H3C F100-A INSTALLATION GUIDE

H3C SecPath F100-A Firewall
Installation Manual
Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com
Manual Version: T2-08044B-20070622-C-1.03
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
To obtain the latest information, please access: http://www.h3c.com
Technical Support
customer_service@h3c.com http://www.h3c.com
About This Manual
Related Documentation
In addition to this manual, each H3C SecPath Series Security Products documentation set includes the following:
Manual: Description
H3C SecPath Series Security Products Operation Manual: It introduces the functional features, principles and guide to configuration and operation for H3C SecPath Series Security Gateways/Firewalls.
H3C SecPath Series Security Products Command Manual: It discusses all commands available in the configuration and operation on H3C SecPath Series Security Gateways/Firewalls. The details include command name, complete command form, parameter, operation view, usage description and configuration example.
H3C SecPath Series Security Products Web-Based Configuration Manual: It directs users to configure the H3C SecPath Series Firewalls in Web mode.
Organization
H3C SecPath F100-A Firewall Installation Manual is organized as follows:
Chapter: Contents
1 Product Overview: Profiles the system characteristics and applications. Product appearance and system description are also available in this chapter.
2 Installation Preparations: Focuses on environment requirements for system installation, precautions before and during installation. Installation tools are also listed in this chapter.
3 Firewall Installation: Elaborates on mechanical installation, physical connection of power cords, console cables and Ethernet cables.
4 Firewall Configuration: Presents fundamentals on system booting and configuration.
5 Software Maintenance: Discusses system software maintenance, including software upgrade and configuration file loading.
6 Troubleshooting: Lists common system failures and specific locating methods.
7 MIM Modules: Details appearance, panel and LEDs of the functional modules available on the H3C SecPath F100-A, as well as module installation and connection of interface cables.
Conventions
The manual uses the following conventions:

I. Command conventions

Convention: Description
Boldface: The keywords of a command line are in Boldface.
italic: Command arguments are in italic.
[ ]: Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }: Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]: Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... } *: Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ] *: Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
&<1-n>: The argument(s) before the ampersand (&) sign can be entered 1 to n times.
#: A line starting with the # sign is comments.

II. GUI conventions

Convention: Description
< >: Button names are inside angle brackets. For example, click <OK>.
[ ]: Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.
/: Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].

III. Symbols

Convention: Description
Warning: Means reader be extremely careful. Improper operation may cause bodily injury.
Caution: Means reader be careful. Improper operation may cause data loss or damage to equipment.
Note: Means a complementary description.
Environmental Protection
This product has been designed to comply with the requirements on environmental protection. For the proper storage, use and disposal of this product, national laws and regulations must be observed.
Installation Manual H3C SecPath F100-A Firewall Table of Contents
Table of Contents
Chapter 1 Product Overview
1.1 Overview
1.2 Hardware Features
1.2.1 Appearance
1.2.2 System Specifications
1.2.3 LEDs
1.2.4 Fixed Interface Attributes
Chapter 2 Installation Preparations
2.1 General Site Requirements
2.1.1 Temperature and Humidity
2.1.2 Cleanliness
2.1.3 ESD Prevention
2.1.4 Electromagnetic Compatibility
2.1.5 Lightning Protection
2.1.6 Checking the Rack
2.2 Safety Precautions
2.3 Unpacking Inspections
2.4 Installation Tools, Meters and Equipment
Chapter 3 Firewall Installation
3.1 Installation Flow
3.2 Mounting the Firewall
3.2.1 Free-Standing
3.2.2 Rack-Mounting
3.3 Connecting the PGND Wire
3.4 Connecting to the Console Terminal
3.5 Connecting to the Ethernet Interface
3.6 Connecting the Power Cord
3.7 Verifying Installation
Chapter 4 Firewall Configuration
4.1 Booting
4.1.1 Setting Up a Configuration Environment
4.1.2 Powering Up the Firewall
4.1.3 Booting Process
4.2 Configuration Fundamentals
4.2.1 Basic Configuration Procedures
4.2.2 Command Line Interface
Chapter 5 Software Maintenance
5.1 Boot Menu
5.2 Upgrading Application and Boot ROM Using XModem
5.3 Backing Up and Restoring the Extended Segment of the Boot ROM
5.4 Upgrading the Application Program Using TFTP
5.5 Uploading/Downloading Applications/Files Using FTP
5.6 Modifying Boot ROM Password
5.7 Resetting a Lost Password
Chapter 6 Troubleshooting
6.1 Troubleshooting PSU
6.2 Troubleshooting Configuration System
6.3 Troubleshooting Application Upgrading
Chapter 7 MIM Modules
7.1 MIM Options
7.2 Installing and Removing an MIM
7.3 Troubleshooting an MIM
7.4 1FE/2FE/4FE Module
7.4.1 Introduction
7.4.2 Appearance
7.4.3 Interface Attributes
7.4.4 Panel and Interface LEDs
7.4.5 Interface Cable
7.4.6 Connecting the Interface Cable
7.5 HNDE Module
7.5.1 Introduction
7.5.2 Interface Attributes
7.5.3 Panel and Interface LEDs
7.5.4 Troubleshooting the HNDE Module
List of Figures
Figure 1-1 Front panel of the H3C SecPath F100-A firewall
Figure 1-2 Rear panel of the H3C SecPath F100-A firewall
Figure 3-1 Installation flow for the firewall
Figure 3-2 Rack-mount the firewall
Figure 3-3 Console cable assembly
Figure 3-4 Ethernet cable assembly
Figure 4-1 Local configuration through the console port
Figure 4-2 Create a new connection
Figure 4-3 Select connection port
Figure 4-4 Define port parameters
Figure 4-5 Select emulation type
Figure 5-1 Send File dialog box
Figure 5-2 Sending File interface
Figure 5-3 Set up the local upload/download environment
Figure 5-4 Set up the remote upload/download environment
Figure 7-1 Install the MIM I
Figure 7-2 Install the MIM II
Figure 7-3 1FE module
Figure 7-4 2FE module
Figure 7-5 4FE module
Figure 7-6 1FE module panel
Figure 7-7 2FE module panel
Figure 7-8 4FE module panel
Figure 7-9 Ethernet cable
Figure 7-10 Category-5 twisted-pair cable
Figure 7-11 HNDE module panel
List of Tables
Table 1-1 Technical specifications of the H3C SecPath F100-A firewall
Table 1-2 LEDs on the H3C SecPath F100-A firewall
Table 1-3 Attributes of the console port
Table 1-4 Attributes of the AUX port
Table 1-5 Attributes of the Ethernet interfaces
Table 2-1 Temperature/humidity requirements in the equipment room
Table 2-2 Limits on the dust particles in the equipment room
Table 2-3 Harmful gas limits in the equipment room
Table 3-1 Physical dimensions of the H3C SecPath F100-A firewall
Table 7-1 Interface attributes of the 1FE, 2FE and 4FE modules
Table 7-2 LEDs on the 1FE/2FE/4FE module
Table 7-3 Straight-through cable pinout
Table 7-4 Crossover cable pinout
Table 7-5 Interface attributes of the HNDE module
Table 7-6 LEDs on the HNDE module

