H3C SecPath F100-C-EI Firewall
Installation Manual
Hangzhou H3C Technologies Co., Ltd.
http://www.h3c.com
Manual Version: 5PW100-20080729
Copyright © 2008, Hangzhou H3C Technologies Co., Ltd.
and its licensors
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form
or by any means without prior written consent of Hangzhou H3C
Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro,
SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG,
V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are
trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the
property of their respective owners.
Notice
The information in this document is subject to change without notice.
Every effort has been made in the preparation of this document to
ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of
any kind, express or implied.
Technical Support
customer_service@h3c.com
http://www.h3c.com
About This Manual
Organization
H3C SecPath F100-C-EI Firewall Installation Manual is
organized as follows:
Chapter | Contents
1 Firewall Overview | Briefly introduces the product specifications, as well as the features and applications of the H3C SecPath F100-C-EI Firewall.
2 Preparing for Installation | Describes the requirements of the H3C SecPath F100-C-EI Firewall on installation site, the safety recommendations before and during installation, and the required tools.
3 Installing the Firewall | Introduces how to install the H3C SecPath F100-C-EI Firewall, as well as how to connect the power cord, and other cables.
4 Starting and Configuring the Firewall | Describes how to boot and configure the H3C SecPath F100-C-EI Firewall, including device startup, power-on, and initialization of system files, and so on.
5 Maintaining Software | Introduces how to maintain the software of the H3C SecPath F100-C-EI Firewall, including upgrading the software and updating the configuration files.
6 Troubleshooting | Describes some problems that may occur during installation and startup of the H3C SecPath F100-C-EI Firewall and how to solve them.
Conventions
The manual uses the following conventions:
I. GUI conventions
Convention | Description
Boldface | Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
> | Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
II. Symbols
Convention | Description
Warning | Means reader be extremely careful. Improper operation may cause bodily injury.
Caution | Means reader be careful. Improper operation may cause data loss or damage to equipment.
Note | Means a complementary description.
Related Documentation
In addition to this manual, each H3C SecPath Series Security
Products documentation set includes the following:
Manual | Content
H3C SecPath Series Security Products Operation Manual | Describes the features, specifications, and working principles of the H3C SecPath series gateways/firewalls, and how to configure and manipulate them.
H3C SecPath Series Security Products Command Manual | Describes the configuration commands for the H3C SecPath series gateways/firewalls, including syntax, complete command line, parameters, operation views, description and examples.
H3C SecPath Series Security Products Web Configuration Manual | Guides you through configuring the H3C SecPath series firewalls through Web interfaces.
Obtaining Documentation
You can access the most up-to-date H3C product documentation
on the World Wide Web at this URL: http://www.h3c.com.
The following are the columns from which you can obtain different
categories of product documentation:
[Products & Solutions]: Provides information about products and
technologies, as well as solutions.
[Technical Support & Document > Technical Documents]:
Provides several categories of product documentation, such as
installation, operation, and maintenance.
[Technical Support & Document > Product Support > Software]:
Provides the documentation released with the software version.
Documentation Feedback
You can e-mail your comments about product documentation to
info@h3c.com.
We appreciate your comments.
Environmental Protection
This product has been designed to comply with the requirements
on environmental protection. For the proper storage, use and disposal
of this product, national laws and regulations must be observed.
