an interface. If you repeatedly configure link-local
addresses, the last configuration takes effect.
3. Assign a global unicast IPv6 address to the interface.
ipv6 address{ ipv6-address | ipv6-address/prefix-length } [ eui-64 ]
An EUI-64 address provides the same function as a manually specified global unicast
address. The difference between the two is as follows:

l Only the network bits need to be specified for an EUI-64 address, because the host bits
are derived from the MAC address of the interface. The prefix length of an EUI-64
address must not be longer than 64 bits.
l A complete 128-bit address needs to be specified for a global unicast address.

An EUI-64 address and a global unicast address can be configured on the same interface,
together or separately, but the IPv6 addresses configured on one interface cannot belong
to the same network segment.

Step 10 Optional: Configure an interface description.


description interface-description

Step 11 Optional: Specify the alias for an interface.


alias alias

Step 12 Optional: Set the maximum bandwidth for upstream traffic on the interface.
bandwidth ingress bandwidth-number

Step 13 Optional: Set the maximum bandwidth for downstream traffic on the interface.
bandwidth egress bandwidth-number

Step 14 Optional: Enable access control on an interface.


service-manage enable

By default, access control is enabled on interfaces.

Step 15 Optional: Allow or block HTTP, HTTPS, ping, SSH, SNMP, or Telnet access to the NGFW.
service-manage { http | https | ping | ssh | snmp | telnet } { permit | deny }

The service-manage command allows an administrator to access the NGFW through a specified
interface even if no security policy permits traffic between the Local zone and the security
zone to which the interface belongs.

By default, the management interface (GE0/0/0) permits HTTP, HTTPS, ping, SSH, SNMP, and
Telnet access to the NGFW, and every non-management interface denies HTTP, HTTPS, ping, SSH,
SNMP, and Telnet access. Because HTTP and Telnet carry administrator credentials in
cleartext, permit only HTTPS and SSH on interfaces that face untrusted networks, and keep
the other services denied there.

Step 16 Optional: Restore the access control management function of an interface to the default setting.
reset service-manage

After you run this command, access control on the management interface (GE0/0/0) is
enabled, and the administrator is allowed to use HTTP, HTTPS, ping, SSH, SNMP, and Telnet
to access the device. On non-management interfaces, access control is enabled, but the
administrator is not allowed to use HTTP, HTTPS, ping, SSH, SNMP, or Telnet to access the
device.

Step 17 Optional: Set a gateway address for the interface.

gateway gateway-address [ no-route ]

Step 18 Optional: Enable the sticky load balancing function.

reverse-route nexthop nexthop-address

If a gateway address is configured on the interface, set nexthop-address to the same value
as the gateway address.

In the multi-ISP load balancing NAT server scenario, the NGFW looks up the routing table for
an outgoing interface when it forwards the return traffic from a server. As a result, the
return traffic from the server may take a path on ISP2 although the request to the server
arrived over a link on ISP1. Inconsistent forward and return paths may slow down or even
interrupt services. To resolve this issue, configure the sticky load balancing function on
the incoming interface of ISP1.

The NGFW then uses the incoming interface of the forward packets as the outgoing interface
of the return packets instead of looking up policy-based routes, specific routes, and
default routes.

NOTE

If equal-cost multipath (ECMP) routes are configured, the sticky load balancing function is
enabled by default. Otherwise, configure the sticky load balancing function explicitly.

Step 19 Optional: Switch the Layer 3 interface to Layer 2 mode.


portswitch

Step 20 Optional: Enable the bypass detection function on the interface.


bypass-detection

After bypass detection is enabled, the device detects packets received on this interface and then
discards them.

----End

8.1.3.7 Configuring the Combo Interface


Before using the combo interface, you need to configure the working status of the combo
interface.

Context
A combo interface is a combined optical/electrical Ethernet interface, but it can work as
only one of the two at a time.

By default, the combo interface works as an electrical interface. To use it as an optical
interface, specify the working status of the combo interface through the following steps.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number

The combo interface view is displayed.

Step 3 Run:
combo enable { copper | fiber }

The working status of the combo interface is configured.

l fiber: indicates that the interface works as an optical interface.


l copper: indicates that the interface works as an electrical interface.

----End

8.1.3.8 Configuring a Loopback Interface


This section describes how to configure a loopback interface. Once created, a loopback interface
remains in the Up state, and this property is used to improve reliability.

Context
A loopback interface is typically used as follows:

l The IPv4 or IPv6 address of a loopback interface is used as the source address of
packets sent by the device.
l The IPv4 or IPv6 address of a loopback interface is used to control access to the device
and to filter information, such as logs.

Because the loopback interface is always Up, its address can be used as a router ID, a label
switching router (LSR) ID, or an unnumbered address.

Procedure
Step 1 Display the system view.
system-view

Step 2 Create a loopback interface and display the loopback interface view.
interface loopback loopback-number

Step 3 Assign an IPv4 address to the interface.


ip address ip-address { mask | mask-length } [ sub ]

To assign the second and subsequent IPv4 addresses to the interface, configure the sub parameter
in the ip address command.

Step 4 Assign an IPv6 address to the interface.


1. Enable the IPv6 capability on the interface.
ipv6 enable

By default, the IPv6 capability is disabled.

Enable the IPv6 capability in the interface view before performing IPv6 configurations in
the interface view.

To allow the interface to forward IPv6 packets, run the ipv6 command in the system view.
2. Perform either of the following operations to configure an IPv6 link-local address:
l To enable the system to automatically generate an IPv6 link-local address, run: ipv6
address auto link-local
Allowing the system to generate the link-local address automatically is recommended,
because a link-local address is used only for protocol communication between nodes on
the same link and is not involved in user traffic.
If no IPv6 link-local address is specified for an interface, the device automatically
generates one for the interface after an IPv6 global unicast address is assigned to the
interface.
l To specify an IPv6 link-local address, run: ipv6 address ipv6-address link-local
The prefix of an IPv6 link-local address is FE80::/10.

NOTE
Only a single link-local address can be configured on an interface. If you repeatedly configure link-local
addresses, the last configuration takes effect.
3. Assign a global unicast IPv6 address to the interface.
ipv6 address{ ipv6-address | ipv6-address/prefix-length } [ eui-64 ]

An EUI-64 address provides the same function as a manually specified global unicast
address. The difference between the two is as follows:
l Only the network bits need to be specified for an EUI-64 address, because the host bits
are derived from the MAC address of the interface. The prefix length of an EUI-64
address must not be longer than 64 bits.
l A complete 128-bit address needs to be specified for a global unicast address.

An EUI-64 address and a global unicast address can be configured on the same interface,
together or separately, but the IPv6 addresses configured on one interface cannot belong
to the same network segment.
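The EUI-64 derivation described in the step above, and in the identical steps for Vlanif interfaces (8.1.3.5) and Eth-Trunk interfaces (8.1.3.6), can be checked offline. The following Python example is added here and is not part of the Huawei guide or the NGFW software. It implements the RFC 4291 modified EUI-64 rule (invert the universal/local bit, insert FFFE) to show which address the ipv6 address prefix/len eui-64 option produces from a given MAC, why the prefix must not exceed 64 bits, how the automatic FE80::/64 link-local address is formed, and that the host part of an EUI-64 address can be reversed back to the MAC address. The MAC address and the 2001:db8:1::/64 prefix are constructed sample inputs.

```python
"""EUI-64 address derivation (added example, not code from the Huawei guide).

Shows how the host bits of an address configured with
``ipv6 address <prefix>/<len> eui-64`` are derived from the interface MAC,
why the prefix length is limited to 64 bits, and what an EUI-64 host
identifier reveals to anyone who sees the address.
"""
import ipaddress
import re
from typing import Optional


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit modified EUI-64 identifier for a 48-bit MAC address.

    RFC 4291 Appendix A: split the MAC into two 24-bit halves, insert
    0xFFFE between them, and invert the universal/local bit (0x02 of the
    first octet).  Accepts "00:1b:21:aa:bb:cc" or "00-1B-21-AA-BB-CC".
    """
    octets = [int(part, 16) for part in re.split(r"[:\-]", mac)]
    if len(octets) != 6 or any(o > 0xFF for o in octets):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    octets[0] ^= 0x02                              # flip the U/L bit
    eui = octets[:3] + [0xFF, 0xFE] + octets[3:]   # insert the FFFE marker
    return int.from_bytes(bytes(eui), "big")


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Build the address the guide's eui-64 option produces for prefix + MAC.

    The guide requires the prefix length to be at most 64 bits: the low 64
    bits belong to the MAC-derived identifier, so a longer prefix would
    overlap them.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen > 64:
        raise ValueError(f"EUI-64 prefix {prefix} is longer than 64 bits")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Automatically generated link-local address: FE80::/64 plus the EUI-64 id."""
    return eui64_address("fe80::/64", mac)


def is_link_local(addr: str) -> bool:
    """True if addr lies in FE80::/10, the link-local range named in the guide."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network("fe80::/10")


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC address embedded in an EUI-64 address, or None.

    This is the caveat with eui-64 on externally reachable interfaces: the
    host identifier is stable across prefixes and discloses the hardware
    address, which is why a manually specified 128-bit address is usually
    preferred for public-facing interfaces.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    raw = iid.to_bytes(8, "big")
    if raw[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(raw[:3] + raw[5:])
    octets[0] ^= 0x02                              # undo the U/L flip
    return ":".join(f"{o:02x}" for o in octets)


if __name__ == "__main__":
    # Constructed sample inputs: a documentation prefix and an arbitrary MAC.
    mac, prefix = "00:1b:21:aa:bb:cc", "2001:db8:1::/64"
    print("global    :", eui64_address(prefix, mac))
    print("link-local:", link_local_address(mac))
    print("mac       :", mac_from_eui64(str(eui64_address(prefix, mac))))
```

For 00:1b:21:aa:bb:cc the global address is 2001:db8:1:0:21b:21ff:feaa:bbcc and the link-local address is fe80::21b:21ff:feaa:bbcc; the ff:fe marker in the middle of the host part is what makes the MAC recoverable.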

Step 5 Optional: Configure an interface description.


description interface-description

Step 6 Optional: Specify the alias for an interface.


alias alias

----End

8.1.3.9 Configuring a Null Interface


This section describes how to configure a null interface. A null interface implements the
blackhole route function.

Context
A null interface is similar to a null device supported by an operating system. Any network data
packets sent to this interface are discarded.

Procedure
Step 1 Display the system view.
system-view

Step 2 Display the null interface view.


interface null 0

A null interface remains in the Up state all the time. It cannot forward data packets, be
assigned an IP address, or run protocols.

Step 3 Optional: Specify the alias for an interface.

alias alias

----End

Example
# Configure a blackhole route to allow a null interface on the NGFW to discard all received
packets destined for 10.1.1.0/24.
<NGFW> system-view
[NGFW] ip route-static 10.1.1.0 24 NULL 0

8.1.3.10 Configuring an Interface Pair


This section describes how to configure an interface pair.

Context
An interface pair is a pair of incoming and outgoing interfaces. After an interface pair is formed,
traffic that enters the incoming interface of the pair is forwarded out of the outgoing
interface of the pair without a routing table or MAC address table lookup.

If the incoming and outgoing interfaces are the same interface, packets entering the interface
are forwarded out of the same interface after being processed.

Interfaces that can form an interface pair include Layer 2 Ethernet interfaces and their
subinterfaces, and Layer 2 Eth-Trunk interfaces and their subinterfaces.

Procedure
Step 1 Run the system-view command to access the system view.

Step 2 Run the pair-interface [ pair-id ] interface-type interface-number1 interface-type
interface-number2 command to create an interface pair.

----End

8.1.3.11 Maintaining Interfaces


This section describes how to display the configuration and status of a specific interface.

You can run a display command to check the configuration and status of a specific interface.
Table 8-23 lists the display commands.

Table 8-23 Displaying the interface configuration and status

Action: Display the status of a specified Ethernet interface.
Command: display interface [ interface-type [ interface-number ] ] [ | { begin | exclude | include } regular-expression ]

Action: Display brief information about Ethernet interfaces.
Command: display interface ethernet brief [ | { begin | include | exclude } regular-expression ]

Action: Display brief information about interfaces.
Command: display interface brief [ | { begin | include | exclude } regular-expression ]

Action: Display the status of the null interface.
Command: display interface null [ number ] [ | { begin | include | exclude } regular-expression ]

Action: Display the status of the loopback interface.
Command: display interface loopback [ number ] [ | { begin | include | exclude } regular-expression ]

Action: Display the configuration and statistics related to the IPv4 address of the interface.
Command: display ip interface [ interface-type interface-number ]
Command: display ip interface brief [ interface-type ] [ interface-number ]

Action: Display the configuration and statistics related to the IPv6 address of the interface.
Command: display ipv6 interface [ interface-type interface-number ]
Command: display ipv6 interface brief [ interface-type ] [ interface-number ]

8.1.4 Configuration Examples


This section provides examples for configuring various interfaces to access networks.

8.1.4.1 Example for Accessing the Internet Using a Static IPv4 Address
This section provides an example for configuring an NGFW with a static IPv4 address obtained
from a carrier so that the PCs attached to the NGFW can access broadband Internet services.

Networking Requirements
The enterprise shown in Figure 8-4 subscribes to broadband Internet services and obtains the
static IPv4 address 1.1.1.1/24 from the carrier. The gateway and the DNS server both have the
IP address 1.1.1.254. The enterprise assigns the static IPv4 address to the NGFW so that the
PCs attached to the NGFW can access the Internet.

Figure 8-4 Accessing the Internet using a static IPv4 address

[Figure: PCs on the intranet connect to GE1/0/3 (10.3.0.1/24, Trust zone) of the NGFW; GE1/0/1
(1.1.1.1/24, Untrust zone) connects to the carrier router at 1.1.1.254.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Obtain a static IPv4 address from the carrier and assign it to GigabitEthernet 1/0/1 on
the NGFW.
2. Assign an IP address to GigabitEthernet 1/0/3, which connects the NGFW to the intranet.
3. Configure a security policy and a NAT policy (easy-IP) on the NGFW.
4. On the PCs, set the gateway address to 10.3.0.1 and the DNS server address to 1.1.1.254.
The following example describes the configuration procedure on the NGFW. The configuration
procedure for the PCs is not provided.

Procedure
Step 1 Configure GigabitEthernet 1/0/1.
1. Choose Network > Interface.
2. Click and set the following parameters for GE1/0/1.

Table 8-24 Interface parameters

Zone untrust

Mode Route

IPv4

Connection Type Static IP

IP Address 1.1.1.1/255.255.255.0

Default Gateway 1.1.1.254

3. Click OK.

Step 2 Configure GigabitEthernet 1/0/3.


1. Choose Network > Interface.
2. Click and set the following parameters for GE1/0/3.

Table 8-25 Interface parameters

Zone trust

Mode Route

IPv4

Connection Type Static IP

IP Address 10.3.0.1/255.255.255.0

3. Click OK.

Step 3 Configure a security policy to allow the PCs to access the Internet.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add and set the following parameters.

The following example provides basic security policy parameters. You can set other
parameters as needed.

Table 8-26 Security policy parameters

Name policy_sec_1

Source Zone trust

Destination Zone untrust

Source Address/Region 10.3.0.0/24

Action Permit

3. Click OK.

Step 4 Configure a NAT policy to translate private network IP addresses into public network IP
addresses before PCs access the Internet.
1. Choose Policy > NAT Policy > Source NAT.
2. Click Add in Source NAT Policy List. Then set the following parameters.

Table 8-27 NAT policy parameters

Name policy_nat_1

Source Zone trust

Destination Type Outgoing Interface

Outgoing Interface GE1/0/1

Before NAT

Source Address 10.3.0.0/24

Action NAT

After NAT

Source Address Outbound Interface IP Address

3. Click OK.

----End

Configuration Verification
1. Check the status of GigabitEthernet 1/0/1 (uplink).
a. Choose Network > Interface.
b. Verify that the physical status and IPv4 status of GigabitEthernet 1/0/1 are Up.
2. Check whether the PC on the intranet can use domain names to access the Internet. If the
PC can access the Internet, the configuration is successful. If the PC fails to access the
Internet, modify the configuration and try again.

Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet1/0/1 1.1.1.254
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 10.3.0.0 24
action nat easy-ip
#
return

8.1.4.2 Example for Accessing the Internet Using DHCP


This section provides an example for configuring an NGFW as a DHCP client that applies for an
IPv4 address to access the Internet.

Networking Requirements
Figure 8-5 shows an NGFW that functions as an egress gateway and connects PCs on an intranet
to the Internet. The network plan is as follows:

l An administrator manually assigns an IPv4 address on the network segment 10.3.0.0/24 to
each PC.

l An interface with a static IPv4 address connects the NGFW to the intranet.
l Another interface on the NGFW that functions as a DHCP client applies for a client IPv4
address and a DNS server IP address from a DHCP server and connects the intranet to the
Internet.

Figure 8-5 Networking diagram for accessing the Internet using DHCP

[Figure: PCs on the intranet connect to GE1/0/3 (10.3.0.1/24, Trust zone) of the NGFW; GE1/0/1
(DHCP client, Untrust zone) connects to the carrier's DHCP server.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable the DHCP client function on GigabitEthernet 1/0/1 of the NGFW to obtain a client
IPv4 address and a DNS server address from the DHCP server.
2. Specify a static IPv4 address on GigabitEthernet 1/0/3, which connects the NGFW to the
intranet.
3. Configure a security policy and a NAT policy (easy-IP) on the NGFW.
4. Enable the DNS proxy on the NGFW.
5. On the PCs, set both the gateway address and the DNS server address to 10.3.0.1. The DNS
proxy enabled in step 4 forwards the PCs' DNS queries to the DNS server learned through DHCP.
This example provides the configuration procedure on the NGFW. The configuration procedure
for the PCs is not provided.
NOTE

After the NGFW obtains an IPv4 address from the DHCP server, the DHCP server also issues a
default route to the NGFW, which functions as a DHCP client. The next hop of the default
route is the carrier's device, so there is no need to configure a default route manually.

Procedure
Step 1 Configure GigabitEthernet 1/0/1.
1. Choose Network > Interface.
2. Click and set the following parameters for GE1/0/1.

Table 8-28 Interface parameters

Zone untrust

Mode Route

IPv4

Connection Type DHCP

3. Click OK.

Step 2 Configure GigabitEthernet 1/0/3.


1. Choose Network > Interface.
2. Click and set the following parameters for GE1/0/3.

Table 8-29 Interface parameters

Zone trust

Mode Route

IPv4

Connection Type Static IP

IP Address 10.3.0.1/255.255.255.0

3. Click OK.

Step 3 Configure a security policy to allow the PCs to access the Internet.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add and set the following parameters.

The following example provides basic security policy parameters. You can set other
parameters as needed.

Table 8-30 Security policy parameters

Name policy_sec_1

Source Zone trust

Destination Zone untrust

Source Address/Region 10.3.0.0/24

Action Permit

3. Click OK.

Step 4 Configure a NAT policy to translate private network IP addresses into public network IP
addresses before PCs access the Internet.
1. Choose Policy > NAT Policy > Source NAT.
2. Click Add in Source NAT Policy List. Then set the following parameters.

Table 8-31 NAT policy parameters

Name policy_nat_1

Source Zone trust

Destination Type Outgoing Interface

Outgoing Interface GE1/0/1

Before NAT

Source Address 10.3.0.0/24

Action NAT

After NAT

Source Address Outbound Interface IP Address

3. Click OK.
Step 5 Enable the DNS proxy on the NGFW.
NOTE

This function can be configured only on the CLI.


<NGFW> system-view
[NGFW] dns proxy enable

----End

Configuration Verification
1. Check the status of GigabitEthernet 1/0/1 (uplink).
a. Choose Network > Interface.
b. Verify that the physical status and IPv4 status of GigabitEthernet 1/0/1 are Up, the
connection type is DHCP, and the interface obtained an IPv4 address.
2. Check whether the PC on the intranet can use domain names to access the Internet. If the
PC can access the Internet, the configuration is successful. If the PC fails to access the
Internet, modify the configuration and try again.

Configuration Script
#
dns resolve
dns server unnumbered interface GigabitEthernet1/0/1
#
dns proxy enable
#
sysname NGFW
#
interface GigabitEthernet1/0/1
dhcp client enable
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.254 preference 245
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
egress-interface GigabitEthernet1/0/1
source-address 10.3.0.0 24
action nat easy-ip
#
return

8.1.4.3 Example for Accessing the Internet Using IPv4 PPPoE


This section provides an example for configuring an NGFW as a PPPoE client that dials up to a
carrier's server to obtain an IPv4 address and enable intranet users to access the Internet.

Networking Requirements
The NGFW shown in Figure 8-6 functions as an egress gateway that connects PCs on the LAN
to the Internet.

The NGFW is configured as a PPPoE client. After the NGFW obtains an IPv4 address for its
uplink and a DNS server address from the carrier's server, users on the intranet can access
the Internet.

Figure 8-6 Networking diagram for accessing the Internet using IPv4 PPPoE

[Figure: PCs on the intranet connect to GE1/0/3 (10.3.0.1/24, Trust zone) of the NGFW; GE1/0/1
(PPPoE client, Untrust zone) connects through a DSLAM to the carrier's PPPoE server.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable the PPPoE client function on GigabitEthernet 1/0/1 of the NGFW to obtain an IPv4
address and a DNS server address from the PPPoE server.
2. Specify a static IPv4 address on GigabitEthernet 1/0/3, which connects the NGFW to the
intranet.
3. Configure a security policy and a NAT policy (easy-IP) on the NGFW.
4. Enable the DNS proxy on the NGFW.
5. On the PCs, set both the gateway address and the DNS server address to 10.3.0.1. The DNS
proxy enabled in step 4 forwards the PCs' DNS queries to the DNS server learned over PPPoE.
This example provides the configuration procedure on the NGFW. The configuration procedure
for the PCs is not provided.

Procedure
Step 1 Configure GigabitEthernet 1/0/1.
1. Choose Network > Interface.
2. Click and set the following parameters for GE1/0/1.

In the following example, the carrier provides the user name user and the password Password.
Use the values provided by your carrier.

Table 8-32 Interface parameters

Zone untrust

Mode Route

IPv4

Connection Type PPPoE

User Name user

Password Password

Online Mode Always Online

Obtain an IP Address Automatically Select

Obtain DNS Server Address Automatically Select

3. Click OK.

Step 2 Configure GigabitEthernet 1/0/3.
1. Choose Network > Interface.
2. Click the edit icon of GE1/0/3 and set the following parameters.

Table 8-33 Interface parameters

Zone: trust
Mode: Route
IPv4
  Connection Type: Static IP
  IP Address: 10.3.0.1/255.255.255.0


3. Click OK.
Step 3 Configure a security policy to allow the PCs to access the Internet.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add and set the following parameters.
The following example provides basic security policy parameters. You can set other
parameters as needed.

Table 8-34 Security policy parameters

Name: policy_sec_1
Source Zone: trust
Destination Zone: untrust
Source Address/Region: 10.3.0.0/24
Action: Permit

3. Click OK.
Step 4 Configure a NAT policy to translate private network IP addresses into public network IP
addresses before the PCs access the Internet.
1. Choose Policy > NAT Policy > Source NAT.
2. Click Add in Source NAT Policy List. Then set the following parameters.

Table 8-35 NAT policy parameters

Name: policy_nat_1
Source Zone: trust
Destination Type: Outgoing Interface
Outgoing Interface: GE1/0/1
Before NAT
  Source Address: 10.3.0.0/24
Action: NAT
After NAT
  Source Address: Outbound Interface IP Address

3. Click OK.
Step 5 Enable the DNS proxy on the NGFW.
NOTE: This function can be configured only on the CLI.


<NGFW> system-view
[NGFW] dns proxy enable

----End

Configuration Verification
1. Check the status of GigabitEthernet 1/0/1 (uplink).
a. Choose Network > Interface.
b. Verify that the physical status and IPv4 status of GigabitEthernet 1/0/1 are Up and that
the connection type is PPPoE.
2. Check whether the PC on the intranet can use domain names to access the Internet. If the
PC can access the Internet, the configuration is successful. If the PC fails to access the
Internet, modify the configuration and try again.

Configuration Script
#
dns resolve
dns server unnumbered interface Dialer0
#
dns proxy enable
#
sysname NGFW
#
interface Dialer0
link-protocol ppp
ppp chap user user
ppp chap password cipher %$%$={~dOY5l1Xs<t&F{j)~R,md[%$%$
ppp pap local-user user password cipher %$%$={~dOY5l1Xs<t&F{j)~R,md[%$%$
ppp ipcp dns admit-any
ip address ppp-negotiate
dialer user user
dialer bundle 1
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv4
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface Dialer0
add interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0.0.0.0 Dialer 0
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.0.0 24
action permit
#
nat-policy
rule name policy_nat_1
source-zone trust
egress-interface GigabitEthernet1/0/1


source-address 10.3.0.0 24
action nat easy-ip
#
return

8.1.4.4 Example for Configuring Static IPv6 Addresses for Devices to Communicate
This section describes how to configure static IPv6 addresses for devices to communicate. The
interfaces connecting two devices are configured with IPv6 addresses.

Networking Requirements
NGFW_A and NGFW_B are connected, as shown in Figure 8-7. Global unicast IPv6 addresses
can be assigned to interfaces that directly connect NGFW_A and NGFW_B to allow the two
devices to communicate with each other.

Figure 8-7 Communication between NGFWs using IPv6 addresses (GE1/0/1 of NGFW_A, 3000::1/64, is directly connected to GE1/0/1 of NGFW_B, 3000::2/64; both interfaces are in the Untrust zone)

Configuration Roadmap
The configuration roadmap is as follows:

1. Assign IPv6 addresses to interfaces that directly connect NGFW_A to NGFW_B.


2. Configure a security policy on NGFW_A and NGFW_B.

Procedure
Step 1 Configure NGFW_A.
1. Choose Dashboard > System Information and enable IPv6 globally to allow the
NGFW to forward IPv6 packets.
2. Configure GigabitEthernet 1/0/1.
a. Choose Network > Interface.
b. Click the edit icon of GE1/0/1 and set the following parameters.

Table 8-36 Interface parameters

Zone: untrust
Mode: Route
IPv6
  IPv6 Protocol: Enable


  Connection Type: Static IP
  IPv6 Address: 3000::1/64

c. Click OK.
3. Configure a security policy.
a. Choose Policy > Security Policy > Security Policy.
b. Click Add and set the following parameters.
In this example, only basic security policy parameters are set. You can set other
parameters as needed.

Table 8-37 Security policy parameters

Name: policy_sec_1
Source Zone: local, untrust
Destination Zone: untrust, local
Action: Permit

c. Click OK.

Step 2 Configure NGFW_B.

The configuration of NGFW_B is similar to that of NGFW_A. Therefore, the configuration
details are not provided.

----End

Configuration Verification
1. Check the status of GigabitEthernet 1/0/1. The following example uses GigabitEthernet
1/0/1 on NGFW_A.
a. Choose Network > Interface.
b. Verify that both the physical and IPv6 statuses of GigabitEthernet 1/0/1 are Up.
2. Run the ping command on NGFW_A to test the connectivity between the devices.

Configuration Scripts
Configuration script for NGFW_A:
#
ipv6
#
sysname NGFW_A
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 3000::1 64
#
firewall zone untrust


set priority 5
add interface GigabitEthernet1/0/1
#
security-policy
rule name policy_sec_1
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
#
return

Configuration script for NGFW_B:


#
ipv6
#
sysname NGFW_B
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 3000::2 64
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
#
security-policy
rule name policy_sec_1
source-zone local
source-zone untrust
destination-zone local
destination-zone untrust
action permit
#
return

8.1.4.5 Example for Configuring VLAN Interfaces to Allow VLANs to Communicate
This section provides an example for configuring VLAN (Vlanif) interfaces to allow VLANs to
communicate with each other.

Networking Requirements
As shown in Figure 8-8, two project teams in the same R&D department belong to different
VLANs that need to communicate.

Figure 8-8 Networking diagram for configuring VLAN interfaces to allow VLANs to communicate (PCs in VLAN2, 10.3.0.0/24, connect to GE1/0/2 in the Trust zone and use Vlanif2, 10.3.0.1/24, as their gateway; PCs in VLAN3, 10.3.1.0/24, connect to GE1/0/3 in the Untrust zone and use Vlanif3, 10.3.1.1/24)


Configuration Roadmap
The configuration roadmap is as follows:

1. Switch GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 of the NGFW to Layer 2 mode
and assign GigabitEthernet 1/0/2 to VLAN2 and GigabitEthernet 1/0/3 to VLAN3.
2. Create and configure Vlanif2 and Vlanif3 on the NGFW.
3. Configure security policies on the NGFW.
4. Set the gateway address used by VLAN2 PCs to 10.3.0.1 and the gateway address used by
VLAN3 PCs to 10.3.1.1. This example describes the configuration procedure on the
NGFW. The configuration details on PCs are not provided.

Procedure
Step 1 Configure GigabitEthernet 1/0/2.
1. Choose Network > Interface.
2. Click the edit icon of GigabitEthernet 1/0/2 and set the following parameters.

Table 8-38 Interface parameters

Zone: trust
Mode: Switch
Connection Type: Access
Access VLAN ID: 2

3. Click OK.

Step 2 Configure GigabitEthernet 1/0/3.
1. Choose Network > Interface.
2. Click the edit icon of GigabitEthernet 1/0/3 and set the following parameters.

Table 8-39 Interface parameters

Zone: untrust
Mode: Switch
Connection Type: Access
Access VLAN ID: 3

3. Click OK.

Step 3 Create Vlanif2.


1. Choose Network > Interface.
2. Click Add and set the following parameters.


Table 8-40 Vlanif2 parameters

Interface Name: Vlanif2
Type: VLAN
Zone: trust
VLAN ID: 2
Interface Members: GE1/0/2
IPv4
  Connection Type: Static IP
  IP Address: 10.3.0.1/255.255.255.0

3. Click OK.

Step 4 Create Vlanif3.


1. Choose Network > Interface.
2. Click Add and set the following parameters.

Table 8-41 Vlanif3 parameters

Interface Name: Vlanif3
Type: VLAN
Zone: untrust
VLAN ID: 3
Interface Members: GE1/0/3
IPv4
  Connection Type: Static IP
  IP Address: 10.3.1.1/255.255.255.0

3. Click OK.

Step 5 Configure a security policy to allow PCs of VLANs 2 and 3 to communicate.


1. Choose Policy > Security Policy > Security Policy.
2. Click Add and set the following parameters.

The following example provides basic security policy parameters. You can set other
parameters to the desired values. The rule below permits all traffic between the two zones
in both directions, which is the minimum needed to demonstrate connectivity; in production,
narrow it with source and destination addresses and services.

Table 8-42 Security policy parameters

Name: policy_sec_1


Source Zone: trust, untrust
Destination Zone: untrust, trust
Action: Permit

3. Click OK.

----End

Configuration Verification
1. Check the status of Vlanif2 and Vlanif3.
a. Choose Network > Interface.
b. Verify that the physical and IPv4 statuses of each Vlanif interface are Up.
2. After completing the configuration, verify that PCs of VLANs 2 and 3 can communicate.
If they can, the configuration is successful. If they cannot, modify the configuration and
try again.

Configuration Script
#
vlan batch 1 to 3
#
sysname NGFW
#
interface Vlanif2
alias Vlanif2
ip address 10.3.0.1 255.255.255.0
#
interface Vlanif3
alias Vlanif3
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
portswitch
port link-type access
port access vlan 2
#
interface GigabitEthernet1/0/3
portswitch
port link-type access
port access vlan 3
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
add interface Vlanif2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/3
add interface Vlanif3
#
security-policy
rule name policy_sec_1
source-zone trust
source-zone untrust
destination-zone trust
destination-zone untrust


action permit
#
return

8.1.4.6 Example for Configuring VLANs on Layer 3 Subinterfaces to Allow the VLANs to Communicate
This section provides an example for configuring VLANs on Layer 3 subinterfaces to allow the
VLANs to communicate. As the number of physical interfaces is limited, you can configure
multiple subinterfaces on a physical interface. Each subinterface terminates one VLAN, so the
NGFW can route between the VLANs over a single physical interface.

Networking Requirements
Three project teams in the R&D department shown in Figure 8-9 are deployed separately and
belong to VLAN10, VLAN20, and VLAN30, respectively. PCs of these project teams need to
communicate with each other to enable project teams to work with each other.

Figure 8-9 Networking diagram for configuring VLANs on Layer 3 subinterfaces to allow the VLANs to communicate with each other (GE1/0/3 of the NGFW, in the Trust zone, connects to a switch; subinterfaces GE1/0/3.1, 10.3.1.1/24, GE1/0/3.2, 10.3.2.1/24, and GE1/0/3.3, 10.3.3.1/24, serve R&D1 in VLAN10, 10.3.1.0/24, R&D2 in VLAN20, 10.3.2.0/24, and R&D3 in VLAN30, 10.3.3.0/24)

Configuration Roadmap
The configuration roadmap is as follows:

1. Create a Layer 3 subinterface on GigabitEthernet 1/0/3 of the NGFW for each VLAN, so
that the NGFW terminates each VLAN on its own subinterface and routes between them.


2. On the switch, create VLAN10, VLAN20, and VLAN30 and assign its interfaces to them; the
switch port facing GE1/0/3 must carry the three VLANs with 802.1q tags. The switch
configuration details are not provided.
3. Use the IP address of a VLAN-specific subinterface as the gateway address for the PCs on
that VLAN. The configuration details on PCs are not provided.

Procedure
Step 1 Create GigabitEthernet 1/0/3.1.
1. Choose Network > Interface.
2. Click Add and set the following parameters.

Table 8-43 Interface parameters

Interface Name: GigabitEthernet 1/0/3.1
Type: Subinterface
Primary Interface: GE1/0/3
Zone: trust
VLAN ID: 10
IPv4
  Connection Type: Static IP
  IP Address: 10.3.1.1/255.255.255.0

3. Click OK.

Step 2 Create GigabitEthernet 1/0/3.2.
1. Choose Network > Interface.
2. Click Add and set the following parameters.

Table 8-44 Interface parameters

Interface Name: GigabitEthernet 1/0/3.2
Type: Subinterface
Primary Interface: GE1/0/3
Zone: trust
VLAN ID: 20
IPv4
  Connection Type: Static IP
  IP Address: 10.3.2.1/255.255.255.0


3. Click OK.
Step 3 Create GigabitEthernet 1/0/3.3.
1. Choose Network > Interface.
2. Click Add and set the following parameters.

Table 8-45 Interface parameters

Interface Name: GigabitEthernet 1/0/3.3
Type: Subinterface
Primary Interface: GE1/0/3
Zone: trust
VLAN ID: 30
IPv4
  Connection Type: Static IP
  IP Address: 10.3.3.1/255.255.255.0

3. Click OK.

----End

Configuration Verification
1. Check the status of each subinterface.
a. Choose Network > Interface.
b. Verify that the physical and IPv4 statuses of each subinterface are Up.
2. Check whether PCs in VLAN10, VLAN20, and VLAN30 can communicate. If they can
communicate, the configuration is successful. If they fail to communicate, modify the
configuration and try again.

Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/3.1
vlan-type dot1q 10
alias GigabitEthernet1/0/3.1
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3.2
vlan-type dot1q 20
alias GigabitEthernet1/0/3.2
ip address 10.3.2.1 255.255.255.0
#
interface GigabitEthernet1/0/3.3
vlan-type dot1q 30
alias GigabitEthernet1/0/3.3
ip address 10.3.3.1 255.255.255.0
#


firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3.1
add interface GigabitEthernet1/0/3.2
add interface GigabitEthernet1/0/3.3
#
return

8.1.4.7 Example for Configuring VLAN Trunk Interfaces to Enable VLANs on Different Network Segments to Communicate
This section provides an example for configuring VLAN trunk interfaces when VLANs are
deployed across devices. Data of a specific VLAN is identified by an 802.1q tag and is
transmitted over trunk links formed by connected trunk interfaces.

Networking Requirements
As shown in Figure 8-10, PCs of the financial and marketing departments of an enterprise are
distributed in two buildings, each of which is connected to an NGFW. The two NGFWs are
connected to each other. To improve service security, the NGFWs are configured so that only
PCs of the same department can communicate with each other. No Vlanif interface is created
for VLAN5 or VLAN9, so the NGFWs do not route between the two VLANs and the separation
is enforced at Layer 2.

Figure 8-10 Networking diagram for configuring VLAN trunk interfaces (NGFW_A and NGFW_B are connected through GE1/0/1, a trunk carrying VLAN5 and VLAN9; on each NGFW, GE1/0/2 connects the Financial Department in VLAN5 and GE1/0/3 connects the Marketing Department in VLAN9; all interfaces are in the Trust zone)

Configuration Roadmap
The configuration roadmap is as follows:

1. Create VLAN5 and VLAN9 on both NGFW_A and NGFW_B. On each NGFW, configure the
interface facing the Financial Department as an access port in VLAN5 and the interface
facing the Marketing Department as an access port in VLAN9, so that the PCs on each
interface are confined to their own VLAN.
2. Configure GE1/0/1 on NGFW_A and NGFW_B as trunk interfaces that permit VLAN5 and
VLAN9, and remove VLAN1 from the trunks so that default-VLAN traffic does not cross
them.


Procedure
- Configure NGFW_A.
1. Configure GigabitEthernet 1/0/2.
a. Choose Network > Interface.
b. Click the edit icon of GE1/0/2 and set the following parameters.

Table 8-46 Interface parameters

Zone: trust
Mode: Switch
Connection Type: Access
Access VLAN ID: 5

c. Click OK.
2. Configure GigabitEthernet 1/0/3.
a. Choose Network > Interface.
b. Click the edit icon of GE1/0/3 and set the following parameters.

Table 8-47 Interface parameters

Zone: trust
Mode: Switch
Connection Type: Access
Access VLAN ID: 9

c. Click OK.
3. Configure GigabitEthernet 1/0/1.
a. Choose Network > Interface.
b. Click the edit icon of GE1/0/1 and set the following parameters.

Table 8-48 Interface parameters

Zone: trust
Mode: Switch
Connection Type: Trunk
Trunk VLAN ID: 5, 9
Default VLAN ID: 1


c. Click OK.
- Configure NGFW_B.
The configuration of NGFW_B is similar to that of NGFW_A. The configuration details
are not provided.
----End

Configuration Verification
1. Check the status of GigabitEthernet 1/0/1, GigabitEthernet 1/0/2 and GigabitEthernet
1/0/3.
a. Choose Network > Interface.
b. Verify that the physical status of GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and
GigabitEthernet 1/0/3 is Up.
2. After completing the configuration, verify that only PCs in the same department can
communicate with each other: a PC in VLAN5 must not be able to reach a PC in VLAN9.

Configuration Scripts
Configuration script for NGFW_A:
#
vlan batch 1 5 9
#
sysname NGFW_A
#
interface GigabitEthernet1/0/1
portswitch
port link-type trunk
undo port trunk permit vlan 1
port trunk permit vlan 5 9
#
interface GigabitEthernet1/0/2
portswitch
port link-type access
port access vlan 5
#
interface GigabitEthernet1/0/3
portswitch
port link-type access
port access vlan 9
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
#
return

Configuration script for NGFW_B:


#
vlan batch 1 5 9
#
sysname NGFW_B
#
interface GigabitEthernet1/0/1
portswitch
port link-type trunk


undo port trunk permit vlan 1
port trunk permit vlan 5 9
#
interface GigabitEthernet1/0/2
portswitch
port link-type access
port access vlan 5
#
interface GigabitEthernet1/0/3
portswitch
port link-type access
port access vlan 9
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
#
return
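The three VLAN examples above (8.1.4.5 to 8.1.4.7) share the same failure modes: a port placed in the wrong VLAN leaves a Vlanif interface without members, a trunk that still permits VLAN 1 carries default-VLAN traffic between devices, a Layer 3 interface that belongs to no security zone does not forward, and an any-to-any permit rule is wider than the example needs. The following Python script is an added example written for this guide, not Huawei code: it parses a configuration script in the format shown above and reports those conditions. The sample configuration embedded in it is constructed from the Vlanif and trunk scripts with three mistakes deliberately injected; the assumption that a trunk permits VLAN 1 until `undo port trunk permit vlan 1` is issued follows the scripts in 8.1.4.7.

```python
from collections import defaultdict
# Constructed sample, modelled on the Vlanif script of 8.1.4.5 and the trunk script of
# 8.1.4.7, with three mistakes injected on purpose: VLAN 1 left permitted on the trunk,
# GigabitEthernet1/0/3 put in VLAN 2 instead of VLAN 3, and Vlanif3 left out of every zone.
SAMPLE_CONFIG = """\
#
vlan batch 1 to 3
#
interface Vlanif3
 ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 portswitch
 port link-type trunk
 port trunk permit vlan 2
#
interface GigabitEthernet1/0/3
 portswitch
 port link-type access
 port access vlan 2
#
firewall zone trust
 add interface GigabitEthernet1/0/1
#
firewall zone untrust
 add interface GigabitEthernet1/0/3
#
security-policy
 rule name policy_sec_1
  source-zone trust
  destination-zone untrust
  action permit
#
"""

def expand_vlans(spec):
    """Expand a VRP VLAN list such as '1 5 9' or '2 to 4 10' into a set of ints."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def parse_stanzas(text):
    # Split the configuration into its '#'-delimited stanzas (lists of stripped lines).
    stanzas, current = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "#":
            stanzas, current = stanzas + ([current] if current else []), []
        elif line:
            current.append(line)
    return stanzas + ([current] if current else [])

def lint_config(text):
    """Return human-readable findings for a configuration script in the format shown above."""
    declared, members = set(), defaultdict(set)        # members: vlan id -> ports carrying it
    trunks, l3, zones_of, rules = {}, set(), defaultdict(list), []
    for st in parse_stanzas(text):
        head = st[0]
        if head.startswith("vlan batch "):
            declared |= expand_vlans(head[len("vlan batch "):])
        elif head.startswith("interface "):
            name = head.split(None, 1)[1]
            for line in st[1:]:
                if line == "port link-type trunk":
                    trunks[name] = {1}   # assumption: a trunk permits VLAN 1 until it is removed
                elif line.startswith("port access vlan "):
                    members[int(line.split()[-1])].add(name)
                elif line == "undo port trunk permit vlan 1":
                    trunks.setdefault(name, {1}).discard(1)
                elif line.startswith("port trunk permit vlan "):
                    trunks.setdefault(name, {1}).update(expand_vlans(line[len("port trunk permit vlan "):]))
                elif line.startswith(("ip address ", "ipv6 address ")):
                    l3.add(name)
            for vid in trunks.get(name, ()):
                members[vid].add(name)
        elif head.startswith("firewall zone "):
            for line in st[1:]:
                if line.startswith("add interface "):
                    zones_of[line.split()[-1]].append(head.split()[-1])
        elif head == "security-policy":
            rule = None
            for line in st[1:]:
                if line.startswith("rule name "):
                    rule = {"name": line.split()[-1], "action": None, "restricted": False}
                    rules.append(rule)
                elif rule and line.startswith(("source-address ", "destination-address ")):
                    rule["restricted"] = True
                elif rule and line.startswith("action "):
                    rule["action"] = line.split()[-1]
    findings = [f"VLAN {v} is used on a port but not declared with 'vlan batch'"
                for v in sorted(set(members) - declared)]
    findings += [f"trunk {p} still permits default VLAN 1 (add 'undo port trunk permit vlan 1')"
                 for p, allowed in sorted(trunks.items()) if 1 in allowed]
    for iface in sorted(l3):
        if iface.startswith("Vlanif") and not members.get(int(iface[6:])):
            findings.append(f"{iface} has no member port carrying VLAN {iface[6:]}")
        if not zones_of.get(iface):
            findings.append(f"{iface} has an IP address but is not in any security zone")
    findings += [f"security-policy rule {r['name']} permits without any address restriction"
                 for r in rules if r["action"] == "permit" and not r["restricted"]]
    return findings

if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of display current-configuration saved to a file, or paste a configuration script from this chapter into SAMPLE_CONFIG; the scripts in 8.1.4.5 and 8.1.4.7 as printed produce no VLAN or trunk findings, and only the any-to-any rule in 8.1.4.5 is reported.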

8.1.5 Troubleshooting for Interface Faults
This section describes how to troubleshoot interface problems.

8.1.5.1 Physical Status of an Electrical Ethernet Interface Cannot Be Up
This section describes the troubleshooting flow when the physical status of an electrical
Ethernet interface cannot go Up.

Symptom
Figure 8-11 shows the networking for the Ethernet interface. The LINK indicator of the interface
is off, or the physical status of the interface on the NGFW is Down.

Figure 8-11 Networking diagram for the Ethernet interface (GE1/0/1 of NGFW_A is directly connected to GE1/0/1 of NGFW_B)

Possible Causes
The possible causes are as follows:

- Cause one: Faults occur in the cable.
- Cause two: The shutdown command is executed on an interface.
- Cause three: The auto negotiation protocols of the forwarding chips on the devices
on both ends are inconsistent.


- Cause four: The interfaces on both ends are configured with different rates or working
modes.
- Cause five: A subcard of the NGFW fails.

Fault Diagnosis
Figure 8-12 shows the troubleshooting flow when the electrical interface cannot go Up.

Figure 8-12 Flowchart for troubleshooting the fault that the electrical interface cannot go Up
(decision sequence recovered from the flowchart; at each step, stop if the fault is rectified)
1. Is the cable faulty? If yes, replace the cable.
2. Was the shutdown command executed on the interface? If yes, run the undo shutdown command.
3. Is auto negotiation adopted by the interfaces at both ends? If yes, configure the mandatory rate and duplex mode.
4. Are the rates and working modes of the interfaces at both ends inconsistent? If yes, configure the same rate and duplex mode on both ends.
5. Is the interface card faulty? If yes, replace the local interface or interface card; if the fault persists, replace the remote interface or interface card.
6. If the fault still persists, seek technical support.


Procedure
- Run the display interface GigabitEthernet interface-number command in the user or
system view to view the current running status of the interfaces of NGFWs on both ends.
For example, run the display interface GigabitEthernet 1/0/1 command on NGFW_A.
<NGFW_A> display interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : UP
Line protocol current state : Administratively DOWN
Description : GigabitEthernet1/0/1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.11.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-b130-0001
Media type is twisted pair, loopback not set, promiscuous mode not set
1000Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
QoS max-bandwidth : 1000000 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
---- More ----

The preceding command output contains the following fields:
- current state: current physical status of the interface:
  - UP: The physical status of the interface is normal.
  - Administratively DOWN: The interface was shut down manually with the shutdown
    command. If Administratively DOWN is displayed, go to Cause two.
  - DOWN: The interface is not started. If the status of the interface is Down, check
    all causes except Cause two.
- link type: negotiation mode of the interface:
  - auto negotiation: The interface is enabled with auto negotiation. If auto negotiation
    is displayed and the cable and subcard hardware are working properly, go to Cause three.
  - negotiation disable: The interface is configured with a mandatory rate and duplex
    mode, and no negotiation is performed.


    If negotiation disable is displayed and the cable and subcard hardware are working
    properly, go to Cause four.
- 1000Mb/s-speed mode: rate of the interface (here, the rate reached by auto negotiation).
- Full-duplex mode: The interface is working in full-duplex mode.
- loopback not set: The loopback function is disabled. The loopback command is used
  to test whether the hardware of the interface is faulty. If no fault is found, disable
  the loopback function again.
- Cause one: Faults occur in the cable.
1. Run the loopback command in the interface view.
2. Run the display interface interface-type interface-number command to view the
physical status of the interface.
If the physical status of the interface is Up under loopback, the local hardware works
properly. The cable may be faulty and needs to be replaced. Run the undo loopback
command afterwards.
- Cause two: The shutdown command is executed on an interface.
1. Run the undo shutdown command on the interface to start the interface.
- Cause three: The auto negotiation protocols of the forwarding chips on the devices on both
ends are inconsistent.
1. Run the speed and duplex commands in the interface view on both ends to set a
mandatory rate and duplex mode instead of relying on auto negotiation.
For example, you can configure the rate as 100 Mbit/s and the duplex mode as full on
NGFW_A.
Run the speed 100 and duplex full commands in the interface view of NGFW_A.
Run the display this command in the interface view of NGFW_A to view the interface
configuration.
[NGFW_A-GigabitEthernet1/0/1] display this
#
interface GigabitEthernet1/0/1
speed 100
duplex full
#
return
Configure the same rate and duplex mode on the interface at the other end.
- Cause four: The interfaces on both ends are configured with different rates or working
modes.
1. Check whether the configured rates and working modes of the interfaces on both ends
are consistent. If the rates and working modes are inconsistent, change them to the
same settings.
- Cause five: A subcard of the NGFW fails.
1. Run the loopback command in the interface view.
2. Run the display interface interface-type interface-number command to view the
physical status of the interface.
If the physical status of the interface is still Down under loopback, the hardware is
abnormal.
3. Run the undo loopback command to disable the loopback function.


NOTE
After testing and troubleshooting the cable or hardware, run the undo loopback command to
disable the loopback function. An interface left in loopback mode does not carry traffic to
its peer.
4. Replace the interface on the local device. If possible, move the connection to an
interface on another subcard of the same type. Then, check whether the fault is rectified.
– If the fault persists, go to Step 5.
– If the fault does not occur on the other subcard, contact technical support personnel
to repair the faulty subcard.
5. Replace the interface on the remote device. If possible, move the connection to an
interface on another subcard of the same type. Then, check whether the fault is rectified.
If the fault persists, contact technical support personnel to repair the faulty subcard.
----End

8.1.5.2 Physical Status of an Optical Interface Cannot Be Up
This section describes the troubleshooting flow when the physical status of an optical interface
cannot be Up.

Symptom

NOTICE
When maintaining devices that have optical modules or interfaces, note the following:
- Do not look into the fiber connector when installing and maintaining fibers.
- Do not look into the fiber connector without eye protection when replacing a pluggable
optical module.
- Wear an electrostatic discharge (ESD) wrist strap when replacing a pluggable optical module.
- Only engineers with professional training are allowed to operate optical modules or fibers.

The subcard on which the optical interface resides must be fitted with an SFP optical or
electrical module.
After the optical interfaces are interconnected, the LINK indicator is off, or the interface is in
Down state. Figure 8-13 shows the typical networking.

Figure 8-13 Networking diagram for the optical interface (NGFW_A and NGFW_B are connected through optical distribution frames, ODFs; the Send fiber of each side terminates on the Receive port of the other)


Possible Causes
- Cause one: The optical modules or fibers on both ends are inconsistent.
- Cause two: An optical fiber or module is abnormal.
- Cause three: The interface configurations on both ends are inconsistent.
- Cause four: An interface or a subcard fails.

Fault Diagnosis

Figure 8-14 Flowchart for troubleshooting the fault that the physical status of the optical
interface cannot be Up (decision sequence recovered from the flowchart; at each step, stop if the fault is rectified)
1. Does the optical module match the LPU and fibers? If no, change to an optical module and fibers that match each other.
2. Are the fibers normal? If no, replace the fibers.
3. Is the sent optical power of the optical module normal? If no, adjust the received and sent optical power of the optical module or replace the optical module.
4. Are the configurations of the interfaces at both ends consistent? If no, configure the rate and duplex mode.
5. Is the interface card or slot normal? If no, replace the interface card.
6. If the fault still persists, seek technical support.


When troubleshooting faults, you may use the tools, meters, and materials listed in Table 8-49.

Table 8-49 Tools, meters, and materials

Tools, Meters, and Materials: Optical power meter
Model: OLP-55 (ACTERNA)
Mandatory Accessories or Remarks: The model is included.

Procedure
- Run the display interface command on both ends to view the current status of the interfaces.
For example, run the display interface GigabitEthernet 1/0/1 command on NGFW_A.
[NGFW_A] display interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : DOWN
Line protocol current state : Administratively DOWN
Description : GigabitEthernet1/0/1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.1.8.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-0008
Media type is SFP,Loopback not set,promiscuous mode not set
1000Mb/s-speed mode, full-duplex mode, link type is auto negotiation
Vendor Name: huawei
Vendor PN: 02310CRM
SN: AD1342R001C
Transceiver max BW: 1G
Transceiver Mode: SingleMode
WaveLengh: 1310nm
Transmission Distance: 52km
Current SFP module temperature(-128c/128c): 41.93 c
Current SFP module supply(0/6.55V): 3.29 V
Current SFP module Tx bias(0/131mA): 23.26 mA
Current SFP module Rx power(<8.129dBm): 2.79 dBm
---- More ----

The preceding command output contains the following fields:
- current state: current physical status of the interface:
  - UP: The physical status of the interface is normal.
  - Administratively DOWN: The interface was shut down manually with the shutdown
    command. If Administratively DOWN is displayed, run the undo shutdown command on
    the interface before checking anything else.
  - DOWN: The interface is not started. If the status of the interface is Down, check the
    causes below in order.
- link type: negotiation mode of the interface:
  - auto negotiation: The interface is enabled with auto negotiation.
  - negotiation disable: The interface is configured with a mandatory rate and duplex
    mode, and no negotiation is performed.
- full-duplex mode: The interface is working in full-duplex mode.
- Transceiver Mode, WaveLength, Transmission Distance: type of the installed optical
  module; the module at the other end must match these values (see Cause one).
- Current SFP module Rx power: received optical power; compare it with the receiver
  sensitivity range of the module (see Cause two).
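Both troubleshooting procedures (8.1.5.1 and 8.1.5.2) start by reading the same display interface fields and mapping them to a cause. The following Python script is an added example, not Huawei code and not part of this guide's procedure: it extracts the physical state, negotiation mode, speed, duplex, loopback flag and, for SFP ports, the received optical power from pasted command output and returns the next step the procedures prescribe. The two outputs embedded in it are constructed from the ones shown above (the electrical sample is changed to show current state : Administratively DOWN so that the shutdown branch is exercised); the receiver sensitivity range passed to next_step is an assumed, hypothetical value, since the real range comes from the module's datasheet.

```python
import re

# Constructed sample outputs, modelled on the display interface output shown in
# 8.1.5.1 (electrical port) and 8.1.5.2 (SFP port). Values are illustrative.
ELECTRICAL_OUTPUT = """\
GigabitEthernet1/0/1 current state : Administratively DOWN
Line protocol current state : DOWN
Description : GigabitEthernet1/0/1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.11.1.1/24
Media type is twisted pair, loopback not set, promiscuous mode not set
1000Mb/s-speed mode, Full-duplex mode, link type is auto negotiation
"""

SFP_OUTPUT = """\
GigabitEthernet1/0/1 current state : DOWN
Line protocol current state : DOWN
Description : GigabitEthernet1/0/1 Interface, Route Port
Internet Address is 10.1.8.1/24
Media type is SFP,Loopback not set,promiscuous mode not set
1000Mb/s-speed mode, full-duplex mode, link type is auto negotiation
Transceiver Mode: SingleMode
WaveLength: 1310nm
Current SFP module Tx bias(0/131mA): 23.26 mA
Current SFP module Rx power(<8.129dBm): 2.79 dBm
"""


def parse_display_interface(text):
    """Pull the fields the troubleshooting procedures look at out of display interface output."""
    info = {"interface": None, "physical_state": None, "protocol_state": None,
            "media": None, "speed_mbps": None, "duplex": None,
            "negotiation": None, "loopback": None, "rx_power_dbm": None}
    m = re.search(r"^(\S+) current state : (.+)$", text, re.M)
    if m:
        info["interface"], info["physical_state"] = m.group(1), m.group(2).strip()
    m = re.search(r"^Line protocol current state : (.+)$", text, re.M)
    if m:
        info["protocol_state"] = m.group(1).strip()
    m = re.search(r"Media type is ([^,]+)", text)
    if m:
        info["media"] = m.group(1).strip()
    m = re.search(r"(\d+)Mb/s-speed mode, (\w+)-duplex mode, link type is (.+)$", text, re.M)
    if m:
        info["speed_mbps"] = int(m.group(1))
        info["duplex"] = m.group(2).lower()
        info["negotiation"] = m.group(3).strip()
    m = re.search(r"[Ll]oopback (set|not set)", text)
    if m:
        info["loopback"] = m.group(1) == "set"
    m = re.search(r"Rx power\([^)]*\):\s*(-?[\d.]+)\s*dBm", text)
    if m:
        info["rx_power_dbm"] = float(m.group(1))
    return info


def next_step(info, rx_sensitivity_dbm=None):
    """Map the parsed state onto the cause order of 8.1.5.1 (electrical) and 8.1.5.2 (optical).

    rx_sensitivity_dbm is an optional (low, high) tuple taken from the module datasheet.
    """
    phys = info["physical_state"]
    if phys == "UP":
        if info["loopback"]:
            return "Up only under loopback: local hardware is fine, replace the cable and run undo loopback"
        return "physical status is Up: no interface fault"
    if "Administratively DOWN" in (phys, info["protocol_state"]):
        return "shutdown is configured: run undo shutdown in the interface view"
    if info["media"] == "SFP":
        rx = info["rx_power_dbm"]
        if rx is not None and rx_sensitivity_dbm is not None:
            lo, hi = rx_sensitivity_dbm
            if not lo <= rx <= hi:
                return (f"Rx power {rx} dBm is outside the {lo} to {hi} dBm receiver range: "
                        "check remote Tx power, fiber and module (cause two)")
        if info["negotiation"] == "auto negotiation":
            return "optical link Down with auto negotiation: verify module and fiber match, then force speed and duplex on both ends"
        return "optical link Down: verify both ends use the same speed and duplex, then check the interface card"
    if info["negotiation"] == "auto negotiation":
        return "link Down with auto negotiation: check cable and subcard, then force speed and duplex on both ends (cause three)"
    return "link Down with negotiation disabled: make speed and duplex identical on both ends (cause four)"


if __name__ == "__main__":
    for sample in (ELECTRICAL_OUTPUT, SFP_OUTPUT):
        parsed = parse_display_interface(sample)
        # (-20.0, -3.0) is an assumed, hypothetical sensitivity range used for illustration only
        print(parsed["interface"], parsed["physical_state"], "->", next_step(parsed, (-20.0, -3.0)))
```

Paste the real output of display interface into one of the sample strings and supply the receiver range from your module's datasheet; the script then tells you which cause in the two procedures to start with.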


- Cause one: The optical modules or fibers are inconsistent.
1. Verify that the fibers for sending and receiving packets are correctly connected. If the
fibers are reversely inserted, reconnect the fibers and tightly insert the fibers to prevent
bad connections.
2. Verify that the subcard of the interface supports the module type. For example, some
interfaces only support optical modules.
3. Verify that the optical modules of the interfaces on both ends are consistent. For
example, a single-mode module cannot be connected to a multi-mode module, and an
FE optical module cannot be connected to a GE optical module.
4. Verify that the optical module and fiber are consistent. For example, a single-mode
optical module does not match a multi-mode fiber (orange), and a multi-mode optical
module does not match a single-mode fiber (light yellow).
• Cause two: The fibers or optical modules are abnormal.

  You can test the input optical power segment by segment with an optical power meter to locate the segment on which the fault occurs. If the input optical power is not within the sensitivity range of the optical interface, the optical power on the remote end may be faulty, or a fault may exist in the optical cable.

  1. Remove the receiving fiber from the interface on NGFW_A.
  2. Measure the input optical power on NGFW_A.
     – If the input optical power is normal, the output optical power of NGFW_B, the optical cable, and the packet-receiving fiber of NGFW_A are working properly. The optical module on NGFW_A may be receiving packets abnormally. Check whether the optical module is tightly inserted. If the optical module is correctly installed, replace it with a new one.
        – If the physical status of the interface is Up after the replacement, the original optical module was abnormal, and the fault is rectified.
        – If the physical status of the interface is still Down after the replacement, the fault is unrelated to the optical module. Go to Cause three.
     – If the input optical power is abnormal, go to Step 3.
  3. Measure the input optical power on the ODF of NGFW_A.
     – If the input optical power is normal, the output optical power of NGFW_B and the optical cable are working properly. The packet-receiving fiber connected to the interface of NGFW_A may be damaged. Replace the fiber. After the replacement, check the physical status of the interface.
        – If the physical status of the interface is Up, the fault is rectified.
        – If the status of the interface is still Down, go to Cause three.
     – If the input optical power is abnormal, the optical cable, the fiber of NGFW_B, or the optical module of NGFW_B may be abnormal. Go to Step 4.
  4. Measure the input optical power on the ODF of NGFW_B.
     – If the input optical power is normal, a fault may exist in the optical cable. Check the optical cable to troubleshoot the fault. After troubleshooting the fault in the optical cable, check the physical status of the interface.
        – If the physical status of the interface is Up, the fault is rectified.
        – If the status of the interface is still Down, go to Cause three.
     – If the input optical power is abnormal, the fiber or optical module of NGFW_B may be abnormal. Replace the fiber. After the replacement, check whether the physical status of the interface is Up.
        – If the physical status of the interface is Up, the fault is rectified.
        – If the physical status of the interface is still Down, replace the optical module. After the replacement, check whether the physical status of the interface is Up.
           – If the physical status of the interface is Up, the fault is rectified.
           – If the status of the interface is still Down, go to Cause three.
  5. Repeat the previous steps to troubleshoot the fault in the optical cable on the input optical power side of NGFW_B.
     Perform the following based on the input optical power:
     – If the input optical power is lower than the indicator, clean the optical interface for the output optical power with dust-free cotton to ensure that it is free of dust. Dust may affect the coupling of the optical signal in the optical cables or even block them, causing faults such as low optical power, low sensitivity, and no optical power.
     – If the input optical power is too high, the optical module at the receiving end is overloaded: the input optical power is higher than the packet-receiving sensitivity, the bit error ratio increases, and the LINK indicator is off. Add an optical attenuator to the packet-receiving optical fiber.
     – If the input optical power is too low, the fiber or optical module at the sending end may be damaged. Replace the fiber or optical module at the sending end.
• Cause three: The configurations of the interfaces on both ends are inconsistent.

  1. Verify that the interfaces on both ends have the same negotiation mode, rate, and duplex mode.
     – If the value of the Link type field is auto negotiation, the negotiation mode of the interfaces on both ends is auto negotiation. Perform the following operations:
        – Run the speed command in the interface view on both ends to configure the rate.
        – Run the duplex command in the interface view on both ends to configure the duplex mode.
     In auto negotiation mode, the rates of the interfaces on both ends are different. This may be because the auto negotiation protocols of the forwarding-layer chips on the two devices are inconsistent. In this case, configure the same rate and duplex mode on the devices on both ends.
     For example, set the rate to 1000 Mbit/s and the duplex mode to full-duplex on NGFW_A.
[NGFW_A] display interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : DOWN
Line protocol current state : Administratively DOWN
Description : GigabitEthernet1/0/1 Interface, Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.1.8.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a100-0008
Media type is SFP,Loopback not set,promiscuous mode not set
1000Mb/s-speed mode, full-duplex mode, link type is auto negotiation
Vendor Name: huawei
Vendor PN: 02310CRM
SN: AD1342R001C
Transceiver max BW: 1G
Transceiver Mode: SingleMode
WaveLengh: 1310nm
Transmission Distance: 52km
Current SFP module temperature(-128c/128c): 41.93 c
Current SFP module supply(0/6.55V): 3.29 V
Current SFP module Tx bias(0/131mA): 23.26 mA
Current SFP module Rx power(<8.129dBm): 1.17 dBm
---- More ----

Run the display this command in GigabitEthernet 1/0/1 view of NGFW_A to view
the interface configuration.
[NGFW_A-GigabitEthernet 1/0/1] display this
#
interface GigabitEthernet 1/0/1
speed 1000
duplex full
#
return
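As an added illustration that is not part of this guide, the following Python script extracts the fields the troubleshooting flow above relies on (current state, Link type, rate, duplex mode, transceiver mode, Rx power) from display interface output of both ends and reports findings for Cause one, Cause two and Cause three. The two outputs are constructed in the format shown above; treating an Rx power above the limit printed next to it as an overload is an assumption of this script, not a statement from the guide.

```python
import re

# Constructed sample outputs in the format shown on this page (not captured
# from a real device). NGFW_B is deliberately mis-set so that findings appear.
NGFW_A_OUTPUT = """\
GigabitEthernet1/0/1 current state : DOWN
Line protocol current state : DOWN
Internet Address is 10.1.8.1/24
Media type is SFP,Loopback not set,promiscuous mode not set
1000Mb/s-speed mode, full-duplex mode, link type is auto negotiation
Transceiver Mode: SingleMode
Current SFP module Rx power(<8.129dBm): 9.40 dBm
"""

NGFW_B_OUTPUT = """\
GigabitEthernet1/0/1 current state : DOWN
Line protocol current state : DOWN
Internet Address is 10.1.8.2/24
Media type is SFP,Loopback not set,promiscuous mode not set
100Mb/s-speed mode, half-duplex mode, link type is negotiation disable
Transceiver Mode: MultiMode
Current SFP module Rx power(<8.129dBm): -5.10 dBm
"""

_RULES = {
    "state": re.compile(r"^(\S+) current state : (.+)$"),
    "protocol": re.compile(r"^Line protocol current state : (.+)$"),
    "link": re.compile(r"^(\d+)Mb/s-speed mode, (\S+) mode, link type is (.+)$"),
    "mode": re.compile(r"^Transceiver Mode: (\S+)$"),
    "rx": re.compile(r"^Current SFP module Rx power\(<([-\d.]+)dBm\): ([-\d.]+) dBm$"),
}


def parse_interface(text):
    """Pull the fields the troubleshooting flow uses out of one command output."""
    f = {}
    for line in text.splitlines():
        line = line.strip()
        if m := _RULES["state"].match(line):
            f["interface"], f["state"] = m.group(1), m.group(2).strip()
        elif m := _RULES["protocol"].match(line):
            f["protocol"] = m.group(1).strip()
        elif m := _RULES["link"].match(line):
            f["speed"] = int(m.group(1))            # Mbit/s
            f["duplex"] = m.group(2)                # e.g. "full-duplex"
            f["negotiation"] = m.group(3).strip()   # "auto negotiation" / "negotiation disable"
        elif m := _RULES["mode"].match(line):
            f["transceiver"] = m.group(1)           # SingleMode / MultiMode
        elif m := _RULES["rx"].match(line):
            f["rx_max_dbm"] = float(m.group(1))     # limit printed in the parentheses
            f["rx_dbm"] = float(m.group(2))
    # "Administratively DOWN" means the shutdown command was executed on the interface.
    f["admin_down"] = "Administratively DOWN" in (f.get("state"), f.get("protocol"))
    return f


def check_ends(a, b):
    """Return findings for both ends, each naming the cause of the flow it belongs to."""
    findings = []
    for name, end in (("NGFW_A", a), ("NGFW_B", b)):
        if end["admin_down"]:
            findings.append(f"{name}: interface is Administratively DOWN (shutdown configured)")
        # Cause two, "input optical power is too high": Rx power above the printed limit.
        if "rx_dbm" in end and end["rx_dbm"] > end["rx_max_dbm"]:
            findings.append(f"Cause two: {name} Rx power {end['rx_dbm']} dBm exceeds "
                            f"{end['rx_max_dbm']} dBm; add an optical attenuator")
    # Cause one: a single-mode module cannot be connected to a multi-mode module.
    if a.get("transceiver") != b.get("transceiver"):
        findings.append(f"Cause one: transceiver mode differs "
                        f"({a.get('transceiver')} vs {b.get('transceiver')})")
    # Cause three: negotiation mode, rate and duplex mode must match on both ends.
    for key in ("negotiation", "speed", "duplex"):
        if a.get(key) != b.get(key):
            findings.append(f"Cause three: {key} differs ({a.get(key)} vs {b.get(key)})")
    return findings


if __name__ == "__main__":
    for finding in check_ends(parse_interface(NGFW_A_OUTPUT), parse_interface(NGFW_B_OUTPUT)):
        print(finding)
```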

• Cause four: Faults occur on interfaces or cards.

  1. Insert the optical module into other interfaces of the same type, and check whether the status is Up.
     If the status of the interface is still Down after several changes, perform the following operations to check whether faults occur on the subcard.
  2. Run the display device command on the NGFWs on both ends to view the current status of the subcard on which the interface resides.

<sysname> display device
USG6680's Device status:
Slot #  Type     Online    Register     Status     Primary
-----------------------------------------------------------
1       2XG8GE   Present   Registered   Normal     N/A
2       8GE      Present   Registered   Normal     N/A
3       2XG8GE   Present   Registered   Normal     N/A
9       PWR      Present   Registered   Normal     N/A
10      PWR      Present   Registered   Abnormal   N/A
11      RPU      Present   Registered   Normal     Master
12      SPUB     Present   Registered   Normal     N/A
13      FAN      Present   Registered   Normal     N/A

     The Status field shows the subcard status. If the status of the subcard is Normal, the subcard is working properly.
     If the status of the subcard is Abnormal, contact technical support personnel.

----End


Suggestion and Summary


During device deployment, technical support personnel must verify that the optical module and
fiber connector comply with specified requirements and that the connection is correct, which
prevents mistakes caused by human factors.

8.1.6 Feature History

This section describes the versions and changes in the interface feature.

Version | Change Description
V100R001C20SPC100 | • Added interface off-line detection configuration on the interface configuration page on the web UI. After you enable the off-line detection mode, the NGFW implements content security checks on the packets received from the interface and discards the packets after checking.
  • Added the function of creating Tunnel interfaces that use IPSec for encapsulation on the interface configuration page on the web UI, to implement IPSec tunneling.
V100R001C10 | • Added layer 2 Ethernet sub-interfaces and Eth-Trunk sub-interfaces.
  • Added layer 2 interface pairs. Each pair has two Layer 2 interfaces. Packets come in from one interface and go out from the paired one, without the need to search the MAC forwarding table. Interface pairs are mainly used for connecting NGFW modules and switches through Layer 2 interfaces.
V100R001C00 | The first version.

8.2 Security Zones


This section describes security zone concepts and how to configure a security zone.

8.2.1 Overview
A security zone or zone is a security concept introduced by the device. Most security policies
are implemented based on security zones.

Definition
A security zone is a set of the networks connected by interfaces. Users on these networks have
the same security attributes.

Purpose
In network security applications, if the network security device checks every packet one by one, a large number of resources are consumed and performance is severely degraded. Moreover, it is unnecessary to check all packets. Therefore, a packet check mechanism based on security zones was brought forward in the network security field.

The network administrator can classify the network devices at the same security level into one security zone. Since the network devices in the same security zone are at the same security level, the NGFW considers that data flows within the same security zone bring no security risk, and thus no security policy is required. The NGFW triggers the security check and enforces security policies only on data flows between security zones.

In summary, in addition to directly forwarding packets, the NGFW supports creating security zones and allows the network administrator to implement security checks on specific packets and enable security functions on the basis of security zones.

8.2.2 Mechanism
This section describes the security zone mechanism.

Security Zones
A security zone is a set of the networks connected by interfaces. Users on these networks have the same security attributes.

The NGFW considers that data flows within a single security zone are trustful and require no
security policy. The NGFW enforces security policies only on data flows between security zones.

The security level value ranges from 1 to 100. The larger the value, the higher the security level.

Table 8-50 lists default security zones on the NGFW.

NOTE

Default security zones cannot be deleted, and their security levels cannot be reset.
You can create security zones and specify their security levels as needed.

Table 8-50 Default security zones

Zone Name | Security Level | Description
Untrust zone | 5 | Defines insecure networks, such as the Internet.
DMZ | 50 | Short for demilitarized zone. It is an area in which intranet servers reside. Intranet servers are frequently accessed by extranet devices but cannot proactively access the extranet, which causes huge security risks. These servers are deployed in a DMZ with a lower level than a Trust zone but a higher level than an Untrust zone.
  NOTE: A DMZ is an intermediate zone between a military zone and a public zone. A DMZ zone configured on an NGFW is logically and physically separated from internal and external networks. Devices that provide network services for external users, such as WWW and FTP servers, are deployed in a DMZ zone. These servers run security risks if they are placed on an external network. If they are placed on an internal network, their security vulnerabilities may give external malicious users an opportunity to attack the internal network. The DMZ zone was developed to solve these problems.
Trust zone | 85 | An area in which intranet terminal users reside.
Local area | 100 (highest) | The Local zone is the device itself, including the interfaces on the device. Users cannot change Local area configurations, for example, adding interfaces to the Local area.
  NOTE: A security policy for exchanging packets between the Local zone and the security zone of a peer can be configured in the following scenarios:
  • The local device itself requires management using Telnet, web, or SNMP NMS.
  • The local device serves as a client to initiate requests or as a server to process requests in the FTP, PPPoE dial-up, NTP, or IPSec VPN scenario.
  When an interface is added to a security zone, the network connected to the interface is in that security zone, while the interface itself is in the Local zone.

Security Interzone and Directions


A security interzone describes a single traffic transmission channel that connects security zones.
A security policy is used to control traffic that passes along a channel. A security policy delivered
to an interzone takes effect on traffic that passes along the interzone, but not on traffic traveling
within the interzone.

An interzone connects any two security zones. An interzone provides a specific view, in which
firewall configurations are performed.

Traffic travels through an interzone in the following directions:

• Inbound: An interzone forwards traffic from a lower-level security zone to a higher-level security zone.
• Outbound: An interzone forwards traffic from a higher-level security zone to a lower-level security zone.

Although an interzone forwards packets to both parties that exchange packets, the interzone
determines a traffic direction based on the first packet.

For example, a client in a Trust zone sends the first packet to request an HTTP connection to a web server in an Untrust zone, whose security level is lower than that of the Trust zone. The NGFW considers that the packet is transmitted in the outbound direction and uses an outbound security policy to determine whether to permit or deny the packet. After the HTTP connection is successfully established, the NGFW creates a session table, which records the quintuple of the connection in a session entry. The quintuple consists of the source and destination IP addresses, the source and destination port numbers, and the protocol type.

If packets exchanged between the client and web server match the quintuple, the NGFW
processes the packets based on the outbound security policy, without re-checking the packet
transmission direction.

If a user only enables an outbound security policy for Trust-to-Untrust traffic in an interzone,
the following situations occur:

• A terminal in a Trust zone proactively initiates a connection to a terminal in an Untrust zone. Packets replied by the Untrust zone can pass through the interzone.
• Terminals in an Untrust zone can only receive requests for connections initiated by terminals in a Trust zone.
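The first-packet direction decision and session-table matching described above, as an added Python model that is not part of this guide. Zone levels are the defaults from Table 8-50; the single outbound policy rule, the addresses and the ports are constructed sample data.

```python
from dataclasses import dataclass

# Default security zones and their security levels (Table 8-50).
ZONE_LEVEL = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str          # "tcp" or "udp"

    def quintuple(self):
        return (self.src_ip, self.dst_ip, self.src_port, self.dst_port, self.proto)

    def reverse_quintuple(self):
        # A reply carries the same quintuple with source and destination swapped.
        return (self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)


def direction(src_zone, dst_zone):
    """Inbound: lower-level zone -> higher-level zone; outbound: the reverse.
    Traffic within one zone never reaches an interzone."""
    if src_zone == dst_zone:
        raise ValueError("traffic within a single zone is not checked")
    return "inbound" if ZONE_LEVEL[src_zone] < ZONE_LEVEL[dst_zone] else "outbound"


class Interzone:
    """One interzone between two zones. policies maps a direction to the set
    of (proto, dst_port) it permits; a direction with no policy permits nothing."""

    def __init__(self, zone_a, zone_b, policies):
        self.zones = frozenset((zone_a, zone_b))
        self.policies = policies
        self.sessions = {}   # quintuple of the first packet -> direction decided

    def handle(self, p):
        if {p.src_zone, p.dst_zone} != self.zones:
            raise ValueError("packet does not traverse this interzone")
        # Later packets of an established connection, in either direction,
        # match the session entry and are handled under the policy that was
        # applied to the first packet; the direction is not re-evaluated.
        for key in (p.quintuple(), p.reverse_quintuple()):
            if key in self.sessions:
                return f"permit (session, {self.sessions[key]})"
        # First packet: the interzone decides the direction now.
        d = direction(p.src_zone, p.dst_zone)
        if (p.proto, p.dst_port) in self.policies.get(d, set()):
            self.sessions[p.quintuple()] = d
            return f"permit ({d})"
        return f"deny ({d})"


if __name__ == "__main__":
    # Constructed scenario: only an outbound Trust-to-Untrust HTTP policy exists.
    iz = Interzone("trust", "untrust", {"outbound": {("tcp", 80)}})
    client_syn = Packet("trust", "untrust", "10.1.1.10", "203.0.113.5", 40000, 80, "tcp")
    server_reply = Packet("untrust", "trust", "203.0.113.5", "10.1.1.10", 80, 40000, "tcp")
    untrust_probe = Packet("untrust", "trust", "203.0.113.5", "10.1.1.10", 5555, 22, "tcp")
    for pkt in (client_syn, server_reply, untrust_probe):
        print(pkt.src_zone, "->", pkt.dst_zone, "port", pkt.dst_port, ":", iz.handle(pkt))
```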

8.2.3 Zone Configuration Using the Web UI


This section describes how to use the Web UI to configure a security zone.

Creating a Security Zone


An NGFW has four default security zones. You can create security zones and define security levels.

Step 1 Choose Network > Zone.

Step 2 Click Add.

Step 3 Set the following security zone parameters.

Parameter | Description
Zone Name | Name of a security zone. The name of the security zone cannot be changed once it is configured. The value must be different from the name of an existing security zone.
Priority | Priority of a security zone. The priority cannot be changed once it is configured. The higher the priority, the higher the security level. The value must be different from the priority of an existing security zone.
Description | Description of a security zone. To help users learn about a security zone, enter a meaningful description. Use a specific description for each security zone.

Step 4 Click Apply.

If the Operation succeeded dialog box is displayed, the security zone is successfully
created.

Repeat the previous operations to create more security zones with different security levels.

----End

Assigning Interfaces to Security Zones


You have to add interfaces to a security zone (except the Local zone) before using the security zone. After that, all packets on the interface are considered as belonging to the security zone.

An interface can only be assigned to a single security zone.

NOTE

A Local zone defines the device itself, including the interfaces on the device. Although an interface is assigned to a security zone, only the network connected to the interface is in that security zone; the interface itself is in the Local zone.

Step 1 Choose Network > Zone.

Step 2 Use either of the following methods to enter the operation page before adding interfaces to security zones:
• After a security zone is created, perform operations on the Add Zone page.
• Click the modify icon in the line where the entry to be modified resides to enter the Modify Zone operation page.

Step 3 In Select Zone Interface, perform one of the following operations:
• On the Un-Added Interface page, double-click a desired interface. This interface appears in the Added Interface window.
• On the Un-Added Interface page, select a desired interface and click the add icon. This interface appears in the Added Interface window.
• Click the add-all icon to assign all interfaces to the current security zone.

Step 4 Click OK.

----End

8.2.4 Zone Configuration Using the CLI


This section describes how to use a command line interface (CLI) to configure a security zone.


Creating a Security Zone and Adding an Interface to It


A system has four default security zones. You can create security zones and define security levels. After creating a security zone, add an interface to it. After that, all packets on the interface are considered as belonging to the security zone. By default, an interface does not belong to any security zone and cannot communicate with interfaces in security zones.

Specify the priority right after creating a security zone. If no priority is set, you cannot proceed with other security zone configurations.

Step 1 Display the system view.
system-view

Step 2 Create a security zone and display the security zone view.
firewall zone [ name ] zone-name

The name parameter is configured based on the following situations:
• A security zone already exists.
  Run this command without the name parameter to enter the security zone view.
• No security zone exists.
  Run the firewall zone [ name ] command to create a security zone and enter the security zone view.

Default security zones cannot be deleted.

Step 3 Set a priority value for the created security zone.
set priority security-priority

Set a security level (priority) for a security zone based on the following rules:
• A security level is only set for a user-defined security zone. A new security zone without a security level configured cannot take effect.
• A security level cannot be changed after being configured.

Step 4 Assign an interface to a security zone.
add interface interface-type interface-number

Add an interface to a security zone based on the following rules:
• Interfaces can only be manually assigned to a security zone, except for the Local zone.
• Either a physical or logical interface can be assigned to a security zone.
• A maximum of 1024 interfaces can be assigned to a security zone.

Step 5 Optional: Configure the description of the security zone.
description text

Appropriate descriptions help the administrator learn the system configuration and maintain the device.

----End
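The CLI procedure above, checked rule by rule as an added Python example (not Huawei code): it parses zone configuration written in the command syntax of Steps 2 to 5 and reports each violation of the rules stated there (default zones keep their levels, a priority before anything else, priorities from 1 to 100, one zone per interface, at most 1024 interfaces per zone, nothing added to the Local zone). The sample configuration is constructed; treating firewall zone name on an existing zone as simply entering it, and requiring priorities to be unique as the Web UI parameter table states, are assumptions of this example.

```python
DEFAULT_ZONES = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}
MAX_INTERFACES_PER_ZONE = 1024

# Constructed sample configuration in the CLI syntax of the procedure above;
# the lab, untrust and local parts are deliberately wrong.
SAMPLE_CONFIG = """\
system-view
firewall zone name branch
 set priority 60
 add interface GigabitEthernet 1/0/3
 description Branch office LAN
firewall zone trust
 add interface GigabitEthernet 1/0/1
firewall zone name lab
 add interface GigabitEthernet 1/0/4
firewall zone untrust
 set priority 10
 add interface GigabitEthernet 1/0/3
firewall zone local
 add interface GigabitEthernet 1/0/5
"""


def check_zone_config(text):
    """Return (zones, errors): zones maps each zone name to its priority,
    interfaces and description; errors is empty when the config is valid."""
    zones = {n: {"priority": p, "interfaces": [], "description": None}
             for n, p in DEFAULT_ZONES.items()}
    owner = {}    # interface -> zone that already holds it
    errors = []
    cur = None    # zone whose view we are in

    def err(n, msg):
        errors.append(f"line {n}: {msg}")

    for n, raw in enumerate(text.splitlines(), 1):
        tok = raw.split()
        if not tok or tok[0] == "system-view":
            continue
        if tok[0] in ("quit", "return"):
            cur = None
            continue
        if tok[:2] == ["firewall", "zone"]:
            # "firewall zone name X" creates X (or enters it if it exists, an
            # assumption here); "firewall zone X" enters an existing zone only.
            if len(tok) == 4 and tok[2] == "name":
                cur = tok[3]
                zones.setdefault(cur, {"priority": None, "interfaces": [], "description": None})
            elif len(tok) == 3 and tok[2] in zones:
                cur = tok[2]
            else:
                cur = None
                err(n, f"zone '{' '.join(tok[2:])}' does not exist; create it with firewall zone name")
            continue
        if cur is None:
            err(n, f"'{raw.strip()}' is only valid in a security zone view")
            continue
        zone = zones[cur]
        if tok[:2] == ["set", "priority"]:
            value = int(tok[2]) if len(tok) == 3 and tok[2].isdigit() else None
            if cur in DEFAULT_ZONES:
                err(n, f"the security level of default zone {cur} cannot be reset")
            elif zone["priority"] is not None:
                err(n, f"the priority of {cur} cannot be changed once configured")
            elif value is None or not 1 <= value <= 100:
                err(n, "priority must be an integer from 1 to 100")
            elif any(z["priority"] == value for z in zones.values()):
                err(n, f"priority {value} is already used by another zone")
            else:
                zone["priority"] = value
            continue
        if zone["priority"] is None:   # nothing else is accepted before the priority
            err(n, f"set a priority for {cur} before other configuration")
            continue
        if tok[:2] == ["add", "interface"]:
            ifname = " ".join(tok[2:])
            if cur == "local":
                err(n, "interfaces cannot be added to the Local zone")
            elif ifname in owner:
                err(n, f"{ifname} already belongs to zone {owner[ifname]}")
            elif len(zone["interfaces"]) >= MAX_INTERFACES_PER_ZONE:
                err(n, f"zone {cur} already holds {MAX_INTERFACES_PER_ZONE} interfaces")
            else:
                zone["interfaces"].append(ifname)
                owner[ifname] = cur
        elif tok[0] == "description":
            zone["description"] = " ".join(tok[1:])
        else:
            err(n, f"unknown zone-view command '{raw.strip()}'")
    for name, z in zones.items():   # a zone without a level cannot take effect
        if z["priority"] is None:
            err(0, f"zone {name} has no priority and cannot take effect")
    return zones, errors


if __name__ == "__main__":
    for e in check_zone_config(SAMPLE_CONFIG)[1]:
        print(e)
```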


Entering the Security Interzone View


The device performs security checks only on data flows between security zones. Before
controlling traffic between security zones, enter the security interzone and apply various security
policies.

Two related security zones must be already created. For details, see Creating a Security Zone
and Adding an Interface to It.

After a new security zone is created, the view of the interzone between the security zone and
another security zone is automatically created.

Step 1 Display the system view.
system-view

Step 2 Display the view of the interzone between two security zones.
firewall interzone zone-name1 zone-name2

Security policy checks are triggered when the data flows in security interzones. After entering
the security interzone view, you can configure security functions, such as application specific
packet filter (ASPF).

----End

Maintaining Security Zones


By checking the configurations and traffic status of security zones, you can learn the network
status and determine how to deploy security policies in an interzone.

Table 8-51 lists the commands used to display security zone configurations.

Table 8-51 Displaying security zone configurations

Action: Display information about existing security zones, their security levels, and added interfaces.
Command: display zone [ name zone-name ] [ interface | priority ]

Action: Display information about security policies configured in a security interzone.
Command: display interzone [ zone-name1 zone-name2 ]

8.2.5 Feature History


This section describes the versions and changes in the security zones feature.

Version | Change Description
V100R001C20SPC200 | The root system supports a maximum of 100 security zones, changed from the previous maximum of 32.
V100R001C00 | The first version.

8.3 DNS
This section describes the basic concepts, configuration procedures, and configuration examples
of DNS, DDNS, DNS transparent proxy, and smart DNS.

8.3.1 Overview
The Domain Name System (DNS) establishes the mapping between domain names and IP
addresses.

Definition
TCP/IP uses IP addresses to connect to devices. Users find it difficult to memorize the IP address of each device. Therefore, a host naming mechanism was designed to map IP addresses to host names in string format. The DNS provides the conversion and query mechanism between IP addresses and host names.

Objective
The DNS uses a hierarchical naming mode to specify a meaningful name for each device on a
network, set the DNS server, and establish the mapping between the domain name and the IP
address.

8.3.2 Mechanism
This section describes the mechanisms of DNS, DDNS, DNS transparent proxy, and smart
DNS.

8.3.2.1 DNS
This section describes the mechanism of the domain name system (DNS).

DNS over the Internet


Host names constitute a non-hierarchical namespace. Each name contains a character sequence.
The network information center (NIC) manages the namespace and processes new names. The
non-hierarchical namespace cannot manage a large number of names for the following reasons:

• Names consist of characters, which allows for name overlapping.
• The namespace management architecture resides at a specific site. As the number of host names increases, so does the management workload.
• The mapping between names and IP addresses frequently changes. Therefore, maintaining the domain namespace is a huge undertaking.

TCP/IP designs a hierarchical DNS structure. The domain name structure of the Internet is
defined by the DNS in the TCP/IP protocol stack. The DNS divides the Internet into multiple
top-level domains (TLDs). Table 8-52 lists the domain name of each TLD. TLDs are classified
in either organization or geography mode. The geography mode is used to classify domain names
based on countries. Each country must register a TLD with the NIC before joining the Internet.
For example, "cn" represents China, and "us" represents the United States.

Table 8-52 TLDs and their meanings

TLD | Meaning
com | Commercial organizations
edu | Educational agencies
gov | Governmental agencies
mil | Military departments
net | Main network support centers
int | International organizations
org | Other organizations
country code | Other countries (classified in geography mode)

NOTE

The first seven domains are defined in organization mode, and the country code domain is defined in
geography mode.

The NIC authorizes management agencies to classify domains into subdomains. The agencies
in charge of this can authorize subordinate agencies to continue classifying domains. As a result,
the Internet has a hierarchical domain architecture.

Static Domain Name Resolution


DNS supports dynamic and static domain name resolution. Static domain name resolution is
used to resolve a domain name. If it fails, dynamic domain name resolution is used.

Static domain name resolution requires a static domain name resolution table, which lists manually created mappings between domain names and IP addresses. This table is similar to the hosts file on Windows 9X and contains commonly used domain names. After looking up a specified domain name in the resolution table, clients obtain the IP address mapped to it. This process improves domain name resolution efficiency.

Dynamic Domain Name Resolution


Dynamic domain name resolution requires a special DNS server. This server runs the domain
name resolution program, maps domain names to IP addresses, and collects DNS requests from
clients.

The dynamic domain name resolution process is as follows:


1. A client uses a specific application, such as ping or Telnet, to send a DNS request to a
device.
2. The device queries a local cache for the required mapping entry. If the device does not find
an entry, the device sends a query packet to the DNS server.
3. The DNS server checks whether the requested domain name is within the domain it manages
and responds to the device.
4. The device resolves the packet and decides what to do next based on the contents of the
packet.

Dynamic domain name resolution also supports a domain name suffix list. Pre-defining some domain name suffixes allows you to enter only part of a domain name to be resolved. The system automatically adds a configured suffix to the domain name before resolving it.

For instance, if you configure "com" in the suffix list and enter "example" in a domain name query, the system automatically associates "example" with the suffix "com" and searches for "example.com".

You may encounter the following situations during a resolution process:
• If you enter a domain name without a dot (.), such as "example", the system considers it a host name and adds the suffixes one by one for the search. If there is no matching domain name, the system searches for an IP address mapped to "example".
• If you enter a domain name with a dot (.), such as "www.example", the system immediately searches for it. If the system does not find a matching entry, it adds every configured suffix to the domain name to search for an IP address mapped to the domain name.
• If you enter a domain name with a dot (.) at the end, such as "example.com.", the system removes the last dot (.) before searching for an IP address mapped to the domain name. If the search fails, the system adds every configured suffix to the domain name without the last dot to search for an IP address mapped to the domain name.

8.3.2.2 DNS Client


This section describes the mechanism of the DNS client.

As shown in Figure 8-15, the NGFW serves as the DNS client. After receiving request packets from the LAN (for example, when the Ping or Tracert command is run), the NGFW sends query packets to the DNS server. Upon receiving the DNS reply packets from the DNS server, the NGFW parses them to resolve the domain names.

Figure 8-15 Application scenario of the DNS client (figure not reproduced; it shows the DNS client on the local network side and the DNS server on the Internet side)


8.3.2.3 DNS Proxy


This section describes the mechanism of DNS proxy.

A DNS proxy is deployed to relay DNS request and response packets exchanged between the
DNS client and server.

A DNS client uses a DNS proxy as a DNS server and sends DNS query messages to the DNS
proxy. The DNS proxy forwards request packets to a real DNS server and response packets to
the DNS client.

After the DNS proxy function is enabled and the IP address of a DNS server changes, you only
need to change the DNS proxy configurations, not those on all DNS clients on the LAN.
Therefore, the DNS proxy simplifies network management.

Figure 8-16 shows a typical DNS proxy network.

Figure 8-16 Typical DNS proxy network (figure not reproduced; it shows several DNS clients, the DNS proxy between them and the DNS server)

The working process of a DNS proxy is as follows:

1. A DNS client uses a DNS proxy as a DNS server and sends DNS query messages to the DNS proxy. The destination IP address in the request packets is the IP address of the DNS proxy.
2. After receiving the request packets, the DNS proxy searches the local static domain name resolution table.
   – If the DNS proxy finds an IP address mapped to the DNS name carried in the request, the DNS proxy sends DNS response packets carrying the domain name resolution result to the DNS client.
   – If the DNS proxy finds no IP address mapped to the DNS name carried in the request, the DNS proxy forwards the packets to a DNS server, which performs domain name resolution on them.
3. After receiving the response packets from the DNS server, the DNS proxy forwards the packets to the DNS client. The DNS client uses the domain name resolution result to access the Internet.

8.3.2.4 DDNS
This section describes the mechanism of Dynamic Domain Name System (DDNS).


TCP/IP defines both string-based host names (resolved through the DNS) and IP addressing. The DNS
only provides a static mapping between domain names and IP addresses. If the IP address
mapped to a domain name changes, the DNS cannot update the mapping dynamically. If a host
then uses the domain name to access the node, host name resolution returns the old address
and the access fails.
The Dynamic Domain Name System (DDNS) addresses this problem.
DDNS can dynamically update the mapping on a DNS server, which ensures that the resolved
IP address is correct.
Figure 8-17 shows a typical DDNS network.

Figure 8-17 Typical DDNS network (diagram: a PC reaches the DDNS client (NGFW) through interface GE1/0/1; the NGFW sends updates to the DDNS server, which updates the DNS server)

NOTE

l DDNS deployment must be supported by a DDNS service provider. The following DDNS service
providers currently support DDNS deployment: www.3322.org, dyndns.org, freedns.afraid.org,
zoneedit.com, and no-ip.com.
l Since a DDNS server is deployed on the Internet, ensure that the DDNS client (NGFW) can access the
Internet properly before using DDNS.

The IP address of GigabitEthernet 1/0/1 on the NGFW (DDNS client) can be obtained
dynamically from the network carrier on the network shown in Figure 8-17. Since the IP address
obtained each time is different, the PC needs to use the domain name to access the NGFW. DNS
cannot dynamically update the mapping between domain names and IP addresses. As a result,
the PC fails to access the NGFW. To allow successful access, DDNS can be deployed.
After DDNS is deployed, the NGFW automatically sends a request to the DDNS server to update
the mapping between a domain name and the changed IP address of GigabitEthernet 1/0/1. The
DDNS server processes this request and sends the updated mapping to the DNS server. The PC
can obtain the correct IP address for the NGFW before accessing the NGFW again using the
domain name.

8.3.2.5 DNS Transparent Proxy


This section describes the mechanism of DNS transparent proxy.


As shown in Figure 8-18, an enterprise rents multiple ISP links as network egresses, and each
ISP network deploys the same Web servers. Generally speaking, the same DNS server address
(such as the DNS server address of ISP1) is configured on the clients of all intranet users. The
DNS server then resolves domain names to the address of the Web server (such as the Web
server address of ISP1) on the same ISP network. Therefore, the Internet access traffic from all
intranet users is forwarded on the same ISP link, causing link congestion and compromising
users' Internet access experiences. At the same time, other ISP links are not used, causing
resource waste.

Figure 8-18 Forwarding Internet access traffic on the same ISP link (diagram: the intranet behind a common gateway sends all DNS requests to the DNS server on ISP1 and all Internet access traffic for www.example.com to the Web server on ISP1; the DNS server and Web server on ISP2 are unused)

The DNS transparent proxy function on the NGFW can change the destination address of some
DNS query messages to the DNS server addresses on other ISP networks (such as the DNS
server address on the ISP2 network). The DNS requests are then forwarded to different ISP
networks, and the resolved Web server addresses belong to different ISPs. Therefore, the Internet
access traffic is forwarded over different ISP links, so that all links are used, as shown in
Figure 8-19.


Figure 8-19 Forwarding Internet access traffic to different ISP links (diagram: the intranet behind the NGFW; DNS requests are distributed to the DNS servers on ISP1 and ISP2, and Internet access traffic for www.example.com reaches the Web servers on both ISP1 and ISP2)

Figure 8-20 shows how DNS transparent proxy processes the packet from an intranet user to a
specific domain name.


Figure 8-20 Packet processing workflow of DNS transparent proxy (flowchart, shown here as steps)

1. Start: a DNS query message arrives.
2. Is the domain name in the DNS query message an excluded domain name? Yes: End. No: continue.
3. Does the DNS server require transparent proxy? No: End. Yes: continue.
4. Does the DNS query message match a policy-based route? Yes: use the outbound interface
   selected by the policy-based route. No: use the outbound interface selected by the global
   route selection policy.
5. Replace the destination address of the DNS query message with the DNS server address
   bound to the interface.
6. End.

The following section illustrates the workflow based on Figure 8-21.


1. When a DNS query message reaches the NGFW, the NGFW checks whether the DNS
server address requires transparent proxy. Only the specified DNS server addresses require
transparent proxy processing. You can also exclude some domain names. When users
access these domain names, even if the DNS server address requires transparent proxy
processing, the NGFW will directly forward the packets without any processing.
DNS transparent proxy examines each DNS query message even though the request packets
are from the same user.
2. The DNS transparent proxy function substitutes the destination addresses of DNS query
messages to balance traffic to different ISP links. The substitute DNS server address is
determined by the outbound interface.
If the DNS query message matches a policy-based route, the DNS transparent proxy
function will use the outbound interface specified by the policy-based route. If the DNS
query message does not match any policy-based route, the DNS transparent proxy function
will use the outbound interface specified by the global link selection policy.


If the policy-based route specifies multiple outbound interfaces, then different link selection
modes can meet different load balancing requirements, such as selecting an outbound
interface based on the interface bandwidth or weight, which is the same as the global link
selection policy. However, the link selection result differs. Link selection results are
dynamic. Therefore, two requests from the same user may use different outbound interfaces,
and the two interfaces may belong to different ISPs. Hence the substitute DNS server
addresses also differ.
3. The NGFW binds two DNS servers (one preferred DNS server and one alternate DNS
server) on each outbound interface. Both DNS servers belong to the ISP network directly
connecting to the outbound interface. After the NGFW determines the outbound interface
of a DNS query message, the DNS transparent proxy function preferentially uses the
preferred DNS server to substitute the destination address of the DNS query message. If
the preferred DNS server is Down, the alternate DNS server is used.
4. The DNS server returns the resolved Web server address to the user. The Web server and
DNS server belong to the same ISP.
5. The user then uses the returned address to access the Web server. At this time, you need to
enable ISP address database link selection to forward traffic to corresponding outbound
interfaces and ensure that the traffic is forwarded to the Web server over the ISP network
of the destination address.
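The following Python script is an added example, not code from this guide or from the NGFW. It implements the decision of Figure 8-20 for one DNS query message: excluded domain names and queries to DNS servers that do not require transparent proxy are left untouched; otherwise the outbound interface is taken from a matching policy-based route or, failing that, from the global link selection policy, and the destination address is replaced by the preferred DNS server bound to that interface, or by the alternate one when the preferred server is Down. The interface bindings, server addresses and the client's DNS server address 10.1.1.10 are taken from Figure 8-21; the policy-based route (by source network), the excluded domain corp.example.net and the health states are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class DnsBinding:
    """Preferred and alternate DNS server bound to one WAN interface; both belong to that ISP."""
    preferred: str
    alternate: str


@dataclass
class TransparentProxy:
    proxied_servers: Set[str]                      # DNS server addresses that require transparent proxy
    excluded_domains: Set[str]                     # domain names forwarded without any processing
    bindings: Dict[str, DnsBinding]                # WAN interface -> bound DNS servers
    pbr: List[Tuple[ipaddress.IPv4Network, str]]   # policy-based routes: source network -> interface
    global_select: Callable[[], str]               # global link selection policy (dynamic, e.g. by bandwidth)
    server_up: Dict[str, bool] = field(default_factory=dict)  # DNS server health; unknown means Up

    def is_excluded(self, qname: str) -> bool:
        q = qname.rstrip(".").lower()
        return any(q == d or q.endswith("." + d) for d in self.excluded_domains)

    def outbound_interface(self, src_ip: str) -> str:
        """Policy-based route first, global link selection policy otherwise (Figure 8-20, step 4)."""
        src = ipaddress.ip_address(src_ip)
        for net, iface in self.pbr:
            if src in net:
                return iface
        return self.global_select()

    def process(self, qname: str, src_ip: str, dst_ip: str):
        """Decide what happens to one DNS query; return (outbound interface or None, destination)."""
        if self.is_excluded(qname) or dst_ip not in self.proxied_servers:
            return None, dst_ip                 # forwarded by ordinary routing, unchanged
        iface = self.outbound_interface(src_ip)
        binding = self.bindings.get(iface)
        if binding is None:
            return iface, dst_ip                # nothing bound on this interface: nothing to substitute
        for server in (binding.preferred, binding.alternate):
            if self.server_up.get(server, True):
                return iface, server            # preferred first, alternate when preferred is Down
        return iface, dst_ip                    # both bound servers Down


def figure_8_21_proxy(global_iface: str = "GE1/0/1") -> TransparentProxy:
    """Bindings from Figure 8-21; the PBR, excluded domain and global selection result are assumed."""
    return TransparentProxy(
        proxied_servers={"10.1.1.10"},          # DNS server address configured on the intranet users
        excluded_domains={"corp.example.net"},
        bindings={
            "GE1/0/0": DnsBinding("8.8.8.8", "8.8.8.9"),   # ISP1
            "GE1/0/1": DnsBinding("9.9.9.8", "9.9.9.9"),   # ISP2
        },
        pbr=[(ipaddress.ip_network("192.168.1.0/24"), "GE1/0/0")],
        global_select=lambda: global_iface,
    )
```

Because link selection is dynamic, two queries from the same user can be handed to different interfaces and therefore to DNS servers of different ISPs, which is exactly the behaviour the text describes; the example makes that visible by letting `global_select` return whatever the caller's policy decides.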

Figure 8-21 DNS transparent proxying on the NGFW (diagram)

Topology: the intranet connects to the NGFW, which reaches ISP1 through GE1/0/0 and ISP2
through GE1/0/1. ISP1 hosts the Web server for www.example.com (3.3.3.3) and the DNS servers
8.8.8.8 (preferred) and 8.8.8.9 (alternative); ISP2 hosts the DNS servers 9.9.9.8 (preferred) and
9.9.9.9 (alternative).

1. A user accesses website www.example.com. The DNS server address configured on the user is
   10.1.1.10.
2. The intelligent uplink selection function selects interface GE1/0/0 as the outbound interface
   for forwarding the DNS query message.
3. The destination address of the DNS query message is substituted to 8.8.8.8.
4. The resolved Web server address is 3.3.3.3.
5. The user accesses the Web server of ISP1.


8.3.2.6 Smart DNS


This section describes the mechanism of smart DNS.

An enterprise network has a DNS server. The DNS server has the mappings between the domain
name of a Web server and one or multiple public IP addresses. When a user accesses the domain
name to connect to the Web server, the packet destination address after resolution is the public
IP address of the Web server. The NGFW then uses the NAT Server function to map the packet
destination address to the private address of the Web server.

The IP address after DNS resolution may belong to a different ISP from the user's IP address,
causing access delay. Or multiple users may access the Web server using the same link, causing
link congestion.

You can configure the smart DNS function for the NGFW to intelligently change the resolved
address in DNS reply packets, so that each user can have the most appropriate address after
resolution.

Single-server Smart DNS


If the DNS server on the enterprise network has the mapping between the domain name of the
Web server and one public IP address, configure single-server smart DNS.

As shown in Figure 8-22, the enterprise or data center is connected to multiple ISP networks
through several links. The private address of the web server is 10.1.1.10, and the public address
of the web server is 2.2.2.10. The intranet DNS server has only mappings between the domain
names (such as www.example.com) and public addresses (such as 2.2.2.10) of web servers.

When users on ISP2 access a web server on the intranet through domain name
www.example.com, the domain name is mapped to IP address 2.2.2.10. The NGFW then uses
the NAT server function to translate the destination address of packets from 2.2.2.10 to the
private address (10.1.1.10) of the web server.

When smart DNS is not configured and a user from another ISP network (such as an ISP1 user)
accesses the Web service provided by the enterprise through domain name
www.example.com, the address that the DNS server returns after domain name resolution is
2.2.2.10, which resides on a different ISP network from the user's IP address (the ISP1 user address
is 1.1.1.1). Therefore, the traffic of the ISP1 user needs to make a detour through the ISP2 network to reach
the Web server, which increases the service access delay and inter-ISP settlement. Besides, all
traffic from external users to the Web server is forwarded over the ISP2 network. This may cause
congestion on the link from the NGFW to the ISP2 network while other links (such as the ISP1
link) are idle.


Figure 8-22 Single-server Smart DNS (diagram: the DNS server and the Web server for www.example.com, which serves the ISP2 network with private IP address 10.1.1.10 and public IP address 2.2.2.10, sit behind the NGFW; the NGFW connects to ISP1 (1.1.1.1) and ISP2 (2.2.2.2))

To resolve the preceding problem, you can configure ISP egress-based smart DNS for ISP1
users, so that the NGFW can map the resolved address to an address on ISP1 network (such as
1.1.1.10 obtained from ISP1 network). In this way, ISP1 users can access the web server directly
from ISP1 network without taking a detour on ISP2 network.
As shown in Figure 8-23, it is assumed that the ISP egress-based smart DNS function is
configured for ISP1 users on the NGFW. The NGFW maps the resolved address in the DNS
reply packet with the outbound interface of GE1/0/1 to 1.1.1.10. The process for an ISP1 user
to access the web server is as follows:
1. The ISP1 user sends a DNS request to access the web server through domain name
www.example.com.
2. The DNS server returns resolved IP address 2.2.2.10.
3. According to the smart DNS mapping table, the NGFW changes the IP address in the DNS
reply packet to 1.1.1.10 that belongs to the same ISP network as the ISP1 user. Outbound
interface GE1/0/1 in the mapping table is mapped to address 1.1.1.10.
4. The ISP1 user initiates a packet destined to 1.1.1.10 for access. The packet reaches the
NGFW through ISP1 network.
5. With the NAT server function, the NGFW translates the destination address (1.1.1.10) of
the packet into the private address (10.1.1.10) of the web server.
As for users on ISP2 network, the NGFW retains the address returned by the DNS server
unchanged, namely, 2.2.2.10. With the NAT server function, the NGFW translates the
destination address (2.2.2.10) of the packet into the private address (10.1.1.10) of the web server.
Then ISP2 users can access the web server through ISP2 network. In this way, idle ISP1 links
or congested ISP2 links no longer exist, and the user access speed and user experience are
increased.


Figure 8-23 ISP egress-based single-server smart DNS (diagram)

Topology: the DNS server and the Web server for www.example.com (serves the ISP2 network;
private IP address 10.1.1.10, public IP address 2.2.2.10) sit behind the NGFW, which connects to
ISP1 (1.1.1.1) through GE1/0/1 and to ISP2 (2.2.2.2) through GE1/0/2. Steps 1 to 5 in the diagram
correspond to the numbered list above.

Smart DNS mapping table
  Outbound interface    Mapped address
  GE1/0/1               1.1.1.10

Server-map table
  Address before translation    Address after translation
  1.1.1.10                      10.1.1.10
  2.2.2.10                      10.1.1.10

With the round robin- or weighted round robin-based smart DNS function, the NGFW can
allocate addresses to users based on weights. The NGFW changes the destination addresses of
user access requests to divert traffic to web servers over various links, implementing load
balancing. As shown in Figure 8-24, it is assumed that round robin-based smart DNS is
configured for ISP1 users on the NGFW. The NGFW maps the resolved address in the DNS
reply packet with the outbound interface of GE1/0/1 to 1.1.1.9 and 1.1.1.10. The process for an
ISP1 user to access the web server is as follows:
1. The ISP1 user sends a DNS request to access the web server through domain name
www.example.com.
2. The DNS server returns resolved IP address 2.2.2.10.
3. According to the smart DNS mapping table, the NGFW changes the IP address in the DNS
reply packet to 1.1.1.9 or 1.1.1.10 in round robin mode. Outbound interface GE1/0/1 in the
mapping table is mapped to 1.1.1.9 and 1.1.1.10.
4. The ISP1 user initiates a packet destined to 1.1.1.9 or 1.1.1.10 for access. The packet reaches
the NGFW.
5. With the NAT server function, the NGFW translates the destination address (1.1.1.9 or
1.1.1.10) of the packet into the private address (10.1.1.10) of the web server.


Figure 8-24 Round robin-based or weighted round robin-based single-server smart DNS (diagram)

Topology: the DNS server and the Web server for www.example.com (serves the ISP2 network;
private IP address 10.1.1.10, public IP address 2.2.2.10) sit behind the NGFW, which connects to
ISP1 (1.1.1.1) through GE1/0/1 and to ISP2 (2.2.2.2) through GE1/0/2. Steps 1 to 5 in the diagram
correspond to the numbered list above.

Smart DNS mapping table
  Outbound interface    Mapped address
  GE1/0/1               1.1.1.9
                        1.1.1.10

Server-map table
  Address before translation    Address after translation
  1.1.1.9                       10.1.1.10
  1.1.1.10                      10.1.1.10
  2.2.2.10                      10.1.1.10

Multi-server Smart DNS


If the DNS server on the enterprise network has the mapping between the domain name of the
Web server and multiple public IP addresses, configure multi-server smart DNS.

As shown in Figure 8-25, a large enterprise or data center provides the Web service (such as
website access) for external users and usually provides multiple Web server addresses (1.1.1.10
and 2.2.2.10) for users on different ISP networks to access. The DNS server of the enterprise or
data center has the mapping between multiple Web service domain names and multiple server
addresses.

If smart DNS is not configured and a user of one ISP (such as ISP1) enters a domain name to
access the Web service (such as www.example.com), the user first initiates a DNS request to
the DNS server on the intranet. The DNS server resolves the domain name and returns multiple
server addresses (1.1.1.10 and 2.2.2.10) to the user. The ISP1 user selects one of them randomly
to initiate an access, but the selected server address may belong to the other ISP (the ISP1 user
may select the ISP2 server address 2.2.2.10). As a result, the ISP1 user needs to make
a detour through the ISP2 network before reaching the server, which increases the service access delay
and inter-ISP settlement.


Figure 8-25 Multi-server smart DNS (diagram: the DNS server and two Web servers for www.example.com sit behind the NGFW; one Web server serves the ISP1 network with private IP address 10.1.1.10 and public IP address 1.1.1.10, the other serves the ISP2 network with private IP address 10.1.2.10 and public IP address 2.2.2.10; the NGFW connects to ISP1 (1.1.1.1) and ISP2 (2.2.2.2))

If you configure ISP egress-based smart DNS, the NGFW will return only one server address
to each user, and the server address is on the same ISP network as the user. In this way, the user
does not need to make a detour on other ISP networks to access the Web server.

As shown in Figure 8-26, it is assumed that the ISP egress-based smart DNS function is configured on the
NGFW. The NGFW maps the resolved address in the DNS reply packet with the outbound
interface of GE1/0/1 to 1.1.1.10 and the resolved address in the DNS reply packet with the
outbound interface of GE1/0/2 to 2.2.2.10. The process for an ISP1 user to access the web server
is as follows:
1. The ISP1 user sends a DNS request to access the web server through domain name
www.example.com.
2. The DNS server returns resolved IP addresses 1.1.1.10 and 2.2.2.10.
3. According to the smart DNS mapping table, the NGFW changes the IP address in the DNS
reply packet to 1.1.1.10. Outbound interface GE1/0/1 in the mapping table is mapped to
address 1.1.1.10.
4. The ISP1 user sends a packet destined for IP address 1.1.1.10 for access. The packet reaches
the NGFW. In this way, ISP1 users can access the web server directly from ISP1 network
without taking a detour on ISP2 network, which increases the user access speed and user
experience.
5. With the NAT server function, the NGFW translates the destination address (1.1.1.10) of
the packet into the private address (10.1.1.10) of the web server.

Similarly, when an ISP2 user accesses the web server through domain name www.example.com,
the NGFW changes the IP address in the DNS reply packet to 2.2.2.10 according to the smart
DNS mapping table. The ISP2 user initiates a packet destined to IP address 2.2.2.10 for access. With
the NAT server function, the NGFW translates the destination IP address (2.2.2.10) of the packet
into the private address (10.1.2.10) of the web server.

Figure 8-26 ISP egress-based multi-server smart DNS (diagram)

Topology: the DNS server and two Web servers for www.example.com sit behind the NGFW. One
Web server serves the ISP1 network (private IP address 10.1.1.10, public IP address 1.1.1.10); the
other serves the ISP2 network (private IP address 10.1.2.10, public IP address 2.2.2.10). The NGFW
connects to ISP1 (1.1.1.1) through GE1/0/1 and to ISP2 (2.2.2.2) through GE1/0/2. Steps 1 to 5 in
the diagram correspond to the numbered list above.

Smart DNS mapping table
  Outbound interface    Mapped address
  GE1/0/1               1.1.1.10
  GE1/0/2               2.2.2.10

Server-map table
  Address before translation    Address after translation
  1.1.1.10                      10.1.1.10
  2.2.2.10                      10.1.2.10

With the round robin- or weighted round robin-based smart DNS function, the NGFW can
allocate addresses to users based on weights. The NGFW changes the destination addresses of
user access requests to divert traffic to web servers over various links, implementing load
balancing. As shown in Figure 8-27, it is assumed that the round robin-based smart DNS function
is configured for ISP1 users on the NGFW. The NGFW maps the resolved address in the DNS
reply packet with the outbound interface of GE1/0/1 to 1.1.1.9 and 1.1.1.10. The process for an
ISP1 user to access the web server is as follows:

1. The ISP1 user sends a DNS request to access the web server through domain name
www.example.com.
2. The DNS server returns resolved IP addresses 1.1.1.9 and 1.1.1.10.
3. According to the smart DNS mapping table, the NGFW changes the IP address in the DNS
reply packet to 1.1.1.9 or 1.1.1.10 in round robin mode. Outbound interface GE1/0/1 in the
mapping table is mapped to 1.1.1.9 and 1.1.1.10.
4. The ISP1 user initiates a packet destined to 1.1.1.9 or 1.1.1.10 for access. The packet reaches
the NGFW.


5. With the NAT server function, the NGFW translates the destination address (1.1.1.9 or
1.1.1.10) of the packet into the private address (10.1.1.10 or 10.1.1.11) of the web server.
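The following Python script is an added example and is not code from this guide or from the NGFW. It serves both the single-server and the multi-server smart DNS descriptions above: a smart DNS mapping table keyed by outbound interface, the ISP egress-based mode (every user receives the one address on their own ISP) and the round robin and weighted round robin modes (addresses handed out in turn), followed by the NAT server translation from the server-map table. The mapping and server-map entries are those of Figures 8-23, 8-24 and 8-26; the weights 2:1 and the choice of the first mapped address in egress mode are assumptions made for the example.

```python
import itertools
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class MappingEntry:
    """Smart DNS mapping table row: public addresses reachable through one outbound interface."""
    addresses: List[str]
    weights: Optional[List[int]] = None   # weighted round robin; None means equal weights


class SmartDns:
    def __init__(self, mapping: Dict[str, MappingEntry], mode: str):
        if mode not in ("egress", "round-robin"):
            raise ValueError("mode must be 'egress' or 'round-robin'")
        self.mode = mode
        self.mapping = mapping
        # One rotation per interface; a weight of 2 puts the address twice in every cycle.
        self._rotation = {}
        for iface, entry in mapping.items():
            weights = entry.weights or [1] * len(entry.addresses)
            sequence = [a for a, w in zip(entry.addresses, weights) for _ in range(w)]
            self._rotation[iface] = itertools.cycle(sequence)

    def rewrite(self, out_iface: str, answers: List[str]) -> List[str]:
        """Rewrite the A records of a DNS reply that leaves the NGFW through out_iface.

        An interface without a mapping row leaves the reply untouched (the ISP2 users of
        Figure 8-23); otherwise all resolved addresses are replaced by a single mapped one.
        """
        entry = self.mapping.get(out_iface)
        if entry is None:
            return list(answers)
        if self.mode == "egress":
            return [entry.addresses[0]]       # assumption: first mapped address of the interface
        return [next(self._rotation[out_iface])]


def nat_server(dst: str, server_map: Dict[str, str]) -> str:
    """NAT server step: public destination address -> private address, per the server-map table."""
    return server_map.get(dst, dst)


def user_access(smart: SmartDns, out_iface: str, resolved: List[str], server_map: Dict[str, str]):
    """Steps 3 to 5 for one user: rewritten reply, address the user connects to, private target."""
    rewritten = smart.rewrite(out_iface, resolved)
    public = rewritten[0]   # the user connects to the (now single) returned address
    return rewritten, public, nat_server(public, server_map)


# Figure 8-23 / 8-24 (single-server) and Figure 8-26 (multi-server) tables.
SERVER_MAP_SINGLE = {"1.1.1.9": "10.1.1.10", "1.1.1.10": "10.1.1.10", "2.2.2.10": "10.1.1.10"}
SERVER_MAP_MULTI = {"1.1.1.10": "10.1.1.10", "2.2.2.10": "10.1.2.10"}

SINGLE_EGRESS = SmartDns({"GE1/0/1": MappingEntry(["1.1.1.10"])}, "egress")
SINGLE_RR = SmartDns({"GE1/0/1": MappingEntry(["1.1.1.9", "1.1.1.10"])}, "round-robin")
SINGLE_WRR = SmartDns({"GE1/0/1": MappingEntry(["1.1.1.9", "1.1.1.10"], [2, 1])}, "round-robin")
MULTI_EGRESS = SmartDns({"GE1/0/1": MappingEntry(["1.1.1.10"]),
                         "GE1/0/2": MappingEntry(["2.2.2.10"])}, "egress")
```

The mapped addresses must be public addresses that the NGFW actually owns on that ISP link, and every one of them needs a server-map entry; a mapped address without a NAT server row would be returned to the user but never translated to the web server.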

Figure 8-27 Round robin-based or weighted round robin-based multi-server smart DNS (diagram)

Topology: the DNS server and two Web servers for www.example.com sit behind the NGFW. One
Web server serves the ISP1 network (private IP address 10.1.1.10, public IP address 1.1.1.10); the
other serves the ISP2 network (private IP address 10.1.2.10, public IP address 2.2.2.10). The NGFW
connects to ISP1 (1.1.1.1) through GE1/0/1 and to ISP2 (2.2.2.2) through GE1/0/2. Steps 1 to 5 in
the diagram correspond to the numbered list above.

Smart DNS mapping table
  Outbound interface    Mapped address
  GE1/0/1               1.1.1.10
                        2.2.2.10
  GE1/0/2               1.1.1.10
                        2.2.2.10

Server-map table
  Address before translation    Address after translation
  1.1.1.10                      10.1.1.10
  2.2.2.10                      10.1.2.10

8.3.3 Restrictions and Precautions


Read the restrictions and precautions before you configure DNS functions.

Precautions
l When the NGFW functions as an egress gateway and a DNS server is deployed on the
enterprise intranet, the DNS transparent proxy function does not take effect, because DNS
query messages are forwarded to the intranet DNS server for domain name analysis, and
the NGFW is not used for DNS transparent proxy on these DNS query messages.
l DNS transparent proxy must function with intelligent uplink selection (Policy-based
Route or Global Link Selection Policy) and ISP Address Database Link Selection to
implement load balancing. Intelligent uplink selection selects the outbound interface for
forwarding DNS query messages, and ISP address database link selection ensures that the
service traffic is forwarded to the Web server over the ISP network of the destination
address. It is meaningless to configure DNS transparent proxy independently, because the
configuration does not take effect after delivery. For details on the implementation of DNS
transparent proxy, see DNS Transparent Proxy.
l When you configure smart DNS on multi-egress networks, you must configure sticky load
balancing on the outbound interface.
l Smart DNS modifies DNS reply packets based on the smart DNS mapping table. The
mapping table records the mapping between outbound interfaces and the substituted DNS
server addresses. The substituted DNS server addresses must be public IP addresses.

8.3.4 DNS Configuration Using the Web UI


This section describes how to configure DNS, DDNS, DNS transparent proxy, and smart
DNS on the web UI.

8.3.4.1 DNS
After you specify a DNS server address on a device, the device can serve as a DNS client or
DNS proxy agent to send domain name resolution requests to a specific DNS server.

Context
A DNS server accepts the domain name resolution requests initiated by a DNS client. You can
manually set an address for the DNS server connected to a device. The DNS server address is
generally provided by an Internet Service Provider (ISP). The address can also be automatically
obtained using Dynamic Host Configuration Protocol (DHCP) or Point-to-Point Protocol over
Ethernet (PPPoE) on an interface. For information about how to configure interfaces, see
Interface.
The DNS server whose address is manually configured has a higher priority than the one whose
address is dynamically obtained. If two DNS servers obtain addresses in the same way, the one
that obtains an address earlier enjoys a higher priority. When resolving domain names, the device
sends query packets (based on the priorities) to DNS servers until the query succeeds.
When forwarding DNS request packets to the DNS server, the NGFW uses the IP address of the
outbound interface as the default source IP address of the DNS request packets. However, in some cases,
you need to set the source IP address of DNS request packets to another IP address.
As shown in Figure 8-28, when the NGFW forwards DNS request packets to the DNS server
using interface A, the NGFW uses the IP address of interface A as the source IP address of the
request packets by default. If the DNS server has only a route to the IP address of interface B,
you need to set the source IP address of DNS request packets to the IP address of interface B.
Otherwise, the route query fails, and the DNS server fails to send DNS response packets.

Figure 8-28 Networking diagram for setting a source address for DNS request packets (diagram: the client reaches the DNS server through the NGFW, which has interface A and interface B toward the DNS server)


Procedure
Step 1 Choose Network > DNS > DNS.

Step 2 In DNS Server List, click Add.

Step 3 Set an IP address for the DNS server.


l If you do not select a WAN interface, the specified DNS server address is a global address.
In the DNS server address text box, enter the IPv4 or IPv6 address of the DNS server and
click OK.
l If you select a WAN interface, the specified DNS server address is the address bound to the
interface (applicable only to this interface). For configuration and description, see
Configuring DNS Transparent Proxy.

If the operation succeeds, the new configuration with Obtaining Mode of Manual is displayed
in DNS Server List.

Repeat the previous operations to assign IPv4/IPv6 addresses to multiple DNS servers.

NOTE
In addition to Manual, the following address allocation modes can be selected from DNS Server List:
l DHCP: The address of the DNS server is obtained dynamically using DHCP.
l PPPoE: The address of the DNS server is obtained dynamically using PPPoE.

Step 4 Optional: In Configure DNS Query Packets's Source Address, set the Source Interface or
Source Address.

Parameter Description

Source Interface Select an interface name from the drop-down list. The source
address of the request packets is the IP address of the selected interface.

Source Address Enter a source IP address in the text box.

NOTE
You cannot set the source address of DNS request packets to an IPv6 address on the NGFW.

Step 5 Click Apply.

----End

Follow-up Procedure
When deleting a DNS server, you can delete only the DNS server addresses that are obtained
manually, but not those obtained using DHCP or PPPoE. If the interface that is connected using
DHCP or PPPoE is physically Down, or the interface fails to be connected using DHCP or
PPPoE, the corresponding DNS server address is deleted automatically from the DNS server
list.


8.3.4.2 Configuring DDNS


When a NGFW serves as a DDNS client, a DNS server dynamically updates the mapping
between domain names and IPv4 addresses after being notified by a DDNS service provider.
This process ensures that domain names are resolved into correct IPv4 addresses.

Enabling DDNS
Enable DDNS before using other related DDNS functions. If DDNS is disabled, DDNS-related
configurations do not take effect.

Step 1 Choose Network > DNS > DDNS.

Step 2 Select the Enable check box corresponding to DDNS in Configure DDNS.

Step 3 Click Apply.


If the Operation succeeded dialog box is displayed, the function is successfully enabled.

----End

Creating a DDNS Policy


A DDNS policy is a collection of information, including the DDNS server address, login user
name, password, DDNS client domain name, and DDNS interface. A single DDNS policy can
be bound to multiple interfaces, which simplifies the DDNS configuration.

Step 1 Choose Network > DNS > DDNS.

Step 2 Click Add in DDNS Policy List.

Step 3 Set the following DDNS policy parameters.

Parameter Description

Policy Name Unique DDNS policy name.


If the specified policy name is the same as an existing one, the
new configuration overwrites the previous one.
To identify DDNS policies easily, you can configure easy-to-
remember and meaningful names.

Domain Name Register the DDNS client domain name to the DDNS service
provider.

Service Provider Domain name of the supported DDNS service provider.

User Name User name used by the DDNS client to access the DDNS service
provider.
The user name must be registered to the DDNS service provider
in advance.

Password Password for the user name used by the DDNS client to access
the DDNS service provider.

Confirm Password Enter the password again; it must match the value in Password.


Parameter Description

Bound Interface Bind a DDNS policy to an existing interface.


You can perform either of the following operations:
l To bind another interface to the DDNS policy, click .
l To delete a binding entry, click .

Step 4 Click Confirm.


If the operation is successful, the new configuration is displayed in DDNS Policy List.
Repeat the previous operations to create multiple DDNS policies.

----End

Viewing the DDNS Policy Status


If the DDNS function is enabled and a DDNS policy is bound to an interface, the interface
automatically initiates an update request to the DDNS service provider. If the IP address or status
of the interface changes, the interface initiates an update request to the DDNS service provider
again.
With the DDNS policy status, you can learn about the dynamic update of the mapping between
IP addresses and domain names on the DNS server.

Step 1 Choose Network > DNS > DDNS.


Step 2 View Status of the DDNS policy in DDNS Policy List. The following lists the values and their
descriptions.

Parameter Description

Initial The DDNS function has not been enabled. The device does not initiate
update requests to the DDNS service provider.

Updating The device is initiating update requests to the DDNS service provider to
update the mapping between domain names and IP addresses of the DDNS
client in this policy on the DNS server.

Active The device initiates DDNS update requests and the update succeeds. The
mapping between domain names and IP addresses of the DDNS client in
this policy is updated on the DNS server.

Inactive The device initiates DDNS update requests but the update fails. The mapping
between domain names and IP addresses of the DDNS client in this policy
is not updated on the DNS server.

----End
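The following Python script is an added example; it is not code from this guide and does not reproduce the NGFW's DDNS implementation. It ties the DDNS mechanism of 8.3.2.4 to the policy fields and status values above: a policy object holds the provider, domain name, user name, password and bound interface, reacts to address or link-state changes on that interface by sending an update request, and moves through the Initial, Updating, Active and Inactive states according to the provider's answer. The update message uses the dyndns2-style HTTP API (GET /nic/update with HTTP basic authentication, answered with "good" or "nochg" on success), which is an assumption; check your provider's documentation. The provider hostname ddns.example.net, the credentials and the fake provider used to run the example offline are constructed.

```python
import base64
import urllib.parse
from typing import Callable, Optional


class DdnsPolicy:
    """A DDNS policy with the status values Initial / Updating / Active / Inactive."""

    def __init__(self, name, provider, domain, username, password, interface, enabled=True):
        self.name, self.provider, self.domain = name, provider, domain
        self.username, self.password, self.interface = username, password, interface
        self.enabled = enabled                  # the global "Enable DDNS" switch
        self.status = "Initial"
        self.registered_ip: Optional[str] = None

    def update_request(self, ip: str) -> str:
        """HTTP request asking the provider to map self.domain to ip (dyndns2 style, assumed)."""
        query = urllib.parse.urlencode({"hostname": self.domain, "myip": ip})
        cred = base64.b64encode(f"{self.username}:{self.password}".encode()).decode()
        return (f"GET /nic/update?{query} HTTP/1.1\r\nHost: {self.provider}\r\n"
                f"Authorization: Basic {cred}\r\nUser-Agent: ddns-example/1.0\r\n\r\n")

    def on_interface_change(self, ip: Optional[str], link_up: bool,
                            send: Callable[[str], str]) -> str:
        """Called when the bound interface's address or state changes; returns the new status.

        send() delivers the request to the provider and returns the response body.
        """
        if not self.enabled:
            return self.status                  # DDNS disabled: the policy stays Initial
        if not link_up or ip is None:
            return self.status                  # no address to register yet
        if self.status == "Active" and ip == self.registered_ip:
            return self.status                  # mapping on the DNS server is already current
        self.status = "Updating"
        reply = send(self.update_request(ip)).strip().split()
        if reply and reply[0] in ("good", "nochg"):   # dyndns2 success codes
            self.status, self.registered_ip = "Active", ip
        else:
            self.status = "Inactive"            # e.g. badauth, nohost, abuse
        return self.status


def fake_provider(valid_user: str, valid_password: str, log: list) -> Callable[[str], str]:
    """Constructed stand-in for a DDNS service provider so the example runs offline."""
    expected = "Basic " + base64.b64encode(f"{valid_user}:{valid_password}".encode()).decode()

    def send(request: str) -> str:
        log.append(request)
        headers = dict(line.split(": ", 1) for line in request.split("\r\n")[1:] if ": " in line)
        if headers.get("Authorization") != expected:
            return "badauth"
        params = urllib.parse.parse_qs(urllib.parse.urlparse(request.split(" ")[1]).query)
        return f"good {params['myip'][0]}"
    return send
```

The credentials travel in a Basic authorization header, so the request must go over TLS to the provider; an Inactive status after a "badauth" answer means the user name or password in the policy does not match what was registered with the provider, not that the interface is down.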

8.3.4.3 Configuring DNS Transparent Proxy


This section describes how to configure DNS transparent proxy on the web UI.


Prerequisites
- One or two DNS server addresses are obtained from each ISP as the DNS server addresses
bound on interfaces.
- You cannot deploy any DNS server on the intranet. If a DNS server is deployed on the
intranet, the DNS transparent proxy function does not take effect, because DNS query
messages are forwarded to the intranet DNS server for domain name resolution, and the
NGFW is not used for DNS transparent proxy on these DNS query messages.

Context
DNS transparent proxy must function with intelligent uplink selection (Policy-based Route or
Global Link Selection Policy) and ISP Address Database Link Selection to implement load
balancing. Intelligent uplink selection selects the outbound interface for forwarding DNS query
messages, and ISP address database link selection ensures that the service traffic is forwarded
to the Web server over the ISP network of the destination address. It is meaningless to configure
DNS transparent proxy independently, because the configuration does not take effect after
delivery. For details on the implementation of DNS transparent proxy, see DNS Transparent
Proxy.

Procedure
Step 1 Choose Network > DNS > DNS.

Step 2 Click Add in DNS Server List.

Step 3 Bind interfaces to the DNS servers, as shown in Figure 8-29. For parameter description, see
Table 8-53.

Figure 8-29 Binding interfaces to the DNS servers


Table 8-53 Parameters for binding interfaces to the DNS servers

Parameter | Description
WAN interface | Interface on the NGFW connecting to different ISP links. When a DNS query message is forwarded through this interface, the packet destination address is substituted with the DNS server address bound on the interface.
Preferred DNS server | Address of the DNS server on the ISP network connecting to the WAN interface. The NGFW substitutes the destination addresses of DNS query messages with the address of the preferred DNS server preferentially.
Alternate DNS server | Address of the DNS server on the ISP network connecting to the WAN interface. When the preferred DNS server is Down, the NGFW substitutes the destination addresses of DNS query messages with the address of the alternate DNS server.

Step 4 Click OK.

Step 5 Enable the DNS transparent proxy function and specify the DNS server addresses requiring
proxy processing, as shown in Figure 8-30. For parameter description, see Table 8-54.

Figure 8-30 Configuring DNS transparent proxy

Table 8-54 Parameters for configuring DNS transparent proxy

Parameter | Description
DNS Transparent Proxy | Select Enable to enable the DNS transparent proxy function.
Enter DNS server IP addresses | Specify the address of the DNS server that requires DNS transparent proxy. When an intranet user initiates a DNS request, the NGFW substitutes the destination address of the DNS query message with the DNS server address bound to the outbound interface. You need to enter the DNS server address specified on the client of the intranet user. After you bind interfaces to DNS servers, the addresses of the preferred and alternate DNS servers automatically become addresses requiring transparent proxy processing.

Step 6 In Domain Name Exception, click Add, and specify the domain names that do not require DNS
transparent proxy.

When an intranet user accesses a domain name that does not require DNS transparent proxy,
even if the DNS server address is in the Enter DNS server IP addresses list, the NGFW does
not perform DNS transparent proxy but directly forwards the DNS query message.

If the preferred DNS server address is specified for a domain name that exempts DNS transparent
proxy, the DNS request will be forwarded to this server, not the DNS server specified on the
client.

If both preferred and alternate DNS server addresses are specified, DNS requests will be
forwarded to the preferred DNS server. If the preferred DNS server is Down, DNS requests will
be forwarded to the alternate DNS server.

A maximum of 64 domain names that exempt DNS transparent proxy can be set.

----End

8.3.4.4 Configuring Single-Server Smart DNS


This section describes how to configure single-server smart DNS.

Prerequisites
- A web server has been deployed on an enterprise intranet, and web services have been
enabled.
- A DNS server has been deployed on the enterprise intranet and has the mappings between
domain names and the web server global address.
- Extranet users can access the web and DNS servers on the enterprise intranet.

Context
Single-server smart DNS must work with the NAT server function.

The address before smart DNS is the public address of the web server. The address after smart
DNS is the public address requested from other ISP networks.


The address before NAT server is the public address of the intranet web server or the public
address after smart DNS. The address after NAT server is the private address of the web server.

Procedure
Step 1 Choose Network > DNS > Smart DNS.

Step 2 Select Enable of Smart DNS and click Apply.

Step 3 In Smart DNS List, click Add.

Step 4 Enter the global IP address of the internal web server in DNS Reply Address.

Step 5 In Traffic Distribution Mode, select Based on ISP egresses, Round Robin, or Weighted
Round Robin as required.
NOTE

To ensure that the DNS reply address is on the same ISP network as the user's address and that traffic from
the same ISP arrives at the web server over the same link, select Based on ISP egresses.
To ensure that different DNS reply addresses are allocated to users so that traffic arrives at the web server
over different links for load balancing, select Round Robin or Weighted Round Robin.
- If you select Based on ISP egresses, click Add to configure ISP egress mappings in ISP
WAN Interface Mapping List.
As shown in Figure 8-31, the NGFW returns 3.3.3.10 to ISP1 users and 2.2.2.10 to ISP2 users.

Figure 8-31 Configuring ISP egress-based single-server smart DNS

- If you select Round Robin, select ISP egresses in ISP WAN Interface. In ISP WAN
Interface Mapping List, click Add to configure the public address of the ISP server.
As shown in Figure 8-32, for ISP1 or ISP2 users, the NGFW returns the configured address
(2.2.2.10 or 3.3.3.10) in round robin mode.


Figure 8-32 Round robin-based single-server smart DNS

- If you select Weighted Round Robin, select ISP egresses in ISP WAN Interface. In ISP
WAN Interface Mapping List, click Add to configure the public address and weight of
the ISP server.
As shown in Figure 8-33, for ISP1 or ISP2 users, the NGFW returns the configured address
(2.2.2.10 or 3.3.3.10) in weighted round robin mode.


Figure 8-33 Weighted round robin-based single-server smart DNS

For details on parameter settings, see Table 8-55.

Table 8-55 Single-server smart DNS parameters

Parameter | Description
Scenario | Select Single-server when only one web server is deployed on the enterprise intranet.
Description | Enter the description of smart DNS.
DNS Reply Address | Enter the public IP address of the intranet web server.
Traffic Distribution Mode | Select Based on ISP egresses, Round Robin, or Weighted Round Robin as required.
ISP WAN Interface | Select the interface connected to the ISP network.
ISP Server Public Address | Enter the server address to be sent to ISP users.
Weight | Set the weight for the public address of the ISP server. The NGFW allocates public addresses of ISP servers based on weights. This parameter is set only when Traffic Distribution Mode is set to Weighted Round Robin.

Step 6 Click OK.


Step 7 Choose Policy > NAT Policy > Server Mapping.

Step 8 In Server Mapping List, click Add.

Step 9 In New Server Mapping, configure server mapping. The following table lists server mapping
parameters.

Parameter | Description
Name | Enter the name of the server mapping.
Public IP Address | Enter the ISP Server Public Address, namely, the server global address sent to ISP users.
Private IP Address | Enter the private IP address of the intranet web server.

Step 10 Click OK.


NOTE

If multiple ISP egresses and public ISP server addresses are configured, configure server mapping repeatedly
to translate each public ISP server address into the private IP address of the ISP server.

----End

8.3.4.5 Configuring Multi-Server Smart DNS


This section describes how to configure multi-server smart DNS.

Prerequisites
- Multiple web servers have been deployed on an enterprise intranet, and web services have
been enabled.
- A DNS server has been deployed on the enterprise intranet and has the mappings between
domain names and web server global addresses.
- Extranet users can access the web and DNS servers on the enterprise intranet.

Context
Multi-server smart DNS must work with the NAT server function.

In a multi-server smart DNS scenario, you need to create multiple smart DNS mappings
(mappings between ISP egresses and public ISP server addresses).

The address before NAT server is the public address of the intranet web server. The address
after NAT server is the private address of the web server.

Procedure
Step 1 Choose Network > DNS > Smart DNS.

Step 2 Select Enable of Smart DNS and click Apply.

Step 3 In Smart DNS List, click Add.


Step 4 In Traffic Distribution Mode, select Based on ISP egresses, Round Robin, or Weighted
Round Robin as required.
NOTE

To ensure that the DNS reply address is on the same ISP network as the user's address and that traffic from
the same ISP arrives at the web server over the same link, select Based on ISP egresses.
To ensure that different DNS reply addresses are allocated to users so that traffic arrives at the web server
over different links for load balancing, select Round Robin or Weighted Round Robin.
- If you select Based on ISP egresses, click Add to configure ISP egress mappings in ISP
WAN Interface Mapping List.
As shown in Figure 8-34, the NGFW returns ISP1 server's public IP address 2.2.2.10 to
ISP1 users and ISP2 server's public IP address 3.3.3.10 to ISP2 users.

Figure 8-34 Configuring ISP egress-based multi-server smart DNS

- If you select Round Robin, select ISP egresses in ISP WAN Interface. In ISP WAN
Interface Mapping List, click Add to configure the public addresses of the ISP servers.
As shown in Figure 8-35, for ISP1 or ISP2 users, the NGFW returns the configured ISP
server public address (2.2.2.10 or 3.3.3.10) in round robin mode.


Figure 8-35 Round robin-based multi-server smart DNS

- If you select Weighted Round Robin, select ISP egresses in ISP WAN Interface. In ISP
WAN Interface Mapping List, click Add to configure the public addresses and weights
of the ISP servers.
As shown in Figure 8-36, for ISP1 or ISP2 users, the NGFW returns the configured ISP
server public address (2.2.2.10 or 3.3.3.10) in weighted round robin mode.


Figure 8-36 Weighted round robin-based multi-server smart DNS

For details on parameter settings, see Table 8-56.


Table 8-56 Multi-server smart DNS parameters

Parameter | Description
Scenario | Select Multi-server when multiple web servers are deployed on the enterprise intranet.
Description | Enter the description of smart DNS.
DNS Reply Address | Indicates the internet server address sent by the DNS server to users. The value is automatically generated on the basis of ISP Server Public Address in ISP WAN Interface Mapping List.
Traffic Distribution Mode | Select Based on ISP egresses, Round Robin, or Weighted Round Robin as required.
ISP WAN Interface | Select the interface connecting the NGFW to the ISP.
ISP Server Public Address | Enter the public address of the ISP server.
Weight | Set the weight for the public address of the ISP server. The NGFW allocates public addresses of ISP servers based on weights. This parameter is set only when Traffic Distribution Mode is set to Weighted Round Robin.

Step 5 Click OK.

Step 6 Choose Policy > NAT Policy > Server Mapping.

Step 7 In Server Mapping List, click Add.

Step 8 In New Server Mapping, configure server mapping. The following table lists server mapping
parameters.

Parameter | Description
Name | Enter the name of the server mapping.
Public IP Address | Enter the ISP Server Public Address, namely, the server global address sent to ISP users.
Private IP Address | Enter the private IP address of the intranet web server.

Step 9 Click OK.


NOTE

If multiple ISP egresses and public ISP server addresses are configured, configure server mapping repeatedly
to translate each public ISP server address into the private IP address of the ISP server.

----End


8.3.5 Configuring DNS Using the CLI


This section describes how to configure DNS, DDNS, DNS transparent proxy, and smart DNS
on the CLI.

8.3.5.1 Configuring the DNS Client


To allow the NGFW to access a website or other devices by domain name, you need to
configure the DNS client.

Configuring IPv4 Static Domain Name Resolution


If the NGFW needs to communicate with other devices by using domain names, you can configure
static domain name resolution on the NGFW. A DNS entry maps a domain name to an IPv4
address.

Prior to configuring IPv4 static domain name resolution, you must know the mapping between
the domain name and the IPv4 address. In case of a change in the mapping, you must modify
the DNS entry manually.

Step 1 Run:
system-view

Access the system view.

Step 2 Specify a host name and an IPv4 address mapped to the host name.
ip host host-name ip-address

The host-name parameter is case insensitive.

A host name is mapped to only a single IPv4 address. When you configure an IPv4 address for
a host several times, only the IPv4 address configured at the latest is valid. Repeat Step 2 to
allow the device to resolve several host names.

----End

Configuring IPv4 Dynamic Domain Name Resolution


Prerequisites

Before configuring IPv4 dynamic domain name resolution, complete the following tasks:

- Configure routes between the NGFW and DNS server.
- Configure a DNS server.

Context

Dynamic domain name resolution supports the domain name suffix list function. You can
configure specific domain name suffixes and enter some fields of a domain name before the
system automatically adds different suffixes to the domain name for resolution.

Procedure

Step 1 Access the system view.


system-view


Step 2 Enable dynamic IPv4 domain name resolution.


dns resolve

By default, dynamic domain name resolution is enabled.


Step 3 Specify an IPv4 DNS server.
dns server { ip-address | unnumbered interface interface-type interface-number }

Step 4 Optional: Add a suffix of the domain name.


dns domain domain-name

Step 5 Enable the DNS query function for a specific VPN instance.
dns server vpn-instance vpn-instance-name

If the interface connecting the NGFW to the DNS server belongs to a specific VPN instance,
you must enable DNS query for the VPN instance so that the interfaces of the VPN instance can
exchange DNS packets with the DNS server.
By default, the NGFW supports DNS query only for the public network VPN instance.

NOTE
Currently, the DNS query function takes effect only for the public network VPN instance or a specific VPN
instance. If you run the dns server vpn-instance command several times, the latest configuration
overwrites the previous ones.

----End

Configuring IPv6 Static Domain Name Resolution


Before configuring IPv6 static domain name resolution, you need to obtain the mapping
between domain names and IPv6 addresses, and you must manually modify an IPv6 DNS entry if a
mapping entry changes.

Step 1 Access the system view.


system-view

Step 2 Specify a host name and an IPv6 address mapped to the host name.
ipv6 host host-name ipv6-address

If you run this command repeatedly, the command configured first takes effect.

----End

Configuring IPv6 Dynamic Domain Name Resolution


Prerequisites
Before configuring IPv6 dynamic domain name resolution, complete the following tasks:

- Configure a DNS server.
- Configure routes between the NGFW and DNS server.

Context
An IPv6 DNS server is configured on an NGFW. If the IPv6 DNS server is configured with a
link-local address, the type and number of the outbound interface to the link-local address must
be configured on the NGFW.


NOTICE
If both IPv4 and IPv6 DNS servers are configured, query requests are processed based on their
types. If an IPv4 query request is generated, an A query packet is sent to an IPv4 DNS server, and
then an AAAA query packet to an IPv6 DNS server. If an IPv6 query packet is generated, the IPv6
DNS server is queried first, and then the IPv4 DNS server.
If multiple IPv4 or IPv6 DNS servers are configured, the query packet is sent to DNS servers of
the same type in configuration order until a correct response packet is received.

Procedure

Step 1 Access the system view.


system-view

Step 2 Enable IPv6 dynamic domain name resolution.


dns resolve

Step 3 Configure the IPv6 DNS server.


dns server ipv6 ipv6-address [ interface-type interface-number ]

Step 4 Configure the suffix of a domain name.


dns domain domain-name

If the DNS search for a host name fails, the system appends a configured domain name to the host
name after a dot (.) and continues the DNS search. You can configure some commonly used
domain names, such as "com" and "net". For example, if the search for the host name "example"
fails, the system then searches for "example.com" or "example.net".

----End

8.3.5.2 Configuring DNS Proxy


DNS proxy is deployed between the DNS client and DNS server to forward DNS request and
response packets, and serves as the DNS server to perform domain name resolution.

Configuring IPv4 DNS Proxy


Prerequisites

Before configuring IPv4 DNS proxy, complete the following tasks:

- Configure a DNS server.
- Configure routes between the NGFW and DNS server.

Context

If DNS proxy is configured and the IPv4 address of a DNS server changes, change the DNS
proxy configuration, but not the configuration on each client on the LAN, which simplifies
network management.

When forwarding DNS request packets to the DNS server, the NGFW uses the IP address of the
source port as the default source IP address of the DNS request packets. However, in some cases,
you need to set the source IP address of DNS request packets to other IP addresses.


As shown in Figure 8-37, when the NGFW forwards DNS request packets to the DNS server
using interface A, the NGFW uses the IP address of interface A as the source IP address of the
request packets by default. If the DNS server has only a route to the IP address of interface B,
you need to set the source IP address of DNS request packets to the IP address of interface B.
Otherwise, the route query fails, and the DNS server fails to send DNS response packets.

Figure 8-37 Networking diagram for setting a source address for DNS request packets

(Figure 8-37: Client, NGFW with Interface A and Interface B, DNS Server)

Procedure

Step 1 Access the system view.


system-view

Step 2 Enable IPv4 DNS proxy.


dns proxy enable

By default, the IPv4 DNS proxy function is disabled.

Step 3 Specify a DNS server.


dns server { ip-address | unnumbered interface interface-type interface-number }

Step 4 Optional: Specify the source address of request packets.


dns host source { interface-type interface-number | ip-address }

----End

Configuring IPv6 DNS Proxy


Prerequisites

Before configuring IPv6 DNS proxy, complete the following tasks:

- Configure a DNS server.
- Configure routes between the NGFW and DNS server.

Procedure

Step 1 Access the system view.

system-view

Step 2 Enable IPv6 DNS proxy.


dns proxy ipv6 enable

Step 3 Specify an IPv6 DNS server.


dns server ipv6 { ipv6-address [ interface-type interface-number ] | unnumbered interface interface-type interface-number { dhcpv6 | nd-ra } }

- If ipv6-address is set to a link-local address, such as FE80::1, you must set interface-type
interface-number to the outbound interface to the link-local address.
- To enable the interface to automatically obtain an IPv6 DNS server address, select dhcpv6
or nd-ra.

----End

8.3.5.3 Configuring DDNS


If the IPv4 address of a node changes, the DNS cannot dynamically update the mapping between
domain names and IPv4 addresses, while the DDNS can dynamically update the mapping on a
DNS server.

Configuring a DDNS Policy


A DDNS policy contains various DDNS server parameters. After a DDNS policy is created, you
can apply the same DDNS policy to different interfaces, which simplifies the DDNS
configuration.

Perform the following steps on a DDNS client.

Step 1 Access the system view.


system-view

Step 2 Create a DDNS policy and access the DDNS policy view.
ddns policy policy-name

Step 3 Specify the user name and password for accessing the website of a DDNS service provider
through the DDNS client.
ddns username username password password

Step 4 Specify the DDNS client domain name registered on the website of the DDNS service provider.
ddns client domain-name

Step 5 Specify the domain name of a DDNS service provider.


ddns server domain-name

The following domain names of DDNS service providers are supported:


- www.3322.org
- dyndns.org
- freedns.afraid.org
- zoneedit.com
- no-ip.com

----End

Applying a DDNS Policy


A DDNS client sends a request to update the mapping between domain names and IPv4 addresses
to a DDNS server only after a DDNS policy is applied to an interface.


Step 1 Access the system view.


system-view

Step 2 Enable the DDNS client function.


ddns client enable

Step 3 Access the interface view.


interface interface-type interface-number

Step 4 Apply the DDNS policy to the interface.


ddns apply policy policy-name

----End

Manually Updating DDNS


Manually updating DDNS can update the mapping between domain names and IPv4 addresses.
A DNS server provides the latest information to the DNS client.

Step 1 Access the system view.


system-view

Step 2 Access the DDNS policy view.


ddns policy policy-name

Step 3 Manually update the mapping between domain names and IPv4 addresses.
ddns refresh

----End

8.3.5.4 Configuring DNS Transparent Proxy


This section describes how to configure DNS transparent proxy on the CLI.

Prerequisites
- One or two DNS server addresses are obtained from each ISP as the DNS server addresses
bound to interfaces.
- You cannot deploy any DNS server on the intranet. If a DNS server is deployed on the
intranet, the DNS transparent proxy function does not take effect, because DNS query
messages are forwarded to the intranet DNS server for domain name resolution, and the
NGFW is not used for DNS transparent proxy on these DNS query messages.

Context
DNS transparent proxy must function with intelligent uplink selection (Policy-based Route or
Global Link Selection Policy) and ISP Address Database Link Selection to implement load
balancing. Intelligent uplink selection selects the outbound interface for forwarding DNS query
messages, and ISP address database link selection ensures that the service traffic is forwarded
to the Web server over the ISP network of the destination address. It is meaningless to configure
DNS transparent proxy independently, because the configuration does not take effect after
delivery. For details on the implementation of DNS transparent proxy, see DNS Transparent
Proxy.


Procedure
Step 1 Access the system view.

system-view

Step 2 Enable the DNS transparent proxy function.

dns transparent-proxy enable

By default, the DNS transparent proxy function is enabled.

Step 3 Set the IP address of the DNS server bound to the interface.

dns server bind interface interface-type interface-number preferred preferred-dns-address [ alternate alternate-dns-address ]

The NGFW uses the address of the preferred DNS server (preferred preferred-dns-address) to
replace the destination addresses of DNS query messages. When the preferred DNS server is
down, the NGFW will replace the destination addresses of DNS query messages with the address
of the alternate DNS server (alternate alternate-dns-address).

Step 4 Set the address of the DNS server that requires DNS transparent proxy.

dns transparent-proxy server server-address

The DNS server address specified in this command is the DNS server address specified on
clients. DNS transparent proxy uses the DNS server address bound to the interface to replace
this IP address.

Step 5 Specify the domain names that do not require DNS transparent proxy.

dns transparent-proxy exclude domain domain-name [ server preferred preferred-dns-address [ alternate alternate-dns-address ] ]

If you exclude a domain name from DNS transparent proxy, the NGFW directly forwards the DNS
query messages for that domain name without proxying them, even if the DNS server specified
on the client is configured for DNS transparent proxy.

If the preferred DNS server address is specified (server preferred preferred-dns-address) for
a domain name that exempts DNS transparent proxy, the DNS request will be forwarded to this
server, not the DNS server specified on the client.

If both preferred and alternate DNS server addresses are specified (server preferred preferred-
dns-address alternate alternate-dns-address), DNS requests will be forwarded to the preferred
DNS server. If the preferred DNS server is Down, DNS requests will be forwarded to the alternate
DNS server.

If the preferred DNS server address is deleted, the alternate DNS server automatically becomes
the preferred one.

If multiple domain names are to be exempted from DNS transparent proxy, run this command once
for each domain name. A maximum of 64 domain names that exempt DNS transparent proxy can be set.

----End
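The forwarding decision described in this section and in 8.3.4.3, modelled as an added Python example rather than NGFW code: interface names, server addresses, the client-side DNS server 10.0.0.53 and the Down state are constructed, and exact-match lookup of exempted domain names is an assumption the page does not confirm.

```python
"""Added example (not NGFW code): a model of the DNS transparent proxy decision
described in this section. Interface names, addresses and the Down state are
constructed; exact matching of exempted domain names is an assumption."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

MAX_EXEMPT_DOMAINS = 64   # stated limit on exempted domain names


@dataclass
class ServerPair:
    """preferred-dns-address [ alternate alternate-dns-address ]"""
    preferred: str
    alternate: Optional[str] = None


def pick(pair: ServerPair, down: Set[str]) -> Optional[str]:
    """Preferred server unless it is Down, then the alternate if configured and up."""
    if pair.preferred not in down:
        return pair.preferred
    if pair.alternate and pair.alternate not in down:
        return pair.alternate
    return None


@dataclass
class TransparentProxy:
    enabled: bool = True                                           # dns transparent-proxy enable (default)
    proxied: Set[str] = field(default_factory=set)                 # dns transparent-proxy server ...
    bindings: Dict[str, ServerPair] = field(default_factory=dict)  # dns server bind interface ...
    exempt: Dict[str, Optional[ServerPair]] = field(default_factory=dict)  # exclude domain ...
    down: Set[str] = field(default_factory=set)                    # servers currently Down (constructed)

    def bind(self, interface: str, preferred: str, alternate: Optional[str] = None) -> None:
        """Bound addresses automatically become addresses requiring proxy processing."""
        self.bindings[interface] = ServerPair(preferred, alternate)
        self.proxied.add(preferred)
        if alternate:
            self.proxied.add(alternate)

    def exclude(self, domain: str, preferred: Optional[str] = None,
                alternate: Optional[str] = None) -> None:
        """dns transparent-proxy exclude domain ... [ server preferred ... [ alternate ... ] ]"""
        key = domain.lower()
        if key not in self.exempt and len(self.exempt) >= MAX_EXEMPT_DOMAINS:
            raise ValueError("at most 64 exempted domain names")
        self.exempt[key] = ServerPair(preferred, alternate) if preferred else None

    def delete_preferred(self, domain: str) -> None:
        """Deleting the preferred address promotes the alternate to preferred."""
        pair = self.exempt.get(domain.lower())
        if pair is not None:
            self.exempt[domain.lower()] = ServerPair(pair.alternate) if pair.alternate else None

    def forward_to(self, client_dns: str, qname: str, out_interface: str) -> Tuple[str, str]:
        """Destination the NGFW sends one DNS query to, plus the reason."""
        if not self.enabled:
            return client_dns, "proxy disabled"
        # Exempted domains are honoured even when client_dns is in the proxied list.
        if qname.lower() in self.exempt:
            pair = self.exempt[qname.lower()]
            if pair is None:
                return client_dns, "exempt domain, forwarded unchanged"
            chosen = pick(pair, self.down)
            if chosen is None:   # both exempt servers Down: not covered by the page, assumed unchanged
                return client_dns, "exempt servers down, forwarded unchanged"
            return chosen, "exempt domain, sent to its own server"
        if client_dns not in self.proxied:
            return client_dns, "server not in proxied list"
        bound = self.bindings.get(out_interface)
        chosen = pick(bound, self.down) if bound else None
        if chosen is None:
            return client_dns, "no usable server bound on " + out_interface
        return chosen, "rewritten to server bound on " + out_interface


def demo() -> TransparentProxy:
    """Constructed two-ISP setup; clients point at 10.0.0.53, which is no intranet DNS server."""
    proxy = TransparentProxy()
    proxy.bind("GigabitEthernet1/0/1", "2.2.2.53", "2.2.2.54")   # ISP1 DNS servers
    proxy.bind("GigabitEthernet1/0/2", "3.3.3.53")               # ISP2 DNS server
    proxy.proxied.add("10.0.0.53")                               # address configured on clients
    proxy.exclude("mail.example.com")                            # exempt, forwarded unchanged
    proxy.exclude("vpn.example.com", "4.4.4.53", "4.4.4.54")     # exempt, uses its own servers
    return proxy


if __name__ == "__main__":
    p = demo()
    print(p.forward_to("10.0.0.53", "www.example.com", "GigabitEthernet1/0/1"))
    p.down.add("2.2.2.53")
    print(p.forward_to("10.0.0.53", "www.example.com", "GigabitEthernet1/0/1"))
```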


8.3.5.5 Configuring Single-Server Smart DNS


This section describes how to configure single-server smart DNS using the CLI.

Prerequisites
- A web server has been deployed on an enterprise intranet, and web services have been
enabled.
- A DNS server has been deployed on the enterprise intranet and has the mappings between
domain names and the web server address.
- Extranet users can access the web and DNS servers on the enterprise intranet.

Context
Single-server smart DNS must work with the NAT server function.

The address before smart DNS mapping is the intranet web server address, and the address after
smart DNS mapping is a public address obtained from another ISP.

The address before NAT server is the public address of the intranet web server or the public
address after smart DNS. The address after NAT server is the private address of the web server.

Procedure
Step 1 Enter the system view.

system-view

Step 2 Enable the smart DNS function.

dns-smart enable

By default, the smart DNS function is disabled.

Step 3 Create a smart DNS group and access the smart DNS group view.

dns-smart group group-id type single

Step 4 Set the original IP address of the source server before smart DNS mapping.

real-server-ip ip-address

This command applies only to single-server smart DNS scenarios. ip-address specifies the IP
address of the Web server on the enterprise intranet.

Step 5 Select a traffic allocation mode.

metric { out-interface | weightrr | roundrobin }

The ISP egress mode is used by default.


NOTE

After the metric command is executed, the smart DNS mapping table configured under the smart DNS group
is cleared. You need to run the out-interface map command to reconfigure the mapping table.
To ensure that the DNS reply address is on the same ISP network as the user's address and that traffic from the
same ISP arrives at the web server over the same link, select the ISP egress mode.
To ensure that different DNS reply addresses are allocated to users so that traffic arrives at the web server over
different links for load balancing, select the Round Robin or Weighted Round Robin mode.

If the round robin mode is selected, run the weight-rule roundrobin ip-address &<1–8>
command to configure weight rules. The default weight of each IP address is 32 and cannot be
changed.

If the weighted round robin mode is selected, run the weight-rule weightrr ip-address weight-
value &<1–8> command to configure weight rules. Each IP address can be allocated a different
weight.

Step 6 Configure smart DNS mapping.


- If the ISP egress-based traffic allocation mode is used, run the out-interface interface-type
interface-number map new-ip-address command to configure the outbound interface
mapping.
interface-type interface-number is the outbound interface on the NGFW connecting to a
specific ISP. new-ip-address is the IP address after smart DNS mapping. This address must
be obtained from the ISP network connected to interface-type interface-number.
NOTE

The NGFW takes the outbound interface and original server address configured in the out-interface
map command as matching conditions to match the payload information in the DNS reply packet.
If the information is consistent, the NGFW changes the DNS reply address to the mapped address
configured in the out-interface map command.
For example, if the original server address is 1.1.1.1 and mapping entry out-interface
GigabitEthernet 1/0/1 map 2.2.2.2 is configured, the NGFW takes 1.1.1.1 and GE1/0/1 as a pair of
matching conditions to match the payload information in the DNS reply packet.
If the address is 1.1.1.1 and the outbound interface is GE1/0/1 in the DNS reply packet, the NGFW
changes the address to 2.2.2.2. If the address is 2.2.2.2 and the outbound interface is GE1/0/1 in the
DNS reply packet, the NGFW does not change the address.
- If the traffic allocation mode is set to round robin or weighted round robin, run the out-
interface interface-type interface-number map weight-rule command to configure the
outbound interface mapping.
NOTE

The NGFW takes the outbound interface configured in the out-interface map command as a
matching condition to match the payload information in the DNS reply packet.

Step 7 Optional: Configure smart DNS group description information.

description description

Step 8 Exit from the smart DNS group view.

quit

Step 9 Configure NAT Server.


nat server name [ vpn-instance vpn-instance-name1 ] global { global-address [ global-address-end ] | interface interface-type interface-number } inside host-address [ host-address-end ] [ no-reverse ] [ vpn-instance vpn-instance-name2 ]

nat server name [ vpn-instance vpn-instance-name1 ] protocol protocol-type global { global-address | interface interface-type interface-number } [ global-port ] [ global-port-end ] inside host-address [ host-address-end ] [ host-port ] [ no-reverse ] [ vpn-instance vpn-instance-name2 ]

nat server name [ vpn-instance vpn-instance-name1 ] protocol protocol-type global global-address global-address-end [ global-port ] inside host-address [ host-address-end ] [ host-port ] [ no-reverse ] [ vpn-instance vpn-instance-name2 ]

nat server name [ vpn-instance vpn-instance-name1 ] zone zone-name global { global-address [ global-address-end ] | interface interface-type interface-number } inside host-address [ host-address-end ] [ no-reverse ] [ vpn-instance vpn-instance-name2 ]

nat server name [ vpn-instance vpn-instance-name1 ] zone zone-name protocol protocol-type global { global-address | interface interface-type interface-number } [ global-port ] [ global-port-end ] inside host-address [ host-address-end ] [ host-port ] [ no-reverse ] [ vpn-instance vpn-instance-name2 ]

nat server name [ vpn-instance vpn-instance-name1 ] zone zone-name protocol protocol-type global global-address global-address-end [ global-port ] [ global-port-end ] inside host-address [ host-address-end ] [ host-port ] [ no-reverse ] [ vpn-instance vpn-instance-name2 ]

----End

8.3.5.6 Configuring Multi-Server Smart DNS


This section describes how to configure multi-server smart DNS using the CLI.

Prerequisites
l Multiple web servers have been deployed on an enterprise intranet, and web services have
been enabled.
l A DNS server has been deployed on the enterprise intranet and has the mappings between
domain names and web server global addresses.
l Extranet users can access the web and DNS servers on the enterprise intranet.

Context
Multi-server smart DNS must work with the NAT server function.

In a multi-server smart DNS scenario, you need to create multiple smart DNS mappings
(mappings between ISP egresses and public ISP server addresses).

The address before NAT server is the public address of the intranet web server. The address
after NAT server is the private address of the web server.

Procedure
Step 1 Enter the system view.


system-view
Step 2 Enable the smart DNS function.
dns-smart enable
By default, the smart DNS function is disabled.
Step 3 Create a smart DNS group and access the smart DNS group view.
dns-smart group group-id type multi
Step 4 Select a traffic allocation mode.
metric { out-interface | weightrr | roundrobin }
The ISP egress mode is used by default.
If you select round robin or weighted round robin, configure corresponding weight rules.

NOTE

After the metric command is executed, the smart DNS mapping table configured under the smart DNS group
is cleared. You need to run the out-interface map to reconfigure the mapping table.
To ensure that the DNS reply address is on the same ISP network as the user's address and that traffic from the
same ISP arrives at the web server over the same link, select the ISP egress mode.
To ensure that different DNS reply addresses are allocated to users so that traffic arrives at the web server over
different links for load balancing, select the Round Robin or Weighted Round Robin mode.

If the round robin mode is selected, run the weight-rule roundrobin ip-address &<1–8>
command to configure weight rules. The default weight of each IP address is 32 and cannot be
changed.
If the weighted round robin mode is selected, run the weight-rule weightrr ip-address weight-
value &<1–8> command to configure weight rules. Each IP address can be allocated a different
weight.
Step 5 Configure smart DNS mapping.
l If the ISP egress-based traffic allocation mode is used, run the out-interface interface-type
interface-number map new-ip-address command to configure the outbound interface
mapping.
interface-type interface-number is the outbound interface on the NGFW connecting to a
specific ISP. new-ip-address is the address after smart DNS mapping, which is also the
public address of the ISP server on the intranet. One interface-type interface-number must
correspond to one new-ip-address. For example, interface GE1/0/0 on the NGFW
connecting to ISP1 must correspond to public IP address 1.1.1.10 of the ISP1 server.
NOTE

interface-type interface-number and new-ip-address in different mapping rules form a pair of matching
conditions. For example, if rules out-interface GigabitEthernet1/0/1 map 1.1.1.1 and out-interface
GigabitEthernet1/0/2 map 2.2.2.2 are configured, GigabitEthernet1/0/1 and 2.2.2.2 form a pair, and
GigabitEthernet1/0/2 and 1.1.1.1 form a pair.
If the address is 2.2.2.2 and the outbound interface is GigabitEthernet1/0/1 in the DNS reply packet, the
NGFW changes the address to 1.1.1.1. If the address is 1.1.1.1 and the outbound interface is
GigabitEthernet1/0/1 in the DNS reply packet, the NGFW does not change the address.
l If the traffic allocation mode is set to round robin or weighted round robin, run the out-
interface interface-type interface-number map weight-rule command to configure the
outbound interface mapping.


NOTE

The NGFW takes the outbound interface configured in the out-interface map command as a
matching condition to match the payload information in the DNS reply packet.

Step 6 Optional: Configure smart DNS group description information.
description description
Step 7 Exit from the smart DNS group view.
quit
Step 8 Configure NAT Server.
nat server name [ vpn-instance vpn-instance-name1 ] global { global-address [ global-address-end ] | interface interface-type interface-number } inside host-address [ host-address-end ] [ no-reverse ] [ vpn-instance vpn-instance-name2 ]

nat server name [ vpn-instance vpn-instance-name1 ] protocol protocol-type global { global-address | interface interface-type interface-number } [ global-port ] [ global-port-end ] inside host-address [ host-address-end ] [ host-port ] [ no-reverse ] [ vpn-instance vpn-instance-name2 ]

nat server name [ vpn-instance vpn-instance-name1 ] protocol protocol-type global global-address global-address-end [ global-port ] inside host-address [ host-address-end ] [ host-port ] [ no-reverse ] [ vpn-instance vpn-instance-name2 ]

nat server name [ vpn-instance vpn-instance-name1 ] zone zone-name global { global-address [ global-address-end ] | interface interface-type interface-number } inside host-address [ host-address-end ] [ no-reverse ] [ vpn-instance vpn-instance-name2 ]

nat server name [ vpn-instance vpn-instance-name1 ] zone zone-name protocol protocol-type global { global-address | interface interface-type interface-number } [ global-port ] [ global-port-end ] inside host-address [ host-address-end ] [ host-port ] [ no-reverse ] [ vpn-instance vpn-instance-name2 ]

nat server name [ vpn-instance vpn-instance-name1 ] zone zone-name protocol protocol-type global global-address global-address-end [ global-port ] [ global-port-end ] inside host-address [ host-address-end ] [ host-port ] [ no-reverse ] [ vpn-instance vpn-instance-name2 ]

----End
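Added example, not Huawei code: a small Python model of the smart DNS reply rewrite described in the NOTE under Step 6 of the single-server procedure and in the NOTE under Step 5 of this multi-server procedure, so that a planned mapping table can be checked offline before it is configured. The smooth weighted round robin scheduler, and the assumption that in the round robin modes only the weight-rule addresses are rewritten, are mine; interface names and addresses come from the examples in this section or are constructed.

```python
"""Model of the NGFW smart DNS reply rewrite (8.3.5.5 / 8.3.5.6).

Added example, not Huawei code: it applies the matching rules the text
states so the behaviour of a mapping table can be checked offline. The
weighted round robin scheduler is an assumption (smooth weighted rotation);
which addresses are rewritten in round robin mode is also an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DEFAULT_WEIGHT = 32  # fixed per-address weight in roundrobin mode (not changeable)


@dataclass
class SmartDnsGroup:
    group_type: str                                  # "single" or "multi"
    metric: str = "out-interface"                    # out-interface|roundrobin|weightrr
    real_server_ip: Optional[str] = None             # real-server-ip (single only)
    maps: Dict[str, str] = field(default_factory=dict)      # iface -> mapped address
    weights: Dict[str, int] = field(default_factory=dict)   # weight-rule entries
    _current: Dict[str, int] = field(default_factory=dict)  # scheduler state

    def set_metric(self, metric: str) -> None:
        """metric {...}: switching the mode clears the mapping table (per NOTE)."""
        if metric not in ("out-interface", "roundrobin", "weightrr"):
            raise ValueError(metric)
        self.metric = metric
        self.maps.clear()
        self._current.clear()

    def weight_rule(self, ip: str, weight: Optional[int] = None) -> None:
        """weight-rule roundrobin ip  |  weight-rule weightrr ip weight-value."""
        if self.metric == "roundrobin":
            weight = DEFAULT_WEIGHT           # 32, cannot be changed
        elif weight is None:
            raise ValueError("weightrr requires a weight value")
        self.weights[ip] = weight

    def out_interface_map(self, iface: str, target: str) -> None:
        """out-interface <iface> map { new-ip-address | weight-rule }."""
        self.maps[iface] = target

    def _next_weighted(self) -> str:
        # assumption: smooth weighted round robin over the weight rules
        total = sum(self.weights.values())
        best = None
        for ip, w in self.weights.items():
            self._current[ip] = self._current.get(ip, 0) + w
            if best is None or self._current[ip] > self._current[best]:
                best = ip
        self._current[best] -= total
        return best

    def rewrite(self, reply_addr: str, out_iface: str) -> str:
        """Address the NGFW places in a DNS reply that leaves out_iface."""
        if out_iface not in self.maps:
            return reply_addr                        # no rule for this egress
        if self.metric == "out-interface":
            mapped = self.maps[out_iface]
            if self.group_type == "single":
                # pair (real server address, outbound interface) -> mapped address
                return mapped if reply_addr == self.real_server_ip else reply_addr
            # multi: an address mapped on another interface is rewritten; the
            # address that belongs to this interface is left unchanged
            if reply_addr == mapped or reply_addr not in self.maps.values():
                return reply_addr
            return mapped
        # roundrobin / weightrr: only the outbound interface is matched;
        # assumption: only the configured server address(es) are rewritten
        servers = {self.real_server_ip} if self.group_type == "single" else set(self.weights)
        if reply_addr not in servers or not self.weights:
            return reply_addr
        return self._next_weighted()


def replies(group: SmartDnsGroup, addr: str, iface: str, n: int) -> List[str]:
    """Addresses returned for n successive replies carrying addr via iface."""
    return [group.rewrite(addr, iface) for _ in range(n)]


def single_server_example() -> SmartDnsGroup:
    """Configuration script of 8.3.6.4: ISP egress mode, one web server."""
    g = SmartDnsGroup("single", real_server_ip="1.1.1.10")
    g.out_interface_map("GigabitEthernet1/0/1", "2.2.2.10")
    return g


def multi_server_example() -> SmartDnsGroup:
    """Mapping rules from the NOTE under Step 5 of 8.3.5.6."""
    g = SmartDnsGroup("multi")
    g.out_interface_map("GigabitEthernet1/0/1", "1.1.1.1")
    g.out_interface_map("GigabitEthernet1/0/2", "2.2.2.2")
    return g


if __name__ == "__main__":
    print(single_server_example().rewrite("1.1.1.10", "GigabitEthernet1/0/1"))  # 2.2.2.10
    print(multi_server_example().rewrite("2.2.2.2", "GigabitEthernet1/0/1"))    # 1.1.1.1
```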

8.3.5.7 Maintaining DNS


After configuring DNS, you can run the display commands to view the configuration. You can
also clear DNS entries or enable the debugging function if necessary.


Displaying DNS Configuration


Table 8-57 lists the commands to display DNS configuration.

Table 8-57 Displaying DNS configuration

Action                                                  Command
Display information about static DNS entries.           display ip host
                                                        display ipv6 host
Display information about DNS servers.                  display dns server
Check the configurations about domain name suffixes.    display dns domain
Display information about dynamic DNS entries in the    display dns dynamic-host
domain name cache.                                      display dns ipv6 dynamic-host

Table 8-58 lists the commands to display DDNS configuration.

Table 8-58 Displaying DDNS configuration

Action                                                  Command
Display information about DDNS policies.                display ddns policy [ policy-name ]
Display information about a DDNS policy applied to a    display ddns interface interface-type interface-number
specific interface.
Display the current DDNS status.                        display ddns current-state

Table 8-59 shows the operations for displaying smart DNS configurations.

Table 8-59 Displaying smart DNS configurations

Action                                                  Command
Display smart DNS configurations.                       display dns-smart { group group-id | all }

Clearing DNS Entries


Table 8-60 lists the commands run in the user view to clear DNS entries.


Table 8-60 Clearing DNS entries

Action                                                  Command
Clear dynamic DNS entry statistics in the domain name   reset dns dynamic-host
cache.                                                  reset dns ipv6 dynamic-host

Debugging DNS
Before enabling the debugging, you must run the terminal monitor command in the user view
to enable the terminal information display function and the terminal debugging command in
the user view to enable the terminal debugging information display function.

NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.

For details on the description of the debugging commands, see Debugging Reference.

Table 8-61 lists the commands to debug DNS information.

Table 8-61 Debugging DNS

Action                                                  Command
Enable the dynamic DNS debugging.                       debugging dns
Enable the DNS packet debugging.                        debugging dns packet
Enable the DNS proxy debugging.                         debugging dnsproxy

Table 8-62 lists the commands to debug DDNS.

Table 8-62 Debugging DDNS

Action                                                  Command
Enable the debugging of all DDNS information.           debugging ddns all
Enable the DDNS error debugging.                        debugging ddns error
Enable the DDNS event debugging.                        debugging ddns event
Enable the DDNS function debugging.                     debugging ddns function
Enable the DDNS packet debugging.                       debugging ddns packet

8.3.6 Configuration Examples


This section provides examples for configuring DNS, DDNS, DNS proxy, DNS transparent
proxy, and smart DNS based on different requirements.

8.3.6.1 Web Example for Configuring DNS


This section provides an example for configuring the DNS function.

Networking Requirements
An NGFW functioning as a gateway connects PCs on an intranet to the Internet. The interface IP
addresses, a security zone, a security policy, and a NAT policy are configured on the NGFW.
The DNS function needs to be configured on the NGFW. The NGFW functions as a DHCP relay
agent and sends domain names that users on PCs enter to a DNS server on the Internet. Upon
receipt, the DNS server translates the domain names into IP addresses to allow the PCs to access
the Internet. The IP address of a DNS server on the Internet is 2.2.2.2.

Figure 8-38 DNS

[Figure: PCs on the intranet (Trust zone) connect to the NGFW at GE1/0/3 (10.3.0.1/24); the NGFW connects through GE1/0/1 (1.1.1.1/24, Untrust zone) to the DNS server 2.2.2.2.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the DNS function on the NGFW.


2. Enable the DNS proxy on the NGFW.
3. Set the IP address of the NGFW. This example provides the configuration procedure on
the NGFW, not on PCs.

Procedure
Step 1 Configure the DNS function on the NGFW.
1. Choose Network > DNS > DNS.


2. In DNS Server List, click Add.


3. In the DNS server address text box, enter the IP address of the DNS server 2.2.2.2.
4. Click OK.

Step 2 Enable the DNS proxy on the NGFW.


NOTE

This function can be configured only on the CLI.


<NGFW> system-view
[NGFW] dns proxy enable

----End

Configuration Verification
1. View the DNS server status.

a. Choose Network > DNS > DNS.


b. View DNS server information.
2. Check whether the PC on the intranet can use a domain name to access the Internet. If the
PC can access the Internet, the configuration succeeds. If the PC fails to access the Internet,
modify the configuration and try again.

Configuration Script
#
dns resolve
dns server 2.2.2.2
#
dns proxy enable
#
sysname NGFW
#
return

8.3.6.2 Web Example for Configuring DDNS


This section provides an example for configuring the DDNS function.

Networking Requirements
A company deploys an NGFW as the gateway to provide Internet access for the intranet and uses
the NAT server function of the NGFW to provide web services for Internet users. Interface
addresses, security zones, a security policy, and the NAT server function have been configured
on the NGFW. GigabitEthernet 1/0/1 on the NGFW dials up to log in and obtains a public IP
address that may change with each connection. The DDNS function is to be configured on the
NGFW to map the dynamic IP address to the domain name example.com. The configuration
allows users on the Internet to use the domain name to access the web server. A DNS server
(2.2.2.2) also needs to be configured on the NGFW to resolve the domain name of the DDNS
server for the NGFW.


Figure 8-39 DDNS networking

[Figure: the web server sits in the DMZ behind the NGFW; the intranet connects to GE1/0/3 (10.3.0.1/24); GE1/0/1 faces the Untrust zone, where the DNS server 2.2.2.2 and the DDNS server dyndns.org are reached.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure DNS and DDNS on the NGFW.


2. Assign 10.3.0.1 to the NGFW that functions as a gateway for the web server on the intranet.
This example provides the configuration procedure on the NGFW. The configuration
details on the web server are not provided.

Procedure
Step 1 Configure the DNS server function.
1. Choose Network > DNS > DNS.
2. Enter 2.2.2.2 in the text box.
3. Click OK.

Step 2 Configure the DDNS function.


1. Choose Network > DNS > DDNS.
2. In Configure DDNS, select the Enable check box.
3. Click Apply.
4. In DDNS Policy List, click Add and set the following parameters.

The following parameters are used as an example and vary depending on local operator
networks.

Table 8-63 DDNS policy parameters

Parameter            Description
Policy Name          abc
Domain Name          example.com
Service Provider     dyndns.org
User Name            abc
Password             Admin@1234
Confirm Password     Admin@1234
Bound Interface      GigabitEthernet 1/0/1

5. Click OK.

----End

Configuration Verification
1. View the DNS server status.
a. Choose Network > DNS > DNS.
b. View DNS server information.
2. View the DDNS status.
a. Choose Network > DNS > DDNS.
b. View DDNS policy information in DDNS Policy List.
3. Check whether a user on the Internet can use the domain name example.com to access the
web server. If the user successfully accesses the web server, the configuration is successful.
If the user fails to access the web server, modify the configuration and try again.

Configuration Script
#
dns resolve
dns server 2.2.2.2
#
dns proxy enable
#
ddns client enable
#
sysname NGFW
#
interface GigabitEthernet1/0/1
ddns apply policy abc
#
ddns policy abc
ddns username abc password %$%$;><#H@tZ'P-fu(/Ixr9H,{ri%$%$
ddns client
example.com
ddns server dyndns.org
#
return

8.3.6.3 Web Example for Configuring DNS Transparent Proxy


This section provides an example for configuring DNS transparent proxy.

Networking Requirements
As shown in Figure 8-40, an enterprise rents links from both ISP1 and ISP2. The bandwidth of
ISP1 link is 100M, and that of ISP2 link is 50M. The DNS server addresses of ISP1 are 8.8.8.8
and 8.8.8.9, and the DNS server addresses of ISP2 are 9.9.9.8 and 9.9.9.9. The DNS server
address specified on all intranet user clients is 10.2.0.70.


l The enterprise requires that the Internet access traffic of intranet users be distributed
to the ISP1 and ISP2 links in the ratio of 2:1, so that both links are fully used without being
congested and users' Internet access experience is improved.
l When intranet users access domain name www.example.com, the firewall does not perform
DNS transparent proxying, but the Web server address of the domain name must be resolved
by the specified DNS server (8.8.8.10).
l To prevent link congestion when the bandwidth usage of one link reaches a specified value,
subsequent traffic must be forwarded to the other ISP link.

Figure 8-40 Intranet users accessing DNS servers

[Figure: the NGFW connects the intranet (GE1/0/3, 10.3.0.1) to ISP1 through GE1/0/1 (1.1.1.1, 100M link; ISP1 DNS servers 8.8.8.8 and 8.8.8.9) and to ISP2 through GE1/0/7 (2.2.2.2, 50M link; ISP2 DNS servers 9.9.9.8 and 9.9.9.9). The DNS server 8.8.8.10 resolves www.example.com, whose web servers are on ISP1 and ISP2. All PCs use 10.2.0.70 as their DNS server address. Legend: DNS requests, modified DNS requests, Internet access traffic.]

Configuration Roadmap
Configure the transparent proxy function on the NGFW to distribute DNS query messages from
intranet users in the ratio of 2:1 to the DNS servers on ISP1 and ISP2 networks. In this case, the
Internet access traffic from intranet users can also be distributed to ISP1 and ISP2 links in the
ratio of 2:1. When processing DNS query messages, the DNS transparent proxy function replaces
the destination addresses of the messages with the DNS server address bound to the outbound


interface. The selection of the outbound interface depends on the intelligent uplink selection
function. Because the enterprise requires that the Internet access traffic can be distributed in the
ratio of 2:1 to both links, you need to set the intelligent uplink selection mode to load balancing
by link bandwidth. In the example, global link selection policies are configured. To ensure that
the Internet access traffic is directly forwarded to the Web server on the ISP network of the
destination address without taking a detour on other ISP networks, you need to configure ISP
address database link selection.

1. Configure DNS transparent proxy.


Bind the DNS server address on the outbound interface, specify the DNS server addresses
requiring DNS transparent proxy, and specify the domain names to be excluded.
2. Configure ISP address database link selection.
If you use the predefined ISP address file, skip this step. If you import a new ISP address
file, you need to set an ISP name and specify the mapping between the ISP name and the ISP
address file.
In this example, the address files of ISP1 and ISP2 are imported and named isp1_network
and isp2_network respectively.
3. Configure the outbound interfaces.
Set the interface IP address, gateway, bandwidth, and overload protection threshold, and
specify the ISP name corresponding to each interface.
4. Configure a global link selection policy.
Set the intelligent uplink selection mode to load balancing by link bandwidth and configure
the outbound interfaces on the NGFW connecting to ISP1 and ISP2 as intelligent uplink
selection member interfaces.

Procedure
Step 1 Choose Network > DNS > DNS.

Step 2 Click Add in DNS Server List and bind ISP1 DNS server address to interface GE1/0/1.

Step 3 Click Add in DNS Server List and bind ISP2 DNS server address to interface GE1/0/7.


Step 4 Select Enable of DNS Transparent Proxy and set the DNS server addresses requiring DNS
transparent proxy and the domain names to be excluded.

NOTE

DNS server addresses bound to the interface on the web UI will automatically become the addresses
requiring DNS transparent proxy. You can manually change them.

Step 5 Click Apply.

Step 6 Choose Network > Router > Intelligent Uplink Selection.

Step 7 Click the Carrier Address Library tab, then click Import, and set the following parameters.

Name isp1_network

Address Library File Click Browser and select the ISP1 address file to be uploaded.

Step 8 Click OK.

Step 9 Click Import again and set the following parameters.

Name isp2_network

Address Library File Click Browser and select the ISP2 address file to be uploaded.

Step 10 Click OK.


Step 11 Choose Network > Interface.

Step 12 Click of interface GE1/0/1 and set the following parameters.

NOTE

Because the DNS server addresses are bound to interfaces in DNS Server List, the addresses of the
preferred and alternate DNS servers are automatically displayed. If you change the addresses of the
preferred and alternate DNS servers, the configuration in DNS Server List is also changed.

Step 13 Click OK.

Step 14 Click of interface GE1/0/7 and set the following parameters.


Step 15 Click OK.

Step 16 Choose Network > Router > Intelligent Uplink Selection.

Step 17 Click the Global Route Selection Policy tab, then click Edit, and configure a global link
selection policy as follows:

----End

Configuration Verification
Choose Network > Router > Intelligent Uplink Selection. On the Global Route Selection
Policy tab, you can view the traffic statistics in the last five minutes, as shown in Figure 8-41.


Figure 8-41 Checking traffic statistics

Configuration Script
#
dns transparent-proxy enable
dns server bind interface GigabitEthernet1/0/1 preferred 8.8.8.8 alternate 8.8.8.9
dns server bind interface GigabitEthernet1/0/7 preferred 9.9.9.8 alternate 9.9.9.9
dns transparent-proxy server 10.2.0.70
dns transparent-proxy exclude domain www.example.com server preferred 8.8.8.10
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
gateway 1.1.1.254
bandwidth ingress 100000 threshold 90
bandwidth egress 100000 threshold 90
#
interface GigabitEthernet1/0/7
ip address 2.2.2.2 255.255.255.0
gateway 2.2.2.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
#
isp name isp1_network
isp name isp1_network set filename isp1_network.csv
isp name isp2_network
isp name isp2_network set filename isp2_network.csv
#
interface-group isp isp1_network interface GigabitEthernet1/0/1 route enable
interface-group isp isp2_network interface GigabitEthernet1/0/7 route enable
#
multi-interface
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/7
mode proportion-of-bandwidth
#
return

8.3.6.4 Web Example for Configuring Single-server Smart DNS in ISP Egress Mode
This section provides an example for configuring single-server smart DNS in ISP egress mode.

Networking Requirements
As shown in Figure 8-42, an enterprise deploys ISP1 server to provide the web service whose
domain name is www.example.com. The private IP address of ISP1 server is 10.1.1.10, and the
public IP address is 1.1.1.10. The DNS server on the enterprise intranet has the mapping between
domain name www.example.com and ISP1 server public address 1.1.1.10.


When ISP1 users access www.example.com, the domain name is resolved to the public IP
address 1.1.1.10 of the ISP1 server, the access traffic is transmitted over the ISP1 network
to the NGFW, and the NGFW uses the NAT Server function to map the public IP address to
the private IP address 10.1.1.10 of the ISP1 server.

The enterprise also applies for a public IP address 2.2.2.10 from ISP2. The enterprise requires
that when ISP2 users access www.example.com, the domain name can be resolved to this public
IP address, then the access traffic be transmitted over the ISP2 network to the NGFW, and the
NGFW can use the NAT Server function to map the public IP address to the private server IP
address 10.1.1.10.

Figure 8-42 ISP egress-based Single-server smart DNS networking

[Figure: the intranet DNS server holds the entry www.example.com -> 1.1.1.10; the ISP1 server (web server, 10.1.1.10) is behind the NGFW. The NGFW connects to ISP1 through GE1/0/0 and to ISP2 through GE1/0/1. ISP1 user 1.0.0.1 resolves the web server to 1.1.1.10; ISP2 user 2.1.1.1 resolves it to 2.2.2.10.]

Configuration Roadmap
To enable ISP2 users to obtain ISP2 address 2.2.2.10, configure smart DNS in ISP egress mode
to change IP address 1.1.1.10 after DNS resolution to 2.2.2.10.

Because only one web server is deployed on the intranet, you need to configure single-server
smart DNS in ISP egress mode. The configuration roadmap is as follows:

1. Enable smart DNS.


2. Configure single-server smart DNS in ISP egress mode.
3. Configure the NAT server function.
l Configure a NAT Server mapping for the NGFW to translate ISP1 public IP address
1.1.1.10 to the private IP address 10.1.1.10 of the ISP1 server, so that ISP1 users can
access the ISP1 server using a public IP address.


l Configure a NAT Server mapping for the NGFW to translate ISP2 public IP address
2.2.2.10 to the private IP address 10.1.1.10 of the ISP1 server, so that ISP2 users can
access the ISP1 server using a public IP address.
4. Configure the sticky load balancing function.

Procedure
Step 1 Choose Network > DNS > Smart DNS.

Step 2 Select Enable and click Apply.

Step 3 In Smart DNS List, click Add.

Step 4 In Create Smart DNS, configure single-server smart DNS and change the DNS server address
returned to ISP2 users from 1.1.1.10 (applied for from ISP1) to 2.2.2.10 (applied for from ISP2).

Step 5 Click OK.

Step 6 Choose Policy > NAT Policy > Server Mapping.

Step 7 In Server Mapping List, click Add.

Step 8 In Add Address Mapping, configure server mapping as follows to translate the public IP address
(1.1.1.10) of ISP1 server to the private IP address (10.1.1.10).

Name isp1_server_nat

Public IP Address 1.1.1.10

Private IP Address 10.1.1.10

Step 9 Click OK.

Step 10 Click Add again.

Step 11 In Add Address Mapping, configure server mapping as follows to translate IP address 2.2.2.10
after smart DNS mapping to private IP address 10.1.1.10 of the Web server.

Name isp2_server_nat

Public IP Address 2.2.2.10

Private IP Address 10.1.1.10

Step 12 Click OK.

Step 13 Choose Network > Interface.

Step 14 Click of interfaces GE1/0/0 and GE1/0/1 respectively and configure sticky load balancing
(in the example, basic interface settings, such as the interface IP addresses and default gateways,
have been completed).

----End

Configuration Verification
1. Run the ping www.example.com on the PC of an ISP2 user. The command output shows
that the returned server address is 2.2.2.10.
2. On the NGFW, choose Monitor > Session Table. The session table has the session entry
with Destination Address being 2.2.2.10 and NAT Destination Address being
10.1.1.10.

Configuration Script
#
nat server isp1_server_nat global 1.1.1.10 inside 10.1.1.10 no-reverse
nat server isp2_server_nat global 2.2.2.10 inside 10.1.1.10 no-reverse
#
dns-smart enable
#
dns-smart group 1 type single
real-server-ip 1.1.1.10
out-interface GigabitEthernet1/0/1 map 2.2.2.10
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1
reverse-route nexthop 1.1.1.2
#
interface GigabitEthernet1/0/1
ip address 2.2.2.2
reverse-route nexthop 2.2.2.3

8.3.6.5 Web Example for Configuring Multi-server Smart DNS in ISP Egress Mode
This section provides an example for configuring multi-server smart DNS in ISP egress mode.

Networking Requirements
As shown in Figure 8-43, an enterprise deploys two web servers to provide the web service
whose domain name is www.example.com. The public address of ISP1 server is 1.1.1.10, and


the private address is 2.2.2.10. The public address of ISP2 server is 2.2.2.10, and the private
address is 10.2.2.10. The DNS server on the enterprise intranet has the mappings between
domain name www.example.com and the two server public addresses (1.1.1.10 and
2.2.2.10).

The enterprise requires that when ISP1 users access www.example.com, the domain name can
be resolved to public IP address 1.1.1.10 of the ISP1 server, then the access traffic be transmitted
over the ISP1 network to the NGFW, and the NGFW can use the NAT Server function to map
the public IP address to the private IP address 10.1.1.10 of the ISP1 server. When ISP2 users
access www.example.com, the domain name can be resolved to public IP address 2.2.2.10 of
the ISP2 server, then the access traffic be transmitted over the ISP2 network to the NGFW, and
the NGFW can use the NAT Server function to map the public IP address to the private IP address
10.2.2.10 of the ISP2 server.

Figure 8-43 ISP egress-based multi-server smart DNS networking

(Figure not reproduced. It shows the enterprise DNS server holding the entry
www.example.com -> 1.1.1.10, 2.2.2.10; the NGFW with GE1/0/0 facing the ISP1 network and
GE1/0/1 facing the ISP2 network; the ISP1 web server with private IP address 10.1.1.10 and
public IP address 1.1.1.10; the ISP2 web server with private IP address 10.2.2.10 and public
IP address 2.2.2.10; an ISP1 user at 1.0.0.1 and an ISP2 user at 2.1.1.1.)

Configuration Roadmap
As shown in Figure 8-43, without smart DNS a user of either ISP may be given either ISP server
address (1.1.1.10 or 2.2.2.10). To enable ISP1 users to obtain the ISP1 server address and ISP2
users to obtain the ISP2 server address, configure smart DNS in ISP egress mode. The
configuration roadmap is as follows:

1. Enable smart DNS.


2. Because two web servers are deployed on the intranet, configure multi-server smart DNS
in ISP egress mode. Multi-server smart DNS associates each ISP egress interface with the
public address of the server reached through that ISP: associate GE1/0/0 (ISP1 network)
with public ISP1 server address 1.1.1.10 and GE1/0/1 (ISP2 network) with public ISP2
server address 2.2.2.10.
3. Configure NAT Server.
l Configure a NAT Server mapping for the NGFW to translate ISP1 public IP address
1.1.1.10 to the private IP address 10.1.1.10 of the ISP1 server, so that ISP1 users can
access the ISP1 server through its public IP address.
l Configure a NAT Server mapping for the NGFW to translate ISP2 public IP address
2.2.2.10 to the private IP address 10.2.2.10 of the ISP2 server, so that ISP2 users can
access the ISP2 server through its public IP address.
4. Configure the sticky load balancing function.

Procedure
Step 1 Choose Network > DNS > Smart DNS.

Step 2 Select Enable and click Apply.

Step 3 In Smart DNS List, click Add.

Step 4 In Create Smart DNS, configure multi-server smart DNS and set ISP1 server address returned
to ISP1 users to 1.1.1.10 and that to ISP2 users to 2.2.2.10.

Step 5 Click OK.

Step 6 Choose Policy > NAT Policy > Server Mapping.

Step 7 In Server Mapping List, click Add.

Step 8 In Add Address Mapping, configure server mapping as follows to translate the public IP address
(1.1.1.10) of ISP1 server to the private IP address (10.1.1.10).

Name isp1_server_nat

Public IP Address 1.1.1.10

Private IP Address 10.1.1.10


Step 9 Click OK.


Step 10 Click Add again.
Step 11 In Add Address Mapping, configure server mapping as follows to translate the public IP address
(2.2.2.10) of ISP2 server to the private IP address (10.2.2.10).

Name isp2_server_nat

Public IP Address 2.2.2.10

Private IP Address 10.2.2.10

Step 12 Click OK.


Step 13 Choose Network > Interface.

Step 14 Click the edit icon of GE1/0/0 and then of GE1/0/1 and configure sticky load balancing
on each (in this example, basic interface settings, such as the interface IP addresses and default
gateways, have already been completed).

----End

Configuration Verification
1. Run ping www.example.com on the PC of an ISP1 user. The command output shows
that the returned server address is 1.1.1.10.
2. Run ping www.example.com on the PC of an ISP2 user. The command output shows
that the returned server address is 2.2.2.10.

Configuration Script
#
nat server isp1_server_nat global 1.1.1.10 inside 10.1.1.10
nat server isp2_server_nat global 2.2.2.10 inside 10.2.2.10
#
dns-smart enable
#
dns-smart group 1 type multi
out-interface GigabitEthernet1/0/0 map 1.1.1.10
out-interface GigabitEthernet1/0/1 map 2.2.2.10
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1
reverse-route nexthop 1.1.1.2
gateway 1.1.1.2
#
interface GigabitEthernet1/0/1


ip address 2.2.2.2
reverse-route nexthop 2.2.2.3

8.3.7 Feature Reference


This section provides DNS references.

8.3.7.1 Feature History


This section describes the versions and changes in the DNS feature.

Version            Change Description

V100R001C30SPC100  Supported the configuration of an alternate DNS server for the domain
                   names that are exempt from DNS transparent proxy.

V100R001C30        Added the round robin- and weighted round robin-based smart DNS
                   functions.

V100R001C20SPC700  Added the setting of the source address of request packets.

V100R001C20SPC100  Added the DNS transparent proxy and smart DNS functions.

V100R001C00        The first version.

8.3.7.2 Reference Standards and Protocols


This section provides DNS standards and protocols.
DNS standards and protocols are as follows:
l RFC 1034: Domain Names - Concepts and Facilities
l RFC 1035: Domain Names - Implementation and Specification

8.4 DHCP
This section describes Dynamic Host Configuration Protocol (DHCP) concepts and how to
configure DHCP, as well as provides configuration examples.

8.4.1 Overview
The Dynamic Host Configuration Protocol (DHCP) applies to IPv4 networks to dynamically
assign information, such as IPv4 addresses to clients.

Definition
DHCP is a technology used to dynamically manage and configure IPv4 addresses for clients.
DHCP uses the client/server model. A client requests parameters from a server, such as an IPv4
address, default gateway address, DNS server address, and WINS server address, and the server
replies with the corresponding configuration parameters according to its policies. DHCP
dynamically allocates IPv4 addresses and lets you configure and manage the other network
parameters centrally on a server before they are delivered to clients.

Objective
As the network expands and network complexity increases, the number of PCs usually exceeds
the number of available IPv4 addresses. Furthermore, with the popularity of laptops and wireless
networks, PC locations and IPv4 addresses are changeable. To dynamically and properly assign
IPv4 addresses to hosts, DHCP is introduced.

DHCP is developed from the Bootstrap Protocol (BOOTP). BOOTP runs in a static
environment where each host has a fixed network connection. An administrator configures a
specific BOOTP parameter file for each host, and the file remains unchanged for a long period.

DHCP extends BOOTP in the following aspects:

l DHCP provides automatic allocation of reusable network addresses and configuration
options, which enables a PC to obtain the required configuration by sending a request.
l DHCP dynamically assigns an IPv4 address to each host, instead of requiring an IPv4
address to be specified for each host.

DHCP dynamically manages and configures IPv4 addresses for clients in a concentrated manner,
which simplifies manual configuration and enables enterprise users to adapt to frequent network
changes.

8.4.2 Application Scenario


This section describes DHCP applications.

DHCP Server
Applicable Environment

You can use a DHCP server to assign IP addresses in the following situations:

l Manually assigning IP addresses on a large network requires an ever-growing amount of
configuration.
l Only a few hosts on the network require fixed IP addresses.
l The number of hosts on the network exceeds the number of available IP addresses. Not all
hosts can obtain fixed IP addresses, so DHCP must be enabled to let hosts share IP addresses.

Typical Application

A DHCP server is used in the following application scenarios:

l The DHCP server and clients reside on the same network segment.
The NGFW functions as a DHCP server to connect to DHCP clients using a Layer 2 switch
(or hub) on the network shown in Figure 8-44.


Figure 8-44 Typical network and application of a DHCP server 1

(Figure not reproduced. The NGFW acts as the DHCP server and connects through two Layer 2
LAN switches to network segment 1, holding a WINS server and DHCP clients, and network
segment 2, holding a DNS server, an FTP server and DHCP clients.)

l The DHCP server and clients reside on different network segments.
A DHCP relay agent, shown in Figure 8-45, is deployed on the same network segment as
the clients. The DHCP relay agent helps the DHCP server dynamically allocate IP addresses
to the clients.

Figure 8-45 Typical network and application of a DHCP server 2

(Figure not reproduced. DHCP clients on network segment 1 and network segment 3 reach the
DHCP server on network segment 2 through a DHCP relay agent.)

You can use a DHCP server to implement the following functions:

l Configure address pools and an address lease, which enables the DHCP server to
dynamically allocate IP addresses to DHCP clients.


l Reserve IP addresses for devices with fixed IP addresses, such as an FTP server.
l Assign fixed IP addresses to servers and special hosts.
l Configure IP address detection to prevent the DHCP server from allocating a single IP
address to different clients.
l Configure network parameters on the DHCP server for the clients. The parameters include
DNS server addresses, default gateway addresses, and WINS server addresses.

DHCP Relay
Applicable Environment

A DHCP client sends a DHCP Request packet to apply for a dynamic IP address in broadcast
mode. This means that the DHCP server can receive the request only if the server is on the same
network segment as the client. Deploying a DHCP server on each network segment to assign IP
addresses is uneconomical.

DHCP relay can be used to address this problem. DHCP relay allows DHCP clients on different
network segments to communicate with a single DHCP server and obtain IP addresses. This
function helps reduce costs and facilitate centralized management.

Typical Application

The DHCP server and clients reside on different network segments, as shown in Figure 8-46.
A DHCP relay agent is deployed to enable DHCP clients to obtain configuration information,
such as IP addresses, from the DHCP server.

Figure 8-46 Typical networking application of DHCP relay

(Figure not reproduced. DHCP clients on network segment 1 and network segment 3 reach the
DHCP server on network segment 2 through a DHCP relay agent.)

DHCP Client
Applicable Environment


Some network border devices cannot be given fixed IP addresses because IP addresses are in
short supply. To address this problem, such devices can be configured as DHCP clients that
dynamically obtain IP addresses from a DHCP server.

Typical Application

In Figure 8-47, a building accesses the Internet through a router, and the router also works
as a DHCP server that assigns IP addresses to enterprise users in the building. The NGFW
functions as the gateway of a small enterprise in the building. The DHCP client function is
enabled on interface1 of the NGFW so that interface1 dynamically obtains network parameters,
including an IP address, from the DHCP server and the NGFW can provide online services for
enterprise users.

Figure 8-47 Typical networking application of a DHCP client

(Figure not reproduced. interface2 of the NGFW faces the enterprise network; interface1 faces
the edge network of the building, where the router acting as DHCP server is located.)

An NGFW that functions as a DHCP client provides the following services:

l Dynamically obtains network parameters, such as an IP address, an egress gateway, a DNS
server, a domain name suffix, and a static route.
l Proactively refreshes those network parameters (IP address, egress gateway, DNS server,
domain name suffix, and static route).

The DHCP client and server functions can be enabled on different interfaces of the same device.
For example, the DHCP client function is enabled on the NGFW interface1 that connects to the
network shown in Figure 8-47, on which the building resides. The DHCP client function enables
the interface to obtain an IP address and configurations from the DHCP server. Meanwhile, the
DHCP server function is enabled on the NGFW interface2 that connects to the enterprise
network. The DHCP server function enables interface2 to allocate IP addresses to PCs on the
enterprise network.

8.4.3 Mechanism
This section describes Dynamic Host Configuration Protocol (DHCP) mechanism.

Interaction Between the DHCP Server and Client


DHCP client accessing a network for the first time

When a DHCP client accesses a network for the first time, the DHCP client sets up a connection
to a DHCP server. The process consists of four stages, as shown in Figure 8-48.


Figure 8-48 Process for obtaining an IP address before a DHCP client accesses a network for
the first time

(Figure not reproduced. Between the DHCP client and the DHCP server: Step 1, discovering
stage, DHCPDISCOVER; Step 2, offering stage, DHCPOFFER; Step 3, selecting stage,
DHCPREQUEST; Step 4, acknowledge stage, DHCPACK/DHCPNAK.)

The process consists of the following phases:

1. Discovering phase: The DHCP client looks for a DHCP server.
The client broadcasts a DHCPDISCOVER message from UDP port 68 to the well-known
DHCP server port 67. Only DHCP servers respond to the message.
2. Offering phase: A DHCP server offers an IP address to the client.
After a DHCP server receives the DHCPDISCOVER message, the DHCP server selects
an unassigned IP address from an IP address pool and replies with a DHCPOFFER message
that contains the IP address, lease, and other settings (such as the gateway address and DNS
server address).
3. Selecting phase: The DHCP client selects an IP address.
If several DHCP servers send DHCPOFFER messages to the client, the client accepts only
the first DHCPOFFER message. The client then broadcasts a DHCPREQUEST message, so
that every DHCP server sees it, and changes to the request state. The DHCPREQUEST
message carries the identifier of the selected DHCP server and the IP address that server
offered.
4. Acknowledging phase: The DHCP server acknowledges an IP address.
After a DHCP server receives the DHCPREQUEST message from the client, one of the
following occurs:
l If the DHCP server is the one selected by the client, the server searches for a lease record
based on the MAC address in the DHCPREQUEST message.
– If the server finds a lease record, the DHCP server sends a DHCPACK message that
contains the offered IP address and other settings to the client. After the DHCPACK
message arrives, the client broadcasts a gratuitous ARP packet to check whether the
assigned IP address is used by another host. If the client receives no response, the
client uses the IP address. If the client receives a response, the client sends a
DHCPDECLINE message to notify the server of the IP address conflict. The client
then re-applies for an IP address.
– If the server does not find a lease record, or cannot assign an IP address, the DHCP
server sends a DHCPNAK message to inform the client that the IP address cannot
be assigned. Upon receipt, the client sends another DHCPDISCOVER message
requesting an IP address.
l If the DHCP server is not the one selected by the client, the DHCP server can assign
the IP address that it offered but that was not selected to another client.
DHCP client accessing a network not for the first time
If the DHCP client has successfully accessed the network once before, the DHCP client can set
up a connection to the DHCP server without broadcasting a DHCPDISCOVER message. Figure
8-49 describes the process for obtaining an IP address when the DHCP client accesses the
network not for the first time.

Figure 8-49 Process for obtaining an IP address when the DHCP client accesses the network
not for the first time

(Figure not reproduced. Between the DHCP client and the DHCP server: Step 1, selecting
stage, DHCPREQUEST; Step 2, acknowledge stage, DHCPACK/DHCPNAK.)

The process is as follows:

1. The DHCP client broadcasts a DHCPREQUEST message that contains the previously
assigned IP address.
2. Upon receipt, the DHCP server determines whether the IP address can be used by the client:
l If the IP address that the client requested is not assigned, the DHCP server sends a
DHCPACK message to notify the client of the available IP address. After receiving the
DHCPACK message from the DHCP server, the DHCP client continues to use the
original IP address and enters the binding state.
l If the IP address cannot be assigned to the client (because, for example, it has been
assigned to another client), the DHCP server sends a DHCPNAK message to the client.
After the client receives the DHCPNAK message, it enters the initial state and resends
a DHCPDISCOVER message requesting an IP address. The process between the DHCP
client and server is the same as that described in DHCP client accessing a network
for the first time.
DHCP client extending an IP address lease
There is a valid period for dynamically allocating a unique IP address to a client. A server
withdraws the IP address after the valid period elapses. If the client wants to continue using the
IP address, it needs to extend its IP address lease.
For detailed information about how to extend an IP address lease, see Leases and Timers.
DHCP client releasing its IP address
If a DHCP client no longer needs the IP address assigned to it, the DHCP client releases the IP
address and sends a DHCPRELEASE message to inform the DHCP server that the IP address


has been released. The DHCP server keeps the DHCP client settings and reuses the settings if
the client applies for a new IP address.

Interaction Between a DHCP Server and Client Using DHCP Relay

The broadcast packets of a DHCP client reach the DHCP server only when the client and server
reside on the same network segment. If the DHCP server and client reside on different network
segments, a DHCP relay agent must be configured to forward the DHCP packets exchanged
between the DHCP server and client across network segments. There are two possible scenarios:
l The DHCP client requests an address through DHCP relay for the first time.
l The DHCP client extends its address lease through DHCP relay.

The DHCP relay function is implemented on a specific interface, which is called the DHCP relay
interface. This interface must reside on the same network segment with the DHCP client and
can forward DHCP packets transparently between the DHCP client and server.

DHCP client using DHCP relay to request an address for the first time

Figure 8-50 shows the process for when a client uses DHCP relay to obtain an address for the
first time.

Figure 8-50 Process for a client using DHCP relay to request an address for the first time

(Figure not reproduced. Between DHCP client, DHCP relay and DHCP server: Step 1,
DHCPDISCOVER, broadcast from client to relay, unicast from relay to server; Step 2,
DHCPOFFER, unicast from server to relay and from relay to client; Step 3, DHCPREQUEST,
broadcast from client to relay, unicast from relay to server; Step 4, DHCPACK/DHCPNAK,
unicast from server to relay and from relay to client.)

The process is as follows:

1. The DHCP client broadcasts a DHCPDISCOVER message on the local network.
2. A DHCP relay-enabled device connected to the local network receives and handles the
message as follows:
a. The agent checks the Hops field in the message. If the value is greater than 4 (the
maximum number of hops allowed by DHCP relay), the device discards the message.
If the value is less than or equal to 4, the device proceeds with the following steps.
b. The agent checks the Relay Agent IP Address field in the message. If the value is
0.0.0.0, the device replaces it with the IP address of the DHCP relay interface and
forwards all received DHCP packets with the DHCP relay interface IP address as the
source IP address. If the value is not 0.0.0.0, the device leaves it unchanged.
c. The agent increases the Hops value by one, which indicates that the message has
passed through one more DHCP relay agent.
d. The agent changes the destination IP address in the message to the IP address of a
DHCP server or of the next DHCP relay agent.
e. The agent then sends the message in unicast mode to the specified DHCP server or to
another DHCP relay agent on another network.
3. After receiving the DHCPDISCOVER message, the DHCP server sends a unicast
DHCPOFFER message to the DHCP relay agent whose IP address matches the Relay
Agent IP Address field. The DHCPOFFER message carries the settings assigned to the
DHCP client, including an IP address on the same subnet as the address in the Relay Agent
IP Address field.
4. Upon receiving the message, the DHCP relay agent handles the packet as follows:
a. The agent checks the Relay Agent IP Address field in the message. If the value in
the field is not the IP address of the DHCP relay interface, the DHCP relay agent
discards the packet. If the value is the IP address of the DHCP relay interface, the
DHCP relay agent proceeds with the following steps.
NOTE

If there are several DHCP relay agents, the DHCP relay agent whose address matches the Relay
Agent IP Address field is nearest to the client. Other relay agents connected to the client do
not check the Relay Agent IP Address field.
b. The agent checks the broadcasting flag of the packet. If the broadcasting flag is 1, the
DHCP relay agent broadcasts the packet to the DHCP client. If the value is not 1, the
agent sends the unicast packet to the client. The Your (Client) IP Address field in
the packet carries the IP address of the client, and the Client Hardware Address field
carries the MAC address of the client.
5. The DHCP client sends a DHCPREQUEST message to the DHCP relay agent in response
to the DHCPOFFER message. Upon receiving the packet, the DHCP relay agent handles
the packet in the same way described in step 2 and forwards the packet in unicast mode to
the DHCP server.
6. The DHCP server then sends a DHCPACK or DHCPNAK message to the DHCP relay
agent. The DHCP relay agent handles the packet in the same way described in step 4 and
forwards the packet to the DHCP client.
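The following Python program is an added illustration of the two processes above (the four-stage first-time exchange of Figure 8-48 and the relay handling of steps 2 and 4 in Figure 8-50); it is not code from the NGFW or from Huawei. It encodes and decodes RFC 2131 messages (fixed header plus TLV options), runs a toy server with one address pool, and routes the client's messages through a relay that applies the Hops limit of 4 stated in the text, fills the Relay Agent IP Address field, and chooses broadcast or unicast delivery from the broadcast flag. The server address, pool, relay interface address and client MAC address are constructed values.

```python
"""RFC 2131 message codec, toy DHCP server and relay agent (constructed example)."""
import ipaddress
import struct

# Fixed header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr,
# giaddr, chaddr(16), sname(64), file(128), magic cookie -> 240 bytes in total.
HDR = "!BBBBIHH4s4s4s4s16s64s128s4s"
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
DISCOVER, OFFER, REQUEST, ACK, NAK = 1, 2, 3, 5, 6
OPT_REQUESTED_IP, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 50, 51, 53, 54, 255
BROADCAST_FLAG = 0x8000
MAX_HOPS = 4          # the Hops limit given in the text (assumed, not read from a device)


def ip4(addr):
    return ipaddress.IPv4Address(addr).packed


def encode(op, xid, chaddr, msg_type, hops=0, flags=0, yiaddr="0.0.0.0",
           giaddr="0.0.0.0", options=()):
    """Build a DHCP message; only the fields this example needs are settable."""
    hdr = struct.pack(HDR, op, 1, 6, hops, xid, 0, flags, ip4("0.0.0.0"), ip4(yiaddr),
                      ip4("0.0.0.0"), ip4(giaddr), chaddr.ljust(16, b"\0"),
                      b"\0" * 64, b"\0" * 128, MAGIC)
    body = bytes([OPT_MSG_TYPE, 1, msg_type])
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return hdr + body + bytes([OPT_END])


def decode(pkt):
    """Parse the fixed header and the option TLVs into a dict."""
    f = struct.unpack(HDR, pkt[:240])
    msg = {"op": f[0], "hops": f[3], "xid": f[4], "flags": f[6],
           "yiaddr": str(ipaddress.IPv4Address(f[8])),
           "giaddr": str(ipaddress.IPv4Address(f[10])), "chaddr": f[11][:6], "options": {}}
    i = 240
    while i < len(pkt) and pkt[i] != OPT_END:
        if pkt[i] == 0:                       # pad option has no length byte
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        msg["options"][code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return msg


def relay_to_server(pkt, relay_if_ip):
    """Client-to-server direction (step 2): drop when Hops > 4, fill a zero Relay
    Agent IP Address with the relay interface address, then Hops += 1."""
    hops, giaddr = pkt[3], pkt[24:28]
    if hops > MAX_HOPS:
        return None
    if giaddr == b"\0\0\0\0":
        giaddr = ip4(relay_if_ip)
    return pkt[:3] + bytes([hops + 1]) + pkt[4:24] + giaddr + pkt[28:]


def relay_to_client(pkt, relay_if_ip):
    """Server-to-client direction (step 4): accept only a reply whose Relay Agent IP
    Address is this relay interface; the broadcast flag selects the delivery mode."""
    m = decode(pkt)
    if m["giaddr"] != relay_if_ip:
        return None
    return ("broadcast" if m["flags"] & BROADCAST_FLAG else "unicast", pkt)


class Server:
    """Toy DHCP server: one pool, leases keyed by client MAC (constructed)."""

    def __init__(self, server_ip, pool):
        self.ip, self.free, self.leases = server_ip, list(pool), {}

    def handle(self, pkt):
        m = decode(pkt)
        kind = m["options"][OPT_MSG_TYPE][0]
        common = dict(flags=m["flags"], giaddr=m["giaddr"])   # echoed back to the relay
        opts = [(OPT_SERVER_ID, ip4(self.ip)), (OPT_LEASE, struct.pack("!I", 86400))]
        if kind == DISCOVER:
            offer = self.leases.get(m["chaddr"]) or (self.free[0] if self.free else None)
            if offer is None:
                return None
            return encode(BOOTREPLY, m["xid"], m["chaddr"], OFFER, yiaddr=offer, options=opts, **common)
        if kind == REQUEST:
            if m["options"].get(OPT_SERVER_ID) != ip4(self.ip):
                return None                   # another server was selected; our offer stays free
            want = str(ipaddress.IPv4Address(m["options"][OPT_REQUESTED_IP]))
            if want in self.free:             # the offer is committed only now
                self.free.remove(want)
                self.leases[m["chaddr"]] = want
            if self.leases.get(m["chaddr"]) != want:
                return encode(BOOTREPLY, m["xid"], m["chaddr"], NAK, options=opts[:1], **common)
            return encode(BOOTREPLY, m["xid"], m["chaddr"], ACK, yiaddr=want, options=opts, **common)
        return None


def first_time_exchange(server, relay_if_ip, chaddr, xid=0x3903F326):
    """Stages 1-4 of Figure 8-48 with the relay of Figure 8-50 in the path.
    Returns (assigned IP or None, Hops value seen by the server, delivery mode)."""
    discover = encode(BOOTREQUEST, xid, chaddr, DISCOVER, flags=BROADCAST_FLAG)
    mode, offer = relay_to_client(server.handle(relay_to_server(discover, relay_if_ip)), relay_if_ip)
    o = decode(offer)
    request = encode(BOOTREQUEST, xid, chaddr, REQUEST, flags=BROADCAST_FLAG,
                     options=[(OPT_REQUESTED_IP, ip4(o["yiaddr"])),
                              (OPT_SERVER_ID, o["options"][OPT_SERVER_ID])])
    forwarded = relay_to_server(request, relay_if_ip)
    mode, reply = relay_to_client(server.handle(forwarded), relay_if_ip)
    r = decode(reply)
    assigned = r["yiaddr"] if r["options"][OPT_MSG_TYPE][0] == ACK else None
    return assigned, decode(forwarded)["hops"], mode


if __name__ == "__main__":
    srv = Server("10.2.0.1", ["10.1.0.10", "10.1.0.11"])
    print(first_time_exchange(srv, "10.1.0.1", b"\x00\xe0\x4c\x86\x58\xeb"))
```

Two details worth noticing when reading a capture: the relay's Hops increment and giaddr rewrite are the only bytes it touches on the way to the server, and a server that is not named in Option 54 of the DHCPREQUEST leaves its offered address available for the next client, exactly as the text describes.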

DHCP client extending its address lease using DHCP relay

Figure 8-51 shows the process for when the DHCP client extends its address lease using DHCP
relay.


Figure 8-51 Process for a client extending the address lease using DHCP relay

(Figure not reproduced. When T1 expires: Step 1, the client unicasts DHCPREQUEST directly
to the DHCP server; Step 2, the server unicasts DHCPACK/DHCPNAK back to the client.
When T2 expires: Step 1, the client broadcasts DHCPREQUEST, which the DHCP relay unicasts
to the server; Step 2, the server unicasts DHCPACK/DHCPNAK to the relay, which delivers it
to the client.)

T1: Indicates that the Lease Renewing Timer expires.
T2: Indicates that the Rebinding Timer expires.

l After the Lease Renewing Timer on the DHCP client expires, the DHCP client attempts to
renew the IP address lease without using DHCP relay:
1. The DHCP client sends a DHCPREQUEST message in unicast mode to the DHCP
server that assigned the IP address to the client last time.
2. Upon receiving the message, the DHCP server directly sends a DHCPACK or
DHCPNAK message to the client in unicast mode. If the DHCP client receives a
DHCPACK message, the lease is renewed. If the client receives a DHCPNAK
message, the lease is not renewed, and the client must apply for a new IP address.
l After the Rebinding timer on the DHCP client expires, the DHCP client performs the
following steps to renew the lease using DHCP relay:
NOTE

After a DHCP relay agent receives a message from the client or server, the DHCP relay agent handles
the message as described in DHCP client using DHCP relay to request an address for the first
time.

1. The DHCP client broadcasts a DHCPREQUEST message. The DHCP relay agent
handles the message and forwards it to the DHCP server in unicast mode.
2. The DHCP server sends a DHCPACK or DHCPNAK message to the client through
the DHCP relay agent. If the client receives a DHCPACK message, the lease is
renewed. If the client receives a DHCPNAK message, the lease is not renewed,
and the client must apply for a new IP address.

Address Pools
Address pool structure

A DHCP server establishes an address pool in a tree structure. The root of the tree is a natural
network segment address, the branches are subnet addresses, and the leaves are the manually
bound client addresses.


Figure 8-52 Address pool with a tree structure

(Figure not reproduced. Root: address pool A, 10.0.0.0 255.0.0.0. Children of A: address pool
B, 10.1.0.0 255.255.0.0, and address pool C, 10.2.0.0 255.255.0.0. Children of B: address
pool D, 10.1.1.0 255.255.255.0, and static address pool E binding IP 10.1.2.1 to MAC
00e0-4c86-58eb. Child of C: address pool F, 10.2.1.0 255.255.255.0.)

Figure 8-52 shows the tree structure. The tree lets a subnet (child node) inherit the
configuration of its natural network segment (parent node), so parameters such as DNS server
addresses need to be configured only once, on either the natural network segment or the subnet.

The inheritance relationships are as follows:

l After you establish a parent-child relationship, a child address pool inherits the
configurations of the parent address pool.
l If you configure the parent address pool after establishing the parent-child relationship,
either of the following occurs:
– If the child address pool has no setting of its own, it inherits the parent address pool setting.
– If the child address pool already has its own setting, it does not inherit the parent address
pool setting.

Address pool selection principles

After a client sends a DHCPREQUEST message to a DHCP server, the DHCP server selects an
IP address from an address pool based on the following principles before delivering parameters,
including an IP address, to the client:

l If the server has an address pool that contains an IP address that is statically bound to the
MAC address of the client, the server selects the address pool and assigns the IP address
to the client.
l If no address pool contains an IP address that is statically bound to the MAC address of the
client, one of the following address pools is selected:
– When the client and server are on the same network segment, the most specific address
pool (the one with the longest mask) that contains the destination IP address of the
DHCPREQUEST message
– When the client and server are on different network segments and the client obtains an
IP address through DHCP relay, the most specific address pool (the one with the longest
mask) that contains the IP address in the Relay Agent IP Address field of the
DHCPREQUEST message
If none of the IP addresses in the selected address pool are available, the server cannot
assign an IP address to the client; it does not fall back to the parent address pool.
For example, two address pools are configured on a DHCP server, with dynamic-allocation
network segments 1.1.1.0/24 and 1.1.1.0/25. If the IP address of the interface that receives
the DHCPREQUEST messages is 1.1.1.1/25, the server selects an IP address from address
pool 1.1.1.0/25 for the client. If none of the IP addresses in address pool 1.1.1.0/25 are
available, the server cannot assign an IP address to the client. If the destination IP address
of the DHCPREQUEST messages is 1.1.1.130/25, which lies outside 1.1.1.0/25, the server
selects an IP address from address pool 1.1.1.0/24 for the client.

IP address allocation sequence

A DHCP server selects an IP address in the following sequence before assigning the IP address
to a client:

1. An IP address that is statically bound to the client's MAC address
2. The IP address previously assigned to the client, which the client carries in its
DHCPDISCOVER message
3. The IP address specified in Option 50 (Requested IP Address) of the DHCPDISCOVER
message sent by the client
4. The first available IP address found when the server searches the DHCP address pool
5. An IP address whose lease has expired
6. An IP address previously recorded as conflicting with an address in use

If no IP address is available at any of these steps, the server sends an error message.
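The following Python model is an added illustration of the pool selection principles, the six-step allocation sequence and the ping-based conflict detection described in this section; it is not NGFW code. Pools are `ipaddress` networks with their own free, expired and conflict lists; `in_use` stands in for the server's ping probe and is a constructed callback. The pools 1.1.1.0/24 and 1.1.1.0/25 and the addresses used are those of the example above; the static binding reuses the MAC and address of static pool E in Figure 8-52.

```python
"""Address-pool selection and allocation order (constructed model, not NGFW code)."""
import ipaddress


class Pool:
    """One node of the address-pool tree."""

    def __init__(self, cidr, free=(), expired=(), conflicting=(), static=None):
        self.net = ipaddress.ip_network(cidr)
        self.free = list(free)                   # never-assigned addresses, in search order
        self.expired = list(expired)             # addresses whose lease has lapsed
        self.conflicting = list(conflicting)     # addresses flagged by conflict detection
        self.static = dict(static or {})         # MAC -> IP manual bindings (the tree's leaves)
        self.leases = {}                         # MAC -> IP currently assigned


def select_pool(pools, client_mac, anchor_ip):
    """anchor_ip is the receiving interface address (same segment) or the Relay Agent
    IP Address field (via relay). A static binding wins; otherwise the most specific
    pool (longest mask) containing anchor_ip is chosen. No parent fallback."""
    for pool in pools:
        if client_mac in pool.static:
            return pool
    anchor = ipaddress.ip_address(anchor_ip)
    matches = [p for p in pools if anchor in p.net]
    return max(matches, key=lambda p: p.net.prefixlen) if matches else None


def allocate(pool, client_mac, requested_ip=None, in_use=lambda ip: False, probes=3):
    """Walk the six-step allocation sequence within one pool. in_use(ip) models the
    server's ping: an address that answers any of the probes is parked in the
    conflict list and the search moves on. Returns (ip or None, reason)."""

    def candidates():
        if client_mac in pool.static:
            yield pool.static[client_mac], "static binding"
        if client_mac in pool.leases:
            yield pool.leases[client_mac], "previously assigned"
        if requested_ip in pool.free:
            yield requested_ip, "requested (Option 50)"
        for ip in list(pool.free):
            yield ip, "first free address"
        for ip in list(pool.expired):
            yield ip, "expired lease"
        for ip in list(pool.conflicting):
            yield ip, "formerly conflicting"

    for ip, reason in candidates():
        if reason == "static binding" or not any(in_use(ip) for _ in range(probes)):
            for bucket in (pool.free, pool.expired, pool.conflicting):
                if ip in bucket:
                    bucket.remove(ip)
            pool.leases[client_mac] = ip
            return ip, reason
        for bucket in (pool.free, pool.expired):   # somebody answered the ping
            if ip in bucket:
                bucket.remove(ip)
        if ip not in pool.conflicting:
            pool.conflicting.append(ip)
    return None, "no address available"


if __name__ == "__main__":
    pools = [Pool("1.1.1.0/24", free=["1.1.1.200"]), Pool("1.1.1.0/25", free=["1.1.1.20"])]
    print(select_pool(pools, "dddd-eeee-ffff", "1.1.1.1").net)      # 1.1.1.0/25
    print(select_pool(pools, "dddd-eeee-ffff", "1.1.1.130").net)    # 1.1.1.0/24
```

The design point to keep from this model is the one the text makes about exhaustion: when the selected /25 pool runs out, `allocate` returns no address rather than reaching into the enclosing /24, so a pool that is too small for its segment fails visibly instead of leaking addresses from a sibling range.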

Leases and Timers


A lease is the period beginning when a DHCP client obtains an IP address assigned by a DHCP
server and ending when the DHCP client stops using the IP address. The DHCP client uses the
Lease renewal timer, Rebinding timer, and Lease expiration timer to control leases.

The DHCP server defines a specific lease for each address pool, and the addresses in the same
DHCP address pool have the same lease.

Table 8-64 lists the timers and their values.

Table 8-64 Timers and their values

Timer             Value

Lease renewal     50% of the lease

Rebinding         87.5% of the lease

Lease expiration  The lease configured on the DHCP server (the default lease is 1 day)


On a DHCP client assigned an IP address, the three timers take effect as follows:
l After the Lease renewal timer expires, the DHCP client changes from the binding state to
the renewing state. The DHCP client automatically sends a DHCPREQUEST message to
the DHCP server that has assigned an IP address to the DHCP client.
l The follow-up procedure depends on the Rebinding timer:
– Upon receipt of the DHCPREQUEST message but before the Rebinding timer expires,
the DHCP server checks the IP address to be renewed before proceeding with either of
the following operations:
– If the IP address is valid, the DHCP server replies with a DHCPACK message to
the client to renew the lease. The DHCP client then re-enters the binding state and
resets the Lease renewal and Rebinding timers.
– If the IP address is invalid, the DHCP server replies with a DHCPNAK message to
the DHCP client. The DHCP client enters the initializing state and requests a
new IP address.
– After the Rebinding timer expires and the client receives no response, the client
considers the original DHCP server to be unavailable and broadcasts a
DHCPREQUEST message.
l After the rebinding follow-up procedure, the follow-up procedure depends on the Lease
expiration timer:
– Before the Lease expiration timer expires, any DHCP server on the network may reply
to the DHCPREQUEST message:
– If the client receives a DHCPACK message, it enters the binding state and resets the
Lease renewal and Rebinding timers.
– If the client receives a DHCPNAK message, it enters the initializing state, stops
using the existing IP address, and requests a new IP address.
– After the Lease expiration timer expires and the client receives no response, it stops
using this IP address immediately, returns to the initializing state, and requests a new
IP address.
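
The timer and state transitions above, modelled as an added example (this edit's own Python, not Huawei code): the timer ratios come from Table 8-64, the message names are standard DHCP, and the class and function names are this example's own.

```python
"""DHCP client lease timers and renew/rebind states (added example, not Huawei code).

Models the client behaviour described above: Lease renewal at 50% of the
lease, Rebinding at 87.5%, expiry at 100% (Table 8-64), and the state changes
triggered by those timers and by DHCPACK/DHCPNAK replies.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

RENEWAL_RATIO = 0.5                 # Lease renewal timer (T1)
REBINDING_RATIO = 0.875             # Rebinding timer (T2)
DEFAULT_LEASE_SECONDS = 24 * 3600   # the guide's default lease: 1 day


def lease_timers(lease_seconds: int) -> Tuple[float, float, float]:
    """Offsets (renewal, rebinding, expiration) in seconds from the lease start."""
    return (lease_seconds * RENEWAL_RATIO,
            lease_seconds * REBINDING_RATIO,
            float(lease_seconds))


@dataclass
class DhcpClient:
    lease_seconds: int = DEFAULT_LEASE_SECONDS
    state: str = "binding"      # binding | renewing | rebinding | initializing
    lease_start: float = 0.0    # time at which the current lease was granted

    def _phase(self, now: float) -> str:
        """Which timer window the clock is in for the current lease."""
        renewal, rebinding, expiration = lease_timers(self.lease_seconds)
        elapsed = now - self.lease_start
        if elapsed < renewal:
            return "binding"
        if elapsed < rebinding:
            return "renewing"
        if elapsed < expiration:
            return "rebinding"
        return "expired"

    def tick(self, now: float) -> Optional[str]:
        """Advance the clock to `now`; return the message the client sends, if any."""
        if self.state == "initializing":
            return "DHCPDISCOVER"            # no address: keep asking for a new one
        phase = self._phase(now)
        if phase == "expired":
            # Lease expiration timer fired with no reply: drop the address at once.
            self.state = "initializing"
            return "DHCPDISCOVER"
        if phase == "rebinding" and self.state != "rebinding":
            # Rebinding timer fired: the original server is treated as unavailable.
            self.state = "rebinding"
            return "DHCPREQUEST(broadcast)"
        if phase == "renewing" and self.state == "binding":
            # Lease renewal timer fired: ask the server that granted the lease.
            self.state = "renewing"
            return "DHCPREQUEST(unicast)"
        return None

    def receive(self, msg: str, now: float) -> None:
        """Apply a server reply to the client's state."""
        if msg == "DHCPACK":
            self.state = "binding"
            self.lease_start = now           # renewal and rebinding timers restart
        elif msg == "DHCPNAK":
            self.state = "initializing"      # address invalid: request a new one


if __name__ == "__main__":
    client = DhcpClient(lease_seconds=3600)
    for t in (0, 1800, 3150, 3600):
        print(t, client.tick(t), client.state)
```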

Address Conflict Detection


Before assigning an IP address to a DHCP client, a DHCP server pings the IP address to be
assigned to prevent IP address conflicts.
The ping command checks for IP address conflicts. If a DHCP server receives no response after
a specific period of time, the DHCP server resends ping packets to the address. If the server
sends a maximum number of ping packets and receives no response, the server considers the IP
address not to be in use and assigns this unique IP address to a client.

8.4.4 DHCP Configuration Using the Web UI


This section describes how to use the Web UI to configure DHCP.

8.4.4.1 Configuring a DHCP Server


A DHCP server provides dynamic and static address allocation and supports customized
configurations of DNS servers, gateways, WINS servers, NetBIOS node types, and Option fields
for clients.

Context
If a DHCP server and clients are on the same network segment, the DHCP server provides the
clients with dynamically assigned IP addresses, statically configured IP addresses, designated
DNS servers, gateways, and WINS servers. If the DHCP server and clients are on different
network segments, the DHCP server works with a DHCP relay agent to assign network
parameters, including IP addresses, to the clients.

The DHCP server and relay services cannot coexist on the same interface.

Procedure
Step 1 Choose Network > DHCP Server > Settings.

Step 2 Click Add.

Step 3 Set the following parameters.

Parameter Description

Interface Name Name of the interface on which the DHCP server function is
configured.
The interface must be an existing one and Connection Type
must be set to Static IP.

Type DHCP protocol type on an interface:
l IPv4: enables DHCPv4. IPv4 is selected in this example.
l IPv6: enables DHCPv6.

Service Type Enable either the DHCP server or relay service on this interface.
When the DHCP server is enabled on the interface, the Service
Type must be set to Server.

IP Addresses Range Range of IP addresses assigned to a DHCP client.
By default, the system takes the IP address mask range for the
interface as the assignable IP address range. For example, the IP
address of an interface is 192.168.1.5 255.255.255.0. When you
create a DHCP server on the interface, the system considers IP
Addresses Range to be 192.168.1.1 to 192.168.1.254 by default.
Because 192.168.1.5 is the IP address of the interface, this IP
address will not be assigned. If the assignable IP address range
is different from the default value, you can specify this
parameter.
To assign a correct IP address, perform either of the following
operations:
l On a relay-disabled network, configure the range to be the
same as the network segment on which the IP address of the
interface for the DHCP server resides.
l On a relay-enabled network, configure the range to be the
same as the network segment on which the IP address of the
interface for the DHCP relay resides.
NOTE
The DHCP relay interface transparently forwards DHCP messages
between the DHCP client and server.

Subnet Mask Subnet mask of the IP address assigned to a DHCP client. The
subnet mask determines which part of an IP address serves as the
network/subnet ID and which part serves as a host ID.
For example, the subnet mask of a relay-enabled network can be
the same as the mask of the IP address of a DHCP relay interface.
By default, the system uses the mask of the interface IP address
as the subnet mask. If necessary, you can change the subnet mask.

Default Gateway Default gateway assigned to a DHCP client.
The default gateway must be on the same network segment as
the IP address of the DHCP client. If the DHCP client and server
reside on the same network segment, the default gateway is the
IP address of the interface on which the DHCP server is enabled.
If they reside on different network segments and DHCP relay is
enabled, the default gateway assigned by the DHCP server to the
DHCP client is the IP address of the DHCP relay interface.
NOTICE
The default gateway address cannot be a broadcast address or network
address.

DNS Service Method used to set the DNS server address:
l Use System DNS Setting: enables DNS proxy on the DHCP
server and takes the default gateway address as a DNS server
address.
l Specify: specifies a DNS server address.
This parameter must be specified when the DHCP client accesses
the Internet by using domain names. The DNS and DHCP servers
must be routable to each other.

Primary DNS Server Primary DNS server address assigned to a DHCP client.
This parameter needs to be specified when DNS Service is
Specify.

Secondary DNS Server Secondary DNS server address assigned to a DHCP client.
When the DHCP client fails to resolve domain names using the
primary DNS server, the DHCP client requests the secondary
DNS server for domain name resolution.
This parameter can be specified when DNS Service is Specify.
The secondary DNS server address must be different from the
primary one.

Advanced

Domain Name Domain name suffix assigned to a DHCP client.
After a DHCP client obtains a domain name suffix assigned by
a server and accesses network resources using domain names,
the client automatically adds the domain name suffix to an
incomplete domain name that a user enters to form a complete
domain name.

Lease Duration Lease for an address assigned to a DHCP client. The lease
specifies how long the DHCP client can use the IP address
assigned by the server.
You can set an address lease based on how long the clients of an
address pool stay connected to the physical network. If clients on
a wireless network frequently disconnect from the network, you
can decrease the address lease, such as to 0 days 8 hours 0 minutes.
If clients stay connected to the network for a long, stable period
of time, you can increase the lease or even set an infinite period.

Primary WINS Server Primary WINS server address assigned to a DHCP client.
Hosts running the Windows operating system and NetBIOS
resolve NetBIOS host names to IP addresses. The resolution
methods for NetBIOS host name include local name resolution,
broadcast query, and WINS server resolution. WINS server
resolution is implemented by a WINS server.
The primary WINS server and DHCP server must be routable.

Secondary WINS Server Secondary WINS server address assigned to a DHCP client.
When the DHCP client fails to resolve NetBIOS host names
using the primary WINS server, the client requests the secondary
WINS server for host name resolution.
The secondary WINS server and DHCP server must be routable.

Reserved IP Address IP addresses that cannot be automatically assigned.
IP addresses that are already in use, such as by a DNS server,
must not be assigned to clients automatically, so you reserve
them. This configuration prevents address conflicts and shortens
the detection time during address assignment, which improves
DHCP address assignment efficiency.
Before you designate IP addresses as reserved, enable the DHCP
service and the DHCP server function on the interface. If these
prerequisites are not met, complete them in the dialog box that is
displayed when you create a reserved IP address.
l To create a reserved IP address:
1. Click Add and enter the first and last IP addresses. For
parameters, see the following information.
2. Click Confirm.
Repeat as needed to create multiple reserved IP addresses or
an IP address range.
l To delete a reserved IP address,
1. Select the check box of the reserved IP address or
addresses you wish to delete or the check box in the table
header to select all of the entries.
2. Click Delete.

Start IP Address First IP address in a range of IP addresses that are not assigned
automatically.
The configuration takes effect when the first IP address is listed
in IP Addresses Range.

End IP Address Last IP address in a range of IP addresses that are not assigned
automatically.
The last IP address must be on the same network segment with
the first IP address and higher than the first IP address. The
configuration takes effect when the last IP address is listed in IP
Addresses Range.
If you do not specify the last IP address, only the first IP address
is reserved.

Static Address Binding Bind IP addresses to be assigned in IP Addresses Range to MAC
addresses of clients.
When the DHCP server receives an IP address request with a
MAC address of a client, the DHCP server assigns a unique IP
address bound to the MAC address to the client.
Before you configure static address binding, enable the DHCP
service and the DHCP server function on the interface. If these
prerequisites are not met, complete them in the dialog box that is
displayed when you create static address binding.
l To add an entry:
1. Click Add and enter the IP address and MAC address of
a host. For parameters, see the following information.
2. Click Confirm.
Repeat as needed to create multiple bindings between IP
addresses and MAC addresses. The IP and MAC addresses
must be unique.
l To delete entries:
1. In the static address binding list, select the check boxes of
the entries you want to delete, or select the check box in the
table header to select all of the entries.
2. Click Delete.

Bound Host IP Address IP address to be bound to a MAC address.
The configuration takes effect when the IP address to be bound
to a MAC address is listed in IP Addresses Range.

Bound Host MAC Address MAC address to be bound to an IP address.

Step 4 Click Apply.

If the operation is successful, DHCP Service Information List is displayed on the page, and
new configuration items are added to the list.

Repeat as needed to configure the DHCP server function on multiple interfaces.

----End
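
The constraints stated in the parameter table above (default IP Addresses Range with the interface address excluded, gateway, primary/secondary DNS, reserved ranges and static bindings), checked by an added example that is not Huawei code; DhcpPlan, validate_plan and the two sample plans are this example's own constructions.

```python
"""DHCP server address-plan checks (added example, not Huawei code).

Applies the rules stated for the Web UI parameters above: the default IP
Addresses Range, the excluded interface address, gateway, primary/secondary
DNS, reserved ranges and static bindings. DhcpPlan and validate_plan are this
example's own names; the two sample plans at the bottom are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional, Tuple

AddrRange = Tuple[IPv4Address, IPv4Address]


@dataclass
class DhcpPlan:
    # Interface whose segment the clients share: the DHCP server interface,
    # or the DHCP relay interface when relay is used.
    interface: IPv4Interface
    ip_range: Optional[AddrRange] = None            # None -> default range
    gateway: Optional[IPv4Address] = None
    primary_dns: Optional[IPv4Address] = None
    secondary_dns: Optional[IPv4Address] = None
    # (start, end) pairs; an end of None reserves only the start address
    reserved: List[Tuple[IPv4Address, Optional[IPv4Address]]] = field(default_factory=list)
    static_bindings: List[Tuple[IPv4Address, str]] = field(default_factory=list)


def default_range(iface) -> AddrRange:
    """Default IP Addresses Range: all host addresses of the interface's
    segment, e.g. 192.168.1.5/24 -> 192.168.1.1 .. 192.168.1.254."""
    net = IPv4Interface(str(iface)).network
    if net.prefixlen >= 31:
        raise ValueError("segment has no assignable host addresses")
    return net.network_address + 1, net.broadcast_address - 1


def effective_range(plan: DhcpPlan) -> AddrRange:
    return plan.ip_range if plan.ip_range is not None else default_range(plan.interface)


def validate_plan(plan: DhcpPlan) -> List[str]:
    """Return the rule violations found; an empty list means the plan passes."""
    problems: List[str] = []
    net = plan.interface.network
    lo, hi = effective_range(plan)
    if lo not in net or hi not in net:
        problems.append("ip_range must lie on the interface's network segment")
    if plan.gateway is not None:
        if plan.gateway in (net.network_address, net.broadcast_address):
            problems.append("gateway must not be the network or broadcast address")
        elif plan.gateway not in net:
            problems.append("gateway must be on the clients' network segment")
    if plan.primary_dns is not None and plan.secondary_dns == plan.primary_dns:
        problems.append("secondary DNS must differ from the primary DNS")
    for start, end in plan.reserved:
        end = start if end is None else end
        if end < start:
            problems.append(f"reserved {start}-{end}: end is lower than start")
        elif start not in net or end not in net:
            problems.append(f"reserved {start}-{end}: not on the interface's segment")
        elif not (lo <= start and end <= hi):
            problems.append(f"reserved {start}-{end}: outside IP Addresses Range, no effect")
    seen_ips, seen_macs = set(), set()
    for ip, mac in plan.static_bindings:
        mac = mac.lower()
        if not lo <= ip <= hi:
            problems.append(f"binding {ip}: outside IP Addresses Range, no effect")
        if ip in seen_ips or mac in seen_macs:
            problems.append(f"binding {ip}/{mac}: IP and MAC addresses must be unique")
        seen_ips.add(ip)
        seen_macs.add(mac)
    return problems


def assignable_addresses(plan: DhcpPlan) -> List[IPv4Address]:
    """Addresses the server may hand out: the range minus the interface's own
    address and every reserved address (statically bound ones stay in the pool)."""
    lo, hi = effective_range(plan)
    blocked = {plan.interface.ip}
    for start, end in plan.reserved:
        end = start if end is None else end
        blocked.update(IPv4Address(n) for n in range(int(start), int(end) + 1))
    return [IPv4Address(n) for n in range(int(lo), int(hi) + 1)
            if IPv4Address(n) not in blocked]


# Constructed sample plans (addresses taken from this section's examples).
GOOD_PLAN = DhcpPlan(
    interface=IPv4Interface("192.168.1.5/24"),
    gateway=IPv4Address("192.168.1.5"),
    primary_dns=IPv4Address("10.1.1.3"), secondary_dns=IPv4Address("10.1.1.4"),
    reserved=[(IPv4Address("192.168.1.10"), IPv4Address("192.168.1.20"))],
    static_bindings=[(IPv4Address("192.168.1.100"), "00e0-fc12-3456")])
BAD_PLAN = DhcpPlan(
    interface=IPv4Interface("192.168.1.5/24"),
    gateway=IPv4Address("192.168.1.255"),                                  # broadcast address
    primary_dns=IPv4Address("10.1.1.3"), secondary_dns=IPv4Address("10.1.1.3"),  # same as primary
    reserved=[(IPv4Address("192.168.1.20"), IPv4Address("192.168.1.10"))],       # end below start
    static_bindings=[(IPv4Address("192.168.1.100"), "00e0-fc12-3456"),
                     (IPv4Address("192.168.1.101"), "00E0-FC12-3456")])          # MAC reused
```

validate_plan(GOOD_PLAN) returns an empty list and assignable_addresses(GOOD_PLAN) has 242 entries (254 hosts minus the interface address and the 11 reserved ones); validate_plan(BAD_PLAN) reports four violations.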

8.4.4.2 Configuring DHCP Relay


This section describes how to configure DHCP relay. DHCP relay helps a DHCP client on a
specific network segment obtain an IP address from a DHCP server on another network segment.
DHCP relay also allows DHCP clients on different network segments to share a DHCP server.

Prerequisites
l A DHCP server has been configured based on a global address pool.
No interface address pool can be configured for the DHCP server interface that connects
to the DHCP relay agent.
l The DHCP server and DHCP relay interface are reachable to each other.
l The DHCP relay interface and client reside on the same network segment.
The IP address of the DHCP relay interface must be on the same network segment as the
IP address that the DHCP server assigns to the client.
l The default gateway address of the DHCP client must be the IP address of the DHCP relay
interface.

Context
The DHCP server and relay cannot be configured on the same interface.

Procedure
Step 1 Choose Network > DHCP Server > Settings.

Step 2 Click Add.

Step 3 Set the following parameters.

Parameter Description

Interface Name Name of the interface on which the DHCP relay function is
configured.
The interface must exist. Connection Type can be set only to
Static IP, and the interface IP address must be on the same
network segment as the DHCP client.

Type Protocol type:
l IPv4: enables DHCPv4.
l IPv6: enables DHCPv6.

Service Type Enable either the DHCP server or relay service on this interface.
When DHCP relay is enabled on the interface, the Service
Type must be Relay.

IPv4 Server IP Address IP address that a DHCP server assigns and the DHCP relay agent
forwards to a client.

Step 4 Click Apply.

If the operation is successful, DHCP Service Information List is displayed on the page, and
new configuration items are added to the list.

Repeat previous operations to configure the DHCP relay function on multiple interfaces.

----End

8.4.4.3 Monitoring DHCP


By querying address lease information on a DHCP server, you can view the IP address assigned
by the DHCP server, user MAC addresses, and IP address binding type. You can also determine
whether the lease has expired.

Refreshing the Address Lease


Step 1 Choose Network > DHCP Server > Monitor.

Step 2 Click Refresh to display the latest address lease information.

----End

Querying Address Leases


You can query only the IP addresses that have been assigned by a DHCP server and have not
expired, as well as the static IP addresses that are not yet assigned to clients.

Step 1 Choose Network > DHCP Server > Monitor.

Step 2 Perform one of the following operations to query address leases:
l Select All from the search box.
l Select Interface Name from the search box and select interface names.
l Select IP Address from the search box and select IP addresses.

Step 3 Click Query.

Parameter Description

IP Address IP address that a DHCP server assigns to a client.

MAC Address MAC address of the client to which a DHCP server assigns an
IP address.

Lease Expiration Expiration date and time of the lease for an IP address assigned
by a DHCP server. Values and their meanings are as follows:
l Specific time (such as 2011-11-7 18:01:20): Date and time
when a lease expires.
l NOT used: A statically bound lease is not assigned to the
specific client yet.
l Unlimited: A lease does not expire.

Status Binding status of an IP address assigned by a DHCP server.
Values and their meanings are as follows:
l Static address binding: The DHCP server statically assigns
a fixed IP address to the client with a specified MAC address.
l Dynamic assignment: To be confirmed: The DHCP server
assigns an IP address dynamically, and the binding between
the IP address and MAC address is temporarily specified after
the DHCP server sends a DHCPOFFER packet.
l Dynamic assignment: Succeeded: The DHCP server
assigns an IP address dynamically, and the binding between
the IP address and MAC address is successfully specified
after the DHCP server sends a DHCPACK packet.
l Released: After the client applies for IP address release, the
DHCP server cancels the binding between the IP address and
MAC address.

----End

8.4.5 DHCP Configuration Using the CLI


This section describes how to use a command line interface (CLI) to configure DHCP.

8.4.5.1 Configuring a DHCP Server


A DHCP server provides dynamic address allocation and static address allocation services, and
supports customized configuration of the DNS servers, gateways, WINS servers, NetBIOS
node types, and Option fields of a client.

Configuration Flow
The configuration flow for a DHCP server helps you find the configuration operations that
apply to your scenario.

Figure 8-53 Flow for configuring a DHCP server

[Flowchart: Start > Enabling DHCP service > select either or both of the following branches.
Branch A, assigning client IP addresses and network parameters (based on a global address pool):
Configuring a reserved IP address > Configuring dynamic address allocation and client network
parameters > Configuring static address allocation and client network parameters > Enabling a
global address pool. Branch B, assigning client IP addresses and network parameters (based on
an interface address pool): Creating an interface address pool (configuring interface IP
address) > Enabling an interface address pool > Configuring a reserved IP address > Configuring
network parameters for DHCP clients > Configuring the dynamic address allocation > Configuring
the static address allocation. Both branches continue: Adjusting address collision detection
parameters > Enabling Authorized ARP > End. Legend: Mandatory, Optional.]

Table 8-65 Procedure for configuring a DHCP server

No. Configuration Task Description

1 Enabling DHCP Service Mandatory. By default, the DHCP service is enabled.

2 Assigning Client IP Addresses and Network Parameters (Based on a Global Address Pool)
Use a global address pool on a large network on which the DHCP server connects to the DHCP
clients using multiple interfaces. You are also required to use a global address pool when a
DHCP server employs DHCP relay to assign IP addresses for DHCP clients on different network
segments.
l Configuring a Reserved IP Address: Optional. When a device using a fixed IP address exists,
specify a reserved IP address.
l Configure dynamic address allocation and network parameters: Mandatory. Centrally plan and
configure important network parameters, such as domain name suffixes, DNS servers, and egress
gateways, for the DHCP clients on the DHCP server, to prevent network access errors caused by
incorrect configurations of the DHCP client network parameters.
l Configure static address allocation and client network parameters: Optional. Assign fixed IP
addresses to the DHCP server and hosts of high access priorities. The address pools for static
address allocation can inherit network parameters of their parent address pools; therefore, the
network parameters, such as domain name suffixes, DNS server addresses, and egress gateways,
do not need to be configured.
l Enable a global address pool: Mandatory. By default, the global address pool is enabled.

2 Assigning Client IP Addresses and Network Parameters (Based on an Interface Address Pool)
Use an interface address pool to assign client IP addresses on a small network on which the
DHCP server and the DHCP client reside on the same network segment.
l Create an interface address pool (configure an interface IP address): Mandatory. After an
interface IP address is specified, the related interface address pool is automatically created.
l Enable an interface address pool: Mandatory.
l Configuring a Reserved IP Address: Optional. When a device using a fixed IP address exists,
specify a reserved IP address.
l Configure network parameters for DHCP clients: Optional. Centrally plan and configure
important network parameters, such as domain name suffixes, DNS servers, and egress gateways,
for the DHCP clients on the DHCP server, to prevent network access errors caused by incorrect
configurations of the DHCP client network parameters.
l Configure dynamic address allocation: Mandatory.
l Configure static address allocation: Optional. Assign fixed IP addresses to the DHCP server
and hosts of high access priorities.

3 Adjusting Address Collision Detection Parameters Optional. You can adjust parameters when
the network delay is long or the network is unstable.

4 Enabling Authorized ARP Optional. After authorized ARP is enabled, the DHCP server not only
assigns an IP address to a client, but also adds an ARP entry containing the MAC and IP
addresses of the client automatically to the ARP table. The DHCP server prevents attackers from
forging IP or MAC addresses of valid DHCP clients to launch attacks, which helps improve
network security.

Enabling the DHCP Service


Before implementing the DHCP server function, enable the DHCP service. By default, the
DHCP service is enabled.

Step 1 Access the system view.


system-view

Step 2 Enable the DHCP service.


dhcp enable

----End

Assigning Client IP Addresses and Network Parameters (Based on a Global Address Pool)
You can use a global address pool to assign client IP addresses and network parameters on a
large network. You are also required to use a global address pool when a DHCP server employs
DHCP relay to assign IP addresses for DHCP clients on different network segments. The DHCP
server provides two allocation modes: dynamic and static address allocation.

Prerequisites

l The link between the DHCP client and server is working properly.
l Before a client domain name and a DNS server are configured, the DHCP client must
support the DNS client functions.
l Before a client WINS server address is configured, the DHCP client must support the WINS
client functions.
l The DHCP server and the DNS server or WINS server are routable to each other (unnecessary
if the two servers are not configured).

l IP addresses to be assigned using static address allocation are not used.


Context
l Reserved IP addresses
The reserved IP addresses will not be assigned automatically. For example, if some IP
addresses have been assigned to other services (such as the DNS server), they cannot be
automatically assigned to the clients again, so those IP addresses need to be reserved. This
prevents IP address collision and shortens the detection time before address allocation,
increasing DHCP allocation efficiency.
l Address pool planning
Dynamic address allocation and static address allocation require different global address
pools. Only a single IP address can be configured in the global address pool for static address
allocation. An IP address in the address pool can be bound to a MAC address.
Global address pools are arranged in a tree structure. The global address pool for dynamic
address allocation is a parent address pool, and that for static address allocation is a child
address pool. After the client network parameters are configured for the parent address
pool, they are automatically inherited by the child address pool. The parameters include
the egress gateway address, domain name, DNS server address, WINS server address,
NetBIOS node type, and Option value. Using the global address pools simplifies
configurations.
l NetBIOS protocol
When the DHCP client initiates communication using the NetBIOS protocol on a TCP/IP
network, the WINS server resolves host names into IP addresses. The DHCP server assigns
the WINS server address and a NetBIOS node type to the DHCP client.
l Option field
The Option field of a DHCP message can carry control information and parameters of some
common protocols that DHCP does not otherwise define. If the Option field is configured on
a DHCP server, the DHCP client obtains the configuration from the Option fields of the DHCP
messages that the server returns after the client applies for an IP address.
The option code command cannot be used to configure frequently used parameters, such
as a DNS server address, a WINS server address, a NetBIOS node type, and a lease. The
following part of this section describes how to configure these parameters.

NOTICE
The system does not verify the configuration during the Option field configuration;
therefore, you must confirm the configuration correctness.
Configure self-defined options with caution because the DHCP working process may be
affected.

Procedure

Step 1 Access the system view.


system-view

Step 2 Configure the reserved IP address.


dhcp server forbidden-ip start-ip-address [ end-ip-address ]

By default, the IP addresses in the DHCP address pool, except for the DHCP server interface IP
addresses, can be assigned automatically.

l To reserve one IP address, specify only start-ip-address.


For example, 10.1.1.3 has been assigned to the DNS server and needs to be reserved.
[NGFW] dhcp server forbidden-ip 10.1.1.3

l To reserve an IP address range, specify both start-ip-address and end-ip-address. Note that
start-ip-address is less than end-ip-address, and they are on the same network segment.
For example, 10.1.1.3 to 10.1.1.9 have been used as fixed IP addresses and need to be
reserved.
[NGFW] dhcp server forbidden-ip 10.1.1.4 10.1.1.9

NOTE

l After repeatedly running the dhcp server forbidden-ip command, you can configure multiple reserved
IP addresses or segments that cannot be automatically assigned.
l Before using the undo dhcp server forbidden-ip command to delete the setting, ensure that the
specified parameters are consistent with the previously configured parameters. You cannot delete only
some originally configured addresses.

Step 3 Configure dynamic address allocation and client network parameters.


The following procedure is used to dynamically allocate IP addresses and client network
parameters on one network segment. To continue configuring the parameters on other network
segments, repeat the procedure.
1. Create a global address pool for dynamic allocation of IP addresses and network
parameters:
dhcp server ip-pool pool-name

By default, the global address pool is not created on the NGFW.

pool-name is a unique identifier of the global address pool. You can define an easily
recognizable name for the global address pool. For example, if the IP addresses in a global
address pool are assigned to department A, you can name the pool dept_a.
2. Specify the IP address range available for dynamic address allocation in the global address
pool.
network ip-address [ mask { mask | mask-length } ]

When you configure the network segment of an address pool, specify an address segment
to each address pool and determine the address range by the subnet mask or mask length.

For example, set the IP address range for dynamic address allocation in a global address
pool to 10.1.1.0/24.

l [NGFW-dhcp-dept_a] network 10.1.1.0 mask 255.255.255.0

l [NGFW-dhcp-dept_a] network 10.1.1.0 mask 24

If mask is not specified, the NGFW automatically uses a natural mask. For example,
network 10.1.1.1 indicates network 10.0.0.0 mask 255.0.0.0.

NOTE

The IP address range available for dynamic address allocation must be on the same network segment
as the DHCP server interface address or the DHCP relay interface address.
3. Specify an egress gateway address for the DHCP client.

gateway-list ip-address &<1-8>

NOTICE
Do not configure the egress gateway address allocated to DHCP clients as a broadcast
address or network address.

This command must be run if the DHCP client needs to access other network segments.

To balance traffic loads and enhance network reliability, you can configure multiple egress
gateway addresses.

On a network with DHCP relay, the egress gateway address that is assigned to the DHCP
client by the DHCP server must be the same as the IP address of the DHCP relay interface.
4. Specify a domain name suffix to be allocated to the DHCP client.
domain-name domain-name

When a DHCP client that has obtained a domain name suffix accesses network resources by
domain name, the client automatically appends the suffix to a name that is entered without it,
so that the access succeeds.

For example, a domain name suffix obtained by the DHCP client is example.com, and after
you enter ping xyz, domain name xyz.example.com is queried.
5. Specify a DNS server address to be assigned to the DHCP client.
dns-list { ip-address &<1-8> | unnumbered interface interface-type interface-
number }

This command must be run when the DHCP client accesses the Internet using domain names.

The NGFW supports two configuration methods:

l If the DNS server address is already obtained, you can specify ip-address.
l If an interface (for example, a dialer interface) has obtained a DNS server address, you
can specify unnumbered interface. For example, if Dialer 1 is a PPPoE dialer interface
that dynamically obtains DNS server addresses from the Internet, you can run the dns-list
unnumbered interface dialer 1 command to assign the DNS server address that is
dynamically obtained by Dialer 1 to the DHCP client.

The two methods can be used simultaneously.

To balance traffic loads and enhance network reliability, you can configure multiple DNS
servers. You can configure a maximum of eight DNS servers by specifying ip-address.
6. Optional: Specify a WINS server address to be assigned to the DHCP client.
nbns-list ip-address &<1-8>

In the Windows operating system, the name of a host that uses the NetBIOS protocol needs
to be resolved to an IP address. A NetBIOS host name can be resolved using local name
resolution, broadcast query, and WINS server resolution. The WINS server resolution must
be performed by a WINS server.

To balance traffic loads and enhance network reliability, you can configure multiple WINS
servers.

7. Optional: Specify the type for the NetBIOS node that is assigned to the DHCP client.
netbios-type { b-node | h-node | m-node | p-node }

By default, the NetBIOS node type is not specified for a client.

You can configure one of the following parameters:

l b-node: The host name is resolved using broadcast query, not the WINS server. This
method increases the network traffic loads and cannot be performed across network
segments.
If b-node is configured, there is no need to specify the WINS server address.
l h-node: The host name is first resolved using the WINS server and then using broadcast
query if the first resolution attempt fails.
l p-node: The host name is resolved using the WINS server, not broadcast query.
l m-node: The host name is first resolved using broadcast query and then using the WINS
server if the first resolution attempt fails.
NOTE

Each operating system has a default node type. Normally, a DHCP server does not need to change
client node types.
8. Optional: Specify the DHCP Option field.
option code { ascii ascii-string | hex hex-string | ip-address ip-address
&<1-8> }

9. Specify the IP address lease for a global address pool.


expired { day day [ hour hour [ minute minute ] ] | unlimited }

The default lease is one day.

The DHCP server can specify different lease values for different address pools, but must
specify a unique lease for IP addresses in one address pool.

Before you specify a lease, consider the duration of connections between the clients related
to the address pool and the physical network. For example, on a wireless network, clients
are continuously connected to and disconnected from the network; therefore, you can
configure a short lease. (For example, set 8 hours instead of eight days.)

# Set the IP address lease to 8 hours.


[NGFW-dhcp-0] expired day 0 hour 8

If a client's connection to the network is stable, you can configure a long lease or even an
infinite lease.

# Set the IP address lease to infinite.


[NGFW-dhcp-0] expired unlimited

10. Return to the system view.


quit

Step 4 Configure static address allocation and client network parameters.


The following procedure is used to statically assign one IP address. To continue allocating IP
addresses, repeat the procedure.
1. Create a global address pool for static address allocation.
dhcp server ip-pool pool-name

2. Configure static address allocation.

If a client requires a fixed IP address, bind the IP address that has been assigned to it to its
MAC address.

a. Specify the IP address to be bound to the MAC address.


static-bind ip-address ip-address [ mask { mask | mask-length } ]

b. Specify the MAC address to be bound to the IP address.


static-bind mac-address mac-address

The static-bind ip-address command and the static-bind mac-address command must
be executed together to statically allocate the IP address to a client with the specified MAC
address. After the commands are executed multiple times, the latest configuration overrides
the previous one.

NOTICE
An address pool used for static allocation that has no parent address pool cannot inherit
network parameters (gateway, DNS server, domain name, and so on) from a parent pool. In that
case, configure the network parameters for the pool manually. For details, see steps c to g
in Step 3.
By default, the lease of a statically allocated IP address is infinite; the expired command
does not apply to it.

Step 5 Enable a global address pool on an interface.

By default, the global address pool has been enabled on interfaces.

l Apply the global address pool configuration on designated interfaces in the system view.
dhcp select global { all | interface interface-type interface-number.sub-
interface-number1 [ to interface-type interface-number.sub-interface-number2 ]
| interface interface-type interface-number }

The clients can use these interfaces to obtain IP addresses and network parameters from the
global address pool.
NOTE

l If multiple Ethernet subinterfaces are designated, the subinterfaces must belong to a single physical
interface.
l The all parameter indicates all interfaces with IP addresses. The interfaces can be GE interfaces
and subinterfaces, Vlanif interfaces, and Eth-trunk interfaces.
l Apply the global address pool configuration on the current interface in the interface view.
dhcp select global

The clients that log in using the specified interface obtain IP addresses and network parameter
configurations from the global address pool.
NOTE

The address pool configurations apply only to the current interface. The interface can be a GE interface
or its subinterface, a Vlanif interface, or an Eth-trunk interface.

After a global address pool is configured, you must specify which interfaces use it. DHCP
clients attached to those interfaces can then obtain IP addresses and network parameters
from the global address pool.

l If the DHCP client and the NGFW (working as the DHCP server) are on the same network
segment with no DHCP relay in between, the NGFW selects the global address pool whose
network segment matches the IP address of the receiving interface. If the interface has
no IP address, or no address pool matches its network segment, the client cannot obtain
an IP address.
l If the DHCP client and the NGFW (working as the DHCP server) are on different network
segments with a DHCP relay in between, the NGFW uses the Relay Agent IP Address (giaddr)
field of the received DHCP request, which the relay sets to the address of its
client-facing interface, to select the address pool. If that address matches no address
pool, the client cannot obtain an IP address.
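The two selection rules above, modelled in Python as an added example (editor-supplied illustration, not code from the guide or from the NGFW). The Pool and Request records, the pool names and the subnets are assumptions; the decision logic is the one the bullets state.

```python
"""Global address pool selection on a DHCP server (added example, not NGFW code)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Iterable, Optional

NO_RELAY = IPv4Address("0.0.0.0")   # giaddr is zero when no relay agent touched the request


@dataclass(frozen=True)
class Pool:
    name: str
    network: IPv4Network            # the network segment a global address pool covers


@dataclass(frozen=True)
class Request:
    interface_ip: Optional[IPv4Address]   # IP of the receiving interface; None if it has none
    giaddr: IPv4Address                   # Relay Agent IP Address field of the DHCP request


def select_pool(pools: Iterable[Pool], req: Request) -> Optional[Pool]:
    """Return the global pool the server allocates from, or None (client gets no address)."""
    if req.giaddr == NO_RELAY:
        # Rule 1, same segment: the pool must contain the receiving interface's address.
        if req.interface_ip is None:
            return None
        key = req.interface_ip
    else:
        # Rule 2, relayed: the pool is chosen by giaddr, which the first relay agent
        # sets to the IP address of its interface facing the client segment.
        key = req.giaddr
    for pool in pools:
        if key in pool.network:
            return pool
    return None


# Constructed sample: one pool behind the firewall's LAN interface, one for a relayed branch.
POOLS = (
    Pool("lan", IPv4Network("10.1.1.0/24")),
    Pool("branch", IPv4Network("192.168.2.0/24")),
)


def demo() -> dict:
    """Exercise the four outcomes described in the text; returns pool names or None."""
    cases = {
        "local": Request(IPv4Address("10.1.1.1"), NO_RELAY),
        "relayed": Request(IPv4Address("172.16.0.1"), IPv4Address("192.168.2.1")),
        "no_interface_ip": Request(None, NO_RELAY),
        "unknown_giaddr": Request(IPv4Address("172.16.0.1"), IPv4Address("172.20.0.1")),
    }
    result = {}
    for label, req in cases.items():
        pool = select_pool(POOLS, req)
        result[label] = pool.name if pool else None
    return result


if __name__ == "__main__":
    print(demo())
```

One caveat that follows from the second rule: the server trusts giaddr as received. A host that can reach the server directly can send a unicast request carrying a giaddr of its choosing and draw addresses from a pool it does not belong to, so the security policy that permits DHCP into the Local zone should admit it only from the interfaces and relay agents that legitimately need it.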

----End

Assigning Client IP Addresses and Network Parameters (Based on an Interface Address Pool)
You can use the interface address pool to assign client IP addresses and network parameters on
a small network where the DHCP server and the DHCP client reside on the same network
segment.
Prerequisites
l The link between the DHCP client and server is working properly.
l Before a client domain name and a DNS server are configured, the DHCP client must
support the DNS client functions.
l Before a client WINS server address is configured, the DHCP client must support the WINS
client functions.
l The DHCP server can reach the DNS server and the WINS server (required only if these
servers are configured).
l IP addresses for static address allocation are not used.
Context
l Reserved IP addresses
The reserved IP addresses will not be assigned automatically. For example, if some IP
addresses have been assigned to other services (such as the DNS server), they cannot be
automatically assigned to the clients again, so those IP addresses need to be reserved. This
prevents IP address collision and shortens the detection time before address allocation,
increasing DHCP allocation efficiency.
l NetBIOS protocol
When a DHCP client uses the NetBIOS protocol on a TCP/IP network, the WINS server
resolves host names to IP addresses. The DHCP server assigns an IP address to the WINS
server and a NetBIOS node type for the DHCP client.
l Option field
The Option field of a DHCP message carries control information and parameters for which
no dedicated configuration command exists. If an Option field is configured on the DHCP
server, the DHCP client receives its content in the DHCP messages the server returns when
the client applies for an IP address.
The option code command cannot be used to configure frequently used parameters, such
as a DNS server address, a WINS server address, a NetBIOS node type, and a lease. These
parameters have dedicated commands, which are described later in this section.

NOTICE
The customized Option field may affect the DHCP working process. Perform this operation
with caution.

l The dhcp select interface, dhcp server expired, dhcp server domain-name, dhcp server
netbios-type, dhcp server nbns-list, and dhcp server option commands can be executed
in the interface and system views. In the system view, you can configure multiple or all
interfaces in a batch for improved efficiency. This section uses the configuration in the
interface view as an example.
NOTE

If multiple Ethernet subinterfaces are designated, the subinterfaces must belong to a single physical
interface.
For example, to enable the interface address pool for subinterfaces from GigabitEthernet
1/0/1.1 to GigabitEthernet 1/0/1.3:
[NGFW] dhcp select interface interface GigabitEthernet 1/0/1.1 to
GigabitEthernet 1/0/1.3

Perform the following steps to assign an IP address of an interface address pool.

Procedure

Step 1 Access the system view.


system-view

Step 2 Create an interface address pool.


1. Access the interface view.
interface interface-type interface-number [ .sub-interface-number ]

NOTE

The interface can be a GE interface or its subinterface, an Ethernet interface or its subinterface, a
Vlanif interface, a Virtual-Ethernet interface, or an Eth-trunk interface.
2. Assign an IP address to the interface.
ip address ip-address { mask | mask-length }

The address range of the interface address pool is the network segment on which the IP
address of the interface resides. The range only takes effect on the interface.

Step 3 Enable an interface address pool.


dhcp select interface

You can configure other network parameters of the interface address pool only after the interface
address pool is enabled.

Step 4 Configure the reserved IP address.


dhcp server forbidden-ip start-ip-address [ end-ip-address ]

By default, the IP addresses in the DHCP address pool, except for the DHCP server interface IP
addresses, can be assigned automatically.

l To reserve one IP address, specify only start-ip-address.


For example, 10.1.1.3 has been assigned to the DNS server and needs to be reserved.

[NGFW-GigabitEthernet1/0/1] dhcp server forbidden-ip 10.1.1.3

l To reserve an IP address range, specify both start-ip-address and end-ip-address.
start-ip-address must be lower than end-ip-address, and both must be on the same network segment.
For example, 10.1.1.4 to 10.1.1.9 have been used as fixed IP addresses and need to be
reserved.
[NGFW-GigabitEthernet1/0/1] dhcp server forbidden-ip 10.1.1.4 10.1.1.9

NOTE

l Run the dhcp server forbidden-ip command repeatedly to reserve multiple IP addresses or
address ranges that must not be assigned automatically.
l When you use the undo dhcp server forbidden-ip command to delete a reservation, specify
exactly the parameters that were used when it was configured. You cannot delete only part of a
configured range.

Step 5 Configure network parameters for the DHCP client.


1. Specify the default gateway IP address for the DHCP client.
dhcp server gateway-list ip-address &<1-8>

NOTICE
Do not configure the default gateway address allocated to DHCP clients as a broadcast
address or network address.

This command must be run if the DHCP client needs to access other network segments.

To balance traffic loads and enhance network reliability, you can configure multiple
gateway addresses.

On a network with DHCP relay, the gateway address that is assigned to the DHCP client
by the DHCP server must be the same as the IP address of the DHCP relay interface.
2. Specify a domain name suffix for the DHCP client.
dhcp server domain-name domain-name

When a DHCP client with a configured domain name suffix accesses a network resource by a
name that has no suffix, the client automatically appends the suffix before resolving the
name.

For example, if the DHCP client has obtained the domain name suffix example.com and you
enter ping xyz, the name xyz.example.com is queried.
3. Specify a DNS server address to be assigned to the DHCP client.
dhcp server dns-list { ip-address &<1-8> | unnumbered interface interface-type
interface-number }

This command must be run if the DHCP client needs to resolve domain names, for example to access the Internet.

The NGFW supports two configuration methods:

l If the DNS server address is already obtained, you can specify ip-address.
l If an interface (for example, a dialer interface) has obtained a DNS server address, you
can specify unnumbered interface. For example, if Dialer 1 is a PPPoE dialer interface
that dynamically obtains DNS server addresses from the Internet, run the dhcp server
dns-list unnumbered interface dialer 1 command to assign the DNS server address obtained
by Dialer 1 to the DHCP client.
The two methods can be used simultaneously.
To balance traffic loads and enhance network reliability, you can configure multiple DNS
servers. You can configure a maximum of eight DNS servers by specifying ip-address.
4. Optional: Specify a WINS server address to be assigned to the DHCP client.
dhcp server nbns-list ip-address &<1-8>

In the Windows operating system, the name of a host that uses the NetBIOS protocol needs
to be resolved to an IP address. A NetBIOS host name can be resolved using local name
resolution, broadcast query, and WINS server resolution. The WINS server resolution must
be performed by a WINS server.
To balance traffic loads and enhance network reliability, you can configure multiple WINS
servers.
5. Optional: Specify a type for the NetBIOS node allocated to the DHCP client.
dhcp server netbios-type { b-node | h-node | m-node | p-node }

By default, the NetBIOS node type is not specified for a client.

You can configure one of the following parameters:
l b-node: The host name is resolved using broadcast query, not the WINS server. This
method increases the network traffic loads and cannot be performed across network
segments.
If b-node is configured, there is no need to specify the WINS server address.
l h-node: The host name is first resolved using the WINS server and then using broadcast
query if the first resolution attempt fails.
l p-node: The host name is resolved using the WINS server, not broadcast query.
l m-node: The host name is first resolved using broadcast query and then using the WINS
server if the first resolution attempt fails.
NOTE

Each operating system has a default node type. Normally, the DHCP server does not need to change
client node types.
6. Optional: Specify the DHCP Option field.
dhcp server option code { ascii ascii-string | hex hex-string &<1-10> | ip-
address ip-address &<1-8> }

Step 6 Specify the IP address lease for an interface address pool.


dhcp server expired { day day [ hour hour [ minute minute ] ] | unlimited }

The default lease is one day.


The DHCP server can use different lease values for different address pools, but all IP
addresses in one address pool share a single lease.
Before you specify a lease, consider the duration of connections between the clients related to
the address pool and the physical network. For example, on a wireless network, clients are
continuously connected to and disconnected from the network; therefore, you can configure a
short lease. (For example, set 8 hours instead of eight days.)

# Set the IP address lease to 8 hours.


[NGFW-GigabitEthernet1/0/1] dhcp server expired day 0 hour 8

If a client's connection to the network is stable, you can configure a long lease or even an infinite
lease.

# Set the IP address lease to infinite.


[NGFW-GigabitEthernet1/0/1] dhcp server expired unlimited

Step 7 Statically allocate an IP address.


dhcp server static-bind ip-address ip-address mac-address mac-address

This command binds an IP address in the interface address pool to a client MAC address.

If a client requires a fixed IP address, bind the IP address that has been assigned to it to its MAC
address.

The command binds one IP-MAC pair; run it repeatedly to bind several pairs. Each IP address
to be bound must be within the interface address pool and available for dynamic allocation
(that is, on the interface's network segment and not reserved with the dhcp server
forbidden-ip command).
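What Steps 5 to 7 above produce on the wire, as an added example in Python (editor-supplied, not code from the guide or from the NGFW): the gateway-list, dns-list, domain-name, nbns-list, netbios-type and expired settings become the standard DHCP options of RFC 2132, the option command adds arbitrary codes, and the dedicated parameters are refused through the generic path, as the Context section says. The PoolConfig structure, the sample values and the use of option 66 for the custom entry are assumptions.

```python
"""Encode an interface address pool's network parameters as DHCP options (added example)."""
import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional

OPT_ROUTER, OPT_DNS, OPT_DOMAIN, OPT_NBNS, OPT_NB_NODE, OPT_LEASE = 3, 6, 15, 44, 46, 51
OPT_PAD, OPT_END = 0, 255
DEDICATED = {OPT_ROUTER, OPT_DNS, OPT_DOMAIN, OPT_NBNS, OPT_NB_NODE, OPT_LEASE}
NODE_TYPE = {"b-node": 1, "p-node": 2, "m-node": 4, "h-node": 8}   # RFC 2132, option 46
INFINITE_LEASE = 0xFFFFFFFF                                          # "expired unlimited"
MAX_SERVERS = 8                                                      # the &<1-8> in the syntax


@dataclass
class PoolConfig:
    gateway_list: List[str] = field(default_factory=list)   # dhcp server gateway-list
    dns_list: List[str] = field(default_factory=list)       # dhcp server dns-list
    domain_name: Optional[str] = None                       # dhcp server domain-name
    nbns_list: List[str] = field(default_factory=list)      # dhcp server nbns-list
    netbios_type: Optional[str] = None                      # dhcp server netbios-type
    lease: Optional[tuple] = (1, 0, 0)                      # (day, hour, minute); None = unlimited
    custom: Dict[int, bytes] = field(default_factory=dict)  # dhcp server option <code> ...


def lease_seconds(lease: Optional[tuple]) -> int:
    """expired { day [hour [minute]] | unlimited } -> value of option 51."""
    if lease is None:
        return INFINITE_LEASE
    day, hour, minute = lease
    return ((day * 24 + hour) * 60 + minute) * 60


def _tlv(code: int, payload: bytes) -> bytes:
    if not 0 < len(payload) <= 255:
        raise ValueError(f"option {code}: payload must be 1..255 bytes")
    return bytes([code, len(payload)]) + payload


def _ip_list(addrs: List[str]) -> bytes:
    if len(addrs) > MAX_SERVERS:
        raise ValueError("at most 8 addresses per list")
    return b"".join(IPv4Address(a).packed for a in addrs)


def encode_options(cfg: PoolConfig) -> bytes:
    """Build the options part of the OFFER/ACK the server returns for this pool."""
    for code in cfg.custom:
        if code in DEDICATED:      # mirrors the restriction on the option command
            raise ValueError(f"option {code} must be set with its dedicated command")
    out = bytearray()
    if cfg.gateway_list:
        out += _tlv(OPT_ROUTER, _ip_list(cfg.gateway_list))
    if cfg.dns_list:
        out += _tlv(OPT_DNS, _ip_list(cfg.dns_list))
    if cfg.domain_name:
        out += _tlv(OPT_DOMAIN, cfg.domain_name.encode("ascii"))
    if cfg.nbns_list:
        out += _tlv(OPT_NBNS, _ip_list(cfg.nbns_list))
    if cfg.netbios_type:
        out += _tlv(OPT_NB_NODE, bytes([NODE_TYPE[cfg.netbios_type]]))
    out += _tlv(OPT_LEASE, struct.pack("!I", lease_seconds(cfg.lease)))
    for code, payload in cfg.custom.items():
        out += _tlv(code, payload)
    out.append(OPT_END)
    return bytes(out)


def decode_options(data: bytes) -> Dict[int, bytes]:
    """Parse the TLV options back into {code: payload}; stops at END and skips PAD."""
    opts, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = data[i + 1]
        opts[code] = bytes(data[i + 2:i + 2 + length])
        i += 2 + length
    return opts


# Constructed sample matching the commands shown in this section (values are assumptions).
SAMPLE = PoolConfig(
    gateway_list=["10.1.1.1"],
    dns_list=["10.1.1.3"],
    domain_name="example.com",
    nbns_list=["10.1.1.20"],
    netbios_type="h-node",
    lease=(0, 8, 0),                          # expired day 0 hour 8
    custom={66: b"tftp.example.com"},         # dhcp server option 66 ascii ... (assumed)
)
```

Round-tripping SAMPLE through encode_options and decode_options shows the eight-hour lease as 28800 seconds in option 51, h-node as the single byte 8 in option 46, and the WINS server in option 44; passing option 6 through `custom` raises, which is the behaviour the Context section describes for the option command.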

----End

Adjusting Address Collision Detection Parameters


Before assigning an address to a client, the DHCP server detects the IP address to prevent address
collision. When the network delay is long or the network is unstable, you can adjust the address
collision detection parameters.

Prerequisites

Before you adjust the address collision detection parameters, you must finish the DHCP server
configurations.

Context

Before the DHCP server allocates an IP address, it sends ping packets to that address and waits
for a response within a configured time. If no response is received within the ping timeout,
the server sends another ping packet, up to the configured maximum number. If none of the ping
packets is answered, the server allocates the IP address to the client. If a response arrives,
the address is already in use and is recorded as a conflict instead of being allocated. This
ensures that the IP address allocated to the client is unique on the network.

Procedure

Step 1 Access the system view.


system-view

Step 2 Specify how long the DHCP server waits for a response after sending a ping packet.
dhcp server ping timeout milliseconds

By default, the server waits up to 500 ms for a ping response. The value 0 disables the ping
operation.

Changing this parameter is normally unnecessary. On a network with long delay, increase the
waiting time so that late responses are not missed and an address that is in use is not
handed out.

Step 3 Set the maximum number of ping packets sent by the DHCP server.
dhcp server ping packets number

By default, the DHCP server sends a maximum of 2 ping packets. The value 0 disables the ping
operation.

Changing this parameter is normally unnecessary. A large value increases the load on the DHCP
server and delays address allocation. However, if the network is unstable and ping packets may
be lost, increase the maximum number of ping packets.

NOTE

If the value of either address detection parameter is set to 0, the DHCP server does not perform address
detection and directly assigns an IP address to a client.
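The detection loop above, modelled in Python as an added example (editor-supplied, not code from the guide or from the NGFW). The `probe` callback stands in for the ICMP echo the server really sends; the table of hosts with reply latencies and dropped probes is constructed so that the effect of the timeout and packet-count parameters, including the 0 = disabled case and the slow-host failure mode the text warns about, can be seen.

```python
"""Ping-based address collision detection on a DHCP server (added example)."""
from typing import Callable, Dict, List, Optional, Tuple

Probe = Callable[[str, int], bool]   # probe(ip, timeout_ms) -> True if a reply arrived in time


def address_is_free(ip: str, probe: Probe, packets: int = 2, timeout_ms: int = 500) -> bool:
    """Apply `dhcp server ping packets` / `dhcp server ping timeout` semantics.

    Either parameter set to 0 disables detection: the address is handed out unchecked.
    Otherwise up to `packets` probes are sent; the first reply marks the address as in
    use (a conflict), and silence on all of them means the address may be allocated.
    """
    if packets == 0 or timeout_ms == 0:
        return True
    for _ in range(packets):
        if probe(ip, timeout_ms):
            return False
    return True


def allocate(pool: List[str], probe: Probe, packets: int = 2, timeout_ms: int = 500
             ) -> Tuple[Optional[str], List[str]]:
    """Return the first allocatable address in `pool` and the addresses found in conflict."""
    conflicts: List[str] = []
    for ip in pool:
        if address_is_free(ip, probe, packets, timeout_ms):
            return ip, conflicts
        conflicts.append(ip)
    return None, conflicts


def make_probe(hosts: Dict[str, Tuple[int, int]]) -> Probe:
    """Constructed network: `hosts` maps an in-use IP to (reply latency in ms, number of
    probes it silently drops before answering). An unlisted IP never answers. A listed
    host is only detected when a probe it does not drop is answered within the timeout."""
    attempts: Dict[str, int] = {}

    def probe(ip: str, timeout_ms: int) -> bool:
        if ip not in hosts:
            return False
        latency, drops = hosts[ip]
        n = attempts.get(ip, 0)
        attempts[ip] = n + 1
        return n >= drops and latency <= timeout_ms

    return probe


# 10.1.1.2 answers at once; 10.1.1.3 sits behind an 800 ms link; 10.1.1.4 loses the first probe.
HOSTS = {"10.1.1.2": (30, 0), "10.1.1.3": (800, 0), "10.1.1.4": (40, 1)}
POOL = ["10.1.1.2", "10.1.1.3", "10.1.1.4", "10.1.1.5"]

if __name__ == "__main__":
    print("defaults:", allocate(POOL, make_probe(HOSTS)))
    print("timeout 1000:", allocate(POOL, make_probe(HOSTS), timeout_ms=1000))
```

With the defaults the slow host 10.1.1.3 is handed out as free because its reply arrives after 500 ms; raising the timeout to 1000 ms catches it, and the second probe is what catches 10.1.1.4, which a single-packet configuration would miss.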

----End

Enabling Authorized ARP


Authorized ARP enables a DHCP server not only to assign an IP address to a client, but also to
automatically add an ARP entry containing the MAC address and IP address of the client to the
ARP table. Authorized ARP helps the DHCP server prevent attackers from forging the IP
addresses or MAC addresses of valid DHCP clients to launch attacks, which improves network
security.

Prerequisites

Before enabling authorized ARP, configure the DHCP server.

Context

Authorized ARP, valid on only devices on which the DHCP server is enabled, applies when the
DHCP server and client reside on the same network segment, but not in the DHCP relay scenario.

With authorized ARP enabled, the DHCP server no longer learns ARP entries dynamically from
arbitrary ARP responses. Only clients to which the DHCP server has assigned IP addresses get ARP
entries (called authorized ARP entries), and those entries are bound to the IP and MAC address
recorded in the lease.

If an attacker forges the IP or MAC address of a legitimate DHCP client to originate an ARP
request, the IP or MAC address does not match authorized ARP entries recorded by the gateway
(the DHCP server), and no response is returned. As a result, the attacker fails to access the
network by forging a legitimate IP or MAC address.

Authorized ARP entries do not age. When a DHCP client releases its IP address, its authorized ARP
entry is automatically deleted from the ARP table.

Authorized ARP entries have a higher priority than dynamic ARP entries but a lower priority than
static ARP entries: a new authorized ARP entry overrides a duplicate dynamic ARP entry but not a
duplicate static ARP entry, and a static ARP entry configured later overrides a duplicate
authorized ARP entry.

Procedure

Step 1 Access the system view.


system-view

Step 2 Enable authorized ARP.


dhcp arpbind enable

By default, the authorized ARP function is disabled on the device.
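The behaviour described in the Context above, modelled in Python as an added example (editor-supplied, not code from the guide or from the NGFW): the precedence order static > authorized > dynamic, the no-ageing rule, deletion on release, and the refusal to learn from or answer a sender whose IP/MAC pair does not match a lease. The table structure, the MAC address strings and the sample hosts are assumptions.

```python
"""Authorized ARP entries beside dynamic and static ones (added example)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, Optional


class Kind(IntEnum):
    DYNAMIC = 1      # learned from ARP replies; ages out
    AUTHORIZED = 2   # installed by the DHCP server when it grants a lease
    STATIC = 3       # configured by the administrator


@dataclass
class ArpEntry:
    ip: str
    mac: str
    kind: Kind


class ArpTable:
    def __init__(self, authorized_arp: bool = True):
        self.authorized_arp = authorized_arp          # dhcp arpbind enable
        self.entries: Dict[str, ArpEntry] = {}

    def _install(self, ip: str, mac: str, kind: Kind) -> bool:
        cur = self.entries.get(ip)
        if cur is not None and cur.kind > kind:
            return False                              # a higher-precedence entry stays
        self.entries[ip] = ArpEntry(ip, mac, kind)    # equal or lower precedence is replaced
        return True

    def add_static(self, ip: str, mac: str) -> bool:
        return self._install(ip, mac, Kind.STATIC)

    def lease_granted(self, ip: str, mac: str) -> bool:
        """The DHCP server assigned ip to mac: add the authorized entry."""
        return self.authorized_arp and self._install(ip, mac, Kind.AUTHORIZED)

    def lease_released(self, ip: str) -> None:
        cur = self.entries.get(ip)
        if cur is not None and cur.kind == Kind.AUTHORIZED:
            del self.entries[ip]

    def sender_matches(self, ip: str, mac: str) -> bool:
        """False if ip or mac belongs to an authorized entry with a different peer."""
        cur = self.entries.get(ip)
        if cur is not None and cur.kind == Kind.AUTHORIZED and cur.mac != mac:
            return False                              # forged IP of a leased client
        for e in self.entries.values():
            if e.kind == Kind.AUTHORIZED and e.mac == mac and e.ip != ip:
                return False                          # forged MAC of a leased client
        return True

    def learn_reply(self, ip: str, mac: str) -> bool:
        """Dynamic learning from an ARP reply; with authorized ARP on, a reply can neither
        create nor overwrite an entry that contradicts a lease."""
        if self.authorized_arp and not self.sender_matches(ip, mac):
            return False
        return self._install(ip, mac, Kind.DYNAMIC)

    def answer_request(self, sender_ip: str, sender_mac: str) -> bool:
        """Whether the gateway answers an ARP request from this sender."""
        return not self.authorized_arp or self.sender_matches(sender_ip, sender_mac)

    def age(self) -> None:
        """Ageing removes only dynamic entries; authorized and static ones persist."""
        self.entries = {ip: e for ip, e in self.entries.items() if e.kind != Kind.DYNAMIC}

    def kind_of(self, ip: str) -> Optional[Kind]:
        e = self.entries.get(ip)
        return e.kind if e else None
```

A host that spoofs the leased address 10.1.1.10 with its own MAC is neither learned nor answered, a host that borrows the leased MAC under a different IP is not answered either, and the static entry for the gateway survives a lease granted for the same address.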

----End

Verifying Configuration
This section describes how to verify the DHCP server configuration.

Step 1 Configure a DHCP client (using a Windows XP-based PC as an example).


Set the network connection properties.
Set Internet Protocol (TCP/IP) Properties to Obtain an IP address automatically and
Obtain DNS server address automatically.
Step 2 On the DHCP client, run the ipconfig /all command and check whether the DHCP client has
obtained the key configuration, including an IP address, a default gateway, and a DNS server.
l If all key information is displayed, no action is required.
l If some PCs fail to obtain the information, such as IP addresses, troubleshoot the PC settings
and network connections. Then, go to Step 3.
l If some PCs obtain IP addresses but fail to obtain other network parameters, restart the PC
NIC to disable and enable the network connection. Or, run the ipconfig /release command
and the ipconfig /renew command in sequence to apply for new IP addresses and network
parameters. Then, go to Step 2.
l If all PCs fail to obtain information, go to Step 3.
Step 3 On the DHCP server, run the display dhcp server statistics command to view DHCP server
statistics.
Check whether the statistics in the Boot Request and Boot Reply fields are 0. If the statistics
are 0, communication between the DHCP server and the client is interrupted.
l If statistics are 0, verify that the dhcp select command has been executed on the server
interface. If the command has been executed but the result remains 0, go to Step 4 and Step
5.
l If statistics are not 0, go to Step 6.
Step 4 On the DHCP client, run the ping command to view the communication information between
the DHCP server and client. If they are not routable to each other, troubleshoot the network
connection and routing problems.
Step 5 Verify that security policy rules are correct. Add the interfaces to security zones and enable the
security policy between the security zone on which the DHCP client resides and the Local zone,
to allow packets through.
Step 6 On the DHCP server, run the display dhcp server ip-in-use command to view IP address
allocation information.
Check whether the static address allocation is successful.
l If addresses are successfully allocated, go to the next step.
l If some addresses are not allocated, check whether the IP addresses failed to be statically
allocated are used by other hosts. If the IP addresses are used by other hosts, change the
configurations of the address pool for static address allocation. Then, go to Step 7.
Step 7 On the DHCP server, run the display dhcp server conflict command to view the IP address
collision information.

l If no collision exists, no action is required.


l If a collision exists, restart the PC NIC to disable and then enable the network connection.
Or, run the ipconfig /release command and the ipconfig /renew command in sequence to
obtain a dynamic IP address. Then, go to Step 7.

----End

8.4.5.2 Configuring DHCP Relay


A DHCP client communicates with a DHCP server on another network segment, and obtains an IP
address from it, through a DHCP relay agent. DHCP relay allows DHCP clients on different
network segments to share one DHCP server, which reduces costs and allows address information
to be managed centrally.

Prerequisites
l A DHCP server has been configured based on a global address pool.
No interface address pool can be configured for the DHCP server interface that connects
to the DHCP relay.
l The DHCP server and the DHCP relay interface are routable to each other.
l The DHCP relay interface and the DHCP client reside on the same network segment.
The IP address of the DHCP relay interface is on the same network segment as the IP
address of the client that is assigned by the DHCP server.
l The default gateway address of the DHCP client must be the IP address of the DHCP relay
interface.

Context
During certain phases in DHCP configuration, the DHCP client sends broadcast packets;
therefore, the DHCP relay interface must support the broadcast mode.
A DHCP relay interface supports a maximum of 20 DHCP server addresses.
The ip relay address and dhcp select relay commands can be executed in either of the following
views:
l In the interface view, you can set the current interface as a DHCP relay interface.
l In the system view, you can configure a specific interface, multiple subinterfaces, or all
interfaces as the DHCP relay interfaces for an improved efficiency.
This section uses the configuration in the interface view as an example.

NOTE

If multiple Ethernet subinterfaces are designated, the subinterfaces must belong to a single physical
interface.

For example, allocate a DHCP server for GigabitEthernet 1/0/1.1 and GigabitEthernet 1/0/1.2
and apply the DHCP relay configurations.
[NGFW] ip relay address 10.1.1.2 interface GigabitEthernet 1/0/1.1 to
GigabitEthernet 1/0/1.2
[NGFW] dhcp select relay interface GigabitEthernet 1/0/1.1 to GigabitEthernet
1/0/1.2

Perform the following steps to configure one DHCP relay interface.

NOTE

A DHCP message sent from a client to a server can be relayed a maximum of four times; a message
relayed more than four times is discarded. If more than one DHCP relay agent exists on the network,
the DHCP relay function must be enabled on each relay agent, and the client, the relay agents, and
the DHCP server must be routable to each other. On the last DHCP relay agent, the ip relay address
command specifies the IP address of the DHCP server; on each other relay agent, it specifies the
IP address of the next DHCP relay agent.
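The relay chain described in the note, modelled in Python as an added example (editor-supplied, not code from the guide or from the NGFW). Each RelayAgent holds the address configured with ip relay address (the server, or the next relay agent in a chain) and the IP of the interface on which dhcp select relay is run; the four-hop limit is the one stated above. The message fields, the assumption that a relay agent receives relayed unicasts at its client-facing interface address, and the sample addresses are illustration only.

```python
"""DHCP relay chain: giaddr, hop limit and the reply path (added example)."""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

BOOTREQUEST, BOOTREPLY = 1, 2
ZERO = "0.0.0.0"


@dataclass(frozen=True)
class DhcpMessage:
    op: int
    hops: int
    giaddr: str          # Relay Agent IP Address; zero until the first relay fills it in
    chaddr: str          # client MAC address
    yiaddr: str = ZERO   # address offered by the server (replies only)


@dataclass(frozen=True)
class RelayAgent:
    interface_ip: str    # relay interface facing the clients (their default gateway)
    relay_address: str   # ip relay address: the DHCP server, or the next relay agent
    max_hops: int = 4    # limit stated in the guide

    def relay_request(self, msg: DhcpMessage) -> Optional[Tuple[str, DhcpMessage]]:
        """Forward a client->server message as unicast, or None when it must be dropped."""
        if msg.op != BOOTREQUEST or msg.hops >= self.max_hops:
            return None
        # Only the first relay writes giaddr, so the server still sees the client's
        # segment and can pick the matching global address pool.
        giaddr = msg.giaddr if msg.giaddr != ZERO else self.interface_ip
        return self.relay_address, replace(msg, hops=msg.hops + 1, giaddr=giaddr)

    def relay_reply(self, msg: DhcpMessage) -> Optional[Tuple[str, DhcpMessage]]:
        """Hand a server->client reply to the client segment if it is addressed to us."""
        if msg.op != BOOTREPLY or msg.giaddr != self.interface_ip:
            return None
        return msg.yiaddr, replace(msg, hops=0)


def build_chain(relay_ips: List[str], server_ip: str) -> Dict[str, RelayAgent]:
    """Configure relays so each points at the next one and the last points at the server."""
    agents: Dict[str, RelayAgent] = {}
    for i, ip in enumerate(relay_ips):
        nxt = relay_ips[i + 1] if i + 1 < len(relay_ips) else server_ip
        agents[ip] = RelayAgent(interface_ip=ip, relay_address=nxt)
    return agents


def deliver_request(first_relay_ip: str, agents: Dict[str, RelayAgent], server_ip: str,
                    msg: DhcpMessage) -> Optional[DhcpMessage]:
    """Route a client broadcast hop by hop until it reaches the server; None = discarded."""
    agent = agents[first_relay_ip]
    while True:
        hop = agent.relay_request(msg)
        if hop is None:
            return None
        next_hop, msg = hop
        if next_hop == server_ip:
            return msg
        agent = agents[next_hop]


def deliver_reply(agents: Dict[str, RelayAgent], reply: DhcpMessage
                  ) -> Optional[Tuple[str, DhcpMessage]]:
    """The server unicasts the reply to giaddr; that relay delivers it to the client."""
    agent = agents.get(reply.giaddr)
    return None if agent is None else agent.relay_reply(reply)


# Constructed sample: the server address from the configuration example above, four relays.
SERVER_IP = "10.1.1.2"
RELAYS = ["192.168.1.1", "192.168.2.1", "192.168.3.1", "192.168.4.1"]
```

A request through four relays reaches the server with hops = 4 and giaddr still set to the first relay's interface address; with a fifth relay the request is discarded, and the server's reply is routed straight to giaddr rather than back through the chain, which is why every agent must be routable to the server.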

Procedure
Step 1 Access the system view.
system-view

Step 2 Enable DHCP.


dhcp enable

By default, the DHCP service is enabled.

Step 3 Access the DHCP relay interface view.


interface interface-type interface-number [ .sub-interface-number ]

NOTE

The interface can be a GE interface or its subinterface, a Vlanif interface, or an Eth-trunk interface.

Step 4 Specify the DHCP server IP address for the DHCP relay interface.
ip relay address ip-address

NOTE

When more than one DHCP relay agents exist on a network, the last DHCP relay agent specifies the IP
address of the DHCP server. The other DHCP relay agents specify the IP address of the next DHCP relay
agent.

Step 5 Apply the DHCP relay interface configurations to the current interface.
dhcp select relay

----End

Follow-up Procedure
1. Configure a DHCP client (using a Windows XP-based PC as an example).
Set the network connection properties.
Set Internet Protocol (TCP/IP) Properties to Obtain an IP address automatically and
Obtain DNS server address automatically.
2. On each DHCP client, run the ipconfig /all command to view the configuration of the
DHCP client. Check whether the DHCP client has obtained the key configuration, including
an IP address, a default gateway, and a DNS server.
l If all key information is displayed, no action is required.
l If some PCs fail to obtain the information, such as IP addresses, troubleshoot the PC
settings and network connections. Then, go to 2.
l If some PCs obtain IP addresses but fail to obtain other network parameters, restart the
PC NIC to disable and enable the network connection. Or, run the ipconfig /release
command and the ipconfig /renew command in sequence to apply for new IP addresses
and network parameters. Then, go to 2.

l If all PCs fail to obtain the information, such as IP addresses, go to 3.


3. On the DHCP relay agent, run the display dhcp relay statistics command to view DHCP
relay statistics, including the number of invalid packets and the numbers of the different
types of DHCP messages.
If the number of packets sent and received between the DHCP relay agent, the server, and the
client is 0, communication is down.
l If the number is 0, verify that the dhcp select relay command has been executed on the
relay interface. Run the display dhcp relay address command to check whether the
specified DHCP server address is correct. If the number remains 0, go to 4, 5, and 6.
l If the number is not 0 but DHCP messages received from servers is 0, go to 5, 6, and
7.
l If the number is not 0 but DHCP messages received from clients is 0, go to 4, 6, and
7.
4. On the DHCP client, run the ping command to check whether the DHCP client and relay
agent are routable to each other. If they are not routable, troubleshoot the network
connection problem.
5. On the DHCP relay, run the ping command to check whether the DHCP relay interface
and the DHCP server are routable to each other. If they are not routable, troubleshoot the
network connection and routing problems.
6. Check whether the security policy rules are correct. Add the interfaces to security zones
and enable security policy between the security zone where the DHCP relay interface
resides and the Local zone, to allow packets through.
7. If static address allocation fails or IP address collisions occur, see Verifying
Configuration of the DHCP server to rectify server configuration errors.

8.4.5.3 Configuring a DHCP Client


After an interface of the device is configured as a DHCP client, it can obtain parameters such as
its IP address dynamically from a DHCP server. This simplifies configuration and allows
centralized management.

Prerequisites
On a DHCP relay-based network, the IP address of the DHCP relay interface is used as a client
default gateway address.

Context
The interface IP addresses can be obtained by manual configuration (both primary and secondary
IP addresses), PPP negotiation, or DHCP. Note that these methods are mutually exclusive;
therefore, you can use only a single method.

An interface can use DHCP to obtain network parameters from a DHCP server. The parameters
include IP addresses, egress gateway addresses, static routes, IP address leases, domain name
suffixes, DNS server addresses, and WINS server addresses. WINS server addresses are
reserved, and the WINS client function is not supported currently.

The obtained domain name suffix is not applied. If necessary, run the dns domain domain-name
command to create a suffix manually. If the device works as a DHCP client and accesses the
Internet by domain name, run the dns resolve command to enable dynamic domain name
resolution.

If the DHCP client function is enabled on an interface, the interface cannot be added to an Eth-
Trunk interface. If an interface is added to an Eth-Trunk interface, the DHCP client function
cannot be enabled on the interface.

In the dual-uplink networking, the interworking between DHCP and IP-Link or BFD can be
configured. Traffic is switched to the standby link if the active link fails. After the faulty link is
restored, the traffic is switched back to the active link. For details, see Configuring the
Interworking Between IP-Link and DHCP and Configuring the Interworking Between
BFD and DHCP.

Procedure
Step 1 Access the system view.
system-view

Step 2 Enable DHCP.


dhcp enable

By default, the DHCP service is enabled.

Step 3 Access the interface view.


interface interface-type interface-number [ .sub-interface-number ]

NOTE

The interface can be a GE interface or its subinterface, a Vlanif interface, or an Eth-trunk interface.

Step 4 Enable the DHCP client function.


dhcp client enable

The DHCP client function allows the interface to use DHCP to obtain network parameters, such
as an IP address.

By default, an interface does not obtain its IP address using DHCP.

NOTE

If the IP address assigned to the interface by the DHCP server resides on the same network segment as the
IP addresses of other interfaces on the device, the interface fails to apply for an IP address from the DHCP
server. To rectify this fault, manually delete the conflicting interface IP address.

Step 5 Optional: Prevent the DHCP client from using the gateway-option parameter allocated by the
DHCP server.
dhcp client forbid apply gateway-option

After this command is run, the gateway-option parameter allocated by the DHCP server is not applied on the DHCP client.

By default, the gateway-option parameter allocated by the DHCP server is allowed on the DHCP
client. The obtained egress gateway addresses are added to the FIB table. The route priority is
245.

You can run the ip route-static 0.0.0.0 0.0.0.0 nexthop-address command to manually configure
a default route and forbid the gateway-option parameter allocated by the DHCP server. If a
device has a manually configured default route and also permits the gateway-option parameter
allocated by the DHCP server, the device uses the manually configured default route, because that
route has a higher priority.

Step 6 Optional: Prevent the DHCP client from using the static-route-option parameter allocated by
the DHCP server.
dhcp client forbid apply static-route-option

By default, the static-route-option parameter allocated by the DHCP server is allowed on the
DHCP client. The obtained static route is added to the FIB table.

You can run the ip route-static command to manually configure a static route and prevent the
client from using the static-route-option parameter. If a device has a static route that is manually
configured and permits the static-route-option parameter, the DHCP client has multiple routes
for load balancing.

----End

Follow-up Procedure
1. Run the display dhcp-client command to view the interface configuration. Check whether
the interface obtains the information, such as an IP address, egress gateway, and DNS
server.
• If the following output is displayed, the interface has obtained the configuration, and no
action is required.
<NGFW> display dhcp-client interface GigabitEthernet 1/0/1 verbose
GigabitEthernet1/0/1 dhcp client : enable
current state : BOUND
Begin time : 2011.01.06 09:29:23
Server IP : 192.168.0.1
Client IP : 192.168.0.2
Subnet mask : 255.255.255.0
Gateway : 192.168.0.1
Static route : (10.1.1.1,192.168.0.2)
domain name : example.com
dns server : 192.168.0.1
Wins :
Bound time : 2011.01.06 09:29:30
Lease : 86400s
Renew time : 43200s
Rebind time : 75600s

• If either of the following outputs is displayed, the interface has not obtained the
configuration. Go to step 2.
<NGFW> display dhcp-client interface GigabitEthernet 1/0/1 verbose
GigabitEthernet1/0/1 dhcp client : enable
current state : SELECTING
Begin time : 2011.01.06 09:45:30

Or
<NGFW> display dhcp-client interface GigabitEthernet 1/0/1 verbose
GigabitEthernet1/0/1 dhcp client : enable

2. Check the network connectivity and route configurations. Ensure that the link between the
DHCP client and server is working properly.
3. Check whether the security policy rules are correct. Add the interfaces to security zones
and enable security policy between the security zone where the DHCP relay interface
resides and the Local zone, to allow packets through.
4. Check whether the DHCP server and the DHCP relay are properly configured.
• For details on how to troubleshoot a DHCP server, see Verifying Configuration.
• For details on how to troubleshoot a DHCP relay, see the follow-up procedure in 8.4.5.2
Configuring DHCP Relay.
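As an added example (not part of this guide), the following Python parses the output of display dhcp-client interface ... verbose shown above and maps it onto the follow-up procedure. The sample outputs are constructed from the ones printed above; the RFC 2131 T1 = 1/2 and T2 = 7/8 lease check and the handling of a state folded onto the first line are assumptions of the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample outputs, modelled on the three cases shown in the
# follow-up procedure above (bound, stuck in SELECTING, no exchange started).
BOUND_OUTPUT = """\
GigabitEthernet1/0/1 dhcp client : enable
current state : BOUND
Begin time : 2011.01.06 09:29:23
Server IP : 192.168.0.1
Client IP : 192.168.0.2
Subnet mask : 255.255.255.0
Gateway : 192.168.0.1
Static route : (10.1.1.1,192.168.0.2)
domain name : example.com
dns server : 192.168.0.1
Wins :
Bound time : 2011.01.06 09:29:30
Lease : 86400s
Renew time : 43200s
Rebind time : 75600s
"""
# Some captures fold the state onto the first line; the parser copes with that.
SELECTING_OUTPUT = """\
GigabitEthernet1/0/1 dhcp client : enable current state : SELECTING
Begin time : 2011.01.06 09:45:30
"""
IDLE_OUTPUT = "GigabitEthernet1/0/1 dhcp client : enable\n"


def parse_dhcp_client(text):
    """Turn the verbose display output into a dict keyed by the lower-cased
    field name. The first line carries the interface name and enable flag;
    every later 'key : value' line is split on its first colon, so the
    timestamps (which contain colons themselves) survive intact."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    head = re.match(r"(\S+) dhcp client : (\S+)", lines[0])
    if not head:
        raise ValueError("not 'display dhcp-client ... verbose' output")
    info = {"interface": head.group(1), "enabled": head.group(2) == "enable"}
    for ln in [lines[0][head.end():]] + lines[1:]:
        key, sep, value = ln.partition(":")
        if sep:
            info[key.strip().lower()] = value.strip()
    return info


def lease_timers(info):
    """Return (lease, renew, rebind) in seconds plus whether the device is
    using the usual RFC 2131 defaults of T1 = 1/2 and T2 = 7/8 of the lease."""
    secs = lambda key: int(info[key].rstrip("s"))
    lease, renew, rebind = secs("lease"), secs("renew time"), secs("rebind time")
    return lease, renew, rebind, renew == lease // 2 and rebind == lease * 7 // 8


def renew_schedule(info):
    """Wall-clock times at which the client will try to renew with its server
    (T1) and, failing that, rebind by broadcast (T2), counted from Bound time."""
    bound = datetime.strptime(info["bound time"], "%Y.%m.%d %H:%M:%S")
    _, renew, rebind, _ = lease_timers(info)
    return bound + timedelta(seconds=renew), bound + timedelta(seconds=rebind)


def next_action(info):
    """Map the output onto the follow-up procedure: a BOUND client needs no
    action; any other state, or no state line at all, means the DHCP exchange
    has not completed, so step 2 (link and routes) and step 3 (security policy
    between the interface's zone and the Local zone) are the next checks."""
    if not info["enabled"]:
        return "dhcp client enable is missing on the interface"
    state = info.get("current state")
    if state == "BOUND":
        return "no action required"
    if state is None:
        return "no DHCP exchange started: check link, routes and security policy"
    return f"client stuck in {state}: check link, routes and security policy"


def uses_server_gateway(info):
    """True when a gateway-option route was accepted (it lands in the FIB with
    priority 245, per the procedure); an empty Gateway field means the option
    was forbidden or not offered."""
    return bool(info.get("gateway"))


if __name__ == "__main__":
    for sample in (BOUND_OUTPUT, SELECTING_OUTPUT, IDLE_OUTPUT):
        info = parse_dhcp_client(sample)
        print(info["interface"], "->", next_action(info))
        if info.get("current state") == "BOUND":
            t1, t2 = renew_schedule(info)
            print("  renew at", t1, "rebind at", t2,
                  "default timers:", lease_timers(info)[3],
                  "server gateway applied:", uses_server_gateway(info))
```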

8.4.5.4 Maintaining DHCP


After configuring DHCP, you can run the display commands to view the configuration. You can
also clear statistics or enable the debugging function if necessary.

Displaying the DHCP Configuration


Displaying DHCP Server Configuration

Table 8-66 lists the commands to display the DHCP server configuration.

Table 8-66 Displaying the DHCP server configuration

Action: Display information about available IP addresses in a DHCP address pool.
Command: display dhcp server free-ip

Action: Display information about the IP addresses with expired leases in the DHCP address pool.
Command: display dhcp server expired { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] }

Action: Display address allocation information.
Command: display dhcp server ip-in-use { all | interface [ interface-type interface-number ] | ip ip-address | pool [ pool-name ] }

Action: Display statistics about a DHCP server.
Command: display dhcp server statistics

Action: Display information about the tree structure of a DHCP address pool.
Command: display dhcp server tree { all | interface [ interface-type interface-number ] | pool [ pool-name ] }

Action: Display information about the conflicting addresses in the DHCP address pool.
Command: display dhcp server conflict { all | ip ip-address }

Action: Display the path at which the DHCP database is saved and file information about the database.
Command: display dhcp server database

Displaying DHCP Relay Configuration

Table 8-67 lists the commands to display the DHCP relay configuration.

Table 8-67 Displaying DHCP relay configuration

Action: Display the DHCP relay interface status. (An interface is a relay interface if its DHCP message deal mode is relay.)
Command: display ip interface [ interface-type interface-number ]

Action: Display statistics about the DHCP relay.
Command: display dhcp relay statistics

Action: Display the DHCP server address that is configured for the DHCP relay interface.
Command: display dhcp relay address { all | interface interface-type interface-number }

Displaying DHCP Client Configuration


Table 8-68 lists the commands to display the DHCP client configuration.

Table 8-68 Displaying DHCP client configuration

Action: Display information about the DHCP client on the interface.
Command: display dhcp-client { all | interface interface-type interface-number } [ verbose ]

Resetting DHCP
You can remove connections by resetting DHCP address allocation information on a DHCP
server. This function is used to delete DHCP dynamic address allocation information when new
IP addresses need to be assigned.

NOTICE
Resetting DHCP connections using the reset dhcp command interrupts the operations on the
DHCP server. Exercise caution when using this command.

Table 8-69 lists commands run in the user view to reset DHCP.

Table 8-69 Resetting DHCP address allocation information

Action: Reset the address allocation information of a designated IP address.
Command: reset dhcp server ip-in-use ip ip-address

Action: Reset the address allocation information of a global address pool.
Command: reset dhcp server ip-in-use pool [ pool-name ]

Action: Reset the address allocation information of an interface address pool.
Command: reset dhcp server ip-in-use interface [ interface-type interface-number ]

Action: Reset the address allocation information of all address pools.
Command: reset dhcp server ip-in-use all


Releasing an IP Address
To prevent IP address collisions and reassign IP addresses after a PC is re-allocated or the settings
of a network device are modified, you can proactively release client IP addresses on the DHCP
server, DHCP relay agent, and DHCP clients.

Releasing a conflicting IP address on a DHCP server

Run the display dhcp server conflict command. If an IP address collision is detected, run the
following commands in the user view.

Table 8-70 Releasing a conflicting IP address on a DHCP server

Action: Release a designated conflicting IP address on the DHCP server.
Command: reset dhcp server conflict ip ip-address

Action: Release all conflicting IP addresses on the DHCP server.
Command: reset dhcp server conflict all

DHCP relay's request to release a client IP address on the DHCP server

If the original DHCP relay interface no longer functions as a relay agent, or the clients on the
LAN change, you can run the following commands to forcibly release the client IP addresses on
a DHCP server.

Table 8-71 DHCP relay's request for releasing a client IP address on a DHCP server

Action: Require all DHCP servers to release the client IP addresses (in the system view).
Command: dhcp relay release client-ip-address mac-address

Action: Require a designated DHCP server to release the client IP addresses (in the system view).
Command: dhcp relay release client-ip-address mac-address server-ip-address

Action: Require the DHCP server on which a specified interface resides to release the client IP addresses (in the interface view).
Command: dhcp relay release client-ip-address mac-address [ server-ip-address ]

Automatically updating an IP address by a DHCP client

When the configurations of the DHCP server change, you can run the following command in
the system view on a DHCP client to automatically update the lease and IP address.

Table 8-72 Automatically updating an IP address by the DHCP client

Action: Update the IP address obtained from the DHCP server.
Command: dhcp client renew

NOTE

The dhcp client renew command can be successfully executed only when the interface is configured with
the DHCP client function and has obtained an IP address.

Clearing DHCP Statistics


Before diagnosing DHCP faults, collect DHCP statistics for a period of time and check the
consistency between sent and received packets. Therefore, before you restart a statistics
operation, run the reset command to clear the historical statistics.

NOTE

DHCP statistics cannot be restored after you clear them. Confirm the action before you run the command.

Table 8-73 lists commands run in the user view to clear DHCP statistics.

Table 8-73 Clearing DHCP statistics

Action: Clear DHCP server statistics.
Command: reset dhcp server statistics

Action: Clear DHCP relay statistics.
Command: reset dhcp relay statistics

Debugging DHCP
When a DHCP fault occurs, run the following debugging commands in the user view to debug
DHCP, view the debugging information, and locate and analyze the fault.

Before enabling debugging, run the terminal monitor command in the user view to enable the
terminal information display, and the terminal debugging command in the user view to enable
the terminal debugging information display.

NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.

For details on the description of the debugging commands, see Debugging Reference.

Table 8-74 shows commands to debug DHCP server information.

Table 8-74 Debugging DHCP server information

Action: Enable the debugging of all DHCP server information.
Command: debugging dhcp server all

Action: Enable DHCP server error debugging.
Command: debugging dhcp server error

Action: Enable DHCP server event debugging.
Command: debugging dhcp server event

Action: Enable DHCP server packet debugging.
Command: debugging dhcp server packet

Table 8-75 shows commands to debug DHCP relay information.

Table 8-75 Debugging DHCP relay information

Action: Enable the debugging of all DHCP relay information.
Command: debugging dhcp relay all

Action: Enable DHCP relay error debugging.
Command: debugging dhcp relay error

Action: Enable DHCP relay event debugging.
Command: debugging dhcp relay event

Action: Enable DHCP relay packet debugging.
Command: debugging dhcp relay packet

Table 8-76 shows commands to debug DHCP client information.

Table 8-76 Debugging DHCP client information

Action: Enable the debugging of all DHCP client information.
Command: debugging dhcp client all

Action: Enable DHCP client error debugging.
Command: debugging dhcp client error

Action: Enable DHCP client event debugging.
Command: debugging dhcp client event

Action: Enable DHCP client packet debugging.
Command: debugging dhcp client packet

8.4.6 Configuration Examples


This section provides examples for configuring the DHCP server and relay to dynamically assign
IP addresses to clients.


8.4.6.1 Example for Configuring a DHCP Server


After learning this configuration example, you can understand how the device on a small network
uses the Layer-3 Ethernet Interfaces to dynamically allocate IP addresses to DHCP clients and
to specify IP addresses of their gateways, DNS servers, and WINS servers.

Networking Requirements
The network is small and tens of PCs and two servers are deployed on network segment
192.168.0.0/24. The NGFW shown in Figure 8-54 connects to a Layer 2 switch using
GigabitEthernet 1/0/1 and assigns IP addresses to clients attached to this interface.
The network topology is as follows:
• Two PCs use DHCP to obtain IP addresses.
• The address lease is 10 days and 12 hours, the domain name suffix is example.com, the DNS
server address is 192.168.0.253, the WINS server address is 192.168.0.254, and the egress
gateway address is 192.168.0.1.

Figure 8-54 Networking diagram for configuring a DHCP server (the NGFW, acting as DHCP
server, connects through GE1/0/1, 192.168.0.1/24, in the Trust zone to a LAN switch that serves
the DHCP clients, the WINS server 192.168.0.254, and the DNS server 192.168.0.253)

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP service on the NGFW.
2. Configure DHCP client network parameters on the NGFW. The parameters include domain
name suffixes, DNS server addresses, WINS server addresses, and egress gateway
addresses.
3. Set Internet Protocol (TCP/IP) Properties to Obtain an IP address automatically and
Obtain DNS server address automatically on each DHCP client. The settings enable the
DHCP clients to automatically obtain IP addresses and other network parameters allocated
by a DHCP server.
NOTE

Correctly plan and configure important network parameters, such as the domain name suffixes, DNS server
addresses, and egress gateway addresses, for the DHCP clients on the DHCP server. The plan helps prevent
network access errors caused by incorrect DHCP client parameters.


Procedure
Step 1 Configure GigabitEthernet 1/0/1 on the NGFW.
1. Choose Network > Interface.
2. Click and set the following parameters for GE1/0/1.

Table 8-77 Interface parameters

Zone: trust
Mode: Route
IPv4
  Connection Type: Static IP
  IP Address: 192.168.0.1/255.255.255.0

3. Click OK.

Step 2 Configure the NGFW as a DHCP server.


1. Choose Network > DHCP Server > Settings.
2. Click Add and set the following parameters.

Table 8-78 DHCP server parameters

Interface Name: GigabitEthernet 1/0/1
Type: IPv4
Service Type: Server
IP Addresses Range: 192.168.0.1 to 192.168.0.254
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.0.1
DNS Service: Specify
Primary DNS Server: 192.168.0.253
Advanced
  Domain Name: example.com
  Lease Duration: 10 Day 12 Hour
  Primary WINS Server: 192.168.0.254

3. Click OK.

Step 3 Configure a DHCP client. The following example uses a PC running Windows XP.


1. Right-click Network Neighborhood on the desktop, and choose Attributes > Network
Connections.
2. Right-click Local Area Connection of the connected network adapter, and choose
Properties.
3. Select Internet Protocol (TCP/IP) and click Properties. The Internet Protocol (TCP/
IP) Properties window is displayed. Select Obtain an IP address automatically and
Obtain DNS server address automatically.

----End

Configuration Verification
1. Check the address lease duration list of the DHCP server to determine whether IP addresses
are assigned to PCs on the LAN.
a. Choose Network > DHCP Server > Monitor.
b. Check the client IP address assigned by the DHCP server.
2. On a PC (DHCP client), press Start > Run and enter cmd to display the DOS screen. Run
the ipconfig /all command and verify that the client has obtained the network parameters.
The parameters include an IP address, default gateway address, WINS server address, and
DNS server address.
C:\Documents and Settings\Administrator> ipconfig /all
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : example.com
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-21-97-c7-4a-18
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.0.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
DHCP Server . . . . . . . . . . . : 192.168.0.1
DNS Servers . . . . . . . . . . . : 192.168.0.253
Primary WINS Server . . . . . . . : 192.168.0.254
Lease Obtained. . . . . . . . . . : Tuesday, December 6, 2011, 05:58:28 AM
Lease Expires . . . . . . . . . . : Friday, December 16, 2011, 05:58:28 AM

Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/1
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server ip-range 192.168.0.1 192.168.0.254
dhcp server gateway-list 192.168.0.1
dhcp server dns-list 192.168.0.253
dhcp server domain-name example.com
dhcp server nbns-list 192.168.0.254
dhcp server expired day 10 hour 12
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
return


8.4.6.2 Example for Configuring a Global Address Pool-based DHCP Server (Using
the Layer-3 Ethernet Interface)
After learning this configuration example, you can understand how to use the Layer-3 Ethernet
Interfaces to configure a DHCP server based on global address pools, and enable the DHCP
server to provide services for clients, including dynamic address allocation, static address
allocation, egress gateway address, DNS server address, and WINS server address.

Networking Requirements
As shown in Figure 8-55, an enterprise has two offices, which are connected to the NGFW using
the Layer 2 switches. To save resources, the NGFW also works as the DHCP server for the hosts
in the two offices to assign IP addresses, gateways, DNS servers, and WINS servers.

The network topology is as follows:

• Fixed IP addresses have been assigned to four hosts (the DNS server, the WINS server, and
two hosts in the offices). The IP addresses are 10.1.1.2/25, 10.1.1.4/25, 10.1.1.126/25, and
10.1.1.254/25 respectively.
• The two hosts require higher access permissions and apply for new fixed IP addresses
10.1.1.5/25 and 10.1.1.253/25.
• Office 1 resides on network segment 10.1.1.0/25. Its address lease is 10 days and 12 hours,
domain name suffix is example.com, DNS server address is 10.1.1.2/25, WINS server
address is 10.1.1.4/25, and egress gateway address is 10.1.1.1/25.
• Office 2 resides on network segment 10.1.1.128/25. Its address lease is 5 days, domain
name suffix is example.com, DNS server address is 10.1.1.2/25, no WINS server is
configured, and egress gateway address is 10.1.1.129/25.

Figure 8-55 Networking diagram for configuring a global address pool-based DHCP server
using the Layer-3 Ethernet Interfaces (GE1/0/1 of the NGFW, in the Trust zone, connects through
a Layer 2 LAN switch to network 10.1.1.0/25, which holds the WINS server, the DNS server,
Host1 and DHCP clients; GE1/0/2, also in the Trust zone, connects through a Layer 2 LAN
switch to network 10.1.1.128/25, which holds Host2 and DHCP clients)

Item: NGFW
Data: Interface number: GigabitEthernet 1/0/1; IP address: 10.1.1.1/25; Security zone: Trust
Description: Interface GigabitEthernet 1/0/1 connected to network segment 10.1.1.0/25 where office 1 resides

Item: NGFW
Data: Interface number: GigabitEthernet 1/0/2; IP address: 10.1.1.129/25; Security zone: Trust
Description: Interface GigabitEthernet 1/0/2 connected to network segment 10.1.1.128/25 where office 2 resides

Item: WINS server
Data: IP address: 10.1.1.4/25
Description: WINS server allocated to DHCP clients on network segment 10.1.1.0/25

Item: DNS server
Data: IP address: 10.1.1.2/25
Description: DNS server allocated to DHCP clients on network segments 10.1.1.0/25 and 10.1.1.128/25

Item: Domain name suffix
Data: example.com
Description: Domain name suffix assigned to DHCP clients on network segments 10.1.1.0/25 and 10.1.1.128/25

Item: Address lease
Data: 10 days 12 hours
Description: Address lease assigned to DHCP clients on network segment 10.1.1.0/25

Item: Address lease
Data: 5 days
Description: Address lease assigned to DHCP clients on network segment 10.1.1.128/25

Item: Egress gateway
Data: IP address: 10.1.1.1/25
Description: Egress gateway allocated to DHCP clients on network segment 10.1.1.0/25

Item: Egress gateway
Data: IP address: 10.1.1.129/25
Description: Egress gateway allocated to DHCP clients on network segment 10.1.1.128/25

Item: Host1
Data: IP address: 10.1.1.5/25; MAC address: 0021-97cf-2238
Description: Host requiring a fixed IP address

Item: Host2
Data: IP address: 10.1.1.253/25; MAC address: 00e0-4c86-58eb
Description: Host requiring a fixed IP address


Configuration Roadmap
The configuration roadmap of DHCP server is as follows:
1. Enable DHCP service.
2. Reserve the IP addresses that have been specified (such as DNS server address, WINS
server address, and two host addresses) to avoid reassigning them.
3. Dynamically allocate IP addresses and other network parameters.
On the network, the NGFW connects to clients using a Layer 2 switch and multiple
interfaces; therefore, you are advised to assign IP addresses based on global address pools.
To simplify the configuration, you can employ three address pools. Address pool 0 (network
segment 10.1.1.0/24) specifies the common attributes of all clients (such as their domain
name suffix and DNS server). Address pool 1 (network segment 10.1.1.0/25) and address
pool 2 (network segment 10.1.1.128/25) specify the unique attributes of each network
segment (such as their address ranges, address lease, gateway addresses, and WINS
servers).
NOTE

You can also employ two address pools, pool 1 and pool 2. The two address pools cannot inherit the
configurations of their parent node; therefore, their unique attributes must be configured separately.
4. To meet the requirement of the hosts for using fixed IP addresses, allocate IP addresses
statically and configure other network parameters.
Create two global address pools 3 and 4, each of which has one IP address (10.1.1.5/25 and
10.1.1.253/25 respectively) for static address allocation. Address pool 3 inherits the
common attributes of address pool 0 and address pool 1. Address pool 4 inherits the common
attributes of address pool 0 and address pool 2. No other network parameter needs to be
configured for address pools 3 and 4.
5. Set Internet Protocol (TCP/IP) Properties to Obtain an IP address automatically and
Obtain DNS server address automatically on each DHCP client, enabling the DHCP
clients to automatically obtain IP addresses and other network parameters allocated by the
DHCP server.
NOTE

It is recommended to centrally plan and configure important network parameters, such as domain name suffix,
DNS server, and egress gateway, for the DHCP clients on the DHCP server, to avoid network access errors
caused by incorrect configurations of the DHCP client network parameters.

Procedure
Step 1 Enable DHCP service.
<NGFW> system-view
[NGFW] dhcp enable

Step 2 Reserve IP addresses, including addresses of the DNS server, the WINS server, Host1, and
Host2.
[NGFW] dhcp server forbidden-ip 10.1.1.2
[NGFW] dhcp server forbidden-ip 10.1.1.4
[NGFW] dhcp server forbidden-ip 10.1.1.126
[NGFW] dhcp server forbidden-ip 10.1.1.254

Step 3 Configure the global address pool attributes of the DHCP server.
# In address pool 0, specify the IP address range of DHCP address pool 0, and configure common
attributes (domain name suffix and DNS server address) for address pools 0, 1, and 2.

[NGFW] dhcp server ip-pool 0
[NGFW-dhcp-0] network 10.1.1.0 mask 255.255.255.0
[NGFW-dhcp-0] domain-name example.com
[NGFW-dhcp-0] dns-list 10.1.1.2
[NGFW-dhcp-0] quit

# Configure the attributes of address pool 1 (the IP address range of the address pool, the egress
gateway, and the address lease).
[NGFW] dhcp server ip-pool 1
[NGFW-dhcp-1] network 10.1.1.0 mask 255.255.255.128
[NGFW-dhcp-1] gateway-list 10.1.1.1
[NGFW-dhcp-1] expired day 10 hour 12
[NGFW-dhcp-1] quit

# Configure the attributes of address pool 2 (the IP address range of the address pool, the egress
gateway, the WINS server address, and the address lease).
[NGFW] dhcp server ip-pool 2
[NGFW-dhcp-2] network 10.1.1.128 mask 255.255.255.128
[NGFW-dhcp-2] nbns-list 10.1.1.4
[NGFW-dhcp-2] gateway-list 10.1.1.129
[NGFW-dhcp-2] expired day 5
[NGFW-dhcp-2] quit

# Configure the attributes of address pool 3, and perform IP-MAC address binding in the address
pool.
[NGFW] dhcp server ip-pool 3
[NGFW-dhcp-3] static-bind ip-address 10.1.1.5 mask 255.255.255.128
[NGFW-dhcp-3] static-bind mac-address 0021-97cf-2238
[NGFW-dhcp-3] quit

# Configure the attributes of address pool 4, and perform IP-MAC address binding in the address
pool.
[NGFW] dhcp server ip-pool 4
[NGFW-dhcp-4] static-bind ip-address 10.1.1.253 mask 255.255.255.128
[NGFW-dhcp-4] static-bind mac-address 00e0-4c86-58eb
[NGFW-dhcp-4] quit

Step 4 Specify the interface IP address, and configure the clients under the interface to obtain IP
addresses from global address pools.

# Configure the clients under interface GigabitEthernet 1/0/1 to obtain IP addresses from global
address pools.
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 10.1.1.1 255.255.255.128
[NGFW-GigabitEthernet1/0/1] dhcp select global
[NGFW-GigabitEthernet1/0/1] quit

# Configure the clients under interface GigabitEthernet 1/0/2 to obtain IP addresses from global
address pools.
[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] ip address 10.1.1.129 255.255.255.128
[NGFW-GigabitEthernet1/0/2] dhcp select global
[NGFW-GigabitEthernet1/0/2] quit

Step 5 Add interfaces to corresponding security zones and configure the security policy.
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW-zone-trust] add interface GigabitEthernet 1/0/2
[NGFW-zone-trust] quit


[NGFW] security-policy
[NGFW-policy-security] rule name sec_policy
[NGFW-policy-security-rule-sec_policy] source-zone trust
[NGFW-policy-security-rule-sec_policy] source-zone local
[NGFW-policy-security-rule-sec_policy] destination-zone local
[NGFW-policy-security-rule-sec_policy] destination-zone trust
[NGFW-policy-security-rule-sec_policy] action permit

Step 6 Configure DHCP clients (using a Windows XP-based PC as an example).


1. Right-click Network Neighborhood on the desktop, and choose Attributes > Network
Connections.
2. Right-click Local Area Connection of the connected network adapter, and choose
Properties.
3. Select Internet Protocol (TCP/IP) and click Properties. The Internet Protocol (TCP/
IP) Properties window is displayed. Select Obtain an IP address automatically and
Obtain DNS server address automatically.

----End
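As an added example (not Huawei's code), the following Python models the global address pool tree built in Steps 2 and 3: a pool's parent is the most specific pool whose network contains it, child pools inherit domain-name, dns-list, gateway-list, nbns-list and the lease from the nearest ancestor that sets them, and a static binding never expires, which is what display dhcp server tree shows in the verification below. The rule that forbidden-ip entries, the pool's gateway and statically bound addresses are excluded from dynamic allocation is an assumption of the model, not a statement from the guide.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Attributes a child pool inherits from its nearest ancestor unless it sets them.
INHERITED = ("gateway-list", "dns-list", "domain-name", "nbns-list", "expired")


@dataclass
class Pool:
    name: str
    network: Optional[ipaddress.IPv4Network] = None    # dynamic pools
    static_ip: Optional[ipaddress.IPv4Address] = None  # static-bind pools
    static_mac: Optional[str] = None
    attrs: dict = field(default_factory=dict)          # set on this pool only


def net(cidr):
    return ipaddress.ip_network(cidr)


def host(addr):
    return ipaddress.ip_address(addr)


# Constructed from Steps 2 and 3 of the procedure above.
FORBIDDEN = {host(a) for a in ("10.1.1.2", "10.1.1.4", "10.1.1.126", "10.1.1.254")}
POOLS = {
    "0": Pool("0", net("10.1.1.0/24"),
              attrs={"domain-name": "example.com", "dns-list": "10.1.1.2"}),
    "1": Pool("1", net("10.1.1.0/25"),
              attrs={"gateway-list": "10.1.1.1", "expired": {"day": 10, "hour": 12}}),
    "2": Pool("2", net("10.1.1.128/25"),
              attrs={"gateway-list": "10.1.1.129", "nbns-list": "10.1.1.4",
                     "expired": {"day": 5}}),
    "3": Pool("3", static_ip=host("10.1.1.5"), static_mac="0021-97cf-2238"),
    "4": Pool("4", static_ip=host("10.1.1.253"), static_mac="00e0-4c86-58eb"),
}


def parent_of(name, pools=POOLS):
    """The parent is the most specific other dynamic pool whose network strictly
    contains this pool's network (or, for a static-bind pool, the bound host)."""
    me, best = pools[name], None
    for other in pools.values():
        if other.name == name or other.network is None:
            continue
        if me.network is not None:
            contains = me.network != other.network and me.network.subnet_of(other.network)
        else:
            contains = me.static_ip in other.network
        if contains and (best is None or other.network.prefixlen > best.network.prefixlen):
            best = other
    return best.name if best else None


def effective(name, pools=POOLS):
    """Resolve what a client served from this pool receives: the nearest
    ancestor that sets an attribute wins, the lease defaults to one day, and a
    static binding never expires ('expired unlimited' in the tree output)."""
    eff, cur = {}, name
    while cur is not None:
        for key, value in pools[cur].attrs.items():
            if key in INHERITED and key not in eff:
                eff[key] = value
        cur = parent_of(cur, pools)
    eff.setdefault("expired", {"day": 1})
    if pools[name].static_ip is not None:
        eff["expired"] = "unlimited"
    return eff


def lease_text(expired):
    """Format a lease the way display dhcp server tree prints it."""
    if expired == "unlimited":
        return "unlimited"
    return "day {} hour {} minute {}".format(
        expired.get("day", 0), expired.get("hour", 0), expired.get("minute", 0))


def allocatable(name, pools=POOLS, forbidden=FORBIDDEN):
    """Addresses a dynamic pool can still hand out. Assumption of this model:
    forbidden-ip entries, the pool's own gateway and every statically bound
    address are never assigned dynamically."""
    pool = pools[name]
    reserved = set(forbidden) | {p.static_ip for p in pools.values()
                                 if p.static_ip is not None}
    gateway = effective(name, pools).get("gateway-list")
    if gateway:
        reserved.add(host(gateway))
    return [h for h in pool.network.hosts() if h not in reserved]


if __name__ == "__main__":
    for name in sorted(POOLS):
        eff = effective(name)
        print(f"Pool {name}: parent {parent_of(name)}, lease {lease_text(eff['expired'])}, "
              f"gateway {eff.get('gateway-list')}, nbns {eff.get('nbns-list')}")
        if POOLS[name].network is not None and name != "0":
            print(f"  {len(allocatable(name))} addresses available for dynamic allocation")
```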

Configuration Verification
1. On any PC on the two network segments where office 1 and office 2 reside, run the cmd
command to enter the DOS environment. Run the ipconfig /all command to verify whether
the client has obtained the network parameters, such as an IP address, default gateway
address, WINS server address, and DNS server address. If the configuration is correct,
Host1 and Host2 are assigned their fixed IP addresses.
NOTE

If the information obtained by the DHCP client is incomplete (for example, only the IP address is
obtained but other network parameters are not), run the ipconfig /release command to release the
dynamic IP address, and then run the ipconfig /renew command to apply for a new IP address and
other network parameters.
C:\Documents and Settings\Administrator> ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : example


Primary Dns Suffix . . . . . . . : example.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : example.com
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : example.com


Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-1B-B9-7A-7D-61
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.1.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.128
Default Gateway . . . . . . . . . : 10.1.1.1
DHCP Server . . . . . . . . . . . : 10.1.1.1
DNS Servers . . . . . . . . . . . : 10.1.1.2
Primary WINS Server . . . . . . . : 10.1.1.4
Lease Obtained. . . . . . . . . . : Saturday, January 15, 2011 15:56:34 PM
Lease Obtained. . . . . . . . . . : Wednesday, January 26, 2011 03:56:34 AM

2. On the DHCP server NGFW, run the display dhcp server tree command to view the tree
structure of the DHCP address pool, including the information about the DNS server
address, egress gateway address, and address lease.
[NGFW] display dhcp server tree all
Global pool:
Pool name: 0
Child node:1
dns-list 10.1.1.2(S)
domain-name example.com
expired day 1 hour 0 minute 0
network 10.1.1.0 mask 255.255.255.0

Pool name: 1
Parent node:0
Child node:3
Sibling node:2
gateway-list 10.1.1.1
dns-list 10.1.1.2(S)
domain-name example.com
expired day 10 hour 12 minute 0
network 10.1.1.0 mask 255.255.255.128

Pool name: 3
Parent node:1
gateway-list 10.1.1.1
dns-list 10.1.1.2(S)
domain-name example.com
expired unlimited
static-bind ip-address 10.1.1.5 mask 255.255.255.128
static-bind mac-address 0021-97cf-2238

Pool name: 2
Parent node:0
Child node:4
PrevSibling node:1
gateway-list 10.1.1.129
dns-list 10.1.1.2(S)
domain-name example.com
nbns-list 10.1.1.4
expired day 5 hour 0 minute 0
network 10.1.1.128 mask 255.255.255.128

Pool name: 4
Parent node:2
gateway-list 10.1.1.129
dns-list 10.1.1.2(S)
domain-name example.com
nbns-list 10.1.1.4
expired unlimited
static-bind ip-address 10.1.1.253 mask 255.255.255.128
static-bind mac-address 00e0-4c86-58eb

3. On the DHCP server NGFW, run the display dhcp server statistics command to view the
statistics information.
[NGFW] display dhcp server statistics
Global Pool:
Pool Number: 5
Binding
Auto: 2
Manual: 2
Expire: 0
Interface Pool:
Pool Number: 0


Binding
Auto: 0
Manual: 0
Expire: 0
Boot Request: 46
Dhcp Discover: 16
Dhcp Request: 22
Dhcp Decline: 0
Dhcp Release: 0
Dhcp Inform: 8
Boot Reply: 32
Dhcp Offer: 8
Dhcp Ack: 22
Dhcp Nak: 2
Bad Messages: 0

HA Message:
BatchBackup send msg: 0
BatchBackup recv msg: 0
BatchBackup send lease: 0
BatchBackup recv lease: 0

4. On the DHCP server NGFW, run the display dhcp server ip-in-use command to verify
whether the correct IP address is specified.
[NGFW] display dhcp server ip-in-use all
Global pool:
IP address Hardware address Lease expiration Type
10.1.1.5 0021-97cf-2238 Unlimited Manual
10.1.1.253 00e0-4c86-58eb Unlimited Manual
10.1.1.130 0efc-0505-86e3 Jan 20 2011 15:56:25 PM
Auto:COMMITED
10.1.1.3 001B-B97A-7D61 Jan 26 2011 03:56:34 AM
Auto:COMMITED

5. On the DHCP server NGFW, run the display dhcp server conflict command to check for
conflicting IP addresses.
[NGFW] display dhcp server conflict all
Info:No ip conflicted!

Configuration Scripts
Configuration scripts of NGFW
#
sysname NGFW
#
dhcp server forbidden-ip 10.1.1.2
dhcp server forbidden-ip 10.1.1.4
dhcp server forbidden-ip 10.1.1.126
dhcp server forbidden-ip 10.1.1.254
#
dhcp server ip-pool 0
network 10.1.1.0 mask 255.255.255.0
dns-list 10.1.1.2
domain-name example.com
#
dhcp server ip-pool 1
network 10.1.1.0 mask 255.255.255.128
gateway-list 10.1.1.1
expired day 10 hour 12
#
dhcp server ip-pool 2
network 10.1.1.128 mask 255.255.255.128
gateway-list 10.1.1.129
nbns-list 10.1.1.4
expired day 5
#
dhcp server ip-pool 3
static-bind ip-address 10.1.1.5 mask 255.255.255.128
static-bind mac-address 0000-e03f-0305
#
dhcp server ip-pool 4
static-bind ip-address 10.1.1.253 mask 255.255.255.128
static-bind mac-address 00e0-4c86-58eb
#
interface GigabitEthernet1/0/1
ip address 10.1.1.1 255.255.255.128
#
interface GigabitEthernet1/0/2
ip address 10.1.1.129 255.255.255.128
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
security-policy
rule name sec_policy
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
#
return

NOTE

By default, the DHCP service is enabled and IP addresses are assigned from global address pools (in
global mode); therefore, the dhcp enable command and the dhcp select global command are not mentioned
in this configuration script.

8.4.6.3 Example for Configuring a Global Address Pool-based DHCP Server (Using Subinterfaces)
After learning this configuration example, you can understand how to use the NGFW
subinterfaces to configure a DHCP server based on global address pools, and enable the DHCP
server to provide services for DHCP clients on VLANs, including dynamic address allocation,
egress gateway address, DNS server address, and WINS server address.

Networking Requirements
An enterprise attempts to divide different VLANs for different departments using a Layer 2
switch. To save resources, the NGFW works as the DHCP server to specify network parameters
to all hosts on VLANs, including allocating IP addresses, configuring domain names, DNS
server addresses, WINS server addresses, and egress gateway addresses.

As shown in Figure 8-56, the NGFW connects to the Layer 2 switch using interface
GigabitEthernet 1/0/1, and divides interface GigabitEthernet 1/0/1 to two subinterfaces that
connect to VLAN 10 and VLAN 20 respectively.

NOTE

To focus on how to assign IP addresses to DHCP clients on VLANs using subinterfaces, this section
highlights a part of the network.

The network topology is as follows:

l Two servers are specified with fixed IP addresses: 10.1.2.2/24 and 10.1.1.4/24.
l For hosts on VLAN 10, their address lease is 10 days and 12 hours, domain name is
example.com, DNS server address is 10.1.2.2/24, WINS server address is 10.1.1.4/24, and
egress gateway address is 10.1.1.1/24.
l For hosts on VLAN 20, their address lease is 5 days, domain name is example.com, DNS
server address is 10.1.2.2/24, no WINS server is configured, and egress gateway address
is 10.1.2.1/24.

Figure 8-56 Networking diagram for configuring a global address pool-based DHCP server
using subinterfaces
(Figure: the NGFW, acting as DHCP server in the Trust zone, connects through GE1/0/1 to a
Layer 2 LAN switch. Subinterface GE1/0/1.1 serves VLAN 10, which holds DHCP clients and the
WINS server 10.1.1.4/24; subinterface GE1/0/1.2 serves VLAN 20, which holds DHCP clients and
the DNS server 10.1.2.2/24.)

Item | Data | Description
NGFW | Interface number: GigabitEthernet 1/0/1.1; IP address: 10.1.1.1/24; Security zone: Trust | Subinterface GigabitEthernet 1/0/1.1 is associated with VLAN 10. The DHCP server assigns IP addresses and specifies network parameters to DHCP clients on VLAN 10 using this subinterface.
NGFW | Interface number: GigabitEthernet 1/0/1.2; IP address: 10.1.2.1/24; Security zone: Trust | Subinterface GigabitEthernet 1/0/1.2 is associated with VLAN 20. The DHCP server assigns IP addresses and specifies network parameters to DHCP clients on VLAN 20 using this subinterface.
WINS server | IP address: 10.1.1.4 | WINS server assigned to DHCP clients on VLAN 10.
DNS server | IP address: 10.1.2.2 | DNS server assigned to DHCP clients on VLAN 20.
Domain name suffix | example.com | Domain name suffix assigned to DHCP clients on VLAN 10 and VLAN 20.
Address lease | 10 days and 12 hours | Address lease assigned to DHCP clients on VLAN 10.
Address lease | 5 days | Address lease assigned to DHCP clients on VLAN 20.
Egress gateway | IP address: 10.1.1.1 | Egress gateway assigned to DHCP clients on VLAN 10.
Egress gateway | IP address: 10.1.2.1 | Egress gateway assigned to DHCP clients on VLAN 20.

Configuration Roadmap
The configuration roadmap is as follows:

1. To assign IP addresses and specify network parameters for DHCP clients on VLANs using
interfaces, you need to configure the following items on DHCP servers.

a. Enable the DHCP service.
b. Reserve the IP addresses that have been specified (such as DNS server address and
WINS server address) to avoid reassigning them.
c. Dynamically allocate IP addresses and other network parameters.
You are advised to use global address pools to assign IP addresses on a large network.
To simplify the configuration, you can employ three address pools. Address pool 0
(network segment 10.1.0.0/16) specifies the common properties of all clients (such as
their domain name suffix and DNS server). Address pool 1 (network segment
10.1.1.0/24) and address pool 2 (network segment 10.1.2.0/24) specify the unique
properties of each network segment (such as their address ranges, address lease,
gateway addresses, and WINS servers).

d. Associate two subinterfaces to VLAN 10 and VLAN 20. Enable global address pools
for the two subinterfaces.
2. Set the switch interface connected to the NGFW as a Trunk interface. Add the switch
interfaces connected to PCs to related VLANs in default mode. (The configuration
procedure is not mentioned here.)
3. Set Internet Protocol (TCP/IP) Properties to Obtain an IP address automatically and
Obtain DNS server address automatically on each DHCP client, enabling the DHCP
clients to automatically obtain IP addresses and other network parameters allocated by the
DHCP server.
NOTE

It is recommended to centrally plan and configure important network parameters, such as domain name
suffix, DNS server, and egress gateway, for the DHCP clients on the DHCP server, to avoid network access
errors caused by incorrect configurations of the DHCP client network parameters.
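The hierarchy described in the roadmap (pool 0 holding the common attributes, pools 1 and 2 holding the per-segment ones) can be modelled in a few lines. The following Python is an added example, not code from this guide or from the NGFW: it assumes that a global-mode server picks the pool by longest-prefix match on the address of the receiving subinterface, that a child pool inherits every attribute it does not set from its parent, and that forbidden addresses and the interface address itself are skipped. The one-day default lease mirrors the "expired day 1 hour 0 minute 0" shown on pool 0 in the verification output; the pool data and client MACs are constructed from this example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Added example (not the guide's own code): a model of how hierarchical global
# address pools resolve the parameters handed to a client. Pool data is a
# constructed copy of this example's plan: pool 0 = 10.1.0.0/16 carries the
# common attributes, pools 1 and 2 are the per-VLAN segments.

DEFAULT_LEASE = "day 1 hour 0 minute 0"  # matches 'expired day 1 hour 0 minute 0' shown on pool 0


@dataclass
class Pool:
    name: str
    network: ipaddress.IPv4Network
    parent: Optional["Pool"] = None
    attrs: dict = field(default_factory=dict)  # keyed by CLI keyword: gateway-list, dns-list, ...

    def effective(self) -> dict:
        """Merge attributes root-first so a child's own setting overrides its parent's."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        merged = {}
        for node in reversed(chain):
            merged.update(node.attrs)
        return merged


class GlobalPoolServer:
    def __init__(self):
        self.pools = []
        self.forbidden = set()  # dhcp server forbidden-ip
        self.in_use = {}        # allocated address -> client MAC

    def add_pool(self, pool):
        self.pools.append(pool)

    def forbid(self, ip):
        self.forbidden.add(ipaddress.IPv4Address(ip))

    def select_pool(self, interface_ip):
        """Global mode: the pool whose network contains the receiving (sub)interface
        address; the most specific (longest prefix) match wins."""
        addr = ipaddress.IPv4Address(interface_ip)
        candidates = [p for p in self.pools if addr in p.network]
        return max(candidates, key=lambda p: p.network.prefixlen, default=None)

    def allocate(self, interface_ip, mac):
        """Hand out the lowest free host address plus the pool's effective parameters."""
        pool = self.select_pool(interface_ip)
        if pool is None:
            return None
        params = pool.effective()
        params.setdefault("expired", DEFAULT_LEASE)
        unavailable = self.forbidden | set(self.in_use) | {ipaddress.IPv4Address(interface_ip)}
        for host in pool.network.hosts():
            if host not in unavailable:
                self.in_use[host] = mac
                return {"ip": str(host), "mask": str(pool.network.netmask), "pool": pool.name, **params}
        return None  # pool exhausted


def build_example_server():
    """Reproduces the pools of this example (constructed from the configuration script)."""
    srv = GlobalPoolServer()
    srv.forbid("10.1.2.2")  # DNS server
    srv.forbid("10.1.1.4")  # WINS server
    pool0 = Pool("0", ipaddress.IPv4Network("10.1.0.0/16"),
                 attrs={"domain-name": "example.com", "dns-list": "10.1.2.2"})
    pool1 = Pool("1", ipaddress.IPv4Network("10.1.1.0/24"), parent=pool0,
                 attrs={"gateway-list": "10.1.1.1", "nbns-list": "10.1.1.4",
                        "expired": "day 10 hour 12 minute 0"})
    pool2 = Pool("2", ipaddress.IPv4Network("10.1.2.0/24"), parent=pool0,
                 attrs={"gateway-list": "10.1.2.1", "expired": "day 5 hour 0 minute 0"})
    for p in (pool0, pool1, pool2):
        srv.add_pool(p)
    return srv


if __name__ == "__main__":
    srv = build_example_server()
    print(srv.allocate("10.1.1.1", "00-1b-b9-7a-7d-61"))  # client on VLAN 10 via GE1/0/1.1
    print(srv.allocate("10.1.2.1", "0e-fc-05-05-86-e3"))  # client on VLAN 20 via GE1/0/1.2
```

A client reached through GE1/0/1.1 lands in pool 1 and receives the WINS server and the 10-day, 12-hour lease, while one reached through GE1/0/1.2 lands in pool 2 with no WINS server and a 5-day lease; both receive the domain name and DNS server only from pool 0. An address that falls into 10.1.0.0/16 but into neither child pool gets pool 0's attributes alone, including the default lease.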

Procedure
Step 1 Enable DHCP service.
<NGFW> system-view
[NGFW] dhcp enable

Step 2 Reserve IP addresses (including DNS server addresses and WINS server addresses).
[NGFW] dhcp server forbidden-ip 10.1.2.2
[NGFW] dhcp server forbidden-ip 10.1.1.4

Step 3 Configure the global address pool attributes of the DHCP server.
# In address pool 0, specify the IP address range of DHCP address pool 0, and configure common
attributes (domain name suffix and DNS server address) for address pools 0 and 1.
[NGFW] dhcp server ip-pool 0
[NGFW-dhcp-0] network 10.1.0.0 mask 255.255.0.0
[NGFW-dhcp-0] domain-name example.com
[NGFW-dhcp-0] dns-list 10.1.2.2
[NGFW-dhcp-0] quit

# Configure the attributes of DHCP address pool 1 (the IP address range of the address pool, the
egress gateway, the WINS server address, and the address lease).
[NGFW] dhcp server ip-pool 1
[NGFW-dhcp-1] network 10.1.1.0 mask 255.255.255.0
[NGFW-dhcp-1] gateway-list 10.1.1.1
[NGFW-dhcp-1] nbns-list 10.1.1.4
[NGFW-dhcp-1] expired day 10 hour 12
[NGFW-dhcp-1] quit

# Configure the attributes of DHCP address pool 2 (the IP address range of the address pool, the
egress gateway, the WINS server address, and the address lease).
[NGFW] dhcp server ip-pool 2
[NGFW-dhcp-2] network 10.1.2.0 mask 255.255.255.0
[NGFW-dhcp-2] gateway-list 10.1.2.1
[NGFW-dhcp-2] expired day 5
[NGFW-dhcp-2] quit

Step 4 Configure subinterfaces, and assign IP addresses and specify network parameters to clients in
VLANs.
# Configure subinterface GigabitEthernet 1/0/1.1, and assign IP addresses and specify network
parameters to clients on VLAN 10.
[NGFW] interface GigabitEthernet 1/0/1.1
[NGFW-GigabitEthernet1/0/1.1] vlan-type dot1q 10
[NGFW-GigabitEthernet1/0/1.1] ip address 10.1.1.1 255.255.255.0
[NGFW-GigabitEthernet1/0/1.1] dhcp select global
[NGFW-GigabitEthernet1/0/1.1] quit

# Configure subinterface GigabitEthernet 1/0/1.2, and assign IP addresses and specify network
parameters to clients on VLAN 20.
[NGFW] interface GigabitEthernet 1/0/1.2
[NGFW-GigabitEthernet1/0/1.2] vlan-type dot1q 20
[NGFW-GigabitEthernet1/0/1.2] ip address 10.1.2.1 255.255.255.0
[NGFW-GigabitEthernet1/0/1.2] dhcp select global
[NGFW-GigabitEthernet1/0/1.2] quit

Step 5 Add interfaces to corresponding security zones and configure the security policy.
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/1.1
[NGFW-zone-trust] add interface GigabitEthernet 1/0/1.2
[NGFW-zone-trust] quit
[NGFW] security-policy
[NGFW-policy-security] rule name sec_policy
[NGFW-policy-security-rule-sec_policy] source-zone trust
[NGFW-policy-security-rule-sec_policy] source-zone local
[NGFW-policy-security-rule-sec_policy] destination-zone local
[NGFW-policy-security-rule-sec_policy] destination-zone trust
[NGFW-policy-security-rule-sec_policy] action permit

Step 6 Configure DHCP clients (using a Windows XP-based PC as an example).
1. Right-click Network Neighborhood on the desktop, and choose Attributes > Network
Connections.
2. Right-click Local Area Connection of the connected network adapter, and choose
Properties.
3. Select Internet Protocol (TCP/IP) and click Properties. The Internet Protocol (TCP/
IP) Properties window is displayed. Select Obtain an IP address automatically and
Obtain DNS server address automatically.

----End

Configuration Verification
1. On any PC on a VLAN, run the cmd command to enter the DOS environment. Run the
ipconfig /all to verify whether the client has obtained the network parameters, such as an
IP address, default gateway address, WINS server address, and DNS server address.
NOTE

If the information obtained by the DHCP client is incomplete (for example, only the IP address is
obtained but other network parameters are not), run the ipconfig /release command to release the
dynamic IP address, and then run the ipconfig /renew command to apply for a new IP address and
other network parameters.
C:\Documents and Settings\Administrator> ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : example
Primary Dns Suffix . . . . . . . : example.com
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : example.com

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : example.com
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-1B-B9-7A-7D-61
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 10.1.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1
DHCP Server . . . . . . . . . . . : 10.1.1.1
DNS Servers . . . . . . . . . . . : 10.1.2.2
Primary WINS Server . . . . . . . : 10.1.1.4
Lease Obtained. . . . . . . . . . : Monday, January 10, 15:00:34 PM
Lease Obtained. . . . . . . . . . : Friday, January 21, 03:00:34 AM

2. On the DHCP server NGFW, run the display dhcp server tree command to view the tree
structure of the DHCP address pool, including the information about the DNS server
address, egress gateway address, and address lease.
[NGFW] display dhcp server tree all
Global pool:
Pool name: 0
Child node:1
dns-list 10.1.2.2(S)
domain-name example.com
expired day 1 hour 0 minute 0
network 10.1.0.0 mask 255.255.0.0

Pool name: 1
Parent node:0
Sibling node:2
gateway-list 10.1.1.1
dns-list 10.1.2.2(S)
domain-name example.com
nbns-list 10.1.1.4
expired day 10 hour 12 minute 0
network 10.1.1.0 mask 255.255.255.0

Pool name: 2
Parent node:0
PrevSibling node:1
gateway-list 10.1.2.1
dns-list 10.1.2.2(S)
domain-name example.com
expired day 5 hour 0 minute 0
network 10.1.2.0 mask 255.255.255.0

3. On the DHCP server NGFW, run the display dhcp server statistics command to view the
statistics information.
[NGFW] display dhcp server statistics
Global Pool:
Pool Number: 3
Binding
Auto: 2
Manual: 0
Expire: 0
Interface Pool:
Pool Number: 0
Binding
Auto: 0
Manual: 0
Expire: 0
Boot Request: 131
Dhcp Discover: 125
Dhcp Request: 5
Dhcp Decline: 0
Dhcp Release: 1
Dhcp Inform: 0
Boot Reply: 38
Dhcp Offer: 33
Dhcp Ack: 5
Dhcp Nak: 0
Bad Messages: 0

HA Message:
BatchBackup send msg: 0
BatchBackup recv msg: 0
BatchBackup send lease: 0
BatchBackup recv lease: 0

4. On the DHCP server NGFW, run the display dhcp server ip-in-use command to verify
whether the correct IP address is specified.
[NGFW] display dhcp server ip-in-use all
Global pool:
IP address Hardware address Lease expiration Type
10.1.2.5 0efc-0505-86e3 Jan 20 2011 15:00:05 PM
Auto:COMMITED
10.1.1.3 001B-B97A-7D61 Jan 21 2011 03:00:34 AM
Auto:COMMITED

5. On the DHCP server NGFW, run the display dhcp server conflict command to check for
conflicting IP addresses.
[NGFW] display dhcp server conflict all
Info:No ip conflicted!
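The Boot Request and Boot Reply totals in step 3 are the sums of the per-type counters listed beneath them (131 = 125 + 5 + 0 + 1 + 0 and 38 = 33 + 5 + 0 here; 46 and 32 in the previous example), so the output lends itself to an automated check. The Python below is an added example, not code from this guide or from the NGFW: it parses the statistics text (the sample is copied from step 3 of this example), verifies the sums, and reports an Offer-to-Discover ratio. The 0.5 alert threshold is an assumption chosen for illustration.

```python
import re

# Added example (not the guide's own code). SAMPLE_OUTPUT is the statistics output
# shown in step 3 of this example, copied here so the check runs offline.
SAMPLE_OUTPUT = """\
Global Pool:
Pool Number: 3
Binding
Auto: 2
Manual: 0
Expire: 0
Interface Pool:
Pool Number: 0
Binding
Auto: 0
Manual: 0
Expire: 0
Boot Request: 131
Dhcp Discover: 125
Dhcp Request: 5
Dhcp Decline: 0
Dhcp Release: 1
Dhcp Inform: 0
Boot Reply: 38
Dhcp Offer: 33
Dhcp Ack: 5
Dhcp Nak: 0
Bad Messages: 0
"""

# Message counters that make up the BOOTP request and reply totals.
REQUEST_TYPES = ("Dhcp Discover", "Dhcp Request", "Dhcp Decline", "Dhcp Release", "Dhcp Inform")
REPLY_TYPES = ("Dhcp Offer", "Dhcp Ack", "Dhcp Nak")
COUNTER_RE = re.compile(r"^\s*((?:Boot|Dhcp|Bad) [A-Za-z]+):\s*(\d+)\s*$")


def parse_message_counters(text):
    """Pull the per-message-type counters out of 'display dhcp server statistics' output;
    the pool/binding lines are deliberately ignored."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = int(m.group(2))
    return counters


def check_consistency(counters):
    """The per-type counters must add up to the Boot Request / Boot Reply totals."""
    problems = []
    req_sum = sum(counters.get(k, 0) for k in REQUEST_TYPES)
    if req_sum != counters.get("Boot Request"):
        problems.append(f"request types sum to {req_sum}, Boot Request is {counters.get('Boot Request')}")
    rep_sum = sum(counters.get(k, 0) for k in REPLY_TYPES)
    if rep_sum != counters.get("Boot Reply"):
        problems.append(f"reply types sum to {rep_sum}, Boot Reply is {counters.get('Boot Reply')}")
    if counters.get("Bad Messages", 0):
        problems.append(f"{counters['Bad Messages']} malformed messages received")
    return problems


def offer_ratio(counters):
    """Offers per Discover. Close to 1 is healthy; far below 1 means clients keep
    soliciting without being answered (exhausted pool, traffic dropped by policy, or a
    client retrying aggressively) and is worth investigating."""
    discovers = counters.get("Dhcp Discover", 0)
    return counters.get("Dhcp Offer", 0) / discovers if discovers else None


def assess(text, min_ratio=0.5):
    """Run all checks over one copy of the command output and return the findings."""
    counters = parse_message_counters(text)
    findings = check_consistency(counters)
    ratio = offer_ratio(counters)
    if ratio is not None and ratio < min_ratio:
        findings.append(f"only {ratio:.2f} Offers per Discover")
    return findings


if __name__ == "__main__":
    for finding in assess(SAMPLE_OUTPUT):
        print("WARN:", finding)
```

Run against this example's output the sums check out, but the ratio of 33 Offers to 125 Discovers is flagged; a counter snapshot taken on a schedule and compared with the previous one turns the same logic into a simple health signal for the DHCP service.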

Configuration Scripts
Configuration scripts of NGFW:
#
sysname NGFW
#
dhcp server forbidden-ip 10.1.2.2
dhcp server forbidden-ip 10.1.1.4
#
dhcp server ip-pool 0
network 10.1.0.0 mask 255.255.0.0
dns-list 10.1.2.2
domain-name example.com
#
dhcp server ip-pool 1
network 10.1.1.0 mask 255.255.255.0
gateway-list 10.1.1.1
nbns-list 10.1.1.4
expired day 10 hour 12
#
dhcp server ip-pool 2
network 10.1.2.0 mask 255.255.255.0
gateway-list 10.1.2.1
expired day 5
#
interface GigabitEthernet1/0/1.1
vlan-type dot1q 10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1.2
vlan-type dot1q 20
ip address 10.1.2.1 255.255.255.0
#
firewall zone local
set priority 100
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1.1
add interface GigabitEthernet1/0/1.2
#
security-policy
rule name sec_policy
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
#
return

8.4.6.4 Example for Configuring DHCP Relay
This section provides an example for configuring DHCP relay to connect a DHCP server to
DHCP clients when the server and clients are on different networks.

Networking Requirements
The IP address plan of a department on the network shown in Figure 8-57 is as follows:

l IP addresses are available on network segment 192.168.20.0/24. An FTP server is deployed
and assigned 192.168.20.254.
l A DHCP server is on another network segment 10.1.1.0/24.
l The domain name suffix of a DHCP client is example.com, and the IP address of a DNS
server is 3.3.3.3.
l The address lease is 10 days.

A DHCP relay agent needs to be deployed on the same network segment as a DHCP client to
connect the DHCP client and server across network segments. DHCP relay enables the DHCP
client to request the DHCP server for configurations, such as the IP address and DNS server
address.

Figure 8-57 DHCP relay networking
(Figure: in the Trust zone, the DHCP client and the FTP server (MAC 0021-97cf-2238) sit on the
192.168.20.0/24 segment behind NGFW_A (DHCP relay), GE1/0/1, 192.168.20.1/24. NGFW_A GE1/0/2,
10.1.1.1/24, connects in the DMZ zone to NGFW_B (DHCP server), GE1/0/1, 10.1.1.2/24.)

Configuration Roadmap
The configuration roadmap is as follows:

1. To enable the DHCP server to assign network parameters, including an IP address, to the
DHCP client across different network segments, configure an available IP address range
(includes the DHCP relay interface address) on NGFW_B and specify DHCP client
parameters, such as an egress gateway, a domain name suffix, and a DNS server address.

a. Enable DHCP.
b. Configure dynamic IP address allocation and other network parameters assigned to
the DHCP client.
c. Configure static IP address allocation and other network parameters assigned to the
FTP server.
d. Configure a route between the DHCP server and the relay interface.
2. Enable the DHCP relay function on NGFW_A to enable communication between the
DHCP client and server across different network segments:

a. Enable DHCP.
b. Specify a DHCP server IP address on the relay interface.
3. Set Internet Protocol (TCP/IP) Properties to Obtain an IP address automatically and
Obtain DNS server address automatically on the DHCP client, which enables the DHCP
client to automatically obtain the IP address and other network parameters allocated by the
DHCP server.

Procedure
Step 1 Configure GigabitEthernet 1/0/1 on NGFW_A.
1. Choose Network > Interface.

2. Click and set the following parameters for GE1/0/1.

Table 8-79 Interface parameters

Zone: trust
Mode: Route
IPv4
Connection Type: Static IP
IP Address: 192.168.20.1/255.255.255.0

3. Click OK.

Step 2 Configure GigabitEthernet 1/0/2 on NGFW_A.
1. Choose Network > Interface.

2. Click and set the following parameters for GE1/0/2.

Table 8-80 Interface parameters

Zone: dmz
Mode: Route
IPv4
Connection Type: Static IP
IP Address: 10.1.1.1/255.255.255.0

3. Click OK.

Step 3 Configure GigabitEthernet 1/0/1 on NGFW_B.
1. Choose Network > Interface.
2. Click and set the following parameters for GE1/0/1.

Table 8-81 Interface parameters

Zone: dmz
Mode: Route
IPv4
Connection Type: Static IP
IP Address: 10.1.1.2/255.255.255.0

3. Click OK.

Step 4 Configure DHCP server NGFW_B to dynamically assign an IP address and other network
parameters to the DHCP client.
1. Choose Network > DHCP Server > Settings.
2. Click Add and set the following parameters.

Table 8-82 Interface parameters

Interface Name: GigabitEthernet 1/0/1
Type: IPv4
Service Type: Server
IP Addresses Range: 192.168.20.1-192.168.20.254
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.20.1
DNS Service: Specify
Primary DNS Server: 3.3.3.3
Advanced
Domain Name: example.com
Lease Duration: 10 Day
Static Address Binding: Bound Host IP Address: 192.168.20.254; Bound Host MAC Address: 0021-97cf-2238

3. Click OK.

Step 5 On NGFW_B, configure a reachable static route between the DHCP server and relay interface.
NOTE

The IP address of the DHCP relay interface and the IP address of the DHCP server reside on different
network segments. Configure the DHCP server with a static route to the DHCP relay interface or enable a
dynamic routing protocol.
1. Choose Router > Static > Static Route.
2. Click Add in Static Route List. Then set the following parameters.

Table 8-83 Static route parameters

Destination Address: 192.168.20.0
Mask: 255.255.255.0
Next Hop: 10.1.1.1

3. Click OK.

Step 6 Configure DHCP relay NGFW_A.
1. Choose Network > DHCP Server > Settings.
2. Click Add and set the following parameters.

Table 8-84 DHCP relay parameters

Interface Name: GigabitEthernet 1/0/1
Type: IPv4
Service Type: Relay
IPv4 Server IP Address: 10.1.1.2

3. Click Apply.

Step 7 Configure DHCP clients. (A Windows XP-based PC is used in this example.)
1. Right-click Network Neighborhood on the desktop, and choose Attributes > Network
Connections.

2. Right-click Local Area Connection of the connected network adapter, and choose
Properties.
3. Select Internet Protocol (TCP/IP) and click Properties. The Internet Protocol (TCP/
IP) Properties window is displayed. Select Obtain an IP address automatically and
Obtain DNS server address automatically.

----End

Configuration Verification
1. On any PC in the department, press Start > Run and enter cmd to display the DOS screen.
Run the ipconfig /all command to view the network parameters obtained by the client, such
as an IP address, a default gateway address, a WINS server address, and a DNS server
address. Also, verify that the FTP server has obtained a fixed IP address 192.168.20.254.
NOTE

If the DHCP client obtains incomplete information (for example, only the IP address is obtained),
run the ipconfig /release command to release the dynamic IP address, and run the ipconfig /renew
command to apply for a new IP address and other network parameters.
C:\Documents and Settings\Administrator> ipconfig /all
Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : example.com
Description . . . . . . . . . . . : Realtek RTL8139/810x Family Fast Ethernet NIC
Physical Address. . . . . . . . . : 00-50-ba-50-73-25
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.20.2
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.20.1
DHCP Server . . . . . . . . . . . : 10.1.1.2
DNS Servers . . . . . . . . . . . : 3.3.3.3
Primary WINS Server . . . . . . . :
Lease Obtained. . . . . . . . . . : Tuesday, December 13, 2011, 17:52:10 PM
Lease Expires . . . . . . . . . . : Friday, December 23, 2011, 17:52:10 PM

2. Check the address lease duration list of the DHCP server to determine whether the DHCP
server assigns IP addresses to the PC and FTP server on the LAN.
a. Choose Network > DHCP Server > Monitor.
b. Verify the client IP address assigned by the DHCP server.

Configuration Scripts
Configuration script for NGFW_A:
#
sysname NGFW_A
#
interface GigabitEthernet1/0/1
ip address 192.168.20.1 255.255.255.0
ip relay address 10.1.1.2
dhcp select relay
#
interface GigabitEthernet1/0/2
ip address 10.1.1.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
return

Configuration script for NGFW_B:
#
sysname NGFW_B
#
interface GigabitEthernet1/0/1
ip address 10.1.1.2 255.255.255.0
dhcp select interface
dhcp server ip-range 192.168.20.1 192.168.20.254
dhcp server static-bind ip-address 192.168.20.254 mac-address 0021-97cf-2238
dhcp server gateway-list 192.168.20.1
dhcp server dns-list 3.3.3.3
dhcp server domain-name example.com
dhcp server expired day 10
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/1
#
ip route-static 192.168.20.0 255.255.255.0 10.1.1.1
#
return
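What the relay agent and the server do with the request in this example, as an added Python illustration (not code from this guide or from the NGFW): NGFW_A stamps the relay interface address 192.168.20.1 into the giaddr field and unicasts the request to 10.1.1.2, NGFW_B selects the address range from giaddr rather than from its own interface, and the reply is addressed back to giaddr, which is why the static route of Step 5 is required. Only the fixed BOOTP header (RFC 2131) is modelled, options are omitted, and the client MAC, transaction ID, scope list and route tables are constructed values.

```python
import ipaddress
import struct

# Added example (not the guide's own code): the fixed BOOTP/DHCP header handled the way a
# relay agent and a server handle it (RFC 2131 sections 2 and 4.3.1), with the addresses of
# this example. Only the 236-byte fixed header is modelled; DHCP options are omitted.

BOOTREQUEST, BOOTREPLY = 1, 2
SERVER_PORT, CLIENT_PORT = 67, 68
# op htype hlen hops xid secs flags ciaddr yiaddr siaddr giaddr chaddr sname file
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"
GIADDR_OFFSET, HOPS_OFFSET = 24, 3

# Constructed tables for this example's topology.
SCOPES = [ipaddress.IPv4Network("192.168.20.0/24")]
ROUTES_WITH_STATIC = [(ipaddress.IPv4Network("10.1.1.0/24"), "connected"),
                      (ipaddress.IPv4Network("192.168.20.0/24"), "10.1.1.1")]  # Step 5
ROUTES_WITHOUT_STATIC = ROUTES_WITH_STATIC[:1]


def _ip(s):
    return ipaddress.IPv4Address(s).packed


def build_header(op, xid, mac, ciaddr="0.0.0.0", yiaddr="0.0.0.0", giaddr="0.0.0.0"):
    """Fixed header with BROADCAST flag set, hlen taken from the MAC length."""
    chaddr = bytes.fromhex(mac.replace("-", "").replace(":", ""))
    return struct.pack(HEADER_FMT, op, 1, len(chaddr), 0, xid, 0, 0x8000,
                       _ip(ciaddr), _ip(yiaddr), _ip("0.0.0.0"), _ip(giaddr),
                       chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)


def parse_header(pkt):
    f = struct.unpack(HEADER_FMT, pkt[:236])
    return {"op": f[0], "hlen": f[2], "hops": f[3], "xid": f[4],
            "ciaddr": str(ipaddress.IPv4Address(f[7])), "yiaddr": str(ipaddress.IPv4Address(f[8])),
            "giaddr": str(ipaddress.IPv4Address(f[10])), "chaddr": f[11][:f[2]].hex("-")}


def relay_request(pkt, relay_if_ip, server_ip):
    """What 'dhcp select relay' + 'ip relay address' does on NGFW_A: stamp giaddr with the
    interface that heard the client's broadcast (only if no earlier relay set it), increment
    hops, and unicast the packet to the configured server on port 67."""
    hdr = parse_header(pkt)
    if hdr["giaddr"] == "0.0.0.0":
        pkt = pkt[:GIADDR_OFFSET] + _ip(relay_if_ip) + pkt[GIADDR_OFFSET + 4:]
    pkt = pkt[:HOPS_OFFSET] + bytes([hdr["hops"] + 1]) + pkt[HOPS_OFFSET + 1:]
    return (server_ip, SERVER_PORT), pkt


def select_scope(pkt, receiving_if_ip, scopes):
    """RFC 2131 4.3.1: the address range is chosen from giaddr when it is set, otherwise from
    the address of the interface on which the server received the request."""
    hdr = parse_header(pkt)
    key = ipaddress.IPv4Address(hdr["giaddr"] if hdr["giaddr"] != "0.0.0.0" else receiving_if_ip)
    return next((s for s in scopes if key in s), None)


def reply_next_hop(giaddr, routes):
    """Longest-prefix lookup of the relay address; None means the server has no route back to
    the relay and its reply never leaves NGFW_B."""
    dst = ipaddress.IPv4Address(giaddr)
    matches = [(net, nh) for net, nh in routes if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen, default=(None, None))[1]


if __name__ == "__main__":
    discover = build_header(BOOTREQUEST, 0x3903F326, "00-50-ba-50-73-25")  # constructed client
    dst, relayed = relay_request(discover, "192.168.20.1", "10.1.1.2")
    print("relay forwards to", dst, "giaddr =", parse_header(relayed)["giaddr"])
    print("server scope:", select_scope(relayed, "10.1.1.2", SCOPES))
    print("reply next hop:", reply_next_hop("192.168.20.1", ROUTES_WITH_STATIC))
```

Without the relay, the server would try to choose a scope from its own 10.1.1.2 interface and find none; without the static route, the scope is found but the reply to 192.168.20.1 has no next hop. Both failure modes appear on the server as Discovers without matching Offers in the statistics output.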

8.4.7 Feature Reference
This section provides DHCP references.

8.4.7.1 Specifications
This section provides DHCP specifications.
The specifications of the DHCP service are as follows:
l Number of DHCP dynamic address leases supported by the entire system: 15000
l Number of DHCP static address leases supported by the entire system: 5000

8.4.7.2 Feature History
This section describes the versions and changes in the DHCP feature.

Version | Change Description
V100R001C00 | The first version.

8.4.7.3 Reference Standards and Protocols
This section provides DHCP standards and protocols.
DHCP standards and protocols are as follows:
l RFC 1534: Interoperation Between DHCP and BOOTP
l RFC 1542: Clarifications and Extensions for the Bootstrap Protocol
l RFC 2131: Dynamic Host Configuration Protocol
l RFC 2132: DHCP Options and BOOTP Vendor Extensions
l RFC 2241: DHCP Options for Novell Directory Services
l RFC 2485: DHCP Option for The Open Group's User Authentication Protocol
l RFC 2563: DHCP Option to Disable Stateless Auto-Configuration in IPv4 Clients
l RFC 2610: DHCP Options for Service Location Protocol
l RFC 2937: The Name Service Search Option for DHCP
l RFC 2939: Procedures and IANA Guidelines for Definition of New DHCP Options and
Message Types
l RFC 3004: The User Class Option for DHCP
l RFC 3011: The IPv4 Subnet Selection Option for DHCP
l RFC 3046: DHCP Relay Agent Information Option
l RFC 3361: Dynamic Host Configuration Protocol (DHCP-for-IPv4) Option for Session
Initiation Protocol (SIP) Servers
l RFC 3397: Dynamic Host Configuration Protocol (DHCP) Domain Search Option
l RFC 3442: The Classless Static Route Option for Dynamic Host Configuration Protocol
(DHCP) version 4
l RFC 3495: Dynamic Host Configuration Protocol (DHCP) Option for CableLabs Client
Configuration

8.5 DHCPv6
This section describes Dynamic Host Configuration Protocol version 6 (DHCPv6) concepts and
how to configure DHCPv6, as well as provides configuration examples.

8.5.1 Overview
Dynamic Host Configuration Protocol for IPv6 (DHCPv6) applies to IPv6 networks to
dynamically assign information, such as IPv6 addresses/prefixes to clients.

Definition
DHCPv6, designed on the basis of the dynamic addressing scheme on IPv6 networks, assigns
IPv6 addresses/prefixes and other network configuration to clients.

Objective
DHCPv6 simplifies the settings of IPv6 addresses/prefixes and minimizes errors caused by
manual IPv6 address setting. With DHCPv6, network administrators can manage the IPv6
addresses/prefixes and other configuration in a centralized way.

8.5.2 Mechanism
This section describes the mechanism of Dynamic Host Configuration Protocol version 6
(DHCPv6).

Overview
Designed based on the dynamic addressing scheme on an IPv6 network, DHCPv6 provides
clients with network configuration information, including IPv6 addresses and prefixes.
Methods in which a client can obtain an IPv6 address/prefix and other configuration information
A client can obtain an IPv6 address/prefix and other configuration information using one of the
following methods:
l Manual configuration: A user statically configures an IPv6 address/prefix and other
configuration information.
l Stateless autoconfiguration: The client uses the Neighbor Discovery (ND) protocol to
obtain an IPv6 address/prefix and other configuration information from adjacent routers.
l DHCPv6-PD: The server functions as a delegating router (DR), and the client functions as
a requesting router (RR). The DR assigns prefixes and other configuration information to
the RR. The RR saves the prefixes in a local prefix pool and allocates them to other clients.
l Stateful DHCPv6: The client obtains an IPv6 address/prefix and other configuration
information from a DHCPv6 server.
l Stateless DHCPv6: The client uses stateless autoconfiguration to obtain an IPv6 prefix and
a hop limit and runs DHCPv6 to obtain other configuration information, such as the IP
address of a DNS server.
DHCPv6-PD, stateful DHCPv6, and stateless DHCPv6 are DHCPv6 applications.
DHCPv6 outperforms manual configuration and stateless autoconfiguration in terms of the
following:
l Network resource management
– A DHCPv6 server maintains IPv6 addresses/prefixes and renews their leases.
– A DHCPv6 server assigns other configuration information, such as the IP addresses of
the DNS server and SIP server to the client.
l IP address assignment control
In the DHCPv6-PD scenario, the DHCPv6 server assigns some of prefixes to a client, and
the client segments and assigns prefixes to other clients. This facilitates network
autoconfiguration and management. You can assign a fixed prefix to a client.
DHCPv6 communication modes
DHCPv6 uses the client/server (C/S) communication mode. A client applies for configurations
from a server. The server then replies to the client with configuration information, such as an
IPv6 address. DHCPv6 dynamically configures parameters, such as the IPv6 address and prefix,
for the client.
The client and server exchange DHCPv6 messages using UDP ports 546 and 547. The client
receives DHCPv6 messages using UDP port 546, and the server and relay agent receive DHCPv6
messages using UDP port 547.

DUID
A DHCP unique identifier (DUID) uniquely identifies a client or server. The server uses a client
DUID to assign a local address.
A DUID is generated using one of the following methods:
l Manual configuration: A user manually sets a DUID.
l DUID based on Link-layer Address Plus Time (DUID-LLT): The DUID is generated based
on a link-layer address and a time value.
l DUID Assigned by Vendor Based on Enterprise Number (DUID-EN): The DUID is
generated based on an enterprise number registered in IANA.
l DUID Based on Link-layer Address (DUID-LL): The DUID is generated based on a link-
layer address.
The NGFW uses DUID-LL to generate a DUID.
Multicast DHCPv6 addresses
Like a DHCPv4 client, a DHCPv6 client locates a DHCPv6 server by sending a Solicit message
destined for a multicast address, without setting the IPv6 address of the DHCPv6 server. The
client selects a server based on a specified policy (for example, the Preference option).
DHCPv6 defines the following multicast addresses:
- All_DHCP_Relay_Agents_and_Servers (FF02::1:2): applies to all servers and relay agents
  on a link. A client uses this address to exchange DHCPv6 messages with all servers and
  relay agents.
- All_DHCP_Servers (FF05::1:3): applies to all servers at a site. A DHCP relay agent uses
  this address to forward packets to all servers at a site, without obtaining the unicast address
  of a server.

DHCPv6 Principles
DHCPv6 client-server exchange modes
DHCPv6 uses the client/server (C/S) communication mode. A client sends a packet to a server
for requesting configuration information, including a valid dynamic IPv6 address and a prefix.
Upon receiving the message, the server replies with a packet carrying configuration information
based on a specific policy. The modes for exchanging messages between the client and server
are as follows:
- Client-server exchange involving two messages (two-step exchange)

Figure 8-58 Flowchart for client-server exchange involving two messages
[Message sequence between the DHCPv6 Client and the DHCPv6 Server:
(1) Solicit (contains a Rapid Commit option), client to server;
(2) Reply, server to client]


The process is as follows:

1. Upon connecting to a network, the DHCPv6 client sends a multicast DHCPv6 Solicit
message with a Rapid Commit option to a DHCPv6 server.
2. If the DHCPv6 server that supports the two-step exchange receives the DHCPv6
Solicit message, the server selects an unassigned IP address/prefix from an IPv6
address/prefix pool and replies with a unicast DHCPv6 Reply message carrying the
IPv6 address/prefix and other configuration information. If the DHCPv6 server that
does not support the two-step exchange receives the DHCPv6 Solicit message, the
DHCPv6 server replies with a unicast DHCPv6 Advertise message and proceeds with
client-server exchanges involving four messages.
- Client-server exchange involving four messages

Figure 8-59 Flowchart for client-server exchange involving four messages
[Message sequence between the DHCPv6 Client and the DHCPv6 Server:
(1) Solicit, client to server; (2) Advertise, server to client;
(3) Request, client to server; (4) Reply, server to client]

The process consists of the following phases:

1. Discovery phase: A client sends a multicast DHCPv6 Solicit message to search for an
available DHCP server.
2. Providing phase: After a DHCPv6 server receives the DHCPv6 Solicit message, it
selects an unassigned IP address/prefix from the IPv6 address/prefix pool and replies
with a unicast DHCPv6 Advertise message carrying the IPv6 address/prefix and other
configuration information.
3. Selection phase: If many DHCPv6 servers reply with DHCPv6 Advertise messages,
the client selects a server based on a specific policy and sends a unicast DHCPv6
Request message to the server to apply for an IPv6 address/prefix.
4. Confirmation phase: After the DHCPv6 server receives the DHCPv6 Request
message, it replies with a unicast DHCPv6 Reply message carrying an IPv6 address/
prefix and other configuration information.

Client extending the lease of an IPv6 address/prefix


A DHCPv6 server specifies a lease before assigning an IPv6 address/prefix to a client. After the
lease expires, the DHCPv6 server withdraws the IPv6 address/prefix. To continue to use the
IPv6 address/prefix, the client needs to renew the lease.

A DHCPv6 Reply message sent by the DHCPv6 server carries the preferred lifetime, valid
lifetime, renew time, and rebinding time, in addition to an IPv6 address/prefix to a client. These
time settings determine the IPv6 address/prefix status and the actions that the client performs.
The following formula applies:

Renew time < Rebinding time < Preferred lifetime < Valid lifetime

After the client obtains an IPv6 address/prefix, the client enters the binding state. The client sets
three timers for lease renewal, rebinding, and lease expiration. Table 8-85 lists timers and their
default settings.

Table 8-85 Timers and their default settings

Timer: Default Value
- Lease renewal: 50% of the preferred lifetime (The default preferred lifetime is 2 days.)
- Rebinding: 80% of the preferred lifetime
- Lease expiration: Valid lifetime (The default valid lifetime is 3 days.)

Before assigning an IPv6 address/prefix to a client, a DHCPv6 server can specify timer values.
If the server does not specify timer values, the client uses the default settings.

- If the lease is about to expire, the client automatically sends a DHCPv6 Renew message to
  the server to renew the IPv6 address/prefix lease.
  If the IPv6 address/prefix is valid, the DHCPv6 server replies with a DHCPv6 Reply
  message carrying a new IPv6 address/prefix lease. After the client receives the DHCPv6
  Reply message, its IPv6 address/prefix lease is renewed.
- If the IPv6 address/prefix lease is not renewed after the rebinding time elapses, the client
  multicasts a DHCPv6 Rebind message to all available DHCPv6 servers.
  If the IPv6 address/prefix is valid, a DHCPv6 server replies with a DHCPv6 Reply
  message carrying a new IPv6 address/prefix lease. After the client receives the DHCPv6
  Reply message, its IPv6 address/prefix lease is renewed.
- After the lease expires, the DHCPv6 server withdraws the IPv6 address/prefix. To continue
  to use the IPv6 address/prefix, the client needs to renew the lease before the valid lifetime
  expires.
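The timers above, derived from the lifetimes in a Reply, as an added example (not code from this guide or from Huawei). The 50% and 80% defaults are those of Table 8-85 and correspond to the renew-time-percent and rebind-time-percent ratios an address pool can set; lifetimes are modelled as whole seconds, so the unlimited case is not covered.

```python
from dataclasses import dataclass

DAY = 86400  # seconds


@dataclass(frozen=True)
class LeaseTimers:
    renew: int      # lease renewal timer: client unicasts Renew to the assigning server
    rebind: int     # rebinding timer: client multicasts Rebind to all servers
    preferred: int  # preferred lifetime carried in the Reply
    valid: int      # valid lifetime carried in the Reply (lease expiration)


def lease_timers(preferred=2 * DAY, valid=3 * DAY, renew_pct=50, rebind_pct=80):
    """Derive the three client timers from the lifetimes the server sent."""
    if not 0 < renew_pct < rebind_pct <= 100:
        raise ValueError("renew ratio must be smaller than the rebind ratio")
    if valid < preferred:
        # The CLI rejects a valid lifetime shorter than the preferred lifetime
        raise ValueError("valid lifetime must be >= preferred lifetime")
    timers = LeaseTimers(renew=preferred * renew_pct // 100,
                         rebind=preferred * rebind_pct // 100,
                         preferred=preferred, valid=valid)
    # Ordering the text states: Renew time < Rebinding time < Preferred lifetime < Valid lifetime
    if not timers.renew < timers.rebind < timers.preferred <= timers.valid:
        raise ValueError("lifetimes too short to derive distinct timers")
    return timers


def client_action(elapsed, timers):
    """What a client in the binding state does `elapsed` seconds after the Reply."""
    if elapsed < timers.renew:
        return "bound"
    if elapsed < timers.rebind:
        return "renew"      # unicast DHCPv6 Renew to the server that assigned the lease
    if elapsed < timers.valid:
        return "rebind"     # multicast DHCPv6 Rebind; after the preferred lifetime the address is deprecated
    return "expired"        # the server withdraws the address/prefix; the client starts over with Solicit


if __name__ == "__main__":
    t = lease_timers()
    for when in (0, t.renew, t.rebind, t.preferred, t.valid):
        print(f"{when / DAY:4.1f} days after Reply: {client_action(when, t)}")
```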

Client checking the IPv6 address/prefix availability if a link changes

If a link on which a client resides changes, for example, when a network cable is inserted or
removed, the client sends a message to a DHCPv6 server to check whether the previously
obtained IPv6 address/prefix is available.

Either of the following situations occurs based on the contents to be checked by the server:


- To check IPv6 address availability, the DHCPv6 client sends a multicast DHCPv6 Confirm
  message carrying the IPv6 address to be checked.
  If the IPv6 address is still available, the DHCPv6 server sends a Reply message to the client
  to declare that the address can be used. The client continues to use this IPv6 address.
- To check IPv6 prefix availability, the DHCPv6 client sends a multicast DHCPv6 Rebind
  message carrying the IPv6 prefix to be checked. The DHCPv6 server receives and processes
  the Rebind message and replies with a Reply message. If the lifetime contained in the Reply
  message is not 0s, the client continues to use this prefix, and the lease is renewed.

Client discovering an IPv6 address conflict

If the client detects an IPv6 address conflict, it sends a DHCPv6 Decline message carrying the
conflicting IPv6 address.

After receiving the Decline message, the DHCPv6 server labels the IPv6 address as conflicting
and no longer assigns it to any client.

Client releasing IPv6 addresses/prefixes

If a client is no longer using an IPv6 address/prefix assigned by a DHCPv6 server, the client
sends to the server a DHCPv6 Release message carrying the IPv6 address/prefix to be released.

After receiving the Release message, the DHCPv6 server releases the IPv6 address/prefix and
replies with a Reply message.

8.5.3 DHCPv6 Configuration Using the Web UI


This section describes how to use the Web UI to configure DHCPv6.

8.5.3.1 Configuring a DHCPv6 Server


This section describes how to configure a DHCPv6 server. A DHCPv6 server dynamically
assigns information, such as IPv6 prefixes, to DHCPv6 clients.

Prerequisites
Choose Dashboard > System Information and enable IPv6 globally to allow the NGFW to
forward IPv6 packets.

Context
A DHCPv6 server globally maintains parameters, such as IPv6 addresses, prefixes, and lease
information. DHCPv6 also assigns configuration information, such as the IPv6 addresses
of DNS and SIP servers, to DHCPv6 clients.

The DHCPv6 server and relay services cannot be configured on the same interface.

Procedure
Step 1 Choose Network > DHCP Server > Settings.

Step 2 Click Add.


Step 3 Set the following basic DHCPv6 server parameters.

Parameter: Description
- Interface Name: Name of the interface on which the DHCPv6 server function is configured.
  The interface must be an existing one, and Connection Type must be set to Static IP.
- Type: Protocol type on the interface:
  - IPv4: enables DHCPv4.
  - IPv6: enables DHCPv6. Select IPv6 in this example.
- Service Type: Enable either the DHCPv6 server or the DHCPv6 relay service on this
  interface. When the DHCPv6 server is enabled on the interface, Service Type must be set
  to Server.
- Primary DNS Server: Primary DNS server address to be assigned to a DHCPv6 client.
- Secondary DNS Server: Secondary DNS server address to be assigned to a DHCPv6 client.

Step 4 Set DHCPv6 prefix parameters.

The following DHCPv6 prefix pools are used:

- Address prefix pool: used in a stateful DHCPv6 scenario, in which a network administrator
  uses a DHCPv6 server to globally manage network resources, such as IPv6 prefixes. A
  DHCPv6 server assigns an IPv6 prefix (for example, 3000::/32) to the DHCPv6 client.
- Delegation prefix pool: used in a DHCPv6-PD scenario, in which a DHCPv6 client needs to
  segment an IPv6 address space assigned by a server. A DHCPv6 server assigns a set of IPv6
  prefixes to a DHCPv6 client. For example, if the assigned prefix is 3000::/32 and the
  delegating prefix length is 33 bits, the DHCPv6 server assigns IPv6 prefixes 3000::/33 and
  3000:0:8000::/33.
1. Click Add in Delegated Prefix. In the dialog box, click OK.
2. Configure DHCPv6 prefix parameters.
- Configure a delegation prefix pool.
a. Set the following prefix pool parameters.

Parameter: Description
- Delegation Type: Type of a DHCPv6 prefix pool. Select Prefix for a DHCPv6 delegation
  prefix pool.
- Prefix: IPv6 prefix address/prefix length.
- Delegation Prefix Length: Length of the IPv6 prefix that is assigned by the device
  (delegating router) to the requesting router. The length of a prefix to be assigned must be
  longer than or equal to the length of Prefix.
- Lease Duration: Use Unlimited or set a specific lease period.

b. Statically bind a DHCPv6 prefix to a DUID.
1) Click Add in Static Prefix Binding. In the dialog box, click OK.
2) Set the static prefix and DUID.

Parameter: Description
- Prefix: IPv6 prefix. An assigned IPv6 prefix is reserved for the client and cannot be
  assigned to another client.
- User DUID: Client DUID that the DHCPv6 server uses to identify a client.

3) Click OK.
- Set the following address prefix pool parameters.

Parameter: Description
- Delegation Type: Type of a DHCPv6 prefix pool. Select Address for a DHCPv6 address
  prefix pool.
- Prefix: IPv6 prefix address/prefix length.
- Lease Duration: Select Unlimited or set a specific lease period.

3. Click OK.

Step 5 Set the following advanced DHCPv6 server parameters.

Parameter: Description
- Domain Name: DNS suffix that a DHCPv6 server assigns to a DHCPv6 client.
- SNTP Server: SNTP server address that a DHCPv6 server assigns to a DHCPv6 client.
- SIP Server: SIP server address that a DHCPv6 server assigns to a DHCPv6 client.

Step 6 Click Apply.


If the operation is successful, DHCPv6 Service Information List is displayed on the page, and
new configuration items are added to the list.

Repeat previous operations to configure the DHCPv6 server function on multiple interfaces.

----End

8.5.3.2 Configuring DHCPv6 Relay


This section describes how to configure DHCPv6 relay. DHCPv6 relay helps a DHCPv6 client
on a specific network segment obtain an IP address from a DHCPv6 server on another network
segment. DHCPv6 relay also allows DHCPv6 clients on different network segments to share a
DHCPv6 server.

Prerequisites
- A DHCPv6 server has been configured based on a global address pool.
  No interface address pool can be configured for the DHCPv6 server interface that connects
  to the DHCP relay agent.
- The DHCPv6 server and DHCPv6 relay interface are reachable to each other.
- The DHCPv6 relay interface and client reside on the same network segment.
  The IPv6 address of the DHCPv6 relay interface must be on the same network segment as
  the IPv6 address that the DHCPv6 server assigns to the client.
- The default gateway address of the DHCPv6 client must be the IP address of the DHCP
  relay interface.
- Choose Dashboard > System Information and enable IPv6 globally to allow the
  NGFW to forward IPv6 packets.

Context
The DHCPv6 server and DHCPv6 relay cannot be configured on the same interface.

Procedure
Step 1 Choose Network > DHCP Server > Settings.

Step 2 Click Add.

Step 3 Set the following DHCPv6 relay parameters.

Parameter: Description
- Interface Name: Name of an interface enabled with DHCPv6 relay. The interface must
  exist, Connection Type must be set to Static IP, and the interface IPv6 address must be on
  the same network segment as the DHCPv6 client.
- Type: Protocol type on the interface:
  - IPv4: enables DHCPv4.
  - IPv6: enables DHCPv6. In this example, select IPv6.
- Service Type: Enable either the DHCPv6 server or relay service on this interface. When
  DHCPv6 relay is enabled on the interface, Service Type must be Relay.
- IPv6 Server IP Address: IPv6 address that the DHCPv6 server assigns and the DHCPv6
  relay agent forwards to the client.
- Interface Connected to IPv6 Server: Name of the interface that connects the DHCPv6 relay
  agent to the DHCPv6 server.

Step 4 Click Apply.

If the operation is successful, DHCP Service Information List is displayed on the page, and
new configuration items are added to the list.

Repeat previous operations to configure the DHCPv6 relay function on multiple interfaces.

----End

8.5.3.3 Monitoring DHCPv6


This section describes how to monitor DHCPv6 performance. You can view DHCPv6 server
information, including the address lease, allocated IPv6 prefixes, and lease expiration time.

Refreshing an Address Lease


Step 1 Choose Network > DHCP Server > Monitor.

Step 2 Click Refresh to refresh the address leases.

----End

Querying Address Leases


You can query only IP addresses that are assigned by a DHCP server and have not expired, as
well as static IPv6 addresses that are not assigned to clients.

Step 1 Choose Network > DHCP Server > Monitor.

Step 2 Select one of the following methods to query the address lease:
- Select All from the search box.
- Select Interface Name from the search box and select a desired interface name.
- Select IP Address from the search box and enter a desired IPv6 address.

Step 3 Click Query.

Parameter: Description
- IP Address: Displays the IPv6 address that a DHCPv6 server assigns to a client.
- MAC Address: Displays the MAC address for a DHCPv6 server to assign an IPv6 address
  to a client.
- Lease Expiration: Displays the expiration attribute of the lease for an IPv6 address
  assigned by a DHCP server:
  - A specific date and time when the lease expires. For example, the value is
    "2011-11-7 18:01:20".
  - NOT used: The statically bound lease is not assigned to the specific client.
  - Unlimited: The lease is permanent.
- Status: Displays the binding status of the IPv6 address assigned by the DHCP server:
  - Static address binding: The DHCP server statically assigns a fixed IPv6 address to the
    client at the specified MAC address.
  - Dynamic assignment: To be confirmed: The DHCP server assigns an IPv6 address
    dynamically, and the binding between the IPv6 address and MAC address is temporarily
    specified after the DHCP server sends a DHCPOFFER packet.
  - Dynamic assignment: Succeeded: The DHCP server assigns an IPv6 address dynamically,
    and the binding between the IPv6 address and MAC address is successfully specified
    after the DHCP server sends a DHCPACK packet.
  - Released: After the client applies for IPv6 address release, the DHCP server cancels the
    binding between the IPv6 address and MAC address.

----End

8.5.4 DHCPv6 Configuration Using the CLI


This section describes how to use a command line interface (CLI) to configure DHCPv6.

8.5.4.1 Configuring a DHCPv6 Server


This section describes how to configure a DHCPv6 server. A DHCPv6 server dynamically
assigns information, such as an IPv6 prefix, to a client.

Configuration Flow
Figure 8-60 shows the flowchart for configuring a DHCPv6 server.


Figure 8-60 Flowchart for configuring a DHCPv6 server
[Flowchart: Start -> Enable the DHCPv6 Server Function -> Configure the prefix pool
(configure the address prefix pool or configure the delegating prefix pool) -> Configure the
DHCPv6 Address Pool -> Configure the Interface to Reference the DHCP Address Pool ->
Configure the Authentication Function -> End. Legend: mandatory and optional steps; see
Table 8-86 for which is which.]

Table 8-86 DHCPv6 server configuration tasks

No. / Configuration Task: Description
1. Enabling the DHCPv6 Server Function: Mandatory.
2. Configuring the DHCPv6 Prefix Pool: Mandatory.
   - Creating a DHCPv6 prefix pool: Mandatory. Either of the following modes can be used
     to allocate prefixes:
     - Stateful DHCPv6 mode: configure an address prefix pool.
     - DHCPv6 Prefix Delegation (DHCPv6-PD) mode: configure a delegation prefix pool.
   - Configuring an address prefix/prefix length: Mandatory.
   - Configuring a delegating prefix length of a prefix pool: Optional. When the DHCPv6
     prefix pool is a delegation one, perform this operation.
   - Locking a DHCPv6 prefix pool: Optional. Perform this operation when users are
     forbidden to obtain the prefix information from the DHCPv6 server.
   - Configuring the lifetime of the DHCPv6 prefix pool: Optional. Configure the preferred
     lifetime and valid lifetime. The preferred lifetime is used to calculate the renew time
     and rebinding time, and the valid lifetime is used to set the expiration time of the IPv6
     prefix.
   - Resolving the IPv6 address conflict: Optional. When an IPv6 address is identified as
     being in the conflict state, you can use this function to resolve the conflict so that the
     DHCPv6 server can allocate this IPv6 address to a client.
   - Binding the client DUID to the specified prefix in the delegation prefix pool: Optional.
     When the DHCPv6 prefix pool is a delegation one, perform this operation to statically
     assign the prefix to a client.
3. Configuring the DHCPv6 Address Pool: Mandatory.
   - Creating a DHCPv6 address pool: Mandatory.
   - Configuring the DHCPv6 address pool to reference the DHCPv6 prefix pool: Mandatory.
   - Configuring the priority of the DHCPv6 address pool: Optional. Set the priority that the
     client uses to select a DHCPv6 server. The larger the value, the higher the priority.
   - Configuring the unicast option function of the DHCPv6 server: Optional. The function
     applies to the scenario in which the locations of the client and server are known, to
     improve client-server exchange efficiency.
   - Configuring DHCPv6 exchanges involving two messages on the DHCPv6 server:
     Optional. The function applies to the scenario in which only one server is available on
     the network, to improve client-server exchange efficiency.
   - Locking the DHCPv6 address pool: Optional. Perform this operation when users are
     forbidden to obtain the address information from the DHCPv6 server.
   - Setting the DNS server address in the address pool: Optional. Perform this operation to
     assign DNS server parameters to clients.
   - Setting the DNS suffix in the address pool: Optional. Perform this operation to assign
     DNS suffixes to clients.
   - Setting the SIP server address and domain name in the address pool: Optional. Perform
     this operation to assign SIP server parameters to clients.
   - Setting the SNTP server address in the address pool: Optional. Perform this operation
     to assign SNTP server parameters to clients.
4. Configuring an Interface to Reference the DHCP Address Pool: Mandatory.
5. (Optional) Configuring the Authentication Function: Optional. Perform this operation to
   authenticate clients and perform accounting on them.

Enabling the DHCPv6 Server Function


After an interface is enabled with the DHCPv6 server function, the interface can be used as a
DHCPv6 server to assign parameters, such as IPv6 prefixes, to DHCPv6 clients.
Prerequisites
Before enabling the DHCPv6 server function of an interface, run the ipv6 command to enable
a device to send and receive IPv6 packets and run the ipv6 enable command to enable IPv6 on
the interface.
Procedure

Step 1 Display the system view.

system-view

Step 2 Display the interface view.


interface interface-type interface-number

Step 3 Enable the DHCPv6 server function on the interface.


dhcpv6 server enable

By default, the DHCPv6 server function is disabled on the interface.

----End

Configuring the DHCPv6 Prefix Pool


Before configuring the DHCPv6 address pool, you need to create a DHCPv6 prefix pool and set
the parameters (such as IPv6 addresses and prefixes) that are to be allocated by the DHCPv6
server for DHCPv6 clients.
The following types of DHCPv6 prefix pools are available:
- Address prefix pool: used in a stateful DHCPv6 scenario, in which a network administrator
  uses a DHCPv6 server to globally manage network resources, such as IPv6 prefixes. A
  DHCPv6 server assigns an IPv6 prefix (for example, 3000::/32) to the DHCPv6 client.
- Delegation prefix pool: used in a DHCPv6-PD scenario, in which a DHCPv6 client needs
  to segment an IPv6 address space assigned by a server. A DHCPv6 server assigns a set of
  IPv6 prefixes to a DHCPv6 client. For example, if the assigned prefix is 3000::/32 and the
  delegating prefix length is 33 bits, the DHCPv6 server assigns IPv6 prefixes 3000::/33 and
  3000:0:8000::/33.

Step 1 Configure the DHCPv6 prefix pool.


DHCPv6 prefix assignment can be performed in one of the following scenarios:


- Stateful DHCPv6 and stateless DHCPv6 scenario
  1. Display the system view.
     system-view

  2. Create a DHCPv6 prefix pool and display the DHCPv6 prefix pool view.
     dhcpv6 prefix-pool address-prefix prefix-pool-name

     The prefix-pool-name value is a string of 1 to 32 characters that can be letters, digits,
     and underscores (_).
  3. Specify an IPv6 prefix address and prefix length.
     prefix [ prefix-name ] prefix-address/prefix-length

     prefix-name specifies the prefix name of a DHCPv6 prefix pool and is used only in the
     DHCPv6-PD scenario. After the client obtains prefixes, the client becomes a DHCPv6
     server and assigns the prefixes to other clients.
- DHCPv6-PD scenario
  1. Display the system view.
     system-view

  2. Create a DHCPv6 prefix pool and display the DHCPv6 prefix pool view.
     dhcpv6 prefix-pool delegation-prefix prefix-pool-name

     The prefix-pool-name value is a string of 1 to 32 characters that can be letters, digits,
     and underscores (_).
  3. Specify an IPv6 prefix address and prefix length.
     prefix prefix-address/prefix-length

  4. Specify the delegating prefix length of the delegation prefix pool.
     delegating-prefix-length delegating-prefix-length

     The delegating-prefix-length value is the length of the IPv6 prefix that is assigned by
     the device (Delegating Router) to the Requesting Router.
     The delegating-prefix-length value cannot be shorter than the prefix-length value.
     Otherwise, the configuration fails.
  5. Optional: Bind the specified prefix in the delegation prefix pool to the client DUID.
     client-duid client-duid bind prefix prefix-address

     This command reserves an IPv6 prefix for a client, which means that the IPv6 prefix
     cannot be assigned to another client.

Step 2 Optional: Specify the preferred lifetime and valid lifetime of the prefix pool.
lifetime preferred-lifetime { second-value | unlimited } valid-lifetime { second-value | unlimited }

The following parameters can be configured in this command:


l preferred-lifetime: used to calculate the renew time and rebinding time of an IPv6 address.
The default value is two days.
l valid-lifetime: sets the expiration time of an IPv6 prefix. The default value is three days.

The valid-lifetime value must be greater than or equal to the preferred-lifetime value.

----End
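How a delegation prefix pool behaves once configured this way (the 3000::/32 pool with a delegating prefix length of 33 from the text, the delegating-length check of step 4, and the per-DUID reservation of step 5), as an added example that is not code from this guide or from Huawei. The DUID hex strings are constructed sample values.

```python
import ipaddress


class DelegationPrefixPool:
    """Model of one delegation prefix pool on a DHCPv6 server."""

    def __init__(self, prefix, delegating_prefix_length):
        net = ipaddress.IPv6Network(prefix)
        # Mirrors the CLI rule: delegating-prefix-length cannot be shorter than prefix-length
        if delegating_prefix_length < net.prefixlen:
            raise ValueError("delegating-prefix-length cannot be shorter than prefix-length")
        # Carve the pool into delegated prefixes (eager list; fine for a /32 -> /33 split)
        self.free = [str(n) for n in net.subnets(new_prefix=delegating_prefix_length)]
        self.static = {}   # client DUID -> reserved prefix (client-duid ... bind prefix ...)
        self.leases = {}   # client DUID -> currently assigned prefix

    def bind(self, duid, prefix):
        """Reserve a prefix for one DUID; it is never handed to any other client."""
        prefix = str(ipaddress.IPv6Network(prefix))
        if prefix not in self.free:
            raise ValueError(f"{prefix} is not an unassigned prefix of this pool")
        self.free.remove(prefix)
        self.static[duid] = prefix

    def assign(self, duid):
        """Prefix returned in the Reply to this DUID, or None if the pool is exhausted."""
        if duid in self.leases:
            return self.leases[duid]          # same client, same prefix
        if duid in self.static:
            prefix = self.static[duid]        # statically bound prefix
        elif self.free:
            prefix = self.free.pop(0)         # next unassigned prefix
        else:
            return None
        self.leases[duid] = prefix
        return prefix

    def release(self, duid):
        """Handle a Release message: dynamic prefixes go back to the pool, bound ones stay reserved."""
        prefix = self.leases.pop(duid, None)
        if prefix is not None and duid not in self.static:
            self.free.append(prefix)
        return prefix


if __name__ == "__main__":
    pool = DelegationPrefixPool("3000::/32", 33)
    print(pool.free)                                      # ['3000::/33', '3000:0:8000::/33']
    pool.bind("0003000100e0fc112233", "3000:0:8000::/33")
    print(pool.assign("000300010011aabbccdd"))            # 3000::/33
    print(pool.assign("0003000100e0fc112233"))            # 3000:0:8000::/33
    print(pool.assign("0003000100e0fc000001"))            # None: pool exhausted
```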


Configuring a DHCPv6 Address Pool


You can create a DHCPv6 address pool on an interface and enable the DHCP address pool to
reference a configured DHCPv6 prefix pool. The interface uses the address pool to assign
information, such as IPv6 prefixes, to DHCPv6 clients.

A DHCPv6 server by default exchanges information with a client using four messages and the
multicast function. The DHCPv6 server and client can also communicate using the following
functions to simplify communication and effectively use network resources:
- Client-server exchanges involving two messages: The DHCPv6 client uses only two
  messages for information exchange with the DHCPv6 server to assign data such as IPv6
  prefixes. This function is applicable when only one server is available on the network.
- Unicast option function: The DHCPv6 client and server use the unicast option function,
  not the multicast function, to exchange information. This function is applicable when the
  DHCPv6 client and server obtain each other's location information.

NOTE

The preceding functions are available only when both the DHCPv6 client and server support them.

Step 1 Configure a DHCPv6 address pool.


1. Display the system view.
system-view

2. Create a DHCPv6 address pool and display the address pool view.
dhcpv6 pool pool-name

The pool-name value is a string of 1 to 32 characters that can be letters, digits, and
underscores (_).
3. Configure the DHCPv6 address pool to use a specific DHCPv6 prefix pool.
prefix-pool prefix-pool-name

NOTE

Contents assigned by the DHCPv6 server to the DHCPv6 client vary depending on the type of the bound
DHCPv6 prefix pool.
If an address prefix pool is bound to an address pool, a single IPv6 prefix can be assigned. If a delegation
prefix pool is bound to an address pool, a set of IPv6 prefixes can be assigned.
4. Optional: Set the priority of the DHCPv6 address pool.
preference preference-value

The client selects the DHCPv6 server with the highest priority. The larger the value, the
higher the priority.
5. Optional: Enable the unicast option function of the DHCPv6 server.
dhcpv6 unicast-option

After the command is executed, the DHCPv6 server can receive DHCPv6 unicast packets
and inform the client of unicast communication.
6. Optional: Enable the function of client-server exchanges involving two messages.
dhcpv6 rapid-commit

After the command is executed, the DHCPv6 client and server use two types of messages,
not four types of messages, to communicate with each other.
7. Optional: Set the ratios of the renew time to the preferred lifetime and of the rebinding
time to the preferred lifetime.
renew-time-percent renew-time-percent rebind-time-percent rebind-time-percent

Step 2 Optional: Configure server information that can be assigned by the DHCPv6 address pool.
1. Specify a DNS server address that the DHCPv6 server assigns to a DHCPv6 client.
dns-server ipv6-address &<1-2>

2. Specify a DNS suffix that the DHCPv6 server assigns to a DHCPv6 client.
dns-search-list dns-search-list-name

3. Specify the SIP server address and domain name that the DHCPv6 server assigns to a
DHCPv6 client.
sip-server { address ipv6-address | domain-name domain-name }

4. Specify an SNTP server address that the DHCPv6 server assigns to a DHCPv6 client.
sntp-server ipv6-address

----End

Configuring an Interface to Reference the DHCP Address Pool


After an interface references a DHCP address pool and receives a client request, the interface
that functions as a DHCPv6 server assigns an IPv6 prefix to the client.

Step 1 Display the system view.

system-view

Step 2 Display the interface view.


interface interface-type interface-number

Step 3 Specify the DHCPv6 address pool to be referenced by the interface.


dhcpv6 pool pool-name

NOTE

An interface can only use a single DHCPv6 address pool.

----End

(Optional) Configuring the Authentication Function


This section describes only how to enable authentication on an interface. An authentication-
enabled DHCPv6 server authenticates request information sent by a DHCPv6 client.

Before using authentication functions, configure authentication domain information, including
an authentication scheme, an authentication mode, and relationships between the authentication
scheme and the authentication domain and between the authentication mode and the
authentication domain. Configure users before local authentication. For details, see User
Management and Authentication.

Step 1 Display the system view.

system-view

Step 2 Display the AAA view.


aaa


Step 3 Configure the mode used to generate a default username in the authentication domain.
default-user-name [ template template-name ] include { mac-address { separator | noseparator } | option18 } *

A default username is generated in one of the following modes:

- The user name is generated based on the MAC address carried in a request message sent by
  a client. For example, if the user MAC address is 111122223333 and the authentication
  domain is named dom, the user name 111122223333@dom is generated.
- The user name is generated based on Option 18 carried in a request packet sent by a client.
  Option 18 includes the interface and system names of a DHCPv6 server or relay agent.
- The user name is generated based on both the MAC address and Option 18 carried in a
  request message sent by a client.

Step 4 Specify a default password in the authentication domain.


default-password cipher cipher-password

Step 5 Return to the system view.


quit

Step 6 Display the interface view.


interface interface-type interface-number

Step 7 Enable the DHCPv6 server authentication function.


dhcpv6 authentication enable

By default, the DHCPv6 server authentication function is disabled.

Step 8 Specify the authentication domain to be associated with the interface.


dhcpv6 authentication default-domain domain-name

After the authentication function of the DHCPv6 server is enabled, use the authentication scheme
and authentication mode associated with the authentication domain.

Step 9 Optional: Specify a default username template.


default-user-name-template template-name

NOTE

This step does not need to be configured if you use the default-user-name command without the template-name parameter.
Parameter template-name in this command must be the same as template-name in the default-user-name command.

----End
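
The username derivation of Step 3, as an added Python example that is not part of the Huawei guide: it decodes a DHCPv6 DUID (the Client DUID and Server DUID values that the display outputs later in this chapter show), recovers the link-layer address from a DUID-LLT or DUID-LL, builds the default username in the mac-address modes, and checks that a local user with that name exists, which is the precondition the text sets for local authentication. The DUID layouts follow RFC 3315; the placement of the separator between octets, the way an Option 18 string is joined to the MAC, and every function name are assumptions made for this example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# DUID types from RFC 3315
DUID_LLT, DUID_EN, DUID_LL = 1, 2, 3
HW_ETHERNET = 1

# Constructed samples: the DUID values shown in this chapter's display outputs.
CLIENT_DUID = "00-01-00-01-15-0B-47-82-00-E0-4C-97-3E-94"  # Windows PC (DUID-LLT)
SERVER_DUID = "0003000100005e3c0002"                       # NGFW (DUID-LL)


@dataclass
class Duid:
    duid_type: int
    hw_type: Optional[int] = None       # DUID-LLT / DUID-LL
    time: Optional[int] = None          # DUID-LLT only: seconds since 2000-01-01
    link_layer: Optional[bytes] = None  # DUID-LLT / DUID-LL
    enterprise: Optional[int] = None    # DUID-EN only
    identifier: Optional[bytes] = None  # DUID-EN only


def parse_duid(text: str) -> Duid:
    """Decode a DUID written as hex, with or without '-' or ':' separators."""
    raw = bytes.fromhex(text.replace("-", "").replace(":", ""))
    if len(raw) < 4:
        raise ValueError("DUID too short")
    duid_type = struct.unpack("!H", raw[:2])[0]
    if duid_type == DUID_LLT:
        if len(raw) < 8:
            raise ValueError("truncated DUID-LLT")
        hw_type, time = struct.unpack("!HI", raw[2:8])
        return Duid(DUID_LLT, hw_type=hw_type, time=time, link_layer=raw[8:])
    if duid_type == DUID_EN:
        if len(raw) < 6:
            raise ValueError("truncated DUID-EN")
        return Duid(DUID_EN, enterprise=struct.unpack("!I", raw[2:6])[0], identifier=raw[6:])
    if duid_type == DUID_LL:
        return Duid(DUID_LL, hw_type=struct.unpack("!H", raw[2:4])[0], link_layer=raw[4:])
    raise ValueError(f"unsupported DUID type {duid_type}")


def mac_from_duid(duid: Duid) -> Optional[str]:
    """Return the 12-hex-digit MAC if the DUID carries a 6-byte Ethernet address."""
    if duid.hw_type == HW_ETHERNET and duid.link_layer and len(duid.link_layer) == 6:
        return duid.link_layer.hex()
    return None


def default_user_name(mac: Optional[str], domain: str, separator: Optional[str] = None,
                      option18: Optional[str] = None) -> str:
    """Build user@domain as Step 3 describes (mac-address and/or option18).
    Joining the two parts with '.' is an assumption made for this example."""
    parts = []
    if mac is not None:
        mac = mac.lower()
        if separator:  # "separator" mode (assumed): separator between octets
            mac = separator.join(mac[i:i + 2] for i in range(0, 12, 2))
        parts.append(mac)
    if option18 is not None:
        parts.append(option18)
    if not parts:
        raise ValueError("at least one of mac-address and option18 must be included")
    return ".".join(parts) + "@" + domain


def user_exists_for(duid_text: str, domain: str, local_users: set,
                    separator: Optional[str] = None) -> bool:
    """Check that a local user exists for the name the server will derive from
    this client's DUID: users must be configured before local authentication."""
    name = default_user_name(mac_from_duid(parse_duid(duid_text)), domain, separator)
    return name.split("@", 1)[0] in local_users
```

For the Client DUID of the Windows PC the derived name is 00e04c973e94, which is exactly the user the authentication configuration example later in this chapter creates with user-manage user.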

8.5.4.2 Configuring DHCPv6 Relay


This section describes how to configure DHCPv6 relay. When the DHCPv6 client and server
reside on different network segments, you can enable DHCPv6 relay to facilitate communication
between the DHCPv6 client and server.


Context
The DHCPv6 relay device is transparent to both the client and server. Therefore, you do not
need to associate the client and server with a DHCPv6 relay agent.

Specify either of the following DHCPv6 relay parameters:

l DHCPv6 server address: an IPv6 address of an interface on a DHCPv6 server. The interface
is connected to the DHCPv6 relay agent.
l Outbound interface on the relay agent: an interface on the DHCPv6 relay agent. The
interface is connected to the DHCPv6 server.

NOTE

When there are routers between the DHCPv6 relay agent and the server, the IPv6 address of the DHCPv6 server must be specified on the DHCPv6 relay agent.

Procedure
Step 1 Display the system view.
system-view

Step 2 Display the interface view.


interface interface-type interface-number

Step 3 Enable the IPv6 capability on the interface.


ipv6 enable

By default, the IPv6 capability is disabled on the interface.

Before performing IPv6 configurations in the interface view, enable the IPv6 capability in the
interface view.

Step 4 Enable the DHCPv6 relay function.

dhcpv6 relay enable

By default, the DHCPv6 relay function is disabled on the interface.

Step 5 Specify the DHCPv6 server address or the name of the outbound interface.
dhcpv6 relay { destination ipv6-address | interface interface-type interface-number [ server-address | server-relay-address ] }

----End
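
The relay exchange described in Context, as an added Python example that is not code from the Huawei guide: it builds the RELAY-FORW message a relay agent sends toward the server, carrying the client's Solicit in OPTION_RELAY_MSG and the inbound interface in OPTION_INTERFACE_ID (the Option 18 that the authentication section refers to), and parses such a message back, rejecting truncated options and a hop count at the limit. Message and option layouts follow RFC 3315; the relay address 2000::1 is the one used in the Example that follows, while the client link-local address, the client DUID, the transaction ID and all function names are constructed assumptions.

```python
import ipaddress
import struct

# DHCPv6 message types and option codes (RFC 3315)
SOLICIT, RELAY_FORW, RELAY_REPL = 1, 12, 13
OPT_CLIENTID, OPT_RELAY_MSG, OPT_INTERFACE_ID = 1, 9, 18
HOP_COUNT_LIMIT = 32  # a relay discards a RELAY-FORW whose hop-count is already at this value

# Constructed sample: relay address on the client link (as in the Example below),
# a client link-local address and a DUID-LL client identifier.
RELAY_LINK_ADDR = "2000::1"
CLIENT_PEER_ADDR = "fe80::2e0:4cff:fe90:3dc9"
CLIENT_DUID = bytes.fromhex("0003000100e04c973e94")


def option(code: int, data: bytes) -> bytes:
    """option-code (2) | option-len (2) | option-data"""
    return struct.pack("!HH", code, len(data)) + data


def parse_options(buf: bytes) -> list:
    """Walk a TLV option block; reject anything truncated instead of guessing."""
    opts, i = [], 0
    while i < len(buf):
        if i + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack("!HH", buf[i:i + 4])
        data = buf[i + 4:i + 4 + length]
        if len(data) != length:
            raise ValueError("truncated option body")
        opts.append((code, data))
        i += 4 + length
    return opts


def client_message(msg_type: int, xid: int, options: bytes) -> bytes:
    """msg-type (1) | transaction-id (3) | options"""
    return bytes([msg_type]) + xid.to_bytes(3, "big") + options


def relay_forward(inner: bytes, link_addr: str, peer_addr: str,
                  interface_id: bytes, hop_count: int = 0) -> bytes:
    """Encapsulate a client message (or another RELAY-FORW) for the server.
    link-address tells the server which link, and so which pool, the client is on;
    peer-address is where the relay must send the reply back."""
    if hop_count >= HOP_COUNT_LIMIT:
        raise ValueError("hop-count limit reached; relay must discard the message")
    header = bytes([RELAY_FORW, hop_count])
    header += ipaddress.IPv6Address(link_addr).packed + ipaddress.IPv6Address(peer_addr).packed
    return header + option(OPT_INTERFACE_ID, interface_id) + option(OPT_RELAY_MSG, inner)


def parse_relay(msg: bytes) -> dict:
    """Decode a RELAY-FORW/RELAY-REPL header and the message it carries."""
    if len(msg) < 34:
        raise ValueError("relay message shorter than its fixed header")
    msg_type, hop_count = msg[0], msg[1]
    if msg_type not in (RELAY_FORW, RELAY_REPL):
        raise ValueError(f"not a relay message: type {msg_type}")
    opts = parse_options(msg[34:])
    relay_msgs = [d for c, d in opts if c == OPT_RELAY_MSG]
    if len(relay_msgs) != 1:
        raise ValueError("exactly one OPTION_RELAY_MSG is required")
    interface_ids = [d for c, d in opts if c == OPT_INTERFACE_ID]
    inner = relay_msgs[0]
    return {
        "type": msg_type,
        "hop_count": hop_count,
        "link_address": str(ipaddress.IPv6Address(msg[2:18])),
        "peer_address": str(ipaddress.IPv6Address(msg[18:34])),
        "interface_id": interface_ids[0] if interface_ids else None,
        "inner_type": inner[0],
        "inner_xid": int.from_bytes(inner[1:4], "big"),
    }


def build_sample() -> bytes:
    """Solicit from the client on GE1/0/1, wrapped by the relay for the server."""
    solicit = client_message(SOLICIT, 0xABCDEF, option(OPT_CLIENTID, CLIENT_DUID))
    return relay_forward(solicit, RELAY_LINK_ADDR, CLIENT_PEER_ADDR, b"GigabitEthernet1/0/1")
```

The server answers with a RELAY-REPL that mirrors the link and peer addresses and carries its reply inside OPTION_RELAY_MSG, so the same parser serves both directions.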

Example
# Enable DHCPv6 relay on GigabitEthernet 1/0/1 connected to a client and set the IPv6 address
of GigabitEthernet 1/0/1 to 2000::1/64 and the IPv6 address of the DHCPv6 server to 3000::1.
<NGFW> system-view
[NGFW] ipv6
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ipv6 enable
[NGFW-GigabitEthernet1/0/1] dhcpv6 relay enable
[NGFW-GigabitEthernet1/0/1] ipv6 address 2000::1 64
[NGFW-GigabitEthernet1/0/1] dhcpv6 relay destination 3000::1


Follow-up Procedure
Run the display this command in the interface view to view the configuration of GigabitEthernet
1/0/1.
[NGFW-GigabitEthernet1/0/1] display this
#
interface GigabitEthernet1/0/1
description connect-to-client
ipv6 enable
ipv6 address 2000::1 64
dhcpv6 relay enable
dhcpv6 relay destination 3000::1
#
return

8.5.4.3 Configuring a DHCPv6 Client


A DHCPv6 client dynamically obtains information, such as IPv6 prefixes from a DHCPv6
server.

Prerequisites
Choose Dashboard > System Information and enable IPv6 globally to allow the NGFW to
forward IPv6 packets.

Context
By default, a DHCPv6 server exchanges information with a client using four messages and multicast. In special scenarios, the DHCPv6 server can use two messages (Rapid Commit) and the unicast option (Unicast Option) to simplify the information exchange with the client and save network resources.

l Client-server exchanges involving two messages: The DHCPv6 client uses only two messages, instead of the default four, to exchange information with the DHCPv6 server and obtain data such as IPv6 prefixes. This function applies to the scenario where only one server is available.
l Unicast option function: The DHCPv6 client and server use unicast rather than multicast to exchange information. This function applies to the scenario where the locations of the DHCPv6 client and server are known.

NOTE

The unicast option function and the function of client-server exchanges involving two messages are
available only when both the DHCPv6 client and server support the functions.

Procedure
Step 1 Access the system view.

system-view

Step 2 Access the interface view.

interface interface-type interface-number

Step 3 Enable the IPv6 capability on the interface.


ipv6 enable

By default, the IPv6 capability is disabled on an interface.


Before performing IPv6 configurations in the interface view, you must enable the IPv6 capability
in the interface view.
Step 4 Enable the DHCPv6 client function on the interface.
dhcpv6 client enable
By default, the DHCPv6 client function is disabled on an interface.
On a DHCPv6 network, the DHCPv6 server and client each need a DHCP Unique Identifier (DUID) so that they can identify each other during a DHCPv6 information exchange. The DUID on the server is called the Server DUID, and that on the client is called the Client DUID. The server uses the Client DUID to identify the client, and the client uses the Server DUID to identify the server. The device generates its DUID automatically.
Step 5 Configure the DHCPv6 client to apply for an IPv6 address from the server.

dhcpv6 client ia-address [ ipv6-address ] [ rapid-commit | unicast-option ] *


This function is configured on the DHCPv6 client in the stateful DHCPv6 scenario.
Step 6 Configure the DHCPv6 client to apply for an IPv6 prefix from the server.
dhcpv6 client ia-prefix prefix-name prefix-name [ prefix-address/prefix-length ] [ rapid-commit | unicast-option ] *
This function is configured for the device that acts as the Requesting Router in the DHCPv6-PD scenario.
Step 7 Manually update the IPv6 address/prefix obtained by the DHCPv6 client.
dhcpv6 client renew

----End

Example
Enable the DHCPv6 client function of GigabitEthernet 1/0/1, and apply for IPv6 address
5000::200.
<NGFW> system-view
[NGFW] ipv6
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ipv6 enable
[NGFW-GigabitEthernet1/0/1] ipv6 address auto link-local
[NGFW-GigabitEthernet1/0/1] dhcpv6 client enable
[NGFW-GigabitEthernet1/0/1] dhcpv6 client ia-address 5000::200

Follow-up Procedure
You can run the display dhcpv6 client command in any view to check whether the DHCPv6
client obtains an IPv6 address.
[NGFW] display dhcpv6 client interface GigabitEthernet1/0/1
GigabitEthernet1/0/1 dhcp client : enable


Current State : BOUND


Server DUID : 0003000100005e3c0002
Configuration parameters :
IA NA : IA ID 16941568, T1 86400, T2 138240
Address : 5000::200/64
Preferred lifetime : 172800, Valid lifetime : 259200
Renew at : 2011.05.31 11:33:05
Expire at : 2011.06.02 11:33:05
DNS server :
SIP server :
SNTP server :
Domain name :
SIP Domain :
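
The lease timers in the output above, as an added Python example that is not part of the Huawei guide: it parses the IA_NA timer fields out of the display dhcpv6 client output, checks that T1 and T2 are the 0.5 and 0.8 fractions of the preferred lifetime that RFC 3315 recommends a server send (which the values 86400 and 138240 against a preferred lifetime of 172800 satisfy), recovers the instant the lease was bound, and computes the renew, rebind, deprecate and expire instants. The same day-to-seconds helper converts the lifetimes configured in days in the examples of this chapter (3, 4 and 12 days). The sample output is a constructed copy of the lines shown above, and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta

DAY = 86400
TIME_FMT = "%Y.%m.%d %H:%M:%S"

# Constructed sample: the timer lines from the display dhcpv6 client output above.
SAMPLE_OUTPUT = """\
GigabitEthernet1/0/1 dhcp client : enable
Current State : BOUND
Server DUID : 0003000100005e3c0002
Configuration parameters :
IA NA : IA ID 16941568, T1 86400, T2 138240
Address : 5000::200/64
Preferred lifetime : 172800, Valid lifetime : 259200
Renew at : 2011.05.31 11:33:05
Expire at : 2011.06.02 11:33:05
"""


def days_to_seconds(days: int) -> int:
    """The lifetime commands take seconds; the examples state lifetimes in days."""
    return days * DAY


def ia_timers(preferred: int, valid: int) -> tuple:
    """T1 = 0.5 * preferred, T2 = 0.8 * preferred (RFC 3315 server recommendation).
    A valid lifetime shorter than the preferred one is a configuration error."""
    if valid < preferred:
        raise ValueError("valid lifetime must not be shorter than preferred lifetime")
    return preferred // 2, preferred * 8 // 10


def lease_schedule(bound_at: datetime, preferred: int, valid: int) -> dict:
    """Instants at which the client renews (T1), rebinds (T2), stops using the
    address for new connections (preferred) and loses it entirely (valid)."""
    t1, t2 = ia_timers(preferred, valid)
    return {
        "renew_at": bound_at + timedelta(seconds=t1),
        "rebind_at": bound_at + timedelta(seconds=t2),
        "deprecate_at": bound_at + timedelta(seconds=preferred),
        "expire_at": bound_at + timedelta(seconds=valid),
    }


def parse_client_output(text: str) -> dict:
    """Pull the IA_NA timers, lifetimes and instants out of the display output."""
    def grab(pattern):
        m = re.search(pattern, text)
        if not m:
            raise ValueError(f"field not found: {pattern}")
        return m.groups()

    t1, t2 = (int(x) for x in grab(r"T1 (\d+), T2 (\d+)"))
    preferred, valid = (int(x) for x in grab(r"Preferred lifetime : (\d+), Valid lifetime : (\d+)"))
    renew, = grab(r"Renew at : (\S+ \S+)")
    expire, = grab(r"Expire at : (\S+ \S+)")
    return {"t1": t1, "t2": t2, "preferred": preferred, "valid": valid,
            "renew_at": datetime.strptime(renew, TIME_FMT),
            "expire_at": datetime.strptime(expire, TIME_FMT)}


def bound_time(lease: dict) -> datetime:
    """Recover the instant the lease was bound: renew_at is bound_at + T1."""
    return lease["renew_at"] - timedelta(seconds=lease["t1"])


def timers_consistent(lease: dict) -> bool:
    """True when the server's T1/T2 follow the 0.5/0.8 rule and the renew and
    expire instants are (valid - T1) seconds apart, as they must be for one lease."""
    expected = ia_timers(lease["preferred"], lease["valid"])
    gap = (lease["expire_at"] - lease["renew_at"]).total_seconds()
    return (lease["t1"], lease["t2"]) == expected and gap == lease["valid"] - lease["t1"]
```

Running timers_consistent over the output above returns True: the renew and expire instants are exactly two days apart, which is the valid lifetime of 259200 seconds minus T1.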

8.5.4.4 Maintaining DHCPv6


After configuring DHCPv6, you can run the display commands to view the configuration. If
necessary, you can lock the DHCPv6 prefix pool or DHCPv6 address pool or resolve IPv6
address conflicts.

Displaying DHCPv6 Configurations


You can run the commands listed in Table 8-87 in all views to display DHCPv6 configurations.

Table 8-87 Displaying DHCPv6 configurations

Action: Display information about a DHCPv6 address pool.
  Command: display dhcpv6 pool [ pool-name ]

Action: Display information obtained by a DHCPv6 client.
  Command: display dhcpv6 client { all | interface interface-type interface-number }

Action: Display information about a DHCPv6 prefix pool.
  Command: display dhcpv6 prefix-pool [ prefix-pool-name [ verbose | used ] ]

Action: Display information about a DHCPv6 client.
  Command: display dhcpv6 server [ ipv6-address ipv6-address | mac-address mac-address ]

Locking the DHCPv6 Prefix Pool or Address Pool


You can run commands listed in Table 8-88 to lock the DHCPv6 prefix pool or DHCPv6 address
pool.

Table 8-88 Locking DHCPv6 prefix pool or address pool

Action: Lock a DHCPv6 prefix pool (in the DHCPv6 prefix pool view).
  Command: lock

Action: Lock a DHCPv6 address pool (in the DHCPv6 address pool view).
  Command: lock


Resolving an IPv6 Address Conflict


After detecting that the IPv6 address assigned by a DHCPv6 server is used by another client on
the same network segment, a client sends a DHCPv6 DECLINE packet to the DHCPv6 server.
The DHCPv6 server identifies the conflicting IPv6 address after receiving the packet. In this
case, this IPv6 address is no longer assigned to another client.

You can run the command listed in Table 8-89 in the DHCPv6 prefix pool view to resolve an
IPv6 address conflict.

Table 8-89 Resolving an IPv6 address conflict

Action: Resolve an IPv6 address conflict.
  Command: reset conflict-ipv6-address [ ipv6-address | all ]

8.5.5 Configuration Examples


This section provides examples for configuring various DHCPv6 functions.

8.5.5.1 Example for Configuring a DHCPv6 Server


This section provides an example for configuring an NGFW as a DHCPv6 server.

Networking Requirements
The PC shown in Figure 8-61 runs Windows 7 Professional.

The NGFW functions as a DHCPv6 server and assigns the following information to the PC:

l IPv6 prefix: 2000::/32


l DNS server address: 3001::2
l AAA domain name: example.com
l SIP server address: 3001::3
l SNTP server address: 3001::4
l IP lease: 12 days


Figure 8-61 Network diagram for configuring an NGFW as the DHCPv6 server
[Figure: PC in the Trust zone connects to GE1/0/1 (3000::1/64) of the NGFW (DHCPv6 server); GE1/0/2 (3001::1/64) connects to the DMZ, which holds the DNS server 3001::2, the SIP server 3001::3 and the SNTP server 3001::4, domain example.com; the NGFW also connects to the IPv6 network in the Untrust zone.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a DHCPv6 prefix pool and define prefixes that the DHCPv6 server can assign
to a DHCPv6 client.
2. Configure a DHCPv6 address pool, and associate it with the DHCPv6 prefix pool, and
define parameters, such as a DNS server address that the DHCPv6 server can assign to a
DHCPv6 client.
3. Configure security policies.

Procedure
Step 1 Choose Dashboard > System Information and enable IPv6 globally to allow the NGFW to
forward IPv6 packets.

Step 2 Configure GigabitEthernet 1/0/1.


1. Choose Network > Interface.
2. Click and set the following parameters for GE1/0/1.

Table 8-90 Interface parameters

Zone trust

Mode Route

IPv6


IPv6 Enable Protocol

Connection Type Static IP

IP Address 3000::1/64

3. Click OK.

Step 3 Configure GigabitEthernet 1/0/2.


1. Choose Network > Interface.
2. Click and set the following parameters for GE1/0/2.

Table 8-91 Interface parameters

Zone dmz

Mode Route

IPv6

IPv6 Enable Protocol

Connection Type Static IP

IP Address 3001::1/64

3. Click OK.

Step 4 Configure a DHCPv6 server.


1. Choose Network > DHCP Server > Settings.
2. Click Add.
3. Set the following parameters.

Table 8-92 DHCPv6 server parameters

Interface Name GE1/0/1

Type IPv6

Service Type Server

Primary DNS Server 3001::2

4. In Delegated Prefix, click Add. In the window, click OK.


5. Set the following parameters.

Table 8-93 Assignment parameters

Delegation Type Address


Prefix 2000::/32

Lease Duration 12 days

6. Click OK.
7. In Advanced, set the following parameters.

Table 8-94 Assignment parameters

Domain Name example.com

SNTP Server 3001::4

SIP Server 3001::3

8. Click OK.
Step 5 Configure a security policy to allow the PC to access a server in the DMZ and an IPv6 network
in the Untrust zone.
1. Choose Policy > Security Policy > Security Policy.
2. Click Add and set the following parameters.
The following example provides basic security policy parameters. You can set other
parameters as needed.

Table 8-95 Security policy parameters

Name policy_sec_1

Source Zone trust

Destination Zone dmz,local,untrust

Action Permit

3. Click OK.

----End

Configuration Verification
# On the PC, verify that an IPv6 global unicast address is automatically generated.
C:\> ipconfig/all

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : example.com


Description. . . . . . . . . . . : Realtek RTL8169/8110
Physical Address. . . . . . . . .: 00-E0-4C-97-3E-94
DHCP Enabled . . . . . . . . . . : No
Autoconfiguration Enabled. . . . : Yes


IPv6 Address . . . . . . . . . . : 2000::448e:2cc2:8ce3:cbe5(Preferred)


Lease Obtained . . . . . . . . .: Friday, November 12, 2010 8:12:19 PM
Lease Expires . . . . . . . . . : Saturday, November 15, 2010 8:12:19 PM
Link-local IPv6 Address. . . . . : fe80::2e0:4cff:fe90:3dc9%11(Preferred)
IPv4 Address . . . . . . . . . . : 10.2.2.2(Preferred)
Subnet Mask . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . .:
DHCPv6 IAID . . . . . . . . . . .: 234938444
DHCPv6 Client DUID . . . . . . .: 00-01-00-01-15-0B-47-82-00-E0-4C-97-3E-94

DNS Servers . . . . . . . . . . : 1::1


NetBIOS over Tcpip . . . . . . .: Enabled
Connection-specific DNS Suffix :
example.com

The preceding command output shows that the PC has obtained an IPv6 global unicast address
2000::448e:2cc2:8ce3:cbe5.

Configuration Script
#
ipv6
#
sysname NGFW
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 3000::1 64
dhcpv6 server enable
dhcpv6 pool gigabitethernet1_0_1
#
interface GigabitEthernet1/0/2
ipv6 enable
ipv6 address 3001::1 64
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
dhcpv6 prefix-pool address-prefix gigabitethernet1_0_1_1343810878
prefix 2000::/32
lifetime preferred-lifetime 1036800 valid-lifetime 1036800
#
dhcpv6 pool gigabitethernet1_0_1
dns-search-list example.com
dns-server 3001::2
sip-server address 3001::3
sntp-server 3001::4
prefix-pool gigabitethernet1_0_1_1343810878
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone dmz
destination-zone local
destination-zone untrust
action permit
#
return


8.5.5.2 Example for Configuring the DHCPv6 Server with the Authentication Function
This section provides an example for configuring the DHCPv6 server with the authentication
function.

Networking Requirements
The PC shown in Figure 8-62 runs Windows 7 Professional.

The NGFW functions as a DHCPv6 server and assigns the following information to the PC:

l IPv6 prefix: 2000::/32


l DNS server address: 3001::2
l AAA domain name: example.com
l SIP server address: 3001::3
l SNTP server address: 3001::4
l Preferred lifetime: three days
l Valid lifetime: four days

The NGFW employs the local authentication mode to authenticate and charge PCs.

Figure 8-62 Network diagram for configuring an NGFW as the DHCPv6 server
[Figure: PC in the Trust zone connects to GE1/0/1 (3000::1/64) of the NGFW (DHCPv6 server); GE1/0/2 (3001::1/64) connects to the DMZ, which holds the DNS server 3001::2, the SIP server 3001::3 and the SNTP server 3001::4, domain example.com; the NGFW also connects to the IPv6 network in the Untrust zone.]

Configuration Roadmap
The configuration roadmap is as follows:


1. Configure the authentication function of the DHCPv6 server to enable the DHCPv6 server
to authenticate the requests from the PC.
2. Configure a DHCPv6 prefix pool and define prefixes that the DHCPv6 server can assign
to a DHCPv6 client.
3. Configure a DHCPv6 address pool, and associate it with the DHCPv6 prefix pool, and
define parameters, such as a DNS server address that the DHCPv6 server can assign to a
DHCPv6 client.
4. Configure the users.
5. Configure security policies.

Procedure
Step 1 Enable the IPv6 packet forwarding function of the NGFW.
NOTE

You can perform other IPv6 configurations only after you enable the IPv6 packet forwarding function on the
NGFW.
<NGFW> system-view
[NGFW] ipv6

Step 2 Configure the authentication function.

# Configure authentication scheme authen1 and set the authentication mode to local
authentication.
[NGFW] aaa
[NGFW-aaa] default-user-name include mac-address noseparator
[NGFW-aaa] default-password cipher Admin@123
[NGFW-aaa] authentication-scheme authen1
[NGFW-aaa-authen-authen1] authentication-mode local
[NGFW-aaa-authen-authen1] quit

# Configure authentication domain dom and associate it with the authentication scheme.
[NGFW-aaa] domain dom
[NGFW-aaa-domain-dom] authentication-scheme authen1
[NGFW-aaa-domain-dom] quit
[NGFW-aaa] quit

Step 3 Configure a DHCPv6 prefix pool. Create address prefix pool pool111, assign prefix 2000::/32
to it, and set the preferred lifetime and valid lifetime to three and four days respectively.
[NGFW] dhcpv6 prefix-pool address-prefix pool111
[NGFW-dhcpv6-prefix-pool-pool111] prefix 2000::/32
[NGFW-dhcpv6-prefix-pool-pool111] lifetime preferred-lifetime 259200 valid-lifetime 345600
[NGFW-dhcpv6-prefix-pool-pool111] quit

Step 4 Configure a DHCPv6 address pool. Create address pool pool222, associate it with DHCPv6
prefix pool pool111, and configure the information about the DNS server, SIP server, and SNTP
server to be assigned.
[NGFW] dhcpv6 pool pool222
[NGFW-dhcpv6-pool-pool222] prefix-pool pool111
[NGFW-dhcpv6-pool-pool222] dns-server 3001::2
[NGFW-dhcpv6-pool-pool222] dns-search-list example.com
[NGFW-dhcpv6-pool-pool222] sip-server address 3001::3
[NGFW-dhcpv6-pool-pool222] sntp-server 3001::4
[NGFW-dhcpv6-pool-pool222] quit


Step 5 Configure the users. The following example configures user 00e04c973e94, the default username generated from the PC's MAC address (00-E0-4C-97-3E-94) without separators.


[NGFW] user-manage user 00e04c973e94
[NGFW-localuser-00e04c973e94] password Admin@123
[NGFW-localuser-00e04c973e94] quit

Step 6 Configure interface GigabitEthernet 1/0/1.

# Enable IPv6 and the DHCPv6 server function on the interface and set an IPv6 address for it.
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ipv6 enable
[NGFW-GigabitEthernet1/0/1] dhcpv6 server enable
[NGFW-GigabitEthernet1/0/1] ipv6 address 3000::1/64

# Associate the interface with the DHCPv6 address pool.


[NGFW-GigabitEthernet1/0/1] dhcpv6 pool pool222

# Enable the DHCPv6 authentication function and associate it with the authentication domain.
[NGFW-GigabitEthernet1/0/1] dhcpv6 authentication enable
[NGFW-GigabitEthernet1/0/1] dhcpv6 authentication default-domain dom

Step 7 Configure interface GigabitEthernet 1/0/2.


[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] ipv6 enable
[NGFW-GigabitEthernet1/0/2] ipv6 address 3001::1/64
[NGFW-GigabitEthernet1/0/2] quit

Step 8 Assign the interfaces into security zones and configure security policies.
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW-zone-trust] quit
[NGFW] firewall zone dmz
[NGFW-zone-dmz] add interface GigabitEthernet 1/0/2
[NGFW-zone-dmz] quit
[NGFW] security-policy
[NGFW-policy-security] rule name sec_policy_1
[NGFW-policy-security-rule-sec_policy_1] source-zone trust
[NGFW-policy-security-rule-sec_policy_1] source-zone local
[NGFW-policy-security-rule-sec_policy_1] destination-zone local
[NGFW-policy-security-rule-sec_policy_1] destination-zone trust
[NGFW-policy-security-rule-sec_policy_1] action permit
[NGFW-policy-security-rule-sec_policy_1] quit
[NGFW-policy-security] rule name sec_policy_2
[NGFW-policy-security-rule-sec_policy_2] source-zone trust
[NGFW-policy-security-rule-sec_policy_2] destination-zone dmz
[NGFW-policy-security-rule-sec_policy_2] destination-zone untrust
[NGFW-policy-security-rule-sec_policy_2] action permit

----End

Configuration Verification
# On the PC, verify that an IPv6 global unicast address is automatically generated.
C:\> ipconfig/all

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : example.com


Description. . . . . . . . . . . : Realtek RTL8169/8110
Physical Address. . . . . . . . .: 00-E0-4C-97-3E-94


DHCP Enabled . . . . . . . . . . : No
Autoconfiguration Enabled. . . . : Yes
IPv6 Address . . . . . . . . . . : 2000::448e:2cc2:8ce3:cbe5(Preferred)
Lease Obtained . . . . . . . . .: Friday, November 12, 2010 8:12:19 PM
Lease Expires . . . . . . . . . : Saturday, November 15, 2010 8:12:19 PM
Link-local IPv6 Address. . . . . : fe80::2e0:4cff:fe90:3dc9%11(Preferred)
IPv4 Address . . . . . . . . . . : 10.2.2.2(Preferred)
Subnet Mask . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . .:
DHCPv6 IAID . . . . . . . . . . .: 234938444
DHCPv6 Client DUID . . . . . . .: 00-01-00-01-15-0B-47-82-00-E0-4C-97-3E-94

DNS Servers . . . . . . . . . . : 1::1


NetBIOS over Tcpip . . . . . . .: Enabled
Connection-specific DNS Suffix :
example.com

The preceding command output shows that the PC has obtained an IPv6 global unicast address
2000::448e:2cc2:8ce3:cbe5.

Configuration Script
#
ipv6
#
sysname NGFW
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 3000::1 64
dhcpv6 server enable
dhcpv6 authentication enable
dhcpv6 pool pool222
dhcpv6 authentication default-domain dom
#
interface GigabitEthernet1/0/2
ipv6 enable
ipv6 address 3001::1 64
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
aaa
authentication-scheme authen1
#
domain dom
authentication-scheme authen1
#
default-user-name include mac-address noseparator
default-password cipher %$%$@5.j"ILN\AkdI]U5OqX*kkbY%$%$
#
dhcpv6 prefix-pool address-prefix pool111
prefix 2000::/32
lifetime preferred-lifetime 259200 valid-lifetime 345600
#
dhcpv6 pool pool222
dns-search-list example.com
dns-server 3001::2
sip-server address 3001::3
sntp-server 3001::4


prefix-pool pool111
#
security-policy
rule name sec_policy_1
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
rule name sec_policy_2
source-zone trust
destination-zone dmz
destination-zone untrust
action permit
#
return

8.5.5.3 Example for Configuring the IPv6 Prefix Assignment in DHCPv6-PD Mode
This section provides an example for assigning IPv6 prefixes to users in delegation mode.

Networking Requirements
As shown in Figure 8-63, on the IPv6 network, NGFW_A and NGFW_B are connected through
interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2. NGFW_A is also connected to the
DNS server, SIP server, and SNTP server. NGFW_A acts as the Delegation Router to assign
information such as the IPv6 prefix, DNS server address, SIP server address, and SNTP server
address to NGFW_B that acts as the Requesting Router. NGFW_B re-assigns obtained
information to PCs.

Figure 8-63 Network diagram of assigning IPv6 prefixes to users in delegation mode
[Figure: PC connects to GE1/0/1 (Trust) of NGFW_B; GE1/0/2 (Trust) of NGFW_B connects to GE1/0/1 (Trust) of NGFW_A; the DNS server, SIP server and SNTP server sit in the DMZ of NGFW_A.]

Item: NGFW_A
  Data: Interface number: GigabitEthernet 1/0/1; IPv6 address: 3000::1/64
  Description: The NGFW assigns IPv6 prefix 2000::/32 to PCs, and the delegating prefix length is 33 bits.

Item: NGFW_B
  Data: Interface number: GigabitEthernet 1/0/2; IPv6 address: 3000::2/64
  Description: -
  Data: Interface number: GigabitEthernet 1/0/1; IPv6 address: 2000::1/64
  Description: -

Item: DNS server
  Data: IPv6 address: 1::1; Suffix: example.com
  Description: -

Item: SIP server
  Data: IPv6 address: 2::2
  Description: -

Item: SNTP server
  Data: IPv6 address: 3::3
  Description: -

Configuration Roadmap
1. Configure the DHCPv6 server (Delegation Router).
a. Enable the IPv6 packet forwarding function of NGFW_A, so that NGFW_A can send
and receive IPv6 packets.
b. Configure the DHCPv6 prefix pool in delegation mode and define the prefixes that NGFW_A can assign to DHCPv6 clients.
c. Configure the DHCPv6 address pool, associate it with the DHCPv6 prefix pool, and
define information such as the DNS server address that can be assigned by
NGFW_A to the DHCPv6 client.
d. Enable the DHCPv6 server function of interface GigabitEthernet 1/0/1, set the IPv6
address, and associate it with the DHCPv6 address pool, so that the interface can act
as the DHCPv6 server to provide services for the DHCPv6 client.
2. Configure the DHCPv6 client (Requesting Router).
a. Enable the IPv6 packet forwarding function of NGFW_B, so that NGFW_B can send
and receive IPv6 packets.
b. Enable the DHCPv6 client function and set an IPv6 address for interface
GigabitEthernet 1/0/2, so that the interface can act as the DHCPv6 client to obtain
information assigned by the DHCPv6 server.
c. Set an IPv6 address and configure Neighbor Discovery (ND), so that the interface can
assign prefixes to PCs.

Procedure
Step 1 Add interfaces to corresponding security zones and configure the security policy.
<NGFW_A> system-view
[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-trust] quit
[NGFW_A] security-policy
[NGFW_A-policy-security] rule name sec_policy_1
[NGFW_A-policy-security-rule-sec_policy_1] source-zone trust
[NGFW_A-policy-security-rule-sec_policy_1] source-zone local
[NGFW_A-policy-security-rule-sec_policy_1] destination-zone local
[NGFW_A-policy-security-rule-sec_policy_1] destination-zone trust
[NGFW_A-policy-security-rule-sec_policy_1] action permit
[NGFW_A-policy-security-rule-sec_policy_1] quit
[NGFW_A-policy-security] rule name sec_policy_2
[NGFW_A-policy-security-rule-sec_policy_2] source-zone trust
[NGFW_A-policy-security-rule-sec_policy_2] destination-zone dmz
[NGFW_A-policy-security-rule-sec_policy_2] action permit


[NGFW_A-policy-security-rule-sec_policy_2] quit
[NGFW_A-policy-security] quit
<NGFW_B> system-view
[NGFW_B] firewall zone trust
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/2
[NGFW_B-zone-trust] quit

Step 2 Configure the DHCPv6 server (Delegation Router).


# Enable the IPv6 packet forwarding function of NGFW_A.
NOTE

You can implement other IPv6 configurations only after the IPv6 packet forwarding function is enabled on the
device.
[NGFW_A] ipv6

# Configure the DHCPv6 prefix pool. Create delegation prefix pool pool111, assign prefix
2000::/32, and set the delegating prefix length to 33.
[NGFW_A] dhcpv6 prefix-pool delegation-prefix pool111
[NGFW_A-dhcpv6-prefix-pool-pool111] prefix 2000::/32
[NGFW_A-dhcpv6-prefix-pool-pool111] delegating-prefix-length 33
[NGFW_A-dhcpv6-prefix-pool-pool111] quit

# Configure the DHCPv6 address pool. Create address pool pool222, associate it with the
DHCPv6 prefix pool, and configure the information about the DNS server, SIP server, and SNTP
server to be assigned.
[NGFW_A] dhcpv6 pool pool222
[NGFW_A-dhcpv6-pool-pool222] prefix-pool pool111
[NGFW_A-dhcpv6-pool-pool222] dns-server 1::1
[NGFW_A-dhcpv6-pool-pool222] dns-search-list example.com
[NGFW_A-dhcpv6-pool-pool222] sip-server address 2::2
[NGFW_A-dhcpv6-pool-pool222] sntp-server 3::3
[NGFW_A-dhcpv6-pool-pool222] quit

# Configure the basic IPv6 functions of interface GigabitEthernet 1/0/1 and associate it with the DHCPv6 address pool.
1. Enable IPv6 and the DHCPv6 server function on the interface and set its IPv6 address.
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] description connect-to-relay
[NGFW_A-GigabitEthernet1/0/1] ipv6 enable
[NGFW_A-GigabitEthernet1/0/1] dhcpv6 server enable
[NGFW_A-GigabitEthernet1/0/1] ipv6 address 3000::1/64

2. Associate the interface with the DHCPv6 address pool.


[NGFW_A-GigabitEthernet1/0/1] dhcpv6 pool pool222
[NGFW_A-GigabitEthernet1/0/1] quit

Step 3 Configure the DHCPv6 client (Requesting Router).


# Enable the IPv6 packet forwarding function of NGFW_B.
NOTE

You can implement other IPv6 configurations only after the IPv6 packet forwarding function is enabled on the
device.
[NGFW_B] ipv6

# Enable the DHCPv6 client function of interface GigabitEthernet 1/0/2, set the IPv6 address of
the interface, and configure the interface to save prefix 2000:0:8000::/33 obtained from the
server to prefix pool abc.


[NGFW_B] interface GigabitEthernet 1/0/2


[NGFW_B-GigabitEthernet1/0/2] description connect-to-server
[NGFW_B-GigabitEthernet1/0/2] ipv6 enable
[NGFW_B-GigabitEthernet1/0/2] ipv6 address 3000::2/64
[NGFW_B-GigabitEthernet1/0/2] dhcpv6 client enable
[NGFW_B-GigabitEthernet1/0/2] dhcpv6 client ia-prefix prefix-name abc 2000:0:8000::/33
[NGFW_B-GigabitEthernet1/0/2] quit

# Set the IPv6 address of interface GigabitEthernet 1/0/1 and configure ND.
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] description connect-to-pc
[NGFW_B-GigabitEthernet1/0/1] ipv6 enable
[NGFW_B-GigabitEthernet1/0/1] ipv6 address 2000::1/64
[NGFW_B-GigabitEthernet1/0/1] undo ipv6 nd ra halt
[NGFW_B-GigabitEthernet1/0/1] ipv6 nd ra prefix abc 3333::/64 500 300

----End
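
The delegation configured above, as an added Python program that is not part of the Huawei guide: it models a delegation prefix pool like pool111 (prefix 2000::/32, delegating prefix length 33), hands one /33 to each requesting router identified by its DUID, keeps the same prefix across a renewal, reports exhaustion once both /33 prefixes are bound, reuses a released prefix, and derives the /64 prefixes a requesting router such as NGFW_B could advertise to its PCs. The second prefix it produces, 2000:0:8000::/33, is the one NGFW_B saves in prefix pool abc above. The class and helper names and the allocation order (lowest free prefix first) are assumptions.

```python
import ipaddress
from itertools import islice
from typing import Optional


class DelegationPool:
    """A DHCPv6-PD pool: carve pool_prefix into prefixes of delegating_length
    bits and bind each one to the DUID of the requesting router that asked."""

    def __init__(self, pool_prefix: str, delegating_length: int):
        self.pool = ipaddress.IPv6Network(pool_prefix)
        if not self.pool.prefixlen < delegating_length <= 128:
            raise ValueError("delegating prefix length must be longer than the pool prefix")
        self.length = delegating_length
        self.capacity = 1 << (delegating_length - self.pool.prefixlen)  # delegable prefixes
        self.step = 1 << (128 - delegating_length)                      # address distance between them
        self.next_index = 0
        self.released = []   # indices handed back by routers, reused first
        self.bindings = {}   # requesting-router DUID -> IPv6Network

    def _nth(self, n: int) -> ipaddress.IPv6Network:
        base = int(self.pool.network_address) + n * self.step
        return ipaddress.IPv6Network((base, self.length))

    def delegate(self, client_duid: str) -> Optional[ipaddress.IPv6Network]:
        """Return the prefix bound to this router, allocating one on first request.
        None means the pool is exhausted (the server would answer NoPrefixAvail)."""
        if client_duid in self.bindings:          # renew/rebind keeps the binding
            return self.bindings[client_duid]
        if self.released:
            index = self.released.pop()
        elif self.next_index < self.capacity:
            index = self.next_index
            self.next_index += 1
        else:
            return None
        prefix = self._nth(index)
        self.bindings[client_duid] = prefix
        return prefix

    def release(self, client_duid: str) -> bool:
        """Free the router's prefix (a Release, or the valid lifetime running out)."""
        prefix = self.bindings.pop(client_duid, None)
        if prefix is None:
            return False
        offset = int(prefix.network_address) - int(self.pool.network_address)
        self.released.append(offset // self.step)
        return True


def lan_prefixes(delegated: ipaddress.IPv6Network, count: int) -> list:
    """The first `count` /64s inside a delegated prefix: what the requesting
    router can advertise (ipv6 nd ra prefix) on its PC-facing interfaces."""
    if delegated.prefixlen > 64:
        raise ValueError("a delegated prefix must be at most /64 to hold /64 subnets")
    return [str(p) for p in islice(delegated.subnets(new_prefix=64), count)]
```

A /32 pool with a delegating length of 33 holds exactly two delegable prefixes, so a third requesting router gets nothing until one of the first two releases its binding; when sizing a pool, the number of requesting routers it must serve is 2 raised to the difference between the two prefix lengths.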

Configuration Verification
# On the PC, check whether an IPv6 global unicast address is automatically generated. This
example describes configurations on the PC installed with the Windows 7 Professional operating
system.
C:\> ipconfig/all

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : example.com
Description. . . . . . . . . . . : Realtek RTL8169/8110
Physical Address. . . . . . . . .: 00-E0-4C-97-3E-94
DHCP Enabled . . . . . . . . . . : No
Autoconfiguration Enabled. . . . : Yes
IPv6 Address . . . . . . . . . . : 2000::8000:3333:613f:773e:a9af:b520(Preferred)
Lease Obtained . . . . . . . . .: Friday, November 12, 2010 8:12:19 PM
Lease Expires . . . . . . . . . : Saturday, November 14, 2010 8:12:19 PM
Link-local IPv6 Address. . . . . : fe80::2ff:f9ff:fe51:d92%11(Preferred)
IPv4 Address . . . . . . . . . . : 10.2.2.2(Preferred)
Subnet Mask . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . .:
DHCPv6 IAID . . . . . . . . . . .: 234938444
DHCPv6 Client DUID . . . . . . .: 00-01-00-01-15-0B-47-82-00-E0-4C-97-3E-94
DNS Servers . . . . . . . . . . : 1::1
NetBIOS over Tcpip . . . . . . .: Enabled
Connection-specific DNS Suffix : example.com

The command output shows that the client has obtained the IPv6 global unicast address
2000::8000:3333:613f:773e:a9af:b520.

Configuration Scripts
Configuration script of NGFW_A:
#
ipv6
#
sysname NGFW_A


#
interface GigabitEthernet1/0/1
description connect-to-relay
ipv6 enable
ipv6 address 3000::1 64
dhcpv6 server enable
dhcpv6 pool pool222
#
dhcpv6 prefix-pool delegation-prefix pool111
prefix 2000::/32
delegating-prefix-length 33
#
dhcpv6 pool pool222
dns-search-list example.com
dns-server 1::1
sip-server address 2::2
sntp-server 3::3
prefix pool111
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
security-policy
rule name sec_policy_1
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
rule name sec_policy_2
source-zone trust
destination-zone dmz
action permit
#
return

Configuration script of NGFW_B:
#
ipv6
#
sysname NGFW_B
#
interface GigabitEthernet1/0/2
description connect-to-server
ipv6 enable
ipv6 address 3000::2 64
dhcpv6 client enable
dhcpv6 client ia-prefix prefix-name abc 2000:0:8000::/33
#
interface GigabitEthernet1/0/1
description connect-to-pc
ipv6 enable
ipv6 address 2000::1 64
ipv6 nd ra prefix abc 3333::/64 500 300
undo ipv6 nd ra halt
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#
return


8.5.5.4 Example for Configuring a DHCPv6 Relay Agent


This section provides an example for configuring a NGFW as a DHCPv6 relay agent.

Networking Requirements
The PC shown in Figure 8-64 runs Windows 7 Professional. NGFW_A functions as a DHCPv6
server, which assigns information to the PC. NGFW_B functions as a DHCPv6 relay agent,
which relays information between the PC and the DHCPv6 server.

NGFW_A assigns the following information to the PC:

l IPv6 prefix: 2000::/32


l DNS server address: 3001::2
l AAA domain name: example.com
l SIP server address: 3001::3
l SNTP server address: 3001::4
l IP lease: 12 days

Figure 8-64 Network diagram for configuring a NGFW as a DHCPv6 relay agent
(Figure recovered as text.) PC (Trust) -- GE1/0/1 2000::1/64 | NGFW_B, DHCPv6 Relay | GE1/0/2 3000::1/64 (Untrust) -- IPv6 Network -- GE1/0/1 3000::2/64 (Trust) | NGFW_A, DHCPv6 Server | GE1/0/2 3001::1/64 (DMZ) -- DNS Server 3001::2 (example.com), SIP Server 3001::3, SNTP Server 3001::4

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure a DHCPv6 server.


a. Configure a DHCPv6 prefix pool and define prefixes that the DHCPv6 server can
assign to a DHCPv6 client.


b. Configure a DHCPv6 address pool, associate it with the DHCPv6 prefix pool, and define
the parameters, such as the DNS server address, that the DHCPv6 server assigns to a
DHCPv6 client.
c. Configure security policies.
2. Configure DHCPv6 relay.
a. Configure GigabitEthernet 1/0/2 to communicate with the DHCPv6 server.
b. Enable DHCPv6 relay on GigabitEthernet 1/0/1 and specify a DHCPv6 server address
to enable GigabitEthernet 1/0/1 to properly relay packets from the PC to the DHCPv6
server.
c. Configure security policies.

Procedure
Step 1 Choose Dashboard > System Information and enable IPv6 globally to allow the NGFW to
forward IPv6 packets.

Step 2 Configure the DHCPv6 server.


1. Configure GigabitEthernet 1/0/1.
a. Choose Network > Interface.
b. Click and set the following parameters for GE1/0/1.

Table 8-96 Interface parameters
  Zone               trust
  Mode               Route
  IPv6
    IPv6             Enable Protocol
    Connection Type  Static IP
    IP Address       3000::2/64

c. Click OK.
2. Configure GigabitEthernet 1/0/2.
a. Choose Network > Interface.
b. Click and set the following parameters for GE1/0/2.

Table 8-97 Interface parameters
  Zone               dmz
  Mode               Route
  IPv6
    IPv6             Enable Protocol
    Connection Type  Static IP
    IP Address       3001::1/64

c. Click OK.
3. Configure a DHCPv6 server.
a. Choose Network > DHCP Server > Settings.
b. Click Add.
c. Set the following parameters.

Table 8-98 DHCPv6 server parameters
  Interface Name      GE1/0/1
  Type                IPv6
  Service Type        Server
  Primary DNS Server  3001::2

d. In Delegated Prefix, click Add.


e. Set the following parameters.

  Delegation Type  Address
  Prefix           2000::/32
  Lease Duration   12 days

f. Click OK.
g. In Advanced, set the following parameters.

Table 8-99 Assignment parameters
  Domain Name  example.com
  SNTP Server  3001::4
  SIP Server   3001::3

h. Click OK.
4. Configure a security policy to allow the PC to access a server in the DMZ and an IPv6
network in the Untrust zone.
a. Choose Policy > Security Policy > Security Policy.
b. Click Add and set the following parameters.
The following example provides basic security policy parameters. You can set other
parameters as needed.


Table 8-100 Security policy parameters
  Name              policy_sec_1
  Source Zone       trust
  Destination Zone  dmz,local,untrust
  Action            Permit

c. Click OK.

Step 3 Configure DHCPv6 relay.


1. Configure GigabitEthernet 1/0/1.
a. Choose Network > Interface.
b. Click and set the following parameters for GE1/0/1.

Table 8-101 DHCPv6 relay parameters
  Zone               trust
  Mode               Route
  IPv6
    IPv6             Enable Protocol
    Connection Type  Static IP
    IP Address       2000::1/64

c. Click OK.
2. Configure GigabitEthernet 1/0/2.
a. Choose Network > Interface.
b. Click and set the following parameters for GE1/0/2.

Table 8-102 Interface parameters
  Zone               untrust
  Mode               Route
  IPv6
    IPv6             Enable Protocol
    Connection Type  Static IP
    IP Address       3000::1/64

c. Click OK.


3. Configure DHCPv6 relay.


a. Choose Network > DHCP Server > Settings.
b. Click Add.
c. Set the following parameters.

Table 8-103 DHCPv6 relay parameters
  Interface Name                     GE1/0/1
  Type                               IPv6
  Service Type                       Relay
  IPv6 Server IP Address             3000::2
  Interface Connected to IPv6 Server GE1/0/2

d. Click OK.
4. Configure a security policy to allow the PC to access the IPv6 network in the Untrust zone.
a. Choose Policy > Security Policy > Security Policy.
b. Click Add and set the following parameters.
The following example provides basic security policy parameters. You can set other
parameters as needed.

Table 8-104 Security policy parameters
  Name              policy_sec_1
  Source Zone       trust
  Destination Zone  untrust
  Action            Permit

c. Click OK.

----End

Configuration Verification
# On the PC, verify that an IPv6 global unicast address is automatically generated. The following
example uses configurations on a PC running Windows 7 Professional.
C:\> ipconfig/all

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : example.com
Description. . . . . . . . . . . : Realtek RTL8169/8110
Physical Address. . . . . . . . .: 00-E0-4C-97-3E-94
DHCP Enabled . . . . . . . . . . : No
Autoconfiguration Enabled. . . . : Yes
IPv6 Address . . . . . . . . . . : 2000::448e:2cc2:8ce3:cbe5(Preferred)
Lease Obtained . . . . . . . . .: Friday, November 12, 2010 8:12:19 PM
Lease Expires . . . . . . . . . : Saturday, November 15, 2010 8:12:19 PM
Link-local IPv6 Address. . . . . : fe80::200:5eff:feba:1a00%11(Preferred)
IPv4 Address . . . . . . . . . . : 10.2.2.2(Preferred)
Subnet Mask . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . .:
DHCPv6 IAID . . . . . . . . . . .: 234938444
DHCPv6 Client DUID . . . . . . .: 00-01-00-01-15-0B-47-82-00-E0-4C-97-3E-94
DNS Servers . . . . . . . . . . : 1::1
NetBIOS over Tcpip . . . . . . .: Enabled
Connection-specific DNS Suffix : example.com

The preceding command output shows that the PC has obtained an IPv6 global unicast address
2000::448e:2cc2:8ce3:cbe5.
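Both verification sections (the DHCPv6 client example and this relay example) rely on reading ipconfig /all by eye. The following Python script is an added helper and is not part of the Huawei guide or product: it parses that output, extracts the global unicast address and checks it against the prefix the NGFW is expected to hand out, and it also checks that a delegated prefix such as 2000:0:8000::/33 is a legal delegation from the 2000::/32 pool with delegating-prefix-length 33. The ipconfig text embedded in the script is constructed from the shapes shown above, and the function names are the script's own.

```python
"""Verify a DHCPv6 client address against the prefixes configured on the NGFW.

Added helper, not part of the Huawei guide. It parses Windows "ipconfig /all"
text (the samples below are constructed from the shapes the guide shows) and
checks that the PC's global unicast address falls inside the expected prefix,
and that a delegated prefix is one the prefix pool may legitimately delegate.
"""
import ipaddress
import re

# Constructed sample modelled on the guide's client example
# (delegated prefix 2000:0:8000::/33, PC on the 2000:0:8000:3333::/64 link).
SAMPLE_CLIENT = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : example.com
   IPv6 Address. . . . . . . . . . . : 2000::8000:3333:613f:773e:a9af:b520(Preferred)
   Link-local IPv6 Address . . . . . : fe80::2ff:f9ff:fe51:d92%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.2.2.2(Preferred)
   DNS Servers . . . . . . . . . . . : 1::1
"""

# Constructed sample modelled on the relay example (PC on the 2000::/64 link).
SAMPLE_RELAY = """\
Ethernet adapter Local Area Connection:

   IPv6 Address. . . . . . . . . . . : 2000::448e:2cc2:8ce3:cbe5(Preferred)
   Link-local IPv6 Address . . . . . : fe80::200:5eff:feba:1a00%11(Preferred)
"""

GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3")

# "IPv6 Address . . . : <addr>(Preferred)"; anchoring on "IPv6 Address" at the
# start of the line excludes "Link-local IPv6 Address" and "Temporary IPv6 Address".
_IPV6_LINE = re.compile(r"^\s*IPv6 Address[ .]*:\s*([0-9A-Fa-f:]+)", re.MULTILINE)


def global_unicast_addresses(ipconfig_text):
    """Return the global unicast IPv6 addresses reported by ipconfig (canonical form)."""
    found = []
    for match in _IPV6_LINE.finditer(ipconfig_text):
        addr = ipaddress.IPv6Address(match.group(1))
        if addr in GLOBAL_UNICAST:
            found.append(addr.compressed)
    return found


def addresses_in_prefix(addresses, prefix):
    """Filter address strings to those inside `prefix`."""
    net = ipaddress.IPv6Network(prefix)
    return [a for a in addresses if ipaddress.IPv6Address(a) in net]


def is_valid_delegation(pool, delegating_prefix_length, delegated):
    """True if `delegated` is a prefix the pool may hand out.

    Mirrors `dhcpv6 prefix-pool ... prefix 2000::/32` with
    `delegating-prefix-length 33`: the delegated prefix must have exactly that
    length and lie inside the pool.
    """
    pool_net = ipaddress.IPv6Network(pool)
    delegated_net = ipaddress.IPv6Network(delegated)
    return (delegated_net.prefixlen == delegating_prefix_length
            and delegated_net.subnet_of(pool_net))


def verify_client(ipconfig_text, expected_prefix):
    """Return (ok, detail): ok when the PC holds an address inside expected_prefix."""
    hits = addresses_in_prefix(global_unicast_addresses(ipconfig_text), expected_prefix)
    if not hits:
        return False, "no global unicast address inside " + expected_prefix
    return True, hits[0]


if __name__ == "__main__":
    print(verify_client(SAMPLE_CLIENT, "2000:0:8000::/33"))
    print(verify_client(SAMPLE_RELAY, "2000::/64"))
    print(is_valid_delegation("2000::/32", 33, "2000:0:8000::/33"))
```

The script reports addresses only; compare the DNS Servers line with the dns-server configured in the pool by hand, since that is the kind of mismatch a quick glance misses.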

Configuration Scripts
Configuration script for NGFW_A:
#
ipv6
#
sysname NGFW_A
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 3000::2 64
dhcpv6 server enable
dhcpv6 pool gigabitethernet1_0_1
#
interface GigabitEthernet1/0/2
ipv6 enable
ipv6 address 3001::1 64
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone dmz
set priority 50
add interface GigabitEthernet1/0/2
#
dhcpv6 prefix-pool address-prefix gigabitethernet1_0_1_1343810878
prefix 2000::/32
lifetime preferred-lifetime 1036800 valid-lifetime 1036800
#
dhcpv6 pool gigabitethernet1_0_1
dns-search-list example.com
dns-server 3001::2
sip-server address 3001::3
sntp-server 3001::4
prefix-pool gigabitethernet1_0_1_1343810878
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone dmz
destination-zone local
destination-zone untrust
action permit
#
return

Configuration script for NGFW_B:
#
ipv6
#
sysname NGFW_B
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 2000::1 64
dhcpv6 relay enable
dhcpv6 relay destination 3000::2
dhcpv6 relay interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/2
ipv6 enable
ipv6 address 3000::1 64
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
action permit
#
return

8.5.6 Feature Reference


This section provides DHCPv6 references.

8.5.6.1 Feature History


This section describes the versions and changes in the DHCPv6 feature.

  Version      Change Description
  V100R001C00  The first version.

8.5.6.2 Reference Standards and Protocols


This section provides DHCPv6 standards and protocols.

DHCPv6 standards and protocols are as follows:


l RFC 3315: Dynamic Host Configuration Protocol for IPv6 (DHCPv6)
l RFC 2461: Neighbor Discovery for IP Version 6 (IPv6)
l RFC 3736: Stateless Dynamic Host Configuration Protocol (DHCP) Service for IPv6
l RFC 2462: IPv6 Stateless Address Autoconfiguration
l RFC 3633: IPv6 Prefix Options for Dynamic Host Configuration Protocol (DHCP) version 6

8.6 Link Aggregation


This section describes link aggregation concepts, explains how to configure link aggregation,
and provides configuration examples.

8.6.1 Overview
This section describes link aggregation.

Definition
Link aggregation is the technology used to bundle multiple physical interfaces into one
logical Eth-Trunk interface to increase link bandwidth. Member interfaces are classified
into active and inactive interfaces: interfaces that forward data are active interfaces, while
interfaces that do not forward data are inactive interfaces.

Link aggregation is classified into the following modes:


l Manual mode
You manually create an Eth-Trunk interface, add member interfaces, and specify the
active interfaces.
l Static LACP mode
You manually create an Eth-Trunk interface and add member interfaces to it. The status
of the member interfaces is determined by the Link Aggregation Control Protocol
(LACP).

Purpose
Link aggregation increases the link bandwidth and reliability.

Link aggregation provides a higher transmission rate than a single interface without upgrading
the interfaces (for example, replacing FE interfaces with GE interfaces), which reduces hardware
upgrade costs.

Link aggregation increases link reliability. If a member interface that is transmitting traffic goes
down, traffic can be switched to another active member interface.

NOTICE
Configure link aggregation before connecting the cables; otherwise, loops may occur.


8.6.2 Application Scenario


This section describes the application scenario for link aggregation.
As shown in Figure 8-65, an aggregated link is established between NGFW_A and
NGFW_B, and two GigabitEthernet interfaces (Port1 and Port2) are added to the Eth-Trunk
interface. The total bandwidth of the Eth-Trunk interface is twice that of a single GigabitEthernet
interface.

Figure 8-65 Link aggregation
(Figure recovered as text.) NGFW_A and NGFW_B are connected by an Eth-Trunk made up of two links: Port1 to Port1 and Port2 to Port2.

The two member interfaces share the traffic load and back each other up, which prevents
congestion and improves link availability.

8.6.3 Mechanism
This section describes the link aggregation mechanism.

Introduction to LACP
Manual link aggregation, as a link aggregation technique, helps increase bandwidth by bundling
multiple physical interfaces into an Eth-Trunk interface. However, a manual-mode Eth-Trunk is
weak at fault detection: it can detect only link disconnections, not other faults such as
incorrect link connections. The Link Aggregation Control Protocol (LACP) improves the
fault tolerance of Eth-Trunk interfaces and supports M:N backup for Eth-Trunk interfaces, which
provides high reliability for trunk member links.
For instance, an aggregated link is established between NGFW_A and NGFW_B. Four Ethernet
interfaces on NGFW_A are bundled into an Eth-Trunk interface and connected to interfaces on
NGFW_B, but one of them is incorrectly connected to an interface on NGFW_C. A manual-mode
Eth-Trunk cannot detect the fault and sends data to NGFW_C. To prevent incorrect
data transmission, enable LACP on both NGFWs. NGFW_A and NGFW_B then perform
LACP negotiation before exchanging data with each other.

Basic Concepts
LACP provides a standard negotiation mechanism for switching devices. This mechanism
ensures that switching devices automatically create and enable aggregated links. After
aggregated links are created, LACP maintains the link status. If the status of an aggregated link
changes, LACP automatically adjusts or disables the link.
l LACP system priority
An LACP system priority is configured to distinguish the priority levels of the devices on both
ends of a link. In static LACP mode, both devices must select the same active member
interfaces. An active member inconsistency causes the link aggregation group (LAG) to fail
to be established. To keep active member interfaces consistent at both ends, set a higher
priority for one end (the actor). The other end (the partner) selects active member interfaces
based on the selection of the actor.
The smaller an LACP system priority value, the higher the LACP system priority. The device
with the smaller priority value functions as the actor. If the two ends of a link have the same
priority, the end with the lower MAC address functions as the actor.
l LACP interface priority
An LACP interface priority is set for a member interface to determine whether it can be
selected as an active member interface. The smaller the LACP interface priority value, the
higher the LACP interface priority.
l Active and inactive interfaces
Member interfaces can be classified into active and inactive interfaces. Active interfaces
forward services, but inactive interfaces do not.
If an active member link fails, a backup link changes from inactive to active.
l M:N backup
Interfaces working in static LACP mode negotiate parameters to determine active member
links. The static LACP mode is also called an M:N mode. M is the number of active links,
and N is the number of backup links. This mode provides high reliability and allows M
active links to load-balance services.
If one active link fails, LACP selects a backup link to replace the faulty link. This process
ensures that the actual bandwidth of the aggregated link is still the sum of the bandwidth of M
links.
l LACP preemption
This function ensures that an interface with the highest LACP priority can be an active
interface. When an interface with the highest priority becomes inactive due to a failure and
then recovers, the interface can become active if the LACP preemption function is enabled.
If the LACP preemption function is disabled, the interface cannot become active.

Link Aggregation in Manual Mode


Link aggregation in manual mode is widely used. This mode allows you to add multiple
interfaces to an Eth-Trunk, and all the added interfaces forward data and load-balance data. This
mode applies to the scenario in which high link bandwidth is required and LACP is not supported.

Link Aggregation in Static LACP Mode


LACP, defined in IEEE 802.3ad, is a protocol to implement dynamic link aggregation and
de-aggregation. LACP allows both ends of a link to exchange LACPDUs.

After member interfaces are added to a trunk interface in static LACP mode, each end sends
LACPDUs to inform the peer of its system priority, MAC address, member interface priorities,
interface numbers, and keys. After the peer receives the parameters, it compares them with local
parameters and selects interfaces that can be aggregated. Then, LACP negotiation is performed
to select active interfaces and links. Figure 8-66 shows the process for establishing active links.


Figure 8-66 Process for establishing active links
(Figure recovered as text.) NGFW_A and NGFW_B are connected by an Eth-Trunk with three member links. NGFW_A assigns interface priorities 1, 2 and 3 to its member interfaces and has system priority 10; NGFW_B assigns interface priorities 3, 2 and 1 to the corresponding interfaces and has system priority 11.
Step 1: Compare the system priorities and determine the actor (NGFW_A, with the smaller value, becomes the actor; NGFW_B becomes the partner).
Step 2: Select the active interfaces according to the actor's interface priorities.

The process for establishing active links is as follows:


1. Devices at both ends exchange LACPDUs. Both devices determine the actor based on the
LACP system priority and MAC address.
The smaller an LACP system priority value, the higher an LACP system priority. The device
with a smaller priority value functions as the actor. If the two devices have the same priority,
the device with a lower MAC address functions as the actor.
2. Devices at both ends determine active interfaces based on LACP priorities and interface
numbers of the actor.
After the devices select the same active interfaces, the active interfaces properly forward
data.

In static LACP mode, a link switchover is triggered if a device at one end detects one of the
following events:
l An active link goes Down.
l LACP detects a link fault.
l If LACP preemption is enabled, the priority of a backup interface is changed to be higher
than that of the current active interface.
The backup link with the highest priority is switched to the active mode and forwards data.

8.6.4 Configuring Link Aggregation in Manual Mode


This section describes how to configure link aggregation in manual mode.


8.6.4.1 Configuring the Eth-Trunk to Work in Manual Mode


Before implementing link aggregation, you must create an Eth-Trunk interface (link aggregation
group).

Context
Link aggregation can be classified into the following two types:
l Layer 3 link aggregation
An Eth-Trunk works at the network layer. The Eth-Trunk aggregates links and forwards
packets at the network layer.
l Layer 2 link aggregation
An Eth-Trunk works at the data link layer. The Eth-Trunk aggregates links and forwards
packets at the data link layer.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the Layer 3 Eth-Trunk interface view.


interface eth-trunk trunk-id

By default, an Eth-Trunk works in Layer 3 mode.

Step 3 Optional: Switch the Layer 3 Eth-Trunk interface to Layer 2 mode.


portswitch

NOTE

If Layer 3 link aggregation is configured, skip this step.

Step 4 Set the Eth-Trunk interface to work in manual load balancing mode.
mode manual load-balance

By default, an Eth-Trunk works in manual load balancing mode.

----End

Follow-up Procedure
The IP address, maximum transmission unit (MTU), routing, and security functions are usually
configured to ensure proper packet forwarding on a Layer 3 Eth-Trunk. Their configuration
details are not provided here.

8.6.4.2 Adding Member Interfaces to an Eth-Trunk Interface


An Eth-Trunk interface must have at least one member interface to forward packets.

Prerequisites
The Eth-Trunk interface must be already created.


Context
The following restrictions must be met before member interfaces are added to an Eth-Trunk:
l Only Layer 3 Ethernet interfaces can be added to a Layer 3 Eth-Trunk interface. Only Layer
2 Ethernet interfaces can be added to a Layer 2 Eth-Trunk interface.
l Each Eth-Trunk interface can contain a maximum of eight physical member links. An
Ethernet interface can join only a single Eth-Trunk interface.
l When electrical and optical Ethernet interfaces are added to a single Eth-Trunk interface,
configure the link-layer attributes of the electrical interface to be the same as those of the
optical interface.
l Member interfaces cannot contain the security zone, VLAN, and IP address configurations
before being added to an Eth-Trunk interface.
l After an interface is added to an Eth-Trunk interface, some interface-specific services
cannot take effect. Re-enable them on the Eth-Trunk interface as required.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the Ethernet interface view.


interface interface-type interface-number

Step 3 Add the current interface to an Eth-Trunk interface.


eth-trunk trunk-id

----End

Follow-up Procedure
Run the display trunk-membership eth-trunk trunk-id command to display information about
Eth-Trunk member interfaces.
<NGFW> display trunk-membership eth-trunk 1
Trunk ID : 1
Used Status : VALID
TYPE : Ethernet
Working Mode : Load-balance
Working State : Normal
Number Of Ports In Trunk : 2
Number Of Up Ports In Trunk : 0
Operate Status : Down
Interface GigabitEthernet1/0/1, valid, operate down, weight=1,standby interface NULL
Interface GigabitEthernet1/0/2, valid, operate down, weight=1,standby interface NULL

8.6.4.3 (Optional) Configuring the Master/Slave Mode for a Layer 3 Eth-Trunk Interface

When an Eth-Trunk interface works in master/slave mode, traffic passes through the master
member interface. If the master interface goes Down, traffic passes through a slave interface.


Prerequisites
Before configuring a master/slave interface failover, you must add two member interfaces (and
you can add only two member interfaces) to an Eth-Trunk interface.

Context
After the master/slave failover is configured, traffic is forwarded by the master interface when
the master interface is working properly. If the master interface goes Down, traffic is switched
to the slave interface. The availability of the Eth-Trunk interface is improved.

NOTICE
Only Layer 3 Eth-Trunk interfaces support this function.

The master/slave interface failover can be implemented in the following two modes:
l auto: If a device detects that the link to the master interface is faulty or recovered, the
device automatically implements a switchover between master and slave interfaces.
l manual: If the link to the master interface is faulty or recovered, you need to manually
switch the data flow to the slave or master interface.
The default switchover mode is auto.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the Eth-Trunk interface view.


interface eth-trunk trunk-id

Step 3 Configure the Eth-Trunk interface to work in master/slave mode and specify the master and
slave member interfaces.
port-master interface-type interface-number port-slave interface-type interface-number

By default, the load balancing mode is configured.


Step 4 Optional: Configure a switchover mode in either of the following methods:
l Enable an automatic switchover.
1. Enable the automatic switchover mode for the Eth-Trunk interfaces.
master-slave switch mode auto

2. Optional: Enable the preemption function for the master interface of the Eth-Trunk
interface.
port-master preempt enable

The preemption is disabled by default.


After the preemption for the master interface of an Eth-Trunk interface is enabled, if
the master interface goes Down, the slave interface takes over traffic. If the status of
the master interface goes Up, the system automatically performs a master/slave
switchover and the master interface takes over traffic using preemption. If the
preemption is disabled, the slave interface is still forwarding traffic after the master
interface goes Up.
l Configure a manual switchover.
1. Enable the manual switchover mode of an Eth-Trunk interface.
master-slave switch mode manual

2. Manually switch traffic to the master or slave interface.
switch data-flow to { master-port | slave-port }

----End
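To make the auto/manual switchover and the preemption behaviour described above concrete, here is a small Python model of a two-member master/slave Eth-Trunk. It is an added illustration and not Huawei code: the class name, method names and event model are the example's own, and the interface names are used only as labels.

```python
"""Model of a two-member Layer 3 Eth-Trunk in master/slave mode.

Added illustration, not Huawei code. It reproduces the behaviour the guide
describes for `master-slave switch mode auto | manual`,
`port-master preempt enable` and `switch data-flow to { master-port | slave-port }`.
"""


class MasterSlaveTrunk:
    def __init__(self, master, slave, mode="auto", preempt=False):
        self.master = master
        self.slave = slave
        self.mode = mode            # "auto" is the default switchover mode
        self.preempt = preempt      # port-master preempt enable (auto mode only)
        self.up = {master: True, slave: True}
        self.forwarding = master    # traffic starts on the master interface

    def _other(self, port):
        return self.slave if port == self.master else self.master

    def link_event(self, port, is_up):
        """Apply a link Up/Down event and return the interface now forwarding."""
        self.up[port] = is_up
        if self.mode == "manual":
            # Manual mode: the device never switches on its own; the operator
            # runs switch data-flow after the fault or after the recovery.
            return self.forwarding
        if not is_up and port == self.forwarding and self.up[self._other(port)]:
            # Failure of the forwarding interface: fail over to the healthy one.
            self.forwarding = self._other(port)
        elif is_up and port == self.master and self.preempt:
            # Preemption enabled: the recovered master takes traffic back.
            # With preemption disabled the slave keeps forwarding.
            self.forwarding = self.master
        return self.forwarding

    def switch_data_flow(self, target):
        """switch data-flow to { master-port | slave-port }."""
        port = {"master-port": self.master, "slave-port": self.slave}[target]
        if not self.up[port]:
            raise RuntimeError(port + " is Down; traffic cannot be switched to it")
        self.forwarding = port
        return self.forwarding


if __name__ == "__main__":
    trunk = MasterSlaveTrunk("GigabitEthernet1/0/1", "GigabitEthernet1/0/2")
    print(trunk.link_event("GigabitEthernet1/0/1", False))  # slave forwards
    print(trunk.link_event("GigabitEthernet1/0/1", True))   # slave still forwards
```

Run the same two events on an instance created with preempt=True and the second call returns the master again; that difference is the whole effect of port-master preempt enable.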

8.6.5 Configuring Link Aggregation in Static LACP Mode


This section describes how to configure link aggregation in static LACP mode.

8.6.5.1 Configuring the Eth-Trunk to Work in Static LACP Mode


Before implementing link aggregation, you must create an Eth-Trunk interface (link aggregation
group).

Context
Link aggregation can be classified into the following two types:
l Layer 3 link aggregation
An Eth-Trunk interface works at the network layer. The Eth-Trunk interface aggregates
links and forwards packets at the network layer.
l Layer 2 link aggregation
An Eth-Trunk interface works at the data link layer. The Eth-Trunk interface aggregates
links and forwards packets at the data link layer.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the Layer 3 Eth-Trunk interface view.


interface eth-trunk trunk-id

By default, an Eth-Trunk interface works in Layer 3 mode.

Step 3 Optional: Switch the Layer 3 Eth-Trunk interface to Layer 2 mode.


portswitch

NOTE

If Layer 3 link aggregation is configured, skip this step.

Step 4 Configure the Eth-Trunk interface to work in static LACP mode.


mode lacp-static

By default, an Eth-Trunk interface works in manual load balancing mode.

----End


8.6.5.2 Configuring the Actor


In static LACP mode, active member interfaces selected by both devices must be consistent. An
inconsistency causes the LAG to fail to be established. To keep active member interfaces
consistent on both ends, set a higher priority for one end (the actor). In this manner, the other
end (the partner) selects active member interfaces based on the selection of the peer.

Context
The system automatically negotiates and determines the actor and partner based on LACP
priorities. The lower the LACP system priority value, the higher the LACP system priority. The
device with the lower priority value functions as the actor. If the two ends have the same priority,
the device with the lower MAC address functions as the actor. If Layer 2 link aggregation is
enabled, the MAC address of the device is used. If Layer 3 link aggregation is enabled, the MAC
address of the Eth-Trunk interface is used.

Procedure
Step 1 Access the system view.
system-view

Step 2 Set the LACP system priority.


lacp priority lacp-priority

The default LACP system priority is 32768.

Step 3 Access the Eth-Trunk interface view.


interface eth-trunk trunk-id

Step 4 Determine whether the local device proactively sends LACPDUs.


lacp mode { active | passive }

By default, the system actively sends LACPDUs.

Either of the following parameters can be configured:

l active: the active mode, in which the local device sends LACPDUs.
l passive: the passive mode, in which the local device does not send LACPDUs.

The devices at both ends of an Eth-Trunk interface cannot both be set to passive mode.

----End

8.6.5.3 Configuring the Active Interfaces Selection Method


This section describes how to configure the method for selecting LACP active interfaces. A
NGFW selects active interfaces based on interface transmission rates and LACP priorities.

Context
Eth-Trunk member interfaces work in either active or inactive state. An interface changes from
inactive to active only after the active interface fails.

A NGFW uses either of the following two methods to select active interfaces:


l Based on the interface transmission rate
The NGFW selects the interface with the higher transmission rate as the active
interface. If the interfaces support the same transmission rate, the NGFW selects the
interface with the smaller interface ID as the active interface.
l Based on the interface LACP priority
The NGFW selects the interface with the higher LACP priority (the smaller value) as the
active interface. If two interfaces have the same LACP priority, the NGFW selects the
interface with the smaller interface ID as the active interface.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the Eth-Trunk interface view.
interface eth-trunk trunk-id

Step 3 Configure the method for selecting active interfaces.
lacp selected { priority | speed }

By default, active interfaces are selected based on their LACP priority values.

Step 4 Return to the system view.


quit

Step 5 Access the Ethernet interface view.


interface interface-type interface-number

Step 6 Optional: Set the LACP interface priority value.


lacp priority lacp-priority

The default LACP priority value is 32768.

This command takes effect only when the active interfaces are selected based on their LACP
priority values.

----End
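The actor determination described in 8.6.3 (Figure 8-66) and the two selection methods of this section can be checked with the following Python model. It is an added example and not Huawei's LACP implementation: it encodes only the rules stated in this guide (actor by lower system priority value, then lower MAC address; active interfaces chosen from the actor's view by LACP interface priority or by speed, with the smaller interface number breaking ties; a recovered link displaces a working active link only when LACP preemption is enabled). The MAC addresses and interface speeds are constructed values, and names such as Member, End, negotiate and reselect are the example's own.

```python
"""LACP actor determination and active-interface selection, as a worked model.

Added example, not Huawei's LACP implementation. Values mirror Figure 8-66;
the MAC addresses and interface speeds are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    ifnum: int              # interface number, the final tie-breaker
    priority: int = 32768   # LACP interface priority; default 32768
    speed: int = 1000       # Mbit/s, used only by "lacp selected speed"


@dataclass(frozen=True)
class End:
    name: str
    sys_priority: int       # LACP system priority; default 32768
    mac: str                # device MAC (Layer 2) or Eth-Trunk MAC (Layer 3)
    members: tuple


def _mac_int(mac):
    return int(mac.replace("-", "").replace(":", "").replace(".", ""), 16)


def choose_actor(a, b):
    """Lower system priority value wins; lower MAC address breaks a tie."""
    key_a = (a.sys_priority, _mac_int(a.mac))
    key_b = (b.sys_priority, _mac_int(b.mac))
    return a if key_a <= key_b else b


def select_active(members, max_active, method="priority"):
    """Return the interface numbers that become active, best first."""
    if method == "priority":
        key = lambda m: (m.priority, m.ifnum)     # smaller value = higher priority
    elif method == "speed":
        key = lambda m: (-m.speed, m.ifnum)       # higher rate wins
    else:
        raise ValueError("method must be 'priority' or 'speed'")
    return [m.ifnum for m in sorted(members, key=key)[:max_active]]


def negotiate(a, b, max_active, method="priority"):
    """Both ends agree on the actor, then follow the actor's choice of active links."""
    actor = choose_actor(a, b)
    return actor.name, select_active(actor.members, max_active, method)


def reselect(members, current_active, down, max_active, preempt, method="priority"):
    """Active set after link changes; `down` holds the failed interface numbers."""
    usable = [m for m in members if m.ifnum not in down]
    if preempt:
        # lacp preempt enable: the best usable interfaces always win.
        return select_active(usable, max_active, method)
    # Preemption disabled: keep working active links, fill gaps from the backups.
    kept = [n for n in current_active if n not in down]
    backups = [m for m in usable if m.ifnum not in kept]
    return kept + select_active(backups, max_active - len(kept), method)


# Figure 8-66: NGFW_A interface priorities 1, 2, 3 and system priority 10;
# NGFW_B interface priorities 3, 2, 1 and system priority 11. MACs constructed.
NGFW_A = End("NGFW_A", 10, "00e0-fc00-0001",
             (Member(1, 1), Member(2, 2), Member(3, 3)))
NGFW_B = End("NGFW_B", 11, "00e0-fc00-0002",
             (Member(1, 3), Member(2, 2), Member(3, 1)))

if __name__ == "__main__":
    print(negotiate(NGFW_A, NGFW_B, max_active=2))   # ('NGFW_A', [1, 2])
```

Because NGFW_A is the actor, its interfaces 1 and 2 become active even though NGFW_B ranks them lowest; if each end followed its own priorities the two active sets would differ and the LAG would not come up, which is exactly why the guide tells you to raise the priority on one end.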

8.6.5.4 Enabling LACP Preemption


The LACP preemption function ensures that the interface with the highest LACP priority can
be an active interface.

Context
When the interface with the highest LACP priority becomes inactive because of a failure and then
recovers, it can become an active interface again only if the LACP preemption function is
enabled. Otherwise it stays inactive until an active interface fails.

The LACP preemption delay is the period of time that a recovered interface waits before it
becomes active again. Set the delay to prevent a flapping link from repeatedly changing the set
of active interfaces and destabilizing the whole Eth-Trunk interface.

To ensure the smooth running of an Eth-Trunk interface, enable or disable the LACP preemption
function on both ends of the Eth-Trunk interface at the same time.


Procedure
Step 1 Access the system view.
system-view

Step 2 Access the Eth-Trunk interface view.


interface eth-trunk trunk-id

Step 3 Enable the LACP preemption function.


lacp preempt enable

By default, the LACP preemption function is disabled.

Step 4 Optional: Set the LACP preemption delay.


lacp preempt delay delay-time

The default delay time is 30 seconds.

If the LACP preemption delays configured on the local and remote devices differ, the smaller
value takes effect.

----End

8.6.5.5 Adding Member Interfaces to an Eth-Trunk Interface


An Eth-Trunk interface must have at least one member interface to forward packets.

Context
The following restrictions must be met before member interfaces are added to an Eth-Trunk:
l Only Layer 3 Ethernet interfaces can be added to a Layer 3 Eth-Trunk interface, and only
Layer 2 Ethernet interfaces can be added to a Layer 2 Eth-Trunk interface.
l Each Eth-Trunk interface can contain a maximum of eight physical member links, and an
Ethernet interface can join only one Eth-Trunk interface.
l When electrical and optical Ethernet interfaces are added to a single Eth-Trunk interface,
configure the link-layer attributes of the electrical interface to be the same as those of the
optical interface.
l An interface must not carry security zone, VLAN, or IP address configuration when it is
added to an Eth-Trunk interface; remove such configuration first.
l After an interface is added to an Eth-Trunk interface, some interface-specific services no
longer take effect. Re-enable them on the Eth-Trunk interface as required.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the Ethernet interface view.


interface interface-type interface-number

Step 3 Add the current interface to an Eth-Trunk interface.


eth-trunk trunk-id


The Eth-Trunk interface must be already created.

----End

Follow-up Procedure
Run the display trunk-membership eth-trunk trunk-id command to display information about
Eth-Trunk member interfaces.
<NGFW> display trunk-membership eth-trunk 1
Trunk ID : 1
Used Status : VALID
TYPE : Ethernet
Working Mode : Load-balance
Working State : Normal
Number Of Ports In Trunk : 2
Number Of Up Ports In Trunk : 0
Operate Status : Down
Interface GigabitEthernet1/0/1, valid, operate down, weight=1,standby interface NULL
Interface GigabitEthernet1/0/2, valid, operate down, weight=1,standby interface NULL

8.6.5.6 Setting a Timeout Interval at which LACP Packets Are Received


By setting the timeout interval at which LACP packets are received, you control how quickly a
member link failure is detected when a fault occurs.

Context
A local end informs the peer end of its timeout interval in LACP packets, and the peer end
adjusts the interval at which it sends LACP packets accordingly. If a local member interface
receives no LACP packets from the peer end within the timeout interval, the interface goes
Down and stops forwarding data. The local end timeout interval falls into two types:
l Fast mode: LACP packets are sent every 1 second, and the timeout interval at which LACP
packets are received is 3 seconds.
l Slow mode: LACP packets are sent every 30 seconds, and the timeout interval at which LACP
packets are received is 90 seconds.

Fast mode detects failures quickly but consumes more system resources. Slow mode detects
failures more slowly and consumes fewer system resources.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the Eth-Trunk interface view.


interface eth-trunk trunk-id

Step 3 Set the timeout interval at which LACP packets are received.
lacp timeout { fast | slow }


By default, the slow mode is used.

----End

8.6.6 Configuring the Load Balancing Mode


This section describes how to configure the load balancing mode. The load balancing mode falls
into two types: per-flow and per-packet. Member interfaces share traffic more evenly in
per-packet mode than in per-flow mode, but per-packet mode consumes more system resources and
can deliver the packets of one flow out of order, because consecutive packets take different
member links.

Context
Load balancing can be carried out in the following ways:
l Per-flow (session-by-session) load balancing:
– Layer 2 Eth-Trunk interface: Packets with the same source MAC address, destination
MAC address, source IP address, and destination IP address go through the same
member link.
– Layer 3 Eth-Trunk interface: Packets with the same source IP address and destination
IP address go through the same member link.
l Per-packet load balancing: One packet travels out on one link and the next packet is sent
out on another link.

On an Eth-Trunk interface, the greater the proportion of a member interface's weight to the
sum of the weights of all member interfaces, the heavier the load over that member interface.

Procedure
l Configure the load-balancing mode.
1. Access the system view.
system-view

2. Access the Eth-Trunk interface view.


interface eth-trunk trunk-id

3. Configure load balancing for the Eth-Trunk interface.


load-balance { ip | packet-all }

By default, load balancing is carried out based on IP addresses, which implements
per-flow load balancing.
l Configure the load-balancing weight.
1. Access the system view.
system-view

2. Access the Ethernet interface view.


interface interface-type interface-number

3. Set the load-balancing weight for the Eth-Trunk member interface.


distribute-weight weight-value

By default, the load-balancing weight of a member interface is 1.


Sum of weights of all member interfaces of an Eth-Trunk interface cannot be greater
than 24.
----End
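The two load-balancing modes and the distribute-weight rule described above, modelled in Python as an added example (this is not Huawei code). The CRC32 flow hash, the slot layout, the member names and the sample addresses are assumptions made for a deterministic illustration; the NGFW's actual hash function is not documented on this page. The model keys a Layer 3 Eth-Trunk on source/destination IP only and a Layer 2 Eth-Trunk on MAC and IP pairs, as the Context above states, and it shows why per-packet mode spreads load exactly by weight while per-flow mode keeps each session on one link.

```python
"""Per-flow ('load-balance ip') versus per-packet ('load-balance packet-all')
distribution over Eth-Trunk members, honouring 'distribute-weight'.
Added example, not Huawei code. The CRC32 hash and the slot layout are
assumptions chosen for a deterministic illustration."""
import zlib
from collections import Counter
from itertools import cycle
from typing import Dict, Iterable, List

MAX_WEIGHT_SUM = 24   # guide: the sum of member weights cannot exceed 24
MAX_MEMBERS = 8       # guide: at most eight physical member links


class EthTrunkBalancer:
    def __init__(self, weights: Dict[str, int], mode: str = "ip", layer: int = 3) -> None:
        if mode not in ("ip", "packet-all"):
            raise ValueError("mode must be 'ip' (per-flow) or 'packet-all' (per-packet)")
        if layer not in (2, 3):
            raise ValueError("an Eth-Trunk is either Layer 2 or Layer 3")
        if not 1 <= len(weights) <= MAX_MEMBERS:
            raise ValueError("an Eth-Trunk needs 1 to 8 member interfaces")
        if any(w < 1 for w in weights.values()):
            raise ValueError("distribute-weight must be at least 1 (default 1)")
        if sum(weights.values()) > MAX_WEIGHT_SUM:
            raise ValueError(f"sum of weights exceeds {MAX_WEIGHT_SUM}")
        self.mode, self.layer = mode, layer
        # One slot per unit of weight: a member with weight 2 owns twice as many
        # slots as a member with weight 1, so it carries twice the share of load.
        self.slots: List[str] = [name for name, w in weights.items() for _ in range(w)]
        self._round_robin = cycle(self.slots)

    def flow_key(self, pkt: Dict[str, str]) -> bytes:
        """Fields that define a session for per-flow balancing: a Layer 3
        Eth-Trunk keys on source/destination IP only; a Layer 2 Eth-Trunk also
        includes source/destination MAC. Ports are deliberately not part of it."""
        fields = ["src_ip", "dst_ip"]
        if self.layer == 2:
            fields = ["src_mac", "dst_mac"] + fields
        return "|".join(pkt[f] for f in fields).encode()

    def select(self, pkt: Dict[str, str]) -> str:
        """Pick the member link for one packet."""
        if self.mode == "packet-all":
            # Per-packet: walk the weighted slot list, so consecutive packets of
            # the same flow leave on different links (and may arrive out of order).
            return next(self._round_robin)
        # Per-flow: same key -> same slot -> same member link for the flow's lifetime.
        return self.slots[zlib.crc32(self.flow_key(pkt)) % len(self.slots)]

    def distribute(self, packets: Iterable[Dict[str, str]]) -> Counter:
        """Count how many packets each member link carried."""
        return Counter(self.select(p) for p in packets)


def sample_flows(n: int) -> List[Dict[str, str]]:
    """Constructed sample traffic: n distinct LAN 1 -> LAN 2 IP pairs using the
    10.1.1.0/24 and 10.1.3.0/24 segments from this guide's LACP example."""
    return [
        {
            "src_mac": f"00:1a:2b:00:{(i >> 8) & 0xFF:02x}:{i & 0xFF:02x}",
            "dst_mac": "00:1a:2b:ff:ff:01",
            "src_ip": f"10.1.1.{1 + i % 250}",
            "dst_ip": f"10.1.3.{1 + i // 250}",
            "dst_port": str(1024 + i),
        }
        for i in range(n)
    ]


if __name__ == "__main__":
    members = {"GigabitEthernet1/0/1": 2, "GigabitEthernet1/0/2": 1}
    print("per-flow, weight 2:1  ->", EthTrunkBalancer(members).distribute(sample_flows(900)))
    print("per-packet, weight 2:1 ->",
          EthTrunkBalancer(members, mode="packet-all").distribute(sample_flows(900)))
```

Run it as a script to see both distributions for the same 900 flows: the per-packet counter is exactly 600:300, while the per-flow counter only approaches the 2:1 ratio, because a hash can only balance flows, not bytes or packets within them. The weight checks in the constructor mirror the two limits stated above (weight at least 1, sum at most 24).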


8.6.7 Setting Upper and Lower Thresholds for the Number of Active
Interfaces
By setting the upper and lower threshold for the number of active interfaces, you can flexibly
control the active interface selection of an Eth-Trunk interface.

Context
When the number of member interfaces in the Up state falls below the lower threshold, the
Eth-Trunk interface goes Down. Otherwise, the Eth-Trunk interface goes Up.

When the number of member interfaces in the Up state exceeds the upper threshold, the
remaining interfaces function as backups. Otherwise, there are no backup interfaces.

NOTICE
The upper threshold can be set only in static LACP mode. If the upper thresholds on both ends
are different, the smaller upper threshold takes effect.
The upper threshold must be greater than the lower threshold.

For static LACP link aggregation, the M:N backup can be implemented if the number of the
member interfaces added into the Eth-Trunk interface exceeds the upper threshold.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the Eth-Trunk interface view.


interface eth-trunk trunk-id

Step 3 Set the upper and lower thresholds.


l Set the lower threshold.
least active-linknumber link-number

The default lower threshold is 1.


l Set the upper threshold.
max active-linknumber link-number

The default upper threshold is 8.

----End
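The selection rules from 8.6.5.3 (rate, then LACP priority, then the smaller interface ID), the preemption behaviour from 8.6.5.4 and the upper and lower thresholds from this section, modelled together in Python as an added example (this is not Huawei code). The member names, speeds and the three-member trunk are constructed; the model assumes that the lower threshold is compared against the number of selected (active) members, and it ignores the preemption delay timer, treating preemption as an immediate re-ranking.

```python
"""Model of LACP active-interface selection on an Eth-Trunk: 'lacp selected
{ priority | speed }', 'lacp priority', 'lacp preempt enable', and the
'least/max active-linknumber' thresholds. Added example, not Huawei code;
the member names and speeds are constructed."""
from dataclasses import dataclass, replace
from typing import List, Sequence, Tuple

MAX_MEMBERS = 8


@dataclass(frozen=True)
class Member:
    name: str                   # e.g. "GigabitEthernet1/0/1"
    iface_id: int               # interface ID: the smaller ID wins a tie
    speed_mbps: int = 1000      # negotiated transmission rate
    lacp_priority: int = 32768  # 'lacp priority' default; smaller value = higher priority
    link_up: bool = True        # physical/LACP state of the member link


@dataclass(frozen=True)
class TrunkState:
    active: Tuple[str, ...]     # selected members, best-ranked first
    standby: Tuple[str, ...]    # up but not selected (the N in M:N backup)
    operate_up: bool            # Eth-Trunk is Up only if active count >= lower threshold


def _rank(m: Member, method: str) -> Tuple[int, int]:
    """Sort key: the lower tuple is preferred. Matches the two rules in 8.6.5.3."""
    if method == "speed":
        return (-m.speed_mbps, m.iface_id)      # faster first, then smaller ID
    if method == "priority":
        return (m.lacp_priority, m.iface_id)    # smaller priority value first, then smaller ID
    raise ValueError(f"unknown method {method!r}: use 'priority' (default) or 'speed'")


def _check(members: Sequence[Member], max_active: int, least_active: int) -> None:
    if len(members) > MAX_MEMBERS:
        raise ValueError("an Eth-Trunk holds at most eight member links")
    if not 1 <= least_active < max_active <= MAX_MEMBERS:
        raise ValueError("upper threshold must be greater than the lower threshold")


def select_active(members: Sequence[Member], method: str = "priority",
                  max_active: int = 8, least_active: int = 1) -> TrunkState:
    """Full selection: what happens at start-up or when preemption is enabled."""
    _check(members, max_active, least_active)
    up = sorted((m for m in members if m.link_up), key=lambda m: _rank(m, method))
    active = tuple(m.name for m in up[:max_active])
    standby = tuple(m.name for m in up[max_active:])
    return TrunkState(active, standby, len(active) >= least_active)


def reselect(members: Sequence[Member], previous: TrunkState, method: str = "priority",
             max_active: int = 8, least_active: int = 1, preempt: bool = False) -> TrunkState:
    """Re-evaluate after a link goes down or comes back.
    preempt=False (the default): members that are already active keep their
    place while they are up; only freed slots go to the best-ranked standby.
    preempt=True: the full ranking applies again, so a recovered
    higher-priority link takes its slot back."""
    if preempt:
        return select_active(members, method, max_active, least_active)
    _check(members, max_active, least_active)
    up = sorted((m for m in members if m.link_up), key=lambda m: _rank(m, method))
    keep = [m for m in up if m.name in previous.active]
    fill = [m for m in up if m.name not in previous.active]
    active = tuple(m.name for m in (keep + fill)[:max_active])
    standby = tuple(m.name for m in up if m.name not in active)
    return TrunkState(active, standby, len(active) >= least_active)


def set_link(members: Sequence[Member], name: str, up: bool) -> List[Member]:
    """Return a copy of the member list with one link's state changed."""
    return [replace(m, link_up=up) if m.name == name else m for m in members]


# Constructed trunk matching the 2:1 backup layout: three members, two may be active.
TRUNK = [Member("GigabitEthernet1/0/1", 1),
         Member("GigabitEthernet1/0/2", 2),
         Member("GigabitEthernet1/0/3", 3)]

if __name__ == "__main__":
    state = select_active(TRUNK, max_active=2)
    print("initial:", state)
    state = reselect(set_link(TRUNK, "GigabitEthernet1/0/1", up=False), state, max_active=2)
    print("after GE1/0/1 fails:", state)
    print("GE1/0/1 back, no preemption:", reselect(TRUNK, state, max_active=2))
    print("GE1/0/1 back, preemption:  ", reselect(TRUNK, state, max_active=2, preempt=True))
```

The script walks the 2:1 case: GE1/0/3 starts as standby, takes over when GE1/0/1 fails, and stays active after GE1/0/1 recovers unless preemption is enabled. The threshold check reproduces the NOTICE above that the upper threshold must be greater than the lower one.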

8.6.8 Maintaining Link Aggregation


After configuring link aggregation, you can run the display commands to view the configuration.
You can also clear statistics or enable the debugging function if necessary.


8.6.8.1 Displaying Link Aggregation Configuration


After configuring link aggregation, you can run the display commands in any view to view and
verify the configuration.

Table 8-105 lists the commands to display link aggregation configuration.

Table 8-105 Displaying link aggregation configuration

Action                                                     Command
Display information about Eth-Trunk member interfaces.    display trunk-membership eth-trunk trunk-id
Display the Eth-Trunk interface status.                    display interface eth-trunk [ trunk-id ] [ | { begin | include | exclude } regular-expression ]
Display the forwarding table of the Eth-Trunk interface.  display trunk-forwarding-table eth-trunk [ trunk-id ]
Display statistics about sent and received LACP packets.  display lacp statistics eth-trunk [ trunk-id [ interface interface-type interface-number ] ]
Display the Eth-Trunk interface configuration.             display eth-trunk [ trunk-id ] [ interface interface-type interface-number | verbose ]

8.6.8.2 Clearing Link Aggregation Statistics


To clear link aggregation statistics, you can run the reset commands.

NOTICE
Cleared statistics cannot be restored. Exercise caution when performing the operation.

Table 8-106 lists the commands run in the user view to clear link aggregation statistics.

Table 8-106 Clearing link aggregation statistics

Action                                  Command
Clear Eth-Trunk interface statistics.  reset counters interface eth-trunk [ trunk-id ]
Clear LACP packet statistics.           reset lacp statistics eth-trunk [ trunk-id [ interface interface-type interface-number ] ]


8.6.8.3 Debugging the Eth-Trunk Interface


When a running fault occurs on an Eth-Trunk interface, you can run the debugging commands
in the user view to debug the Eth-Trunk interface, view the debugging information, and locate
and analyze faults.

Before enabling debugging, run the terminal monitor command in the user view to enable terminal
information display, and the terminal debugging command in the user view to enable terminal
debugging information display.

NOTICE
Enabling debugging degrades system performance. After the debugging is complete, run the
undo debugging all command to disable debugging immediately.

For the description of the debugging commands, see Debugging Reference.

Table 8-107 lists the commands to debug an Eth-Trunk interface.

Table 8-107 Debugging an Eth-Trunk interface

Action                                                                      Command
Enable the error debugging of an Eth-Trunk interface.                      debugging trunk error
Enable the event debugging of an Eth-Trunk interface.                      debugging trunk event
Enable the message debugging of an Eth-Trunk interface.                    debugging trunk msg
Enable the debugging for the Up/Down information of an aggregation group.  debugging trunk updown

8.6.9 Configuration Examples


This section describes the example for configuring link aggregation.

8.6.9.1 Example for Configuring Link Aggregation in Manual Mode


This section provides an example for configuring link aggregation in manual mode to increase
link bandwidth.

Networking Requirements
A company has two branches on LAN 1 and LAN 2. LAN 1 is connected to NGFW_A, and
LAN 2 is connected to NGFW_B, as shown in Figure 8-67.


A large amount of traffic continuously flows between LAN 1 and LAN 2. The links can be bundled
into an Eth-Trunk interface to increase the link bandwidth. LAN 1 and LAN 2 are on the same
network segment, 192.168.0.0/24.

Figure 8-67 Link aggregation in manual mode: NGFW_A and NGFW_B are connected back to back by
Eth-Trunk 1, whose members are GE1/0/1 and GE1/0/2 on each NGFW (zone Untrust). GE1/0/3 of
NGFW_A connects to LAN 1 and GE1/0/3 of NGFW_B connects to LAN 2 (zone Trust).

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a Layer-2 Eth-Trunk interface. Because LAN 1 and LAN 2 are on the same network
segment, the Layer-2 Eth-Trunk interface is used.
2. Switch a physical interface to Layer 2 mode and add the interface to the Eth-Trunk interface.
3. Assign interfaces to security zones and configure security policies.

Procedure
Step 1 Configure NGFW_A.
# Create a Layer-2 Eth-Trunk interface.
<NGFW_A> system-view
[NGFW_A] interface eth-trunk 1
[NGFW_A-Eth-Trunk1] portswitch
[NGFW_A-Eth-Trunk1] quit

# Add a physical interface into the Eth-Trunk interface.


[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] portswitch
[NGFW_A-GigabitEthernet1/0/1] eth-trunk 1
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] portswitch
[NGFW_A-GigabitEthernet1/0/2] eth-trunk 1
[NGFW_A-GigabitEthernet1/0/2] quit

# Assign interfaces to security zones.


[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/3


[NGFW_A-zone-trust] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface eth-trunk 1
[NGFW_A-zone-untrust] quit

# Configure security policies. The two rules below permit all traffic between the Trust and
Untrust zones; in a production deployment, restrict them by source and destination address and
by service.


[NGFW_A] security-policy
[NGFW_A-policy-security] rule name policy_sec_1
[NGFW_A-policy-security-rule-policy_sec_1] source-zone trust
[NGFW_A-policy-security-rule-policy_sec_1] destination-zone untrust
[NGFW_A-policy-security-rule-policy_sec_1] action permit
[NGFW_A-policy-security-rule-policy_sec_1] quit
[NGFW_A-policy-security] rule name policy_sec_2
[NGFW_A-policy-security-rule-policy_sec_2] source-zone untrust
[NGFW_A-policy-security-rule-policy_sec_2] destination-zone trust
[NGFW_A-policy-security-rule-policy_sec_2] action permit
[NGFW_A-policy-security-rule-policy_sec_2] quit

Step 2 Configure NGFW_B.

The configuration of NGFW_B is similar to that of NGFW_A. The configuration details are not
provided.

----End

Configuration Verification
View Eth-Trunk 1 information on NGFW_A.
<NGFW_A> display trunk-membership eth-trunk 1
Trunk ID : 1
Used Status : VALID
TYPE : Ethernet
Working Mode : Load-balance
Working State : Normal
Number Of Ports In Trunk : 2
Number Of Up Ports In Trunk : 2
Operate Status : Up
Interface GigabitEthernet1/0/1, valid, operate up, weight=1,standby interface NULL

Interface GigabitEthernet1/0/2, valid, operate up, weight=1,standby interface NULL

The previous information shows that GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 have
already become member interfaces of Eth-Trunk 1.

Use a PC in LAN 1 and a PC in LAN 2 to ping each other. Check whether the two PCs can ping
each other. If they fail to ping each other, modify the configuration and try again.

Configuration Script
Configuration script for NGFW_A:
#
sysname NGFW_A
#
interface Eth-Trunk1
portswitch
port link-type access
#
interface GigabitEthernet1/0/1
portswitch
port link-type access
eth-trunk 1


interface GigabitEthernet1/0/2
portswitch
port link-type access
eth-trunk 1
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface Eth-Trunk1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
action permit
rule name policy_sec_2
source-zone untrust
destination-zone trust
action permit
#
return

8.6.9.2 Example for Configuring Link Aggregation in LACP Mode


This section provides an example for configuring link aggregation in LACP mode to increase
link bandwidth and reliability.

Networking Requirements
A company has two branches: LAN 1 and LAN 2. LAN 1 and LAN 2 are connected by
NGFW_A and NGFW_B, as shown in Figure 8-68.

A large amount of traffic is continuously transmitted between LAN 1 and LAN 2. Link
aggregation needs to be configured to increase link bandwidth. Meanwhile, link aggregation in
LACP mode uses 2:1 backup to enhance reliability. LAN 1 is on the network segment
10.1.1.0/24, and LAN 2 is on the network segment 10.1.3.0/24.

Figure 8-68 Networking diagram for link aggregation in LACP mode: LAN 1 (10.1.1.0/24) connects
to GE1/0/4 of NGFW_A (10.1.1.1/24, zone Trust). Eth-Trunk 1 on NGFW_A (10.1.2.1/24, zone
Untrust, members GE1/0/1 to GE1/0/3) connects to Eth-Trunk 1 on NGFW_B (10.1.2.2/24, zone
Untrust, members GE1/0/1 to GE1/0/3). GE1/0/4 of NGFW_B (10.1.3.1/24, zone Trust) connects to
LAN 2 (10.1.3.0/24).


Configuration Roadmap
The configuration roadmap is as follows:

1. Create a Layer 3 Eth-Trunk interface that connects LAN 1 and LAN 2 across network
segments.
2. Configure link aggregation in LACP mode.
3. Add physical interfaces to the Eth-Trunk interface.
4. Set the upper limit of active interfaces to 2 to implement 2:1 backup.
5. Assign interfaces to security zones and configure security policies.
6. Configure reachable routes.

Procedure
Step 1 Configure NGFW_A.

# Create an Eth-Trunk interface.


<NGFW_A> system-view
[NGFW_A] interface eth-trunk 1
[NGFW_A-Eth-Trunk1] ip address 10.1.2.1 24

# Configure link aggregation in LACP mode.


[NGFW_A-Eth-Trunk1] mode lacp-static
[NGFW_A-Eth-Trunk1] quit

# Add physical interfaces to the Eth-Trunk interface.


[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] eth-trunk 1
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/2
[NGFW_A-GigabitEthernet1/0/2] eth-trunk 1
[NGFW_A-GigabitEthernet1/0/2] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] eth-trunk 1
[NGFW_A-GigabitEthernet1/0/3] quit

# Set the maximum threshold of active interfaces to 2 to implement 2:1 backup.


[NGFW_A] interface eth-trunk 1
[NGFW_A-Eth-Trunk1] max active-linknumber 2
[NGFW_A-Eth-Trunk1] quit

# Set the IP address of GigabitEthernet 1/0/4.


[NGFW_A] interface GigabitEthernet 1/0/4
[NGFW_A-GigabitEthernet1/0/4] ip address 10.1.1.1 24
[NGFW_A-GigabitEthernet1/0/4] quit

# Assign interfaces to security zones.


[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/4
[NGFW_A-zone-trust] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface eth-trunk 1
[NGFW_A-zone-untrust] quit

# Configure security policies.


[NGFW_A] security-policy
[NGFW_A-policy-security] rule name policy_sec_1
[NGFW_A-policy-security-rule-policy_sec_1] source-zone trust
[NGFW_A-policy-security-rule-policy_sec_1] source-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_sec_1] destination-zone untrust
[NGFW_A-policy-security-rule-policy_sec_1] destination-address 10.1.3.0 24
[NGFW_A-policy-security-rule-policy_sec_1] action permit
[NGFW_A-policy-security-rule-policy_sec_1] quit
[NGFW_A-policy-security] rule name policy_sec_2
[NGFW_A-policy-security-rule-policy_sec_2] source-zone untrust
[NGFW_A-policy-security-rule-policy_sec_2] source-address 10.1.3.0 24
[NGFW_A-policy-security-rule-policy_sec_2] destination-zone trust
[NGFW_A-policy-security-rule-policy_sec_2] destination-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_sec_2] action permit
[NGFW_A-policy-security-rule-policy_sec_2] quit

# Configure routes.
[NGFW_A] ip route-static 0.0.0.0 0 10.1.2.2

Step 2 Configure NGFW_B.


The configuration of NGFW_B is similar to that of NGFW_A. Therefore, the configuration
details are not provided.

----End

Configuration Verification
View Eth-Trunk 1 information. The following example uses the command output of
NGFW_A.
<NGFW_A> display trunk-membership eth-trunk 1
Trunk ID : 1
Used Status : VALID
TYPE : Ethernet
Working Mode : Load-balance
Working State : Normal
Number Of Ports In Trunk : 3
Number Of Up Ports In Trunk : 2
Operate Status : Up
Interface GigabitEthernet1/0/1, valid, operate up, weight=1,standby interface NULL
Interface GigabitEthernet1/0/2, valid, operate up, weight=1,standby interface NULL
Interface GigabitEthernet1/0/3, valid, operate up, weight=1,standby interface NULL

The Number Of Ports In Trunk field value is 3, and the Number Of Up Ports In Trunk field
value is 2, which matches the configured 2:1 backup: two member links carry traffic and the
third is a standby link.

Use a PC in LAN 1 and a PC in LAN 2 to ping each other. Check whether the two PCs can ping
each other. If the ping fails, modify the configuration and try again.

Configuration Scripts
Configuration script for NGFW_A:
#
sysname NGFW_A
#
interface Eth-Trunk1
ip address 10.1.2.1 255.255.255.0
mode lacp-static


max active-linknumber 2
#
interface GigabitEthernet1/0/4
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
eth-trunk 1
interface GigabitEthernet1/0/2
eth-trunk 1
interface GigabitEthernet1/0/3
eth-trunk 1
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/4
#
firewall zone untrust
set priority 5
add interface Eth-Trunk1
#
ip route-static 0.0.0.0 0 10.1.2.2
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.1.1.0 24
destination-address 10.1.3.0 24
action permit
rule name policy_sec_2
source-zone untrust
destination-zone trust
source-address 10.1.3.0 24
destination-address 10.1.1.0 24
action permit
#
return

8.6.10 Troubleshooting Link Aggregation Faults


This section describes how to troubleshoot link aggregation problems.

8.6.10.1 Connection Between Manual Eth-Trunk Interfaces Is Disconnected

This section describes the troubleshooting flow for a disconnected link between Eth-Trunk
interfaces working in manual mode.

Symptom
Figure 8-69 shows the typical networking of Eth-Trunk interfaces:

l Eth-Trunk interfaces are created, and their IP addresses are specified.
l Ethernet interfaces are added to the Eth-Trunk interfaces.

The Eth-Trunk interfaces working in manual mode are disconnected on the network shown in
Figure 8-69.


Figure 8-69 Eth-Trunk networking: Eth-Trunk1 on NGFW_A (100.1.1.1/24) and Eth-Trunk1 on
NGFW_B (100.1.1.2/24) are connected back to back, with GE1/0/1 and GE1/0/2 of each NGFW as
member interfaces.

Possible Causes
The possible causes are as follows:

l Cause one: The Ethernet interfaces of the NGFWs on both ends are not directly connected
using cables.
l Cause two: The member interfaces of the Eth-Trunk interfaces on both ends are Down at the
physical layer.
l Cause three: The number of member links in the Up state is less than the lower threshold.
l Cause four: The numbers of interfaces added to the Eth-Trunk interfaces on both ends are
inconsistent.

Fault Diagnosis
Figure 8-70 shows the process for troubleshooting the disconnection between Eth-Trunk
interfaces.


Figure 8-70 Troubleshooting flowchart for the Eth-Trunk fault (the flowchart is summarized as
the following steps; after each corrective action, check whether the fault is rectified and stop
if it is)

Start: The Eth-Trunk interfaces cannot ping each other.
1. Are the Ethernet interfaces at both ends directly connected through cables? If not, directly
connect the Ethernet interfaces at both ends.
2. Is the physical status of the member interfaces Up? If not, troubleshoot the fault of the
interface.
3. Is the number of links in the Up state not less than the lower threshold? If not, adjust the
lower threshold so that it is not larger than the number of links in the Up state.
4. Are the numbers of interfaces added to the Eth-Trunk interfaces at both ends consistent? If
not, adjust the configuration to make them consistent.
If the fault persists after all four checks, seek technical support.

Procedure
l Cause one: Ethernet interfaces on NGFWs on both ends are not directly connected.
1. Check whether Ethernet interfaces on NGFWs on both ends are directly connected
using cables. If they are not connected, connect the Ethernet interfaces on two ends
using one cable.
NOTE
When the interfaces on both ends are directly connected, and the interfaces are in the Up state,
if you run the shutdown command on the Ethernet interface on one end, the status of the
Ethernet interface at the other end automatically changes from Up to Down.
l Cause two: The member interfaces of the Eth-Trunk interfaces on both ends are Down at the
physical layer.
1. For details about how to troubleshoot the member interfaces, see 8.1.5.1 Physical
Status of an Electronic Ethernet Interface Cannot Be Up.
l Cause three: The number of member links in the Up state is less than the lower threshold.


In a single Eth-Trunk interface, the number of member links that are in the Up state affects
the status and bandwidth of the Eth-Trunk interface. When the number of member links in
the Up state is less than the lower threshold, the status of the Eth-Trunk interface goes
Down.

1. Run the display trunk-membership eth-trunk trunk-id command to display the


number of member interfaces (that are in the Up state) added to the Eth-Trunk
interface.

For example:
<NGFW> display trunk-membership eth-trunk 1
Trunk ID : 1
Used Status : VALID
TYPE : Ethernet
Working Mode : Load-balance
Working State : Normal
Number Of Ports In Trunk : 2
Number Of Up Ports In Trunk : 2
Operate Status : Up
Interface GigabitEthernet1/0/1, valid,selected,operate up,weight=1,standby interface NULL
Interface GigabitEthernet1/0/2, valid,selected,operate up,weight=1,standby interface NULL

The Number Of Up Ports In Trunk field shows that the two member interfaces added to the
Eth-Trunk interface are in the Up state.
2. Run the display current-configuration interface Eth-Trunk command to display
the lower threshold configured on the Eth-Trunk interface.

For example:
<NGFW> display current-configuration interface eth-trunk
#
interface Eth-Trunk1
ip address 10.11.1.1 255.255.0.0
least active-linknumber 2
#

The least active-linknumber line is the lower threshold for the number of member links of
the Eth-Trunk interface that are in the Up state.
3. If the number of member interfaces in the Up state is less than the lower threshold, reduce
the lower threshold. Note that lowering the threshold only masks a lost member link; if that
link is expected to be Up, troubleshoot it first (Cause two), because the threshold is what
guarantees the minimum bandwidth of the Eth-Trunk interface.
l Cause four: The numbers of interfaces added to the Eth-Trunk interface are inconsistent.
1. As the Eth-Trunk interface must be configured symmetrically on devices on both ends,
run the display trunk-membership eth-trunk trunk-id command to display the
numbers of the members (that are in the Up state) of the Eth-Trunk interface on both
ends.
2. Check whether the numbers of the members that are in the Up state are consistent.


When the Ethernet interfaces on both ends are directly connected, each pair of interfaces
shares the same physical state (both Up or both Down). If the numbers of Up members differ,
check whether an Ethernet interface on one end has not been added to the Eth-Trunk interface.

For example:
<NGFW> display trunk-membership eth-trunk 1
Trunk ID : 1
Used Status : VALID
TYPE : Ethernet
Working Mode : Load-balance
Working State : Normal
Number Of Ports In Trunk : 2
Number Of Up Ports In Trunk : 2
Operate Status : Up
Interface GigabitEthernet1/0/1, valid,selected,operate up,weight=1,standby interface NULL
Interface GigabitEthernet1/0/2, valid,selected,operate up,weight=1,standby interface NULL

The Number Of Up Ports In Trunk field shows that two member interfaces added to the
Eth-Trunk interface are in the Up state. Compare this value with the output on the peer device.

If the fault persists, contact technical support personnel.

----End
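A checker for causes two to four of this case, added here as an example (it is not Huawei code). It parses the display trunk-membership output shown in this section and in 8.6.5.5, reads least active-linknumber from the display current-configuration interface eth-trunk output, and compares the local and peer member counts. The two device outputs and the configuration fragment embedded below are constructed to follow the format printed in this guide; they were not captured from a device.

```python
"""Parse 'display trunk-membership eth-trunk' and 'display current-configuration
interface eth-trunk' output and check it against causes two to four of this
troubleshooting case. Added example, not Huawei code; the sample outputs are
constructed to follow the format shown in this guide. Member lines look like
'Interface GigabitEthernet1/0/1, valid, operate up, weight=1,standby interface NULL'
and some outputs insert 'selected,' after 'valid,'."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

MEMBER_RE = re.compile(
    r"^Interface\s+(?P<name>\S+),\s*valid,(?:\s*selected,)?\s*operate\s+(?P<state>up|down),"
    r"\s*weight=(?P<weight>\d+)", re.IGNORECASE)
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>\S.*)$")


@dataclass
class TrunkMembership:
    trunk_id: int
    operate_status: str
    ports: int
    up_ports: int
    members: Dict[str, str] = field(default_factory=dict)   # name -> "up" / "down"


def parse_trunk_membership(text: str) -> TrunkMembership:
    fields: Dict[str, str] = {}
    members: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = MEMBER_RE.match(line)
        if m:
            members[m["name"]] = m["state"].lower()
            continue
        f = FIELD_RE.match(line)          # 'Number Of Up Ports In Trunk : 2' etc.
        if f:
            fields[f["key"].strip()] = f["value"].strip()
    return TrunkMembership(
        trunk_id=int(fields["Trunk ID"]),
        operate_status=fields["Operate Status"],
        ports=int(fields["Number Of Ports In Trunk"]),
        up_ports=int(fields["Number Of Up Ports In Trunk"]),
        members=members)


def least_active_linknumber(config: str, trunk_id: int) -> int:
    """Lower threshold for Eth-TrunkN from the configuration; 1 (the default) if not set."""
    in_block = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            in_block = line == f"interface Eth-Trunk{trunk_id}"
        elif line == "#":
            in_block = False
        elif in_block:
            m = re.match(r"^least active-linknumber (\d+)$", line)
            if m:
                return int(m.group(1))
    return 1


def diagnose(local: TrunkMembership, remote: TrunkMembership, least: int) -> List[str]:
    """Map the parsed state onto the possible causes listed in this section."""
    findings: List[str] = []
    down = sorted(n for n, st in local.members.items() if st == "down")
    if down:
        findings.append("cause two: member interface(s) Down at the physical layer: " + ", ".join(down))
    if local.up_ports < least:
        findings.append(f"cause three: {local.up_ports} Up member(s) is below least active-linknumber {least}")
    if local.ports != remote.ports:
        findings.append(f"cause four: local trunk has {local.ports} member(s), remote has {remote.ports}")
    return findings


# Constructed sample outputs (not captured from a device).
LOCAL_OUTPUT = """\
<NGFW_A> display trunk-membership eth-trunk 1
Trunk ID : 1
Used Status : VALID
Working Mode : Load-balance
Number Of Ports In Trunk : 2
Number Of Up Ports In Trunk : 1
Operate Status : Down
Interface GigabitEthernet1/0/1, valid,selected,operate up,weight=1,standby interface NULL
Interface GigabitEthernet1/0/2, valid, operate down, weight=1,standby interface NULL
"""
REMOTE_OUTPUT = """\
<NGFW_B> display trunk-membership eth-trunk 1
Trunk ID : 1
Number Of Ports In Trunk : 1
Number Of Up Ports In Trunk : 1
Operate Status : Up
Interface GigabitEthernet1/0/1, valid,selected,operate up,weight=1,standby interface NULL
"""
LOCAL_CONFIG = """\
#
interface Eth-Trunk1
 ip address 100.1.1.1 255.255.255.0
 least active-linknumber 2
#
"""

if __name__ == "__main__":
    local, remote = parse_trunk_membership(LOCAL_OUTPUT), parse_trunk_membership(REMOTE_OUTPUT)
    for finding in diagnose(local, remote, least_active_linknumber(LOCAL_CONFIG, local.trunk_id)):
        print(finding)
```

With the constructed inputs the checker reports all three causes at once: GE1/0/2 is physically Down on NGFW_A, one Up member is below the configured threshold of 2, and NGFW_B has only one member in its trunk. Paste real outputs into the two string constants to reuse it on a live case.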

8.6.10.2 Eth-Trunk Interface Working in LACP Mode Cannot Go Up


This section describes how to troubleshoot the problem that the Eth-Trunk interface working in
LACP mode cannot go Up.

Symptom
An Eth-Trunk link connects two devices that support LACP. When LACP runs on both devices,
the Eth-Trunk link cannot be Up.

Possible Causes
Cause one: The number of member interfaces is less than the lower threshold.

Cause two: The Eth-Trunk interfaces on both ends of the link are in passive mode and therefore
do not send LACP packets proactively.

Procedure
Step 1 Cause one: The number of member interfaces is less than the lower threshold.

Run the display trunk-membership eth-trunk command to display information about Eth-
Trunk member interfaces.


Run the display this command in the Eth-Trunk interface view to view the lower threshold (the
default value is 1). Check whether the number of member interfaces is less than the lower
threshold.

l If the number of member interfaces is not less than the lower threshold, go to Cause two.
l If the number of member interfaces is less than the lower threshold, run the least active-
linknumber command to reduce the lower threshold, or add member interfaces.

Step 2 Cause two: The Eth-Trunk interfaces on both ends of the link are in passive mode and therefore
do not send LACP packets proactively.

Run the display this command in the Eth-Trunk interface view to check whether the interfaces
on both ends are in passive mode.

l If the system displays lacp mode active, go to Step 3.


l If the system displays lacp mode passive, the Eth-Trunk interface is in passive mode. Run
the lacp mode active command to set the interface to active mode.

Step 3 If the fault persists, contact the technical support personnel.

----End

8.6.10.3 No Member Interfaces of an Eth-Trunk Interface Working in LACP Mode Can Become the
Active Interface
This section describes how to troubleshoot the problem that no member interfaces of an Eth-
Trunk interface working in LACP mode can become the active interface.

Symptom
No member interfaces of an Eth-Trunk interface working in LACP mode can become the active
interface.

Possible Causes
The configurations of the interfaces conflict. Therefore, some member interfaces cannot become
the active interfaces.

Procedure
Step 1 Check the interface configurations.

Conditions for an active interface are as follows:


l The interface is correctly connected.
l The interface is added to a link aggregation group. Configure the same attributes, such as
the interface rate (speed command) and duplex mode (duplex command), on all member
interfaces.
l When electrical and optical Ethernet interfaces are added to a single Eth-Trunk interface,
configure the link-layer attributes of the electrical interface to be the same as those of the
optical interface.


l The interface type must be the same. For example, GE interfaces can be bound only to GE
interfaces, not to 10GE interfaces.

Run the display this command in each interface view and check whether the interface
configurations are consistent. Modify the configuration if any inconsistency is found.

----End

8.6.11 Feature Reference


This section provides link aggregation references.

8.6.11.1 Feature History


This section describes the versions and changes in the link aggregation feature.

Version Change Description

V100R001C00 The first version.

8.6.11.2 Reference Standards and Protocols


This section provides link aggregation standards and protocols.

Link aggregation standards and protocols are as follows:

IEEE 802.3AD: IEEE Std 802.3ad - 2005 IEEE Standard for Link Aggregation operation, Link
Aggregation Control, Link Aggregation Control Protocol, Marker protocol and Configuration
capabilities and restrictions

8.7 PPP
This section describes Point-to-Point Protocol (PPP) concepts and how to configure PPP.

8.7.1 Overview
The Point-to-Point Protocol (PPP) is a data link-layer protocol used to transmit and encapsulate
network layer packets on point-to-point (P2P) links.

Definition
A P2P connection is a simple WAN connection. Link layer protocols used on P2P links are as follows:
l PPP: supports both synchronous and asynchronous transmission.
l High-level Data Link Control protocol (HDLC): only supports synchronous transmission.

PPP defines a set of protocols:

l Link Control Protocol (LCP): used to establish, monitor, and terminate data links.


l Network Control Protocol (NCP): used to establish and configure different network layer
protocols and negotiate the format and type of packets transmitted over data links.
l Authentication protocols: include Password Authentication Protocol (PAP) and Challenge-
Handshake Authentication Protocol (CHAP).

Objective
Located at the data link layer of the Open Systems Interconnection (OSI) model, PPP supports
both synchronous and asynchronous full-duplex links to transmit data. PPP is widely used because
it has the following advantages:
l Provides user authentication.
l Supports synchronous and asynchronous communications.
l Is easily expanded.

8.7.2 Mechanism
This section describes the mechanism of Point-to-Point Protocol (PPP).

PPP Operation Process


Two devices establish a PPP link after they negotiate parameters using the following PPP
protocols:

l Link Control Protocol (LCP): establishes, monitors, and tears down PPP data links and
determines data link layer parameters, such as the maximum receive unit (MRU) and
authentication mode.
l Network Control Protocol (NCP): used by devices to negotiate formats and types of packets
transmitted on data links and IP addresses.

PPP-enabled devices on two ends of a link must send LCP packets to set up a P2P link.

After the LCP configuration parameters have been negotiated, the two communicating devices
choose the authentication mode according to the authentication parameters in the Configure-
Request packets.

By default, the devices on the two ends do not authenticate each other. After the negotiation of
the LCP configuration parameters, the devices negotiate NCP configuration parameters without
any authentication. After all the negotiations, the two devices on the P2P link can transmit
network-layer packets, and the whole link is available.

A link is torn down and a PPP session ends if one of the following situations occurs:

l The device on either end receives an LCP or an NCP Terminate frame that aims at closing
the link.
l The physical layer cannot detect a carrier.
l The network administrator shuts down the link.

NCP does not have the capability to close a link. The packets used to close the link are generated
during the LCP negotiation phase or application session phase.

Figure 8-71 shows the setup process of a PPP session and status transition.


Figure 8-71 PPP operation process

[Figure 8-71 is a state diagram with the following transitions: Dead --UP--> Establish --OPENED--> Authenticate --SUCCESS/NONE--> Network; Establish --FAIL--> Terminate; Authenticate --FAIL--> Terminate; Network --CLOSING--> Terminate; Terminate --DOWN--> Dead.]

The PPP operation process is described as follows:

l The Link Establishment phase is the first phase in setting up a PPP link.
l LCP negotiation is performed, during which the working mode, MRU, authentication
mode, magic number, and asynchronous character mapping are negotiated. The working
mode can be Single-link PPP (SP) or Multilink PPP (MP). If the LCP negotiation is
successful, the LCP status turns to Opened.
l If no authentication is configured, the communicating devices directly enter the NCP
negotiation phase. If authentication is configured, the communicating devices enter the
Authentication phase and perform CHAP or PAP authentication.
l If the authentication fails, the devices enter the Terminate phase and disconnect the link,
and the LCP status becomes Down. If the authentication is successful, the devices enter the
NCP negotiation phase. The LCP status remains Opened, while the NCP status changes
from Initial to Starting.
l The devices run an NCP protocol to negotiate parameters. The NCP suite includes the
Internet Protocol Control Protocol (IPCP), Multiprotocol Label Switching Control Protocol
(MPLSCP), and Open System Interconnection Control Protocol (OSICP). Devices run
IPCP to negotiate IP addresses. A network layer protocol is selected during NCP
negotiation. The network layer protocol sends packets over the PPP link only after
negotiation of the network layer protocol is successful.
l The PPP link remains in Up until an LCP or NCP frame is generated to close the link or
traffic is interrupted.

A PPP link undergoes the following phases:

l Link Dead phase


The Link Dead phase is also called the unavailable phase. During this phase, there is no
physical layer link established between two devices. PPP link setup always begins and ends
with the Link Dead phase.
After the communicating devices on both ends detect that a physical link is activated,
generally, the carrier signal is detected on the link, and the devices enter the Link
Establishment phase.
If a link is in the Link Dead phase, the LCP status is Initial or Starting. After the link becomes
available, the LCP status changes.


After a link is torn down, the link returns to the Link Dead phase. In real-world situations,
this state does not last long and is only used to detect the existence of a peer device.
l Link Establishment phase
The Link Establishment phase is the most complex PPP phase.
The two devices on both ends of a PPP link exchange packets, which do not include network
layer protocol parameters. Both devices enter the Authentication or Network-Layer
Protocol phase.
In the Link Establishment phase, the LCP state machine changes twice:
– If the link is Up, the physical layer sends an Up event in a packet to the data link layer.
The data link layer changes the LCP status to Request-Sent. LCP then sends Configure-
Request packets to configure a data link.
– After one end receives the Configure-Ack packet, the LCP status changes to Opened.
The link enters the next phase.
Note that the link configurations on both ends are mutually independent. In the Link
Establishment phase, devices discard non-LCP packets.
l Authentication phase
Authentication is performed before devices on both ends enter the Network-Layer Protocol
phase.
PPP authentication is disabled by default. To enable authentication, specify an
authentication protocol in the Link Establishment phase.
PPP authentication is used on the following two types of links:
– Non-leased lines between hosts and devices
– Leased lines
PPP provides the following two authentication modes:
– PAP: Password Authentication Protocol
– CHAP: Challenge-Handshake Authentication Protocol
The authentication mode used is determined based on negotiation performed during the
Link Establishment phase. Link quality detection is also performed in the Link
Establishment phase. According to the PPP protocol, detection delays the authentication
process within a specified period of time.
The link control protocol, authentication protocol, and quality detection packets are
supported in the Authentication phase. The packets of other types are discarded. If a device
receives a Configure-Request packet in the Authentication phase, the link restores the Link
Establishment phase.
l Network-Layer Protocol phase
Network protocols, such as IP, IPX, and AppleTalk, are negotiated using NCPs, which can
be enabled or disabled during any phase. After an NCP state machine turns to Opened, PPP
links can transmit network layer packets.
If a device receives a Configure-Request packet in the Network-Layer Protocol phase, the
device and its peer device enter the Link Establishment phase.
l Termination phase
PPP can terminate links at any time. In addition, a network administrator can manually
disconnect links. Carrier connection loss, authentication failures, or link-quality detection
failures can cause link disconnections. When devices exchange LCP Terminate frames


during the Link Establishment phase, the link in question is torn down. Therefore, NCP
does not need to close a PPP link.
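As an added illustration of the phase transitions in Figure 8-71 and the phase descriptions above (example code written for this explanation, not the NGFW's implementation), the following Python model tracks one link end's phase, LCP state and NCP state, including the rule that a Configure-Request received in the Authentication or Network-Layer Protocol phase restores the Link Establishment phase. Event names follow the figure; the class and method names are this example's own.

```python
from enum import Enum


class Phase(Enum):
    """The five PPP phases of Figure 8-71."""
    DEAD = "Dead"
    ESTABLISH = "Establish"
    AUTHENTICATE = "Authenticate"
    NETWORK = "Network"
    TERMINATE = "Terminate"


# Phase transitions as drawn in Figure 8-71: (current phase, event) -> next phase.
TRANSITIONS = {
    (Phase.DEAD, "UP"): Phase.ESTABLISH,
    (Phase.ESTABLISH, "OPENED"): Phase.AUTHENTICATE,
    (Phase.ESTABLISH, "FAIL"): Phase.TERMINATE,
    (Phase.AUTHENTICATE, "SUCCESS/NONE"): Phase.NETWORK,
    (Phase.AUTHENTICATE, "FAIL"): Phase.TERMINATE,
    (Phase.NETWORK, "CLOSING"): Phase.TERMINATE,
    (Phase.TERMINATE, "DOWN"): Phase.DEAD,
}


class PppLink:
    """One end of a PPP link: phase plus the LCP and NCP states named in the text (hypothetical model)."""

    def __init__(self, auth_mode=None):
        self.auth_mode = auth_mode      # None (the default: no authentication), "pap" or "chap"
        self.phase = Phase.DEAD
        self.lcp_state = "Initial"
        self.ncp_state = "Initial"
        self.trace = [Phase.DEAD]       # phases visited, in order

    def _event(self, name):
        nxt = TRANSITIONS.get((self.phase, name))
        if nxt is None:
            raise ValueError(f"event {name} is not valid in the {self.phase.value} phase")
        self.phase = nxt
        self.trace.append(nxt)

    def carrier_detected(self):
        """Physical layer Up event: Dead -> Establish; LCP sends Configure-Request (Request-Sent)."""
        self._event("UP")
        self.lcp_state = "Request-Sent"

    def configure_ack_received(self):
        """Configure-Ack received: LCP is Opened. With no authentication configured the
        NONE event moves straight on to the Network phase."""
        self._event("OPENED")
        self.lcp_state = "Opened"
        if self.auth_mode is None:
            self._enter_network()

    def lcp_negotiation_failed(self):
        self._event("FAIL")
        self.lcp_state = "Down"

    def authentication_result(self, success):
        """PAP or CHAP outcome: success -> Network phase; failure -> Terminate, LCP Down."""
        if self.auth_mode is None:
            raise ValueError("no authentication mode was negotiated on this link")
        if success:
            self._enter_network()
        else:
            self._event("FAIL")
            self.lcp_state = "Down"

    def _enter_network(self):
        self._event("SUCCESS/NONE")
        self.ncp_state = "Starting"     # LCP stays Opened, NCP goes Initial -> Starting

    def ncp_opened(self):
        """IPCP (or another NCP) negotiated: network-layer packets may now be carried."""
        if self.phase is not Phase.NETWORK:
            raise ValueError("an NCP can only open in the Network phase")
        self.ncp_state = "Opened"

    def configure_request_received(self):
        """A Configure-Request in the Authenticate or Network phase restores Link Establishment."""
        if self.phase not in (Phase.AUTHENTICATE, Phase.NETWORK):
            raise ValueError("Configure-Request is only handled here in Authenticate/Network")
        self.phase = Phase.ESTABLISH
        self.trace.append(Phase.ESTABLISH)
        self.lcp_state = "Request-Sent"
        self.ncp_state = "Initial"

    def close(self):
        """LCP Terminate frame or administrative shutdown: CLOSING moves Network -> Terminate."""
        self._event("CLOSING")
        self.lcp_state = "Down"
        self.ncp_state = "Initial"

    def carrier_lost(self):
        """DOWN event: Terminate -> Dead once the carrier is gone."""
        self._event("DOWN")
        self.lcp_state = "Initial"

    def can_carry_ip(self):
        return self.phase is Phase.NETWORK and self.ncp_state == "Opened"
```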

PAP
PAP supports two-way handshake authentication and simple passwords. The authentication
process is performed in the Link Establishment phase.

After the Link Establishment phase is complete, the user name and password of a supplicant are
repeatedly sent to the authenticator until authentication is successful or the link is ended.

PAP is the appropriate option when a password transmitted in plain text must be used, for
example to simulate logging in to a remote host.

Figure 8-72 shows the PAP authentication process.

Figure 8-72 PAP authentication process

[Figure 8-72 is a message sequence between the authenticated end (supplicant) and the authenticator:]
Authenticate-Request (supplicant to authenticator): "My user name and password are ..."
Authenticate-Ack (authenticator to supplicant): "I found your name and password in my user list. Authentication succeeded!"
Authenticate-Nak (authenticator to supplicant): "Sorry, your user name and password are wrong. Authentication failed!"

The PAP authentication process is as follows:

1. The supplicant sends the local user name and password to the authenticator.
2. The authenticator checks the user list for the user name and whether the password is correct
and returns an appropriate response.


PAP is not a secure protocol. Simple passwords are sent over links in plain text. After a PPP link is
established, the supplicant repeatedly sends the user name and password until authentication is
complete, which could leave the system vulnerable to malicious attacks.

CHAP
CHAP is a three-way handshake authentication protocol. CHAP authentication only allows user
names to be transmitted over a network. Compared with PAP, CHAP provides higher security
because passwords are not transmitted.

CHAP authentication is generally performed before the link is set up. However, it can be
performed at any time using CHAP negotiation packets.

After the Link Establishment phase ends, an authenticator sends a Challenge packet to a
supplicant. After performing the "one-way hash" algorithm, the supplicant returns a calculated
value to the authenticator.

The authenticator compares the value it itself has calculated using the hash algorithm with the
value provided by the supplicant. If the two values match, authentication is successful. If the
values do not match, the authentication fails, and the link is torn down.

Figure 8-73 shows the CHAP authentication process.

Figure 8-73 CHAP authentication process

[Figure 8-73 is a message sequence between the authenticated end (supplicant) and the authenticator:]
Challenge (authenticator to supplicant): "My user name (optional) and Challenge packet are ..."
Response (supplicant to authenticator): "My user name and encrypted packet are ..."
Success (authenticator to supplicant): authentication succeeds and a Success packet is returned
Failure (authenticator to supplicant): authentication fails and a Failure packet is returned


CHAP authentication is performed in either of the following modes:

l Unidirectional: One end acts as the authenticator, while the other end acts as a supplicant.
l Bidirectional: Two ends act as both the authenticator and supplicant.

Unidirectional authentication is usually used.

There are two possible scenarios for unidirectional CHAP authentication: the authenticator is
configured with a user name and the authenticator is not configured with a user name.
Configuring a user name for the authenticator is recommended for improved connection security.

l When the authenticator is configured with a user name, the authentication process is as
follows:
1. The authenticator sends a randomly generated Challenge packet and the host name to
the supplicant.
2. The supplicant searches for the local password in the local user list according to the
user name of the authenticator. Based on the found password and the Challenge packet,
a supplicant obtains a value calculated using the message digest algorithm 5 (MD5)
algorithm. The supplicant then sends its host name and the calculated value in a
response packet to the authenticator.
3. After receiving the response packet, the authenticator searches for the supplicant's
password in the local user list based on the supplicant's host name.
l When the authenticator is not configured with a user name, the authentication process is as
follows:
1. The authenticator sends the Challenge packet to a supplicant.
2. The supplicant uses the message digest algorithm 5 (MD5) algorithm to calculate a
value based on the local password and the Challenge packet. The supplicant then sends
its host name and the calculated value in a response packet to the authenticator.
3. The authenticator searches for the supplicant's password in the local user list based on
the supplicant's host name.
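As an added example, not code from this guide or from the NGFW, the following Python shows the PAP exchange of Figure 8-72 beside the two unidirectional CHAP scenarios of Figure 8-73 (authenticator with and without a configured user name), so that the difference in what reaches the wire is visible. Both user lists are constructed for the example; the CHAP value is computed as RFC 1994 specifies for CHAP with MD5 (MD5 over the identifier, the secret and the challenge value), while the PAP field layout follows RFC 1334 and all function names are this example's own.

```python
import hashlib
import hmac
import os

# Constructed sample user lists (not from the guide).
AUTHENTICATOR_USERS = {"ngfw-branch": b"s3cret-pass"}   # local user list on the authenticator
SUPPLICANT_USERS = {"ngfw-hq": b"s3cret-pass"}          # supplicant's list, keyed by the authenticator's name


def pap_authenticate_request(peer_id, password):
    """PAP Authenticate-Request body (RFC 1334): the password itself travels in clear text."""
    return bytes([len(peer_id)]) + peer_id + bytes([len(password)]) + password


def pap_check(packet, user_list):
    """Authenticator side of Figure 8-72: parse the request and look the user name up."""
    id_len = packet[0]
    peer_id = packet[1:1 + id_len]
    pw_len = packet[1 + id_len]
    password = packet[2 + id_len:2 + id_len + pw_len]
    expected = user_list.get(peer_id.decode())
    return expected is not None and hmac.compare_digest(expected, password)


def chap_md5_value(identifier, secret, challenge):
    """RFC 1994 CHAP-MD5 Response Value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_challenge(identifier, authenticator_name):
    """Authenticator sends a fresh random Challenge value, plus its host name only if one is configured."""
    return identifier, os.urandom(16), authenticator_name


def chap_response(identifier, challenge, authenticator_name, local_name, local_password):
    """Supplicant side. If the Challenge carries the authenticator's name, the password is looked
    up in the local user list by that name (first scenario in the text); otherwise the locally
    configured CHAP password is used (second scenario)."""
    if authenticator_name is not None:
        secret = SUPPLICANT_USERS[authenticator_name.decode()]
    else:
        secret = local_password
    # The Response carries only the host name and the MD5 value; the password never leaves the device.
    return local_name, chap_md5_value(identifier, secret, challenge)


def chap_verify(identifier, challenge, peer_name, value, user_list):
    """Authenticator recomputes the value from the password stored for peer_name and compares."""
    secret = user_list.get(peer_name.decode())
    if secret is None:
        return False
    return hmac.compare_digest(chap_md5_value(identifier, secret, challenge), value)


def run_chap(peer_name, peer_password, authenticator_name=b"ngfw-hq", identifier=7):
    """One unidirectional CHAP exchange; returns (authenticated, bytes the Response put on the wire)."""
    ident, challenge, auth_name = chap_challenge(identifier, authenticator_name)
    name, value = chap_response(ident, challenge, auth_name, peer_name, peer_password)
    return chap_verify(ident, challenge, name, value, AUTHENTICATOR_USERS), name + value
```

With an authenticator name present the supplicant ignores its own CHAP password and uses the list entry for that name, which is why the text recommends configuring one only when both ends hold the same password.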

8.7.3 Configuring PPP


PPP provides communications on point-to-point links and supports PAP and CHAP
authentication.

8.7.3.1 Encapsulating the Interface with PPP


This section describes how to encapsulate the interface with PPP. You can configure PPP to use
PPP encapsulation to transmit packets over a point-to-point link at the data link layer.

Procedure
Step 1 Display the system view.
system-view

Step 2 Display the interface view.


interface interface-type interface-number


Only the dialer interface supports PPP.

Step 3 Configure PPP as a data link layer protocol.


link-protocol ppp

By default, PPP is used as a data link layer protocol of dialer interfaces.

----End

8.7.3.2 Configuring PAP Authentication


This section describes how to configure Password Authentication Protocol (PAP) authentication.
PAP uses simple passwords.

Prerequisites
An NGFW functions as an authenticator and uses PAP to authenticate its peer. PAP authentication
is performed locally on the authenticator or on a remote authentication server. To implement
PAP authentication, configure user accounts and the authentication mode. If remote
authentication is used, configure an authentication server as well. For more information about
PAP authentication, see Users and Authentication.

Context
PAP uses simple passwords and is the least secure authentication protocol. After a PPP link is
established, the device to be authenticated repeatedly sends a user name and a password until
authentication is complete. During PAP authentication, the transmitted user name and password
are susceptible to interception.

By default, PPP packets are not authenticated.

Procedure
l Configure an authenticator to authenticate the peer end in PAP mode.
1. Display the system view.
system-view

2. Display the interface view.


interface interface-type interface-number

3. Configure the local end to authenticate its peer end in PAP mode.
ppp authentication-mode [ chap ] pap

The ppp authentication-mode chap pap command enables CHAP negotiation to


take precedence over PAP negotiation during LCP negotiation. If the authenticator
supports neither of these two modes, negotiation fails.
l Configure the peer end to perform PAP authentication.
1. Display the system view.
system-view

2. Display the interface view.


interface interface-type interface-number

3. Enable the local end to be authenticated by the peer end in PAP mode and send a PAP
user name and a password.


ppp pap local-user user-name password cipher password

8.7.3.3 Configuring CHAP Authentication


This section describes how to configure Challenge Handshake Authentication Protocol (CHAP)
authentication. CHAP is a three-way handshake authentication protocol.

Prerequisites
An NGFW functioning as an authenticator supports local and remote authentication. If local
authentication is used, you must configure a user account and an authentication mode. If remote
authentication is used, you must also configure an authentication server. For more information,
see Users and Authentication.

If the NGFW is a supplicant, you must configure a user name, authentication mode, and an
authentication server if a user name is configured on the authenticator. For more information,
see Users and Authentication.

Context
Devices enabled with CHAP authentication only transmit user names over a network. CHAP
supports higher security than the Password Authentication Protocol (PAP) because passwords
are not transmitted.

By default, Point-to-Point Protocol (PPP) packets are not authenticated using CHAP.

Procedure
l Configure an authenticator to use CHAP to authenticate the peer end when the user name
is specified.
NOTE
When an authenticator sets a user name, the authenticator must set the same password as
the authenticated end.
– Configure an NGFW that authenticates a peer end.
1. Display the system view.
system-view

2. Display the interface view.


interface interface-type interface-number

3. Configure a local end to use CHAP to authenticate the peer end.


ppp authentication-mode chap [ pap ]

The ppp authentication-mode chap pap command enables CHAP negotiation to


take precedence over PAP negotiation during Link Control Protocol (LCP)
negotiation. If the authenticator does not support CHAP or PAP, LCP negotiation
between the two devices fails.
4. Specify a local user name.
ppp chap user user-name

– Configure an NGFW that is authenticated by the local NGFW.


1. Display the system view.
system-view


2. Display the interface view.


interface interface-type interface-number

3. Specify a local user name.


ppp chap user user-name

l Configure the authenticator to authenticate the peer end in CHAP mode if the user name
is not specified.
During authentication, the authenticator searches locally configured AAA user names. If
the user name and password configured on the peer interface match those on the local end,
authentication succeeds.
– Configure an NGFW that authenticates a peer end.
1. Display the system view.
system-view

2. Display the interface view.


interface interface-type interface-number

3. Configure a local end to use CHAP to authenticate the peer end.


ppp authentication-mode chap [ pap ]

The ppp authentication-mode chap pap command enables CHAP negotiation to


take precedence over PAP negotiation during LCP negotiation. If the authenticator
does not support CHAP or PAP, LCP negotiation between the two devices fails.
– Configure an NGFW that is authenticated by the local NGFW.
1. Display the system view.
system-view

2. Display the interface view.


interface interface-type interface-number

3. Specify a local user name.


ppp chap user user-name

4. Set a password for the peer end to use CHAP to authenticate the local end.
ppp chap password cipher password

8.7.3.4 Setting PPP Negotiation Parameters


PPP negotiation parameters are available, including the negotiation timeout period, IP address
negotiation, DNS server address negotiation, and WINS server address negotiation.

Context
l Negotiation timeout period: If no response is received from the peer end within a specified
interval during PPP negotiation, PPP resends a negotiation request.
l IP address negotiation: implemented in two modes based on device roles:
– Client: When PPP is enabled on an interface, the interface IP address is not specified,
and the IP address of the peer end is specified, you can configure the IP address
negotiation function for the local interface. The local interface is assigned an IP address
by the peer end during PPP negotiation. The configuration is applicable when an
NGFW accesses the Internet through an ISP network and obtains an IP address assigned
by the ISP.


– Server: Before a server assigns an IP address to a peer device, you must configure a
local IP address pool in the authentication domain view, specify the range of IP
addresses in the address pool, and determine the address pool used by an interface in
the interface view.
l DNS server address negotiation: You can implement both DNS server address negotiation
and PPP address negotiation on an NGFW simultaneously. The NGFW can be configured
with a DNS server address assigned by or provided for the peer end.

A network access server (NAS) can allocate IP addresses to PPP users through PPP address
negotiation. The address allocation rules are as follows:

l For the user not to be authenticated:


– If the interface is configured with an IP address to be allocated to the peer, the NAS
allocates the address to the peer directly.
– If the interface is configured with an IP address in the address pool, the NAS allocates
the address in the global address pool to the peer.
l For the default domain user passing the authentication process (The default user name has
two types: the name excluding @, such as "aaa" and the name including @, such as
"aaa@default"):
– If the server has delivered an IP address, the NAS directly allocates this address to the
peer.
– If the server has delivered an IP address pool ID, the NAS allocates the address in the
global or domain address pool to the peer.
– If the server has not delivered an address pool ID but the interface has an IP address
pool, the NAS allocates the address in this global address pool to the peer. If the interface
is configured with an IP address pool, the NAS allocates the address in the address pool
to the peer.
l For the authenticated common domain user:
– If the server has delivered an IP address, the NAS directly allocates this address to the
peer.
– If the server has delivered an IP address pool ID, the NAS allocates the address in the
domain address pool to the peer.
– If the server has not delivered either an IP address or address pool ID, the NAS traverses
from the first address pool in the domain to search for an available IP address.
NOTE

In the above three cases, both the global address pool and domain address pool are traversed for one time.
If all the addresses in the specified global address pool or the domain address pool are used, the NAS no
longer traverses the address pool for an available IP address and directly returns an invalid IP address
0.0.0.0.
The following addresses cannot be configured as valid start or end addresses of an address pool:
l Class A addresses X.255.255.255 and X.0.0.0
l Class B addresses X.X.255.255 and X.X.0.0
l Class C addresses X.X.X.255 and X.X.X.0
If the address pool contains these addresses, the addresses cannot be allocated.


Procedure
l Set the negotiation timeout.
1. Access the system view.
system-view

2. Access the interface view.


interface interface-type interface-number

3. Set the negotiation timeout period.


ppp timer negotiate seconds

By default, the PPP negotiation timeout period is 3 seconds.


l Set the negotiation IP address.
– When the device serves as the server, perform the following steps:
1. Access the system view.
system-view

2. Select either of the following methods to assign an IP address to the peer device.
– Configure a global IP address pool to assign IP addresses to PPP users.
a. Access the AAA view.
aaa

b. Access the default authentication domain view.


domain default

c. Define the global IP address pool.


ip pool pool-number low-ip-address [ high-ip-address ]

d. Return to the AAA view.


quit

e. Return to the system view.


quit

f. Access the interface view.


interface interface-type interface-number

g. Prevent the client from using its own IP address when the server is
configured to assign an IP address to it.
ppp ipcp remote-address forced

h. Specify the IP address pool that is used when IP addresses are assigned to
users.
remote address pool [ pool-number ]

If pool-number is not specified, global IP address pool 0 is used by default.


– Configure a domain IP address pool to assign IP addresses to PPP users.
a. Access the AAA view.
aaa

b. Access the authentication domain view.


domain domain-name

c. Define the domain IP address pool.


ip pool pool-number low-ip-address [ high-ip-address ]

d. Return to the AAA view.


quit

e. Return to the system view.


quit

f. Access the interface view.


interface interface-type interface-number

g. Prevent the client from using its own IP address when the server is configured
to assign an IP address to it.
ppp ipcp remote-address forced

h. Specify the IP address pool that is used when IP addresses are assigned to
users.
remote address pool [ pool-number ]

If pool-number is not specified, domain IP address pool 0 is used by


default.
– Specify an IP address for the peer end.
a. Access the interface view.
interface interface-type interface-number

b. Assign an IP address to the peer end.


remote address ip-address

– When the device serves as the client, perform the following steps:
1. Access the system view.
system-view

2. Access the interface view.


interface interface-type interface-number

3. Specify the IP address negotiation function of the interface.


ip address ppp-negotiate

l Set the negotiation DNS server address.


– When the device serves as the server, perform the following steps:
1. Access the system view.
system-view

2. Access the interface view.


interface interface-type interface-number

3. Specify the IP address of the DNS server for the peer end.
ppp ipcp dns primary-dns-address [ secondary-dns-address ]

By default, the NGFW does not provide the DNS server address for the peer end.
– When the device serves as the client, perform the following steps:
1. Access the system view.
system-view

2. Access the interface view.


interface interface-type interface-number

3. Configure the local end to request the peer end for the IP address of the DNS server.
ppp ipcp dns request

4. Enable the device to use any DNS server address proposed by the peer end.
ppp ipcp dns admit-any


By default, the DNS server address proposed by the peer end is not accepted.
l Set the negotiation WINS server address.
1. Access the system view.
system-view

2. Access the interface view.


interface interface-type interface-number

3. Enable the device to use any WINS server address proposed by the peer end.
ppp ipcp nbns request

By default, the device does not request the IP address of the WINS server from
the peer end.

8.7.3.5 Configuring the Polling Interval


Link-layer protocols, such as PPP, use the polling timer to check whether the link status is normal.

Context
If the network delay is long or congestion is serious, you can lengthen the polling interval to
reduce network flapping.

During the settings of polling intervals, ensure that the settings on both ends are identical.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the interface view.


interface interface-type interface-number

Step 3 Set the polling interval.


timer hold seconds

----End

8.7.3.6 Preventing the Peer Host Route from Being Added to the Local Routing
Table as a Direct Route
You can decide whether a peer host route is added to the local routing table as a direct route.

Context
A PPP link does not strictly require that the peer and local routes exist on the same network
segment. Two ends of the PPP link on different network segments can communicate. In addition,
the peer host route on a different network segment is automatically added to local routing table
of direct routes.

However, when one end is configured with an incorrect IP address, the other end automatically
adds the incorrect peer host route to the local routing table of direct routes. As a result, the
incorrect routing information is advertised across the network.


Procedure
Step 1 Access the system view.
system-view

Step 2 Access the interface view.


interface interface-type interface-number

Step 3 Prevent the peer host route from being added to the local routing table as a direct route.
ppp peer hostroute-suppress

NOTE

The local routing table does not contain the peer host route as a direct route after the ppp peer hostroute-
suppress command is performed.

----End

8.7.4 Maintaining PPP


After configuring PPP, you can run the display command to view the configuration. You can
also enable the debugging function if necessary.

8.7.4.1 Displaying the PPP Configuration


After configuring PPP, you can run the display command to view the configuration.

You can display the PPP configuration by running the command listed in Table 8-108 in any view.

Table 8-108 Displaying the PPP configuration

Action: Display the specified VT status.
Command: display interface virtual-template [ number ] [ | { begin | exclude | include } regular-expression ]

8.7.4.2 Debugging PPP


If PPP running faults occur, you can run the debugging commands in the user view to debug
PPP, view the debugging information, and locate and analyze faults.

Before enabling the debugging, you must run the terminal monitor command in the user view
to enable the terminal information display function and the terminal debugging command in the
user view to enable the terminal debugging information display function.

NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.

For the description of the debugging commands, see Debugging Reference.

Table 8-109 lists the commands to debug PPP information.

Table 8-109 Debugging PPP

Action: Enable the debugging of all PPP information.
Command: debugging ppp all [ verbose ] [ interface interface-type interface-number ]

Action: Enable the debugging of PPP control protocols.
Command: debugging ppp { ccp | chap | ipcp | lcp | mplscp | osicp | pap } { all | error | event | packet [ verbose ] | state } [ interface interface-type interface-number ]

Action: Enable the debugging of PPP EAP packets.
Command: debugging ppp eap { all | error | event | packet | state }

Action: Enable the debugging of PPP packets.
Command: debugging ppp { ip | lqc | mpls-multicast | mpls-unicast | osi-npdu | scp | vjcomp } packet [ verbose ] [ interface interface-type interface-number ]

Action: Enable the debugging of PPP core events.
Command: debugging ppp core event [ interface interface-type interface-number ]

8.7.5 Feature Reference


This section provides PPP references.

8.7.5.1 Feature History


This section describes the versions and changes in the Point-to-Point Protocol (PPP) feature.

Version: V100R001C00
Change Description: The first version.

8.7.5.2 Reference Standards and Protocols


This section provides PPP standards and protocols.

PPP standards and protocols are as follows:

RFC 1661: The Point-to-Point Protocol (PPP)

8.8 PPPoE
This section describes Point-to-Point Protocol over Ethernet (PPPoE) concepts and how to
configure PPPoE, as well as provides configuration examples.

8.8.1 Overview
PPPoE describes the method used to set up PPPoE sessions and encapsulate Point-to-Point
Protocol (PPP) datagram over the Ethernet. These functions require a point-to-point (P2P)
relationship between the peers instead of the multi-point relationships that are available in the
Ethernet and other multi-access environments.

Definition
PPP provides a standard method for transporting multi-protocol datagrams over point-to-point
links. Although PPP is widely used, it does not apply to an Ethernet. Therefore, the PPPoE
technology was introduced. PPPoE is an extension to PPP and applies PPP to an Ethernet.

PPPoE connects a network of Ethernet hosts to a remote access device to gain access to the
Internet. PPPoE allows you to perform access control and accounting on a per-host basis. PPPoE
is widely used because it is highly cost-effective. A common application scenario for PPPoE is
constructing a network in a residential area.

Purpose
PPPoE performs the following functions when multiple users access a server using PPP links:

l Provides cost-effective access services for users and requires few or no configuration
changes. An Ethernet is the most cost-effective networking mode.
l Allows a service provider to connect multiple hosts at a remote site to the same access
server and supports access control and accounting functions in a way similar to dial-up
services using PPP.

PPPoE enables a bridged access server to connect multiple hosts on a network to a remote access
server.

NOTE

An NGFW currently supports IPv4 PPPoE server and client functions and the IPv6 PPPoE client function.

8.8.2 Mechanism
This section describes the Point-to-Point Protocol over Ethernet (PPPoE) mechanism.

PPPoE works in the client/server mode. PPPoE provides point-to-point connectivity over
Ethernet networks by encapsulating PPP packets in Ethernet frames.

Figure 8-74 shows the process for establishing an IPv4 PPPoE connection.

Figure 8-74 Process for establishing an IPv4 PPPoE connection
[Figure: between the PPPoE client and the PPPoE server, the Discovery phase exchanges PADI, PADO, PADR, and PADS packets; the Session phase then carries PPP negotiation.]

Discovery Phase
After the Discovery phase is complete, both ends of a connection obtain the PPPoE Session_ID
and peer Ethernet address. The PPPoE Session_ID and peer Ethernet address together define a
unique PPPoE session.

The Discovery phase consists of the following steps:

1. A host broadcasts a PPPoE Active Discovery Initial (PADI) packet within a local Ethernet.
This packet contains service information required by the host.
NOTE

A PPPoE server checks service names as follows:

l If a PPPoE server is configured with a service name, a PPPoE client sends a PADI packet at the
Discovery phase to the server to request a connection.
l If this PADI packet contains a non-null service name, the server checks whether the configured
service name matches the service name in this packet. If the service names match, the server
provides follow-up services. If the service names do not match, the server does not provide
services.
The preceding check applies only when both service names are non-null. If either service name
is null, the server does not compare the service names and proceeds with packet processing.
2. After receiving this PADI packet, the servers on the Ethernet compare the requested
services with the services they can provide. Any server that can provide the
requested services sends back a PPPoE Active Discovery Offer (PADO) packet.
3. Upon receipt, the host obtains information from the PADO packet and sends a PPPoE
Active Discovery Request (PADR) packet to the server.

4. The server generates a unique session identifier to identify a PPPoE session. Then, the
server sends this session identifier in a PPPoE Active Discovery Session-confirmation
(PADS) packet to the host.
Once the server has sent the PADS packet and the host has received it, both the server and the
host enter the PPPoE Session phase.
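The Discovery-phase exchange and the service-name check described above, as an added example that is not part of this guide or of Huawei's code: it parses and builds PPPoE discovery payloads (RFC 2516 header and tags), lets a server decide whether to answer a PADI with a PADO using the null-service-name rule from the NOTE, and builds a Session-phase payload that begins at the PPP Protocol ID. The code and tag values are the RFC 2516 constants; the PADI and the service names are constructed.

```python
"""PPPoE Discovery-phase handling (RFC 2516), added example only.
The PADI packets built at the bottom are constructed sample input."""
import struct
from typing import List, Optional, Tuple

# PPPoE codes and tag types are the RFC 2516 constants.
CODE_PADI = 0x09      # client broadcast, step 1
CODE_PADO = 0x07      # server offer, step 2
CODE_PADR = 0x19      # client request, step 3
CODE_PADS = 0x65      # server session confirmation, step 4
CODE_PADT = 0xA7      # either side terminates the session
CODE_SESSION = 0x00   # Session-phase payload

TAG_END_OF_LIST = 0x0000
TAG_SERVICE_NAME = 0x0101
TAG_AC_NAME = 0x0102
TAG_HOST_UNIQ = 0x0103

VER_TYPE = 0x11       # version 1, type 1 (the only values RFC 2516 defines)

Tag = Tuple[int, bytes]


def parse_pppoe(payload: bytes) -> Tuple[int, int, List[Tag]]:
    """Decode the PPPoE payload that follows the Ethernet header.

    Returns (code, session_id, tags). Every length field is checked so a
    truncated or oversized frame is rejected instead of being read past its end.
    """
    if len(payload) < 6:
        raise ValueError("short PPPoE header")
    ver_type, code, session_id, length = struct.unpack("!BBHH", payload[:6])
    if ver_type != VER_TYPE:
        raise ValueError("unsupported PPPoE version/type 0x%02x" % ver_type)
    body = payload[6:6 + length]
    if len(body) != length:
        raise ValueError("PPPoE length field exceeds frame")
    tags: List[Tag] = []
    off = 0
    while off + 4 <= len(body):
        tag_type, tag_len = struct.unpack("!HH", body[off:off + 4])
        off += 4
        if tag_type == TAG_END_OF_LIST:
            break
        if off + tag_len > len(body):
            raise ValueError("tag length overruns PPPoE payload")
        tags.append((tag_type, body[off:off + tag_len]))
        off += tag_len
    return code, session_id, tags


def build_pppoe(code: int, session_id: int, tags: List[Tag]) -> bytes:
    """Encode a discovery payload (6-byte header followed by TLV tags)."""
    body = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in tags)
    return struct.pack("!BBHH", VER_TYPE, code, session_id, len(body)) + body


def service_name_accepted(configured: Optional[str], requested: Optional[bytes]) -> bool:
    """The server check from the NOTE: if either side's service name is null
    (unset or empty) no comparison is made; otherwise the names must match."""
    if not configured or not requested:
        return True
    return requested == configured.encode()


def handle_padi(padi: bytes, configured_service: Optional[str], ac_name: str) -> Optional[bytes]:
    """Server side of step 2: return a PADO, or None to stay silent.

    A PADO carries an AC-Name tag and echoes the PADI's Service-Name and
    Host-Uniq tags so the client can match the offer to its own request.
    """
    code, session_id, tags = parse_pppoe(padi)
    if code != CODE_PADI or session_id != 0:   # discovery packets use session 0
        return None
    requested = next((v for t, v in tags if t == TAG_SERVICE_NAME), None)
    if not service_name_accepted(configured_service, requested):
        return None
    offered = requested if requested is not None else (configured_service or "").encode()
    reply: List[Tag] = [(TAG_AC_NAME, ac_name.encode()), (TAG_SERVICE_NAME, offered)]
    reply += [(t, v) for t, v in tags if t == TAG_HOST_UNIQ]
    return build_pppoe(CODE_PADO, 0, reply)


def build_session_payload(session_id: int, ppp_protocol: int, ppp_data: bytes) -> bytes:
    """Session phase: the PPPoE payload is the PPP packet starting at its Protocol
    ID (for example 0xC021 for LCP), carrying the Session_ID learned from PADS."""
    ppp = struct.pack("!H", ppp_protocol) + ppp_data
    return struct.pack("!BBHH", VER_TYPE, CODE_SESSION, session_id, len(ppp)) + ppp


if __name__ == "__main__":
    # Constructed PADI asking for service "isp-a" with a Host-Uniq cookie.
    padi = build_pppoe(CODE_PADI, 0, [(TAG_SERVICE_NAME, b"isp-a"), (TAG_HOST_UNIQ, b"\x01\x02")])
    print("matching service  ->", handle_padi(padi, "isp-a", "NGFW_B") is not None)
    print("different service ->", handle_padi(padi, "isp-b", "NGFW_B") is not None)
    print("server name unset ->", handle_padi(padi, None, "NGFW_B") is not None)
```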

Session Phase
The host encapsulates a PPP packet as the payload of a PPPoE frame inside an Ethernet frame
before sending the Ethernet frame to its peer. The Ethernet frame carries the Session_ID
determined in the Discovery phase and the peer MAC address. The PPP packet section in the frame
begins at the Protocol ID. The Ethernet frame is sent as a unicast frame.

In the Session phase, either the host or server may send PPPoE Active Discovery Terminate
(PADT) packets to instruct the other to end this session.

8.8.3 Configuring the IPv4 PPPoE Server


This section describes the basic configurations of an IPv4 PPPoE server.

8.8.3.1 Configuring a PPPoE Server


This section describes how to configure an IPv4 PPPoE server.

Prerequisites
PPPoE authentication works in either local or remote mode. You must configure a user account
and an authentication mode to implement authentication. If remote authentication is used, you
must also configure an authentication server. For more information, see Users and
Authentication.

A PPPoE server uses address pools to allocate IP addresses to many clients. The ip pool
command creates an address pool.

Context
You can use PPPoE to allow many hosts on a single Ethernet to connect to a peer server and
create PPPoE sessions to implement access control and the accounting.

NOTICE
An NGFW can serve both as a PPPoE server to provide local access services and as a Layer 2
Tunneling Protocol (L2TP) access concentrator (LAC) to provide remote dial-up services. After
the PPPoE server is started and the LAC configuration is applied on the NGFW, the L2TP
configuration takes precedence over the PPPoE server configuration. For example, if a user name
is set to user123 in both the L2TP and PPPoE configurations, the NGFW initiates a dial-up using
the user name user123 and performs L2TP authentication, not PPPoE authentication.

Procedure
Step 1 Configure a Virtual-Template (VT) interface.
A PPPoE server communicates with its clients using a VT interface. If no IP address is specified
on a client, the PPPoE server allocates an IP address to the client. The IP address to be allocated
must be specified on the VT interface.
1. Display the system view.
system-view

2. Create a VT interface and display the VT interface view.


interface virtual-template number

3. Set an IP address.
ip address ip-address { mask | mask-length }

4. Optional: Enable local PPP authentication.


ppp authentication-mode { chap | eap | pap } *

By default, no authentication is performed.


NOTE
PAP is not a secure protocol, and CHAP is recommended.
5. Optional: Prevent the client from using its own IP address when the server is configured
to assign an IP address to it.
ppp ipcp remote-address forced

By default, the peer is allowed to use its own IP address.


6. Optional: Specify the IP address pool that is used when IP addresses are assigned to users.
remote address { ip-address | pool [ pool-name ] }

7. Optional: Set an IP address of the DNS server for the peer end.
ppp ipcp dns primary-dns-address [ secondary-dns-address ]

By default, no IP address of a DNS server is configured.


8. Display the system view.
system-view

Step 2 Bind the VT interface to an Ethernet interface.


1. Display the Ethernet interface view.
interface interface-type interface-number

2. Bind a VT interface to the Ethernet interface.


pppoe-server bind virtual-template number

Step 3 Optional: Specify a PPPoE service name.


pppoe-server service-name service-name

The server name identifies a service type required by a client. If the server name is rejected by
the client, the client replies with service error information to the server. Upon receipt, the server
terminates the connection to the client.
l The interface must be bound to the VT interface before you configure the PPPoE server name
on the server interface.
l After specifying the PPPoE server name, restart the interface to allow the clients to be
reconnected.

----End

8.8.3.2 Configuring PPPoE Parameters


After the basic PPPoE functions are configured, you can set PPPoE parameters as required
to optimize links.

Context
After configuring PPPoE, configure PPPoE parameters as required to optimize links. The
configurations include:
l Log the PPPoE user status changes.
l Specify the maximum number of PPPoE sessions that can be set up using a local MAC
address.
l Specify the maximum number of PPPoE sessions that can be set up using a peer MAC
address.
l Specify the maximum number of PPPoE sessions that can be set up on the local system.

Procedure
l Log PPPoE user status changes.
1. Access the system view.
system-view

2. Specify the maximum number of sessions that can be created using a local MAC
address.
pppoe-server max-sessions local-mac number

l Set the maximum number of sessions that can be created using a local MAC address.
1. Access the system view.
system-view

2. Specify the maximum number of sessions that can be created using a local MAC
address.
pppoe-server max-sessions local-mac number

l Set the maximum number of sessions that can be created using a peer MAC address.
1. Access the system view.
system-view

2. Specify the maximum number of sessions that can be created using a peer MAC
address.
pppoe-server max-sessions remote-mac number

l Set the maximum number of sessions that can be created in the system.
1. Access the system view.
system-view

2. Specify the maximum number of sessions that can be created in the system.
pppoe-server max-sessions total number

----End

8.8.4 Configuring an IPv4 PPPoE Client


This section describes how to configure an IPv4 PPPoE client.

Context
Before establishing a PPPoE session, configure a dialer interface and its dialer bundle.

Each PPPoE session maps to a single dialer bundle, and each dialer bundle maps to a single
dialer interface. A PPPoE session can be created using a dialer interface.

Procedure
Step 1 Display the system view.
system-view

Step 2 Configure a dialer ACL for the dialer access group.


dialer-rule rule-number { ip { deny | permit } | acl acl-number }

Step 3 Create a dialer interface.


interface dialer number

Step 4 It is recommended that both PAP and CHAP user names and passwords be specified on the
client. Configure an authentication mode using either of the following methods:
l Configure PAP authentication.
Specify a PAP user name and a password.
ppp pap local-user user-name password cipher password

l Configure CHAP authentication.


– Specify a user name for the peer end to use CHAP to authenticate the local end.
ppp chap user user-name

– Set a password for the peer end to use CHAP to authenticate the local end.
ppp chap password cipher password

Step 5 Specify a dial-up user name.


dialer user username

The user name is a string of 1 to 32 characters.

Step 6 Enable the IP address negotiation function.


ip address ppp-negotiate

NOTE
The IP address negotiated by the device is a host IP address with a 32-bit mask. If the device needs to
communicate with other PPPoE clients, run the ip route-static command to manually configure a static
route to the network segment.

Step 7 Configure the dialer bundle.


dialer bundle bundle-number

Step 8 Configure a dialer group.


dialer-group group-number

NOTE
The same group-number value must be specified in the dialer-rule and dialer-group commands.

Step 9 Return to the system view.


quit

Step 10 Display the Ethernet interface view.

interface interface-type interface-number

Step 11 Create a PPPoE session and specify the dialer bundle for the session.
pppoe-client dial-bundle-number number [ no-hostuniq ] [ idle-timeout seconds
[ queue-length packets ] ] [ ipv4 | ipv6 ]

----End

8.8.5 Configuring an IPv6 PPPoE Client


This section describes how to configure an IPv6 PPPoE client.

Context
Before establishing a PPPoE session, configure a dialer interface and its dialer bundle.
Each PPPoE session maps to a single dialer bundle, and each dialer bundle maps to a single
dialer interface. A PPPoE session can be created using a dialer interface.
The way a dialer interface obtains an IPv6 address depends on the application scenario of an
IPv6 PPPoE client.

l When a device serves as a client that needs to access the Internet, the dialer interface can
obtain an IPv6 address using one of the following methods:
– Stateless address autoconfiguration
– DHCPv6
l When a device serves as a gateway, the device supports the following functions:
– (Optional) Obtains an IPv6 address using stateless address autoconfiguration.
– Obtains a prefix using DHCPv6-PD and assigns prefixes to intranet users.

Procedure
Step 1 Display the system view.
system-view

Step 2 Create a dialer interface and display the dialer interface view.
interface dialer number

Step 3 Configure an authentication mode. The server may use PAP or CHAP authentication.
Configuring both PAP and CHAP user names and passwords is recommended.
l Configure PAP authentication.
Specify a PAP user name and a password.
ppp pap local-user user-name password cipher password

l Configure CHAP authentication.


– Specify a CHAP user name.
ppp chap user user-name

– Set a CHAP password.


ppp chap password cipher password

Step 4 Specify a dial-up user name.


dialer user username

The user name is a string of 1 to 32 characters.

Step 5 Configure the device to automatically obtain an IPv6 address as follows:


l When the device serves as a client, perform the following steps:
– Enable stateless address autoconfiguration.
ipv6 address autoconfig

– Configure the DHCPv6 client to obtain an IPv6 address from the server.
dhcpv6 client ia-address [ ipv6-address ] [ rapid-commit | unicast-option ] *

l When the device serves as a gateway, perform the following steps:


1. Enable stateless address autoconfiguration.
ipv6 address autoconfig

2. Configure the DHCPv6 client to obtain an IPv6 prefix from the server.
dhcpv6 client ia-prefix prefix-name prefix-name [ prefix-address/prefix-length ] [ rapid-commit | unicast-option ] *

Step 6 Configure the dialer bundle.


dialer bundle bundle-number

Step 7 Return to the system view.


quit

Step 8 Display the Ethernet interface view.


interface GigabitEthernet interface-number

Step 9 Create a PPPoE session.


pppoe-client dial-bundle-number number [ no-hostuniq ] [ idle-timeout seconds
[ queue-length packets ] ]

----End

Follow-up Procedure
After the configurations are complete, the device obtains an IPv6 address or prefix.

l To view the obtained IPv6 address or prefix, run either of the following commands:
– display ipv6 auto-configuration prefix all: displays the IPv6 prefix and the derived
IPv6 address that the device uses stateless address autoconfiguration to obtain.
– display dhcpv6 client { all | interface interface-type interface-number }: displays the
IPv6 address that the device uses DHCPv6 to obtain.
l If the device serves as a gateway and uses DHCPv6-PD to obtain a prefix, the device uses
RA messages to assign prefixes to intranet users.
1. Run the display dhcpv6 client { all | interface interface-type interface-number }
command to view the IPv6 address obtained by the DHCPv6 client.
2. Run the undo ipv6 nd ra halt command in the interface view to enable RA
advertisement.
3. Run the ipv6 nd ra prefix { ipv6-address ipv6-prefix-length | [ prefix-name ] ipv6-prefix/ipv6-prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig ] [ off-link ]
command in the interface view to configure a prefix in an RA message.

8.8.6 Maintaining PPPoE


This section describes how to maintain PPPoE.

8.8.6.1 Displaying the PPPoE Configuration


After configuring PPPoE, you can run the display commands to view the configurations.
In any view, you can check the PPPoE configuration by running the commands listed in Table
8-110.

Table 8-110 Displaying the PPPoE configuration

Action: Display information about all PPPoE sessions.
Command: display pppoe-server session { all | packet | statistic interface interface-type interface-number }

Action: Display statistics about PPPoE session packets.
Command: display pppoe-client session packet [ dial-bundle-number dial-bundle-number ]

Action: Display brief information about PPPoE session packets.
Command: display pppoe-client session summary [ dial-bundle-number dial-bundle-number ]

8.8.6.2 Debugging PPPoE


If PPPoE running faults occur, you can run the debugging commands in the user view to debug
PPPoE, view the debugging information, and locate and analyze the faults.
Before enabling the debugging, you must run the terminal monitor command in the user view
to enable the terminal information display function, and the terminal debugging command in the
user view to enable the terminal debugging information display function.

NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.

For the description of the debugging commands, see Debugging Reference.


Table 8-111 lists the commands to debug PPPoE.

Table 8-111 Debugging PPPoE

Action: Enable the debugging of all PPPoE client information.
Command: debugging pppoe-client all [ interface interface-type interface-number ]

Action: Enable the debugging of a PPPoE client.
Command: debugging pppoe-client [ data | error | event | packet | verbose ] [ interface interface-type interface-number ]

Action: Enable the debugging of all PPPoE server information.
Command: debugging pppoe-server all [ interface interface-type interface-number ]

Action: Enable the debugging of a PPPoE server.
Command: debugging pppoe-server [ data | error | event | packet ] [ interface interface-type interface-number ]

8.8.6.3 Clearing Statistics About PPPoE Sessions


This section describes how to clear statistics about PPPoE sessions on a specified interface.

NOTICE
Cleared PPPoE statistics cannot be recovered. Exercise caution when performing this operation.

You can run the command in Table 8-112 in the user view to clear PPPoE statistics.

Table 8-112 Clearing PPPoE statistics

Action: Clear statistics about PPPoE sessions on a specified interface.
Command: reset pppoe-server session statistic interface interface-type interface-number

8.8.6.4 Resetting a PPPoE Session


This section describes how to reset a PPPoE session.

You can run the command in Table 8-113 in the user view to reset a PPPoE session.

Table 8-113 Resetting a PPPoE session

Action: Reset a session on a PPPoE client and re-establish a session later.
Command: reset pppoe-client { all | dial-bundle-number number }

8.8.7 Configuration Examples


This section provides examples for configuring IPv4 and IPv6 PPPoE clients.

8.8.7.1 Example for Configuring IPv4 PPPoE


This section provides an example for configuring basic IPv4 PPPoE functions.

Networking Requirements
As shown in Figure 8-75, NGFW_A functions as a PPPoE client, and NGFW_B functions as a
PPPoE server. NGFW_B assigns an IP address to NGFW_A allowing PCs on networks A and
B to communicate.
NGFW_B (server) runs PAP to authenticate NGFW_A (client). The user name is set to usera,
and the password is set to Password1. NGFW_B assigns NGFW_A an IP address 10.2.0.2.

Figure 8-75 IPv4 PPPoE networking
[Figure: PC on Network A - NGFW_A (Trust zone: GE1/0/3 10.3.0.1/24; Untrust zone: GE1/0/1, PPPoE client) - NGFW_B (Untrust zone: GE1/0/1, PPPoE server; Trust zone: GE1/0/3 10.4.0.1/24) - PC on Network B.]

Procedure
Step 1 Configure NGFW_B.
# Configure interfaces and assign them to security zones.
<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_B-zone-untrust] quit
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.4.0.1 24
[NGFW_B-GigabitEthernet1/0/3] quit

[NGFW_B] firewall zone trust
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_B-zone-trust] quit

# Add a PPPoE user.


[NGFW_B] user-manage user usera
[NGFW_B-localuser-usera] password Password1
[NGFW_B-localuser-usera] quit

# Configure an IP address pool.


[NGFW_B] aaa
[NGFW_B-aaa] domain default
[NGFW_B-aaa-domain-default] ip pool 1 10.2.0.2

# Set VT interface parameters.

NOTE
PAP is not a secure protocol, and CHAP is recommended.
[NGFW_B] interface virtual-template 1
[NGFW_B-Virtual-Template1] ppp authentication-mode pap
The command is used to configure the PPP authentication mode on the local end.
Confirm that the peer end adopts the corresponding PPP authentication. Continue[Y/N]: y
[NGFW_B-Virtual-Template1] ip address 10.2.0.1 24
[NGFW_B-Virtual-Template1] remote address pool 1
[NGFW_B-Virtual-Template1] quit
[NGFW_B] firewall zone untrust
[NGFW_B-zone-untrust] add interface virtual-template 1
[NGFW_B-zone-untrust] quit

# Bind the VT interface to the physical interface.


[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] pppoe-server bind virtual-template 1
[NGFW_B-GigabitEthernet1/0/1] quit

# Configure security policies.


[NGFW_B] security-policy
[NGFW_B-policy-security] rule name policy_sec_1
[NGFW_B-policy-security-rule-policy_sec_1] source-zone trust
[NGFW_B-policy-security-rule-policy_sec_1] source-address 10.4.1.0 24
[NGFW_B-policy-security-rule-policy_sec_1] destination-zone untrust
[NGFW_B-policy-security-rule-policy_sec_1] destination-address 10.3.1.0 24
[NGFW_B-policy-security-rule-policy_sec_1] action permit
[NGFW_B-policy-security-rule-policy_sec_1] quit
[NGFW_B-policy-security] rule name policy_sec_2
[NGFW_B-policy-security-rule-policy_sec_2] source-zone untrust
[NGFW_B-policy-security-rule-policy_sec_2] source-address 10.3.1.0 24
[NGFW_B-policy-security-rule-policy_sec_2] destination-zone trust
[NGFW_B-policy-security-rule-policy_sec_2] destination-address 10.4.1.0 24
[NGFW_B-policy-security-rule-policy_sec_2] action permit
[NGFW_B-policy-security-rule-policy_sec_2] quit
[NGFW_B-policy-security] quit

# Configure a static route.


[NGFW_B] ip route-static 10.3.0.0 24 virtual-template 1

Step 2 Configure NGFW_A.

# Configure interfaces and assign them to security zones.


<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/3

[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 24
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_A-zone-trust] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-untrust] quit

# Configure PPPoE dial-up.


[NGFW_A] dialer-rule 1 ip permit
[NGFW_A] interface dialer 1
[NGFW_A-Dialer1] dialer user usera
[NGFW_A-Dialer1] dialer-group 1
[NGFW_A-Dialer1] dialer bundle 1
[NGFW_A-Dialer1] ip address ppp-negotiate
[NGFW_A-Dialer1] ppp pap local-user usera password cipher Password1
[NGFW_A-Dialer1] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface dialer 1
[NGFW_A-zone-untrust] quit

# Configure a PPPoE session.


[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] pppoe-client dial-bundle-number 1 ipv4

# Configure security policies.


[NGFW_A] security-policy
[NGFW_A-policy-security] rule name policy_sec_1
[NGFW_A-policy-security-rule-policy_sec_1] source-zone trust
[NGFW_A-policy-security-rule-policy_sec_1] source-address 10.3.1.0 24
[NGFW_A-policy-security-rule-policy_sec_1] destination-zone untrust
[NGFW_A-policy-security-rule-policy_sec_1] destination-address 10.4.1.0 24
[NGFW_A-policy-security-rule-policy_sec_1] action permit
[NGFW_A-policy-security-rule-policy_sec_1] quit
[NGFW_A-policy-security] rule name policy_sec_2
[NGFW_A-policy-security-rule-policy_sec_2] source-zone untrust
[NGFW_A-policy-security-rule-policy_sec_2] source-address 10.4.1.0 24
[NGFW_A-policy-security-rule-policy_sec_2] destination-zone trust
[NGFW_A-policy-security-rule-policy_sec_2] destination-address 10.3.1.0 24
[NGFW_A-policy-security-rule-policy_sec_2] action permit
[NGFW_A-policy-security-rule-policy_sec_2] quit
[NGFW_A-policy-security] quit

# Configure a static route.


[NGFW_A] ip route-static 10.4.0.0 24 dialer 1

----End

Example
After completing the configuration, check statistics about PPPoE session packets.
l Check statistics about PPPoE packets of the PPPoE server.
[NGFW_B] display pppoe-server session all
SID Intf State OIntf RemMAC LocMAC
1 Virtual-Template1:0 UP GE1/0/1 0022.a100.11ab 0018.82cf.ebed

l Check statistics about PPPoE packets of the PPPoE client.


[NGFW_A] display pppoe-client session summary dial-bundle-number 1
PPPoE Client Session:
ID Bundle Dialer Intf Client-MAC Server-MAC State
1 1 1 GE1/0/1 0022a10011ab 001882cfebed PPPUP

Configuration Scripts
Configuration script for NGFW_A:
#
dialer-rule 1 ip permit
#
sysname NGFW_A
#
interface Dialer1
link-protocol ppp
ppp pap local-user usera password cipher %$%$UQ"HLOehx>*n^PPqyBQVaNE<%$%$
ip address ppp-negotiate
dialer user usera
dialer-group 1
dialer bundle 1
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv4
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface dialer 1
#
ip route-static 10.4.0.0 24 dialer 1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.3.1.0 24
destination-address 10.4.1.0 24
action permit
rule name policy_sec_2
source-zone untrust
destination-zone trust
source-address 10.4.1.0 24
destination-address 10.3.1.0 24
action permit
#
return

Configuration script for NGFW_B:


#
sysname NGFW_B
#
interface Virtual-Template1
ppp authentication-mode pap
ip address 10.2.0.1 255.255.255.0
remote address pool 1
#
interface GigabitEthernet1/0/1
pppoe-server bind Virtual-Template 1
interface GigabitEthernet1/0/3
ip address 10.4.0.1 255.255.255.0
#
firewall zone trust
set priority 85

add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface virtual-template 1
#
aaa
#
domain default
ip pool 1 10.2.0.2
#
#
ip route-static 10.3.0.0 255.255.255.0 virtual-template1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
source-address 10.4.1.0 24
destination-address 10.3.1.0 24
action permit
rule name policy_sec_2
source-zone untrust
destination-zone trust
source-address 10.3.1.0 24
destination-address 10.4.1.0 24
action permit
#
return

8.8.7.2 Example for Configuring an IPv6 PPPoE Client (Stateless Address Autoconfiguration)
This section describes how to configure an IPv6 PPPoE client. An NGFW functions as an IPv6
PPPoE client to obtain an IPv6 address and access the Internet.

Networking Requirements
The NGFW shown in Figure 8-76 functions as an IPv6 PPPoE client and uses stateless address
autoconfiguration to obtain an IPv6 address from an IPv6 PPPoE server.

Figure 8-76 Networking diagram for configuring an IPv6 PPPoE client
[Figure: NGFW (IPv6 PPPoE client, GE1/0/1 in the Trust zone) connects to the IPv6 PPPoE server (GE0/0/1, 3001::1/64), which connects to the IPv6 network.]

Configuration Roadmap
The configuration roadmap is as follows:

1. Create a PPPoE session and bind it to GigabitEthernet 1/0/1 of the NGFW to enable the
interface to access an IPv6 network.
2. Create a PPPoE user on a PPPoE server.
3. Enable stateless address autoconfiguration on NGFW so that a dialer interface can
automatically obtain an IPv6 address.
4. Configure a global unicast address for GigabitEthernet 1/0/1 on the PPPoE server and
enable RA advertisement to advertise the IPv6 prefix to GigabitEthernet 1/0/1 of the
NGFW using a router advertisement (RA) message.

Procedure
Step 1 Configure the NGFW.
# Configure the NGFW as an IPv6 PPPoE client.
<NGFW> system-view
[NGFW] interface Dialer1
[NGFW-Dialer1] link-protocol ppp
[NGFW-Dialer1] ppp pap local-user admin-example password cipher Admin@123
[NGFW-Dialer1] dialer user admin-example
[NGFW-Dialer1] dialer bundle 1
[NGFW-Dialer1] quit

# Enable IPv6.
[NGFW] ipv6

# Assign a link-local IPv6 address to the dialer interface.
[NGFW] interface Dialer1
[NGFW-Dialer1] ipv6 enable
[NGFW-Dialer1] ipv6 address auto link-local

# Enable stateless address autoconfiguration.
[NGFW-Dialer1] ipv6 address autoconfig
[NGFW-Dialer1] quit

# Configure a PPPoE session.
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] pppoe-client dial-bundle-number 1 ipv6
[NGFW-GigabitEthernet1/0/1] quit

# Assign the physical interface and the dialer interface to a security zone.
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW-zone-trust] add interface Dialer 1
[NGFW-zone-trust] quit

Step 2 Configure a PPPoE server. The actual configuration varies depending on the device.
# Create a PPPoE user and set the user name to admin-example and the password to
Admin@123, which are the same as those specified on the PPPoE client.
# Set the global unicast address to 3001::1/64 for the interface that directly connects the PPPoE
server to the PPPoE client.
# Enable RA message advertisement.

----End


Configuration Verification
1. After completing the configuration, run the display ipv6 auto-configuration prefix
command on the NGFW. The NGFW has obtained an IPv6 address with the prefix
3001::/64.
2. The PPPoE client can access the IPv6 network.

Configuration Script
#
sysname NGFW
#
ipv6
#
interface Dialer1
link-protocol ppp
ppp pap local-user admin-example password cipher (TT8F]Y\5SQ=^Q`MAF4<1!!
dialer user admin-example
dialer bundle 1
ipv6 enable
ipv6 address auto link-local
ipv6 address autoconfig
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv6
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface Dialer 1
#
return

8.8.7.3 Example for Configuring an IPv6 PPPoE Client for DHCPv6-PD Address Assignment

This section provides an example for configuring an IPv6 PPPoE client for DHCPv6-PD address
assignment. An NGFW functions as an IPv6 PPPoE client and obtains an IPv6 prefix before
assigning the prefix to PCs attached to the NGFW. After obtaining the IPv6 addresses, the PCs
can access IPv6 networks.

Networking Requirements
The NGFW shown in Figure 8-77 functions as an IPv6 PPPoE client and uses DHCPv6-PD to
obtain an IPv6 prefix from an IPv6 PPPoE server. The NGFW then connects PCs to the IPv6
network.


Figure 8-77 Networking diagram for configuring an IPv6 PPPoE client (for DHCPv6-PD
address assignment): a PC on the IPv6 intranet connects to GE1/0/3 (Trust) of the NGFW;
GE1/0/1 (Untrust) of the NGFW, acting as the IPv6 PPPoE client, connects to an IPv6 PPPoE
server (GE0/0/1, 3001::1/64) on the IPv6 network.

Configuration Roadmap
The configuration roadmap is as follows:

1. Create a PPPoE session and bind it to GigabitEthernet 1/0/1 of the NGFW to enable the
interface to access an IPv6 network.
2. Create a PPPoE user on a PPPoE server.
3. Enable stateless address autoconfiguration on the NGFW so that the dialer interface can
automatically obtain an IPv6 address and an IPv6 prefix and assign the prefix to the PCs
on the intranet.
4. Configure an address pool on the PPPoE server for DHCPv6-PD address assignment.

Procedure
Step 1 Configure the NGFW.

# Configure the NGFW as an IPv6 PPPoE client.
<NGFW> system-view
[NGFW] interface Dialer1
[NGFW-Dialer1] link-protocol ppp
[NGFW-Dialer1] ppp pap local-user admin-example password cipher Admin@123
[NGFW-Dialer1] dialer user admin-example
[NGFW-Dialer1] dialer bundle 1
[NGFW-Dialer1] quit

# Enable IPv6.
[NGFW] ipv6

# Configure the link-local address of the interface.
[NGFW] interface Dialer1
[NGFW-Dialer1] ipv6 enable
[NGFW-Dialer1] ipv6 address auto link-local

# Enable stateless address autoconfiguration.
[NGFW-Dialer1] ipv6 address autoconfig

# Enable the DHCPv6 client to obtain IPv6 prefix 2001::1/64 and save the prefix in prefix pool
abc.
[NGFW-Dialer1] dhcpv6 client enable
[NGFW-Dialer1] dhcpv6 client ia-prefix prefix-name abc 2001::1/64

# Configure a PPPoE session.
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] pppoe-client dial-bundle-number 1 ipv6
[NGFW-GigabitEthernet1/0/1] quit

# Enable RA message advertisement to send prefix 2001::1/64 to PCs on the intranet.
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] undo ipv6 nd ra halt
[NGFW-GigabitEthernet1/0/3] ipv6 nd ra prefix abc 2001::1/64
[NGFW-GigabitEthernet1/0/3] quit

# Assign interfaces to security zones.
[NGFW] firewall zone untrust
[NGFW-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW-zone-untrust] add interface Dialer 1
[NGFW-zone-untrust] quit
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW-zone-trust] quit

# Configure security policies.
[NGFW] security-policy
[NGFW-policy-security] rule name policy_sec_1
[NGFW-policy-security-rule-policy_sec_1] source-zone trust
[NGFW-policy-security-rule-policy_sec_1] destination-zone untrust
[NGFW-policy-security-rule-policy_sec_1] action permit
[NGFW-policy-security-rule-policy_sec_1] quit
[NGFW-policy-security] rule name policy_sec_2
[NGFW-policy-security-rule-policy_sec_2] source-zone untrust
[NGFW-policy-security-rule-policy_sec_2] destination-zone trust
[NGFW-policy-security-rule-policy_sec_2] action permit
[NGFW-policy-security-rule-policy_sec_2] quit
[NGFW-policy-security] quit

Step 2 Configure a PPPoE server. The configuration varies with the device and is not detailed
here.
# Create a PPPoE user with a user name admin-example and a password Admin@123, which
are the same as those on the PPPoE client.
# Configure a delegated prefix pool.

----End

Configuration Verification
1. If the configurations are successful, a PC can obtain an IPv6 address with the prefix 2001::.
2. Check whether a PC can access the IPv6 network. If the PC can access the IPv6 network,
the configuration is successful. If the PC fails to access the IPv6 network, modify the
configuration and try again.

Configuration Script
#
sysname NGFW
#
ipv6


#
interface Dialer1
link-protocol ppp
ppp pap local-user admin-example password cipher (TT8F]Y\5SQ=^Q`MAF4<1!!
dialer user admin-example
dialer bundle 1
ipv6 enable
ipv6 address auto link-local
ipv6 address autoconfig
dhcpv6 client enable
dhcpv6 client ia-prefix prefix-name abc 2001::1/64
#
interface GigabitEthernet1/0/1
pppoe-client dial-bundle-number 1 ipv6
#
interface GigabitEthernet1/0/3
undo ipv6 nd ra halt
ipv6 nd ra prefix abc 2001::1/64
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface Dialer 1
#
security-policy
rule name policy_sec_1
source-zone trust
destination-zone untrust
action permit
rule name policy_sec_2
source-zone untrust
destination-zone trust
action permit
#
return

8.8.8 Feature Reference

This section provides PPPoE references.

8.8.8.1 Feature History

This section describes the versions and changes in the Point-to-Point Protocol over Ethernet
(PPPoE) feature.

Version     | Change Description
V100R001C00 | The first version.

8.8.8.2 Reference Standards and Protocols


This section provides PPPoE standards and protocols.

PPPoE standards and protocols are as follows:


l RFC 2516: A Method for Transmitting PPP Over Ethernet (PPPoE)
l RFC 1661: The Point-to-Point Protocol (PPP)

8.9 MAC Address Table


This section describes MAC address table concepts and how to configure a MAC address table,
as well as provides a configuration example.

8.9.1 Overview
A MAC address table is an interface-based Layer 2 forwarding table. It stores information about
the MAC addresses learned by a device.

MAC Address Table

Before packets can be forwarded quickly at Layer 2, the MAC address table of an NGFW must
be maintained.

The MAC address table maintains the following items:

l MAC address of a device connected to an NGFW
l Number and VLAN ID of the interface connecting the NGFW to the device

MAC Address Entries


MAC address entries are classified into the following types:

l Static MAC address entry: manually configured. It can be added or deleted manually and
never ages. Using static MAC address entries can reduce broadcast traffic on a network.
Static MAC address entries apply to networks where devices are seldom changed.
l Dynamic MAC address entry: manually configured by a user or learned by a device. It ages
after the specified aging time elapses.
l Blackhole MAC address entry: a special type of manually configured MAC address entry.
After receiving a packet whose source or destination MAC address is a blackhole MAC
address, the device discards the packet.

Table 8-114 lists the classifications and features of MAC address entries.

Table 8-114 Classifications and features of MAC address entries

MAC Address Entry           | Configuration Method                                   | Aging Time        | Saved After the Device Restarts (configurations are saved)
Static MAC address entry    | Manually configured                                    | None              | Yes
Dynamic MAC address entry   | Manually configured by a user or learned by the device | A specified value | No
Blackhole MAC address entry | Manually configured                                    | None              | Yes

The following rules apply when you configure an entry for a MAC address that already exists
in the table:

l If the existing entry is dynamic, it is changed to a static or blackhole entry, and the VLAN ID
in the entry is changed to the newly specified value.
l If the existing entry is static or blackhole, a message indicating that the MAC address
already exists is displayed, and the entry is not changed.

Process for Learning MAC Address Entries


When a port (for example, port A) receives a data frame, an NGFW reads the source MAC
address of the data frame and records that frames destined for this MAC address can be
forwarded through port A.
l If the MAC address table contains this entry, the NGFW updates the related entry.
l If the MAC address table does not contain this entry, the NGFW adds the new MAC address
and port A mapped to the MAC address as a new entry to the MAC address table.

Figure 8-78 shows how the NGFW learns MAC addresses. In the MAC address table on the
NGFW, MAC A and MAC B map to port 1, and MAC C and MAC D map to port 2. A data
frame whose destination MAC address is MAC C and source MAC address is MAC A travels
from port 1 to port 2 on the NGFW.

The process is as follows:

1. When the data frame arrives at the NGFW, the NGFW analyzes the source MAC address
in the data frame and searches for the matching address in the MAC address table.
2. As the MAC address entry already exists in the MAC address table, the NGFW updates
the entry.
3. The NGFW then checks the destination MAC address of the data frame.
4. As the destination address entry also already exists in the MAC address table and maps to
port 2, the NGFW forwards the data frame through port 2.


Figure 8-78 Process for learning MAC address entries (MAC address table on the NGFW: MAC A
and MAC B map to port 1; MAC C and MAC D map to port 2)

When forwarding packets, the NGFW takes the following measures based on the mapping
between the destination MAC address in the received packet and the entry in the MAC address
table:
l If a mapping entry exists, the NGFW directly forwards the packet through the
corresponding port.
l If no mapping entry exists, the NGFW forwards the packet in broadcast mode.
After the broadcast packet is sent, the following situations may occur:
– The packet reaches the device with the destination MAC address. The destination device
replies to the broadcast packet, and the MAC address of the destination device is
included in the reply packet (namely, the source MAC address of the reply packet).
After receiving the reply packet, the NGFW learns the source MAC address of the reply
packet and adds the MAC address to the MAC address table.
Therefore, packets with the source MAC address of the reply packet as the destination
MAC address are directly forwarded based on the entry.
– If the packet does not reach the device with the destination MAC address, no reply is
received and no entry is learned, so the NGFW continues to broadcast packets for that
destination.

8.9.2 Configuring a MAC Address Table


This section describes how to configure a static MAC address entry and the aging time of
dynamically learned MAC address entries.

Prerequisites
Interfaces mapped to the MAC addresses in the MAC address table work in Layer 2 mode.


Procedure
Step 1 Display the system view.
system-view

Step 2 Configure MAC address entries.


l To configure MAC address entries in the system view, run the following commands as
needed:
– Configure a blackhole MAC address entry.
mac-address blackhole mac-address interface-type interface-number vlan vlan-id
– Configure a dynamic MAC address entry.
mac-address dynamic mac-address interface-type interface-number vlan vlan-id
– Configure a static MAC address entry.
mac-address static mac-address interface-type interface-number vlan vlan-id

l To configure MAC address entries in the interface view, perform the following steps:
1. Display the interface view.
interface interface-type interface-number
2. Run the following commands to configure MAC address table entries:
– Configure a blackhole MAC address entry.
mac-address blackhole mac-address interface-type interface-number vlan vlan-id
– Configure a dynamic MAC address entry.
mac-address dynamic mac-address interface-type interface-number vlan vlan-id
– Configure a static MAC address entry.
mac-address static mac-address interface-type interface-number vlan vlan-id
3. Return to the system view.
quit

Step 3 Set the aging time of dynamic MAC address entries.


mac-address aging-time seconds

The value can be 0 or range from 30 to 65535, in seconds. If seconds is set to 0, MAC address
entries never age.

The default aging time is 300s.

----End

8.9.3 (Optional) Configuring a Limit Rule for Learning MAC Addresses

You can configure a limit rule for learning dynamic MAC addresses.

Context
A limit rule for learning dynamic MAC addresses is applicable to insecure networks with fixed
access users, such as a cell access network or an intranet that lacks security management.

When the number of access users reaches the upper limit, the MAC addresses of new users
cannot be learned, and the packets of the new users are discarded.


NOTICE
Before configuring a limit rule for learning dynamic MAC addresses, if learned MAC addresses
exist on the port, run the undo mac-address dynamic command in the system view to clear the
MAC addresses. If this command is not run, the limit rule cannot function properly.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the Ethernet interface view.


interface interface-type interface-number

Step 3 Switch the Layer 3 Ethernet interface to Layer 2 mode.


portswitch

Step 4 Configure a limit rule for learning MAC addresses.


mac-limit { maximum max | action { discard | forward } } *

----End
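The learning, lookup and entry-type rules of 8.9.1 and the mac-limit rule of 8.9.3 can be checked against a small model. The following Python simulation is an added example and not Huawei code or anything the NGFW runs; entries are keyed by MAC address, the default aging time is the 300s from 8.9.2, and the meaning of the mac-limit forward action (pass the frame without learning its MAC) is an assumption.

```python
"""Model of the NGFW MAC address table rules from Sections 8.9.1 to 8.9.3.

Constructed example; not Huawei code. Entries are keyed by MAC address, the
default aging time is 300 s (Section 8.9.2), and the meaning of the mac-limit
'forward' action (pass the frame without learning) is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# ("forward", port) | ("flood", None) | ("discard", reason)
Decision = Tuple[str, Optional[str]]


@dataclass
class MacEntry:
    port: str
    vlan: int
    kind: str            # "static", "dynamic" or "blackhole"
    refreshed_at: float  # last learn/refresh time; only dynamic entries age


class MacTable:
    def __init__(self, aging_time: int = 300):
        self.aging_time = aging_time                      # 0 means dynamic entries never age
        self.entries: Dict[str, MacEntry] = {}
        self.mac_limit: Dict[str, Tuple[int, str]] = {}  # port -> (maximum, action)

    def set_mac_limit(self, port: str, maximum: int, action: str = "discard") -> None:
        """Counterpart of 'mac-limit maximum <max> action { discard | forward }'."""
        self.mac_limit[port] = (maximum, action)

    def configure(self, mac: str, port: str, vlan: int, kind: str) -> bool:
        """Manual entry ('mac-address static|blackhole|dynamic ...').

        An existing dynamic entry is converted and takes the new VLAN ID; an
        existing static or blackhole entry is left unchanged and the device
        reports that the MAC address already exists (returned here as False).
        """
        current = self.entries.get(mac)
        if current is not None and current.kind != "dynamic":
            return False
        self.entries[mac] = MacEntry(port, vlan, kind, 0.0)
        return True

    def _dynamic_count(self, port: str) -> int:
        return sum(1 for e in self.entries.values()
                   if e.kind == "dynamic" and e.port == port)

    def _learn(self, src: str, in_port: str, vlan: int, now: float) -> bool:
        """Learn or refresh the source MAC. Returns False if the frame is dropped."""
        entry = self.entries.get(src)
        if entry is not None:
            if entry.kind == "dynamic":  # known dynamic entry: refresh port, VLAN and timer
                entry.port, entry.vlan, entry.refreshed_at = in_port, vlan, now
            return True                  # static/blackhole entries are never changed by learning
        limit = self.mac_limit.get(in_port)
        if limit is not None and self._dynamic_count(in_port) >= limit[0]:
            # Limit reached: the new MAC is not learned. 'discard' drops the
            # frame (Section 8.9.3); 'forward' is assumed to pass it unlearned.
            return limit[1] == "forward"
        self.entries[src] = MacEntry(in_port, vlan, "dynamic", now)
        return True

    def receive(self, src: str, dst: str, in_port: str, vlan: int,
                now: float) -> Decision:
        """Process one frame: blackhole check, source learning, destination lookup."""
        for mac in (src, dst):
            e = self.entries.get(mac)
            if e is not None and e.kind == "blackhole":
                return ("discard", "blackhole")   # blackhole MAC as source or destination
        if not self._learn(src, in_port, vlan, now):
            return ("discard", "mac-limit")
        dst_entry = self.entries.get(dst)
        if dst_entry is None:
            return ("flood", None)                # no entry: broadcast out of the other ports
        return ("forward", dst_entry.port)        # entry found: forward through its port

    def age(self, now: float) -> List[str]:
        """Delete dynamic entries idle longer than the aging time; returns their MACs."""
        if self.aging_time == 0:
            return []
        expired = [m for m, e in self.entries.items()
                   if e.kind == "dynamic" and now - e.refreshed_at > self.aging_time]
        for m in expired:
            del self.entries[m]
        return expired


def figure_8_78_walkthrough() -> Tuple[Decision, Decision]:
    """Replay of Figure 8-78 with constructed MAC labels: MAC A/B behind port 1,
    MAC C/D behind port 2; a frame A->C is forwarded, a frame A->E is flooded."""
    table = MacTable()
    for mac, port in (("MAC-A", "1"), ("MAC-B", "1"), ("MAC-C", "2"), ("MAC-D", "2")):
        table.receive(mac, "ffff-ffff-ffff", port, 1, now=0.0)  # frames that taught the device each MAC
    known = table.receive("MAC-A", "MAC-C", "1", 1, now=10.0)
    unknown = table.receive("MAC-A", "MAC-E", "1", 1, now=11.0)
    return known, unknown


if __name__ == "__main__":
    print(figure_8_78_walkthrough())  # (('forward', '2'), ('flood', None))
```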

8.9.4 Maintaining the MAC Address Table


After configuring the MAC address table, you can run the display commands to view the
configuration.
You can run the commands listed in Table 8-115 in any view to display the configurations of
the MAC address table.

Table 8-115 Displaying the MAC address table configuration

Action: Display information about MAC address entries.
Commands:
display mac-address [ count ]
display mac-address mac-address [ vlan vlan-id ] [ count ]
display mac-address { all | blackhole | static | dynamic } [ interface-type interface-number ]
[ vlan vlan-id ] [ count ]

Action: Display the aging time of MAC address entries.
Command: display mac-address aging-time

Action: Display the limit rules for learning MAC addresses.
Command: display mac-limit [ interface-type interface-number ]

8.9.5 Example for Configuring the MAC Address Table


This section provides an example for configuring the MAC address table. You can set the MAC
address of the server statically to improve the stability and security of entries.


Networking Requirements
GigabitEthernet 1/0/3 on an NGFW works at Layer 2 and is connected to a server with MAC
address 00e0-fa33-dc51 on the network shown in Figure 8-79.

To prevent the NGFW from flooding packets destined for the server out of all its ports, a static
MAC address entry is configured on the NGFW. This entry maps MAC address 00e0-fa33-dc51
to GigabitEthernet 1/0/3 and to VLAN1, to which GigabitEthernet 1/0/3 is assigned. The NGFW
then sends packets destined for the server only out of GigabitEthernet 1/0/3, instead of flooding
them.

Figure 8-79 NGFW with a MAC address table (GE1/0/3 in VLAN1 connects the NGFW to the server
with MAC address 00E0-FA33-DC51)

Procedure
Step 1 Display the system view.
<NGFW> system-view

Step 2 Switch GigabitEthernet 1/0/3 to a Layer 2 port.


[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] portswitch

Step 3 Configure a static MAC address entry.
[NGFW-GigabitEthernet1/0/3] mac-address static 00e0-fa33-dc51 GigabitEthernet 1/0/3 vlan 1

----End

Configuration Script
#
sysname NGFW
#
interface GigabitEthernet1/0/3
portswitch
port link-type access
mac-address static 00e0-fa33-dc51 GigabitEthernet1/0/3 vlan 1
#
return

8.9.6 Feature History

This section describes the versions and changes in the MAC address table feature.

Version     | Change Description
V100R001C00 | The first version.

8.10 ARP
This section describes Address Resolution Protocol (ARP) concepts and how to configure ARP,
as well as provides configuration examples.

8.10.1 Overview
The Address Resolution Protocol (ARP) is at the link layer of the TCP/IP protocol suite. An
Ethernet device must support ARP. ARP dynamically maps Layer 3 IP addresses to Layer 2
Medium Access Control (MAC) addresses.

Definition
ARP maps IP addresses to MAC addresses. ARP entries are classified as static and dynamic
ARP entries. In addition, ARP provides extension application functions, such as proxy ARP and
gratuitous ARP.

Objective
Each host or router in a local area network (LAN) has a 32-bit IP address for communicating
with other hosts. IP addresses are independent of hardware addresses. On an Ethernet, a host or
a router transmits Ethernet frames based on 48-bit MAC addresses. A MAC address is also called
a physical or hardware address. It is assigned to an Ethernet interface when the device is
manufactured. In actual networking, MAC and IP addresses must be mapped using an address
resolution mechanism.

ARP supports the following functions:

l Dynamic ARP
ARP dynamically resolves an IP address into an Ethernet MAC address based on ARP
packets. No network administrator interference is required.
l Static ARP
Static ARP establishes a fixed mapping between the IP and MAC addresses, which cannot
be dynamically adjusted on a host or router. Network administrator interference is required.
l Proxy ARP
Also called routed proxy ARP. If a host is not configured with a default gateway address,
the host can send an ARP Request packet to request the destination host MAC address.
After the device enabled with proxy ARP receives the packet, it sends an ARP Reply packet
containing its own MAC address so that internal hosts on different physical networks but
on the same network segment can communicate.
l Gratuitous ARP
Gratuitous ARP checks existing IP addresses and declares new MAC addresses.


l Authorized ARP
Authorized ARP, valid on only devices enabled with the DHCP server function, applies
when the DHCP server and DHCP client reside on the same network segment to prevent
attackers from forging the IP addresses or MAC addresses of legitimate DHCP clients to
launch attacks.

8.10.2 Mechanism
This section describes the mechanism of the Address Resolution Protocol (ARP).

Address Resolution Process


ARP was developed for Ethernet networks, which support broadcast. A host can use ARP to
obtain the MAC address of a destination host on the same physical network when it knows only
the IP address of the destination host. The mapping between IP and MAC addresses is
dynamically updated, so IP addresses can still be translated into MAC addresses when hosts
change, for example, when the number of hosts changes or a network interface card (NIC) is
replaced.

The address resolution process is as follows:

1. ARP request
Host A shown in Figure 8-80 knows only the IP address of host B. Host A broadcasts an
ARP request packet to request the MAC address of host B.

Figure 8-80 ARP request (host A broadcasts an ARP request over the Ethernet to host B)

2. ARP reply
All hosts on the network, including host B, receive the ARP request packet. Only host B
responds to the ARP request packet. Host B shown in Figure 8-81 sends an ARP reply
packet carrying a local MAC address to host A.
Host A obtains host B's MAC address and uses this MAC address to communicate with
host B.


Figure 8-81 ARP reply (host B sends an ARP reply over the Ethernet to host A)

ARP Aging Mechanism


l ARP cache
Host A broadcasts an ARP Request packet before sending a packet to host B each time,
which causes traffic to increase. All hosts have to receive and process the ARP Request
packets, which decreases network efficiency.
To solve the preceding problems, each host maintains an ARP cache. This cache maintains
recently created mappings between IP and MAC addresses.
Before sending a packet, a sender searches the cache for a MAC address mapped to the
destination IP address. If the sender finds a matched MAC address, the sender directly sends
the packet to a host with the MAC address, without sending an ARP Request packet. If the
sender does not find a matching MAC address, the sender broadcasts an ARP Request
packet.
l Aging time of dynamic ARP entries
After host A shown in Figure 8-81 obtains host B's MAC address from an ARP Reply
packet sent by host B, host A generates a mapping entry between the IP and MAC addresses
of host B in the ARP cache. If host B fails or its NIC is replaced, host A fails to update the
mapping entry and keeps sending packets to host B.
A timer can be set so that host A deletes cached ARP entries after the timer expires. The
timer only reduces address resolution errors, because the sender can detect the fault and
delete the invalid ARP entry only after the timer expires.
l Probes for aging dynamic ARP entries
An upper limit on the number of probes can be set on a device to further reduce address
resolution errors. If the device receives no response after the number of probes sent for an
entry reaches the upper limit, the device deletes the ARP entry.

Static ARP
Static ARP supports the fixed mappings between IP and MAC addresses. Hosts and routers
involved cannot change mappings dynamically. Static ARP is configured manually by network
administrators.

Static ARP entries are used in the following situations:


l A gateway on a local network segment is used to forward packets with destination addresses
on other network segments.
l Packets with invalid IP addresses can be filtered out by binding these IP addresses to a
nonexistent MAC address.
l IP addresses are bound to MAC addresses to defend against attacks, such as ARP flood
attacks.
Static ARP entries have a higher priority than dynamic ARP entries. When you configure a static
ARP entry for an IP address that maps to a dynamic ARP entry in the ARP table, the static ARP
entry replaces the dynamic ARP entry.

Proxy ARP
Proxy ARP is a technique by which a device on a given network answers ARP requests for a
network address that is not on that network.
Proxy ARP has the following features:
l All processing is performed on the gateway of the subnet; the hosts on the networks need no
changes.
l Each host sees a standard IP network rather than a subnet.
l Proxy ARP affects only the ARP caches on hosts, not the ARP caches or routing tables on
gateways.
l After proxy ARP is enabled, a short ARP aging time should be set so that stale ARP entries
are invalidated quickly, which reduces the number of packets sent to routers that cannot
forward them.
The NGFW supports two proxy ARP modes:
l Routed proxy ARP
Allows communication between hosts or routers that are on the same network segment but
on different physical networks.
If no default gateway address is set on a host connected to a router (the host does not know
the proxy for this network), the router cannot forward data for this host. Routed proxy ARP
resolves this issue: when the host sends an ARP request for the MAC address of the
destination host, the proxy ARP-enabled router returns an ARP reply carrying its own MAC
address.
l Inner-VLAN proxy ARP
Allows communication between hosts or routers in the same VLAN configured with user
isolation.
If two users belong to one VLAN and the VLAN is configured with user isolation, inner-
VLAN proxy ARP must be enabled on the interface associated with the VLAN for the
users to communicate.
As shown in Figure 8-82, HOST_A and HOST_B are attached to the NGFW. The interfaces
connecting the NGFW to the hosts belong to VLAN 10, and the hosts are isolated on the
switch, so they cannot communicate at Layer 2. You can enable inner-VLAN proxy ARP on
the interfaces of the NGFW to resolve this issue. If the NGFW receives an ARP request that
is not destined for itself, it does not discard the packet. Instead, it searches the ARP table for
an ARP entry for HOST_B. If the entry is found, the NGFW sends its own MAC address to
HOST_A and forwards the packets from HOST_A to HOST_B. In this manner, the NGFW
serves as a proxy for HOST_B.


Figure 8-82 Networking diagram for inner-VLAN proxy ARP (NGFW GE1/0/2 with VLANIF10
connects to a switch; Host_A and Host_B are in VLAN 10)

Dynamic ARP
Dynamic ARP dynamically and automatically resolves IP addresses into Ethernet MAC
addresses. Dynamic ARP does not require the involvement of an administrator.
An NGFW creates or updates an ARP entry if a received ARP packet satisfies any of the following
conditions:
l The ARP packet carries a non-broadcast source address that is on the same network segment
as the inbound interface address. The ARP packet is bound for the IP address of the inbound
interface.
l The ARP packet carries a non-broadcast source address that is on the same network segment
as the inbound interface address. The ARP packet is bound for the virtual IP address of a
Virtual Router Redundancy Protocol (VRRP) backup group created on the inbound
interface.
l The ARP packet is bound for an address in a Network Address Translation (NAT) address
pool configured on the inbound interface.
If the source IP address of the received ARP packet maps to an ARP entry of the inbound
interface, the NGFW also updates the ARP entry.

Gratuitous ARP
Gratuitous ARP enables a device to send an ARP Request packet to its own IP address. Gratuitous
ARP provides the following functions:


l IP address conflict detection: If a device receives no reply to a gratuitous ARP request
packet, its IP address is unique. If the device receives an ARP reply packet in response to a
gratuitous ARP request packet, there is an IP address conflict.
l New MAC address advertising: If a device has its NIC replaced and its MAC address is
changed, the device sends a gratuitous ARP packet to notify all hosts of the MAC address
update before the ARP entry aging time elapses.

Authorized ARP
Authorized ARP allows a DHCP server to automatically add an ARP entry that contains the
MAC and IP addresses of the client after assigning an IP address to the client.

l Authorized ARP entries


Authorized ARP entries do not age. After a DHCP server logs out DHCP clients, the DHCP
server automatically deletes their authorized ARP entries from an ARP table.
Authorized ARP entries have higher priorities than dynamic ARP entries, but lower than
static ARP entries. A new authorized ARP entry overrides a duplicate dynamic ARP entry,
but not a duplicate static ARP entry. The authorized ARP entry can be overridden by a
duplicate static ARP entry.
l Working mechanism
Authorized ARP combines the ARP and DHCP working mechanisms. The authorized ARP
function is only available on devices with the DHCP server function enabled when the
DHCP server and client reside on the same network segment. Authorized ARP is not
applicable to DHCP relay scenarios.
The authorized ARP mechanism is as follows:
1. A DHCP client broadcasts a DHCPDISCOVER message. After receiving this
message, a DHCP server replies with a DHCPOFFER message carrying network
parameters, including an IP address.
2. If many DHCP servers send DHCPOFFER messages to the client at the same time,
the client accepts the first DHCPOFFER message. The client then broadcasts a
DHCPREQUEST message to all DHCP servers. The DHCPREQUEST message
contains the MAC address of the DHCP client and IP address request.
3. After the selected DHCP server receives the DHCPREQUEST message, the DHCP
server sends a DHCPACK message to the client. The message contains network
parameters, including the assigned IP address. Meanwhile, the DHCP server
automatically adds an authorized ARP entry that contains the IP and MAC addresses
of the DHCP client.
4. The DHCP server relies on the authorized ARP entries instead of learning MAC addresses
from ARP responses, so forged responses cannot replace them. If an attacker forges the IP
or MAC address of a valid DHCP client to originate an ARP request, the DHCP server (gateway)
finds that the IP/MAC pair in the request does not match any authorized ARP entry and sends
no response. The attacker therefore cannot access the network through the gateway, which
improves network security. The address of the DHCP server is the same as the gateway
address when the DHCP server and client reside on the same network segment.

Issue 04 (2015-07-30) Huawei Proprietary and Confidential 1349


Copyright © Huawei Technologies Co., Ltd.
HUAWEI USG6000 Series & NGFW Module
Administrator Guide 8 Networks

8.10.3 Configuring Static ARP


Static ARP entries record the fixed mapping between IP and MAC addresses. They are
configured manually.

Context
A static ARP entry is manually added. It does not age and cannot be overwritten by a dynamic
ARP entry. Static ARP entries remain valid as long as the device works properly.
Static ARP entries improve communication security: they ensure that the local device communicates
with a specified peer only through the specified MAC address, so attackers cannot modify the
mapping between IP and MAC addresses in these entries. Note that static entries on the NGFW protect
only the NGFW's own ARP table; the ARP caches of the hosts behind it are not protected by them.

Procedure
Step 1 Access the system view.
system-view

Step 2 Perform either of the following operations:


l To configure a common static ARP entry, run:
arp static ip-address mac-address

l To configure a common static ARP entry in a virtual local area network (VLAN), perform
the following steps:
– Configure a static ARP entry.
arp static ip-address mac-address vid vlan-id

If the interface of a specified VLAN is bound to a virtual private network (VPN), the
device can automatically associate the configured static ARP entry with the VPN. This
command is applicable to port-based VLANs.
– Bind the static entry to a VPN instance.
arp static ip-address mac-address [ vpn-instance vpn-instance-name ] vid vlan-
id

This command is applicable to a sub-interface that supports VLAN and can be bound to
a VPN instance.
l To configure a static ARP entry in a VPN instance, run:
arp static ip-address mac-address vpn-instance vpn-instance-name

----End

Example
# Map the Ethernet MAC address 0022-a101-2259 to the IP address 192.168.0.1.
<NGFW> system-view
[NGFW] arp static 192.168.0.1 0022-a101-2259

Follow-up Procedure
Run the display arp static command to view the static ARP entry.
<NGFW> display arp static
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/PVC
------------------------------------------------------------------------------
192.168.0.1     0022-a101-2259            S
------------------------------------------------------------------------------
Total:1   Dynamic:0   Static:1   Interface:0   Authorized:0   SNMP:0

The TYPE field displays S, which indicates a static ARP entry. If the EXPIRE(M) field is empty,
the entry does not age.

8.10.4 Optimizing Dynamic ARP


Dynamic ARP is enabled by default and requires no configuration. To optimize this function, you can
modify some dynamic ARP parameters.

Context
If the device needs to update ARP entries frequently, reduce the aging timeout period of ARP
entries and increase the aging detection frequency.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the interface view.


interface interface-type interface-number

Step 3 Set the timeout period for aging dynamic ARP entries.
arp expire-time expire-times

By default, the aging timeout period is 1200 seconds.

Step 4 Set the maximum number of ARP probe packets to be sent.


arp detect-times detect-times

The default value is 3.

Each time the aging time of a dynamic ARP entry elapses, the device sends an ARP probe packet
to the peer device. If the device does not receive an ARP Reply packet from the peer device after
sending a maximum number of probe packets, it deletes the ARP entry.

For example, if the aging time of dynamic ARP entries is 60s and the maximum number of ARP
probe packets is 6, then 60s after an ARP entry is created the device sends an ARP probe packet
every 5s. If it receives no response after sending six probe packets, it deletes the ARP entry.
The actual aging time of the entry is therefore 90s (60 + 6 x 5).

If the number of aging detection times is set to 0, the device deletes dynamic ARP entries
immediately when the entries age.

Step 5 Enable multicast MAC address learning.


arp multi-mac-permit

If the multicast MAC address learning function is disabled, the NGFW can learn only unicast
MAC addresses from ARP packets.


On the network shown in Figure 8-83, the NGFW works at Layer 3 and the switch works at
Layer 2. The server cluster has a virtual IP address and a virtual MAC address which is a multicast
address. The NGFW needs the virtual MAC address of the server cluster in order to forward
service packets from clients to the server cluster. Enable MAC address learning on interface
GigabitEthernet1/0/2 so that the NGFW can learn this address.

Figure 8-83 A standalone firewall learning the MAC address
[Figure: Client -- GE1/0/1 -- NGFW -- GE1/0/2 -- Switch -- Server cluster (virtual IP 10.10.10.1, virtual MAC 0100-5e00-0001)]

To enhance network availability, you can deploy two NGFWs in dual-system hot backup, as shown
in Figure 8-84. A routing loop is formed if multicast MAC address learning is enabled on the NGFWs
in a dual-system hot backup deployment. The following example explains how the loop forms on
Switch_Active.

1. NGFW_Active (the active firewall) encapsulates a service packet from a client with the virtual
MAC address of the server cluster and forwards the packet to Switch_Active.
2. Because the destination MAC address is a multicast address, Switch_Active floods (broadcasts)
the packet. Switch_Standby receives the flooded copy and forwards it to NGFW_Standby (the
standby firewall).
3. NGFW_Standby looks up its routing table and ARP table and sends the packet back to
Switch_Active.
4. Switch_Active receives the packet and floods it again. NGFW_Active then receives the packet
again.
This process repeats and the same packet bounces back and forth between the active and
standby NGFWs, forming a routing loop. In addition, the server cluster receives duplicate
packets because Switch_Active floods the packet repeatedly.


Figure 8-84 Firewalls in dual-system hot backup learning the MAC address
[Figure: Client -- GE1/0/1 of NGFW_Active and of NGFW_Standby; GE1/0/2 of NGFW_Active -- Switch_Active, GE1/0/2 of NGFW_Standby -- Switch_Standby; both switches attach the server cluster (virtual IP 10.10.10.1, virtual MAC 0100-5e00-0001)]

To resolve the routing loop problem, configure MAC address-based packet filtering on both the
active and standby NGFWs as follows:
1. Run the system-view command to access the system view.
2. Run the acl 4001 command to access the ACL view.
3. Run the rule deny dest-mac 0100-5e00-0001 FFFF-FFFF-FFFF command to create a
MAC address-based ACL rule.
The dest-mac parameter specifies the virtual MAC address of the server cluster; this example
uses 0100-5e00-0001. The mask FFFF-FFFF-FFFF makes the rule an exact match on that address.
4. Run the interface GigabitEthernet 1/0/2 command to access the interface view.
5. Run the firewall ethernet-frame-filter 4001 inbound command to apply the MAC address-
based packet filter.
With the preceding configuration, each NGFW drops the frames that the switches flood back to it
with the cluster's virtual MAC address as the destination, which breaks the loop. Frames from the
server cluster to clients carry the NGFW's own MAC address as the destination and are not affected.

----End
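The ACL rule above is a mask-based match on the destination MAC address. The following Python model is an added example, not code from this guide or from the NGFW software; it shows what the mask does and why the exact mask FFFF-FFFF-FFFF is used. A coarser mask that catches every multicast MAC (only the I/G bit compared) would also drop the broadcast frames ARP itself depends on and legitimate multicast such as VRRP and OSPF. The frame list is a constructed sample; the `MacRule` and `EthernetFrameFilter` classes are the author's simplification of `rule deny dest-mac` and `firewall ethernet-frame-filter`, and the NGFW MAC used in the sample is assumed.

```python
"""Mask-based destination-MAC filtering, modelled on the ACL rule configured above
(added example; the NGFW's own matching code is not part of this guide)."""


def mac_to_int(mac):
    """Accept the guide's xxxx-xxxx-xxxx notation or xx:xx:xx:xx:xx:xx; return a 48-bit int."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address {mac!r}")
    return int(digits, 16)


def is_multicast(mac):
    """The I/G bit (least-significant bit of the first octet) is set for group addresses,
    which is why the cluster's virtual MAC 0100-5e00-0001 counts as multicast."""
    return bool((mac_to_int(mac) >> 40) & 1)


class MacRule:
    """`rule deny dest-mac <mac> <mask>`: bits set in the mask are compared, the rest are
    ignored, so FFFF-FFFF-FFFF means an exact match on the whole address."""

    def __init__(self, action, dest_mac, mask="FFFF-FFFF-FFFF"):
        self.action = action
        self.value = mac_to_int(dest_mac)
        self.mask = mac_to_int(mask)

    def matches(self, dst_mac):
        return (mac_to_int(dst_mac) & self.mask) == (self.value & self.mask)


class EthernetFrameFilter:
    """Ordered rule list applied to inbound frames; first match wins, no match = permit."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, dst_mac):
        for rule in self.rules:
            if rule.matches(dst_mac):
                return rule.action
        return "permit"

    def apply(self, frames):
        """frames: iterable of (dst_mac, description). Returns (permitted, denied) lists."""
        permitted, denied = [], []
        for dst, desc in frames:
            (permitted if self.decide(dst) == "permit" else denied).append(desc)
        return permitted, denied


# Constructed sample of frames GE1/0/2 might receive from Switch_Active in the loop scenario
# (the NGFW's own MAC 0022-a101-2259 is assumed for the example).
SAMPLE_FRAMES = [
    ("0100-5e00-0001", "client->cluster packet flooded back by the switch"),
    ("0022-a101-2259", "cluster->client reply addressed to the NGFW's own MAC"),
    ("ffff-ffff-ffff", "ARP request broadcast from a server"),
    ("0100-5e00-0012", "VRRP advertisement (224.0.0.18)"),
]

# The rule from the procedure above: exact match on the cluster's virtual MAC.
EXACT_FILTER = EthernetFrameFilter([MacRule("deny", "0100-5e00-0001", "FFFF-FFFF-FFFF")])
# A tempting "block all multicast" rule: only the I/G bit is compared, so it also hits broadcast.
COARSE_FILTER = EthernetFrameFilter([MacRule("deny", "0100-0000-0000", "0100-0000-0000")])
```

Running `EXACT_FILTER.apply(SAMPLE_FRAMES)` denies only the flooded copy, whereas `COARSE_FILTER.apply(SAMPLE_FRAMES)` also denies the ARP broadcast and the VRRP advertisement, which would break address resolution and the hot-backup heartbeat on that link.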

Follow-up Procedure
Run the display arp interface command to view all ARP entries on an interface.
<NGFW> display arp interface GigabitEthernet 1/0/2
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/PVC
------------------------------------------------------------------------
192.168.1.11    0000-0a41-0201            I    GE1/0/2
192.168.1.1     0000-0a41-0200  15        D    GE1/0/2
-------------------------------------------------------------------------
Total:2   Dynamic:1   Static:0   Interface:1   Authorized:0   SNMP:0

If the TYPE field is I, the entry maps the interface's own IP address to its MAC address; its
EXPIRE(M) field is empty because the entry does not age. If the TYPE field is D, the entry was
learned dynamically, and EXPIRE(M) shows the number of minutes left before it ages out (15 here).

8.10.5 Configuring Proxy ARP


The firewall can serve as a proxy for the destination hosts of ARP requests to answer these ARP
requests.

8.10.5.1 Configuring Routed Proxy ARP


Routed proxy ARP enables communication between devices in the same network segment but
on different physical networks.

Prerequisites
Before configuring routed proxy ARP, set an IP address for the interface enabled with routed
proxy ARP. For details on how to set the IP address, see 8.1 Interface and Interface Pair.

The IP address of the interface must be in the same network segment as the IP address of the
LAN host connected to the interface.

Context
Two physical networks of an enterprise belong to one IP network but are different subnets
(separated by a router). To allow communication between these physical networks, enable routed
proxy ARP on the interfaces connecting the router to the physical networks.

The hosts on the two subnets must share the same network ID (that is, use a mask that covers
both subnets), and no default gateway needs to be configured on the hosts: the router answers ARP
requests for hosts on the other subnet with its own MAC address and forwards the traffic.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number [ .subinterface-number ]

The interface view is displayed.

Step 3 Run:
arp-proxy enable

Routed proxy ARP is enabled.


By default, routed proxy ARP is disabled.

----End

Follow-up Procedure
Run the display arp interface command to view ARP entries on the interface.
<NGFW> display arp interface GigabitEthernet 1/0/2
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/PVC
------------------------------------------------------------------------
10.10.1.1       0022-a101-b5db            I    GE1/0/2
10.10.1.2       0021-97cf-2238  20        D    GE1/0/2
-------------------------------------------------------------------------
Total:2   Dynamic:1   Static:0   Interface:1   Authorized:0   SNMP:0

8.10.5.2 Configuring Inner-VLAN Proxy ARP


Inner-VLAN proxy ARP enables isolated PCs or routers in one VLAN to communicate.

Prerequisites
Before configuring proxy ARP, set an IP address for the interface enabled with proxy ARP. For
details on how to set the IP address, see 8.1 Interface and Interface Pair.

The IP address of the interface must be in the same network segment as the IP address of the
LAN host connected to the interface.

Context
If two users belong to one VLAN and the VLAN is configured with user isolation, inner-VLAN
proxy ARP must be enabled on the interface associated with the VLAN for communication
between the users.

Procedure
Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
interface interface-type interface-number [ .subinterface-number ]

The interface view is displayed.

Step 3 Run:
arp-proxy inner-sub-vlan-proxy enable

Inner-VLAN proxy ARP is enabled.

By default, inner-VLAN proxy ARP is disabled.

----End


Follow-up Procedure
Run the display arp interface command to view ARP entries on the interface.
<NGFW> display arp interface GigabitEthernet 1/0/2
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/PVC
------------------------------------------------------------------------
10.10.10.65     0022-a111-1112            I    GE1/0/2
10.10.10.1      0018-8244-5566  20        D    GE1/0/2
10.10.10.250    0018-8244-5566  20        D    GE1/0/2
-------------------------------------------------------------------------
Total:3   Dynamic:2   Static:0   Interface:1   Authorized:0   SNMP:0

8.10.6 Configuring Gratuitous ARP


A gratuitous ARP packet is a special ARP packet whose sender and target IP addresses are both
the local IP address, whose sender MAC address is the local MAC address, and whose destination
MAC address is the broadcast address. Configuring gratuitous ARP enables a device to proactively
learn and send gratuitous ARP packets.

8.10.6.1 Configuring the Learning of Gratuitous ARP Packets


After the learning of gratuitous ARP packets is configured, a device adds the source IP address
and source MAC address carried in gratuitous ARP packets to the dynamic ARP mapping table
when no ARP entry matches the source IP address in ARP packets.

Prerequisites
Before configuring gratuitous ARP, set the IP address of the interface enabled with gratuitous
ARP. For details on how to set the IP address, see 8.1 Interface and Interface Pair.

Context
If an ARP entry matches the source IP address of ARP packets, the device updates this dynamic
ARP entry, regardless of the learning of gratuitous ARP packets.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the interface view.


interface interface-type interface-number

Step 3 Enable the device to learn gratuitous ARP packets.


gratuitous-arp learn enable

By default, this function is enabled on the interface.

----End


8.10.6.2 Configuring the Sending of Gratuitous ARP Packets


After the sending of gratuitous ARP packets is configured, the gateway keeps the correct gateway
MAC address in the hosts' ARP caches, so user packets reach the gateway instead of an attacker
who has spoofed the gateway address.

Prerequisites
Before configuring gratuitous ARP, set the IP address of the interface enabled with gratuitous
ARP. For details on how to set the IP address, see 8.1 Interface and Interface Pair.

Context
A device functioning as a gateway periodically sends gratuitous ARP packets (with the gateway IP
address as both the sender and the target IP address) so that hosts refresh the gateway MAC address
in their ARP entries. This ensures that packets are forwarded to the real gateway and counters
attempts by attackers to redirect them.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the interface view.


interface interface-type interface-number

Step 3 Enable the interface to periodically send gratuitous ARP packets.


gratuitous-arp send enable [ interval interval ]

By default, this function is disabled.

After this function is enabled, the device sends gratuitous ARP packets every 60 seconds by
default. To customize the interval, set interval. A shorter interval narrows the window in which
a forged gateway entry survives on the hosts, at the cost of more broadcast traffic; it does not
stop an attacker who keeps sending forged replies, so combine it with static or authorized ARP
entries where possible.

----End

8.10.7 Configuring Authorized ARP


After authorized ARP is enabled, the DHCP server not only assigns an IP address to a client,
but also adds an ARP entry containing the MAC and IP addresses of the client automatically to
the ARP table. The DHCP server prevents attackers from forging the IP addresses or MAC
addresses of valid DHCP clients to launch attacks, which improves network security.

Prerequisites
Before enabling authorized ARP, complete the DHCP server configuration.

Context
Authorized ARP, valid on only devices enabled with the DHCP server function, applies when
the DHCP server and client reside on the same network segment, not in the DHCP relay scenario.

Authorized ARP prevents the DHCP server from dynamically learning illegitimate ARP
responses. Only clients to which the DHCP server assigns IP addresses get ARP entries (called
authorized ARP entries), and these are added automatically from the DHCP exchange rather than
from ARP response packets. If an attacker forges the IP or MAC address of a legitimate DHCP
client to originate an ARP request, the IP/MAC pair does not match the authorized ARP entries
recorded by the gateway (the DHCP server), and no response is returned. In this way, the attacker
fails to access the network by forging a legitimate IP or MAC address.
Authorized ARP entries do not age. When DHCP clients release their leases or go offline, their
authorized ARP entries are automatically deleted from the ARP table.
Authorized ARP entries have a higher priority than dynamic ARP entries but a lower priority than
static ARP entries. A new authorized ARP entry overrides a duplicate dynamic ARP entry, but not
a static ARP entry; conversely, an authorized ARP entry can be overridden by a duplicate static
ARP entry.

Procedure
Step 1 Access the system view.
system-view

Step 2 Enable authorized ARP function.


dhcp arpbind enable

By default, the authorized ARP function is disabled.

----End
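The precedence rules for static, authorized and dynamic entries (8.10.2 and this section), the DHCPACK/release life cycle of authorized entries, the gateway's refusal to answer a forged IP/MAC pair, and the gratuitous ARP learning rule of 8.10.6.1 (an existing dynamic entry is refreshed regardless of the learn switch, a new entry is created only when learning is on) can all be exercised in one small model. The following Python code is an added example written for this page, not NGFW code; the table logic is the author's simplification of the behaviour the text describes, and the IP/MAC values are constructed.

```python
"""Model of the ARP-table rules described in this guide (added example, not NGFW code).

Precedence, highest first: static > authorized > dynamic. A new entry replaces an
existing one for the same IP only if its priority is >= the existing entry's.
Authorized entries are created by the DHCP server on DHCPACK and removed on release;
a gratuitous ARP refreshes an existing dynamic entry always, but creates a new entry
only when gratuitous-arp learning is enabled on the interface.
"""
import struct
from dataclasses import dataclass

PRIORITY = {"dynamic": 1, "authorized": 2, "static": 3}


@dataclass
class ArpEntry:
    ip: str
    mac: str
    kind: str          # "static", "authorized" or "dynamic"


def build_gratuitous_arp(mac, ip):
    """Ethernet broadcast frame carrying an ARP request whose sender and target IP are
    both `ip` (MAC in the guide's xxxx-xxxx-xxxx notation, target MAC zeroed)."""
    mac_b = bytes.fromhex(mac.replace("-", ""))
    ip_b = bytes(int(o) for o in ip.split("."))
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac_b + ip_b + b"\x00" * 6 + ip_b
    return b"\xff" * 6 + mac_b + struct.pack("!H", 0x0806) + arp


def parse_arp(frame):
    """Return (sender_mac, sender_ip, target_ip, is_gratuitous) for an Ethernet/ARP frame."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0806:
        raise ValueError("not an ARP frame")
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]   # 14-byte Ethernet + 8-byte ARP head
    mac = "-".join(sha.hex()[i:i + 4] for i in (0, 4, 8))
    spa_s, tpa_s = ".".join(map(str, spa)), ".".join(map(str, tpa))
    return mac, spa_s, tpa_s, spa_s == tpa_s


class ArpTable:
    def __init__(self, gratuitous_learn=True, authorized_arp=False):
        self.entries = {}
        self.gratuitous_learn = gratuitous_learn   # gratuitous-arp learn enable
        self.authorized_arp = authorized_arp       # dhcp arpbind enable

    def _install(self, ip, mac, kind):
        cur = self.entries.get(ip)
        if cur is not None and PRIORITY[kind] < PRIORITY[cur.kind]:
            return False                           # a lower-priority entry never overrides
        self.entries[ip] = ArpEntry(ip, mac.lower(), kind)
        return True

    def add_static(self, ip, mac):
        return self._install(ip, mac, "static")

    def learn_reply(self, ip, mac):
        """Ordinary dynamic learning from an ARP reply."""
        return self._install(ip, mac, "dynamic")

    def learn_gratuitous(self, ip, mac):
        if ip not in self.entries and not self.gratuitous_learn:
            return False                           # no entry yet and learning is off
        return self._install(ip, mac, "dynamic")   # an existing dynamic entry is refreshed

    def ingest_frame(self, frame):
        mac, spa, _tpa, gratuitous = parse_arp(frame)
        return self.learn_gratuitous(spa, mac) if gratuitous else self.learn_reply(spa, mac)

    def dhcp_ack(self, ip, mac):
        """DHCP server side: DHCPACK installs an authorized entry (only with authorized ARP on)."""
        return self.authorized_arp and self._install(ip, mac, "authorized")

    def dhcp_release(self, ip):
        cur = self.entries.get(ip)
        if cur is not None and cur.kind == "authorized":
            del self.entries[ip]
            return True
        return False                               # static entries survive a client release

    def answer_request(self, sender_ip, sender_mac):
        """Gateway check on an incoming ARP request. With authorized ARP on, only a sender
        whose IP/MAC pair matches an authorized (or static) entry gets a reply; a forged pair
        gets none. Simplification: without authorized ARP every request is answered."""
        if not self.authorized_arp:
            return True
        cur = self.entries.get(sender_ip)
        return cur is not None and cur.kind != "dynamic" and cur.mac == sender_mac.lower()
```

A spoofed ARP reply for an IP that holds an authorized or static entry is rejected by `learn_reply`, a client that releases its lease loses its authorized entry, and a static entry configured on top of an authorized one survives the release; `ingest_frame` shows the gratuitous case end to end from the frame bytes.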

8.10.8 Maintaining ARP


After configuring ARP, you can run the display commands to view the ARP configuration. You
can also clear ARP entries or enable the debugging function if necessary.

8.10.8.1 Displaying ARP Configuration


After configuring ARP, you can run the display commands in any view to view the ARP
configuration.
Table 8-116 lists commands used to display the ARP configuration.

Table 8-116 Displaying the ARP configuration

Action: Display information about ARP mapping tables.
Command: display arp [ network net-number [ net-mask ] ] [ dynamic | static | authorized ] [ | { begin | exclude | include } regular-expression ]

Action: Display information about ARP mapping tables based on VPN instances.
Command: display arp vpn-instance vpn-instance-name [ dynamic | static | authorized ] [ | { begin | exclude | include } regular-expression ]

Action: Display information about ARP mapping tables based on interfaces.
Command: display arp interface interface-type interface-number [ vid vlan-id ] [ | { begin | exclude | include } regular-expression ]


8.10.8.2 Clearing ARP Entries


The mapping between IP and MAC addresses is deleted after you clear ARP entries. As a result,
users may fail to access some devices. Exercise caution when clearing ARP entries.

NOTE

Static ARP entries cannot be restored after being deleted. Exercise caution when you delete static ARP
entries.

Table 8-117 lists the commands for clearing ARP entries. You need to perform this action in the
user view.

Table 8-117 Clearing ARP entries

Action: Clear ARP entries in the ARP mapping table.
Command: reset arp [ all | dynamic [ ip-address ip-address [ vpn-instance { vpn-instance-name | public } ] ] | interface interface-type interface-number | static ]

8.10.8.3 Debugging ARP


If an ARP fault occurs, run the following debugging command in the user view to debug ARP
information, view the debugging information, and locate and analyze faults.
Before enabling the debugging, you must run the terminal monitor command in the user view
to enable the terminal information display function and the terminal debugging command in
the user view to enable the terminal debugging information display function.

NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.

For details on the description of the debugging command, see Debugging Reference.
Table 8-118 lists the commands to debug ARP information.

Table 8-118 Debugging ARP

Action: Enable the ARP packet debugging.
Command: debugging arp packet

8.10.9 Configuration Examples


This section provides examples for configuring ARP in different networking scenarios.


8.10.9.1 Example for Configuring Static ARP


This section describes how to configure static ARP. Static ARP helps provide communication
security between enterprise departments.

Networking Requirements
An NGFW shown in Figure 8-85 connects the departments of a company, and each department is in a
different VLAN. Hosts in the headquarters office and a file backup server have manually configured
IP addresses. Hosts in the other departments obtain IP addresses dynamically using DHCP.

Hosts in the marketing department can access the Internet and are frequently hit by ARP attack
packets. Attackers also attack the NGFW and modify the dynamic ARP entries on it. As a result,
communication between hosts in the headquarters and external devices is interrupted, and hosts
in the departments fail to access the file backup server. The company requires that static ARP
entries be configured on the NGFW so that the entries for the headquarters hosts and the file backup
server cannot be altered, allowing hosts in the headquarters to communicate with external devices
and hosts in the departments to access the file backup server.

Figure 8-85 Network diagram for configuring static ARP entries
[Figure: NGFW with GE1/0/2 to GE1/0/5 in the Trust zone. GE1/0/2 (10.10.10.10/24) connects the file backup server (10.10.10.1/24, MAC 0025-1185-8C21). GE1/0/3 connects the headquarters office, VLAN 10, 10.10.1.0/24 (Vlanif 10 at 10.10.1.20/24; PC_A is 10.10.1.1/24, MAC 0021-97cf-2238). GE1/0/4 connects the marketing department, VLAN 20, 10.10.2.0/24. GE1/0/5 connects the R&D department, VLAN 30, 10.10.3.0/24.]

Configuration Roadmap
The configuration roadmap is as follows:

NOTE

This example describes only ARP-related configurations, but not other configurations, such as DHCP.


1. Configure static ARP entries of hosts in the headquarters on the NGFW to prevent ARP
attack packets from altering ARP entries, which prevents communication interruptions.
2. Configure static ARP entries of the file backup server on the NGFW to prevent ARP attack
packets from altering ARP entries, which prevents failures in accessing the file backup
server.

Procedure
Step 1 Configure static ARP entries for the host in the headquarters.

# Create VLAN 10.


<NGFW> system-view
[NGFW] vlan 10
[NGFW-vlan-10] quit

# Add GigabitEthernet 1/0/3 to VLAN 10.


[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] portswitch
[NGFW-GigabitEthernet1/0/3] port access vlan 10
[NGFW-GigabitEthernet1/0/3] quit

# Configure an IP address for Vlanif 10.


[NGFW] interface Vlanif 10
[NGFW-Vlanif10] ip address 10.10.1.20 255.255.255.0
[NGFW-Vlanif10] quit

# Configure static ARP entries for hosts in the headquarters. The following example uses the
configuration on PC_A. In the static ARP entry, PC_A IP address 10.10.1.1 is mapped to the
MAC address 0021-97cf-2238, and the VLAN ID is 10.
[NGFW] arp static 10.10.1.1 0021-97cf-2238 vid 10

Step 2 Configure a static ARP entry for the file backup server.

# Configure an IP address for GigabitEthernet 1/0/2.


[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] ip address 10.10.10.10 255.255.255.0
[NGFW-GigabitEthernet1/0/2] quit

# Configure a static ARP entry for the file backup server to map the IP address 10.10.10.1/24
to the MAC address 0025-1185-8C21.
[NGFW] arp static 10.10.10.1 0025-1185-8C21

Step 3 Add interfaces to a security zone.

# Assign interfaces to the Trust zone.


[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/2
[NGFW-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW-zone-trust] add interface GigabitEthernet 1/0/4
[NGFW-zone-trust] add interface GigabitEthernet 1/0/5
[NGFW-zone-trust] quit

----End


Configuration Verification
1. Run the display arp static command on the NGFW to view static ARP entries.
[NGFW] display arp static
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/PVC
------------------------------------------------------------------------------
10.10.1.1       0021-97cf-2238            S                             10/-
10.10.1.2       0021-97cf-2239            S                             10/-
10.10.1.3       0021-97cf-2240            S                             10/-
10.10.10.1      0025-1185-8c21            S
------------------------------------------------------------------------------
Total:4   Dynamic:0   Static:4   Interface:0   Authorized:0   SNMP:0

2. Headquarters devices properly communicate with other departments, without interruptions.


3. All departments can access the file backup server.
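The verification output above, like the display arp static and display arp interface output in 8.10.3 and 8.10.4, has a fixed column layout that is easy to check by script. The following Python parser and checks are an added example, not part of this guide; the SAMPLE text is constructed in the guide's output format and is not a real capture. The checks confirm that every configured binding is present as a non-aging static (S) entry with the expected MAC, verify that the Total line agrees with the entries listed, and flag MACs shared by several dynamic entries, which is normal for a proxy-ARP gateway or a server cluster's virtual MAC (see 8.10.5) but, on a segment of ordinary hosts, is what ARP spoofing looks like.

```python
"""Parse `display arp` output and check static bindings (added example, not NGFW code)."""
import re
from collections import defaultdict

# Constructed sample in the guide's output format; not a capture from a real device.
SAMPLE = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE VLAN/PVC
------------------------------------------------------------------------------
10.10.1.1       0021-97cf-2238            S                             10/-
10.10.10.1      0025-1185-8c21            S
10.10.1.20      0022-a101-b5db            I    Vlanif10                 10/-
10.10.1.2       0021-97cf-2239  15        D    Vlanif10                 10/-
10.10.1.3       0021-97cf-2239  18        D    Vlanif10                 10/-
------------------------------------------------------------------------------
Total:5   Dynamic:2   Static:2   Interface:1   Authorized:0   SNMP:0
"""

ENTRY_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+"
    r"(?:(?P<expire>\d+)\s+)?"          # EXPIRE(M) is blank for entries that do not age
    r"(?P<type>[SDIA])"                 # S static, D dynamic, I interface, A authorized
    r"(?P<rest>.*)$"
)
TOTAL_RE = re.compile(r"(\w+):(\d+)")


def parse_display_arp(text):
    """Return (entries, totals). Columns after TYPE are optional, so they are identified
    by shape: a VLAN/PVC token looks like '10/-', anything else is interface then VPN."""
    entries, totals = [], {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            interface, vpn, vlan = None, None, None
            for tok in m.group("rest").split():
                if re.match(r"^\d+/", tok):
                    vlan = tok
                elif interface is None:
                    interface = tok
                else:
                    vpn = tok
            entries.append({"ip": m.group("ip"), "mac": m.group("mac").lower(),
                            "expire": int(m.group("expire")) if m.group("expire") else None,
                            "type": m.group("type"), "interface": interface,
                            "vpn": vpn, "vlan": vlan})
        elif line.startswith("Total:"):
            totals = {k: int(v) for k, v in TOTAL_RE.findall(line)}
    return entries, totals


def check_static_bindings(entries, expected):
    """expected: {ip: mac} as configured with `arp static`. Returns a list of findings;
    an empty list means every binding is present, correct and static."""
    by_ip = {e["ip"]: e for e in entries}
    findings = []
    for ip, mac in expected.items():
        e = by_ip.get(ip)
        if e is None:
            findings.append(f"{ip}: no ARP entry at all")
        elif e["mac"] != mac.lower():
            findings.append(f"{ip}: MAC {e['mac']} differs from configured {mac.lower()}")
        elif e["type"] != "S" or e["expire"] is not None:
            findings.append(f"{ip}: entry is type {e['type']} with EXPIRE {e['expire']}, "
                            "not a static entry")
    return findings


def shared_macs(entries):
    """MACs that several dynamic entries resolve to: {mac: [ip, ...]}."""
    ips = defaultdict(list)
    for e in entries:
        if e["type"] == "D":
            ips[e["mac"]].append(e["ip"])
    return {mac: sorted(v) for mac, v in ips.items() if len(v) > 1}


def totals_consistent(entries, totals):
    """The Total line must agree with the entries actually listed."""
    per_type = {"Static": "S", "Dynamic": "D", "Interface": "I", "Authorized": "A"}
    if totals.get("Total") != len(entries):
        return False
    return all(totals.get(name, 0) == sum(1 for e in entries if e["type"] == t)
               for name, t in per_type.items())
```

For the example above, `check_static_bindings(entries, {"10.10.1.1": "0021-97cf-2238", "10.10.10.1": "0025-1185-8C21"})` returns no findings, while asking it to confirm 10.10.1.2 reports that the entry is dynamic and aging, and `shared_macs` reports that 10.10.1.2 and 10.10.1.3 both resolve to 0021-97cf-2239.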

Configuration Script
#
sysname NGFW
#
vlan batch 1 10 20 30
#
interface Vlanif 10
ip address 10.10.1.20 255.255.255.0
#
interface GigabitEthernet1/0/2
ip address 10.10.10.10 255.255.255.0
#
interface GigabitEthernet1/0/3
portswitch
port link-type access
port access vlan 10
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
add interface GigabitEthernet1/0/3
add interface GigabitEthernet1/0/4
add interface GigabitEthernet1/0/5
#
arp static 10.10.1.1 0021-97cf-2238 vid 10
arp static 10.10.10.1 0025-1185-8C21
#
return

8.10.9.2 Example for Configuring Proxy ARP


This section provides an example for configuring proxy ARP. Proxy ARP implements
communication between branches on the same network segment but on different physical
networks.

Networking Requirements
Branches A and B of a company shown in Figure 8-86 are located in different cities. Multiple
routing devices are deployed between the branches, and routes between them are reachable. The
hosts and the routing devices are all addressed from the network segment 10.10.0.0/16, so the
hosts regard each other as on-link, but the branches are different broadcast domains and cannot
communicate at Layer 2. The hosts have no gateway configuration for the other branch and
therefore cannot communicate across network segments on their own.

The company requires that branches A and B communicate without changing host
configurations.

Figure 8-86 Proxy ARP
[Figure: Branch A (Host_A 10.10.1.2/16, MAC 0021-97cf-2238) -- GE1/0/3 10.10.1.1/24 of NGFW_A (Trust zone) -- routed network -- GE1/0/3 10.10.2.1/24 of NGFW_B (Trust zone) -- Branch B (Host_B 10.10.2.2/16, MAC 0025-1185-8C21)]

Configuration Roadmap
The configuration roadmap is as follows:

NOTE

This example describes only ARP-related configurations, but not configurations, such as routes between
branches A and B.

1. Enable proxy ARP on the interface of NGFW_A connected to branch A.


2. Enable proxy ARP on the interface of NGFW_B connected to branch B.
3. Configure routes to ensure that NGFW_A and branch B are reachable to each other, and
NGFW_B and branch A are reachable to each other.

Procedure
Step 1 Configure NGFW_A.

# Configure an IP address for GigabitEthernet 1/0/3.


<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.10.1.1 255.255.255.0

# Enable proxy ARP.


[NGFW_A-GigabitEthernet1/0/3] arp-proxy enable
[NGFW_A-GigabitEthernet1/0/3] quit

# Assign interfaces to security zones.


[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_A-zone-trust] quit


Step 2 Configure NGFW_B.


# Configure an IP address for GigabitEthernet 1/0/3.
<NGFW_B> system-view
[NGFW_B] interface GigabitEthernet 1/0/3
[NGFW_B-GigabitEthernet1/0/3] ip address 10.10.2.1 255.255.255.0

# Enable proxy ARP.


[NGFW_B-GigabitEthernet1/0/3] arp-proxy enable
[NGFW_B-GigabitEthernet1/0/3] quit

# Assign interfaces to security zones.


[NGFW_B] firewall zone trust
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_B-zone-trust] quit

----End

Configuration Verification
# Select host_A in branch A and select host_B in branch B. Run the ping command on host_A
to ping host_B. The ping is successful.
C:\Documents and Settings\Administrator>ping 10.10.2.2

Pinging 10.10.2.2 with 32 bytes of data:

Reply from 10.10.2.2: bytes=32 time=3ms TTL=126


Reply from 10.10.2.2: bytes=32 time=11ms TTL=126
Reply from 10.10.2.2: bytes=32 time=2ms TTL=126
Reply from 10.10.2.2: bytes=32 time=1ms TTL=126

Ping statistics for 10.10.2.2:


Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 11ms, Average = 4ms

# View the ARP table of host_A. You can see that the MAC address of host_B is the MAC
address of GigabitEthernet 1/0/3 on NGFW_A.
C:\Documents and Settings\Administrator>arp -a
Interface: 10.10.1.2 --- 0x3
Internet Address Physical Address Type
10.10.1.1 00-22-a1-01-b5-db dynamic
10.10.2.2 00-22-a1-01-b5-db dynamic

# View the ARP table of host_B. You can see that the MAC address of host_A is the MAC
address of GigabitEthernet 1/0/3 on NGFW_B.
C:\Documents and Settings\Administrator>arp -a

Interface: 10.10.2.2 --- 0x2


Internet Address Physical Address Type
10.10.1.2 00-e0-fc-00-00-00 dynamic
10.10.2.1 00-e0-fc-00-00-00 dynamic

Configuration Scripts
Configuration script for NGFW_A:
#
sysname NGFW_A


#
interface GigabitEthernet1/0/3
ip address 10.10.1.1 255.255.255.0
arp-proxy enable
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
return

Configuration script for NGFW_B:


#
sysname NGFW_B
#
interface GigabitEthernet1/0/3
ip address 10.10.2.1 255.255.255.0
arp-proxy enable
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
return

8.10.9.3 Example for Configuring Inner-VLAN Proxy ARP


Inner-VLAN proxy ARP enables isolated users in one VLAN to communicate.

Networking Requirements
As shown in Figure 8-87, a switch connects to GigabitEthernet 1/0/2 on the NGFW. VLAN 10
is set on GigabitEthernet 1/0/2.

Host_A and Host_B are attached to the switch. The interfaces connecting the switch to the hosts
belong to one VLAN but are isolated.

Inner-VLAN proxy ARP can be enabled on GigabitEthernet 1/0/2 of the NGFW to allow Host_A
to communicate with Host_B.


Figure 8-87 Networking diagram for inner-VLAN proxy ARP
[Figure: NGFW GE1/0/2 (VLANIF 10, 10.10.1.12/24, Trust zone) -- Switch -- Host_A 10.10.1.10/24 and Host_B 10.10.1.100/24, both in VLAN 10]

Configuration Roadmap
NOTE

This example focuses on ARP-related configurations. Port isolation and switch-related configurations are
not described.

1. Create a VLAN and a VLANIF interface on the NGFW, add GigabitEthernet 1/0/2 to the VLAN, and
set an IP address for VLANIF 10.
2. Enable inner-VLAN proxy ARP on VLANIF 10 of the NGFW.

Procedure
Step 1 Create a VLAN and a VLANIF interface on the NGFW, add GigabitEthernet 1/0/2 to the VLAN,
and set an IP address for VLANIF 10.

# Create VLAN 10.


<NGFW> system-view
[NGFW] vlan 10
[NGFW-vlan10] quit

# Add GigabitEthernet 1/0/2 to VLAN 10.


[NGFW] interface GigabitEthernet 1/0/2
[NGFW-GigabitEthernet1/0/2] portswitch
[NGFW-GigabitEthernet1/0/2] port link-type trunk
[NGFW-GigabitEthernet1/0/2] port trunk vlan 10 tagged
[NGFW-GigabitEthernet1/0/2] quit

# Create a VLANIF interface and set an IP address for the interface.


NOTE

The gateway address of Host_A must be the IP address of a VLANIF interface. Host_A and Host_B
configurations are not described in detail.

[NGFW] interface vlanif 10
[NGFW-Vlanif10] ip address 10.10.1.12 255.255.255.0
[NGFW-Vlanif10] quit

Step 2 Enable inner-VLAN proxy ARP in VLAN 10 on the interface.

# Enable inner-VLAN proxy ARP.


[NGFW] interface vlanif 10
[NGFW-vlanif10] arp-proxy inner-sub-vlan-proxy enable
[NGFW-vlanif10] quit

# Add the interface to a security zone.


[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/2
[NGFW-zone-trust] quit

----End

Configuration Verification
# Host_A and Host_B can ping each other.
C:\Documents and Settings\Administrator>ping 10.10.1.100

Pinging 10.10.1.100 with 32 bytes of data:

Reply from 10.10.1.100: bytes=32 time=3ms TTL=126
Reply from 10.10.1.100: bytes=32 time=11ms TTL=126
Reply from 10.10.1.100: bytes=32 time=2ms TTL=126
Reply from 10.10.1.100: bytes=32 time=1ms TTL=126

Ping statistics for 10.10.1.100:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 11ms, Average = 4ms

Configuration Script
#
sysname NGFW
#
vlan batch 10
#
interface GigabitEthernet1/0/2
portswitch
port link-type trunk
port trunk vlan 10 tagged
#
interface Vlanif 10
ip address 10.10.1.12 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/2
#
return


8.10.10 Troubleshooting ARP Faults


This section describes the procedure for troubleshooting ARP faults.

Symptom
Figure 8-88 shows the typical networking. The physical links are correctly connected and configured,
and the interface is in Up state, but the remote device cannot be pinged.

Figure 8-88 Typical ARP networking

[Figure: GE1/0/3 of the NGFW connects to a router.]

Possible Causes
VLAN attributes are incorrect.


Fault Diagnosis

Figure 8-89 Flowchart for troubleshooting ARP faults

[Flowchart: the interface is in Up state but the remote device cannot be pinged. Check whether remote ARP entries are learned; if they are and the interface is a Vlanif interface, check the ARP entries of that Vlanif interface. If they are not, run the ping command to trigger the sending and receiving of ARP packets and view the debugging output; check whether ARP packets are sent and received normally and whether the statistics on received and sent packets are correct, then check the receiving and sending of ICMP packets. If the fault is rectified, end; otherwise record the locating process, the displayed debugging information and the interface statistics, and seek technical support.]

Procedure
Step 1 Run the display arp command and check whether remote ARP entries are learned.
<NGFW> display arp
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE   VLAN/PVC
------------------------------------------------------------------------------
10.1.196.208    0018-8239-1e63            I    GE1/0/3
10.1.196.20     0021-97cf-cfc1  16        D    GE1/0/3
10.1.196.4      001e-90a0-154f  16        D    GE1/0/3
10.1.196.8      001e-9060-405a  20        D    GE1/0/3
10.1.196.216    00e0-fcfc-1010  20        D    GE1/0/3
------------------------------------------------------------------------------
Total:5 Dynamic:4 Static:0 Interface:1 Authorized:0 SNMP:0

The IP ADDRESS field is the IP address and the MAC ADDRESS field is the MAC address of each entry.

The TYPE field displays the following values:
l I: a MAC address of the interface itself.
l D: a dynamic entry obtained using ARP packets.

l If remote ARP entries are learned by the NGFW, verify the Vlanif interface configuration and
go to Step 4.
l If remote ARP entries are not learned by the NGFW, go to Step 2.
Step 2 Check whether ARP packets are properly sent and received.
Run the debugging arp packet command on the NGFW.
<NGFW> debugging arp packet
<NGFW> terminal monitor
Info:Current terminal monitor is on
<NGFW> terminal debugging
Info:Current terminal debugging is on

If ARP packets are correctly sent and received, the following information is displayed.
*0.1090420 NGFW ARP/7/arp_send:Send an ARP Packet, operation : 1, sender_eth_addr : 0018-8239-1e63,sender_ip_addr : 10.1.196.208, target_eth_addr : 00e0-4c84-0b04, target_ip_addr : 10.1.196.2

*0.1083955 NGFW ARP/7/arp_rcv:Receive an ARP Packet, operation : 2, sender_eth_addr : 00e0-fcfc-1010, sender_ip_addr : 10.1.196.216, target_eth_addr : 0000-0000-0000, target_ip_addr : 10.1.196.216

If the remote end can be pinged, both request and reply packets are displayed. If a fault occurs,
only the request packets are displayed, or neither request nor reply packets are displayed.
If packets are properly sent and received by the upper layer, run the debugging ethernet packet
arp interface GigabitEthernet 1/0/3 command and check whether packets are properly sent at
the data link layer.
<NGFW> debugging ethernet packet arp interface GigabitEthernet 1/0/3
<NGFW> terminal monitor
Info:Current terminal monitor is on
<NGFW> terminal debugging
Info:Current terminal debugging is on

*0.3743890 NGFW ETH/7/eth_rcv:Receive an Eth Packet, interface : GigabitEthernet1/0/3, eth format: 0, length: 60, prototype: 0806 arp, src_eth_addr: 001e-9060-405a, dst_eth_addr: 0018-8239-1e63

*0.3743789 NGFW ETH/7/eth_send:Send an Eth Packet, interface : GigabitEthernet1/0/3, eth format: 0, length: 42, prototype: 0806 arp, src_eth_addr : 0018-8239-1e63, dst_eth_addr : ffff-ffff-ffff

The previous information shows that ARP request packets are properly sent at the data link layer.
Go to Step 3.
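The first two steps of this procedure can be walked mechanically from output copied off the terminal. The following Python is an added example, not Huawei code: it parses the display arp table and the debugging arp packet lines in the formats shown above and returns the branch of the flowchart to take for one remote address. The sample table and debugging lines at the bottom are constructed for this example, and the branch names and advice strings are this example's own.

```python
"""Triage helper for Steps 1 and 2 of the ARP troubleshooting procedure.

Added example, not Huawei code: it parses text copied from the terminal
(the "display arp" table and "debugging arp packet" lines in the formats
shown above) and returns the branch of the flowchart to take next.
The sample outputs at the bottom are constructed for this example.
"""
import re
from typing import Dict, List, Tuple

# One row of "display arp": ip, mac, optional EXPIRE(M), TYPE, INTERFACE.
ARP_ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+"
    r"(?:(\d+)\s+)?([IDS])\s+(\S+)",
    re.MULTILINE,
)
# A "debugging arp packet" line: direction, operation, then "key : value" pairs.
ARP_DEBUG = re.compile(r"ARP/7/arp_(send|rcv):.*?operation : (\d+)(.*)$")
KEY_VALUE = re.compile(r"(\w+) : ([0-9a-f.\-]+)")


def parse_display_arp(text: str) -> Dict[str, dict]:
    """Map each IP address in the table to its MAC, expiry, type and interface."""
    entries = {}
    for ip, mac, expire, typ, iface in ARP_ROW.findall(text):
        entries[ip] = {
            "mac": mac,
            "expire": int(expire) if expire else None,  # 'I' rows have none
            "type": typ,  # I = interface itself, D = dynamic, S = static
            "interface": iface,
        }
    return entries


def parse_arp_debug(text: str) -> List[dict]:
    """Extract direction, operation and addresses from each debugging line."""
    packets = []
    for line in text.splitlines():
        match = ARP_DEBUG.search(line)
        if not match:
            continue
        packet = {"dir": match.group(1), "op": int(match.group(2))}
        packet.update(KEY_VALUE.findall(match.group(3)))
        packets.append(packet)
    return packets


def triage(display_arp: str, arp_debug: str, peer_ip: str) -> Tuple[str, str]:
    """Return (branch, advice) following the flowchart for one remote address."""
    entries = parse_display_arp(display_arp)
    if peer_ip in entries and entries[peer_ip]["type"] == "D":
        return ("CHECK_VLANIF",
                "Remote entry learned: verify the Vlanif configuration (Step 4).")
    packets = parse_arp_debug(arp_debug)
    requests = [p for p in packets if p["dir"] == "send" and p["op"] == 1
                and p.get("target_ip_addr") == peer_ip]
    replies = [p for p in packets if p["dir"] == "rcv" and p["op"] == 2
               and p.get("sender_ip_addr") == peer_ip]
    if requests and replies:
        return ("CHECK_STATS",
                "Request and reply both seen: check interface statistics (Step 3).")
    if requests:
        return ("CHECK_LINK_LAYER",
                "Requests sent but no reply: run debugging ethernet packet arp.")
    return ("NO_ARP_SENT",
            "Upper layer sends no request: record the debugging output for support.")


# Constructed sample output in the format of the excerpts above.
SAMPLE_ARP = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE INTERFACE   VPN-INSTANCE   VLAN/PVC
------------------------------------------------------------------------------
10.1.196.208    0018-8239-1e63            I    GE1/0/3
10.1.196.20     0021-97cf-cfc1  16        D    GE1/0/3
------------------------------------------------------------------------------
Total:2 Dynamic:1 Static:0 Interface:1 Authorized:0 SNMP:0
"""
REQUEST_LINE = ("*0.1090420 NGFW ARP/7/arp_send:Send an ARP Packet, operation : 1, "
                "sender_eth_addr : 0018-8239-1e63,sender_ip_addr : 10.1.196.208, "
                "target_eth_addr : 0000-0000-0000, target_ip_addr : 10.1.196.216")
REPLY_LINE = ("*0.1090431 NGFW ARP/7/arp_rcv:Receive an ARP Packet, operation : 2, "
              "sender_eth_addr : 00e0-fcfc-1010, sender_ip_addr : 10.1.196.216, "
              "target_eth_addr : 0018-8239-1e63, target_ip_addr : 10.1.196.208")

if __name__ == "__main__":
    print(triage(SAMPLE_ARP, REQUEST_LINE + "\n" + REPLY_LINE, "10.1.196.216"))
    print(triage(SAMPLE_ARP, REQUEST_LINE, "10.1.196.216"))
    print(triage(SAMPLE_ARP, "", "10.1.196.20"))
```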
Step 3 Check whether statistics about sent and received packets are correct.
Run the display this interface command in the interface view or the display interface interface-
type interface-number command in any view to view packet statistics.


<NGFW> display interface GigabitEthernet 1/0/3


GigabitEthernet1/0/3 current state : UP
Line protocol current state : UP
Description : Route Port
The Maximum Transmit Unit is 1500 bytes, Hold timer is 10(sec)
Internet Address is 10.1.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 0022-a106-0e5b
Media type is twisted pair, loopback not set, promiscuous mode not set
1000Mb/s-speed mode, full-duplex mode, link type is auto negotiation
QoS max-bandwidth : 1000000 Kbps
Output queue : (Urgent queue : Size/Length/Discards) 0/50/0
Output queue : (Frag queue : Size/Length/Discards) 0/1000/0
Output queue : (Protocol queue : Size/Length/Discards) 0/1000/0
Output queue : (FIFO queue : Size/Length/Discards) 0/256/0
Last 300 seconds input rate 2619 bytes/sec, 16 packets/sec
Last 300 seconds output rate 28627 bytes/sec, 26 packets/sec
Input: 277618 packets, 46890659 bytes
275866 unicasts, 1740 broadcasts, 12 multicasts, 0 pauses
0 overruns, 0 runts, 0 jumbos, 0 FCS errors
0 length errors, 0 code errors, 0 align errors
0 fragment errors, 0 giants, 0 jabber errors
0 dribble condition detected, 0 other errors
Output: 303774 packets, 157242945 bytes
285539 unicasts, 6 broadcasts, 18229 multicasts, 0 pauses
0 underruns, 0 runts, 0 jumbos, 0 FCS errors
0 fragment errors, 0 giants, 0 jabber errors
0 collisions, 0 late collisions
0 ex. collisions, 0 deferred, 0 other errors

In the preceding command output, check the following fields:


l Input: the number of received packets
l Output: the number of sent packets
l unicasts: the number of unicast packets
l broadcasts: the number of broadcast packets
l multicasts: the number of multicast packets

l For ARP request packets, check the broadcast packet statistics, because requests are broadcast.
l For ARP reply packets, check the unicast packet statistics, because replies are unicast.

If any of the following faults occurs, record the locating process, the displayed debugging
information, and the interface statistics, and contact technical support personnel.

l The upper layer does not send ARP request or reply packets, or sends them incorrectly.
l The upper layer correctly sends ARP request or reply packets, but the data link layer does
not send ARP packets or sends them incorrectly.
l The upper layer correctly sends ARP request or reply packets, and the data link layer properly
sends and receives these packets, but the interface does not collect statistics about sent and
received packets.

Step 4 Check the Vlanif interface.

On a Vlanif interface, host routes are updated in synchronization with ARP entries. Run the
display fib command to check whether the FIB table has been updated. Skip this step for physical
interfaces and other logical interfaces.
<NGFW> display fib
Fib Flags: B - blackhole, D - dynamic, G - gateway, H - host, S - static
U - up
------------------------------------------------------------------------------
FIB Table:
Total number of Routes : 4
Destination/Mask Nexthop Flag TimeStamp Interface TunnelID
10.2.0.1/32 10.2.0.1 HU t[77] InLoop0 0x0
10.2.0.0/8 10.2.0.1 U t[77] InLoop0 0x0
10.3.1.1/32 10.2.0.1 HU t[105] InLoop0 0x0
10.3.1.0/24 10.3.1.1 U t[105] GE1/0/3 0x0

NOTE

Collect information, preserve the faulty scenario, and contact technical support personnel in either of the
following situations:
l ARP entries on the main processing unit (MPU) of the Vlanif interface are inconsistent with those on
a line interface processing unit (LPU).
l ARP entries are consistent but host routes are not updated.

Step 5 Check whether ICMP packets are properly sent and received.

Perform the following operations:

1. Run the debugging ip packet acl acl-number command in the user view and check
information about both sent and received IP packets.
2. Run the debugging ip icmp command and collect more information to locate the fault.

If the fault persists, contact technical support personnel.

----End

8.10.11 Feature Reference


This section provides ARP references.

8.10.11.1 Feature History


This section describes the versions and changes in the address resolution protocol (ARP) feature.

Version Change Description

V100R001C20SPC700 Added proxy ARP in a VLAN.

V100R001C00 The first version.

8.10.11.2 Reference Standards and Protocols


This section provides ARP standards and protocols.

ARP standards and protocols are as follows:

l RFC 826: Ethernet Address Resolution Protocol
l RFC 903: Reverse Address Resolution Protocol
l RFC 1027: Using ARP to Implement Transparent Subnet Gateways
l RFC 1042: Standard for the Transmission of IP Datagrams over IEEE 802 Networks


8.11 VLAN
This section describes virtual local area network (VLAN) concepts and how to configure a
VLAN, as well as provides configuration examples.

8.11.1 Overview
The virtual local area network (VLAN) technology adds a VLAN tag to the traditional Ethernet
frame header to identify the VLAN in a data packet.

Definition
A LAN is divided into several logical "LANs" (VLANs), with each VLAN functioning as a
broadcast domain.

Objective
The following problems occur in a traditional LAN:
l Conflicts occur if more than one node attempts to send messages at the same time.
l The information from any node is sent to all other nodes. A method is required to send a
message that is destined for a node or multiple nodes, instead of all nodes.
l Information security is reduced because all hosts share the same transmission channel.
As the number of computers on a network grows, collisions increase and network efficiency
deteriorates, so collision domains form in the network. Ethernet uses Carrier Sense Multiple
Access/Collision Detect (CSMA/CD) to detect collisions, but CSMA/CD cannot completely remove
their impact.
Ethernet is also a broadcast network. If a large number of computers send information at the
same time, broadcast traffic consumes a great deal of bandwidth.
Therefore, a traditional network has two problems: collision domains and broadcast domains. In
addition, the traditional network cannot ensure information security.
To expand a traditional LAN to accommodate more computers and to prevent collisions, the
following devices were introduced:
l Bridge
l Layer 2 switch
Bridges and switches forward information from an inbound interface to an outbound interface
in switching mode. Collisions occur only on ports and do not affect the shared media.

NOTE

The switch in this chapter refers to the Layer 2 LAN switch.

Introducing switches into the network solves the collision domain problem through fast Layer 2
switching. It does not, however, solve the broadcast domain problem or the information security
weakness that the broadcast domain causes.
To reduce broadcast storms, hosts that do not need to access each other must be isolated from
each other. Routers select routes based on IP addresses, so using a router to connect two network
segments effectively controls broadcast problems. Routers, however, are costly. VLANs were
introduced to address this.

The VLAN technology divides a LAN into logical "LANs" (VLANs), with each VLAN
functioning as a broadcast area. Hosts in each VLAN communicate with each other in the same
way as hosts in a LAN. VLANs cannot interact with each other directly. Therefore, broadcast
packets are transmitted within a single VLAN.

VLANs can improve data security. For example, several enterprise clients rent one building and
each requires its own LAN. Building separate LANs is costly, but if all clients share one LAN,
information security cannot be guaranteed.

VLANs allow different clients to share a LAN while improving information security.

Figure 8-90 VLAN networking

[Figure: a router connects Switch1, Switch2 and Switch3; the PCs on the switches belong to VLAN-A, VLAN-B and VLAN-C.]

As shown in Figure 8-90, the network is a typical VLAN application. Three switches are placed
at different sites, much like different floors in a building. Each switch is connected to three
PCs. These PCs belong to three VLANs, which are enclosed by dashed blocks. Each VLAN
corresponds to an enterprise client.

8.11.2 Mechanism
This section describes the virtual local area network (VLAN) mechanism.


VLAN Frame Format


The IEEE 802.1q standard modifies the Ethernet frame format by adding a 4-byte 802.1q tag
between the source MAC address and the protocol type fields, as shown in Figure 8-91.

Figure 8-91 VLAN frame format defined in 802.1q

Field:  Destination Address | Source Address | 802.1Q Tag | Length/Type | Data          | FCS (CRC-32)
Length: 6 bytes             | 6 bytes        | 4 bytes    | 2 bytes     | 42-1500 bytes | 4 bytes

802.1Q Tag: Type (16 bits) | PRI (3 bits) | CFI (1 bit) | VID (12 bits)

An 802.1q tag contains the following fields:

l Type field: a 16-bit frame type. The value 0x8100 indicates an 802.1q tagged frame, which
is discarded by devices that do not support the 802.1q standard.
l PRI field: a 3-bit priority value of a frame. The value ranges from 0 to 7. The greater the
value, the higher the priority. If a switch is congested, the switch preferentially forwards
packets with high priorities.
l Canonical format indicator (CFI) field: This field is 1 bit long. The value 1 indicates the
non-canonical format, and the value 0 indicates the canonical format.
l VID field: specifies the ID of a VLAN to which a frame belongs. This field is 12 bits long.

Link Types
VLAN links are classified into the following types:

l Access links: connect switches to hosts. The access links shown in Figure 8-92 connect
switches to PCs and transmit untagged Ethernet frames.
l Trunk links: connect switches. The trunk links shown in Figure 8-92 connect switches and
transmit tagged Ethernet frames.


Figure 8-92 Link types

[Figure: access links connect PCs in VLAN2 and VLAN3 to the switches; a trunk link connects the switches.]

Port Types
Only ports on some devices can identify VLAN frames defined in 802.1q. Based on their ability
to identify VLAN frames, ports are classified into the following types:

l Access ports
Access ports are switch ports that connect hosts only along access links. An access port has
the following characteristics:
– Only allows frames tagged with access port PVIDs to pass through. A PVID is a default
VLAN ID.
– Sends untagged Ethernet frames to the peer device.
l Trunk ports
Trunk ports connect a local switch to other switches. In other words, trunk ports can only
connect to trunk links. A trunk port has the following characteristics:
– Allows tagged frames of many VLANs to pass through.
– Only removes a tag with a default VLAN ID from a frame before sending the frame.
l Hybrid ports
Hybrid ports are switch ports that connect a local switch to hosts and to other switches.
Hybrid ports can be connected to both access and trunk links. A hybrid port allows tagged
frames of different VLANs to pass through and removes tags from some VLAN frames
before forwarding the frames.


VLAN Classification
VLANs can be classified into the following types:

l Port-based VLANs
A computer belongs to the VLAN configured on the network device port to which it is connected.
This method allows hosts to be easily grouped into VLANs. If a host in a VLAN is moved to
another place, the VLAN needs to be reconfigured.
l MAC address-based VLANs
Devices are allocated to VLANs based on MAC addresses of network interface cards.
VLAN settings remain even if hosts are moved to other places. All hosts within a VLAN
must be configured.
l Network layer protocol-based VLANs
Devices are allocated to VLANs based on network layer protocols. For example, hosts
running IP are grouped into a VLAN, and hosts running IPX are grouped into another
VLAN.

The NGFW supports only port-based VLANs.

VLAN Communication Principles


To help improve frame processing efficiency, frames are tagged when being processed within
a device.

The device processes frames based on the type of ports that receive the frames. Table 8-119
describes VLAN packet processing on different port types of a device.

Table 8-119 VLAN packet processing on different types of ports

Access port
Processing a received frame:
1. Checks whether the frame carries a VLAN tag:
l If the frame does not carry a VLAN tag, the port adds its PVID to the frame and goes to step 2.
l If the frame carries a VLAN tag with the PVID, the device goes to step 2. If the tag does not contain the PVID, the port discards the frame.
2. The device selects an outbound port based on the destination MAC address and VLAN ID carried in the frame.
Processing a frame to be sent:
Removes the PVID from the frame before sending it.

Trunk port
Processing a received frame:
1. Checks whether the frame carries a VLAN tag:
l If the frame is not tagged, the port adds its PVID to the frame and goes to step 2.
l If the frame carries a VLAN tag, the port checks whether the VLAN ID in the tag is permitted. If the VLAN ID is permitted, the switch goes to step 2. If the VLAN ID is not permitted, the port discards the frame.
2. The device selects an outbound port based on the destination MAC address and VLAN ID carried in the frame.
Processing a frame to be sent:
Checks the VLAN attribute of the port:
l If the frame carries a VLAN tag that contains the port PVID, the port removes the tag from the frame before sending the frame.
l If the frame carries a VLAN tag that does not contain the port PVID, and the port supports the VLAN ID, the port sends the frame as it is. If the port does not support the VLAN tag with a non-PVID, the port discards the frame.

Hybrid port
Processing a received frame:
1. Checks whether the frame carries a VLAN tag:
l If the frame is not tagged, the port adds its PVID to the frame and goes to step 2.
l If the frame carries a VLAN tag, the port checks whether the VLAN ID in the tag is permitted. If the VLAN ID is permitted, the device goes to step 2. If the VLAN ID is not permitted, the port discards the frame.
2. The device selects an outbound port based on the destination MAC address and VLAN ID carried in the frame.
NOTE
Trunk and hybrid ports use the same rules to process received data frames.
Processing a frame to be sent:
Checks the VLAN attribute of the port:
l If the port supports the tagged frame, the port checks which type of outgoing frame can be sent:
– If it permits untagged outgoing frames, the port removes the tag from the frame before sending the frame.
– If it permits tagged outgoing frames, it sends the frame as it is.
l If the port does not support tagged frames, the port discards the frame.
NOTE
If a hybrid port permits untagged frames, the hybrid port removes the VLAN Tag field that is the same as the PVID Tag field from a frame before sending it. If a hybrid port permits tagged frames, the hybrid port still removes the VLAN Tag field that is the same as the PVID Tag field from a frame before sending it.
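The tag fields of Figure 8-91 and the ingress and egress rules of Table 8-119 can be exercised end to end in a small model. The following Python is an added example, not code from the guide or the NGFW: parse_frame() decodes the TPID, PRI, CFI and VID of an 802.1Q tag, and Port applies the received-frame and to-be-sent rules for access, trunk and hybrid ports. The MAC addresses and payload are constructed, and treating the PVID as always permitted on trunk and hybrid ports is this model's assumption.

```python
"""802.1Q tag parsing and per-port-type VLAN handling.

Added example, not Huawei code: parse_frame() decodes the tag fields of
Figure 8-91 (TPID 0x8100, PRI, CFI, VID) and Port models the ingress and
egress rules of Table 8-119 for access, trunk and hybrid ports. Treating
the PVID as always permitted on trunk and hybrid ports is an assumption
of this model, not documented NGFW behaviour.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional, Set

TPID_8021Q = 0x8100


@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes
    vid: Optional[int] = None  # None means the frame is untagged
    pri: int = 0
    cfi: int = 0


def parse_frame(raw: bytes) -> Frame:
    """Decode an Ethernet frame, extracting the 802.1Q tag if present."""
    dst, src = raw[:6], raw[6:12]
    (etype,) = struct.unpack("!H", raw[12:14])
    if etype != TPID_8021Q:
        return Frame(dst, src, etype, raw[14:])
    # Tag = 16-bit TPID (0x8100) + 16-bit TCI laid out as PRI(3) CFI(1) VID(12)
    tci, etype = struct.unpack("!HH", raw[14:18])
    return Frame(dst, src, etype, raw[18:],
                 vid=tci & 0x0FFF, pri=tci >> 13, cfi=(tci >> 12) & 1)


def build_frame(frame: Frame, vid: Optional[int]) -> bytes:
    """Serialise a frame, inserting a tag with the given VID, or none."""
    header = frame.dst + frame.src
    if vid is not None:
        tci = (frame.pri << 13) | (frame.cfi << 12) | (vid & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", frame.ethertype) + frame.payload


@dataclass
class Port:
    kind: str  # "access", "trunk" or "hybrid"
    pvid: int
    tagged: Set[int] = field(default_factory=set)    # trunk permit list / hybrid tagged
    untagged: Set[int] = field(default_factory=set)  # hybrid VLANs sent untagged

    def ingress(self, frame: Frame) -> Optional[int]:
        """'Processing a Received Frame': VLAN to switch in, or None to discard."""
        if frame.vid is None:
            return self.pvid  # untagged frame: the port adds its PVID
        if self.kind == "access":
            return frame.vid if frame.vid == self.pvid else None
        # Trunk and hybrid ports use the same rule: is the VID permitted?
        permitted = {self.pvid} | self.tagged | self.untagged
        return frame.vid if frame.vid in permitted else None

    def egress(self, vid: int) -> Optional[str]:
        """'Processing a Frame to Be Sent': "tagged", "untagged" or None."""
        if vid == self.pvid or (self.kind == "hybrid" and vid in self.untagged):
            return "untagged"  # PVID tag (or hybrid untagged VLAN) is removed
        if self.kind != "access" and vid in self.tagged:
            return "tagged"  # permitted non-PVID VLAN is sent as it is
        return None  # VLAN not supported on this port: discard


def forward(in_port: Port, out_port: Port, raw: bytes) -> Optional[bytes]:
    """Apply ingress on in_port and egress on out_port; None means dropped."""
    frame = parse_frame(raw)
    vid = in_port.ingress(frame)
    if vid is None:
        return None
    action = out_port.egress(vid)
    if action is None:
        return None
    return build_frame(frame, vid if action == "tagged" else None)


# Constructed sample addresses and payload for the demonstration.
HOST_A = bytes.fromhex("001e9060405a")
HOST_B = bytes.fromhex("001882391e63")
UNTAGGED_IP = build_frame(Frame(HOST_B, HOST_A, 0x0800, b"\x45" + b"\x00" * 19), None)

if __name__ == "__main__":
    access10 = Port("access", pvid=10)
    trunk = Port("trunk", pvid=1, tagged={10, 20})
    out = forward(access10, trunk, UNTAGGED_IP)
    print(parse_frame(out))  # leaves the trunk tagged with VID 10
```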

Intra-VLAN Communication
Hosts on a VLAN in the same area can directly communicate with each other. Hosts on the same
VLAN but in different areas (with multiple devices between them) can communicate with each
other using trunk links.

Figure 8-93 shows that hosts in the same department of an enterprise communicate with each
other across two NGFWs. Each department belongs to a specific VLAN. You can configure
trunk links to isolate service data of different departments to ensure data communication within
a department.


Figure 8-93 VLAN trunk links

[Figure: NGFW_A and NGFW_B are connected by a trunk link; each carries hosts in VLAN 2 and VLAN 3.]

Inter-VLAN Communication
Hosts of different VLANs use VLAN interfaces or Ethernet subinterfaces to communicate with
each other.

l Inter-VLAN communication using VLAN interfaces


VLAN interfaces function as Layer 3 physical interfaces to implement Layer 3 functions,
such as IP address settings and inter-VLAN data communication.
Figure 8-94 shows hosts of two departments attached to a NGFW. Hosts of one department
belong to VLAN100, and hosts of the other department belong to VLAN200. You can
configure a VLAN interface for each VLAN on the NGFW to allow hosts of the two
departments to communicate with each other.

Figure 8-94 VLAN interfaces

[Figure: the NGFW has VLANIF100 and VLANIF200, serving VLAN100 and VLAN200.]

Note the following issues:


– Layer 2 Ethernet interfaces connect the NGFW to PCs and are added to separate VLANs.
– Each interface on the NGFW can be connected to a single PC, which causes low data
transmission efficiency.
l Inter-VLAN communication using Ethernet subinterfaces
Unlike VLAN interfaces, Ethernet subinterfaces allow multiple PCs behind a switch to reach a
single interface of a NGFW to implement inter-VLAN communication.
Figure 8-95 shows hosts of two departments attached to a NGFW. Hosts in one department
belong to VLAN5, and hosts in the other department belong to VLAN6. You can configure
two subinterfaces on a single physical interface and add these subinterfaces to separate
VLANs. This approach allows VLANs to communicate with each other using a single
physical interface on a NGFW.

Figure 8-95 Ethernet subinterfaces

[Figure: GE1/0/0 of the NGFW carries subinterfaces GE1/0/0.1 (VLAN5) and GE1/0/0.2 (VLAN6) and connects to a switch with hosts in VLAN5 and VLAN6.]

The configuration requirements are as follows:


– Create two subinterfaces on an Ethernet interface that connects the NGFW to the switch
and add a subinterface to VLAN5 and the other to VLAN6 to enable the two VLANs
to communicate with each other.
– Configure 802.1Q encapsulation and assign an IP address to each subinterface.
– Change the type of the Ethernet interface that connects the switch to the NGFW from
access to trunk or hybrid to permit packets from VLAN5 and VLAN6.

8.11.3 Configuring a VLAN


This section describes how to configure a VLAN.

8.11.3.1 Basic VLAN Configurations


This section describes how to create a VLAN and add an interface to the VLAN.


Prerequisites
An interface has been switched to Layer 2 mode.

Context
IEEE 802.1q defines the following types of VLAN interfaces based on the ability of identifying
VLAN frames:

l Access ports
Access ports are ports that connect a switch to hosts. Access ports are connected only to
access links. An access port provides the following characteristics:
– Only frames tagged with a PVID of an access port can pass through the access port.
– Ethernet frames sent by an access port to a peer device never carry VLAN tags.
l Trunk ports
A trunk port connects a switch to another switch. A trunk port can only connect to a trunk
link. A trunk port provides the following characteristics:
– The trunk port allows tagged frames from multiple VLANs to pass through.
– Before a trunk port sends a tagged frame with a PVID, the trunk port removes the VLAN
tag from the frame. Frames sent by a trunk port do not carry tags only in this case.
l Hybrid ports
Hybrid ports are ports that connect a switch to hosts and other switches. Hybrid ports can
be connected to both access and trunk links. A hybrid port allows tagged frames of different
VLANs to pass through. An outbound hybrid port can remove tags of some VLAN frames
before sending the VLAN frames.

Procedure
l Configure an access port in the VLAN view.
1. Display the system view.
system-view

2. Create a VLAN and display the VLAN view.


vlan vlan-id

If a VLAN already exists, running this command directly displays the VLAN view.
3. Specify interfaces that can be added to the VLAN.
port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>

Only access ports can be successfully added using this command.


l Configure an access port in the Layer 2 Ethernet interface view.
1. Display the system view.
system-view

2. Create a VLAN and display the VLAN view.


vlan vlan-id

If a VLAN already exists, running this command directly displays the VLAN view.
3. Display the Layer 2 Ethernet interface view in the system view.
interface interface-type interface-number


4. Optional: Specify an interface type.
port link-type access

By default, a Layer 2 Ethernet interface works as an access port. If the type of an
interface is already set to Trunk or Hybrid, change it to Access using the port link-
type access command.
5. Set the ID of a VLAN to which the access port belongs.
port access vlan vlan-id

The command takes effect only on access ports.


l Configure a trunk port.
1. Display the system view.
system-view

2. Create a VLAN and display the VLAN view.


vlan vlan-id

If a VLAN already exists, running this command directly displays the VLAN view.
3. Display the Layer 2 Ethernet interface view in the system view.
interface interface-type interface-number

4. Set the interface type to trunk.
port link-type trunk

By default, a Layer 2 interface functions as an access port.


5. Specify the VLANs whose frames the trunk port permits.
port trunk permit vlan { start-vlan [ to end-vlan ] & <1-10> | all }

The command takes effect only on trunk ports.


6. Set the default VLAN ID of the trunk port.
port trunk pvid vlan-id

l Configure a hybrid port.


1. Display the system view.
system-view

2. Create a VLAN and display the VLAN view.


vlan vlan-id

If a VLAN already exists, running this command directly displays the VLAN view.
3. Display the Layer 2 Ethernet interface view in the system view.
interface interface-type interface-number

4. Set the interface type to hybrid.


port link-type hybrid

By default, a Layer 2 interface functions as an access port.


5. Specify the VLANs that the hybrid port permits and whether their frames are sent tagged or untagged.
port hybrid vlan { start-vlan [ to end-vlan ] & <1-10> | all } { tagged | untagged }

The command takes effect only on hybrid ports.


6. Set the default VLAN ID of the hybrid port.
port hybrid pvid vlan-id

----End


8.11.3.2 Configuring VLANIF Interfaces to Enable VLANs to Communicate


This section describes how to configure VLANIF interfaces to enable VLANs to communicate.

Context
You can create a VLANIF interface on a configured VLAN. The VLANIF interface functions
as a Layer 3 physical interface to implement Layer 3 features, such as IP address settings and
data communications among different VLANs.
Inter-VLAN communication through VLANIF interfaces applies only when the hosts in each
VLAN are located in different network segments. If the hosts of VLANs are located in the same
network segment, inter-VLAN communication can be implemented through Layer 2 interfaces.
For details, see 8.11.3.4 Configuring Inter-VLAN Communication Using Layer 2
Subinterfaces.

Procedure
Step 1 Access the system view.
system-view
Step 2 Create a VLANIF interface and access the VLANIF interface view.
interface vlanif vlan-id
If a VLANIF interface already exists, the VLANIF interface view is directly displayed after this
command is run.
Before you create a VLANIF interface, the VLAN must exist.
Step 3 Assign an IP address to the VLANIF interface.
ip address ip-address { mask | mask-length } [ sub ]
The IP addresses of different VLANIF interfaces must be on different network segments so that
users on different VLANs can communicate.

----End

8.11.3.3 Configuring Layer 3 Subinterfaces to Enable VLANs to Communicate


This section describes how to configure Layer 3 subinterfaces to enable VLANs to communicate.

Context
The most direct method for inter-VLAN communication is connecting VLANs to different Layer
3 interfaces to route the packets between VLANs. However, this method requires physical
interfaces. In contrast, creating Ethernet subinterfaces can avoid the use of more physical
interfaces.
Ethernet and Eth-Trunk interfaces support subinterfaces.
You can configure multiple subinterfaces on a single physical interface and assign each
subinterface to a specific VLAN. The VLANs can then communicate after being connected to
only a single physical interface.
Inter-VLAN communication through Layer 3 subinterfaces applies only when the hosts in each
VLAN are located in different network segments. If the hosts of VLANs are located in the same
network segment, inter-VLAN communication can be implemented through Layer 2 interfaces.


For details, see 8.11.3.4 Configuring Inter-VLAN Communication Using Layer 2
Subinterfaces.

Procedure
Step 1 Access the system view.
system-view

Step 2 Create a subinterface and access the subinterface view.


interface interface-type interface-number.subinterface-number

Step 3 Set the encapsulation type and the VLAN ID of the subinterface.
vlan-type dot1q vlan-id

Step 4 Assign an IP address to the subinterface.


ip address ip-address { mask | mask-length } [ sub ]

The subinterface and its main interface can be on the same primary network segment but must
use different subnet masks.

----End

8.11.3.4 Configuring Inter-VLAN Communication Using Layer 2 Subinterfaces


This section describes how to implement inter-VLAN communication by configuring Layer 2
subinterfaces.

Context
The device supports creating subinterfaces on Layer 2 Ethernet and Layer 2 Eth-Trunk interfaces.
Using a subinterface to terminate a VLAN allows for inter-VLAN forwarding.

Procedure
Step 1 Run the system-view command to access the system view.

Step 2 Switch the Layer 3 Ethernet interface to a Layer 2 Ethernet interface.


1. Run the interface interface-type interface-number command to access the interface view.
2. Run the portswitch command to configure a Layer 3 Ethernet interface to work in Layer
2 mode.
3. Run the quit command to return to the system view.

Step 3 Create Layer-2 subinterfaces.


1. Run the interface interface-type interface-number.subinterface-number command to
create a subinterface and access the subinterface view.
2. Run the vlan-type dot1q vlan-id command to configure the encapsulation type for the
subinterface and associate a VLAN ID with the subinterface.
Each subinterface receives or forwards only packets that carry the specified VLAN tag.
3. Run the portswitch command to configure the subinterface as a Layer 2 subinterface.
4. Run the quit command to return to the system view.


5. Repeat the previous substeps to create multiple Layer 2 subinterfaces.

Step 4 Add the subinterfaces created in Step 3 to the same VLAN so that the subinterfaces can
communicate.
1. Run the vlan vlan-id command to create a VLAN and access the VLAN view.
2. Run the port interface-type interface-number.subinterface-number command to add the
subinterfaces created in Step 3 to the same VLAN.
Subinterfaces must be in the same VLAN to communicate with each other.

----End

8.11.4 Maintaining a VLAN


After the VLAN is configured, you can run the display commands to display the VLAN
configurations.

You can check the VLAN configuration by running the commands listed in Table 8-120 in any
view.

Table 8-120 Displaying the VLAN configuration

Action                                              Command
Display the VLAN configuration.                     display vlan { vlan-id | all | brief | interface interface-type interface-number | port-default [ vid vlan-id ] | port-trunk [ vid vlan-id ] }
Display information about Vlanif interfaces.        display interface vlanif [ vlan-id ] [ | { begin | exclude | include } regular-expression ]
Display information about the VLANs that are        display port vlan [ interface-type interface-number ]
allowed to pass through a trunk interface.

8.11.5 Feature Reference


This section provides VLAN references.

8.11.5.1 Feature History


This section describes the versions and changes in the virtual local area network (VLAN) feature.

Version Change Description

V100R001C00 The first version.


8.11.5.2 Reference Standards and Protocols


This section provides VLAN standards and protocols.

VLAN standards and protocols are as follows:


l RFC 3069: VLAN Aggregation for Efficient IP Address Allocation
l IEEE 802.1Q: IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged
Local Area Networks
l IEEE 802.1ad: IEEE Standards for Local and Metropolitan Area Networks: Virtual Bridged
Local Area Networks- Amendment 4
l IEEE 802.10: IEEE Standards for Local and Metropolitan Area Networks: Standard for
Interoperable LAN/MAN Security
l YD/T 1260-2003: Technical and Testing Specification of Virtual LAN Based on Port

8.12 DHCP Snooping


This section describes concepts and the configuration procedure of Dynamic Host Configuration
Protocol (DHCP) snooping, as well as provides configuration examples.

8.12.1 Overview
DHCP snooping defends against the attacks launched using DHCP messages.

Definition
The Dynamic Host Configuration Protocol (DHCP) snooping, a DHCP security feature, filters
untrusted DHCP messages by creating and maintaining a binding table. This binding table
contains the following items:
l MAC addresses
l IP addresses
l IP leases
l Binding types
l VLAN IDs
l Interface information
DHCP snooping acts as a firewall between a DHCP client and a DHCP server.

Objective
DHCP snooping is used to prevent the following problems:
l DHCP denial of service (DoS) attacks
l Bogus DHCP server attacks
l Address Resolution Protocol (ARP) middleman attacks
l IP/MAC spoofing attacks

A DHCP-enabled device supports the following features to secure data transmission:
l MAC address limitation
l DHCP snooping binding table
l Bindings of IP and MAC addresses
l Option 82

DHCP snooping can apply to both Layer 2 and Layer 3 interfaces as shown in Figure 8-96 and
Figure 8-97.

Figure 8-96 DHCP snooping application on Layer 2 Interfaces
[Figure: user network, L2 network with DHCP snooping enabled, DHCP relay, L3 network and DHCP server; the trusted and untrusted interfaces are marked]

Figure 8-97 DHCP snooping application on Layer 3 Interfaces
[Figure: user network, L2 network, DHCP relay with DHCP snooping enabled, L3 network and DHCP server; the trusted and untrusted interfaces are marked]

DHCP snooping is used to prevent the following attacks:


l DHCP exhaustion attacks
l Bogus DHCP server attacks
l Middleman attack and IP/MAC spoofing attacks
l DoS attacks initiated by changing CHADDRs
The DHCP snooping working modes vary with the types of attacks, as shown in Table 8-121.

Table 8-121 Attack types and DHCP snooping working modes

Attack Type                                          DHCP Snooping Working Mode
DHCP exhaustion attack                               MAC address limitation
Bogus DHCP server attack                             Trusted/untrusted
Middleman attack or IP/MAC address spoofing attack   DHCP snooping binding table
DoS attack initiated by changing CHADDRs             Check on CHADDR fields in DHCP messages

8.12.2 Mechanism
This section describes the mechanism of Dynamic Host Configuration Protocol (DHCP)
snooping.


Bogus DHCP Server Attacks


A bogus DHCP server intercepts a broadcast DHCPREQUEST message and replies to the DHCP
client with a message carrying an incorrect gateway IP address, an incorrect Domain Name System
(DNS) server address, or an incorrect client IP address. The bogus DHCP server uses this
approach to launch denial of service (DoS) attacks. Figure 8-98 shows a bogus DHCP server
attack.

Figure 8-98 Bogus DHCP server attack
[Figure: DHCP server, DHCP client and DHCP pseudo server; message sequence: DHCP discovery (broadcast), DHCP offer (unicast from the pseudo server), DHCP request (broadcast), DHCP ack (unicast from the pseudo server)]

To prevent bogus DHCP server attacks, configure DHCP snooping, which works in either trusted
or untrusted mode.
You can configure a trusted or untrusted physical or VLAN interface. DHCPRESPONSE
messages (Offer, ACK, or NAK messages) received by an untrusted interface are directly
discarded to prevent bogus DHCP server attacks. Figure 8-99 shows DHCP snooping that works
in trusted or untrusted mode.

Figure 8-99 DHCP snooping
[Figure: DHCP snooping-enabled device with the DHCP client on an untrusted interface, the DHCP server on a trusted interface, and the DHCP pseudo server on an untrusted interface]

Middleman Attacks
A middleman sends a packet carrying its own MAC address and the IP address of a DHCP server.
Upon receipt, the client learns the IP and MAC addresses and considers the middleman as a
DHCP server and sends all packets to the middleman, not the DHCP server. After receiving the
packets, the middleman forwards the packet carrying its own MAC and IP addresses to the server.


The DHCP server learns the IP and MAC address and considers the middleman a client. The
DHCP server sends packets to the middleman, not the client. Figure 8-100 shows a middleman
attack.

A middleman relays data between the DHCP server and client. The DHCP server and client
assume that they have exchanged packets with each other.

Figure 8-100 Diagram for a middleman attack
[Figure: a middleman placed between the DHCP server and the DHCP client, with the exchanges numbered (1) to (3)]

IP/MAC Spoofing Attacks


An attacker sends a packet carrying the valid IP and MAC addresses of a client to a DHCP server.
The DHCP server mistakes the attacker as a legitimate client and learns the IP and MAC
addresses. The actual client, however, cannot access services provided by the DHCP server.
Figure 8-101 shows an IP/MAC spoofing attack.

Figure 8-101 IP/MAC spoofing attack
[Figure: DHCP server 10.1.1.1/32 (MAC 1-1-1), DHCP client 10.1.1.2/32 (MAC 2-2-2), attacker 10.1.1.3/32 (MAC 3-3-3); the address pair 10.1.1.2/32, MAC 2-2-2 appears as the spoofed identity]

A DHCP snooping binding table can be used to prevent IP/MAC spoofing and middleman
attacks.


When an interface receives an ARP or IP packet, the interface matches the source IP and MAC
addresses of the packet with entries in a local DHCP snooping binding table. Packets that match
the entries are forwarded, whereas unmatched packets are discarded. Figure 8-102 shows data
transmission based on a DHCP snooping binding table.
ARP packets or IP packets sent by clients with static IP addresses are discarded. This is because
these clients do not obtain IP addresses by sending DHCPREQUEST messages, and no DHCP
snooping binding entry exists for them. As a result, these clients are prevented from accessing
the network illegally. To allow the users with statically allocated IP addresses to access the
network, configuring a static DHCP snooping binding table is mandatory.
Similarly, packets from a client that uses the legitimate IP address of another client are discarded.
Such a client does not obtain its IP address by sending DHCPREQUEST messages, so the MAC
address and interface information recorded in the DHCP snooping binding entry for that IP
address do not match those of the spoofing client. In this way, these clients are prevented
from accessing the network illegally.

Figure 8-102 Data transmission based on a DHCP snooping binding table
[Figure: DHCP snooping-enabled device in front of the ISP network; packets matched in the binding table are forwarded, packets not matched in the binding table are discarded]

Entries in a DHCP snooping binding table are classified into the following types:
l Static entries: manually configured on an NGFW. These entries can only be manually
deleted.
l Dynamic entries: automatically learned by an NGFW using DHCP snooping. These entries
age after IP address leases expire.
Dynamic entries in a DHCP snooping binding table are automatically generated based on
DHCPACK messages sent by a DHCP server. The procedure for generating dynamic entries is
as follows:
l On a Layer 2 device:
– An Option 82-enabled Layer 2 device receives a DHCPREQUEST message and
appends Option 82 to the message. The Layer 2 device determines an outbound interface
to which a DHCPRESPONSE message is sent based on Option 82 and generates a
DHCP snooping binding entry.
– An Option 82-disabled Layer 2 device identifies interface information in messages
based on a MAC address table.
l On a Layer 3 device
A device obtains the IP address of an untrusted interface assigned by a DHCP server, the
MAC address of the interface, and the interface through which messages pass by monitoring
a DHCPRESPONSE message. An IP and MAC binding entry of the untrusted interface is
then generated. The dynamic binding entry has the same lease as the IP address of the client.
After the lease expires or the client releases the IP address, the entry is automatically
deleted.

DoS Attacks Initiated by Changing CHADDRs


An attacker may change the Client Hardware Address (CHADDR) field of DHCP messages while leaving
the source MAC address in the frame header unchanged, in an attempt to continually apply for IP
addresses. A device that checks only source MAC addresses cannot detect such messages.

Figure 8-103 DoS attacks initiated by changing CHADDRs
[Figure: layout of a DHCP message, 32 bits per row]
OP Code (1 byte) | Hardware Type (1 byte) | Hardware Length (1 byte) | HOPS (1 byte)
Transaction ID (XID) (4 bytes)
Seconds (2 bytes) | Flags (2 bytes)
Client IP Address (CIADDR) (4 bytes)
Your IP Address (YIADDR) (4 bytes)
Server IP Address (SIADDR) (4 bytes)
Gateway IP Address (GIADDR) (4 bytes)
Client Hardware Address (CHADDR) - 16 bytes
Server Name (SNAME) - 64 bytes
Filename - 128 bytes
DHCP Options

To prevent DoS attacks, enable DHCP snooping to check the CHADDR field in a
DHCPREQUEST message. If the CHADDR field matches the source MAC address in the frame
header, the message is forwarded. If the CHADDR field does not match the source MAC address,
the message is discarded.
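The three checks described in this section (server replies accepted only on trusted interfaces, CHADDR compared with the frame source MAC, and ARP/IP packets matched against the binding table with the nomatch action deciding for unbound addresses) as a small model, added here as an example and not Huawei code. Interface names, MAC addresses written in the page's 1-1-1 style, and all packets are constructed; the client interface that the device would resolve from its MAC table or Option 82 is passed in by the caller.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

SERVER_REPLIES = {"offer", "ack", "nak"}  # the DHCPRESPONSE messages named in the text


@dataclass(frozen=True)
class Binding:
    """One entry of the DHCP snooping binding table."""
    ip: str
    mac: str
    vlan: int
    interface: str
    static: bool = False  # static entries are configured, dynamic ones learned from ACKs


@dataclass
class Packet:
    kind: str                        # "arp", "ip" or "dhcp"
    src_mac: str                     # source MAC address in the frame header
    interface: str                   # ingress interface (constructed names)
    vlan: int = 1
    src_ip: Optional[str] = None
    dhcp_type: Optional[str] = None  # "discover", "request", "offer", "ack" or "nak"
    chaddr: Optional[str] = None     # CHADDR field of a DHCP message
    yiaddr: Optional[str] = None     # address assigned by the server in an ACK


class DhcpSnooping:
    def __init__(self, nomatch_action: str = "forward") -> None:
        self.trusted: Set[str] = set()          # interfaces towards the DHCP server
        self.bindings: Dict[str, Binding] = {}  # binding table keyed by client IP
        self.check_chaddr = False               # dhcp snooping check dhcp-chaddr
        self.nomatch_action = nomatch_action    # dhcp snooping nomatch-packet action
        self.drops = {"dhcp-reply": 0, "chaddr&src mac": 0, "arp": 0, "ip": 0}

    def handle(self, pkt: Packet, client_interface: str = "") -> Tuple[bool, str]:
        """Apply the snooping checks to one packet; return (forwarded, reason)."""
        if pkt.kind == "dhcp":
            return self._handle_dhcp(pkt, client_interface)
        return self._check_binding(pkt)

    def _handle_dhcp(self, pkt: Packet, client_interface: str) -> Tuple[bool, str]:
        if pkt.dhcp_type in SERVER_REPLIES:
            # Server replies are accepted only on a trusted interface (bogus server defense).
            if pkt.interface not in self.trusted:
                self.drops["dhcp-reply"] += 1
                return False, "server reply on untrusted interface discarded"
            if pkt.dhcp_type == "ack" and pkt.yiaddr and pkt.chaddr:
                # Learn a dynamic entry from the ACK. The device resolves the client's
                # interface from its MAC table or Option 82; here the caller passes it.
                self.bindings[pkt.yiaddr] = Binding(
                    pkt.yiaddr, pkt.chaddr.lower(), pkt.vlan, client_interface)
            return True, "server reply forwarded"
        # Client messages: CHADDR must equal the frame source MAC when the check is on.
        if self.check_chaddr and pkt.chaddr and pkt.chaddr.lower() != pkt.src_mac.lower():
            self.drops["chaddr&src mac"] += 1
            return False, "CHADDR differs from source MAC"
        return True, "client message forwarded"

    def _check_binding(self, pkt: Packet) -> Tuple[bool, str]:
        entry = self.bindings.get(pkt.src_ip or "")
        if entry is None:
            # No entry at all (e.g. a static address without a static binding):
            # the configured nomatch action decides.
            if self.nomatch_action == "discard":
                self.drops[pkt.kind] += 1
                return False, "no binding entry; discarded by nomatch action"
            return True, "no binding entry; forwarded by nomatch action"
        if (entry.mac != pkt.src_mac.lower() or entry.vlan != pkt.vlan
                or entry.interface != pkt.interface):
            # The IP is bound, but MAC/VLAN/interface differ: spoofing or a middleman.
            self.drops[pkt.kind] += 1
            return False, "binding entry mismatch"
        return True, "binding entry matched"


def demo() -> dict:
    """Replay the scenarios of 8.12.2 with constructed packets and interfaces."""
    snoop = DhcpSnooping(nomatch_action="discard")
    snoop.trusted.add("GE1/0/2")  # constructed uplink towards the real DHCP server
    snoop.check_chaddr = True
    snoop.bindings["10.1.1.9"] = Binding("10.1.1.9", "9-9-9", 1, "GE1/0/9", static=True)
    r = {}
    # A bogus server on an untrusted access port answers a client's discover.
    r["bogus_offer"] = snoop.handle(Packet("dhcp", "3-3-3", "GE1/0/3", dhcp_type="offer"))[0]
    # The real server's ACK on the trusted uplink binds 10.1.1.2 to MAC 2-2-2 on GE1/0/1.
    r["real_ack"] = snoop.handle(Packet("dhcp", "1-1-1", "GE1/0/2", dhcp_type="ack",
                                        chaddr="2-2-2", yiaddr="10.1.1.2"), "GE1/0/1")[0]
    # An attacker on GE1/0/3 reuses the client's IP and MAC (Figure 8-101).
    r["spoofed_ip"] = snoop.handle(Packet("ip", "2-2-2", "GE1/0/3", src_ip="10.1.1.2"))[0]
    # The legitimate client on GE1/0/1 matches its dynamic entry.
    r["legit_ip"] = snoop.handle(Packet("ip", "2-2-2", "GE1/0/1", src_ip="10.1.1.2"))[0]
    # A statically addressed host is admitted only because of its static entry.
    r["static_arp"] = snoop.handle(Packet("arp", "9-9-9", "GE1/0/9", src_ip="10.1.1.9"))[0]
    # A request whose CHADDR was altered while the frame source MAC stayed the same.
    r["chaddr_dos"] = snoop.handle(Packet("dhcp", "5-5-5", "GE1/0/4", dhcp_type="request",
                                          chaddr="9-9-8"))[0]
    r["drops"] = dict(snoop.drops)
    return r
```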

Option 82
l Format of a packet with an Option 82 field
Option 82 is a DHCP Relay Agent Information option that records location information
about a DHCP client. It is a special field contained in a DHCP message.
When a DHCPREQUEST message sent by a DHCP client passes through a DHCP relay
agent, the relay agent adds an Option 82 field to this DHCPREQUEST message. Upon
receipt, a DHCP server replies with a DHCPRESPONSE message containing the same
Option 82 field to the DHCP relay agent. The DHCP relay agent then determines for which
interface the DHCPRESPONSE message is destined based on the Option 82 field.


Figure 8-104 shows the format of a DHCP message with Option 82 field.

Figure 8-104 Format of a packet with an Option 82 field


Code Length Agent Information Field

82 N i1 i2 i3 i4 i5 … iN

The message contains the following fields:


– Code field: 82, a fixed value.
– Length field: the total number of bytes in the Agent Information field.
– iN field: sub-options in the Agent Information field, and each sub-option is a SubOpt/
Length/Value tuple.
Figure 8-105 shows the format of the Agent Information field.

Figure 8-105 Format of the Agent Information field


SubOpt Length Sub-Option Value

1 N a1 a2 a3 a4 a5 … aN

2 N b1 b2 b3 b4 b5 … bN

9 N c1 c2 c3 c4 c5 … cN

The Agent Information field contains the following fields:


– SubOpt field: a sub-option number.
– Length field: the number of bytes in the Sub-Option Value field.
In an Option 82 field, at least one sub-option must be defined and can be set to null. The
minimum length of an Option 82 field is 2 bytes.
The initially assigned DHCP relay agent sub-options are agent circuit ID sub-option and
agent remote ID sub-option. A DHCP server uses the agent circuit ID sub-option for IP and
other parameter assignment policies.
The device also supports Sub-option 9, in addition to Sub-option 1. Sub-option 9 is used
to show added circuit IDs.
Sub-option 9 in a DHCPRESPONSE message supports the following functions:
– Enables a device to parse the Option 82 field and obtain interface information. The
device strips the Device Identifier field off Sub-option 9 before forwarding the
DHCPRESPONSE message.

– Enables a device to create a DHCP snooping binding table based on interface
information obtained from Sub-option 9.
Option 82 can be used on Layer 2 and Layer 3 devices. Layer 3 devices use Option 82 to
define address assignment or other policies for a DHCP server. Layer 2 devices determine
interfaces to which DHCPRESPONSE messages are sent and generate IP and MAC binding
entries based on Option 82. The following describes how to use Option 82 on Layer 2
devices and Layer 3 devices.
l Option 82 appended by a Layer 2 device
The client shown in Figure 8-106 accesses a Layer 2 device, and the Layer 2 device
connects the client to the DHCP relay agent and server over a Layer 2 network.
If DHCP snooping is enabled on the Layer 2 device, the Layer 2 interface may receive
broadcast DHCPRESPONSE messages. Upon receipt, the Layer 2 device performs the
following operations:
– Searches for a VLAN based on the MAC address carried in each message.
– Determines an outbound interface for the message.
– Generates an entry for the binding between the IP and MAC address.
If the DHCP Option 82 function is enabled, the Layer 2 device can monitor DHCP messages
and append Option 82 to a DHCPDISCOVERY message. After receiving a
DHCPDISCOVERY message, a DHCP server replies with the DHCPRESPONSE message
carrying Option 82. The Layer 2 device determines the interface to which the
DHCPRESPONSE message is sent based on Option 82 and generates DHCP snooping
binding entries. The Layer 2 device removes Option 82 before forwarding the
DHCPRESPONSE message to the client.

Figure 8-106 Option 82 appended by a Layer 2 device
[Figure: message sequence between Client, DHCP relay and DHCP server: Discover; Discover+Option82; Offer+Option82; Offer; Request; Request+Option82; Ack+Option82; Ack; data exchange]

l Option 82 appended by a Layer 3 device


Option 82 can be appended to messages by Layer 3 DHCP relay agents.
After Option 82 is enabled on the DHCP relay agent shown in Figure 8-107, the DHCP
relay agent appends Option 82 to the DHCPREQUEST message to a DHCP server. The
DHCP server assigns an IP address and delivers network parameters based on Option 82.
The DHCP server also adds Option 82 into a DHCPRESPONSE message sent to the DHCP
relay agent. After the DHCPRESPONSE message arrives, the DHCP relay agent removes
Option 82 before forwarding the message to a client.

Figure 8-107 Option 82 appended by a Layer 3 device
[Figure: message sequence between Client, Switch, DHCP relay and DHCP server: Discover; Discover+Option82; Offer+Option82; Offer; Request; Request+Option82; Ack+Option82; Ack; data exchange]

l Option 82 implementation
After the Option 82 function is enabled, a DHCP relay agent must check whether an Option
82 field is carried in a DHCPREQUEST message sent by a client.
– If the DHCPREQUEST message contains an Option 82 field, the agent handles it according
to the configured mode:
– Rebuild mode: The agent does not trust the Option 82 field contained in the received
message and modifies Sub-option 1 contained in the Option 82 field.
– Insert mode: The agent trusts the Option 82 field contained in the received message
and does not modify Sub-option 1 contained in the Option 82 field. The agent
checks whether the message contains Sub-option 9. If not, the agent adds Sub-option 9
to the message. If the message contains Sub-option 9, the agent checks whether this
sub-option contains the Device Identifier field. If not, the agent adds the field after
the manufacturer information field in the message.
– If the DHCPREQUEST message does not contain an Option 82 field, the agent adds an
Option 82 field with Sub-option 1, regardless of whether Insert or Rebuild mode is configured.
The agent also checks whether the message contains Sub-option 1 or Sub-option 9 and whether
the sub-option contains the Device Identifier field. If so, the agent parses the Option 82 field
properly and strips the Device Identifier field off Sub-option 1 or Sub-option 9 before
forwarding the DHCPRESPONSE message.
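The request-side Insert/Rebuild handling and the response-side stripping described above, as a Python model added here as an example and not Huawei code. The TLV layout (Code 82, Length, then SubOpt/Length/Value tuples) follows Figures 8-104 and 8-105; the inner layout of the Device Identifier field is not given on this page, so it is modelled as a constructed 0xFF marker followed by the identifier, and all circuit IDs, vendor information and identifiers below are constructed values.

```python
from typing import Dict, Optional

OPTION_82 = 82
SUB_CIRCUIT_ID = 1        # agent circuit ID sub-option
SUB_REMOTE_ID = 2         # agent remote ID sub-option
SUB_VENDOR = 9            # sub-option carrying the manufacturer information
DEVICE_ID_MARK = b"\xff"  # constructed marker for the modelled Device Identifier field


def parse_option82(data: bytes) -> Dict[int, bytes]:
    """Decode an Option 82 field (Figures 8-104 and 8-105) into {sub-option: value}."""
    if len(data) < 2 or data[0] != OPTION_82:
        raise ValueError("not an Option 82 field")
    body = data[2:2 + data[1]]
    if len(body) != data[1]:
        raise ValueError("truncated Option 82 field")
    subs: Dict[int, bytes] = {}
    pos = 0
    while pos < len(body):
        if pos + 2 > len(body) or pos + 2 + body[pos + 1] > len(body):
            raise ValueError("truncated sub-option")
        sub, sub_len = body[pos], body[pos + 1]
        subs[sub] = body[pos + 2:pos + 2 + sub_len]  # a sub-option value may be empty (null)
        pos += 2 + sub_len
    return subs


def build_option82(subs: Dict[int, bytes]) -> bytes:
    """Encode {sub-option: value} as Code 82 / Length / SubOpt-Length-Value tuples."""
    if not subs:
        raise ValueError("Option 82 needs at least one sub-option (minimum length 2 bytes)")
    body = b"".join(bytes([sub, len(val)]) + val for sub, val in sorted(subs.items()))
    if len(body) > 255:
        raise ValueError("Option 82 payload exceeds 255 bytes")
    return bytes([OPTION_82, len(body)]) + body


def with_device_id(value: bytes, device_id: bytes) -> bytes:
    """Append the modelled Device Identifier after the existing value unless present."""
    return value if DEVICE_ID_MARK in value else value + DEVICE_ID_MARK + device_id


def strip_device_id(value: bytes) -> bytes:
    """Remove the modelled Device Identifier field from a sub-option value."""
    idx = value.find(DEVICE_ID_MARK)
    return value if idx < 0 else value[:idx]


def relay_request(option82: Optional[bytes], mode: str, circuit_id: bytes,
                  vendor_info: bytes, device_id: bytes) -> bytes:
    """Process the Option 82 of a client DHCPREQUEST in 'insert' or 'rebuild' mode."""
    if mode not in ("insert", "rebuild"):
        raise ValueError("mode must be 'insert' or 'rebuild'")
    if option82 is None:
        # No Option 82 in the request: add one with Sub-option 1 regardless of the mode.
        return build_option82({SUB_CIRCUIT_ID: with_device_id(circuit_id, device_id)})
    subs = parse_option82(option82)
    if mode == "rebuild":
        # The received Option 82 is not trusted: Sub-option 1 is rewritten with our own.
        subs[SUB_CIRCUIT_ID] = with_device_id(circuit_id, device_id)
    else:
        # The received Option 82 is trusted: leave Sub-option 1 alone, make sure that
        # Sub-option 9 exists and carries the Device Identifier after the vendor information.
        subs[SUB_VENDOR] = with_device_id(subs.get(SUB_VENDOR, vendor_info), device_id)
    return build_option82(subs)


def relay_response(option82: bytes) -> bytes:
    """Strip the Device Identifier off Sub-option 1/9 before forwarding a DHCPRESPONSE."""
    subs = parse_option82(option82)
    for sub in (SUB_CIRCUIT_ID, SUB_VENDOR):
        if sub in subs:
            subs[sub] = strip_device_id(subs[sub])
    return build_option82(subs)


def demo() -> Dict[str, Dict[int, bytes]]:
    """Constructed walk-through: a request without Option 82, then one already carrying it."""
    cid, vendor, dev = b"GE1/0/1:vlan100", b"vendor-info", b"NGFW-A"  # constructed values
    upstream = build_option82({SUB_CIRCUIT_ID: b"port7", SUB_REMOTE_ID: b"sw-1"})
    inserted = relay_request(upstream, "insert", cid, vendor, dev)
    return {
        "fresh": parse_option82(relay_request(None, "insert", cid, vendor, dev)),
        "insert": parse_option82(inserted),
        "rebuild": parse_option82(relay_request(upstream, "rebuild", cid, vendor, dev)),
        "response": parse_option82(relay_response(inserted)),
    }
```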

8.12.3 Configuring Defense Against Attacks Initiated by a Bogus DHCP Server
A bogus DHCP server attack means that an attacker forges itself as a DHCP server to prevent a
target from accessing a network.

8.12.3.1 Configuring a Layer 2 Interface to Defend Against Attacks Initiated by a Bogus DHCP Server
This section describes how to prevent an attacker connected to a Layer 2 interface from launching
bogus DHCP server attacks.

Prerequisites
Before preventing a bogus DHCP server attack on a Layer 2 interface, configure a DHCP server.

Context
NOTE
Note the following:
l When DHCP snooping is disabled, only the VLAN or interface connected to a DHCP server is trusted
by default.
l When DHCP snooping is enabled, the VLAN or interface connected to a DHCP server is untrusted by
default.
The device discards DHCP server replies received from an untrusted VLAN or interface. To configure
the VLAN or interface to be trusted, run the dhcp snooping trusted command.

Procedure
Step 1 Access the system view.
system-view

Step 2 Enable DHCP snooping.


dhcp snooping enable

Enable DHCP snooping globally before enabling DHCP snooping on a VLAN.


Step 3 Access the VLAN view.
vlan vlan-id

Step 4 Assign a Layer 2 interface to the VLAN.


port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>

Only Layer 2 interfaces can be assigned to a VLAN.


Step 5 Enable DHCP snooping.
dhcp snooping enable interface interface-type interface-number

Step 6 Trust the VLAN or interface connected to a DHCP server.


dhcp snooping trusted [ interface interface-type interface-number ]

DHCP messages sent by the trusted VLAN and interface are all forwarded properly.

----End


Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping { vlan vlan-id [ interface interface-type interface-
number ] } command to view DHCP snooping information on a specified interface.

If the following results are displayed, the configuration is successful:


l DHCP snooping is enabled in both the system and interface views.
l The interface connected to a client is untrusted, while the interface connected to a network
is trusted.
l Statistics about the discarded ARP, IP, and DHCP packets are displayed.
<NGFW> display dhcp snooping vlan 10 interface GigabitEthernet 1/0/1
dhcp snooping enable interface GigabitEthernet 1/0/1
dhcp snooping trusted interface GigabitEthernet 1/0/1
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0

8.12.3.2 Configuring a Layer 3 Interface to Defend Against Attacks Initiated by a Bogus DHCP Server
This section describes how to prevent an attacker connected to a Layer 3 interface from launching
bogus DHCP server attacks.

Prerequisites
Before preventing a bogus DHCP server attack on a device, complete the following tasks:

l Configure the DHCP server.


l Configure a DHCP relay agent.

Context
Note the following:

l When DHCP snooping is disabled, only the VLAN or interface connected to a DHCP server
is trusted by default.
l When DHCP snooping is enabled, the VLAN or interface connected to a DHCP server is
untrusted by default.
The device discards DHCP server replies received from an untrusted VLAN or interface. To
configure the VLAN or interface to be trusted, run the dhcp snooping trusted command.

Procedure
Step 1 Access the system view.
system-view


Step 2 Enable DHCP snooping.


dhcp snooping enable interface interface-type interface-number

Enable DHCP snooping globally before enabling DHCP snooping on a Layer 3 interface.

Step 3 Access the interface view.


interface interface-type interface-number

DHCP snooping can be enabled on the following Layer 3 interfaces:

l Ethernet interfaces
l Ethernet sub-interfaces
l Vlanif interfaces
l Layer 3 Eth-Trunk interfaces

Step 4 Enable DHCP snooping on the interface.


dhcp snooping enable

Step 5 Trust the interface connected to a DHCP server.


dhcp snooping trusted

----End

Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping interface interface-type interface-number command to
view DHCP snooping information on a specified interface.

If the following results are displayed, the configuration is successful:


l DHCP snooping is enabled in both the system and interface views.
l The interface connected to a client is untrusted, while the interface connected to a network
is trusted.
l Statistics about the discarded ARP, IP, and DHCP packets are displayed.
<NGFW> display dhcp snooping interface GigabitEthernet 1/0/1
dhcp snooping enable
dhcp snooping trusted
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0

8.12.4 Configuring Defense Against Man-in-the-Middle and IP/MAC Spoofing Attacks
A man-in-the-middle attack means that an attacker pretends to be the server and client at the
same time, transmits packets between the real server and client, and obtains user data.


8.12.4.1 Configuring a Layer 2 Interface to Defend Against Man-in-the-Middle and IP/MAC Spoofing Attacks
This section describes how to prevent an attacker connected to the Layer 2 interface from
launching man-in-the-middle or IP/MAC spoofing attacks.

Prerequisites
Before preventing the man-in-the-middle and IP/MAC spoofing attacks on a Layer 2 Interface,
configure a DHCP server.

Context
Dynamic entries in the DHCP snooping binding table do not need to be manually configured.
They are automatically generated after DHCP snooping is enabled. Static entries must be
manually configured.

NOTE

l If an IP address is dynamically assigned to a client, a device automatically learns the MAC address of
the client and generates an IP and MAC binding entry. This binding table requires no configuration.
l If an IP address is statically assigned to a client, a device cannot automatically learn the MAC address
of the client or generate an IP and MAC binding entry. You need to create the IP and MAC binding table
manually.

If you do not create an IP and MAC binding table manually, the following two cases may occur:

l If the device is configured to forward packets without matching entries, packets from all
static IP addresses are forwarded, and all static clients can access the DHCP server properly.
By default, the device forwards mismatching packets.
l If the device is configured to discard packets without matching entries, packets from all
static IP addresses are discarded, and no static clients can access the DHCP server.

After receiving an ARP or IP packet, the interface matches the packet's source IP and MAC addresses
against the entries in the DHCP snooping binding table, verifying the MAC address, IP address,
interface and VLAN:

l If any of them does not match, the packet is discarded.
l If all of them match, the packet is forwarded.

Procedure
Step 1 Access the system view.
system-view

Step 2 Enable DHCP snooping.


dhcp snooping enable

Enable DHCP snooping globally before enabling DHCP snooping on a VLAN.

Step 3 Access the VLAN view.


vlan vlan-id

Step 4 Assign Layer 2 interfaces to the VLAN.


port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>


Only Layer 2 interfaces can be assigned to a VLAN.

Step 5 Enable DHCP snooping.


dhcp snooping enable

Step 6 Enable the VLAN packet check.
dhcp snooping check { arp | ip | dhcp-chaddr | dhcp-request } enable [ interface interface-type interface-number ]

Step 7 Configure a static IP and MAC binding entry.
dhcp snooping bind-table static ip-address ip-address mac-address mac-address [ interface interface-type interface-number ]

Step 8 Perform either of the following operations:
l To enable the device to add Option 82 information to packets, run:
dhcp option82 insert enable interface interface-type interface-number
If the original message does not carry Option 82, Option 82 is appended to the DHCP message.
If the message already carries Option 82, Sub-option 9 is added to it.
l To enable the device to forcibly add Option 82 to packets, run:
dhcp option82 rebuild enable interface interface-type interface-number
If the original DHCP message does not carry Option 82, Option 82 is appended. If the original
DHCP message already carries Option 82, the original Option 82 is forcibly removed and a new
Option 82 is appended.

A binding table with accurate interface information can be created after Option 82 is enabled.

Step 9 Access the system view.


system-view

Step 10 Specify a rule for processing mismatching packets.


dhcp snooping nomatch-packet [ arp | ip ] action { forward | discard }

If there is no matching entry for a packet in the DHCP snooping binding table, the device
processes the packet using a user-defined method.

----End

Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping bind-table { ip-address ip-address | mac-address mac-
address | vlan vlan-id [ interface interface-type interface-number ] | static | dynamic |
all } command to view information about the DHCP snooping binding table.
l Run the display dhcp snooping { vlan vlan-id [ interface interface-type interface-
number ] } command to view DHCP snooping information on a specified interface.
l Run the display dhcp option82 { [ vlan vlan-id ] interface interface-type interface-
number } command to view the Option 82 status.

If the following results are displayed, the configuration is successful:


l DHCP snooping is enabled in both the system and interface views.
l Option 82 is enabled on the interface.


l Statistics about the discarded ARP, IP, and DHCP packets are displayed.
l Interface names and the matching MAC and IP addresses in the DHCP snooping binding
table are displayed.
<NGFW> display dhcp snooping vlan 100 interface GigabitEthernet 1/0/1
dhcp snooping enable interface GigabitEthernet 1/0/1
dhcp snooping trusted interface GigabitEthernet 1/0/1
dhcp snooping check ip enable interface GigabitEthernet 1/0/1
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
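The display output above is the only place where an operator sees whether a check has actually discarded anything. The following Python script is an added example, not part of the Huawei guide or of the NGFW software: it parses the output of display dhcp snooping for several interfaces (a constructed sample that mirrors the layout shown above; the non-zero counters are made up) into a structured record per interface and reports every interface whose discard counters are non-zero, which is the condition an NMS or a log collector would alert on.

```python
"""Parse 'display dhcp snooping ... interface ...' output and flag interfaces
whose discard counters are non-zero.

Added example, not part of the Huawei guide. SAMPLE_OUTPUT is constructed to
mirror the layout shown in the guide; its non-zero values are made up.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: one interface with clean counters, one with discards.
SAMPLE_OUTPUT = """\
<NGFW> display dhcp snooping vlan 100 interface GigabitEthernet 1/0/1
dhcp snooping enable interface GigabitEthernet 1/0/1
dhcp snooping trusted interface GigabitEthernet 1/0/1
dhcp snooping check ip enable interface GigabitEthernet 1/0/1
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
<NGFW> display dhcp snooping vlan 100 interface GigabitEthernet 1/0/3
dhcp snooping enable interface GigabitEthernet 1/0/3
dhcp snooping check arp enable interface GigabitEthernet 1/0/3
dhcp snooping check dhcp-chaddr enable interface GigabitEthernet 1/0/3
arp total 17
ip total 0
dhcp-request total 0
chaddr&src mac total 4
dhcp-reply total 0
"""

COUNTER_RE = re.compile(r"^(arp|ip|dhcp-request|chaddr&src mac|dhcp-reply) total (\d+)$")
PROMPT_RE = re.compile(r"^<\S+> display dhcp snooping .*interface (\S+ \S+)$")


@dataclass
class SnoopingStatus:
    interface: str
    enabled: bool = False
    trusted: bool = False
    checks: set = field(default_factory=set)   # e.g. {"arp", "ip", "dhcp-chaddr"}
    discards: dict = field(default_factory=dict)


def parse_display_output(text):
    """Return one SnoopingStatus per 'display dhcp snooping' command block."""
    statuses = []
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = PROMPT_RE.match(line)
        if m:
            current = SnoopingStatus(interface=m.group(1))
            statuses.append(current)
            continue
        if current is None:
            continue
        if line.startswith("dhcp snooping enable"):
            current.enabled = True
        elif line.startswith("dhcp snooping trusted"):
            current.trusted = True
        elif line.startswith("dhcp snooping check "):
            # "dhcp snooping check <type> enable ..." -> record <type>
            current.checks.add(line.split()[3])
        else:
            m = COUNTER_RE.match(line)
            if m:
                current.discards[m.group(1)] = int(m.group(2))
    return statuses


def find_discards(statuses):
    """Map interface -> {counter: value} for every interface with non-zero discards."""
    return {
        s.interface: {k: v for k, v in s.discards.items() if v}
        for s in statuses
        if any(s.discards.values())
    }


if __name__ == "__main__":
    for iface, counters in find_discards(parse_display_output(SAMPLE_OUTPUT)).items():
        print(f"{iface}: discards {counters}")
```

The parser keys each block on the command prompt line, so the same code handles output collected for several interfaces in one terminal session. A non-zero arp or chaddr&src mac counter on an untrusted interface is the signal that the binding-table or CHADDR check is actively dropping traffic, which is what the alarm thresholds in 8.12.7 report to the NMS.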

8.12.4.2 Configuring a Layer 3 Interface to Defend Against Man-in-the-Middle and IP/MAC Spoofing Attacks
This section describes how to prevent an attacker connected to a Layer 3 interface from launching
man-in-the-middle or IP/MAC spoofing attacks.

Prerequisites
Before preventing man-in-the-middle and IP/MAC spoofing attacks on a Layer 3 interface,
complete the following tasks:

l Configure a DHCP server.
l Configure a DHCP relay agent.

Context
Dynamic entries in the DHCP snooping binding table do not need to be manually configured.
They are automatically generated after DHCP snooping is enabled. Static entries must be
manually configured.

NOTE

l If an IP address is dynamically assigned to a client, the device automatically learns the MAC address of
the client and generates an IP and MAC binding entry. This entry requires no configuration.
l If an IP address is statically assigned to a client, the device cannot automatically learn the MAC address
of the client or generate an IP and MAC binding entry. You need to create the IP and MAC binding entry
manually.

If you do not create an IP and MAC binding table manually, the following two cases may be
encountered:

l If the device is configured to forward packets without matching entries, packets from all
static IP addresses are forwarded, and all static clients can access the DHCP server properly.
By default, the device forwards mismatching packets.
l If the device is configured to discard packets without matching entries, packets from all
static IP addresses are discarded, and no static clients can access the DHCP server.

Issue 04 (2015-07-30) Huawei Proprietary and Confidential 1403


Copyright © Huawei Technologies Co., Ltd.
HUAWEI USG6000 Series & NGFW Module
Administrator Guide 8 Networks

After receiving an ARP or an IP packet, the interface matches its source IP and MAC addresses
with entries in the DHCP snooping binding table and verifies the MAC address, IP address,
interface, and VLAN.

l If they do not match, the packet is discarded.
l If they all match, the packet is forwarded.

Procedure
Step 1 Access the system view.
system-view

Step 2 Enable DHCP snooping.


dhcp snooping enable

Enable DHCP snooping globally before enabling DHCP snooping on a Layer 3 interface.

Step 3 Access the interface view.


interface interface-type interface-number

DHCP snooping can be enabled on the following Layer 3 interfaces:

l Ethernet interfaces
l Ethernet sub-interfaces
l VlanIf interfaces
l Eth-Trunk interfaces

Step 4 Enable DHCP snooping on the interface.


dhcp snooping enable

Step 5 Enable the device to check packets on the interface.


dhcp snooping check { arp | ip | dhcp-chaddr | dhcp-request } enable

Step 6 Configure a static IP and MAC binding entry.


dhcp snooping bind-table static ip-address ip-address mac-address mac-address

Step 7 Perform either of the following operations:


l To enable the device to add Option 82 information into packets, run:
dhcp option82 insert enable interface interface-type interface-number
If the original message does not carry Option 82, Option 82 is appended to DHCP messages.
If the message already carries Option 82, Sub-option 9 is added to the existing Option 82.
l To enable the device to forcibly add Option 82 into packets, run:
dhcp option82 rebuild enable interface interface-type interface-number
Option 82 is appended to DHCP messages if the original DHCP message does not carry
Option 82. If the original DHCP message already carries Option 82, the original
Option 82 is forcibly removed, and new Option 82 is appended.

A binding table with accurate interface information can be created after Option 82 is enabled.

Step 8 Access the system view.


system-view

Step 9 Specify a rule for processing mismatching packets.


dhcp snooping nomatch-packet [ arp | ip ] action { forward | discard }


If there is no matching entry for a packet in the DHCP snooping binding table, the device
processes the packet using a user-defined method.

----End

Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping bind-table { ip-address ip-address | mac-address mac-
address | vlan vlan-id [ interface interface-type interface-number ] | static | dynamic |
all } command to view information about the DHCP snooping binding table.
l Run the display dhcp snooping interface interface-type interface-number command to
view DHCP snooping information on an interface.
l Run the display dhcp option82 interface interface-type interface-number command to
view the Option 82 status.

If the following results are displayed, the configuration is successful:


l DHCP snooping is enabled in both the system and interface views.
l Option 82 is enabled on the interface.
l Statistics about the discarded ARP, IP, and DHCP packets are displayed.
l Interface names and the matching MAC and IP addresses in the DHCP snooping binding
table are displayed.
<NGFW> display dhcp snooping interface GigabitEthernet 1/0/1
dhcp snooping enable
dhcp snooping trusted
dhcp snooping check arp enable
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0

8.12.5 Configuring Defense Against Attacks Launched by Changing the CHADDR Value
The attacker continuously applies for the IP address from the DHCP server by changing the
CHADDR value.

8.12.5.1 Configuring Defense on the Layer 2 Interfaces Against Attacks by Changing CHADDRs
This section describes how to prevent the attacker connected to the Layer 2 interface from
changing the CHADDR value to launch attacks.


Procedure
Step 1 Access the system view.
system-view

Step 2 Enable DHCP snooping.


dhcp snooping enable

Enable DHCP snooping globally before enabling DHCP snooping on a VLAN.

Step 3 Access the VLAN view.


vlan vlan-id

Step 4 Assign Layer 2 interfaces to the VLAN.


port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>

Only Layer 2 interfaces can be assigned to a VLAN.

Step 5 Enable DHCP snooping.


dhcp snooping enable

Step 6 Enable the device to check CHADDRs of packets from a specified VLAN.
dhcp snooping check dhcp-chaddr enable interface interface-type interface-number

----End

Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping { vlan vlan-id [ interface interface-type interface-
number ] } command to view DHCP snooping information on an interface.

If the following results are displayed, the configuration is successful:

l DHCP snooping is enabled in both the system and interface views.
l Statistics about the discarded ARP, IP, and DHCP packets are displayed.
<NGFW> display dhcp snooping vlan 100 interface GigabitEthernet 1/0/1
dhcp snooping enable interface GigabitEthernet 1/0/1
dhcp snooping check dhcp-chaddr enable interface GigabitEthernet 1/0/1
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0

8.12.5.2 Configuring Defense on the Layer 3 Interfaces Against Attacks by Changing CHADDRs
This section describes how to prevent the attacker connected to the Layer 3 interface from
changing the CHADDR value to launch attacks.

Prerequisites
Before preventing the attacker from changing CHADDR through a Layer 3 device, complete
the following tasks:


l Configure the DHCP server.
l Configure a DHCP relay agent.

Procedure
Step 1 Access the system view.
system-view

Step 2 Enable DHCP snooping.


dhcp snooping enable

Enable DHCP snooping globally before enabling DHCP snooping on a Layer 3 interface.

Step 3 Access the interface view.


interface interface-type interface-number

DHCP snooping can be enabled on the following Layer 3 interfaces:

l Ethernet interfaces
l Ethernet sub-interfaces
l Vlanif interfaces
l Layer 3 Eth-Trunk interfaces

Step 4 Enable DHCP snooping on the interface.


dhcp snooping enable

Step 5 Enable the device to check CHADDRs of packets on the interface.


dhcp snooping check dhcp-chaddr enable

Enable checking CHADDRs. The device compares the CHADDR field in the received DHCP
Request message with the source MAC address in the frame header. If they are inconsistent, the
received DHCP request message is considered as an attack packet and is directly discarded.
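The check described in Step 5 compares two fields that a legitimate client always fills in consistently: the CHADDR of the BOOTP header and the source MAC of the Ethernet frame. The Python script below is an added example, not part of the Huawei guide or of the NGFW software: it builds two DHCP Request frames inline (constructed test vectors with a consistent and an inconsistent CHADDR) and applies the same comparison a snooping-enabled interface performs, returning discard for the mismatching frame. The frame layout follows RFC 2131 for the BOOTP header with a minimal Ethernet/IPv4/UDP wrapper; the option contents and XID value are placeholders.

```python
"""Model of the DHCP snooping CHADDR check: the CHADDR field of a DHCP
Request must equal the source MAC in the Ethernet header, otherwise the
frame is treated as an attack packet and discarded.

Added example, not Huawei code. Frames are constructed inline; the layout
follows RFC 2131 (BOOTP header) with a minimal Ethernet/IPv4/UDP wrapper.
"""
import struct

# op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr(16)
BOOTP_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s")
ETH_HDR = struct.Struct("!6s6sH")
IPV4_HDR_LEN = 20
UDP_HDR_LEN = 8
DHCP_SERVER_PORT = 67


def mac_bytes(text):
    """'00e0-fc5e-008a' (Huawei notation) or '00:e0:fc:5e:00:8a' -> 6 bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def build_dhcp_request(src_mac, chaddr):
    """Construct an Ethernet/IPv4/UDP/BOOTP frame carrying a DHCP Request (type 3)."""
    bootp = BOOTP_HDR.pack(1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                           b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                           chaddr.ljust(16, b"\0"))
    # sname/file padding, magic cookie, option 53 = DHCPREQUEST, end
    bootp += b"\0" * 192 + b"\x63\x82\x53\x63" + b"\x35\x01\x03\xff"
    udp = struct.pack("!HHHH", 68, DHCP_SERVER_PORT, UDP_HDR_LEN + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(udp), 0, 0, 64, 17, 0,
                     b"\0\0\0\0", b"\xff\xff\xff\xff") + udp
    return ETH_HDR.pack(mac_bytes("ff:ff:ff:ff:ff:ff"), src_mac, 0x0800) + ip


def chaddr_check(frame):
    """Return (accept, reason). Mirrors 'dhcp snooping check dhcp-chaddr enable'."""
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != 0x0800:
        return True, "not IPv4, check does not apply"
    ihl = (frame[ETH_HDR.size] & 0x0F) * 4
    proto = frame[ETH_HDR.size + 9]
    if proto != 17:
        return True, "not UDP, check does not apply"
    udp_off = ETH_HDR.size + ihl
    _sport, dport = struct.unpack_from("!HH", frame, udp_off)
    if dport != DHCP_SERVER_PORT:
        return True, "not a client-to-server DHCP message"
    fields = BOOTP_HDR.unpack_from(frame, udp_off + UDP_HDR_LEN)
    hlen, chaddr = fields[2], fields[11][:fields[2]]
    if hlen != len(src) or chaddr != src:
        return False, "CHADDR %s != source MAC %s" % (chaddr.hex(), src.hex())
    return True, "CHADDR matches source MAC"


if __name__ == "__main__":
    client = mac_bytes("00e0-fc5e-008a")          # MAC used in the guide's example
    print(chaddr_check(build_dhcp_request(client, client)))
    print(chaddr_check(build_dhcp_request(client, mac_bytes("00e0-fc11-2233"))))
```

Only client-to-server messages (UDP destination port 67) are subject to the check, which matches the guide's wording that the device inspects received DHCP Request messages; replies from the server side carry the server's MAC and are governed by the trusted-interface rule instead.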

----End

Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping { interface interface-type interface-number } command
to check DHCP snooping information on a specified interface.

If the following results are displayed, the configuration is successful:

l DHCP snooping is enabled in both the system and interface views.
l Statistics about the discarded ARP, IP, and DHCP packets are displayed.
<NGFW> display dhcp snooping interface GigabitEthernet 1/0/1
dhcp snooping enable
dhcp snooping check dhcp-chaddr enable
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0


8.12.6 Configuring Defense Against Attacks by Sending Bogus Packets for Extending IP Leases
The attacker continuously sends DHCP request packets to pretend to be a user for leasing the
IP address again. As a result, the expired IP addresses cannot be reclaimed properly.

8.12.6.1 Configuring Defense on the Layer 2 Interfaces Against Attacks by Sending Bogus Packets for Extending IP Leases
This section describes how to prevent the attacker connected to the Layer 2 interface from
launching bogus DHCP extended-releasing packet attacks.

Context
The dynamic entries in the DHCP snooping binding table require no configuration. They are
automatically generated after DHCP snooping is enabled. The static entries, however, must be
manually configured.

NOTE

l If the IP address is dynamically assigned to the client, the device automatically learns the MAC address
of the client and generates an IP and MAC binding entry. This entry requires no configuration.
l If the IP address is statically assigned to the client, the device cannot automatically learn the MAC
address of the client, and the IP and MAC binding entry cannot be generated. You need to create the IP
and MAC binding entry manually.

If you do not create an IP and MAC binding table manually, the following two cases may be
encountered:

l If the packet without a matching entry is set to be forwarded, packets from all static IP
addresses are forwarded and all static clients can access the DHCP server properly. By
default, the device forwards mismatching packets.
l If the packet without a matching entry is set to be discarded, packets from all static IP
addresses are discarded, and no static clients can access the DHCP server.

After receiving an ARP or an IP packet, the interface matches its source IP and MAC addresses
with entries in the DHCP snooping binding table and verifies the MAC address, IP address,
interface, and VLAN.

l If they do not match, the packet is discarded.
l If they all match, the packet is forwarded.

Procedure
Step 1 Access the system view.
system-view

Step 2 Enable DHCP snooping.


dhcp snooping enable

Enable DHCP snooping globally before enabling DHCP snooping on a VLAN.

Step 3 Set the rate at which DHCP messages are sent.


dhcp snooping check dhcp-rate rate

Step 4 Enable the check of the rate at which DHCP messages are sent.
dhcp snooping check dhcp-rate enable

Step 5 Access the VLAN view.


vlan vlan-id

Step 6 Assign Layer 2 interfaces to the VLAN.


port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>

Only Layer 2 interfaces can be assigned to a VLAN.

Step 7 Enable DHCP snooping.


dhcp snooping enable interface interface-type interface-number

Step 8 Enable the device to check DHCP Request messages from a specified VLAN.
dhcp snooping check dhcp-request enable [ interface interface-type interface-
number ]

Step 9 Configure a static IP and MAC binding entry.


dhcp snooping bind-table static ip-address ip-address mac-address mac-address
interface interface-type interface-number

Step 10 Perform either of the following operations:


l To enable the device to add Option 82 information into packets, run:
dhcp option82 insert enable interface interface-type interface-number
If the original message does not carry Option 82, Option 82 is appended to DHCP messages.
If the message already carries Option 82, Sub-option 9 is added to the existing Option 82.
l To enable the device to forcibly add Option 82 into packets, run:
dhcp option82 rebuild enable interface interface-type interface-number
Option 82 is appended to DHCP messages if the original DHCP message does not carry
Option 82. If the original DHCP message already carries Option 82, the original
Option 82 is forcibly removed, and new Option 82 is appended.

A binding table with accurate interface information can be created after Option 82 is enabled.

----End

Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping bind-table { ip-address ip-address | mac-address mac-
address | vlan vlan-id [ interface interface-type interface-number ] | static | dynamic |
all } command to view information about the DHCP snooping binding table.
l Run the display dhcp snooping { vlan vlan-id [ interface interface-type interface-
number ] } command to view DHCP snooping information on an interface.
l Run the display dhcp option82 { [ vlan vlan-id ] interface interface-type interface-
number } command to view the Option 82 status.

If the following results are displayed, the configuration is successful:


l DHCP snooping is enabled in both the system and interface views.
l Option 82 is enabled on the interface.


l Statistics about the discarded ARP, IP, and DHCP packets are displayed.
l Interface names and their matching MAC addresses and IP addresses in the DHCP snooping
binding table are displayed.
<NGFW> display dhcp snooping vlan 100 interface GigabitEthernet 1/0/1
dhcp snooping enable interface GigabitEthernet 1/0/1
dhcp snooping check dhcp-request enable interface GigabitEthernet 1/0/1
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0

8.12.6.2 Configuring Defense on the Layer 3 Interfaces Against Attacks by Sending Bogus Packets for Extending IP Leases
This section describes how to prevent the attacker connected to the Layer 3 interface from
launching bogus DHCP extended-releasing packet attacks.

Prerequisites
Before preventing the attacker from sending bogus messages for extending IP leases, complete
the following tasks:

l Configure the DHCP server.
l Configure a DHCP relay agent.

Context
The dynamic entries in the DHCP snooping binding table require no configuration. They are
automatically generated after DHCP snooping is enabled. The static entries, however, must be
manually configured.

NOTE

l If the IP address is dynamically assigned to the client, the device automatically learns the MAC address
of the client and generates an IP and MAC binding entry. This entry requires no configuration.
l If the IP address is statically assigned to the client, the device cannot automatically learn the MAC
address of the client, and the IP and MAC binding entry cannot be generated. You need to create the IP
and MAC binding entry manually.

If you do not create an IP and MAC binding table manually, the following two cases may occur:

l If the packet without a matching entry is set to be forwarded, packets from all static IP
addresses are forwarded and all static clients can access the DHCP server properly. By
default, the device forwards mismatching packets.
l If the packet without a matching entry is set to be discarded, packets from all static IP
addresses are discarded, and no static clients can access the DHCP server.

After receiving an ARP or an IP packet, the interface matches its source IP and MAC addresses
with entries in the DHCP snooping binding table and verifies the MAC address, IP address,
interface, and VLAN.

l If they do not match, the packet is discarded.
l If they all match, the packet is forwarded.
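The Context of this section, of 8.12.6.1 and of 8.12.4.2 all describe the same decision: an ARP or IP packet is looked up in the binding table, a conflicting entry means discard, and a packet with no entry at all (the unconfigured static client) is handled by the dhcp snooping nomatch-packet action, which defaults to forward. The Python model below is an added example, not part of the Huawei guide or of the NGFW software: it implements that decision over a small constructed table and shows why the static client is cut off once the nomatch action is set to discard until its static entry is created. The lookup-by-source-IP structure and the split between "no entry" and "entry with conflicting fields" are assumptions about how the device distinguishes the two cases; the guide states only the resulting behaviour.

```python
"""Model of the binding-table check on a snooping-enabled interface and of the
'dhcp snooping nomatch-packet' action for packets with no entry.

Added example, not Huawei code. Entries, packets and the table are constructed
inline; the lookup-by-IP structure is an assumption, the guide only states the
resulting forward/discard behaviour.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class BindingEntry:
    ip: str
    mac: str
    interface: str
    vlan: Optional[int]          # None for Layer 3 interfaces
    static: bool = False


@dataclass
class Packet:
    src_ip: str
    src_mac: str
    interface: str               # interface the packet arrived on
    vlan: Optional[int]
    kind: str                    # "arp" or "ip"


class SnoopingTable:
    def __init__(self):
        self.by_ip = {}
        # Default per the guide: mismatching (no-entry) packets are forwarded.
        self.nomatch_action = {"arp": "forward", "ip": "forward"}

    def add_dynamic(self, ip, mac, interface, vlan=None):
        """Entry learned from a completed DHCP exchange on this interface."""
        self.by_ip[ip] = BindingEntry(ip, mac, interface, vlan)

    def add_static(self, ip, mac, interface, vlan=None):
        """'dhcp snooping bind-table static ip-address ... mac-address ...'."""
        self.by_ip[ip] = BindingEntry(ip, mac, interface, vlan, static=True)

    def set_nomatch_action(self, kind, action):
        """'dhcp snooping nomatch-packet [ arp | ip ] action { forward | discard }'."""
        assert kind in ("arp", "ip") and action in ("forward", "discard")
        self.nomatch_action[kind] = action

    def decide(self, pkt):
        """Return 'forward' or 'discard' for an ARP or IP packet."""
        entry = self.by_ip.get(pkt.src_ip)
        if entry is None:
            # No entry at all: the configured nomatch action applies.
            return self.nomatch_action[pkt.kind]
        # An entry exists: MAC, interface and VLAN must all match, else discard.
        if (entry.mac, entry.interface, entry.vlan) == (pkt.src_mac, pkt.interface, pkt.vlan):
            return "forward"
        return "discard"


if __name__ == "__main__":
    table = SnoopingTable()
    table.add_dynamic("10.1.1.10", "00e0-fc00-0001", "GigabitEthernet1/0/1")
    static_client = Packet("10.1.1.1", "00e0-fc5e-008a", "GigabitEthernet1/0/1", None, "ip")
    print("static client, default action:", table.decide(static_client))
    table.set_nomatch_action("ip", "discard")
    print("static client, nomatch discard:", table.decide(static_client))
    table.add_static("10.1.1.1", "00e0-fc5e-008a", "GigabitEthernet1/0/1")
    print("static client, with static entry:", table.decide(static_client))
```

The order matters operationally: create the static entries first and only then switch the nomatch action to discard, otherwise every statically addressed host loses connectivity the moment the action changes.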


Procedure
Step 1 Access the system view.
system-view

Step 2 Enable DHCP snooping.


dhcp snooping enable

Enable DHCP snooping globally before enabling DHCP snooping on a VLAN.

Step 3 Set the rate at which DHCP messages are sent.


dhcp snooping check dhcp-rate rate

Step 4 Enable the check of the rate at which DHCP messages are sent.
dhcp snooping check dhcp-rate enable

Step 5 Access the interface view.


interface interface-type interface-number

DHCP snooping can be enabled on the following Layer 3 interfaces:

l Ethernet interfaces
l Ethernet sub-interfaces
l Vlanif interfaces
l Layer 3 Eth-Trunk interfaces

Step 6 Enable DHCP snooping.


dhcp snooping enable

Step 7 Enable the device to check DHCP Request messages sent by a specified interface.
dhcp snooping check dhcp-request enable

Step 8 Configure a static IP and MAC binding entry.


dhcp snooping bind-table static ip-address ip-address mac-address mac-address

Step 9 Perform either of the following operations:


l To enable the device to add Option 82 information into packets, run:
dhcp option82 insert enable interface interface-type interface-number
If the original message does not carry Option 82, Option 82 is appended to DHCP messages.
If the message already carries Option 82, Sub-option 9 is added to the existing Option 82.
l To enable the device to forcibly add Option 82 into packets, run:
dhcp option82 rebuild enable interface interface-type interface-number
Option 82 is appended to DHCP messages if the original DHCP message does not carry
Option 82. If the original DHCP message already carries Option 82, the original
Option 82 is forcibly removed, and new Option 82 is appended.

A binding table with accurate interface information can be created after Option 82 is enabled.
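The insert and rebuild modes in this step (and in the identical step of 8.12.4.2, 8.12.6.1 and 8.12.4.1) differ only in what happens when a DHCP message already carries Option 82, for instance because a downstream relay added one. The Python script below is an added example, not part of the Huawei guide or of the NGFW software: it encodes a DHCP options field, then applies both behaviours to a message without Option 82 and to one that already carries it. The option layout follows RFC 3046 (option 82 with sub-options 1 circuit-id and 2 remote-id) and RFC 4243 (sub-option 9); the circuit-id, remote-id and sub-option 9 contents are constructed placeholders and do not reproduce the device's own encoding.

```python
"""Model of the two Option 82 modes: 'dhcp option82 insert enable' keeps an
existing Option 82 and adds Sub-option 9 to it; 'dhcp option82 rebuild enable'
strips any existing Option 82 and appends a freshly built one.

Added example, not Huawei code. Option layout per RFC 3046 / RFC 4243; the
sub-option contents are constructed placeholders, not the device's format.
"""
OPT_MSG_TYPE = 53
OPT_RELAY_AGENT = 82
OPT_END = 255
SUB_CIRCUIT_ID, SUB_REMOTE_ID, SUB_VENDOR = 1, 2, 9


def parse_options(blob):
    """Decode a DHCP options field into a list of (code, value) pairs (END not included)."""
    out, i = [], 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:                          # pad byte
            i += 1
            continue
        length = blob[i + 1]
        out.append((code, blob[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def encode_options(opts):
    """Encode (code, value) pairs as TLVs followed by the END option."""
    return b"".join(bytes([c, len(v)]) + v for c, v in opts) + bytes([OPT_END])


def build_option82(interface, vlan, sub9):
    """Option 82 value with circuit-id (interface/VLAN), remote-id and optional sub-option 9."""
    circuit = f"{interface}:{vlan}".encode()   # constructed circuit-id format
    remote = b"NGFW"                           # constructed placeholder remote-id
    subs = [(SUB_CIRCUIT_ID, circuit), (SUB_REMOTE_ID, remote)]
    if sub9:
        subs.append((SUB_VENDOR, sub9))
    return encode_options(subs)[:-1]           # sub-options carry no END byte


def option82_insert(blob, interface, vlan, sub9=b"relay-1"):
    """'insert' mode: append Option 82 if absent, else add Sub-option 9 to the existing one."""
    opts = parse_options(blob)
    for idx, (code, value) in enumerate(opts):
        if code == OPT_RELAY_AGENT:
            subs = parse_options(value)
            if all(c != SUB_VENDOR for c, _ in subs):
                subs.append((SUB_VENDOR, sub9))
            opts[idx] = (OPT_RELAY_AGENT, encode_options(subs)[:-1])
            return encode_options(opts)
    opts.append((OPT_RELAY_AGENT, build_option82(interface, vlan, sub9)))
    return encode_options(opts)


def option82_rebuild(blob, interface, vlan, sub9=b"relay-1"):
    """'rebuild' mode: drop any existing Option 82 and append one built by this device."""
    opts = [(c, v) for c, v in parse_options(blob) if c != OPT_RELAY_AGENT]
    opts.append((OPT_RELAY_AGENT, build_option82(interface, vlan, sub9)))
    return encode_options(opts)


def relay_agent_suboptions(blob):
    """Return the decoded sub-options of Option 82, or None if the message has no Option 82."""
    for code, value in parse_options(blob):
        if code == OPT_RELAY_AGENT:
            return parse_options(value)
    return None


if __name__ == "__main__":
    # Constructed DHCPDISCOVER options (message type 1), and the same message as
    # it might arrive after a downstream relay already tagged it with Option 82.
    client = encode_options([(OPT_MSG_TYPE, b"\x01"), (55, b"\x01\x03")])
    tagged = encode_options([(OPT_MSG_TYPE, b"\x01"),
                             (OPT_RELAY_AGENT, encode_options([(SUB_CIRCUIT_ID, b"sw1-port7")])[:-1])])
    print("insert, untagged :", relay_agent_suboptions(option82_insert(client, "GE1/0/1", 100)))
    print("insert, tagged   :", relay_agent_suboptions(option82_insert(tagged, "GE1/0/1", 100)))
    print("rebuild, tagged  :", relay_agent_suboptions(option82_rebuild(tagged, "GE1/0/1", 100)))
```

With insert mode the circuit-id written by the downstream relay survives, so the binding table records that relay's port rather than the NGFW interface; rebuild mode guarantees the interface information in the table is the NGFW's own, which is the "accurate interface information" the step refers to, at the cost of discarding whatever the downstream device had recorded.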

----End

Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.


l Run the display dhcp snooping bind-table { ip-address ip-address | mac-address mac-
address | static | dynamic | all } command to view information about the DHCP snooping
binding table.
l Run the display dhcp snooping interface interface-type interface-number command to
view DHCP snooping information on the interface.
l Run the display dhcp option82 interface interface-type interface-number command to
view the Option 82 status.

If the following results are displayed, the configuration is successful:


l DHCP snooping is enabled in both the system and interface views.
l Option 82 is enabled on the interface.
l Statistics about the discarded ARP, IP, and DHCP packets are displayed.
l Interface names and the matching MAC and IP addresses in the DHCP snooping binding
table are displayed.
<NGFW> display dhcp snooping interface GigabitEthernet 1/0/1
dhcp snooping enable
dhcp snooping check dhcp-request enable
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0

8.12.7 Configuring Alarms Used to Discard Packets


This section describes how to notify the NMS of attacks.

Prerequisites
Before configuring alarms about discarded packets, complete the following tasks:

l Configure the DHCP server.
l Configure a DHCP relay agent.
l Configure the device to discard DHCP reply messages sent by untrusted interfaces.
l Enable the device to check the DHCP snooping binding table.
l Enable the device to check CHADDRs of DHCP request messages.

Procedure
Step 1 Access the system view.
system-view

Step 2 Perform either of the following operations to access a specific view:


l To access the VLAN view, run:
vlan vlan-id
l To access the interface view, run:
interface interface-type interface-number

Step 3 Enable the alarm function.


dhcp snooping alarm { arp | ip | dhcp-request | dhcp-chaddr | dhcp-reply } enable
[ interface interface-type interface-number ]

Step 4 Set the alarm threshold of the maximum number of discarded packets.

In the VLAN view, run:


dhcp snooping alarm { arp | ip | dhcp-request | dhcp-chaddr | dhcp-reply }
threshold threshold interface interface-type interface-number

Or in the interface view, run:


dhcp snooping alarm { arp | ip | dhcp-request | dhcp-chaddr | dhcp-reply }
threshold threshold

----End
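Steps 3 and 4 tie an alarm to each discard counter, and section 8.12.6 adds a DHCP rate check with its own alarm threshold (the configuration example in 8.12.9 uses dhcp-rate 90 and a rate alarm threshold of 40, with per-type thresholds of 10). The Python model below is an added example, not part of the Huawei guide or of the NGFW software: it keeps one counter per discard type, raises an alarm when a counter reaches its threshold, and models the rate check as a per-second limit on DHCP messages handed to the protocol stack. It assumes that a counter is reset after its alarm is raised; the page does not specify the device's alarm repeat or reset behaviour, so treat that as a modelling choice rather than documented behaviour.

```python
"""Model of the discard counters, the DHCP rate check and the alarm thresholds
of this section: each discard type keeps a counter, and an alarm is raised
when the count of discarded packets reaches the configured threshold.

Added example, not Huawei code. The 'alarm once the counter reaches the
threshold, then reset the counter' rule is an assumption; the device's real
alarm repeat/reset behaviour is not specified on this page.
"""
from collections import defaultdict

DISCARD_TYPES = ("arp", "ip", "dhcp-request", "dhcp-chaddr", "dhcp-reply")


class SnoopingAlarms:
    def __init__(self, dhcp_rate=None, rate_alarm_threshold=None):
        self.enabled = set()               # types with 'dhcp snooping alarm <type> enable'
        self.threshold = {}                # 'dhcp snooping alarm <type> threshold <n>'
        self.discards = defaultdict(int)   # discards per type since the last alarm
        self.alarms = []                   # (type, count) tuples that would go to the NMS
        self.dhcp_rate = dhcp_rate         # 'dhcp snooping check dhcp-rate <rate>' (msgs/s)
        self.rate_alarm_threshold = rate_alarm_threshold
        self.rate_discards = 0
        self._window = None                # [second, messages seen in that second]

    def enable_alarm(self, kind, threshold):
        assert kind in DISCARD_TYPES and threshold > 0
        self.enabled.add(kind)
        self.threshold[kind] = threshold

    def record_discard(self, kind):
        """Called each time a snooping check discards a packet of the given type."""
        self.discards[kind] += 1
        if kind in self.enabled and self.discards[kind] >= self.threshold[kind]:
            self.alarms.append((kind, self.discards[kind]))
            self.discards[kind] = 0            # assumption: counter restarts after an alarm

    def dhcp_message(self, timestamp):
        """Rate check: return True if the message is passed to the protocol stack."""
        if self.dhcp_rate is None:
            return True
        second = int(timestamp)
        if self._window is None or self._window[0] != second:
            self._window = [second, 0]
        self._window[1] += 1
        if self._window[1] <= self.dhcp_rate:
            return True
        self.rate_discards += 1
        if self.rate_alarm_threshold and self.rate_discards >= self.rate_alarm_threshold:
            self.alarms.append(("dhcp-rate", self.rate_discards))
            self.rate_discards = 0
        return False


if __name__ == "__main__":
    a = SnoopingAlarms(dhcp_rate=90, rate_alarm_threshold=40)
    a.enable_alarm("arp", 10)
    for _ in range(25):                      # constructed burst of ARP discards
        a.record_discard("arp")
    passed = sum(a.dhcp_message(1000.0 + i / 200) for i in range(200))  # 200 msgs in one second
    print("DHCP messages passed:", passed)
    print("alarms:", a.alarms)
```

The threshold is what keeps a single stray packet from paging anyone: with a threshold of 10 an interface must drop ten ARP packets before the first alarm, which filters transient misconfiguration from a sustained spoofing or flooding attempt.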

Follow-up Procedure
l Run the display dhcp snooping global command to view global DHCP snooping
information.
l Run the display dhcp snooping { interface interface-type interface-number | vlan vlan-
id [ interface interface-type interface-number ] } command to view DHCP snooping
information on a specified interface.

If the following results are displayed, the configuration is successful:

l DHCP snooping is enabled in both the system and interface views.
l Statistics about the discarded ARP, IP, and DHCP packets are displayed.

8.12.8 Maintaining DHCP Snooping


This section describes how to maintain DHCP snooping.

8.12.8.1 Maintaining a DHCP Snooping Binding Table


This section describes how to maintain a DHCP snooping binding table.

Displaying DHCP Snooping Configurations


Table 8-122 lists the commands run in all views to check DHCP snooping configurations.

Table 8-122 Displaying DHCP snooping configurations

Action: Display Option82 information.
Command: display dhcp option82 [ vlan vlan-id ] interface interface-type interface-number

Action: Display information about DHCP snooping on a specific interface.
Command: display dhcp snooping [ vlan vlan-id ] interface interface-type interface-number

Action: Display information about entries in a DHCP snooping binding table.
Command: display dhcp snooping bind-table { ip-address ip-address | mac-address mac-address | [ vlan vlan-id ] interface interface-type interface-number | static | dynamic | all }

Action: Display global DHCP snooping information.
Command: display dhcp snooping global

Maintaining a DHCP Snooping Binding Table


NOTE

Resetting the DHCP snooping binding table results in information loss in the binding table. Perform the
resetting of the DHCP snooping binding table with caution.

Table 8-123 lists the commands run in the system view to maintain a DHCP snooping binding
table.

Table 8-123 Maintaining a DHCP snooping binding table

Action: Back up a DHCP snooping binding table.
Command: dhcp snooping bind-table autosave filename

Action: Reset a DHCP snooping binding table.
Command: reset dhcp snooping bind-table { interface interface-type interface-number | vlan vlanid [ interface interface-type interface-number ] | static | dynamic }

8.12.8.2 Debugging the DHCP Snooping Function


If a fault occurs, you can run the following debugging command in the user view to enable the
debugging for locating the fault.

Before enabling the debugging, you must run the terminal monitor command in the user view
to enable the terminal information display function and the terminal debugging command in
the user view to enable the terminal debugging information display function.

NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.

For the description of the debugging command, see Debugging Reference.

Table 8-124 lists the commands to debug DHCP snooping information.


Table 8-124 Debugging DHCP snooping information

Action: Debug DHCP snooping information.
Command: debugging dhcp snooping

8.12.9 Example for Configuring DHCP Snooping


This example describes how to adopt DHCP snooping to defend against DHCP packet attacks
launched by the attacker connected to the Layer 3 interface.

Networking Requirements
DHCP clients access the DHCP relay agent on the network shown in Figure 8-108. DHCP
snooping needs to be configured on Layer 3 interfaces GigabitEthernet 1/0/1 and GigabitEthernet
1/0/2 on NGFW. The interface on the DHCP client side is untrusted, and the interface on the
DHCP server side is trusted.

In such a case, NGFW is capable of preventing the following attacks:

l Bogus DHCP server attack
l Man-in-the-middle attack or IP/MAC spoofing attack
l DoS attack by changing CHADDR
l Attack by generating bogus DHCP messages to extend IP leases

DHCP client1 uses the dynamically allocated IP address, and DHCP client2 uses the statically
configured IP address.


Figure 8-108 Networking diagram for configuring DHCP snooping on the device

[Figure: DHCP Server (10.11.1.2/24) connects to NGFW (DHCP Relay) on GE1/0/2 (10.11.1.1/24, Trusted, zone Trust). NGFW connects through GE1/0/1 (10.1.1.254/24, Untrusted, zone Trust) to a Switch, behind which sit DHCP client1 and DHCP client2 (IP: 10.1.1.1/24, MAC: 00e0-fc5e-008a).]

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping globally and in the interface view.
2. Configure interfaces to be trusted or untrusted to prevent bogus DHCP server attacks.
3. Configure DHCP snooping binding tables and enable matching ARP packets, IP packets,
and DHCPREQUEST messages with entries in the DHCP snooping tables to prevent
man-in-the-middle or IP/MAC spoofing attacks and bogus DHCP messages to extend IP
leases.
4. Configure CHADDR check to prevent attackers from changing CHADDRs in the
messages.
5. Configure Option 82 and create a binding table covering accurate interface information.
6. Configure the sending of alarms to the network management station (NMS).

Procedure
Step 1 Configure basic DHCP relay function.
# Assign an IP address to GigabitEthernet 1/0/2.
<NGFW> system-view
[NGFW] sysname DHCP-Relay


[DHCP-Relay] interface GigabitEthernet 1/0/2
[DHCP-Relay-GigabitEthernet1/0/2] ip address 10.11.1.1 24
[DHCP-Relay-GigabitEthernet1/0/2] quit

# Configure the interface on which the DHCP relay agent is to be enabled and configure the
IP address and mask for the interface. Ensure that the interface and the DHCP client are
on the same network segment.
[DHCP-Relay] interface GigabitEthernet 1/0/1
[DHCP-Relay-GigabitEthernet1/0/1] ip address 10.1.1.254 24
[DHCP-Relay-GigabitEthernet1/0/1] dhcp select relay
[DHCP-Relay-GigabitEthernet1/0/1] ip relay address 10.11.1.2
[DHCP-Relay-GigabitEthernet1/0/1] quit

Step 2 Enable DHCP snooping.

# Enable DHCP snooping in the system and interface views.


[DHCP-Relay] dhcp snooping enable
[DHCP-Relay] interface GigabitEthernet 1/0/1
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping enable
[DHCP-Relay-GigabitEthernet1/0/1] quit
[DHCP-Relay] interface GigabitEthernet 1/0/2
[DHCP-Relay-GigabitEthernet1/0/2] dhcp snooping enable

Step 3 Configure the interface to be trusted.

# Configure the interface on the DHCP server side to be trusted and enable DHCP snooping on
all interfaces on the DHCP client side. If the interfaces on the DHCP client side are not set to
be trusted, they are untrusted by default after DHCP snooping is enabled. Configuring trusted
or untrusted interfaces prevents bogus DHCP server attacks.
[DHCP-Relay-GigabitEthernet1/0/2] dhcp snooping trusted
[DHCP-Relay-GigabitEthernet1/0/2] quit

Step 4 Enable the interface to check specified types of packets and configure DHCP snooping binding
tables.

# Check ARP and IP packets on the interfaces on the DHCP client side to prevent IP/MAC
spoofing attacks.
[DHCP-Relay] interface GigabitEthernet 1/0/1
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping check arp enable
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping check ip enable

# Enable the interfaces on the DHCP client side to check DHCPREQUEST messages to prevent
attackers from sending bogus DHCP messages to extend IP leases.
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping check dhcp-request enable

# Enable checking CHADDRs on the interfaces on the DHCP client side to prevent attackers
from changing CHADDRs in the messages.
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping check dhcp-chaddr enable

# Configure static binding entries.

If you use the static IP address, configure static DHCP snooping entries.
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping bind-table static ip-address
10.1.1.1 mac-address 00e0-fc5e-008a
[DHCP-Relay-GigabitEthernet1/0/1] quit

Step 5 Limit the rate at which DHCP messages are sent.


# Set the rate of sending DHCPREQUEST messages to the protocol stack to prevent excessive
DHCPREQUEST messages.
[DHCP-Relay] dhcp snooping check dhcp-rate 90
[DHCP-Relay] dhcp snooping check dhcp-rate enable

Step 6 Configure Option 82.


# Configure interface information to be carried in DHCP messages to make the DHCP snooping
table more accurate.
[DHCP-Relay] interface GigabitEthernet 1/0/1
[DHCP-Relay-GigabitEthernet1/0/1] dhcp option82 insert enable
[DHCP-Relay-GigabitEthernet1/0/1] quit

Step 7 Configure behaviors to process packets that do not match the entries.
# Configure the global behaviors to process ARP and IP packets that do not match the entries.
[DHCP-Relay] dhcp snooping nomatch-packet arp action discard
[DHCP-Relay] dhcp snooping nomatch-packet ip action discard

# Configure behaviors to process the ARP and IP packets that do not match the entries on the
interface.
[DHCP-Relay] interface GigabitEthernet 1/0/1
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping nomatch-packet arp action discard
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping nomatch-packet ip action discard

Step 8 Enable the interface to send alarms to the NMS.


# Enable the interface to send specified alarms to the NMS.
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping alarm dhcp-reply enable
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping alarm arp enable
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping alarm dhcp-chaddr enable
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping alarm dhcp-request enable
[DHCP-Relay-GigabitEthernet1/0/1] quit
[DHCP-Relay] dhcp snooping check dhcp-rate alarm enable

# Set the alarm threshold.


[DHCP-Relay] interface GigabitEthernet 1/0/1
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping alarm dhcp-reply threshold 10
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping alarm arp threshold 10
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping alarm dhcp-chaddr threshold 10
[DHCP-Relay-GigabitEthernet1/0/1] dhcp snooping alarm dhcp-request threshold 10
[DHCP-Relay-GigabitEthernet1/0/1] quit
[DHCP-Relay] dhcp snooping check dhcp-rate alarm threshold 40

Step 9 Assign interfaces to security zones.


[DHCP-Relay] firewall zone trust
[DHCP-Relay-zone-trust] add interface GigabitEthernet 1/0/1
[DHCP-Relay-zone-trust] add interface GigabitEthernet 1/0/2
[DHCP-Relay-zone-trust] quit

----End

Result
l Run the display dhcp snooping global command on the DHCP relay agent. You can see
that DHCP snooping is enabled in the system and interface views. You can also view
statistics about alarms sent to the NMS.
[DHCP-Relay] display dhcp snooping global
dhcp snooping enable
dhcp snooping nomatch-packet ip action discard
dhcp snooping nomatch-packet arp action discard
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate alarm enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm threshold 40

l View information about the binding table of DHCP snooping.


[DHCP-Relay] display dhcp snooping bind-table static
bind-table:
ifname vrf vsi p/cvlan mac-address ip-address tp lease
-------------------------------------------------------------------------
GE1/0/1 0000 - 0000/0000 00e0-fc5e-008a 10.1.1.1 S 0
-------------------------------------------------------------------------
binditem count: 1 binditem total count: 1

l View DHCP snooping information on the interface.


[DHCP-Relay] display dhcp snooping interface GigabitEthernet 1/0/1
dhcp snooping enable
dhcp snooping check arp enable
dhcp snooping alarm arp enable
dhcp snooping alarm arp threshold 10
dhcp snooping nomatch-packet arp action discard
dhcp snooping check ip enable
dhcp snooping nomatch-packet ip action discard
dhcp snooping alarm dhcp-reply enable
dhcp snooping alarm dhcp-reply threshold 10
dhcp snooping check dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr threshold 10
dhcp snooping check dhcp-request enable
dhcp snooping alarm dhcp-request enable
dhcp snooping alarm dhcp-request threshold 10
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0
[DHCP-Relay] display dhcp option82 interface GigabitEthernet 1/0/1
dhcp option82 insert enable
[DHCP-Relay] display dhcp snooping interface GigabitEthernet 1/0/2
dhcp snooping enable
dhcp snooping trusted
arp total 0
ip total 0
dhcp-request total 0
chaddr&src mac total 0
dhcp-reply total 0

Configuration Script
#
dhcp snooping enable
dhcp snooping nomatch-packet ip action discard
dhcp snooping nomatch-packet arp action discard
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping check dhcp-rate alarm threshold 40
#
sysname DHCP-Relay
#
interface GigabitEthernet1/0/1
ip address 10.1.1.254 255.255.255.0
ip relay address 10.11.1.2
dhcp select relay
dhcp snooping enable
dhcp snooping check arp enable
dhcp snooping alarm arp enable
dhcp snooping alarm arp threshold 10
dhcp snooping nomatch-packet arp action discard
dhcp snooping check ip enable
dhcp snooping nomatch-packet ip action discard
dhcp snooping alarm dhcp-reply enable
dhcp snooping alarm dhcp-reply threshold 10
dhcp snooping check dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr threshold 10
dhcp snooping check dhcp-request enable
dhcp snooping alarm dhcp-request enable
dhcp snooping alarm dhcp-request threshold 10
dhcp option82 insert enable
dhcp snooping bind-table static ip-address 10.1.1.1 mac-address 00e0-fc5e-008a
#
interface GigabitEthernet1/0/2
ip address 10.11.1.1 255.255.255.0
dhcp snooping enable
dhcp snooping trusted
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/2
#

8.12.10 Feature Reference


This section provides DHCP snooping references.

8.12.10.1 Feature History


This section describes the versions and changes in the dynamic host configuration protocol
(DHCP) snooping feature.

Version Change Description

V100R001C00 The first version.

8.12.10.2 Reference Standards and Protocols


This section provides DHCP snooping standards and protocols.

DHCP standards and protocols are as follows:

l RFC 3046: DHCP Relay Agent Information Option


l RFC 2132: DHCP Options and BOOTP Vendor Extensions

8.13 IPv6 Neighbor Discovery


This section describes IPv6 neighbor discovery (ND) concepts and how to configure IPv6 ND,
as well as provides configuration examples.

8.13.1 Overview
IPv6 Neighbor Discovery (ND) defines a group of messages and processes for discovering
neighboring nodes. The IPv6 Secure Neighbor Discovery (SEND) protocol is an enhancement
of IPv6 ND.

Definition
The IPv6 NDP uses Internet Control Message Protocol version 6 (ICMPv6) messages to discover
neighbors. NDP functions include neighbor discovery, router discovery (RD), and ICMP
redirection.

SEND uses a set of new ND options to implement the authorization delegation discovery process,
address ownership proof mechanism, and message verification, which secures neighbor
discovery.

Purpose
ND does not provide any security mechanisms and is vulnerable to the following threats:

l NS/NA spoofing
Neighbor Solicitation/Advertisement Spoofing (NS/NA spoofing) is similar to IPv4 ARP
spoofing. An attacker sends NS/NA messages containing a forged link-layer address to
update the neighbor cache of a target node. Consequently, the target node sends packets to
the forged address.
l DAD attack
On networks where hosts obtain addresses by stateless address autoconfiguration, an
attacker can answer every duplicate address detection (DAD) probe a host sends, claiming
each address the host tries. The host then never obtains a usable address.
l Redirect attack
An attacker uses the link-layer address of the target node's default gateway as the source
address of a Redirect message sent to the target node. The message carries a nonexistent
next-hop address. After receiving the message, the target node sends packets to that next
hop, and the packets never reach their destinations.
l Parameter spoofing
An attacker impersonates a local router and sends a forged Router Advertisement (RA)
message to a target node. The forged RA message carries a fake network prefix with the
autonomous flag set. The target node performs stateless address autoconfiguration with the
fake prefix and uses the resulting IPv6 address as its source address when talking to other
hosts. Because the local router does not route that prefix, traffic returning to the target node
is discarded.
l Replay attack
An attacker captures valid ND messages and replays them later, so the target node processes
stale messages as if they were current.

SEND effectively defends against these security threats to secure neighbor discovery.

8.13.2 Mechanism
This section describes the IPv6 ND and SEND mechanisms.

8.13.2.1 IPv6 ND
IPv6 neighbor discovery (ND) uses ICMPv6 messages to implement address resolution, verify
neighbor reachability, detect duplicate addresses, discover routers and prefixes, automatically
assign addresses, and perform the redirection function.

Before a node uses an IPv6 address, ND checks that the address is not already in use on the
link. Routers use ND to advertise their addresses, prefixes, and other parameters to hosts and,
when a host sends packets through a suboptimal router, to notify the host of a better next hop
for that destination. Before forwarding an IPv6 packet to a neighbor, a node resolves the
neighbor's data link layer address and verifies that the neighbor is reachable.

The IPv6 ND mechanism provides five types of ICMPv6 messages:

l Router solicitation (RS): After startup, a host sends an RS message to request an RA
message from the routers on the link.
l Router advertisement (RA): A router replies to an RS message with an RA message and
also periodically sends RA messages carrying prefixes and flag bits.
l Neighbor solicitation (NS): An IPv6 node sends NS messages to obtain the data link layer
addresses of neighbors, check neighbor reachability, and detect duplicate addresses.
l Neighbor advertisement (NA): An IPv6 node responds to NS messages with NA messages.
A node also sends unsolicited NA messages when its data link layer address changes.
l Redirect: When a router has to forward a packet out of the same interface on which the
packet was received, the router sends a Redirect message to tell the host about a better
next hop.

Figure 8-109 shows the IPv6 ND process.

Figure 8-109 IPv6 ND process

Node A: IPv6 address 3000::1, MAC 00e0-fe20-1f66
Node B: IPv6 address 3000::2, MAC 00e0-fe20-1f67

Neighbor Solicitation (A to B)
IPv6 source: 3000::1
IPv6 destination: ff02::1:ff00:0002 (solicited-node multicast address of 3000::2)
Link-layer source: 00e0-fe20-1f66
Link-layer destination: 3333-ff00-0002

Neighbor Advertisement (B to A)
IPv6 source: 3000::2
IPv6 destination: 3000::1
Link-layer source: 00e0-fe20-1f67
Link-layer destination: 00e0-fe20-1f66

The IPv6 ND protocol delivers the following functions:

Duplicate Address Detection


Duplicate Address Detection (DAD) is a detection mechanism that identifies whether the IPv6
address is available. The implementation process is as follows:

1. If an IPv6 address is specified for a node, the node sends the NS message to check whether
the address is used by any neighbor.
2. When receiving the message, a neighbor node checks whether it has the same IPv6 address.
If it does, the neighbor node replies with an NA message that contains the IPv6 address to
the source node.
3. After the source node receives the reply message from the neighbor, the source node
considers that the IPv6 address is used by the neighbor. If the source node does not receive
the reply message from the neighbor, the IPv6 address is available.

Neighbor Discovery
The IPv6 ND function, similar to the IPv4 Address Resolution Protocol (ARP) function, resolves
neighbor addresses and detects neighbor reachability using NS and NA messages.

To obtain the data link layer address of another node on the same local link, a node sends an
ICMPv6 NS message of Type 135, which is similar to an IPv4 ARP request message. The NS
message is sent to a solicited-node multicast address rather than to a broadcast address. Only
nodes whose IPv6 address has the same least significant 24 bits as the multicast address
receive the NS message, which avoids the load that broadcast ARP places on every node on the
link. The destination node adds its data link layer address to an NA message.

The NS message is also used to check the reachability of the neighbor with a known data link
layer address. The IPv6 NA message is sent in response to the IPv6 NS message. After receiving
the ICMPv6 NS message, the destination node replies with an ICMPv6 NA message of Type
136 on the local link. After the ICMPv6 NA message is received, the source and destination
nodes can communicate. A node also sends an NA message if its data link layer address on the
local link is changed.
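The address resolution exchange just described, as an added example that is not part of the Huawei guide: a Python script that derives the solicited-node multicast group and its Ethernet MAC for a target, builds the NS and NA of Figure 8-109 with a correct ICMPv6 checksum, and parses them back. The function and variable names are the example's own; the addresses 3000::1 and 3000::2 and the two MACs are the figure's values.

```python
import ipaddress
import struct

ICMPV6_NS, ICMPV6_NA = 135, 136          # ICMPv6 types: Neighbor Solicitation / Advertisement
OPT_SRC_LLADDR, OPT_TGT_LLADDR = 1, 2    # ND option types: source / target link-layer address


def mac_bytes(mac: str) -> bytes:
    """Accept 00e0-fe20-1f66 (the notation used in this guide) or 00:e0:fe:20:1f:66."""
    return bytes.fromhex(mac.replace("-", "").replace(":", ""))


def mac_str(raw: bytes) -> str:
    h = raw.hex()
    return f"{h[:4]}-{h[4:8]}-{h[8:]}"


def solicited_node_multicast(target: str) -> ipaddress.IPv6Address:
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low-order 24 bits of the target address."""
    low24 = ipaddress.IPv6Address(target).packed[-3:]
    return ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low24)


def ipv6_multicast_mac(group: ipaddress.IPv6Address) -> str:
    """Ethernet destination for an IPv6 multicast group: 33-33 followed by the low-order 32 bits."""
    return mac_str(b"\x33\x33" + group.packed[-4:])


def icmpv6_checksum(src: str, dst: str, message: bytes) -> int:
    """RFC 4443 checksum over the IPv6 pseudo-header (src, dst, length, next header 58) and the message.
    Over a message that already carries its checksum the result is 0."""
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I", len(message)) + b"\x00\x00\x00\x3a")
    data = pseudo + message
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def with_checksum(src: str, dst: str, body: bytes) -> bytes:
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def build_ns(src_ip: str, src_mac: str, target: str) -> tuple:
    """NS (type 135): reserved(4) | target(16) | option 1 = sender's link-layer address.
    Returns (destination address, message)."""
    dst = str(solicited_node_multicast(target))
    body = (struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + ipaddress.IPv6Address(target).packed
            + struct.pack("!BB", OPT_SRC_LLADDR, 1) + mac_bytes(src_mac))
    return dst, with_checksum(src_ip, dst, body)


def build_na(src_ip: str, src_mac: str, dst_ip: str, solicited: bool = True, override: bool = True) -> bytes:
    """NA (type 136): R/S/O flags in the top bits of the first reserved byte | target(16) | option 2."""
    flags = (0x40 if solicited else 0) | (0x20 if override else 0)
    body = (struct.pack("!BBHB3x", ICMPV6_NA, 0, 0, flags) + ipaddress.IPv6Address(src_ip).packed
            + struct.pack("!BB", OPT_TGT_LLADDR, 1) + mac_bytes(src_mac))
    return with_checksum(src_ip, dst_ip, body)


def parse_nd(src_ip: str, dst_ip: str, message: bytes) -> dict:
    """Validate the checksum and decode an NS/NA: target address, NA flags, link-layer address option."""
    if len(message) < 24:
        raise ValueError("truncated ND message")
    if icmpv6_checksum(src_ip, dst_ip, message) != 0:
        raise ValueError("bad ICMPv6 checksum")
    mtype, code = message[0], message[1]
    if mtype not in (ICMPV6_NS, ICMPV6_NA) or code != 0:
        raise ValueError("not an NS/NA message")
    info = {"type": mtype, "target": str(ipaddress.IPv6Address(message[8:24])), "lladdr": None}
    if mtype == ICMPV6_NA:
        info["flags"] = {"R": bool(message[4] & 0x80), "S": bool(message[4] & 0x40), "O": bool(message[4] & 0x20)}
    pos = 24
    while pos + 2 <= len(message):            # options are TLVs; the length is in units of 8 octets
        otype, olen = message[pos], message[pos + 1] * 8
        if olen == 0 or pos + olen > len(message):
            raise ValueError("malformed ND option")   # RFC 4861: a zero-length option means drop the packet
        if otype in (OPT_SRC_LLADDR, OPT_TGT_LLADDR) and olen == 8:
            info["lladdr"] = mac_str(message[pos + 2:pos + 8])
        pos += olen
    return info


if __name__ == "__main__":
    dst, ns = build_ns("3000::1", "00e0-fe20-1f66", "3000::2")
    print("NS to", dst, ipv6_multicast_mac(solicited_node_multicast("3000::2")), parse_nd("3000::1", dst, ns))
    na = build_na("3000::2", "00e0-fe20-1f67", "3000::1")
    print("NA", parse_nd("3000::2", "3000::1", na))
```

Nothing in this exchange authenticates the link-layer address carried in the NA: a node that answers with another node's MAC (the NS/NA spoofing threat in 8.13.1) produces a message that checksums and parses exactly like a genuine one. The checksum only catches transit corruption, which is the gap the CGA and RSA Signature options of SEND close.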

Router Discovery
The RD function locates neighbor routing devices and learns the prefixes and parameters for
address autoconfiguration. The IPv6 RD function is implemented using the following
mechanism:

l Router solicitation
When a host has no unicast address yet (for example, just after it restarts), the host sends
an RS message. The RS message prompts the routers on the link to answer immediately, so
the host can complete autoconfiguration without waiting for the next periodic RA message.
The IPv6 RS message is an ICMPv6 message of Type 133.
l Router advertisement
After IPv6 RA is configured on interfaces of a routing device, the routing device
periodically sends an RA message. After receiving an RS message from an IPv6 node on
the local link, a routing device replies with an RA message. The IPv6 RA message is sent
to the multicast address (FF02::1) of all nodes or to the IPv6 unicast address of the node
that sends the RS message. The IPv6 RA message is an ICMPv6 message of Type 134. The
IPv6 RA message includes the following contents:
– Whether address autoconfiguration is enabled or disabled
– Supported autoconfiguration type, stateless or stateful
– One or multiple local link prefixes: The nodes on the local link can implement address
autoconfiguration using these prefixes.
– Lifetime of an advertised prefix of the local link
– Whether the router that sends an RA message can serve as a default routing device. If
the router serves as a default routing device, the time (in seconds) for the router serving
as the default routing device is included.
– Other information about the host, including the hop limit and MTU specified for
messages initiated by the host.
The IPv6 node on the local link receives an RA message and obtains the default routing
device, prefix list, and other settings.

Address Autoconfiguration
By using RA messages and identifying each prefix, a routing device can instruct the host how
to implement the address autoconfiguration. For example, the routing device can configure the
host to use the stateful (DHCPv6) address setting or stateless address autoconfiguration.

If the stateless address autoconfiguration is used and an RA message arrives, the host
automatically generates an IPv6 address by using the prefix and local interface ID carried in the
message and sets the default routing device.

Redirection
A Redirect message notifies a host of the better next-hop IPv6 address for a destination. As in
IPv4, a routing device sends a Redirect message only to point the host at a better routing device
on the same link, and the host then sends subsequent packets for that destination to the new
routing device. Redirect messages are generated only for unicast traffic and are sent to, and
processed by, only the host that originated the packet that triggered the redirection.

8.13.2.2 IPv6 SEND


This section describes the IPv6 Secure Neighbor Discovery (SEND) protocol.

SEND, an enhancement of IPv6 ND, introduces the following new ND options (extension fields)
and message types:

l Extension fields: Cryptographically Generated Address (CGA), Rivest-Shamir-Adleman (RSA)
Signature, Timestamp, and Nonce
l Message types: Certification Path Solicitation (CPS) and Certification Path Advertisement
(CPA)

SEND supports the following enhanced security functions:

l Address ownership verification


A CGA binds an IPv6 address to the public key of the node that owns it, so that the
address cannot be taken over by another node. The communicating parties generate and
verify CGA information, which prevents address spoofing and defends against Neighbor
Solicitation (NS)/Neighbor Advertisement (NA) spoofing and duplicate address detection
(DAD) attacks.
l Message protection
The communicating parties use RSA signatures to protect message integrity and verify the
sender. They also check the Timestamp and Nonce fields, which enforce message freshness
and ordering and defend against replay attacks.
l Router authorization
Certificate authentication verifies router identities, which prevents attackers from sending
packets in the name of a router and defends against Redirect attacks and parameter spoofing.

CGA
A CGA is an IPv6 address whose interface ID is derived by hashing the node's public key
together with auxiliary parameters. A node discards packets that fail CGA verification to
defend against spoofing attacks. CGAs are used together with the RSA signature mechanism
to protect packet integrity.

The procedure for generating a CGA and an RSA signature on a node is as follows:

1. Obtains an RSA key pair.
2. Generates the CGA parameter data structure, which includes the public key, a random
modifier, the subnet prefix, and a collision count.
3. Computes a hash value over the CGA parameter data structure. The leftmost 64 bits of the
hash form the interface ID.
4. Generates the CGA by concatenating the subnet prefix and the interface ID.
5. Builds the ND packet with the CGA as its source IP address, carries the CGA parameter data
structure in the CGA option, signs the packet with the private key, and places the signature
in the RSA Signature option.

After receiving a packet with CGA and RSA options, a node authenticates the packet as follows:

1. Obtains the CGA parameter data structure from the CGA option.
2. Computes a hash value over the CGA parameter data structure; the leftmost 64 bits of the
hash are the expected interface ID.
3. Checks whether the computed interface ID matches the interface ID in the source IP address
of the packet and whether the subnet prefix in the parameters matches the address.
4. Obtains the public key from the CGA parameter data structure to verify the RSA
signature.
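The generation and verification steps above carried out in Python, as an added example that is not Huawei code: RFC 3972 CGA generation and verification using only hashlib. DEMO_PUBLIC_KEY is a constructed byte string standing in for the DER-encoded RSA public key that real CGA parameters carry; the RSA Signature option (signing the ND message with the private key) is not shown because it needs an RSA library. All names are the example's own.

```python
import hashlib
import ipaddress
import os

# Constructed stand-in for the DER-encoded RSA public key in the CGA Parameters.
# Any byte string exercises the hash arithmetic; it is not a usable key.
DEMO_PUBLIC_KEY = hashlib.sha256(b"demo RSA SubjectPublicKeyInfo").digest()


def hash1(params: bytes) -> bytes:
    """Hash1: leftmost 64 bits of SHA-1 over the complete CGA Parameters."""
    return hashlib.sha1(params).digest()[:8]


def hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    """Hash2: SHA-1 over the parameters with subnet prefix and collision count zeroed;
    its 16*sec leftmost bits must be zero (the hash-extension work factor)."""
    h2 = hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def cga_generate(prefix: str, pubkey: bytes, sec: int = 0, modifier: bytes = None, collision_count: int = 0):
    """RFC 3972 section 4. Returns (address, CGA Parameters) for the given subnet prefix and public key."""
    if not 0 <= sec <= 7 or not 0 <= collision_count <= 2:
        raise ValueError("sec is 0..7 and the collision count is 0..2")
    subnet = ipaddress.IPv6Network(prefix, strict=False).network_address.packed[:8]
    modifier = os.urandom(16) if modifier is None else modifier
    while not hash2_ok(modifier, pubkey, sec):        # brute-force search, 2^(16*sec) expected tries
        modifier = ((int.from_bytes(modifier, "big") + 1) % (1 << 128)).to_bytes(16, "big")
    params = modifier + subnet + bytes([collision_count]) + pubkey
    iid = bytearray(hash1(params))
    iid[0] = (sec << 5) | (iid[0] & 0x1C)             # sec in bits 0-2, u/g bits (6 and 7) cleared
    return ipaddress.IPv6Address(subnet + bytes(iid)), params


def cga_verify(address: str, params: bytes) -> bool:
    """RFC 3972 section 5: is this address bound to the public key carried in the parameters?"""
    addr = ipaddress.IPv6Address(address)
    if len(params) < 25:
        return False
    modifier, subnet, collision_count, pubkey = params[:16], params[16:24], params[24], params[25:]
    if collision_count > 2 or subnet != addr.packed[:8]:
        return False
    iid = addr.packed[8:]
    sec = iid[0] >> 5                                  # sec travels in the address itself
    h1 = hash1(params)
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    return hash2_ok(modifier, pubkey, sec)


if __name__ == "__main__":
    address, params = cga_generate("2001:db8::/64", DEMO_PUBLIC_KEY, sec=1)
    print(address, cga_verify(str(address), params))
```

The sec value (0 to 7) trades generation cost for brute-force resistance: each step makes it 2^16 times more expensive for an attacker to find a key pair that hashes to an existing address, while the verifier's cost stays constant. The parameters also fail verification when presented for any other address or with a different key, which is what stops NS/NA spoofing and DAD attacks against a CGA.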

After a CGA is generated, ND packets to be sent by the interface must meet the following
requirements:

l NS (excluding DAD messages), NA, RA, and Redirect messages carry CGAs as source
addresses.
l NS, NA, RA, and Redirect messages carry the following options:
– CGA option: contains the CGA parameter data structure.
– RSA option: contains signatures.
– Timestamp option: the number of seconds elapsed since January 1, 1970, 00:00 UTC
time.
l The NS message carries the Nonce option that contains a random number. The NA message
responding to the NS message also carries the same Nonce option.

Timestamp
A SEND-enabled node uses the Timestamp option carried in ND messages to defend against replay
of messages that are not part of an NS/NA exchange, such as RA and Redirect messages. After
receiving an ND message, the node checks the timestamp as specified in RFC 3971 and discards
messages that are out of date or out of order.

Nonce
Nonce is a random value that serves as a label of a current session. Nonce is used to defend
against replay attacks during NS/NA message transactions. A node generates a random value
and adds it to NS messages before sending the NS messages to request link-layer addresses of
other nodes. After receiving the NS messages, the receivers send NA messages that carry the
same random value in the received NS messages.

Router Authorization
To prevent attackers from sending packets in the name of routers, SEND introduces CPS and
CPA messages to verify router identities.

Routers must apply for certificates from the Certificate Authority (CA). The certificates contain
routers' identity information, public keys, and CA digital signatures.

In the stateless address autoconfiguration scenario, after receiving an RA message, a host sends
a CPS message to request the certificate of a router. The router responds by sending its certificate
in a CPA message. After receiving the CPA message, the host attempts to authenticate the
certificate and considers the router as a default router only after the certificate is successfully
authenticated.

8.13.3 Configuring IPv6 ND


This section describes how to configure IPv6 ND.

8.13.3.1 Configuring a Static Neighbor


A static neighbor entry manually binds a neighbor's IPv6 address to its link-layer address on an
interface, so the local device can reach the neighbor without relying on dynamically learned
NS/NA information.

Prerequisites
Before configuring a static neighbor, configure the IPv6 address for an interface.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the interface view.


interface interface-type interface-number

Step 3 Specify a static neighbor.


ipv6 neighbor ipv6-address mac-address

----End

Follow-up Procedure
Run the display ipv6 neighbors command to check the cache of the neighbor information
containing neighbors' IPv6 addresses and the specified interfaces.
<NGFW> display ipv6 neighbors GigabitEthernet 1/0/1
IPv6 Addr: FE80::222:A1FF:FE01:B23C Link-layer: 0022-a101-b23c
State : STALE Interface : GE1/0/1
Age : 3 VLAN : -

IPv6 Addr: 8000::2 Link-layer: 0022-a101-b23c


State : REACH Interface : GE1/0/1
Age : - VLAN : -

-----------------------------------------------------------------------------
Total:2 Dynamic:1 Static:1

8.13.3.2 Configuring RA Message Advertisement


After RA advertisement is enabled on an interface, the device periodically sends RA messages,
which carry the prefix option and flag bits, to announce itself as a router on the link. RA
advertisement is halted by default and is enabled with undo ipv6 nd ra halt.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the interface view.


interface interface-type interface-number

Step 3 Enable the interface to advertise RA messages.


undo ipv6 nd ra halt

Step 4 Optional: Set the interval at which RA messages are advertised.


ipv6 nd ra { max-interval maximum-interval | min-interval minimum-interval }

By default, the maximum interval is 600 seconds, and the minimum interval is 200 seconds. The
maximum interval cannot be shorter than the minimum interval.

----End

Follow-up Procedure
Run the display ipv6 interface command to view the interval at which RA messages are
advertised.
<NGFW> display ipv6 interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::222:A1FF:FE00:2259
Global unicast address(es):
2001:1::1:1, subnet is 2001:1::/64
2002:1::222:A1FF:FE00:2259, subnet is 2002:1::/64
Joined group address(es):
FF02::1:FF01:1
FF02::9
FF02::1:FF00:2259
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 0 (unspecified)
ND advertised retransmit interval is 0 (unspecified)
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses

8.13.3.3 Configuring RA Message Parameters


You can configure whether to send RA messages and the interval at which RA messages are
sent on an interface. Moreover, you can set parameters in RA messages to be sent to a host. After
receiving RA messages, the host can use these parameters to perform operations.

Context
Table 8-125 lists the description of parameters in an RA message.

Table 8-125 Description of parameters in an RA message

Parameter Description

Cur Hop Limit Maximum number of hops. A host copies this value into the Hop Limit field of
the IPv6 packets it sends, and the same value appears in the Hop Limit field of the response
packets.

Prefix Information IPv6 address prefix. A host on the same link as the device can use an
advertised prefix to perform stateless address autoconfiguration.

M flag Whether stateful or stateless autoconfiguration is used to obtain an IPv6 address:
l 1: Stateful autoconfiguration (for example, through a DHCPv6 server) is used.
l 0: Stateless autoconfiguration is used.

O flag Whether stateful or stateless autoconfiguration is used to obtain configuration
information other than the IPv6 address (for example, DNS server addresses):
l 1: Stateful autoconfiguration (for example, through a DHCPv6 server) is used.
l 0: Stateless autoconfiguration is used.

Router Lifetime How long, in seconds, the router that advertises the RA message may be used
as the default router. A host uses this value to decide whether to keep the advertising router
as its default router; a lifetime of 0 means the router is not a default router.

Retrans Timer Interval between NS message retransmissions. A device re-sends an NS message
if no response is received before the interval elapses.

Reachable Time Neighbor unreachability detection (NUD) interval. After a device confirms that
a neighbor is reachable, it treats the neighbor as reachable for this time without probing
again; after the time elapses, it checks neighbor reachability again.

Procedure
Step 1 Access the system view.
system-view

Step 2 Set the ND hop limit.


ipv6 nd hop-limit limit

The default ND hop limit is 64.

Step 3 Access the interface view.


interface interface-type interface-number

Step 4 Set the prefix of RA messages.


ipv6 nd ra prefix { ipv6-address ipv6-prefix-length | [ prefix-name ] ipv6-prefix/
ipv6-prefix-length } valid-lifetime preferred-lifetime [ no-autoconfig ] [ off-
link ]

By default, no prefix is configured for RA messages, and the prefix of the IPv6 address of the
interface that sends the RA messages is advertised.

Step 5 Set the autoconfiguration flag bit for obtaining an IPv6 address to 1.
ipv6 nd autoconfig managed-address-flag

By default, the flag bit is set to 0, which enables a host to use stateless autoconfiguration to
obtain its IPv6 address.

If the flag bit is set to 1, the host uses stateful autoconfiguration to obtain its IPv6 address.

Step 6 Set the autoconfiguration flag bit for obtaining information excluding an IPv6 address.
ipv6 nd autoconfig other-flag

By default, the flag bit is set to 0, which enables a host to use stateless autoconfiguration to
obtain other information.

If the flag bit is set to 1, a host uses stateful autoconfiguration to obtain other information.

Step 7 Set the lifetime of RA messages.


ipv6 nd ra router-lifetime ra-lifetime

The default lifetime is 1800 seconds.

The interval at which RA messages are advertised must be less than or equal to the router
lifetime; otherwise, hosts remove the router from their default router lists before the next RA
message arrives.

Step 8 Set the interval at which NS messages are re-sent.


ipv6 nd ns retrans-timer value

The default interval is 1000 milliseconds.

Step 9 Set the neighbor unreachability detection (NUD) interval.


ipv6 nd nud reachable-time value

The default NUD interval is 30000 milliseconds.

----End
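An added example, not taken from the guide, that encodes and decodes the RA fields of Table 8-125 in Python and checks a received RA against the policy configured for the link. The sample values (prefix 2001:1::/64, router lifetime 1800, reachable time 30000 ms, retransmit timer 1000 ms, M and O flags set) follow the display ipv6 interface output in the Follow-up Procedure; the prefix lifetimes and the set of allowed prefixes are assumptions, as are all function names. The ICMPv6 checksum is left at zero because the sender computes it over the IPv6 pseudo-header.

```python
import ipaddress
import struct

ICMPV6_RA = 134
OPT_PREFIX_INFO, OPT_MTU = 3, 5


def build_ra(cur_hop_limit=64, m_flag=False, o_flag=False, router_lifetime=1800,
             reachable_ms=0, retrans_ms=0, prefixes=(), mtu=None) -> bytes:
    """Encode an RA (RFC 4861 4.2). prefixes: (prefix, valid_lifetime, preferred_lifetime, on_link, autonomous)."""
    flags = (0x80 if m_flag else 0) | (0x40 if o_flag else 0)
    msg = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, cur_hop_limit, flags,
                      router_lifetime, reachable_ms, retrans_ms)
    for prefix, valid, preferred, on_link, autonomous in prefixes:
        net = ipaddress.IPv6Network(prefix, strict=False)
        pflags = (0x80 if on_link else 0) | (0x40 if autonomous else 0)
        msg += struct.pack("!BBBBII4x", OPT_PREFIX_INFO, 4, net.prefixlen, pflags,
                           valid, preferred) + net.network_address.packed
    if mtu is not None:
        msg += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    return msg


def parse_ra(msg: bytes) -> dict:
    """Decode the RA header fields of Table 8-125 plus the Prefix Information and MTU options."""
    if len(msg) < 16 or msg[0] != ICMPV6_RA or msg[1] != 0:
        raise ValueError("not a Router Advertisement")
    hop_limit, flags, lifetime, reachable, retrans = struct.unpack("!BBHII", msg[4:16])
    ra = {
        "cur_hop_limit": hop_limit,
        "m_flag": bool(flags & 0x80),       # 1: addresses via stateful DHCPv6
        "o_flag": bool(flags & 0x40),       # 1: other configuration via DHCPv6
        "router_lifetime": lifetime,        # seconds; 0 = not a default router
        "reachable_time_ms": reachable,     # 0 = unspecified
        "retrans_timer_ms": retrans,        # 0 = unspecified
        "prefixes": [],
        "mtu": None,
    }
    pos = 16
    while pos + 2 <= len(msg):               # options: type, length in 8-octet units, body
        otype, olen = msg[pos], msg[pos + 1] * 8
        if olen == 0 or pos + olen > len(msg):
            raise ValueError("malformed ND option")
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen, pflags, valid, preferred = struct.unpack("!BBII", msg[pos + 2:pos + 12])
            prefix = ipaddress.IPv6Address(msg[pos + 16:pos + 32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{plen}",
                "on_link": bool(pflags & 0x80),      # L flag
                "autonomous": bool(pflags & 0x40),   # A flag: prefix may be used for SLAAC
                "valid_lifetime": valid,
                "preferred_lifetime": preferred,
            })
        elif otype == OPT_MTU and olen == 8:
            ra["mtu"] = struct.unpack("!I", msg[pos + 4:pos + 8])[0]
        pos += olen
    return ra


def ra_anomalies(ra: dict, allowed_prefixes, expect_m_flag: bool, expect_o_flag: bool) -> list:
    """Compare a received RA with the policy configured for the link (assumed policy);
    any finding marks a candidate forged RA of the parameter-spoofing kind."""
    findings = []
    if ra["m_flag"] != expect_m_flag or ra["o_flag"] != expect_o_flag:
        findings.append("M/O flags differ from the configured autoconfiguration mode")
    for p in ra["prefixes"]:
        if p["autonomous"] and p["prefix"] not in allowed_prefixes:
            findings.append(f"unexpected autonomous prefix {p['prefix']}")
        if p["preferred_lifetime"] > p["valid_lifetime"]:
            findings.append(f"preferred lifetime exceeds valid lifetime for {p['prefix']}")
    return findings


if __name__ == "__main__":
    ra = build_ra(64, True, True, 1800, 30000, 1000, [("2001:1::/64", 2592000, 604800, True, True)], 1500)
    print(parse_ra(ra), ra_anomalies(parse_ra(ra), {"2001:1::/64"}, True, True))
```

A host accepts whichever RA it hears, so the check belongs on the device or a monitoring point that sees the link, not on the host. Comparing the advertised prefixes, lifetimes, and M/O flags against the values configured with the commands above is the simplest way to notice a forged RA before SEND router authorization is in place.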

Follow-up Procedure
Run the display ipv6 interface command to view RA message parameters.
<NGFW> display ipv6 interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::222:A1FF:FE00:2259
Global unicast address(es):
2001:1::1:1, subnet is 2001:1::/64
2002:1::222:A1FF:FE00:2259, subnet is 2002:1::/64
Joined group address(es):
FF02::1:FF01:1
FF02::9
FF02::1:FF00:2259
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 30000 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
Hosts use DHCP to obtain routable addresses.
Hosts use DHCP to obtain other configuration.

8.13.3.4 Configuring DAD


This section describes how to configure duplicate address detection (DAD). After obtaining an
IPv6 address, an interface sends a DAD message.

Context
DAD is a process of IPv6 automatic address configuration. You can configure the number of
DAD messages that can be sent.

After an IPv6 address is configured on or derived by an interface, the interface sends an NS
message for the address (a DAD probe) to the solicited-node multicast group. If no NA response
arrives within the interval set by the ipv6 nd ns retrans-timer command, the interface sends
the probe again. Once the configured number of probes has been sent without any response, the
address is considered unique and becomes usable.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the interface view.


interface interface-type interface-number

Step 3 Set the number of times when DAD messages can be sent.
ipv6 nd dad attempts value

The default value is 1. The value 0 indicates that no DAD message is sent, so the interface uses
the address without checking whether another node on the link already has it.

----End

Follow-up Procedure
Run the display ipv6 interface command to view the number of DAD messages that can be
sent.
<NGFW> display ipv6 interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::222:A1FF:FE00:2259
Global unicast address(es):
2001:1::1:1, subnet is 2001:1::/64
2002:1::222:A1FF:FE00:2259, subnet is 2002:1::/64
Joined group address(es):
FF02::1:FF01:1
FF02::9
FF02::1:FF00:2259
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND advertised reachable time is 30000 milliseconds
ND advertised retransmit interval is 1000 milliseconds
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
Hosts use DHCP to obtain routable addresses.
Hosts use DHCP to obtain other configuration.

8.13.3.5 Configuring Stateless Address Autoconfiguration


Stateless address autoconfiguration allows an interface to obtain an IPv6 prefix and derive an
EUI-64 IPv6 address.

Prerequisites
Before you configure stateless address autoconfiguration, complete the following tasks:
l Enable IPv6 on the interface, configure a link-local address, and bring the interface up. For
details, see 8.1 Interface and Interface Pair.
l Configure a global unicast address or link-local address, specify a prefix for RA
advertisement, and enable RA advertisement on a peer router. For details, see 8.13.3.2
Configuring RA Message Advertisement and 8.13.3.3 Configuring RA Message
Parameters.
NOTE

The prefix advertised in RA messages must be 64 bits or shorter for stateless address
autoconfiguration.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the interface view.


interface interface-type interface-number

Step 3 Enable stateless address autoconfiguration.


ipv6 address autoconfig

----End

Follow-up Procedure
# Run the display ipv6 auto-configuration prefix all command to view IPv6 prefixes and
derived IPv6 addresses of all interfaces.
<NGFW> display ipv6 auto-configuration prefix all
Current Total Autoconfig Prefix Number: 1
-----------------------------------------------------------------------------
Index : 1
Interface name : GigabitEthernet1/0/1


Prefix : 3001::/64
IPv6 address : 3001::200:5EFF:FE5C:8900
Preferred Lifetime(sec) : 604800
Preferred Lifetime Left(sec): 604750
Valid Lifetime(sec) : 2592000
Valid Lifetime Left(sec) : 2591950
Link-local address of router: FE80::200:5EFF:FE87:4003
-----------------------------------------------------------------------------

The preceding command output shows that the automatically obtained prefix is 3001::/64 and that
the IPv6 address derived from it is 3001::200:5EFF:FE5C:8900.
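
How such an address is derived from the prefix, as an added Python example that is not part of the guide: it implements the modified EUI-64 interface identifier construction (RFC 4291, Appendix A) together with the inverse mapping that recovers the MAC address from the resulting address. The MAC addresses used are constructed values chosen to match the interface IDs shown in the command outputs of this section, and the code assumes a 64-bit prefix, since the identifier it appends is 64 bits wide.

```python
# Added example, not from the Huawei guide: modified EUI-64 derivation used by
# stateless address autoconfiguration (RFC 4291, Appendix A).
import ipaddress


def modified_eui64(mac: str) -> bytes:
    """Build the 64-bit interface identifier from a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must have 6 octets")
    # Insert FF:FE between the OUI and the device-specific half, then invert the
    # universal/local bit (bit 1 of the first octet, value 0x02).
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def slaac_address(prefix: str, mac: str) -> str:
    """Combine an advertised prefix with the EUI-64 interface identifier.

    The identifier is 64 bits wide, so the advertised prefix must be a /64."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + modified_eui64(mac)))


def mac_from_eui64(address: str) -> str:
    """Recover the MAC address embedded in an EUI-64 address."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        raise ValueError("interface identifier is not in modified EUI-64 format")
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    # Constructed MAC addresses that reproduce the interface IDs shown in the
    # command outputs of this section.
    print(slaac_address("3001::/64", "00:00:5e:5c:89:00"))    # 3001::200:5eff:fe5c:8900
    print(slaac_address("fe80::/64", "00:22:a1:00:22:59"))    # fe80::222:a1ff:fe00:2259
    print(mac_from_eui64("2002:1::222:a1ff:fe00:2259"))       # 00:22:a1:00:22:59
```

Because the MAC address is recoverable from the address, an EUI-64 address identifies the hardware across networks and over time; this is worth keeping in mind before exposing autoconfigured addresses on untrusted links.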

After the IPv6 address is obtained, the device automatically creates a default route whose next
hop is the link-local address of the advertising router.

# Run the display ipv6 auto-configuration default-route-table command to view the default
routing information.
<NGFW> display ipv6 auto-configuration default-route-table
Current Total Autoconfig Default Route Number: 1
-----------------------------------------------------------------------------
Index : 1
Interface name : GigabitEthernet1/0/1
Cur Hop Limit : 64
MTU : 1500
Reachable Time(ms) : 30000
Retrans Timer(ms) : 1000
Router Lifetime(sec) : 1800
Router Lifetime Left(sec) : 1599
Route Preference : 65
Link-local address of router: FE80::200:5EFF:FE87:4003
-----------------------------------------------------------------------------

# Run the display ipv6 routing-table or display ipv6 fib command to view the default routing
information. The output is not provided here.

8.13.4 Configuring IPv6 SEND


You can configure IPv6 Secure Neighbor Discovery (SEND) to drop forged ND packets, which increases ND security.

8.13.4.1 Configuring the CGA


This section describes how to configure a cryptographically generated address (CGA). Two
communicating parties verify each other's CGAs to defend against address spoofing
attacks.

Context
A CGA is an IPv6 address whose interface ID is derived from a cryptographic hash of the sender's
public key and other parameters, so that only the holder of the matching private key can prove
ownership of the address. Nodes discard packets that fail CGA verification, which defends against
address spoofing attacks. An RSA (Rivest-Shamir-Adleman) signature over the message additionally
protects its integrity.

The procedure for generating the CGA and RSA signature on a node is as follows:

1. Obtains an RSA key pair.
2. Generates the CGA parameters data structure, which includes the public key, the subnet prefix,
a modifier, and a collision count.
3. Computes the hash value (Hash1) over the CGA parameters data structure and takes the leftmost
64 bits as the interface ID. The three leftmost bits of the interface ID are set to the security
level (sec) and the "u" and "g" bits are set to zero.
4. Generates the CGA by combining the subnet prefix with the interface ID.
5. Builds the ND message with the CGA as the source IP address, places the CGA parameters data
structure in the CGA option, signs the message with the private key, and places the signature in
the RSA Signature option.

After receiving a message with CGA and RSA Signature options, a node verifies it as follows:

1. Obtains the CGA parameters data structure from the CGA option and checks that its subnet
prefix matches the prefix of the source IP address.
2. Computes Hash1 over the CGA parameters data structure and takes the leftmost 64 bits as the
interface ID.
3. Checks whether the computed interface ID matches the interface ID of the source IP address
(ignoring the sec, "u", and "g" bits).
4. Obtains the public key from the CGA parameters data structure and verifies the RSA
signature with it.
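
The generation and verification steps above, as an added Python example that is not code from the guide or from the NGFW: it follows RFC 3972 (Hash1, Hash2, the sec value, the modifier search and the collision count) and stops where RSA signature verification would begin. The public key is a constructed byte string standing in for a DER-encoded RSA key, and the `in_use` set stands in for the DAD exchange that detects an address already present on the link.

```python
# Added example, not from the Huawei guide: CGA generation and verification
# following RFC 3972. The RSA public key is a constructed byte string standing
# in for the DER-encoded key that a real implementation would embed.
import hashlib
import ipaddress

SEC_MASK = 0b11100000      # the three leftmost bits of the interface ID carry the Sec value
UG_MASK = 0b00000011       # the "u" and "g" bits (bits 6 and 7) are forced to zero
CMP_MASK = 0xFF & ~(SEC_MASK | UG_MASK)   # bits of byte 0 that must match Hash1


def hash2_ok(modifier: bytes, pubkey_and_ext: bytes, sec: int) -> bool:
    """Hash2 = SHA-1(modifier || 9 zero bytes || public key || extensions);
    its leftmost 16*Sec bits must be zero (vacuous for Sec = 0)."""
    h2 = hashlib.sha1(modifier + bytes(9) + pubkey_and_ext).digest()
    return h2[: 2 * sec] == bytes(2 * sec)


def cga_sec(address: str) -> int:
    """Sec value encoded in the three leftmost bits of the interface ID."""
    return ipaddress.IPv6Address(address).packed[8] >> 5


def generate_cga(prefix: str, pubkey: bytes, sec: int = 0,
                 modifier: bytes = bytes(16), in_use=frozenset()):
    """Return (address, cga_parameters). `in_use` stands in for DAD: if the
    derived address is already on the link, the collision count is incremented
    and the address recomputed (RFC 3972 allows at most two retries)."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or not 0 <= sec <= 7:
        raise ValueError("CGA needs a /64 prefix and Sec in 0..7")
    subnet = net.network_address.packed[:8]
    # Search for a modifier that satisfies the Hash2 condition; the expected
    # number of SHA-1 computations grows by 2**16 for each step of Sec.
    mod = int.from_bytes(modifier, "big")
    while not hash2_ok(mod.to_bytes(16, "big"), pubkey, sec):
        mod = (mod + 1) % (1 << 128)
    modifier = mod.to_bytes(16, "big")
    for collision in range(3):
        params = modifier + subnet + bytes([collision]) + pubkey
        iid = bytearray(hashlib.sha1(params).digest()[:8])   # Hash1, leftmost 64 bits
        iid[0] = (iid[0] & CMP_MASK) | (sec << 5)            # set Sec, clear u/g bits
        address = str(ipaddress.IPv6Address(subnet + bytes(iid)))
        if address not in in_use:
            return address, params
    raise RuntimeError("three collisions: configuration error or an attack in progress")


def verify_cga(address: str, params: bytes) -> bool:
    """Check that `params` (the CGA option payload) binds the public key it
    carries to `address`. The RSA Signature option would then be verified with
    the public key found in params[25:]; that step is not implemented here."""
    addr = ipaddress.IPv6Address(address).packed
    if len(params) < 25:
        return False
    modifier, subnet, collision = params[:16], params[16:24], params[24]
    if collision > 2 or subnet != addr[:8]:
        return False
    h1 = hashlib.sha1(params).digest()[:8]
    if (h1[0] & CMP_MASK) != (addr[8] & CMP_MASK) or h1[1:] != addr[9:]:
        return False
    return hash2_ok(modifier, params[25:], cga_sec(address))


if __name__ == "__main__":
    key = b"\x30\x82\x01\x22" + bytes(range(256)) + b"\x02\x03\x01\x00\x01"  # constructed
    addr, params = generate_cga("2001:db8:1::/64", key, sec=1)
    print(addr, verify_cga(addr, params))
```

The sec value is read from the address itself during verification, so a receiver accepts whatever level the sender chose; the level only changes how much work an attacker needs to find a second key that hashes to the same interface ID, which is why a higher sec-level costs more time when the parameters are generated.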

After CGAs are generated, the interface sends ND packets based on the following rules:

l The CGA is the source IP address of the NS (excluding DAD messages, which use the
unspecified address), NA, RA, and Redirect messages sent by the interface.
l The NS, NA, RA, and Redirect messages sent by the interface all carry the following
options:
– CGA option: contains the CGA parameters data structure.
– RSA Signature option: contains the signature.
– Timestamp option: the number of seconds since January 1, 1970, 00:00 UTC, that is, the
current time of the device.
l The NS message sent by the interface carries the Nonce option containing a random number.
The NA message sent in reply also carries the Nonce option, with the nonce value copied
from the received NS message.
NOTE

Content in the Timestamp and Nonce options is automatically generated.

Procedure
Step 1 Access the system view.
system-view

Step 2 Set the local public and private key pair.

rsa local-key-pair create

NOTICE
After the command is executed, you are prompted to enter the length of the host key. To enhance
security, use a host key longer than 1024 bits; the 2048-bit default is appropriate.

Step 3 Set CGA parameters.

ipv6 cga-parameters { create label key-label [ sec-level value ] | destroy label key-label }


The value parameter specifies the security level (sec value) of the CGA parameters. The value
can be 0 or 1. The default value is 0. A larger value makes it more expensive for an attacker to
find a key that hashes to the same address, but generating the CGA parameters also takes longer,
because the device must search for a modifier that satisfies the Hash2 condition in RFC 3972.

After the command is executed, the CGA parameter file key-label.cga.params is generated from
the RSA key pair, the specified security level, and the algorithm in RFC 3972, and is saved in
hda1:/.

Step 4 Access the interface view.


interface interface-type interface-number

Step 5 Configure the CGA parameter file for the interface.

ipv6 cga-parameters key-label

The CGA parameter file referenced in this command is generated in Step 3.

Before running this command, you must run the ipv6 enable command on the interface.

Step 6 Configure the interface to generate the CGA.

ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length | ipv6-address link-local } cga

For RA and Redirect messages, the CGA must be generated for the link-local address of the
interface, because these messages are sent from the link-local address.

Only the prefix of the address you enter is used; the interface ID is computed from the CGA
parameters, so the address that appears in the configuration differs from the one you typed.

By default, no CGA is generated on the interface.

Step 7 Configure the interface to work in full SEND mode.

ipv6 nd secured full-secure

After the interface is configured to work in full SEND mode, the system discards received ND
packets that lack the CGA, RSA Signature, Timestamp, or Nonce option.

If this command is not executed, the system still processes received ND packets that lack
these options, so the device can communicate with nodes on which SEND is not deployed. In that
mode an attacker only has to omit the options to bypass SEND, so full SEND mode is required
for actual protection of the link.

----End

8.13.4.2 Adjusting Parameters for Authenticating Timestamps


This section describes how to adjust the parameters for authenticating timestamps, which
control the defense against replay attacks.

Context
According to the timestamp authentication mechanism in RFC 3971, the Delta and Fuzz parameters
are used to defend against replay attacks. By default, the Delta value is 300s and the Fuzz value
is 1s. You can adjust the two parameters to control the defense: larger values accept older
messages and therefore weaken replay protection.
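
The check that Delta and Fuzz tune, as an added Python example that is not code from the guide or the NGFW: it follows the rules in RFC 3971 section 5.3.4.2 and assumes the RFC's default 1% clock drift allowance. Peer addresses and times are constructed; `replay_demo` runs the same message sequence through the guide's default values (Delta 300s, Fuzz 1s) and through the looser values used in the SEND configuration example later in this section (Delta 100s, Fuzz 20s).

```python
# Added example, not from the Huawei guide: the RFC 3971 (section 5.3.4.2)
# timestamp check that the Delta and Fuzz parameters tune. A 1 % clock drift
# allowance (TIMESTAMP_DRIFT, the RFC default) is assumed.
from dataclasses import dataclass, field


@dataclass
class SendTimestampChecker:
    delta: float = 300.0   # Delta: acceptance window for a peer seen for the first time
    fuzz: float = 1.0      # Fuzz: slack added to the per-peer comparison
    drift: float = 0.01    # allowed relative clock drift between sender and receiver
    cache: dict = field(default_factory=dict)   # peer -> (TSlast, RDlast)

    def check(self, peer: str, ts_new: float, rd_new: float) -> bool:
        """Return True if a message from `peer` carrying Timestamp ts_new and
        received at local time rd_new passes; cache it on success."""
        if peer not in self.cache:
            # New peer: the timestamp must lie within Delta of the local clock.
            ok = -self.delta < rd_new - ts_new < self.delta
        else:
            ts_last, rd_last = self.cache[peer]
            # Known peer: the timestamp must advance at least as fast as local
            # time (minus drift and Fuzz). A replay of an already-accepted
            # message fails once enough local time has elapsed.
            ok = ts_new + self.fuzz > ts_last + (rd_new - rd_last) * (1 - self.drift) - self.fuzz
        if ok and ts_new > self.cache.get(peer, (float("-inf"), 0.0))[0]:
            self.cache[peer] = (ts_new, rd_new)
        return ok


def replay_demo(delta: float, fuzz: float) -> list:
    """Run a constructed message sequence through a checker and return the verdicts."""
    chk = SendTimestampChecker(delta=delta, fuzz=fuzz)
    peer = "fe80::200:5eff:fe87:4003"   # constructed router link-local address
    return [
        chk.check(peer, ts_new=1050.0, rd_new=1100.0),      # first RA from the router, clocks 50 s apart
        chk.check(peer, ts_new=1050.0, rd_new=1110.0),      # the same RA replayed 10 s later
        chk.check(peer, ts_new=1050.0, rd_new=1500.0),      # the same RA replayed 400 s later
        chk.check(peer, ts_new=1450.0, rd_new=1500.0),      # a genuinely new RA
        chk.check("fe80::1", ts_new=500.0, rd_new=1500.0),  # unknown peer, timestamp 1000 s stale
    ]


if __name__ == "__main__":
    print(replay_demo(300.0, 1.0))    # guide defaults:        [True, False, False, True, False]
    print(replay_demo(100.0, 20.0))   # looser example values: [True, True, False, True, False]
```

With the defaults, a message replayed within about two seconds of the original still passes the timestamp check (Fuzz plus drift); for solicited messages that window is covered by the Nonce option, not by the timestamp. With Fuzz raised to 20s the 10-second replay in the sequence is accepted, which is the weaker defense the text refers to. Delta applies only to the first message from a peer, so it must exceed the clock skew between nodes or legitimate peers are rejected.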

Procedure
Step 1 Access the system view.


system-view

Step 2 Access the interface view.


interface interface-type interface-number

Step 3 Set parameters for authenticating timestamps.

ipv6 nd secured timestamp { delta delta-value | fuzz fuzz-value } *

The following parameters can be configured:

l delta-value: specifies the timestamp increment Delta. The value ranges from 100s to 3600s.
l fuzz-value: specifies the fuzz factor Fuzz. The value ranges from 1s to 50s.

----End

8.13.4.3 Configuring Router Authorization


This section describes how to configure router authorization. Router authorization enables a host
to authenticate the identity of a router using a certificate, which prevents an attacker from
launching attacks in the name of the router and defends against Redirect attacks and parameter
spoofing.

Prerequisites
A CA certificate and a local certificate have been obtained and saved on the storage media of
the NGFW.

Context
After the certificate is configured for the interface, the interface answers a Certification
Path Solicitation (CPS) message from a host with a Certification Path Advertisement (CPA)
message that carries the certificate. The host verifies the certificate and accepts the router
as a default router only if the verification succeeds.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the interface view.
interface interface-type interface-number

Step 3 Configure the certificate for the interface.

ipv6 nd secured local-certificate filename cert-filename

The cert-filename parameter specifies the name of a local certificate saved on a storage media.
The value is a string of 1 to 64 characters.

By default, the interface is not configured with a certificate.

----End


8.13.5 Maintaining ND
After configuring IPv6 ND, you can run the display commands to view the related configuration.
You can also clear configuration information or enable the debugging function if necessary.

8.13.5.1 Displaying IPv6 ND Configuration


After configuring IPv6 ND, you can run the display commands in any view to view and verify
the ND configuration.

Table 8-126 lists the commands to display the IPv6 ND configuration.

Table 8-126 Displaying IPv6 ND configuration

Action                                                      Command
Display IPv6 neighbor information in the cache.             display ipv6 neighbors [ ipv6-address | [ vid vlan-id ] interface-type interface-number ]
Display the IPv6 prefix automatically obtained by an        display ipv6 auto-configuration prefix { all | interface interface-type interface-number }
interface.
Display default routing information.                        display ipv6 auto-configuration default-route-table

8.13.5.2 Clearing IPv6 ND Information


Cleared IPv6 ND information cannot be restored. Exercise caution when using these commands.

Table 8-127 lists the commands, run in the user view, that clear IPv6 ND information.

Table 8-127 Clearing IPv6 ND information

Action                                                      Command
Clear IPv6 neighbor entries in the cache.                   reset ipv6 neighbors { all | dynamic | static | vid vlan-id [ interface-type interface-number ] | interface-type interface-number }
Clear the IPv6 prefix automatically obtained by the         reset ipv6 auto-configuration prefix { all | interface interface-type interface-number }
interface.
Clear the automatically obtained default routes.            reset ipv6 auto-configuration default-route-table


8.13.5.3 Debugging IPv6 ND


If an IPv6 ND fault occurs, run the following debugging commands in the user view to debug IPv6
ND, view the debugging information, and locate and analyze the fault.
Before enabling debugging, run the terminal monitor command in the user view to enable
information display on the terminal, and the terminal debugging command in the user view to
enable the display of debugging information on the terminal.

NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.

For details on the description of the debugging commands, see Debugging Reference.
Table 8-128 lists the commands to debug IPv6 ND.

Table 8-128 Debugging IPv6 ND

Action                                                      Command
Enable the debugging of IPv6 neighbor status and ND         debugging ipv6 nd
messages.
Enable SEND debugging.                                      debugging ipv6 nd secured

8.13.6 Configuration Examples


This section provides examples for configuring IPv6 ND and SEND.

8.13.6.1 Example for Configuring Stateless Address Autoconfiguration


This section provides an example for configuring stateless address autoconfiguration. An
interface on a device can automatically obtain an IPv6 address and can communicate with
another device.

Networking Requirements
NGFW_A and NGFW_B are connected on the network shown in Figure 8-110. GigabitEthernet
1/0/1 on NGFW_A automatically obtains an IPv6 address to communicate with NGFW_B.

Figure 8-110 Networking diagram for configuring stateless address autoconfiguration

NGFW_A (GE1/0/1, Trust zone) ---- (GE1/0/1 3001::1/64, Trust zone) NGFW_B


Configuration Roadmap
The configuration roadmap is as follows:

1. Enable stateless address autoconfiguration on NGFW_A so that GigabitEthernet 1/0/1
automatically obtains an IPv6 address.
2. Configure a global unicast address on NGFW_B and enable RA advertisement so that NGFW_B
advertises the IPv6 prefix to NGFW_A in RA messages.

Procedure
Step 1 Configure NGFW_A.

# Enable IPv6.
<NGFW> system-view
[NGFW] sysname NGFW_A
[NGFW_A] ipv6

# Assign a link-local address to GigabitEthernet 1/0/1.


[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ipv6 enable
[NGFW_A-GigabitEthernet1/0/1] ipv6 address auto link-local

# Enable stateless address autoconfiguration.


[NGFW_A-GigabitEthernet1/0/1] ipv6 address autoconfig
[NGFW_A-GigabitEthernet1/0/1] quit

# Assign GigabitEthernet 1/0/1 to the Trust security zone.


[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-trust] quit

# Configure a security policy.


[NGFW_A] security-policy
[NGFW_A-policy-security] rule name policy_sec_1
[NGFW_A-policy-security-rule-policy_sec_1] source-zone local trust
[NGFW_A-policy-security-rule-policy_sec_1] destination-zone trust local
[NGFW_A-policy-security-rule-policy_sec_1] action permit
[NGFW_A-policy-security-rule-policy_sec_1] quit
[NGFW_A-policy-security] quit

Step 2 Configure NGFW_B.

# Enable IPv6.
<NGFW> system-view
[NGFW] sysname NGFW_B
[NGFW_B] ipv6

# Assign a global unicast address to GigabitEthernet 1/0/1.


[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ipv6 enable
[NGFW_B-GigabitEthernet1/0/1] ipv6 address 3001::1 64

# Enable RA message advertisement.

[NGFW_B-GigabitEthernet1/0/1] undo ipv6 nd ra halt
[NGFW_B-GigabitEthernet1/0/1] quit

# Assign GigabitEthernet 1/0/1 to the Trust security zone.


[NGFW_B] firewall zone trust
[NGFW_B-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW_B-zone-trust] quit

# Configure a security policy.


[NGFW_B] security-policy
[NGFW_B-policy-security] rule name policy_sec_1
[NGFW_B-policy-security-rule-policy_sec_1] source-zone local trust
[NGFW_B-policy-security-rule-policy_sec_1] destination-zone trust local
[NGFW_B-policy-security-rule-policy_sec_1] action permit
[NGFW_B-policy-security-rule-policy_sec_1] quit
[NGFW_B-policy-security] quit

----End

Configuration Verification
1. If the configurations are successful, the prefix obtained by NGFW_A is 3001::/64.
# Display the prefix obtained automatically by NGFW_A.
[NGFW_A] display ipv6 auto-configuration prefix all
Current Total Autoconfig Prefix Number: 1
-----------------------------------------------------------------------------
Index : 1
Interface name : GigabitEthernet1/0/1
Prefix : 3001::/64
IPv6 address : 3001::200:5EFF:FEB5:400
Preferred Lifetime(sec) : 604800
Preferred Lifetime Left(sec): 604750
Valid Lifetime(sec) : 2592000
Valid Lifetime Left(sec) : 2591950
Link-local address of router: FE80::200:5EFF:FE87:4003
-----------------------------------------------------------------------------

# Display default routing information that is automatically created on NGFW_A.
[NGFW_A] display ipv6 auto-configuration default-route-table
Current Total Autoconfig Default Route Number: 1
-----------------------------------------------------------------------------
Index : 1
Interface name : GigabitEthernet1/0/1
Cur Hop Limit : 64
MTU : 1500
Reachable Time(ms) : 30000
Retrans Timer(ms) : 1000
Router Lifetime(sec) : 1800
Router Lifetime Left(sec) : 1599
Route Preference : 65
Link-local address of router: FE80::200:5EFF:FE87:4003
-----------------------------------------------------------------------------

2. Display the IPv6 address of GigabitEthernet 1/0/1. The IPv6 address prefix is 3001::/64.
Run the display this ipv6 interface command in the interface view to view the IPv6 address of
GigabitEthernet 1/0/1.
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] display this ipv6 interface
GigabitEthernet1/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::200:5EFF:FEB5:400
Global unicast address(es):
3001::200:5EFF:FEB5:400, subnet is 3001::/64
Joined group address(es):
FF02::1:FFB5:400
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses

3. Display the default route in the IPv6 FIB table. Its destination address is :: and its next
hop is the link-local address of NGFW_B.
# Run the display ipv6 fib command to view the routes in the IPv6 FIB table.
[NGFW_A] display ipv6 fib
FIB Table:
Total number of Routes : 5

Destination: ::1                                  PrefixLength : 128
NextHop    : ::1                                  Flag         : HU
Label      : NULL                                 Tunnel Token : 0
PortIndex  : 4278190080                           Tunnel ID    : 0
TimeStamp  : Date- 17:10:2011, Time- 14:28:23     reference    : 1
Interface  : InLoopBack0                          IP6Token     : 0x0

Destination: FE80::                               PrefixLength : 10
NextHop    : ::                                   Flag         : BU
Label      : NULL                                 Tunnel Token : 0
PortIndex  : 335544320                            Tunnel ID    : 0
TimeStamp  : Date- 17:10:2011, Time- 14:32:59     reference    : 1
Interface  : NULL0                                IP6Token     : 0x0

Destination: ::                                   PrefixLength : 0
NextHop    : FE80::200:5EFF:FE87:4003             Flag         : GSU
Label      : NULL                                 Tunnel Token : 0
PortIndex  : 1                                    Tunnel ID    : 0
TimeStamp  : Date- 17:10:2011, Time- 14:40:14     reference    : 1
Interface  : GigabitEthernet1/0/1                 IP6Token     : 0x0

Destination: 3001::200:5EFF:FEB5:400              PrefixLength : 128
NextHop    : ::1                                  Flag         : HU
Label      : NULL                                 Tunnel Token : 0
PortIndex  : 4278190080                           Tunnel ID    : 0
TimeStamp  : Date- 17:10:2011, Time- 14:40:16     reference    : 1
Interface  : InLoopBack0                          IP6Token     : 0x0

Destination: 3001::                               PrefixLength : 64
NextHop    : 3001::200:5EFF:FEB5:400              Flag         : U
Label      : NULL                                 Tunnel Token : 0
PortIndex  : 1                                    Tunnel ID    : 0
TimeStamp  : Date- 17:10:2011, Time- 14:40:16     reference    : 1
Interface  : GigabitEthernet1/0/1                 IP6Token     : 0x0

Configuration Scripts
Configuration script for NGFW_A:
#
sysname NGFW_A
#
ipv6
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address auto link-local
ipv6 address autoconfig
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
security-policy
rule name policy_sec_1
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
#
return

Configuration script for NGFW_B:


#
sysname NGFW_B
#
ipv6
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 address 3001::1 64
undo ipv6 nd ra halt
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
security-policy
rule name policy_sec_1
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
#
return

8.13.6.2 Example for Configuring SEND


This section provides an example for configuring IPv6 Secure Neighbor Discovery (SEND).

Networking Requirements
The NGFW shown in Figure 8-111 functions as a default router for a host on a local link and
is connected to an extranet. The NGFW has the following interfaces:

l GigabitEthernet 1/0/1 belongs to the Trust zone and connects to a local IPv6 link.
l GigabitEthernet 1/0/2 belongs to the Untrust zone and connects to the extranet.


Figure 8-111 Networking diagram for configuring SEND

Hosts on the IPv6 local link ---- GE1/0/1 (Trust) NGFW GE1/0/2 (Untrust) ---- External network

Networking requirements are as follows:

l A cryptographically generated address (CGA) is generated on GigabitEthernet 1/0/1 to
prevent address spoofing. GigabitEthernet 1/0/1 discards received ND packets that do not
carry the CGA, RSA (Rivest-Shamir-Adleman) Signature, Timestamp, and Nonce options.
l According to the timestamp authentication mechanism defined in RFC 3971,
GigabitEthernet 1/0/1 checks the timeliness of ND packets based on parameters Delta and
Fuzz. The Delta value is set to 100s, and the Fuzz value is set to 20s. The two values are
used to defend against replay attacks.
l After receiving a Certification Path Solicitation (CPS) message sent by a host,
GigabitEthernet 1/0/1 sends a Certification Path Advertisement (CPA) message that
contains certificate information to the host, which prevents an attacker from launching
attacks while pretending to be the NGFW.

Procedure
Step 1 Configure a CGA.

# Create a public and private key pair.


[NGFW] rsa local-key-pair create
The key name will be: NGFW_Host
The range of public key size is (512 ~ 2048).
NOTES: A key shorter than 1024 bits may cause security risks.
The generation of a key longer than 512 bits may take several minutes.
Input the bits in the modulus[default = 2048]:
Generating keys...
...++++++++
..++++++++
..................................+++++++++
............+++++++++

# Generate CGA parameters at level 0.


[NGFW] ipv6 cga-parameters create label cga

# Configure the CGA parameter file for GigabitEthernet 1/0/1.
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ipv6 enable
[NGFW-GigabitEthernet1/0/1] ipv6 cga-parameters cga

# Configure GigabitEthernet 1/0/1 to generate a CGA.


[NGFW-GigabitEthernet1/0/1] ipv6 address 2001::1 64 cga
[NGFW-GigabitEthernet1/0/1] ipv6 address fe80::1 link-local cga

# Configure GigabitEthernet 1/0/1 to work in full SEND mode.


[NGFW-GigabitEthernet1/0/1] ipv6 nd secured full-secure

Step 2 Adjust parameters for authenticating the timestamp.

# Adjust parameters for authenticating the timestamp on GigabitEthernet 1/0/1. Set the Delta
value to 100s and the Fuzz value to 20s.
[NGFW-GigabitEthernet1/0/1] ipv6 nd secured timestamp delta 100 fuzz 20

Step 3 Configure router authorization.

# Configure the certificate for GigabitEthernet 1/0/1. In the following example, a local certificate
device.cer is saved to the storage media.
[NGFW-GigabitEthernet1/0/1] ipv6 nd secured local-certificate filename device.cer

Step 4 Assign interfaces to security zones.

# Add GigabitEthernet 1/0/1 to the Trust zone and GigabitEthernet 1/0/2 to the Untrust zone.

[NGFW-GigabitEthernet1/0/1] quit
[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/1
[NGFW-zone-trust] quit
[NGFW] firewall zone untrust
[NGFW-zone-untrust] add interface GigabitEthernet 1/0/2
[NGFW-zone-untrust] quit

Step 5 Configure security policies.

# Configure security policies.


[NGFW] security-policy
[NGFW-policy-security] rule name policy_sec_1
[NGFW-policy-security-rule-policy_sec_1] source-zone local trust
[NGFW-policy-security-rule-policy_sec_1] destination-zone trust local
[NGFW-policy-security-rule-policy_sec_1] action permit
[NGFW-policy-security-rule-policy_sec_1] quit
[NGFW-policy-security] rule name policy_sec_2
[NGFW-policy-security-rule-policy_sec_2] source-zone trust untrust
[NGFW-policy-security-rule-policy_sec_2] destination-zone untrust trust
[NGFW-policy-security-rule-policy_sec_2] action permit
[NGFW-policy-security-rule-policy_sec_2] quit
[NGFW-policy-security] quit

----End

Configuration Script
#
sysname NGFW
#
ipv6
#
interface GigabitEthernet1/0/1
ipv6 enable
ipv6 cga-parameters cga
ipv6 nd secured timestamp delta 100 fuzz 20
ipv6 nd secured full-secure
ipv6 nd secured local-certificate filename device.cer
ipv6 address 2001:: 64 cga
ipv6 address FE80::CE0:FD77:C4AE:6E49 link-local cga
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/1
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/2
#
security-policy
rule name policy_sec_1
source-zone local
source-zone trust
destination-zone local
destination-zone trust
action permit
rule name policy_sec_2
source-zone trust
source-zone untrust
destination-zone untrust
destination-zone trust
action permit
#
return

8.13.7 Feature Reference


This section provides IPv6 ND and SEND references.

8.13.7.1 Feature History


This section describes the versions and changes in the IPv6 neighbor discovery feature.

Version Change Description

V100R001C00 The first version.

8.13.7.2 Reference Standards and Protocols


This section lists the standards and protocols related to IPv6 neighbor discovery (ND) and
Secure Neighbor Discovery (SEND).

ND and SEND standards and protocols are as follows:

l RFC 2461: Neighbor Discovery for IP Version 6 (IPv6)


l RFC 2462: IPv6 Stateless Address Autoconfiguration
l RFC 3756: IPv6 Neighbor Discovery (ND) Trust Models and Threats
l RFC 3971: SEcure Neighbor Discovery (SEND)
l RFC 3972: Cryptographically Generated Addresses (CGA)


8.14 IP Performance
This section describes IP performance parameter concepts and how to configure the parameters.

8.14.1 Overview
On specific networks, IPv4/IPv6 parameters must be adjusted to achieve optimal network
performance.

IPv4 Performance
You can achieve better performance by adjusting parameters of some IPv4 features in different
application scenarios.

IPv4 performance is tuned through settings that must be enabled or adjusted on the device, such
as the interface maximum transmission unit (MTU), Internet Control Message Protocol (ICMP)
behaviour, and TCP attributes.

ICMP messages are used by the IP layer and by higher-layer protocols (TCP or UDP). ICMP error
messages deserve particular attention because they can be abused for attacks.

IPv6 Performance
Because 32-bit IPv4 addresses may be exhausted, 128-bit IPv6 addresses are increasingly used.
Most IPv6 applications are the same as IPv4 applications. Only some commands, interface
configurations, and parts of applications are different.

IPv6 PMTU
Different networks have different maximum transmission units (MTUs). This can be handled in the
following ways:

l Fragment packets as required. In IPv4 both the source host and intermediate routers may
fragment packets, and the destination host reassembles them.
l Have the source host send packets based on a proper MTU so that they are not fragmented on
an intermediate router. This reduces the processing burden on intermediate routers. For IPv6
only this way can be used, because IPv6 routers do not fragment packets in transit; only the
source node may fragment.

The path MTU (PMTU) discovery mechanism discovers a proper MTU value on the path between the
source and destination nodes.

8.14.2 Improving IPv4 Performance


This section describes how to configure IPv4 parameters to improve IPv4 performance.

8.14.2.1 Verifying the Source IPv4 Address


Source IP address verification helps defend against attacks, such as IP spoofing.


Context
In IP spoofing, an attacker forges the source IP address of its packets as that of an intranet
user or a trusted external user to obtain information or access without authorization.

Source IP address verification: after receiving an IP packet, an interface checks the source IP
address of the packet. If the source IP address does not belong to the network segment on which
the interface resides, the packet is discarded; otherwise, the packet is allowed to pass. This
ingress check defends against IP spoofing from the directly connected segment, but it cannot
detect a spoofed address that is itself valid on that segment.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the interface view.


interface interface-type interface-number

Step 3 Enable source IP address verification on the interface.


ip verify source-address

By default, the function is disabled on all interfaces.

If the address on the interface is configured with a 31-bit mask, the check is skipped and the
source IP address of a received packet is considered valid.

----End

8.14.2.2 Forwarding Broadcast Packet


This section describes how to configure a NGFW to forward broadcast packets.

Context
If the device is allowed to receive and forward broadcast packets whose destination IP addresses
are on the network segment where the interface resides (directed broadcasts), an attacker can use
such packets to attack the network, for example in amplification attacks. By default, the device
does not receive or forward such broadcast packets. Enable forwarding only where an application
needs it, and restrict it with the ACL where possible.

Procedure
Step 1 Access the system view.
system-view

Step 2 Access the interface view.
interface interface-type interface-number

Step 3 Configure the interface to forward broadcast packets.


ip forward-broadcast [ acl acl-number ]

By default, broadcast packets are not forwarded by any interface.

----End


8.14.2.3 Configuring ICMP Attributes


The control over sending ICMP error packets defends against ICMP error packet-based attacks.

Context
ICMP error packets are used to notify a device of anomalies for control and management.

ICMP error packets fall into three types:


l ICMP redirect packets
l ICMP destination unreachable packets
l ICMP timeout packets

By default, a device does not send ICMP redirect packets, ICMP destination unreachable packets
(except those generated for packets that require fragmentation but carry the Don't Fragment bit),
or ICMP timeout packets. The destination unreachable packets for Don't Fragment packets are sent
by default because path MTU discovery depends on them.

NOTE
If a device is disabled from sending ICMP timeout packets, it does not send ICMP timeout packets
for expired TTLs, but it still sends ICMP timeout packets for reassembly timeouts.

Procedure
Step 1 Access the system view.
system-view

Step 2 Enable the device to send ICMP redirect packets.


ip redirects enable

Step 3 Enable the device to send ICMP destination unreachable packets, except those packets that
require fragmentation but carry the non-fragmentation bit.
ip unreachables enable

Step 4 Enable the device to send ICMP destination unreachable packets for packets that require
fragmentation but carry the non-fragmentation bit.
ip df-unreachables enable

Step 5 Enable the device to send ICMP timeout packets.


ip ttl-expires enable

----End

8.14.2.4 Configuring TCP Attributes


Configuring TCP attributes involves the adjustment in the TCP timer, the size of a TCP sliding
window, and TCP Maximum Segment Size (MSS).

Context
The TCP attributes are as follows:

l SYN-WAIT timer

TCP starts the SYN-WAIT timer before sending SYN packets. If no response packets are
received after the SYN-WAIT timer expires, a TCP connection is terminated.
l FIN-WAIT timer
The FIN-WAIT timer starts after a TCP connection changes from FIN_WAIT_1 to
FIN_WAIT_2. If no FIN packets are received after the FIN-WAIT timer expires, a TCP
connection is terminated. If FIN packets are received, the TCP connection changes to the
TIME_WAIT state. If non-FIN packets are received, TCP restarts the SYN-WAIT timer
upon receiving the last non-FIN packet and terminates the TCP connection after the SYN-
WAIT timer expires.
l TCP sliding window size
The TCP sliding window size is the size of the buffer for sent and received packets on a TCP
socket.
l MSS
The MSS of a TCP packet is the maximum length allowed for a TCP packet sent from the
peer end to the local end. After a TCP connection is established, both ends notify each other
of their MSSs in TCP packets. After recording the peer end's MSS, the local end only sends
TCP packets smaller than the MSS. If a TCP packet from the peer end is smaller than the
local end's MSS, the packet is not segmented; otherwise, the peer end must send the packet
after segmenting it.

NOTICE
Modifying TCP attributes greatly affects the packet forwarding. Exercise caution when
performing this operation. Unless otherwise specified, use the default values.

Procedure
Step 1 Access the system view.
system-view

Step 2 Set the SYN-WAIT timer for setting up TCP connections.


tcp timer syn-timeout interval

The default SYN-WAIT time is 75 seconds.

Step 3 Set the FIN-WAIT timer for TCP connections.


tcp timer fin-timeout interval

The default FIN-WAIT time is 75 seconds.

Step 4 Set the TCP window size of the TCP socket.


tcp window window-size

The default size is 8 KB.

Step 5 Set the MSS of TCP packets.


firewall tcp-mss mss-value

The default MSS is 1460 bytes.

The MSS equals the interface MTU minus 40 bytes (20-byte IP header and 20-byte TCP header).
If Point-to-Point Protocol over Ethernet (PPPoE) dialup is used, an additional 8 bytes (PPPoE
header) must be deducted, so the MSS equals the interface MTU minus 48 bytes.

For example:

If the interface MTU changes from 1500 bytes to 1450 bytes, the new MSS must be 1410 bytes.

If the interface MTU is 1500 and PPPoE dialup is used, the MSS must be set to 1452 bytes (1500
- 20 - 20 - 8).

NOTE

The firewall tcp-mss command only takes effect on subsequent TCP connections, not established ones.

----End

8.14.3 Improving IPv6 Performance


This section describes how to configure IPv6 parameters to improve IPv6 performance.

8.14.3.1 Configuring ICMPv6 Attributes


If many ICMPv6 error packets are sent on the network within a short period, network congestion
may occur. To prevent this situation, you can set the maximum number of ICMPv6 error packets
that can be sent within a specified period.

Context
ICMPv6 error packets can be classified into the following types:

l Destination unreachable error packet


Destination unreachable packets are of the following kinds:
– No route to the destination
– Address unreachable
– Port unreachable
NOTE

Only port unreachable messages are supported.


l Datagram Too Big message
l Timeout error packet
l Parameter error packet

Procedure
Step 1 Access the system view.
system-view

Step 2 Set the capacity of the token bucket and refreshing cycle for sending ICMPv6 error packets.
ipv6 icmp-error { bucket bucket-size | ratelimit interval } *

----End
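The token-bucket behaviour behind the ipv6 icmp-error command, as an added model that is not Huawei code: bucket-size caps how many ICMPv6 error packets can leave in a burst, and one token is returned per ratelimit interval. The bucket size, interval unit (milliseconds) and event timings are constructed assumptions, not device defaults.

```python
# Added example (not Huawei code): a token-bucket model of the ICMPv6 error
# rate limit configured with
#     ipv6 icmp-error { bucket bucket-size | ratelimit interval } *
# bucket-size caps how many error packets may be sent in a burst; every
# ratelimit interval (milliseconds here, an assumption of this model) one
# token is returned to the bucket. Each ICMPv6 error packet costs one token;
# without a token the error packet is suppressed instead of sent.
from dataclasses import dataclass, field
from typing import Iterable, Tuple


@dataclass
class Icmpv6ErrorLimiter:
    bucket_size: int = 10        # constructed values, not the device defaults
    ratelimit_ms: int = 100
    tokens: int = field(init=False)
    last_refill_ms: int = 0

    def __post_init__(self) -> None:
        self.tokens = self.bucket_size   # the bucket starts full

    def _refill(self, now_ms: int) -> None:
        elapsed = now_ms - self.last_refill_ms
        earned = elapsed // self.ratelimit_ms
        if earned > 0:
            self.tokens = min(self.bucket_size, self.tokens + earned)
            # keep the remainder of the interval for the next refill
            self.last_refill_ms += earned * self.ratelimit_ms

    def try_send(self, now_ms: int) -> bool:
        """Return True if an ICMPv6 error packet may be sent at now_ms."""
        self._refill(now_ms)
        if self.tokens == 0:
            return False
        self.tokens -= 1
        return True


def simulate(limiter: Icmpv6ErrorLimiter,
             trigger_times_ms: Iterable[int]) -> Tuple[int, int]:
    """Feed a non-decreasing sequence of error-triggering events (for example
    packets to closed ports) through the limiter; return (sent, suppressed)."""
    sent = suppressed = 0
    for t in trigger_times_ms:
        if limiter.try_send(t):
            sent += 1
        else:
            suppressed += 1
    return sent, suppressed


def burst_result() -> Tuple[int, int]:
    # 50 port-unreachable triggers within 50 ms: only the bucket's worth goes out.
    return simulate(Icmpv6ErrorLimiter(bucket_size=10, ratelimit_ms=100),
                    range(0, 50))


def steady_result() -> Tuple[int, int]:
    # one trigger every 100 ms for 2 s: the sustained rate matches the refill rate.
    return simulate(Icmpv6ErrorLimiter(bucket_size=10, ratelimit_ms=100),
                    range(0, 2000, 100))


if __name__ == "__main__":
    print("burst  (sent, suppressed):", burst_result())    # (10, 40)
    print("steady (sent, suppressed):", steady_result())   # (20, 0)
```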

8.14.3.2 Configuring TCPv6 Attributes


This section describes how to configure IPv6 TCP attributes, including the SYN-Wait timer,
FIN-Wait timer, and buffer size.

Context
For details on the SYN-Wait timer, FIN-Wait timer, and buffer size of TCP attributes, see
8.14.2.4 Configuring TCP Attributes.

Procedure
Step 1 Access the system view.
system-view

Step 2 Set the TCP6 SYN-WAIT timer.


tcp ipv6 timer syn-timeout timer-value

The default SYN-WAIT time is 75s.

Step 3 Set the TCP6 FIN-WAIT timer.


tcp ipv6 timer fin-timeout timer-value

The default FIN-WAIT time is 675s.

Step 4 Set the size of the TCP6 sliding window.


tcp ipv6 window window-size

The default size is 8 KB.

----End

8.14.3.3 Configuring Load Balancing for the IPv6 Traffic Transmission


This section describes how to configure load balancing for the IPv6 traffic transmission. When
multiple links are available for traffic transmission, you can configure load balancing to
distribute traffic between these links to prevent individual links from being overloaded.
NGFW only supports per-flow load balancing.

Context
When data flows to a specific destination IPv6 address are distributed on multiple links, the
packets of the same data flow are sent on the same link. A link is selected for the data flow based
on one of the following modes:

l Hash mode: The system uses the hash algorithm to calculate a value based on source and
destination IPv6 addresses and port numbers before selecting a link.
l Weightrr mode: The system uses the weighted round robin algorithm to distribute packets
to interfaces based on the weights assigned to the interfaces.
l Polling mode: Available links are selected sequentially to forward packets.

Procedure
Step 1 Access the system view.
system-view

Step 2 Configure per-flow load balancing for IPv6 traffic.


ipv6 fib-loadbalance-type { hash-based | weightrr }

By default, per-flow load balancing in polling mode is used.

----End
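The three per-flow selection modes described above (hash-based, weightrr, polling), as an added model that is not Huawei code: every packet of a flow stays on the link first chosen for it. The interface names, weights, SHA-256 as the hash function and the flow key (addresses and ports only) are assumptions of this model; the device's own hash function is not specified on this page.

```python
# Added example (not Huawei code): a model of the three per-flow IPv6 load
# balancing modes named in this section. hash-based picks a link from a hash
# of source/destination IPv6 address and ports; weightrr distributes new
# flows by interface weight; polling hands new flows to the links in turn.
# In every mode packets of one flow stay on the link chosen for that flow.
import hashlib
import ipaddress
import itertools
from typing import Dict, List, Optional, Tuple

# (src address, dst address, src port, dst port); the protocol is left out
# because the section names only addresses and ports.
Flow = Tuple[str, str, int, int]


class PerFlowBalancer:
    def __init__(self, links: List[str], mode: str = "polling",
                 weights: Optional[Dict[str, int]] = None) -> None:
        if mode not in ("hash-based", "weightrr", "polling"):
            raise ValueError(f"unknown mode {mode!r}")
        self.links = list(links)
        self.mode = mode
        self.weights = weights or {link: 1 for link in self.links}
        self._polling = itertools.cycle(self.links)
        # weighted round robin: each link appears `weight` times per cycle
        self._weightrr = itertools.cycle(
            [link for link in self.links for _ in range(self.weights[link])])
        self.flow_table: Dict[Tuple, str] = {}

    @staticmethod
    def _key(flow: Flow) -> Tuple:
        src, dst, sport, dport = flow
        # canonicalise so 2001:0001::1 and 2001:1::1 are the same endpoint
        return (ipaddress.IPv6Address(src).packed,
                ipaddress.IPv6Address(dst).packed, sport, dport)

    def _hash_based(self, key: Tuple) -> str:
        # SHA-256 is an assumption: any stable hash of the flow key works,
        # the device's own hash function is not specified in the guide
        h = hashlib.sha256()
        for part in key:
            h.update(part if isinstance(part, bytes) else part.to_bytes(2, "big"))
        return self.links[int.from_bytes(h.digest()[:4], "big") % len(self.links)]

    def select(self, flow: Flow) -> str:
        """Return the outbound link for a packet of `flow`."""
        key = self._key(flow)
        link = self.flow_table.get(key)
        if link is None:
            if self.mode == "hash-based":
                link = self._hash_based(key)
            elif self.mode == "weightrr":
                link = next(self._weightrr)
            else:
                link = next(self._polling)
            self.flow_table[key] = link
        return link


def distribution(mode: str, weights: Optional[Dict[str, int]] = None,
                 flows: int = 30) -> Dict[str, int]:
    """Count how `flows` distinct flows (differing only in source port) land
    on two constructed links under `mode`."""
    links = ["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"]
    bal = PerFlowBalancer(links, mode, weights)
    counts = {link: 0 for link in links}
    for sport in range(40000, 40000 + flows):
        counts[bal.select(("2001:1::1:1", "2001:db8::10", sport, 443))] += 1
    return counts


def same_flow_sticks(mode: str) -> bool:
    """Two spellings of the same IPv6 flow must map to the same link."""
    bal = PerFlowBalancer(["GigabitEthernet1/0/1", "GigabitEthernet1/0/2"], mode)
    a = bal.select(("2001:1::1:1", "2001:db8::10", 40000, 443))
    b = bal.select(("2001:0001::1:1", "2001:0db8::10", 40000, 443))
    return a == b


if __name__ == "__main__":
    print("polling :", distribution("polling"))
    print("weightrr:", distribution("weightrr", {"GigabitEthernet1/0/1": 2,
                                                 "GigabitEthernet1/0/2": 1}))
    print("hash    :", distribution("hash-based"), same_flow_sticks("hash-based"))
```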

8.14.3.4 Configuring a PMTU


This section describes how to set a path maximum transmission unit (PMTU) on an interface.
This setting enables a device to send packets based on proper MTUs across a network. This helps
prevent packet fragmentation, reduce the burden of the devices, and efficiently use network
resources.

Setting an IPv6 MTU on an interface


Context

The MTU on an interface determines whether IP packets on the interface need to be fragmented.

The default value of the MTU on an interface varies with the interface type.

Step 1 Access the system view.


system-view

Step 2 Access the interface view.


interface interface-type interface-number

Step 3 Set the IPv6 MTU on the interface.


ipv6 mtu mtu

----End

Follow-up Procedure

If the IPv6 MTU value is changed, run the shutdown command and the undo shutdown
command in the interface view to make the configuration take effect.

Run the display ipv6 interface command to view the current IPv6 MTU on the interface.
<NGFW> display ipv6 interface GigabitEthernet 1/0/1
GigabitEthernet1/0/1 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::222:A1FF:FE00:2259
Global unicast address(es):
2001:1::1:1, subnet is 2001:1::/64
Joined group address(es):
FF02::1:FF01:1
FF02::1:FF00:2259
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses

Creating Static PMTU Entries


Context
Static PMTU entries are manually configured and do not age.

Step 1 Access the system view.


system-view

Step 2 Set the PMTU value of a specified IPv6 address.


ipv6 pathmtu ipv6-address [ path-mtu ]

By default, the PMTU of an IPv6 address is 1500 bytes.

----End

Follow-up Procedure
Run the display ipv6 pathmtu command to view information about static PMTU entries.
<NGFW> display ipv6 pathmtu static
IPv6 Destination Address ZoneID PathMTU LifeTime(M) Type
2001:1::1:2 0 1500 - Static
-------------------------------------------------------------------------------
Static: 1

Configuring the PMTU Aging Time


Context
The PMTU aging time is used to change the lifetime of a PMTU entry in the cache.

Step 1 Access the system view.


system-view

Step 2 Set the PMTU aging time.


ipv6 pathmtu age age-time

By default, the dynamic PMTU aging time is 10 minutes.

----End

Follow-up Procedure
Run the display ipv6 pathmtu dynamic command to view information about the dynamic
PMTU entries.
<NGFW> display ipv6 pathmtu dynamic
IPv6 Destination Address ZoneID PathMTU LifeTime(M) Type
fe80::12 0 1300 40 Dynamic
-------------------------------------------------------------------------------
Total: 1 Dynamic: 1 Static: 0

8.14.4 Maintaining IP Performance


After configuring IP performance, you can run the display commands to view the configuration.
You can also clear statistics or enable the debugging function if necessary.

8.14.4.1 Checking IP Performance Configuration


After configuring IP performance, you can run the display commands in any view to view and
verify the related configuration.

Table 8-129 lists the commands to display the IP performance configuration.

Table 8-129 Displaying IP performance configuration

Display the TCP connection status:
  display tcp status [ [ task-id task-id ] [ socket-id socket-id ] | [ local-ip ipv4-address ] [ local-port local-port-number ] [ remote-ip ipv4-address ] [ remote-port remote-port-number ] ]

Display TCP traffic statistics:
  display tcp statistics

Display UDP traffic statistics:
  display udp statistics

Check the IP traffic statistics:
  display ip statistics

Display ICMP traffic statistics:
  display icmp statistics

Display Rawlink statistics:
  display rawlink statistics

Display all current socket information:
  display ip socket [ monitor ] [ task-id task-id socket-id socket-id | sock-type socket-type ]

Display TCP IPv6 statistics:
  display tcp ipv6 statistics

Display the TCP IPv6 connection status:
  display tcp ipv6 status

Display UDP IPv6 statistics:
  display udp ipv6 statistics

Display information about the specified socket:
  display ipv6 socket [ socket-type socket-type ] [ task-id socket-id ]

Display all PMTU entries:
  display ipv6 pathmtu { ipv6-address | all | dynamic | static }

Display IPv6 information about the interface:
  display ipv6 interface [ interface-type interface-number | brief ]

8.14.4.2 Clearing IP Performance Statistics


IP performance statistics cannot be restored after you clear them. Exercise caution when performing
this operation.

Table 8-130 lists the commands run in the user view to clear IP performance statistics.

Table 8-130 Clearing IP performance statistics

Clear the IP statistics:
  reset ip statistics [ interface interface-type interface-number ]

Clear information on the socket monitor:
  reset ip socket monitor

Clear TCP traffic statistics:
  reset tcp statistics

Clear UDP traffic statistics:
  reset udp statistics

Clear the Rawlink statistics:
  reset rawlink statistics

Clear IPv6 PMTU entries in the cache:
  reset ipv6 pathmtu { all | dynamic | static }

Clear all TCPv6 statistics:
  reset tcp ipv6 statistics

Clear all UDPv6 statistics:
  reset udp ipv6 statistics

8.14.4.3 Debugging IP Performance


If an IPv4/IPv6 fault occurs, run the following debugging commands in the user view to debug
IPv4/IPv6 performance, view the debugging information, and locate and analyze faults.

Before enabling the debugging, you must run the terminal monitor command in the user view
to enable the terminal information display and the terminal debugging command in the user
view to enable the terminal debugging information display.

NOTICE
Enabling the debugging deteriorates system performance. After the debugging is complete, run
the undo debugging all command to disable the debugging immediately.

For details on the description of the debugging commands, see Debugging Reference.

Table 8-131 lists the commands to debug IPv4/IPv6 performance information.

Table 8-131 Debugging IP performance information

Enable the IP packet debugging:
  debugging ip packet [ acl acl-number ]

Enable the ICMP debugging:
  debugging ip icmp

Enable the UDP packet debugging:
  debugging udp packet [ local-ip src-address ] [ local-port src-port ] [ remote-ip dest-address ] [ remote-port dest-port ]
  debugging udp packet [ task-id task-id ] [ socket-id socket-id ]

Enable the TCP packet debugging:
  debugging tcp packet [ local-ip src-address ] [ local-port src-port ] [ remote-ip dest-address ] [ remote-port dest-port ]
  debugging tcp packet [ task-id task-id ] [ socket-id socket-id ] [ flag flag-number ]

Enable the TCP event debugging:
  debugging tcp event [ local-ip local-address ] [ local-port local-port ] [ remote-ip remote-address ] [ remote-port remote-port ]
  debugging tcp event [ task-id task-id ] [ socket-id socket-id ]

Enable the TCP MD5 authentication debugging:
  debugging tcp md5 [ local-ip src-address ] [ local-port src-port ] [ remote-ip dest-address ] [ remote-port dest-port ]
  debugging tcp md5 [ task-id task-id ] [ socket-id socket-id ]

Enable the RAWIP packet debugging:
  debugging rawip packet [ local-ip src-address ] [ remote-ip dest-address ] [ protocol protocol-number ] [ verbose verbose-number ]
  debugging rawip packet [ task-id task-id ] [ socket-id socket-id ] [ verbose verbose-number ]

Enable the RAWLINK packet debugging:
  debugging rawlink packet [ local-mac src-mac ] [ remote-mac dest-mac ] [ verbose verbose-number ]
  debugging rawlink packet [ task-id task-id ] [ socket-id socket-id ] [ verbose verbose-number ]

Enable the ICMPv6 debugging:
  debugging ipv6 icmpv6

Enable the TCPv6 event debugging:
  debugging tcp ipv6 event

Enable the TCPv6 packet debugging:
  debugging tcp ipv6 packet

Enable the UDPv6 packet debugging:
  debugging udp ipv6 packet [ task-id socket-id ]

Enable the PMTU debugging:
  debugging ipv6 pathmtu

8.14.5 Feature History


This section describes the versions and changes in the IP performance feature.

Version Change Description

V100R001C00 The first version.

9 Intelligent Uplink Selection

9.1 Overview
This section describes the definition and objective of intelligent uplink selection.

Definition
When multiple links are available to the destination network, the NGFW can select the outbound
interface dynamically based on the specified link bandwidths, weights, priorities, or
automatically detected link quality to improve user experience and maximize the usage of link
bandwidths.

Objective
When the egress device of an enterprise has multiple links for load balancing, the egress device
usually selects a link at random to forward the traffic, regardless of the actual bandwidth and status
of each link. If the traffic volume is large, some links may be congested while others are
idle, which wastes link resources. When a link has poor transmission quality, Internet
access may fail, which compromises user experience. Users cannot select a specific link to
forward the traffic, which may incur extra charges.

The intelligent uplink selection function enables the NGFW to forward traffic to each link based
on the specified link selection mode and dynamically tunes the link selection result in real time
to maximize the efficiency of link resources and improve user experience.

9.2 Restrictions and Precautions


Read the restrictions and precautions before you configure intelligent uplink selection.

Precautions
The intelligent uplink selection cannot be used together with the IP spoofing attack defense or
URPF function. If the IP spoofing attack defense or URPF function is enabled, the NGFW may
discard packets.

9.3 Mechanism
This section describes the mechanisms of intelligent uplink selection, ISP address library link
selection, and link health check.

9.3.1 Intelligent Uplink Selection Overview


When a policy-based route has multiple outbound interfaces or the NGFW has multiple default
routes, the intelligent uplink selection function can be enabled to select the optimal outbound
interface for traffic forwarding based on enterprise requirements.

Background
As shown in Figure 9-1, an enterprise usually deploys multiple links at the network egress to
ensure Internet access stability and availability. This achieves the desired effect to a certain
extent. However, because the egress device does not evaluate the performance differences and
real-time status of the links, many problems may occur in actual application scenarios.

l If the links have different bandwidths, the links with large bandwidth may be idle while the
links with small bandwidth are congested.
l Because each ISP link provides different transmission quality and requires different service
charges, the enterprise sometimes needs to ensure service quality and sometimes to use the
link with a low charge. However, equal traffic distribution fails to meet these requirements.
l If the link between the egress device and destination device fails or the service on the
destination device is unavailable but the traffic is forwarded to the faulty link or destination
device with unavailable service, the access fails.

Figure 9-1 Networking diagram of intelligent uplink selection (figure not reproduced; it shows the
NGFW connected to the Internet through ISP1, ISP2, and ISP3)

Intelligent uplink selection on the NGFW can resolve the preceding problem in multi-egress link
selection scenarios on the basis of ensuring network stability and availability. Intelligent uplink
selection comprises global route selection and intelligent uplink selection based on policy-based
routes. The two link selection modes can be used at the same time without producing any
conflicts because they take effect in a certain order during link selection.

When forwarding traffic, the NGFW looks up the policy-based routes, detailed routes, and
default route in sequence to match traffic. Detailed routes are the most common routes, including
dynamic and static routes. When traffic matches a route, the NGFW forwards the traffic on the
route (ECMP routes are not considered here). However, traffic forwarding on such routes is
based on the packet destination address and fails to provide differentiated services. Therefore,
policy-based routes are used to forward traffic based on information, such as the source address,
destination address, and service type. If the traffic does not match any policy-based route or
detailed route, the NGFW forwards the traffic on the default route to prevent packet discarding.
If multiple outbound interfaces are available for traffic forwarding when the traffic matches a
policy-based route, intelligent uplink selection based on policy-based routes is used. If multiple
default routes are available for traffic forwarding when the traffic matches a default route, global
route selection is used.

Intelligent uplink selection is a policy-based route selection technology. You can configure
intelligent uplink selection modes based on the specific requirements to implement desired traffic
distribution effects. The NGFW supports four intelligent uplink selection modes:

l Load balancing by link bandwidth: The NGFW forwards traffic to each link based on the
link bandwidth ratio. This mode maximizes the link bandwidth efficiency.
l Load balancing by link weight: The NGFW forwards traffic to each link based on the link
weight ratio. This mode controls the ratio of traffic to be forwarded to each link and uses
specific links to forward more traffic, which maximizes the efficiency of all link resources
and enterprise interests and improves user experience.
l Active/Standby backup by link priority: The NGFW preferentially uses the link with the
highest priority to transmit traffic and all the other links as backup links or load balancing
links. This mode preferentially uses a specific link to forward traffic, improving forwarding
availability and user experience.
l Load balancing by link quality: Intelligent uplink selection based on policy-based routes
supports load balancing by link quality, but global route selection does not. The NGFW
tunes traffic distribution dynamically based on real-time traffic transmission quality. You
can use packet loss ratio, delay, and/or jitter to evaluate the traffic transmission quality of
a link to select the link with the best quality for traffic forwarding.

Intelligent Uplink Selection Process


When the NGFW has multiple outbound interfaces, Figure 9-2 shows the intelligent uplink
selection process.

Figure 9-2 Schematic diagram of the intelligent uplink selection process (figure not reproduced; it
shows a client, the NGFW with policy-based route/default route lookup, intelligent uplink selection
and quality detection, links through ISP1 and ISP2 to a target device and service server, and the
numbered steps 1 to 9: health probe, service request packet, query of the outbound interface, query
of the link health status, link quality probe, saving of the quality detection result, intelligent
uplink selection result, service request packet forwarding, and service reply packet)

The intelligent uplink selection process illustrated in Figure 9-2 is described as follows:

1. If you have configured Link Health Check, the NGFW will send probe packets to the
probed device to check whether the link between the local end and the destination network
is reachable. When the NGFW requires intelligent uplink selection, link health check will
report the real-time link status to facilitate forwarding availability improvement. If you
have not configured link health check, the NGFW considers all links as available.
2. When a service request from a client reaches the NGFW, the NGFW forwards the traffic
based on the route that the traffic matches.
3. If the traffic matches a policy-based route or default route and multiple outbound interfaces
are available for traffic forwarding, the NGFW needs to determine the optimal outbound
interface for forwarding the traffic (intelligent uplink selection).

4. Before intelligent uplink selection, the NGFW checks whether the link of each outbound
interface is available. Faulty links do not participate in intelligent uplink selection. The
NGFW uses link health check results to determine whether a link is available.
5. When the intelligent uplink selection mode is set to load balancing by link quality, the
NGFW sends link quality probe packets to the service server over healthy links to obtain the
transmission quality information of each link. In the other intelligent uplink selection modes,
link quality probing is not required.
6. The NGFW saves the link quality probe results in a link quality detection table. When receiving
follow-up traffic destined for the same service server, the NGFW selects a link based on the
information in the link quality detection table. When the link quality detection table ages
and service traffic reaches the NGFW, the NGFW triggers link quality probing again.
7. The NGFW computes the link selection result based on the specified intelligent uplink
selection mode.
8. The NGFW uses the specified outbound interface to forward service request packets based
on the link selection result.
9. The service server sends reply packets to the client.

9.3.2 ISP Address Library Link Selection


In multi-egress link selection scenarios, you can enable ISP address library link selection to
forward traffic by ISPs so that the traffic destined for different ISP addresses is forwarded from
the corresponding outbound interfaces.

ISP address library link selection is also called ISP link selection. When the NGFW functions
as an egress gateway and connects to multiple ISP networks, you can enable ISP address library
link selection on the NGFW to forward the traffic to a specific ISP network from the
corresponding outbound interface. This ensures that the traffic is forwarded on the shortest path.

As shown in Figure 9-3, the NGFW has two ISP links to the Internet. If an intranet user accesses
Server2 on ISP2 network and the NGFW has ECMP routes, the NGFW can forward the access
traffic from two different paths to Server2. Apparently, path 2 is not the best path, and path 1 is
the most desired path.

After you configure ISP address library link selection and intranet users access Server1 or
Server2, the NGFW selects an outbound interface based on the ISP network of the destination
address to forward the traffic from the shortest path to the server, as shown in path 3 and path 1
in Figure 9-3.

Figure 9-3 ISP address library link selection (figure not reproduced; it shows the intranet behind the
NGFW, ISP1 leading to Server 1 and ISP2 leading to Server 2; Line1: shortest path to Server 2;
Line2: detour to Server 2; Line3: shortest path to Server 1)

Before you configure ISP address library link selection, you need to write the IP addresses of
each ISP network to a .csv file (ISP address file) and import these files to the NGFW. For
descriptions and requirements on writing ISP address files, see Figure 9-4.

Figure 9-4 ISP address file

The NGFW provides the ISP address files of the following carriers upon delivery:

l china-mobile.csv: China Mobile
l china-telecom.csv: China Telecom
l china-unicom.csv: China Unicom
l china-educationnet.csv: CERNET
NOTE

The ISP address files must be .csv files.


You can use the predefined ISP address files on the NGFW or change the addresses if necessary. You are
advised to export the predefined ISP address files as templates for editing to ensure that all contents are
filled correctly.
You can also obtain the latest ISP address file from the security center (sec.huawei.com).

The predefined and imported ISP address files are saved in the same folder named isp, and the
path is hda1:/isp/. Each ISP address file will automatically generate an ISP address group after
being imported. The ISP address group contains all IP addresses in the ISP address file. You can
reference the address group as the source or destination address in policy-based routes.
After you bind an outbound interface to an ISP name, the NGFW will generate static routes in
a batch to the ISP network. The destination is an IP address in the ISP address file, and the next
hop is the gateway address specified on the outbound interface. These static routes are called
ISP routes. They have the same priority as common static routes, and the default priority is 60.
Compared with manually collecting a large number of routes, using ISP address library link
selection is far more convenient. Associating an outbound interface with an ISP name is equivalent
to creating an ISP interface group and binding the interface to that ISP interface group. Both the
interface and the ISP interface group can function as intelligent uplink selection member interfaces.

NOTE

You can view ISP route entries in the routing table, whose protocol is identified as ISP. However, the
NGFW will not automatically generate the command (ip route-static) for batch ISP route generation.

To improve traffic forwarding reliability, ISP address library link selection can work together with
Link Health Check to ensure that traffic is not forwarded to faulty links. If the health check
result indicates that a link is faulty, the NGFW deletes the ISP route entry. Therefore, traffic
will neither match this route nor be forwarded to the faulty link. When the link recovers, the
ISP route entry is created again, and traffic can be forwarded on this route.

9.3.3 Intelligent Uplink Selection Mode


You can configure different intelligent uplink selection modes according to your situation.
The NGFW supports four intelligent uplink selection modes: load balancing by link bandwidth,
load balancing by link weight, active/standby backup by link priority, and load balancing by
link quality. Global route selection does not support load balancing by link quality but supports
the other three modes. Link selection based on policy-based routes supports all four modes.

NOTE

Unless otherwise specified, the concepts of "interface" and "interface link" are the same when you configure
the intelligent uplink selection mode. You need to configure link bandwidths, weights, and priorities of
interfaces on the NGFW.

Load Balancing by Link Bandwidth


Load balancing by link bandwidth is the default intelligent uplink selection mode. When an
enterprise obtains links with different bandwidths from different ISPs, set the link selection mode
to load balancing by link bandwidth to maximize the efficiency of link bandwidths.

The bandwidth here is the bandwidth configured for each interface on the NGFW. Generally, set a
bandwidth for each link that reflects the actual link or interface bandwidth. The NGFW distributes
traffic to the links in proportion to their bandwidths, so a link with larger bandwidth forwards more
traffic and a link with smaller bandwidth forwards less, and the efficiency of all links is maximized.
As shown in Figure 9-5, the NGFW has three ISP links. The bandwidth of the ISP1 link is 200M and
those of the ISP2 and ISP3 links are 100M each, so the bandwidth ratio is 2:1:1. After the NGFW has
forwarded traffic for a while, the traffic statistics show that the historical traffic on the links accounts
for 50%, 25%, and 25% of the total; that is, the traffic ratio matches the bandwidth ratio.
To prevent links from being overloaded, you can set an overload protection threshold for each link
(90% for all links in the figure). When the bandwidth usage of a link reaches 90%, the NGFW no longer
forwards traffic to that link and load-balances by the bandwidth ratio of the links that are not
overloaded. When all links are overloaded, the NGFW continues to forward traffic based on the
bandwidth ratio of all links.

Figure 9-5 Load balancing by link bandwidth
(Figure: the NGFW connects to the Internet through ISP1, ISP2, and ISP3 with link bandwidths of 200M,
100M, and 100M and an overload protection threshold of 90% on each link; the links transmit 50%, 25%,
and 25% of the traffic respectively.)

Load Balancing by Link Weight


If an enterprise has ISP links with different performance, you can favor the best-performing link to
ensure the experience of most users while still making the most of the other links. In such scenarios,
set the link selection mode to load balancing by link weight.
When you set weights for interfaces on the NGFW, consider factors such as link bandwidth, forwarding
delay, and link rent. The "best-performing" link is not necessarily the link with the fastest forwarding
but the link that best serves the enterprise's interests, so set each link's weight according to actual
conditions. The NGFW distributes traffic to the links in proportion to their weights: the link with the
larger weight forwards more traffic, the link with the smaller weight forwards less, and all links are
used in a way that maximizes link efficiency.
As shown in Figure 9-6, the NGFW has three ISP links. The weights of the ISP1, ISP2, and ISP3 links
are 5, 3, and 2, so the weight ratio is 5:3:2. After the NGFW has forwarded traffic for a while, the
traffic statistics show that the historical traffic on the links accounts for 50%, 30%, and 20% of the
total; that is, the traffic ratio matches the weight ratio.
To prevent links from being overloaded, you can set an overload protection threshold for each link
(90% for all links in the figure). When the bandwidth usage of a link reaches 90%, the NGFW no longer
forwards traffic to that link and load-balances by the weight ratio of the links that are not overloaded.
When all links are overloaded, the NGFW continues to forward traffic based on the weight ratio of all
links.

Figure 9-6 Load balancing by link weight
(Figure: the NGFW connects to the Internet through ISP1, ISP2, and ISP3 with link weights of 5, 3, and 2
and an overload protection threshold of 90% on each link; the links transmit 50%, 30%, and 20% of the
traffic respectively.)

Active/Standby Backup by Link Priority


If an enterprise has multiple ISP links that differ in bandwidth, forwarding delay, and link rent, you
can use one link preferentially and keep the other links as backup links or load-sharing links to
improve availability. In such scenarios, set the link selection mode to active/standby backup by link
priority.
After you set a priority for each interface, the interface with the highest priority is the active
interface and all other interfaces are standby interfaces. The NGFW forwards traffic over the active
interface preferentially. If no overload protection threshold is set on the active interface, the NGFW
does not move traffic to other links even when the active link is overloaded: the standby interface
with the next highest priority takes over only after the active link fails, and the remaining standby
interfaces stay on standby. This behavior is called active/standby backup.
To improve transmission reliability, you can set an overload protection threshold for each interface.
When the active interface is overloaded, the NGFW activates the standby interface with the next
highest priority to share the load with the active interface. If both the active interface and that
standby interface are overloaded, the interface with the highest priority among the remaining standby
interfaces is activated to forward traffic as well. This behavior is called load balancing.
As shown in Figure 9-7, the NGFW has three different ISP links. The priorities of ISP1, ISP2,
and ISP3 links are respectively 8, 3, and 1. ISP1 link has the highest priority. An overload
protection threshold of 90% is set for each link. The NGFW uses ISP1 link preferentially to
forward traffic. When the bandwidth usage of ISP1 link reaches 90%, ISP2 link is activated to
share traffic with ISP1 link. When both ISP1 and ISP2 links are overloaded, ISP3 link is activated
to share traffic with ISP1 and ISP2 links. If the three links are all overloaded, the NGFW will
forward traffic to the three links based on the bandwidth ratio, not by link priority.

Figure 9-7 Active/Standby backup by link priority
(Figure: the NGFW connects to the Internet through ISP1, ISP2, and ISP3 with link priorities of 8, 3,
and 1 and an overload protection threshold of 90% on each link.)

In some scenarios you may want standby interfaces to stay shut down and be brought up only when the
active interface is faulty or overloaded. For this, enable the function of disabling standby interfaces:
a disabled standby interface cannot forward any traffic at all. By contrast, in the scenarios above a
standby interface that is not selected as the forwarding interface can still carry other traffic, such
as traffic from the Internet to the intranet.
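The three static modes above (bandwidth ratio, weight ratio, and priority with overload spill-over) can be reproduced in a short simulation. The following Python is an added example for this guide, not Huawei code and not the NGFW's actual implementation: the Link class, the function names, the usage field and the assumption that links sharing traffic in priority mode split it by bandwidth ratio are its own, while the link parameters come from Figures 9-5 to 9-7.

```python
"""Added example (not Huawei code): a simulation of the three static
intelligent uplink selection modes with overload protection. Link names,
bandwidths, weights, priorities and the 90% threshold come from Figures
9-5 to 9-7; the Link class, the 'usage' values and the bandwidth-ratio
sharing in priority mode are this example's own assumptions."""
import random
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    bandwidth: int          # interface bandwidth configured on the NGFW (Mbit/s)
    usage: float = 0.0      # current bandwidth usage, 0.0 .. 1.0 (constructed)
    weight: int = 1         # default weight is 1
    priority: int = 1       # default priority is 1; a higher value wins
    threshold: float = 0.9  # overload protection threshold (90%)

    @property
    def overloaded(self) -> bool:
        return self.usage >= self.threshold


def candidates(links):
    """Overloaded links are excluded first. When every link is overloaded
    the NGFW keeps forwarding over all of them (the page's fallback rule)."""
    healthy = [l for l in links if not l.overloaded]
    return healthy or list(links)


def weighted_choice(links, key, rng):
    """Return one link with probability proportional to key(link)."""
    total = sum(key(l) for l in links)
    r = rng.uniform(0, total)
    for link in links:
        r -= key(link)
        if r < 0:
            return link
    return links[-1]


def select_by_bandwidth(links, rng=random):
    return weighted_choice(candidates(links), lambda l: l.bandwidth, rng)


def select_by_weight(links, rng=random):
    return weighted_choice(candidates(links), lambda l: l.weight, rng)


def select_by_priority(links, rng=random):
    """Active/standby backup: the highest-priority link carries traffic
    alone; once it is overloaded the next-highest-priority link is activated
    to share the load, and so on. With every link overloaded the NGFW falls
    back to the bandwidth ratio of all links (Figure 9-7)."""
    ordered = sorted(links, key=lambda l: l.priority, reverse=True)
    if all(l.overloaded for l in ordered):
        return weighted_choice(ordered, lambda l: l.bandwidth, rng)
    active = []
    for link in ordered:
        active.append(link)
        if not link.overloaded:
            break  # the first non-overloaded link closes the active set
    return weighted_choice(active, lambda l: l.bandwidth, rng)


def distribution(select, links, trials=20000, seed=1):
    """Share of trials that each link receives under a selection function."""
    rng = random.Random(seed)
    counts = {l.name: 0 for l in links}
    for _ in range(trials):
        counts[select(links, rng).name] += 1
    return {name: n / trials for name, n in counts.items()}


def figure_links():
    """The three ISP links of Figures 9-5 to 9-7 (usage values constructed)."""
    return [
        Link("ISP1", bandwidth=200, weight=5, priority=8, usage=0.5),
        Link("ISP2", bandwidth=100, weight=3, priority=3, usage=0.3),
        Link("ISP3", bandwidth=100, weight=2, priority=1, usage=0.1),
    ]


if __name__ == "__main__":
    links = figure_links()
    for mode in (select_by_bandwidth, select_by_weight, select_by_priority):
        print(mode.__name__, distribution(mode, links))
    links[0].usage = 0.95  # ISP1 crosses its 90% threshold
    print("ISP1 overloaded:", distribution(select_by_priority, links))
```

Running it prints shares close to 50/25/25 for bandwidth mode and 50/30/20 for weight mode, and shows ISP1 alone in priority mode until its usage crosses 90%, after which ISP2 is activated and ISP3 stays on standby; only when every link is overloaded does priority mode fall back to the bandwidth ratio of all three links.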


Load Balancing by Link Quality


Link selection based on policy-based routes supports load balancing by link quality, but global
route selection does not.

If an enterprise has multiple ISP links and the NGFW needs to dynamically adjust traffic
forwarding based on real-time traffic transmission quality of the link, you can set the link
selection mode to load balancing by link quality.

The NGFW preferentially uses the link with the best quality to forward traffic. Packet loss ratio,
delay, and jitter are the three parameters by which the NGFW evaluates link quality; you can enable one
or more of them as required. Packet loss ratio is the decisive parameter: if two links differ in packet
loss ratio, delay, and jitter, the NGFW rates the link with the lower packet loss ratio as the higher
quality link.

The NGFW sends ICMP link quality probe packets to the specified device on the ISP network,
calculates the values of each link quality parameter based on the probe and reply packets, and
estimates the ISP link quality. Table 9-1 lists the methods for calculating each link quality
parameter.

Table 9-1 Methods for calculating link quality parameters

Packet loss ratio
    After sending multiple probe packets, the NGFW counts the probes that received no reply and
    calculates the packet loss ratio as the number of lost (unanswered) probe packets divided by the
    number of probe packets sent. In Figure 9-8, two lost probes out of five give a ratio of 2/5.

Delay
    The delay of one probe is the reply receiving time minus the probe sending time. The final delay
    is the average delay over the N probe packets sent by the NGFW.

Jitter
    The jitter of one probe is the absolute value of the difference between its delay and the delay of
    the preceding probe. The final jitter is the average jitter over the N probe packets sent by the
    NGFW.

To simplify the configuration and relieve the probing impacts on device performance, the
NGFW can use the probe result of a specific IP address on a subnet as the result for the subnet.
You can determine the size of the subnet as required.

The link quality probe results are stored in the link quality probe table. When the NGFW receives
traffic, it first checks whether the traffic can be forwarded based on the entries in the probe table;
if not, it starts a link quality probe. After a link quality probe entry ages out, intelligent uplink
selection can trigger the probe again. For services with high quality requirements, the NGFW can probe
link quality continuously; the probe table is then updated periodically, so you can follow the
real-time link status and adjust accordingly.


If an overload protection threshold is set for each link and the link with the highest quality becomes
overloaded, that link is excluded from intelligent uplink selection and the NGFW selects the link with
the second highest quality. When all links are overloaded, the NGFW uses only the link with the highest
quality for subsequent traffic.

As shown in Figure 9-8, the NGFW has three ISP links and sends five probe packets to the specified
device on each ISP network. No packet is lost on the ISP1 link, two packets are lost on the ISP2 link,
and the ISP3 link returns no replies at all. The NGFW therefore rates the ISP1 link highest and uses it
preferentially until the probe entry ages out. If an overload protection threshold is set for each link
and the bandwidth usage of the ISP1 link reaches the threshold, the ISP1 link is excluded from
intelligent uplink selection and the NGFW uses the link with the second highest quality (the ISP2 link)
for subsequent traffic.

Figure 9-8 Load balancing by link quality
(Figure: the NGFW connects to the Internet through ISP1, ISP2, and ISP3. ISP1: packet loss ratio 0/5,
delay 2ms, jitter 2ms. ISP2: packet loss ratio 2/5, delay 5ms, jitter 5ms. ISP3: packet loss ratio 5/5,
delay and jitter not measurable.)
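To make Table 9-1 concrete, the following added Python example (not Huawei code) computes packet loss ratio, average delay and average jitter from a set of probe results and ranks the links as in Figure 9-8. The probe samples are constructed; the comparison order (packet loss ratio first, then delay, then jitter) follows the text, while the data layout, the handling of a link that returns no replies and the averaging of jitter over consecutive answered probes are assumptions of this example.

```python
"""Added example (not Huawei code): the three link quality parameters of
Table 9-1 computed from probe results, and the ranking of Figure 9-8.
Probe samples are constructed; the ordering rule follows the text, the
data layout and jitter-over-answered-probes rule are assumptions."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class Probe:
    sent_ms: float                  # time the ICMP probe was sent
    received_ms: Optional[float]    # time the reply arrived; None = no reply


@dataclass
class Quality:
    loss_ratio: float               # lost probes / probes sent
    delay_ms: Optional[float]       # average of (received - sent)
    jitter_ms: Optional[float]      # average |delay[i] - delay[i-1]|


def evaluate(probes: List[Probe]) -> Quality:
    """Table 9-1: loss ratio, average delay and average jitter of N probes."""
    sent = len(probes)
    answered = [p for p in probes if p.received_ms is not None]
    loss_ratio = (sent - len(answered)) / sent
    if not answered:
        return Quality(loss_ratio, None, None)   # no replies at all (ISP3 in Figure 9-8)
    delays = [p.received_ms - p.sent_ms for p in answered]
    diffs = [abs(a - b) for a, b in zip(delays, delays[1:])]
    jitter = mean(diffs) if diffs else 0.0
    return Quality(loss_ratio, mean(delays), jitter)


def quality_key(q: Quality):
    """Sort key: lower is better; a link without any reply ranks last."""
    inf = float("inf")
    return (q.loss_ratio,
            inf if q.delay_ms is None else q.delay_ms,
            inf if q.jitter_ms is None else q.jitter_ms)


def select_by_quality(qualities: Dict[str, Quality], usage: Dict[str, float],
                      threshold: float = 0.9) -> str:
    """Best-quality link that is not overloaded; when every link is
    overloaded only the best-quality link is used for subsequent traffic."""
    ranked = sorted(qualities, key=lambda name: quality_key(qualities[name]))
    for name in ranked:
        if usage.get(name, 0.0) < threshold:
            return name
    return ranked[0]


def probes_from_delays(delays_ms: List[Optional[float]]) -> List[Probe]:
    """One probe per entry, sent one second apart (constructed data)."""
    return [Probe(i * 1000.0, None if d is None else i * 1000.0 + d)
            for i, d in enumerate(delays_ms)]


def figure_qualities() -> Dict[str, Quality]:
    """Five probes per link, modelled on Figure 9-8: ISP1 answers all,
    ISP2 loses two, ISP3 never answers (delay values constructed)."""
    samples = {
        "ISP1": probes_from_delays([1.0, 3.0, 1.0, 3.0, 1.0]),
        "ISP2": probes_from_delays([4.0, None, 6.0, None, 5.0]),
        "ISP3": probes_from_delays([None] * 5),
    }
    return {name: evaluate(p) for name, p in samples.items()}


if __name__ == "__main__":
    q = figure_qualities()
    for name, value in q.items():
        print(name, value)
    print("selected:", select_by_quality(q, {}))
    print("ISP1 overloaded:", select_by_quality(q, {"ISP1": 0.95}))
```

With these samples ISP1 is chosen, ISP2 takes over once ISP1's usage passes the 90% threshold, and ISP3 is never chosen while any other link answers, because a 5/5 loss ratio sorts after every link that returned replies regardless of its delay.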

9.3.4 Link Health Check


The NGFW uses the link health check function to evaluate the health of the link from a local
outbound interface to a specified destination address, so that traffic is not forwarded over faulty
links.

Link health check probes link availability and adjusts traffic distribution according to the probe
results to guarantee service quality.

As network traffic grows, devices at the network egress face greater and greater challenges.
Enterprises usually expand link bandwidth to ensure access stability and reliability, and typically
obtain egress links from multiple ISPs to meet different ISP network access requirements. However,
more egress links bring a series of problems:

- How is a link fault detected?
- How is the detection result made trustworthy, so that a link is not wrongly judged faulty?
- How is it discovered that a link is available again, and how is the link put back into use?

If these problems are not solved, the multiple egress links cannot deliver what they were deployed
for, and the enterprise does not get the return it expected from its investment in link bandwidth
expansion. The link health check function provides the means to solve them: the NGFW monitors the
health of each link and adjusts forwarding so that only healthy links carry traffic, which ensures
access stability and reliability.

As shown in Figure 9-9, three outbound interfaces on the NGFW connect to the Internet through
different ISP networks, and users can reach Internet resources through any of them. To check the
health of the link behind each outbound interface, the NGFW sends probe packets to devices on the
ISP networks; if a link is available, the NGFW receives a response from the probed device. To avoid
misjudging a link because a single probed device has failed, the NGFW can probe multiple devices
through one outbound interface and declares the link available only when the number of responses
received through the link reaches the configured value. In Figure 9-9 the probe results show the
links through the ISP1 and ISP2 networks as faulty, so the NGFW forwards Internet-bound traffic over
the link through the ISP3 network. The NGFW keeps sending probes to track the status of each link;
when a link recovers, the NGFW uses it for forwarding again.

Figure 9-9 Health check for multiple links
(Figure: clients on the intranet behind the NGFW reach servers on the Internet over three links through
ISP1, ISP2, and ISP3; service traffic and health check traffic are drawn separately.)


As shown in Table 9-2, the NGFW sends probe packets to the destination devices using different
protocols depending on the device type, and analyzes the reply packets to evaluate link availability.

Table 9-2 Protocols and principles of link health check

ICMP
    The NGFW sends an ICMP echo request to a device through the link. If the echo reply returned by the
    device carries the same Identifier and Sequence Number fields as the request, the NGFW considers
    the link available.

TCP
    The NGFW sends a TCP connection request to the specified device. If the connection is established,
    the link is available; the NGFW then sends an RST packet to close the connection.

HTTP
    After the TCP three-way handshake, the NGFW sends an HTTP request for the root directory of the
    specified device. If an HTTP reply is received, the link is available; the NGFW then sends an RST
    packet to close the connection.

DNS
    The NGFW sends the device a DNS query for the name www.huawei.com. If the Transaction ID field in
    the response matches that of the query, the NGFW considers the link to the device available.

Each check only confirms that the probed device answered over that link, so configure more than one
probed member per group, as described above, so that the failure of a single probed device does not
decide the link status by itself.
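The ICMP and DNS rows of Table 9-2 amount to a correlation check: a reply is accepted only if it carries the identifiers of the outstanding request. The following added Python example (not Huawei code) builds such probes and applies the check to replies produced offline by a constructed peer, including a reply with the wrong Sequence Number, a corrupted reply and a DNS packet that is not a response. The payload contents, the identifier values and the extra QR-bit check on the DNS reply are this example's own choices, not something the page prescribes.

```python
"""Added example (not Huawei code): the reply-matching rules of Table 9-2
for ICMP and DNS probes, applied to packets built and answered offline.
Payload, Identifier/Sequence Number and Transaction ID values, the
'constructed peer' that answers, and the QR-bit check are assumptions."""
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum used by the ICMP header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def icmp_echo_request(ident: int, seq: int, payload: bytes = b"probe") -> bytes:
    """Type 8 (echo request), code 0, with Identifier and Sequence Number."""
    head = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    csum = inet_checksum(head + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def icmp_reply_matches(request: bytes, reply: bytes) -> bool:
    """Link Up only if the reply is a well-formed echo reply (type 0) whose
    Identifier and Sequence Number equal those of the request."""
    if len(request) < 8 or len(reply) < 8:
        return False
    rtype, rcode, _, rid, rseq = struct.unpack("!BBHHH", reply[:8])
    _, _, _, qid, qseq = struct.unpack("!BBHHH", request[:8])
    if rtype != 0 or rcode != 0:
        return False
    if inet_checksum(reply) != 0:        # an intact packet sums to zero
        return False
    return (rid, rseq) == (qid, qseq)


def constructed_echo_reply(request: bytes) -> bytes:
    """What a healthy probed device sends back (constructed, offline)."""
    _, _, _, ident, seq = struct.unpack("!BBHHH", request[:8])
    body = request[8:]
    head = struct.pack("!BBHHH", 0, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 0, 0, inet_checksum(head + body), ident, seq) + body


def dns_query(txid: int, name: str = "www.huawei.com") -> bytes:
    """Standard query, RD=1, one question: <name> A IN."""
    head = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split("."))
    return head + qname + b"\x00" + struct.pack("!HH", 1, 1)


def dns_reply_matches(query: bytes, reply: bytes) -> bool:
    """Link Up if the reply's Transaction ID equals the query's; the QR bit
    check is an added sanity check beyond what the page describes."""
    if len(query) < 12 or len(reply) < 12:
        return False
    qid = struct.unpack("!H", query[:2])[0]
    rid, flags = struct.unpack("!HH", reply[:4])
    return rid == qid and bool(flags & 0x8000)


def constructed_dns_reply(query: bytes) -> bytes:
    """Minimal response: same ID, QR=1 RD=1 RA=1, question echoed, no answers."""
    txid, _, qdcount, _, _, _ = struct.unpack("!HHHHHH", query[:12])
    return struct.pack("!HHHHHH", txid, 0x8180, qdcount, 0, 0, 0) + query[12:]


def probe_outcomes() -> dict:
    """Run both checks against a good reply and against mismatched ones."""
    req = icmp_echo_request(ident=0x1234, seq=1)
    good = constructed_echo_reply(req)
    stale = constructed_echo_reply(icmp_echo_request(ident=0x1234, seq=7))
    corrupt = good[:-1] + b"\x00"               # last payload byte altered
    q = dns_query(txid=0xBEEF)
    return {
        "icmp_good": icmp_reply_matches(req, good),
        "icmp_wrong_seq": icmp_reply_matches(req, stale),
        "icmp_bad_checksum": icmp_reply_matches(req, corrupt),
        "dns_good": dns_reply_matches(q, constructed_dns_reply(q)),
        "dns_wrong_id": dns_reply_matches(q, constructed_dns_reply(dns_query(0x0001))),
        "dns_not_response": dns_reply_matches(q, q),
    }


if __name__ == "__main__":
    for check, result in probe_outcomes().items():
        print(f"{check:20s} link {'Up' if result else 'Down'}")
```

Only the first ICMP case and the first DNS case report the link Up; a reply for a different sequence number, a damaged reply, a response with another Transaction ID, or a packet that is merely an echo of the query all leave the link Down, which is exactly why a stale or unrelated packet cannot keep a dead link marked healthy.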

9.4 Configuring Intelligent Uplink Selection Using the Web UI

This section describes how to configure intelligent uplink selection on the web UI.

9.4.1 Configuration Flow


This section provides the configuration flow for you to learn the configuration method and major
configuration items of intelligent uplink selection.

Figure 9-10 shows the configuration flow of intelligent uplink selection.


Figure 9-10 Configuration flow of intelligent uplink selection

Start
  1. Configure the ISP address library link selection (optional)
  2. Configure link health check (optional)
       - Create a link health check group.
       - Set link health check parameters.
       - Add a probed member.
  3. Configure intelligent uplink selection member interfaces (mandatory)
       - Complete basic interface settings.
       - Set the gateway address.
       - Specify the ISP.
       - Apply the link health check group.
       - Set the interface bandwidth and overload protection threshold.
  4. Bind a member interface to an interface group (optional)
  5. Configure intelligent uplink selection (mandatory)
       - Select an intelligent uplink selection mode.
       - Add intelligent uplink selection member interfaces.
       - Set intelligent uplink selection parameters.
End

(The figure distinguishes mandatory items, mandatory sub-items, and optional items; Table 9-3 states
which sub-items are optional.)

Table 9-3 describes the tasks in the configuration flow.

Table 9-3 Configuration description of intelligent uplink selection

1. (Optional) Configuring the ISP Address Library Link Selection
   Sub-task: none
   You can configure ISP address library link selection to forward traffic destined for a specific
   ISP network from the corresponding outbound interface, so that the shortest path is used for
   traffic forwarding.

2. (Optional) Configuring Link Health Check
   Create a link health check group.
       The NGFW checks the health of links based on the link health check group. Only healthy links
       are used to forward traffic.
   Set link health check parameters.
       If the NGFW receives a correct reply packet from a probed member, it determines that the link
       between the NGFW and that member is active (status: Up). You can set the following parameters:
       - Interval for sending probe packets: After you apply the link health check group to an
         interface, the NGFW sends probe packets at this interval.
       - Number of probes: When the NGFW receives no reply for this number of consecutive probes, it
         considers the link inactive and changes the link status to Down.
       - Minimum number of active links: When the number of active links falls below this minimum,
         the status of the link health check group changes to Down, meaning the link is unavailable.
   Add a probed member.
       A probed member is the destination device at the other end of a link. A link health check
       group can contain one or more probed members.

3. Configuring Intelligent Uplink Selection Member Interfaces
   (Optional) Complete basic interface settings.
       Set the IP address and subnet mask of each interface and assign the interfaces to security
       zones.
   Set the gateway address.
       You must set a gateway address for each intelligent uplink selection member interface. The
       NGFW then generates default routes automatically.
   (Optional) Specify the ISP.
       Specify an ISP for the member interface, that is, bind the member interface to an ISP
       interface group. You can choose whether to deliver ISP routes on the interface.
   (Optional) Set the default route.
       If default routes are enabled, the NGFW automatically generates a default route whose next hop
       is the gateway address set on the interface. If default routes are disabled, the NGFW does not
       generate default routes automatically.
   (Optional) Apply the link health check group.
       To improve the reliability of intelligent uplink selection, apply a link health check group to
       the member interface. The NGFW excludes faulty links during intelligent uplink selection and
       chooses only among healthy links.
   (Optional) Set the interface bandwidth and overload protection threshold.
       If you set a bandwidth and an overload protection threshold for a link and the bandwidth usage
       of the link reaches the threshold, the NGFW no longer uses the link for traffic forwarding.
       In intelligent uplink selection, the NGFW first chooses among the links that are not
       overloaded, to maximize link efficiency and prevent congestion. When all links are overloaded,
       it selects links according to the configured intelligent uplink selection mode, regardless of
       whether the links are overloaded.

4. (Optional) Binding a Member Interface to an Interface Group
   Sub-task: none
   An interface group is a group of intelligent uplink selection member interfaces; adding an
   interface group is equivalent to adding its member interfaces in a batch. You can bind a member
   interface to an interface group in either of the following ways:
   - Create a common interface group and add member interfaces to it.
   - Configure ISP address library link selection, create an ISP interface group, and add member
     interfaces to it. You can choose whether to deliver ISP routes on an interface.

5. Configuring Intelligent Uplink Selection
   Select an intelligent uplink selection mode.
       The mode determines the criterion for link selection; the NGFW selects a link according to the
       configured traffic diversion policy. The NGFW supports four modes:
       - Load balancing by link bandwidth: the default mode. The NGFW forwards traffic to each link
         based on the link bandwidth ratio.
       - Load balancing by link weight: The NGFW forwards traffic to each link based on the link
         weight ratio.
       - Active/Standby backup by link priority: The NGFW preferentially uses the link with the
         highest priority and treats the other links as backup or load-sharing links.
       - Load balancing by link quality: Supported by link selection based on policy-based routes but
         not by global route selection. The NGFW preferentially uses the link with the highest quality
         and treats the other links as load-sharing links.
   Add intelligent uplink selection member interfaces.
       In intelligent uplink selection, the NGFW chooses outbound interfaces only from the intelligent
       uplink selection member interfaces. You can use individual interfaces or interface groups as
       member interfaces; adding an interface group is equivalent to adding its member interfaces in
       a batch. The NGFW selects the outbound interface from all member interfaces.
   Set intelligent uplink selection parameters.
       After you select a mode, set its parameters:
       - Member interface bandwidth and overload protection threshold: For load balancing by link
         bandwidth, set the bandwidth of each member interface. To enable overload protection, also
         set the overload protection threshold; when the bandwidth usage of a link reaches the
         threshold, the NGFW stops using that link for transmission and uses a link that is not
         overloaded.
       - Member interface weight: For load balancing by link weight, set the weight of each member
         interface. If you do not set a weight, the default weight is 1.
       - Member interface priority: For active/standby backup by link priority, set the priority of
         each member interface. If you do not set a priority, the default priority is 1.
       - Link quality parameters: For load balancing by link quality, enable one or more of the three
         link quality parameters:
         - Packet loss ratio: the default parameter. After sending multiple probe packets, the NGFW
           counts the probes that received no reply; the packet loss ratio is the number of lost probe
           packets divided by the number of probe packets sent. Packet loss ratio is the decisive
           parameter for link quality.
         - Delay: the reply receiving time minus the probe sending time, averaged over the N probe
           packets sent by the NGFW.
         - Jitter: the absolute value of the difference between two adjacent probe delays, averaged
           over the N probe packets sent by the NGFW.

9.4.2 Configuring the ISP Address Library Link Selection


This section describes how to configure the ISP address library link selection on the web UI.

Configuring ISP Address Library Link Selection


Step 1 Choose Network > Router > Intelligent Uplink Selection.

Step 2 Click the Carrier Address Library tab.

Step 3 Click Import, create a carrier, and import the ISP address file of the carrier, as shown in Figure
9-11. For parameter descriptions, see Table 9-4.

Figure 9-11 Importing the ISP address file

Table 9-4 Parameters for importing the ISP address file

Name
    Name of the carrier to be created.

Address Library File
    ISP address file of the carrier.
    Each imported ISP address file automatically generates an ISP address group that contains all IP
    addresses in the file. You can reference this address group as the source or destination address
    in policy-based routes.
    NOTE
    The ISP address file must be in CSV format.


Repeat the preceding operations to import multiple ISP address files. Note that the NGFW does
not allow the import of empty files.

Step 4 Click OK.

Step 5 Choose Network > Interface.

Step 6 Click the edit icon of the specified interface.

Step 7 Select Multi-egress options and configure the ISP route function, as shown in Figure 9-12. For
parameter descriptions, see Table 9-5.

Figure 9-12 Configuring ISP routes

Table 9-5 Parameters for configuring ISP routes

Carrier
    Select a carrier from the drop-down list. Usually, this is the carrier of the link connected to
    the outbound interface.

Carrier Route
    After you enable the ISP route function, the NGFW generates static routes to the ISP network in a
    batch. In each generated route the destination is an IP address in the ISP address file and the
    next hop is the gateway address specified on the outbound interface. These static routes are
    called ISP routes. They have the same preference as common static routes, 60 by default.
    Choose Network > Router > Routing Table to view the generated ISP route entries.

(Optional) Link Health Check
    Select an existing link health check group to check the health of the link.
    To improve traffic forwarding reliability, ISP address library link selection can work together
    with link health check to ensure that traffic is not forwarded over faulty links. If the health
    check finds a link faulty, the NGFW deletes the ISP route entries for that link, so traffic
    neither matches those routes nor is forwarded to the faulty link. When the link recovers, the ISP
    route entries are created again and traffic can be forwarded over them.

Step 8 Click OK.

----End

Exporting an ISP Address Library File


Step 1 Choose Network > Router > Intelligent Uplink Selection.

Step 2 Click the Carrier Address Library tab.

Step 3 Select the file to be exported and click Export.

Step 4 Click Save to specify a file storage path.

----End

9.4.3 Configuring Link Health Check


This section describes how to configure link health check on the web UI.

Step 1 Choose Object > Link Health Check.

Step 2 Click Add in Link Health Check List.

Step 3 Configure link health check, as shown in Figure 9-13. Table 9-6 describes the parameters.


Figure 9-13 Configuring link health check

Table 9-6 Parameters for configuring link health check

Name
    Name of the link health check group.

Detection interval
    Interval between probe packets.

Maximum tries
    Maximum number of consecutive probe failures before a probed node is considered Down.

Minimum number of active nodes
    Minimum number of active nodes required for the link health check group to remain Up.

Detection node
    Click Add, set the probe packet parameters, and click OK.
    Protocol
        Protocol of the probe packets: TCP, HTTP, DNS, or ICMP.
    Detected IP
        Destination IP address for the link health check. The NGFW and the destination device are
        at the two ends of the link; the NGFW sends probe packets to this address to check the health
        of the link.
    Port
        Port number on the destination device (not used by ICMP probes).

Step 4 Click OK.


The new link health check group is displayed in Link Health Check List.

Step 5 Apply the link health check group.

If the interface is an intelligent uplink selection member interface, apply the link health check
group on that interface. The following steps describe how to apply a link health check group. For
the configuration details of intelligent uplink selection, see Configuring Global Route Selection
Policies.

1. Choose Network > Interface.
2. Click the edit icon of the specified interface.
3. Select Multi-egress options.
4. In the Link Health Check drop-down list, select an existing link health check group.

----End
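The following added Python example (not Huawei code) ties 9.4.2 and 9.4.3 together: it turns an imported ISP address file into the batch of ISP routes for one member interface, keeps a link health check group with the Table 9-6 parameters, and withdraws those routes from the lookup while the group is Down. It assumes the address file holds one IPv4 prefix per CSV line (the page only says CSV format), that a probed node goes Down after "maximum tries" consecutive probe failures and back Up on the first reply, and that withdrawal can be modelled by skipping the interface's routes at lookup; the interface name, gateway, prefixes, node addresses and probe outcomes are all constructed.

```python
"""Added example (not Huawei code) for sections 9.4.2 and 9.4.3: ISP routes
generated from an address file, the health check group guarding them, and
their withdrawal while the group is Down. File format, node state rule and
withdrawal model are assumptions; all addresses and outcomes are constructed."""
import csv
import io
import ipaddress

ISP1_ADDRESS_FILE = "198.51.100.0/24\n203.0.113.0/24\n"   # constructed (TEST-NET ranges)


class ProbedNode:
    def __init__(self, ip: str, max_tries: int):
        self.ip, self.max_tries = ip, max_tries
        self.failures, self.up = 0, True

    def record(self, replied: bool) -> None:
        if replied:
            self.failures, self.up = 0, True
            return
        self.failures += 1
        if self.failures >= self.max_tries:   # 'Maximum tries' reached
            self.up = False


class HealthCheckGroup:
    def __init__(self, name: str, nodes, min_active: int):
        self.name, self.nodes, self.min_active = name, nodes, min_active

    def record_round(self, replies: dict) -> None:
        """One detection interval: replies maps node IP -> reply received?"""
        for node in self.nodes:
            node.record(replies.get(node.ip, False))

    def is_up(self) -> bool:
        """'Minimum number of active nodes' decides the group status."""
        return sum(1 for n in self.nodes if n.up) >= self.min_active


def load_isp_prefixes(text: str):
    """Parse the imported address file; an empty file is rejected."""
    prefixes = []
    for row in csv.reader(io.StringIO(text)):
        if row and row[0].strip():
            prefixes.append(ipaddress.ip_network(row[0].strip()))
    if not prefixes:
        raise ValueError("empty ISP address file")
    return prefixes


def isp_routes(prefixes, interface: str, gateway: str, preference: int = 60):
    """The batch of static routes generated when Carrier Route is enabled:
    destination = prefix from the file, next hop = the interface gateway."""
    return [(p, gateway, interface, preference) for p in prefixes]


def egress_for(dst: str, routes, groups: dict):
    """Longest-prefix match over ISP routes whose link is healthy. None means
    no ISP route matched (or it was withdrawn): forwarding falls through to
    the default routes and intelligent uplink selection."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, _gw, iface, _pref in routes:
        group = groups.get(iface)
        if group is not None and not group.is_up():
            continue                               # route withdrawn
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def scenario():
    """Seven probe rounds on one ISP link; returns (group Up?, egress) per round."""
    routes = isp_routes(load_isp_prefixes(ISP1_ADDRESS_FILE), "GE1/0/1", "192.0.2.1")
    group = HealthCheckGroup("isp1_hc",
                             [ProbedNode("198.51.100.1", 3), ProbedNode("198.51.100.2", 3)],
                             min_active=1)
    groups = {"GE1/0/1": group}
    rounds = [  # constructed: node 1 fails from round 2, node 2 from round 4
        {"198.51.100.1": True,  "198.51.100.2": True},
        {"198.51.100.1": False, "198.51.100.2": False},
        {"198.51.100.1": False, "198.51.100.2": True},
        {"198.51.100.1": False, "198.51.100.2": False},
        {"198.51.100.1": False, "198.51.100.2": False},
        {"198.51.100.1": False, "198.51.100.2": False},
        {"198.51.100.1": True,  "198.51.100.2": False},
    ]
    timeline = []
    for replies in rounds:
        group.record_round(replies)
        timeline.append((group.is_up(), egress_for("198.51.100.77", routes, groups)))
    return timeline


if __name__ == "__main__":
    for i, (up, egress) in enumerate(scenario(), 1):
        print(f"round {i}: group {'Up' if up else 'Down'}, egress {egress}")
```

The timeline shows why two probed members and a minimum of one active node matter: the group stays Up through round 5 because the second node still answers, only goes Down in round 6 after both nodes have missed three probes in a row, and the ISP routes return as soon as one node answers again in round 7. The detection latency is therefore the detection interval multiplied by the maximum tries, per node.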

9.4.4 Configuring Global Route Selection Policies


If traffic matches no policy-based route and no static route but matches multiple default ECMP
routes, the global route selection policy takes effect and selects the outbound interface through
which the NGFW forwards the traffic.

Prerequisites
- To specify an outbound interface for an ISP, configure the ISP address library.
- To check the link health of the outbound interface, create a link health check group.

Procedure
Step 1 Choose Network > Interface.

Step 2 Click the edit icon of the specified interface.

This interface becomes an intelligent uplink selection member interface. Configure the interface here before you add it to a global route selection policy.

Step 3 Optional: Complete basic interface settings, such as setting the IP address and subnet mask and
assigning the interface to a security zone. The details are omitted.

Step 4 Select Multi-egress options and configure the intelligent uplink selection member interface, as
shown in Figure 9-14. For parameter descriptions, see Table 9-7.


Figure 9-14 Configuring intelligent uplink selection member interfaces

Table 9-7 Parameters for configuring intelligent uplink selection member interfaces

Default Gateway: Gateway address of the interface. An intelligent uplink selection member interface must have a gateway address; it is the next hop of the default route and of the ISP routes generated for this interface.

(Optional) Carrier: Select a carrier from the drop-down list, normally the carrier of the link connected to this outbound interface. After you select a carrier, the interface is added to that carrier's ISP interface group.

(Optional) Carrier Route: After you enable the ISP route function, the NGFW generates static routes in a batch to the ISP network: the destination is each address in the ISP address file and the next hop is the gateway address of the outbound interface. These routes are called ISP routes. They have the same preference as common static routes, 60 by default. Choose Network > Router > Routing Table to view the generated ISP route entries.

(Optional) Default Route: If enabled, the NGFW automatically generates a default route whose next hop is the gateway address set on the interface. If disabled, the NGFW does not generate a default route automatically.

(Optional) Link Health Check: Select an existing link health check group from the drop-down list. The NGFW then selects a link only from the links whose health check is Up.

(Optional) Upstream Bandwidth: Bandwidth of the link in the upload direction, from the NGFW toward the carrier.

(Optional) Downstream Bandwidth: Bandwidth of the link in the download direction, from the carrier toward the NGFW.

(Optional) Overload Protection Threshold: Bandwidth usage of the link, as a percentage of the configured bandwidth. When the usage exceeds this threshold, the NGFW treats the link as overloaded, excludes it from intelligent uplink selection, and selects a link that is not overloaded. When all links are overloaded, the NGFW forwards traffic according to the configured intelligent uplink selection mode and ignores the overload state.

Step 5 Click OK.

Step 6 Choose Network > Router > Intelligent Uplink Selection.

Step 7 Optional: Click the Interface Group tab and bind intelligent uplink selection member interfaces
to a common interface group, as shown in Figure 9-15. For parameter descriptions, see Table
9-8.

Figure 9-15 Binding member interfaces to a common interface group


Table 9-8 Parameters for binding member interfaces to a common interface group

Name: Name of the common interface group.

Member Interface: Intelligent uplink selection member interfaces bound to the interface group. To add or remove member interfaces:
l Add a member interface: click the add-all button to bind all member interfaces to the interface group, or select the interfaces in Selectable and click the add button to bind only those interfaces.
l Delete a member interface: click the remove-all button to unbind all member interfaces from the interface group, or select the interfaces in Selected and click the remove button to unbind only those interfaces.
Interfaces that already belong to an ISP interface group are not displayed in Selectable: a member interface can be bound to only one interface group.

Step 8 Click OK.

Step 9 Click the Global Route Selection Policy tab and then click Edit.

Step 10 Optional: On the Configure Global Route Selection Policy page, you can choose whether to
enable DNS Transparent Proxy. For configuration details, see Configuring DNS
Transparent Proxy.

Step 11 Select a link selection mode from the Selection Mode drop-down list.
NOTE

After the link selection mode is configured, new traffic that passes through the NGFW is forwarded according to the link selection policy. Existing sessions are not aged out when the mode changes, so their traffic is not immediately forwarded according to the new policy. You can run the reset firewall session table command to clear the session entries manually, or wait until the sessions age out.
Clearing the session table interrupts the services carried by those sessions. Exercise caution, and clear session entries only after you confirm that services will not be affected.
l When Selection Mode is Load balancing based on link bandwidth, Figure 9-16 shows
the configuration page. For parameter descriptions, see Table 9-9.


Figure 9-16 Configuring load balancing by link bandwidth

Table 9-9 Parameters for configuring load balancing by link bandwidth

WAN Interface/Carrier/Interface Group: Intelligent uplink selection member interface. After you click Add, select member interfaces from the drop-down list. Members can be single interfaces, common interface groups, and ISP interface groups. An interface group is a collection of one or more intelligent uplink selection member interfaces; interface groups cannot be nested, that is, multiple interface groups cannot form a new interface group.

Overload Protection Threshold: Bandwidth usage of the link. Not configurable here; set it when you configure the interface (see Step 4).

Incoming: Inbound overload protection threshold. Not configurable here; set it when you configure the interface (see Step 4).

Outgoing: Outbound overload protection threshold. Not configurable here; set it when you configure the interface (see Step 4).

l When Selection Mode is Load balancing based on link weights, Figure 9-17 shows the
configuration page. For parameter descriptions, see Table 9-10.


Figure 9-17 Configuring load balancing by link weight

Table 9-10 Parameters for configuring load balancing by link weight

WAN Interface/Carrier/Interface Group: Intelligent uplink selection member interface. After you click Add, select member interfaces from the drop-down list. Members can be single interfaces, common interface groups, and ISP interface groups. An interface group is a collection of one or more intelligent uplink selection member interfaces; interface groups cannot be nested, that is, multiple interface groups cannot form a new interface group.

Overload Protection Threshold: Bandwidth usage of the link. Not configurable here; set it when you configure the interface (see Step 4).

Incoming: Inbound overload protection threshold. Not configurable here; set it when you configure the interface (see Step 4).

Outgoing: Outbound overload protection threshold. Not configurable here; set it when you configure the interface (see Step 4).

Weight: Weight of the member interface. The NGFW distributes traffic to the links in proportion to their weights, so a link with a larger weight forwards more traffic and a link with a smaller weight forwards less.


l When Selection Mode is Active/standby backup based on link priorities, Figure 9-18
shows the configuration page. For parameter descriptions, see Table 9-11.

Figure 9-18 Configuring active/standby backup by link priority

Table 9-11 Parameters for configuring active/standby backup by link priority

Standby interface automatic shutdown: After you enable this function, all standby interfaces are set to Down. If the active interface is overloaded (interface overload protection must be configured) or goes Down, the standby interface with the highest priority is brought Up while the other standby interfaces remain Down. When both the active interface and that standby interface are overloaded or Down, the standby interface with the next highest priority is brought Up.

WAN Interface/Carrier/Interface Group: Intelligent uplink selection member interface. After you click Add, select member interfaces from the drop-down list. Members can be single interfaces, common interface groups, and ISP interface groups. An interface group is a collection of one or more intelligent uplink selection member interfaces; interface groups cannot be nested, that is, multiple interface groups cannot form a new interface group.

Overload Protection Threshold: Bandwidth usage of the link. Not configurable here; set it when you configure the interface (see Step 4).

Incoming: Inbound overload protection threshold. Not configurable here; set it when you configure the interface (see Step 4).

Outgoing: Outbound overload protection threshold. Not configurable here; set it when you configure the interface (see Step 4).

Priority: Priority of the member interface. A larger value indicates a higher priority.

Step 12 Click OK.

----End

Follow-up Procedure
After the configuration is complete, click the Global Route Selection Policy tab to view the health status of each link (a status icon shows whether the link is available or unavailable) and the traffic statistics for the last five minutes, as shown in Figure 9-19.

Upstream Traffic Percentage and Downstream Traffic Percentage are the ratio of the actual traffic on an interface to its bandwidth threshold, where the bandwidth threshold is the interface bandwidth multiplied by the overload protection threshold. When the actual traffic on the interface reaches or exceeds the bandwidth threshold, the value is displayed as 100%.

Figure 9-19 Viewing global route selection policies

9.5 Configuring Intelligent Uplink Selection on the CLI


This section describes how to configure intelligent uplink selection on the CLI.


9.5.1 Configuration Flow


This section provides the configuration flow for you to learn the configuration method and major
configuration items of intelligent uplink selection.

Figure 9-20 shows the configuration flow of intelligent uplink selection.

Figure 9-20 Configuration flow of intelligent uplink selection

(Flowchart. The steps it shows, in order; mandatory items are 3 and 5, the others are optional.)
1. Configure the ISP address library link selection.
2. Configure link health check: create a link health check group, add a probed member, set the link health check parameters, and optionally set the IP address of the detection source.
3. Configure intelligent uplink selection member interfaces: complete the basic interface settings, set the gateway address, optionally apply the link health check group, and optionally set the interface bandwidth and overload protection threshold.
4. Bind member interfaces to an interface group.
5. Configure intelligent uplink selection: select an intelligent uplink selection mode, add intelligent uplink selection member interfaces, and set the intelligent uplink selection parameters.

Table 9-12 describes the content in the configuration flow.


Table 9-12 Configuration description of intelligent uplink selection

1. (Optional) Configuring the ISP Address Library Link Selection
Configure the ISP address library link selection to forward traffic destined for a specific ISP network through the corresponding outbound interface, so that the shortest path is used.

2. (Optional) Configuring Link Health Check
Sub-task: Create a link health check group. The NGFW checks the health of links based on the link health check group. Only healthy links are used to forward traffic.

Sub-task: Add a probed member. A probed member is the destination device at the other end of a link. Each link health check group can contain one or more probed members.

Sub-task: Set the link health check parameters. If the NGFW receives a correct reply from the probed member after sending a probe packet, it determines that the link between the NGFW and the probed member is active (status: Up). You can set the following parameters:
l Interval for sending probe packets: after you apply the link health check group to an interface, the NGFW sends probe packets at this interval.
l Number of probes: when the NGFW fails to receive a reply for this many consecutive probes, it considers the link inactive and changes the link status to Down.
l Minimum number of active links: when the number of active links is smaller than this value, the status of the link health check group changes to Down, indicating that the link is unavailable.

Sub-task (optional): Set the IP address of the detection source. Use a public or private IP address according to the network deployment; the address must be available and routable. You can use the IP address of the interface to which the link health check group is applied, or an address from a source NAT address pool. If you do not set it, the NGFW uses the interface IP address; if the interface has multiple IP addresses, the NGFW uses the one on the same subnet as the gateway address.

3. Configuring Intelligent Uplink Selection Member Interfaces
Sub-task (optional): Complete the basic interface settings. Set the interface IP address and subnet mask and assign the interface to a security zone.

Sub-task: Set the gateway address. You must set a gateway address for each intelligent uplink selection member interface. If the no-route parameter is configured, the NGFW does not automatically generate a default route through that gateway; otherwise it does.

Sub-task (optional): Apply the link health check group. To improve the reliability of intelligent uplink selection, apply a link health check group to the member interface. The NGFW excludes faulty links and selects a link only from the healthy ones.

Sub-task (optional): Set the interface bandwidth and overload protection threshold. When the bandwidth usage of a link reaches its threshold, the NGFW stops using that link for forwarding. The NGFW first selects from the links that are not overloaded, to use links efficiently and prevent congestion. When all links are overloaded, it selects a link according to the configured intelligent uplink selection mode, regardless of the overload state.

4. (Optional) Binding a Member Interface to an Interface Group
An interface group is a group of intelligent uplink selection member interfaces; adding an interface group is equivalent to adding its member interfaces in a batch. You can bind a member interface to an interface group in two ways:
l Create a common interface group and add member interfaces to it.
l After configuring the ISP address library link selection, create an ISP interface group and add member interfaces to it. You can choose whether to deliver ISP routes on each interface.

5. Configuring Intelligent Uplink Selection
Sub-task: Select an intelligent uplink selection mode. The mode determines the criterion for link selection; the NGFW then selects a link according to the configured traffic diversion policy. Four modes are supported:
l Load balancing by link bandwidth (the default mode): the NGFW distributes traffic to the links in proportion to their bandwidth.
l Load balancing by link weight: the NGFW distributes traffic to the links in proportion to their weights.
l Active/standby backup by link priority: the NGFW preferentially uses the link with the highest priority and treats the other links as backup or load balancing links.
l Load balancing by link quality: supported only by policy-based route link selection, not by global route selection. The NGFW preferentially uses the link with the highest quality and treats the other links as load balancing links.

Sub-task: Add intelligent uplink selection member interfaces. The NGFW selects outbound interfaces only from intelligent uplink selection member interfaces. A member can be an individual interface or an interface group; adding an interface group is equivalent to adding its member interfaces in a batch. The NGFW selects outbound interfaces from all member interfaces.

Sub-task: Set the intelligent uplink selection parameters. After you select a mode, set the parameters that the mode needs:
l Member interface bandwidth and overload protection threshold: for load balancing by link bandwidth, set the bandwidth of each member interface. To implement interface overload protection, also set the overload protection threshold; when the link bandwidth usage reaches the threshold, the NGFW stops using that link and uses a link that is not overloaded.
l Member interface weight: for load balancing by link weight, set a weight for each member interface. The default weight is 1.
l Member interface priority: for active/standby backup by link priority, set a priority for each member interface. The default priority is 1.
l Link quality parameters: for load balancing by link quality, set one or more of the three link quality parameters used to evaluate a link:
– Packet loss ratio (the default parameter): after sending multiple probe packets, the NGFW counts the probes that received no reply. The packet loss ratio is the number of lost probes divided by the number of probes sent. Packet loss ratio is the decisive parameter for link quality.
– Delay: the reply receiving time minus the probe sending time. The final delay is the average over the N probe packets sent.
– Jitter: the absolute difference between the delays of two adjacent probes. The final jitter is the average over the N probe packets sent.
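The following is an added example, not Huawei code and not something that runs on the NGFW. It models the decision rules described for the member-interface parameters (Table 9-7), the three global selection modes (Tables 9-9 to 9-11) and the mode parameters in Table 9-12, so that the effect of a given bandwidth, threshold, weight or priority setting can be reasoned about before it is configured. Interface names, bandwidth and usage figures and the probe samples are constructed; the quality mode models only the documented rule that the best link is preferred, since the page does not say how the remaining links share traffic.

```python
"""Model of the intelligent uplink selection modes and overload protection rules.

Added example: not Huawei code; it reproduces the documented decision rules so a
bandwidth/threshold/weight/priority setting can be reasoned about offline.
Interface names, bandwidths, usage figures and probe samples are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Member:
    name: str
    bw_up: int            # upstream (upload) bandwidth, kbit/s
    bw_down: int          # downstream (download) bandwidth, kbit/s
    threshold: int        # overload protection threshold, percent
    usage_up: int = 0     # measured upload traffic, kbit/s
    usage_down: int = 0   # measured download traffic, kbit/s
    weight: int = 1       # load balancing by link weight; default 1
    priority: int = 1     # active/standby by priority; larger wins; default 1
    healthy: bool = True  # state reported by the applied link health check group
    probe_delays_ms: List[Optional[float]] = field(default_factory=list)  # None = no reply

    def limit(self, direction: str) -> float:
        """Bandwidth threshold = interface bandwidth x overload protection threshold."""
        bw = self.bw_up if direction == "up" else self.bw_down
        return bw * self.threshold / 100

    def percentage(self, direction: str) -> float:
        """Upstream/Downstream Traffic Percentage as displayed: capped at 100%."""
        used = self.usage_up if direction == "up" else self.usage_down
        return min(100.0, 100.0 * used / self.limit(direction))

    def overloaded(self) -> bool:
        return self.percentage("up") >= 100 or self.percentage("down") >= 100

    def quality(self):
        """(packet loss ratio, average delay, average jitter); lower is better."""
        sent = len(self.probe_delays_ms)
        replies = [d for d in self.probe_delays_ms if d is not None]
        loss = (sent - len(replies)) / sent if sent else 1.0   # lost / sent
        delay = sum(replies) / len(replies) if replies else float("inf")
        jitters = [abs(a - b) for a, b in zip(replies, replies[1:])]
        jitter = sum(jitters) / len(jitters) if jitters else 0.0
        return (loss, delay, jitter)


def candidates(members: List[Member]) -> List[Member]:
    """Unhealthy links are never used; overloaded links are skipped unless all are overloaded."""
    healthy = [m for m in members if m.healthy]
    not_overloaded = [m for m in healthy if not m.overloaded()]
    return not_overloaded or healthy


def shares(members: List[Member], mode: str) -> Dict[str, float]:
    """Fraction of new sessions each candidate link receives under the given mode."""
    pool = candidates(members)
    if not pool:
        return {}
    if mode == "bandwidth":            # proportional to link bandwidth
        keyed = {m.name: m.bw_up for m in pool}
    elif mode == "weight":             # proportional to configured weight
        keyed = {m.name: m.weight for m in pool}
    elif mode == "priority":           # highest priority only; ties share equally
        top = max(m.priority for m in pool)
        keyed = {m.name: 1 for m in pool if m.priority == top}
    elif mode == "quality":            # best (loss, delay, jitter) tuple wins
        best = min(pool, key=lambda m: m.quality())
        keyed = {best.name: 1}
    else:
        raise ValueError(f"unknown selection mode: {mode}")
    total = sum(keyed.values())
    return {name: round(value / total, 3) for name, value in keyed.items()}


def sample_members() -> List[Member]:
    """Constructed three-link scenario: one busy link, one overloaded link, one failed link."""
    return [
        Member("GE1/0/1", 100000, 100000, 80, usage_up=70000, usage_down=30000,
               weight=3, priority=10, probe_delays_ms=[20, 22, None, 21]),
        Member("GE1/0/2", 50000, 50000, 80, usage_up=45000, usage_down=10000,
               weight=1, priority=5, probe_delays_ms=[10, 11, 10, 12]),
        Member("GE1/0/3", 20000, 20000, 80, usage_up=1000, usage_down=1000,
               weight=2, priority=20, healthy=False, probe_delays_ms=[None] * 4),
    ]


if __name__ == "__main__":
    links = sample_members()
    for m in links:
        print(f"{m.name}: up {m.percentage('up'):.1f}% down {m.percentage('down'):.1f}% "
              f"overloaded={m.overloaded()} healthy={m.healthy} quality={m.quality()}")
    for mode in ("bandwidth", "weight", "priority", "quality"):
        print(mode, shares(links, mode))
```

Note that GE1/0/3 has the highest priority but is excluded in every mode because its health check is Down, and GE1/0/2 is excluded while it exceeds its threshold (45000 kbit/s against a limit of 50000 x 80% = 40000 kbit/s); once every healthy link is overloaded the model, like the NGFW, falls back to the plain mode calculation.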

9.5.2 Configuring the ISP Address Library Link Selection


This section describes how to configure the ISP address library link selection on the CLI.

Prerequisites
An ISP address file is ready. For details on how to make an ISP address file, see ISP Address
Library Link Selection.

Procedure
Step 1 Import the ISP address file.

Use FTP, SFTP, or TFTP to upload the ISP address file to the NGFW. For details on how to upload the file, see the File System chapter.

Step 2 Access the system view.

system-view

Step 3 Create an ISP name.

isp name isp-name

Step 4 Configure the mapping between the ISP name and ISP address file.

isp name isp-name set filename filename

Each ISP name corresponds to only one ISP address file, but one ISP address file can correspond
to multiple ISP names.

After you run this command, the NGFW uses the ISP address file to generate an ISP address
group. Content of the address group cannot be modified directly, but you can modify the ISP
address file and import it again to modify the address group. You can reference the ISP address
group in policy-based routes as the source or destination address.

Step 5 Add interfaces to the interface group that references the ISP name and deliver ISP routes.

interface-group isp isp-name interface interface-type interface-number route enable

An interface group that references an ISP name is the ISP interface group: the interfaces added to it are bound to that ISP name and are treated as belonging to the ISP. After you deliver ISP routes, the NGFW generates static routes in a batch to the ISP network. The destination is each address in the ISP address file, and the next hop is the gateway address specified on the outbound interface.

Step 6 Optional: Access the view of the interface bound in step 5 and apply the link health check group
to the interface.


healthcheck link-group { group-id | group-name }


To improve traffic forwarding reliability, ISP address library link selection can work together with link health check. Ensure that the link health check group is created in advance. If the health check result indicates that a link is faulty, the NGFW deletes the ISP route entries for that link, so traffic no longer matches those routes and is not forwarded to the faulty link. When the link recovers, the ISP route entries are created again and traffic can be forwarded over them.

----End

Follow-up Procedure
Run the rename isp old-name new-name command to change the ISP name.
Run the isp delete filename file-name command to delete an ISP address file.

NOTICE
If an interface has generated ISP routes, you cannot run the isp delete filename file-name
command to delete the corresponding ISP address file.
If an ISP address file is deleted by the delete [ /unreserved ] filename command by mistake,
import an ISP address file with the same name to ensure that ISP address library link selection
functions properly.

Run the display isp { name isp-name | all } command to view the ISP address file information.
<sysname> display isp all
isp information(total number: 5)
isp name: "china mobile"
file name: china-mobile.csv
next-hop: GigabitEthernet1/0/2, 10.1.10.10
status: enable
------------------------------------------------------------
isp name: "china unicom"
file name: china-unicom.csv
next-hop: GigabitEthernet1/0/3, 10.1.20.20
status: disable
------------------------------------------------------------
isp name: "china telecom"
file name: china-telecom.csv
------------------------------------------------------------
isp name: "china educationnet"
file name: china-educationnet.csv
------------------------------------------------------------
isp name: isp1
file name: isp1.csv
next-hop: GigabitEthernet1/0/1, 10.1.30.30
status: enable
------------------------------------------------------------

Run the display ip routing-table command to display the generated ISP routes. In the routing
table, the entries with protocol ISP are the routes that the ISP address library function generates.


<sysname> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 266        Routes : 266

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface
        0.0.0.0/0   Static  60   0          D   10.7.7.1        GigabitEthernet1/0/1
       10.1.1.0/24  Direct  0    0          D   10.1.1.1        GigabitEthernet1/0/6
       10.1.2.0/24  ISP     60   0          D   10.7.7.1        GigabitEthernet1/0/1
       10.1.3.0/24  ISP     60   0          D   10.7.7.1        GigabitEthernet1/0/1
       10.1.4.0/24  ISP     60   0          D   10.7.7.1        GigabitEthernet1/0/1

9.5.3 Configuring Link Health Check


Link health check monitors the link status in real time to ensure traffic distribution to available
links.

Prerequisites
l The IP address of the target device for link health check is available.
l The source IP address of probe packets is available. For example, use a public IP address
as the source IP address if the destination device is on the Internet.

Procedure
Step 1 Access the system view.

system-view

Step 2 Create a link health check group and access its view.

healthcheck link-group [ group-id ] group-name

If you do not set an ID for a link health check group when creating it, the NGFW assigns an ID
to it.

Step 3 Add probed members to the link health check group.

destination ip-address protocol { dns | http [ destination-port port-number ] | icmp | tcp destination-port port-number }

The probed member is the destination device on the other side of the link, and ip-address is its
IP address.

Step 4 Set the minimum number of active links for the link health check group.

least active-linknumber number

By default, the minimum number of active links is 1. That is, the link health check group is Up
as long as one link is Up.

The link health check group enters the Down state if the number of active links is less than the
minimum number of active links.


Step 5 Set the interval for sending probe packets.

tx-interval interval-time

By default, the interval between sending probe packets is 5 seconds.

Step 6 Set the number of consecutive probe failures.

times time

If the number of consecutive probe failures reaches the upper limit (time), the NGFW considers
the link unavailable and changes its status to Down.

By default, the maximum number of consecutive probe failures is 3.

Step 7 Return to the system view.

quit

Step 8 Access the interface view.

interface interface-type { interface-number | interface-number.subinterface-number }

Step 9 Set the source IP address of probe packets.

healthcheck source-ip ip-address

Use an available and routable IP address (public or private) based on network deployment as
the source IP address of probe packets. You can use the IP address of the interface where the
link health check group resides or an IP address in the source NAT address pool as the IP address
of the detection source.

If you do not set the IP address of the detection source, the NGFW will use the interface IP
address as the IP address of the detection source. If multiple IP addresses are specified for the
interface, the NGFW selects the IP address on the same subnet as the gateway address as the IP
address of the detection source.

Step 10 Apply the link health check group to the interface.

healthcheck link-group { group-id | group-name }

One interface can apply only one link health check group, but one link health check group can be applied to multiple interfaces.

----End

Example
The NGFW connects to five devices through GE1/0/1. The IP addresses of the devices are
10.3.3.3 to 10.3.3.7. Link health check is performed on the links connected to these devices.
10.3.3.10 is used as the source IP address of probe packets. The NGFW sends an ICMP probe
packet every 3 seconds. When the number of consecutive probe failures on a link reaches 4, the
NGFW considers the link Down. When the number of active links is less than 2, the NGFW
considers the GE1/0/1 link unavailable.

# Create a link health check group named hchkgrp1.


<sysname> system-view
[sysname] healthcheck link-group 1 hchkgrp1


# Add probed members to the link health check group.


[sysname-healthcheck-link-group-1] destination 10.3.3.3 protocol icmp
[sysname-healthcheck-link-group-1] destination 10.3.3.4 protocol icmp
[sysname-healthcheck-link-group-1] destination 10.3.3.5 protocol icmp
[sysname-healthcheck-link-group-1] destination 10.3.3.6 protocol icmp
[sysname-healthcheck-link-group-1] destination 10.3.3.7 protocol icmp

# Set the minimum number of active links for the link health check group.
[sysname-healthcheck-link-group-1] least active-linknumber 2

# Set the interval between sending probe packets and the maximum number of consecutive probe
failures.
[sysname-healthcheck-link-group-1] tx-interval 3
[sysname-healthcheck-link-group-1] times 4
[sysname-healthcheck-link-group-1] quit

# Apply the link health check group to GE1/0/1.


[sysname] interface GigabitEthernet 1/0/1
[sysname-GigabitEthernet1/0/1] healthcheck link-group hchkgrp1

# Set the source IP address of probe packets.


[sysname-GigabitEthernet1/0/1] healthcheck source-ip 10.3.3.10
[sysname-GigabitEthernet1/0/1] quit
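As an added example that is not part of the Huawei guide, the following Python model replays the hchkgrp1 configuration above against constructed probe results, showing when a member and then the whole group go Down, and how the detection source address is chosen when none is configured. The class and function names are my own.

```python
"""Model of a link health check group (added example, not Huawei code).

It follows the commands used above: destination (a probed member), times
(consecutive failures before a member is Down), tx-interval, least
active-linknumber (Up members needed for the group to stay Up) and the
detection source address rule of Step 9.  Probe results are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_interface
from typing import Dict, List, Optional, Tuple


@dataclass
class Member:
    destination: str
    protocol: str = "icmp"
    port: int = 0
    state: str = "init"            # Init until the first probe result arrives
    consecutive_failures: int = 0


@dataclass
class LinkGroup:
    group_id: int
    name: str
    times: int = 4                 # "times 4" in the hchkgrp1 example
    tx_interval: int = 3           # "tx-interval 3": seconds between probes
    least_active: int = 1          # "least active-linknumber"
    members: List[Member] = field(default_factory=list)

    def destination(self, ip: str, protocol: str = "icmp", port: int = 0) -> None:
        self.members.append(Member(ip, protocol, port))

    def record_probe(self, ip: str, success: bool) -> str:
        """Apply one probe result and return the member's new state.
        A member recovers on the first answer; it goes Down only after
        `times` consecutive failures (assumed to apply from Init as well)."""
        m = next(x for x in self.members if x.destination == ip)
        if success:
            m.consecutive_failures = 0
            m.state = "up"
        else:
            m.consecutive_failures += 1
            if m.consecutive_failures >= self.times:
                m.state = "down"
        return m.state

    def counts(self) -> Dict[str, int]:
        """Up/Down/Init member counts, as in the display command output."""
        c = {"up": 0, "down": 0, "init": 0}
        for m in self.members:
            c[m.state] += 1
        return c

    def state(self) -> str:
        """The group, and so the interface it is applied to, stays Up while
        at least least_active members are Up."""
        return "up" if self.counts()["up"] >= self.least_active else "down"


def detection_source_ip(interface_ips: List[str], gateway: str,
                        configured: Optional[str] = None) -> Optional[str]:
    """Probe source address: the configured one if set; otherwise the
    interface address, choosing the one on the gateway's subnet when the
    interface has several addresses."""
    if configured:
        return configured
    if len(interface_ips) == 1:
        return str(ip_interface(interface_ips[0]).ip)
    gw = ip_address(gateway)
    for cidr in interface_ips:
        iface = ip_interface(cidr)
        if gw in iface.network:
            return str(iface.ip)
    return None


def replay_page_example() -> List[Tuple[str, Dict[str, int], str]]:
    """Replay hchkgrp1 (five ICMP members, times 4, least active-linknumber 2)
    against a constructed probe sequence; returns (event, counts, group state)."""
    grp = LinkGroup(1, "hchkgrp1", times=4, tx_interval=3, least_active=2)
    for host in range(3, 8):
        grp.destination(f"10.3.3.{host}")
    history = []
    for m in grp.members:                      # first round: every member answers
        grp.record_probe(m.destination, True)
    history.append(("all answered", grp.counts(), grp.state()))
    for _ in range(3):                         # 3 failures: below times 4, still Up
        grp.record_probe("10.3.3.3", False)
    history.append(("10.3.3.3 failed 3x", grp.counts(), grp.state()))
    grp.record_probe("10.3.3.3", False)        # 4th consecutive failure: Down
    history.append(("10.3.3.3 failed 4x", grp.counts(), grp.state()))
    for host in (4, 5, 6):                     # three more members go Down
        for _ in range(4):
            grp.record_probe(f"10.3.3.{host}", False)
    history.append(("only 10.3.3.7 up", grp.counts(), grp.state()))  # 1 < 2: group Down
    return history
```

Each entry of the returned history corresponds to one Up/Down/Init line of display healthcheck link-group.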

Follow-up Procedure
Run the rename healthcheck link-group { group-id | group-name } new-group-name command
to change the name of the link health check group.

Run the display healthcheck link-group [ group-id | group-name | interface interface-type
{ interface-number | interface-number.subinterface-number } ] [ verbose ] command to view
information about the link health check group.
[sysname] display healthcheck link-group
Current Total Healthcheck Link-group Number : 1
ID Name Mem Interface State Up/Down/Init
1 hchkgrp1 5 GE1/0/1 up 5/0/0

Table 9-13 shows the description of the display healthcheck link-group command output.

Table 9-13 Description of the display healthcheck link-group command output

Item                                          Description
Current Total Healthcheck Link-group Number   Number of link health check groups on the NGFW.
ID                                            ID of a link health check group.
Name                                          Name of a link health check group.
Mem                                           Number of members in a link health check group.
Interface                                     Interface to which a link health check group applies.
State                                         Status of a link health check group.
Up/Down/Init                                  Number of link health check group members in different status.
                                              l Up: A link functions properly.
                                              l Down: A link is faulty.
                                              l Init: A link is in initialized state. Check group members are in this state when a
                                                link health check group is being created and link health check is disabled.

Run the display healthcheck link [ destination ip-address ] [ protocol { icmp | http | dns |
tcp } ] [ app-id app-id-number ] [ verbose ] command to view information about link health
check.
[sysname] display healthcheck link
Current Total Number : 1
ID AppID Destination IP Protocol/Port State Out Interface
1 1 10.3.3.3 icmp/0 up GE1/0/1
2 1 10.3.3.4 icmp/0 up GE1/0/1
3 1 10.3.3.5 icmp/0 up GE1/0/1
4 1 10.3.3.6 icmp/0 up GE1/0/1
5 1 10.3.3.7 icmp/0 up GE1/0/1

Table 9-14 shows the description of the display healthcheck link command output.

Table 9-14 Description of the display healthcheck link command output

Item             Description
ID               ID for link health check.
AppID            ID of the application module corresponding to the link health check entry.
Destination IP   Destination IP address for link health check.
Protocol/Port    Protocol type and port number of probe packets.
State            Status of a link.
Out Interface    Outbound interface of probe packets.

9.5.4 Configuring Global Route Selection Policies


If the traffic does not match any policy-based route or static route but matches multiple default
ECMP routes, the global route selection policy takes effect and selects an outbound interface
for the NGFW to forward traffic.

Prerequisites
l To specify an outbound interface for an ISP, configure the ISP Address Library.
l To check the link health of the outbound interface, create a Link Health Check Group.

Context
After the link selection mode is configured, subsequent traffic that passes through the NGFW
will be forwarded on the basis of link selection policies. For earlier traffic, the session is not
aged. Therefore, such traffic is not immediately forwarded on the basis of link selection policies.
You can run the reset firewall session table command to manually clear the session entry or
wait until the session ages.

NOTICE
The service will be interrupted after you clear the session entry. Therefore, exercise caution
when you perform this operation. You can clear the session entry only after you confirm that
services will not be affected.

Procedure
Step 1 Access the system view.

system-view

Step 2 Access the interface view.

interface interface-type { interface-number | interface-number.subinterface-number }

The interface is an intelligent uplink selection member interface. Before you add a member
interface for intelligent uplink selection, you need to configure the interface first.

Step 3 Optional: Complete basic interface settings, such as setting the IP address and subnet mask and
assigning the interface to a security zone. The details are omitted.

Step 4 Set a gateway address for the interface.

gateway gateway-address [ no-route ]

You must set a gateway address for the interface if the interface functions as an intelligent uplink
selection member interface. If the no-route parameter is configured, the firewall does not
automatically generate default routes. If the no-route parameter is not configured, the firewall
automatically generates a default route with the next hop being the gateway address set for the
interface.

Step 5 Optional: Apply the link health check group.

healthcheck link-group { group-id | group-name }

The link health check group must already exist. One interface can apply only one link health
check group, but one link health check group can be applied to multiple interfaces.

Step 6 Optional: Set link bandwidth and overload protection threshold for the interface.

bandwidth { egress | ingress } bandwidth-value [ threshold threshold ]

When the interface is an intelligent uplink selection member interface, you can set bandwidth
and overload protection threshold for the link of the interface. If the link is overloaded, that is,
the bandwidth usage reaches the specified threshold, the member interface no longer participates
in intelligent uplink selection, and the NGFW selects an outbound interface from those that are
not overloaded. If the bandwidth usage of the overloaded link is smaller than threshold, the
member interface participates again in intelligent uplink selection. When all member interfaces
are overloaded, the NGFW will forward traffic based on the specified intelligent uplink selection
mode, regardless of whether the links are overloaded.

NOTE

When you set the intelligent uplink selection mode to load balancing by link bandwidth, you must set
bandwidth for the member interfaces, and you are advised to set overload protection threshold. When you
set the intelligent uplink selection mode to other modes, you are advised to set link bandwidth and overload
protection threshold to achieve the best effects.

Step 7 Return to the system view.

quit

Step 8 Bind interfaces to the interface group.

You can use the following methods to bind a member interface to an interface group:

l After you create a common interface group, bind member interfaces to the common interface
group.
interface-group name interface-group-name
interface-group interface-group-name interface interface-type interface-number
An interface group is a group of intelligent uplink selection member interfaces. Adding an
interface group equals to adding member interfaces in a batch.
l Reference an ISP name as the interface group name, create an ISP interface group, and bind
member interfaces to the ISP interface group. Then the member interface is considered as
belonging to the ISP. You can choose whether to deliver ISP routes on an interface.
interface-group isp isp-name interface interface-type interface-number [ route { enable |
disable } ]

Step 9 Access the global multi-egress view.

multi-interface

Step 10 Set the intelligent uplink selection mode of the global route selection policy.

mode { priority-of-userdefine | proportion-of-bandwidth | proportion-of-weight }

The intelligent uplink selection mode determines the standard of link selection. The global route
selection policy supports three link selection modes:

l Load balancing by link bandwidth: Load balancing by link bandwidth is the default intelligent
uplink selection mode. The NGFW forwards traffic to each link based on the link bandwidth
ratio.
l Load balancing by link weight: The NGFW forwards traffic to each link based on the link
weight ratio.

l Active/Standby backup by link priority: The NGFW preferentially uses the link with the
highest priority to transmit traffic and treats all the other links as backup links or load
balancing links.

Step 11 Add intelligent uplink selection member interfaces.

add { interface interface-type interface-number | interface-group { interface-group-name |
isp isp-name } } [ priority priority | weight weight ] *

The NGFW selects outbound interfaces from only intelligent uplink selection member interfaces.
You need to set related parameters for the member interfaces based on the specified intelligent
uplink selection mode.

l When you set the intelligent uplink selection mode to load balancing by link bandwidth, you
need to set bandwidth for the member interfaces. To implement interface overload protection,
you also need to set the overload protection threshold. When the link bandwidth usage reaches
the threshold, the NGFW will no longer use the link for traffic transmission, but uses a link
that is not overloaded.
l Member interface weight: When you set the intelligent uplink selection mode to load
balancing by link weight, you need to set weight for the member interfaces. If you do not set
the weight, the default weight is 1.
l Member interface priority: When you set the intelligent uplink selection mode to active/
standby backup by link priority, you need to set priority for the member interface. If you do
not set the priority, the default priority is 1.

Step 12 Optional: Set the parameter for intelligent uplink selection hashing.

load-balance flow hash { destination-ip | destination-port | source-ip | source-port } *

The default parameters for intelligent uplink selection hashing are the source IP address (source-
ip) and the destination IP address (destination-ip).

If multiple outbound interfaces are available for intelligent uplink selection, the NGFW will
select one of the interfaces as the outbound interface based on the hash result. For example, when
the intelligent uplink selection mode is load balancing by link bandwidth and the links of the
two interfaces have the same bandwidth and are both not overloaded, the NGFW will select one
of the interfaces as the outbound interface based on the hash result.

Step 13 Optional: Set the status of standby interfaces to Down.

standby-interface status down

When you set the intelligent uplink selection mode to active/standby backup by link priority,
the interface with the highest priority is the active interface, and all the other interfaces are
standby interfaces. After you run this command, the status of all standby interfaces becomes
Down. If the active interface is overloaded (interface overload protection must be configured)
or becomes Down, the standby interface with the highest priority becomes Up, but all the other
standby interfaces remain Down. When the active interface and the standby interface with the
highest priority are both overloaded or become Down, the standby interface with the second
highest priority becomes Up.

----End
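The following Python model is an added example (not Huawei code) of the selection rules described in Steps 6, 10, 12 and 13 above: overload protection, the three link selection modes, the flow hash used to pick among equal candidates, and standby-interface status down. Interface names and bandwidths are taken from the examples in 9.7; usage rates, flows and all function names are constructed.

```python
"""Model of the global route selection policy (added example, not Huawei code).

It follows Steps 6, 10, 12 and 13 of this procedure: bandwidth with an
overload protection threshold, the three link selection modes, the flow
hash (source-ip and destination-ip by default) used to pick among equal
candidates, and "standby-interface status down" in priority mode.  Member
values, traffic rates and flows are constructed; the interface names and
bandwidths come from the page examples.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence


@dataclass
class MemberInterface:
    name: str
    bandwidth: int = 0        # "bandwidth egress" value in kbit/s; 0 = not set
    threshold: int = 100      # overload protection threshold, percent
    weight: int = 1           # default weight 1
    priority: int = 1         # default priority 1
    usage: int = 0            # constructed current egress rate, kbit/s
    link_up: bool = True      # result of the interface's link health check

    def overloaded(self) -> bool:
        """Usage at or above threshold percent of the configured bandwidth."""
        return self.bandwidth > 0 and self.usage * 100 >= self.bandwidth * self.threshold


def flow_hash(flow: Dict[str, str],
              fields: Sequence[str] = ("source-ip", "destination-ip")) -> int:
    """Deterministic hash over the load-balance flow hash fields."""
    key = "|".join(f"{f}={flow[f]}" for f in fields).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")


def select_interface(members: List[MemberInterface], mode: str,
                     flow: Dict[str, str],
                     fields: Sequence[str] = ("source-ip", "destination-ip")) -> Optional[str]:
    """Return the outbound interface for one new flow."""
    up = [m for m in members if m.link_up]
    # Overloaded members drop out; if every member is overloaded the NGFW
    # forwards by the configured mode regardless of overload.
    candidates = [m for m in up if not m.overloaded()] or up
    if not candidates:
        return None
    h = flow_hash(flow, fields)
    if mode == "priority-of-userdefine":
        best = max(m.priority for m in candidates)
        top = [m for m in candidates if m.priority == best]
        return top[h % len(top)].name          # equal priority shares the load
    if mode == "proportion-of-bandwidth":
        shares = [(m.name, m.bandwidth) for m in candidates]
        if any(s == 0 for _, s in shares):
            raise ValueError("bandwidth must be set on every member in this mode")
    elif mode == "proportion-of-weight":
        shares = [(m.name, m.weight) for m in candidates]
    else:
        raise ValueError(f"unknown mode {mode}")
    point = h % sum(s for _, s in shares)      # weighted pick by hash
    for name, share in shares:
        if point < share:
            return name
        point -= share
    return None


def standby_states(members: List[MemberInterface]) -> Dict[str, str]:
    """'standby-interface status down' in priority mode: only the usable
    member with the highest priority is Up, every other member is Down."""
    usable = [m for m in members if m.link_up and not m.overloaded()]
    active = max(usable, key=lambda m: m.priority, default=None)
    return {m.name: ("up" if m is active else "down") for m in members}


def distribute(members: List[MemberInterface], mode: str, n_flows: int) -> Dict[str, int]:
    """Count how n_flows constructed intranet flows are spread over the members."""
    counts = {m.name: 0 for m in members}
    for i in range(n_flows):
        flow = {"source-ip": f"10.3.0.{i % 250 + 1}",
                "destination-ip": f"203.0.113.{i // 250 + 1}",
                "source-port": str(40000 + i), "destination-port": "443"}
        chosen = select_interface(members, mode, flow)
        if chosen:
            counts[chosen] += 1
    return counts
```

With the 9.7.3 values (100 M at 95% and 50 M at 90%) distribute() splits flows roughly 2:1 until GE1/0/1 crosses its threshold, after which every new flow goes to GE1/0/7.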

Follow-up Procedure
Run the rename interface-group old-name new-name command to change the interface group
name.

9.6 Maintaining Intelligent Uplink Selection


After you configure intelligent uplink selection, you can use the CLI or web UI to view the
configuration and status information.

Displaying ISP Address Library Configurations


Table 9-15 lists the operations of checking ISP address library configurations on the CLI.

Table 9-15 Displaying ISP address library configurations

Action                                        Command
Display ISP address library configurations.   display isp { name isp-name | all }

Choose Network > Router > Intelligent Uplink Selection and click the Carrier Address
Library tab. You can view the ISP address library configurations, as shown in Figure 9-21.

Figure 9-21 Displaying ISP address library configurations

Displaying Link Health Check Configurations


Table 9-16 lists the operations of checking link health check configurations on the CLI.

Table 9-16 Displaying link health check configurations

Action                                            Command
Display link health check configurations.         display healthcheck link [ id id-number ] [ verbose ]
                                                  display healthcheck link [ destination ip-address ] [ protocol { icmp | http | dns | tcp } ]
                                                  [ app-id app-id-number ] [ verbose ]
Display link health check group configurations.   display healthcheck link-group [ group-id | group-name | interface interface-type
                                                  { interface-number | interface-number.subinterface-number } ] [ verbose ]

Choose Object > Link Health Check on the web UI. You can view the link health check
configurations, as shown in Figure 9-22.

Figure 9-22 Displaying link health check configurations

Displaying Global Route Selection Policy Configurations


Choose Network > Router > Intelligent Uplink Selection and click the Global Route
Selection Policy tab. You can view the global route selection policy configurations, as shown
in Figure 9-23.

Figure 9-23 Displaying global route selection policy configurations

9.7 Configuration Examples


This section provides examples for configuring intelligent uplink selection in different scenarios.

9.7.1 Web Example for Configuring ISP Address Library Link Selection
This section provides an example for configuring ISP address library link selection for the
NGFW to select an outbound interface based on the ISP network of the packet destination
address.

Networking Requirements
As shown in Figure 9-24, the NGFW is deployed at the network egress as the security gateway.
The enterprise has two links connected respectively to ISP1 and ISP2.

l The enterprise requires that packets to Server 1 be forwarded on ISP1 link and packets to
Server 2 be forwarded on ISP2 link.
l When one link is faulty, follow-up traffic will be forwarded on the other link to ensure
transmission availability.

Figure 9-24 Networking diagram for configuring ISP address library link selection (Server 1
3.3.3.3/32 is reached through ISP1 via GE1/0/1 1.1.1.1/24; Server 2 9.9.9.9/32 is reached
through ISP2 via GE1/0/7 2.2.2.2/24; Internet access traffic from the intranet passes through
the NGFW)

Configuration Roadmap
1. Make two ISP address files, isp1_network.csv and isp2_network.csv, write Server 1 IP
address 3.3.3.3/32 into isp1_network.csv and Server 2 IP address 9.9.9.9/32 into
isp2_network.csv, and upload the two ISP address files to the NGFW.
2. Configure the link health check function and create a link health check group respectively
for ISP1 and ISP2.
3. Set interface IP addresses, security zones, and gateway addresses. After you set a gateway
address, the NGFW automatically generates a default route.
4. Apply link health check groups on the interfaces. If the health check result indicates that a
link is faulty, the NGFW will delete the ISP route entry. Therefore, traffic will neither match
this route nor be forwarded to the faulty link.
5. Configure ISP address library link selection to forward packets destined for Server 1 from
ISP1 link and packets destined for Server 2 link from ISP2 link.

Procedure
Step 1 Choose Network > Router > Intelligent Uplink Selection.

Step 2 Click the Carrier Address Library tab, then click Import, and set the following parameters.

Name isp1_network

Address Library File Click Browser and select the ISP1 address file to be uploaded.

Step 3 Click OK.

Step 4 Click Import again and set the following parameters.

Name isp2_network

Address Library File Click Browser and select the ISP2 address file to be uploaded.

Step 5 Click OK.

Step 6 Choose Object > Link Health Check.

Step 7 In Link Health Check List, click Add and create a link health check group for ISP1 link as
follows:
NOTE

The destination IP addresses to be probed must be routable IP addresses.

Step 8 Click OK.

Step 9 Click Add again and create a link health check group for ISP2 link as follows:

Step 10 Click OK.

Step 11 Choose Network > Interface.

Step 12 Click of interface GE1/0/1, complete basic interface settings as follows, configure ISP
address library link selection, and apply the link health check group on the interface:

Step 13 Click OK.

Step 14 Click of interface GE1/0/3 and set the interface IP address and security zones as follows:

Step 15 Click OK.

Step 16 Click of interface GE1/0/7, complete basic interface settings as follows, configure ISP
address library link selection, and apply the link health check group on the interface:

Step 17 Click OK.

Step 18 Choose Policy > Security Policy.

Step 19 Click Add to configure a security policy between the Trust and Untrust zones to allow intranet
users to access extranet resources. It is assumed that the intranet user network segment is
10.3.0.0/24. Set parameters as follows:

Step 20 Click OK.

----End

Configuration Verification
Choose Network > Router > Routing Table and verify ISP route information.

Configuration Script
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
gateway 1.1.1.254
healthcheck link-group isp1_health
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet1/0/7
ip address 2.2.2.2 255.255.255.0
gateway 2.2.2.254
healthcheck link-group isp2_health
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/7
#
security-policy
rule name policy_sec_trust_untrust
source-zone trust
destination-zone untrust
action permit
source-address 10.3.0.0 24
#
isp name isp1_network
isp name isp1_network set filename isp1_network.csv
isp name isp2_network
isp name isp2_network set filename isp2_network.csv
#
interface-group isp isp1_network interface GigabitEthernet1/0/1 route enable
interface-group isp isp2_network interface GigabitEthernet1/0/7 route enable
#
healthcheck link-group 1 isp1_health
destination 3.3.10.10 protocol TCP destination-port 10001
destination 3.3.10.11 protocol TCP destination-port 10002
healthcheck link-group 2 isp2_health
destination 9.9.20.20 protocol TCP destination-port 10003
destination 9.9.20.21 protocol TCP destination-port 10004
#
return

9.7.2 CLI Example for Configuring ISP Address Library Link Selection
This section provides an example for configuring ISP address library link selection for the
NGFW to select an outbound interface based on the ISP network of the packet destination
address.

Networking Requirements
As shown in Figure 9-25, the NGFW is deployed at the network egress as the security gateway.
The enterprise has two links connected respectively to ISP1 and ISP2.

l The enterprise requires that packets to Server 1 be forwarded on ISP1 link and packets to
Server 2 be forwarded on ISP2 link.
l When one link is faulty, follow-up traffic will be forwarded on the other link to ensure
transmission availability.

Figure 9-25 Networking diagram for configuring ISP address library link selection (Server 1
3.3.3.3/32 is reached through ISP1 via GE1/0/1 1.1.1.1/24; Server 2 9.9.9.9/32 is reached
through ISP2 via GE1/0/7 2.2.2.2/24; Internet access traffic from the intranet passes through
the NGFW)

Configuration Roadmap
1. Make two ISP address files, isp1_network.csv and isp2_network.csv, write Server 1 IP
address 3.3.3.3/32 into isp1_network.csv and Server 2 IP address 9.9.9.9/32 into
isp2_network.csv, and upload the two ISP address files to the NGFW.
2. Configure the link health check function and create a link health check group respectively
for ISP1 and ISP2.
3. Set interface IP addresses, security zones, and gateway addresses. After you set a gateway
address, the NGFW automatically generates a default route.

4. Apply link health check groups on the interfaces. If the health check result indicates that a
link is faulty, the NGFW will delete the ISP route entry. Therefore, traffic will neither match
this route nor be forwarded to the faulty link.
5. Configure ISP address library link selection to forward packets destined for Server 1 from
ISP1 link and packets destined for Server 2 link from ISP2 link.

Procedure
Step 1 Switch to the directory hda1:/isp, upload the ISP address files to this directory, and use SFTP
to transfer the files. Details are omitted.
Step 2 Create ISP name isp1_network for ISP1 and ISP name isp2_network for ISP2 and associate
them with the corresponding ISP address files.
<NGFW> system-view
[NGFW] isp name isp1_network
[NGFW] isp name isp1_network set filename isp1_network.csv
[NGFW] isp name isp2_network
[NGFW] isp name isp2_network set filename isp2_network.csv

Step 3 Create a link health check group for ISP1 and ISP2 links separately.
[NGFW] healthcheck link-group 1 isp1_health
[NGFW-healthcheck-link-group-1] destination 3.3.10.10 protocol TCP destination-port 10001
[NGFW-healthcheck-link-group-1] destination 3.3.10.11 protocol TCP destination-port 10002
[NGFW-healthcheck-link-group-1] quit
[NGFW] healthcheck link-group 2 isp2_health
[NGFW-healthcheck-link-group-2] destination 9.9.20.20 protocol TCP destination-port 10003
[NGFW-healthcheck-link-group-2] destination 9.9.20.21 protocol TCP destination-port 10004
[NGFW-healthcheck-link-group-2] quit

Step 4 Configure interface IP addresses and gateway addresses and bind them to specific link health
check groups.
[NGFW] interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1] ip address 1.1.1.1 255.255.255.0
[NGFW-GigabitEthernet1/0/1] gateway 1.1.1.254
[NGFW-GigabitEthernet1/0/1] healthcheck link-group isp1_health
[NGFW-GigabitEthernet1/0/1] quit
[NGFW] interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[NGFW-GigabitEthernet1/0/3] quit
[NGFW] interface GigabitEthernet 1/0/7
[NGFW-GigabitEthernet1/0/7] ip address 2.2.2.2 255.255.255.0
[NGFW-GigabitEthernet1/0/7] gateway 2.2.2.254
[NGFW-GigabitEthernet1/0/7] healthcheck link-group isp2_health
[NGFW-GigabitEthernet1/0/7] quit

Step 5 Assign the interfaces to security zones.


[NGFW] firewall zone trust
[NGFW-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW-zone-trust] quit
[NGFW] firewall zone untrust
[NGFW-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW-zone-untrust] add interface GigabitEthernet 1/0/7
[NGFW-zone-untrust] quit

Step 6 Configure a security policy between the Trust and Untrust zones to allow intranet users to access
extranet resources. It is assumed that the intranet user network segment is 10.3.0.0/24.
[NGFW] security-policy
[NGFW-policy-security] rule name policy_sec_trust_untrust

[NGFW-policy-security-rule-policy_sec_trust_untrust] source-zone trust


[NGFW-policy-security-rule-policy_sec_trust_untrust] destination-zone untrust
[NGFW-policy-security-rule-policy_sec_trust_untrust] source-address 10.3.0.0 24
[NGFW-policy-security-rule-policy_sec_trust_untrust] action permit
[NGFW-policy-security-rule-policy_sec_trust_untrust] quit
[NGFW-policy-security] quit

Step 7 Add interfaces to ISP interface groups and deliver ISP routes.
[NGFW] interface-group isp isp1_network interface GigabitEthernet1/0/1 route enable
[NGFW] interface-group isp isp2_network interface GigabitEthernet1/0/7 route enable

----End
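As an added example (not from the guide) covering the configuration roadmap shared by 9.7.1 and 9.7.2, the following Python model shows the ISP routes being used while a link is healthy and deleted when the link health check group reports that link Down, so that traffic falls back to the default route of the other link. The prefix lists stand in for isp1_network.csv and isp2_network.csv, whose file format this section does not show; class and function names are assumptions.

```python
"""Model of ISP address library link selection with link health check
(added example, not Huawei code).  It follows the configuration roadmap of
9.7.1 and 9.7.2: each ISP address library produces ISP routes out of the
interface bound to it with "route enable"; when that interface's link health
check group is Down the routes are deleted and a packet falls back to the
default routes generated from the interface gateways.  The prefix lists
stand in for isp1_network.csv and isp2_network.csv, whose file format this
section does not show.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


class IspLinkSelector:
    def __init__(self) -> None:
        self.isp_prefixes: Dict[str, list] = {}     # ISP name -> networks
        self.isp_interface: Dict[str, str] = {}     # ISP name -> bound interface
        self.default_routes: List[str] = []         # interfaces with a gateway set
        self.link_state: Dict[str, str] = {}        # interface -> up / down

    def isp(self, name: str, prefixes: List[str]) -> None:
        """isp name <name> set filename ... (file contents given inline here)"""
        self.isp_prefixes[name] = [ip_network(p) for p in prefixes]

    def interface_gateway(self, interface: str) -> None:
        """gateway <address>: the NGFW generates a default route via it."""
        if interface not in self.default_routes:
            self.default_routes.append(interface)
        self.link_state.setdefault(interface, "up")

    def interface_group_isp(self, name: str, interface: str) -> None:
        """interface-group isp <name> interface <if> route enable"""
        self.isp_interface[name] = interface

    def set_link_state(self, interface: str, state: str) -> None:
        """Result of the link health check group applied on the interface."""
        self.link_state[interface] = state

    def isp_routes(self) -> List[Tuple]:
        """Active ISP routes as (network, interface), longest prefix first.
        Routes via an interface whose health check is Down are deleted."""
        routes = []
        for name, nets in self.isp_prefixes.items():
            ifname = self.isp_interface.get(name)
            if ifname and self.link_state.get(ifname) == "up":
                routes.extend((net, ifname) for net in nets)
        return sorted(routes, key=lambda r: r[0].prefixlen, reverse=True)

    def select(self, destination: str, flow_seed: int = 0) -> Optional[str]:
        """Outbound interface for a packet: a matching ISP route first, else
        one of the live default routes (flow_seed stands in for the global
        route selection policy that picks among equal-cost defaults)."""
        dst = ip_address(destination)
        for net, ifname in self.isp_routes():
            if dst in net:
                return ifname
        alive = [i for i in self.default_routes if self.link_state.get(i) == "up"]
        return alive[flow_seed % len(alive)] if alive else None


def page_scenario() -> Dict[str, Dict[str, Optional[str]]]:
    """Build the 9.7.2 configuration and show where Server 1 (3.3.3.3) and
    Server 2 (9.9.9.9) traffic leaves, before and after the ISP1 link fails."""
    sel = IspLinkSelector()
    sel.isp("isp1_network", ["3.3.3.3/32"])
    sel.isp("isp2_network", ["9.9.9.9/32"])
    sel.interface_gateway("GigabitEthernet1/0/1")      # gateway 1.1.1.254
    sel.interface_gateway("GigabitEthernet1/0/7")      # gateway 2.2.2.254
    sel.interface_group_isp("isp1_network", "GigabitEthernet1/0/1")
    sel.interface_group_isp("isp2_network", "GigabitEthernet1/0/7")
    servers = ("3.3.3.3", "9.9.9.9")
    normal = {s: sel.select(s) for s in servers}
    sel.set_link_state("GigabitEthernet1/0/1", "down")  # isp1_health reports Down
    isp1_down = {s: sel.select(s) for s in servers}
    return {"normal": normal, "isp1_down": isp1_down}
```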

Configuration Script
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
gateway 1.1.1.254
healthcheck link-group isp1_health
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet1/0/7
ip address 2.2.2.2 255.255.255.0
gateway 2.2.2.254
healthcheck link-group isp2_health
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/7
#
security-policy
rule name policy_sec_trust_untrust
source-zone trust
destination-zone untrust
action permit
source-address 10.3.0.0 24
#
isp name isp1_network
isp name isp1_network set filename isp1_network.csv
isp name isp2_network
isp name isp2_network set filename isp2_network.csv
#
interface-group isp isp1_network interface GigabitEthernet1/0/1 route enable
interface-group isp isp2_network interface GigabitEthernet1/0/7 route enable
#
healthcheck link-group 1 isp1_health
destination 3.3.10.10 protocol TCP destination-port 10001
destination 3.3.10.11 protocol TCP destination-port 10002
healthcheck link-group 2 isp2_health
destination 9.9.20.20 protocol TCP destination-port 10003
destination 9.9.20.21 protocol TCP destination-port 10004
#
return

9.7.3 Web Example for Configuring Load Balancing by Link Bandwidth
This section provides an example for configuring load balancing by link bandwidth for the
NGFW to forward traffic to each link based on the specified bandwidth ratio to maximize the
efficiency of bandwidth resources.

Networking Requirements
As shown in Figure 9-26, an enterprise has a 100M link connected to ISP1 and a 50M link
connected to ISP2.

l The enterprise requires that traffic be forwarded to ISP1 and ISP2 links based on the
bandwidth ratio to ensure that bandwidth resources are used to the greatest extent.
l When one ISP link is overloaded (the threshold is 90%), follow-up traffic will be forwarded
on the other ISP link to ensure access availability.

Figure 9-26 Networking diagram of load balancing by link bandwidth (ISP1 link on GE1/0/1
1.1.1.1, link bandwidth 100M, overload protection threshold 95%; ISP2 link on GE1/0/7 2.2.2.2,
link bandwidth 50M, overload protection threshold 90%; Internet access traffic from the intranet
passes through the NGFW)

Configuration Roadmap
The enterprise requires traffic distribution by bandwidth ratio. Therefore, set the intelligent
uplink selection mode to load balancing by link bandwidth. To ensure that the NGFW can
forward traffic to other links when the one link is overloaded, set bandwidth and overload
protection threshold for the interface.

1. Configure the outbound interface.
Set the interface IP address, gateway, security zone, bandwidth, and overload protection
threshold.
2. Configure global route selection policies.
Set the intelligent uplink selection mode to load balancing by link bandwidth and configure
the outbound interfaces on the NGFW connecting to ISP1 and ISP2 networks as intelligent
uplink selection member interfaces.

Procedure
Step 1 Choose Network > Interface.

Step 2 Click of interface GE1/0/1, complete basic interface settings, and set the bandwidth and
overload protection threshold as follows:
NOTE

When the outbound interface is an intelligent uplink selection member interface, you must select Multi-
egress options.

Step 3 Click OK.

Step 4 Click of interface GE1/0/7, complete basic interface settings, and set the bandwidth and
overload protection threshold as follows:

Step 5 Click OK.

Step 6 Choose Network > Router > Intelligent Uplink Selection.

Step 7 Click the Global Route Selection Policy tab, click Edit, and configure a global route selection
policy as follows:

Step 8 Click OK.

----End

Configuration Verification
Choose Network > Router > Intelligent Uplink Selection. On the Global Route Selection
Policy tab, you can view traffic statistics in the last five minutes, as shown in Figure 9-27.

Figure 9-27 Viewing traffic statistics

Configuration Script
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
gateway 1.1.1.254
bandwidth ingress 100000 threshold 95
bandwidth egress 100000 threshold 95
#
interface GigabitEthernet1/0/7
ip address 2.2.2.2 255.255.255.0
gateway 2.2.2.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
#
multi-interface
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/7
mode proportion-of-bandwidth
#
return

9.7.4 Web Example for Configuring Load Balancing by Link Weight


This section provides an example for configuring load balancing by link weight for the
NGFW to forward more traffic to the link with higher performance, which maximizes link
resource efficiency and improves the Internet access experience of most users.

Networking Requirements
As shown in Figure 9-28, an enterprise has a 50M link connected to ISP1. However, this link
delivers poor forwarding performance. Therefore, the enterprise rents a 150M link from ISP2,
which delivers good performance.

l The enterprise requires that the ISP2 link forward 80% of the traffic and ISP1 link forward
20% of the traffic to improve the Internet access experience of most users.
l When one link is overloaded (the threshold is 90%), follow-up traffic will be forwarded on
the other link to ensure transmission availability.

Figure 9-28 Networking diagram of load balancing by link weight

[Figure 9-28 shows the NGFW with two outbound interfaces: GE1/0/1 (1.1.1.1, link weight 1, link bandwidth 50M, overload protection threshold 90%) connected to ISP1, and GE1/0/7 (2.2.2.2, link weight 4, link bandwidth 150M, overload protection threshold 90%) connected to ISP2; Internet access traffic is forwarded over both links.]

Configuration Roadmap
The enterprise requires that the traffic ratio on the ISP2 and ISP1 links be 4:1. Therefore, set the
intelligent uplink selection mode to load balancing by link weight and set the weights of the ISP2
and ISP1 links to 4 and 1 respectively. To ensure that the NGFW can forward traffic to the other
link when one link is overloaded, set the bandwidth and overload protection threshold for each
interface.

1. Configure the outbound interface.
Set the interface IP address, gateway, security zone, bandwidth, and overload protection
threshold.
2. Configure global route selection policies.
Set the intelligent uplink selection mode to load balancing by link weight, configure the
outbound interfaces on the NGFW connecting to ISP1 and ISP2 networks as intelligent
uplink selection member interfaces, and set weights for the interfaces.

Procedure
Step 1 Choose Network > Interface.

Step 2 Click of interface GE1/0/1, complete basic interface settings, and set the bandwidth and
overload protection threshold as follows:

NOTE

When the outbound interface is an intelligent uplink selection member interface, you must select Multi-
egress options.

Step 3 Click OK.

Step 4 Click of interface GE1/0/7, complete basic interface settings, and set the bandwidth and
overload protection threshold as follows:

Step 5 Click OK.

Step 6 Choose Network > Router > Intelligent Uplink Selection.

Step 7 Click the Global Route Selection Policy tab, click Edit, and configure a global route selection
policy as follows:

Step 8 Click OK.

----End

Configuration Verification
Choose Network > Router > Intelligent Uplink Selection. On the Global Route Selection
Policy tab, you can view traffic statistics in the last five minutes, as shown in Figure 9-29.

Figure 9-29 Viewing traffic statistics

Configuration Script
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
gateway 1.1.1.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
#
interface GigabitEthernet1/0/7
ip address 2.2.2.2 255.255.255.0
gateway 2.2.2.254
bandwidth ingress 150000 threshold 90
bandwidth egress 150000 threshold 90
#
multi-interface
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/7 weight 4
mode proportion-of-weight
#
return

9.7.5 Web Example for Configuring Active/Standby Backup by Link Priority

This section provides an example for configuring active/standby backup by link priority for the
NGFW to use the standby interface link to forward traffic when the active interface link is faulty
to improve transmission availability.

Networking Requirements
As shown in Figure 9-30, an enterprise has two 50M links connected to ISP1 and one 10M link
connected to ISP2.

l The enterprise requires that the two ISP1 links be used preferentially to forward Internet
access traffic and ISP2 link be used only when both ISP1 links are faulty.
l The tax declaration service is forwarded on the ISP2 link preferentially. When the ISP2
link is faulty, the tax declaration service is forwarded on the ISP1 link.

Figure 9-30 Networking diagram of active/standby backup by link priority

[Figure 9-30 shows the NGFW with GE1/0/0 (1.1.1.1) and GE1/0/1 (1.1.2.2) connected to ISP1, GE1/0/7 (2.2.2.2) connected to ISP2, and GE1/0/3 (10.3.0.1) facing the internal network; Internet access traffic and tax declaration service traffic are drawn as separate flows.]

Configuration Roadmap
The enterprise needs to use the ISP1 links preferentially. Therefore, set the global intelligent uplink
selection mode to load balancing by link priority and set the priorities of the ISP1 and ISP2 links
to 2 and 1 respectively. The tax declaration service needs to use the ISP2 link preferentially.
Therefore, configure intelligent uplink selection based on policy-based routes for the tax
declaration application, set the link selection mode to active/standby backup by link priority,
and set the priority of the ISP2 link to 2 and the priorities of the two ISP1 links to 1. To ensure
that the NGFW uses the standby interface link to forward traffic when the active interface link is
faulty, configure the link health check function.

1. Configure the link health check function.
Configure a link health check group respectively for ISP1 and ISP2 (the two ISP1 links use
the same link health check group).
2. Configure the outbound interface.
Set the interface IP address, gateway, and security zone, and apply the link health check
groups respectively on the interfaces.
3. Configure global route selection policies.
Set the intelligent uplink selection mode to active/standby backup by link priority, add
interfaces GE1/0/0 and GE1/0/1 to interface group ifgrp1, and configure interface group
ifgrp1 and interface GE1/0/7 both as intelligent uplink selection members. Set priorities
for interface group ifgrp1 and interface GE1/0/7. The priorities of both GE1/0/0 and
GE1/0/1 are the same as that of interface group ifgrp1.
4. Configure intelligent uplink selection based on policy-based routes.
Configure a policy-based route for the tax declaration application, set the intelligent uplink
selection mode to active/standby backup by link priority, and set priorities for interface
group ifgrp1 and interface GE1/0/7.

Procedure
Step 1 Choose Object > Link Health Check.

Step 2 In Link Health Check List, click Add and create a link health check group for ISP1 link as
follows:
NOTE

The destination IP addresses to be probed must be routable IP addresses.

Step 3 Click OK.

Step 4 Click Add again and create a link health check group for ISP2 link as follows:

Step 5 Click OK.

Step 6 Choose Network > Interface.

Step 7 Click of interface GE1/0/0, complete basic interface settings as follows, and apply the link
health check group on the interface:

Step 8 Click OK.

Step 9 Click of interface GE1/0/1, complete basic interface settings as follows, and apply the link
health check group on the interface:

Step 10 Click OK.

Step 11 Click of interface GE1/0/7, complete basic interface settings as follows, and apply the link
health check group on the interface:

Step 12 Click OK.

Step 13 Click of interface GE1/0/3 and set the interface IP address and security zones as follows:

Step 14 Click OK.

Step 15 Choose Network > Router > Intelligent Uplink Selection.

Step 16 On the Interface Group tab, click Add, and add interfaces GE1/0/0 and GE1/0/1 to interface
group ifgrp1.

Step 17 Click OK.

Step 18 Click the Global Route Selection Policy tab, click Edit, and configure a global route selection
policy as follows:

Step 19 Click OK.

Step 20 On the Policy Route tab, click Add, and configure a policy-based route as follows.
UD_tax_system is a user-defined application, corresponding to the tax declaration application.
For details on how to configure a user-defined application, see Configuring a User-Defined
Application.

Step 21 Click OK.


----End

Configuration Verification
Choose Network > Router > Intelligent Uplink Selection. On the Global Route Selection
Policy tab, you can view the health status of each link and the traffic statistics in the last five
minutes, as shown in Figure 9-31.

Figure 9-31 Viewing global route selection policies

Choose Network > Router > Intelligent Uplink Selection. On the Policy Route tab, you can
view the configured policy-based routes, as shown in Figure 9-32.

Figure 9-32 Viewing policy-based routes

Configuration Script
#
interface GigabitEthernet1/0/0
ip address 1.1.1.1 255.255.255.0
gateway 1.1.1.254
healthcheck link-group isp1_health
#
interface GigabitEthernet1/0/1
ip address 1.1.2.2 255.255.255.0
gateway 1.1.2.254
healthcheck link-group isp1_health
#
interface GigabitEthernet1/0/7
ip address 2.2.2.2 255.255.255.0
gateway 2.2.2.254
healthcheck link-group isp2_health
#
interface GigabitEthernet1/0/3
ip address 10.3.0.1 255.255.255.0
#
firewall zone trust
set priority 85
add interface GigabitEthernet1/0/3
#
firewall zone untrust
set priority 5
add interface GigabitEthernet1/0/0
add interface GigabitEthernet1/0/1
add interface GigabitEthernet1/0/7
#
interface-group name ifgrp1
interface-group ifgrp1 interface GigabitEthernet1/0/0
interface-group ifgrp1 interface GigabitEthernet1/0/1
#
policy-based-route
rule name tax_system
ingress-interface GigabitEthernet1/0/3
application app UD_tax_system
action pbr egress-interface multi-interface
add interface-group ifgrp1
add interface GigabitEthernet1/0/7 priority 2
mode priority-of-userdefine
#
multi-interface
add interface-group ifgrp1 priority 2
add interface GigabitEthernet1/0/7
mode priority-of-userdefine
#
healthcheck link-group 1 isp1_health
destination 3.3.10.10 protocol TCP destination-port 10001
destination 3.3.10.11 protocol TCP destination-port 10002
healthcheck link-group 2 isp2_health
destination 9.9.20.20 protocol TCP destination-port 10003
destination 9.9.20.21 protocol TCP destination-port 10004
#
return

9.7.6 Web Example for Configuring Load Balancing by Link Priority


This section provides an example for configuring load balancing by link priority for the
NGFW to use the standby interface link to forward traffic when the active interface link is faulty
or overloaded to improve transmission availability.

Networking Requirements
As shown in Figure 9-33, an enterprise has a 50M link connected to ISP1 and a 10M link
connected to ISP2.

l The enterprise requires that ISP1 link be used preferentially for traffic forwarding. When
ISP1 link is faulty or overloaded (the threshold is 90%), ISP2 link can be used for traffic
forwarding.
l The ISP2 link is charged by traffic volume (for example, a 3G network). Therefore, the ISP2
link must be set to Down while the active interface link works properly.

Figure 9-33 Networking diagram of load balancing by link priority

[Figure 9-33 shows the NGFW with GE1/0/1 (1.1.1.1, link bandwidth 50M, overload protection threshold 90%) connected to ISP1 and GE1/0/7 (2.2.2.2, link bandwidth 10M, overload protection threshold 90%) connected to ISP2, a 3G network; Internet access traffic leaves through these links.]

Configuration Roadmap
The enterprise needs to use ISP1 link preferentially. Therefore, set the intelligent uplink selection
mode to load balancing by link priority and set the priorities of ISP1 and ISP2 links respectively
to 2 and 1. To ensure that ISP2 link is Up only when transmitting traffic, you need to configure
the standby interface automatic shutdown function. To ensure that the NGFW can use other links
to forward traffic when a link is faulty or overloaded, you need to configure link health check
and link overload protection functions.

1. Configure the link health check function.
Configure a link health check group respectively for ISP1 and ISP2.
2. Configure the outbound interface.
Set the interface IP address, gateway, security zone, bandwidth, and overload protection
threshold, and apply the link health check groups respectively on the interfaces.
3. Configure global route selection policies.
Set the intelligent uplink selection mode to load balancing by link priority, configure the
outbound interfaces on the NGFW connecting to ISP1 and ISP2 networks as intelligent
uplink selection member interfaces, and set priorities for each interface. You also need to
enable the standby interface automatic shutdown function.

Procedure
Step 1 Choose Object > Link Health Check.

Step 2 In Link Health Check List, click Add and create a link health check group for ISP1 link as
follows:
NOTE

The destination IP addresses to be probed must be routable IP addresses.

Step 3 Click OK.

Step 4 Click Add again and create a link health check group for ISP2 link as follows:

Step 5 Click OK.

Step 6 Choose Network > Interface.

Step 7 Click of interface GE1/0/1, complete basic interface settings, apply the link health check
group on the interface, and set the bandwidth and overload protection threshold as follows:

Step 8 Click OK.

Step 9 Click of interface GE1/0/7, complete basic interface settings, apply the link health check
group on the interface, and set the bandwidth and overload protection threshold as follows:

Step 10 Click OK.

Step 11 Choose Network > Router > Intelligent Uplink Selection.

Step 12 Click the Global Route Selection Policy tab, click Edit, and configure a global route selection
policy as follows:

Step 13 Click OK.

----End

Configuration Verification
Choose Network > Router > Intelligent Uplink Selection. On the Global Route Selection
Policy tab, you can view the health status of each link and the traffic statistics in the last five
minutes, as shown in Figure 9-34.

Figure 9-34 Viewing global route selection policies

Configuration Script
#
interface GigabitEthernet1/0/1
ip address 1.1.1.1 255.255.255.0
gateway 1.1.1.254
bandwidth ingress 50000 threshold 90
bandwidth egress 50000 threshold 90
healthcheck link-group isp1_health
#
interface GigabitEthernet1/0/7
ip address 2.2.2.2 255.255.255.0
gateway 2.2.2.254
bandwidth ingress 10000 threshold 90
bandwidth egress 10000 threshold 90
healthcheck link-group isp2_health
#
multi-interface
standby-interface status down
add interface GigabitEthernet1/0/7
add interface GigabitEthernet1/0/1 priority 2
mode priority-of-userdefine
#
healthcheck link-group 1 isp1_health
destination 3.3.10.10 protocol TCP destination-port 10001
destination 3.3.10.11 protocol TCP destination-port 10002
healthcheck link-group 2 isp2_health
destination 9.9.20.20 protocol TCP destination-port 10003
destination 9.9.20.21 protocol TCP destination-port 10004
#
return
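The following added Python simulation (not Huawei's code) models the three multi-interface modes used in the configuration scripts above (proportion-of-bandwidth, proportion-of-weight and priority-of-userdefine) together with overload protection, link health status and standby-interface shutdown, so the expected traffic split and failover behaviour can be checked before a device is configured. The least-relative-load selection and the spreading of flows inside an interface group are assumptions of this model, not the device's algorithm.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Link:
    name: str
    bandwidth_kbps: int = 0              # "bandwidth egress <kbit/s>"; 0 = not configured
    threshold_pct: Optional[int] = None  # overload protection threshold in percent
    weight: int = 1                      # "add interface ... weight N" (default 1)
    priority: int = 1                    # "add interface ... priority N" (default 1)
    healthy: bool = True                 # latest result of the link health check group
    load_kbps: int = 0                   # traffic assigned so far (simulation state)

    def overloaded(self) -> bool:
        """Overload protection applies only when bandwidth and threshold are set."""
        if not self.bandwidth_kbps or self.threshold_pct is None:
            return False
        return self.load_kbps >= self.bandwidth_kbps * self.threshold_pct / 100


def pick_link(links: List[Link], mode: str) -> Optional[Link]:
    """Choose the outbound link for a new flow under the given multi-interface mode."""
    up = [l for l in links if l.healthy]            # a faulty link is never selected
    if not up:
        return None
    if mode == "priority-of-userdefine":
        # Walk the priority tiers from highest to lowest; a lower tier is used only
        # while every link above it is overloaded (or down).  Spreading by least load
        # inside a tier (e.g. the members of interface group ifgrp1) is an assumption.
        for prio in sorted({l.priority for l in up}, reverse=True):
            tier = [l for l in up if l.priority == prio and not l.overloaded()]
            if tier:
                return min(tier, key=lambda l: l.load_kbps)
        return max(up, key=lambda l: l.priority)    # all overloaded: keep the preferred link
    if mode == "proportion-of-bandwidth":
        share = lambda l: l.bandwidth_kbps
    elif mode == "proportion-of-weight":
        share = lambda l: l.weight
    else:
        raise ValueError(f"unknown mode {mode!r}")
    free = [l for l in up if not l.overloaded()] or up
    # Least load relative to the link's share (assumption): over many flows this
    # converges on the configured ratio, e.g. 1:4 for weights 1 and 4, and new flows
    # spill to the other link once one link crosses its overload threshold.
    return min(free, key=lambda l: l.load_kbps / share(l))


def distribute(links: List[Link], mode: str, flow_sizes_kbps: List[int]) -> Dict[str, int]:
    """Assign a sequence of new flows and report the traffic carried per link."""
    carried = {l.name: 0 for l in links}
    carried["unroutable"] = 0
    for size in flow_sizes_kbps:
        link = pick_link(links, mode)
        if link is None:
            carried["unroutable"] += size
            continue
        link.load_kbps += size
        carried[link.name] += size
    return carried


def standby_down(links: List[Link]) -> List[str]:
    """'standby-interface status down': the lower-priority links that can stay Down
    because a healthy, non-overloaded link of the highest priority carries the traffic."""
    up = [l for l in links if l.healthy]
    if not up:
        return []
    active_prio = max(l.priority for l in up)
    if any(l.priority == active_prio and not l.overloaded() for l in up):
        return [l.name for l in up if l.priority < active_prio]
    return []


if __name__ == "__main__":
    # Load balancing by link weight (weights 1 and 4): 100 flows of 100 kbit/s -> 2000:8000
    weighted = [Link("GE1/0/1", 50000, 90, weight=1), Link("GE1/0/7", 150000, 90, weight=4)]
    print(distribute(weighted, "proportion-of-weight", [100] * 100))
    # Load balancing by link priority: ISP1 (50M, priority 2) is preferred; ISP2 (10M,
    # priority 1) stays Down until ISP1 exceeds 90% of 50M, then takes the overflow.
    prio = [Link("GE1/0/1", 50000, 90, priority=2), Link("GE1/0/7", 10000, 90, priority=1)]
    print(standby_down(prio), distribute(prio, "priority-of-userdefine", [1000] * 50))
    print(standby_down(prio))
```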

9.8 Feature Reference


This section provides reference information about intelligent uplink selection.

9.8.1 Feature History


This section describes the versions and changes in the intelligent uplink selection feature.

Version              Change Description

V100R001C20SPC100    The first version.

10 Router

10.1 Routing Basics


The NGFW generates a routing table based on the IP routing protocol and forwards data packets
according to the routing table.

10.1.1 Overview
A router can run multiple routing protocols. You can manually set the priority of all routes except
direct routes to influence which protocol's route the router selects.

Route and Route Segment

Selecting routes on the Internet requires a router. The router selects a suitable route (through a
network) according to the destination IP address of the received packet and sends the packet to
the next router. The last router on the route sends the packet to the destination host.

The lengths of route segments differ with the size of the networks. Therefore, the number of route
segments crossing different networks can be multiplied by a weighting coefficient, and the number
of weighted route segments is used to measure the length of the path. If a router is regarded as a
node on the network and a route segment on the Internet as a link, route selection on the Internet
is similar to that on a simple network. The route with the minimum number of route segments is
not always optimal. For example, a route passing through three high-speed LAN segments may be
much faster than one passing through two low-speed MAN segments.

Routing Table
The routing table plays a key role in the packet forwarding of a router. Each router has a routing
table. In the table, each routing entry specifies the interface (on the router) through which packets
destined to a subnet or host are sent to the next router on the route, or sent to the destination host
that is directly connected to the network without passing through other routers.

Based on the sources, routes in the routing table are generally classified into the following
categories:

l Routes identified by link-layer protocols (also called interface routes or direct routes).
l Static routes configured by the network administrator manually.
l Routes identified by dynamic routing protocols.

The routing table contains the following key items:

l Destination address: indicates the destination IP address or destination network of an IP
packet.
l Network mask: together with the destination address, identifies the IP address of the
destination host or the network address where the router resides. The IP address of the
destination host or the network address is obtained by performing a logical AND on the
destination address and the network mask. For example, a host or router whose destination
IP address is 10.102.8.10 with the mask 255.255.0.0 is on the network segment 10.102.0.0.
The mask, composed of multiple successive 1s, is expressed either in dotted decimal notation
or as the number of successive 1s.
l Output interface: indicates the interface from which the IP packet is forwarded on the
router.
l Next-hop IP address: indicates the next router through which the IP packet is to pass.
l Priority of the route added to the IP routing table: Multiple routes with different next-hop
IP addresses may reach the same destination. These routes may be learned from different
routing protocols or configured manually as static routes. The optimal route is the one with
the highest priority (the smallest value).

Categories of Routing Protocols


A router supports both static routes and dynamic routing protocols such as RIP, OSPF, IS-IS,
and BGP. Static routes are easy to configure and pose low requirements on the system. They are
applicable to small stable networks with simple topology structures; however, they cannot
automatically adapt to the changes of the network topology and thus require manual intervention.
Dynamic routing protocols have their own routing algorithms to automatically adapt to the
changes of the network topology, and are applicable to the networks with multiple layer-3
devices. However, they are complicated to configure, pose higher requirements on the system
than static routes, and occupy certain network resources.

Dynamic routing protocols can be classified based on the following conditions:

According to the application range, the routing protocols can be divided into the following types:

l Interior Gateway Protocol (IGP): runs inside an AS, such as RIP, OSPF, and IS-IS.
l Exterior Gateway Protocol (EGP): runs between different ASs, such as BGP.

According to the algorithm type, the routing protocols can be divided into the following types:

l Distance-Vector Routing Protocol: includes RIP and BGP (BGP is also called Path-Vector).
l Link-State Routing Protocol: includes OSPF and IS-IS.

The preceding algorithms mainly differ in the methods of route discovery and route calculation.

Route Priority
Different routing protocols (including the static route) can learn different routes to the same
destination, but not all these routes are optimal. At a time, only one routing protocol determines
the optimal route to a destination. To select the optimal route, each of these routing protocols
(including the static route) is configured with priority. When multiple routing information
sources coexist, the route learned by the routing protocol with the highest priority becomes the
optimal route (the smaller the value is, the higher the priority is). Routing protocols and the
default priority of the routes learned by the protocols are shown in Table 10-1.

In Table 10-1, 0 indicates the direct route, and 255 indicates any route learned from unreliable
sources. The smaller the value is, the higher the priority is.

Table 10-1 Routing protocols and their default priority of the routes

Routing Protocol or Route Type    Route Priority
DIRECT                            0
OSPF                              10
IS-IS                             15
STATIC                            60
RIP                               100
OSPF ASE                          150
OSPF NSSA                         150
IBGP                              255
EBGP                              255
UNKNOWN                           255

Except for direct routes, the priority of the routing protocols can be manually configured. In
addition, the priority for each static route can be distinct.

Load Balancing and Route Backup


l Load Balancing
Configure multiple routes to the same destination, and specify the same priority for all
routes to ensure load balancing. This feature is referred to as equal cost multipath (ECMP).

NOTICE
The ECMP routes must be from the same routing protocol. If the routes are learned from
different routing protocols, they cannot become ECMP routes even when their costs are
the same.
The device supports a maximum of 8 equal-cost routes.

l Route Backup
Configure multiple routes to the same destination, and specify different priorities for those
routes to implement route backup. The route with the highest priority serves as the active
route, whereas all the other routes serve as the backup routes.
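The following added Python example (not Huawei's code) applies the rules above to a constructed routing table: the mask is ANDed with the address, the most specific matching prefix wins (standard IP forwarding behaviour, assumed here since the guide does not spell it out), the Table 10-1 priorities select the active route, routes of equal priority from one protocol form an ECMP set of at most 8, and the rest are backups. Next hops and interfaces in the sample table are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Default route priorities from Table 10-1 (the smaller the value, the higher the priority).
DEFAULT_PRIORITY: Dict[str, int] = {
    "DIRECT": 0, "OSPF": 10, "IS-IS": 15, "STATIC": 60, "RIP": 100,
    "OSPF ASE": 150, "OSPF NSSA": 150, "IBGP": 255, "EBGP": 255, "UNKNOWN": 255,
}
MAX_ECMP = 8  # the device supports a maximum of 8 equal-cost routes


@dataclass(frozen=True)
class Route:
    destination: str               # destination network or host, e.g. "10.102.0.0"
    mask: str                      # dotted decimal ("255.255.0.0") or number of leading 1s ("16")
    protocol: str                  # key of DEFAULT_PRIORITY
    next_hop: str
    interface: str                 # output interface
    priority: Optional[int] = None  # manually configured priority (each static route may differ)

    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.IPv4Network(f"{self.destination}/{self.mask}", strict=False)

    def effective_priority(self) -> int:
        # Direct routes keep priority 0; only the other protocols can be tuned manually.
        if self.protocol == "DIRECT" or self.priority is None:
            return DEFAULT_PRIORITY[self.protocol]
        return self.priority


def network_of(ip: str, mask: str) -> str:
    """Logical AND of address and mask: 10.102.8.10 & 255.255.0.0 -> 10.102.0.0."""
    return str(ipaddress.IPv4Network(f"{ip}/{mask}", strict=False).network_address)


def lookup(table: List[Route], dst_ip: str) -> Tuple[List[Route], List[Route]]:
    """Return (active routes, backup routes) for a destination address.

    Active routes are the ECMP set that forwards the packet; backups are the other
    routes to the same prefix that take over if the active ones disappear."""
    addr = ipaddress.IPv4Address(dst_ip)
    matching = [r for r in table if addr in r.network()]
    if not matching:
        return [], []
    longest = max(r.network().prefixlen for r in matching)
    same_prefix = [r for r in matching if r.network().prefixlen == longest]
    best = min(r.effective_priority() for r in same_prefix)
    top = [r for r in same_prefix if r.effective_priority() == best]
    # ECMP members must come from one routing protocol (NOTICE above).  If two protocols
    # happen to share the best priority value, this model keeps the first one listed.
    proto = top[0].protocol
    active = [r for r in top if r.protocol == proto][:MAX_ECMP]
    backup = [r for r in same_prefix if r not in active]
    return active, backup


# Constructed sample table (not from the guide).
SAMPLE_TABLE = [
    Route("0.0.0.0", "0", "STATIC", "1.1.1.254", "GE1/0/1"),
    Route("10.102.0.0", "255.255.0.0", "OSPF", "10.1.1.2", "GE1/0/2"),
    Route("10.102.0.0", "16", "STATIC", "10.1.1.3", "GE1/0/3"),
    Route("10.102.8.0", "24", "RIP", "10.1.1.4", "GE1/0/4"),
    Route("192.168.0.0", "16", "OSPF", "10.2.0.1", "GE1/0/5"),
    Route("192.168.0.0", "16", "OSPF", "10.2.0.2", "GE1/0/6"),
]

if __name__ == "__main__":
    print(network_of("10.102.8.10", "255.255.0.0"))        # 10.102.0.0
    for dst in ("10.102.8.10", "10.102.9.1", "192.168.1.1", "8.8.8.8"):
        active, backup = lookup(SAMPLE_TABLE, dst)
        print(dst, [r.interface for r in active], "backup:", [r.interface for r in backup])
```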

FRR
In Fast ReRoute (FRR), when a fault is detected at the physical or link layer, the forwarding
module rapidly responds to the fault and forwards packets through a backup link. In this manner,
the impact of the link fault on services is minimized.

NOTE
Currently, the device supports only IP FRR, not FRR in the Multiprotocol Label Switching (MPLS)
environment. Unless otherwise specified, FRR refers to IP FRR.

On traditional IP networks, a forwarding device such as a router detects a link fault at the lower
layer, and then the routing module re-selects an available route (route convergence). This takes
one route calculation period (several seconds). Second-level convergence is intolerable for
services that are sensitive to packet loss and delay and results in service interruption. For
example, Voice over IP (VoIP) services tolerate an interruption of only up to about 50 ms. To meet
such requirements, FRR implements millisecond-level switchover, minimizing the impact of
faults.
FRR must interwork with the detection mechanism at the physical or link layer. Currently, the
device supports only interworking with the BFD mechanism.
As shown in Figure 10-1, two links exist between Router_A and Router_B. The active link is
Link_A (Router_A > Router_C > Router_B) and the standby link is Link_B (Router_A >
Router_D > Router_B).
A BFD session is created between Router_A and Router_B. When the active link is faulty, BFD
notifies FRR of the message. Then FRR rapidly switches the traffic to the standby link.

Figure 10-1 FRR application scenarios


[Figure 10-1 shows Router_A and Router_B connected by two links: Link_A through Router_C and Link_B through Router_D, with a BFD session running between Router_A and Router_B.]

10.1.2 Checking the Routing Table Using the Web UI


When the network is disconnected, you can check whether a route to the specified destination
exists in the routing table.

Context
NOTE

You can view only the active routes in the routing table.

Procedure
Step 1 Choose Network > Router > Routing Table.
Step 2 Configure the search conditions.

Figure 10-2 Search conditions

Parameter                     Description

Protocol Type                 Select IPv4 or IPv6 to query IPv4 or IPv6 routes.

Route Type                    l Protocol: Query routes by protocol.
                              l Destination/Mask: Query routes by destination address and mask.

Protocol/Destination (Mask)   Select the protocol type when you query routes by protocol.
                              l All: Query routes of all protocols.
                              l Direct: Query only the direct routes.
                              l Static: Query only the static routes.
                              l UNR: Query only user network routes.
                              l BGP: Query only the BGP routes.
                              l OSPF: Query only the OSPF routes.
                              l RIP: Query only RIP routes.
                              l ISP: Query only ISP (carrier) routes.
                              Enter the destination IP address and mask when you query routes
                              by destination address and mask. If you do not enter a mask, the
                              route to a specific host is displayed.

----End

10.1.3 Route Basic Configuration-CLI


Certain dynamic routing protocols require router IDs. If the router IDs are not specified when
you enable the routing protocols, the default global router ID is employed. In this case, you need
to reset connections to set up the normal neighbor relationship after you specify the router IDs.

10.1.3.1 Configuring the Global Router ID


Certain dynamic routing protocols require router IDs. If the router IDs are not specified when
you enable the routing protocols, the default global router ID is employed. In this case, you need
to reset connections to set up the normal neighbor relationship after you specify the router IDs.

Context
The global router ID to be configured must be different from other router IDs on the network.
Generally, the router ID is set to the IP address of an interface on the router.

Procedure
Step 1 Access the system view.

system-view

Step 2 Configure the global router ID.

router id router-id

By default, the global router ID is not configured.

----End

Follow-up Procedure
Run the display router id command to query the configured router ID.
<NGFW> system-view
[NGFW] router id 192.168.1.205
[NGFW] display router id
RouterID:192.168.1.205

10.1.3.2 Configuring the Load Balancing of Equal-Cost Routes


When multiple links are available for packets destined for the same destination and the routes
over these links have the same priority (equal-cost routes), you can configure load balancing to
forward traffic over the different links.

Prerequisites
You must configure equal-cost routes before configuring equal cost multi-path (ECMP) load
balancing. For details on how to configure static equal-cost routes, see 10.2 IP Static Route.

Context
The NGFW supports:

l Per-flow load balancing
In per-flow load balancing, traffic is distributed flow by flow using either the hash or the
round robin algorithm.
Per-flow load balancing preserves packet order but does not guarantee even bandwidth usage.
– Hash algorithm: The NGFW calculates a hash value based on the source and destination
IP addresses and the source and destination ports of the packet. Packets with the same
hash value are forwarded on the same link.
– Round robin algorithm: The NGFW selects interfaces based on weighted round robin.
The larger the weight is, the more traffic the interface carries.
l Per-packet load balancing
In per-packet load balancing, packets are distributed to different interfaces packet by packet
based on weighted round robin. The larger the weight is, the more traffic the interface carries.
Per-packet load balancing ensures bandwidth utilization efficiency but not packet order, and
the incoming and outgoing paths of a flow may differ.

NOTICE
Load balancing can be implemented only on pure-router networks. In load balancing scenarios,
do not enable functions unrelated to routing, such as packet filtering, NAT, UTM, and user
management.

By default, the NGFW performs per-flow load balancing based on the hash value of the source
and destination IP addresses.

Procedure
l Configure the per-flow load balancing.
1. Access the system view.
system-view
2. Select an algorithm for per-flow load balancing as required (select either of them):
– Select the hash algorithm for link selection.
load-balance multi-interface flow [ hash { destination-ip | destination-port | source-ip | source-port } * ]
– Select the round robin algorithm for link selection.
a. Access the interface view.
interface interface-type interface-number
b. Specify the load balancing weight.
route weight weight-value
The larger the weight is, the heavier the traffic on the interface. By default, the weight value is 1.
l Configure the per-packet load balancing.
1. Access the system view.
system-view
2. Configure per-packet load balancing for forwarding IP packets.
load-balance packet
3. Access the interface view.
interface interface-type interface-number
4. Specify the load balancing weight.
route weight weight-value
The larger the weight is, the heavier the traffic on the interface. By default, the weight value is 1.

----End

10.1.3.3 Configuring the IP-Prefix List

Configuring an IPv4 Prefix List


An IPv4 prefix list is identified by its list name. Each prefix list contains multiple entries. Each
entry independently specifies a matching range in the format of network prefixes, and uses the
index number for identification.

During the matching, the system checks every entry in turn based on the index number in
ascending order. As long as the routing information matches one entry, the filtering list is passed,
and other entries are no longer matched.

Step 1 Access the system view.

system-view

Step 2 Configure an IPv4 prefix list.

ip ip-prefix ip-prefix-name [ index index-number ] { permit | deny } ip-address mask-length [ greater-equal greater-equal-value ] [ less-equal less-equal-value ]

The range of mask length can be specified as mask-length ≤ greater-equal-value ≤ less-equal-value ≤ 32. If you specify only greater-equal, the prefix ranges from greater-equal-value to 32. If you specify only less-equal, the prefix ranges from mask-length to less-equal-value. If you specify neither, only routes whose mask length equals mask-length match the entry.

For example, the following is a prefix list named abcd:
#
ip ip-prefix abcd index 10 permit 10.0.192.0 8
ip ip-prefix abcd index 20 permit 172.17.1.0 24

If all entries are in deny mode, no routes can pass this filtering list. You are advised to define
a permit 0.0.0.0/0 greater-equal 0 less-equal 32 entry after the multiple entries in the deny
mode to allow all the other IPv4 routes to pass the IP-prefix filtering.


NOTE

If you define more than one IP-prefix entry, at least one entry should be in permit mode.

----End

Configuring an IPv6 Prefix List


An IPv6 IP-prefix list is identified by its list name. Each prefix list contains multiple entries.
Each entry independently specifies a matching range in the format of network prefixes, and uses
the index number for identification.

During the matching, the system checks every entry in turn based on the index number in
ascending order. As long as the routing information matches one entry, the filtering list is passed,
and other entries are no longer matched.

Step 1 Access the system view.

system-view

Step 2 Configure an IPv6 prefix list.

ip ipv6-prefix ipv6-prefix-name [ index index-number ] { permit | deny } ipv6-address prefix-length [ greater-equal greater-equal-value ] [ less-equal less-equal-value ]

For example, the following is a prefix list named abcd:
#
ip ipv6-prefix abcd index 10 permit 1:: 64
ip ipv6-prefix abcd index 20 permit 2:: 64

If all entries are in deny mode, no routes can pass this filtering list. You are advised to define
a permit :: 0 less-equal 128 entry after the multiple entries in the deny mode to allow all the
other IPv6 routes to pass the IP-prefix filtering.

NOTE

If you define more than one IPv6 prefix entry, at least one entry should be in permit mode.

----End
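The following Python model is added here as an illustration of the matching rules described for both the IPv4 and the IPv6 prefix lists above; it is not code from the product or from this guide. Entries are tried in ascending index order, the first matching entry decides, the accepted mask-length range follows the greater-equal and less-equal rules, and a route that matches no entry is not passed, which is why a list made only of deny entries passes nothing until a closing permit entry is added. The parser reads the same ip ip-prefix and ip ipv6-prefix command lines shown in the examples; an entry typed without an index is given the previous index plus 10 (the increment the CLI uses by default). The sample routes and the list named blk are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PrefixEntry:
    index: Optional[int]
    action: str                       # "permit" or "deny"
    prefix: str                       # network address as typed, e.g. "10.0.192.0" or "1::"
    mask_length: int
    greater_equal: Optional[int] = None
    less_equal: Optional[int] = None

    def __post_init__(self):
        low = self.greater_equal if self.greater_equal is not None else self.mask_length
        if low < self.mask_length or (self.less_equal is not None and self.less_equal < low):
            raise ValueError("need mask-length <= greater-equal <= less-equal")

    def mask_range(self, max_len: int) -> Tuple[int, int]:
        """Mask lengths the entry accepts: neither keyword -> exactly mask-length;
        only greater-equal -> [greater-equal, max]; only less-equal ->
        [mask-length, less-equal]; both -> [greater-equal, less-equal]."""
        low = self.greater_equal if self.greater_equal is not None else self.mask_length
        if self.less_equal is not None:
            high = self.less_equal
        elif self.greater_equal is not None:
            high = max_len
        else:
            high = self.mask_length
        return low, high

    def matches(self, route) -> bool:
        """route is an ipaddress.IPv4Network or IPv6Network."""
        entry_net = ipaddress.ip_network(f"{self.prefix}/{self.mask_length}", strict=False)
        if route.version != entry_net.version:
            return False
        low, high = self.mask_range(route.max_prefixlen)
        if not low <= route.prefixlen <= high:
            return False
        # The first mask-length bits of the route must equal the entry's prefix.
        return ipaddress.ip_network(f"{route.network_address}/{self.mask_length}",
                                    strict=False) == entry_net


class IpPrefixList:
    """One prefix list: entries are checked in ascending index order; first match wins."""

    def __init__(self, name: str):
        self.name = name
        self.entries: List[PrefixEntry] = []

    def add(self, entry: PrefixEntry) -> None:
        self.entries.append(entry)
        self.entries.sort(key=lambda e: e.index)

    def evaluate(self, route_text: str) -> Tuple[str, Optional[int]]:
        """Returns (result, index of the deciding entry); a route matching no entry
        does not pass, so an all-deny list passes nothing."""
        route = ipaddress.ip_network(route_text, strict=False)
        for entry in self.entries:
            if entry.matches(route):
                return entry.action, entry.index
        return "deny", None


def parse_prefix_command(line: str) -> Tuple[str, PrefixEntry]:
    """Parses 'ip ip-prefix NAME [index N] {permit|deny} ADDRESS LENGTH
    [greater-equal G] [less-equal L]' (or the ipv6-prefix form) into (name, entry)."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "ip" or tok[1] not in ("ip-prefix", "ipv6-prefix"):
        raise ValueError(f"not an ip-prefix command: {line!r}")
    name, i, index = tok[2], 3, None
    if tok[i] == "index":
        index, i = int(tok[i + 1]), i + 2
    action, prefix, mask_length = tok[i], tok[i + 1], int(tok[i + 2])
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit or deny: {line!r}")
    i += 3
    ge = le = None
    while i < len(tok):
        if tok[i] == "greater-equal":
            ge = int(tok[i + 1])
        elif tok[i] == "less-equal":
            le = int(tok[i + 1])
        else:
            raise ValueError(f"unexpected keyword {tok[i]!r}")
        i += 2
    return name, PrefixEntry(index, action, prefix, mask_length, ge, le)


def load_prefix_list(lines: List[str]) -> IpPrefixList:
    """Builds one list from its command lines; a missing index becomes previous + 10."""
    plist = None
    for line in lines:
        name, entry = parse_prefix_command(line)
        if plist is None:
            plist = IpPrefixList(name)
        elif name != plist.name:
            raise ValueError("all lines must belong to the same list")
        if entry.index is None:
            entry.index = (plist.entries[-1].index + 10) if plist.entries else 10
        plist.add(entry)
    return plist


# The lists from the text, plus a constructed deny-only list with and without the closing permit.
IPV4_LINES = ["ip ip-prefix abcd index 10 permit 10.0.192.0 8",
              "ip ip-prefix abcd index 20 permit 172.17.1.0 24"]
IPV6_LINES = ["ip ipv6-prefix abcd index 10 permit 1:: 64",
              "ip ipv6-prefix abcd index 20 permit 2:: 64"]
DENY_ONLY = ["ip ip-prefix blk deny 10.0.0.0 8 less-equal 32"]
DENY_THEN_PERMIT = DENY_ONLY + ["ip ip-prefix blk permit 0.0.0.0 0 less-equal 32"]
```

Note that entry 10 of the IPv4 list abcd, written without greater-equal or less-equal, matches only a route whose mask length is exactly 8: 10.0.0.0/8 passes, but 10.1.1.0/24 falls through to the implicit deny. The constructed blk list shows the trap the NOTE warns about: with the single deny entry, a route such as 192.0.2.0/24 is denied too, and only the closing permit 0.0.0.0 0 less-equal 32 entry lets the other routes pass.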

10.1.3.4 Configuring FRR


This section describes the configuration procedure and precautions of FRR.

Configuring the Backup Outbound Interface


When the link is faulty, FRR rapidly switches the traffic to the backup link. Before you enable
FRR, specify the backup link (that is, backup outbound interface). The next hop is optional:
l For P2P links, the next hop is optionally specified.
l For non-P2P links, the next hop must be specified.


Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
route-policy route-policy-name { permit | deny } node node

The routing policy view is displayed.

Step 3 Optional: Configure the matching conditions of the standby link. For details, see 10.7.2.2
Configuring the If-Match Clause.
Route backup matching conditions consist of a series of if-match commands. If no matching
condition is specified, FRR sets all routes to backup ones. If any matching conditions are
specified, only matched routes serve as backup ones.

Step 4 Run:
apply backup-interface interface-type interface-number

The backup outbound interface is configured.

Step 5 Run:
apply backup-nexthop ip-address

The backup next hop is configured.

----End

Enabling FRR
To protect public network routes, perform configurations in the system view; to protect private
network routes, perform configurations in the VPN instance view. Configurations in the system
view are independent of those in the VPN instance view.

Only one policy can be configured at a time; a new configuration overwrites the previous
one.

When FRR in load balancing mode is enabled and links are normal, traffic is forwarded in load
balancing mode. When one equal-cost link is faulty, traffic is forwarded over the other normal
link.

Step 1 Run:
system-view

The system view is displayed.

Step 2 Run:
ip reroute

FRR in load balancing mode is enabled.

The function is disabled by default.

Step 3 Optional: Run:
ip vpn-instance vpn-instance-name

The VPN instance view is displayed.


Step 4 Run:
ip frr route-policy route-policy-name

FRR is enabled.

The FRR function is disabled by default.

----End

10.1.3.5 Managing the Routing Table


After you configure routes, you can run the display commands to check the configurations. You
can also clear routes or enable debugging if necessary.

Displaying the Routing Table


After configuring routes, you can run the display commands in any view to display and verify
the configuration.

Table 10-2 and Table 10-3 list the commands for displaying the configurations of IP routes.

Table 10-2 Displaying IPv4 routing information

Action: Display the general information about the active routes in the routing table.
Command: display ip routing-table

Action: Display the detailed information about the routing table.
Command: display ip routing-table verbose

Action: Display the routes to the specified destination IP address.
Command: display ip routing-table ip-address [ mask | mask-length ] [ longer-match ] [ verbose ]

Action: Display the routes to the addresses in the specified destination IP address range.
Command: display ip routing-table ip-address1 { mask1 | mask-length1 } ip-address2 { mask2 | mask-length2 } [ verbose ]

Action: Display the routes defined in the specified basic ACL.
Command: display ip routing-table acl acl-number [ verbose ]

Action: Display the routes filtered by the specified prefix list.
Command: display ip routing-table ip-prefix ip-prefix-name [ verbose ]

Action: Display the routes learned using the specified protocol.
Command: display ip routing-table protocol protocol [ inactive | verbose ]

Action: Display the comprehensive information about the routing table.
Command: display ip routing-table statistics

Action: Display the general information about the routing table on a private network.
Command: display ip routing-table vpn-instance vpn-instance-name [ filter-option ]

Action: Display the detailed information about the private network routing table.
Command: display ip routing-table vpn-instance vpn-instance-name [ filter-option ] verbose

Table 10-3 Displaying IPv6 routing information

Action: Display the general information about the active routes in the routing table.
Command: display ipv6 routing-table

Action: Display the detailed information about the routing table.
Command: display ipv6 routing-table verbose

Action: Display the routes to the specified destination IP address.
Command: display ipv6 routing-table ipv6-address prefix-length [ longer-match ] [ verbose ]

Action: Display the routes to the addresses in the specified destination IP address range.
Command: display ipv6 routing-table ipv6-address1 prefix-length ipv6-address2 prefix-length [ verbose ]

Action: Display the routes defined in the specified basic ACL.
Command: display ipv6 routing-table acl acl-number [ verbose ]

Action: Display the routes filtered by the specified prefix list.
Command: display ipv6 routing-table ip-prefix ipv6-prefix-name [ verbose ]

Action: Display the routes learned using the specified protocol.
Command: display ipv6 routing-table protocol protocol [ inactive | verbose ]

Action: Display the comprehensive information about the routing table.
Command: display ipv6 routing-table statistics

Displaying Information About the Routing Management Module


Checking information about the routing management module is also a measure to locate routing
faults. You can run the display commands in any view to display and verify the configurations.

Table 10-4 lists the commands for displaying the information about the routing management
module.


Table 10-4 Displaying information about the routing management module

Action: Display the routing management information about an interface.
Command: display rm interface [ interface-type interface-number ]

Action: Display the IPv6 routing management information about an interface.
Command: display rm ipv6 interface [ interface-type interface-number ]

Action: Display the routing management information about an interface or a VPN instance.
Command: display rm interface [ interface-type interface-number | vpn-instance vpn-instance-name ]

Action: Display the configurations of BFD sessions in routing management information.
Command: display rm bfd-session [ vpn-instance vpn-instance-name ] [ destination destination-address ] [ source source-address ] [ interface interface-type interface-number ] [ protocol ospf ]

Clearing Routes
If you need to manually add a route, perform the following actions to clear the dynamic routes.
Statistics on cleared routes cannot be restored. Exercise caution before you clear any routes.

Table 10-5 lists the commands for clearing routes. Perform these actions in the user view.

Table 10-5 Clearing routes

Action: Clear the dynamic routes from the routing table.
Command: reset ip routing-table [ vpn-instance vpn-instance-name ] { ip-address [ mask | mask-length ] | all }

Action: Clear the statistics in the IPv4 routing table.
Command: reset ip routing-table [ vpn-instance vpn-instance-name ] statistics protocol { all | protocol }

Action: Clear the statistics in the IPv6 routing table.
Command: reset ipv6 routing-table statistics protocol { all | protocol }

Debugging the Routing Management Module


Debugging the routing management module is another measure to locate routing faults. When
the error is not so obvious, this measure provides you with an overall information collection
channel for locating faults.

Before you enable the debugging function, you must run the terminal monitor and terminal
debugging commands in the user view to enable the terminal information display and terminal
debugging information display functions, so that the debugging information can be displayed
on the terminal.


NOTICE
Enabling the debugging function affects the system performance. Therefore, after debugging,
you need to run the undo debugging all command to disable the debugging function.

For details on the debugging commands, refer to the Debugging Reference.

Table 10-6 lists the commands for debugging the routing management module.

Table 10-6 Debugging the routing management module

Action: Enable all the debugging functions for routing management.
Command: debugging rm all

Action: Enable backup debugging for routing management.
Command: debugging rm backup

Action: Enable IPv4 debugging for routing management.
Command: debugging rm ipv4 { im | urt | usr | msr | rcom [ ip-prefix ip-prefix-name ] | rr }

Action: Enable IPv6 debugging for routing management.
Command: debugging rm ipv6 { im | urt | usr | rcom [ ipv6-prefix ipv6-prefix-name ] | rr }

Action: Enable job debugging for routing management.
Command: debugging rm job

Action: Enable routing policy debugging for routing management.
Command: debugging rm policy [ ip-prefix ip-prefix-name ]

Action: Enable system debugging for routing management.
Command: debugging rm system

Action: Enable task debugging for routing management.
Command: debugging rm task

Action: Enable timer debugging for routing management.
Command: debugging rm timer

10.2 IP Static Route

Static routes are mainly applied to simply structured IP networks.

10.2.1 Overview
The static route implements accurate control over route selection on the network. However, once
the network changes or fails, you need to reconfigure the static route manually.


Attribute and Function of the Static Route


On a simple network, static routes are enough to ensure the normal services on the network. The
proper configuration and application of static routes can exactly control the route selection,
improve the network performance, and ensure bandwidths for important applications.

The disadvantage of the static route is that when a fault occurs or the topology is changed on a
network, the static route cannot automatically adapt itself to the change. You must re-configure
the route manually.

The IPv6 static route, similar to the IPv4 static route, needs the administrator's manual
configuration, and applies to certain simply structured IPv6 networks.

The IPv6 static route uses the IPv6 address as the next hop, while the IPv4 static route uses the
IPv4 address as the next hop. In addition, only the IPv4 static route supports the VPN instance.

Default Route
The default route is a special route. You can manually configure the default route, but sometimes,
dynamic routing protocols, such as OSPF and IS-IS, can generate the default route.

The default route is used only when no suitable routing entry is matched. In the routing table,
the destination IP address and subnet mask of the default route are both 0.0.0.0. The destination
IP address of the IPv6 default route is ::/0 (the mask length is 0).

If the destination IP address of a packet cannot match any entry in the routing table, the packet
adopts the default route. If no default route exists and the destination IP address of the packet is
not in the routing table, the NGFW discards the packet, and an ICMP packet is returned to the
source end to report that the destination IP address or network is unroutable.

Outgoing Interface and Next-Hop Address


When configuring a static route, you can specify either interface-type interface-number or next-
hop address. Whether to specify the outgoing interface or the next-hop address depends on the
actual situation.

You must specify next-hop addresses for all routing entries. When sending a packet, the router
first searches the matched route in the routing table based on the destination address. The link
layer can find the corresponding link-layer address and forward the packet only when the next
hop address is specified.

When you specify the outgoing interface, note the following:

l For Point-to-Point (P2P) interfaces, if you specify the outgoing interface, the next-hop
address is also specified. The address of the peer interface connected to this interface is the
next-hop address.
l For the NBMA interface that supports point-to-multipoint networks, you have to not only
configure IP routing but also set up the secondary route at the link layer, that is, the mapping
between the IP address and the link-layer address. In this circumstance, set the next-hop IP
address.
l For the Ethernet interface that functions as a broadcast interface, multiple next hops exist.
Therefore, you have to specify the next-hop IP address.


l For the virtual-template interface that can be associated with multiple Virtual Access
Interface (VAI), multiple next hops exist. Therefore, you have to specify the next-hop IP
address.

10.2.2 Configuring Static Route Using the Web UI


This section describes how to configure IPv4 and IPv6 static routes on the Web UI.

Configuring the Default Priority


The default priority of a static route is 60. You can change the default priority as follows:

Step 1 Choose Network > Router > Static Route.

Step 2 Under Configure Default Priority, enter the default priority for static routes in Default
Priority.

Step 3 Click Apply.

If the priority is updated on the Web UI, the operation succeeds.

----End

Creating a Static Route


Step 1 Choose Network > Router > Static Route.

Step 2 Under Static Route List, click Add.

Step 3 Set the parameters of the static route.

If the new static route is displayed, the operation succeeds.

Parameter: Source Virtual System
Description: Source virtual system.

Parameter: Destination IP address/mask
Description: Destination IP address and mask. The destination IP address can be an IPv4 or IPv6 address. For an IPv4 address, the format is similar to 10.1.1.1/24 or 10.1.1.1/255.255.255.0. For an IPv6 address, the format is similar to 3::3/64.

Parameter: Destination Virtual System
Description: Destination virtual system.

Parameter: Next-hop IP address
Description: Next-hop IP address. You must specify the outgoing interface or the next-hop IP address when you configure a static route. The destination IP address can be an IPv4 or IPv6 address. For an IPv4 address, the format is similar to 10.1.1.1/24 or 10.1.1.1/255.255.255.0. For an IPv6 address, the format is similar to 3::3/64.

Parameter: Outgoing Interface
Description: Name of the outgoing interface. During the configuration of static routes, you can specify the next hop and the outgoing interface or specify either of them based on actual situations.
l For point-to-point interfaces, you can specify either the outgoing interface or the next hop. Specifying an outgoing interface also designates a next-hop address.
l For NBMA, Ethernet, and Virtual-template interfaces, the next hop must be specified.

Parameter: Priority
Description: Priority of static routes. You can configure different priorities for static routes as needed. If multiple routes to the same destination have the same priority, you can load balance the traffic among the routes. If the routes have different priorities, you can implement route redundancy. The configured priority overrides the default route priority.

Monitoring

Parameter: Monitoring
Description: The monitoring function checks whether the link between the device and the destination address is normal and selects links based on the link status to ensure service continuity. To detect the status of the link to a destination address, enable this function.

Parameter: IP Address/Domain Name
Description: Destination IP address or domain name whose mapping link is to be monitored.

Step 4 Click OK.

----End

10.2.3 Configuring Static Route-CLI

10.2.3.1 Configuring an IPv4 Static Route


You can configure a static outbound interface or next-hop address and priority for the IPv4
packet to the destination address to accurately control the IPv4 route selection.

Context
By default, no static IPv4 route is configured.

When configuring an IPv4 unicast static route, note the following:


l When both the destination IP address and the mask are set to 0.0.0.0, the route is a default
route.
l During the configuration of static routes, you can specify the next hop and the outgoing
interface or specify either of them based on actual situations.
– For point-to-point interfaces, you can specify either the outgoing interface or the next
hop.
– For NBMA, Ethernet, and Virtual-template interfaces, the next hop must be specified.
You can set different priority levels for the static routes. This enables you to apply the routing
policies flexibly.
l Configure multiple routes to the same destination and specify the same priority for all routes
to implement load balancing. This feature is referred to as equal cost multipath (ECMP).
l Configure multiple routes to the same destination and specify different priorities for those
routes to implement route backup. The route with the highest priority serves as the active
route, whereas all the other routes serve as the backup routes.

Procedure
Step 1 Access the system view.
system-view

Step 2 Optional: Set the default priority for the static route.
ip route-static default-preference preference
By default, the priority of the static route is 60.
If you do not specify the priority, the static route uses the default priority. The reset default
priority is valid for only new IPv4 static routes.

Step 3 Configure the IPv4 static route.
ip route-static ip-address { mask | mask-length } { nexthop-address | interface-type interface-number [ nexthop-address ] | vpn-instance vpn-instance-name nexthop-address } [ preference preference ] [ track ip-link link-id ] [ track bfd-session cfg-name ] [ description description ]
ip route-static vpn-instance source-vpn-name destination-ip-address { mask | mask-length } { nexthop-address [ public ] | interface-type interface-number [ nexthop-address ] | vpn-instance destination-vpn-name nexthop-address } [ preference preference ] [ track ip-link link-id ] [ track bfd-session cfg-name ] [ description text ]
track ip-link link-id: binds the configured IP-link items to specific static routes.
track bfd-session cfg-name: configures BFD to interwork with a static route and binds a BFD
session to the static route. This helps detect link status and provides a detection mechanism for
static routes.

----End

10.2.3.2 Configuring an IPv6 Static Route


You can configure a static outgoing interface or the next-hop address and priority for the IPv6
packet to the destination address to accurately control the IPv6 route selection.


Prerequisites
Before you configure an IPv6 static route, complete the following tasks:

l Set the parameters and IPv6 addresses of link-layer protocols for the interface and change
the status of the link protocol to Up.
l Add the related interfaces to security zones and configure the interzone packet-filtering
rules.

Context
To configure an IPv6 static route, note the following:

l Outgoing interface and next-hop address


During the configuration of static routes, you can specify the next hop and the outgoing
interface or specify either of them based on actual situations.
– For point-to-point interfaces, you can specify either the outgoing interface or the next
hop.
– For NBMA, Ethernet, and Virtual-template interfaces, the next hop must be specified.
l Other attributes
You can set different priority levels for the static routes. This enables you to apply the
routing policies flexibly.
– If you configure the same priority for multiple routes to the same destination, load
balancing is implemented.
– If you configure different priorities for multiple routes to the same destination, route
backup is implemented.
– If you set the destination IP address and the mask to all 0s (::/0), the configured route
is a default route.

Procedure
Step 1 Access the system view.

system-view

Step 2 Configure an IPv6 static route.

ipv6 route-static ipv6-address prefix-length { interface-type interface-number | nexthop-address } [ preference preference ] [ description text ]

When configuring a static route, you can specify the outgoing interface or next-hop address
based on the actual condition.

l If the outgoing interface is a PPP interface, specify the outgoing interface only.
l If the outgoing interface is a broadcast interface, you must specify the next-hop address.

If you do not specify parameter preference, the default priority of the static route is 60.

By default, no IPv6 static route is configured.

----End


10.2.3.3 Checking Static Route Configuration


After configuring a static route, you can run the display commands in any view to view and
verify the related configuration.

Table 10-7 shows the commands for checking the static route configuration.

Table 10-7 Checking the IPv4 and IPv6 static route information

Action: Check the configuration script.
Command: display current-configuration

Action: Check the abstract of the IPv4 routing table.
Command: display ip routing-table

Action: Check the details on the IPv4 routing table.
Command: display ip routing-table verbose

Action: Check the abstract of the IPv6 routing table.
Command: display ipv6 routing-table

Action: Check the details on the IPv6 routing table.
Command: display ipv6 routing-table verbose

10.2.4 Example: Configuring IPv4 Static Route


This example describes how to configure the default gateway on hosts on a small IPv4 network
and how to configure the default route and static routes on the NGFW.

Networking Requirements
Figure 10-3 shows the IP addresses and masks of each NGFW interface and host. Static routes
must be configured to ensure the communication between any two hosts.


Figure 10-3 Configuring static routes on an IPv4 network

[Figure: PC1 (10.1.1.2/24) connects to GE1/0/2 (10.1.1.1/24) of NGFW_A; GE1/0/1 (10.1.5.1/24) of NGFW_A connects to GE1/0/1 (10.1.5.2/24) of NGFW_B; PC2 (10.1.2.2/24) connects to GE1/0/3 (10.1.2.1/24) of NGFW_B; GE1/0/2 (10.1.4.5/30) of NGFW_B connects to GE1/0/1 (10.1.4.6/30) of NGFW_C; PC3 (10.1.3.2/24) connects to GE1/0/2 (10.1.3.1/24) of NGFW_C.]

Item: NGFW_A
Data:
Interface: GigabitEthernet 1/0/1
IP address: 10.1.5.1/24
Security zone: Trust
Interface: GigabitEthernet 1/0/2
IP address: 10.1.1.1/24
Security zone: Trust

Item: NGFW_B
Data:
Interface: GigabitEthernet 1/0/1
IP address: 10.1.5.2/24
Security zone: Trust
Interface: GigabitEthernet 1/0/2
IP address: 10.1.4.5/30
Security zone: Trust
Interface: GigabitEthernet 1/0/3
IP address: 10.1.2.1/24
Security zone: Trust

Item: NGFW_C
Data:
Interface: GigabitEthernet 1/0/1
IP address: 10.1.4.6/30
Security zone: Trust
Interface: GigabitEthernet 1/0/2
IP address: 10.1.3.1/24
Security zone: Trust

Configuration Roadmap
Perform the following procedures to configure IPv4 static routes:

1. Specify interface addresses for the NGFWs.
2. Configure the default route and static routes on the NGFW.
3. Configure the default gateway on the hosts.

Procedure
l Configure NGFW_A.
1. Complete interface settings, such as IP address and security zone.
a. Choose Network > Interface.
b. Click the edit icon of GigabitEthernet1/0/1 and set the following parameters:
Zone: trust
IPv4 IP Address: 10.1.5.1/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GigabitEthernet1/0/2.
Zone: trust
IPv4 IP Address: 10.1.1.1/24
2. Configure the default IPv4 route.
a. Choose Network > Router > Static Route.
b. Click Add and set the parameters as follows:
Destination IP address/mask: 0.0.0.0/0.0.0.0
Next-hop: 10.1.5.2
c. Click OK.
l Configure NGFW_B.
1. Complete interface settings, such as IP address and security zone.
a. Choose Network > Interface.
b. Click the edit icon of GigabitEthernet1/0/1 and set the following parameters:
Zone: trust
IPv4 IP Address: 10.1.5.2/24
c. Click OK.
d. Repeat the preceding steps to set the parameters of GigabitEthernet1/0/2.
Zone: trust
IPv4 IP Address: 10.1.4.5/30
e. Repeat the preceding steps to set the parameters of GigabitEthernet1/0/3.
Zone: trust
IPv4 IP Address: 10.1.2.1/24
2. Configure the static IPv4 routes.
a. Choose Network > Router > Static Route.
b. Click Add and set the parameters as follows:
Destination IP address/mask: 10.1.1.0/24
Next-hop: 10.1.5.1
c. Click OK.
d. Click Add and set the parameters as follows:
Destination IP address/mask: 10.1.3.0/24
Next-hop: 10.1.4.6
e. Click OK.
l Configure NGFW_C.
1. Complete interface settings, such as IP address and security zone.
a. Choose Network > Interface.
b. Click the edit icon of GigabitEthernet1/0/1 and set the following parameters:
Zone: trust
IPv4 IP Address: 10.1.4.6/30
c. Click OK.
d. Repeat the preceding steps to set the parameters of GigabitEthernet1/0/2.
Zone: trust
IPv4 IP Address: 10.1.3.1/24
2. Configure the default IPv4 route.
a. Choose Network > Router > Static Route.
b. Click Add and set the parameters as follows:
Destination IP address/mask: 0.0.0.0/0.0.0.0
Next-hop: 10.1.4.5
c. Click OK.
l Configure hosts.
Set the default gateway to 10.1.1.1 for PC1, 10.1.2.1 for PC2, and 10.1.3.1 for PC3.
l Verify the configuration.

# Run the ping command to check the IP connectivity.


[NGFW_A] ping 10.1.3.1
PING 10.1.3.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.3.1: bytes=56 Sequence=1 ttl=254 time=62 ms
Reply from 10.1.3.1: bytes=56 Sequence=2 ttl=254 time=63 ms
Reply from 10.1.3.1: bytes=56 Sequence=3 ttl=254 time=63 ms
Reply from 10.1.3.1: bytes=56 Sequence=4 ttl=254 time=62 ms
Reply from 10.1.3.1: bytes=56 Sequence=5 ttl=254 time=62 ms
--- 10.1.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/62/63 ms


# Run the tracert command to check the IP connectivity.


[NGFW_A] tracert 10.1.3.1
traceroute to 10.1.3.1(10.1.3.1), max hops: 30 ,packet length: 40
1 10.1.5.2 31 ms 32 ms 31 ms
2 10.1.4.6 62 ms 63 ms 62 ms

----End

10.2.5 Feature History


This section describes the versions and changes in the static route feature.

Version: V100R001C00
Change Description: The first version.

10.3 RIP
This section describes Routing Information Protocol (RIP) concepts and how to configure
RIP, as well as provides configuration examples.

10.3.1 Overview
The Routing Information Protocol (RIP) applies to small and simply structured networks. RIP
is a routing protocol based on the distance vector and uses hop counts to measure distances to
destinations. There are two RIP versions: RIP-1 and RIP-2.

Definition
RIP is a simple Interior Gateway Protocol (IGP) and works based on the Distance-Vector (DV)
algorithm. It exchanges routing information using User Datagram Protocol (UDP) packets. RIP
uses port 520.

To prevent routing loops:


l RIP uses the hop count (HC) to measure distances to destinations. The distance is called
the metric value. RIP defines the default HC from a router to its directly connected
network as 0, the HC from a router to a network reachable through one other router as 1,
and so on. The HC is therefore equal to the number of routers passed from the local
network to the destination network. To speed up route convergence, RIP defines the HC
as an integer that ranges from 0 to 15. An HC of 16 or greater is defined as infinity,
which indicates that the destination network or host is unreachable. RIP therefore does
not apply to large networks.
l RIP supports split horizon and poison reverse.

Purpose
As one of the earliest IGPs, RIP is used in small and simply structured networks such as campus
networks and regional networks. Unlike static routes, RIP automatically adapts to network
topology changes.


Implementing RIP is simple. Configuring and maintaining RIP are easier than the Open Shortest
Path First (OSPF) and Intermediate System-to-Intermediate System (IS-IS) protocols.
Therefore, RIP is widely used.

10.3.2 Mechanism
This section describes the RIP mechanism.

Routing Database of RIP


Each router that runs RIP manages a routing database. The routing database includes all routing
entries to all the reachable destinations in a network. The entry contains the following
information:

l Destination address: indicates the IP address of a host or a network.


l Next hop address: indicates the interface IP address of the neighboring router through which
RIP packets reach the destination.
l Interface: indicates the interface through which the packet is forwarded.
l Metric value: indicates the cost of the route from the local router to the destination. The
cost is an integer that ranges from 0 to 15.
l Timer: indicates the time interval since the entry was last updated. The timer is reset to 0
when a routing entry is updated.
l Route flag: indicates a tag that is used to distinguish routes of internal routing protocols
from those of external routing protocols.

RIP Timers
RIP is controlled by the following timers:

l Update timer: triggers the sending of Update packets periodically.


l Age timer: If a RIP router does not receive any Update packet from its neighbor in the aging
time, the router considers the route to the destination as unreachable.
l Garbage-Collect timer: If the route is no longer valid after the timer times out, the entry is
removed from the RIP routing table.

Table 10-8 Relationship between timers

Name of Timer - Timeout Period

Update: Routers send Update packets every 30 seconds.

Age: During the aging time, routers keep sending Update packets even if they receive no
routing update. When the age timer has expired but the garbage-collect timer has not, the
router sends an Update packet with a metric of 16 for the route every 30 seconds.

Garbage-Collect: After the garbage-collect timer expires, the entry is removed from the
routing table.
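The three timers in Table 10-8 drive a per-route state machine. The following Python simulation is an added example, not part of the guide; it uses the default timer values shown by display rip later in this chapter (Update 30 s, Age 180 s, Garbage-collect 120 s) and a constructed route 10.1.3.0/24 via 10.1.4.6 whose neighbor stops sending updates after 90 s.

```python
"""Lifecycle of one RIP route under the update, age and garbage-collect timers (added example)."""
UPDATE_TIME = 30             # seconds between periodic Update packets
AGE_TIME = 180               # no Update for this long -> route becomes unreachable
GARBAGE_COLLECT_TIME = 120   # unreachable route is kept (and advertised as 16) this long
INFINITY = 16


class RipRoute:
    """One entry of the RIP routing database, including the Timer field the guide lists."""

    def __init__(self, prefix: str, nexthop: str, metric: int, learned_at: int):
        self.prefix = prefix
        self.nexthop = nexthop
        self.metric = metric
        self.last_update = learned_at  # the entry's timer: time of the last update

    def refresh(self, metric: int, now: int) -> None:
        """An Update packet for this route arrived from the neighbour: timer reset to 0."""
        self.metric = metric
        self.last_update = now

    def state(self, now: int) -> str:
        """Phase of the entry at time `now` (flags A and G of display rip route)."""
        age = now - self.last_update
        if age < AGE_TIME:
            return "valid"             # A: aging timer running, route reachable
        if age < AGE_TIME + GARBAGE_COLLECT_TIME:
            return "garbage-collect"   # G: age timer expired, garbage-collect running
        return "removed"               # garbage-collect expired, entry deleted

    def advertised_metric(self, now: int):
        """Metric this router puts in its own periodic Update for the route at `now`:
        16 while the garbage-collect timer runs, None once the entry is removed."""
        phase = self.state(now)
        if phase == "valid":
            return self.metric
        if phase == "garbage-collect":
            return INFINITY
        return None


def simulate(refreshes: dict, horizon: int) -> list:
    """Learn a constructed route (10.1.3.0/24 via 10.1.4.6, metric 1) at time 0, apply
    the neighbour's refreshes {time: metric}, and report (time, state, advertised
    metric) at every periodic Update time up to `horizon`."""
    route = RipRoute("10.1.3.0/24", "10.1.4.6", 1, learned_at=0)
    pending = sorted(refreshes.items())
    timeline = []
    for now in range(0, horizon + 1, UPDATE_TIME):
        while pending and pending[0][0] <= now:
            at, metric = pending.pop(0)
            route.refresh(metric, at)
        timeline.append((now, route.state(now), route.advertised_metric(now)))
    return timeline


if __name__ == "__main__":
    # The neighbour sends three periodic updates and then falls silent (link fault).
    for now, phase, metric in simulate({30: 1, 60: 1, 90: 1}, horizon=420):
        print(f"t={now:3}s  {phase:15}  advertised metric: {metric}")
```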


RIP Operation and Route Calculation


Operating Process of RIP

1. After RIP is enabled on a router, the router sends request messages to the neighboring
router.
l If RIP is configured as RIP-2, the router sends request messages to the multicast address
224.0.0.9.
l If RIP is configured as RIP-1, the router sends request messages to the broadcast address.
The export policy for RIP routes on the sending interface is as follows:
– If the address of the route to be advertised and the IP address of the interface are in
the same major network segment and their masks have the same length, the route is
advertised with that mask length; if their masks have different lengths, the route is
advertised with the mask length of the major network segment.
– If the address of the route and the IP address of the sending interface are not in the
same major network segment, the route is advertised with the aggregated major
network segment mask of the route.
2. After the neighboring RIP router receives the request message, it sends a response message
that carries the information in its local routing table. At the same time, the router starts
calculating routes.
If RIP is configured as RIP-1, the route is filtered according to the following import policy
on the receiving interface:
l The received route is compared with the mask on the interface. If the address of the
received route and the IP address of the interface are in the same major network segment,
the route is received with the mask on the interface. If they are not in the same natural
network segment, the route is received with the major network segment mask of the route.
l If a directly connected subnet route of the same network segment exists in the routing
table of the local router, the route is received; otherwise, the route is rejected.
3. The router modifies its local routing table after it receives the response message from its
neighbor.
If RIP is configured as RIP-1, the mask of the route can be seen in the following case.
Figure 10-4 shows the networking diagram of RIP-1.


Figure 10-4 Networking diagram of RIP-1 (RouterA GE1/0/1 10.1.1.1/24 and RouterB GE1/0/1
10.1.1.2/24 on a shared link; subnets 10.2.1.0/24, 10.2.2.0/24, and 10.3.1.0/24)

RouterA and RouterB run RIP-1. The RIP-1 packet does not carry the mask. Therefore,
only through the address of the outgoing interface can RouterA and RouterB obtain the
mask of the route to be sent. The routing table of RouterB, however, is as follows:
<RouterB> display rip 1 route
Route Flags: R - RIP, T - TRIP
P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------------------
Peer 10.1.1.1 on GigabitEthernet1/0/1
Destination/Mask Nexthop Cost Tag Flags Sec
10.0.0.0/8 10.1.1.1 1 0 RA 12
10.2.1.0/24 10.1.1.1 1 0 RA 12
10.3.1.0/24 10.1.1.1 1 0 RA 12

In the routing table of RouterB, 10.2.1.0/24 and 10.3.1.0/24 are subnet addresses with
masks; therefore, the route is not advertised according to the natural network segment
10.0.0.0/8.
This is because the mask of GigabitEthernet1/0/1 on RouterA is 24. The mask of the
network segment to which the route is sent is also 24. The route and the network segment
belong to the same natural network segment (10.0.0.0). Therefore, the route is advertised
with the mask.
If RouterA and RouterB are configured with RIP-2, view the routing table of RouterB as
below:
<RouterB> display rip 1 route
Route Flags: R - RIP, T - TRIP
P - Permanent, A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------------------
Peer 10.1.1.1 on GigabitEthernet1/0/1
Destination/Mask Nexthop Cost Tag Flags Sec
10.2.1.0/24 10.1.1.1 1 0 RA 26
10.3.1.0/24 10.1.1.1 1 0 RA 26
10.2.2.0/24 10.1.1.1 1 0 RA 26

As shown in the preceding display, all entries have masks. This is because RIP-2 packets
carry the mask information.
Process of RIP Route Calculation
After a router receives a response packet, the router modifies its local routing table, and then
sends a triggered update to its neighboring routers to broadcast the updated routing information.


After the neighboring routers receive the triggered update, they send the triggered update to their
own neighbors. After a series of triggered updates are broadcast, each router can obtain and
keep the latest routing information.
RIP processes the routes that time out by using the aging mechanism to ensure the validity of
routes. The local RIP router, therefore, advertises the local routing table to its neighboring routers
periodically. After receiving Update packets, the neighboring routers update their local routing
tables. All RIP routers repeat this process.

Sending RIP Request and Response Messages


The versions of the request packets and response packets vary with the configured RIP version.
l If the RIP version is RIP-1, only RIP-1 broadcast packets are sent and only the RIP-1
broadcast packets are received.
l If the RIP version is RIP-2, the multicast RIP-2 packets are sent and received by default.
l If the RIP version is RIP-2 (broadcast mode), only RIP-2 packets are broadcast, and both
RIP-1 and RIP-2 packets are received.

RIP Packet Authentication


The process of authenticating RIP packets is as follows:
l If the router is not configured with RIP-2 packet authentication:
– RIP-1 packets and unauthenticated RIP-2 packets are received.
– Authenticated RIP-2 packets are discarded.
l If the router is configured with RIP-2 packet authentication:
– RIP-2 packets that pass the authentication are received.
– RIP-2 packets that carry no authentication, or that fail authentication, are discarded.
NOTE

In RFC 2453, only plain-text authentication is defined. For details of MD5 authentication, refer to
RFC 2082 "RIP-2 MD5 Authentication".

Split horizon
The principle of split horizon is that a route learnt by RIP on an interface is not sent to neighbors
from the interface. This reduces bandwidth consumption and avoids route loops.
As shown in Figure 10-5, RouterB sends a route to 10.0.0.0 to RouterA and RouterA does not
send the route back to RouterB.

Figure 10-5 Schematic diagram of split horizon (RouterA and RouterB exchanging the route to
10.0.0.0)


Poison Reverse
The principle of poison reverse is that RIP sets the cost of the route learnt from an interface of
a neighbor to 16 (specifying the route as unreachable) and then sends the route from the interface
back to the neighbor. In this way, RIP can delete useless routes from the routing table of the
neighbor.

Poison reverse of RIP can also avoid route loops.

Figure 10-6 Schematic diagram of poison reverse (RouterA, RouterB, and network 10.0.0.0/16)

As shown in Figure 10-6, if poison reverse is not configured, RouterB sends RouterA a route
that it learnt from RouterA, and the cost of the route from RouterA to network 10.0.0.0 is 1. If
the route from RouterA to network 10.0.0.0 becomes unreachable and RouterB keeps sending
RouterA routes to network 10.0.0.0 because RouterB fails to receive the route update packet
from RouterA, a route loop forms.

If RouterA sends RouterB a message that the route is unreachable after receiving a route from
RouterB, RouterB no longer learns the reachable route from RouterA, thus avoiding route loops.

If both poison reverse and split horizon are configured, simple split horizon (the route learnt
from an interface is not sent back through the interface) is replaced by poison reverse.
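To make the difference between the two mechanisms concrete, here is an added Python example (not from the guide) that builds the Update an interface sends under no anti-loop mechanism, split horizon, or poison reverse, and replays the Figure 10-6 scenario; the routing table, interface names and prefixes are constructed for the example.

```python
"""Split horizon and poison reverse in RIP updates (added example)."""
INFINITY = 16  # hop count that means "unreachable"

# Constructed routing table of one router. Each entry records the interface the
# route was learned on; None marks a directly connected network (hop count 0).
ROUTING_TABLE = {
    "10.1.0.0/16": {"metric": 0, "learned_on": None},
    "10.2.0.0/16": {"metric": 0, "learned_on": None},
    "10.3.0.0/16": {"metric": 1, "learned_on": "GE1/0/1"},
    "10.4.0.0/16": {"metric": 2, "learned_on": "GE1/0/2"},
}


def build_update(table: dict, out_iface: str, mode: str = "none") -> dict:
    """Routes advertised out of `out_iface` as {prefix: metric}.
    "none": every route is sent, including back out of the interface it was
            learned on, which is what lets the loop in Figure 10-6 form;
    "split-horizon": routes learned on `out_iface` are not sent out of it;
    "poison-reverse": they are sent, but with metric 16 (unreachable); when
            both are configured, poison reverse replaces split horizon."""
    update = {}
    for prefix, entry in table.items():
        metric = min(entry["metric"], INFINITY)
        if entry["learned_on"] == out_iface:
            if mode == "split-horizon":
                continue
            if mode == "poison-reverse":
                metric = INFINITY
        update[prefix] = metric
    return update


def process_update(table: dict, update: dict, in_iface: str) -> list:
    """Apply a neighbour's update received on `in_iface`, adding one hop for the
    router crossed and treating 16 as unreachable. Returns the prefixes whose
    entries changed, which is what drives a triggered update."""
    changed = []
    for prefix, metric in update.items():
        new_metric = min(metric + 1, INFINITY)
        current = table.get(prefix)
        if current is None:
            if new_metric < INFINITY:
                table[prefix] = {"metric": new_metric, "learned_on": in_iface}
                changed.append(prefix)
        elif current["learned_on"] == in_iface:
            # Same neighbour as before: take its new metric, even 16 (route withdrawal).
            if current["metric"] != new_metric:
                current["metric"] = new_metric
                changed.append(prefix)
        elif new_metric < current["metric"]:
            table[prefix] = {"metric": new_metric, "learned_on": in_iface}
            changed.append(prefix)
    return changed


def loop_forms(mode: str) -> bool:
    """Figure 10-6 replayed: RouterB learned 10.0.0.0/16 from RouterA on GE1/0/1,
    then RouterA lost the network. Does RouterB's next update make RouterA
    install a route to 10.0.0.0/16 that points back at RouterB?"""
    router_b = {"10.0.0.0/16": {"metric": 1, "learned_on": "GE1/0/1"}}
    router_a = {}  # RouterA's own route to 10.0.0.0/16 is gone
    process_update(router_a, build_update(router_b, "GE1/0/1", mode), "GE1/0/1")
    return "10.0.0.0/16" in router_a


if __name__ == "__main__":
    for mode in ("none", "split-horizon", "poison-reverse"):
        print(f"{mode:15} update out of GE1/0/1: {build_update(ROUTING_TABLE, 'GE1/0/1', mode)}")
        print(f"{mode:15} loop forms in the Figure 10-6 scenario: {loop_forms(mode)}")
```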

Triggered Update
Triggered update occurs when the local routing information changes and the local router
immediately notifies its neighbors of the changes of routing information by sending the triggered
update packet.

Triggered update shortens the network convergence time. When the local routing information
changes, the local router immediately notifies its neighbors of the changes of routing information
rather than waiting for periodical update.


Figure 10-7 Schematic diagram of triggered update

As shown in Figure 10-7, when network 10.4.0.0 becomes unreachable, RouterC learns this
first. Usually, the route update message is sent to neighbors every 30s. If RouterB's update
message reaches RouterC while RouterC is still waiting for its own update interval, RouterC
learns the faulty route to network 10.4.0.0 from RouterB. In this case, the routes from RouterB
and RouterC to network 10.4.0.0 point to RouterC and RouterB respectively, forming a route
loop. If RouterC detects the network fault and immediately sends a route update message to
RouterB before the next update interval arrives, the routing table of RouterB is updated in time
and the routing loop is avoided.

There is another trigger for updates: the next hop of a route becomes unavailable because the
link is faulty. The local router then needs to notify its neighboring routers that the route is
unreachable. This is done by setting the cost of the route to 16 and advertising the route, and is
also called route withdrawal.

Route Aggregation
When different subnet routes in the same natural network segment are transmitted to other
network segments, these routes are aggregated into one route of the same segment. This process
is called route aggregation. RIP-1 packets do not carry mask information, so RIP-1 can advertise
only the routes with natural masks. RIP-2 packets carry mask information, so RIP-2 supports
subnetting.

RIP-2 route aggregation improves scalability and efficiency and reduces the size of the routing
table in a large-scale network.

Route aggregation is classified into two types as follows:


l Classful aggregation based on RIP processes:
Aggregated routes are advertised with natural masks. When split horizon or poison reverse
is configured, classful aggregation becomes invalid for the following reason: split horizon
and poison reverse suppress routes to be advertised, and when classful aggregation is
configured, an aggregated route may be the aggregation result of routes from different
interfaces. As a result, a conflict occurs when the aggregated route is advertised.
For example, route 10.1.1.0/24 (metric=2) and route 10.2.2.0/24 (metric=3) are
aggregated into one route 10.0.0.0/8 (metric=2) for the natural network segment.
RIP-2 aggregation is classful, so the optimal metric is kept.
l Interface-based aggregation:
A user can specify an aggregation address.
For example, route 10.1.1.0/24 (metric=2) and route 10.2.2.0/24 (metric=3) are
aggregated into one route 10.0.0.0/16 (metric=2).
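The RIP-1 mask rules of section 10.3.2 and the classful aggregation described above can be worked through in code. The following Python example is added here and is not the guide's or Huawei's code; it reuses RouterA's GE1/0/1 address 10.1.1.1/24 from Figure 10-4 and adds constructed routes (a /30 and two 172.16.x.0/24 routes) to show the mask-collapsing and best-metric cases.

```python
"""RIP-1 mask handling and classful route aggregation (added example)."""
import ipaddress

INFINITY = 16  # a hop count of 16 or more means the destination is unreachable


def natural_prefixlen(addr: str) -> int:
    """Natural (classful) mask length of an IPv4 address, using the natural network
    segments RIP supports: 1-126 -> /8, 128-191 -> /16, 192-223 -> /24."""
    first = int(addr.split(".")[0])
    if 1 <= first <= 126:
        return 8
    if 128 <= first <= 191:
        return 16
    if 192 <= first <= 223:
        return 24
    raise ValueError(f"{addr} is outside the natural network segments RIP supports")


def major_network(addr: str) -> ipaddress.IPv4Network:
    """Natural network segment containing addr, e.g. 10.1.1.1 -> 10.0.0.0/8."""
    return ipaddress.ip_network((addr, natural_prefixlen(addr)), strict=False)


def rip1_export_prefix(route: str, iface: str) -> str:
    """Prefix a RIP-1 sender advertises for `route` out of interface `iface`
    (address/mask string), following the export policy in section 10.3.2:
    - same major network as the interface, same mask length: mask kept;
    - same major network, different mask length: major network's natural mask;
    - different major network: the route's own natural (aggregated) mask."""
    net = ipaddress.ip_network(route, strict=False)
    ifc = ipaddress.ip_interface(iface)
    route_major = major_network(str(net.network_address))
    same_major = route_major == major_network(str(ifc.ip))
    if same_major and net.prefixlen == ifc.network.prefixlen:
        return str(net)
    return str(route_major)


def build_rip1_update(routes: dict, iface: str) -> dict:
    """Entries advertised out of `iface` as {prefix: metric}. Routes that collapse
    onto the same natural network are aggregated and the lowest metric is kept,
    which is the classful aggregation behaviour described in section 10.3.2."""
    update = {}
    for route, metric in routes.items():
        prefix = rip1_export_prefix(route, iface)
        update[prefix] = min(metric, update.get(prefix, INFINITY))
    return update


def rip1_import(dest: str, iface: str, connected: list):
    """Prefix a RIP-1 receiver assigns to destination address `dest` (RIP-1 packets
    carry no mask) learned on `iface`, following the import policy in section
    10.3.2. `connected` lists the receiver's directly connected subnets.
    Returns None when the route is rejected."""
    ifc = ipaddress.ip_interface(iface)
    dest_major = major_network(dest)
    if dest_major != major_network(str(ifc.ip)):
        # Different major network: the route can only be the aggregated natural route.
        return str(dest_major)
    if ipaddress.ip_address(dest) == dest_major.network_address:
        # Assumption made here: an address whose bits beyond the natural mask are all
        # zero names the whole natural network (the 10.0.0.0/8 entry in RouterB's table).
        return str(dest_major)
    # Same major network: apply the receiving interface's mask, but only if a
    # directly connected subnet of that network segment exists on this router.
    if not any(major_network(c.split("/")[0]) == dest_major for c in connected):
        return None
    return str(ipaddress.ip_network((dest, ifc.network.prefixlen), strict=False))


if __name__ == "__main__":
    # Constructed scenario around Figure 10-4: RouterA's GE1/0/1 is 10.1.1.1/24.
    # The /30 and 172.16.x.0 routes are added to show the collapsing cases.
    router_a_routes = {
        "10.2.1.0/24": 1,
        "10.3.1.0/24": 1,
        "10.9.9.0/30": 2,     # same major network, other mask length -> 10.0.0.0/8
        "172.16.1.0/24": 2,   # other major network -> 172.16.0.0/16
        "172.16.5.0/24": 3,   # aggregated with the route above; metric 2 is kept
    }
    update = build_rip1_update(router_a_routes, "10.1.1.1/24")
    for prefix, metric in sorted(update.items()):
        print(f"RouterA advertises {prefix:16} metric {metric}")
    # RouterB (10.1.1.2/24) sees only the addresses and reconstructs the masks.
    for prefix in sorted(update):
        addr = prefix.split("/")[0]
        learned = rip1_import(addr, "10.1.1.2/24", ["10.1.1.0/24"])
        print(f"RouterB installs {addr:12} as {learned}")
```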

Multi-process and Multi-instance


For easy management and effective control, RIP supports multi-process and multi-instance. The
multi-process feature allows a set of interfaces to be associated with a specific RIP process. This
ensures that the specific RIP process performs all the protocol operations only on this set of
interfaces. Thus, multiple RIP processes can work on a single router and each process is
responsible for a unique set of interfaces. In addition, the routing data is independent between
RIP processes; however, routes can be imported between processes.

For the routers that support the VPN, each RIP process is associated with a specific VPN instance.
In this case, all the interfaces attached to the RIP process should be associated with the RIP-
process-related VPN instance.

10.3.3 RIP Configuration Using the Web UI


This section describes how to use the Web UI to configure RIP.

Creating a RIP Process


Step 1 Choose Router > RIP.

Step 2 Click Add.

Step 3 Enter or select the parameters.

Parameter: Description

Process ID: The system supports RIP multi-process. If multiple RIP processes are enabled
on one device, different process IDs need to be specified. A RIP process ID is a local
concept. Devices with different process IDs can still exchange packets.

Version: Indicates the RIP version number.

Default Cost: Indicates the cost of running the RIP protocol.

Balanced Paths: Indicates the maximum number of equal-cost routes.


Update Interval: Indicates the interval at which RIP sends periodic Update packets.

Garbage Collection Time: Indicates the interval for collecting RIP garbage routes.

Timeout: Indicates the timeout interval of the RIP route.

Priority: Indicates the preference of RIP.

Enable Default Route: Configures the default route used when packets cannot find a
matching routing entry in the routing table.

Default Route Cost: Indicates the metric value of the default route. This parameter is
available when Enable Default Route is enabled.

Source Address Verification: Verifies the source IP address of a received RIP route
update packet.

Zero Field Check: Checks the zero fields in a RIP-1 packet. Certain fields in a RIP-1
packet must be zero; these fields are called zero fields. If the interface version is set to
RIP-1, zero field check is required on packets. This parameter is invalid for RIP-2 packets
because RIP-2 packets have no zero fields.

Host Route: Indicates that host routes can be added to the routing table.

Route Aggregation: Enables RIP-2 automatic route aggregation. RIP-1 sends routes with
natural masks, that is, the routes are advertised in aggregation mode. RIP-2 supports
subnet masks and Classless Inter-Domain Routing (CIDR). If all subnet routes need to be
broadcast, you can disable the route aggregation function of RIP-2 on the interface.

Step 4 Click OK.

If the new RIP process is displayed on the page, the operation succeeds.

----End

Configuring a Network Segment for a RIP Process


Step 1 Choose Router > RIP.

Step 2 Click corresponding to the RIP process to be modified.

Step 3 In the RIP Process ID:ID navigation tree, choose Basic Configuration > Network Settings.

Step 4 Click Add.


Step 5 Enter a network segment address to be added.


NOTE

RIP supports the following natural network segments: 1 to 126.0.0.0, 128 to 191.x.0.0, and
192 to 223.x.x.0.

Step 6 Click Confirm.

If the new network segment is displayed on the page, the operation succeeds.

----End

Modifying a RIP Interface


Step 1 Choose Router > RIP.

Step 2 Click corresponding to the RIP process to be modified.

Step 3 In the RIP Process ID:ID navigation tree, choose Basic Configuration > Interface Settings.

Step 4 Click corresponding to the interface to be configured.

Step 5 Enter or select the parameters.

Parameter: Description

Interface Name: Indicates the name of a RIP interface.

Authentication Mode: Indicates the mode in which the interface authenticates packets.
l NONE: indicates that authentication is not performed on packets.
l Simple: indicates that simple authentication is performed on packets.
l MD5: indicates that MD5 authentication is performed on packets.

MD5 Key: Indicates the identifier of the MD5 authentication key. This parameter is
required when Authentication Mode is MD5 authentication.

Password: Indicates the authentication key. This parameter is required when
Authentication Mode is MD5 authentication or simple authentication.

Confirm Password: Confirms the password. This parameter is required when
Authentication Mode is MD5 authentication.

Advanced Settings

Receiving of RIP Packets: Indicates that the interface is allowed to receive RIP update
packets.

Sending of RIP Packets: Indicates that the interface is allowed to send RIP update packets.


Anti-Loop Mechanism: Split Horizon: indicates that the interface does not send the
routes it received. Poison Reverse: RIP learns a route from an interface, sets the route
cost to 16 (unreachable), and sends the route back to the neighbor router through the
same interface.

Version: Indicates the version of RIP packets received by the interface. RIP has two
versions: RIP-1 and RIP-2. RIP-1 is a classful routing protocol that advertises protocol
packets in broadcast mode. RIP-2 is a classless routing protocol that transmits packets in
both broadcast mode and multicast mode.

Sending Mode: RIP-2 packets can be transferred in two modes: broadcast and multicast.

Receiving Offset: Indicates the metric value added when the interface receives routes.

Sending Offset: Indicates the metric value added when the interface sends routes.

Sending Interval: Indicates the interval at which the interface sends update packets.

Maximum Sending Packets: Indicates the number of update packets allowed on the
interface each time.

Step 6 Click Confirm.

----End

Configuring Route Importing for a RIP Process


If a router runs the RIP and other routing protocols, you can configure the RIP to import external
route information, and to filter out unnecessary routes and specify a metric value. If no metric
value is specified, the default metric value takes effect.

Step 1 Choose Router > RIP.

Step 2 Click corresponding to the RIP process to be modified.

Step 3 In the RIP Process ID:ID navigation tree, choose Advanced > Route Import.

Step 4 Click Add.

Step 5 Enter or select the parameters.

Table 10-9 Adding a route import configuration

Parameter: Description

Route Type: Indicates the imported source routing protocol.


Process ID: The routing protocol process ID needs to be specified when the route type is
ospf, rip, or isis.

Cost: Indicates the cost of an imported route.

Step 6 Click Confirm.

If the new route import configuration is displayed on the page, the operation succeeds.

----End

Configuring Route Filtering


A router provides a routing information filtering function. By specifying an ACL or an IP
address prefix list, you can configure an ingress or egress filtering policy to filter received
and advertised routes.

Step 1 Choose Router > RIP.

Step 2 Click corresponding to the RIP process to be modified.

Step 3 In the RIP Process ID:ID navigation tree, choose Advanced > Route Filter.

Step 4 Click Add.

Step 5 Enter or select the parameters.

Parameter: Description

Filter Type: Indicates the route filter type of RIP. After this parameter is set, it cannot be
changed.
l Import: indicates that RIP filters received routing information.
l Export: indicates that RIP filters advertised routing information.

Route Type: Advertises routes using route-type-based filtering. This parameter is required
when the filter type is export. After this parameter is set, it cannot be changed.

Process ID: Specifies the process ID for OSPF, RIP, and ISIS. After this parameter is set, it
cannot be changed.

Interface Name: Advertises routes using egress-based filtering. After this parameter is set,
it cannot be changed. Either route-type-based filtering or egress-based filtering can be
selected.


Filter Mode: Indicates the route filter mode. You can configure either of the following:
l IP-Prefix: sets a matching rule based on the IP prefix list. It is used for filtering routes
according to the prefixes of destination IP addresses.
l ACL: sets a matching rule based on the ACL. It is used for filtering routes according to
destination IP addresses.

IP-Prefix: Indicates the name of the IP prefix list. This parameter is required when Filter
Mode is IP-Prefix.

ACL: Indicates the basic ACL number. You can select an existing ACL or select Basic ACL
to create a new ACL. Source Address, Schedule, and Action are available when Filter
Mode is ACL and ACL is Basic ACL.

Source Address: Indicates the source IP address for filtering routes or the name of the
source address/address group. You can select an existing address/address group or create
a new one.

Schedule: Indicates the time range during which route filtering takes effect. You can select
an existing time range or create a new one.

Action: Indicates the action the device takes on the route.
l permit: indicates that the action configured by the policy is performed on the route.
l deny: indicates that the action configured by the policy is not performed on the route.

Step 6 Click OK.

If the new route filtering policy is displayed on the page, the operation succeeds.

----End

Configuring a RIP Peer


Usually, the RIP sends packets by using broadcast or multicast addresses.

To use the RIP as a routing protocol on a network that does not support broadcasting or
multicasting, you need to specify a RIP peer manually.

Step 1 Choose Router > RIP.

Step 2 Click corresponding to the RIP process to be modified.

Step 3 In the RIP Process ID:ID navigation tree, choose Advanced > Peer Settings.


Step 4 Click Add.

Step 5 Enter the IP address of the RIP peer.

Step 6 Click Confirm.

If the new RIP peer is displayed on the page, the operation succeeds.

----End

Configuring a Passive Interface


After an interface is configured not to send RIP update packets, the interface does not send RIP
updates to networks. This does not affect the advertisement of directly connected routes. This
function enhances the RIP networking capability and reduces the system resource consumption.

Step 1 Choose Router > RIP.

Step 2 Click corresponding to the RIP process to be modified.

Step 3 In the RIP Process ID:ID navigation tree, choose Advanced > Passive Interface.

Step 4 Click Add.

Step 5 Select the interface to be disabled.

Step 6 Click Confirm.

If the new passive interface is displayed on the page, the operation succeeds.

----End

10.3.4 RIP Configuration Using the CLI


This section describes how to use a command line interface (CLI) to configure RIP.

10.3.4.1 Configuration Flow


This section describes the RIP configuration task list. You can choose the configuration tasks
as needed.

Table 10-10 shows the RIP configuration tasks, including both the mandatory and optional
items.

Mandatory items are used to implement the interconnection of RIP networks, and optional items
are used to control and adjust RIP networks.

Table 10-10 RIP configuration task list

Configuration Task: Enable RIP.
Sub-task: Configuring Basic RIP Functions (Mandatory)

Configuration Task: Configure RIP interface attributes.
Sub-tasks (all Optional):
– Configuring the Additional Metric of an Interface
– Disabling an Interface from Sending Update Packets
– Disabling an Interface from Receiving RIP Update Packets
– Configuring Split Horizon and Poison Reverse

Configuration Task: Configure the RIP protocol attributes.
Sub-tasks (all Optional):
– Setting a RIP Priority
– Configuring a RIP Neighbor
– Setting the Maximum Number of Equal-Cost Routes

Configuration Task: Control the receiving and advertising of RIP routes.
Sub-tasks (all Optional):
– Configuring RIP to Advertise Default Routes
– Configuring RIP to Import External Routes
– Disabling RIP from Receiving Host Routes
– Configuring RIP to Filter Sent and Received Routes

Configuration Task: Configure the RIP route summarization function.
Sub-task: Configuring RIP-2 Route Summarization (Optional)

Configuration Task: Configure the timer and retransmission restrictions.
Sub-tasks (all Optional):
– Setting RIP Timers
– Setting the Interval at Which Packets Are Sent and the Maximum Number of Sent Packets

Configuration Task: Improve RIP security.
Sub-tasks (all Optional):
– Configuring RIP-2 Packet Authentication
– Configuring RIP to Verify Update Packets

10.3.4.2 Configuring Basic RIP Functions


To make RIP run properly, the network segment and the RIP version number must be specified
for each router running RIP.

Prerequisites
Before configuring basic RIP functions, complete the following tasks:

l Assign IP addresses to network layer interfaces to make neighboring nodes reachable at
the network layer. For details, see Interfaces.
l Add interfaces to security zones and configure security policies. For details, see Security
Policy.


Context
To implement proper RIP operation, set the process ID of each RIP router, the network segment
of the interface, and RIP version number.

Procedure
Step 1 Access the system view.

system-view

Step 2 Enable the RIP process and access the RIP view.

rip [ process-id ] vpn-instance vpn-instance-name

If you run RIP-related commands in the interface view before enabling RIP, the configurations
take effect only after RIP is enabled.

RIP supports the multi-instance service, and the RIP process can be associated with a VPN
instance. You can configure the vpn-instance vpn-instance-name parameter to associate a RIP
process with a VPN instance.

Step 3 Enable RIP on the specified network segment.

network network-address

RIP runs only on the interfaces of the specified network segment. RIP does not send, receive,
or forward routes for other interfaces. After enabling RIP, you must specify a network address
of a natural network segment.

By default, after RIP is enabled, RIP is disabled on all interfaces.

NOTE

Different network segments on the same physical interface must be assigned to a single RIP process.

Step 4 Set the RIP version number. By default, an interface receives both RIP-1 and RIP-2 packets
and sends only RIP-1 packets. You can configure a RIP-2 interface to send packets in broadcast
and multicast modes simultaneously. If the RIP version number on the interface is not set, the
global version number is used.
l Set the global RIP version number.
version { 1 | 2 }
l Set the RIP version number on an interface.
1. Access the system view.
system-view
2. Access the interface view.
interface interface-type interface-number
3. Set the RIP version number.
rip version { 1 | 2 [ broadcast | multicast ] }

----End


Follow-up Procedure
Run the display rip [ process-id | vpn-instance vpn-instance-name ] command. You can view
the current running status and configuration information. The command output shows that two
VPN instances are running. One is a public network instance, and the other is VPN-
Instance-1.
<NGFW> display rip
Public VPN-instance
RIP process : 1
RIP version : 1
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 3
Update time : 30 sec Age time : 180 sec
Suppress time : 0 sec Garbage-collect time : 120 sec
Silent interfaces : None
Default Route : Disabled
Verify-source : Enabled
Networks :
172.4.0.0
Configured peers : None
Number of routes in database : 4
Number of interfaces enabled : 3
Triggered updates sent : 3
Number of route changes : 6
Number of replies to queries : 1
Private VPN-instance name : VPN-Instance-1
RIP process : 2
RIP version : 1
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 3
Update time : 30 sec Age time : 180 sec
Suppress time : 0 sec Garbage-collect time : 120 sec
Silent interfaces : None
Default Route : Disabled
Verify-source : Enabled
Networks :
192.4.5.0
Configured peers : None
Number of routes in database : 0
Number of interfaces enabled : 0
Triggered updates sent : 0
Number of route changes : 0
Number of replies to queries : 0
Total count for 2 process :
Number of routes in database : 3
Number of interfaces enabled : 2
Number of routes sendable in a periodic update : 6
Number of routes sent in last periodic update : 4

Run the display rip process-id route command to view all routes of a specified RIP process.
<NGFW> display rip 1 route
Route Flags: R - RIP
A - Aging, S - Suppressed, G - Garbage-collect
----------------------------------------------------------------------------
Peer 192.4.5.1 on GigabitEthernet1/0/1
Destination/Mask Nexthop Cost Tag Flags Sec
172.4.0.0/16 192.4.5.1 1 0 RA 15
192.13.14.0/24 192.4.5.1 2 0 RA 15
192.4.5.0/24 192.4.5.1 1 0 RA 15

10.3.4.3 Controlling RIP Routing Information


This section describes how to control RIP routing information in the complex networking
environment.

Configuring the Additional Metric of an Interface


Prerequisite
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
RIP uses the hop count to measure the distance to a destination. You can set the metric for the
interface to receive and advertise routes. Changing the metric on the RIP interface affects route
selection.
Procedure

Step 1 Access the system view.


system-view
Step 2 Access the interface view.
interface interface-type interface-number
Step 3 Set the metric for received routes.
rip metricin value
The additional metric is added to the original metric of a RIP route. You can run the rip
metricin command to add an additional metric to a received route and add the route to the routing
table. As a result, the metric in the routing table changes.
Step 4 Set the metric for routes to be sent.
rip metricout value
The rip metricout command is used for route advertising. When a route is advertised, an
additional metric is added, but the metric in the routing table does not change.

----End
Follow-up Procedure
Run the display current-configuration interface interface-type interface-number command.
You can verify that interface information is correctly configured and that routing entries are
compliant with the plan on a related router.
<NGFW> display current-configuration interface GigabitEthernet 1/0/1
#
interface GigabitEthernet1/0/1
ip address 10.18.196.205 255.255.255.0
rip metricin 2
#


Setting a RIP Priority


Prerequisite

The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.

Context

Since multiple dynamic routing protocols may run on a router at the same time, the routing
information sharing and selection among routing protocols must be taken into consideration.
The system sets a priority level for each routing protocol. When different protocols carry the
same route, the routing protocol with higher priority is selected. By default, the RIP priority is
100.

Procedure

Step 1 Access the system view.

system-view

Step 2 Enable the RIP process and access the RIP view.

rip [ process-id ]

Step 3 Set the RIP priority.

preference { preference | route-policy route-policy-name } *

----End

Follow-up Procedure

Run the display rip [ process-id ] command. You can check the RIP priority.
<NGFW> display rip 1
Public VPN-instance
RIP process : 1
RIP version : 1
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 6
Update time : 30 sec Age time : 180 sec
Suppress time : 0 sec Garbage-collect time : 120 sec
Silent interfaces : None
Default Route : Disabled
Verify-source : Enabled
Networks :
10.0.0.0
Configured peers : None
Number of routes in database : 0
Number of interfaces enabled : 0
Triggered updates sent : 0
Number of route changes : 0
Number of replies to queries : 0

Total count for 1 process :


Number of routes in database : 0
Number of interfaces enabled : 0
Number of sending routes : 0


Configuring RIP to Advertise Default Routes


Prerequisite

The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.

Context

A RIP router can be configured to advertise default routes, which minimizes the impacts of route
changes on a RIP network and improves network performance.

A RIP router that generates a default route does not receive the default route from its neighboring
RIP router.

Procedure

Step 1 Access the system view.

system-view

Step 2 Enable the RIP process and access the RIP view.

rip [ process-id ]

Step 3 Enable RIP to advertise a default route.

default-route originate [ cost cost ]

You can configure a router to advertise a default route with the specified metric to its RIP
neighbors. The default metric value is 0.

----End

Follow-up Procedure

Run the display rip [ process-id ] command. You can see that Default Route in the specified
RIP process is set to Enabled. You can view the specified metric.
[NGFW] display rip 1
Public VPN-instance
RIP process : 1
RIP version : 1
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 6
Update time : 30 sec Age time : 180 sec
Suppress time : 0 sec Garbage-collect time : 120 sec
Silent interfaces : None
Default Route : Enabled Default Route Cost : 4
Verify-source : Enabled
Networks :
10.18.0.0 10.12.0.0
10.0.0.0
Configured peers : None
Number of routes in database : 6
Number of interfaces enabled : 2
Triggered updates sent : 7
Number of route changes : 2
Number of replies to queries : 1


Disabling an Interface from Sending Update Packets


Prerequisite

The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.

Context

In some scenarios, a router enabled with RIP is connected to other routers, but does not send
updates to these routers. In this case, you can prevent the interface from sending update packets.

Procedure

l Configure a router in a RIP process (with a higher priority).


1. Access the system view.

system-view
2. Enable the RIP process and access the RIP view.

rip [ process-id ]
3. Perform one of the following operations to set interfaces to the silent state as
needed:
– To set all interfaces to be silent, run:
silent-interface all
– To disable a single interface from sending Update packets, run:
silent-interface interface-type interface-number

A silent interface receives Update packets only to update its routing table and does
not send them. The silent-interface command takes precedence over the rip output
command configured on the interface. By default, an interface does not work in the
silent state.
l Configure a router in interface view (with a lower priority).
1. Access the system view.

system-view
2. Access the interface view.

interface interface-type interface-number


3. Disable the interface from sending RIP Update packets.

undo rip output

This command enables you to determine whether to send RIP Update packets for an
interface. This command has a priority lower than that of the silent-interface
command. By default, an interface is allowed to send RIP Update packets.

----End

Follow-up Procedure

Run the display rip [ process-id ] command and verify that the specified interface is in
suppression state.


Run the display current-configuration interface interface-type interface-number command
and verify that the configurations on the specified interface take effect.

Run the display ip routing-table command and verify that routing entries are compliant with
the plan.

Configuring RIP to Import External Routes


Prerequisite

The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.

Context

A router may run multiple routing protocols concurrently on a live network.

You need to import external routes to the RIP routing table on a router to ensure communication
using different routing protocols.

Procedure

Step 1 Access the system view.

system-view

Step 2 Enable the RIP process and access the RIP view.

rip [ process-id ]

Step 3 Optional: Set the default cost for imported routes.

default-cost cost

Step 4 Import the external routes.

import-route protocol [ process-id ] [ cost cost ] [ route-policy route-policy-name ]

Step 5 Filter the imported routes when they are advertised.

filter-policy { acl-number | ip-prefix ip-prefix-name } export [ protocol | interface-type
interface-number ]

If no cost is specified when external routes are imported, the default cost is used.

If RIP has to advertise routing information of other protocols, you can specify protocol to filter
only that protocol's routing information. If protocol is not specified, the router filters all routing
information, including the imported routes and local RIP routes (equivalent to direct routes).

NOTE

RIP defines a 16-bit route tag, whereas other protocols define a 32-bit tag. If the routes of
other protocols are imported and the tag is used in the routing policy, ensure that the tag value
does not exceed 65535. Otherwise, the routing policy becomes invalid, and the matching result is
incorrect.

----End

Follow-up Procedure


Run the display ip routing-table command and verify that routing entries are correctly
imported.

Disabling an Interface from Receiving RIP Update Packets


Prerequisite

The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.

Context

In some scenarios, the router enabled with RIP is connected to other routers, but does not receive
the updates from these routers. You can prevent the interface from receiving update packets.

Procedure

Step 1 Access the system view.

system-view

Step 2 Access the interface view.

interface interface-type interface-number

Step 3 Disable the interface from receiving RIP Update packets.

undo rip input

By default, an interface is allowed to receive RIP Update packets.

----End

Follow-up Procedure

Run the display current-configuration interface interface-type interface-number command
and verify that the configurations on the specified interface take effect.

Run the display ip routing-table command and verify that routing entries are compliant with
the plan.

Disabling RIP from Receiving Host Routes


Prerequisite

The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.

Context

In certain cases, routers may receive a large number of host routes from the same network
segment. These routes do not help with routing but consume mass resources. You can configure
RIP to prevent routers from receiving host routes, which helps save network resources.

NOTE

Preventing routers from receiving host routes is only valid for RIPv2, not RIPv1.

Procedure


Step 1 Access the system view.


system-view
Step 2 Enable RIP and access the RIP view.
rip [ process-id ]
Step 3 Disable RIP from adding host routes to the routing table.
undo host-route

----End
Follow-up Procedure
Run the display rip [ process-id ] command and verify that routers are prevented from receiving
host routes in the RIP process.
Run the display ip routing-table command and verify that routing entries are compliant with
the plan.

Configuring RIP to Filter Sent and Received Routes


Prerequisite
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
The NGFW can filter routing information. To filter the imported and advertised routes, you can
configure the inbound and outbound filtering policies and specify ACLs and IP-prefix lists in
the policies.
You can also configure a router to receive RIP packets only from a designated neighbor.
Procedure

Step 1 Access the system view.


system-view
Step 2 Enable the RIP process and access the RIP view.
rip [ process-id ]
Step 3 Configure RIP to filter the imported routes based on the requirements:
l To filter the learned routing information based on an ACL, run:
filter-policy acl-number [ import | export ]
l To filter the routing information advertised by neighbors on the basis of the destination
address prefix, run:
filter-policy gateway ip-prefix-name import
l To filter the routing information to be advertised based on the IP-prefix list, run:
filter-policy ip-prefix ip-prefix-name export
l To filter the routes learned by the specified interface on the basis of the destination address
prefix and the neighbors, run:

filter-policy ip-prefix ip-prefix-name [ gateway ip-prefix-name ] import [ interface-type
interface-number ]

----End
Follow-up Procedure
Run the display ip routing-table command on the related router and its neighbors and verify
that routing entries are compliant with the plan.

10.3.4.4 Optimizing a RIP Network


This section describes how to configure RIP functions and optimize RIP networks in special
network environments.

Setting RIP Timers


Prerequisite
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
RIP has four timers: Update, Age, Suppress, and Garbage-collect. Changing the timer values
affects the RIP route convergence speed.
l Update time: specifies the interval at which update packets are sent.
l Age time: If a RIP router does not receive an update for a route before the Age time
elapses, it considers the route unreachable and starts the Garbage-collect timer.
l Garbage-collect time: also called the garbage timeout timer. If a RIP router does not receive
an update for the unreachable route from the same neighboring router after the Garbage-
collect time elapses, the router deletes the route from the routing table.
l Suppress time: The NGFW does not support the Suppress timer.
In real-world situations, the timeout for the Garbage-collect timer is changeable. When the
Update timer is set to 30 seconds, the Garbage-collect timer may be 90 to 120 seconds.
The reason is that before deleting the unreachable route thoroughly from the routing table, RIP
advertises this route (the metric is set to 16) by sending the regular update packet four times,
and all neighbors learn that the route is unreachable. The route does not always turn to the
unreachable state at the very beginning of an update cycle; therefore, the actual time of the
Garbage-collect timer is two to three times longer than that of the Update timer.
Procedure

Step 1 Access the system view.


system-view
Step 2 Enable RIP and access the RIP view.
rip [ process-id ]
Step 3 Configure the RIP timers.
timers rip update age suppress garbage-collect


The default values are as follows:


l Update timer: 30 seconds.
l Age timer: 180 seconds.
l Garbage-collect timer: 120 seconds.
l Suppress timer: 0 seconds. Currently, the NGFW supports the configuration of the suppress
timer, but the timer does not take effect after being configured. The suppress timer value is
fixed to 0.

NOTE

l Timer values can be adjusted based on network performance, and the timers must be configured on all
routers running RIPng, which prevents unnecessary network traffic or network routing flapping.
l Incorrect settings of these four timer values may cause unstable routing. The values must satisfy
the following relationships: update is smaller than age, and suppress is smaller than garbage-collect.
For example, if update is greater than garbage-collect, and the RIP route changes within the update
time, the router cannot notify neighbors.
l The RIP timer values take effect dynamically after being modified.

----End
Follow-up Procedure
Run the display rip [ process-id ] command to view timer information of a specified RIP process.
<NGFW> display rip 1
Public VPN-instance
RIP process : 1
RIP version : 1
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 6
Update time : 30 sec Age time : 180 sec
Suppress time : 0 sec Garbage-collect time : 120 sec
Silent interfaces : None
Default Route : Disabled
Verify-source : Enabled
Networks : None
Configured peers : None
Number of routes in database : 0
Number of interfaces enabled : 0
Triggered updates sent : 0
Number of route changes : 0
Number of replies to queries : 0
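The timer interaction the Context describes (Age expiry marks a route unreachable, Garbage-collect then removes it) is easier to see in a short simulation. The following is an added example written for this guide page, not Huawei code: the timer values are the defaults listed above, the route, the neighbor timeline and the class and function names are constructed for the demonstration.

```python
"""Added example (not from the Huawei guide): simulating how the Age and
Garbage-collect timers retire a route once its neighbour stops refreshing it.
Timer values are the guide's defaults; the route and the update timeline are
constructed for the demonstration."""

INFINITY = 16                                    # RIP metric meaning "unreachable"
DEFAULT_TIMERS = {"update": 30, "age": 180, "suppress": 0, "garbage": 120}


def validate_timers(t):
    """Relationships the guide's NOTE requires; violating them destabilises routing."""
    if t["update"] >= t["age"]:
        raise ValueError("update must be smaller than age")
    if t["suppress"] >= t["garbage"]:
        raise ValueError("suppress must be smaller than garbage-collect")
    return True


class RipTable:
    """One RIP process's view of learned routes, driven by a 1-second tick."""

    def __init__(self, timers=DEFAULT_TIMERS):
        validate_timers(timers)
        self.timers = timers
        self.routes = {}       # prefix -> {"metric", "last_refresh", "gc_start"}
        self.events = []       # (event, prefix, time) for inspection

    def receive(self, now, prefix, metric):
        """An Update from the neighbour restarts the Age timer and cancels any pending deletion."""
        self.routes[prefix] = {"metric": metric, "last_refresh": now, "gc_start": None}

    def tick(self, now):
        for prefix, r in list(self.routes.items()):
            if r["gc_start"] is None and now - r["last_refresh"] >= self.timers["age"]:
                # Age expired: mark unreachable and start Garbage-collect. Until that
                # expires the route is still advertised with metric 16 so that
                # neighbours learn it is gone.
                r["metric"] = INFINITY
                r["gc_start"] = now
                self.events.append(("unreachable", prefix, now))
            elif r["gc_start"] is not None and now - r["gc_start"] >= self.timers["garbage"]:
                del self.routes[prefix]
                self.events.append(("deleted", prefix, now))


def simulate(last_update_at=60, horizon=400):
    """Neighbour advertises 172.4.0.0/16 every Update interval until last_update_at,
    then falls silent. Returns the list of timer events that follow."""
    table = RipTable()
    for now in range(horizon + 1):
        if now <= last_update_at and now % DEFAULT_TIMERS["update"] == 0:
            table.receive(now, "172.4.0.0/16", 1)
        table.tick(now)
    return table.events


if __name__ == "__main__":
    for event in simulate():
        print(event)
```

With the defaults, the last refresh at second 60 leaves the route reachable until second 240 (60 + Age 180), after which it is advertised as unreachable until second 360 (240 + Garbage-collect 120) and then deleted. This is the point of the NOTE above: an Update interval longer than Age would let a route expire between two refreshes, so validate_timers rejects such a combination.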

Setting the Interval at Which Packets Are Sent and the Maximum Number of Sent Packets
Prerequisite
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
When there are a large number of routes on a router, sending all route updates at once imposes
great pressure on network bandwidth. You can set the interval at which update packets are sent
and the number of update packets transmitted each time to prevent a burst of RIP packets from
affecting actual services.

Procedure

Step 1 Access the system view.

system-view

Step 2 Access the interface view.

interface interface-type interface-number

Step 3 Set the interval at which Update packets are sent and the maximum number of packets sent each
time on the interface.

rip pkt-transmit { interval interval | number pkt-count } *

----End

Follow-up Procedure

Run the display current-configuration interface interface-type interface-number command
and verify that the configurations on the specified interface take effect.

Verify that the RIP network status is compliant with the plan.
<NGFW> display current-configuration interface GigabitEthernet 1/0/1
#
interface GigabitEthernet1/0/1
ip address 10.18.196.205 255.255.255.0
rip pkt-transmit interval 80 number 40
#

Configuring Split Horizon and Poison Reverse


Prerequisite

The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.

Context

Split horizon and poison reverse help prevent routing loops on a RIP network.

l Split horizon: a route learned from an interface by RIP is not advertised to neighboring
routers connected to this interface.
l Poison reverse: After learning a route from an interface, RIP sets the route cost to 16
(unreachable) and sends the route back to the neighboring routers. This method clears
useless information in the routing table.

On non-broadcast multiple access (NBMA) networks enabled with frame relay and X.25, if no
subinterface is used, disable split horizon to allow the router to correctly advertise routing
information. If both poison reverse and split horizon are configured, only poison reverse takes
effect.

Procedure

Step 1 Access the system view.


system-view

Step 2 Access the interface view.

interface interface-type interface-number

Step 3 Enable split horizon.

rip split-horizon

By default, split horizon is enabled on the interface.

Step 4 Enable poison reverse.

rip poison-reverse

By default, poison reverse is disabled.

----End

Follow-up Procedure

Run the display current-configuration interface interface-type interface-number command to
view the configurations on a specified interface.
<NGFW> display current-configuration interface GigabitEthernet 1/0/1
#
interface GigabitEthernet1/0/1
ip address 10.18.196.205 255.255.255.0
rip poison-reverse
undo rip split-horizon
#
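The following added example, written for this page and not taken from the Huawei guide, shows what split horizon and poison reverse do to the Update a router sends out of one interface. The route table, interface names and metrics are constructed, and the function names are my own.

```python
"""Added example (not from the Huawei guide): how split horizon and poison
reverse change the routes a RIP router advertises out of each interface.
Routes, interfaces and metrics below are constructed sample data."""
from dataclasses import dataclass

RIP_INFINITY = 16  # RIP metric meaning "unreachable"


@dataclass(frozen=True)
class Route:
    prefix: str        # destination network, e.g. "10.1.0.0/16"
    metric: int        # hop count as stored in the local table
    learned_from: str  # interface the route was learned on ("" = directly connected)


def build_update(routes, out_iface, mode):
    """Return the (prefix, advertised_metric) list sent out of out_iface.

    mode is one of:
      "none"           - advertise everything with metric + 1 (loop-prone)
      "split-horizon"  - omit routes that were learned on out_iface
      "poison-reverse" - send routes learned on out_iface back with metric 16
    """
    if mode not in ("none", "split-horizon", "poison-reverse"):
        raise ValueError(f"unknown mode {mode}")
    update = []
    for r in routes:
        back_to_source = r.learned_from == out_iface
        if back_to_source and mode == "split-horizon":
            continue
        if back_to_source and mode == "poison-reverse":
            update.append((r.prefix, RIP_INFINITY))
            continue
        # the metric grows by one hop and saturates at infinity
        update.append((r.prefix, min(r.metric + 1, RIP_INFINITY)))
    return update


# Constructed routing table of a router with two RIP interfaces.
SAMPLE_ROUTES = [
    Route("10.18.196.0/24", 0, ""),           # directly connected network
    Route("172.4.0.0/16", 1, "GE1/0/1"),      # learned from the peer on GE1/0/1
    Route("192.13.14.0/24", 2, "GE1/0/1"),
    Route("192.4.5.0/24", 1, "GE1/0/2"),
    Route("10.99.0.0/16", 15, "GE1/0/2"),     # one hop away from infinity
]


def updates_for(out_iface, routes=SAMPLE_ROUTES):
    """The Update that would leave out_iface under each of the three modes."""
    return {mode: build_update(routes, out_iface, mode)
            for mode in ("none", "split-horizon", "poison-reverse")}


if __name__ == "__main__":
    for mode, update in updates_for("GE1/0/1").items():
        print(mode, update)
```

With poison reverse, the routes learned on GE1/0/1 go back out of that interface with metric 16, so the neighbor invalidates any stale path immediately instead of waiting for its Age timer. A poisoned entry already covers every route split horizon would have suppressed, which is why the Context above says that only poison reverse takes effect when both are configured.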

Configuring RIP to Verify Update Packets


Prerequisite

The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.

Context

To improve RIP network security, RIP Update packets must be checked, including the zero field
check and source IP address check.

Procedure

Step 1 Access the system view.

system-view

Step 2 Enable the RIP process and access the RIP view.

rip [ process-id ]

Step 3 Enable the zero field check for RIP-1 packets.

checkzero

Some fields in a RIP-1 packet must be 0s, and they are called zero fields. RIP-1 checks the zero
fields on receiving a packet. If the value of any zero field is not 0, the packet is not processed.


This command does not take effect on RIP-2 packets because RIP-2 packets contain no zero
fields.
By default, the zero field check is enabled.
Step 4 Specify the source address check for RIP Update packets.
verify-source
After receiving a packet, RIP checks whether the source IP address of the Update packet is in
the same network segment as the interface of a RIP process on the router. If the source IP
address and the interface address are in different network segments, the packet fails the check
and is not processed.
By default, the source address check is enabled.

----End
Follow-up Procedure
Run the display rip [ process-id ] command to view the Checkzero and Verify-source function
status.
<NGFW> display rip 1
Public VPN-instance
RIP process : 1
RIP version : 2
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 6
Update time : 30 sec Age time : 180 sec
Suppress time : 0 sec Garbage-collect time : 120 sec
Silent interfaces : None
Default Route : Disabled
Verify-source : Enabled
Networks :
10.18.0.0
Configured peers : None
Number of routes in database : 2
Number of interfaces enabled : 1
Triggered updates sent : 0
Number of route changes : 0
Number of replies to queries : 0

Total count for 1 process :


Number of routes in database : 2
Number of interfaces enabled : 1
Number of sending routes : 2
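The two checks configured in Steps 3 and 4 above can be followed in a small parser. The code below is an added example, not Huawei's implementation: the packets, addresses and function names are constructed for the demonstration. The RIP-1 zero fields it checks are the header's must-be-zero field and each entry's route tag, subnet mask and next hop; RIP-2 uses those fields, so the check is skipped for version 2 exactly as the text says.

```python
"""Added example (not from the Huawei guide): a minimal RIP Update parser that
applies the checks behind the checkzero and verify-source commands.  Packets
and addresses are constructed samples; the function names are my own."""
import ipaddress
import struct

RIP_HEADER = struct.Struct("!BBH")      # command, version, must-be-zero (RIP-1)
RIP_ENTRY = struct.Struct("!HHIIII")    # AFI, route tag, address, subnet mask, next hop, metric
CMD_RESPONSE = 2                        # Update packets are RIP "response" messages
AF_INET = 2
INFINITY = 16


def parse_rip(payload):
    """Split a RIP UDP payload into header fields and a list of route entries."""
    if len(payload) < RIP_HEADER.size or (len(payload) - RIP_HEADER.size) % RIP_ENTRY.size:
        raise ValueError("bad RIP length")
    command, version, header_zero = RIP_HEADER.unpack_from(payload)
    entries = []
    for off in range(RIP_HEADER.size, len(payload), RIP_ENTRY.size):
        afi, tag, addr, mask, nexthop, metric = RIP_ENTRY.unpack_from(payload, off)
        entries.append({"afi": afi, "tag": tag, "addr": addr, "mask": mask,
                        "nexthop": nexthop, "metric": metric})
    return command, version, header_zero, entries


def check_zero(version, header_zero, entries):
    """checkzero: RIP-1 fields that must be 0. Returns None when the packet passes, else a reason."""
    if version != 1:
        return None                     # RIP-2 uses tag, mask and next hop, so nothing to check
    if header_zero != 0:
        return "header must-be-zero field is set"
    for i, e in enumerate(entries):
        if e["tag"] or e["mask"] or e["nexthop"]:
            return f"entry {i}: RIP-1 zero field is set"
    return None


def verify_source(src_ip, iface_ip, prefix_len):
    """verify-source: the sender must sit on the receiving interface's network segment."""
    iface_net = ipaddress.ip_interface(f"{iface_ip}/{prefix_len}").network
    return ipaddress.ip_address(src_ip) in iface_net


def natural_prefix_len(addr_int):
    """Classful mask length for a RIP-1 entry, which carries no subnet mask."""
    first = addr_int >> 24
    return 8 if first < 128 else 16 if first < 192 else 24


def accept_update(payload, src_ip, iface_ip, prefix_len, checkzero=True, verifysource=True):
    """Return (accepted, reason, routes) where routes is a list of (prefix, metric)."""
    try:
        command, version, header_zero, entries = parse_rip(payload)
    except ValueError as exc:
        return False, str(exc), []
    if command != CMD_RESPONSE:
        return False, "not an Update (response) packet", []
    if version not in (1, 2):
        return False, f"unsupported RIP version {version}", []
    if verifysource and not verify_source(src_ip, iface_ip, prefix_len):
        return False, "source address not on the interface's network segment", []
    if checkzero:
        reason = check_zero(version, header_zero, entries)
        if reason:
            return False, reason, []
    routes = []
    for e in entries:
        if e["afi"] != AF_INET:
            continue                    # e.g. RIP-2 authentication entries are not routes
        if not 1 <= e["metric"] <= INFINITY:
            return False, "metric out of range", []
        plen = bin(e["mask"]).count("1") if version == 2 and e["mask"] else natural_prefix_len(e["addr"])
        net = ipaddress.ip_network(f"{ipaddress.ip_address(e['addr'])}/{plen}", strict=False)
        routes.append((str(net), e["metric"]))
    return True, "ok", routes


def _ip(s):
    return int(ipaddress.ip_address(s))


# Constructed sample packets (not captured traffic).
GOOD_V1 = RIP_HEADER.pack(CMD_RESPONSE, 1, 0) + RIP_ENTRY.pack(AF_INET, 0, _ip("172.4.0.0"), 0, 0, 1)
BAD_V1 = RIP_HEADER.pack(CMD_RESPONSE, 1, 0) + RIP_ENTRY.pack(AF_INET, 7, _ip("172.4.0.0"), 0, 0, 1)
GOOD_V2 = RIP_HEADER.pack(CMD_RESPONSE, 2, 0) + RIP_ENTRY.pack(
    AF_INET, 0, _ip("192.13.14.0"), _ip("255.255.255.0"), 0, 2)

if __name__ == "__main__":
    print(accept_update(GOOD_V1, "192.4.5.1", "192.4.5.2", 24))   # accepted
    print(accept_update(BAD_V1, "192.4.5.1", "192.4.5.2", 24))    # zero-field failure
    print(accept_update(GOOD_V1, "10.0.0.9", "192.4.5.2", 24))    # off-segment source
```

Both checks are cheap sanity filters rather than authentication: verify-source only confirms the claimed source belongs to the interface's segment, and checkzero only rejects malformed RIP-1 packets. A packet that passes them still carries no proof of origin, which is what the RIP-2 authentication section later in this chapter adds.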

Configuring a RIP Neighbor


Prerequisite
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
RIP sends packets in broadcast or multicast mode. If RIP runs on links that do not support
broadcast or multicast packets, you must specify RIP neighbors manually.


Procedure

Step 1 Access the system view.

system-view

Step 2 Enable the RIP process and access the RIP view.

rip [ process-id ]

Step 3 Configure a RIP neighbor.

peer ip-address

----End

Follow-up Procedure

Run the display rip [ process-id ] command to view the configurations of a specified RIP
process.
<NGFW> display rip 1
RIP process : 1
RIP version : 1
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 6
Update time : 30 sec Age time : 180 sec
Suppress time : 0 sec Garbage-collect time : 120 sec
Silent interfaces : None
Default Route : Disabled
Verify-source : Enabled
Networks : None
Configured peers :
10.112.80.22
Number of routes in database : 0
Number of interfaces enabled : 0
Triggered updates sent : 0
Number of route changes : 0
Number of replies to queries : 0

Setting the Maximum Number of Equal-Cost Routes


Prerequisite

The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.

Context

If a router has several routes with the same destination IP address and priority, all the routes are
used. If no routes have higher priorities than these routes, the router sends packets with the
specific destination IP address over all equal-cost routes, which implements the load balancing.

You can set the maximum number of equal-cost routes to be added to the routing table.

Procedure

Step 1 Access the system view.


system-view
Step 2 Enable the RIP process and access the RIP view.
rip [ process-id ]
Step 3 Set the maximum number of equal-cost routes.
maximum load-balancing number

----End
Follow-up Procedure
Run the display rip [ process-id ] command and verify that the configuration of Maximum
number of balanced paths takes effect.
Run the display ip routing-table command and verify that there are multiple equal-cost routes
to the same destination in the routing table.
<NGFW> display rip 1
RIP process : 1
RIP version : 1
Preference : 100
Checkzero : Enabled
Default-cost : 0
Summary : Enabled
Hostroutes : Enabled
Maximum number of balanced paths : 3
Update time : 30 sec Age time : 180 sec
Suppress time : 0 sec Garbage-collect time : 120 sec
Silent interfaces : None
Default Route : Disabled
Verify-source : Enabled
Networks : None
Configured peers : None
Number of routes in database : 0
Number of interfaces enabled : 0
Triggered updates sent : 0
Number of route changes : 0
Number of replies to queries : 0
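The three settings described in this chapter that influence which routes become active, the additional metric of an interface (rip metricin / rip metricout), the RIP preference, and the maximum number of equal-cost routes, can be put together in one route-selection model. The following is an added example written for this page, not Huawei code: RIP's preference of 100 is the default the guide states, while the static-route preference of 60, the zero defaults for metricin and metricout, the protocol names and every route are this example's own assumptions.

```python
"""Added example (not from the Huawei guide): how rip metricin / rip metricout,
the RIP preference and maximum load-balancing interact when the routing table
picks active routes.  RIP's preference of 100 is the guide's default; the static
preference of 60 and the zero defaults for metricin/metricout are assumptions of
this example, and every route below is constructed."""
from collections import defaultdict

INFINITY = 16


def learn_rip_route(prefix, nexthop, advertised_metric, metricin=0):
    """rip metricin: the additional metric is added before the route enters the table."""
    return {"prefix": prefix, "proto": "RIP", "pref": 100,
            "cost": min(advertised_metric + metricin, INFINITY), "nexthop": nexthop}


def advertise_rip_route(route, metricout=0):
    """rip metricout: the sent metric grows, the stored table entry is untouched."""
    return route["prefix"], min(route["cost"] + metricout, INFINITY)


def select_active(routes, max_load_balancing=3):
    """Per destination: lowest preference wins, then lowest cost; equal-cost
    survivors share traffic, but only max_load_balancing of them are installed."""
    by_prefix = defaultdict(list)
    for r in routes:
        if r["cost"] < INFINITY:                     # metric 16 means unreachable
            by_prefix[r["prefix"]].append(r)
    active = {}
    for prefix, cands in by_prefix.items():
        best = min((c["pref"], c["cost"]) for c in cands)
        winners = [c["nexthop"] for c in cands if (c["pref"], c["cost"]) == best]
        active[prefix] = winners[:max_load_balancing]
    return active


def demo():
    routes = [
        # a static route to the same destination as a RIP route: preference 60 beats 100
        {"prefix": "10.0.0.0/8", "proto": "STATIC", "pref": 60, "cost": 0, "nexthop": "10.18.196.1"},
        learn_rip_route("10.0.0.0/8", "192.4.5.1", 2),
        # five RIP peers, four with equal cost: only three next hops are installed
        learn_rip_route("172.4.0.0/16", "192.4.5.1", 1),
        learn_rip_route("172.4.0.0/16", "192.4.5.2", 1),
        learn_rip_route("172.4.0.0/16", "192.4.5.3", 1),
        learn_rip_route("172.4.0.0/16", "192.4.5.4", 1),
        learn_rip_route("172.4.0.0/16", "192.4.5.5", 3),
        # metricin pushes an already distant route to 16, so it never enters the table
        learn_rip_route("192.13.14.0/24", "192.4.5.1", 15, metricin=2),
    ]
    return select_active(routes, max_load_balancing=3)


if __name__ == "__main__":
    print(demo())
```

The last sample route is the caveat worth remembering when tuning rip metricin: RIP's hop count saturates at 16, so an additional metric on an interface can silently turn a distant but valid route into an unreachable one.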

Configuring RIP-2 Route Summarization


Prerequisite
The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.
Context
Route summarization indicates that when being advertised to other network segments, the routes
on different subnets of the same natural network segment are summarized to a route with a
natural mask. This function minimizes the routing table size, which helps reduce unwanted
network traffic. On the network with large number of routers, configuring route summarization
can improve network scalability and the router processing speed.
RIP-1 does not support variable length subnet mask (VLSM), and route summarization is invalid
for RIP-1. RIP-2 supports VLSM and classless inter-domain routing (CIDR). If all subnet routes
need to be broadcast, you can disable RIP-2 automatic route summarization.
Procedure


l Enable RIP-2 automatic route summarization.


1. Access the system view.

system-view
2. Enable the RIP process and access the RIP view.

rip [ process-id ]
3. Enable RIP-2 automatic route summarization.

summary

By default, RIP-2 automatic route summarization is enabled.

NOTE

Automatic route summarization does not take effect on interfaces that are configured with split
horizon or poison reverse.
l Configure RIP-2 to advertise the aggregation address.
1. Access the system view.

system-view
2. Access the interface view.

interface interface-type interface-number


3. Advertise the local RIP-2 aggregation IP address.

rip summary-address ip-address mask [ avoid-feedback ]

----End

Follow-up Procedure

Run the display ip routing-table command on a router to check whether routing entries are
compliant with the plan.
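Automatic summarization to the natural mask, and the interface-level rip summary-address that the second procedure configures, can be modelled as a transformation of the routes leaving an interface. The code below is an added example written for this page, not Huawei's implementation: all prefixes and metrics are constructed, the function names are my own, and the avoid-feedback keyword and the split-horizon/poison-reverse exception noted above are not modelled.

```python
"""Added example (not from the Huawei guide): RIP-2 automatic route
summarization, which collapses the subnets of one natural (classful) network
into a single route with the natural mask when they are advertised into a
different natural network, plus the effect of rip summary-address.  All
prefixes are constructed samples."""
import ipaddress

INFINITY = 16


def natural_network(net):
    """Classful network containing net: /8 for class A, /16 for B, /24 for C."""
    first = int(net.network_address) >> 24
    plen = 8 if first < 128 else 16 if first < 192 else 24
    return ipaddress.ip_network(f"{net.network_address}/{plen}", strict=False)


def summarize(routes, out_iface_net, auto_summary=True, summary_addresses=()):
    """routes: {prefix: metric}.  Returns the {prefix: metric} advertised out of an
    interface whose own network is out_iface_net.

    auto_summary     - the 'summary' command: subnets of a natural network other than
                       the interface's own are replaced by that natural network.
    summary_addresses - prefixes given with 'rip summary-address' on this interface;
                       any more specific route is replaced by the configured prefix.
    """
    iface_natural = natural_network(ipaddress.ip_network(out_iface_net))
    manual = [ipaddress.ip_network(s) for s in summary_addresses]
    advertised = {}
    for prefix, metric in routes.items():
        net = ipaddress.ip_network(prefix)
        target = net
        for s in manual:
            if net != s and net.subnet_of(s):
                target = s
                break
        else:
            nat = natural_network(net)
            if auto_summary and nat != iface_natural:
                target = nat
        key = str(target)
        # a summary inherits the best (lowest) metric among the routes it replaces
        advertised[key] = min(metric, advertised.get(key, INFINITY))
    return advertised


# Constructed local routing table: two class A subnets, two class B subnets, one class C.
SAMPLE_ROUTES = {
    "10.18.196.0/24": 1,
    "10.12.0.0/16": 2,
    "172.4.1.0/24": 1,
    "172.4.2.0/24": 3,
    "192.13.14.0/24": 2,
}

if __name__ == "__main__":
    print(summarize(SAMPLE_ROUTES, "192.4.5.0/24"))                      # auto summary
    print(summarize(SAMPLE_ROUTES, "10.18.196.0/24"))                    # 10/8 subnets kept
    print(summarize(SAMPLE_ROUTES, "192.4.5.0/24", auto_summary=False,
                    summary_addresses=("172.4.0.0/22",)))                 # manual summary
```

Note the second call: subnets of 10.0.0.0/8 are advertised unsummarized out of an interface that itself sits in 10.0.0.0/8, because summarization only applies when the routes cross into a different natural network. That is also the situation in which the discontiguous-subnet problem arises, and disabling the summary command, as the Context above suggests, is the usual remedy.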

Configuring RIP-2 Packet Authentication


Prerequisite

The RIP network is planned, and the task of 10.3.4.2 Configuring Basic RIP Functions is
complete.

Context

To improve RIP network security, you can configure authentication on the router that runs RIP-2
to safeguard packet transmission.

RIP-2 supports the following authentication modes.

l Simple authentication: an insecure authentication mode. The authentication key is
transmitted unencrypted in the packets; therefore, simple authentication is not applicable
to networks requiring high security.
l Message digest algorithm 5 (MD5) authentication: uses keys in the following formats:
– usual: uses the IETF standard authentication packet format.
– nonstandard: uses the non-standard authentication packet format.


Procedure

Step 1 Access the system view.

system-view

Step 2 Access the interface view.

interface interface-type interface-number

Step 3 Perform either of the following operations:


l To enable simple authentication, run:
rip authentication-mode simple password
l To enable MD5 authentication in ciphertext, run:
rip authentication-mode md5 { nonstandard password-key key-id | usual password-
key }

----End

Follow-up Procedure

Run the display current-configuration interface interface-type interface-number command
and verify that the authentication mode on a specified interface is correctly configured.
<NGFW> display current-configuration interface GigabitEthernet 1/0/1
#
interface GigabitEthernet1/0/1
ip address 10.18.196.205 255.255.255.0
rip authentication-mode md5 nonstandard %$%$,|M]CXBou+W#[S++S-~3a,#w%$%$ 34
#
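The following added example (not Huawei code) shows what the IETF standard packet format that the guide calls usual looks like on the wire, following RFC 2082 keyed MD5, together with a receiver that rejects a wrong key, an altered route entry and a replayed sequence number. The key, the route entry and the function names are constructed; key ID 34 is reused from the output above only as a sample value; the strictly increasing sequence-number policy is this example's own choice, and the nonstandard format is not modelled.

```python
"""Added example (not from the Huawei guide): building and verifying the
RFC 2082 keyed-MD5 authentication trailer used by the IETF standard ("usual")
RIP-2 authentication format.  Key, key ID, sequence number and the route entry
are constructed samples."""
import hashlib
import hmac
import ipaddress
import struct

HDR = struct.Struct("!BBH")             # command, version, must-be-zero
ENTRY = struct.Struct("!HHIIII")        # AFI, tag, address, mask, next hop, metric
AUTH_HDR = struct.Struct("!HHHBBI8x")   # 0xFFFF, auth type, packet length, key ID,
                                        # auth data length, sequence number, 8 reserved bytes
TRAILER = struct.Struct("!HH")          # 0xFFFF, 0x0001 introduces the 16-byte digest
AUTH_KEYED_MD5 = 3
DIGEST_LEN = 16


def _padded_key(key):
    """RFC 2082 zero-pads the key to 16 octets before it enters the digest."""
    if len(key) > DIGEST_LEN:
        raise ValueError("key longer than 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")


def sign_rip2(entries, key, key_id, seq):
    """Build an authenticated RIP-2 Update.  entries: [(addr_int, mask_int, metric)]."""
    packet_len = HDR.size + AUTH_HDR.size + ENTRY.size * len(entries)   # bytes before the trailer
    body = HDR.pack(2, 2, 0)
    body += AUTH_HDR.pack(0xFFFF, AUTH_KEYED_MD5, packet_len, key_id, DIGEST_LEN, seq)
    for addr, mask, metric in entries:
        body += ENTRY.pack(2, 0, addr, mask, 0, metric)
    body += TRAILER.pack(0xFFFF, 1)
    # The digest covers everything up to here with the padded key in the digest's place.
    digest = hashlib.md5(body + _padded_key(key)).digest()
    return body + digest


def verify_rip2(packet, keys, last_seq=None):
    """Check an incoming packet.  keys: {key_id: key bytes}.  Returns (ok, reason, seq)."""
    min_len = HDR.size + AUTH_HDR.size + TRAILER.size + DIGEST_LEN
    if len(packet) < min_len:
        return False, "too short", None
    afi, atype, plen, key_id, alen, seq = AUTH_HDR.unpack_from(packet, HDR.size)
    if afi != 0xFFFF or atype != AUTH_KEYED_MD5:
        return False, "no keyed-MD5 authentication entry", None
    if alen != DIGEST_LEN or plen + TRAILER.size + DIGEST_LEN != len(packet):
        return False, "length fields do not match packet", None
    key = keys.get(key_id)
    if key is None:
        return False, f"unknown key ID {key_id}", None   # key rollover needs both IDs configured
    if TRAILER.unpack_from(packet, plen) != (0xFFFF, 1):
        return False, "bad authentication trailer", None
    # Replay guard of this example: the sequence number must increase between accepted packets.
    if last_seq is not None and seq <= last_seq:
        return False, "replayed or out-of-order sequence number", None
    expected = hashlib.md5(packet[:plen + TRAILER.size] + _padded_key(key)).digest()
    if not hmac.compare_digest(expected, packet[plen + TRAILER.size:]):
        return False, "digest mismatch (wrong key or altered packet)", None
    return True, "ok", seq


def _ip(s):
    return int(ipaddress.ip_address(s))


# Constructed sample: one route, key ID 34 as a sample value, a made-up key.
KEYS = {34: b"example-key"}
SAMPLE = sign_rip2([(_ip("10.18.0.0"), _ip("255.255.0.0"), 1)], KEYS[34], 34, seq=1001)

if __name__ == "__main__":
    print(verify_rip2(SAMPLE, KEYS))
```

The digest is computed over the packet with the key occupying the digest's position, so a peer that does not hold the key for the advertised key ID can neither forge nor modify an Update, and the sequence number lets a receiver drop a captured packet that is played back later. Keyed MD5 is a legacy construction; it remains the strongest mode this platform offers for RIP-2, and the key ID field is what makes an orderly key change possible.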

10.3.4.5 Maintaining RIP


The RIP route can be checked, cleared, and debugged after being configured.

Displaying the RIP Configuration

Table 10-11 Displaying the RIP configuration

Action: Display the current running status and configuration information of RIP.
Command: display rip [ process-id | vpn-instance vpn-instance-name ]

Action: Display all activated routes in the RIP advertising database.
Command: display rip process-id database [ verbose ]