Chapter 1 Product Overview

1.1 Overview

H3C SecPath F100-A Firewall, developed by H3C Technologies, is a new-generation
firewall designed for enterprise users. It can work both as an egress firewall for small
and medium businesses and as an internal firewall for midsize enterprises.
H3C SecPath F100-A firewall provides four 10/100 Mbps autosensing LAN interfaces,
three 10/100 Mbps autosensing WAN interfaces and one MIM expansion slot which
supports multiple VPN access types and can accommodate the 1FE/2FE/4FE and
HNDE modules.
H3C SecPath F100-A firewall applies ASPF status detection technique to monitor
connection process and malicious commands and works together with access control
lists (ACLs) to implement dynamic packet filtering.
H3C SecPath F100-A firewall supports authentication, authorization, accounting (AAA),
network address translation (NAT), hybrid mode, object oriented management, and
flow logging to ensure security and guaranteed services to the private networks
constructed on the open Internet.
H3C SecPath F100-A firewall supports multiple virtual private network (VPN) services,
such as layer 2 tunneling protocol (L2TP) VPN, IP security (IPsec) VPN, generic routing
encapsulation (GRE) VPN, and dynamic VPN, and allows users to build various VPNs,
like Internet, Intranet, and remote access VPNs using customized remote-user access
approaches, such as dial-up, leased line, Virtual LAN (VLAN), and tunneling.
H3C SecPath F100-A firewall provides basic routing features, including the routing
information protocol (RIP), open shortest path first (OSPF), routing policy, and policy
routing, as well as abundant QoS (quality of service) features, such as traffic policing,
traffic shaping, and multiple queue scheduling policies.
H3C SecPath F100-A firewall offers these main features:
I. IP VPN solution
Networks benefit enterprises in many ways; company headquarters can send important
information to its branch offices quickly and conveniently. To interconnect the intranets
of a company over the Internet, however, you need VPN technologies. The H3C
SecPath F100-A firewall provides abundant IP VPN services: L2TP and GRE provide
Layer 2 and Layer 3 tunneling respectively; IPsec provides tunnels encapsulated with a
security protocol.
II. Data security and reliability
The H3C SecPath F100-A firewall offers:
- High network security. ACL-based packet filtering detects data packets at the
network and transport layers to prevent illegal intrusion. Application specific
packet filter (ASPF) detects information about the application layer protocols and
monitors traffic at the application layer.
- NAT. Beyond its basic functions, NAT can also limit the number of
concurrent connections for an individual user. This eliminates malicious
resource seizures without any negative impact on general network applications. In
addition, its enhanced NAT application layer gateway (ALG) function provides NAT
traversal for H.323, FTP, ICMP, and so on.
- AAA and RADIUS user authentication.
- VPN (including GRE, L2TP, and MPLS) with the IPsec and IKE technologies to
guarantee the security of private networks over the Internet.
- OSPF and RIP2 to offer MD5 authentication and guarantee reliable exchange of
routing information.
- Virtual router redundancy protocol (VRRP) to provide communication line or
equipment backup in case of failure. This effectively enhances network
robustness and reliability.
- Deeper application recognition (DAR) to recognize and classify packets more
deeply, enhancing the control over data flows.
- Active/standby switchover to protect current services against interruption,
eliminating the defects of traditional networking solutions, for example, the VRRP
networking solution.
III. Online software upgrade
You can upgrade the application and Boot ROM programs online to add features and
extend functions.
IV. Network management
The H3C SecPath F100-A firewall supports SNMPv3 network management
(compatible with SNMPv2c and SNMPv1) and provides powerful device management.
V. Regulatory compliance
Designed according to the standards dominant in China, North America, Europe,
Australia, and Japan, the H3C SecPath F100-A firewall complies with the requirements
of these countries and regions for electromagnetic compatibility (EMC), safety standard,
and network access.