Table of Contents
Chapter 1 Firewall Overview
1.1 Brief Introduction
1.2 Physical Description
1.2.1 Front Panel
1.2.2 Rear Panel
1.3 Technical Specifications
1.4 LEDs
1.5 Fixed Interfaces
1.5.1 Console Port
1.5.2 Ethernet Interfaces
Chapter 2 Preparing for Installation
2.1 Site Requirements
2.1.1 Temperature and Humidity Requirements
2.1.2 Cleanness Requirements
2.1.3 ESD-Preventive Requirements
2.1.4 Electromagnetic Environment Requirements
2.1.5 Lightning Protection Requirements
2.1.6 Checking the Workbench
2.1.7 Rack-Mounting Requirements
2.2 Safety Precautions
2.2.1 Safety Signs
2.2.2 General Safety Recommendations
2.2.3 Safety Recommendations against Electricity
2.3 Tools, Meters, and Instruments
Chapter 3 Installing the Firewall
3.1 Installation Flow
3.2 Installing the F100-C-EI
3.2.1 Installing the Firewall on a Workbench
3.2.2 Installing the Firewall in a Rack
3.3 Connecting the PGND Wire
3.4 Connecting the Power Cord
3.5 Connecting Interface Cables
3.5.1 Connecting the Console Cable
3.5.2 Connecting the Ethernet Cables
3.6 Verifying Installation
Chapter 4 Starting and Configuring the Firewall
4.1 Setting up the Configuration Environment
4.1.1 Connecting the Firewall to the Console Terminal
4.1.2 Setting Terminal Parameters
4.2 Powering On the Firewall
4.2.1 Checking before Power-on
4.2.2 Powering On the Firewall
4.2.3 Checking the Firewall
4.3 Booting Process
4.4 Configuration Outlines
4.5 Command Line Interface
4.5.1 Features of the Command Line Interface
Chapter 5 Maintaining Software
5.1 Boot Menu
5.1.1 Boot Menu of the Firewall
5.1.2 Boot ROM Operation Menu of the Firewall
5.2 Upgrading Application and Boot ROM Programs Using XModem
5.2.1 Upgrading the Application Program
5.2.2 Upgrading the Boot ROM Program
5.2.3 Upgrading the Extended Segment of the Boot ROM Program
5.3 Upgrading Application Program Using TFTP
5.4 Uploading/Downloading a Program/File Using FTP
5.5 Maintaining Application Program and Configuration Files
5.5.1 Displaying Files
5.5.2 Deleting a File
5.6 Backing Up and Restoring the Extended Segment of the Boot ROM Program
5.6.1 Backing Up the Extended Segment of Boot Rom Program in Flash
5.6.2 Restoring the Extended Segment of the Boot Rom Program from the Flash
5.7 Recovering/Changing Password
5.7.1 Recovering/Changing User Password
5.7.2 Recovering/Changing Boot ROM Password
Chapter 6 Troubleshooting
6.1 Troubleshooting the Power System
6.2 Troubleshooting Configuration System
List of Figures
Figure 1-1 Front panel of the H3C F100-C-EI
Figure 1-2 Rear panel of the H3C F100-C-EI
Figure 1-3 Console cable
Figure 1-4 Ethernet cable
Figure 2-1 Wear an ESD-preventive wrist strap
Figure 3-1 Firewall installation flow
Figure 3-2 Mounting bracket structure
Figure 3-3 Install the mounting brackets on the firewall
Figure 3-4 Fix the firewall on the rack
Figure 3-5 Connect the grounding terminal to the firewall
Figure 3-6 Connect PGND wire to grounding strip
Figure 3-7 Connecting the AC power cord
Figure 3-8 Connect the console cable
Figure 4-1 Set up a new connection
Figure 4-2 Set the connection port
Figure 4-3 Set serial port parameters
Figure 4-4 HyperTerminal window
Figure 4-5 Set terminal emulation type
Figure 5-1 Disconnect the console terminal
Figure 5-2 Modify baudrate
Figure 5-3 Send file dialog box
Figure 5-4 Send file interface
Figure 5-5 Set up an upgrade environment through TFTP
Figure 5-6 Set up an upload/download environment using FTP
List of Tables
Table 1-1 Technical specifications of the H3C F100-C-EI
Table 1-2 LEDs on the front panel of the F100-C-EI
Table 1-3 Specifications of the console port
Table 1-4 Specifications of Ethernet interfaces
Table 2-1 Temperature/humidity requirements in the equipment room
Table 2-2 Limitation on dust content in equipment room
Table 2-3 Harmful gas limits in the equipment room
Chapter 1 Firewall Overview
1.1 Brief Introduction
The H3C SecPath F100-C-EI Firewall (hereinafter referred to as
the F100-C-EI) is a new-generation Ethernet firewall intended for
small office home office (SOHO) use.
The F100-C-EI has the following features:
• Provides an uplink WAN interface compliant with international
standards, ensuring the interoperability with the products of
other vendors.
• Provides five 10/100 Mbps auto-sensing Ethernet interfaces
that can be assigned to different security zones, such as
Trust, DMZ, Untrust and management security zones.
• Supports internal temperature detection, network
management, and Web-based management, satisfying
carrier-class reliability requirements.
• Supports such features as external attack defense, TCP
proxy, internal network security, traffic policing, Web filtering,
and email filtering, to effectively safeguard your network.
