H3C SecPath F100-C-EI Firewall
Installation Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Manual Version: 5PW100-20080729
Copyright © 2008, Hangzhou H3C Technologies Co., Ltd.
and its licensors
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form
or by any means without prior written consent of Hangzhou H3C
Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro,
SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG,
V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are
trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the
property of their respective owners.
Notice
The information in this document is subject to change without notice.
Every effort has been made in the preparation of this document to
ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of
any kind, express or implied.
Technical Support
customer_service@h3c.com
http://www.h3c.com
About This Manual
Organization
H3C SecPath F100-C-EI Firewall Installation Manual is
organized as follows:
Chapter                       Contents
1 Firewall Overview           Briefly introduces the product
                              specifications, as well as the features
                              and applications of the H3C SecPath
                              F100-C-EI Firewall.
2 Preparing for               Describes the requirements of the
Installation                  H3C SecPath F100-C-EI Firewall on
                              installation site, the safety
                              recommendations before and during
                              installation, and the required tools.
3 Installing the Firewall     Introduces how to install the H3C
                              SecPath F100-C-EI Firewall, as well
                              as how to connect the power cord, and
                              other cables.
4 Starting and Configuring    Describes how to boot and configure
the Firewall                  the H3C SecPath F100-C-EI Firewall,
                              including device startup, power-on,
                              and initialization of system files, and
                              so on.
5 Maintaining Software        Introduces how to maintain the
                              software of the H3C SecPath
                              F100-C-EI Firewall, including
                              upgrading the software and updating
                              the configuration files.
6 Troubleshooting             Describes some problems that may
                              occur during installation and startup of
                              the H3C SecPath F100-C-EI Firewall
                              and how to solve them.
Conventions
The manual uses the following conventions:
I. GUI conventions
Convention    Description
Boldface      Window names, button names, field names, and menu
              items are in Boldface. For example, the New User
              window appears; click OK.
>             Multi-level menus are separated by angle brackets.
              For example, File > Create > Folder.
II. Symbols
Convention    Description
Warning       Means reader be extremely careful. Improper operation
              may cause bodily injury.
Caution       Means reader be careful. Improper operation may cause
              data loss or damage to equipment.
Note          Means a complementary description.
Related Documentation
In addition to this manual, each H3C SecPath Series Security
Products documentation set includes the following:
Manual                        Content
H3C SecPath Series Security   Describes the features and
Products Operation Manual     specifications, working principles
                              of the H3C SecPath series
                              gateways/firewalls, and how to
                              configure and manipulate them.
H3C SecPath Series Security   Describes the configuration
Products Command Manual       commands for the H3C SecPath
                              series gateways/firewalls,
                              including syntax, complete
                              command line, parameters,
                              operation views, description and
                              examples.
H3C SecPath Series Security   Guides you through configuring the
Products Web Configuration    H3C SecPath series firewalls
Manual                        through Web interfaces.
Obtaining Documentation
You can access the most up-to-date H3C product documentation
on the World Wide Web at this URL: http://www.h3c.com.
The following are the columns from which you can obtain different
categories of product documentation:
[Products & Solutions]: Provides information about products and
technologies, as well as solutions.
[Technical Support & Document > Technical Documents]:
Provides several categories of product documentation, such as
installation, operation, and maintenance.
[Technical Support & Document > Product Support > Software]:
Provides the documentation released with the software version.
Documentation Feedback
You can e-mail your comments about product documentation to
info@h3c.com.
We appreciate your comments.
Environmental Protection
This product has been designed to comply with the requirements
on environmental protection. For the proper storage, use and disposal
of this product, national laws and regulations must be observed.
Table of Contents
Chapter 1 Firewall Overview
1.1 Brief Introduction
1.2 Physical Description
1.2.1 Front Panel
1.2.2 Rear Panel
1.3 Technical Specifications
1.4 LEDs
1.5 Fixed Interfaces
1.5.1 Console Port
1.5.2 Ethernet Interfaces
Chapter 2 Preparing for Installation
2.1 Site Requirements
2.1.1 Temperature and Humidity Requirements
2.1.2 Cleanness Requirements
2.1.3 ESD-Preventive Requirements
2.1.4 Electromagnetic Environment Requirements
2.1.5 Lightning Protection Requirements
2.1.6 Checking the Workbench
2.1.7 Rack-Mounting Requirements
2.2 Safety Precautions
2.2.1 Safety Signs
2.2.2 General Safety Recommendations
2.2.3 Safety Recommendations against Electricity
2.3 Tools, Meters, and Instruments
Chapter 3 Installing the Firewall
3.1 Installation Flow
3.2 Installing the F100-C-EI
3.2.1 Installing the Firewall on a Workbench
3.2.2 Installing the Firewall in a Rack
3.3 Connecting the PGND Wire
3.4 Connecting the Power Cord
3.5 Connecting Interface Cables
3.5.1 Connecting the Console Cable
3.5.2 Connecting the Ethernet Cables
3.6 Verifying Installation
Chapter 4 Starting and Configuring the Firewall
4.1 Setting up the Configuration Environment
4.1.1 Connecting the Firewall to the Console Terminal
4.1.2 Setting Terminal Parameters
4.2 Powering On the Firewall
4.2.1 Checking before Power-on
4.2.2 Powering On the Firewall
4.2.3 Checking the Firewall
4.3 Booting Process
4.4 Configuration Outlines
4.5 Command Line Interface
4.5.1 Features of the Command Line Interface
Chapter 5 Maintaining Software
5.1 Boot Menu
5.1.1 Boot Menu of the Firewall
5.1.2 Boot ROM Operation Menu of the Firewall
5.2 Upgrading Application and Boot ROM Programs Using XModem
5.2.1 Upgrading the Application Program
5.2.2 Upgrading the Boot ROM Program
5.2.3 Upgrading the Extended Segment of the Boot ROM Program
5.3 Upgrading Application Program Using TFTP
5.4 Uploading/Downloading a Program/File Using FTP
5.5 Maintaining Application Program and Configuration Files
5.5.1 Displaying Files
5.5.2 Deleting a File
5.6 Backing Up and Restoring the Extended Segment of the Boot ROM Program
5.6.1 Backing Up the Extended Segment of Boot Rom Program in Flash
5.6.2 Restoring the Extended Segment of the Boot Rom Program from the Flash
5.7 Recovering/Changing Password
5.7.1 Recovering/Changing User Password
5.7.2 Recovering/Changing Boot ROM Password
Chapter 6 Troubleshooting
6.1 Troubleshooting the Power System
6.2 Troubleshooting Configuration System
List of Figures
Figure 1-1 Front panel of the H3C F100-C-EI
Figure 1-2 Rear panel of the H3C F100-C-EI
Figure 1-3 Console cable
Figure 1-4 Ethernet cable
Figure 2-1 Wear an ESD-preventive wrist strap
Figure 3-1 Firewall installation flow
Figure 3-2 Mounting bracket structure
Figure 3-3 Install the mounting brackets on the firewall
Figure 3-4 Fix the firewall on the rack
Figure 3-5 Connect the grounding terminal to the firewall
Figure 3-6 Connect PGND wire to grounding strip
Figure 3-7 Connecting the AC power cord
Figure 3-8 Connect the console cable
Figure 4-1 Set up a new connection
Figure 4-2 Set the connection port
Figure 4-3 Set serial port parameters
Figure 4-4 HyperTerminal window
Figure 4-5 Set terminal emulation type
Figure 5-1 Disconnect the console terminal
Figure 5-2 Modify baudrate
Figure 5-3 Send file dialog box
Figure 5-4 Send file interface
Figure 5-5 Set up an upgrade environment through TFTP
Figure 5-6 Set up an upload/download environment using FTP
List of Tables
Table 1-1 Technical specifications of the H3C F100-C-EI
Table 1-2 LEDs on the front panel of the F100-C-EI
Table 1-3 Specifications of the console port
Table 1-4 Specifications of Ethernet interfaces
Table 2-1 Temperature/humidity requirements in the equipment room
Table 2-2 Limitation on dust content in equipment room
Table 2-3 Harmful gas limits in the equipment room
Chapter 1 Firewall Overview
1.1 Brief Introduction
The H3C SecPath F100-C-EI Firewall (hereinafter referred to as
the F100-C-EI) is a new-generation Ethernet firewall intended for
small office/home office (SOHO) use.
The F100-C-EI has the following features:
• Provides an uplink WAN interface compliant with international
  standards, ensuring interoperability with the products of
  other vendors.
• Provides five 10/100 Mbps auto-sensing Ethernet interfaces
  that can be assigned to different security zones, such as
  Trust, DMZ, Untrust and management security zones.
• Supports internal temperature detection, network
  management, and Web-based management, satisfying
  carrier-class reliability requirements.
• Supports such features as external attack defense, TCP
  proxy, internal network security, traffic policing, Web filtering,
  and email filtering, to effectively safeguard your network.
• Adopts the application specific packet filtering (ASPF)
  technology to monitor connection processes and
  unauthorized operations, and works together with access
  control lists (ACLs) to implement dynamic packet filtering.
• Provides various intelligent analysis and management
  methods, supports email alert and multiple types of logs,
  and provides network management monitoring to help
  network administrators perform network security
  management.
• Supports authentication, authorization and accounting
  (AAA), and network address translation (NAT) to ensure
  security and guaranteed services for the private networks
  constructed on the open Internet.
• Supports multiple virtual private network (VPN) services,
  such as Layer 2 tunneling protocol (L2TP) VPN, IP security
  (IPSec) VPN, generic routing encapsulation (GRE) VPN,
  and dynamic VPN. It allows users to build various VPNs, such
  as Internet, Intranet, and remote access VPNs, using
  customized remote-user access approaches, such as
  dial-up, leased line, virtual LAN (VLAN), and tunneling.
• Supports basic routing features, including routing
  information protocol (RIP), open shortest path first (OSPF),
  routing policy and policy routing, and also provides
  abundant QoS (quality of service) features, such as traffic
  policing, traffic shaping and queue scheduling.
1.2 Physical Description
1.2.1 Front Panel
(1) Ethernet LED (Yellow) (2) Ethernet LED (Green)
(3) System LED (SYS) (4) Power LED (PWR)
(5) Console port (CONSOLE) (6) Ethernet interface (WAN)
(7) Ethernet interface (LAN3) (8) Ethernet interface (LAN2)
(9) Ethernet interface (LAN1) (10) Ethernet interface (LAN0)
Figure 1-1 Front panel of the H3C F100-C-EI
1.2.2 Rear Panel
(1) AC input (2) Grounding screw
Figure 1-2 Rear panel of the H3C F100-C-EI
1.3 Technical Specifications
Table 1-1 Technical specifications of the H3C F100-C-EI
Item                      Description
Interface                 1 console port
                          1 × 10/100 Mbps Ethernet interface (WAN)
                          4 × 10/100 Mbps Ethernet interfaces (LAN)
SDRAM                     Default: 64 MB
                          Max: 64 MB
Flash memory              8 MB
Rated voltage range       100 VAC to 240 VAC, 50 Hz or 60 Hz
Maximum input current     0.4 A
Power consumption         6 W to 8 W
Dimensions (W x H x D)    230 × 43.6 × 200 mm (9.06 × 1.82 × 7.87
                          in., excluding foot pads)
Weight                    2 kg
Operating temperature     0°C to 45°C (32°F to 113°F)
Relative humidity         10% to 95%
(noncondensing)
1.4 LEDs
The following table describes the LEDs on the front panel of the
F100-C-EI.
Table 1-2 LEDs on the front panel of the F100-C-EI
LED            Description
Link LED       Green: The interface speed is 100 Mbps.
               Yellow: The interface speed is 10 Mbps.
SYS (Green)    Blinking once per second: The system is
               operating normally.
               Blinking eight times per second: The system
               is starting up.
               Solid ON: The system is faulty.
               Off: The system is faulty or not powered on.
PWR (Green)    Off: The power supply is faulty or the system
               is not powered on.
               On: The power supply is normal.
1.5 Fixed Interfaces
1.5.1 Console Port
I. Console port specifications
The F100-C-EI provides one RS-232 asynchronous serial
console port, through which you can configure your device.
Table 1-3 Specifications of the console port
Item                  Description
Connector type        RJ-45
Compliant standard    RS-232
Baud rate             1200 bps to 115200 bps (9600 bps by
                      default)
Services              Connecting to an ASCII terminal
                      Connecting to a serial port on a local PC to
                      run terminal emulation program on the PC
                      Command line interface (CLI)
II. Console cable
The console cable is an 8-core shielded cable. At one end of the
cable is an RJ-45 connector that can be plugged into the console port;
at the other end is a DB-9 (female) connector, which can be plugged
into the serial port of the console terminal.
The following figure illustrates a console cable:
Figure 1-3 Console cable
1.5.2 Ethernet Interfaces
I. Ethernet interface specifications
The F100-C-EI provides five 10/100 Mbps auto-sensing Ethernet
interfaces.
Table 1-4 Specifications of Ethernet interfaces
Item                  Description
Connector type        RJ-45
Interface type        Auto-MDI/MDIX
Frame format          Ethernet_II/Ethernet_SNAP/IEEE
                      802.2/IEEE 802.3
Speed and             10/100Base-TX
operating mode        Full duplex/half duplex
II. Ethernet cable
For a 10/100BASE-TX Ethernet interface, you can use a
category-5 twisted pair cable, as shown in the following figure:
Figure 1-4 Ethernet cable
Ethernet cables fall into two types: straight-through cable and
crossover cable.
• Straight-through cable: The RJ-45 connectors at the two
  ends have the same pinouts. The cable is used in the
  connection between a terminal device (for example, PC) or
  firewall and a HUB or LAN switch. The F100-C-EI is shipped
  with straight-through cables.
• Crossover network cable: The RJ-45 connectors at the two
  ends have different pinouts. The cable is used in the
  connection between a terminal device (for example, PC) or
  firewall and another terminal device (such as a PC) or
  firewall. You can make crossover cables on the site.
Caution:
When preparing Ethernet cables, use shielded cables preferentially
for electromagnetic compatibility (EMC).
Chapter 2 Preparing for Installation
2.1 Site Requirements
The F100-C-EI must be used indoors. To ensure its proper
operation and extend its longevity, install it in an environment that
meets the requirements described in the following subsections.
2.1.1 Temperature and Humidity Requirements
The equipment room must maintain adequate temperature and
humidity.
• Long-lasting high humidity tends to cause poor insulation
  and even electricity creepage. Changes in the mechanical
  performance of materials, and rust and corrosion of some
  metal parts, are also likely to occur.
• If the relative humidity is too low, the captive screws can
  become loose due to insulation washer contraction.
  Meanwhile, static electricity is likely to be produced in dry
  environments, jeopardizing the CMOS circuits of the
  product.
• The higher the temperature is, the greater the damage to
  your device. Long-lasting high temperature can speed up
  the aging of the insulation materials, greatly lower the device
  reliability, and hence significantly shorten its service life.
The following table lists the temperature and humidity
requirements.
Table 2-1 Temperature/humidity requirements in the equipment
room
Temperature                    Relative humidity
0°C to 45°C (32°F to 113°F)    10% to 95% (noncondensing)
2.1.2 Cleanness Requirements
I. Dust prevention requirements
Dust undermines the normal operation of your device. Dust on
the equipment can cause electrostatic adsorption, which degrades the
contact performance of the metal connectors or connection points.
This not only shortens the service life of your device, but also causes
communication failures.
This is more likely to happen when the relative humidity in the
equipment room is too low.
The dust content in the equipment room must not exceed
the limit shown in the following table:
Table 2-2 Limitation on dust content in equipment room
Substance    Content (particles/m³)
Dust         ≤ 3 × 10⁴
             (No visible dust on desk over three days)
II. Harmful gas limits
There are rigorous limits on the content of salts, acids and
sulfides in the air. These harmful gases will speed up metal rusting
and the aging processes of certain parts. The specific limits of these
harmful gases are given in the following table.
Table 2-3 Harmful gas limits in the equipment room
Gas     Maximum (mg/m³)
SO₂     0.2
H₂S     0.006
NH₃     0.05
Cl₂     0.01
2.1.3 ESD-Preventive Requirements
I. Static electricity sources and harms
On the communication network connected to your device, the
static electricity mainly comes from:
• Outside electrical fields, such as outdoor high-voltage
  power cables and lightning.
• Indoor environments, floor materials and internal
  systems such as the equipment frame.
Although many antistatic considerations have been given to your
device, damage to the device's circuits or even the whole equipment
may still happen when the static electricity exceeds the tolerance
threshold.
ESD-preventive measures
To prevent ESD damage, observe the following:
• Ensure that your device and the floor are well grounded.
• Keep the equipment room clean.
• Maintain suitable temperature and humidity.
• Wear an ESD-preventive wrist strap and antistatic garments
  when handling the circuit board.
• Place the removed circuit board on an ESD-preventive
  workbench right-side up or in an antistatic bag.
• Hold the removed circuit board only by its outer edge when
  observing or moving it. Do not touch the components on it.
II. Wear an ESD-Preventive wrist strap
Take the following steps to wear the ESD-preventive wrist strap.
1) Put the ESD-preventive wrist strap around your wrist.
2) Fasten the wrist strap and ensure it has good contact with
your skin.
3) Attach the strap-end of the grounding wire to the wrist strap.
4) Attach the alligator clip at the other end of the grounding
wire to the rack.
5) Make sure that the rack is well grounded.
Figure 2-1 Wear an ESD-preventive wrist strap
2.1.4 Electromagnetic Environment Requirements
All interference sources, wherever they are from, affect the
firewall negatively through the conduction patterns of capacitance
coupling, inductance coupling, electromagnetic wave radiation, and
common impedance (including the grounding system) coupling. To
resist the interference, observe the following:
• Take effective measures against the interference caused by
  the electrical power grid.
• Do not use the same grounding system for the ground of your
  firewall device and the power equipment ground or the
  lightning protection ground.
• Keep the device far from heavy-duty radio transmitters,
  radar transmitters, and high-frequency devices.
• Use electromagnetic shielding when necessary.
2.1.5 Lightning Protection Requirements
Although the F100-C-EI is designed to be lightning resistant, your
device can get damaged when excessive lightning is present. To
protect your device against lightning:
• Ensure the chassis is connected to earth ground.
• Ensure the ground point of the power socket is well
  connected to earth ground.
• Add a lightning arrester to the front end of the power input to
  better protect the power supply against lightning strikes.
2.1.6 Checking the Workbench
When installing the device on a workbench, make sure that:
• The workbench is firm enough to support the weight of the
  device and its installation accessories.
• The workbench is well grounded.
2.1.7 Rack-Mounting Requirements
When installing the device in a rack, make sure that:
• The firewall is installed in an open rack. However, if you
  want to mount it in a closed rack, make sure that the rack
  has a good ventilation system.
• The rack is stable enough and can support the weight of the
  firewall and the installation accessories.
• The rack dimensions meet the requirements for installing the
  firewall. Adequate clearance is provided at the left and right
  sides of the rack for good ventilation.
• For adequate ventilation and easy equipment maintenance,
  it is recommended that you keep 0.8 meters of
  clearance between the rear/front of the firewall rack and the
  wall surface or other devices. The net height of the
  equipment room should be at least 3 meters.
2.2 Safety Precautions
2.2.1 Safety Signs
Firewalls play a key role in data communications networks. When
reading this manual, pay attention to the following signs:
Warning: appears throughout this manual in procedures
that, if performed incorrectly, may cause bodily injury to the operator or
damage the firewall.
Caution: appears in procedures that, if performed
incorrectly, may affect the operation of the router.
2.2.2 General Safety Recommendations
• Keep the chassis and installation tools away from walk
  areas.
• Keep the firewall away from wet places and heat
  sources.
• Remove all external cables before moving the chassis.
2.2.3 Safety Recommendations against Electricity
• Locate the switch of the power source so that you can turn it
  off in case of emergency during device installation
  and maintenance. Unplug the power cord of the device
  when necessary.
• Ensure that the firewall is grounded well.
• Do not open or close the chassis cover with the device
  powered on.
• Ensure that the firewall interface cables are connected
  correctly.
• An uninterruptible power supply (UPS) is recommended.
• Avoid maintaining the firewall alone with power on.
2.3 Tools, Meters, and Instruments
I. Tools
• Phillips screwdrivers
• Flat-blade screwdrivers
• ESD-preventive wrist strap
• Static shielding bag
II. Cables
• PGND wire and power cord
• Console cable
• Optional cables
III. Meters and instruments
• HUB or LAN switch
• Console terminal (or PC)
• Multimeter
Note:
The firewall is not shipped with installation tools, instruments or
related devices.
Chapter 3 Installing the Firewall
3.1 Installation Flow
[Flowchart. Nodes: Start; Where to install the firewall (On a
workbench / In a rack); Check the workbench; Install the rack;
Connect the ground wire; Connect the power cord; Connect the firewall
with console terminal; Verify the installation; Power up the firewall;
Normal? (Yes / No); Power off; Troubleshoot; Connect the firewall to
Ethernet; Connect the firewall to WAN; Verify installation; End]
Figure 3-1 Firewall installation flow
3.2 Installing the F100-C-EI
The F100-C-EI can be installed either in a standard 19-inch rack
or on a workbench.
3.2.1 Installing the Firewall on a Workbench
If you do not have a standard 19-inch rack, you can install your
device on a workbench. To prevent any damage, observe the
following:
• Make sure that the length and width of the workbench are
  enough to hold the firewall chassis.
• Make sure that the workbench is stable and grounded well.
• Make sure that the workbench is sturdy enough to support
  the weight of the firewall and installation accessories.
• Reserve at least 10 cm of clearance around the firewall for
  heat dissipation.
• Do not place any object on the firewall chassis, to avoid
  damaging the device and lowering the heat dissipation.
3.2.2 Installing the Firewall in a Rack
I. Install mounting brackets on the firewall
1) Mounting bracket structure
Figure 3-2 Mounting bracket structure
2) Install the mounting brackets on the firewall
Fix the mounting brackets to the two sides of the front panel of the
firewall chassis with screws, as shown in the figure.
Figure 3-3 Install the mounting brackets on the firewall
II. Install the firewall in a rack
1) Ensure that the rack is stable and properly grounded.
2) After the firewall is installed with the mounting brackets, fix
the mounting brackets to the rack firmly using pan head
screws (M6 or a smaller size, antirust treated), and ensure
the firewall chassis is level.
Figure 3-4 Fix the firewall on the rack
3.3 Connecting the PGND Wire
Warning:
The correct connection of protection ground (PGND) wire is essential
for safeguarding the firewall against lightning strikes and interference.
Therefore, first correctly connect the PGND wire before installing and
using the firewall.
The AC input end of the firewall is connected to a noise filter
whose ground point is connected to the chassis directly. This ground is
called PGND or chassis ground. The PGND must be properly
connected to the earth to channel induced currents and creepage
currents safely to the earth, improve the device’s electromagnetic
compatibility (EMC) performance, and protect the device against
lightning voltages introduced by external network cables.
On the rear panel of the firewall, the grounding screw resides at
the bottom right by a grounding mark, as shown in Figure 3-5.
(1) Grounding hole (2) OT terminal
(3) Grounding screw (4) PGND wire
(5) Grounding mark
Figure 3-5 Connect the grounding terminal to the firewall
To connect the PGND wire, follow the steps:
1) Remove the grounding screw from the chassis.
2) Insert the grounding screw into the OT terminal of the PGND
wire.
3) Fix the grounding screw with the OT terminal to the
grounding hole in the chassis, and fasten it with a screw
driver.
4) Connect the other end of the PGND wire to the earth ground.
Generally, the equipment room has a grounding strip, to
which you can connect the PGND wire of the firewall. To
connect the PGND wire to the grounding strip, peel 15 mm
of insulation sheath using a wire stripper, and wrap the bare
metal wire clockwise around the ground post. Then fix the
PGND wire to the ground post using a hex nut. If a
grounding strip is not available, connect the metal wire core
directly to the earth ground.
(1) Hex nut (2) PGND wire
(3) Bare metal wire (4) Grounding post
(5) Grounding strip
Figure 3-6 Connect PGND wire to grounding strip
Note:
The resistance reading between the firewall chassis and the earth
ground must be less than 5 ohm.
3.4 Connecting the Power Cord
I. AC power supply
AC power input range: 100 to 240 VAC, 50/60 Hz
II. AC power source socket
• You are recommended to use a three-wire single-phase
power socket with a neutral point.
• The neutral point of the socket must be grounded reliably.
Normally, the neutral point of the power source in a building
was buried in the earth during construction and cabling.
• Make sure that the power source in the building is properly
grounded before connecting the AC power cord.
III. Connect the AC power cord
1) Make sure the PGND is properly connected to earth ground.
2) Connect one end of the AC power cord shipped with the
device to the AC input socket on the chassis and the other
end to the AC mains supply.
Figure 3-7 Connecting the AC power cord
3) Check the status of the PWR LED on the front panel. For
LED status description, refer to Table 1-2 on page 1-5.
Caution:
If the PWR LED does not light up after the above procedure is
repeated several times, refer to Chapter 6 “Troubleshooting” on page
6-1 in this manual.
3.5 Connecting Interface Cables
3.5.1 Connecting the Console Cable
Follow these steps to connect the console cable:
1) Select a console terminal.
The console terminal can be a standard ASCII terminal
possessing an RS-232 serial port, or, more often, a common PC.
2) Connect the console cable.
Disconnect the firewall from the power source. Plug the RJ-45
connector of the console cable into the console port of the firewall, and
the DB-9 (female) connector into the serial port of the console
terminal.
3) Verify the connection and power on the firewall.
The console terminal should display the startup information of the
firewall. For details, refer to Figure 3-8.
Figure 3-8 Connect the console cable
3.5.2 Connecting the Ethernet Cables
Follow these steps to connect the Ethernet cables:
1) Connect one end of the Ethernet cables to the fixed Ethernet
interfaces of the firewall and the other end to the peer
devices. Because 10 Mbps/100 Mbps Ethernet interfaces
support MDI/MDIX auto-sensing, you can use either a
straight-through cable or a crossover cable when connecting
such a port to a hub or LAN switch.
2) After powering on the firewall, check the status of the LINK
LEDs for the fixed Ethernet interfaces. For the LINK LED
status description, refer to Table 1-2 on page 1-5.
3.6 Verifying Installation
Each time before you power on the firewall during installation,
verify that:
• Enough room has been left around the firewall chassis for
adequate heat dissipation and the workbench is stable.
• The power source fits the firewall.
• The PGND wire of the firewall is correctly connected.
• The firewall has been correctly connected to other devices,
such as a console terminal.
Caution:
Installation verification is extremely important, because the normal
functioning of the firewall relies on its firm installation, proper
grounding, and correct power feed.
Chapter 4 Starting and Configuring the
Firewall
4.1 Setting up the Configuration Environment
4.1.1 Connecting the Firewall to the Console Terminal
For how to connect the firewall to the console terminal, refer to
section 3.5 “Connecting Interface Cables” on page 3-8.
4.1.2 Setting Terminal Parameters
1) Set up a HyperTerminal connection. Select Start > All
Programs > Accessories > Communications >
HyperTerminal, type a connection name as shown in
Figure 4-1, and click OK.
Figure 4-1 Set up a new connection
2) Select a connection port. Choose the serial port to be
connected in the Connect using field, as shown in Figure
4-2. The serial port should be the same port connected to
the console cable.
Figure 4-2 Set the connection port
3) Set the serial port parameters.
In the popup property dialog box, set the connection parameters
as follows:
Figure 4-3 Set serial port parameters
4) Click OK after setting the serial port parameters, to open the
HyperTerminal window.
Figure 4-4 HyperTerminal window
5) Set HyperTerminal properties. Select File > Properties >
Settings in HyperTerminal to open the properties setting
window. Choose VT100 or Auto detect for emulation, and
click OK to return to the HyperTerminal window.
Figure 4-5 Set terminal emulation type
4.2 Powering On the Firewall
4.2.1 Checking before Power-on
Check before powering on the firewall to ensure that:
• Both the power cord and the PGND wire are correctly
connected.
• The power source voltage meets the requirement of the
firewall.
• The console cable is correctly connected, the configuration
PC or console terminal is running, and the relevant
parameters have been set on it.
Warning:
Locate the emergency power switch in the equipment room before
powering on the firewall so that you can cut off the power immediately
in case of accident.
4.2.2 Powering On the Firewall
Turn on the power switch of the firewall.
4.2.3 Checking the Firewall
After the firewall is powered on, check the device to ensure that:
• The LEDs on the front panel of the chassis indicate the
normal working condition of the firewall. See Table 1-2 on
page 1-5 for more information on LED state.
• The console terminal display is correct. After powering on
the firewall, you can see the startup interface on the console
terminal.
• After the Power-On Self-Test (POST), press Enter as
prompted. When “[H3C]” appears, you can proceed to
configure the firewall.
4.3 Booting Process
The screen displays the following information during the startup
of the F100-C-EI.
*************************************************
* *
*H3C SecPath Series Firewall BOOTROM, Version 1.15*
* *
*************************************************
Copyright (c) 1998-2008 Hangzhou H3C Technologies
Co., Ltd.
Compiled at Sat Apr 12 15:45:38 , CST 2008.
Testing memory...OK!
64M bytes SDRAM Memory
8M bytes Flash memory
Hardware Version is 1.0
CPLD Version is 1.0
Press Ctrl-B to enter Boot Menu
System is self-decompressing.........................
System is starting...
User interface Con 0 is available.
Press ENTER to get started
Press Enter. The system displays (if login authentication is not
enabled):
<H3C>
The prompt indicates that the firewall has entered user view and is
ready to be configured.
4.4 Configuration Outlines
In general, the configuration steps are as follows:
1) Before configuring your firewall, you should make the
networking requirements clear and specific, including
networking purpose, the role of the firewall in the network,
division of subnets, WAN type, transmission medium,
network security policy and reliability.
2) Draw a clear and complete networking diagram according to
the elements specified in step 1).
3) Configure parameters and the protocols to be used for the
Ethernet interface connected with another firewall according
to the peer firewall.
4) Configure IP addresses for the interfaces on the firewall.
5) Configure routes. If it is necessary to start a dynamic routing
protocol, configure the related operating parameters for the
protocol.
6) Configure security related parameters for the firewall as
required.
7) If special reliability is required, perform reliability
configuration for the firewall.
For more information on the configuration of protocols and
functions for the firewall, see the Operation Manual and Command
Manual of the corresponding product.
4.5 Command Line Interface
4.5.1 Features of the Command Line Interface
The command line interface (CLI) of the firewall offers many
configuration commands for you to configure and manage the firewall.
The CLI provides approaches to:
• Configure the local device through the console port.
• Log in to and manage the local device or a remote firewall
through telnet.
• Grant users different levels of rights to configure the firewall.
• Get online help whenever you type ?.
• Test network connectivity quickly with network diagnostic
tools, such as tracert and ping.
• View detailed debugging information for network
troubleshooting.
• Run a command by entering just the non-conflicting part of the
command word and keywords. For example, you simply
need to enter “dis” for the display command.
Note:
In system view, all the commands are divided into several groups for
the convenience of management, each being associated with a view.
You can switch between the views by executing the proper commands.
Most commands can be executed only in their respective views, while
some commonly used commands, such as ping and display, can be
executed in any view.
Chapter 5 Maintaining Software
The firewall maintains three types of files:
• Boot ROM program files
• Application program files
• Configuration files
Software maintenance of the firewall is primarily the maintenance
of these files, including the upload and download of Boot ROM
programs, application programs, and configuration files.
Caution:
Ensure uninterrupted power supply when you upgrade Boot ROM or
application program or modify Boot menu parameters. A power failure
in such a process will cause loss of the Boot ROM or application
program. If you see a message indicating that the Boot ROM or
application program is lost when the system boots, follow the
instructions in this chapter to upgrade the Boot ROM and application
programs.
5.1 Boot Menu
This section introduces the Boot menu, which is used during the
software maintenance of a firewall.
Boot the firewall, and press Ctrl+B when the system displays
“Press Ctrl-B to enter Boot Menu”. The system then displays:
Please input Boot ROM password :
Caution:
• To enter the Boot Menu, press Ctrl+B within three seconds after
the information “Press Ctrl-B to enter Boot Menu...” appears.
Otherwise, the system starts to decompress the program.
• To enter the Boot menu after the firewall starts the program
decompression process, reboot the firewall.
Type the correct password and press Enter. (If no Boot ROM
password is configured, just press Enter. If you fail to enter the correct
password three times consecutively, the system will be halted. You
need to restart the firewall in this case.) The system displays the
following Boot menu.
5.1.1 Boot Menu of the Firewall
Boot Menu:
1: Download application program with XMODEM
2: Download application program with NET
3: Display file in flash
4: Delete file from flash
5: Start up and ignore configuration
6: Enter debugging environment
7: Boot ROM Operation Menu
8: Do not check the version of the software
9: Exit and reboot
Enter your choice(1-9):
Note that:
• To download an application program using XModem, see
section 5.2 “Upgrading Application and Boot ROM
Programs Using XModem” on page 5-4.
• If option 5 is selected, the system starts up with the initial
configurations.
• If option 8 is selected, the system ignores the software
version of the Boot ROM program, its extended segment,
and application program for backward compatibility. If you
fail to upgrade the software because the system decides
that you are using an “invalid version” even when the correct
version is used, you can use option 7 to ignore the version
check during a software upgrading. Note that this option
works only once when you select it. The system resumes
version check after you reboot the firewall.
5.1.2 Boot ROM Operation Menu of the Firewall
As mentioned earlier, you can select 7 in the Boot menu to enter
the Boot ROM operation menu as follows:
Boot ROM Operation Menu:
1: Download Boot ROM with XModem
2: Download Extended Segment of Boot ROM with XModem
3: Restore Extended Segment of Boot ROM from FLASH
4: Backup Extended Segment of Boot ROM to FLASH
5: Exit to Main Menu
Enter your choice(1-5):
The menu provides approaches to Boot ROM upgrade, backup,
and restoration.
Caution:
When upgrading the firewall, make sure the version of the Boot ROM
software matches that of the application program.
5.2 Upgrading Application and Boot ROM
Programs Using XModem
You can use the console port to upgrade the software through
XModem.
5.2.1 Upgrading the Application Program
1) Enter the Boot Menu (see section 5.1 “Boot Menu” on page
5-1) and type 1 to download an application program through
XModem. The firewall supports the following download
speeds:
Please choose your download speed:
1: 9600 bps
2: 19200 bps
3: 38400 bps
4: 57600 bps
5: 115200 bps
6: Exit to Main Menu
Enter your choice(1-6):
2) Select an appropriate download speed. For example, type 5
to select 115200 bps. The firewall will display the following
information:
Download speed is 115200 bps. Change the terminal's speed
to 115200 bps, and select XModem protocol. Press <ENTER>
key when ready.
3) Because the baud rate of the firewall is now 115200 bps,
while that of the console terminal is 9600 bps, the two sides
cannot communicate. Therefore, you need to change the
Bits per second setting to 115200 in HyperTerminal before
pressing Enter.
Step 1: Select Call > Disconnect in the HyperTerminal window.
Figure 5-1 Disconnect the console terminal
Step 2: Select File > Properties, click Configure and change the
baud rate to 115200. Then click OK.
Figure 5-2 Modify baudrate
Step 3: Press Enter to start downloading. The system displays:
Waiting ...CCCCC
4) Select Transmit > Send File in the terminal window. The
following dialog box pops up:
Figure 5-3 Send file dialog box
5) Click Browse. Select the application file to be downloaded,
and select Xmodem from the Protocol dropdown list. Then
click Send. The following interface will pop up:
Figure 5-4 Send file interface
6) After completing the download, the system begins writing
data to the flash memory and then displays the following
information on the terminal interface, indicating the
completion of the download:
XMODEM download completed.Packet length 6560000 bytes.
System file length 4142973 bytes,http.zip file length
2416958 bytes.
Writing file flash:/system to FLASH...
Please wait, it may take a long time
#######################################################
#
Writing into Flash Succeeds.
Writing file flash:/http.zip to FLASH...
Please wait,it may take a long time
#######################################################
#################
Writing into Flash Succeeds.
Please use 9600 bps.Press <ENTER> key to exit to Main Menu.
At this prompt, change the Bits per second setting back to 9600
in HyperTerminal, and press Enter. The system starts up normally.
5.2.2 Upgrading the Boot ROM Program
1) Enter the Boot menu (see section 5.1 “Boot Menu” on page
5-1) and select 7 to enter the Boot ROM operation menu.
2) Select 1 in the Boot ROM operation menu to download the
Boot ROM program using XModem. Several speed options
are available for you. The subsequent steps are the same as
those described in section 5.2.1 “Upgrading the Application
Program” on page 5-4.
Caution:
If you fail to upgrade the entire Boot ROM program, you will be unable
to roll back to the original Boot ROM program version on the site.
Therefore, you are recommended to upgrade the entire Boot ROM
program only when necessary and under the direction of technical
support engineers.
5.2.3 Upgrading the Extended Segment of the Boot
ROM Program
1) Enter the Boot menu (see section 5.1 “Boot Menu” on page
5-1) and select 7 to enter the Boot ROM operation menu.
2) Select 2 in the Boot ROM operation menu to upgrade the
extended segment of the Boot ROM using XModem.
Several speed options are available for you. The
subsequent steps are the same as those described in
section 5.2.1 “Upgrading the Application Program” on page
5-4.
Caution:
This upgrade approach is only used to upgrade a portion of the Boot
ROM program, so you may make a second attempt if an error occurs.
5.3 Upgrading Application Program Using
TFTP
When you upgrade an application program using TFTP, you use
the firewall as a TFTP client, which must be connected with a TFTP
server through a fixed Ethernet interface.
Caution:
The F100-C-EI does not come with the TFTP server program. You
need to make it available by yourself.
1) Set up an upgrade environment
Figure 5-5 Set up an upgrade environment through TFTP
2) Start the TFTP server
Start the TFTP server on the PC connected to the Ethernet
interface on the firewall and set the path for the file to be downloaded.
3) Configure the firewall
Step 1: Access the TFTP configuration status.
Start the firewall and enter the Boot menu (see section 5.1).
Select 2 to enter the Net Port Download Menu. The system displays
the following message:
Net Port Download Menu:
1: Change Net Parameter
2: Download From Net
3: Exit to Main Menu
Enter your choice(1-3):
Step 2: Configure TFTP parameters.
Enter 1 to configure the network interface parameters (including
the interface in use and the IP address and subnet mask of the
interface) and the TFTP server parameters (including the IP address
of the Ethernet interface on the TFTP server and the file name of the
application program).
Change Download parameter
Download device :WAN
Download file(Max 60 char) :update.bin
IP address of WAN :192.168.1.1
Subnet mask for WAN :255.255.255.0
IP address of the server :192.168.1.2
IP address of the gateway :192.168.1.10
Caution:
• The upgrade should be performed through interface WAN on the
firewall.
• The item “IP address of the server: [192.168.1.10]” must be set to
the IP address of the TFTP server connected to the Ethernet
interface on the firewall.
• You are recommended to configure the IP addresses of the TFTP
server network interface and that of interface WAN on the firewall
into the same network segment.
Step 3: Confirm configuration parameters.
Saving the net configuration, are you sure?[Y/N]
After you input the last parameter value and press Enter, the
system displays the following message and returns to the Net Port
Download Menu:
Saving config, please wait...OK!
Net Port Download Menu:
1: Change Net Parameter
2: Download From Net
3: Exit to Main Menu
Enter your choice(1-3):
4) Download application program using TFTP.
Type 2 to download the application program using TFTP. The
system displays the following message:
Starting the TFTP download...............................
.......................................................
.......................................................
.......................................................
TFTP download completed, Packet length 6559931 bytes.
System file length 4142973 bytes, http.zip file length
2416958 bytes.
Writing file flash:/system to FLASH...
Please wait, it may take a long time
#######################################################
#######################################################
####################################################
Writing into Flash Succeeds.
Writing file flash:/http.zip to FLASH...
Please wait, it may take a long time
#######################################################
#######################################################
###########################################
Writing into Flash Succeeds.
The download is successful. Press Enter to reboot the system.
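The completion messages shown in sections 5.2.1 and 5.3 can be checked mechanically when a console session is logged. The following is an added example, not part of the H3C manual or software: it parses the summary, confirms that the system and http.zip lengths add up to the packet length, and confirms that every flash write reported success. It assumes the last XModem block is padded to 128 bytes, which is consistent with the two packet lengths printed on this page; check_transfer and expected_size are names chosen for this example.

```python
import re

XMODEM_BLOCK = 128  # assumption: the last XModem block is padded to 128 bytes

# Console text from this page; the '#' progress bars are shortened.
XMODEM_LOG = """\
XMODEM download completed.Packet length 6560000 bytes.
System file length 4142973 bytes,http.zip file length
2416958 bytes.
Writing file flash:/system to FLASH...
Please wait, it may take a long time
#####
Writing into Flash Succeeds.
Writing file flash:/http.zip to FLASH...
Please wait,it may take a long time
#####
Writing into Flash Succeeds.
Please use 9600 bps.Press <ENTER> key to exit to Main Menu.
"""

TFTP_LOG = """\
TFTP download completed, Packet length 6559931 bytes.
System file length 4142973 bytes, http.zip file length
2416958 bytes.
Writing file flash:/system to FLASH...
Please wait, it may take a long time
#####
Writing into Flash Succeeds.
Writing file flash:/http.zip to FLASH...
Please wait, it may take a long time
#####
Writing into Flash Succeeds.
"""

# Constructed failure case (not from the page): the lengths do not add up and
# the second flash write never reports success.
FAILED_LOG = """\
XMODEM download completed.Packet length 6560000 bytes.
System file length 4142973 bytes,http.zip file length
2000000 bytes.
Writing file flash:/system to FLASH...
#####
Writing into Flash Succeeds.
Writing file flash:/http.zip to FLASH...
#####
"""

SUMMARY_RE = re.compile(
    r"(?P<proto>XMODEM|TFTP) download completed[.,]\s*"
    r"Packet length (?P<packet>\d+) bytes\.\s*"
    r"System file length (?P<system>\d+) bytes,\s*"
    r"http\.zip file length (?P<http>\d+) bytes\."
)
WRITE_RE = re.compile(r"Writing file (flash:/\S+) to FLASH\.\.\.")


def check_transfer(console_text, expected_size=None):
    """Check a logged upgrade session; expected_size is the local image size."""
    text = " ".join(console_text.split())  # undo terminal line wrapping
    result = {"ok": False, "padding": None, "written": [], "problems": []}
    match = SUMMARY_RE.search(text)
    if match is None:
        result["problems"].append("no download summary found")
        return result

    packet, system, http = (int(match[k]) for k in ("packet", "system", "http"))
    payload = system + http
    padding = packet - payload
    result["padding"] = padding

    if match["proto"] == "TFTP":
        lengths_ok = padding == 0  # TFTP carries the exact file length
    else:
        lengths_ok = packet % XMODEM_BLOCK == 0 and 0 <= padding < XMODEM_BLOCK
    if not lengths_ok:
        result["problems"].append(
            f"packet length {packet} does not match payload {payload}")
    if expected_size is not None and payload != expected_size:
        result["problems"].append(
            f"payload {payload} differs from local image size {expected_size}")

    # WRITE_RE.split yields [prefix, name1, body1, name2, body2, ...]
    parts = WRITE_RE.split(text)[1:]
    for name, body in zip(parts[0::2], parts[1::2]):
        if "Writing into Flash Succeeds." in body:
            result["written"].append(name)
        else:
            result["problems"].append(f"{name}: no flash write confirmation")

    result["ok"] = not result["problems"]
    return result


if __name__ == "__main__":
    for label, log in (("xmodem", XMODEM_LOG), ("tftp", TFTP_LOG),
                       ("failed", FAILED_LOG)):
        print(label, check_transfer(log))
```

A matching length shows that the whole file arrived and was written; it does not show that the image is the one the vendor released.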
5.4 Uploading/Downloading a Program/File
Using FTP
The F100-C-EI can act as an FTP server. Any FTP clients (local
or remote) connected to the firewall can update configuration files or
upgrade application/Boot ROM programs using FTP. Any FTP client
(local or remote) can upload/download configuration files and
application programs after passing the authentication. The following
subsections describe the procedures.
Note:
• Upload refers to transferring files from an FTP client to the firewall,
that is, the put operation.
• Download refers to transferring files from the firewall to an FTP
client, that is, the get operation.
1) Set up an upload/download environment
Figure 5-6 Set up an upload/download environment using FTP
Step 1: Connect the PC to the WAN interface on the firewall, and
ensure the firewall and the PC can communicate. Assign an IP
address, 10.110.10.10 for example, to the WAN interface on the
firewall. The IP address of the PC is 10.110.10.13.
Step 2: Copy the application program/Boot ROM/configuration
file to a directory, “C:\version” for example.
2) Start the FTP server
Step 1: Add a username.
[H3C] local-user 123
123 is the username.
Step 2: Add the password.
[H3C-luser-123] password simple 123
Step 3: Add the service type and specify the FTP directory.
[H3C-luser-123] service-type ftp ftp-directory Flash:
Step 4: Add an authority level.
[H3C-luser-123] level 3
Step 5: Enable the FTP server.
[H3C] ftp server enable
Upon the completion of these operations, any FTP client program
can use the username and password to log on to the FTP server.
3) Upload/download an application program/configuration file
and upload the Boot ROM program
Step 1: Enter the directory containing the application file, Boot
ROM program or configuration files in the DOS mode. Execute the ftp
command to set up an FTP connection with the firewall. For example:
C:\version>ftp 10.110.10.10
If the connection is set up, the following message appears (taking
Microsoft Windows 98 for example):
Connected to 10.110.10.10
220 FTP service ready.
User(10.110.10.10:(none)):
Step 2: Log on to the FTP server with the username and
password set on the firewall.
User(10.110.10.10:(none)): 123 Type the username
331 Password required for 123.
Password: Type the password (not displayed)
230 User logged in.
ftp>
At the prompt ftp>, begin uploading/downloading the desired file.
Step 3: Upload/download the application program/configuration
file or upload Boot ROM program.
Note:
By default, the application file and configuration file on the firewall are
respectively named “system” and “config.cfg”, the file of the extended
Boot ROM program segment is named “bootrom”, and the entire Boot
ROM file name defaults to “bootromfull”.
• Upload the application program/Boot ROM/configuration
file.
ftp> put Put means uploading the file.
local file Type the name of the application
program/Boot ROM/configuration file to be uploaded.
remote file Type the name of the application
program/Boot ROM/configuration file to be saved after it
is uploaded to the firewall.
After the upload is completed, the prompt ftp> will be displayed
again. Type dir to display the name and size of the file on the firewall.
The size of the configuration file will be the same as that of the file on
the host if the upload is successful.
Caution:
• When using FTP to upgrade the application program, make sure
that the firewall has enough free space on the flash memory. If the
free space is not enough, you need to use the delete /unreserved
command to permanently delete outdated files or other files;
otherwise, new files cannot be uploaded.
• The Boot ROM upgrade is not complete after the Boot ROM
program is uploaded by using the put command. To complete the
upgrade, use the upgrade bootrom [ full ] command to
decompress the bootrom/bootromfull program from the root
directory in the flash memory and write it to the Boot ROM.
• After uploading the application program into the flash memory,
rename the program file to “system” to make the program take
effect at next startup.
• After uploading configuration files into the flash memory, rename
the file to “config.cfg” to make the files take effect at next startup of
the system, or use the startup saved-configuration command to
set the attribute of the file so that it will be used at the next startup.
• Download application program files or configuration files
ftp> get Get means downloading the file.
remote file Type the name of the application
program/configuration file to be downloaded.
local file Type the name of the application
program/configuration file to be saved after it is
downloaded to the local end.
Step 4: Upon completion of the upload/download, quit the FTP
client program using the following command.
ftp> quit
4) Detach the Web file.
After the download using FTP is completed, if the Web
application file is included in the application program, detach it from
the application program using the detach command.
<H3C> detach system
System file length 7856557 bytes, http file length
834724 bytes.
<H3C> dir
Directory of flash:/
0 -rw- 8691281 Jun 16 2009 06:46:36 system
1 -rw- 1830 Jun 17 2009 07:47:16 config.cfg
2 -rw- 834724 Jun 18 2009 02:22:39 http.zip
If the Web file is not included, the system gives the corresponding
prompt. The Web file name defaults to http.zip.
5.5 Maintaining Application Program and
Configuration Files
5.5.1 Displaying Files
I. Display all files using the Boot menu
After entering the Boot menu, type 3. The system displays the
following information:
File Number File Size(bytes) File Name
=======================================================
1. 4142973 system
2. 4 snmpboots
3. 151 private-data.txt
4. 1501 config.cfg
5. 2416958 http.zip
Free Space : 584704 bytes
II. Display all files using CLI
<H3C>dir /all
Directory of flash:/
1 -rw- 4142973 Feb 05 2000 02:46:22 system
2 -rwh 4 Feb 12 2000 03:51:49 snmpboots
3 -rwh 151 Feb 05 2000 10:47:37 privatedate.txt
4 -rw- 1501 Jan 24 2000 22:25:22 config.cfg
5 -rw- 2416958 Feb 05 2000 09:42:49 http.zip
6985 KB total (572 KB free)
<H3C>
5.5.2 Deleting a File
I. Delete a file using the Boot menu
After entering the Boot menu, type 4. The system displays the
following information:
File Number File Size(bytes) File Name
=======================================================
1. 4142973 system
2. 4 snmpboots
3. 151 private-data.txt
4. 1501 config.cfg
5. 2416958 http.zip
Free Space : 584704 bytes
Please input the file number to delete:
Type 3 and press Enter. The system displays:
The file you select is private-data.txt, delete it, are you
sure?[Y/N]
Type y. The system displays:
Delete file...done!
II. Delete a file using CLI
In user view, type the command delete [ /unreserved ] file-url to
delete a file. In the command,
• /unreserved: means that the file will be deleted
permanently.
• file-url: indicates the file to be deleted.
# Delete file config.cfg in the root directory.
<H3C> delete flash:/config.cfg
Delete flash:/config.cfg?[Y/N]:y
%Delete file flash:/config.cfg...Done.
5.6 Backing Up and Restoring the Extended
Segment of the Boot ROM Program
5.6.1 Backing Up the Extended Segment of Boot ROM
Program in Flash
Follow these steps to back up the extended segment of the Boot
ROM program.
1) Enter the Boot menu as described in section 5.1 “Boot
Menu” on page 5-1. Type 7 to enter the Boot ROM operation
menu.
2) Select 4 in the Boot ROM operation menu to copy the
current extended segment of the Boot ROM program to flash
memory.
Backup Extended Segment, are you sure?[Y/N]
Type y to begin the backup.
If the backup attempt is successful, the system displays:
Writing to FLASH.Please wait...
Backuping Boot ROM program to FLASH successed!
3) When the Boot ROM operation menu appears again, type 5
to return to the Boot menu. Type 9 to restart the firewall to
complete the backup.
5.6.2 Restoring the Extended Segment of the Boot
ROM Program from the Flash
If the extended segment of the Boot ROM program becomes faulty
or is upgraded incorrectly, you can restore the extended segment
saved in the flash memory to the Boot ROM by following these steps:
1) Enter the Boot menu, and select 7 to enter the Boot ROM
operation menu.
2) Select 3 in the Boot ROM operation menu to restore the
extended segment of the Boot ROM program from the flash
memory.
Restore Extended Segment, are you sure?[Y/N]
Type y to begin the restoration.
If the restoration attempt is successful, the system displays:
Writing to Boot ROM.Please wait...
Restoring Boot ROM program successed!
3) When the Boot ROM operation menu appears again, type 5
to return to the Boot menu. Type 9 to restart the firewall to
complete the restoration.
5.7 Recovering/Changing Password
5.7.1 Recovering/Changing User Password
If you forget your password, you can enter the system by ignoring
the system configuration.
Follow these steps to enter the system without a password:
1) Enter the Boot menu, and select 5.
The system displays:
Start up and ignore configuration, are you sure?[Y/N]y
Set Success!
This indicates the system has been set successfully.
2) When the Boot menu appears again, type 9 to restart the
system.
Exit and reboot, are you sure?[Y/N]y
System is rebooting now ...
3) Configure a new user password in system view after the
system reboots.
<H3C> system-view
[H3C] user-interface console 0
[H3C-ui-console0] authentication-mode password
[H3C-ui-console0] set authentication password simple 123456
The above commands set the console port authentication mode to
password authentication and set the console port password to
123456, stored in plain text.
Note:
• After the system restarts, it runs using the initial configuration, but
the previous configuration file is still stored in the storage medium.
To restore the previous configuration, use the display
saved-configuration command to display the previous
configuration, and then copy and execute the previous
configuration.
• If the password is stored in plain text, you can use the display
current-configuration command to view the password in the
current configuration. If you use the cipher keyword in the set
authentication password command, for example, set
authentication password cipher 123456, the password is stored
in cipher text.
4) Save your configuration.
[H3C] save
Note:
• Be sure to use the save command to save the modified user
password.
• It is recommended that you save your modification to the default
configuration file.
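The note in step 3 says a password set with the simple keyword can be read back from the configuration. The following added example (not part of the H3C manual) scans a saved copy of display current-configuration output and reports which user interfaces still store the password in plain text, without echoing the password. The sample configuration, its stanza layout and the vty entry are constructed assumptions.

```python
import re

# Constructed sample of `display current-configuration` output (not from the manual).
# Assumed layout: stanza header at column 0, its commands indented, "#" separators.
SAMPLE_CONFIG = """\
#
user-interface console 0
 authentication-mode password
 set authentication password simple 123456
user-interface vty 0 4
 authentication-mode password
 set authentication password cipher EXAMPLE-CIPHERTEXT
#
return
"""

UI_RE = re.compile(r"^user-interface (.+)$")
PASSWORD_RE = re.compile(r"^set authentication password (simple|cipher)\s+\S+$")


def audit_passwords(config_text):
    """Return (user_interface, storage, line_number) per password line.

    The password value is never captured, so the report is safe to share.
    """
    findings = []
    current_ui = None
    for number, raw in enumerate(config_text.splitlines(), start=1):
        if not raw.startswith(" "):
            # A line at column 0 opens a new stanza or is a "#" separator.
            header = UI_RE.match(raw.rstrip())
            current_ui = header.group(1) if header else None
            continue
        match = PASSWORD_RE.match(raw.strip())
        if match and current_ui is not None:
            findings.append((current_ui, match.group(1), number))
    return findings


def plaintext_interfaces(config_text):
    """User interfaces whose password was set with the `simple` keyword."""
    return [ui for ui, storage, _ in audit_passwords(config_text) if storage == "simple"]


if __name__ == "__main__":
    for ui, storage, number in audit_passwords(SAMPLE_CONFIG):
        state = "plain text" if storage == "simple" else "cipher text"
        print(f"line {number}: user-interface {ui}: password stored in {state}")
```

Any interface the script reports as plain text can be re-entered with the cipher keyword and saved, as described in steps 3 and 4.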
5.7.2 Recovering/Changing Boot ROM Password
If the Boot ROM password of the firewall is lost, contact your local
dealer.
You can use the Boot menu of the firewall to change the Boot
ROM password.
Start the firewall. When “System starts booting” appears on the
console terminal, press Ctrl+D. The system prompts:
Please input Boot ROM password:
Caution:
• To enter the Boot menu, be sure to press Ctrl+B within three
seconds after the “System starts booting” prompt appears on the
configuration terminal; otherwise, the system starts
decompressing the program.
• Restart the firewall if you want to enter the Loader menu after
entering the Boot ROM extended segment.
Type the correct password and press Enter. (If no Boot ROM
password has been set, just press Enter.) The system displays the
Boot Menu:
Boot Menu:
1: Download Boot ROM with XMODEM
2: Download Extended Segment of Boot ROM with XMODEM
3: Modify Boot ROM password
4: System booting from Flash
5: Do not check the version of Extended Segment of Boot ROM
6: Exit and reboot
Enter your choice(1-4):
Note that:
If option 4 is selected, the extended segment of the Boot ROM must
be backed up in the flash memory. Refer to section 5.6 “Backing Up
and Restoring the Extended Segment of the Boot ROM Program” on
page 5-22 for details.
If option 5 is selected, the system ignores the software version of
the Boot ROM program, its extended segment, and the application
program for backward compatibility. If you fail to upgrade the software
because the system decides that you are using an “invalid version”
even when the correct version is used, you can use this option to
ignore the version check during a software upgrade. Note that this
option works only once each time you select it. The system resumes
the version check after you reboot the firewall.
Type 3 in the Boot menu to change the Boot ROM password. The
system prompts:
Modify Boot ROM password,are you sure?[Y/N]y
Please input new password(Max 32 char):
Retype the new password(Max 32 char):
Saving the password...OK
Note:
A password is a string of up to 32 characters.
Chapter 6 Troubleshooting
6.1 Troubleshooting the Power System
Symptom:
The PWR LED does not light up.
Troubleshooting:
Check that:
• The power switch of the PSU is turned on.
• The power cord is connected correctly.
• The correct mains supply is used.
Caution:
Do not plug or unplug the power cord with the firewall switched on.
Contact your local dealer if the PWR LED does not light up after the
above operations.
6.2 Troubleshooting Configuration System
After the firewall is powered on and the system is normal, the
startup information is displayed on the console terminal. If the
configuration system has any faults, the console terminal may display
nothing or illegible characters.
I. No terminal display
Symptom:
The console terminal does not display any information after
POST of the firewall.
Troubleshooting:
1) Check that:
• The power system is working correctly.
• The Console cable is connected correctly.
2) If you cannot locate the problem yet, check the console
cable and the parameter settings of the terminal (for
example, HyperTerminal).
II. Illegible terminal display
Symptom:
The console terminal displays illegible characters after the POST
of the firewall.
Troubleshooting:
Verify that the baud rate is set to 9600, data bit to 8, stop bit to 1,
parity to none, flow control to none, and terminal emulation to VT100
or auto-detect. If the parameters do not match the above values,
please reconfigure them.