1.2 Hardware Features

1.2.1 Appearance
(1) MIM slot (2) Two LEDs for the fixed WAN 0 interface (3) Two LEDs for the fixed WAN 1 interface (4) Two LEDs for the fixed WAN 2 interface (5) Fixed WAN 0 interface (WAN 0) (6) Fixed WAN 1 interface (WAN 1) (7) Fixed WAN 2 interface (WAN 2) (8) Fixed LAN 0 interface (LAN 0) (9) Fixed LAN 1 interface (LAN 1) (10) Fixed LAN 2 interface (LAN 2) (11) Fixed LAN 3 interface (LAN 3) (12) Auxiliary port (AUX) (13) Console port (CONSOLE) (14) System LED (SYS) (15) Power LED (PWR)
Figure 1-1 Front panel of the H3C SecPath F100-A firewall
(1) Power switch (2) Power socket (3) Grounding screw
Figure 1-2 Rear panel of the H3C SecPath F100-A firewall
1.2.2 System Specifications
Table 1-1 Technical specifications of the H3C SecPath F100-A firewall
Item: Description
MIM slot: 1
Fixed interface: Four 10/100 Mbps LAN interfaces, three 10/100 Mbps WAN interfaces; one AUX port; one console port (CONSOLE)
Boot ROM: 512 KB
DDR SDRAM: 256 MB
Flash memory: 16 MB
Physical dimensions (H × W × D): 44 × 436 × 330 mm (1.7 × 17.2 × 13.0 in.) (excluding feet)
Weight: 4 kg (8.8 lb)
Power supply: Rated voltage 100 VAC to 240 VAC, 50 Hz or 60 Hz; rated current 1.5 A
Max. power consumption: 54 W
Operating temperature: 0°C to 40°C (32°F to 104°F)
Operating humidity (noncondensing): 10% to 90%
Note:
Double data rate synchronous dynamic random access memory (DDR SDRAM) stores
the communication data of the running system with the CPU.
1.2.3 LEDs
Table 1-2 LEDs on the H3C SecPath F100-A firewall
LED: Description
PWR: Power supply unit (PSU) LED: OFF means the PSU is not supplying power to the device. ON means the PSU is supplying power to the device.
SYS: System operating status LED: Blinking means the system is operating normally. OFF means the system is operating abnormally.
LINK/ACT: OFF means no link is present. ON means a link is present. Blinking means packets are being transmitted/received.
100M: OFF means packets are being transmitted/received at 10 Mbps on the interface. ON means packets are being transmitted/received at 100 Mbps on the interface.
1.2.4 Fixed Interface Attributes
I. Console port (CONSOLE)
Table 1-3 Attributes of the console port
Item: Description
Connector: RJ-45
Interface standard: RS-232
Baud rate: 1,200 bps to 115,200 bps, defaults to 9,600 bps
Service: Connected to an ASCII terminal; connected to the serial interface of a local PC running terminal emulation software; command line interface (CLI)
II. AUX port
Table 1-4 Attributes of the AUX port
Item: Description
Connector: RJ-45
Interface standard: RS-232
Baud rate: 1,200 bps to 115,200 bps
Service: Modem dialup; backup
III. Ethernet interfaces
The H3C SecPath F100-A firewall provides seven 10/100 Mbps autosensing Ethernet
interfaces. Their attributes are described in Table 1-5.
Table 1-5 Attributes of the Ethernet interfaces
Item: Description
Connector: RJ-45
Interface type: Both LAN and WAN interfaces support auto-MDI/MDIX.
Frame format: Ethernet_II; Ethernet_SNAP
Operating mode: 10/100 Mbps autosensing; half/full duplex