• Adopts the application specific packet filtering (ASPF)
technology to monitor connection processes and
unauthorized operations, and works together with access
control lists (ACLs) to implement dynamic packet filtering.
• Provides various intelligent analysis and management
methods, supports email alert and multiple types of logs,
and provides network management monitoring to help
network administrators perform network security
management.
• Supports authentication, authorization and accounting
(AAA), and network address translation (NAT) to ensure
security and guaranteed services to the private networks
constructed on the open Internet.
• Supports multiple virtual private network (VPN) services,
such as Layer 2 tunneling protocol (L2TP) VPN, IP security
(IPSec) VPN, generic routing encapsulation (GRE) VPN,
and dynamic VPN. It allows users to build various VPNs, like
Internet, Intranet, and remote access VPNs using
customized remote-user access approaches, such as
dial-up, leased line, virtual LAN (VLAN), and tunneling.
• Supports basic routing features, including routing
information protocol (RIP), open shortest path first (OSPF),
routing policy and policy routing, and also provides
abundant QoS (quality of service) features, such as traffic
policing, traffic shaping and queue scheduling.
1.2 Physical Description
1.2.1 Front Panel
(1) Ethernet LED (Yellow) (2) Ethernet LED (Green)
(3) System LED (SYS) (4) Power LED (PWR)
(5) Console port (CONSOLE) (6) Ethernet interface (WAN)
(7) Ethernet interface (LAN3) (8) Ethernet interface (LAN2)
(9) Ethernet interface (LAN1) (10) Ethernet interface (LAN0)
Figure 1-1 Front panel of the H3C F100-C-EI
1.2.2 Rear Panel
(1) AC input (2) Grounding screw
Figure 1-2 Rear panel of the H3C F100-C-EI
1.3 Technical Specifications
Table 1-1 Technical specifications of the H3C F100-C-EI
Item | Description
Interface | 1 console port; 1 × 10/100 Mbps Ethernet interface (WAN); 4 × 10/100 Mbps Ethernet interfaces (LAN)
SDRAM | Default: 64 MB; Max: 64 MB
Flash memory | 8 MB
Rated voltage range | 100 VAC to 240 VAC, 50 Hz or 60 Hz
Maximum input current | 0.4 A
Power consumption | 6 W to 8 W
Dimensions (W x H x D) | 230 × 43.6 × 200 mm (9.06 × 1.82 × 7.87 in., excluding foot pads)
Weight | 2 kg
Operating temperature | 0°C to 45°C (32°F to 113°F)
Relative humidity (noncondensing) | 10% to 95%
1.4 LEDs
The following table describes the LEDs on the front panel of the
F100-C-EI.
Table 1-2 LEDs on the front panel of the F100-C-EI
LED | Description
Link LED | Green: The interface speed is 100 Mbps. Yellow: The interface speed is 10 Mbps.
SYS (Green) | Blinking once per second: The system is operating normally. Blinking eight times per second: The system is starting up. Solid ON: The system is faulty. Off: The system is faulty or not powered on.
PWR (Green) | Off: The power supply is faulty or the system is not powered on. On: The power supply is normal.
1.5 Fixed Interfaces
1.5.1 Console Port
I. Console port specifications
The F100-C-EI provides one RS-232 asynchronous serial
console port, through which you can configure your device.
Table 1-3 Specifications of the console port
Item | Description
Connector type | RJ-45
Compliant standard | RS-232
Baud rate | 1200 bps to 115200 bps (9600 bps by default)
Services | Connecting to an ASCII terminal; Connecting to a serial port on a local PC to run terminal emulation program on the PC; Command line interface (CLI)
II. Console cable
The console cable is an 8-core shielded cable. At one end of the
cable is an RJ-45 connector that plugs into the console port; at
the other end is a DB-9 (female) connector that plugs into
the serial port of the console terminal.
The following figure illustrates a console cable:
Figure 1-3 Console cable
1.5.2 Ethernet Interfaces
I. Ethernet interface specifications
The F100-C-EI provides five 10/100 Mbps auto-sensing Ethernet
interfaces.
