H3C SecPath F1000-S Firewall
Installation Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Manual Version: T2-08044J-20070622-C-1.03
Copyright © 2006-2007, Hangzhou H3C Technologies Co., Ltd. and its licensors
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means
without prior written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint,
SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus,
N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies
Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their
respective owners.
Notice
The information in this document is subject to change without notice. Every effort has
been made in the preparation of this document to ensure accuracy of the contents, but
all statements, information, and recommendations in this document do not constitute
the warranty of any kind, express or implied.
To obtain the latest information, please access:
http://www.h3c.com
Technical Support
customer_service@h3c.com
http://www.h3c.com
About This Manual
Related Documentation
In addition to this manual, each H3C SecPath Series Security Products documentation
set includes the following:
Manual | Description
H3C SecPath Series Security Products Operation Manual | It introduces the functional features, principles and guide to configuration and operation for H3C SecPath Series Security Gateways/Firewalls.
H3C SecPath Series Security Products Command Manual | It discusses all commands available in the configuration and operation on H3C SecPath Series Security Gateways/Firewalls. The details include command name, complete command form, parameter, operation view, usage description and configuration example.
H3C SecPath Series Security Products Web-Based Configuration Manual | It directs users to configure the H3C SecPath Series Firewalls in Web mode.
Organization
H3C SecPath F1000-S Firewall Installation Manual is organized as follows:
Chapter | Contents
1 Product Overview | Profiles the system characteristics and applications. Product appearance and system description are also available in this chapter.
2 Preparation for Installation | Focuses on environment requirements for system installation, precautions before and during installation. Installation tools are also listed in this chapter.
3 Hardware Installation | Elaborates on mechanical installation, physical connection of power cords, console cables and Ethernet cables.
4 Booting and Configuration | Presents fundamentals on system booting and configuration.
5 Software Maintenance | Discusses system software maintenance, including software upgrade and configuration file loading.
6 Hardware Maintenance | Introduces system hardware maintenance, including replacing DDR SDRAM.
7 Troubleshooting | Lists common system failures and specific locating methods.
8 Multifunctional Interface Modules | Details appearance, panel and LEDs of the functional modules available on the SecPath F1000-S, as well as module installation and connection of interface cables.
Conventions
The manual uses the following conventions:
I. Command conventions
Convention          Description
Boldface            The keywords of a command line are in Boldface.
italic              Command arguments are in italic.
[ ]                 Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }     Alternative items are grouped in braces and separated by vertical bars.
                    One is selected.
[ x | y | ... ]     Optional alternative items are grouped in square brackets and separated
                    by vertical bars. One or none is selected.
{ x | y | ... } *   Alternative items are grouped in braces and separated by vertical bars.
                    A minimum of one or a maximum of all can be selected.
[ x | y | ... ] *   Optional alternative items are grouped in square brackets and separated
                    by vertical bars. Many or none can be selected.
&<1-n>              The argument(s) before the ampersand (&) sign can be entered 1 to n times.
#                   A line starting with the # sign is a comment.
II. GUI conventions
Convention          Description
< >                 Button names are inside angle brackets. For example, click <OK>.
[ ]                 Window names, menu items, data table and field names are inside square
                    brackets. For example, pop up the [New User] window.
/                   Multi-level menus are separated by forward slashes. For example,
                    [File/Create/Folder].
III. Symbols
Convention          Description
Warning             Means the reader should be extremely careful. Improper operation may
                    cause bodily injury.
Caution             Means the reader should be careful. Improper operation may cause data
                    loss or damage to equipment.
Note                Means a complementary description.
Environmental Protection
This product has been designed to comply with the requirements on environmental
protection. For the proper storage, use and disposal of this product, national laws and
regulations must be observed.
Installation Manual
H3C SecPath F1000-S Firewall Table of Contents
Table of Contents
Chapter 1 Product Overview
1.1 Brief Introduction
1.2 Hardware Features
1.2.1 Appearance
1.2.2 System Description
1.2.3 LEDs
1.2.4 Attributes of the Fixed Interfaces
1.2.5 MIMs
Chapter 2 Preparation for Installation
2.1 Site Requirements
2.1.1 Temperature/Humidity
2.1.2 Cleanliness
2.1.3 ESD Prevention
2.1.4 Electromagnetic Environment
2.1.5 Lightning Protection
2.1.6 Mounting Rack
2.2 Safety Precautions
2.3 Unpacking and Inspection
2.4 Tools, Meters, and Devices
Chapter 3 Hardware Installation
3.1 Installation Procedure
3.2 Mounting the Device
3.2.1 Freestanding the Device
3.2.2 Rack-Mounting the Device
3.3 Installing an MIM
3.4 Connecting the Grounding Wires
3.5 Connecting to the Console Terminal
3.6 Connecting the Ethernet Interface
3.7 Connecting a PSU
3.8 Verifying Installation
Chapter 4 Booting and Configuration
4.1 Booting
4.1.1 Setting up a Configuration Environment
4.1.2 Powering up the Firewall
4.1.3 Booting Process
4.2 Configuration Fundamentals
4.2.1 Basic Configuration Procedure
4.2.2 Command Line Interface
Chapter 5 Software Maintenance
5.1 Introduction
5.1.1 Boot Menu
5.1.2 Upgrading the Application and Boot ROM Programs Using XModem
5.1.3 Backing up and Restoring the Extended Segment of the Boot ROM program
5.1.4 Upgrading an Application Program Using TFTP
5.1.5 Uploading/Downloading a Program/File Using FTP
5.1.6 Modifying Boot ROM Password
5.1.7 Resetting a Lost Password
Chapter 6 Hardware Maintenance
6.1 Preparing Tools
6.2 Opening the Chassis Cover
6.3 Replacing a DDR SDRAM
6.3.1 Locating the DDR SDRAMs on the Mainboard
6.3.2 Removing a DDR SDRAM
6.3.3 Installing a DDR SDRAM
6.4 Closing the Chassis Cover
6.5 Replacing an MIM
Chapter 7 Troubleshooting
7.1 Troubleshooting the Power System
7.2 Troubleshooting the Configuration System
7.3 Troubleshooting the Software Upgrade
Chapter 8 Multifunctional Interface Modules
8.1 MIM Options
8.2 Installing and Removing an MIM
8.3 Troubleshooting an MIM
8.4 1FE/2FE/4FE Module
8.4.1 Introduction
8.4.2 Appearance
8.4.3 Interface Attributes
8.4.4 Panel and Interface LEDs
8.4.5 Interface Cable
8.4.6 Connecting the Interface Cable
8.5 1GBE/2GBE Module
8.5.1 Introduction
8.5.2 Appearance
8.5.3 Interface Attributes
8.5.4 Panel and Interface LEDs
8.5.5 Interface Cable
8.5.6 Connecting the Interface Cable
8.6 1GEF/2GEF Module
8.6.1 Introduction
8.6.2 Appearance
8.6.3 Interface Attributes
8.6.4 Panel and Interface LEDs
8.6.5 Interface Fiber Cable
8.6.6 Connecting the Interface Fiber Cable
8.7 SSL Module
8.7.1 Introduction
8.7.2 Appearance
8.7.3 Module Attributes
8.7.4 Panel and Module LEDs
8.7.5 Troubleshooting SSL Module
List of Figures
Figure 1-1 Front panel of the H3C SecPath F1000-S firewall
Figure 1-2 Rear panel of the H3C SecPath F1000-S firewall
Figure 3-1 Installation procedure
Figure 3-2 Install the firewall in a rack
Figure 3-3 Grounding screw on the firewall
Figure 3-4 Console cable assembly
Figure 3-5 Ethernet cable assembly
Figure 3-6 Power socket on a dual AC power supply firewall
Figure 4-1 Local configuration through the console port
Figure 4-2 Create a new connection
Figure 4-3 Select serial interface
Figure 4-4 Set port parameters
Figure 4-5 Select emulation type
Figure 5-1 Send File dialog box
Figure 5-2 Sending File interface
Figure 5-3 Set up an environment for local uploading/downloading
Figure 5-4 Set up an environment for remote uploading/downloading
Figure 6-1 Open the chassis
Figure 6-2 DDR SDRAM maintenance flow
Figure 6-3 Position of the DDR SDRAMs, Flash, and Boot ROM on the mainboard
Figure 6-4 Remove a DDR SDRAM
Figure 6-5 Close the chassis cover
Figure 8-1 Install the MIM I
Figure 8-2 Install the MIM II
Figure 8-3 1FE module
Figure 8-4 2FE module
Figure 8-5 4FE module
Figure 8-6 1FE module panel
Figure 8-7 2FE module panel
Figure 8-8 4FE module panel
Figure 8-9 Ethernet cable
Figure 8-10 Category-5 twisted-pair cable
Figure 8-11 1GBE module
Figure 8-12 2GBE module
Figure 8-13 1GBE module panel
Figure 8-14 2GBE module panel
Figure 8-15 Ethernet cable
Figure 8-16 Category-5 twisted-pair cable
Figure 8-17 1GEF module
Figure 8-18 2GEF module
Figure 8-19 1GEF module panel
Figure 8-20 2GEF module panel
Figure 8-21 SSL module
Figure 8-22 SSL module panel
List of Tables
Table 1-1 Technical specifications of the H3C SecPath F1000-S firewall
Table 1-2 LEDs on the front panel of the H3C SecPath F1000-S firewall
Table 1-3 Attributes of the console port
Table 1-4 Attributes of the AUX port
Table 1-5 Attributes of the GE electrical interfaces
Table 1-6 Attributes of the GE optical interfaces
Table 2-1 Temperature/humidity requirements in the equipment room
Table 2-2 Dust limit in the equipment room
Table 2-3 Limit of harmful gases in the equipment room
Table 3-1 Dimensions of the H3C SecPath F1000-S firewall
Table 6-1 Memory specifications
Table 8-1 Interface attributes of the 1FE, 2FE and 4FE modules
Table 8-2 LEDs on the 1FE/2FE module
Table 8-3 Straight-through cable pinout
Table 8-4 Crossover cable pinout
Table 8-5 Interface attributes of the 1GBE/2GBE module
Table 8-6 LEDs on the 1GBE/2GBE module
Table 8-7 Interface attributes of the 1GEF/2GEF module
Table 8-8 LEDs on the 1GEF/2GEF module
Table 8-9 SSL module attributes
Table 8-10 LEDs on the SSL module
Chapter 1 Product Overview
1.1 Brief Introduction
H3C SecPath F1000-S Firewall is a new-generation firewall intended for enterprise
users. It can act as the egress firewall for small and medium businesses and as the
internal firewall for large and medium enterprises.
H3C SecPath F1000-S Firewall provides four fixed 10/100/1000 Mbps auto-sensing
interfaces (with two electrical interfaces and two applicable to both optical and electrical
modes). It provides two multifunctional interface module (MIM) expansion slots, which
currently can accommodate 1FE/2FE/4FE/1GBE/2GBE/1GEF/2GEF/SSL modules. It
adopts power redundancy solutions (AC+AC), provides inside-chassis temperature
detection, and supports network management and Web configuration to meet the
carrier-class reliability requirements.
It supports multiple attack prevention approaches, TCP proxy, internal network security,
traffic policing, URL filtering, Web page filtering, and email filtering, to effectively
safeguard your network.
It adopts the application specific packet filtering (ASPF) technology to monitor
connection process and malicious commands and works together with access control
lists (ACLs) to implement dynamic packet filtering.
It provides various intelligent analysis and management methods, supports email
alarming and multiple sorts of logs, and provides network management monitoring to
help network administrators perform network security management.
It supports authentication, authorization, accounting (AAA), network address
translation (NAT), hybrid mode, and object-oriented management to ensure security
and guaranteed services for the private networks constructed on the open Internet.
It supports multiple virtual private network (VPN) services, such as Layer 2 tunneling
protocol (L2TP) VPN, IP security (IPsec) VPN, generic routing encapsulation (GRE)
VPN, dynamic VPN, and multi-protocol label switching (MPLS) VPN, as well as
hardware encryption, and allows users to build various VPNs, like Internet, Intranet,
and remote access VPNs using customized remote-user access approaches, such as
ADSL dial-up, virtual LAN (VLAN), and tunneling.
It provides basic routing features, including routing information protocol (RIP), open
shortest path first (OSPF), border gateway protocol (BGP), routing policy and policy
routing, and also provides abundant QoS (quality of service) features, such as traffic
policing, traffic shaping and queue scheduling.
It supports deeper application recognition (DAR) to recognize and classify packets
more deeply, enhancing the control over data flows.
It supports active/standby switchover to protect current services against interruption,
eliminating the defects of traditional networking solutions such as the VRRP
networking solution.
You can upgrade the application and Boot ROM programs online to add features and
extend functions.
It supports the branch intelligent management system (BIMS) feature to automatically
upgrade the configuration file and application programs, and the VPN manager
function to configure and deploy VPNs.
It supports the SNMP v3 protocol to offer powerful device management functions.
With the national and international standards dominant in China, North America, Europe,
Australia and Japan taken into consideration in its design, the firewall complies with the
requirements of these countries and regions in electromagnetic compatibility (EMC),
safety, and network access.
1.2 Hardware Features
1.2.1 Appearance
Figure 1-1 Front panel of the H3C SecPath F1000-S firewall
Figure 1-2 Rear panel of the H3C SecPath F1000-S firewall
1.2.2 System Description
Table 1-1 Technical specifications of the H3C SecPath F1000-S firewall
Item | Description
MIM slot | Two
Fixed interface | Two 10/100/1000 Mbps Ethernet interfaces (applicable to both optical and electrical modes); two 10/100/1000 Mbps Ethernet electrical interfaces; one auxiliary port (AUX); one console port (CON)
Boot ROM | 512 KB
DDR SDRAM | Default: 512 MB; Max: 1 GB
Flash memory | Default: 16 MB; Max: 32 MB
Physical dimensions (H × W × D) | 44 × 436 × 430 mm (1.7 × 17.2 × 16.9 in.), excluding the rubber feet
Input power (AC+AC) | Rated voltage range: 100 VAC to 240 VAC, 50 Hz or 60 Hz; Max voltage range: 90 VAC to 264 VAC, 50 Hz or 60 Hz; Rated current: 1.5 A
Max power consumption | 100 W
Operating temperature | 0°C to 40°C (32°F to 104°F)
Operating humidity (noncondensing) | 10% to 90%
Note:
Synchronous dynamic random access memory (SDRAM) stores the communication
data with the CPU and running system.
Flash memory stores application files, exceptional information and configuration files.
Boot read only memory (Boot ROM) stores the bootstrap program files.
1.2.3 LEDs
Table 1-2 describes the LEDs on the front panel of the H3C SecPath F1000-S firewall
and describes how to read their state.
Table 1-2 LEDs on the front panel of the H3C SecPath F1000-S firewall
LED | Description
PWR0 | Power supply unit (PSU) LED: OFF means the PWR0 is not supplying power to the device; ON means the PWR0 is supplying power to the device.
PWR1 | PSU LED: OFF means the PWR1 is not supplying power to the device; ON means the PWR1 is supplying power to the device.
SYS | System operating state LED: ON means the system is operating normally; OFF means the system is operating abnormally.
ACT | Software running LED: Blinking means the software is operating normally; OFF means the software is faulty.
LINK | GE interface LED: ON means a link is present; OFF means no link is present.
ACTIVE | GE interface LED: Blinking means packets are being transmitted/received on the interface; OFF means no packets are being transmitted/received on the interface.
1.2.4 Attributes of the Fixed Interfaces
I. Console port (CON)
Table 1-3 Attributes of the console port
Attribute | Description
Connector | RJ-45
Standard | RS-232
Baud rate | 1200 bps to 115200 bps, defaults to 9600 bps
Services | Connected to an ASCII terminal; connected to the serial interface of a local PC running terminal emulation software; command line interface (CLI)
II. Auxiliary port (AUX)
Table 1-4 Attributes of the AUX port
Attribute | Description
Connector | RJ-45
Standard | RS-232
Baud rate | 1200 bps to 115200 bps
Services | Modem dial-up; backup
III. Gigabit Ethernet (GE) Interface
The H3C SecPath F1000-S firewall provides four fixed 10/100/1000 Mbps
auto-sensing interfaces (with two electrical interfaces and two applicable to both optical
and electrical modes). The electrical interface uses the RJ-45 connector and the optical
interface uses the small form-factor pluggable (SFP) connector.
Five 1000Base-FX SFP optical transceiver options are available for the H3C SecPath
F1000-S firewall:
- Multimode short-haul (850 nm)
- Single mode medium-haul (1310 nm)
- Single mode long-haul (1310 nm)
- Single mode long-haul (1550 nm)
- Single mode ultra-long haul (1550 nm)
They all provide LC interfaces and are hot swappable.
Table 1-5 shows the Ethernet interface attributes of the H3C SecPath F1000-S firewall.
Table 1-5 Attributes of the GE electrical interfaces
Attribute | Description
Connector | RJ-45
Interface type | auto-MDI/MDIX
Frame format | Ethernet_II; Ethernet_SNAP
Operating mode | 10/100/1000 Mbps auto-sensing; full/half duplex (1000 Mbps and half duplex cannot be used at the same time)
Table 1-6 Attributes of the GE optical interfaces
Attribute | Multimode short-haul (850 nm) | Single mode medium-haul (1310 nm) | Long-haul (1310 nm) | Long-haul (1550 nm) | Ultra-long haul (1550 nm)
Connector | SFP/LC (all transceiver types)
Optical fiber | 62.5/125 μm multimode fiber | 9/125 μm single mode fiber | 9/125 μm single mode fiber | 9/125 μm single mode fiber | 9/125 μm single mode fiber
Max transmission distance | 0.55 km (0.34 mi) | 10 km (6.21 mi) | 40 km (24.86 mi) | 40 km (24.86 mi) | 70 km (43.5 mi)
Central wavelength | 850 nm | 1310 nm | 1310 nm | 1550 nm | 1550 nm
Transmitter optical power, Min | –9.5 dBm | –9 dBm | –2 dBm | –4 dBm | –4 dBm
Transmitter optical power, Max | 0 dBm | –3 dBm | 5 dBm | 1 dBm | 2 dBm
Receiver sensitivity | –17 dBm | –20 dBm | –23 dBm | –21 dBm | –22 dBm
Operating mode | 1000 Mbps; full duplex (all transceiver types)
Frame format | Ethernet_II; Ethernet_SNAP (all transceiver types)
Note:
• When using optical transceivers, select those that have been approved by our company.
• Before performing switchover between electrical/optical interfaces, you need to first disable the rate and duplex mode configurations in the current mode (electrical or optical), and then configure the interface after the switchover.
1.2.5 MIMs
The H3C SecPath F1000-S firewall provides two MIM (multifunctional interface module)
expansion slots, which can hold these types of MIMs:
• 1-port 10Base-T/100Base-TX fast Ethernet interface module (1FE)
• 2-port 10Base-T/100Base-TX fast Ethernet interface module (2FE)
• 4-port 10Base-T/100Base-TX fast Ethernet interface module (4FE)
• 1-port 10Base-T/100Base-TX/1000Base-T Ethernet interface module (1GBE)
• 2-port 10Base-T/100Base-TX/1000Base-T Ethernet interface module (2GBE)
• 1-port 1000Base-LX/1000Base-SX optical interface module (1GEF)
• 2-port 1000Base-LX/1000Base-SX optical interface module (2GEF)
• Security socket layer encryption module (SSL)
For more information on the MIMs, see Chapter 8 “Multifunctional Interface Modules”.
Chapter 2 Preparation for Installation
2.1 Site Requirements
The H3C SecPath Series Firewalls must be used indoors. To guarantee the normal
operation and long service life of your firewall, install it in an environment that can meet
the requirements in the following sections.
2.1.1 Temperature/Humidity
The equipment room must maintain adequate temperature and humidity. Long-lasting
high humidity is prone to cause poor insulation and even electricity creepage, and can
sometimes change the mechanical properties of materials and cause rust and
corrosion of some metal parts. If the relative humidity is too low, the captive screws
can become loose due to insulation washer contraction. Meanwhile, static electricity is
likely to be produced in dry environments, jeopardizing the CMOS circuits of the
product. The higher the temperature is, the greater the damage to your device.
Long-lasting high temperature can speed up the aging of the insulation materials,
greatly lower the device reliability, and hence significantly shorten its service life.
Table 2-1 lists the temperature and humidity requirements.
Table 2-1 Temperature/humidity requirements in the equipment room
Temperature | Relative humidity
0°C to 40°C (32°F to 104°F) | 10% to 90% (noncondensing)
2.1.2 Cleanliness
Dust is a hazard to the operating safety of your device. The dust accumulated on the
chassis can cause electrostatic adsorption, one of the sources that cause the poor
contact of connectors or metal contact points. This not only shortens the service life of
your device but also causes communications failures. When the indoor relative
humidity is low, electrostatic adsorption is more likely to happen.
The equipment room must be free of explosion hazards and of electrically and
magnetically conductive dust as well. The contents of the dust must be limited to the
values shown in Table 2-2.
Table 2-2 Dust limit in the equipment room
Substance | Unit | Content
Dust | Particles/m³ | ≤ 3 × 10⁴ (No visible dust on the table top for three days)
Note: Diameter of a dust particle ≥ 5 μm
Besides the dust, there are rigorous limits on the harmful gases that can accelerate the
erosion and aging of metals, such as salts, acids, and sulfides, as shown in Table 2-3.
Table 2-3 Limit of harmful gases in the equipment room
Gas | Maximum (mg/m³)
SO2 | 0.2
H2S | 0.006
NH3 | 0.05
Cl2 | 0.01
2.1.3 ESD Prevention
Although the H3C SecPath Series Firewall is designed to be electrostatic discharge
(ESD) preventive, the card circuits and even the device can be badly damaged when
excessive static electricity is present.
On the communication network connected to your device, the static electricity mainly
comes from the outside electric fields, such as outdoor high-voltage power cables and
lightning, and from the indoor environments, floor materials and the internal system
such as the equipment frame. To prevent damage, observe the following:
• Connect your device to the earth ground properly.
• Keep the equipment room as clean as possible.
• Maintain adequate temperature and humidity.
• Wear an ESD-preventive wrist strap and clothes when handling the circuit board.
• Place the removed circuit board upward on the ESD-preventive workbench, or into
a static shielding bag.
• Hold the circuit board by its edge when observing or moving it, avoiding direct
contact with the elements on it.
2.1.4 Electromagnetic Environment
All interference sources, wherever they are from, impact the firewall negatively in the
conduction patterns of capacitance coupling, inductance coupling,
electromagnetic wave radiation, and common impedance (including the grounding
system) coupling. To resist the interference, make sure to
• Take effective measures against the interference caused by the power supply grid.
• Use a grounding system or lightning protection grounding different from that for
the power supply equipment and keep them as far apart as possible.
• Keep the device far from strong power radio launchers, radar launchers, and
high-frequency and high-current equipment.
• Use electromagnetic shielding when necessary.
2.1.5 Lightning Protection
Although the H3C SecPath Series Firewall is designed to be lightning resistant, your
device can get damaged when excessive lightning is present. To protect your device
against lightning,
• Ensure the chassis is connected to the earth ground.
• Ensure the ground point of the power socket is well connected to the earth ground.
• Add a lightning arrester onto the front end of the power input to better protect the
power supply from lightning strikes.
2.1.6 Mounting Rack
When installing the device in a rack, make sure that
• There is adequate clearance between the air inlet/exhaust vents and the rack for
ventilation.
• The rack has a good ventilation system.
• The rack is firm enough to support the device and its accessories.
• The rack is well grounded.
2.2 Safety Precautions
Be sure that you observe all safety precautions when you install your firewall and pay
adequate attention to the following icons:
Warning appears in operation procedures that, if performed incorrectly, might
cause bodily injury to the operators or damage the device.
Caution means care should be taken in these operations during installation and
use. Improper operations may result in abnormal running of the device.
Follow these safety precautions when installing or using your firewall:
• Keep the device away from moisture and heat sources.
• Make sure that the device is well grounded.
• Always wear an ESD-preventive wrist strap when installing and maintaining the
firewall, making sure the strap has good skin contact.
• Do not hot-swap the console cable and auxiliary cable.
• Do not look directly into the fiber Tx port or the optical connector connected to it.
• You are recommended to use an uninterruptible power supply (UPS) for the firewall.
2.3 Unpacking and Inspection
Check the arrived shipment against the packing list, making sure all the items are
included and in good condition. Contact your agent for shortage or wrong delivery.
2.4 Tools, Meters, and Devices
I. Tools
• Phillips screwdriver
• Flat-blade screwdriver
• ESD-preventive wrist strap
• Static shielding bag
II. Cables
• Grounding wire and power cord
• Console cable
• Optional cables
III. Meters and devices
• HUB or LAN switch
• Console terminal (or PC)
• Optional interface module-related device
• Multimeter
Note:
The installation tools, meters and devices are not shipped with the firewall.
Chapter 3 Hardware Installation
3.1 Installation Procedure
Figure 3-1 Installation procedure (flowchart): Start → Install the cabinet (optional) → Install the device at the specified place → Connect the grounding wires → Connect the power cord → Connect the console terminal to device → Verify the installation → Power up the device → Normal? If YES: Power down the device and remove the power cord → Install MIM (optional) → Connect the Ethernet interface → Verify the installation → Connect the power cord/power up the device → End. If NO: Troubleshooting → Power down the device.
Caution:
Before you install your device, make sure that:
• You have read Chapter 2 “Preparation for Installation” carefully.
• The requirements in Chapter 2 are satisfied.
3.2 Mounting the Device
You can install your device on a workbench/tabletop or in a rack.
3.2.1 Freestanding the Device
If a standard 19-inch rack is unavailable, you can place the firewall on a clean
workbench/tabletop. To prevent any damage, observe the following:
• Ensure the table is stable and well grounded.
• Reserve a clearance of 10 cm (3.9 in.) around the device for adequate
ventilation.
• Do not place heavy objects on the device.
3.2.2 Rack-Mounting the Device
The H3C SecPath Series Firewall can be placed in a standard 19-inch rack. Table 3-1
shows its dimensions.
Table 3-1 Dimensions of the H3C SecPath F1000-S firewall
Model | Dimensions (H × W × D)
H3C SecPath F1000-S firewall | 44 × 436 × 430 mm (1.7 × 17.2 × 16.9 in.), excluding the rubber feet
Follow these steps to install the H3C SecPath F1000-S firewall:
Step 1: Check that the rack is stable enough and properly grounded. Attach the
mounting ears to the front or rear of the chassis with screws.
Step 2: Place the device on a shelf in the rack and slide it to a proper position along the
guide rails, reserving a suitable clearance between the device and the guide rails.
Step 3: Fix the brackets to the rack posts with suitable antirust pan-head screws,
making sure that the device is securely fixed.
(1) Pan-head screws (four) (2) Mounting ear (3) Guide rail
Figure 3-2 Install the firewall in a rack
3.3 Installing an MIM
For details about installing MIMs, see Chapter 8 “Multifunctional Interface Modules”.
3.4 Connecting the Grounding Wires
Caution:
When installing or using your firewall, properly connect the grounding wire for lightning
protection and anti-interference.
The H3C SecPath Series Firewall provides a grounding screw, which must be
connected to the earth ground properly to safely channel the faradic current and
leakage electricity to the ground and make the device less susceptible to
electromagnetic interference (EMI).
On the rear panel of the firewall, the grounding screw resides at the bottom right with a
grounding mark, as shown in Figure 3-3.
(1) Grounding screw
Figure 3-3 Grounding screw on the firewall
Connect this screw to the earth ground using a grounding wire. The grounding
resistance must be less than 5 ohms. If the device is mounted in a standard 19-inch
rack, the rack must be grounded.
Caution:
Lightning strikes can damage your device and the connected device as well. For
secure lightning protection, make sure that the firewall has a good ground connection
when it is operating.
3.5 Connecting to the Console Terminal
I. Console port
On the H3C SecPath Series Firewall, one RS-232 asynchronous serial console port is
available for you to configure the device. For the attributes of the console port, refer to
section 1.2.4 “Attributes of the Fixed Interfaces”.
II. Console cable
The console cable is an 8-wire shielded cable. At one end of the cable is an RJ-45
connector to the console port on the firewall; at the other end is a DB9 (female)
connector to the serial interface of the console terminal.
Figure 3-4 illustrates a console cable.
Figure 3-4 Console cable assembly
III. Connecting the console cable
When configuring the firewall through a console terminal, follow these steps to connect
the console cable:
Step 1: Select a console terminal.
The console terminal can be either a standard ASCII terminal with an RS-232 serial
interface, or more commonly, a PC.
Step 2: Power down the firewall and the console terminal; connect the RS-232 serial
interface on the console terminal to the console port on the firewall through the console
cable.
Step 3: Verify the connection and power up the devices.
The console terminal shows the startup information of the firewall if the connection is
correct. For details, see Chapter 4 “Booting and Configuration”.
3.6 Connecting the Ethernet Interface
I. Introduction to the Ethernet interface
The H3C SecPath F1000-S firewall provides four fixed 10/100/1000 Mbps
auto-sensing interfaces (with two electrical interfaces and two applicable to both optical
and electrical modes). For optical interfaces, SFP transceivers are used. For the
available SFP transceiver options, see Table 1-6.
II. Ethernet cable
Electric and optical Ethernet interfaces use different Ethernet cables for connection.
1) Cables for electric Ethernet interfaces
For an electric Ethernet interface, you can use a category-5 twisted-pair cable
(straight-through or crossover), as shown in Figure 3-5.
Figure 3-5 Ethernet cable assembly
Note:
In making network cables, shielded cables are preferred for the sake of
electromagnetic compatibility.
2) Cables for optical Ethernet interfaces
For an optical Ethernet interface, you can choose the appropriate fiber cable, single
mode or multimode, depending on the 1000Base-FX SFP optical transceiver you are
using (see Table 1-6 for fiber options). Because all the available optical transceivers
use LC optical connectors, you must use the fiber cable with LC fiber connectors. All
the optical transceivers are hot-swappable.
Note:
A fiber connector, as defined by the International Telecommunications Union (ITU), is a
passive component that connects two or more fiber cable segments stably but not
permanently. Fiber connectors are indispensable to an optical communication system,
making it possible to connect and disconnect optical channels.
Following are several fiber connector types:
• FC: A round optical connector with screw threads
• ST: A round plug-in optical connector
• SC: A square optical connector
• MT-RJ: A square optical transceiver
• LC: A compact optical connector developed by Lucent
Note:
The fiber cable selection depends on the SFP module. You must specify the desired SFP
modules when you purchase a firewall. Otherwise, the fiber cable is not provided.
III. Connecting an Ethernet cable
Take the fixed 10/100/1000 Mbps Ethernet 0/1 port on the front panel of the H3C
SecPath F1000-S firewall for example. Follow these steps to connect its Ethernet
cable:
Caution:
For each fixed Ethernet interface (for example, 10/100/1000 Mbps Ethernet 0/1 on the
H3C SecPath F1000-S firewall), if both of its electric and optical ports are connected,
the electric port is regarded as the operating port by default.
1) Connect the Ethernet electric port
Caution:
Read the mark above the port carefully, making sure it is the correct port.
Step 1: Connect one end of the Ethernet cable to the electric port of the 10/100/1000
Mbps Ethernet 0/1 and the other end to the peer device.
Step 2: Check the state of the LINK LED for the Ethernet 0/1 interface. ON means the
Rx link is present. OFF means no Rx link is present; check the line for the cause.
2) Connect the optical Ethernet port
Caution:
In connecting the fiber cable, observe the following:
• Do not over-bend the fiber cable. Its curvature radius must be no less than 10 cm
(3.9 in.).
• Ensure that the Tx and Rx ends are correctly connected.
• Ensure that the fiber ends are clean.
Caution:
Laser danger: never look into the optical ports that are connected to the laser. It can
harm your eyes.
Step 1: Correctly connect one end of a fiber-optic cable to the Rx port of the
10/100/1000 Mbps interface on the firewall and the other end to the Tx port on the peer
device. Connect another fiber-optic cable between the Tx port on the firewall and the
Rx port on the peer device.
Step 2: Power up the firewall and check the state of the LINK LED of the Ethernet 0/1
interface. ON means the Rx link is present. OFF means no Rx link is present; check the
line for the cause.
3.7 Connecting a PSU
The H3C SecPath F1000-S firewall is AC-powered.
Note:
If both PSUs are connected, they operate in mutual backup mode.
I. AC-input PSU
AC input: 100 VAC to 240 VAC, 50 Hz or 60 Hz
Figure 3-6 illustrates the power socket on a dual AC power supply firewall.
(1) PWR1 switch (2) PWR0 switch
(3) AC-input PWR1 (4) AC-input PWR0
Figure 3-6 Power socket on a dual AC power supply firewall
II. Recommended power socket
You are recommended to use a single-phase three-terminal socket with a ground
contact, which must be properly grounded. The building ground system is often buried
during the wiring engineering. Make sure that the building ground system is normal
before connecting the AC power cord.
III. Connecting an AC-input PSU
Take the H3C SecPath F1000-S firewall for example.
Step 1: Make sure that the grounding screw on the chassis is securely connected to the
earth ground.
Step 2: Make sure that the power switches are placed in the OFF position. Connect one
end of an AC power cord provided with the device to the socket of AC-input PWR0 on
the left-rear of the chassis and the other end to the AC site power.
Step 3: Repeat Step 2 to connect the PWR1. (Skip this step if you use only one PSU.)
Step 4: Place the PWR0 switch to the ON position.
Step 5: Place the PWR1 switch to the ON position. (Skip this step if you use only one
power switch.)
Step 6: Check that the PWR0 and PWR1 LEDs on the front panel light. ON means the
power connections are correct.
Step 7: Check that the SYS LED on the front panel is ON. ON means the hardware
system is working well.
3.8 Verifying Installation
Each time you power up the device during the installation, verify that
• The device has adequate clearance around it for heat dissipation and the
workbench/table/rack is stable enough.
• The proper power supply is used.
• The grounding wire is correctly connected.
• The device is correctly connected to other devices, such as a console terminal.
Note:
Installation verification is extremely important, because the operations of the firewall
depend on its stability, grounding, and power supply.
Chapter 4 Booting and Configuration
4.1 Booting
You can configure the H3C SecPath Series Firewall only through the console port when
you use it for the first time.
4.1.1 Setting up a Configuration Environment
I. Connecting the device to a console terminal
Connect the RJ-45 connector of the console cable to the console port on the firewall
and the DB9 connector to the serial interface on the console terminal, as shown in
Figure 4-1.
Figure 4-1 Local configuration through the console port
II. Setting terminal parameters
Step 1: Start the console terminal and create a new connection.
When you perform the configuration on a PC, a terminal emulation program, such as the
Windows 3.1 Terminal or the HyperTerminal of Windows 95/Windows 98/Windows NT, is
needed for the connection. Enter the name of the new connection and click <OK>. See
Figure 4-2.
Figure 4-2 Create a new connection
Step 2: Set the terminal parameters.
Set the HyperTerminal parameters of Windows98 as follows:
1) Select serial interface
Select the serial interface to be used from the Connect Using drop-down list as shown
in Figure 4-3. The serial interface selected here must be the one connected to the
console cable.
Figure 4-3 Select serial interface
2) Set the serial interface
The [Port Settings] tab appears as shown in Figure 4-4. Set the serial interface
parameters as follows:
• Bits per second = 9600
• Data bits = 8
• Parity = None
• Stop bits = 1
• Flow control = None
Click <OK> and the HyperTerminal window appears.
Figure 4-4 Set port parameters
3) Select emulation type
Choose [Properties/Settings] to enter the corresponding page and select the emulation
as VT100 or Auto detect. Click <OK> and the HyperTerminal window appears.
Figure 4-5 Select emulation type
4.1.2 Powering up the Firewall
I. Checking before power-up
Before powering up the firewall, check that
• Both the power cord and the grounding wire are correctly connected.
• Proper power supply is used.
• The console cable is correctly connected.
• The console terminal (or PC) has been started and the related parameters have
been set on it.
Caution:
Locate the emergency power-off switch in the room before powering up the firewall.
Then, if an accident occurs, you can quickly shut off the power.
II. Powering up the firewall
• Turn on the switch of the site power.
• Place the power switch(es) on the device into the ON position.
III. Checking/operating after power-up
After powering up the firewall, check that
• The ventilation system is operating well.
After powering up the firewall, you can hear the sound of the fan blade spinning, and
feel the airflow when you put your hands close to the air vents.
• The LEDs on the front panel of the chassis are in normal state.
See the section 1.2.3 “LEDs” for more information on LED state.
• The console terminal display is correct.
After powering up the firewall, you can see the startup interface on the console terminal
(see section 4.1.3 “Booting Process”). After the system passes Power-On Self-Test
(POST), press <Enter> as prompted. When “<H3C>” is displayed, you can proceed to
configure the firewall.
4.1.3 Booting Process
After being powered up, the firewall first runs the Boot ROM program. The terminal
screen displays the following system message:
Note:
The message displayed on the terminal may vary with Boot ROM versions.
**************************************************
* *
* H3C SecPath Series Gateway Boot ROM V1.17 *
* *
**************************************************
Copyright(C) 2004-2007 by Hangzhou H3C Technologies Co.,Ltd.
Compiled at Wed Apr 12 17:39:36 CST 2006
Testing memory...OK!
512M bytes DDR SDRAM Memory
16M bytes Flash Memory
Hardware Version is 2.0
CPLD Version is 1.0
Press Ctrl-B to enter Boot Menu
Press <Ctrl+B> to enter the Boot menu. Otherwise, the system starts decompressing
the program.
Note:
To enter the Boot menu, you must press <Ctrl+B> within three seconds after the prompt
“Press Ctrl-B to Enter Boot Menu…” appears.
The system starts decompression and initialization, and displays this message:
System is starting...
Number 1 memory block start from address 0x23000000 ,length 0xd000000
User interface Con 0 is available.
Press ENTER to get started
Press <Enter>. The system displays (if login authentication is not enabled)
<H3C>
The prompt indicates that the firewall enters user view and is ready for your
configuration.
4.2 Configuration Fundamentals
4.2.1 Basic Configuration Procedure
Following are the basic steps that you can follow to configure the firewall:
Step 1: Figure out detailed networking requirements, including networking objectives,
the role of the firewall in the network, transmission medium, security policy, and
network reliability.
Step 2: Draw a network topology based on the requirements.
Step 3: Configure IP addresses of the interfaces on the firewall.
Step 4: Configure routes, and if a dynamic routing protocol is enabled, the parameters
related to the protocol.
Step 5: Configure security settings as required.
Step 6: Configure reliability settings as required.
For more information on the configuration of protocols and functions for the firewall, see
H3C SecPath Series Security Products Operation Manual .
4.2.2 Command Line Interface
I. Features of the CLI
The CLI of the firewall offers many configuration commands for you to configure and
manage the firewall. The CLI allows you to
• Configure the device locally through the console port.
• Use Telnet to access and manage the local and remote devices.
• Get online help whenever you enter <?>.
• Test network connectivity quickly with network diagnostic tools, such as tracert
and ping.
• Obtain detailed debugging information for network troubleshooting.
• Enter a command by entering only the conflict-free keyword portion, because the
CLI interpreter supports fuzzy keyword search. For example, you simply need to
enter dis for the display command.
II. CLI
In system view, all the commands are put into several groups for the convenience of
management, each being associated with a view. You can switch between the views by
executing the proper commands. In normal circumstances, you can only execute the
commands appropriate to the view that you access. However, you are allowed to
execute in any view some commands in common use, such as ping, display, and
current-configuration.
Chapter 5 Software Maintenance
5.1 Introduction
The firewall maintains three types of files:
• Boot ROM program files
• Application program files
• Configuration files
The software maintenance mainly involves upgrading/downloading Boot
ROM/application program files and uploading/downloading configuration files.
5.1.1 Boot Menu
This section introduces the Boot menu that you use in maintaining the software of the
firewall.
Set up a configuration environment as shown in Figure 4-1 and then boot the firewall.
Press <Ctrl+B> when the system prompts “Press Ctrl-B to enter Boot Menu…”. The
system displays this message:
Please input Boot ROM password :
Caution:
• Press <Ctrl+B> within three seconds after the prompt “Press Ctrl-B to Enter Boot
Menu...” appears to access the Boot menu. Otherwise, the system starts
decompressing the program.
• If you want to access the Boot menu after the system starts decompressing the
program, you need to reboot the firewall.
Type the correct password and press <Enter> (if no Boot ROM password is configured,
just press <Enter>). The system accesses the Boot menu.
I. Boot menu of the H3C SecPath F1000-S firewall
Boot Menu:
1: Download application program with XMODEM
2: Download application program with NET
3: Display file in flash
4: Delete file from flash
5: Start up and ignore configuration
6: Enter debugging environment
7: Boot Rom Operation Menu
8: Do not check the version of the software
9: Exit and reboot
Enter your choice(1-9):
If option 8 is selected, the system ignores the software versions of the Boot ROM
program, its extended segment, and application program for backward compatibility. If
you fail to upgrade the software because the system decides that you are using an
“invalid version” even when the correct version is used, you can use option 8 to
skip the version check during a software upgrade. Note that this option takes effect only
once when you select it. The system resumes the version check after you reboot the
firewall.
II. Boot ROM submenu of the H3C SecPath F1000-S firewall
You can select 7 in the Boot menu to enter the Boot ROM submenu as follows:
Boot ROM Operation Menu:
1: Download Boot ROM with XModem
2: Download Extended Segment of Boot ROM with XModem
3: Restore Extended Segment of Boot ROM from FLASH
4: Backup Extended Segment of Boot ROM to FLASH
5: Exit to Main Menu
Enter your choice(1-5):
The menu provides approaches to Boot ROM upgrade, backup, and restoration. See
section 5.1.2 “Upgrading the Application and Boot ROM Programs Using XModem”
and section 5.1.3 “Backing up and Restoring the Extended Segment of the Boot ROM”
for the procedures.
Caution:
You are recommended to upgrade the software of the firewall under the guidance of
technical support personnel. In addition, when upgrading the firewall, make sure the
version of the Boot ROM software is consistent with that of the application program.
5.1.2 Upgrading the Application and Boot ROM Programs Using XModem
You can use the console port to upgrade the software using XModem without setting up
a configuration environment.
I. Upgrading the application program
Step 1: Enter the Boot menu and enter 1 to download an application program using
XModem. The firewall supports the following download speeds:
Downloading application program from serial ...
Please choose your download speed:
1: 9600 bps
2: 19200 bps
3: 38400 bps
4: 57600 bps
5: 115200 bps
6: Exit to Main Menu
Enter your choice(1-6):
Step 2: Choose an appropriate download speed (for example, 115200 bps by entering
5). The following message appears:
Download speed is 115200 bps. Change the terminal's speed to 115200 bps, and
select XModem protocol. Press ENTER key when ready.
Step 3: Change your terminal’s baud rate (see Figure 4-4) to the same baud rate for
software downloading (115200 bps in this example). After that, disconnect the terminal
([Dial-in/Disconnect]), reconnect it ([Dial-in/Dialing]), and press <Enter> to start
downloading. The system displays this message:
Downloading ... CCCCC
Note:
The new baud rate takes effect only after you reconnect the terminal emulation
program.
Step 4: Select [Transmit/Send File] in the terminal window. The following dialog box
pops up:
Figure 5-1 Send File dialog box
Step 5: Click <Browse>. Select the application file to be downloaded and set protocol to
XModem. Click <Send>. The following dialog box pops up:
Figure 5-2 Sending File interface
Step 6: After completing the downloading, the system begins writing data to the Flash,
and then displays the following message in the terminal window, indicating the
completion of the downloading:
XModem download completed, Packet length 8790321 bytes.
System file length 7868992 bytes, http.zip file length 921329 bytes.
Writing file flash:/system to FLASH...
Please wait, it may take a long time
################################################
Writing into Flash Succeeds.
Writing file flash:/http.zip to FLASH...
Please wait, it may take a long time
##########################################################################
######
#########
Writing into Flash Succeeds.
Please use 9600 bps.Press <ENTER> key to reboot the system.
Restore the speed of the console terminal to 9600 bps as prompted, disconnect and
reconnect the terminal. The system starts up normally.
II. Upgrading the Boot ROM program
Step 1: Enter the Boot menu and select 7 to enter the Boot ROM operation menu.
Step 2: Enter 1 in the Boot ROM operation menu to download the Boot ROM program
using XModem. Several speed options are available for you. The subsequent steps are
the same as those described in section
5.1.2 I. “Upgrading the application program”.
Caution:
You cannot restore the Boot ROM program on site if you fail to upgrade the entire Boot
ROM program. Therefore, you must not upgrade the entire Boot ROM program unless
necessary and do it under the direction of technical support personnel.
III. Upgrading the extended segment of the Boot ROM program
Step 1: Enter the Boot menu and select 7 to enter the Boot ROM operation menu.
Step 2: Select 2 in the Boot ROM operation menu to upgrade the extended segment of
the Boot ROM using XModem. Several speed options are available for you. The
subsequent steps are the same as those described in section
5.1.2 I. “Upgrading the application program”.
Caution:
This upgrade approach is only used to upgrade a portion of the Boot ROM program, so
you can make a second attempt if errors occur.
5.1.3 Backing up and Restoring the Extended Segment of the Boot ROM program
I. Backing up the extended segment to the Flash
Follow these steps to back up the extended segment of the Boot ROM:
Step 1: Enter the Boot menu and select 7 to enter the Boot ROM operation menu.
Step 2: Select 4 in the operation menu to copy the current extended segment of the
Boot ROM to the Flash.
Backup Extended Segment, are you sure?[Y/N]
Enter Y. The system starts backing up the extended segment.
If the backup is successful, the following message appears:
Writing to FLASH.Please wait...####
Backuping Boot ROM program to FLASH successed!
Step 3: When the Boot ROM operation menu appears again, select 5 to exit and reboot
the firewall.
II. Restoring the extended segment from the Flash
If faults occur to the extended segment of the Boot ROM or you upgrade it wrongly, you
can restore the extended segment of the Boot ROM from the Flash to the Boot ROM by
completing these steps:
Step 1: Enter the Boot menu and select 7 to enter the Boot ROM operation menu.
Step 2: Select 3 in the operation menu to restore the extended segment of the Boot
ROM from the Flash.
Restore Extended Segment, are you sure?[Y/N]
Enter Y. The system starts restoring the extended segment.
If the operation is successful, the system displays this message:
Writing to Boot ROM.Please wait...######
Restoring Boot ROM program successed!
Step 3: When the Boot submenu appears again, select 5 to exit and reboot the firewall.
5.1.4 Upgrading an Application Program Using TFTP
Upgrading an application program over the network means downloading it through
an Ethernet interface. In this approach, the firewall is the client and must be
connected to the TFTP server through one of its fixed Ethernet interfaces.
Caution:
The H3C SecPath Series Firewall does not provide TFTP server programs. You should
purchase and install one by yourself.
The H3C SecPath F1000-S firewall can only act as the TFTP client, so you can only
upgrade an application program using TFTP. The detailed steps are as follows:
1) Start the TFTP server.
Start the TFTP server on the PC connected to the Ethernet interface on the firewall and
set the path to the file to be downloaded.
2) Configure the firewall.
Step 1: Start the firewall and enter the Boot menu. Select 2 to enter the Net Port
Download Menu. The system displays the following message:
Net Port Download Menu:
1: Change Net Parameter
2: Download From Net
3: Exit to Main Menu
Enter your choice(1-3): 1
Step 2: Select 1 to configure the network interface parameters (including the interface
in use and the IP address and subnet mask of the interface) and the TFTP server
parameters (including the IP address of the Ethernet interface on the PC and the file
name of the application program).
Change Download parameter
Download device : ETH0/1
Download file(Max 60 char) : system
IP address of ETH0/1 :192.168.1.15
Subnet mask for ETH0/1 :255.255.255.0
IP address of the server :192.168.1.10
IP address of the gateway :10.110.95.117
Caution:
• The upgrade should be performed through interface ETH0/1 on the firewall.
• The item “IP address of the server: [192.168.1.10]” must be set to the IP address of
the TFTP server connected to the Ethernet interface on the firewall.
• You are recommended to configure the IP address of the Ethernet interface on the
TFTP server and that of the ETH0/1 on the firewall into the same network segment.
Step 3: After you input the last parameter value, the system displays the following
message and then returns to the Net Port download menu:
Saving config, please wait...OK!
Net Port Download Menu:
1: Change Net Parameter
2: Download From Net
3: Exit to Main Menu
Enter your choice(1-3): 2
3) Select 2 to download the application program using TFTP. The system displays
the following message:
Starting the TFTP download...
..........................................................................
.......................
TFTP download completed, Packet length 8790321 bytes.
System file length 7868992 bytes, http.zip file length 921329 bytes.
Writing file flash:/system to FLASH...
Please wait, it may take a long time
####################################################################
Writing into Flash Succeeds.
Writing file flash:/http.zip to FLASH...
Please wait, it may take a long time
##########################################################################
######
#########
Writing into Flash Succeeds.
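A check for the completion messages in section 5.1.2 (Step 6) and in the TFTP output above, as an added example that is not part of the H3C manual: it parses a captured console session and confirms that the transfer finished, that each flash write was acknowledged, and that the reported lengths are consistent. The function name, the local_size parameter and the rule that the system and http.zip lengths add up to the packet length (true of the sample figures, 7868992 + 921329 = 8790321) are assumptions of this example; the transcript is constructed from the output shown above.

```python
import re

# Constructed from the TFTP console output shown above (progress bars shortened).
SAMPLE_TRANSCRIPT = """\
Starting the TFTP download...
..........................
TFTP download completed, Packet length 8790321 bytes.
System file length 7868992 bytes, http.zip file length 921329 bytes.
Writing file flash:/system to FLASH...
Please wait, it may take a long time
####################################
Writing into Flash Succeeds.
Writing file flash:/http.zip to FLASH...
Please wait, it may take a long time
####################################
Writing into Flash Succeeds.
"""

DONE_RE = re.compile(r"(XModem|TFTP) download completed, Packet length (\d+) bytes")
PARTS_RE = re.compile(
    r"System file length (\d+) bytes, http\.zip file length (\d+) bytes")
WRITE_RE = re.compile(r"Writing file (flash:/\S+) to FLASH")
WRITE_OK = "Writing into Flash Succeeds."


def check_upgrade(transcript, local_size=None):
    """Return {"ok": bool, "written": [...], "findings": [...]}.

    local_size is the size in bytes of the image file on the PC (an
    operator-supplied, hypothetical parameter). When given, it is compared
    with the packet length the firewall reports.
    """
    findings, written, pending = [], [], None

    done = DONE_RE.search(transcript)
    parts = PARTS_RE.search(transcript)
    if done is None:
        findings.append("no 'download completed' line: transfer did not finish")
    else:
        total = int(done.group(2))
        if local_size is not None and local_size != total:
            findings.append(
                f"firewall received {total} bytes, local image is {local_size}")
        if parts is None:
            findings.append("component length line is missing")
        elif int(parts.group(1)) + int(parts.group(2)) != total:
            # Assumption drawn from the sample output, not a documented rule.
            findings.append("system + http.zip lengths differ from packet length")

    # Every "Writing file ..." line needs its own success line before the
    # next write starts or the transcript ends.
    for line in transcript.splitlines():
        started = WRITE_RE.search(line)
        if started:
            if pending:
                findings.append(f"write of {pending} was never confirmed")
            pending = started.group(1)
        elif WRITE_OK in line and pending:
            written.append(pending)
            pending = None
    if pending:
        findings.append(f"write of {pending} was never confirmed")
    if "flash:/system" not in written:
        findings.append("flash:/system was not written")

    return {"ok": not findings, "written": written, "findings": findings}


if __name__ == "__main__":
    result = check_upgrade(SAMPLE_TRANSCRIPT, local_size=8790321)
    print("OK" if result["ok"] else "CHECK FAILED", result["written"])
    for finding in result["findings"]:
        print(" -", finding)
```

Capture the session with the terminal program's logging feature and pass the saved text to check_upgrade before rebooting the firewall.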
5.1.5 Uploading/Downloading a Program/File Using FTP
The H3C SecPath Series Firewall can act as the FTP server. Any FTP clients (local or
remote) connected to the firewall can update configuration files or upgrade
application/Boot ROM programs using FTP. A user can upload/download configuration
files and application programs after passing the authentication. The following
subsections describe the procedures.
Note:
Uploading is to transfer files from an FTP client to the firewall, that is, the put operation.
Downloading is to transfer files from the firewall to an FTP client, that is, the get
operation.
I. Setting up an uploading/downloading environment
• Setting up a local uploading/downloading environment using FTP
[Diagram: PC (FTP client, 10.110.10.13/24) connected over a LAN to the Ethernet interface (10.110.10.10/24) of the H3C SecPath F1000-S (FTP server)]
Figure 5-3 Set up an environment for local uploading/downloading
Step 1: Connect the PC to an Ethernet interface on the firewall.
Step 2: Assign an IP address, 10.110.10.10 for example, to the Ethernet interface on
the firewall.
Step 3: Assign an IP address, 10.110.10.13 for example, to the Ethernet interface on
the PC.
Step 4: Copy the application program/Boot ROM program/configuration file to a
directory, “C:\version” for example.
Caution:
The IP addresses assigned to the network interface of the PC and the firewall must
reside on the same network segment.
• Setting up a remote uploading/downloading environment using FTP
[Diagram: PC (FTP client, 10.110.20.13/24) connected through a router and the WAN to the Ethernet interface (10.110.10.10/24) of the H3C SecPath F1000-S (FTP server)]
Figure 5-4 Set up an environment for remote uploading/downloading
Step 1: Connect the PC to an interface on the firewall through the WAN. The PC and
the firewall can reside on different network segments.
Step 2: Copy the application program/Boot ROM/configuration file to a directory,
“C:\version” for example.
II. Enabling the FTP server
Follow these steps under the direction of service engineers to enable the FTP server:
Step 1: Configure an authentication method.
Note:
You can configure AAA authentication as needed. For more information, see the “AAA
and RADIUS Configurations” part in H3C SecPath Series Security Products Operation
Manual.
Step 2: Add the username and password.
[VPNGateway] local-user VPNGateway
VPNGateway is the username.
Step 3: Add the password.
[VPNGateway-luser-vpngateway] password simple 123
Step 4: Add the service type and specify the FTP directory.
[VPNGateway-luser-vpngateway] service-type ftp ftp-directory flash:
Step 5: Add an authority level.
[VPNGateway-luser-vpngateway] level 3
Step 6: Enable the FTP server.
[VPNGateway] ftp-server enable
After the FTP server is enabled and the user is added onto the firewall, any FTP client
program can use the username and password to log onto the FTP server.
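An audit of the account created in Steps 2 to 6, as an added example that is not part of the H3C manual: it reads the command lines as typed and reports settings that weaken the FTP account. The finding names, the 8-character minimum and the treatment of level 3 as the highest level are assumptions of this example; the session text is constructed from the commands above.

```python
import re

# Command lines as typed in Steps 2-6 above (constructed sample input).
SAMPLE_SESSION = """\
[VPNGateway] local-user VPNGateway
[VPNGateway-luser-vpngateway] password simple 123
[VPNGateway-luser-vpngateway] service-type ftp ftp-directory flash:
[VPNGateway-luser-vpngateway] level 3
[VPNGateway] ftp-server enable
"""

PROMPT_RE = re.compile(r"^\s*(\[[^\]]*\]|<[^>]*>)\s*")  # "[view]" or "<view>"
MIN_PASSWORD_LEN = 8  # hypothetical site policy, not a value from the manual
TOP_LEVEL = 3         # assumption: 3 is the highest local-user level


def parse_session(text):
    """Collect local-user settings and the global FTP server state."""
    users, ftp_enabled, current = {}, False, None
    for raw in text.splitlines():
        words = PROMPT_RE.sub("", raw).split()
        if not words:
            continue
        if words[0] == "local-user" and len(words) >= 2:
            current = users.setdefault(words[1], {
                "password_mode": None, "password": None,
                "services": set(), "ftp_directory": None, "level": None})
        elif words[:2] == ["ftp-server", "enable"]:
            ftp_enabled = True
        elif current is None:
            continue
        elif words[0] == "password" and len(words) >= 3:
            current["password_mode"], current["password"] = words[1], words[2]
        elif words[0] == "service-type":
            args = words[1:]
            if "ftp-directory" in args:
                i = args.index("ftp-directory")
                if i + 1 < len(args):
                    current["ftp_directory"] = args[i + 1]
                args = args[:i]
            current["services"].update(args)
        elif words[0] == "level" and len(words) == 2 and words[1].isdigit():
            current["level"] = int(words[1])
    return users, ftp_enabled


def audit_ftp_setup(text):
    """Return a sorted list of (subject, finding_code) pairs."""
    users, ftp_enabled = parse_session(text)
    findings = []
    if ftp_enabled:
        # FTP carries the username and password unencrypted on the wire.
        findings.append(("global", "FTP_SERVER_ENABLED"))
    for name, user in users.items():
        if user["password_mode"] == "simple":
            # "simple" keeps the password readable in the configuration.
            findings.append((name, "PLAINTEXT_PASSWORD_IN_CONFIG"))
            if len(user["password"]) < MIN_PASSWORD_LEN:
                findings.append((name, "SHORT_PASSWORD"))
        if "ftp" in user["services"]:
            if user["ftp_directory"] in ("flash:", "flash:/"):
                # The flash root holds system, config.cfg and bootrom.
                findings.append((name, "FTP_ROOT_IS_FLASH_ROOT"))
            if user["level"] == TOP_LEVEL:
                findings.append((name, "FTP_USER_AT_TOP_LEVEL"))
    return sorted(findings)


if __name__ == "__main__":
    for subject, code in audit_ftp_setup(SAMPLE_SESSION):
        print(f"{subject}: {code}")
```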
III. Uploading/Downloading an application program/configuration file and
uploading the Boot ROM program
Step 1: In the DOS environment, access the directory containing the application
program/Boot ROM program/configuration files. Execute the ftp command to set up an
FTP connection with the firewall. For example,
C:\version>ftp 10.110.10.10
If the connection is set up, the following message appears (taking Windows98 for
example):
Connected to 10.110.10.10
220 FTP server ready on VPNGateway at
User(10.110.10.10:(none)):
Step 2: Log onto the FTP server using the username and password set on the firewall.
User(10.110.10.10:(none)): VPNGateway
331 Password required for ftp
Password:
230 User ftp logged in
ftp>
The prompt “ftp>” indicates that you can begin uploading/downloading the desired file.
Step 3: Upload/download the application program/configuration file/Boot ROM.
Note:
On the firewall, the default name of the application program is “system”, the
configuration file “config.cfg”, the extended segment of the Boot ROM “bootrom”, and
the entire Boot ROM “bootromfull”.
• Upload the application program/Boot ROM/configuration file.
ftp> put local-file remote-file
Upon the completion of uploading, the prompt “ftp>” appears again. Enter dir to view
the name and size of the uploaded file on the firewall. It has the same size as the
original file on the host if the uploading is successful.
Caution:
• When using FTP to upgrade the application program, make sure that the firewall
has enough flash memory. If the memory is not enough, you need to use the
delete /unreserved command to permanently delete old version files or other files
to save the memory space; otherwise, new files cannot be uploaded.
• The Boot ROM upgrade is not complete after the Boot ROM program is uploaded
using the put command. To complete the upgrade, use the upgrade bootrom [ full ]
command to decompress the bootrom/bootromfull program from the root directory
in the Flash and write it to the Boot ROM.
• After uploading the application program into the flash memory, you need to rename
the program file to “system” to make the program take effect at next startup.
• After uploading configuration files into the flash memory, you need to rename the file
to “config.cfg” to make the files take effect at next startup of the system, or use the
startup saved-configuration command to set the configuration files used for next
startup.
• Download an application program/configuration file.
ftp> get remote-file local-file
Step 4: Upon the completion of the uploading/downloading, quit the FTP client
program.
ftp> quit
IV. Detaching the Web file
When the downloading using FTP is completed, the Web file is included in the
application program. You need to detach it from the application program using the
detach command.
<VPN Gateway> detach system
System file length 7856557 bytes, http file length 834724 bytes.
<VPN Gateway> dir
Directory of flash:/
0 -rw- 8691281 Jun 16 2009 06:46:36 system
1 -rw- 1830 Jun 17 2009 07:47:16 config.cfg
2 -rw- 834724 Jun 18 2009 02:22:39 http.zip
If the Web file is not included, the system gives the corresponding prompt. The Web file
name defaults to http.zip.
5.1.6 Modifying Boot ROM Password
You can use the Boot menu of the firewall to change the Boot ROM password.
Start the firewall. When “System starts booting” appears on the configuration terminal,
press <Ctrl+D>, and then the system prompts:
Please input Boot ROM password :
Caution:
• To enter the Boot menu, you must press <Ctrl+D> within three seconds after the
“System starts booting” prompt appears on the configuration terminal; otherwise,
the system starts decompressing the program.
• You need to restart the firewall if you want to enter the Loader menu after entering
the Boot ROM extended segment.
After entering the correct password, press <Enter> to enter the Boot menu (press
<Enter> directly if the password is not set), and the system displays the information as
follows:
Boot Menu:
1: Download Boot ROM with XModem
2: Download Extended Segment of Boot ROM with XModem
3: Modify Boot ROM password
4: System booting from Flash
5: Do not check the version of Extended Segment of Boot ROM
6: Exit and reboot
Enter your choice(1-6):
The options of the Boot menu are described below:
• 1: Download Boot ROM with XModem
• 2: Upgrade the extended segment of Boot ROM with XModem
• 3: Modify Boot ROM password
• 4: Boot the system from flash (This option requires backing up the extended
segment of Boot ROM in flash; refer to 5.1.3 “Backing up and Restoring the
Extended Segment of the Boot ROM program” for details.)
• 5: Do not check the software version of extended segment of Boot ROM (This
option is used for backward compatibility of version upgrade. When the software
version is correctly adopted for software upgrade, but you still cannot operate
successfully, the system prompts “invalid version”. At this time, select this option to
cancel the version checking for version upgrade. However, this option functions
only once; the version checking is restored after restarting the firewall.)
• 6: Exit from the Loader menu and restart the firewall.
Select 3 in the Boot menu to change the Boot ROM password, and the system prompts:
Modify Boot ROM password, are you sure?[Y/N]y
Please input new password(Max 32 char) :
Retype the new password(Max 32 char) :
Saving the password... Success!
Note:
The password can contain up to 32 characters.
5.1.7 Resetting a Lost Password
Contact the technical support personnel in case of Boot ROM or user password loss.
They can help you access the firewall to set a new password.
Chapter 6 Hardware Maintenance
6.1 Preparing Tools
• Phillips screwdriver
• Flat-blade screwdriver
• ESD-preventive wrist strap
• Static shielding bag
Note:
These tools are not shipped with the firewall, so you need to prepare them yourself.
6.2 Opening the Chassis Cover
Step 1: Power down the firewall and remove the power cords.
Step 2: Remove the interface cables from the front of the chassis, except for the
grounding wire.
Step 3: Place the firewall on a flat table, with the rear panel facing you. Use a Phillips
screwdriver to remove the two captive screws that secure the cover at the rear of the
chassis.
Step 4: Remove the four captive screws that secure the cover at both sides of the
chassis.
Step 5: Raise the cover to such a height that the edge of the cover is separated from the
bottom of the chassis.
Step 6: Pull the cover towards you until the tabs on the edge of the cover are separated
from the front panel. Put the cover away.
(1) Remove the six screws (2) Pull it out towards this direction
Figure 6-1 Open the chassis
Caution:
• Do not replace the hardware unless urgently necessary and do it under the
guidance of technical support personnel.
• There is an anti-dismantle seal on a screw on the chassis. You must keep the seal
intact before your sales representative maintains the firewall. Contact your sales
representative to obtain the permission to open the chassis. The company is not
liable for any damage or consequence resulting from users' operation without
permission.
• Ensure that the firewall is powered off before servicing the device to avoid bodily
injuries and device damage.
• Wear an ESD-preventive wrist strap when servicing the device, making sure it has
good skin contact.
• You must use the DDR SDRAMs provided by H3C Technologies. Otherwise,
anomalies might occur to the device.
6.3 Replacing a DDR SDRAM
Following are the storage media available for the firewall:
• DDR SDRAM: where the programs of the firewall are running.
• Flash memory: stores the programs and configuration files of the firewall.
• Boot ROM: stores the boot and initialization programs of the firewall.
Hardware maintenance mainly involves DDR SDRAM replacement.
Follow this maintenance flow to replace a DDR SDRAM:
Start → Prepare tools → Open the chassis → Locate the DDR SDRAM → Remove the old DDR SDRAM → Install a new DDR SDRAM → Close the chassis → End
Figure 6-2 DDR SDRAM maintenance flow
A DDR SDRAM is a mainboard component that you can expand and replace as needed.
Generally, you need to expand a DDR SDRAM for
• Upgrading the application program.
• Providing an adequate memory size for retaining a large routing table or
processing tasks that consume huge memory resources.
When booting the firewall, you can see the following message:
**************************************************
* *
* H3C SecPath Series Gateway Boot ROM V1.17 *
* *
**************************************************
Copyright(C) 2004-2007 by Hangzhou H3C Technologies Co.,Ltd.
Compiled at Wed Apr 12 17:39:36 CST 2006
Testing memory...OK!
512M bytes DDR SDRAM Memory
16M bytes Flash Memory
Hardware Version is 2.0
CPLD Version is 1.0
Press Ctrl-B to enter Boot Menu
“512M bytes DDR SDRAM” means that a DDR SDRAM of 512M bytes is installed on
the firewall.
Note:
There is a limit on the number of times that you can install a DDR SDRAM in a
memory bank.
6.3.1 Locating the DDR SDRAMs on the Mainboard
When removing/installing a DDR SDRAM, make sure to identify the type of mainboard
and the exact position of the DDR SDRAM. See Table 6-1 for the types of memory used
in the firewall and the configuration.
Table 6-1 Memory specifications
Item                                            Specifications
Memory type                                     DDR SDRAM
Max size of an identifiable memory bank (MB)    512
Expansion limit                                 Expandable to 1 GB
Figure 6-3 shows where the DDR SDRAMs, Flash, and Boot ROM are located on the
mainboard.
Figure 6-3 Position of the DDR SDRAMs, Flash, and Boot ROM on the mainboard
Each DDR SDRAM has one positioning recess at its bottom for correct orientation.
When installing a DDR SDRAM into a memory bank, press the positioning recess into
the pin in the bank.
6.3.2 Removing a DDR SDRAM
Step 1: Locate the DDR SDRAM to be replaced on the mainboard.
Step 2: Press the clips at both sides of the DDR SDRAM bank outward with appropriate
pressure, till the DDR SDRAM ejects from the bank.
Figure 6-4 Remove a DDR SDRAM
Step 3: Hold the DDR SDRAM by its non-conductive edge and take it out of the bank.
Place it in a static shielding bag to avoid ESD damages.
Caution:
• Hold the DDR SDRAM only by its non-conductive edge, because it is prone to ESD
and could be damaged by incorrect operations.
• You need to exercise some strength to pull the DDR SDRAM out of its bank, but do
not overdo it.
• Do not touch the components on the DDR SDRAM with your hands.
• The marks “DDR SDRAM1” and “DDR SDRAM2” in Figure 6-3 do not mean the
DDR SDRAMs are divided into basic and extended DDR SDRAMs; they are
identical.
6.3.3 Installing a DDR SDRAM
Follow these steps to install a DDR SDRAM:
Step 1: Locate the memory bank on the mainboard with reference to Figure 6-3.
Step 2: Hold the DDR SDRAM by its non-conductive top edge and place it in the
desired memory bank.
Step 3: Exercise adequate pressure on the DDR SDRAM to press it into the bank.
Press the clips at both sides of the bank inward until the locking pins at the end of the
clips are engaged with the semicircular recesses at the bottom of the DDR SDRAM.
Repeat the above steps to install other DDR SDRAMs.
6.4 Closing the Chassis Cover
Step 1: Place the firewall on a flat table, with the rear panel facing you.
Step 2: Hold the chassis cover and align the small tabs on the cover with the edges of
the bottom of the chassis.
Step 3: Push the chassis cover and ensure the tabs on the cover and the tabs on the
top of the front panel are engaged.
Step 4: Lower the chassis cover onto the chassis bottom, engaging the tabs on the
cover with the tabs on the top of the side panels.
(1) Insert the cover in this direction (2) Install the six screws at these places
Figure 6-5 Close the chassis cover
Step 5: Tighten the six captive screws that were removed in steps 3 and 4 described in
section 6.2 “Opening the Chassis Cover” to secure the cover to the chassis body.
6.5 Replacing an MIM
For details, see Chapter 8 “Multifunctional Interface Modules”.
Chapter 7 Troubleshooting
7.1 Troubleshooting the Power System
Symptom: The PWR0/PWR1 LED is OFF.
Solution: Check that
• The power switch of the PSU is turned on.
• The power switch of the site power is turned on.
• The power cord is connected correctly.
• Required power supply is used.
Caution:
Do not hot-swap the power cord. Contact your agent if the PWR0/PWR1 LED is still
OFF after you finish the above operations.
7.2 Troubleshooting the Configuration System
If the firewall is operating normally after it is powered up, it displays the start-up
information on the console terminal. If the configuration system has failed, it displays
illegible characters or nothing at all.
I. No information on the terminal
Symptom: The powered-up firewall displays nothing on the console terminal.
Solution:
Step 1: Check that
• The power system is operating normally.
• The console cable is connected correctly.
Step 2: If you cannot locate the problem yet, check the console cable and the terminal
(HyperTerminal for example) parameter settings.
II. Illegible characters on the terminal
Symptom: The powered-up firewall displays illegible characters on the console
terminal.
Solution: Make sure you have set terminal (HyperTerminal) parameters as follows:
• Bits per second = 9600
• Data bits = 8
• Parity = None
• Stop bits = 1
• Flow control = None
• Emulation = VT100
Reconfigure the parameters if their values are different.
7.3 Troubleshooting the Software Upgrade
I. Fault 1
Symptom: When you start the firewall and upgrade the Comware using TFTP, the
system displays this message:
Net Port Download Menu:
1: Change Net Parameter
2: Download From Net
3: Exit to Main Menu
Enter your choice(1-3): 2
Starting the TFTP download...
Failed to connect the tftp server!!
Please check the network setting!!
Solution: Check that
• The TFTP server program is started.
• An Ethernet connection to the TFTP server is present (the IP address is correct
and the network cable is securely connected).
II. Fault 2
Symptom: When you start the firewall and upgrade the Comware using TFTP, the
system displays this message:
Net Port Download Menu:
1: Change Net Parameter
2: Download From Net
3: Exit to Main Menu
Enter your choice(1-3): 2
Starting the TFTP download...
Failed to find the updated file
Please check the network setting!!
Solution: Check that the file to be downloaded exists and you have correctly specified
the directory in the TFTP server.
III. Fault 3
Symptom: When you start the firewall and upgrade the Comware using TFTP, the
system displays this message:
Net Port Download Menu:
1: Change Net Parameter
2: Download From Net
3: Exit to Main Menu
Enter your choice(1-3): 2
Starting the TFTP download...
The downloaded software is not a valid version.
Please download the correct version.
Solution: Check that you are downloading the correct version of software.
Note:
The bar code labels attached to the firewall unit and the smart interface cards (SICs)
contain the information about production and maintenance. Provide the bar code to
your agent when asking the agent to repair the device.
Chapter 8 Multifunctional Interface Modules
8.1 MIM Options
Following are the MIMs available for the H3C SecPath F1000-S firewall:
• 1-port 10Base-T/100Base-TX Fast Ethernet interface module (1FE)
• 2-port 10Base-T/100Base-TX Fast Ethernet interface module (2FE)
• 4-port 10Base-T/100Base-TX Fast Ethernet interface module (4FE)
• 1-port 10Base-T/100Base-TX/1000Base-T Ethernet interface module (1GBE)
• 2-port 10Base-T/100Base-TX/1000Base-T Ethernet interface module (2GBE)
• 1-port 1000Base-LX/1000Base-SX optical interface module (1GEF)
• 2-port 1000Base-LX/1000Base-SX optical interface module (2GEF)
• Security socket layer encryption module (SSL)
8.2 Installing and Removing an MIM
Caution:
There is a shield finger on the front panel of the MIM module, which provides
electromagnetic shielding for the firewall. You must keep the shield finger intact when
replacing the module. Do not remove the shield finger.
Before installing MIMs, read Chapter 2 “Preparation for Installation” carefully.
I. Tools
ESD-preventive wrist strap
II. Installing an MIM
Caution:
Before performing any of the following operations, make sure you have completely
powered down the firewall to avoid getting electric shocks.
Step 1: Place the firewall with its front panel facing you.
Step 2: Turn off the site power and remove the power cord.
Step 3: Select a slot and push the MIM into the chassis until it is fully seated in the slot
and its front panel is flush with the front of the chassis.
Step 4: Tighten the captive screws to secure the MIM.
Step 5: Power up the firewall and check the state of the ACT LED for the slot on the
firewall. Blinking means the MIM is installed correctly.
Figure 8-1 Install the MIM I
Figure 8-2 Install the MIM II
III. Removing an MIM
Step 1: Place the firewall with its front panel facing you.
Step 2: Turn off the site power and remove the power cord.
Step 3: Remove all interface cables from the front of the chassis.
Step 4: Loosen the captive screws at both sides of the MIM.
Step 5: Pull the MIM towards you until it is completely separated from the bottom of the
chassis.
Caution:
• If you remove an MIM and do not install a new one right away, you must replace the
blanking filler panel to prevent dust from entering the firewall and to provide
adequate ventilation.
• Do not work on MIMs near a passageway, to avoid accidents to the unit or the
removed MIMs.
8.3 Troubleshooting an MIM
You can read the LEDs on the MIM panel to check for the MIM installation.
If the MIM on the firewall does not operate normally, check that:
• Correct interface cables are used.
• The interfaces are working well by reading the interface LEDs.
• The configurations on the MIM are validated by executing the display command.
8.4 1FE/2FE/4FE Module
8.4.1 Introduction
1-/2-/4-port 10Base-T/100Base-TX Fast Ethernet interface module (1FE/2FE/4FE)
provides the communications between the firewall and a LAN.
The 1FE provides one 10/100 Mbps Ethernet interface with the RJ-45 connector, while
the 2FE and 4FE can provide two and four. All of them support:
• The transmission distance of 100 meters (328 ft) over the category-5 twisted-pair
cable.
• The operating rates of 100 Mbps and 10 Mbps, with auto-sensing.
• Full duplex (commonly used) and half duplex.
8.4.2 Appearance
I. Appearance of the 1FE module
Figure 8-3 shows the 1FE module.
Figure 8-3 1FE module
II. Appearance of the 2FE module
Figure 8-4 shows the 2FE module.
Figure 8-4 2FE module
III. Appearance of the 4FE module
Figure 8-5 shows the 4FE module.
Figure 8-5 4FE module
8.4.3 Interface Attributes
Table 8-1 shows the interface attributes of the 1FE, 2FE and 4FE modules.
Table 8-1 Interface attributes of the 1FE, 2FE and 4FE modules
Attributes              1FE module    2FE module    4FE module
Connector               RJ-45
Number of connectors    1             2             4
Cable type              Straight-through Ethernet cable
Operating mode          Full/half duplex; 10/100 Mbps auto-sensing
Frame format            Ethernet_II; Ethernet_SNAP
8.4.4 Panel and Interface LEDs
Figure 8-6 shows the 1FE module panel.
Figure 8-6 1FE module panel
Figure 8-7 shows the 2FE module panel.
Figure 8-7 2FE module panel
Figure 8-8 shows the 4FE module panel.
Figure 8-8 4FE module panel
Table 8-2 describes the LEDs on the 1FE/2FE/4FE module panel and how to read their
state.
Table 8-2 LEDs on the 1FE/2FE module
LED       Description
LINK      OFF means no link is present; ON means a link is present.
ACTIVE    OFF means no packets are being transmitted/received on the
          interface; blinking means packets are being transmitted/received
          on the interface.
8.4.5 Interface Cable
I. Ethernet cable
The FE modules use category-5 twisted-pair cables with RJ-45 connectors (see Figure
8-9). Pins 1 and 2 of the connectors are for transmitting data, and Pins 3 and 6 are for
receiving data.
Figure 8-9 Ethernet cable
II. Making an Ethernet cable
To make an Ethernet cable with RJ-45 connectors using a category-5 twisted-pair cable,
refer to Figure 8-10. A category-5 twisted-pair cable is composed of eight wires that are
identified and grouped by the colors of the outer insulator. Usually a solid-color wire and
a white/solid-color wire are organized in a pair. Sometimes, however, wires are paired by
color-coded points.
Figure 8-10 Category-5 twisted-pair cable (four pairs: blue and white/blue; orange and
white/orange; green and white/green; brown and white/brown)
Table 8-3 Straight-through cable pinout
| RJ-45 | Signal | Category-5 twisted-pair cable | Direction of signal | RJ-45 |
|---|---|---|---|---|
| 1 | Tx+ | White (orange) | → | 1 |
| 2 | Tx- | Orange | → | 2 |
| 3 | Rx+ | White (green) | ← | 3 |
| 4 | –– | Blue | –– | 4 |
| 5 | –– | White (blue) | –– | 5 |
| 6 | Rx- | Green | ← | 6 |
| 7 | –– | White (brown) | –– | 7 |
| 8 | –– | Brown | –– | 8 |
Table 8-4 Crossover cable pinout
| RJ-45 | Signal | Category-5 twisted-pair cable | Direction of signal | RJ-45 |
|---|---|---|---|---|
| 1 | Tx+ | White (orange) | → | 3 |
| 2 | Tx- | Orange | → | 6 |
| 3 | Rx+ | White (green) | ← | 1 |
| 4 | –– | Blue | –– | 4 |
| 5 | –– | White (blue) | –– | 5 |
| 6 | Rx- | Green | ← | 2 |
| 7 | –– | White (brown) | –– | 7 |
| 8 | –– | Brown | –– | 8 |
Ethernet cables are divided into two categories: straight-through and crossover.
- Straight-through cable: The sequences of the twisted pairs crimped in the RJ-45
  connectors at both ends are the same. It connects a terminal device (PC or router)
  to a HUB or LAN switch.
- Crossover cable: The sequences of the twisted pairs crimped in the RJ-45
  connectors at both ends are different. It connects a terminal device (PC or router)
  to another terminal device. You can make crossover cables by yourself.
Note:
In making network cables, shielded cables are preferred for the sake of
electromagnetic compatibility.
8.4.6 Connecting the Interface Cable
Step 1: Plug one end of the cable into an Ethernet port of the FE module on the firewall
and the other end into the desired device. (For a PC or Router, use a straight-through
cable; for a HUB or LAN switch, use a crossover cable.)
Step 2: Power up the firewall and check the state of the LINK LED on the FE module. ON
means a link is present. OFF means no link is present and you should check the
connection.
Caution:
Read the mark of a port carefully before you connect it; a wrong connection can cause
damage to the interface module and even the device.
8.5 1GBE/2GBE Module
8.5.1 Introduction
The 1-/2-port 10Base-T/100Base-TX/1000Base-TX Ethernet interface module
(1GBE/2GBE) provides communication between the firewall and a LAN.
The 1GBE/2GBE module supports:
- A transmission distance of 100 meters (328 ft) over category-5 twisted-pair
  cable
- Three operating rates: 1000 Mbps, 100 Mbps, and 10 Mbps, with auto-sensing
- Full duplex mode
8.5.2 Appearance
Figure 8-11 and Figure 8-12 show the 1GBE and 2GBE modules, respectively.
Figure 8-11 1GBE module
Figure 8-12 2GBE module
8.5.3 Interface Attributes
Table 8-5 shows the interface attributes of the 1GBE and 2GBE modules.
Table 8-5 Interface attributes of the 1GBE/2GBE module
| Attribute | 1GBE | 2GBE |
|---|---|---|
| Connector | RJ-45 | RJ-45 |
| Number of connectors | 1 | 2 |
| Interface type | MDI/MDIX | MDI/MDIX |
| Interface standard | 802.3, 802.3u, 802.3ab | 802.3, 802.3u, 802.3ab |
| Cable type | Ethernet cable | Ethernet cable |
| Operating mode | 10/100/1000 Mbps, auto-sensing; full/half duplex auto-negotiation | 10/100/1000 Mbps, auto-sensing; full/half duplex auto-negotiation |
8.5.4 Panel and Interface LEDs
Figure 8-13 and Figure 8-14 show the panels of the 1GBE and 2GBE modules,
respectively.
Figure 8-13 1GBE module panel
Figure 8-14 2GBE module panel
Table 8-6 describes the LEDs on the 1GBE/2GBE module panel and how to read their
state.
Table 8-6 LEDs on the 1GBE/2GBE module
| LED | Description |
|---|---|
| LINK | OFF means no link is present; ON means a link is present. |
| ACT | OFF means no packets are being transmitted/received on the interface; blinking means packets are being transmitted/received on the interface. |
8.5.5 Interface Cable
I. Ethernet cable
The 1GBE/2GBE module uses a category-5 twisted-pair cable with RJ-45 connectors
(see Figure 8-15). Pins 1 and 2 of the connectors are for transmitting data, and Pins 3
and 6 are for receiving data.
Figure 8-15 Ethernet cable
II. Making an Ethernet cable
To make an Ethernet cable with RJ-45 connectors using a category-5 twisted-pair cable,
refer to Figure 8-16. A category-5 twisted-pair cable is composed of eight wires that are
identified and grouped by the colors of the outer insulator. Usually a solid-color wire and
a white/solid-color wire are organized in a pair. Sometimes, however, wires are paired by
color-coded points.
Figure 8-16 Category-5 twisted-pair cable (four pairs: blue and white/blue; orange and
white/orange; green and white/green; brown and white/brown)
Ethernet cables are divided into two categories: straight-through and crossover.
- Straight-through cable: The sequences of the twisted pairs crimped in the RJ-45
  connectors at both ends are the same. The cable connects a terminal device (PC
  or router) to a Hub or LAN switch.
- Crossover cable: The sequences of the twisted pairs crimped in the RJ-45
  connectors at both ends are different. The cable connects a terminal device (PC or
  router) to another terminal device. You can make crossover cables by yourself.
For the Ethernet cable pinout, see Low-End and Mid-Range Series Routers Cable
Manual.
8.5.6 Connecting the Interface Cable
Step 1: Plug one end of the cable into the GE port on the 1GBE/2GBE module on the
firewall and the other end into the peer device. (For a PC or Router, use a crossover cable;
for a HUB or LAN switch, use a straight-through cable.)
Step 2: Power up the firewall and check the state of the LED for the module on the front
panel of the firewall. ON means the module has passed the POST and can operate
normally; OFF means the POST fails. In the latter case, contact your agent for help.
Step 3: Check the state of the LINK LED on the 1GBE/2GBE module panel. ON means
a link is present. OFF means no link is present; check the line for the cause.
8.6 1GEF/2GEF Module
8.6.1 Introduction
The 1-/2-port 1000Base-LX/1000Base-SX Ethernet optical interface module (1GEF/2GEF)
provides communication between the firewall and a LAN.
The 1GEF/2GEF module can be multimode short-haul (850 nm), single mode
medium-haul (1310 nm), single mode long-haul (1310 nm), single mode long-haul
(1550 nm), and single mode ultra-long haul (1550 nm). You can purchase them as
needed.
The 1GEF/2GEF module supports:
- The operating rate of 1000 Mbps
- Full duplex mode
8.6.2 Appearance
Figure 8-17 and Figure 8-18 show the 1GEF and 2GEF modules, respectively.
Figure 8-17 1GEF module
Figure 8-18 2GEF module
8.6.3 Interface Attributes
Table 8-7 shows the interface attributes of the 1GEF and 2GEF modules.
Table 8-7 Interface attributes of the 1GEF/2GEF module
| Attribute | 1GEF | 2GEF |
|---|---|---|
| Connector | SFP/LC | SFP/LC |
| Number of connectors | 1 | 2 |
| Interface standard | IEEE 802.3, 802.3u and 802.3ab | IEEE 802.3, 802.3u and 802.3ab |
| Operating mode | 1000 Mbps full duplex | 1000 Mbps full duplex |

| Type | Multimode short-haul (850 nm) | Single mode medium-haul (1310 nm) | Single mode long-haul (1310 nm) | Single mode long-haul (1550 nm) | Single mode ultra-long haul (1550 nm) |
|---|---|---|---|---|---|
| Transmitter optical power, Min | –9.5 dBm | –9 dBm | –2 dBm | –4 dBm | –4 dBm |
| Transmitter optical power, Max | 0 dBm | –3 dBm | 5 dBm | 1 dBm | 2 dBm |
| Receiver sensitivity | –17 dBm | –20 dBm | –23 dBm | –21 dBm | –22 dBm |
| Central wavelength | 850 nm | 1310 nm | 1310 nm | 1550 nm | 1550 nm |
| Optical fiber | 62.5/125 μm multimode fiber | 9/125 μm single-mode fiber | 9/125 μm single mode fiber | 9/125 μm single mode fiber | 9/125 μm single-mode fiber |
| Max transmission distance | 0.55 km (0.34 mi) | 10 km (6.2 mi) | 40 km (24.9 mi) | 40 km (24.9 mi) | 70 km (43.5 mi) |
Note:
When using optical transceivers, select those that have been approved by our
company.
8.6.4 Panel and Interface LEDs
Figure 8-19 and Figure 8-20 show the panel of the 1GEF and 2GEF modules.
Figure 8-19 1GEF module panel
Figure 8-20 2GEF module panel
Table 8-8 LEDs on the 1GEF/2GEF module
| LED | Description |
|---|---|
| LINK | OFF means no Rx link is present; ON means an Rx link is present. |
| ACTIVE | OFF means no packets are being transmitted/received on the interface; blinking means packets are being transmitted/received on the interface. |
8.6.5 Interface Fiber Cable
You can select the fiber cable (with LC connector) depending on the
1000Base-SX/1000Base-LX SFP optical module type you choose.
Note:
The LC optical connector is a type of small push-button connector developed by Lucent
Technologies.
The fiber cable is optional. You must specify the optional SFP module when purchasing
the interface module.
8.6.6 Connecting the Interface Fiber Cable
Caution:
When connecting the fiber cable, observe the following:
- Do not over-bend the fiber cable. Its curvature radius must be equal to or greater
  than 10 cm (3.9 in.).
- Ensure that the Tx and Rx ends are correctly connected.
- Ensure that the fiber ends are clean.
Caution:
Laser danger: never look into the optical ports that are connected to the laser. It can
harm your eyes.
Step 1: Insert the shipped SFP module into the corresponding slot.
Step 2: Identify the Rx and Tx optical ports on the 1GEF/2GEF module. Plug one end of
a fiber cable into the Rx port on the module and the other end into the Tx port on the
peer device. Plug one end of another fiber cable into the Tx port on the module, and the
other end into the Rx port on the peer device.
Step 3: Power up the firewall. Check the state of the LINK LED on the module panel.
ON means an Rx link is present. OFF means no Rx link is present; check the line for the
cause.
8.7 SSL Module
8.7.1 Introduction
The SSL encryption module supports multiple types of hardware encryption/decryption
and Hash algorithms and provides high-performance and high-reliability encryption
features by processing the SSL protocol, which is available on the module.
When an SSL encryption module is inserted into a MIM slot, the mainboard receives and
transmits packets and processes the SSL protocol, while the SSL encryption module
encrypts and decrypts packets.
8.7.2 Appearance
Figure 8-21 shows the SSL module.
Figure 8-21 SSL module
8.7.3 Module Attributes
Table 8-9 shows the attributes of the SSL module.
Table 8-9 SSL module attributes
| Attribute | Description |
|---|---|
| Supported protocol | SSL |
| Hardware algorithm | Key algorithm (DES, 3DES, AES and RC4); authentication algorithm (HMAC-MD5 and HMAC-SHA-1) |
8.7.4 Panel and Module LEDs
Figure 8-22 shows the panel of the SSL module.
Figure 8-22 SSL module panel
Table 8-10 LEDs on the SSL module
| LED | Description |
|---|---|
| STATUS | ON means module is not powered normally; OFF means the module is not powered, or the power supply is OFF or in fault. |
| ACTIVE | Blinking for two seconds and then OFF means the module initialization is completed; blinking continuously means the module is normal and packets are being transmitted/received on the interface; OFF means the module is normal but no packets are being transmitted/received on the interface. |
8.7.5 Troubleshooting SSL Module
Symptom 1: The STATUS LED is OFF when the firewall starts.
Solution:
1) The STATUS LED should be ON when the firewall starts. OFF means that the
module or some components on the module are not powered on normally. Check
that the system power supply is correctly connected.
2) If the system power supply works normally, the cause may be that the module power
supply is faulty or that the CPLD (complex programmable logic device) is faulty.
Please contact your agent.
Symptom 2: The ACTIVE LED keeps ON during the booting of the firewall.
Solution: The ACTIVE LED should blink for two seconds and then become OFF during
the booting of the firewall. Solid OFF means that the module initialization fails. The
possible cause is that the system bus does not work normally. Check if the module is
properly connected to the firewall. If the connection is OK, there must be a fault on the
module or the firewall. Please contact your agent.
Symptom 3: The ACTIVE LED keeps ON or OFF during the operation of the SSL
module.
Solution: The ACTIVE LED should blink when the SSL module processes encryption
services. Solid ON or OFF means the system bus does not work normally. Check if the
module is properly connected to the firewall. If the connection is OK, there must be a
fault on the module or the firewall. Please contact your agent.