No part of this manual may be reproduced or transmitted in any form or by any means without prior
written consent of Hangzhou H3C Technologies Co., Ltd.
G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
H3C IPS products are new-generation intrusion prevention devices developed by H3C for enterprise
users, industry users, and Telecom users. They are one of the most crucial products in the intelligent
Safe Pervasive Network (iSPN) of H3C IToIP architecture.
An IPS device can be deployed in the inline mode on the critical path of a network to perform detailed
inspection of Layer 2-7 traffic passing through the path, and thus to precisely identify, block, and control
various types of network attacks or flood attacks in real time.
An IPS device can also be connected to a network in the bypass mode. In that case, the IPS device is
similar to the intrusion detection system (IDS) device in functions. It can capture packets by receiving
mirrored traffic and detecting copied packets, and execute security actions indirectly through response
packets, thus protecting the network.
Moreover, IPS devices can provide powerful and realistic bandwidth management and URL filtering
functions.
H3C IPS products cover the complete series from high-end to low-end IPSs, and are available as box-type
devices and card-type IPS devices. For more information about IPS models, see H3C IPS Series Products at the H3C website.
This preface includes:
• Audience
• Conventions
• About the H3C IPS Web-Based Configuration Guide
• Obtaining Documentation
• Technical Support
• Documentation Feedback
Audience
This documentation is intended for:
• Network planners
• Field technical support and servicing engineers
• Network administrators working with the H3C IPS products
Conventions
This section describes the conventions used in this documentation set.
Command conventions
Convention: Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]: Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *: Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select at least one.
[ x | y | ... ] *: Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you may select multiple choices or none.
&<1-n>: The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#: A line that starts with a pound (#) sign is a comment.
GUI conventions
Convention: Description
Boldface: Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
>: Multi-level menus are separated by angle brackets. For example, File > Create > Folder.
Symbols
Symbol descriptions (the symbol images are not reproduced here):
• Means reader be extremely careful. Improper operation may cause bodily injury.
• Means reader be careful. Improper operation may cause data loss or damage to equipment.
• Means an action or information that needs special attention to ensure successful configuration or good performance.
• Means a complementary description.
• Means techniques helpful for you to make configuration with ease.
Network topology icons
Icon descriptions (the icon images are not reproduced here):
• Represents an H3C IPS device.
• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
About the H3C IPS Web-Based Configuration Guide
Organization
The H3C IPS web-based configuration guide describes the following features:
Web overview
  Describes the Web-based network management (NM) for the IPS.
  • Logging in to/out from the web interface
  • Introduction to web users and levels
  • Introduction to the web interface and web-based NM functions
  • Common web interface elements
  • Configuration guidelines
System management > Device management
  Describes basic configurations for IPS management.
  • Displaying system status, system information, and system time
  • Configuring system monitoring
  • Saving the configuration, managing the configuration file, and restoring the factory defaults
  • Upgrading signature database and software versions
  • Displaying license information, importing and exporting a license
  • Setting the operating mode
  • Configuring OAA
  • Rebooting the system
System management > User management
  Describes user management functions for the IPS device.
  • Managing user accounts and online users
  • Configuring a security policy
Network management
  Describes network management configurations for the IPS.
  • Configuring management interface parameters, executing a ping operation, creating a static route, and configuring DNS servers
  • Displaying and configuring interface properties
  • Creating security zones
  • Creating a segment and configuring segment bandwidth control
High availability
  Describes the high availability features of the IPS.
  • Configuring Layer 2 fallback
  • Configuring interface status synchronization
Time table management
  Describes the time table configuration for the IPS.
  • Creating a time table
Action management
  Describes action management configurations for the IPS.
  • Creating a block, rate limit, or notify action
  • Creating an action set
  • Uploading packet trace files
Log management
  Describes log management configurations for the IPS.
  • Displaying, querying, and deleting system logs, operation logs, attack logs, and virus logs
  • Querying service logs and URL logs
  • Configuring device logs, data logs, and email logs
IPS
  Describes the attack prevention configurations for the IPS.
  • Creating an IPS policy
  • Configuring rules for a policy
  • Applying an IPS policy to a segment
  • Configuring IPS policy shortcut application
URL Filtering
  Describes URL filtering configurations for the IPS.
  • Configuring URL filtering global parameters
  • Creating and applying a URL filtering policy
Anti-virus
  Describes anti-virus configurations for the IPS.
  • Creating an anti-virus policy
  • Configuring rules for a policy
  • Applying a policy to a segment
  • Querying viruses
DDoS
  Describes DDoS prevention configurations for the IPS.
  • Creating a DDoS policy
  • Configuring learning rules
  • Applying a DDoS policy to a segment
  • Maintaining a DDoS policy application
  • Adding detection rules
  • Adding a static filtering rule
  • Configuring dynamic filtering rules
  • Displaying DDoS statistics
Bandwidth management
  Describes bandwidth management configuration for the IPS.
  • Configuring protocols and services
  • Creating a bandwidth management policy and applying the policy to a segment
Blacklist
  Describes blacklist configurations for the IPS.
  • Adding a blacklist entry manually
  • Querying blacklist entries
Report
  Describes report configurations for the IPS.
  • Displaying packet statistics
  • Configuring and querying traffic statistics reports and top N reports
  • Querying attack reports and top N attack reports
  • Querying virus reports and top N virus reports
Acronym
  Lists the acronyms used in the IPS web-based configuration guide.
Related Documentation
In addition to the H3C IPS web-based configuration guide, you can go to H3C SecBlade IPS Cards
Documentation Navigator to view manuals of the SecBlade series IPS cards for reference.
Obtaining Documentation
You can access the most up-to-date H3C product documentation on the World Wide Web at
http://www.h3c.com.
Click the links on the top navigation bar to obtain different categories of product documentation:
• upgrading, and software feature configuration and maintenance documentation.
• [Products & Solutions] – Provides information about products and technologies, as well as solutions.
• [Technical Support & Documents > Software Download] – Provides the documentation released with the software version.
Technical Support
customer_service@h3c.com
http://www.h3c.com
Documentation Feedback
You can e-mail your comments about product documentation to info@h3c.com.
We appreciate your comments.
Table of Contents
1 Web Overview............................................................................................................................................1-1
System Status.........................................................................................................................................3-1
System Status Overview .................................................................................................................3-1
Viewing System Status....................................................................................................................3-1
System Information.................................................................................................................................3-5
System Information Overview .........................................................................................................3-5
Viewing System Information............................................................................................................3-5
System Time...........................................................................................................................................3-6
System Time Overview....................................................................................................................3-6
Configuring System Time................................................................................................................3-6
System Monitoring ..................................................................................................................................3-7
System Monitoring Overview...........................................................................................................3-7
Configuring System Monitoring.......................................................................................................3-7
OAA Configuration Example .........................................................................................................3-23
System Reboot......................................................................................................................................3-27
System Reboot Overview..............................................................................................................3-27
Rebooting the system....................................................................................................................3-27
4 User Management......................................................................................................................................4-1
User Management Overview ..................................................................................................................4-1
Configuring User Management...............................................................................................................4-1
System Logs .........................................................................................................................................13-1
System Logs Overview..................................................................................................................13-1
Service Logs .......................................................................................................................................13-16
Querying Top N Virus Reports......................................................................................................23-3
24 Index .......................................................................................................................................................24-1
1 Web Overview
Overview
Hangzhou H3C Technologies Co., Ltd. (hereinafter referred to as H3C) provides the Web-based
network management function for the Intrusion Prevention System (IPS) of H3C to facilitate the
operations and maintenance on the IPS devices. Through this function, the administrator can visually
manage and maintain the IPS devices through the Web-based configuration interfaces.
Figure 1-1 shows a Web-based network management operating system.
The device is provided with default Web login information. You can use the default information to log
in to the Web interface. The default Web login information is:
• Username: admin
• Password: admin
• IP address of the device: 192.168.1.1
To log in to the device through the Web interface, follow these steps:
Step 1: Connect the device and the PC.
Connect the default management port meth 0/0 of the device to the PC using a crossover Ethernet
cable. For the IPS cards with silkscreen LSWM1IPS10 for S5800 and S5820X series switches, the
default management port is meth 0/0. For other models of IPS cards, the default management port is
meth 0/2.
• If the IPS device provides two management ports, you can use only one to manage the device at a
time.
• By default, the management port with the smallest ID is the default management port, and it is
assigned IP address 192.168.1.1/24. To make a management port with a larger ID the default
management port, remove the IP address of the original default management port and assign an IP
address to the management port that you want to configure as the default one.
Step 2: Configure an IP address for the PC and ensure that the PC and device can communicate with each
other.
Modify the IP address to one within the network segment 192.168.1.0/24 (except for 192.168.1.1), for
example, 192.168.1.2.
Step 3: Launch the IE browser, and input the login information.
On the PC, launch the IE browser, type https://192.168.1.1 in the address bar (the HTTPS service is
enabled by default), and press Enter. The login page of the Web interface appears, as shown in
Figure 1-2.
Click Chinese or English on the login page, input the username (admin), password (admin), and verify
code shown on the page, and click Login to enter the Web interface.
Figure 1-2 Login page of the Web interface
• The PC where you configure the device is not necessarily the Web-based network management
terminal.
• After the first-time login, you are recommended to change the default password. For detailed
operation, refer to User Management.
• A verify code expires in 2 minutes, so you need to use the code within the expiration time. To
obtain a new verify code, click the verify code image.
• Up to 5 users can concurrently log in to the device through the Web interface.
Logging Out of the Web Interface
Click Logout in the upper-right corner of the Web interface. The system displays a confirmation dialog box,
on which you can click OK to quit Web-based network management.
Introduction to Web Users and Levels
Web user levels include Level 0, Level 1, Level 2, Level 3, and auditor. Table 1-1 lists the Web user
levels and corresponding operation rights.
Table 1-1 Web user levels and operation rights
Level 0 (Visit)
  • Use the network diagnosis tool ping
  • View the IP address of the management port, management rights, static routes, and DNS server information
  • Unable to perform configuration
Level 1 (Monitor)
  • Have the privileges of Level-0 users
  • View all the other configuration information except user information
  • View all the other logs except operation logs
  • Unable to perform configuration
  • Unable to monitor packet distribution in real time
Level 2 (System)
  • Have the privileges of Level-1 users
  • Perform all the other configuration operations except user management
Level 3 (Manage)
  • Have the privileges of Level-2 users
  • View all configuration information
  • View all logs
  • Perform all configuration operations
Auditor
  • View/back up/delete operation logs
  • Unable to perform other operations except the above ones
This manual assumes that a Level-3 user performs the configuration operations unless otherwise
specified.
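The rights in Table 1-1 form a strict hierarchy (each level inherits the one below it) with the auditor standing outside it. The following Python is an added example, not H3C code: it encodes the table as nested sets so the separation between levels can be checked mechanically; the operation names (such as view_operation_logs) and the placement of real-time packet monitoring at Level 2 are assumptions made for the illustration.

```python
"""Role model for the H3C IPS Web user levels of Table 1-1 (added example, not H3C code)."""
from typing import Dict, FrozenSet, Optional

# Operation groups with assumed names, chosen so each level reads as set algebra.
VIEW_MGMT_INTERFACE = {"ping", "view_mgmt_interface", "view_static_routes", "view_dns"}
VIEW_CONFIG_EXCEPT_USERS = {"view_ips_policy", "view_segments", "view_interfaces"}
VIEW_USER_INFO = {"view_user_accounts", "view_online_users"}
VIEW_LOGS_EXCEPT_OPERATION = {"view_system_logs", "view_attack_logs", "view_virus_logs"}
OPERATION_LOG_RIGHTS = {"view_operation_logs", "backup_operation_logs", "delete_operation_logs"}
MONITOR_PACKETS = {"monitor_packet_distribution"}  # Table 1-1 only says Level 1 lacks this
CONFIG_EXCEPT_USERS = {"configure_ips_policy", "configure_segments", "configure_system_time"}
CONFIG_USERS = {"configure_user_accounts", "configure_security_policy"}

HIERARCHY = ["Level 0", "Level 1", "Level 2", "Level 3"]

# Each hierarchical level inherits the rights of the level below it (Table 1-1).
LEVEL_RIGHTS: Dict[str, FrozenSet[str]] = {}
LEVEL_RIGHTS["Level 0"] = frozenset(VIEW_MGMT_INTERFACE)
LEVEL_RIGHTS["Level 1"] = (LEVEL_RIGHTS["Level 0"] | VIEW_CONFIG_EXCEPT_USERS
                           | VIEW_LOGS_EXCEPT_OPERATION)
# Assumption: packet monitoring starts at Level 2; the page states only that Level 1 cannot.
LEVEL_RIGHTS["Level 2"] = LEVEL_RIGHTS["Level 1"] | MONITOR_PACKETS | CONFIG_EXCEPT_USERS
LEVEL_RIGHTS["Level 3"] = (LEVEL_RIGHTS["Level 2"] | VIEW_USER_INFO
                           | OPERATION_LOG_RIGHTS | CONFIG_USERS)
# The auditor is outside the hierarchy: operation logs only, nothing else.
LEVEL_RIGHTS["Auditor"] = frozenset(OPERATION_LOG_RIGHTS)

ALL_OPERATIONS: FrozenSet[str] = frozenset().union(*LEVEL_RIGHTS.values())


def effective_rights(level: str) -> FrozenSet[str]:
    """Full set of operations a user level may perform (empty for unknown levels)."""
    return LEVEL_RIGHTS.get(level, frozenset())


def is_permitted(level: str, operation: str) -> bool:
    """Default deny: unknown levels, unknown operations and unlisted rights all fail."""
    return operation in effective_rights(level)


def authorize(level: str, operation: str) -> str:
    """Gate for a hypothetical request handler; raises PermissionError on denial."""
    if not is_permitted(level, operation):
        raise PermissionError(f"{level} may not perform {operation}")
    return operation


def least_level_for(operation: str) -> Optional[str]:
    """Lowest hierarchical level able to perform an operation, for least-privilege
    account assignment; None when only the auditor (or nobody) has the right."""
    for level in HIERARCHY:
        if operation in LEVEL_RIGHTS[level]:
            return level
    return None


def check_model_invariants() -> Dict[str, bool]:
    """Properties Table 1-1 implies; every value should be True."""
    all_config = CONFIG_EXCEPT_USERS | CONFIG_USERS
    return {
        "levels_are_nested": all(LEVEL_RIGHTS[lo] <= LEVEL_RIGHTS[hi]
                                 for lo, hi in zip(HIERARCHY, HIERARCHY[1:])),
        "level1_cannot_configure": not (LEVEL_RIGHTS["Level 1"] & all_config),
        "level2_cannot_manage_users": not (LEVEL_RIGHTS["Level 2"]
                                           & (CONFIG_USERS | VIEW_USER_INFO)),
        "operation_logs_only_level3_or_auditor": all(
            not (LEVEL_RIGHTS[lvl] & OPERATION_LOG_RIGHTS) for lvl in HIERARCHY[:3]),
        "auditor_confined_to_operation_logs": LEVEL_RIGHTS["Auditor"] == OPERATION_LOG_RIGHTS,
        "level3_holds_every_right": LEVEL_RIGHTS["Level 3"] == ALL_OPERATIONS,
    }


if __name__ == "__main__":
    for name in HIERARCHY + ["Auditor"]:
        print(name, sorted(effective_rights(name)))
    print(check_model_invariants())
```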
Introduction to the Web Interface
The Web interface is composed of three parts: navigation area, title area, and body area, as shown in
Figure 1-3.
Figure 1-3 Web-based configuration interface: (1) Navigation area, (2) Title area, (3) Body area
• Navigation area: Organizes the Web-based NM function menus in the form of a navigation tree,
where you can select function menus as needed. The result is displayed in the body area.
• Title area: Displays the path of the current configuration interface in the navigation area, and provides
the Logout button to log out of the Web interface.
• Body area: The area where you can configure and display a function.
Introduction to the Web-Based NM Functions
Table 1-2 lists the Web-based NM functions.
Table 1-2 Web-based NM functions
Each menu item is followed by the operations it supports and the lowest user level required for each (the icon images referred to in the descriptions are not reproduced here).

System Management > Device Management
  System Status
    • Level 1: Displays the current status of system software and hardware. Allows you to use links or the icon to view IPS block logs, URL block logs, anti-virus block logs, and system logs.
    • Level 2: Allows you to use the icons for IPS block logs, URL block logs, and anti-virus block logs, and the icons for system logs.
    • Level 3: Allows you to use the link to view operation logs, and to use the icons.
  System Information
    • Level 1: Displays the current software versions, hardware versions, versions of signature packages, device serial number, MAC address of the NM port, and system time.
  System Time
    • Level 1: Displays system date, time, and time zone.
    • Level 2: Allows you to set the system time source and time zone.
  System Monitoring
    • Level 1: Displays system thresholds, including CPU usage threshold, memory usage threshold, hardware usage threshold, CPU temperature upper and lower limits, and main board temperature upper and lower limits.
    • Level 2: Allows you to set system thresholds, including CPU usage threshold, memory usage threshold, hardware usage threshold, CPU temperature upper and lower limits, and main board temperature upper and lower limits.
  Configuration Maintenance
    • Level 3: Allows you to save the current configuration; add, delete, upload, download, import, and export the configuration file; and restore the factory defaults.
  Signature Upgrade
    • Level 1: Displays current versions and history versions of signature packages, and configuration information of signature package auto upgrade.
    • Level 2: Allows you to roll back signature packages to a history version, upgrade the signature package manually, and enable signature package auto upgrade and set the upgrade time.
  Software Upgrade
    • Level 1: Displays the software versions, upload date, sizes of the version files, and version status on the device.
    • Level 3: Allows you to update and delete a software version, and modify the software version status.
  License
    • Level 1: Displays license information, and allows you to import and export the license file.
  Operating Mode
    • Level 1: Displays operating mode configuration information.
    • Level 2: Allows you to set operating mode parameters.
  OAA Configuration
    • Level 1: Displays OAA client configuration information.
    • Level 2: Allows you to configure the OAA client and test connectivity between the OAA client and server.
  System Reboot
    • Level 2: Allows you to reboot the device.

System Management > User Management
  User Accounts
    • Level 3: Displays user information, and allows you to add, modify, and delete user accounts.
  Online Users
    • Level 3: Displays all users that are logged in to the Web interface, and allows you to kick out the logged-in users except yourself.
  Security Policy
    • Level 3: Displays security-related information, and allows you to configure settings including timeout time, password strength, and lock settings.

Network Management
  Management Interface
    • Level 0: Displays the IP address and protocol used by each management interface, displays static routes and DNS server information, and allows you to perform ping operations.
    • Level 2: Allows you to specify the IP address and protocol used by each management interface, add or delete static routes, and configure DNS servers.
  Interface Configuration
    • Level 1: Displays interface properties, including connection status, interface status, interface type, transmission rate, and duplex mode.
    • Level 2: Allows you to configure interface properties, such as interface status, interface type, transmission rate, and duplex mode.
  Security Zone
    • Level 1: Displays all security zones, name links, and segment links.
    • Level 2: Allows you to use the icons and the Add and Remove buttons to perform the corresponding functions.
  Segment Configuration
    • Level 1: Displays all segments, segment links, internal zone links, and external zone links.
    • Level 2: Allows you to control bandwidth for a specific segment by using the icons and the Activate, Add Segment, Apply, and Delete buttons.

High Availability
  Layer 2 Fallback
    • Level 1: Displays the parameters related to Layer 2 fallback.
    • Level 2: Allows you to set the parameters related to Layer 2 fallback.
  Interface Status Synchronization
    • Level 1: Displays the configuration information of interface status synchronization.
    • Level 2: Allows you to set interface status synchronization.

Time Table List
  • Level 1: Displays all the time tables, and allows you to use the name links.
  • Level 2: Allows you to use the icons and the Activate, Add, and Delete buttons.

Action Management
  Action Set List
    • Level 1: Displays all the action sets, and allows you to use the name links.
    • Level 2: Allows you to use the icons and the Activate, Add, and Delete buttons.
  Block Action List
    • Level 1: Displays all the block actions, and allows you to use the name links.
    • Level 2: Allows you to use the icons and the Activate, Add, and Delete buttons.
  Notify Action List
    • Level 1: Displays all the notify actions, and allows you to use the name links.
    • Level 2: Allows you to use the icons and the Activate, Add, and Delete buttons.
  Packet Trace File Upload
    • Level 1: Displays the parameters for uploading packet trace files.
    • Level 2: Allows you to configure the parameters for uploading packet trace files.

Log Management
  System Logs > Recent Logs
    • Level 1: Displays the recent 25 system logs of the day.
    • Level 2: Allows you to export the system logs of the day to a file in CSV format.
  System Logs > Query Logs
    • Level 1: Displays the system logs based on the query conditions.
    • Level 2: Allows you to export the queried system logs to a file in CSV format.
  System Logs > Delete Logs
    • Level 1: Displays the system log file list.
    • Level 2: Allows you to delete system log files.
  System Logs > Back Up Logs
    • Level 2: Displays all system log files, and allows you to open and export the specified system log files to a file in CSV format.
  Operation Logs > Recent Logs
    • Level 3/Auditor: Displays the recent 25 operation logs of the day, and allows you to export the operation logs of the day to a file in CSV format.
  Operation Logs > Query Logs
    • Level 3/Auditor: Displays the operation logs based on the query conditions, and allows you to export the queried operation logs to a file in CSV format.
  Operation Logs > Delete Logs
    • Level 3/Auditor: Displays the operation log file list, and allows you to delete the operation log files.
  Operation Logs > Back Up Logs
    • Level 3/Auditor: Displays all operation log files, and allows you to open and export the specified operation log files to a file in CSV format.
  Attack Logs > Recent Logs
    • Level 1: Displays the recent 25 IPS block or alert logs of the day.
    • Level 2: Allows you to export the attack logs of the day to a file in CSV format.
  Attack Logs > Query Logs
    • Level 1: Displays the attack logs based on the query conditions.
    • Level 2: Allows you to export the queried attack logs to a file in CSV format.
  Attack Logs > Delete Logs
    • Level 1: Queries the attack logs based on the query conditions.
    • Level 2: Allows you to delete the attack logs based on the query conditions.
  Virus Logs > Recent Logs
    • Level 1: Displays the recent 25 virus block or alert logs of the day.
    • Level 2: Allows you to export the virus logs of the day to a file in CSV format.
  Virus Logs > Query Logs
    • Level 1: Displays the virus logs based on the query conditions.
    • Level 2: Allows you to export the queried virus logs to a file in CSV format.
  Virus Logs > Delete Logs
    • Level 1: Queries the virus logs based on the query conditions.
    • Level 2: Allows you to delete the virus logs based on the query conditions.
  Service Logs
    • Level 1: Displays the service logs based on the query conditions.
    • Level 2: Allows you to delete the queried service logs or export them to a file in CSV format.
  URL Logs
    • Level 1: Displays the URL logs based on the query conditions.
    • Level 2: Allows you to delete the queried URL logs or export them to a file in CSV format.
  Log Configuration > Device Logs
    • Level 1: Displays the remote output parameters and local storage control parameters for system and operation logs.
    • Level 3: Allows you to set the remote output parameters and local storage control parameters for system and operation logs.
  Log Configuration > Data Logs
    • Level 1: Displays the parameters for data logs, such as log aggregation and log lifetime.
    • Level 2: Allows you to set the parameters for data logs, such as log aggregation and log lifetime.
  Log Configuration > Mail Configuration
    • Level 1: Displays the parameters for sending mails.
    • Level 2: Allows you to set the parameters for sending mails.

IPS
  Fast Application
    • Level 2: Allows you to configure an IPS policy and apply it to a segment.
  Policy Management
    • Level 1: Displays IPS policies, and allows you to display the details of a policy by clicking its name link.
    • Level 2: Allows you to use the icons and the Activate, Add, and Delete buttons.
  Default Rule Management
    • Level 1: Displays the default rules of an IPS policy, allows you to search for an IPS policy by certain criteria and display its default rules, and allows you to use rule name links, action set links, and the Query button.
    • Level 2: Allows you to modify the policy name and description, and use the icons and the Apply, Activate, Modify Action Set, Enable Rule, Disable Rule, and Reset Rule buttons.
  User Defined Rule Management
    • Level 1: Displays the user defined rules of an IPS policy.
    • Level 2: Allows you to configure user defined rules for an IPS policy, and use the icons and the Add, Delete, and Activate buttons.
  Segment Policy Management
    • Level 1: Displays the policy application list, and allows you to use the links and buttons in the list.
    • Level 2: Allows you to use the icons and the Activate, Add, and Delete buttons.

URL Filtering
  Global Configuration
    • Level 1: Displays the global configuration of URL filtering.
    • Level 2: Allows you to configure the global settings of URL filtering, and activate the configuration.
  Policy Management
    • Level 1: Displays URL filtering policies and the segments where the policies are applied.
    • Level 2: Allows you to add, modify, and delete URL filtering policy applications, and activate the configuration.

Anti-Virus Management
  Policy Management
    • Level 1: Displays anti-virus policies, and allows you to display the details of a policy by clicking its name link.
    • Level 2: Allows you to use the icons and the Activate, Add, and Delete buttons.
  Rule Management
    • Level 1: Displays information about an anti-virus policy, allows you to search for a policy by certain criteria, and allows you to use rule name links, action set links, and the Query button.
    • Level 2: Allows you to modify the policy name and description, and use the icons and the Apply, Activate, Modify Action Set, Enable Rule, Disable Rule, and Reset Rule buttons.
  Segment Policy Management
    • Level 1: Displays the policy application list, and allows you to use the links and buttons in the list.
    • Level 2: Allows you to use the icons and the Activate, Add, and Delete buttons.
  Query Viruses
    • Level 1: Displays the virus list.

DDoS
  DDoS Policies
    • Level 1: Displays DDoS policies, and allows you to display the details of a policy by clicking its name link.
    • Level 2: Allows you to use the icons and the Activate, Add, and Delete buttons.
  Learning Rule
    • Level 1: Displays information about a DDoS policy, including its name, description, and learning rules.
    • Level 2: Allows you to modify the policy name, description, and learning rules, and use the Activate icon.
  Segment Policy
    • Level 1: Displays the policy application list, and allows you to use the links and buttons in the list.
    • Level 2: Allows you to use the icons and the Activate, Add, and Delete buttons.
  Detection Rule
    • Level 1: Displays the detection rules of a protected object, and allows you to use the ID links.
    • Level 2: Allows you to use the icons and the Activate, Save, Add, and Lock buttons.
  Static Filtering Rule
    • Level 1: Displays the static filtering rules applied in a direction on a segment.
    • Level 2: Allows you to use the icons and the Activate, Enable Selected, and Disable Selected buttons.
  Dynamic Filtering Rule
    • Level 1: Displays dynamic filtering rules based on the query conditions.
    • Level 2: Allows you to use the Enable Selected and Disable Selected buttons.
  DDoS Statistics
    • Level 1: Displays the protection status and DDoS statistics of a protected object.

Bandwidth Management
  Fast Application
    • Level 2: Allows you to configure a bandwidth management policy and apply it to a segment.
  Policy Management
    • Level 1: Displays bandwidth policies and the segments where the policies are applied.
    • Level 2: Allows you to add, modify, and delete bandwidth policy applications, and activate the configuration.
  Service Management
    • Level 1: Displays the service tree, and the information and matching rules of the selected service.
    • Level 2: Allows you to use the icons and the Add, Delete, Apply, and Activate buttons.
  Protocol Management
    • Level 1: Displays the protocol tree and information about the selected protocol.
    • Level 2: Allows you to use the Add, Remove, Reset, Apply, and Activate buttons.

Blacklist
  Blacklist Management
    • Level 1: Displays the blacklist entries matching the conditions.
    • Level 2: Allows you to use the icons and the Activate, Add, and Delete buttons.

Report
  Packet Statistics
    • Level 2: Allows you to collect and display real-time packet distribution information based on the specified criteria.
  Traffic Statistics Reports > Reports
    • Traffic Statistics Reports (Level 1): Displays traffic statistics reports based on the query conditions.
    • Top N Traffic Statistics Reports (Level 1): Displays top N reports based on the query conditions.
  Traffic Statistics Reports > Report Configuration
    • Traffic Statistics Report Configuration (Level 2): Allows you to add and delete traffic statistics report parameters.
    • Top N Report Configuration (Level 2): Allows you to add and delete top N report parameters.
  Attack Reports
    • Attack Reports (Level 1): Displays attack reports based on the query conditions.
    • Top N Attack Reports (Level 1): Displays top N attack reports based on the query conditions.
  Virus Reports
    • Virus Reports (Level 1): Displays virus reports based on the query conditions.
    • Top N Virus Reports (Level 1): Displays top N virus reports based on the query conditions.
Common Web Interface Elements
Common buttons and icons
Table 1-3 describes the commonly used buttons and icons on the Web interface.
Table 1-3 Common buttons and icons
Button and icon descriptions (the button and icon images are not reproduced here):
• Bring the configuration on the current page into effect or save the configuration into the database.
• Select all entries that were not selected, and deselect those that were selected.
• Query all entries matching the query criteria.
• Activate a configuration in the database, and bring it into effect.
• Go to the selected page. Applicable to a list displayed on more than one page.
• Delete the selected entries.
• Enter the detailed configuration page of an entry to allow you to view and modify its parameters.
• Delete an entry.
• Copy the configuration of an entry and enter the page for adding a new entry.
• Enter the page for managing segment policies.
• Indicate that the entry is a default one.
Content display by pages
The web interface can display contents by pages, as shown in Figure 1-4. You can set the number of
entries that are displayed per page, and use the First, Prev, Next, and Last links to view the contents
on the first, previous, next, and last pages, or go to any page that you want to check.
You can also click the column headings—such as Timestamp, Module, Severity, and Log Content—to sort the contents.
Figure 1-4 Content display by pages
Calendar
To facilitate setting time, the Web interface provides a calendar interface. Click the calendar icon to display the calendar interface for setting time, as shown in Figure 1-5.
Figure 1-5 Calendar
• To set a time, select the year, month, day, and hour, and click Apply.
• To cancel the time setting, click Clear.
• To set a time to the system time of the local host, click Today. Note that, for the definition library update module, Today refers to the current system time of the device.
Regular expression help information
To facilitate configuring regular expressions, the Web interface provides a help link on each page where you need to configure a regular expression, as shown in Figure 1-6. To view the help information, click the help link to display the help information page, as shown in Figure 1-7.
Figure 1-6 Regular expression help link
Figure 1-7 Regular expression help information
Configuration Guidelines
• The web console supports Windows XP, Windows 2000, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition, Windows Vista, Linux, and Mac OS operating systems.
• The web console supports Microsoft Internet Explorer 6.0 SP2 and higher, and Mozilla Firefox 3.0.10 and higher. To ensure that the web console operates normally, enable Script ActiveX controls marked safe for scripting, Run ActiveX controls and plug-ins, and Active scripting when using Microsoft Internet Explorer, and enable JavaScript when using Mozilla Firefox. Apply these browser settings to the security zone that contains the device's management address rather than to all sites.
• Some Web pages do not support the Back, Next, and Refresh buttons provided by the browser. Using these buttons may result in abnormal display of these Web pages.
• Because the Windows firewall limits the number of TCP connections, you may sometimes be unable to open the Web interface when you use IE to log in. To avoid this problem, you can turn off the Windows firewall before login; re-enable it as soon as the session is finished.
• If the software version of the device changes, delete the temporary Internet files in IE before you log in to the device through the Web interface; otherwise, the Web page content may not be displayed correctly.
2 Device Registration
You can log in to the H3C website for registering a license for your device. The website will generate a
license file based on the serial number of the device and the serial number on the software license
certificate shipped with the device. Only after you import the license file can you update the signature
database and virus definition file, which the IPS device needs to defend against new attacks in real time.
Device Registration
After logging in to the H3C website at www.h3c.com, select Product & Solutions > Products >
Security Products, and then click Signature Database Services at the lower right part of the page to
enter the registration page.
Figure 2-1 Home page of the H3C website
Figure 2-2 Signature database services
Figure 2-3 Registration page
Table 2-1 shows the detailed device registration configuration items.
Table 2-1 Device registration configuration items
Item Description
Device serial No. (20 digits or letters): The device serial number, which can be obtained from:
• The device chassis
• The bar code on the warranty card shipped with the device
• The Web interface: select System Management > Device Management > System Info from the navigation tree to display the device serial number.
The device serial number is not the serial number on the software license certificate shipped with the device.
License serial No. (26 digits or letters): Obtained from the software license certificate shipped with the device.
Email: Enter your Email address to receive the license file.
• A software license certificate can be used by only one device.
• The license file generated based on the registration information will be sent to your Email address within two working days.
• After you receive the license file, log in to the Web interface and select System Management > Device Management > License from the navigation tree. Then specify the path and file name on the License Import tab and click Import to import the license. For more information, refer to Device Management.
License File Update
With the initial license file, you can update the signature database and virus definition file for free within one year. After that, you need to purchase a new software license certificate and follow the steps above to generate another license file before you can continue to update the signature database and virus definition file.
3 Device Management
System Status
System Status Overview
The system status module helps you understand the current status of the system, including the
following information:
• Health status: Displays the current health status of the system, including the usage of the CPU, memory, hardware image area, and hardware log area; the status of the fans and power supplies; and the temperatures of the CPU and the main board.
• IPS: Displays the statistics of IPS detection, that is, the counts of IPS attack logs.
• URL filtering: Displays the statistics of URL filtering, that is, the counts of URL logs.
• Anti-Virus: Displays the statistics of anti-virus management, that is, the counts of virus logs.
• Logs: Links to the various log pages.
Viewing System Status
After logging in to the Web interface, you enter the system status page directly. You can also enter it by selecting System Management > Device Management > System Status, as shown in Figure 3-1.
Figure 3-1 System status page
Select the check box on the top of the above figure, and then the system will automatically refresh the
system status page at the specified interval; or you can click Refresh Now to manually refresh the
page.
Health status
Table 3-1 describes the fields of health status. Each field shows either a normal icon or an alarm icon; the thresholds are those configured in System Monitoring.
Table 3-1 Health status fields
Field Description
CPU usage: If the CPU usage exceeds the threshold, the alarm icon is displayed; otherwise, the normal icon is displayed.
Memory usage: If the memory usage exceeds the threshold, the alarm icon is displayed; otherwise, the normal icon is displayed.
Image Area usage: If the image area usage exceeds the threshold, the alarm icon is displayed; otherwise, the normal icon is displayed.
Log Area usage: If the log area usage exceeds the threshold, the alarm icon is displayed; otherwise, the normal icon is displayed.
Fan status: If any fan fails, the alarm icon and Fault are displayed; otherwise, the normal icon and Normal are displayed.
Power status: If any power supply unit (PSU) fails, the alarm icon and Fault are displayed; otherwise, the normal icon and Normal are displayed.
CPU Temperature: If the temperature exceeds the threshold, the alarm icon is displayed; otherwise, the normal icon is displayed.
Mainboard Temperature: If the temperature exceeds the threshold, the alarm icon is displayed; otherwise, the normal icon is displayed.
Put your cursor on the normal or alarm icon of a field to view the corresponding data of the item. For example, if you put the cursor on the icon of the fan status field, the current status of each fan is displayed.
IPS
Table 3-2 describes the fields of IPS detection.
Table 3-2 IPS detection fields
Item Description
Block: Displays the total number of block logs in the IPS attack logs.
Alarm: Displays the total number of alert logs in the IPS attack logs.
By clicking the corresponding number, you can jump to the page that you can also enter by selecting Log Management > Attack Logs > Query Logs.
URL filtering
Table 3-3 describes the fields of URL filtering detection.
Table 3-3 URL filtering detection fields
Item Description
Block: Displays the total number of block logs in the URL logs.
Alarm: Displays the total number of alert logs in the URL logs.
By clicking the corresponding number, you can jump to the page that you can also enter by selecting Log Management > URL Logs.
Anti-Virus
Table 3-4 describes the fields of anti-virus management.
Table 3-4 Anti-virus management fields
Item Description
Block: Displays the total number of block logs in the virus logs.
Alarm: Displays the total number of alert logs in the virus logs.
By clicking the corresponding number, you can jump to the page that you can also enter by selecting Log Management > Virus Logs > Query Logs.
Logs
Table 3-5 describes the fields of logs.
Table 3-5 Log fields
Item Description
IPS Block: Query the latest IPS attack logs.
• If you click IPS Block or its corresponding icon, you enter the page that can also be accessed by selecting Log Management > Attack Logs > Query Logs.
• If you click the delete icon, you enter the page that can also be accessed by selecting Log Management > Attack Logs > Delete Logs.
URL Block: Query the latest URL logs.
• If you click URL Block or either of its corresponding icons, you enter the page that can also be accessed by selecting Log Management > URL Logs.
Anti-Virus Block: Query the latest virus logs.
• If you click Anti-Virus Block or its corresponding icon, you enter the page that can also be accessed by selecting Log Management > Virus Logs > Query Logs.
• If you click the delete icon, you enter the page that can also be accessed by selecting Log Management > Virus Logs > Delete Logs.
System Logs: Query the latest system logs.
• If you click System Logs or its corresponding icon, you enter the page that can also be accessed by selecting Log Management > System Logs > Recent Logs.
• If you click the save icon, you can save the latest system logs to a CSV file.
• If you click the delete icon, you enter the page that can also be accessed by selecting Log Management > System Logs > Delete Logs.
Operation Logs: Query the latest operation logs.
• If you click Operation Logs or its corresponding icon, you enter the page that can also be accessed by selecting Log Management > Operation Logs > Recent Logs.
• If you click the save icon, you can save the latest operation logs to a CSV file.
• If you click the delete icon, you enter the page that can also be accessed by selecting Log Management > Operation Logs > Delete Logs.
System Information
System Information Overview
The system information module helps you understand the current software versions, hardware versions, versions of signature databases, device serial number, MAC address of the network management interface, and system time information.
Viewing System Information
Select System Management > Device Management > System Info from the navigation tree, and enter the page as shown in Figure 3-2.
Figure 3-2 System information page
Table 3-6 describes the fields of system information.
Table 3-6 System information fields
Item Description
Software Version: Displays the version of the system software.
PCB Hardware Version: Displays the version of the PCB.
CPLD Hardware Version: Displays the version of the CPLD logic.
BootROM Base Section Version: Displays the version of the base section of the BootROM.
BootROM Extended Section Version: Displays the version of the extended section of the BootROM.
IPS Signature Database Version: Displays the version of the IPS signature database. Support for this field depends on the device model.
AV_SS Signature Database Version: Displays the version of the anti-virus signature database.
Device Serial Number: Displays the serial number of the device.
System Name: Displays the system name.
MAC of Network Management Interface: Displays the MAC address of the network management interface.
System Time: Displays the current system time.
System Time Zone: Displays the current system time zone.
System Time
System Time Overview
You need to configure a correct system time so that the device can work with other devices properly and so that its log timestamps can be correlated with those of other systems. The system time module helps you set the system date, time, and time zone. The device supports setting the system time through manual configuration and through automatic synchronization with a Simple Network Time Protocol (SNTP) server.
An administrator cannot keep time synchronized among all the devices within a network by changing the system clock on each device by hand, because the workload is huge and the clock precision cannot be guaranteed. SNTP allows quick clock synchronization within the entire network and ensures high clock precision, so that the devices can provide diverse applications based on a consistent time.
Configuring System Time
Select System Management > Device Management > System Time from the navigation tree, and enter the page as shown in Figure 3-3.
Figure 3-3 System time page
Table 3-7 describes the system time configuration items.
Table 3-7 System time configuration items
Item Description
Local Date and Time (Local Date, Local Time): Set the system date and time manually. If you do not select the Time Source check box, the Local Date and Local Time fields display the current system time, which changes in real time; if you configure the SNTP server as the time source and the time synchronization succeeds, these fields display the synchronized time.
Time Source (SNTP Server: Primary SNTP Server, Secondary SNTP Server, Synchronization Interval): Enable automatic clock synchronization with an SNTP server, and specify the IP addresses of the primary and secondary SNTP servers and the synchronization interval.
Time Zone: Set the time zone to which the system belongs. The local time zone is expressed relative to Greenwich Mean Time (GMT). After your configuration takes effect, the system time, logs, and debugging information use the local time adjusted according to the time zone.
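The exchange behind the Time Source setting, as an added example (my code, not from the H3C manual or the device; all function names are mine): it builds the SNTP client request the device would send, a server reply constructed in memory, and then validates the reply and computes the clock offset and round-trip delay as RFC 4330 specifies. The check that the reply echoes our own transmit timestamp is the only protection plain SNTP offers against a stale or unsolicited forged reply; the protocol carries no authentication, so the SNTP servers configured here should be reachable only over the management network.

```python
"""SNTP client/server exchange (RFC 4330) behind the SNTP time source setting.

Added example, not code from the H3C manual or device. Function names are mine.
The server reply is constructed in memory so the script runs offline.
"""
import struct

NTP_UNIX_DELTA = 2208988800          # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
PACKET_FMT = "!BBBb11I"              # LI/VN/Mode, Stratum, Poll, Precision, then 11 32-bit words
PACKET_LEN = struct.calcsize(PACKET_FMT)   # 48 bytes


def to_ntp(unix_ts):
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    secs = int(unix_ts) + NTP_UNIX_DELTA
    frac = int((unix_ts - int(unix_ts)) * (1 << 32))
    return (secs << 32) | frac


def from_ntp(ts):
    """64-bit NTP timestamp -> Unix seconds as a float."""
    return ((ts >> 32) - NTP_UNIX_DELTA) + (ts & 0xFFFFFFFF) / (1 << 32)


def split_ts(ts):
    """64-bit timestamp -> (seconds word, fraction word) for packing."""
    return ts >> 32, ts & 0xFFFFFFFF


def build_request(t1_unix):
    """Client request: LI=0, VN=4, Mode=3. Only the Transmit Timestamp (T1) is filled in."""
    words = [0] * 11
    words[9], words[10] = split_ts(to_ntp(t1_unix))
    return struct.pack(PACKET_FMT, (0 << 6) | (4 << 3) | 3, 0, 0, 0, *words)


def build_server_reply(request, t2_unix, t3_unix, stratum=2):
    """Server reply: Mode=4; Originate = client's Transmit, Receive = T2, Transmit = T3."""
    req_words = struct.unpack(PACKET_FMT, request)[4:]
    words = [0] * 11
    words[2] = 0x4C4F434C                              # Reference ID "LOCL" (constructed value)
    words[3], words[4] = split_ts(to_ntp(t2_unix))     # Reference Timestamp (last clock set)
    words[5], words[6] = req_words[9], req_words[10]   # Originate Timestamp echoes the client's T1
    words[7], words[8] = split_ts(to_ntp(t2_unix))     # Receive Timestamp T2
    words[9], words[10] = split_ts(to_ntp(t3_unix))    # Transmit Timestamp T3
    return struct.pack(PACKET_FMT, (0 << 6) | (4 << 3) | 4, stratum, 0, -20, *words)


def parse_reply(reply, t1_unix, t4_unix):
    """Validate a reply per RFC 4330 section 5 and compute clock offset and round-trip delay."""
    if len(reply) != PACKET_LEN:
        raise ValueError("bad length")
    li_vn_mode, stratum, _poll, _prec, *words = struct.unpack(PACKET_FMT, reply)
    li, mode = li_vn_mode >> 6, li_vn_mode & 0x7
    if mode != 4:
        raise ValueError("not a server reply")
    if li == 3 or stratum == 0 or stratum > 15:
        # LI=3 means the server clock is unsynchronized; stratum 0 is a kiss-o'-death packet
        raise ValueError("server not usable: LI=%d stratum=%d" % (li, stratum))
    originate = (words[5] << 32) | words[6]
    if originate != to_ntp(t1_unix):
        # A reply that does not echo our T1 is stale or was not sent in answer to our request
        raise ValueError("originate timestamp does not match our request")
    t2 = from_ntp((words[7] << 32) | words[8])
    t3 = from_ntp((words[9] << 32) | words[10])
    offset = ((t2 - t1_unix) + (t3 - t4_unix)) / 2   # how far our clock lags the server
    delay = (t4_unix - t1_unix) - (t3 - t2)           # round trip excluding server processing time
    return {"stratum": stratum, "offset": offset, "delay": delay}


def sntp_check(t1_unix, t2_unix, t3_unix, t4_unix, stratum=2):
    """Run one request/reply round trip in memory and return the computed result."""
    request = build_request(t1_unix)
    reply = build_server_reply(request, t2_unix, t3_unix, stratum)
    return parse_reply(reply, t1_unix, t4_unix)


if __name__ == "__main__":
    # Constructed timings: 0.25 s each way on the wire, server clock 10 s ahead of ours
    print(sntp_check(1700000000.0, 1700000010.25, 1700000010.5, 1700000000.75))
```

With the constructed timings the offset works out to exactly 10 s and the delay to 0.5 s; a device applying this offset at each synchronization interval is what keeps its log timestamps comparable with those of the SNTP server's other clients.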
System Monitoring
System Monitoring Overview
The system monitoring module helps you view and set system thresholds, including the CPU usage threshold, memory usage threshold, hardware usage thresholds, CPU temperature upper and lower limits, and main board temperature upper and lower limits.
Configuring System Monitoring
Select System Management > Device Management > System Monitoring from the navigation tree, and enter the page as shown in Figure 3-4.
Figure 3-4 System monitoring
Table 3-8 describes the system monitoring configuration items.
Table 3-8 System monitoring configuration items
Item Description
CPU usage threshold: Set the upper limit of CPU usage. When the CPU usage exceeds the configured threshold, the system triggers an alarm.
Memory usage threshold: Set the upper limit of memory usage. When the memory usage exceeds the configured threshold, the system triggers an alarm.
Image area usage threshold: Set the upper limit of image area usage. When the image area usage exceeds the configured threshold, the system triggers an alarm.
Log area usage threshold: Set the upper limit of log area usage. When the log area usage exceeds the configured threshold, the system triggers an alarm.
CPU temperature threshold: Set the upper and lower limits of the CPU temperature. When the CPU temperature falls outside the configured range, the system triggers an alarm.
Mainboard temperature threshold: Set the upper and lower limits of the main board temperature. When the main board temperature falls outside the configured range, the system triggers an alarm.
Configuration Maintenance
Configuration Maintenance Overview
The configuration maintenance module provides the following functions:
• Saving the current configuration
• Configuration file management
• Restoring the factory defaults
Saving the current configuration
This module helps you save the current configuration to the disk.
To increase the access rate of the device and to prolong the service life of the disk by reducing disk reads and writes, some configurations are not written to the disk directly when they are submitted, but are first saved to the in-memory database. Therefore, you need to save the current configuration to the disk manually; otherwise, after the device reboots, the configurations that were not saved to the disk will probably be lost.
Configuration file management
This module provides the following functions:
• Import configuration file: Import the compressed package of the specified configuration file saved on the local host or on the device to the disk, and then reboot the device to validate the configuration.
• Upload configuration file: Upload the compressed package of the configuration file saved on the local host to the device.
• Export configuration file: Back up the current configuration of the device as an encrypted and compressed package, and download this package to the local host.
• Add configuration file: Back up the current configuration of the device as an encrypted and compressed package.
• Download configuration file: Download the compressed package of the device configuration file to the local host.
• Delete configuration file.
With these functions, when multiple devices of the same type and with similar configurations are present on the network, you can configure one of the devices, export its configuration to the local host, and then import that configuration into the other devices, thus avoiding repeated work.
• When you use a compressed package of the specified configuration file, make sure that the current device and the device from which the compressed package was exported have the same software version and the same license file configuration; otherwise, the compressed package cannot be used.
• While you are importing or exporting the compressed package of the configuration file, you cannot activate the configuration.
• Configuration information of high availability, security policy, management interface configuration, interface configuration, and system monitoring is not covered by configuration file management.
Restoring the factory defaults
This operation removes all current user configurations and restores the system to the factory defaults.
Saving the Current Configuration
Select System Management > Device Management > Configuration Maintenance from the navigation tree to enter the configuration maintenance page. Click the Save Current Configuration tab to save the current configuration to the device, as shown in Figure 3-5.
Figure 3-5 Save current configuration page
Click Save and confirm your action.
Configuration File Management
Select System Management > Device Management > Configuration Maintenance from the navigation tree to enter the configuration maintenance page. Click the Configuration File Information, Import Configuration File, Upload Configuration File, Export Configuration File, or Add Current Configuration tab to manage the configuration file, as shown in Figure 3-6.
Figure 3-6 Configuration file management page
• In the Configuration File Information tab, you can view the related information of the configuration files. Table 3-9 describes the fields of configuration file information.
• In the Configuration File Information tab, click the download icon and set the directory on the local host in which to save the configuration file in the pop-up dialog box. You can download the encrypted and compressed package of the specified configuration file to the local host and save it.
• In the Configuration File Information tab, click the import icon to import the encrypted and compressed package of the specified configuration file to the disk of the device, and then reboot the device to validate the configuration.
• In the Import Configuration File tab, specify the location on the local host of the encrypted and compressed package of the configuration file. Click Import to import the compressed package that is saved on the local host to the disk of the device, and then reboot the device to validate the configuration.
• In the Upload Configuration File tab, specify the location on the local host of the encrypted and compressed package of the configuration file. Click Upload to upload the compressed package that is saved on the local host to the device.
• In the Export Configuration File tab, set the configuration ID. Click Export, set the directory on the local host in which to save the configuration file in the pop-up dialog, and the current configuration of the device is backed up as an encrypted and compressed package with the specified configuration ID and downloaded to the local host.
• In the Add Configuration File tab, enter the configuration ID and click Add to back up the current configuration of the device as an encrypted and compressed package with the specified configuration ID.
Table 3-9 Fields of configuration file information
Item Description
Configuration ID: ID of the encrypted and compressed package of the configuration file.
Date: Date on which the encrypted and compressed package of the configuration file was created.
Software Version: Software version of the device when the encrypted and compressed package of the configuration file was created.
Product Model: Product model of the device on which the encrypted and compressed package of the configuration file was created.
Restoring the Factory Defaults
Select System Management > Device Management > Configuration Maintenance from the navigation tree to enter the configuration maintenance page. Click the Restore Defaults tab to restore all the configurations on the device to the factory defaults, as shown in Figure 3-7.
Figure 3-7 Restore the factory defaults
Before restoring the factory defaults, decide whether to keep the license file: if you do not select the Keep license file check box, the current license file is deleted when the factory defaults are restored. Then click Reset and confirm your action.
Signature Upgrade
Signature Upgrade Overview
Signature databases record the attack signatures and virus signatures that the device can recognize; therefore, the signature databases of an IPS device must be kept up to date and at the latest version.
Signature databases can be upgraded either automatically or manually:
• Manual upgrade: Manual upgrade allows you to download a signature database file saved on the user's local host to the device by using the HTTP or TFTP protocol. Manual upgrade is generally performed within the user's LAN. In addition, manual upgrade allows you to download any version of the signature database that is compatible with the device.
• Auto upgrade: Auto upgrade downloads the signature database file of the latest version from a signature database version server directly to the device by using a specific protocol, at a specified interval or immediately if necessary.
• The version of the signature database is related to the version of the device software. You must make sure that the version of the new signature database is compatible with the current version of the device software before you upgrade the signature database; otherwise, the signature database upgrade fails.
• You must make sure that the current license file is valid and has not expired before you upgrade the signature database. If the license file has expired, contact H3C technical support staff.
• If the new software version contains new features that must be used together with the signature database, you need to upgrade the signature database to the version that matches the new software version after the software upgrade in order to use those features.
Signature Database Version Management
Select System Management > Device Management > Signature Upgrade from the navigation tree to enter the signature database upgrade page.
• In the Current Version tab and History Version tab, you can view the current versions of the various types of signature database and their history versions (the previous one), as shown in Figure 3-8.
• In the History Version tab, click the rollback icon to roll back a certain type of signature database to the specified history version (that is, the previous one).
Figure 3-8 Current version and history version
Manual Upgrade
Select System Management > Device Management > Signature Upgrade from the navigation tree to enter the signature database upgrade page. You can upgrade a signature database manually in the Manual Upgrade tab, as shown in Figure 3-9.
Figure 3-9 Manual upgrade
Table 3-10 describes the configuration items of manual upgrade.
Table 3-10 Configuration items of manual upgrade
Item Description
Signature Type: Set the type of the signature database to be upgraded.
Protocol: Specify the protocol (HTTP or TFTP) to be used to download the upgrade database.
Upgrade Package Location: Set the address of the host that serves the upgrade package and the package file name, for example, 192.168.1.16/abc. The directory of the file can include letters, digits, and underlines (_), and cannot include any Chinese characters.
After configuring the parameters, click OK to upgrade the signature database. The Manual Upgrade tab page displays the upgrade progress, as shown in Figure 3-10.
Figure 3-10 Upgrade progress
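The TFTP transfer that takes place when Protocol is TFTP and the location is, for example, 192.168.1.16/abc (the software upgrade page below uses the same TFTP server and file name convention), as an added example that is my code, not H3C's; the file names, the sample package bytes and the in-memory server are constructed. It implements both sides of the RFC 1350 exchange: the read request, the 512-byte DATA blocks, the lock-step ACKs, and the short or zero-length final block that ends the transfer. TFTP has no authentication or integrity protection, so the client side refuses the package unless its SHA-256 matches a digest obtained out of band (an assumption about the practitioner's process, not something the manual describes); keeping the upgrade inside the LAN, as the manual advises, is the other half of that control.

```python
"""TFTP read transfer (RFC 1350) of an upgrade package, with an integrity check.

Added example, not code from the H3C manual or device. File names, package contents
and the in-memory server are constructed; the expected digest stands in for a value
the operator obtained out of band before pointing the device at the TFTP server.
"""
import hashlib
import struct

OP_RRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 3, 4, 5
BLOCK_SIZE = 512

# Constructed sample packages: one ends with a short block, the other is an exact
# multiple of 512 bytes and therefore needs a trailing zero-length block to terminate.
PACKAGE = bytes(range(256)) * 5                  # 1280 bytes -> blocks of 512, 512, 256
EXACT = b"\xAA" * 1024                           # 1024 bytes -> blocks of 512, 512, 0
PACKAGE_SHA256 = hashlib.sha256(PACKAGE).hexdigest()


def build_rrq(filename, mode="octet"):
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block & 0xFFFF) + payload


def build_ack(block):
    return struct.pack("!HH", OP_ACK, block & 0xFFFF)


def build_error(code, message):
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


class TftpServer:
    """Serves files from a dict; handle() takes one datagram and returns the reply (or None)."""

    def __init__(self, files):
        self.files, self.data, self.block, self.finished = files, None, 0, False

    def _data(self, block):
        start = (block - 1) * BLOCK_SIZE
        payload = self.data[start:start + BLOCK_SIZE]
        self.finished = len(payload) < BLOCK_SIZE   # a block shorter than 512 bytes is the last one
        return build_data(block, payload)

    def handle(self, pkt):
        (op,) = struct.unpack("!H", pkt[:2])
        if op == OP_RRQ:
            name, mode = pkt[2:].split(b"\0")[:2]
            if mode.lower() != b"octet" or name.decode() not in self.files:
                return build_error(1, "File not found")
            self.data, self.block = self.files[name.decode()], 1
            return self._data(1)
        if op == OP_ACK and self.data is not None:
            (acked,) = struct.unpack("!H", pkt[2:4])
            if acked != self.block & 0xFFFF:
                return self._data(self.block)            # stale ACK: retransmit the current block
            if self.finished:
                self.data = None                          # final ACK received, transfer complete
                return None
            self.block += 1
            return self._data(self.block)
        return build_error(4, "Illegal TFTP operation")


def tftp_get(server, filename):
    """Client side: RRQ, then DATA/ACK lock-step until a block shorter than 512 bytes arrives."""
    reply = server.handle(build_rrq(filename))
    received, expected = bytearray(), 1
    while True:
        (op,) = struct.unpack("!H", reply[:2])
        if op == OP_ERROR:
            (code,) = struct.unpack("!H", reply[2:4])
            raise IOError("TFTP error %d: %s" % (code, reply[4:-1].decode()))
        (block,) = struct.unpack("!H", reply[2:4])
        if op != OP_DATA or block != expected & 0xFFFF:
            raise IOError("unexpected packet")
        payload = reply[4:]
        received += payload
        reply = server.handle(build_ack(block))          # ACK every block, including the last
        if len(payload) < BLOCK_SIZE:
            return bytes(received)
        expected += 1


def fetch_status(server, filename, expected_sha256):
    """Fetch the package and refuse it unless its SHA-256 matches the out-of-band value."""
    try:
        data = tftp_get(server, filename)
    except IOError:
        return "tftp-error"
    if hashlib.sha256(data).hexdigest() != expected_sha256:
        return "digest-mismatch"
    return "ok"


def make_server():
    return TftpServer({"abc": PACKAGE, "exact.bin": EXACT})


if __name__ == "__main__":
    print(fetch_status(make_server(), "abc", PACKAGE_SHA256))       # ok
    print(fetch_status(make_server(), "abc", "0" * 64))             # digest-mismatch
```

Nothing in the protocol tells the client which file it actually received, so the digest comparison, not the file name, is the decision point for installing the package.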
Auto Upgrade
To enable auto upgrade of the signature database, you must first select System Management > Network Management > Management Interface from the navigation tree and configure DNS servers, so that the device can resolve the address of the signature database version server. For detailed configuration, refer to Network Management Configuration in this manual.
Select System Management > Device Management > Signature Upgrade from the navigation tree to enter the signature database upgrade page. You can set the parameters for auto upgrade in the Auto Upgrade tab, as shown in Figure 3-11.
Figure 3-11 Auto upgrade
• On the Auto Upgrade page, the leftmost list shows the types of signature databases; on the right side of the page, set whether to enable the auto upgrade function and the time of auto upgrade. For example, as shown in Figure 3-11, the auto upgrade function of the IPS signature database is enabled, the first upgrade time is 11:00 on 2010-9-8, and after that the signature database is upgraded at 11:00 every 7 days; the auto upgrade function of the anti-virus signature database is not enabled. After configuring the parameters, click Apply to complete the configuration.
• Click Upgrade Now to download the signature database file of the latest version from the signature database version server to the device and upgrade the signature database immediately, as shown in Figure 3-12.
Figure 3-12 Upgrade process
Software Upgrade
If the new software version contains new features that must be used together with the signature database, you need to upgrade the signature database to the version that matches the new software version after the software upgrade in order to use those features.
Software Upgrade Overview
The software upgrade module helps you manage and upgrade the versions of IPS device software.
Through the web interface, you can conveniently perform operations like sof tware upgrading, specifying
main/backup version, and deleting the version file.
Upgrading Software
Select System Management > Device Management > Software Upgrade from the navigation tree to enter the software upgrade configuration page, as shown in Figure 3-13.
Figure 3-13 Software upgrade page
The upper part of the page allows you to view and manage the current software versions on the device. The list shows the names of the software versions, the upload date, the size of each version file, and the version status. You can specify a non-main software version as the main software version by clicking the set-main icon, specify a non-backup software version as a backup version by clicking the set-backup icon, and delete a software version by clicking the delete icon.
The lower part of the page allows you to upgrade the software version of the device.
Item Description
Software Version: Set the IP address of the TFTP server and the file name, for example 192.168.1.6/abc.bin.
• You can store up to three software version files on the device. If you download a software version file that has the same name as an existing version file through the web interface, the following prompt appears regardless of how many version files are stored on the device: "Version file with the same name already exists in the device. Do you wish to replace it?". If the device already stores three version files and the file to be downloaded has a different name from the existing files, the download fails and the following prompt appears: "Up to three version files can be supported".
• Make sure that the disk has enough space: if the size of the software version to be downloaded exceeds the available space of the disk partition, the download fails whether or not a software version with the same name exists in the partition.
• The file name is a string of 1 to 64 characters, which can include letters, digits, dots (.), hyphens (-), and underlines (_).
Version Status: Specify the status of the downloaded software version:
• Main: The software version is the main version, which is used to boot and start up the device.
• Backup: The software version is the backup version, which is used to boot and start up the device when the main version is unavailable.
• Other: The software version is neither the main version nor the backup version.
Reboot after upload to apply the new version: Specify whether to reboot the device so that the upgraded software takes effect after the software is uploaded. This item can be selected only when the version status is set to Main.
License
License Overview
A license controls the statuses of the signature databases and of time-sensitive features:
• The license controls whether the signature databases can be upgraded. A signature database records the attack signatures and virus signatures that the device can recognize; therefore, for a security device, the signature database must be kept up to date. When the license for a signature database has expired, you can no longer upgrade that signature database; you must purchase a new license and then upgrade the signature database.
• The license controls the lifetime of time-sensitive features. When the license for a feature has expired, you cannot use the feature and must purchase a new license. In addition, the device periodically accesses the website http://www.h3c.com.cn to check the expiration times of features. If the device cannot access this website, all time-sensitive features become unavailable, so outbound access from the device to that site must be permitted.
The license module allows you to view the license information, import a license, and export a license.
To apply for a new license, contact H3C technical support staff.
Managing a License
Select System Management > Device Management > License from the navigation tree to enter the license page, as shown in Figure 3-14.
Figure 3-14 License
• In the License tab, you can view the following information:
1) The signature database types contained in the license and their expiration times.
2) The time-sensitive features contained in the license, their expiration times, and their statuses. If a feature is available, a green indicator is displayed in the Status column; if a feature has expired, a red indicator is displayed in the Status column.
• In the License Import tab, specify the file name and the directory on the local host where the license is saved, and click Import to import the license to the device.
• In the License Export tab, click Export, and set the directory on the local host in which to save the license in the pop-up dialog.
Operating Mode
Operating Mode Overview
IPS devices can take security actions against attacks and services. How an IPS device takes security actions depends on its connecting mode, which can be either direct connection or bypass connection.
• Direct connection means that the device is on the link where data is forwarded; therefore, the device can directly capture data packets and take various security actions, as shown in Figure 3-15.
Figure 3-15 Network diagram for direct connection
• Bypass connection means that the device is not on the link where data is forwarded. Therefore, the device captures data packets by receiving mirrored traffic and inspecting the copied packets; it cannot take security actions directly and can only take security actions by sending response packets, as shown in Figure 3-16.
Figure 3-16 Network diagram for bypass connection (labels: General device, Mirroring port, General port, Monitor port, Response port, IPS)
Configuring Operating Mode
Select System Management > Device Management > Operating Mode from the navigation tree to enter the operating mode page.
Item Description
Connecting Mode: Select the connecting mode, Directly connected or Bypassed. For the network diagram for direct connection, see Figure 3-15; for the network diagram for bypass connection, see Figure 3-16.
Application Mode: Set the application mode, Report logs only or Integrated function set.
• Report logs only: Only sends log packets to the specified device or host; no blocking or interfering actions are taken.
• Integrated function set: Sends log packets to the specified device or host, and takes blocking or interfering actions.
Source MAC for Interfering: In the bypassed connecting mode, the source MAC address of the interfering packets sent in response:
• Management interface: Use the MAC address of the management interface as the source MAC address.
• Packets: Use the source MAC address of the captured packets as the source MAC address.
• Customize: Use a manually configured source MAC address.
Next Hop MAC: In the bypassed connecting mode, the next hop MAC address of the interfering packets sent in response. It is usually the MAC address of the General port in Figure 3-16.
Return by original path/A certain interface (the drop-down list at the bottom right corner): Select the interface through which the interfering packets are sent; you can select to return by the original path or select a certain interface.
• Return by original path: Sends the interfering packets from the interface through which the device captured the data packets.
• A certain interface: Sends the interfering packets from the selected interface. The drop-down list only displays interfaces that are not in a security zone.
This drop-down list is available only after you select both the Bypassed check box and the Integrated function set check box.
Table 3-13 Configuration limitation if the Bypassed check box is selected
In the bypassed
connecting mode,
when the IPS
device is
connected to a
switch, there are
some configuration
limitations for the
Source MAC for
Interfering
and
Next Hop MAC
Table 3-13 for
see
details.
Directly connected
,
Devices in the bypassed connecting
mode
When the
General device
3-16 is a Layer 2 switch
General port
The
Mirroring port
When the
General
device
in
Monitor port
same VLAN.
Figure 3-16
is a Layer 3
switch
General port
The
Mirroring port
Monitor port
different VLANs.
Configuration Guidelines
in Figure
,
, and the
are in the
,
, and the
are in
Source MAC for Interfering Next Hop MAC
Management interface
Select
Customize
Packets
, and cannot select
.
When you select
Customize
or
, the
Null
MAC address cannot be conflicted
with another MAC address in the
Layer 2 domain.
Management interface
Select
Customize
Packets
, and cannot select
.
When you select
Customize
or
, the
Null
MAC address cannot be conflicted
with another MAC address in the
Layer 2 domain.
zNull
No limitation
zVirtual interface MAC
address of the VLAN to
which the General port
belongs
When configuring operating mode, note that:
1) When the device is in bypassed connecting mode and connected to a switch, avoid the following
configurations; otherwise, the switch may not learn MAC addresses successfully.
z Configure the source MAC address of the captured packets as the source MAC address on the
device.
z Apply the policy using blocking or interfering actions on the device.
z The interfaces connected with the management interface and service interface (A management
interface is the interface through which the device sends out packets and manages bypass traffic;
a service interface is the interface through which the device receives bypass traffic and performs
detections. The two interfaces can actually be the same one) are configured in the same VLAN.
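A configuration lint for the bypass-mode constraints in Table 3-13 and the guidelines above, written in Python as an added example (it is not H3C code): the OperatingMode and SwitchContext classes and lint_operating_mode are hypothetical helpers, and the option names are the ones shown on the Operating Mode page.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


def norm_mac(mac: str) -> str:
    """Canonical form so 00-11-22-AA-BB-CC and 00:11:22:aa:bb:cc compare equal."""
    return mac.strip().lower().replace("-", ":")


@dataclass
class OperatingMode:
    """Values of the Operating Mode page (option names as shown on the page)."""
    connecting_mode: str                      # "Directly connected" or "Bypassed"
    application_mode: str                     # "Report logs only" or "Integrated function set"
    source_mac: str                           # "Management interface", "Packets" or "Customize"
    custom_source_mac: Optional[str] = None   # used only with "Customize"
    next_hop_mac: Optional[str] = None        # None stands for Null


@dataclass
class SwitchContext:
    """The General device of Figure 3-16 that the bypassed IPS is connected to (hypothetical)."""
    layer: int                                # 2 or 3
    ports_in_same_vlan: bool                  # General, Mirroring and Monitor ports share one VLAN
    vlan_interface_mac: Optional[str] = None  # virtual interface MAC of the General port's VLAN
    known_macs: Set[str] = field(default_factory=set)   # other MACs in the Layer 2 domain
    mgmt_and_service_same_vlan: bool = False  # management and service interface ports share a VLAN


def lint_operating_mode(cfg: OperatingMode, switch: Optional[SwitchContext]) -> List[str]:
    """Return the constraints the configuration violates (an empty list means none)."""
    findings: List[str] = []
    if cfg.connecting_mode != "Bypassed" or switch is None:
        return findings   # Table 3-13 and the guidelines apply only when bypassed to a switch
    # Guideline 1 / Table 3-13: Packets as source MAC may stop the switch from learning MACs.
    if cfg.source_mac == "Packets":
        findings.append("Source MAC for Interfering must be Management interface or Customize, not Packets")
    # Guideline 2: blocking or interfering actions are to be avoided in this topology.
    if cfg.application_mode == "Integrated function set":
        findings.append("Integrated function set applies blocking/interfering actions; use Report logs only")
    # Guideline 3: management and service interfaces in one VLAN.
    if switch.mgmt_and_service_same_vlan:
        findings.append("management interface and service interface must not be in the same VLAN")
    # Table 3-13: a customized source MAC must be unique in the Layer 2 domain.
    if cfg.source_mac == "Customize":
        if not cfg.custom_source_mac:
            findings.append("Customize selected but no source MAC address configured")
        elif norm_mac(cfg.custom_source_mac) in {norm_mac(m) for m in switch.known_macs}:
            findings.append(f"custom source MAC {cfg.custom_source_mac} conflicts with a MAC in the Layer 2 domain")
    # Table 3-13: Next Hop MAC is limited only behind a Layer 2 switch with the ports in one VLAN.
    if switch.layer == 2 and switch.ports_in_same_vlan and cfg.next_hop_mac is not None:
        allowed = norm_mac(switch.vlan_interface_mac) if switch.vlan_interface_mac else None
        if norm_mac(cfg.next_hop_mac) != allowed:
            findings.append("Next Hop MAC must be Null or the virtual interface MAC of the General port's VLAN")
    return findings
```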
OAA Configuration
The OAA client and the OAA server mentioned in the following configuration procedure and
configuration examples indicate the ACFP client and the ACFP server in the OAA architecture.
OAA Configuration Overview
Basic data communication networks comprise routers and switches, which forward data packets. As
data networks develop, more and more services run on them. It has become inappropriate to use
legacy devices for handling some new services. Therefore, some security products such as firewalls,
Intrusion Detection System (IDS), and Intrusion Prevention System (IPS), and voice and wireless
products are designed to handle specific services.
For better support of new services, manufacturers of legacy networking devices (routers and switches
in this document) have developed various dedicated service boards (cards) to specifically handle these
services. Some manufacturers of legacy networking devices provide a set of software/hardware
interfaces to allow the boards (cards) or devices of other manufacturers to be plugged into or connected
to these legacy networking devices to handle these services. This gives full play to the advantages of
respective manufacturers for better support of new services while reducing user investments.
The open application architecture (OAA) is an open service architecture developed with this concept.
The Application Control Forwarding Protocol (ACFP) is developed based on the OAA architecture. For
example, collaborating IPS/IDS cards or IPS/IDS devices acting as ACFP clients run software
packages developed by other manufacturers to support the IPS/IDS services. A router or switch mirrors
or redirects the received packets to an ACFP client after matching the ACFP collaboration rules. The
software running on the ACFP client monitors and detects the packets. Based on the monitoring and
detection results, the ACFP client sends back responses to the router or switch through collaboration
Management Information Bases (MIBs) to instruct the router or switch to process the results, such as
filtering out the specified packets.
ACFP architecture
Figure 3-18 Diagram for ACFP architecture
As shown in Figure 3-18, the ACFP architecture consists of:
z Routing/switching component: As the main part of a router or switch, it performs complete
router/switch functions and is also the core of user management control.
z Independent service component: It is also known as the Open Application Platform (OAP), the
main part open for development by a third party, and is mainly used to provide various unique
service functions.
z Interface-connecting component: It connects the interface of the routing/switching component to
that of the independent service component, allowing the devices of two manufacturers to be
interconnected.
OAA collaboration
OAA collaboration means that the independent service component can send instructions to the
routing/switching component to change its functions. OAA collaboration is mainly implemented through
the Simple Network Management Protocol (SNMP). Acting as a network management system, the
independent service component sends various SNMP commands to the routing/switching component,
which can then execute the instructions received because it supports an SNMP agent. In this process, the
cooperating MIB is the key to associating the two components with each other.
ACFP management
ACFP collaboration provides a mechanism, which enables the ACFP client (the independent service
component in
Figure 3-18) to control the traffic on the ACFP server (the routing/switching component in
Figure 3-18) by implementing the following functions:
z Mirroring and redirecting the traffic on the ACFP server to the ACFP client
z Permitting/denying the traffic from the ACFP server
z Carrying the context ID in a packet to enable the ACFP server and ACFP client to communicate the
packet context with each other. The detailed procedure is as follows: The ACFP server maintains a
context table that can be queried with context ID. Each context ID corresponds with an ACFP
collaboration policy that contains information including the inbound interface and outbound interface of
the packet, and collaboration rules. When the packet received by the ACFP server is redirected or
mirrored to the ACFP client after matching a collaboration rule, the packet carries the context ID of
the collaboration policy to which the collaboration rule belongs. When the redirected packet is
returned from the ACFP client, the packet also carries the context ID. With the context ID, the
ACFP server knows that the packet is returned after being redirected and then forwards the packet
normally.
For the ACFP client to better control traffic, a two-level structure of the collaboration policy and
collaboration rules is set in the collaboration to manage the traffic matching the collaboration rule based
on the collaboration policy, implementing flexible traffic management.
To better support the Client/Server collaboration mode and granularly and flexibly set different rules, the
collaboration content is divided into four parts: ACFP server information, ACFP client information, ACFP
collaboration policy and ACFP collaboration rules. These four parts of information are saved in the
ACFP server.
An ACFP server supports multiple ACFP clients. Therefore, ACFP client information, ACFP
collaboration policy, and ACFP collaboration rules are organized in the form of tables.
ACFP server information is generated by the ACFP server itself. ACFP client information, ACFP
collaboration policy, and ACFP collaboration rules are generated on the ACFP client and sent to the
ACFP server through the collaboration MIB or collaboration protocol.
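A model of the context-ID round trip described above, added here as an example and not part of the ACFP implementation or of this manual: the server tags a packet with the context ID of the policy whose rule it matched, and a packet returning with that ID is forwarded without a second rule match. Class and function names (AcfpServer, AcfpClient, round_trip) and the interface name client-link are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    context_id: Optional[int] = None  # attached by the server on a mirror or redirect


@dataclass
class Rule:
    """One ACFP collaboration rule: a match condition plus the action taken on a hit."""
    dport: Optional[int] = None   # None matches any destination port
    action: str = "mirror"        # "mirror" (copy to the client) or "redirect" (hand over)

    def matches(self, p: Packet) -> bool:
        return self.dport is None or self.dport == p.dport


@dataclass
class Policy:
    """One ACFP collaboration policy: inbound/outbound interface plus its rules."""
    context_id: int
    in_if: str
    out_if: str
    rules: List[Rule] = field(default_factory=list)


class AcfpServer:
    """Routing/switching component: owns the context table and forwards traffic."""
    def __init__(self, egress: Dict[str, str]):
        self.egress = egress                              # inbound -> outbound interface
        self.context_table: Dict[int, Policy] = {}
        self.forwarded: List[Tuple[str, Packet]] = []     # (outbound interface, packet)
        self.to_client: List[Tuple[str, Packet]] = []     # (action, packet carrying context ID)

    def add_policy(self, policy: Policy) -> None:
        self.context_table[policy.context_id] = policy

    def receive(self, in_if: str, p: Packet) -> str:
        # A packet coming back from the client carries the context ID it left with: the
        # server looks the policy up by that ID and forwards normally, with no second match.
        if p.context_id is not None:
            policy = self.context_table.get(p.context_id)
            if policy is None:
                return "dropped"                          # unknown context: not ours to forward
            self.forwarded.append((policy.out_if, p))
            return "forwarded"
        for policy in self.context_table.values():
            if policy.in_if != in_if:
                continue
            for rule in policy.rules:
                if rule.matches(p):
                    tagged = Packet(p.src, p.dst, p.dport, policy.context_id)
                    self.to_client.append((rule.action, tagged))
                    if rule.action == "mirror":           # copy to the client, original goes on
                        self.forwarded.append((policy.out_if, p))
                        return "mirrored"
                    return "redirected"                   # original waits for the client's verdict
        self.forwarded.append((self.egress[in_if], p))    # no rule hit: plain forwarding
        return "forwarded"


class AcfpClient:
    """Independent service component: inspects what the server hands over."""
    def __init__(self, denied_ports: set):
        self.denied_ports = denied_ports

    def inspect(self, action: str, p: Packet) -> Optional[Packet]:
        if action == "mirror":
            return None                                   # detection only, nothing to return
        if p.dport in self.denied_ports:
            return None                                   # deny: the redirected packet is dropped
        return p                                          # hand back unchanged, context ID intact


def round_trip(server: AcfpServer, client: AcfpClient, in_if: str, p: Packet) -> str:
    """Drive one packet through server and client; returns the final outcome."""
    outcome = server.receive(in_if, p)
    if outcome != "redirected":
        return outcome
    action, tagged = server.to_client.pop()
    returned = client.inspect(action, tagged)
    if returned is None:
        return "denied"
    return server.receive("client-link", returned)        # comes back with the context ID


def demo() -> Dict[int, str]:
    """Constructed scenario: policy 7 mirrors DNS and redirects everything else."""
    server = AcfpServer({"GE4/0/1": "GE4/0/2"})
    server.add_policy(Policy(7, "GE4/0/1", "GE4/0/2", [Rule(53, "mirror"), Rule(None, "redirect")]))
    client = AcfpClient(denied_ports={23})
    return {d: round_trip(server, client, "GE4/0/1", Packet("10.0.0.5", "203.0.113.9", d)) for d in (53, 80, 23)}
```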
Configuring OAA Client
Select System Management > Device Management > OAA Configuration to enter the OAA
configuration page, as shown in
Item Description
Specify whether to enable the ACFP client. The ACFP client is enabled by default.
Set the username of the OAA client. The username must be the same as in the related SNMP
configuration on the OAA server.
Authentication Password
Encryption Password
Set the authentication password and encryption password for the OAA client.
Three security levels are available: no authentication no privacy, authentication without privacy, and
authentication with privacy. The security level you set must be the same as in the related SNMP
configuration on the OAA server.
The device supports the MD5 authentication mode and the DES privacy mode. If authentication and
encryption are needed, the authentication mode and privacy mode on the OAA server must be MD5
and DES respectively.
OAA Server IP Set the IP address for the OAA server.
VLAN ID Specify the VLAN to which the internal interface belongs.
IP Address Set the IP address for the internal interface.
Subnet Mask Set the subnet mask for the internal interface.
After configuring the parameters on the OAA page, click Test Connectiv to test the connectivity
between the OAA client and the server. After you confirm that the test is successful, click Apply to
submit your configuration.
OAA Configuration Example
Network requirements
z The intranet is interconnected to the Internet through Device that acts as the ACFP server.
z IPS is connected to Device. With the OAA configurations, IPS can detect and control the traffic on
Device.
Figure 3-20 Network diagram for OAA configuration (labels in the figure: Internet; Router; Device,
OAA server, Switch, Vlan-int100 192.168.1.1/24, GE4/0/1, GE4/0/2, Ten-GigabitEthernet2/0/1; IPS,
OAA client, 192.168.1.2/24; Enterprise Network Management)
Configuration procedure
1) Configure the OAA server
Follow these steps to configure the OAA server (the detailed configuration is omitted here):
z Enable the OAA server.
z Configure a VLAN interface for VLAN 100, and set the IP address of the interface to 192.168.1.1.
z Specify the SNMP version as v3.
z Create a user with the username v3user, and specify the security level as no authentication no
privacy.
2) Configure the OAA client
# Configure the OAA client.
z Select System Management > Device Management > OAA Configuration, and perform the
following operations, as shown in Figure 3-21.
Figure 3-21 OAA configuration
z Type v3user as the username.
z Type 192.168.1.1 as the IP address of the OAA server.
z Type 100 as VLAN ID.
z Type 192.168.1.2 as the IP address.
z Type 255.255.255.0 as subnet mask.
z Click Apply.
# Test the connectivity.
z Click Test Connectiv on OAA configuration page.
z The system prompts that the connectivity test succeeded.
# Add an internal security zone.
z Select System Management > Network Management > Security Zone, and click Add, as shown
in Figure 3-22. Perform the following operations on the Add Security Zone page, as shown in
Figure 3-23.
Figure 3-22 Security zone
Figure 3-23 Add a security zone
z Type zone1 as the name.
z Add interface GigabitEthernet 4/0/1.
z Click Apply.
# Add an external security zone.
z Click Add.
z Type zone2 as the name.
z Add interface GigabitEthernet 4/0/2.
z Click Apply.
# Add segment 0.
z Select System Management > Network Management > Segment Configuration, and click Add
Segment, as shown in Figure 3-24. Perform the following operations on the Add Segment page,
as shown in Figure 3-25.
Figure 3-24 Segment configuration
Figure 3-25 Add a segment
z Select 0 from the Segment No drop-down list.
z Select zone1 from the Internal Zone drop-down list, and zone2 from the External Zone
drop-down list.
z Select Ten-GigabitEthernet2/0/1 from the Internal Interface drop-down list.
z Click Apply.
After the above configuration, you need to apply the security policies (such as URL filtering policies,
anti-virus policy) on segment 0, and then you can detect and control the traffic on Device.
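An added example (not H3C code) that checks an OAA client configuration against the SNMPv3 user on the OAA server before Test Connectiv and Apply, covering the configuration items of the OAA page and the values of the configuration example above; the OaaClientConfig and OaaServerUser classes are hypothetical, and the warning on the no authentication no privacy level is this editor's caveat, not the manual's.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_interface
from typing import List, Optional, Tuple

# Security levels as the page names them (SNMPv3: noAuthNoPriv, authNoPriv, authPriv).
NO_AUTH_NO_PRIV = "no authentication no privacy"
AUTH_NO_PRIV = "authentication without privacy"
AUTH_PRIV = "authentication with privacy"

# The only algorithms the IPS device supports for the OAA client (per the page).
SUPPORTED_AUTH = {"MD5"}
SUPPORTED_PRIV = {"DES"}


@dataclass
class OaaClientConfig:
    """Fields of the OAA Configuration page (hypothetical structure, page's item names)."""
    username: str
    oaa_server_ip: str
    vlan_id: int
    ip_address: str                 # internal interface address
    subnet_mask: str
    authentication_password: Optional[str] = None
    encryption_password: Optional[str] = None


@dataclass
class OaaServerUser:
    """SNMPv3 user and VLAN interface configured on the OAA server (hypothetical structure)."""
    username: str
    security_level: str
    auth_protocol: Optional[str] = None   # e.g. "MD5" or "SHA"
    priv_protocol: Optional[str] = None   # e.g. "DES" or "AES"
    vlan_id: int = 0
    vlan_interface_ip: str = ""


def client_security_level(cfg: OaaClientConfig) -> str:
    """The level implied by which passwords are filled in on the client page."""
    if cfg.authentication_password and cfg.encryption_password:
        return AUTH_PRIV
    if cfg.authentication_password:
        return AUTH_NO_PRIV
    if cfg.encryption_password:
        raise ValueError("privacy without authentication is not a valid SNMPv3 level")
    return NO_AUTH_NO_PRIV


def check_oaa_client(cfg: OaaClientConfig, server: OaaServerUser) -> List[Tuple[str, str]]:
    """(severity, message) findings: 'error' means the collaboration cannot work as
    configured, 'warning' means it works but deserves a second look."""
    findings: List[Tuple[str, str]] = []
    if cfg.username != server.username:
        findings.append(("error", f"username {cfg.username!r} differs from server user {server.username!r}"))
    level = client_security_level(cfg)
    if level != server.security_level:
        findings.append(("error", f"client level '{level}' differs from server level '{server.security_level}'"))
    if level != NO_AUTH_NO_PRIV and server.auth_protocol not in SUPPORTED_AUTH:
        findings.append(("error", f"server authentication mode {server.auth_protocol} is not MD5"))
    if level == AUTH_PRIV and server.priv_protocol not in SUPPORTED_PRIV:
        findings.append(("error", f"server privacy mode {server.priv_protocol} is not DES"))
    if level == NO_AUTH_NO_PRIV:
        # The client steers traffic on the switch through SNMP commands; at this level the
        # OAA server cannot verify that those commands really come from the IPS.
        findings.append(("warning", "SNMP commands to the OAA server are neither authenticated nor encrypted"))
    # The internal interface must share a subnet (and VLAN) with the server's VLAN interface.
    internal = ip_interface(f"{cfg.ip_address}/{cfg.subnet_mask}")
    if ip_address(cfg.oaa_server_ip) not in internal.network:
        findings.append(("error", f"OAA server {cfg.oaa_server_ip} is outside the internal subnet {internal.network}"))
    if server.vlan_interface_ip and server.vlan_interface_ip != cfg.oaa_server_ip:
        findings.append(("error", "OAA Server IP does not match the server's VLAN interface address"))
    if cfg.vlan_id != server.vlan_id:
        findings.append(("error", f"client VLAN {cfg.vlan_id} differs from server VLAN interface {server.vlan_id}"))
    return findings


# Constructed inputs mirroring the page's configuration example (v3user, VLAN 100).
EXAMPLE_CLIENT = OaaClientConfig("v3user", "192.168.1.1", 100, "192.168.1.2", "255.255.255.0")
EXAMPLE_SERVER = OaaServerUser("v3user", NO_AUTH_NO_PRIV, vlan_id=100, vlan_interface_ip="192.168.1.1")
```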
System Reboot
System Reboot Overview
The system reboot module allows you to reboot the device through the web interface. After the system
reboots, you need to re-log in to the Web interface.
Rebooting the system
Select System Management > Device Management > System Reboot from the navigation tree to
enter the system reboot configuration page, as shown in Figure 3-26.
Figure 3-26 System reboot page
You need to save the configuration to the disk before you reboot the device; otherwise, unsaved
configuration may be lost after the reboot.
Click Reboot and confirm your action.
4 User Management
User Management Overview
The user management module allows you to manage web users.
Web users fall into five categories: Level 0, Level 1, Level 2, Level 3, and auditor. Table 4-1 describes
their authorities.
Table 4-1 User levels and their authorities
User level Authorities
Level 0 (visit level)
z Perform ping operations.
z View the IP address of the management interface, management privilege, static route, and DNS
server information only.
z Cannot perform any configurations.
Level 1 (monitor level)
z Own user authorities of level 0.
z View configurations except user information.
z View logs except operation logs.
z Cannot perform any configurations.
z Cannot monitor real-time packet distribution.
Level 2 (system level)
z Own user authorities of level 1.
z Perform configurations except user configuration, operation log configuration, modify logging
configuration, software upgrade, and configuration maintenance.
Level 3 (manage level)
z Own user authorities of level 2.
z View all configurations and all logs.
z Perform all configurations.
Auditor
z View, back up, and delete operation logs.
z Cannot perform any other operations.
Configuring User Management
Configuration Task List
Table 4-2 describes the user management functions.
Table 4-2 User management functions
Task Remarks
Managing User Accounts
You can display information about all user accounts, add new user accounts, and modify user
information.
By default, the user admin of level 3 is predefined in the system.
You can unlock a user on the page for modifying user information.
Managing Online Users
You can view all users that have logged in to the system and kick any of them out of the system.
Users cannot kick themselves out.
Configuring the Security Policy
You can set the parameters related to Web login security, such as idle timeout, password strength,
and locking upon login failures.
Managing User Accounts
Select System Management > User Management > User Accounts from the navigation tree to enter
the page listing all users, as shown in Figure 4-1.
Figure 4-1 User account list
On the page, you are allowed to perform the following operations:
z Click Add to enter the page for adding a user account, as shown in Figure 4-2.
z Click the icon of a user to enter the page for modifying the user account information, as shown in
Figure 4-3. You can also set whether to lock the user. However, if you enter the modification
page of the account you are using, the lock configuration item is not displayed.
z Modify the user level by selecting the check box of a user, selecting a level from the Level
drop-down list, and then clicking Apply.
Figure 4-2 Add a user
Figure 4-3 User information configuration page
Table 4-3 describes the user account configuration items.
Table 4-3 User account configuration items
Item Description
Username This field displays a user name.
Password Set a password for the user to log in to the system.
The password must comply with the strength requirements; otherwise, the password configuration
will fail. For more information about password strength requirements, see Configuring the Security
Policy.
Confirm Password Type the same password as that you set in the Password text box. If they are
not the same, a message appears telling you that the two passwords are not consistent.
Description Set the description of the user.
Level Set the user level.
Status Set the user status, normal or lock.
z Lock: The user is locked and cannot log in to the system.
z Normal: The user is not locked.
This configuration item is displayed when you enter the modification page of another user account
rather than the account you are using.
Return to User management functions.
Managing Online Users
Select System Management > User Management > Online Users from the navigation tree to enter
the page displaying a list of online users, as shown in Figure 4-4.
Figure 4-4 Online user display page
Select the check box of a user and click Kick Out to kick the online user out of the system.
Table 4-4 describes items in the online user list.
Table 4-4 Item description of the online user list
Item Description
Username User names.
Level User levels.
Login Time The time when the users log in to the system.
Recent Operation Time The time at which the last user operation occurred.
Login IP The IP address of the host where the user resides.
Language The language displayed on the Web interface.
Return to
User management functions.
Configuring the Security Policy
Select System Management > User Management > Security Policy from the navigation tree to enter
the page for configuring the security policy, as shown in
Unlock Set the time period a locked user must wait before the user is unlocked.
Set the time period after which idle users are logged out. If a user is idle for the time period, the
system logs out the user.
Set the requirements on user passwords. There are three strength levels, low, middle, and higher,
each containing certain security requirements. For details, see Figure 4-5.
Set the number of unsuccessful password attempts after which the user account is locked. When a
user account is locked, you cannot log in with this account and a message appears displaying "User
is locked, please try again later."
Return to User management functions.
5 Management Interface Configuration
Overview
The management interface module allows you to specify management interface parameters, perform
ping operations, and configure static routes and DNS servers.
Management Interface Parameters
Management interface parameters include the IP address and mask of the management interface, and
the status of HTTP, HTTPS, SSH, and Telnet. A device may have multiple management interfaces. You
can log in to the device through any of the management interfaces to configure, manage, and maintain
the device.
Ping
You can use the ping command to check whether a device is reachable.
A successful ping operation involves the following steps:
1) The source device sends an ICMP echo request (ECHO-REQUEST) to the destination device.
2) The destination device responds by sending an ICMP echo reply (ECHO-REPLY) to the source
device after receiving the ICMP echo request.
3) The source device displays related statistics after receiving the reply.
If the source device does not receive an ICMP echo reply from the destination device before the timeout
timer expires, it displays output information and statistics during the ping operation. If the source device
receives an ICMP echo reply before the timeout timer expires, it displays the bytes of the echo reply,
packet sequence number, Time to Live (TTL), response time, and statistics during the ping operation.
Statistics during the ping operation include the number of packets sent, number of echo replies received,
percentage of packets lost, and the minimum, maximum and average round trip times.
Static Routes
You can manage a device through multiple management stations. The device reports detected
anomalies and network attacks to the management stations. You can manage the device from remote
management stations, or allow the management stations to receive and analyze logs generated by the
device, so as to detect and prevent network security threats effectively.
The route management module manages routes from the device to the management stations. You can
establish a routing table on the device by manually configuring static routes. Each entry in the routing
table specifies the next hop to reach a specific management station.
The device selects the default route for a packet only when it cannot find any matching entry in the
routing table. A static route with its destination IP address and subnet mask configured as 0.0.0.0
serves as a default route.
DNS Servers
Domain name system (DNS) is a distributed database used by TCP/IP applications to translate domain
names into corresponding IP addresses. With DNS, you can use easy-to-remember domain names in
some applications and let the DNS server translate them into correct IP addresses.
Domain name resolution is implemented by querying the DNS server. The resolution procedure is as
follows:
1) A user program sends a name query to the resolver of the DNS client.
2) The DNS resolver looks up the local domain name cache for a match. If a match is found, it sends
the corresponding IP address back. If not, it sends a query to the DNS server.
3) The DNS server looks up the corresponding IP address of the domain name in its DNS database. If
no match is found, it sends a query to a higher DNS server. This process continues until a result,
whether successful or not, is returned.
4) The DNS client returns the resolution result to the application after receiving a response from the
DNS server.
Figure 5-1 Dynamic domain name resolution
Figure 5-1 shows the relationship between the user program, DNS client, and DNS server. The resolver
and cache comprise the DNS client. The user program and DNS client can run on the same device or
different devices, while the DNS server and the DNS client usually run on different devices.
Configuring a Management Interface
Configuring Management Interface Parameters
z After the IP address of a management interface is changed, Web users that have already logged in
to the management interface cannot perform operations in IE any more. They need to log in to the
interface again by using the new IP address.
z If a device has multiple management interfaces, you are recommended to use one of them, and
configure the others as standby interfaces.
Select System Management > Network Management > Management Interface from the navigation
tree to enter the page as shown in Figure 5-2. On the Management Interface Configuration tab, you
can view and configure parameters including the IP address and mask of a specific management
interface, and the status of HTTP, HTTPS, SSH, and Telnet.
Figure 5-2 Management interface configuration
Table 5-1 describes the configuration items of management interface parameters.
Item Description
Management Interface Select an interface to be configured.
IP Address Specify an IP address and a subnet mask for the management interface.
Protocol Enable or disable HTTP, HTTPS, SSH and Telnet.
z This configuration item is effective globally.
z The total number of HTTP and HTTPS connections on the device cannot exceed 5. The total
number of SSH and Telnet connections on the device cannot exceed 7.
z You are not recommended to log in to the Web network management interface on a host through
HTTP and HTTPS at the same time.
Executing a Ping Operation
Select System Management > Network Management > Management Interface from the navigation
tree to enter the page as shown in Figure 5-2. You can perform ping operations on the Management
Interface Configuration page.
Type a destination IP address in the Ping text box, and then click Test to start a ping operation. The
result of the ping operation is displayed below the text box, as shown in Figure 5-3.
Figure 5-3 Ping operation result
Creating a Static Route
Select System Management > Network Management > Management Interface from the navigation
tree to enter the page as shown in Figure 5-2. On the Static Route tab, all static routes are listed. Click
Add to enter the Add Static Route page as shown in Figure 5-4.
Figure 5-4 Add a static route
Table 5-2 describes the configuration items of creating a static route.
Table 5-2 Static route configuration items
Item Description
Destination IP Specify the IP address of a destination management station, in dotted decimal notation.
Subnet Mask Specify the subnet mask for the management station, in dotted decimal notation.
Gateway IP Specify the next hop to reach the management station, in dotted decimal notation.
Configuring DNS Servers
Select System Management > Network Management > Management Interface from the navigation
tree to enter the page as shown in Figure 5-2. You can configure DNS servers on the DNS
Configuration tab.
Table 5-3 describes the DNS server configuration items.
Table 5-3 DNS server configuration items
Item Description
Preferred DNS Server Specify the IP address of the preferred DNS server.
Alternate DNS Server Specify the IP address of the alternate DNS server.
6 Interface Configuration
Overview
The interface configuration module allows you to manage device interface attributes, including the
interface type, up/down status, transmission rate, and duplex mode.
Configuring and Displaying Interface Properties
Select System Management > Network Management > Interface Configuration from the navigation
tree to enter the page as shown in
Table 6-1 describes the
Item Description
Interface This field displays the interface type and number.
Connection Status This field displays whether the interface is connected to another network device.
Interface Type Configure the medium type of the interface, which can be:
z Copper—The interface is an electrical interface and is connected to a twisted pair.
z Fiber—The interface is an optical interface and is connected to an optical fiber.
Support for the medium types depends on your device model.
Management Status Configure the up/down state of the interface.
Rate Configure the interface transmission rate, which can be:
z 1000M—1000 Mbit/s
z 100M—100 Mbit/s
z 10M—10 Mbit/s
z Auto—The transmission rate is automatically negotiated.
Rate Negotiated If Auto is selected for Rate, this field displays the automatically negotiated
transmission rate. If the connection status or management status is Down, this field displays
Unknown.
Duplex Configure the interface communication mode, which can be:
z Full Duplex
z Half Duplex
z Auto—Automatically negotiated communication mode
Duplex Negotiated If Auto is selected for Duplex, this field displays the automatically negotiated
communication mode. If the connection status or management status is Down, this field displays
Unknown.
Bytes Sent This field displays the bytes sent on the interface.
Bytes Received This field displays the bytes received on the interface.
Packets Sent This field displays the number of packets sent on the interface.
Packets Received This field displays the number of packets received on the interface.
Clear Counters Click Clear Counters to clear the statistics of the corresponding interface.
7 Security Zone Configuration
Overview
With security zones, an administrator can classify interfaces based on security needs, that is, assign
them to different zones, thus implementing hierarchical policy management. A security zone can
include physical and logical interfaces, and Layer 2 physical trunk interfaces + VLAN. Interfaces added
to the same security zone have consistent security needs in security policy control.
As shown in Figure 7-1, you can add the IPS device's interface connecting to the internal network to
the Internal zone, and add the IPS device's interface connecting to the external network to the External
zone. After that, you only need to define security policies for the two security zones. If networking
changes, you can modify interfaces in the security zones, instead of modifying security policies.
Security zones simplify policy maintenance and separate network services from security services.
Figure 7-1 Security zones
Configuring a Security Zone
Configuration Task List
Perform the tasks in Table 7-1 to configure a security zone.
Table 7-1 Security zone configuration task list
Task Description
Creating a Security Zone Required
Create a security zone and add interfaces to it.
By default, no security zone is created.
Activating Configurations Required
Activate all Class B configurations.
z There are two categories of configurations in the system: Class A and Class B. Class A
configurations take effect immediately, while Class B configurations must be activated to take effect.
z The Activate button is present on all pages with Class B configurations. Clicking the button on any
page will activate all Class B configurations. You are recommended to complete all Class B
configurations before clicking the Activate button.
Creating a Security Zone
For interfaces without VLAN configuration
Select System Management > Network Management > Security Zone from the navigation tree to
enter the page as shown in Figure 7-2. Click Add to enter the page as shown in Figure 7-3.
Figure 7-2 Security zone configuration page (for interfaces without VLAN configuration)
Figure 7-3 Create a security zone for interfaces without VLAN configuration
Table 7-2 describes the configuration items of creating a security zone.
Table 7-2 Configuration items of creating a security zone for interfaces without VLAN configuration
Item Description
Name Specify the name of the security zone.
Interface Assign interfaces to or remove interfaces from the security zone.
For OAA enabled interfaces with VLAN configuration
Select System Management > Network Management > Security Zone from the navigation tree to
enter the page as shown in Figure 7-4. Click Add to enter the page as shown in Figure 7-5.
Figure 7-4 Security zone configuration page (for OAA enabled interfaces with VLAN configuration)
Figure 7-5 Create a security zone for OAA enabled interface with VLAN configuration
Table 7-3 describes the configuration items of creating a security zone.
Table 7-3 Configuration items of creating a security zone for OAA enabled interfaces with VLAN
configuration
Item Description
Name Specify the name of the security zone.
The Any zone is a reserved security zone for some devices. Support for the configuration of this
zone depends on your device model.
Interface Assign interfaces to or remove interfaces from the security zone.
If your device serves as an ACFP client, the Available Interfaces field lists the interfaces of the ACFP
server. Otherwise, the Available Interfaces field lists the interfaces of your device.
VLAN ID When you try to assign a Layer 2 Ethernet interface to the security zone, you must
associate one or more VLANs with the interface. If you do not specify any VLAN, you will associate
all VLANs with the interface.
You can assign the association between a Layer 2 Ethernet interface and a VLAN to one security
zone only.
The SR6600 IPS card does not support VLAN ID configuration.
Application Mode Select the application mode (normal or cascaded) of the security zone.
In cascaded mode, policy applications are used based on VLAN IDs. The cascaded mode is applied to
ACFP internal interfaces, whereas the normal mode applies to other cases.
Return to Security zone configuration task list.
Security Zone Configuration Example
Network requirements
As shown in Figure 7-6, the IPS device serves as the network edge device that connects the Intranet to
the Internet. Interface GigabitEthernet 0/0/0 on the IPS device is connected to the Intranet and is
assigned to security zone Internal; interface GigabitEthernet 0/0/1 is connected to the Extranet and is
assigned to security zone External.
Configure the security zones on the IPS device to facilitate network management.
Figure 7-6 Network diagram for the security zone configuration
Configuration procedure
# Configure security zone Internal.
• Select System Management > Network Management > Security Zone to enter the page as
shown in Figure 7-7. Click Add to enter the page and operate on the page as shown in Figure 7-8.
Figure 7-7 Security Zone Configuration
Figure 7-8 Configure security zone Internal
• Enter Internal in the Name text box.
• Select interface g-ethernet0/0/0.
• Click Apply to complete the operation.
# Configure security zone External.
• Click Add to enter the page and operate on the page as shown in Figure 7-9.
Figure 7-9 Configure security zone External
• Enter External in the Name text box.
• Select interface g-ethernet0/0/1.
• Click Apply to complete the operation.
8 Segment Configuration
Overview
A segment is a pairing of two security zones, an internal zone and an external zone, with a defined
direction of traffic between them. You can apply different security policies to a segment to monitor and
regulate the traffic that crosses it.
Configuring a Segment
Configuration Task List
Perform the tasks in Table 8-1 to complete segment management.
Table 8-1 Segment configuration task list
Task Description
Creating a Segment Required
Create a segment and add security zones to it.
By default, no segment is created.
Applying a Policy to the Segment Optional
Apply a security policy to a security zone in the segment or to specific IP addresses
of the security zone. The security policy can be related to IPS, anti-virus, URL
filtering, DDoS, and bandwidth management. For details, refer to the corresponding
Web configuration manuals.
Applying a Segment Bandwidth Control Scheme to the Segment Optional
Apply a segment bandwidth control scheme to the segment.
Activating Configurations Required
Activate all Class B configurations, including the configured segments, policy
applications, and segment bandwidth control schemes.
• There are two categories of configurations in the system: Class A and Class B.
Class A configurations take effect immediately, while Class B configurations must
be activated to take effect.
• The Activate button is present on all pages with Class B configurations. Clicking
the button on any page activates all Class B configurations. It is recommended that
you complete all Class B configurations before clicking the Activate button.
Creating a Segment
On a chassis
Select System Management > Network Management > Segment Configuration from the navigation
tree to enter the page as shown in Figure 8-1. Then click Add Segment to enter the page as shown in
Figure 8-2.
Figure 8-1 Segment configuration on a chassis
Figure 8-2 Create a segment on a chassis
Table 8-2 describes the configuration items of creating a segment.
Table 8-2 Configuration items of creating a segment on a chassis
Item Description
Segment No Specifies the segment ID.
Internal Zone Specifies the internal zone of the segment. You can select one of the existing security
zones only.
External Zone Specifies the external zone of the segment. You can select one of the existing security
zones only.
Return to Segment configuration task list.
On a card
Select System Management > Network Management > Segment Configuration from the navigation
tree to enter the page as shown in Figure 8-3. Then click Add Segment to enter the page as shown in
Figure 8-4.
Figure 8-3 Segment configuration on a card
Figure 8-4 Create a segment on a card
Table 8-3 describes the configuration items of creating a segment.
Table 8-3 Configuration items of creating a segment on a card
Item Description
Segment No Specifies the segment ID.
Internal Zone Specifies the internal zone of the segment. You can select one of the existing security
zones only, and the security zone must include at least one interface.
External Zone Specifies the external zone of the segment. You can select one of the existing security
zones only, and the security zone must include at least one interface.
Start VLAN / End VLAN Specifies the start VLAN ID and the end VLAN ID of the VLAN range covered
by the segment. The start VLAN ID must not be greater than the end VLAN ID.
Support for this configuration item depends on your device model.
Acfp Policy Priority Priority of the ACFP policy applied to the segment.
On a host device that implements load balancing and stateful failover across multiple cards, the
host device distributes traffic to the card that has the higher ACFP policy priority.
If the host device does not use the ACFP policy priority of cards, it is recommended that you set
the ACFP policy priority to 0.
Internal Interface Specifies the internal interface of the segment. The card is connected to the host
device through this interface.
Return to Segment configuration task list.
Applying a Segment Bandwidth Control Scheme to the Segment
Select System Management > Network Management > Interface Configuration from the navigation
tree to enter the page as shown in Figure 8-1 or Figure 8-3.
Table 8-4 describes the segment bandwidth control configuration items.
Table 8-4 Segment bandwidth control configuration items
Item Description
Segment List This field displays basic information about all segments.
Select the segment that you want to apply the segment bandwidth control scheme to.
Configure Segment Bandwidth Control
Up Set the bandwidth upper limit for traffic from the internal zone to the external zone.
Down Set the bandwidth upper limit for traffic from the external zone to the internal zone.
Return to Segment configuration task list.
Precautions
Before creating a segment, you must configure security zones and, on a card, assign at least one
interface to each security zone. For more information, see Configuring a Security Zone.
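The zone and segment rules in chapters 7 and 8 (one security zone per interface-VLAN association, a segment as an internal/external zone pair with an optional VLAN range, at least one interface per zone on a card, and separate Up and Down bandwidth limits) can be checked mechanically before the configuration is activated. The following Python model is an added example written for this page; it is not H3C code and the device exposes no such API. The ZoneConfig and Segment names, the method names, the interface names and the kbps limits are illustrative assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# (interface, VLAN ID) association; VLAN None means "all VLANs" on that interface.
Member = Tuple[str, Optional[int]]


@dataclass
class Segment:
    number: int
    internal: str                     # internal security zone
    external: str                     # external security zone
    start_vlan: Optional[int] = None  # VLAN range covered by the segment (card only)
    end_vlan: Optional[int] = None
    up_kbps: Optional[int] = None     # limit for internal -> external traffic (assumed unit)
    down_kbps: Optional[int] = None   # limit for external -> internal traffic


class ZoneConfig:
    """Illustrative model of the zone/segment rules; names are assumptions."""

    def __init__(self, on_card: bool = False) -> None:
        self.on_card = on_card        # on a card, zones in a segment need >= 1 interface
        self.zones: Dict[str, Set[Member]] = {}
        self.segments: Dict[int, Segment] = {}

    @staticmethod
    def _conflict(a: Member, b: Member) -> bool:
        # Same interface, and either side means "all VLANs" or the VLAN IDs match.
        return a[0] == b[0] and (a[1] is None or b[1] is None or a[1] == b[1])

    def add_zone(self, name: str, members: Set[Member] = frozenset()) -> None:
        if name in self.zones:
            raise ValueError(f"zone {name} already exists")
        for zone, owned in self.zones.items():
            for m in members:
                if any(self._conflict(m, o) for o in owned):
                    raise ValueError(f"{m} already belongs to zone {zone}")
        self.zones[name] = set(members)

    def add_segment(self, number: int, internal: str, external: str,
                    start_vlan: Optional[int] = None, end_vlan: Optional[int] = None,
                    up_kbps: Optional[int] = None, down_kbps: Optional[int] = None) -> Segment:
        if number in self.segments:
            raise ValueError(f"segment {number} already exists")
        for zone in (internal, external):
            if zone not in self.zones:
                raise ValueError(f"unknown zone {zone}")
            if self.on_card and not self.zones[zone]:
                raise ValueError(f"zone {zone} has no interface")
        if (start_vlan is None) != (end_vlan is None):
            raise ValueError("start and end VLAN must be given together")
        if start_vlan is not None and start_vlan > end_vlan:
            raise ValueError("start VLAN ID must not be greater than end VLAN ID")
        seg = Segment(number, internal, external, start_vlan, end_vlan, up_kbps, down_kbps)
        self.segments[number] = seg
        return seg

    def zone_of(self, interface: str, vlan: Optional[int]) -> Optional[str]:
        """Zone that owns the (interface, VLAN) association, honouring "all VLANs"."""
        for zone, owned in self.zones.items():
            if (interface, vlan) in owned or (interface, None) in owned:
                return zone
        return None

    def classify(self, number: int, src_zone: str,
                 vlan: Optional[int] = None) -> Optional[Tuple[str, Optional[int]]]:
        """('up'|'down', bandwidth limit) for traffic entering the segment from src_zone."""
        seg = self.segments[number]
        if seg.start_vlan is not None and (vlan is None or not seg.start_vlan <= vlan <= seg.end_vlan):
            return None                   # outside the segment's VLAN range
        if src_zone == seg.internal:
            return ("up", seg.up_kbps)
        if src_zone == seg.external:
            return ("down", seg.down_kbps)
        return None


def rejected(step: Callable[[], object]) -> bool:
    """True if the configuration step is refused with a ValueError."""
    try:
        step()
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed configuration mirroring the chapter 7 example.
    cfg = ZoneConfig()
    cfg.add_zone("Internal", {("GigabitEthernet0/0/0", None)})
    cfg.add_zone("External", {("GigabitEthernet0/0/1", None)})
    cfg.add_segment(1, "Internal", "External", up_kbps=10000, down_kbps=50000)
    print(cfg.classify(1, "Internal"), cfg.classify(1, "External"))
```

The `_conflict` check is the part worth copying: because "no VLAN specified" means every VLAN on that interface, a later zone that claims a single VLAN on the same interface must be refused, not just an identical tuple.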
9 Layer 2 Fallback
Layer 2 Fallback Overview
The internal monitoring module of the device checks the health of the device at a high frequency. When
it detects a detection engine fault, a software system fault, or a traffic overload, the device can
automatically fall back to operating as a simple Layer 2 switch. While in this state the device inspects
no traffic at all, which keeps network services available. This function is called Layer 2 fallback.
You can also enable or disable Layer 2 fallback manually.
Configuring Layer 2 Fallback
Select System Management > High Reliability > Layer 2 Fallback to enter the page for configuring
Layer 2 fallback, as shown in Figure 9-1.
Figure 9-1 Layer 2 fallback
Table 9-1 describes the configuration items of setting Layer 2 fallback.
Table 9-1 Configuration items for Layer 2 fallback
Item Remarks
Layer 2 Fallback
• If the device is in the automatic detection state, the status indicator is green and the
button at the right of the indicator reads Enable. When the device detects a fault or a
traffic overload, it automatically enables Layer 2 fallback. You can also click Enable to
manually make the device fall back to Layer 2 operation.
• If Layer 2 fallback is enabled on the device, the status indicator is red and the button at
the right of the indicator reads Disable. After a period of time, the device automatically
disables Layer 2 fallback and returns to the automatic detection state. You can also click
Disable to disable Layer 2 fallback manually.
Action for Data Packets
Set how the device processes the data packets it receives while Layer 2 fallback is in effect.
• Permit: The device forwards the received packets directly without inspecting them. This
is fail-open: for as long as fallback lasts, attacks pass through uninspected.
• Block: The device discards the received packets, so that all traffic through it is blocked.
This is fail-closed: the link carries no traffic until fallback is disabled.
By default, the device permits the received packets.
After the configuration, click Apply to make the configuration take effect.
Current Networking Mode
Displays the current networking mode of the device: Directly connected or Bypassed.
Guidelines
Note the following when configuring Layer 2 fallback:
1) The Layer 2 fallback function takes effect only when the networking mode of the device is directly
connected. When the networking mode is bypassed, Layer 2 fallback is not applicable and cannot be
configured. If the device is already in the Layer 2 fallback state when its networking mode is changed
to bypassed, the only operation available is to disable Layer 2 fallback.
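To make the fallback behaviour concrete, the following Python model walks through the state changes described in this chapter: a fault or a manual Enable moves a directly connected device into fallback, a timer or Disable returns it to automatic detection, a bypassed device can only be disabled, and the Permit/Block action decides whether traffic fails open or closed while fallback lasts. It is an added example written for this page, not H3C code: the class name, the event labels in FAULT_EVENTS and the recovery timer value are assumptions.

```python
from typing import List, Optional

DIRECTLY_CONNECTED = "directly_connected"
BYPASSED = "bypassed"
# Conditions that trigger automatic fallback. Labels are assumed; the page names
# detection engine faults, software system faults and traffic overload.
FAULT_EVENTS = {"engine_fault", "software_fault", "traffic_overload"}


class Layer2Fallback:
    """Illustrative state model of Layer 2 fallback; not the device's API."""

    def __init__(self, networking_mode: str = DIRECTLY_CONNECTED,
                 action: str = "permit", recover_after: float = 120.0) -> None:
        if action not in ("permit", "block"):
            raise ValueError("action must be 'permit' or 'block'")
        self.networking_mode = networking_mode
        self.action = action                # permit = fail-open, block = fail-closed
        self.recover_after = recover_after  # seconds until automatic disable (assumed value)
        self.fallback = False
        self.since: Optional[float] = None

    @property
    def state(self) -> str:
        return "fallback" if self.fallback else "auto_detect"

    def enable(self, now: float) -> bool:
        """Enter fallback (manual Enable or automatic trigger). Refused when bypassed."""
        if self.networking_mode != DIRECTLY_CONNECTED:
            return False
        self.fallback, self.since = True, now
        return True

    def disable(self) -> None:
        """Leave fallback. Always allowed, even after the mode changed to bypassed."""
        self.fallback, self.since = False, None

    def health_event(self, kind: str, now: float) -> bool:
        """Report from the monitoring module; faults and overload trigger fallback."""
        return self.enable(now) if kind in FAULT_EVENTS else False

    def tick(self, now: float) -> bool:
        """Periodic timer: after recover_after seconds the device returns to auto-detect."""
        if self.fallback and self.since is not None and now - self.since >= self.recover_after:
            self.disable()
            return True
        return False

    def handle_packet(self, frame: bytes) -> str:
        """'inspected' normally; in fallback 'forwarded_uninspected' (Permit) or 'dropped' (Block)."""
        if not self.fallback:
            return "inspected"
        return "forwarded_uninspected" if self.action == "permit" else "dropped"

    def set_networking_mode(self, mode: str) -> None:
        if mode not in (DIRECTLY_CONNECTED, BYPASSED):
            raise ValueError(f"unknown networking mode {mode}")
        self.networking_mode = mode


def scenario() -> List[str]:
    """Constructed timeline with the default (Permit) action: a frame before the
    fault is inspected, one during fallback is forwarded blind, one after the
    automatic recovery is inspected again."""
    dev = Layer2Fallback()
    frame = b"\x00" * 64
    log = [dev.handle_packet(frame)]
    dev.health_event("engine_fault", now=100.0)
    log.append(dev.handle_packet(frame))
    dev.tick(230.0)
    log.append(dev.handle_packet(frame))
    return log


if __name__ == "__main__":
    print(scenario())
```

The `scenario` function is the point of the example: with the default Permit action the device is fail-open, so an engine fault silently turns the IPS into a wire for the recovery window. Whether that is acceptable is a policy decision for the segment, and the Block action is the fail-closed alternative.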
10 Interface Status Synchronization
Interface Status Synchronization Overview
In a network, when an IPS device is inserted between two adjacent devices, the interface status of those
devices may become inconsistent, and they cannot update information that depends on interface status
(for example, routing information), because neither device can see the status of the interface on its
original peer.
To solve this problem, the interface status synchronization module is introduced. It provides three
synchronization modes. You can select one according to the interface requirements of the network
devices at the two ends of the IPS device. The three modes are described in detail below.
1) Hub
No interface status synchronization is performed, and the status of each interface is independent.
2) Breaker
If the link status of the interface on one end changes from up to down, the link status and management
status of the interface on the peer end change from up to down. If the link status of the interface on one
end changes from down to up, no interface status synchronization is performed on the peer end; a peer
interface that was brought down stays down until it is brought up again.
3) Wire
In the Wire mode, the link status of the interfaces on the two ends is the same after interface status
synchronization. When the link status of the interface on one end becomes down, the device changes
the link status and management status of the interface on the peer end from up to down. When the
link status of the interface on one end changes from down to up:
• If the current management status of the peer interface is down, the device tries to change the
management status and link status of the peer interface to up. If this succeeds, the link status and
management status of both interfaces are up; otherwise, the device changes the link status and
management status of both interfaces to down.
• If the management status of the peer interface is up but its physical connection status is down,
the device changes the link status and management status of the local interface to down.
• If the management status of the peer interface is up and its physical connection status is up, the
link status and management status of both interfaces are up.
Configuring Interface Status Synchronization
Select System Management > High Reliability > Interface Status Synchronization to enter the
page for configuring interface status synchronization, as shown in Figure 10-1.
Figure 10-1 Interface status synchronization
Table 10-1 describes the configuration items for setting interface status synchronization.
Table 10-1 Configuration items for setting interface status synchronization
Item Remarks
Device Access Mode Set the interface status synchronization mode of the device: Hub, Breaker, or
Wire.
Synchronize After Set the validation waiting time for an interface to change to a new status.
This item is configurable only if you select the Breaker or Wire mode.
When the interface status synchronization mode of the device is set to Wire, a
short validation waiting time may easily cause the interface pair to flap, so set a
longer one.
11 Time Table Management
Time Table Management Overview
A time table defines time information. It can be referenced by the rules of policies such as
bandwidth management and URL filtering, so that the system can take different actions on matching
packets in different time ranges.
Each time table covers a period of seven days at a granularity of half an hour. The time range can be
continuous or discontinuous.
Configuring Time Table Management
Configuration Task List
Perform the tasks in Table 11-1 to configure time table management.
Table 11-1 Time table management configuration task list
Task Remarks
Creating a Time Table Required
Create a time table and set the valid time range.
By default, two time tables that can be modified and deleted exist:
• work: Valid from 08:00 to 18:00, Monday to Friday.
• weekend: Valid at all times except 08:00 to 18:00, Monday to Friday.
Activating Configurations Required
Activate the configurations of a time table to make the configurations take effect.
• There are two categories of configurations in the system: Class A and Class B.
Class A configurations take effect immediately, while Class B configurations must
be activated to take effect.
• The Activate button is present on all pages with Class B configurations. Clicking
the button on any page activates all Class B configurations. It is recommended that
you complete all Class B configurations before clicking the Activate button.
Creating a Time Table
Select System Management > Time Table List from the navigation tree to enter the page for
displaying time tables, as shown in Figure 11-1. Then click Add to enter the time table configuration
page, as shown in Figure 11-2.
Figure 11-1 Time table management
Figure 11-2 Create a time table
Table 11-2 shows the configuration items for creating a time table.
Table 11-2 Configuration items for creating a time table
Item Remarks
Name Set the name of the time table.
Description Set the description of the time table.
Click to select time ranges to take effect
Set the time ranges during which the time table takes effect.
Select the blue icon and then highlight the desired time ranges in the grid to set the valid
time ranges; select the white icon and highlight ranges to clear them.
The columns of the grid represent the seven days of a week (Sunday to Saturday), the
rows represent the 24 hours of a day (00:00 to 24:00, that is, 00:00 of the next day), and
each cell represents half an hour.
Return to Time table management configuration task list.
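The grid described above is a 7 x 48 matrix of half-hour cells. The following Python code is an added example for this page, not H3C code (TimeTable, slot_index and default_tables are illustrative names): it builds the two default tables from the task list, checks whether a given timestamp falls into a table, and shows that weekend is exactly the complement of work.

```python
from datetime import datetime
from typing import Dict, Iterable, List

SLOTS_PER_DAY = 48                                        # half-hour granularity
DAYS = ("Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat")  # grid column order


def slot_index(hhmm: str) -> int:
    """'08:30' -> 17; '24:00' -> 48, i.e. 00:00 of the next day."""
    hour, minute = (int(x) for x in hhmm.split(":"))
    if minute not in (0, 30) or not 0 <= hour * 60 + minute <= 24 * 60:
        raise ValueError(f"{hhmm} is not a half-hour boundary within one day")
    return hour * 2 + minute // 30


class TimeTable:
    """7 x 48 grid of half-hour cells; True means the table is valid in that cell."""

    def __init__(self, name: str, description: str = "") -> None:
        self.name = name
        self.description = description
        self.grid: List[List[bool]] = [[False] * SLOTS_PER_DAY for _ in DAYS]

    def set_range(self, days: Iterable[str], start: str, end: str,
                  valid: bool = True) -> "TimeTable":
        """Mark [start, end) on the given days; valid=False clears, like the white icon."""
        s, e = slot_index(start), slot_index(end)
        if s >= e:
            raise ValueError("start must be earlier than end")
        for day in days:
            row = self.grid[DAYS.index(day)]
            for i in range(s, e):
                row[i] = valid
        return self

    def matches(self, when: datetime) -> bool:
        day = (when.weekday() + 1) % 7        # datetime Monday=0 -> grid Sunday=0
        return self.grid[day][when.hour * 2 + when.minute // 30]

    def matches_at(self, year: int, month: int, day: int, hour: int, minute: int = 0) -> bool:
        return self.matches(datetime(year, month, day, hour, minute))

    def complement(self, name: str) -> "TimeTable":
        """A table that is valid exactly when this one is not."""
        other = TimeTable(name)
        other.grid = [[not v for v in row] for row in self.grid]
        return other

    def valid_slots(self) -> int:
        return sum(v for row in self.grid for v in row)


def default_tables() -> Dict[str, TimeTable]:
    """The two tables the device ships with: work, and weekend as its complement."""
    work = TimeTable("work").set_range(("Mon", "Tue", "Wed", "Thu", "Fri"), "08:00", "18:00")
    return {"work": work, "weekend": work.complement("weekend")}


if __name__ == "__main__":
    tables = default_tables()
    # 1 October 2007 was a Monday; 6 October 2007 a Saturday.
    print(tables["work"].matches_at(2007, 10, 1, 9), tables["work"].matches_at(2007, 10, 6, 9))
```

Note the half-open convention: a range ending at 18:00 covers the 17:30 cell but not the 18:00 cell, which is what the grid's half-hour cells imply and what the complement relies on.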
12 Action Management
Action Management Overview
The action management module manages actions and action sets. An action set is a group of actions
that can be applied in IPS, bandwidth, and URL policies to configure the actions taken on matching
packets. The actions include block actions and notify actions.
• Block action—Blocks and isolates the attack packets once an attack is detected. It applies to IPS,
bandwidth management, and URL filtering.
• Notify action—Sends notification messages once an attack is detected. It applies to IPS,
bandwidth management, and URL filtering.
Configuring Action Management
Configuration Task List
Follow the steps in Table 12-1 to configure action management:
Table 12-1 Action management configuration task list
Task Description
Creating an action: Creating a Block Action or Creating a Notify Action
Required. Use either operation.
Create a block action or a notify action, and configure the action.
• By default, a block action named Block exists.
• By default, a notify action named Notify exists.
Creating an Action Set Optional
Create an action set and configure the actions in it.
By default, a system-defined action set exists, as shown in Figure 12-5.
The system-defined action set varies by device.
Uploading Packet Trace Files Optional
You can upload the trace files generated by the packet trace action to
a TFTP server. With the IP address of the TFTP server configured,
the system uploads the trace files to the TFTP server at the specified
upload time. Meanwhile, the system checks the disk partitions at
certain times. When the partition usage reaches the threshold, the
system automatically uploads the packet trace files, starting from the
oldest, until the usage falls back into the normal range.
If the specified TFTP server is not reachable, or the server is reachable
but the TFTP service is not enabled, the upload fails, and the system
removes the trace files if the partition usage reaches the threshold.
Activating Configurations Required
Activate the configuration of an action and action set.
• The system has Class A and Class B configurations. Class A
configurations take effect immediately, while Class B configurations
must be activated to take effect.
• The Activate button is present on all pages with Class B
configurations. Clicking the button activates all Class B
configurations. It is recommended that you complete all Class B
configurations before clicking the Activate button.
Creating a Block Action
Select System Management > Action Management > Block Actions in the navigation tree to enter
the block action list page, as shown in Figure 12-1. Click Add to enter the action configuration page,
where the action type is Block by default, as shown in Figure 12-2.
Figure 12-1 Block action list
Figure 12-2 Block action configuration page
Table 12-2 describes the configuration items for creating a block action.
Table 12-2 Block action configuration items
Item Description
Name Enter a name for the block action.
Description Enter a description for the block action, for example, the function of this action.
TCP Reset Mode Specify the sending mode of TCP reset packets:
• Do not send—Do not send any TCP reset packets.
• Send to src IP—Send TCP reset packets to the source IP address of the TCP
connection.
• Send to dest IP—Send TCP reset packets to the destination IP address of the
TCP connection.
• Send to both—Send TCP reset packets to both the source and destination IP
addresses of the TCP connection.
HTTP Request Specify how to process HTTP requests:
• Drop HTTP Request—Directly drop the received HTTP requests.
• Redirect to URL—Redirect HTTP requests to a specified URL. You need to
configure the URL if this checkbox is selected.
• Return response page—Return a response page to the users who initiated the
HTTP request. With this checkbox selected, you need to configure the content of
the response page, which can include the rule description and a customized
description. The rule description describes the matched policy rule, while the
customized description is content you configure yourself. You can use either
description type or both.
Quarantine Duration Configure whether to quarantine packets sourced from a specific IP address
(that is, add the source IP address to the blacklist) and specify the quarantine period
(that is, the lifetime of the blacklist entry).
• Do not quarantine—Do not quarantine any packets.
• Quarantine—Quarantine packets sourced from the offending IP address. You
need to configure the quarantine period together with this selection.
Return to Action management configuration task list.
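The following Python code is an added example for this page, not H3C code: BlockAction, Flow,
Quarantine and apply_block_action are illustrative names, and the IP addresses are constructed
from documentation ranges. It models what a block action from Table 12-2 does to a matching flow:
which endpoints receive TCP reset packets, how an HTTP request is answered, and how the
quarantine adds the source IP to a blacklist whose entry expires after the configured lifetime.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Which endpoints receive TCP reset packets for each TCP Reset Mode.
TCP_RESET_TARGETS: Dict[str, Tuple[str, ...]] = {
    "do_not_send": (),
    "send_to_src_ip": ("src",),
    "send_to_dest_ip": ("dst",),
    "send_to_both": ("src", "dst"),
}
HTTP_MODES = ("drop", "redirect", "response_page")


@dataclass
class BlockAction:
    name: str
    tcp_reset_mode: str = "do_not_send"
    http_mode: str = "drop"
    redirect_url: Optional[str] = None
    quarantine_seconds: int = 0          # 0 = Do not quarantine

    def __post_init__(self) -> None:
        if self.tcp_reset_mode not in TCP_RESET_TARGETS:
            raise ValueError(f"unknown TCP reset mode {self.tcp_reset_mode}")
        if self.http_mode not in HTTP_MODES:
            raise ValueError(f"unknown HTTP request mode {self.http_mode}")
        if self.http_mode == "redirect" and not self.redirect_url:
            raise ValueError("Redirect to URL requires a URL")
        if self.quarantine_seconds < 0:
            raise ValueError("quarantine period must not be negative")


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    proto: str = "tcp"
    is_http: bool = False


class Quarantine:
    """Blacklist keyed by source IP; each entry lives for the configured period."""

    def __init__(self) -> None:
        self.entries: Dict[str, float] = {}     # ip -> expiry time (seconds)

    def add(self, ip: str, now: float, lifetime: int) -> None:
        self.entries[ip] = now + lifetime

    def is_quarantined(self, ip: str, now: float) -> bool:
        expiry = self.entries.get(ip)
        if expiry is None:
            return False
        if now >= expiry:                       # lazily drop expired entries
            del self.entries[ip]
            return False
        return True


def apply_block_action(action: BlockAction, flow: Flow, now: float,
                       quarantine: Quarantine) -> dict:
    """What the device does with a flow that matched a rule using this block action."""
    resets: List[str] = []
    if flow.proto == "tcp":                     # resets only make sense for TCP
        resets = [flow.src_ip if t == "src" else flow.dst_ip
                  for t in TCP_RESET_TARGETS[action.tcp_reset_mode]]
    http = None
    if flow.is_http:
        http = (action.http_mode, action.redirect_url if action.http_mode == "redirect" else None)
    quarantined = action.quarantine_seconds > 0
    if quarantined:
        quarantine.add(flow.src_ip, now, action.quarantine_seconds)
    return {"dropped": True, "tcp_resets": resets, "http": http, "quarantined": quarantined}


def precheck(flow: Flow, now: float, quarantine: Quarantine) -> bool:
    """True if the flow is dropped up front because its source is still blacklisted."""
    return quarantine.is_quarantined(flow.src_ip, now)


def invalid_action(**kwargs) -> bool:
    """True if the action configuration is refused."""
    try:
        BlockAction(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    q = Quarantine()
    act = BlockAction("web-attack", tcp_reset_mode="send_to_both", quarantine_seconds=600)
    print(apply_block_action(act, Flow("203.0.113.5", "192.0.2.10", is_http=True), 1000.0, q))
    print(precheck(Flow("203.0.113.5", "192.0.2.10"), 1300.0, q))
```

One caveat the model makes visible: quarantine keys on the source IP, so a spoofed-source flood or a shared NAT address blacklists whoever stands behind that address for the whole period, which is why the lifetime is a tuning knob rather than a set-and-forget value.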
Creating a Notify Action
Select System Management > Action Management > Notify Actions in the navigation tree to enter
the notify action list page, as shown in Figure 12-3. Click Add to enter the action configuration page,
where the action type is Notify by default, as shown in Figure 12-4.
Figure 12-3 Notify action list
Figure 12-4 Notify action configuration page
Table 12-3 describes the configuration items for creating a notify action.
Table 12-3 Notify action configuration items
Item Description
Name Enter a name for the notify action.
Description Enter a description for the notify action, for example, the function of the action.
Notification Methods
Output to local database Output notification messages to the local database.
Notify by Email Send notification messages to users by Email.
You can configure the Email address and other related parameters on the page
you enter by selecting Log Management > Logging Configuration > Mail. For
details, refer to Log Management.
Output to syslog host Output notification messages to the loghost. You need to select one or more
loghosts from the loghost list.
You need to manually add loghosts to the loghost list. To do this, enter the
loghost information such as the name, description, IP address, and listening port
number, and then click Add to complete the operation. The loghosts are globally
effective, and up to ten loghosts can be added here.
Return to Action management configuration task list.
Creating an Action Set
Select System Management > Action Management > Action Sets in the navigation tree to enter the
action set list page, as shown in Figure 12-5. Click Add to enter the action set configuration page, as
shown in Figure 12-6.
Figure 12-5 Action set list
Figure 12-6 Action set configuration page
Table 12-4 describes the configuration items for creating an action set.
Table 12-4 Action set configuration items
Item Description
Name Enter a name for the action set.
Description Enter a description for the action set, for example, the function of the action set.
Actions Select the actions to be included in the action set:
• Permit/Block—One of the two is required. Permit allows the matching packets to pass;
Block denies them. If you select Block, you must select a block action in the pull-down
box.
• Packet trace—Trace the packets, that is, extract information from the packets into a
packet trace file for later analysis. Click the hyperlink of the packet trace name, which is
Packet Trace by default, to enter the configuration page shown in Figure 12-7, where you
can modify the trace action. The items are described in Table 12-5.
• Notify—Add a notify action to the action set. You need to select a notify action from the
drop-down list.
• Interfere—You can select this action only together with the Permit action. It allows the
packets to pass but injects interference information, so that the destination receives
corrupted packets.
• When you click the hyperlink for packet trace, a dialog box appears, prompting that
unsaved modifications will be lost if you enter the new page. Click OK to enter the packet
trace configuration page.
• Limit the duration of packet tracing: at high traffic rates a large number of packet trace
files are generated, which consumes a lot of storage space and can affect the normal
operation of the system.
Table 12-5 Packet trace configuration items
Item Description
TFTP Upload Select the checkbox to enable uploading packet trace files.
TFTP Server IP Enter the IP address of the TFTP server to which you upload the packet trace files.
When Max Packets are Captured Specify when to upload a packet trace file once the maximum
number of packets has been captured:
• Upload immediately—Upload the trace file as soon as the number of packets saved in
the file reaches the configured threshold.
• Upload at a certain time—Upload, at the configured time, all trace files in which the
number of packets has reached the configured threshold.
Return to Action management configuration task list.
13 Log Management
System Logs
System Logs Overview
The system logs feature enables you to save system messages to the log buffer or send them to the
log hosts. Analyzing and archiving the logs lets you identify security weaknesses of the device and find
out when, and by whom, security policies were violated.
System logs are saved on the disk as log files named sys-date.log. For example, the system logs of
1 October 2007 are saved in file sys-20071001.log. The size of each log file cannot exceed 300 MB. If
the system logs generated in one day are too large for one file, they are saved in multiple log files
named sys-date.log.n, where a larger value of n indicates older logs. The latest system logs of the
current day are saved in file sys-current.log.
The functions provided by the system log module are listed in the following table:
Table 13-1 System log functions
Function Description
Displaying Recent Logs Displays the recent system logs.
Querying System Logs Allows you to query the system logs based on different conditions.
Deleting System Logs Allows you to delete the specified system log files from the disk.
Backing Up System Logs Allows you to back up the specified system log files to the local host in
the format of CSV.
Displaying Recent Logs
Select Log Management > System Logs > Recent Logs to enter the page as shown in Figure 13-1.
This page displays the 25 most recent system logs.
Figure 13-1 Recent logs
Table 13-2 describes the configuration items for displaying the recent logs.
Table 13-2 Configuration items for displaying the recent logs
Item Description
Time Time when the system log was generated.
Module Module to which the system log belongs.
Severity Severity level of the system log, one of the following (from high to low):
• Emergency: The system is unavailable.
• Alert: Information that demands prompt reaction.
• Critical: Critical information.
• Error: Error information.
• Warning: Warnings.
• Notice: Normal information that needs to be noticed.
• Informational: Informational messages.
System logs of different severity levels are displayed with shadings in different colors:
• Emergency, alert, and critical messages are displayed with red shading.
• Error and warning messages are displayed with orange shading.
• Notice and informational messages are displayed with white shading.
Log Content Content of the log.
Click Export to CSV, and a popup window appears. You can display the log contents in CSV format
or save them locally as a CSV file.
• Select the Refresh every seconds checkbox, and the system automatically refreshes the logs at
the specified interval; click the Refresh Now button to refresh the latest logs manually.
• To display the logs in the order defined by a column, click the column title in the log information
table.
Return to System log functions.
Querying System Logs
Select Log Management > System Logs > Query Logs to enter the page for querying system logs, as
shown in Figure 13-2. The page allows you to query system logs based on different conditions.
Figure 13-2 Query system logs
After setting the severity level and the time range of the system logs to be queried:
• Click Export to CSV, and a popup window appears. You can open the system logs or save them
locally in CSV format.
• To display all the system logs matching the query condition, click Query. The fields are described
in Table 13-2.
To display the logs in the order defined by the title items, click the title items in the log information table.
Return to
System log functions.
Deleting System Logs
Select Log Management > System Logs > Delete Logs to enter the page as shown in Figure 13-3.
Figure 13-3 Delete system logs
Select the checkbox before the system log files to be deleted, and then click Delete to delete the
corresponding system log files.
Return to
System log functions.
Backing Up System Logs
Select Log Management > System Logs > Back up Logs to enter the page as shown in Figure 13-4.
Figure 13-4 Back up system logs
Select the system log files to be backed up, and then click Back Up to back up the system log files to
the local host in the format of CSV.
Return to
System log functions.
Operation Logs
Operation Logs Overview
The operation logs function saves a record of the operations performed through the Web interface and
the command line. Analyzing and archiving the logs lets you find out which operations were performed
on the device, so that problems can be analyzed and solved.
Operation logs are saved on the disk of the device as log files named oper-date.log. For example, the
operation logs of 1 October 2007 are saved in file oper-20071001.log. The size of each log file cannot
exceed 300 MB. If the operation logs of one day are too large for one file, they are saved in multiple log
files named oper-date.log.n, where a larger value of n indicates older logs. The latest operation logs of
the current day are saved in file oper-current.log.
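The system log and operation log sections use the same file naming scheme, so one added example serves both. The following Python code is written for this page and is not H3C code: it parses the file names, orders them newest to oldest, and models the rotation that keeps a larger n meaning an older file. The 300 MB cap and the names come from the text; the exact renaming sequence during rotation, the function names and the append_record helper are assumptions.

```python
import re
from typing import Dict, List, Tuple

MAX_LOG_FILE_BYTES = 300 * 1024 * 1024
_NAME = re.compile(r"^(sys|oper)-(current|\d{8})\.log(?:\.(\d+))?$")


def parse_log_name(name: str) -> Tuple[str, str, int]:
    """'oper-20071001.log.2' -> ('oper', '20071001', 2); files without a suffix get n = 0."""
    m = _NAME.match(name)
    if not m:
        raise ValueError(f"not a device log file name: {name}")
    kind, date, n = m.groups()
    if date == "current" and n is not None:
        raise ValueError(f"the current file never carries a suffix: {name}")
    return kind, date, int(n) if n else 0


def newest_first(names: List[str]) -> List[str]:
    """Order files newest to oldest within each kind: current, later dates, smaller n."""
    def key(name: str):
        kind, date, n = parse_log_name(name)
        if date == "current":
            return (kind, 0, 0, 0)
        return (kind, 1, -int(date), n)
    return sorted(names, key=key)


def rotate(files: Dict[str, int], kind: str, date: str) -> Dict[str, int]:
    """Close <kind>-current.log for `date` (assumed mechanics): every existing
    <kind>-<date>.log.n moves to n+1, <kind>-<date>.log becomes .1, and the closed
    current file becomes <kind>-<date>.log, so a larger n is always older."""
    current = f"{kind}-current.log"
    out = dict(files)
    if current not in out:
        return out
    base = f"{kind}-{date}.log"
    suffixed = []
    for name in files:
        k, d, n = parse_log_name(name)
        if k == kind and d == date and n > 0:
            suffixed.append((n, name))
    for n, name in sorted(suffixed, reverse=True):   # highest n first, nothing overwritten
        out[f"{base}.{n + 1}"] = out.pop(name)
    if base in out:
        out[f"{base}.1"] = out.pop(base)
    out[base] = out.pop(current)
    return out


def append_record(files: Dict[str, int], kind: str, date: str, nbytes: int) -> Dict[str, int]:
    """Write nbytes to the current file, rotating first if the 300 MB cap would be exceeded."""
    current = f"{kind}-current.log"
    if files.get(current, 0) + nbytes > MAX_LOG_FILE_BYTES:
        files = rotate(files, kind, date)
    out = dict(files)
    out[current] = out.get(current, 0) + nbytes
    return out


if __name__ == "__main__":
    # Constructed directory listing with sizes in bytes.
    listing = {"sys-current.log": MAX_LOG_FILE_BYTES, "sys-20071001.log": MAX_LOG_FILE_BYTES,
               "sys-20071001.log.1": MAX_LOG_FILE_BYTES, "sys-20070930.log": 4096}
    print(newest_first(list(listing)))
    print(sorted(rotate(listing, "sys", "20071001")))
```

The ordering matters when you pull files off the box for an investigation: `sys-20071001.log` is the newest closed file of that day and `sys-20071001.log.2` the oldest, the opposite of what most log rotation tools do.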
The functions provided by the operation log module are listed in the following table:
Table 13-3 Operation log functions
Function Description
Displaying Recent Logs Displays the recent operation logs.
Querying Operation Logs Allows you to query the operation logs based on different conditions.
Deleting Operation Logs Allows you to delete the specified operation log files from the disk.
Backing Up Operation Logs Allows you to back up the specified operation log files to the local host in
the format of CSV.
Displaying Recent Logs
Select Log Management > Operation Logs > Recent Logs to enter the page as shown in Figure 13-5.
This page displays the 25 most recent operation logs.
Figure 13-5 Recent operation logs
Table 13-4 describes the fields for displaying the recent logs.
Table 13-4 Fields for displaying the recent logs
Item Description
Time Time when the operation log was generated.
Module Module to which the operation log belongs.
Client Type Type of the client from which the operation was performed:
• Web: Operations performed on the Web interface.
• Console: Operations performed on the console port.
• Telnet: Operations performed by a user who telnets to the device from a remote
client.
• SSH: Operations performed by a user who connects to the device using SSH from
a remote client.
User The user that performed the operation.
IP Address IP address of the user that performed the operation.
Operation Result The result of the operation: succeeded or failed.
Log Content Content of the log.
Click Export to CSV, and a popup window appears. You can display the log contents in CSV format
or save them locally as a CSV file.
• If you select the Refresh every seconds checkbox, the system automatically refreshes the logs
at the specified interval; click the Refresh Now button to refresh the latest logs manually.
• To display the logs in the order defined by a column, click the column title in the log information
table.
Return to Operation log functions.
Querying Operation Logs
Select Log Management > Operation Logs > Query Logs to enter the page for querying operation
logs, as shown in
conditions.
Figure 13-6. The page allows you to query operation logs based on different
13-6
Figure 13-6 Query operation logs
After setting the username, IP address and time range of the operation logs to be que ried,
zClick Export to CSV, and a popup windows appears. You can open the operation logs or save
them locally in the format of CSV.
zTo display all the operation logs matching the query condition, click Query. The detailed
description of the information is as shown in
Table 13-4.
To display the logs in the order defined by the title items, click the title items in the log information table.
Return to Operation log functions.
Deleting Operation Logs
Select Log Management > Operation Logs > Delete Logs to enter the page for deleting operation logs, as shown in Figure 13-7.
Figure 13-7 Delete operation logs
Select the checkbox before the operation log files to be deleted, and then click Delete to delete the corresponding operation log files.
Return to Operation log functions.
Backing Up Operation Logs
Select Log Management > Operation Logs > Back up Logs to enter the page for backing up operation logs, as shown in Figure 13-8.
Figure 13-8 Back up operation logs
Select the operation log files to be backed up, and then click Back Up to back up the operation log files to the local host in CSV format.
Return to Operation log functions.
Attack Logs
Attack Logs Overview
The system analyzes and archives the attack events that occur while the device is running, generates attack logs from them, and saves the logs in the database. Attack logs enable you to monitor the device running status and diagnose network device faults.
The functions provided by the attack logs module are listed in the following table:
Table 13-5 Attack logs functions
Function Description
Displaying Recent Logs Displays the recent attack logs.
Querying Attack Logs Allows you to query the attack logs based on different conditions.
Deleting Attack Logs Allows you to delete the specified attack logs.
Displaying Recent Logs
Select Log Management > Attack Logs > Recent Logs to enter the page for displaying recent logs. This page displays the recent 25 block logs or alert logs, as shown in Figure 13-9 and Figure 13-10 respectively.
Figure 13-9 Recent block logs
Figure 13-10 Recent alert logs
Table 13-6 describes the fields for displaying the recent logs.
Table 13-6 Fields for displaying the recent logs
Item              Description
Attack ID         ID of an attack. Click the link corresponding to the ID to enter the page for modifying the IPS policy rule that the attack matches.
Time              Time when an attack was performed
Attack Name       Name of the rule that an attack matches. Click the link corresponding to the attack name to enter the page for modifying the IPS policy rule that the attack matches.
Segment           Segment where the attack was detected
Direction         Direction of the attack: from inside to outside or from outside to inside
Src IP            The source IP address of an attack
Dest IP           The destination IP address of an attack
Src Port          The source port of an attack
Dest Port         The destination port of an attack
App Layer         The application layer protocol corresponding to an attack
Hit Count         Number of times the attack has been detected
Severity          Severity level of an attack, including the following:
                  • Emergency: The system is unavailable.
                  • Alert: Information that demands prompt reaction
                  • Warning: Warnings
                  • Informational: Informational messages
Packet Trace      Name of the generated packet trace file (with a download link)
Click Export to CSV, and a popup window appears. You can display the log contents in CSV format, or save them locally as a CSV file.
• Select the Refresh every seconds checkbox, and the system automatically refreshes the logs at the specified interval; click the Refresh Now button to refresh the latest logs immediately.
• To sort the logs by a column, click that column title in the log information table.
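The recent-logs page shows only the latest 25 entries, so an exported attack-log CSV is the practical input for a wider look at what the device is blocking. The script below is an added example, not H3C code; it assumes the export header uses the Table 13-6 column names and the severity spellings from that table (neither is shown verbatim in the manual), and the sample rows, rule names and addresses are constructed.

```python
"""Summarise an exported attack-log CSV (fields as in Table 13-6).

Added example, not H3C code. Column names follow Table 13-6; the real
export header and severity spelling may differ, so adjust the constants.
"""
import csv
import io
from collections import Counter

# Severity order from Table 13-6, most severe first (assumed spelling).
SEVERITY_RANK = {"Emergency": 0, "Alert": 1, "Warning": 2, "Informational": 3}

# Constructed sample export with the Table 13-6 columns.
SAMPLE_CSV = """Attack ID,Time,Attack Name,Segment,Direction,Src IP,Dest IP,Src Port,Dest Port,App Layer,Hit Count,Severity,Packet Trace
1001,2010-05-01 10:00:00,HTTP Directory Traversal,1,outside-to-inside,203.0.113.10,10.1.1.20,51000,80,HTTP,12,Alert,trace_1001.cap
1002,2010-05-01 10:00:05,SMB Buffer Overflow Attempt,1,outside-to-inside,203.0.113.10,10.1.1.30,51001,445,SMB,3,Emergency,trace_1002.cap
1003,2010-05-01 10:01:00,ICMP Sweep,1,outside-to-inside,198.51.100.7,10.1.1.0,0,0,ICMP,40,Informational,
1004,2010-05-01 10:02:00,HTTP Directory Traversal,2,inside-to-outside,10.1.1.50,192.0.2.9,40000,80,HTTP,5,Warning,trace_1004.cap
"""


def parse_attack_logs(csv_text):
    """Rows of an attack-log export, with Hit Count converted to an int."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["Hit Count"] = int(row["Hit Count"])
    return rows


def at_least(rows, severity):
    """Rows whose severity is as severe as `severity` or worse."""
    limit = SEVERITY_RANK[severity]
    return [r for r in rows if SEVERITY_RANK[r["Severity"]] <= limit]


def hits_by_attack_name(rows):
    """Total hit count per rule name, most hits first."""
    totals = Counter()
    for row in rows:
        totals[row["Attack Name"]] += row["Hit Count"]
    return totals.most_common()


def hits_by_source(rows):
    """Total hit count per source IP, most hits first."""
    totals = Counter()
    for row in rows:
        totals[row["Src IP"]] += row["Hit Count"]
    return totals.most_common()


if __name__ == "__main__":
    rows = parse_attack_logs(SAMPLE_CSV)
    urgent = at_least(rows, "Alert")   # Emergency and Alert only
    print(hits_by_attack_name(urgent))
    print(hits_by_source(urgent))
```

Entries of Informational severity such as the sweep dominate raw hit counts, which is why the severity filter is applied before ranking.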
Return to Attack logs functions.
Querying Attack Logs
Select Log Management > Attack Logs > Query Logs to enter the page for querying attack logs, as shown in Figure 13-11. The page allows you to query attack logs based on different conditions.