Table 1-4 Specifications of Ethernet interfaces
Item | Description
Connector type | RJ-45
Interface type | Auto-MDI/MDIX
Frame format | Ethernet_II/Ethernet_SNAP/IEEE 802.2/IEEE 802.3
Speed and operating mode | 10/100Base-TX; Full duplex/half duplex
II. Ethernet cable
For a 10/100BASE-TX Ethernet interface, you can use a
category-5 twisted pair cable, as shown in the following figure:
Figure 1-4 Ethernet cable
Ethernet cables fall into two types: straight-through cables and
crossover cables.
• Straight-through cable: The RJ-45 connectors at the two
ends have the same pinouts. The cable is used in the
connection between a terminal device (for example, PC) or
firewall and a HUB or LAN switch. The F100-C-EI is shipped
with straight-through cables.
• Crossover network cable: The RJ-45 connectors at the two
ends have different pinouts. The cable is used in the
connection between a terminal device (for example, PC) or
firewall and another terminal device (such as a PC) or
firewall. You can make crossover cables on the site.
Caution:
When preparing Ethernet cables, use shielded cables preferentially
for electromagnetic compatibility (EMC).
Chapter 2 Preparing for Installation
2.1 Site Requirements
The F100-C-EI must be used indoors. To ensure its proper
operation and extend its longevity, install it in an environment that
meets the requirements described in the following subsections.
2.1.1 Temperature and Humidity Requirements
The equipment room must maintain adequate temperature and
humidity.
• Prolonged high humidity tends to degrade insulation and can
even cause electricity creepage. It can also change the
mechanical performance of materials and cause some metal
parts to rust and corrode.
• If the relative humidity is too low, the captive screws can
become loose due to insulation washer contraction.
Static electricity is also likely to build up in dry
environments, jeopardizing the CMOS circuits of the
product.
• The higher the temperature is, the greater the damage to
your device. Prolonged high temperature can speed up
the aging of the insulation materials, greatly lower the device
reliability, and hence significantly shorten its service life.
The following table lists the temperature and humidity
requirements.
Table 2-1 Temperature/humidity requirements in the equipment room
Temperature | Relative humidity
0°C to 45°C (32°F to 113°F) | 10% to 95% (noncondensing)
2.1.2 Cleanness Requirements
I. Dust prevention requirements
Dust undermines the normal operation of your device. Dust on
the equipment can cause electrostatic adsorption, which degrades the
contact performance of the metal connectors or connection points.
This not only shortens the service life of your device, but also causes
communication failures.
This is more likely to happen when the relative humidity in the
equipment room is too low.
The contents of the dust in the equipment room must not exceed
the limit as shown in the following table:
Table 2-2 Limitation on dust content in equipment room
Substance | Content (particles/m³)
Dust | ≤ 3 × 10⁴ (No visible dust on desk over three days)
II. Harmful gas limits
There are rigorous limits on the content of salts, acids and
sulfides in the air. These harmful gases will speed up metal rusting
and the aging processes of certain parts. The specific limits of these
harmful gases are given in the following table.
Table 2-3 Harmful gas limits in the equipment room
Gas | Maximum (mg/m³)
SO₂ | 0.2
H₂S | 0.006
NH₃ | 0.05
Cl₂ | 0.01
2.1.3 ESD-Preventive Requirements
I. Static electricity sources and harms
On the communication network connected to your device, the
static electricity mainly comes from:
z The outside electrical fields, such as outdoor high-voltage
power cables and lightning.
z The indoor environments, floor materials and the internal
systems such as the equipment frame.
Although many antistatic considerations have been given to your
device, damage to the device’s circuits or even the whole equipment
may still happen when the static electricity exceeds the tolerance
threshold.
ESD-preventive measures
To prevent ESD damage, observe the following:
• Ensure that your device and the floor are well grounded.
• Keep the equipment room clean.
• Maintain suitable temperature and humidity.
• Wear an ESD-preventive wrist strap and antistatic garments
when handling the circuit board.
• Place the removed circuit board on an ESD-preventive
workbench right-side up or in an antistatic bag.
• Hold the removed circuit board only by its outer edge when
observing or moving it. Do not touch the components on it.
II. Wear an ESD-Preventive wrist strap
Take the following steps to wear the ESD-preventive wrist strap.
1) Put the ESD-preventive wrist strap around your wrist.
2) Fasten the wrist strap and ensure it has good contact with
your skin.
3) Attach the strap-end of the grounding wire to the wrist strap.
4) Attach the alligator clip at the other end of the grounding
wire to the rack.
5) Make sure that the rack is well grounded.