Chapter 2 Installation Preparations

2.1 General Site Requirements

The H3C SecPath F100-A firewall must be used indoors. To guarantee normal
operation and longevity of your device, its installation site should meet the
requirements described in this chapter.
2.1.1 Temperature and Humidity
The equipment room must maintain proper humidity to prevent poor insulation,
electricity creepage and corrosion accompanying high humidity, or washer contraction
and electrostatic discharge accompanying low humidity. In dry environments where the
relative humidity is very low, electrostatic discharge (ESD) is more likely to happen
causing the complementary metal-oxide-semiconductor (CMOS) circuitry to fail.
Table 2-1 lists the temperature and humidity requirements.
Table 2-1 Temperature/humidity requirements in the equipment room
Temperature: 0°C to 40°C (32°F to 104°F)
Relative humidity: 10% to 90% (noncondensing)
2.1.2 Cleanliness
Dust is hazardous to the operating safety of your device. Dust buildup on the chassis
may result in static absorption, causing poor contact of metal components or points.
When indoor humidity is extremely low, this is more likely to happen, shortening the
useful life of the device and causing communication failures.
The equipment room must also be free of explosion hazards and of electrically and
magnetically conductive dust. The following table lists the limits on dust particles:
Table 2-2 Limits on the dust particles in the equipment room
Mechanical active material: Dust particle
Unit: Particle/m³
Content: 3 × 10^4 (No visible dust on desk in three days)
Note: Dust particles diameter = 5µm
Besides, the equipment room should meet the rigorous limits on salt, acid and sulfide to
eliminate corrosion and premature aging of some parts, as shown in Table 2-3.
Table 2-3 Harmful gas limits in the equipment room
Gas: Max content (mg/m³)
SO2: 0.2
H2S: 0.006
NH3: 0.05
Cl2: 0.01
2.1.3 ESD Prevention
By design, the H3C SecPath F100-A firewall is ESD preventative, but excessive
buildup of static electricity can still damage the card circuitry and even the entire device.
On the communication network connected to the firewall, static electricity is primarily
introduced from the outside electrical fields, such as the outdoor high-voltage power
cabling and lightning, and from the inside system, such as indoor environment, floor
material and the equipment frame. To avoid damage, ensure that:
- The device is well grounded.
- The equipment room is dust-proof.
- Maintain adequate temperature and humidity.
- Wear an ESD-preventive wrist strap and clothes when contacting the circuit board.
- Place the removed circuit board upward on the ESD-preventive workbench, or into
a static shielded bag.
- Hold the circuit board by its edge when observing or moving it, avoiding direct
contact with the elements on it.
2.1.4 Electromagnetic Compatibility
All interference sources, from the outside or from the inside of the device/application
system, adversely affect the device in the conduction patterns of capacitance coupling,
inductance coupling, electromagnetic wave radiation, and common impedance
(including grounding system) coupling. To prevent the interference, do the following:
- Take effective measures against interference from the power grid.
- Use a grounding system or lightning protection grounding separate from that of
the power supply equipment, and keep them as far apart as possible.
- Keep the device far away from high-power radio transmitters, radar transmitters,
and high-frequency, high-current equipment.
- Use electromagnetic shielding when necessary.
2.1.5 Lightning Protection
By design, the H3C SecPath F100-A firewall is lightning protective; but excessive
lightning may still damage the device. To protect the device better, you are
recommended to:
- Ensure the grounding screw of the chassis is securely connected to the earth
ground.
- Ensure the earth point of the power socket is securely connected to the earth
ground.
- Add a lightning arrester onto the front end of the power input to better protect the
power supply from lightning strikes.
2.1.6 Checking the Rack
When installing the H3C SecPath F100-A firewall, observe the following:
- Reserve adequate clearance at the air inlet and exhaust for adequate ventilation
inside the chassis.
- The rack has a good ventilation system.
- The rack is stable enough to support the weight of the device and the installation
accessories.
- The rack is well-grounded.

2.2 Safety Precautions

When reading this manual, pay adequate attention to the following.
Warning appears in operation procedures that, if performed incorrectly, might
cause bodily injury to the operators or damage the device.
Caution appears throughout this manual in procedures that, if performed
incorrectly, might affect the operation of the device.
When installing or using the firewall, you are recommended to:
- Keep the firewall far away from the heat sources and water/liquid.
- Make sure that the firewall has been correctly grounded.
- Wear an ESD-preventive wrist strap in installation and maintenance, making sure
that the strap has good skin contact.
- Do not hot swap the console cable or AUX cable.
- Adopt uninterrupted power supply (UPS).