H3C SecPath F1000-E Installation Manual

H3C SecPath F1000-E Firewall
Installation Manual
Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com
Manual Version: T2-080499-20071221-C-1.00
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks
H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.
To obtain the latest information, please access: http://www.h3c.com
Technical Support
customer_service@h3c.com
http://www.h3c.com
About This Manual
Related Documentation
In addition to this manual, each H3C SecPath Series Security Products documentation set includes the following:
Manual | Description
H3C SecPath Series Security Products User Manual | Introduces the features, operation principle, configuration and operation guidance, and configuration and operation commands for H3C SecPath series security gateways/firewalls, including complete command lines, parameters, command views, usage guide and operation examples.
Organization
H3C SecPath F1000-E Firewall Installation Manual is organized as follows:
Chapter | Contents
1 Product Overview | Briefly introduces the product specifications, as well as the features and applications of the H3C SecPath F1000-E Firewall.
2 Interface Modules | Describes the interface cards and interface modules supported by the H3C SecPath F1000-E Firewall.
3 Preparing for Installation | Describes the requirements of the H3C SecPath F1000-E Firewall on installation site, the safety recommendations before and during installation, and the required tools.
4 Installing the Firewall | Introduces how to install the SecPath F1000-E, as well as how to connect the power cable, console cable, AUX port cable, Ethernet cable, interface card and interface module cable.
5 Starting and Configuring the Firewall | Helps you get familiar with the basic knowledge of how to boot and configure the H3C SecPath F1000-E Firewall, including device startup, power-on, and initialization of system files, and so on.
6 Maintaining Software | Introduces how to maintain the software of the H3C SecPath F1000-E Firewall, including upgrading the software and updating the configuration files.
7 Maintaining Hardware | Introduces how to maintain the hardware of the H3C SecPath F1000-E Firewall.
8 Troubleshooting | Describes some problems that may occur during installation and startup of the H3C SecPath F1000-E Firewall and how to solve them.
Conventions
The manual uses the following conventions:

I. GUI conventions

Convention | Description
Boldface | Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
> | Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

II. Symbols

Convention | Description
Warning | Means reader be extremely careful. Improper operation may cause bodily injury.
Caution | Means reader be careful. Improper operation may cause data loss or damage to equipment.
Note | Means a complementary description.
Environmental Protection
This product has been designed to comply with the requirements on environmental protection. For the proper storage, use and disposal of this product, national laws and regulations must be observed.
Installation Manual H3C SecPath F1000-E Firewall Table of Contents
Table of Contents
Chapter 1 Product Overview
  1.1 Overview
    1.1.1 Introduction
    1.1.2 Main Features
  1.2 Appearance of the F1000-E
    1.2.1 Front Panel
    1.2.2 Rear Panel
  1.3 Technical Specifications
    1.3.1 Processor and Storages
    1.3.2 Dimensions and Weight
    1.3.3 Fixed Interfaces and Slots
    1.3.4 Power Input
    1.3.5 Operating Environment
  1.4 Components
    1.4.1 Processor and Storages
    1.4.2 Panel LEDs
    1.4.3 Fixed Interfaces
    1.4.4 Interface Modules
    1.4.5 USB Interfaces
    1.4.6 AC Power Input
    1.4.7 Clock
    1.4.8 RPS (Optional)
    1.4.9 Port Lightning Arrester (Optional)
    1.4.10 Power Lightning Arrester (Optional)
    1.4.11 Signal Lightning Arrester (Optional)
    1.4.12 System Software
Installation Manual H3C SecPath F1000-E Firewall Chapter 1 Product Overview

Chapter 1 Product Overview

1.1 Overview

1.1.1 Introduction
The H3C SecPath F1000-E Firewall (hereinafter referred to as the F1000-E) is a new
generation, professional firewall product developed by Hangzhou H3C Technologies
Co., Ltd. (hereinafter referred to as H3C) for enterprise users. In addition to traditional
firewall functions, the F1000-E supports virtual firewall, security zone, attack protection,
P2P flow control, and URL filtering, ensuring effective protection of network security.
Using the application specific packet filter (ASPF), the F1000-E can monitor connection
processes and detect illegal operations, and implement dynamic packet filtering by
applying ACL rules. The F1000-E supports a variety of virtual private network (VPN)
services, such as IPSec VPN, to construct various forms of VPNs. The F1000-E
provides abundant routing capabilities, and supports various routing protocols including
Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Border
Gateway Protocol (BGP). Employing a high-performance multi-core processor, the
F1000-E supports a maximum of 20 GE interfaces, providing a good extendibility.
To ensure reliability and convenience for networking applications, the F1000-E:
• Uses two power supply modules for 1+1 redundancy backup
• Supports both AC and DC power inputs
• Supports hot swap of service interface cards to allow convenient network maintenance, upgrade and optimization
• Supports active/standby hot backup
• Supports Active/Active and Active/Passive work modes
• Provides internal temperature monitoring
• Supports Quidview and Web-based network management systems
The F1000-E provides four Combo ports for flexible optical-electrical interface switchover.
The F1000-E provides two high-speed interface module (HIM) slots for high-speed
interfaces. Currently the device supports HIM-4GBE and HIM-8GBE interface modules.
1.1.2 Main Features
I. Powerful hardware platform
The F1000-E uses a multi-core processor of the MIPS 64-bit architecture and a built-in
high-performance VPN accelerator to ensure safe and reliable operation in a Gigabit
network environment.
II. Diversified security protection functions
• Security zone management. The F1000-E supports security zone division based on physical interfaces, logical interfaces, L2 Ethernet sub-interfaces, and L2 Ethernet interfaces + VLANs. Interfaces in the same security zone typically have the same security requirements for security policy control. With the concept of security zone introduced, the security administrator can divide interfaces with different security requirements into different zones. This hierarchical management of policies simplifies policy maintenance and enables the separation of networking services from security services.
• Packet filtering. The F1000-E supports static access control of users by filtering each IP packet as per the defined access control list (ACL) rules.
• Application-specific packet filtering (ASPF), also known as stateful packet inspection (SPI). ASPF is an advanced communication filtering function that checks the information of application layer protocols, such as the File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP), Simple Mail Transfer Protocol (SMTP) and Real-Time Streaming Protocol (RTSP), monitors the state of connection-oriented application layer protocols to maintain the state information of each connection, and dynamically decides whether to permit or drop a packet.
• P2P flow control. The F1000-E uses the deep inspection method, namely by matching packets with the characteristics of P2P packets, to accurately identify P2P traffic. In addition, the F1000-E provides different control policies to allow flexible control of P2P traffic.
• Virtual firewall. A firewall can be logically divided into multiple virtual firewalls, each configured with a different security policy. By default, different virtual firewall devices are isolated from one another and can be separately managed.
• Anti-attack features. The F1000-E supports a diversity of attack prevention techniques to guard against various attacks, including Land, Smurf, Fraggle, WinNuke, Ping of Death, Tear Drop, IP Spoofing, address sweep, and port scan attacks. In addition, F1000-E can also guard against various DDoS attacks, including SYN Flood, UDP Flood, ICMP Flood, ACK Flood, RST Flood, DNS Query Flood, and CC.
• URL filtering. The F1000-E allows you to block specific Websites to improve the utilization of network resources.
III. Powerful VPN functions
• The F1000-E supports IPsec and GRE.
• The F1000-E supports IKE and PKI.
• The F1000-E employs a built-in VPN encryption engine to ensure high-performance VPN processing.
IV. High reliability
The F1000-E supports hot standby redundancy backup.

1.2 Appearance of the F1000-E

1.2.1 Front Panel
Figure 1-1 Front panel of the F1000-E
(1) AC power socket (100 VAC to 240 VAC; 50 Hz or 60 Hz; 2.5 A)
(2) AC power switch (ON/OFF)
(3) RPS socket (RPS)
(4) CF card slot (CF CARD)
(5) CF card LED (CF)
(6) RPS LED (RPS)
(7) Slot 2 LED (SLOT2)
(8) System LED (SYS)
(9) Slot 1 LED (SLOT1)
(10) AC power LED (PWR)
(11) USB 1 LED (USB)
(12) USB interface 1
(13) USB interface 0
(14) Console port (CONSOLE)
(15) AUX port (AUX)
1.2.2 Rear Panel
Figure 1-2 Rear panel of the F1000-E
(1) Grounding screw and grounding sign
(2) 10/100/1000 Mbps electrical Ethernet interface 1
(3) 1000 Mbps optical Ethernet interface 1
(4) 1000 Mbps optical Ethernet interface LED (SFP3)
(5) 1000 Mbps optical Ethernet interface LED (SFP2)
(6) 1000 Mbps optical Ethernet interface LED (SFP1)
(7) 1000 Mbps optical Ethernet interface LED (SFP0)
(8) 10/100/1000 Mbps electrical Ethernet interface 3
(9) 1000 Mbps optical Ethernet interface 3
(10) HIM slot (2)
(11) HIM slot (1)
(12) 1000 Mbps optical Ethernet interface 2
(13) 10/100/1000 Mbps electrical Ethernet interface 2
(14) 1000 Mbps optical Ethernet interface 0
(15) 10/100/1000 Mbps electrical Ethernet interface 0

1.3 Technical Specifications

1.3.1 Processor and Storages
Table 1-1 Processor and storages of the F1000-E
Item | Specification
Processor | RMI XLR732, 1 GHz
Flash | 4 MB
Memory type and size | DDR2 SDRAM; 1 GB (default); 2 GB (maximum)
Compact flash (CF) card | 256 MB by default for the built-in CF card; 256 MB, 512 MB, or 1 GB for an optional external CF card
1.3.2 Dimensions and Weight
Table 1-2 Dimensions and weight
Item | Specification
Dimensions without feet and rack-mounting ears (H × W × D) | 44.2 × 442 × 463 mm (1.74 × 17.40 × 18.23 in.)
Weight | 7.5 kg (16.53 lb)
1.3.3 Fixed Interfaces and Slots
Table 1-3 Fixed interfaces and slots
Item | Specification
Console port | 1 (9600 bps to 115200 bps, 9600 bps by default)
AUX port | 1 (9600 bps to 115200 bps, 9600 bps by default)
USB interfaces | 2; USB 0: Type A connector, operating in the host mode; USB 1: Type B connector, operating in the device mode
Combo interfaces | 4; four 10/100/1000 Mbps electrical Ethernet interfaces: GE 0 to GE 3; four 1000 Mbps optical Ethernet interfaces: SFP0 to SFP3
CF card slot | 1; one 256 MB built-in CF card; one external CF slot. F1000-E supports three CF card sizes: 256 MB, 512 MB, 1 GB
Interface module slots | 2; two HIM slots. Supported interface modules: HIM-4GBE and HIM-8GBE
1.3.4 Power Input
Table 1-4 Power input specifications
Item | Remarks
AC, rated voltage range | 100 to 240 VAC; 50/60 Hz
AC, maximum input current | 2.5 A
AC, maximum power | 150 W
RPS | Optional
1.3.5 Operating Environment
Table 1-5 Operating environment
Item | Specification
Operating temperature | 0°C to 45°C (32°F to 113°F)
Operating humidity | 10% to 95%, noncondensing
Operating altitude | –60 m to +3000 m (–196.85 ft. to +9842.52 ft.)

1.4 Components

1.4.1 Processor and Storages
I. Processor
The F1000-E uses an RMI XLR732 1GHz multi-core microprocessor as its data
forwarding and service processing engine.
II. Flash
The Flash size is 4 MB, of which 1 MB is used for storing the boot file—BootWare and
the remaining space for BootWare backup and important system parameters.
III. Memory modules
The default memory size of the F1000-E is 1 GB and the maximum memory size is 2
GB. The F1000-E provides two memory module connectors. When you use two
memory modules, make sure they are of the same size.
The F1000-E supports two sizes of DDR2 SDRAM modules:
• 512 MB
• 1 GB
IV. CF card
1) Introduction
A compact flash (CF) card is used for storing logs, host files, and configuration files.
The F1000-E is equipped with a built-in 256 MB CF card, which is identified with cfa0.
In addition, the F1000-E provides an external CF card slot to expand the local storage
space. A CF card inserted into the external CF card slot is identified with cfb0.
The F1000-E supports three sizes of CF cards:
• 256 MB
• 512 MB
• 1 GB
Caution:
The F1000-E only supports the CF cards provided by Hangzhou H3C Technologies
Co., Ltd. and may not be compatible with those provided by other manufacturers.
2) CF card and slot
Figure 1-3 CF card and slot
(1) Eject button
(2) CF card slot
(3) CF card LED (CF)
3) CF card LED
For the description of the CF card LED, see Table 1-6.
Caution:
The CF card is hot-swappable. When data is being read from or written to the CF card,
the CF card LED will flash. In this case, do not remove the CF card. Otherwise, the file
system on the CF card will be damaged.
1.4.2 Panel LEDs
I. Front Panel LEDs
Figure 1-4 Front panel LEDs
Table 1-6 Description of front panel LEDs
LED | Status | Meaning
PWR (Green) | OFF | Power input is not available.
PWR (Green) | ON | The power module is operational.
RPS (Yellow/Green) | OFF | There is no RPS DC power output.
RPS (Yellow/Green) | Solid green | Both AC power input and RPS DC output are normal.
RPS (Yellow/Green) | Solid yellow | AC power input is abnormal, and RPS DC output is normal.
SLOT1 (Green) | OFF | No interface module is in slot 1 or the interface module is faulty.
SLOT1 (Green) | ON | An interface module is in slot 1 and operates normally.
SLOT2 (Green) | OFF | No interface module is in slot 2 or the interface module is faulty.
SLOT2 (Green) | ON | An interface module is in slot 2 and operates normally.
SYS (Green) | OFF | The system is powered off or the board is faulty.
SYS (Green) | Slow Flashing (1 Hz) | The board operates normally as configured.
SYS (Green) | Fast Flashing (8 Hz) | Software is being loaded or the board does not start working yet.
CF (Green) | OFF | No CF card is in position or the CF card cannot be identified.
CF (Green) | Solid green | A CF card is in position and the host has detected the CF card.
CF (Green) | Flashing green | The system is accessing the CF card. Do not unplug the card in this state.
USB1 (Green) | OFF | No host is connected to the USB interface.
USB1 (Green) | Solid green | A host is connected to the USB interface. You can remove the in this state.
USB1 (Green) | Flashing green | Data is being transmitted or received. Do not remove the device in this state.
II. Rear Panel LEDs
Figure 1-5 Rear panel LEDs
(1) 10/100/1000 Mbps electrical Ethernet interface LED (GE0)
(2) 10/100/1000 Mbps electrical Ethernet interface LED (GE1)
(3) 1000 Mbps optical Ethernet interface LED (SFP3)
(4) 1000 Mbps optical Ethernet interface LED (SFP2)
(5) 1000 Mbps optical Ethernet interface LED (SFP1)
(6) 1000 Mbps optical Ethernet interface LED (SFP0)
(7) 10/100/1000 Mbps electrical Ethernet interface LED (GE2)
(8) 10/100/1000 Mbps electrical Ethernet interface LED (GE3)
Table 1-7 Description of rear panel LEDs
LED | Status | Meaning
GE0 to GE3 (Yellow/Green) | OFF | No link is present.
GE0 to GE3 (Yellow/Green) | Solid green | A 1000 Mbps link is present.
GE0 to GE3 (Yellow/Green) | Flashing green | Data is being received or transmitted at a rate of 1000 Mbps.
GE0 to GE3 (Yellow/Green) | Solid yellow | A 10/100 Mbps link is present.
GE0 to GE3 (Yellow/Green) | Flashing yellow | Data is being received or transmitted at a rate of 10/100 Mbps.
SFP0 to SFP3 (Yellow/Green) | OFF | No link is present.
SFP0 to SFP3 (Yellow/Green) | Solid green | A link is present.
SFP0 to SFP3 (Yellow/Green) | Flashing green | Data is being received or transmitted.
SFP0 to SFP3 (Yellow/Green) | Solid yellow | The system fails to detect the SFP port.
1.4.3 Fixed Interfaces
Table 1-8 Fixed interfaces
Fixed interface | Specification
Console | 1
AUX | 1
USB interfaces | 2; USB0: Type A connector, operating in the host mode; USB1: Type B connector, operating in the device mode
CF card slot | 1; the optional CF cards for the F1000-E have three memory sizes: 256 MB, 512 MB, 1 GB
Combo interfaces | 4; four electrical Ethernet interfaces: GE0 to GE3; four optical Ethernet interfaces: SFP0 to SFP3. For a GE combo interface, the default operating interface is the optical Ethernet interface. For a GE combo interface, you can use either the electrical Ethernet interface or the optical Ethernet interface at a point of time. You can use the combo enable { copper | fiber } command in interface view to switch between the optical and electrical Ethernet interfaces.
I. Console port
1) Introduction
The F1000-E provides an RS232 asynchronous serial console port that can be
connected to a computer for system debugging, configuration, maintenance,
management, and host software loading.
2) Technical specifications for the console port
Table 1-9 Technical specifications for the console port
Item | Specification
Connector | RJ-45
Compliant standard | Asynchronous EIA/TIA-232
Baud rate | 9600 bps to 115200 bps; 9600 bps (default)
Transmission Distance | 15 m (49.2 ft.)
Services | Connection to an ASCII terminal; connection to the serial interface of a local PC to run the terminal emulation program; command line interface (CLI)
3) Console cable
A console cable is an 8-core shielded cable. At one end of the cable is an RJ-45
connector for the console port on the firewall; at the other end is a DB-9 female
connector for the serial port on a console terminal.
Figure 1-6 illustrates the console cable.
Figure 1-6 Console cable
Table 1-10 Console cable pinouts
Pin (RJ-45) | Signal direction | Pin (DB-9) | Signal
1 | → | 8 | CTS
2 | → | 6 | DSR
3 | → | 2 | RXD
4 | ← | 1 | DCD
5 | — | 5 | GND
6 | ← | 3 | TXD
7 | ← | 4 | DTR
8 | ← | 7 | RTS
Note:
For the connection of the console cable, refer to section 4.10.1 “Connecting the
Console Cable” in Chapter 4 “Installing the Firewall”.
II. AUX port
1) Introduction
The AUX port is an RS232 asynchronous serial interface used for remote configuration
or dialup backup. You need to connect the local modem to the remote modem through
PSTN and then to the remote device for remote system debugging, configuration,
maintenance, and management. In the event that the console port fails, the AUX port
can be connected to a terminal as a backup port of the console port. For details, refer to
section 8.4 “Using the AUX Port as Backup Console Port” in Chapter 8
“Troubleshooting”.
2) Technical specifications for the AUX port
Table 1-11 Technical specifications for the AUX port
Item | Specification
Connector | RJ-45
Compliant standard | Asynchronous EIA/TIA-232
Baud rate | 9600 bps to 115200 bps; 9600 bps (default)
Services | Connection to the serial interface of a remote PC (through a pair of modems)
3) AUX cable
Console cable is an 8-core shielded cable. At one end of the cable is an RJ-45
connector for CON of the VG; at the other end are a DB-9 (female) connector and a
DB-25 (female) connector, either of which can be plugged into the serial interface of the
Console terminal as needed.
Figure 1-7 AUX cable
Table 1-12 AUX cable pinouts
Pin (RJ-45) | Signal direction | Pin (DB-9) | Signal
1 | → | 7 | RTS
2 | → | 4 | DTR
3 | → | 3 | TXD
4 | ← | 1 | DCD
5 | — | 5 | GND
6 | ← | 2 | RXD
7 | ← | 6 | DSR
8 | ← | 8 | CTS
Note:
For the connection of the AUX cable, refer to section 4.10.2 “Connecting the AUX Port
to a Modem” in Chapter 4 “Installing the Firewall”.
III. GE combo interfaces
1) Introduction
The F1000-E provides four fixed GE combo interfaces. Each GE combo interface
consists of an electrical Ethernet interface and an optical Ethernet interface, but only
one of the two can operate at a time.
• For the rate and negotiation mode when the electrical Ethernet interface is operating, see Table 1-13.
Table 1-13 Rate and negotiation mode when the electrical Ethernet interface is operating
Rate | Negotiation mode
10 Mbps (autosensing) | Half/full-duplex auto-negotiation
100 Mbps (autosensing) | Half/full-duplex auto-negotiation
1000 Mbps (autosensing) | Full-duplex
The electrical Ethernet interface LEDs are above the RJ-45 ports. The LEDs in triangle
and inverted triangle indicate the status of the lower and upper electrical Ethernet
interfaces, respectively.
• The optical Ethernet interface supports a rate of 1000 Mbps in full-duplex mode. The optical Ethernet interface LEDs are in the middle of the four GE combo interfaces and use separate LEDs to indicate the status of the corresponding SFP interfaces.
Figure 1-8 GE combo interfaces on the rear panel
(1) 10/100/1000 Mbps electrical Ethernet interface (GE1)
(2) 1000 Mbps optical Ethernet interface (SFP1)
(3) 10/100/1000 Mbps electrical Ethernet interface (GE3)
(4) 1000 Mbps optical Ethernet interface (SFP3)
(5) 1000 Mbps optical Ethernet interface (SFP2)
(6) 10/100/1000 Mbps electrical Ethernet interface (GE2)
(7) 1000 Mbps optical Ethernet interface (SFP2)
(8) 10/100/1000 Mbps electrical Ethernet interface (GE0)
Note:
• For a GE combo interface, the default operating interface is the optical Ethernet interface.
• For a GE combo interface, you can use either the electrical Ethernet interface or the optical Ethernet interface. You can use the combo enable { copper | fiber } command in interface view to switch between the optical and electrical Ethernet interfaces.
2) Technical specifications for GE combo interface
• Technical specifications for electrical Ethernet interface
Table 1-14 Technical specifications for electrical Ethernet interface
Item | Specification
Connector | RJ-45
Interface | Autosensing. When working in the forced mode, Ethernet does not support MDI/MDI-X autosensing.
Frame format | Ethernet_II; Ethernet_SNAP
Rate and negotiation mode | 10 Mbps (autosensing): Half/full-duplex auto-negotiation; 100 Mbps (autosensing): Half/full-duplex auto-negotiation; 1000 Mbps (autosensing): Full-duplex
Note:
The media dependent interface (MDI) is a typical Ethernet interface provided by
network adapters. The media dependent interface crossover (MDI-X) is commonly
found on hubs or LAN switches.
• Technical specifications for optical Ethernet interfaces
Table 1-15 Technical specifications for 1000 Mbps optical Ethernet interfaces
Item | Specification
Connector | SFP/LC
Compliant standard | 802.3, 802.3u, and 802.3ab
Type | Short-haul multimode optical module (850 nm) | Medium-haul single-mode optical module (1310 nm) | Long-haul optical module (1310 nm) | Long-haul optical module (1550 nm) | Ultra-long haul optical module
Optical transmit power, Min | –9.5 dBm | –9 dBm | –2 dBm | –4 dBm | –4 dBm
Optical transmit power, Max | 0 dBm | –3 dBm | 5 dBm | 1 dBm | 2 dBm
Receiving sensitivity | –17 dBm | –20 dBm | –23 dBm | –21 dBm | –22 dBm
Central wavelength | 850 nm | 1310 nm | 1310 nm | 1550 nm | 1550 nm
Fiber type | 62.5/125 μm multimode fiber | 9/125 μm single-mode fiber | 9/125 μm single-mode fiber | 9/125 μm single-mode fiber | 9/125 μm single-mode fiber
Maximum transmission distance | 0.55 km (0.34 mi.) | 10 km (6.2 mi.) | 40 km (24.9 mi.) | 40 km (24.9 mi.) | 70 km (43.5 mi.)
Operating mode | 1000 Mbps in full-duplex mode
3) RJ-45 connector
The 10/100/1000 Mbps electrical Ethernet interfaces of the F1000-E use RJ-45
connectors and support MDI/MDI-X autosensing. Category-5 twisted pair cables are
used for RJ-45 connectors.
Figure 1-9 shows the appearance of an RJ-45 connector.
Figure 1-9 RJ-45 connector (pins labeled PIN #1 and PIN #8)
Note:
When working in the forced mode, Ethernet does not support MDI/MDI-X autosensing.
4) LC connector
Optical fiber connectors are indispensable passive components in optical fiber
communication systems. Their application enables the removable connection between
optical channels, which makes the optical system debugging and maintenance more
convenient and the transit dispatching of the system more flexible.
Some optical fiber connector types are as follows:
• LC: square optical fiber connector
• SC: standard optical fiber connector
• FC: round optical fiber connector with screw thread
• ST: round plug-in optical fiber connector
• MT-RJ: square optical transceiver connector
Currently, the optical Ethernet interfaces of the F1000-E support LC connectors only.
Figure 1-10 LC connector
Note:
• Before using an optical fiber to connect a network device, make sure that the optical fiber connector matches the optical module.
• Before connecting a fiber, make sure that the optical power at the receiving end does not exceed the upper threshold of the optical receive power of the optical module. Otherwise, the optical module may be damaged.
5) Cable connecting a 1000 Mbps electrical Ethernet interface
Usually, you can use a category-5 twisted pair cable to connect a 1000 Mbps electrical
Ethernet interface to an Ethernet.
Figure 1-11 shows an Ethernet cable.
Figure 1-11 Ethernet cable
Ethernet cables fall into the following two categories:
• Standard cable: Also called straight-through cable. At both ends of a standard cable, wires are crimped in the RJ-45 connectors in the same sequence. A straight-through cable is used to connect a terminal (for example, a PC or a firewall) to a hub or LAN Switch. The cables delivered with the firewall are straight-through cables.
• Crossover cable: At both ends of a crossover cable, wires are crimped in the RJ-45 connectors in different sequences. A crossover cable is used to connect a terminal (for example, a PC or a firewall) to another terminal. You can make crossover cables by yourself as needed.
Table 1-16 Straight-through cable pinouts
Pin | Signal | Category-5 twisted pair | Signal direction | Pin
1 | TX+ | White (Orange) | → | 1
2 | TX– | Orange | → | 2
3 | RX+ | White (Green) | ← | 3
4 | — | Blue | — | 4
5 | — | White (Blue) | — | 5
6 | RX– | Green | ← | 6
7 | — | White (Brown) | — | 7
8 | — | Brown | — | 8
Table 1-17 Crossover cable pinouts
Pin | Signal | Category-5 twisted pair | Signal direction | Pin
1 | TX+ | White (Orange) | → | 3
2 | TX– | Orange | → | 6
3 | RX+ | White (Green) | ← | 1
4 | — | Blue | — | 4
5 | — | White (Blue) | — | 5
6 | RX– | Green | ← | 2
7 | — | White (Brown) | — | 7
8 | — | Brown | — | 8
Note:
• You can refer to the table above when distinguishing between or preparing these two types of Ethernet cables.
• When preparing Ethernet cables, follow the wire color sequence given in the table to arrange the wires. Otherwise communication quality will be affected even if the devices at both ends are connected.
• When preparing Ethernet cables, use shielded cables preferentially for electromagnetic compatibility (EMC).
6) Cable connecting a 1000 Mbps optical Ethernet interface
You can use a single-mode or multimode optical fiber to connect a 1000 Mbps optical
Ethernet interface to an Ethernet. You can select proper fibers for the installed
1000Base-FX SFP modules. Since the optical interfaces on these SFP modules use
LC optical connectors, you must use fibers with LC connectors. All SFP modules are
hot-swappable.
Note:
• No SFP module is shipped with the F1000-E.
• Use only the SFP modules provided by H3C. The F1000-E cannot identify SFP modules from other manufacturers.
• For the connection of electrical Ethernet interfaces or optical Ethernet interfaces, refer to section 4.10.3 “Connecting Ethernet Cables” in Chapter 4 “Installing the Firewall”.
1.4.4 Interface Modules
The F1000-E provides two HIM slots.
Table 1-18 HIMs supported by the F1000-E
Module name | Description
8GBE | 8-port 1000 Mbps electrical Ethernet interface module (WAN)
4GBE | 4-port 1000 Mbps electrical Ethernet interface module (WAN)
Note:
- For the technical specifications and functions of HIMs, refer to Chapter 2 “Interface
Modules”.
- For the installation and removal of HIMs, refer to Chapter 7 “Maintaining Hardware”.
1.4.5 USB Interfaces
The universal serial bus (USB) interfaces can connect multiple types of devices and
provide a higher data transfer rate than common parallel interfaces and serial
interfaces.
The F1000-E is completely compliant with USB 1.1. The USB interfaces on the firewall
provide important storage and security functions. For example, they provide large Flash
memory space for application programs, configuration files, and security VPN
certificates to establish secure VPN connections and secure the delivery of firewall
configuration files.
In addition, USB interfaces provide a backup CF card mechanism to make file backup
and restoration very convenient and reliable.
(1) USB interface 0 (2) USB interface 1 (3) USB interface 1 LED
Figure 1-12 USB Interfaces
I. USB0
USB interface 0 on the F1000-E is a USB 1.1-compliant type-A interface. USB interface
0 can be connected to an external USB device to expand the firewall’s space for storing
files and logs and facilitate file transfer.
II. USB1 and LED
USB interface 1 on the F1000-E is a USB 1.1-compliant type-B interface. USB interface
1 can be connected to a host, through which you can configure, debug, maintain, and
manage the F1000-E, or upgrade and load software.
Table 1-19 describes the USB interface 1 LED.
Table 1-19 Description of USB interface 1 LED
Status | Meaning
Solid green | A link is present.
Flashing green | Data is being received or transmitted. In this state, do not remove the USB cable.
Note:
- The F1000-E supports only USB flash drives provided by H3C and may be
incompatible with those from other manufacturers.
- Do not remove the USB flash drive when the LED is flashing. Otherwise, the file
system in the USB flash drive may be damaged.
1.4.6 AC Power Input
Table 1-20 lists the AC power specifications for the F1000-E.
Table 1-20 AC power specifications for the F1000-E
Item | Specification
Rated voltage range | 100 VAC to 240 VAC; 50 Hz or 60 Hz
Maximum input current | 2.5 A
Maximum power | 150 W
1.4.7 Clock
The F1000-E firewall is designed with a clock module that provides the system time.
You can set the system time on the command line interface.
When a power failure occurs to the firewall, the clock module can continue working to
ensure the system time is correct next time the firewall boots. With the firewall powered
off, the clock module can work for at least 10 years.
When the firewall is powered on, note the following points:
- Never replace the clock module battery with the firewall powered on.
- The system time gets lost once the battery of the clock module is removed, and
you need to set the system time again on the command line interface. However,
the system time will still get lost after the firewall is powered off.
Note:
You can use the clock datetime, clock summer-time one-off (or clock summer-time repeating), and clock time zone commands to set the system date and
time. For details about these commands, refer to H3C SecPath Series Security Products User Manual.
1.4.8 RPS (Optional)
The redundancy power supply (RPS) can provide power supply to maintain the normal
system operation for a short period when the system power supply fails.
The RPS uses a control pin to control its output status. When the system power supply
fails, it sends a LOW signal to the control pin of the RPS. Upon receiving the LOW
signal, the RPS switches to the output status within 10 ms and starts to supply power to
the firewall.
The F1000-E provides two power inputs: AC power input and RPS input. With both
connected, the firewall can continue working when one power supply fails, which
provides high reliability.
Note:
- The RPS is an optional component not shipped with the firewall.
- For the RPS installation, refer to section 4.9.3 “Connecting the RPS DC Power
Cable” in Chapter 4 “Installing the Firewall”.
1.4.9 Port Lightning Arrester (Optional)
Before connecting an outdoor Ethernet cable to an Ethernet port, you can install a port
lightning arrester to protect the firewall against lightning strokes.
The following port lightning arrester can be installed on the F1000-E. The specifications
for the port lightning arrester are as follows:
Port protective unit–single port, maximum discharge current (8/20μs waveform): 5 kA,
output voltage (10/700μs waveform): core-core < 40 V, core-ground < 600 V.
Note:
For the installation of the port lightning arrester, refer to section 4.6 “Installing a Port
Lightning Arrester (Optional)” in Chapter 4 “Installing the Firewall”.
1.4.10 Power Lightning Arrester (Optional)
Before connecting an outdoor AC power supply to the firewall, you need to install a
lightning protection busbar at the AC power input end and then connect the AC power
cord to the lightning protection busbar to protect the firewall against lightning strokes. In a
heavy lightning area, it is recommended that you install a power lightning arrester.
The following power lightning arrester can be installed on the F1000-E. The
specifications for the power lightning arrester are as follows:
Maximum discharge current: 6500 A, protection voltage: 500 VAC to 220 VAC.
Note:
For the installation of the power lightning arrester, refer to section 4.7 “Installing a
Power Lightning Arrester (Optional)” in Chapter 4 “Installing the Firewall”.
1.4.11 Signal Lightning Arrester (Optional)
Generally, you need to connect a signal lightning arrester (namely, a transient
over-voltage protection) before connecting a signal cable to the firewall. This can
protect electronic devices against surge over-voltage resulting from lightning strokes
and other interferences, and minimize impact on the firewall.
The F1000-E supports three types of signal lightning arresters:
- Voltage-limiting protection–signal lightning arrester–maximum discharge current
2.5 kA/protection voltage 25 V–SMB–75J/SMB–75J–1 W–10 Mbps.
- Voltage-limiting protection–signal lightning arrester–maximum discharge current
2.5 kA/protection voltage 25 V–BNC–75K/BNC–75K–10 Mbps.
- Voltage-limiting protection–signal lightning arrester (U port)–maximum discharge
current 3 kA/common mode 400 V/differential mode 170 V–RJ-11.
Note:
For the installation of the signal lightning arrester, refer to section 4.8 “Installing a
Signal Lightning Arrester (Lightning Protection Busbar) (Optional)” in Chapter 4
“Installing the Firewall”.
1.4.12 System Software
The F1000-E operates on Comware V5, the core software platform of H3C. By
supporting abundant security features such as virtual firewall, attack prevention, load
balancing, and P2P flow management, the F1000-E integrates networking and
security technologies to provide easy access to various complex environments and
powerful security functions that help users guard against various network security
issues.
Table of Contents
Chapter 2 Interface Modules
2.1 4GBE/8GBE
2.2 Arranging Slots and Numbering Interfaces
2.2.1 Slot Arrangement
2.2.2 Interface Numbering
2.2.3 Examples
Installation Manual H3C SecPath F1000-E Firewall Chapter 2 Interface Modules

Chapter 2 Interface Modules

2.1 4GBE/8GBE

I. Introduction
An 8GBE is a high-speed Layer 3 Gigabit Ethernet interface module developed by H3C. An 8GBE module provides eight RJ-45 electrical interfaces that support the Layer 3 routing function. Each interface is provided with a bi-color LED indicating the running status of the interface. 8GBE is connected to the processor through a 10-Gbps high-speed bus and can provide all the high-performance Layer 3 Ethernet interface functionalities.
A 4GBE module has the same functionalities and specifications as an 8GBE module except that a 4GBE module provides four interfaces. You can select 4GBE or 8GBE modules as needed.
II. Front panel
(1) Captive screw (2) GE interface LED (3) GE interface (4) Ejector lever
Figure 2-1 Front panel of 8GBE
(1) Captive screw (2) GE interface LED (3) GE interface (4) Ejector lever
Figure 2-2 Front panel of 4GBE
III. LEDs
Table 2-1 Description of the LEDs on the front panel of 4GBE/8GBE
Status | Meaning
OFF | No link is present.
Solid green | A 1000 Mbps link is present.
Flashing green | Data is being received or transmitted at a rate of 1000 Mbps.
Solid yellow | A 10/100 Mbps link is present.
Flashing yellow | Data is being received or transmitted at a rate of 10/100 Mbps.
IV. Interface specifications
Table 2-2 Interface specifications of 4GBE/8GBE
Item | Specification
Connector type | RJ-45
Number of interfaces | 4 (4GBE); 8 (8GBE)
Autosensing | MDI/MDI-X. An interface does not support MDI/MDI-X autosensing if forced to work in MDI or MDI-X mode.
Supported frame format | Ethernet_II; Ethernet_SNAP
Interface speed and duplex mode | 10 Mbps (autosensing): Full/half duplex, auto-negotiation
Interface speed and duplex mode | 100 Mbps (autosensing): Full/half duplex, auto-negotiation
Interface speed and duplex mode | 1000 Mbps (autosensing): Full duplex
V. Interface cable
A 4GBE/8GBE module uses a straight-through or crossover Ethernet cable.
Figure 2-3 Ethernet cable
Note:
For the connection of a 4GBE/8GBE interface cable, refer to section 4.10.4.I “Connecting a 2GBE/4GBE/8GBE interface module cable” in Chapter 4 “Installing the Firewall”.

2.2 Arranging Slots and Numbering Interfaces

2.2.1 Slot Arrangement
The F1000-E firewall supports multiple types of interfaces, including console, AUX, and optical and electrical interfaces. This section describes how these interfaces are numbered.
(1) Slot 0 (2) Slot 1 (3) Slot 2
Figure 2-4 Slot arrangement on the F1000-E firewall
2.2.2 Interface Numbering
The interfaces of the F1000-E firewall are numbered according to the following rules:
1) An interface is numbered in the form of interface-type X/Y.
- interface-type: Interface type, such as GigabitEthernet.
- X: Slot number, representing the slot where the module is inserted.
- Y: Interface number, that is, the sequence number of the interface on the module.
2) Different interfaces on a module share the same slot number X.
3) For each type of interface, Y starts from 0 and is incremented from left to right on the interface module.
2.2.3 Examples
1) The fixed optical/electrical interfaces on the F1000-E firewall are numbered as follows:
- GigabitEthernet 0/0
- GigabitEthernet 0/1
- GigabitEthernet 0/2
- GigabitEthernet 0/3
2) If slot 1 and slot 2 on the F1000-E each are installed with an HIM-4GBE module, the GigabitEthernet interfaces are numbered as:
- Slot1: GigabitEthernet 1/0, GigabitEthernet 1/1, GigabitEthernet 1/2 and
GigabitEthernet 1/3.
- Slot2: GigabitEthernet 2/0, GigabitEthernet 2/1, GigabitEthernet 2/2 and
GigabitEthernet 2/3.
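The numbering rule in 2.2.2, as an added example that is not part of the manual: a Python helper that derives the interfaces a chassis must expose from its installed HIMs, then checks interface names found in review text against that inventory. The function names and the sample lines are assumptions constructed for illustration; the port counts come from Table 1-18 and section 2.2.3.

```python
import re

# Port counts for the HIMs in Table 1-18; fixed ports per section 2.2.3.
HIM_PORTS = {"4GBE": 4, "8GBE": 8}
FIXED_PORTS = 4        # GigabitEthernet 0/0 to 0/3 on slot 0
HIM_SLOTS = (1, 2)     # the F1000-E provides two HIM slots

# Accepts "GigabitEthernet 1/3" and the unspaced form "GigabitEthernet1/3".
IFACE_RE = re.compile(r"\bGigabitEthernet\s*(\d+)/(\d+)")


def interface_name(slot, port):
    """Format a (slot, port) pair as interface-type X/Y."""
    return f"GigabitEthernet {slot}/{port}"


def expected_interfaces(installed):
    """Return the set of (slot, port) pairs for {slot: module_name}.

    Y starts from 0 on every module, and all ports of a module share
    the slot number X.
    """
    ports = {(0, y) for y in range(FIXED_PORTS)}
    for slot, module in installed.items():
        if slot not in HIM_SLOTS:
            raise ValueError(f"slot {slot} is not an HIM slot")
        if module not in HIM_PORTS:
            raise ValueError(f"unknown module {module!r}")
        ports |= {(slot, y) for y in range(HIM_PORTS[module])}
    return ports


def audit_references(lines, installed):
    """Compare interface names found in text with the chassis inventory.

    Returns a dict with:
      nonexistent  - (name, [line numbers]) for names that cannot exist
                     on this chassis (wrong slot, or Y beyond the module)
      unreferenced - names of physical ports the text never mentions
    """
    present = expected_interfaces(installed)
    seen = {}
    for number, line in enumerate(lines, 1):
        for match in IFACE_RE.finditer(line):
            key = (int(match.group(1)), int(match.group(2)))
            seen.setdefault(key, []).append(number)
    nonexistent = [(interface_name(*key), seen[key])
                   for key in sorted(seen) if key not in present]
    unreferenced = [interface_name(*key)
                    for key in sorted(present - set(seen))]
    return {"nonexistent": nonexistent, "unreferenced": unreferenced}


# Constructed sample text (not real device output).
SAMPLE_LINES = [
    "interface GigabitEthernet 0/0",
    "interface GigabitEthernet1/3",
    "interface GigabitEthernet 1/5",
    "interface GigabitEthernet 2/0",
    "interface GigabitEthernet 3/0",
]

if __name__ == "__main__":
    report = audit_references(SAMPLE_LINES, {1: "4GBE", 2: "8GBE"})
    for name, where in report["nonexistent"]:
        print(f"{name}: not on this chassis (lines {where})")
    print(f"{len(report['unreferenced'])} physical ports never referenced")
```

A name that cannot exist usually means the reviewed text was written for a different module layout; ports that are never referenced are the ones to check for an explicit disabled state.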
Table of Contents
Chapter 3 Preparing for Installation
3.1 Environment Requirements
3.1.1 Ventilation Requirements
3.1.2 Temperature and Humidity Requirements
3.1.3 Cleanness Requirements
3.1.4 Electrostatic Discharge Prevention
3.1.5 Electromagnetic Interference Prevention
3.1.6 Lightning Protection
3.1.7 Workbench Requirements
3.1.8 Cabinet-Mounting Requirements
3.2 Safety Precautions
3.2.1 Safety Signs
3.2.2 General Safety Recommendations
3.2.3 Electricity Safety
3.3 Installation Tools, Meters and Devices
3.3.1 Installation Accessories Supplied with the Firewall
3.3.2 User supplied tools
3.3.3 Reference
3.4 Checklist Before Installation
Installation Manual H3C SecPath F1000-E Firewall Chapter 3 Preparing for Installation

Chapter 3 Preparing for Installation

3.1 Environment Requirements

The F1000-E is designed for indoor use. To ensure the normal operation and prolong
the service life, the installation site must meet the requirements mentioned hereunder.
3.1.1 Ventilation Requirements
The fans of the F1000-E draw air in through the inlet vents on the left and out through
the exhaust vents on the right.
Figure 3-1 Ventilation method for the F1000-E
Make sure that:
- There is a minimum clearance of 10 cm (3.9 in) around the air intake and the air
exhaust for heat dissipation of the firewall chassis.
- A ventilation system is available at the installation site.
3.1.2 Temperature and Humidity Requirements
To ensure the normal operation and prolong the service life, the temperature and
humidity in the equipment room should be maintained at an appropriate level.
- A long-term high relative humidity will quite likely result in poor insulation
performance, electric leakage, mechanical property change, and corrosion.
- A long-term low relative humidity will result in looseness of fastening screws owing
to shrinkage of insulation washers, or electrostatic discharge (ESD), which may
damage the CMOS circuit on the firewall.
- A high temperature will speed up the aging of insulation materials, which greatly
lowers the firewall’s reliability and shortens the service life.
Table 3-1 lists the requirements on temperature and humidity for the F1000-E.
Table 3-1 Temperature and humidity requirements in the equipment room
Temperature | Relative humidity
0°C to 45°C (32°F to 113°F) | 10% to 95% (noncondensing)
3.1.3 Cleanness Requirements
I. Concentration limit of dust
Dust is harmful to the safe operation of the firewall. Dust on the chassis may result in
static adsorption, which causes poor contact between metal connectors or joints. The
poor contact may not only shorten the service life of the firewall, but also bring about
communication failures. Especially under the condition of low indoor humidity, dust is
apt to adsorb.
Table 3-2 lists the requirements on the dust concentration and diameters in the
equipment room.
Table 3-2 Limitation on dust concentration and diameter in the equipment room
Diameter (μm) | 0.5 | 1 | 3 | 5
Concentration limit (particles/m³) | 1.4 × 10⁷ | 7 × 10⁵ | 2.4 × 10⁵ | 1.3 × 10⁵
II. Concentration limit of harmful gases
Besides, the contents of salts, acids, and sulfides in the equipment room of the firewall
should be strictly restricted. Harmful gases could accelerate the corrosion of metal
parts and the aging of some parts.
Table 3-3 lists the concentration limit of SO2, H2S, NH3, and Cl2 in the equipment room.
Table 3-3 Concentration limit of some harmful gases in the equipment room
Gas | Max (mg/m³)
SO2 | 0.2
H2S | 0.006
NH3 | 0.05
Cl2 | 0.01
3.1.4 Electrostatic Discharge Prevention
I. Generation and damage of static electricity
In the communication network to which the firewall is connected, static induction mainly
results from:
- External electrical fields such as outdoor high voltage power line or lightning
- Indoor environment, flooring materials, and the firewall structure
Although many antistatic measures have been taken in the design of the F1000-E,
damage to board circuits or even the firewall may still happen when the static electricity
exceeds a certain limit.
II. Measures against ESD
To prevent electrostatic discharge (ESD):
- Make sure that the firewall and the floor are well grounded.
- Take dust-proof measures for the equipment room.
- Maintain the humidity and temperature at a proper level, respectively.
- Wear an ESD-preventive wrist strap and uniform when touching a circuit board.
- Place the removed memory module, CF card, or HIM on an antistatic workbench,
with the face upward, or put it into an antistatic bag.
- Touch only the edges, instead of electronic components when observing or
moving a removed memory module, CF card, or HIM.
III. Use of the ESD-preventive wrist strap
Follow these steps to use an ESD-preventive wrist strap:
1) Put the ESD-preventive wrist strap around your wrist.
2) Tighten the fastener to ensure good skin contact.
3) Attach the alligator clip to the ESD-preventive wrist strap.
4) Attach the alligator clip to the rack.
5) Make sure that the rack is well grounded.
Figure 3-2 Wear the ESD-preventive wrist strap
Caution:
- For the sake of safety, check the resistance of the ESD-preventive wrist strap. The
resistance reading should be in the range of 1 to 10 megohms between human body
and the ground.
- No ESD-preventive wrist strap is shipped with the F1000-E and you have to
supply one by yourself.
3.1.5 Electromagnetic Interference Prevention
All possible interference sources, external or internal, affect the firewall in the way of
capacitance coupling, inductance coupling, electromagnetic radiation, and common
impedance (including the grounding system) coupling. To minimize the influence of
interference sources on the firewall, you should take the following into consideration:
- Take effective measures to protect the power system from the power grid system.
- Separate the protection ground of the firewall from the grounding device or
lightning protection grounding device of the power supply equipment as far as
possible.
- Keep the firewall far away from radio stations, radar, and high-frequency devices
working in high current.
- Use electromagnetic shielding when necessary.
3.1.6 Lightning Protection
Although many lightning prevention measures have been taken in the design of the F1000-E,
if the lightning intensity exceeds a certain range, damage to the firewall may still
happen. To better protect the firewall from lightning, it is recommended that you do as
follows:
- Ensure the PGND cable of the chassis is well grounded.
- Ensure the grounding terminal of the AC power socket is well grounded.
- Install a lightning arrester at the input end of the power supply to enhance the
lightning protection capability of the power supply.
- To enhance the lightning protection capability, install a special lightning arrester at
the input end of outdoor signal lines (for example, ISDN line, telephone line, or
E1/T1 line) to which interface modules of the firewall are connected.
Note:
Refer to Chapter 4 “Installing the Firewall” for the connection of the PGND cable and
the installation of the power lightning arrester and signal lightning arrester.
3.1.7 Workbench Requirements
When installing the firewall on a workbench, make sure that:
- The workbench is sturdy enough to support the weight of the firewall and
installation accessories.
- The workbench is well grounded.
3.1.8 Cabinet-Mounting Requirements
When installing the firewall in a cabinet:
- Install the firewall in an open cabinet if possible. If you install the firewall in a
closed cabinet, make sure that the cabinet is equipped with a good ventilation
system.
- Make sure that the cabinet is sturdy enough to support the weight of the firewall
and installation accessories.
- Make sure that the size of the cabinet is appropriate for the firewall, and that there
is enough clearance around the left and right panels of the firewall for heat
dissipation.
- For the sake of heat dissipation and device maintenance, it is recommended that
the front and rear of the cabinet should be at least 0.8 m (31.5 in.) away from walls
or other devices, and that the headroom in the equipment room should be no less
than 3 m (9.8 ft.).

3.2 Safety Precautions

3.2.1 Safety Signs
When reading this manual, pay attention to the following:
- Warning: Means that the reader should be extremely careful. Improper operation may cause
device damage or bodily injury.
- Caution: Means that the reader should be careful. Improper operation may cause device
malfunction.
3.2.2 General Safety Recommendations
- Keep the firewall chassis and installation tools away from walk areas.
- Keep the firewall far away from moist areas and heat sources.
- Unplug all external cables before moving the chassis.
3.2.3 Electricity Safety
- Locate the emergency power switch in the equipment room before installation and
maintenance so that you can switch the power off in case of an electrical accident.
If necessary, unplug the power cord immediately.
- Make sure that the firewall has been correctly grounded.
- Do not open or close the chassis cover when the firewall is powered on.
- Do not remove power cables or interface modules when the firewall is powered on.
- Connect the interface cables for the firewall correctly.
- Use laser with caution. Do not directly stare into apertures or fiber-optic
connectors that emit laser radiation.
- If you are not using the laser, cover the dust cover to avoid static adsorption, which
may cause damage to the laser.
- Equip an uninterrupted power supply (UPS).
- Double check to make sure the firewall is powered off when it must be powered
off.
- Avoid maintaining the firewall alone when it is powered on.

3.3 Installation Tools, Meters and Devices

3.3.1 Installation Accessories Supplied with the Firewall
- AC power cord
- Console cable
- PGND cable
- Front and back rack-mounting ears
3.3.2 User supplied tools
- Phillips screwdrivers: P1-100 mm, P2-150 mm, and P3-250 mm
- Flat-blade screwdrivers: P4-75 mm
- Screws of various sizes
- Meters and devices, such as hub, configuration terminal, optional modules,
multimeter.
- Optional cables
- ESD-preventive gloves, ESD-preventive wrist straps, antistatic bags or mats
3.3.3 Reference
When installing or maintaining the F1000-E, you can refer to the following documents
shipped with the F1000-E:
- H3C F1000-E Firewall Installation Manual
- H3C SecPath Series Security Products User Manual
Note:
To obtain the latest documents, visit http://www.h3c.com.

3.4 Checklist Before Installation

Table 3-4 Checklist before installation
Item | Requirements
Installation site
Ventilation | There is a minimum clearance of 10 cm (3.9 in.) around the inlet vents and exhaust vents for heat dissipation of the firewall chassis. A ventilation system is available at the installation site.
Temperature | 0°C to 45°C (32°F to 113°F)
Relative humidity | 10% to 95% (noncondensing)
Cleanness | Dust concentration ≤ 3 × 10⁴ particles/m³
ESD prevention | The equipment and the floor are well grounded. The equipment room is dust-proof. The humidity and temperature are at a proper level, respectively. Wear an ESD-preventive wrist strap and uniform when touching a circuit board. Place the removed memory module, CF card, or HIM on an antistatic workbench, with the face upward, or put it into an antistatic bag. Touch only the edges, instead of electronic components when observing or moving a removed memory module, CF card, or HIM.
EMI prevention | Take effective measures to protect the power system from the power grid system. Separate the protection ground of the firewall from the grounding device or lightning protection grounding device as far as possible. Keep the firewall far away from radio stations, radar and high-frequency devices working in high current. Use electromagnetic shielding when necessary.
Lightning protection | The PGND cable of the chassis is well grounded. The grounding terminal of the AC power socket is well grounded. A port lightning arrester is installed. (Optional) A power lightning arrester is installed. (Optional) A signal lightning arrester is installed at the input end of an external signal cable. (Optional)
Electricity safety | Equip an uninterrupted power supply (UPS). In case of emergency during operation, switch off the external power switch.
Workbench | The workbench is stable enough and well grounded.
Cabinet-mounting requirements | Install the firewall in an open cabinet if possible. If you install the firewall in a closed cabinet, make sure that the cabinet is equipped with a good ventilation system. The rack is sturdy enough to support the weight of the firewall and installation accessories. The size of the cabinet is appropriate for the firewall. The front and rear of the cabinet are at least 0.8 m (31.5 in.) away from walls or other devices.
Safety precautions | The firewall is far away from any moist area and heat source. The emergency power switch in the equipment room is located.
Tools | Installation accessories supplied with the firewall. User supplied tools.
Reference | Documents shipped with the firewall. Online documents.
Table of Contents
Chapter 4 Installing the Firewall
4.1 Preparations
4.2 Installation Flowchart
4.3 Installing the Firewall
4.3.1 Installing the Firewall on a Workbench
4.3.2 Installing the Firewall in a Rack
4.4 Installing Generic Modules
4.5 PGND Cable Connection
4.5.1 Importance of the PGND Cable
4.5.2 Connecting the PGND Cable
4.6 Installing a Port Lightning Arrester (Optional)
4.6.1 Tools
4.6.2 Installation Procedure
4.6.3 Precautions
4.7 Installing a Power Lightning Arrester (Lightning Protection Busbar) (Optional)
4.8 Selecting and Installing a Signal Lightning Arrester (Optional)
4.9 Connecting the Power Cables
4.9.1 Power Supply Port and PGND Terminal
4.9.2 Connecting the AC Power Cord
4.9.3 Connecting the RPS DC Power Cable
4.10 Connecting Port Cables
4.10.1 Connecting the Console Cable
4.10.2 Connecting the AUX Port to a Modem
4.10.3 Connecting Ethernet Cables
4.10.4 Connecting a 4GBE/8GBE interface module cable
4.11 Verifying Installation
Installation Manual H3C SecPath F1000-E Firewall Chapter 4 Installing the Firewall

Chapter 4 Installing the Firewall

4.1 Preparations

Before installing the firewall, make sure that:
- You have read through Chapter 3 “Preparing for Installation”.
- All the requirements mentioned in Chapter 3 “Preparing for Installation”
are satisfied.

4.2 Installation Flowchart

Start
1) Install the firewall
2) Connect the PGND cable
3) Connect the power cable
4) Connect the firewall to a configuration terminal
5) Verify the installation
6) Power on
7) Normal?
- No: Turn off the power switch; troubleshoot the firewall
- Yes: Continue with the next step
8) Turn off the power switch
9) Install the HIM
10) Connect the firewall to the LAN
11) Connect the firewall to the WAN
12) Verify the installation
13) Power on
End
Figure 4-1 Installation flowchart for the F1000-E
4-1
Page 47
Installation Manual H3C SecPath F1000-E Firewall Chapter 4 Installing the Firewall

4.3 Installing the Firewall

You can install the firewall on a workbench or in a rack.
4.3.1 Installing the Firewall on a Workbench
If a 19-inch rack is not available, you can install the firewall on a clean workbench.
During installation, make sure:
• The length and width of the workbench are larger than the distance between the feet of the firewall. See Table 4-1 for the dimensions of the firewall.
• The workbench is steady and well grounded.
• The workbench is firm enough to support the weight of the firewall and installation accessories.
• There is a minimum clearance of 10 cm (3.9 in.) around the firewall for heat dissipation of the firewall chassis.
• No heavy object is placed on the firewall, to avoid device damage and poor heat dissipation.
Table 4-1 Dimensions of the F1000-E
Item | Description
Dimensions without feet, rack-mounting brackets, and plastic panel (H × W × D) | 44.2 × 442 × 463 mm (1.7 × 17.4 × 18.2 in.)
Figure 4-2 Dimensions of the F1000-E
4.3.2 Installing the Firewall in a Rack
I. Installing an N68 rack
The F1000-E can be installed in an H3C N68 rack. For the installation of an N68 rack,
refer to N68 Cabinet Installation Guide.
II. Installing rack-mounting brackets onto the firewall
1) Structure of the rack-mounting brackets
(1) Left front rack-mounting bracket (2) Right front rack-mounting bracket (3) Left rear rack-mounting bracket (4) Right rear rack-mounting bracket
Figure 4-3 Structure of rack-mounting brackets
2) Install the rack-mounting brackets to the firewall
Before installing the firewall in the rack, fix the left and right front rack-mounting brackets respectively to the left and right sides of the front panel of the firewall. Figure 4-4 shows how to install the rack-mounting brackets.
Figure 4-4 Install the front rack-mounting brackets to the firewall
III. Installing the firewall in a rack
Follow these steps to install the firewall in a rack:
1) Check the grounding and stability of the rack and use screws to fix the rear
rack-mounting brackets onto both sides of the rack.
2) After installing the front rack-mounting brackets, fix two screws on the upper central part of the left and right sides of the firewall for fixing the firewall to the rear rack-mounting brackets, as shown in Figure 4-4.
3) Put the firewall on the rack, making sure it is seated on the left and right rear rack-mounting brackets.
(1) Rack (2) Right rear-mounting ear (3) Right front rack-mounting ear
Figure 4-5 Install the firewall in the rack
4) Fix the firewall in the rack horizontally and firmly by fastening the rack-mounting brackets onto the rack posts with pan-head screws. The size of the pan-head screws should satisfy the installation requirements (M6 at most) and the surface of the screws should be rust-resistant.
Figure 4-6 Fix the front rack-mounting brackets on the rack

4.4 Installing Generic Modules

Generic modules include memory module, CF card, and HIM. For their installation
procedures, refer to Chapter 7 “Maintaining Hardware”.

4.5 PGND Cable Connection

4.5.1 Importance of the PGND Cable
Warning:
The correct connection of the protection ground (PGND) cable on the firewall chassis is
an essential safeguard against the lightning strokes and EMI. You need to correctly
connect the PGND cable when installing or using the firewall.
The power input end of the F1000-E is equipped with a noise filter. The neutral ground
of the power input end is directly connected to the chassis and is called PGND (also
known as chassis ground). You need to securely connect the PGND cable to the earth
ground to safely lead induced current and leakage current to the ground and reduce the
EMS of the firewall. The PGND cable can also protect the firewall against high lightning
voltage resulting from external network lines such as E1/T1 and PSTN line.
4.5.2 Connecting the PGND Cable
The grounding screw of the F1000-E is located on the lower left corner of the rear chassis panel and is marked with a grounding sign, as shown in Figure 4-7.
(1) Grounding screw (2) OT terminal (3) Grounding screw hole (4) Grounding sign (5) PGND cable
Figure 4-7 Connect the grounding terminal of the PGND cable to the firewall
Follow these steps to connect the PGND cable:
1) Remove the grounding screw from the firewall chassis.
2) Put the supplied OT terminal of the PGND cable on the grounding screw.
3) Fasten the grounding screw, which is attached with the OT terminal of the PGND
cable, into the grounding screw hole with a screwdriver.
4) Connect the other end of the PGND cable to the ground. Generally, the cabinets installed in equipment rooms are equipped with a grounding bar.
• If a grounding bar is available, you can connect the PGND cable of the firewall to the grounding bar as follows:
a) Use a cable stripper to strip about 15 mm (0.59 in.) of insulation rubber from the PGND cable.
b) Wrap the naked part onto the grounding post of the grounding bar.
c) Fix the PGND cable onto the grounding post with a hex nut.
• If no grounding bar is available, connect the naked part of the PGND cable to the ground directly.
(1) PGND cable (2) Naked part of the PGND cable (3) Grounding bar (4) Grounding post (5) Hex nut
Figure 4-8 Connect the PGND cable to the grounding bar
Note:
• The resistance between the firewall chassis and the ground must be less than 5 ohms.
• Use the PGND cable provided with the F1000-E firewall to connect the ground bar in the equipment room. Otherwise, the firewall may not be effectively grounded, which can easily cause damage to the firewall.

4.6 Installing a Port Lightning Arrester (Optional)

Note:
• Only 10/100 Mbps RJ-45 Ethernet ports need to be equipped with port lightning arresters.
• No port lightning arrester is shipped with the firewall. You can purchase one if needed.
Before connecting an outdoor Ethernet cable to an Ethernet port, you can install a port lightning arrester to protect the firewall against lightning strokes.
The following port lightning arrester can be installed on the F1000-E. The specifications for the port lightning arrester are as follows:
Port protective unit–single port, maximum discharge current (8/20μs waveform): 5 kA, output voltage (10/700μs waveform): core-core < 40 V, core-ground < 600 V.
4.6.1 Tools
• Phillips or flat-blade screwdriver
• Multimeter
• Diagonal pliers
4.6.2 Installation Procedure
Follow these steps to install a port lightning arrester:
1) Use double-sided adhesive tape to stick the port lightning arrester to the firewall.
The port lightning arrester should be as close to the grounding screw as possible.
2) Cut short the grounding cable of the port lightning arrester according to its
distance to the grounding screw. Then, fix the grounding cable onto the grounding
screw of the firewall.
3) Use the multimeter to check the connection between the grounding cable of the
port lightning arrester and the grounding screw of the firewall.
4) Follow the instructions to connect the port lightning arrester with a transit cable.
Note that the external cable should be connected to the IN end while the transit
cable should be connected to the OUT end. Check whether the board LEDs are
normal.
Note:
Read the instructions carefully before installing the port lightning arrester.
5) Bundle the cables with cable ties neatly.
[Figure labels: indoor Ethernet cables; outdoor Ethernet cable; firewall; port lightning arrester (stuck on the chassis); grounding cable of the lightning arrester; grounding screw of the firewall; transit cable; power input; cabinet]
Figure 4-9 Install a port lightning arrester
4.6.3 Precautions
Note that the performance of the port lightning arrester may be affected in the following cases:
• The IN and OUT ends of the port lightning arrester are connected incorrectly.
The IN end should be connected to the external cable, while the OUT end should be connected to the Ethernet port of the firewall.
• The port lightning arrester is not well grounded.
Make sure that the grounding cable of the port lightning arrester is as short as possible and is well connected to the grounding screw of the firewall. You need to check with a multimeter after connection.
• The installed port lightning arresters are not sufficient.
When more than one outdoor Ethernet cable is connected to the firewall, you need to install a port lightning arrester for each outdoor Ethernet cable.

4.7 Installing a Power Lightning Arrester (Lightning Protection Busbar) (Optional)

Note:
No power lightning arrester is shipped with the firewall. You should purchase one if
needed.
Before connecting an outdoor AC power supply to the firewall, you need to install a
lightning protection busbar at the AC power input end and then connect the AC power
cord to a lightning protection busbar to protect the firewall against lightning strokes. You
can use cable ties and screws to fasten the lightning protection busbar on the cabinet,
the workbench, or the wall in the equipment room.
Figure 4-10 Install a power lightning arrester
Note that:
1) Make sure that the protection wire (PE) terminal of the power lightning arrester is well grounded before using it.
2) After the AC power cord of the firewall is plugged into the multi-purpose socket of the power lightning arrester (lightning protection busbar), if the green LED is ON and the red LED is OFF, the lightning protection can function normally.
3) If the red LED is ON, clear the alarm. Determine whether the grounding cable is poorly connected or the live and neutral (zero) wires are reversed. When the red LED is ON, use a multimeter to examine the polarity at the multi-purpose socket of the power lightning arrester.
• If the live and neutral wires are on the left and right respectively (supposing that you are facing the socket), the PE terminal of the power lightning arrester is not grounded.
• If the live and neutral wires are on the right and left respectively (supposing that you are facing the socket), the polarity of the power socket of the power lightning arrester is reversed. In this case, you should open the power socket to correct the polarity. After that, if the red LED is still ON, the PE terminal of the power lightning arrester is not grounded.

4.8 Selecting and Installing a Signal Lightning Arrester (Optional)

Note:
No signal lightning arrester is shipped with the firewall. You should purchase one if
needed.
Generally, you need to connect a signal lightning arrester (namely, a transient
over-voltage protection) before connecting a signal cable to the firewall. This can
protect electronic devices against surge over-voltage resulting from lightning strokes
and other interferences, and minimize impact on the firewall.
Because the signal lightning arrester is serially connected to a signal cable, the signal
lightning arrester must satisfy the requirements of network performance indexes such
as data transmission bandwidth, as well as the lightning protection performance
requirement. Therefore, before installing a signal lightning arrester, you need to
consider such performance indexes of the lightning arrester as lightning protection,
bandwidth, transmission loss, and port type.
The F1000-E supports three types of signal lightning arresters:
• Voltage-limiting protection–signal lightning arrester–maximum discharge current 2.5 kA/protection voltage 25 V–SMB-75J/SMB-75J–1W–10 Mbps
• Voltage-limiting protection–signal lightning arrester–maximum discharge current 2.5 kA/protection voltage 25 V–BNC-75K/BNC-75K–10 Mbps
• Voltage-limiting protection–signal lightning arrester (U port)–maximum discharge current 3 kA/common-mode 400 V/differential mode 170 V–RJ-11
Caution:
• The signal lightning arrester should be grounded as near as possible. The grounding resistance must be less than 4 ohms. The grounding resistance must be less than 1 ohm if there are special grounding requirements.
• Connect the grounding cable to the special-purpose grounding cable of the signal lightning arrester and connect it to the earthing network, instead of connecting it to the lightning rod or lightning belt.

4.9 Connecting the Power Cables

4.9.1 Power Supply Port and PGND Terminal
The F1000-E only supports AC power input. The AC power socket and power switch are located on the left of the front panel, as shown in Figure 4-11.
(1) Bail latch holder (2) AC power socket (100 V to 240 V; 50/60 Hz; 2.5 A) (3) Power switch
Figure 4-11 AC power socket
For the specifications for the AC power socket, see Table 4-2.
Table 4-2 Technical specifications for the AC power socket of the F1000-E
Item | Specification
AC power socket | 100 VAC to 240 VAC
4.9.2 Connecting the AC Power Cord
I. AC power supply
Rated voltage range: 100 VAC to 240 VAC, 50 Hz/60 Hz.
II. AC power socket
• Use a three-terminal, single-phase power connector with a grounding contact.
• Ground the power supply reliably. Normally, the grounding contact of the power supply system in a building was buried during construction and cabling.
• Before connecting the AC power cord, make sure that the power supply of the building is well grounded.
III. Connection procedure
Follow these steps to connect the AC power cord:
1) Make sure that the PGND terminal is securely connected to the ground.
2) Turn the firewall power switch to the OFF position.
3) Connect one end of the supplied AC power cord to the power socket on the firewall,
and the other end to the power supply.
4) Turn the firewall power switch to the ON position.
5) Check the status of the PWR LED on the front panel of the firewall. For the status of the power LED, see Table 4-3.
Table 4-3 Status of the power LED
Color | Status
OFF | No power supply is available.
ON | The power module works abnormally.
(1) Bail latch holder (2) AC power connector (3) Power switch (4) AC power socket (100 V to 240 V; 50/60 Hz; 2.5 A) (5) Bail latch (6) AC power cord
Figure 4-12 Connect the AC power cord
4.9.3 Connecting the RPS DC Power Cable
Follow these steps to connect the RPS DC power cable:
1) Make sure that the power switch on the firewall and the RPS input power switch
are both off.
2) Rip off the adhesive tape from the RPS socket.
3) Loosen the screws on the RPS blank panel with a Phillips screwdriver.
Figure 4-13 Loosen the screws on the RPS blank panel
4) Shake the blank panel slightly and then take it off. Now, you can see the RPS socket.
Figure 4-14 RPS socket
5) Plug the RPS power cable into the RPS socket on the firewall.
6) Turn the screws on the RPS connector clockwise until the connector is plugged in completely, and then fasten the two strain-relief screws on the RPS connector.
Figure 4-15 Connect the RPS DC power cable
7) Connect the other end of the RPS cable to the RPS power output port.
(1) RPS (2) RPS power output port (3) Connector of the RPS power output port (4) RPS power cable (5) Connector for the RPS power socket on the firewall (6) RPS power socket
Figure 4-16 Connect the RPS DC power cable to the RPS power output port
8) Turn on the power switch on the firewall and the RPS power switch.
9) Check the status of the OK LED on the RPS front panel. If it is on, the RPS power
works normally.

4.10 Connecting Port Cables

4.10.1 Connecting the Console Cable
Follow these steps to connect the console cable:
1) Select a configuration terminal.
The configuration terminal can be a standard ASCII terminal with an RS232 serial port,
or a common PC.
2) Connect the console cable.
Disconnect the power supply to the firewall. Connect the RJ-45 connector of the
console cable to the console port on the firewall, and the DB-9 (female) connector to
the serial port on the configuration terminal.
3) Power on the firewall after verifying the connection.
Verify the connection and power on the firewall. The configuration terminal displays the
startup banner of the firewall if the connection is correct. For details, refer to section 5.2
“Firewall Power-on” in Chapter 5 “Starting and Configuring the Firewall”.
(1) Console port (2) DB-9 (female) connector (3) Serial port on the configuration terminal (4) Console cable (5) RJ-45 connector
Figure 4-17 Connect the console cable
Caution:
When connecting a PC to the firewall with the console cable, first connect the DB-9
connector to the serial port on the PC, and then the RJ-45 connector to the console port
on the firewall.
4.10.2 Connecting the AUX Port to a Modem
The AUX port is usually used for remote configuration or dial backup. In this case, you
need to connect the local modem to the remote modem through PSTN and then to the
remote device.
Follow these steps to connect the AUX port with an AUX cable.
1) Plug the RJ-45 connector of an AUX cable into the AUX port on the firewall.
2) Plug the DB-25 (male) or DB-9 (male) connector into the serial port on the analog
modem.
(1) AUX port (2) RJ-45 connector (3) AUX cable (4) Modem (5) DB-25 (male) or DB-9 (male) connector
Figure 4-18 Connect the AUX cable
4.10.3 Connecting Ethernet Cables
I. Connecting an electrical Ethernet port
1) Connect one end of an Ethernet cable to an electrical Ethernet port on the
F1000-E and the other end to the Ethernet port on the peer device. Because a
10Base-T/100Base-TX/1000Base-T fixed electrical Ethernet port supports
MDI/MDIX auto-sensing, you can use a straight-through cable or crossover cable
to connect the port.
2) Check the status of the LED of the fixed electrical Ethernet port after power-on. For the status of the LED, see Table 4-4.
Table 4-4 Status of the LED
LED | Color | Status
GE0 to GE3 (yellow/green) | Off | No link is present.
GE0 to GE3 (yellow/green) | Solid green | A 1000 Mbps link is present.
GE0 to GE3 (yellow/green) | Flashing green | Data is being transmitted/received at 1000 Mbps.
GE0 to GE3 (yellow/green) | Solid yellow | A 10/100 Mbps link is present.
GE0 to GE3 (yellow/green) | Flashing yellow | Data is being transmitted/received at 10/100 Mbps.
II. Connecting an optical Ethernet port
Follow these steps to connect a 1000 Mbps optical Ethernet port:
1) Remove the dust cover from the optical Ethernet port.
Figure 4-19 Remove the dust cover
2) Align an SFP module with the optical SFP port, with the module handle facing
outward. Then insert it into the optical SFP port.
Figure 4-20 Insert an SFP module
3) Identify the Rx and Tx ports on the SFP module. Plug the LC connector at one end
of one fiber cable into the Rx port of the firewall and the LC connector at the other
end into the Tx port of the peer device. Plug the LC connector at one end of
another fiber cable into the Tx port of the firewall and the LC connector at the other
end to the Rx port of the peer device.
Figure 4-21 Plug fiber connectors
4) View the SFP LED after power-on. For the status of the SFP LED, see Table 4-5.
Table 4-5 Status of the SFP LED
LED | Color | Status
SFP0 to SFP3 (yellow/green) | Off | No optical fiber link is present.
SFP0 to SFP3 (yellow/green) | Solid green | An optical fiber link is present.
SFP0 to SFP3 (yellow/green) | Flashing green | Data is being transmitted/received.
SFP0 to SFP3 (yellow/green) | Solid yellow | The optical fiber cable fails to be detected.
Note that:
• Avoid bending optical fiber cables excessively, that is, to a curvature radius of less than 10 cm (3.9 in.).
• Ensure that the Tx and Rx ports of the SFP module are connected correctly.
• Keep the end-faces of optical fiber cables clean.
Caution:
• Never stare into an open optical Ethernet port, because invisible rays may be emitted from the optical Ethernet port.
• Fit the dust cover if no optical fiber connector is connected to the optical Ethernet port.
4.10.4 Connecting a 4GBE/8GBE interface module cable
You can use a straight-through cable or crossover cable to connect a
2GBE/4GBE/8GBE interface module cable. Follow these steps to connect a
2GBE/4GBE/8GBE interface module cable:
1) Power off the firewall and then install the module into the corresponding interface
module slot. For the installation of a 4GBE/8GBE interface module, refer to section
7.6.1 “Installing HIM” in Chapter 7 “Maintaining Hardware”.
2) Use a straight-through or crossover network cable to connect an interface.
• To connect the firewall to a PC or another firewall, use a crossover cable. Connect one end of the network cable to the Ethernet interface of the 4GBE/8GBE interface module, and the other end to the Ethernet port on the PC or firewall.
• To connect the firewall to a hub or a LAN switch, use a straight-through cable. Connect one end of the network cable to the Ethernet interface of the 4GBE/8GBE interface module, and the other end to the Ethernet port on the hub or LAN switch.
3) Check the following after connection:
• Check the status of the LED of the corresponding interface module slot on the front panel: If the LED is on, the power-on self test (POST) succeeds and the module works normally; if the LED is off, POST fails and you need to contact the sales agent.
• For a 4GBE/8GBE interface module, check the status of the LED on the module panel. For the status of the LED, see Table 2-1 in Chapter 2 “Interface Modules”.

4.11 Verifying Installation

Each time you power on the firewall during installation, you must verify that:
• There is enough space around the firewall for heat dissipation and the workbench is stable enough.
• The power source meets the requirements of the firewall.
• The PGND cable of the firewall is correctly connected.
• The firewall is correctly connected to the configuration terminal and other devices.
Caution:
It is very important to verify the installation because firm installation, good grounding, and correct power input directly affect the operation of the firewall.
Table of Contents
Chapter 5 Starting and Configuring the Firewall
5.1 Setting Up a Configuration Environment
5.1.1 Connecting the Firewall to a Configuration Terminal
5.1.2 Setting the Parameters for the Console Terminal
5.2 Firewall Power-On
5.2.1 Checklist for Firewall Power-On
5.2.2 Powering On the Firewall
5.2.3 Checklist/Operations after Firewall Power-On
5.3 Startup Process
5.4 Configuration Fundamentals
5.5 Command Line Interface
5.5.1 Features of the Command Line Interface
5.5.2 Command Line Interface
5.6 Logging to the Firewall Through a Web Browser
Installation Manual H3C SecPath F1000-E Firewall Chapter 5 Starting and Configuring the Firewall

Chapter 5 Starting and Configuring the Firewall

You can use only the console port to make initial configuration of the F1000-E.

5.1 Setting Up a Configuration Environment

5.1.1 Connecting the Firewall to a Configuration Terminal
For how to connect the firewall to the configuration terminal, refer to section 4.10.1 “Connecting the Console Cable” in Chapter 4 “Installing the Firewall”.
5.1.2 Setting the Parameters for the Console Terminal
1) Create a connection. Select Start > Programs > Accessories > Communications > HyperTerminal, and enter a connection name in the Connection Description dialog box, as shown below.
Figure 5-1 Create a connection
2) Select a connection port. Select a serial port from the Connect using drop-down list in the Connect to dialog box, as shown below. Be sure to select the serial port to which the console cable is actually connected.
Figure 5-2 Select a port for local configuration connection
3) Set serial port parameters.
Set the properties of the serial port in the COM1 Properties dialog box, as shown in Figure 5-3.
Table 5-1 Set serial port parameters
Item | Value
Bits per second | 9600 bps (default)
Data bits | 8
Parity | None
Stop bits | 1
Flow control | None
Note:
To use the default settings, click Restore Defaults.
Figure 5-3 Set serial port parameters
4) Click OK after setting the serial port parameters to enter the HyperTerminal window, as shown below.
Figure 5-4 HyperTerminal window
5) Set HyperTerminal properties. In the HyperTerminal window, select File > Properties from the menu, and select the Settings tab to enter the properties setting dialog box, as shown below. Select VT100 or Auto detect from the Emulation drop-down list, and click OK to return to the HyperTerminal window.
Figure 5-5 Set the terminal type

5.2 Firewall Power-On

5.2.1 Checklist for Firewall Power-On
Before powering on the firewall, check that:
• The power cord and ground cable are correctly connected.
• The voltage of the power source conforms to the voltage requirement of the firewall.
• The console cable is correctly connected, the configuration terminal or PC is powered on, and the emulation program is properly configured.
• If an external CF card is needed to store applications, the CF card is properly installed.
Warning:
Before powering on the firewall, locate the position of the power switch for the equipment room where you will operate so that you can switch off the power supply promptly in case of any accident.
5.2.2 Powering On the Firewall
• Turn on the power source.
• Turn on the power switch on the firewall.
5.2.3 Checklist/Operations after Firewall Power-On
After powering on the firewall, check that:
1) The LEDs on the front panel are normal.
The following table describes normal LED states after the firewall is powered on.
Table 5-2 Normal LED states after firewall power-on
LED | State | Meaning
PWR (green) | ON | The power module is working normally.
RPS (yellow/green) | Solid green | Both the AC input and DC output are normal.
SLOT1 (green) | ON | The module in slot 1 is running normally.
SLOT2 (green) | ON | The module in slot 2 is running normally.
SYS (green) | Slow flashing (1 Hz) | The system is working normally.
CF (green) | Solid green | The host detects that the external CF card works normally. In this state, you can remove the CF card.
USB1 (green) | OFF | The firewall is not connected with a host.
2) The fans work normally.
3) The buzzer beeps at power-on.
4) The configuration terminal displays information normally. You can see the startup window on the local configuration terminal. For more information, see section 5.3 “Startup Process”.
5) After the power-on self-test (POST), the system prompts you to press Enter. When the command line prompt appears, the firewall is ready to configure.

5.3 Startup Process

After power-on, the firewall initializes its memory, and then runs the extended BootWare. The following information appears on the terminal screen:
Note:
The information displayed on the terminal may vary with different BootWare versions.
System start booting...
Booting Normal Extend BootWare....
********************************************************
*                                                      *
*     H3C SecPath F1000-E BootWare, Version 1.12       *
*                                                      *
********************************************************
Copyright (c) 2004-2007 Hangzhou H3C Technologies Co., Ltd.
Compiled Date   : Jul 27 2007
CPU Type        : XLR732
CPU L1 Cache    : 32KB
CPU Clock Speed : 1000MHz
Memory Type     : DDR2 SDRAM
Memory Size     : 1024MB
Memory Speed    : 533MHz
BootWare Size   : 1024KB
Flash Size      : 4MB
cfa0            : 244MB
CPLD Version    : 135.0
PCB Version     : Ver.A
BootWare Validating...
Press Ctrl+B to enter extended boot menu...
Press Ctrl+B at this prompt to enter the extended BootWare menu, or let the system start to decompress the application program.
Note:
• To enter the extended BootWare menu, press Ctrl+B as prompted within four seconds; otherwise, the system will proceed with application decompression.
• If you want to enter the extended BootWare menu after the system starts application decompression, you need to restart the firewall.
Starting to get the main application file--cfa0:/f1000e.bin!.................
......................................................
The main application file is self-decompressing
..........................................................................
..........................................................................
.......
System is starting.....
..........................................................................
User interface con0 is available.
Press ENTER to get started.
Press Enter. The screen will display:
<H3C>
This prompt indicates that the firewall has entered user view and is ready to configure.
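The boot output in this section doubles as a hardware and firmware inventory. The following is an added example, not part of the H3C manual: it parses a captured console log and compares it with a recorded baseline, so that an unexpected BootWare version or application file stands out after installation or maintenance. The sample log is constructed from the output shown above; the function names and the baseline values are assumptions.

```python
import re

# Constructed sample: a console capture modelled on the output in section 5.3.
SAMPLE_LOG = """\
System start booting...
Booting Normal Extend BootWare....
********************************************************
*                                                      *
*     H3C SecPath F1000-E BootWare, Version 1.12       *
*                                                      *
********************************************************
Copyright (c) 2004-2007 Hangzhou H3C Technologies Co., Ltd.
Compiled Date   : Jul 27 2007
CPU Type        : XLR732
Memory Size     : 1024MB
Flash Size      : 4MB
cfa0            : 244MB
CPLD Version    : 135.0
PCB Version     : Ver.A
BootWare Validating...
Press Ctrl+B to enter extended boot menu...
Starting to get the main application file--cfa0:/f1000e.bin!.......
The main application file is self-decompressing
System is starting.....
User interface con0 is available.
Press ENTER to get started.
"""

# Assumed baseline, recorded from a known-good boot of the same unit.
BASELINE = {
    "BootWare Version": "1.12",
    "Main Application": "cfa0:/f1000e.bin",
    "CPLD Version": "135.0",
    "PCB Version": "Ver.A",
    "Console Ready": True,
}

VERSION_RE = re.compile(r"BootWare, Version\s+([\w.]+)")
APP_RE = re.compile(r"main application file--(\S+?)!")
# "Name : value" lines; the name may contain only letters, digits and spaces.
FIELD_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9 ]*?)\s*:\s*(\S.*?)\s*$")


def parse_boot_log(text):
    """Extract inventory fields from a captured boot log."""
    info = {"Console Ready": False}
    for raw in text.splitlines():
        # Drop serial line endings and the asterisks of the banner box.
        line = raw.strip().strip("*").strip()
        if not line:
            continue
        match = VERSION_RE.search(line)
        if match:
            info["BootWare Version"] = match.group(1)
            continue
        match = APP_RE.search(line)
        if match:
            info["Main Application"] = match.group(1)
            continue
        match = FIELD_RE.match(line)
        if match:
            info[match.group(1)] = match.group(2)
            continue
        if line.startswith("User interface con0 is available"):
            info["Console Ready"] = True
    return info


def deviations(info, baseline):
    """List every baseline item that is missing or different in the log."""
    report = []
    for key, expected in sorted(baseline.items()):
        actual = info.get(key)
        if actual != expected:
            report.append(f"{key}: expected {expected!r}, got {actual!r}")
    return report


if __name__ == "__main__":
    for problem in deviations(parse_boot_log(SAMPLE_LOG), BASELINE):
        print(problem)
```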

5.4 Configuration Fundamentals

In general, the configuration steps are as follows:
1) Before configuring the firewall, you should summarize the networking requirements, including the networking objective, role of the firewall in the network, division of subnets, WAN type and transmission medium, network security policy and network reliability.
2) Based on the above requirements, draw a clear, complete network diagram.
3) Configure the WAN interface of the firewall. First, configure the physical operating parameters (for example, the operating mode, baud rate and synchronous clock in the case of a serial interface) of the interface according to the transmission medium of the WAN. In the case of a dial-up interface, you also need to configure DCC parameters. Then, configure the data link layer protocol encapsulated on the interface and related operating parameters.
4) Configure the IP addresses of all the interfaces on the firewall according to the division of the subnets.
5) Configure routes. If it is necessary to enable a dynamic routing protocol, you need to configure related operating parameters of the protocol.
6) Perform security configuration for the firewall if necessary.
7) Perform reliability configuration for the firewall if necessary.
For the configuration details of the protocols or functions of the firewall, refer to H3C SecPath Series Security Products User Manual.

5.5 Command Line Interface

5.5.1 Features of the Command Line Interface
The command line interface (CLI) of the F1000-E provides a number of configuration commands, which enable you to configure and manage the firewall.
The CLI provides the following functions:
- Allows you to perform local configuration through the console port.
- Allows you to perform the local or remote configuration and directly log in to and manage other firewalls by using the telnet command.
- Provides online help, which is available by entering “?”.
- Provides network diagnostic tools, such as Tracert and Ping, for quick diagnosis of network connectivity.
- Provides all kinds of detailed debugging information to help diagnose network faults.
- Supports the auto-complete function. If you enter a conflict-free part of a command, the command will be interpreted. For example, you just need to enter dis for the display command.
- Supports the suggest function. For example, if you type dis and press Tab, all the commands starting with “dis” will be displayed.
5.5.2 Command Line Interface
The command line interface of the F1000-E provides plenty of configuration commands. All the commands are grouped in system view. Each group corresponds to a view. You can switch between different configuration views by using the corresponding commands. In general, only certain commands can be executed in a particular view. However, some commonly used commands, such as ping and display current-configuration, can be executed in any view.

5.6 Logging to the Firewall Through a Web Browser

The F1000-E supports Web-based network management, which allows you to manage and maintain the firewall in a more user-friendly way.
Your F1000-E firewall was delivered with the default Web login information. You can use this default information to log in to the Web page of your firewall. The default Web login information includes:
- User name: admin
- Password: admin
- IP address: 192.168.0.1
Follow these steps to log in to your firewall through a Web browser:
1) Connect the F1000-E.
Connect the Ethernet interface GigabitEthernet 0/0 of the F1000-E to a PC using a crossover network cable. For the connection of the console cable, refer to section 4.10.3 “Connecting Ethernet Cables” in Chapter 4 “Installing the Firewall”.
2) Configure an IP address for the PC, ensuring that the PC and the F1000-E can ping each other.
Set the IP address to any one but 192.168.0.1 within the range of 192.168.0.0/24. For example, set the address to 192.168.0.2.
3) Launch the Web browser and input the login information.
Launch the Web browser on the PC. You are recommended to use IE 5.0 or a later version. Type 192.168.0.1 in the address bar and press Enter. The login dialog box appears, as shown in Figure 5-6. In this dialog box, enter your user name (admin) and password (admin), and click Login.
Figure 5-6 Web login dialog box
Table of Contents
Chapter 6 Maintaining Software
6.1 Overview
6.1.1 Files Managed by the Firewall
6.1.2 BootWare Program File
6.1.3 Application File
6.1.4 Configuration Files
6.1.5 Software Maintenance Methods
6.2 BootWare Menu
6.2.1 BootWare Main Menu
6.2.2 Serial Submenu
6.2.3 Ethernet Submenu
6.2.4 File Control Submenu
6.2.5 BootWare Operation Submenu
6.2.6 Storage Device Operation Submenu
6.3 Upgrading BootWare and an Application Through a Serial Interface
6.3.1 Introduction to Xmodem
6.3.2 Modifying Serial Interface Parameters
6.3.3 Upgrading an Application
6.3.4 Upgrading BootWare
6.4 Upgrading an Application Using TFTP
6.4.1 Upgrading an Application Using TFTP on the BootWare Menu
6.4.2 Upgrading an Application Using TFTP Through Command Lines
6.5 Upgrading an Application Using FTP
6.5.1 Upgrading an Application Using FTP on the BootWare Menu
6.5.2 Upgrading an Application Using FTP Through Command Lines
6.6 Maintaining Application and Configuration Files
6.6.1 Displaying All Files
6.6.2 Setting the Application File Type
6.6.3 Deleting a File
6.7 Dealing with Password Loss
6.7.1 User Password Loss
6.7.2 BootWare Password Loss
6.7.3 Super Password Loss
6.8 Backing Up and Restoring BootWare
6.8.1 Backing Up the Full BootWare
6.8.2 Restoring the Full BootWare
6.9 Upgrading the Software Through the Web Interface
6.9.1 Configuring Parameters for Software Upgrade
6.9.2 Software Upgrade Configuration Example

Chapter 6 Maintaining Software

6.1 Overview

6.1.1 Files Managed by the Firewall
Three types of files need to be managed on the F1000-E. They are:
- BootWare program file
- Application file
- Configuration file
6.1.2 BootWare Program File
The BootWare program file is used for booting applications when a firewall starts and is saved on the Flash. Because Flash has no file system, the BootWare program file can be saved on the Flash with or without an extension name.
A full BootWare program file includes two segments: basic and extended.
- Basic segment of BootWare is used to finish basic system initialization. When basic initialization of the system is finished, the network interfaces and the CF card are unavailable.
- Extended segment of BootWare provides abundant human-computer interaction (HCI) functions and available network interfaces and CF card, and can be used to upgrade the applications and boot the system.
- After the basic segment is booted, you can load and upgrade the extended segment on the menu of the basic segment.
6.1.3 Application File
The F1000-E supports the Dual Image function. By default, the system defines three application files for booting.
- Main application file
- Backup application file
- Secure application file
The three kinds of application files are stored on the CF card. If you have loaded the three application files into the CF card, the system will boot using these three files in order. For more information about application files, refer to section 6.6 “Maintaining Application and Configuration Files” on page 6-30.
The following gives the default names and types of the application files and their priorities for booting.
- Main application file. The default name is main.bin, and the file type is M. It is the default application file used for booting.
- Backup application file. The default name is backup.bin, and the file type is B. When the boot using the main application file fails, the system boots using the backup application file.
- Secure application file. The default name is secure.bin, and the file type is S. When the boot using the main and backup application files fails, the system boots using the secure application file. If the boot using the secure application file fails, the system prompts a boot failure.
Note that:
- The application files for system boot can be type M, B and S, but not type N (that is, types other than M, B, and S).
- You can modify the name of an application file using commands after the application boots. You can modify the type of application files of type M, B and N except for type S on the BootWare menu or using commands after the application boots.
- The secure application file is the last resort for system boot. You cannot change the type of the secure application file, or change other types of files to the secure application file. You can only download it using the BootWare menu.
- There is only one file of the same type (M, B, or S) on the CF card. For instance, if there is a file of type M+B on the CF card, there will not be other files of type M or B. If the type of another file is changed to B, the original type M+B file changes to a file of type M.
6.1.4 Configuration Files
The configuration files store configuration information of the firewall. These files are displayed when you view the BootWare information, but without file attributes. The default file attribute is N/A.
By default, the system defines three configuration files for booting:
- Main configuration file
- Backup configuration file
- Default configuration file
The three kinds of configuration files are stored on the CF card with the extension .cfg. If you have loaded the three configuration files into the CF card, the system will boot using these three files in order. For more information about configuration files, refer to 6.6 “Maintaining Application and Configuration Files” on page 6-30.
The following gives the types of the configuration files and their priorities for booting:
- Main configuration file. The file type is M. The system boots using the main configuration file by default.
- Backup configuration file. The file type is B. When the boot using the main configuration file fails, the system boots using the backup configuration file.
- Default configuration file. The file type can be M, B or N. When the boot using the main and backup configuration files fails, the system boots using the default configuration file. If the boot using the default configuration file fails, the system boots without loading a configuration file. Firewalls of different vendors have different default configuration file names. The main/backup attribute configuration on the default configuration file is the same as that on common configuration files. At present, the name of the default configuration file of the F1000-E firewall is startup.cfg.
Note that:
- The configuration files for system boot can be type M, B and default configuration file of type N. The non-default configuration files of type N (that is, neither M nor B) cannot be used for system boot.
- You can modify the name of a configuration file using commands after the application boots. You cannot modify the type of the default configuration file, but you can modify the file type of type M, B and N configuration files using commands after the application boots.
- There is only one file of the same type (M, or B) on the CF card. For instance, if there is a file of type M+B on the CF card, there will not be other files of type M or B. If the type of another file is changed to B, the original type M+B file changes to a file of type M.
Caution:
- The configuration file name cannot be longer than 64 characters (including drive identifier and a string terminator). If the drive identifier is “CF:/”, the file name can be at most [ 64 – 1 – 4 ] = 59 characters in length; otherwise, errors will occur in file operation. Typically, the file name is recommended to be not more than 16 characters.
- The configuration file as a result of Web-based management is also saved in the CF card. Currently, the device supports only the M type of configuration file, with a suffix of .xml.
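The type and boot-order rules of sections 6.1.3 and 6.1.4, worked through as an added example (not part of the original manual and not H3C code). The class and function names are hypothetical, and the model assumes that a file which loses its last type flag becomes type N.

```python
"""Model of the boot-file type rules in sections 6.1.3 and 6.1.4 (added example)."""

MAX_PATH = 64  # page: the limit counts the drive identifier and a string terminator


class FileTable:
    """Files on one storage device; each file holds a subset of the flags M, B, S.

    An empty flag set is reported as type N (assumption: a file that loses
    its last flag becomes type N).
    """

    def __init__(self, drive="CF:/"):
        self.drive = drive
        self.flags = {}                       # file name -> set of type flags

    def max_name_len(self):
        return MAX_PATH - 1 - len(self.drive)

    def add(self, name, flags=""):
        """Place a file on the device, e.g. downloaded from the BootWare menu."""
        if len(name) > self.max_name_len():
            raise ValueError(f"file name longer than {self.max_name_len()} characters")
        self.flags[name] = set()
        self._assign(name, flags)

    def set_type(self, name, flags):
        """Change a file's type after boot; the secure type is off limits."""
        if "S" in self.flags[name] or "S" in flags:
            raise PermissionError("type S cannot be changed or assigned")
        self.flags[name] = set()
        self._assign(name, flags)

    def _assign(self, name, flags):
        for flag in flags:
            for held in self.flags.values():  # only one holder per type
                held.discard(flag)
            self.flags[name].add(flag)

    def type_of(self, name):
        return "+".join(f for f in "MBS" if f in self.flags[name]) or "N"

    def holder(self, flag):
        return next((n for n, held in self.flags.items() if flag in held), None)


def _unique(names):
    """Drop missing entries and repeats while keeping the order."""
    seen = []
    for name in names:
        if name is not None and name not in seen:
            seen.append(name)
    return seen


def application_boot_order(table):
    """Main, then backup, then secure; type N files are never tried."""
    return _unique([table.holder("M"), table.holder("B"), table.holder("S")])


def configuration_boot_order(table, default_name="startup.cfg"):
    """Main, then backup, then the default configuration file whatever its type."""
    default = default_name if default_name in table.flags else None
    return _unique([table.holder("M"), table.holder("B"), default])


def first_bootable(order, loads_ok):
    """First file that loads. None means boot failure for applications and
    a boot without any configuration file for configurations."""
    return next((name for name in order if loads_ok(name)), None)


if __name__ == "__main__":
    apps = FileTable()                        # constructed sample file set
    apps.add("main.bin", "MB")
    apps.add("new.bin")
    apps.add("secure.bin", "S")
    apps.set_type("new.bin", "B")             # main.bin drops from M+B to M
    print({name: apps.type_of(name) for name in apps.flags})
    print(application_boot_order(apps))
```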
6.1.5 Software Maintenance Methods
You can maintain the software of the F1000-E through either the Web interface or the command line interface (CLI).
For the detailed description about software maintenance through the Web interface, refer to section 6.9 “Upgrading the Software Through the Web Interface” on page 6-38.
In the CLI approach, the following two methods are available for software upgrading:
- Upgrade BootWare and applications using the Xmodem protocol through a serial interface.
- Upgrade applications using TFTP/FTP through Ethernet interface on BootWare menu or through command lines.
Note:
- The BootWare program is upgraded together with the Comware application. You do not need to upgrade the BootWare separately. The system automatically upgrades the BootWare program to the latest version if the current BootWare version is found to be inconsistent with the BootWare version contained in the host application.
- Check the current version of the BootWare and the Comware application before upgrading them. For the association between the Comware application version and the BootWare program version, refer to the version configuration information in Release Notes.
Figure 6-1 BootWare and Comware programs upgrade flow (flowchart: Start; Upgrade Comware application? If yes, choose the right Comware application file, then choose an upgrade method: Xmodem, or TFTP/FTP through the Ethernet interface; Upgrade; End)

6.2 BootWare Menu

6.2.1 BootWare Main Menu
When the firewall is powered on, the system first initializes the memory. After the initialization, the system runs the extended BootWare, and the following information is displayed on the console terminal:
Note:
The information displayed on the terminal may vary with different BootWare versions.
System start booting...
Booting Normal Extend BootWare....
********************************************************
*                                                      *
*      H3C SecPath F1000-E BootWare, Version 1.12      *
*                                                      *
********************************************************
Copyright (c) 2004-2007 Hangzhou H3C Technologies Co., Ltd.
Compiled Date  : Jul 27 2007
CPU Type       : XLR732
CPU L1 Cache   : 32KB
CPU Clock Speed: 1000MHz
Memory Type    : DDR2 SDRAM
Memory Size    : 1024MB
Memory Speed   : 533MHz
BootWare Size  : 1024KB
Flash Size     : 4MB
cfa0           : 244MB
CPLD Version   : 135.0
PCB Version    : Ver.A
BootWare Validating...
Press Ctrl+B to enter extended boot menu...
Press Ctrl+B to enter the extended BootWare menu; otherwise, the system enters the self extraction process of applications.
Note:
- You must press Ctrl+B within four seconds when “Press Ctrl+B to enter extended boot menu” appears. Otherwise, the system will not enter the extended BootWare menu but enter the self extraction process of applications.
- After the system enters the self extraction process of applications, if you want to enter the extended BootWare menu, you need to reboot the firewall.
- The extended BootWare menu is referred to as BootWare main menu in this manual unless otherwise specified.
Press Ctrl+B when “Press Ctrl+B to enter extended boot menu...” appears. The system prompts:
Please input BootWare password:
You can try up to three times to enter the BootWare password (the initial password is null). If you have tried three times but the password is still incorrect, you need to reboot the system. After you type the correct password, the system enters the BootWare main menu:
Note: The current operating device is cfa0
Enter < Storage Device Operation > to select device.
==================<EXTEND-BootWare MENU>=====================
| <1> Boot System                                           |
| <2> Enter Serial SubMenu                                  |
| <3> Enter Ethernet SubMenu                                |
| <4> File Control                                          |
| <5> Modify BootWare Password                              |
| <6> Skip Current System Configuration                     |
| <7> BootWare Operation Menu                               |
| <8> Clear Super Password                                  |
| <9> Storage Device Operation                              |
| <0> Reboot                                                |
=============================================================
Enter your choice(0-9):
The menu is described in the following table.
Table 6-1 BootWare main menu
Menu item | Description
<1> Boot System | Boot system applications from the CF card.
<2> Enter Serial SubMenu | Enter the serial submenu. For detailed information, refer to section 6.2.2 “Serial Submenu” on page 6-7.
<3> Enter Ethernet SubMenu | Enter the Ethernet submenu. For detailed information, refer to section 6.2.3 “Ethernet Submenu” on page 6-8.
<4> File Control | File control submenu. For detailed information, refer to section 6.2.4 “File Control Submenu” on page 6-9.
<5> Modify BootWare Password | Modify the BootWare password.
<6> Skip Current System Configuration | Boot the system with the system configuration ignored. This operation is valid for this boot only; you need to configure it again next time.
<7> BootWare Operation Menu | BootWare operation submenu. For detailed information, refer to section 6.2.5 “BootWare Operation Submenu”.
<8> Clear Super Password | Clear the super password. The super password is used in user level switching. No super password is set by default. This setting is valid for the first reboot of the firewall only. The super password will be restored after a second reboot.
<9> Storage Device Operation | Device control menu, used to select the storage medium.
<0> Reboot | Reboot the firewall.
6.2.2 Serial Submenu
Select 2 on the BootWare main menu to enter the serial submenu, where you can upgrade application files through Xmodem.
The system displays:
======================<SERIAL SUB-MENU>======================
|Note:the operating device is cfa0                          |
| <1> Download Application Program To SDRAM And Run         |
| <2> Update Main Application File                          |
| <3> Update Backup Application File                        |
| <4> Update Secure Application File                        |
| <5> Modify Serial Interface Parameter                     |
| <0> Exit To Main Menu                                     |
=============================================================
Enter your choice(0-5):
Items on this submenu are described in Table 6-2.
Table 6-2 BootWare serial submenu
Menu item | Description
<1> Download Application Program To SDRAM And Run | Download an application to the SDRAM through the serial interface and run the program.
<2> Update Main Application File | Upgrade the main application file.
<3> Update Backup Application File | Upgrade the backup application file.
<4> Update Secure Application File | Upgrade the secure application file.
<5> Modify Serial Interface Parameter | Modify serial interface parameters.
<0> Exit To Main Menu | Return to the BootWare main menu.
6.2.3 Ethernet Submenu
Select 3 on the BootWare main menu to enter the Ethernet submenu, where you can upgrade application files using FTP/TFTP.
The system displays:
====================<ETHERNET SUB-MENU>======================
|Note:the operating device is cfa0                          |
| <1> Download Application Program To SDRAM And Run         |
| <2> Update Main Application File                          |
| <3> Update Backup Application File                        |
| <4> Update Secure Application File                        |
| <5> Modify Ethernet Parameter                             |
| <0> Exit To Main Menu                                     |
| < Ensure The Parameter Be Modified Before Downloading! >  |
=============================================================
Enter your choice(0-5):
Items in the Ethernet submenu are described in the following table:
Table 6-3 Ethernet submenu
Menu item | Description
<1> Download Application Program To SDRAM And Run | Download an application to the SDRAM and run the program.
<2> Update Main Application File | Upgrade the main application file.
<3> Update Backup Application File | Upgrade the backup application file.
<4> Update Secure Application File | Upgrade the secure application file.
<5> Modify Ethernet Parameter | Modify Ethernet interface parameters.
<0> Exit To Main Menu | Return to the BootWare main menu.
6.2.4 File Control Submenu
Select 4 on the BootWare main menu to enter the file control submenu, where you can view the application files, modify file names, and delete files.
The system displays:
========================<File CONTROL>=======================
|Note:the operating device is cfa0                          |
| <1> Display All File(s)                                   |
| <2> Set Application File type                             |
| <3> Delete File                                           |
| <0> Exit To Main Menu                                     |
=============================================================
Enter your choice(0-3):
Items on this submenu are described in the following table:
Table 6-4 File control submenu
Menu item | Description
<1> Display All File | Display all files.
<2> Set Application File type | Set the application file type.
<3> Delete File | Delete a file.
<0> Exit To Main Menu | Return to the BootWare main menu.
6.2.5 BootWare Operation Submenu
Select 7 on the BootWare main menu to enter the BootWare operation submenu:
=====================<BOOTWARE OPERATION>====================
|Note:the operating device is cfa0                          |
| <1> Backup Full BootWare                                  |
| <2> Restore Full BootWare                                 |
| <3> Update BootWare By Serial                             |
| <4> Update BootWare By Ethernet                           |
| <0> Exit To Main Menu                                     |
=============================================================
Enter your choice(0-4):
Items on this submenu are described in the following table:
Table 6-5 BootWare operation submenu
Menu item | Description
<1> Backup Full BootWare | Back up the full BootWare.
<2> Restore Full BootWare | Restore the full BootWare.
<3> Update BootWare By Serial | Upgrade BootWare through a serial interface.
<4> Update BootWare By Ethernet | Upgrade BootWare through Ethernet.
<0> Exit To Main Menu | Return to the BootWare main menu.
6.2.6 Storage Device Operation Submenu
Select 9 on the BootWare main menu to enter the storage device operation submenu:
====================<DEVICE CONTROL>=========================
| <1> Display All Available Nonvolatile Storage Device(s)   |
| <2> Set The Operating Device                              |
| <3> Set The Default Boot Device                           |
| <0> Exit To Main Menu                                     |
=============================================================
Enter your choice(0-3):
Items on this submenu are described in the following table:
Table 6-6 Storage device operation submenu
Menu item | Description
<1> Display All Available Nonvolatile Storage Device(s) | Display all available nonvolatile storage devices.
<2> Set The Operating Device | Set the current operating device.
<3> Set The Default Boot Device | Set the default boot device.
<0> Exit To Main Menu | Return to the BootWare main menu.

6.3 Upgrading BootWare and an Application Through a Serial Interface

6.3.1 Introduction to Xmodem
Use Xmodem when upgrading BootWare and an application through a serial interface. Xmodem is a file transfer protocol that is widely used due to its simplicity and high performance. Xmodem transfers files through a serial interface. It supports two types of data packets (128 bytes and 1 KB), two check methods (checksum and CRC), and an error packet retransmission mechanism (generally the maximum number of retransmission attempts is 10).
The Xmodem transmission procedure is completed by the cooperation of a receiving program and a sending program. The receiving program sends a negotiation character to negotiate a packet check method. After the negotiation, the sending program starts to transmit data packets. When receiving a complete packet, the receiving program checks the packet using the agreed method.
- If the check succeeds, the receiving program sends an acknowledgement character and the sending program proceeds to send another packet.
- If the check fails, the receiving program sends a negative acknowledgement character and the sending program retransmits the packet.
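The exchange described above, simulated in memory as an added example (not part of the original manual and not H3C code). The control byte values, the 0x1021 CRC polynomial and the 0x1A padding follow the common XMODEM convention rather than anything stated in this manual, and all function names are hypothetical.

```python
"""XMODEM packet checking and ACK/NAK retransmission, simulated in memory."""

SOH, STX = 0x01, 0x02        # header byte of a 128-byte packet / a 1 KB packet
ACK, NAK = 0x06, 0x15        # acknowledgement / negative acknowledgement
CRC_REQ = ord("C")           # negotiation character that asks for CRC checking
PAD = 0x1A                   # filler for a short final packet


def crc16_xmodem(data: bytes) -> int:
    """CRC-16 with polynomial 0x1021 and initial value 0."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = (crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc


def checksum8(data: bytes) -> int:
    """Arithmetic checksum: sum of the body bytes modulo 256."""
    return sum(data) & 0xFF


def build_packet(seq: int, payload: bytes, use_crc: bool) -> bytes:
    """Sender side: header, padded body, then CRC-16 or checksum trailer."""
    size = 1024 if len(payload) > 128 else 128
    body = payload.ljust(size, bytes([PAD]))
    head = bytes([STX if size == 1024 else SOH, seq & 0xFF, 0xFF - (seq & 0xFF)])
    trailer = crc16_xmodem(body).to_bytes(2, "big") if use_crc else bytes([checksum8(body)])
    return head + body + trailer


def check_packet(packet: bytes, expected_seq: int, use_crc: bool):
    """Receiver side: return the body if the packet is intact, else None."""
    if len(packet) < 3 or packet[0] not in (SOH, STX):
        return None
    size = 1024 if packet[0] == STX else 128
    if len(packet) != 3 + size + (2 if use_crc else 1):
        return None
    if packet[1] != expected_seq & 0xFF or packet[1] + packet[2] != 0xFF:
        return None
    body, trailer = packet[3:3 + size], packet[3 + size:]
    good = crc16_xmodem(body).to_bytes(2, "big") if use_crc else bytes([checksum8(body)])
    return body if trailer == good else None


def transfer(data, block=128, use_crc=True, corrupt_sends=(), max_retries=10):
    """Run sender and receiver in lockstep over a simulated serial line.

    corrupt_sends holds 0-based indexes, counted over every packet
    transmission, whose body gets one bit flipped on the wire.
    Returns (received_bytes, control characters sent by the receiver).
    """
    log = [CRC_REQ if use_crc else NAK]       # receiver opens the negotiation
    received = bytearray()
    sends = 0
    for offset in range(0, len(data), block):
        seq = offset // block + 1             # numbering starts at 1, wraps at 256
        packet = build_packet(seq, data[offset:offset + block], use_crc)
        for _ in range(max_retries + 1):      # first send plus retransmissions
            wire = bytearray(packet)
            if sends in corrupt_sends:
                wire[10] ^= 0x01              # simulated line noise
            sends += 1
            body = check_packet(bytes(wire), seq, use_crc)
            if body is not None:
                received += body
                log.append(ACK)
                break
            log.append(NAK)
        else:
            raise IOError(f"packet {seq} failed after {max_retries} retransmissions")
    log.append(ACK)                           # reply to the sender's end-of-transmission
    return bytes(received), log


if __name__ == "__main__":
    image = bytes(range(256)) * 2 + b"tail"   # constructed sample "file"
    got, log = transfer(image, corrupt_sends={1})
    print(len(got), [hex(c) for c in log])
```

The received data keeps the padding of the last packet, so the receiver sees a length that is a multiple of the packet size. Both check methods detect line errors only; neither authenticates the sender or the file.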
6.3.2 Modifying Serial Interface Parameters
In actual applications, you need to make the serial interface baud rate higher to save upgrading time or make it lower to guarantee transmission reliability. This section introduces how to adjust the serial interface baud rate.
Enter the BootWare main menu and select 2 to enter the serial interface submenu, and then select 5 on the submenu to modify the baud rate. The system displays the following:
========================<BAUDRATE SET>=======================
|Note:'*'indicates the current baudrate                     |
| Change The HyperTerminal's Baudrate Accordingly           |
| Press 'Enter' to exit with things untouched.              |
|--------------------<Baudrate Available>-------------------|
| <1> 9600(Default) *                                       |
| <2> 19200                                                 |
| <3> 38400                                                 |
| <4> 57600                                                 |
| <5> 115200                                                |
| <0> Exit                                                  |
=============================================================
Enter Your Choice(0-5):
Select a proper baud rate. For example, select 5 for a baud rate of 115200 bps and the system displays the following information:
Baudrate has been changed to 115200 bps.
Please change the terminal's baudrate to 115200 bps, press ENTER when ready.
At this time, the baud rate of the serial interface of the firewall is modified to 115200 bps, while that of the terminal is still 9600 bps. The firewall and the terminal cannot communicate with each other. Therefore, you need to make the baud rate on the terminal consistent with that on the firewall.
Perform the following operations on the terminal:
Figure 6-2 Disconnect the terminal
Select File > Properties, and then click Configure… to change the bits per second to 115200.
Figure 6-3 Modify the baud rate on the terminal
Select Call > Call to establish a new connection.
Figure 6-4 Re-establish a call connection
Then, press the Enter key, and the system will prompt the current baud rate and return to the previous menu.
The system displays:
The current baudrate is 115200 bps
Note:
After you download files to upgrade applications by changing the baud rate, restore the baud rate in the HyperTerminal to 9600 bps in time, so as to ensure the normal display on the console screen when the system boots or reboots.
6.3.3 Upgrading an Application
The application upgrade through a serial interface is implemented on the serial submenu.
Select 2 on the BootWare main menu to enter the serial submenu. For detailed description on this submenu, refer to section 6.2.2 “Serial Submenu” on page 6-7.
The following example shows how to upgrade the main application file main.bin:
To improve the upgrading speed, you can modify the serial port baud rate before upgrading the main application file (refer to section 6.3.2 “Modifying Serial Interface Parameters” on page 6-11). Select 2 on the serial port submenu, and the system prompts:
Waiting...CC
Select Transfer > Send file… in the terminal window. The following dialog box appears:
Figure 6-5 Send File dialog box
Click Browse… to select the application to be downloaded, and select Xmodem from the Protocol drop-down list. Then click Send and the following dialog box appears:
Figure 6-6 Sending file dialog box
After the file is downloaded, the following information appears on the terminal interface:
Download successfully! 10129792 bytes downloaded!
Note:
The size of an application is often over 10 MB. Even if the baud rate is 115200 bps, it will take about 30 minutes to upgrade the application through a serial interface. Therefore, you are recommended to upgrade the application through Ethernet.
6.3.4 Upgrading BootWare
Enter the BootWare main menu, refer to section 6.2.1 “BootW are Main Menu“ on page 6-5. Select 7 to enter the BootWare operation submenu, where you can perform all BootWare operations. For detailed description on this submenu, refer to section
BootWare Operation Submenu“ on page 6-9.
“ The following example shows how to upgrade the full BootWare:
6.2.5
First modify the baud rate to improve the upgrading speed (refer to section
Modifying Serial Interface Parameters“ on page 6-11), and then select 3 on the
6.3.2
BootWare operation submenu. The system prompts:
===========<BOOTWARE OPERATION SERIAL SUB-MENU>============== | <1> Update Full BootWare | | <2> Update Extended BootWare | | <3> Update Basic BootWare | | <4> Modify Serial Interface Parameter | | <0> Exit To Main Menu | ============================================================= Enter your choice(0-4):
Select 1. The system displays the following:
Waiting ...CCCCCCCCCCCCCCCCCCCCCCCCC...
Select Transfer > Send file… in the terminal window. The following dialog box appears:
Figure 6-7 Send File dialog box
Click Browse… to select the application file to be downloaded, and select Xmodem from the Protocol drop-down list. Then click Send and the following dialog box appears:
Figure 6-8 Sending file dialog box
After the file is downloaded, the following information appears on the terminal interface, indicating the success of BootWare upgrade:
Download successfully! 10129792 bytes downloaded!
Note:
• The BootWare program is upgraded together with the Comware application. You do not need to upgrade the BootWare separately. The system automatically upgrades the BootWare program to the latest version while upgrading the application.
• The file name, size and path in the above figures may vary. Check the current BootWare and application versions before upgrading them.
• If you upgraded the extended segment of BootWare, you only upgraded part of the BootWare. If an error occurs, you can re-upgrade the BootWare.

6.4 Upgrading an Application Using TFTP

When the application file is large, you can upgrade it using TFTP to save upgrade and maintenance time.
Trivial File Transfer Protocol (TFTP), a protocol in the TCP/IP protocol suite, is used for trivial file transfer between client and server. It provides not-so-complex and low-cost file transfer services. TFTP provides unreliable data transfer services over UDP and does not provide any access authorization and authentication mechanism. It employs timeout and retransmission to guarantee successful data delivery.
The F1000-E firewall can serve as the TFTP client. Therefore the file server serves as the TFTP server. You can upload/download the application file on the firewall to/from the file server.
There are two approaches to upgrading application files using TFTP:
• Using the BootWare menu
• Using command lines
6.4.1 Upgrading an Application Using TFTP on the BootWare Menu
1) Set up a TFTP upgrade environment
Figure 6-9 Set up a TFTP upgrade environment
• Firewall serves as the TFTP client, and PC serves as the TFTP server.
• Connect Ethernet interface GigabitEthernet 0/0 on the firewall to the PC using a crossover Ethernet cable. Ensure the connectivity between the firewall and the PC.
• Enable TFTP Server on PC and set the path where the application file is stored.
Caution:
• The TFTP Server software is not included in the F1000-E firewall package. You need to purchase and install it by yourself.
• You can upgrade the applications of the F1000-E through GigabitEthernet 0/0 only.
2) Configure Ethernet interface parameters on the BootWare menu.
Enter the BootWare main menu and select 3 to enter the Ethernet submenu, where you can select 5 to enter the Ethernet Parameter Set menu to set the Ethernet parameters.
==================<ETHERNET PARAMETER SET>===================
Note: '.' = Clear field.
      '-' = Go to previous field.
      Ctrl+D = Quit.
=============================================================
Protocol (FTP or TFTP):tftp
Load File Name        :main.bin
Target File Name      :main.bin
Server IP Address     :192.168.80.200
Local IP Address      :192.168.80.10
Gateway IP Address    :
FTP User Name         :
FTP User Password     :
Table 6-7 Description on the display information of setting Ethernet interface parameters

| Display information | Description |
| --- | --- |
| '.' = Clear field | Shortcut key . is used to clear the current input. |
| '-' = Go to previous field | Shortcut key - is used to return to the previous field. |
| Ctrl+D = Quit | Shortcut key Ctrl+D is used to quit the parameter setting page. |
| Protocol (FTP or TFTP) | Choose to upgrade application programs using TFTP/FTP. |
| Load File Name | Name of the download file, which needs to be the same as that of the actual file to be downloaded. At the same time, you need to set the download path in TFTP/FTP. |
| Target File Name | Name of the target file after the file is downloaded to the firewall. The extension of the target file needs to be the same as that of the downloaded file. |
| Server IP Address | IP address of the FTP/TFTP server. |
| Local IP Address | IP address of the interface connected with the FTP/TFTP server. |
| Gateway IP Address | IP address of the gateway. You need not configure this IP address. |
| FTP User Name | FTP username, which will be used in FTP download. TFTP download needs no username. |
| FTP User Password | FTP password, which will be used in FTP download. TFTP needs no password. |
Note:
To use the default parameter after the colon, press Enter directly.
3) After the above configuration, the system will automatically return to the BootWare submenu, where you can select 2 to upgrade the main application file.
Loading................................... done
10129712 bytes downloaded!
Updating File cfa0:/main.bin
.........
Update Success!
4) After the upgrade is finished, select 0 to return to the BootWare main menu, where you can select 1 to reboot the system from the CF card.
Caution:
• If the input application file name is the same as the name of a file on the CF card, the system prompts “The file is exist, will you overwrite it? [Y/N]”. If you select Y, the input application file will overwrite the one on the CF card. The upgraded application file will directly replace the original one of this type and become the only application file.
• Make sure the available space on the CF card is sufficient. Otherwise, the system prompts “The free space isn't enough!”.
• Refer to section 6.1 “Overview” on page 6-1 for detailed description on file types.
6.4.2 Upgrading an Application Using TFTP Through Command Lines
1) Set up a TFTP upgrade environment.
• Firewall serves as the TFTP client, and PC serves as the TFTP server.
• For the procedure of setting up an upgrade environment, refer to step 1 in section 6.4.1 “Upgrading an Application Using TFTP on the BootWare Menu” on page 6-17.
• Run the terminal emulation program on the PC, and then configure the IP addresses of the client and server to be on the same network segment. In this example, the IP address of the server is 192.168.80.200, and that of GigabitEthernet 0/0 on the client is 192.168.80.10.
• You can use the ping command to check whether the connection is successful.
Caution:
You can upgrade the application programs of the F1000-E through GigabitEthernet 0/0 only.
2) View the files saved in the storage medium and its available space.
Use the dir command on the console terminal to view the files contained in the current file system, and the available space of the storage device.
<H3C>dir
Directory of cfa0:/

   0     -rw-  10867848  Jun 13 2007 13:21:20   main.bin
   1     -rw-      4722  Jun 26 2007 12:55:42   config.cfg
   2     -rw-      1128  Jun 27 2007 11:07:24   startup.cfg
   3     -rw-  10129712  Jun 27 2007 10:26:02   update.bin
   4     drw-         -  Jun 02 2007 18:28:14   logfile

62472 KB total (41855.5 KB free)

File system type of cfa0: FAT16

<H3C>
Table 6-8 Description on the display information of the dir command

| Display information | Description |
| --- | --- |
| Directory of cfa0:/ | Name of the current directory. |
| 62472 KB total (41855.5 KB free) | Used space of the CF card (available space) |
| File system type of cfa0 | File system type of the CF card. |
3) Upgrade an application.
Using TFTP, you can download an application file from the server to the firewall, and overwrite the original main application file to implement the application program upgrade. The upgraded application file takes effect when the firewall reboots.
# Download application file main.bin from the TFTP server to the firewall.
<H3C> tftp 192.168.80.200 get main.bin main.bin
The file main.bin exists. Overwrite it? [Y/N]:y
Verifying server file...
Deleting the old file, please wait...
File will be transferred in binary mode
Downloading file from remote TFTP server, please wait...|
TFTP: 10867848 bytes received in 512.615 second(s)
File downloaded successfully.
Note:
• When you download an application file, if a file with the same name as the downloaded file exists on the firewall, the system prompts whether to overwrite the file on the firewall. You need to select Y or N for confirmation.
• For details about the tftp command, refer to H3C SecPath Series Security Products User Manual.
• You can upgrade a configuration file using the same method as upgrading an application file. A configuration file can be modified by a text editor. You can modify a configuration file and then download the modified configuration file to the firewall, and the modification takes effect after the firewall reboots.
4) Back up an application file
Using TFTP, you can back up an application file by uploading it to the server.
# Upload file main.bin on the firewall to the server, and save it as main.bin.
<H3C> tftp 192.168.80.200 put main.bin main.bin
File will be transferred in binary mode
Sending file to remote tftp server. Please wait...
TFTP: 10867848 bytes sent in 0.01 second(s).
File uploaded successfully.
Note:
• When you back up an application file, if a file with the same name as the file to be backed up exists on the server, the system overwrites the file on the server directly.
• For details about the tftp command, refer to H3C SecPath Series Security Products User Manual.
• You can back up a configuration file using the same method as backing up an application file.
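Because TFTP provides no authentication and the transfer runs over UDP, it is worth confirming after steps 3 and 4 that the byte counts agree with the image held on the TFTP server. The Python helper below is an added example, not part of the H3C manual: it fingerprints the image on the PC and compares sizes parsed from the console and dir output formats shown in this section. The function names are hypothetical, and it assumes you have a trusted SHA-256 value for the image to compare the fingerprint against; a size match catches truncation or a wrong file, not modification.

```python
import hashlib
import re

# Console formats as they appear in this manual's transcripts.
RECEIVED = re.compile(r"TFTP:\s*(\d+) bytes received")   # CLI "tftp ... get"
DOWNLOADED = re.compile(r"(\d+) bytes downloaded!")      # BootWare menu
DIR_ROW = re.compile(
    r"^\s*\d+\s+[-d]rw-\s+(\d+|-)\s+\w{3} \d{2} \d{4} [\d:]{8}\s+(\S+)\s*$", re.M)

# Sample input copied from the transcripts in this section.
CONSOLE = """TFTP: 10867848 bytes received in 512.615 second(s)
File downloaded successfully."""
LISTING = """Directory of cfa0:/
 0 -rw- 10867848 Jun 13 2007 13:21:20 main.bin
 3 -rw- 10129712 Jun 27 2007 10:26:02 update.bin
 4 drw- - Jun 02 2007 18:28:14 logfile
62472 KB total (41855.5 KB free)"""

def fingerprint(path, chunk=1 << 20):
    """Return (size, sha256 hex) of the image as stored on the TFTP server."""
    digest, size = hashlib.sha256(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
            size += len(block)
    return size, digest.hexdigest()

def reported_bytes(console):
    """Byte count the firewall printed after the transfer, or None."""
    match = RECEIVED.search(console) or DOWNLOADED.search(console)
    return int(match.group(1)) if match else None

def dir_sizes(listing):
    """Map file name -> size from dir output; directories ('-') are skipped."""
    return {name: int(size) for size, name in DIR_ROW.findall(listing) if size != "-"}

def check_transfer(expected_size, console, listing, target):
    """Return a list of mismatches; an empty list means the sizes agree."""
    problems = []
    got = reported_bytes(console)
    if got != expected_size:
        problems.append(f"console reports {got} bytes, expected {expected_size}")
    on_card = dir_sizes(listing).get(target)
    if on_card != expected_size:
        problems.append(f"{target} on cfa0 is {on_card} bytes, expected {expected_size}")
    return problems

if __name__ == "__main__":
    print(check_transfer(10867848, CONSOLE, LISTING, "main.bin"))    # sizes agree
    print(check_transfer(10867848, CONSOLE, LISTING, "update.bin"))  # size mismatch
```

Run fingerprint() on the image before enabling the TFTP server, then pass its size as expected_size once the transfer has finished.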

6.5 Upgrading an Application Using FTP

When the application file is large, you can also upgrade it using FTP to save upgrade and maintenance time.
File Transfer Protocol (FTP) is an application layer protocol in the TCP/IP suite. It is mainly used for file transfer between remote hosts. FTP provides reliable and connection-oriented data transfer service over TCP. Compared with TFTP, the FTP software is much bigger.
There are two approaches to upgrading an application file using FTP:
• Using the BootWare menu. In this approach, the firewall can serve as the FTP client only.
• Using command lines. In this approach, the firewall can serve as the FTP server or the FTP client.