H3C SecPath F1800-A Operation Manual

H3C SecPath F1800-A Firewall
Operation Manual
Hangzhou Huawei-3Com Technology Co., Ltd. http://www.huawei-3com.com
Manual Version: T2-081659-20061015-C-1.01 Product Version: VRP3.30
Copyright © 2006, Hangzhou Huawei-3Com Technology Co., Ltd. and its licensors
All Rights Reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou Huawei-3Com Technology Co., Ltd.
Trademarks
H3C, Aolynk, IRF, H3Care, Neocean, TOP G, SecEngine, SecPath, COMWARE, VVG, V2G, VnG, PSPT, NetPilot, and XGbus are trademarks of Hangzhou Huawei-3Com Technology Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners.
Notice
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure the accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
To obtain the latest information, please access: http://www.huawei-3com.com
Technical Support
customer_service@huawei-3com.com http://www.huawei-3com.com
About This Manual
Related Documentation
In addition to this manual, each SecPath F1800-A documentation set includes the following:
Manual Description
H3C SecPath F1800-A Firewall Installation Manual
Introduces the installation process, startup as well as the software/hardware maintenance and monitoring of SecPath F1800-A firewall.
H3C SecPath F1800-A Firewall Operation Manual
Introduces the operation guidance about getting started, working mode, security zone, system management, interface, link layer protocol, network and routing protocol, security defence, VPN and reliability of SecPath F1800-A firewall.
H3C SecPath F1800-A Firewall Command Reference
Introduces commands used in working mode, security zone, system management, interface, link layer protocol, network and routing protocol, security defence, VPN and reliability of SecPath F1800-A firewall corresponding to the operation manual.
Organization
H3C SecPath F1800-A Firewall Operation Manual is organized as follows:
Part Contents
1 Getting Started: begins with firewall development and security concepts, then introduces the security features, configuration environment setup, management and working modes of the SecPath F1800-A firewall.
2 System Management: introduces the SecPath F1800-A firewall file system, software upgrading, display and debugging tools and the information center, as well as the usage and operation guidance of log maintenance, NTP, SNMP, RMON and RMON2.
3 Interface: presents the parameter configurations of the interfaces provided, such as the Ethernet interface, AUX interface and logical interfaces.
4 Link Layer Protocol: describes the fundamentals and configuration of the link layer protocols supported by the SecPath F1800-A firewall, including PPP, PPPoE and VLAN.
5 Network and Routing Protocol: explains IP addresses, IP performance, address resolution, DHCP relay and routing principles, and describes static routes, RIP routes, OSPF routes, BGP routes, policy routes and the related configuration.
6 Security Defence: details the virtual firewall, ACL basics, security policy, NAT, IDS cooperation and AAA configuration.
7 VPN: deals with the principles and configuration of the VPN solutions provided by the SecPath firewalls (e.g., L2TP), Dynamic VPN and IPSec configuration.
8 Reliability: covers the reliability measures adopted by the SecPath F1800-A firewall, including route redundancy and dual-system hot backup, and their configuration.
9 Abbreviations: lists the abbreviations used in this manual and their full names.
10 Index: lists important keywords as index entries to help the reader find the required information quickly.
Conventions
The manual uses the following conventions:
I. Command conventions
Convention Description
Boldface
The keywords of a command line are in Boldface.
italic
Command arguments are in italic.
[ ]
Items (keywords or arguments) in square brackets [ ] are optional.
{ x | y | ... }
Alternative items are grouped in braces and separated by vertical bars. One is selected.
[ x | y | ... ]
Optional alternative items are grouped in square brackets and separated by vertical bars. One or none is selected.
{ x | y | ... } *
Alternative items are grouped in braces and separated by vertical bars. A minimum of one or a maximum of all can be selected.
[ x | y | ... ] *
Optional alternative items are grouped in square brackets and separated by vertical bars. Many or none can be selected.
# A line starting with the # sign is a comment.
II. GUI conventions
Convention Description
< >
Button names are inside angle brackets. For example, click <OK>.
[ ]
Window names, menu items, data table and field names are inside square brackets. For example, pop up the [New User] window.
/
Multi-level menus are separated by forward slashes. For example, [File/Create/Folder].
III. Symbols
Convention Description
Caution
Means the reader should be careful. Improper operation may cause data loss or damage to equipment.
Note
Means a complementary description.
Operation Manual - Getting Started H3C SecPath F1800-A Firewall Table of Contents
Table of Contents
Chapter 1 Firewall Overview ........................................................................................................1-1
1.1 Overview of Network Security............................................................................................ 1-1
1.1.1 Security Threats ...................................................................................................... 1-1
1.1.2 Classification of Network Security Services ............................................................ 1-2
1.1.3 Implementation of Network Security Services ........................................................ 1-2
1.2 Overview of Firewall System ............................................................................................. 1-5
1.2.1 First Safeguard........................................................................................................ 1-5
1.2.2 Evolution of the Firewall .......................................................................................... 1-5
1.3 Overview of the SecPath F1800-A .................................................................................... 1-7
1.3.1 SecPath F1800-A.................................................................................................... 1-7
1.3.2 Overview of the SecPath F1800-A.......................................................................... 1-8
1.3.3 Function Features List of the SecPath F1800-A ..................................................... 1-9
Chapter 2 Basic SecPath F1800-A Configuration.................................................................... 1-12
2.1 Establishment of Configuration Environment Through the Console Interface ................ 1-12
2.1.1 Establishing Configuration Environment ............................................................... 1-12
2.1.2 Configuring Successful Ping Between a Device and a SecPath F1800-A ........... 1-15
2.1.3 Configuring Successful Ping between Two Devices across a SecPath F1800-A 1-17
2.2 Establishment of Configuration Environment by Other Means........................................ 1-19
2.2.1 Establishment through the AUX interface ............................................................. 1-19
2.2.2 Establishment through Telnet ............................................................................... 1-21
2.2.3 Establishment Through SSH................................................................................. 1-24
2.3 Command-line Interface Management ............................................................................ 1-25
2.3.1 Command-Line Level ............................................................................................ 1-25
2.3.2 Command-Line View............................................................................................. 1-26
2.3.3 Online Help of Command Line.............................................................................. 1-37
2.3.4 Error Information of Command Line...................................................................... 1-38
2.3.5 History Commands................................................................................................ 1-39
2.3.6 Edition Feature...................................................................................................... 1-40
2.3.7 Display Feature ..................................................................................................... 1-40
2.3.8 Hotkey ................................................................................................................... 1-41
2.4 Basic Configuration of the SecPath F1800-A .................................................................. 1-44
2.4.1 Entering and Quitting System View....................................................................... 1-44
2.4.2 Changing Language Mode.................................................................................... 1-44
2.4.3 Defining the SecPath F1800-A Name................................................................... 1-44
2.4.4 Configuring System Clock..................................................................................... 1-45
2.4.5 Configuring Command Privilege Level.................................................................. 1-45
2.4.6 Displaying System Status Information .................................................................. 1-46
2.5 User Management ........................................................................................................... 1-47
2.5.1 Overview of User Management............................................................................. 1-47
2.5.2 User Management Configuration .......................................................................... 1-49
2.5.3 User Login Information Configuration ................................................................... 1-51
2.5.4 Typical Examples of Configuration........................................................................ 1-53
2.6 User Interface .................................................................................................................. 1-53
2.6.1 User Interface Overview........................................................................................ 1-53
2.6.2 Entering User Interface View ................................................................................ 1-54
2.6.3 Configuring Asynchronous Interface Attributes..................................................... 1-55
2.6.4 Configuring Terminal Attributes............................................................................. 1-57
2.6.5 Configuring Modem Attributes............................................................................... 1-58
2.6.6 Configuring Redirection......................................................................................... 1-58
2.6.7 Configuring Call-in or Call-out Restriction on VTY User Interface ........................ 1-60
2.6.8 Displaying and Debugging User Interface ............................................................ 1-60
2.7 Terminal Service.............................................................................................................. 1-61
2.7.1 Configuring Terminal Service on the Console Interface ....................................... 1-61
2.7.2 Configuring Terminal Service on the AUX Port..................................................... 1-61
2.7.3 Configuring Telnet Terminal Service..................................................................... 1-62
2.7.4 Configuring SSH Terminal Service ....................................................................... 1-65
Chapter 3 Working Mode............................................................................................................ 1-71
3.1 Working Mode Overview.................................................................................................. 1-71
3.1.1 Introduction to Working Mode ............................................................................... 1-71
3.1.2 Working Process of Route Mode .......................................................................... 1-73
3.1.3 Working Process of Transparent Mode ................................................................ 1-74
3.1.4 Working Process of Composite Mode................................................................... 1-78
3.2 Route Mode Configuration............................................................................................... 1-78
3.2.1 Configuring the SecPath F1800-A to Work in Route Mode .................................. 1-78
3.2.2 Setting Other Parameters in Route Mode............................................................. 1-79
3.3 Transparent Mode Configuration..................................................................................... 1-79
3.3.1 Configuring Transparent Mode for the SecPath F1800-A .................................... 1-79
3.3.2 Configuring Address Entries ................................................................................. 1-79
3.3.3 Configuring Processing Mode of IP Packets with Unknown MAC Address.......... 1-80
3.3.4 Setting Aging Time of MAC Address Forwarding Table ....................................... 1-80
3.4 Composite Mode Configuration ....................................................................................... 1-81
3.4.1 Configuring the SecPath F1800-A to Work in Composite Mode........................... 1-81
3.4.2 Setting Other Parameters in Composite Mode ..................................................... 1-81
3.5 Displaying and Debugging Firewall Working Mode ......................................................... 1-81
3.6 Typical Example for Configuring Firewall Working Mode................................................ 1-82
3.6.1 Processing IP Packet with Unknown MAC Address ............................................. 1-82
3.6.2 Connecting Multiple LANs with the SecPath F1800-A in Transparent Mode ....... 1-83
Operation Manual - Getting Started H3C SecPath F1800-A Firewall Chapter 1 Firewall Overview
Chapter 1 Firewall Overview
1.1 Overview of Network Security
With the rapid development of the Internet, more and more enterprises turn to network services to speed up their own development. How to protect confidential data, resources and reputation in an open network environment has become a focus of attention. Therefore, network security is a critical task in network construction.
1.1.1 Security Threats
At present, the common security threats on the Internet are shown in Table 1-1.
Table 1-1 Common security threats on the Internet
Type / Description / Example
Unauthorized use
Description: Resources are used by an unauthorized user (also called an illegal user) or in an unauthorized way.
Example: An intruder guesses a user name and password combination to enter a computer system and use its resources illegally.
Denial of Service (DoS)
Description: The server denies legal access requests from legal users.
Example: An intruder sends a large number of packets, or defective packets, to the server within a short time, so that the server is overloaded and cannot process legal tasks.
Information theft
Description: An intruder does not intrude into the destination system directly, but intercepts significant data or information on the network.
Example: -
Data tampering
Description: An intruder intentionally destroys the consistency of data by modifying, deleting, delaying or reordering system data or the message stream, or by inserting fraudulent messages.
Example: -
1.1.2 Classification of Network Security Services
Network security services are a set of security measures taken against the above security threats. They are shown in Table 1-2.
Table 1-2 Network security services
Type / Description
Availability service: Ensures that information or services can be accessed when required.
Confidentiality service: Ensures that sensitive data or information is not disclosed or exposed to an unauthorized entity.
Integrity service: Ensures that data cannot be modified or destroyed in an unauthorized way.
Verification (authentication): Ensures the legality of an entity's identity.
Authorization: Specifies the access rights of a user to control resources.
1.1.3 Implementation of Network Security Services
I. Encryption
Encryption is the process of translating a readable message into unreadable ciphertext. It can:
• Provide users with communication security;
• Serve as the basis of many other security mechanisms.
For example, cryptographic mechanisms include:
• Authentication password design
• Secure communication protocol design
• Digital signature design
Encryption methods are of three types, shown in Table 1-3.
Table 1-3 Encryption methods
Type / Description / Remark
Symmetric key mechanism
Description: The same key is used for encryption and decryption. A pair of users shares one key to exchange messages, and the key must be kept secret.
Remark: It includes Data Encryption Standard (DES) and Triple DES (3DES).
Public key mechanism
Description: It uses two different keys that separate the process of encryption from that of decryption. One key, the private key, must be stored secretly; the other, the public key, can be distributed publicly.
Remark: It includes Diffie-Hellman (DH) and Rivest, Shamir, Adleman (RSA).
Hash
Description: It compresses a variable-length message into a fixed-length code, called the hash or message digest.
Remark: It includes Message Digest 5 (MD5) and Secure Hash Algorithm (SHA).
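Added example (not code from the manual or the SecPath product): the three mechanism types of Table 1-3 working together in Python, the way protocols such as SSH and IPSec combine them. Diffie-Hellman (public key mechanism) agrees on a shared secret, SHA-256 (hash) compresses it into a fixed-length symmetric key, and an HMAC keyed with that secret (symmetric mechanism) protects message integrity. The prime and generator are constructed demo parameters, not a standardized DH group, and only the Python standard library is used.

```python
"""Added example (not from the H3C manual): DH key agreement, hash-based key
derivation and a keyed integrity tag, i.e. the three families of Table 1-3."""
import hashlib
import hmac
import secrets

# Constructed demo group: the Mersenne prime 2^127 - 1 with generator 5.
# It is NOT a standardized DH group; real deployments use RFC 3526 groups.
DEMO_P = (1 << 127) - 1
DEMO_G = 5


def dh_keypair(p=DEMO_P, g=DEMO_G):
    """Public key mechanism: the private exponent stays secret, the public
    value g^priv mod p may be sent in the clear."""
    priv = secrets.randbelow(p - 2) + 1        # 1 <= priv <= p-2
    return priv, pow(g, priv, p)


def dh_shared_secret(priv, other_pub, p=DEMO_P):
    """Each side raises the peer's public value to its own private exponent;
    both obtain g^(a*b) mod p without the secret crossing the wire."""
    if not 1 < other_pub < p - 1:             # reject 0, 1 and p-1 (degenerate)
        raise ValueError("invalid peer public value")
    return pow(other_pub, priv, p)


def derive_key(shared):
    """Hash mechanism: compress the variable-size secret into a fixed 32-byte
    symmetric key (a simplified KDF; real protocols also mix in context)."""
    raw = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).digest()


def protect(key, message):
    """Symmetric mechanism for integrity: HMAC-SHA256 tag under the shared key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key, message, tag):
    """Constant-time comparison so the tag check does not leak timing."""
    return hmac.compare_digest(protect(key, message), tag)


def demo_exchange():
    """Run one agreement between two parties and report what each side got."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = derive_key(dh_shared_secret(a_priv, b_pub))
    key_b = derive_key(dh_shared_secret(b_priv, a_pub))
    msg = b"session parameters"                 # constructed sample message
    tag = protect(key_a, msg)
    return {
        "keys_match": key_a == key_b,
        "tag_ok": verify(key_b, msg, tag),
        "tampered_ok": verify(key_b, msg + b"!", tag),  # modified in transit
    }


if __name__ == "__main__":
    print(demo_exchange())
```

The degenerate-value check in dh_shared_secret matters in practice: a peer sending 0, 1 or p-1 would force the shared secret to a predictable value, which is why the key derivation step should only ever run on validated input.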
II. Authentication
Authentication verifies the legality of a user's identity before the user accesses the network or obtains services.
It can either be provided locally by each device on the network, or be carried out through a dedicated authentication server. The latter has better flexibility, controllability and expandability.
Today, in hybrid networks, Remote Authentication Dial-In User Service (RADIUS), an open standard, is widely used for authentication services.
III. Access Control
Access control is an enhanced authorization method. Generally, it is divided into two types:
• Access control based on an operating system
It authorizes a user to access resources on a certain computer. Access control policies can be set based on user ID, group or rules.
• Access control based on the network
It authorizes a legal user to access the network. Its mechanism is much more complex than access control based on an operating system. Usually, an access control component (such as a firewall) is placed at an intermediate point between the requester and the destination to enforce access control.
IV. Security Protocol
Security protocols play an extremely significant role in network security. The following describes widely used security protocols in terms of the TCP/IP layered model.
1) Application layer security
It provides end-to-end security from an application on one host to the corresponding application on another host across the network. The application layer security mechanism depends on the specific application, and its security protocol is a supplement to the application protocol. Therefore, no general application layer security protocol exists.
For example, the Secure Shell (SSH) protocol can:
• Establish secure remote login sessions;
• Tunnel other TCP applications through its channels.
2) Transport layer security
It provides a process-to-process security service on one host or between hosts. The transport layer security mechanism is based on the security of the Inter-Process Communication (IPC) interface and of applications.
Providing a security service at the transport layer means strengthening the IPC interface, such as the BSD socket. The process includes:
• Authentication of the entities at both ends
• Exchange of data encryption keys
Based on this idea, Secure Socket Layer (SSL) was developed on top of the reliable transport service.
SSL v3 includes two protocols:
• SSL record protocol
• SSL handshake protocol
3) Network layer security
Security provided at the network layer automatically protects user data even if the upper layers fail to implement security. Therefore, IP security is:
• The basis of the whole of TCP/IP security
• The core of Internet security
At present, the most significant security protocol at the network layer is the IP Security Protocol (IPSec). IPSec is a generic term for a series of network security protocols, including:
• Security protocols
• Encryption protocols
IPSec can provide the communicating parties with the following services:
• Access control
• Connectionless integrity
• Data origin authentication
• Anti-replay
• Encryption (confidentiality)
• Limited traffic flow confidentiality
4) Data link layer security
It provides a point-to-point security service, such as on a point-to-point link. Data link layer security is implemented through encryption and decryption at each end of the link using dedicated devices.
1.2 Overview of Firewall System
1.2.1 First Safeguard
In practical application, a single security defense technology cannot construct a secure network system, so multiple technologies should be used together to keep the security hazard to a minimum.
In general, the first step in implementing security defense is to construct a barrier, known as a firewall, between the internal network and external networks to fend off the large majority of attacks from outside.
Like the partition wall used to stop fire from spreading in a building, the firewall is one system or a group of systems that implements an access control policy. It monitors the access channels between the Trust zone (the internal network) and the Untrust zone (the external network) to prevent hazards from external networks.
The firewall is mainly used for the following purposes:
• Restrict the entry of users or information from a specific, strictly controlled site;
• Prevent intruders from approaching other security defense facilities;
• Restrict the exit of users or information from a specific, strictly controlled site.
The firewall is usually placed at the entry of a protected zone to perform security defense based on the access control policy.
When the firewall is located at the junction between the internal network and the external network, it protects the internal network and its data from unauthorized or unverified access and from malicious attacks from external networks.
When the firewall is located at the junction between a relatively open network segment and a comparatively sensitive network segment (on which sensitive or private data is stored), it filters access to the sensitive data even if the access is internal.
1.2.2 Evolution of the Firewall
Firewall technology has evolved through the following stages.
I. The First Generation Firewall: Packet Filtering Firewall
Packet filtering checks each packet at the network layer, and then forwards or denies it based on the security policy.
The basic principle of the packet filtering firewall is that it filters packets through a configured Access Control List (ACL), based on:
• The source and destination IP addresses
• The source and destination port numbers
• The IP identifier
• The packet delivery direction
With moderate cost and a simple design, the first generation firewall is easy to implement.
However, its disadvantages are obvious:
• As the complexity and length of the ACL increase, its filtering performance degrades greatly;
• Static ACL rules are difficult to adapt to dynamic security requirements;
• Packet filtering neither checks session state nor analyzes data. That is, it cannot filter data at the user level, which makes spoofing easy. For example, an intruder can set his host's IP address to that of a legal host to pass through the packet filter.
II. The Second Generation Firewall: Proxy Firewall
The proxy service acts at the application layer. In essence, a proxy takes over the services between internal network users and external network users. The working principle is that the proxy first checks the request from a user; if authentication passes, it establishes a connection with the genuine server and forwards the request, and finally it sends back the response.
The proxy firewall has higher security. It can completely control the network information exchange and the session process.
However, it has obvious disadvantages:
• Low processing speed due to software limitations
• Vulnerable to DoS attacks
• Difficult to upgrade, since an application proxy must be developed for each protocol
III. The Third Generation Firewall: Stateful Firewall
Stateful analysis technology is an extension of packet filtering technology (also informally called "dynamic packet filtering"). When checking packets, connection-state-based packet filtering not only treats each packet as an independent unit, but also takes its history into account.
The basic principle is described as follows:
• The stateful firewall uses state tables to keep track of active TCP sessions and UDP pseudo-sessions. The ACL determines which sessions are allowed to be established. Then only the packets associated with allowed sessions are forwarded.
• The stateful firewall captures packets at the network layer, extracts from the application layer the state information needed by the security policy, and saves it in dynamic state tables. It then analyzes the state tables and the subsequent connection requests related to the packet to make a proper decision.
To the external network, the stateful firewall looks like a proxy system, because every external service request comes from the same host.
To the internal network, the stateful firewall looks like a packet filtering system, because internal users appear to interwork with the external network directly.
The stateful firewall has the following advantages:
• High speed
It records the connection state of packets while performing the ACL check on the initial packets; the ACL check is not required for subsequent packets. The firewall only needs to look up the packet's connection record in the state table. After the check passes, the connection state record is refreshed, so packets belonging to the same connection are not checked repeatedly.
Unlike the fixed ordering of an ACL, the records in the connection state table can be arranged arbitrarily. The firewall can therefore search the records quickly using algorithms such as binary trees or hashing, improving the transmission efficiency of the system.
• Reliable security
The connection state table is managed dynamically. After a session completes, the temporary return-packet entry created on the firewall is closed, which protects the internal network. Meanwhile, using realtime connection state monitoring, the firewall can identify the connection state from the state factors in the state table, so system security is enhanced.
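The first-generation packet filter (section I above) and the third-generation stateful firewall (section III) side by side, as an added Python model that is not code from the manual or the SecPath product. The same constructed traffic is run through both: the static filter needs a standing inbound rule for replies from port 80 and therefore also passes an unsolicited outside packet that merely uses source port 80, the spoofing case the manual describes; the stateful filter ACL-checks only the session-opening packet, forwards the reply from its hashed session table, drops the unsolicited packet, and ages out the entry so a late packet after the timeout is also dropped. Addresses, ports, timestamps, the zone prefix and the ACL rules are constructed sample values.

```python
"""Added example (not from the H3C manual): a minimal model of static packet
filtering versus stateful session tracking, with constructed sample traffic."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/8")   # Trust zone (constructed)
SESSION_TIMEOUT = 60                 # seconds of idleness before an entry ages out


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # True only on the TCP connection-opening packet
    time: float = 0.0    # constructed timestamp in seconds


def is_outbound(pkt):
    return ip_address(pkt.src) in INSIDE and ip_address(pkt.dst) not in INSIDE


# ACL rule: (direction, dst_port, src_port, action); None matches any port.
ACL_STATELESS = [
    ("out", 80, None, "permit"),  # clients may open HTTP to the outside
    ("in", None, 80, "permit"),   # replies from port 80 must be let back in
    ("any", None, None, "deny"),
]
ACL_STATEFUL = [
    ("out", 80, None, "permit"),  # only session openers are checked
    ("any", None, None, "deny"),
]


def acl_lookup(acl, pkt):
    """Linear scan as in a classic packet filter: the first matching rule wins."""
    direction = "out" if is_outbound(pkt) else "in"
    for rule_dir, dport, sport, action in acl:
        if rule_dir in ("any", direction) and dport in (None, pkt.dport) \
                and sport in (None, pkt.sport):
            return action
    return "deny"


def stateless_filter(pkt):
    """First generation: every packet, in both directions, is matched against the ACL."""
    return acl_lookup(ACL_STATELESS, pkt)


class StatefulFilter:
    """Third generation: the ACL decides which sessions may be established, and
    afterwards only packets belonging to an allowed session are forwarded."""

    def __init__(self):
        self.sessions = {}  # 5-tuple key -> last-seen time (hash lookup, not a scan)

    def _expire(self, now):
        for key in [k for k, t in self.sessions.items() if now - t > SESSION_TIMEOUT]:
            del self.sessions[key]  # aged-out return entries are closed

    def filter(self, pkt):
        self._expire(pkt.time)
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for key in (fwd, rev):
            if key in self.sessions:
                self.sessions[key] = pkt.time  # refresh the state record
                return "permit"
        if pkt.syn and is_outbound(pkt) and acl_lookup(ACL_STATEFUL, pkt) == "permit":
            self.sessions[fwd] = pkt.time      # new allowed session
            return "permit"
        return "deny"


def run_scenario():
    """Replay constructed traffic through both filters and return the verdicts."""
    client_syn = Packet("10.1.1.5", 40000, "203.0.113.10", 80, syn=True, time=0)
    server_reply = Packet("203.0.113.10", 80, "10.1.1.5", 40000, time=1)
    # Unsolicited packet from outside using source port 80 towards an internal
    # service: the case the manual gives for why static filters are easy to spoof.
    unsolicited = Packet("198.51.100.7", 80, "10.1.1.5", 445, time=2)
    late_reply = Packet("203.0.113.10", 80, "10.1.1.5", 40000, time=200)
    sf = StatefulFilter()
    return {
        "stateless": [stateless_filter(p) for p in (client_syn, server_reply, unsolicited)],
        "stateful": [sf.filter(p) for p in (client_syn, server_reply, unsolicited, late_reply)],
    }


if __name__ == "__main__":
    print(run_scenario())
```

Running it prints permit, permit, permit for the static filter and permit, permit, deny, deny for the stateful one; the session-table lookup is a dictionary hash, which is the "arranged arbitrarily, searched by hashing" property the text contrasts with an ordered ACL scan.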
1.3 Overview of the SecPath F1800-A
1.3.1 SecPath F1800-A
The SecPath F1800-A of Huawei-3Com is an enhanced stateful firewall. Combined with Huawei-3Com's ASPF technology, it features:
• The high security of the proxy firewall
• The high speed of the stateful firewall
The SecPath F1800-A of Huawei-3Com adopts:
• A specially designed and highly reliable hardware system
• A dedicated operating system with independent intellectual property rights
It integrates:
• Highly efficient packet filtering
• Transparent proxy service
• Improved stateful inspection security technology
• Extensive analysis and statistics
• Multiple security measures
In addition, it provides:
• Multiple types of interfaces
• Multiple working modes
It supports processing capabilities from the low end (tens of megabits) to the high end (thousands of megabits).
Combining the firewalls with Huawei-3Com's existing routers and switches, Huawei-3Com provides customers with an advanced and comprehensive security solution for small, medium and large-sized intranets.
1.3.2 Overview of the SecPath F1800-A
The SecPath F1800-A is a new-generation high-speed stateful firewall; it provides cost-effective network security for medium and large-sized customers.
I. Enhanced Security
Compared with software firewalls based on a common operating system, the SecPath F1800-A adopts a specially designed hardware platform and a secure operating system with independent intellectual property rights. Its packet processing is totally separated from the operating system, which greatly increases the security of the system.
With its own ASPF state inspection technology, the SecPath F1800-A is capable of:
• Monitoring the connection process and malicious commands
• Cooperating with ACLs to achieve packet filtering
• Providing a number of attack defense capabilities
All of the above features ensure network security.
II. High-speed Processing Capability
Oriented to medium and large-sized enterprise and industry users, the SecPath F1800-A provides wire-rate, high-performance security defense and packet processing capabilities by using Network Processor (NP) technology.
III. High Reliability
Various attack details have been taken into account in the software design. The SecPath F1800-A achieves great robustness by means of priority scheduling and flow control.
In addition, the SecPath F1800-A supports:
• Dual-system hot backup, so that service is not interrupted when the state switches
• Load balancing across multiple machines, so that the state switches automatically when a fault occurs
IV. Powerful Networking and Service Support Capability
With integrated high-speed Ethernet interfaces, the SecPath F1800-A supports many protocols:
• H.323
• File Transfer Protocol (FTP)
• Simple Mail Transfer Protocol (SMTP)
In addition, the SecPath F1800-A has the following features:
• Supports detection of bad commands.
• Supports Network Address Translation (NAT) applications.
• Supports filtering by static and dynamic blacklists.
• Supports proxy-based SYN Flood defense and flow control.
Besides its security capabilities, the SecPath F1800-A integrates some routing capabilities:
• Static routing
• Routing Information Protocol (RIP) dynamic routing
• Open Shortest Path First (OSPF) dynamic routing
Such capabilities make networking with the SecPath F1800-A more flexible.
V. Powerful Logging and Statistics
The powerful logging and statistics provided by the SecPath F1800-A give you useful help in security analysis and event tracing.
1.3.3 Function Features List of the SecPath F1800-A
Table 1-4 Function feature list of the SecPath F1800-A

Security defense
Working mode:
- Supports route mode.
- Supports transparent mode.
- Supports composite mode.
Packet filtering:
- Supports basic ACL, advanced ACL and firewall ACL.
- Supports time range ACL.
- Supports blacklist, and MAC and IP address binding.
- Supports ASPF and state inspection.
- Provides port mapping.
NAT:
- Supports address translation (NAT and NAPT).
- Provides the internal server.
- Supports multiple NAT ALGs, including FTP, NBT, RAS, ICMP, and H.323.
Attack defense:
- Defends against multiple DoS attacks, such as SYN Flood, ICMP Flood, UDP Flood, WinNuke, ICMP redirection and unreachable packets, Land, Smurf and Fraggle.
- Defends against scanning and snooping, such as address scanning, port scanning, IP source routing option, IP record route option and ICMP snooping packets.
- Defends against other attacks, such as IP spoofing.
IDS cooperation:
- IDS cooperation.
Traffic monitoring:
- Supports limiting the connection rate and the number of connections per IP address.
- Supports CAR.
- Supports real-time traffic statistics and attack packet statistics.

Network interconnection
Link layer protocol:
- Supports Ethernet.
- Supports VLAN.
- Supports PPP and PPPoE.
IP service:
- Supports ARP.
- Supports static domain name resolution.
- Supports DHCP relay.
Routing protocol:
- Supports static routing.
- Supports dynamic routing (RIP, OSPF, BGP).
- Supports policy-based routing.
- Supports route policy and route iteration.

Service application
AAA:
- Supports AAA, the RADIUS protocol and the HWTACACS protocol.
- Supports AAA domains.
- Supports local user management.
QoS:
- Supports congestion management.

Configuration and management
Command line interface:
- Prompt and help information in English and Chinese.
- Hierarchical protection of command lines against intrusion by unauthorized users.
- Detailed debugging information that helps network fault diagnosis.
- Network test tools, such as tracert and ping.
System management:
- Supports uploading or downloading programs or configuration files through FTP.
- Supports uploading or downloading programs or configuration files through TFTP.
- Supports uploading program files in XModem mode.
Terminal service:
- Supports terminal services on the console port and the AUX interface.
- Supports Telnet and SSH terminal services.
- Supports the send function, so that terminal users can communicate with each other.

Maintenance and reliability
Reliability:
- Supports VRRP.
- Supports VGMP.
- Supports HRP hot backup.
System management:
- Supports the standard network management protocol SNMPv1/v2c/v3.
System log:
- Provides the log server for browsing and querying log information.
- Provides input and output IP packet statistics, NAT log, ASPF log, attack defense log and blacklist log.

Note:
ASPF = Application Specific Packet Filter
NAPT = Network Address Port Translation
ALG = Application Level Gateway
NBT = NetBIOS over TCP/IP
RAS = Remote Access Server
ICMP = Internet Control Message Protocol
VRRP = Virtual Router Redundancy Protocol
VGMP = VRRP Group Management Protocol
HRP = Huawei Redundancy Protocol
SNMP = Simple Network Management Protocol
CAR = Committed Access Rate
AAA = Authorization, Authentication and Accounting
Chapter 2 Basic SecPath F1800-A Configuration
2.1 Establishment of Configuration Environment Through the Console Interface
2.1.1 Establishing Configuration Environment
You can configure the SecPath F1800-A locally through the console interface, which is a reliable configuration and maintenance mode. Use this mode when the SecPath F1800-A is powered on for the first time, when it is disconnected from external networks, or when other faults occur.
Perform the following steps.
Step 1: Establish the local configuration environment. Connect the serial interface on your computer (PC or terminal) to the console interface of the SecPath F1800-A with a standard RS-232 cable, as shown in Figure 2-1.
Figure 2-1 Establishing local configuration environment through the console port (figure: the RS-232 serial interface of the PC is connected by the console cable to the console port of the SecPath)
Step 2: Run the terminal emulation program (such as HyperTerminal in Windows 9X)
on your computer to establish a new connection. It is shown in Figure 2-2 and Figure
2-3.
Figure 2-2 Establishing a new connection
Figure 2-3 Selecting serial interface
Step 3: Select the RS-232 serial interface on your computer.
Step 4: Set the terminal communication parameters as follows, as shown in Figure 2-4 and Figure 2-5:
- Baud rate: 9600 bit/s
- Data bits: 8
- Stop bits: 1
- Parity check: none
- Flow control: none
- Terminal emulation type: VT100
Figure 2-4 Setting port parameters
Figure 2-5 Selecting terminal emulation type
Step 5: After the SecPath F1800-A passes power-on self test, the system will
automatically perform the configuration. Then, the system prompts you to press Enter,
and you will see a command line prompt (such as <SecPath>).
Step 6: Enter commands to configure the SecPath F1800-A or view its running status.
If you need to use the on-line help, you can enter “?” at any time. To use specific
commands, refer to the following chapters.
Note:
By default, no authentication is required when configuring the SecPath F1800-A through the console interface.
If local authentication is configured, set the local user name and password; otherwise, you cannot enter the configuration view.
2.1.2 Configuring Successful Ping Between a Device and a SecPath F1800-A
Configuration roadmap:
1) Ping a SecPath F1800-A from a device.
2) Implement the reverse ping.
Perform the following steps.
Step 1: Connect the PC or terminal to the console interface of the SecPath F1800-A through the RS-232 serial port, and connect Ethernet 1/0/0 of the SecPath F1800-A to the router over the LAN. The networking diagram is shown in Figure 2-6.
Figure 2-6 Networking diagram of pinging through the SecPath F1800-A (figure: the PC is attached to the SecPath console through the RS-232 serial port; the SecPath, in the Local zone, connects through Ethernet1/0/0 at 10.1.1.1 over Ethernet to the Router at 10.1.1.254 in the Untrust zone; the ping runs between the Router and the SecPath)
Step 2 : Assign the IP address to Ethernet 1/0/0 and add this interface to the Untrust
zone.
[SecPath] interface ethernet 1/0/0
[SecPath-Ethernet1/0/0] ip address 10.1.1.1 24
[SecPath-Ethernet1/0/0] quit
[SecPath] firewall zone untrust
[SecPath-zone-untrust] add interface ethernet 1/0/0
Step 3 : Set ACL rules through the console port to permit the ICMP packets to pass
from the router to the SecPath F1800-A.
<SecPath> system-view
[SecPath] acl number 3101
[SecPath-acl-adv-3101] rule permit icmp source 10.1.1.254 0 destination 10.1.1.1 0
Step 4 : Apply packet filtering rules in the inbound direction between the untrust zone
and the local zone.
[SecPath] firewall interzone untrust local
[SecPath-interzone-local-untrust] packet-filter 3101 inbound
Caution:
By default, the SecPath F1800-A forbids any packet to pass. You must either allow packets to pass by default or configure interzone packet filtering rules; otherwise, the firewall forwards no traffic.
Step 5: You can ping the Ethernet 1/0/0 of the SecPath F1800-A from the router.
However, the reverse ping fails.
Step 6: To ping the router from the SecPath F1800-A, you must set ACL rules that permit ICMP packets from the SecPath F1800-A to the router to pass, and apply packet filtering rules in the outbound direction between the local zone and the untrust zone.
[SecPath] acl 3101
[SecPath-acl-adv-3101] rule permit icmp source 10.1.1.1 0 destination 10.1.1.254 0
[SecPath-acl-adv-3101] quit
[SecPath] firewall interzone local untrust
[SecPath-interzone-local-untrust] packet-filter 3101 outbound
Note:
You can only set one packet filtering rule in one direction between security zones.
Step 7: You can ping the router from the SecPath F1800-A.
2.1.3 Configuring Successful Ping between Two Devices across a SecPath F1800-A
Configuration roadmap:
1) Ping the devices and the SecPath F1800-A.
2) Ping two devices across the SecPath F1800-A.
Perform the following steps.
Step 1: Connect the PC or terminal to the console interface of the SecPath F1800-A through the RS-232 serial port; connect Ethernet 1/0/0 of the SecPath F1800-A to the router over the LAN; connect Ethernet 2/0/0 of the SecPath F1800-A to a server over the LAN. The networking diagram is shown in Figure 2-7.
Figure 2-7 Networking diagram of pinging the two devices across the SecPath F1800-A (figure: the PC is attached to the SecPath console through the RS-232 serial port; the Router at 10.1.1.254 in the Untrust zone connects to Ethernet1/0/0 at 10.1.1.1; the Server at 10.2.2.254 in the DMZ zone connects to Ethernet2/0/0 at 10.2.2.1; the ping runs between the Router and the Server)
Step 2: Refer to the steps in 2.1.2 “Configuring Successful Ping Between a Device and a SecPath F1800-A” to complete the ping between the router and the SecPath F1800-A, and between the server and the SecPath F1800-A. Here, the router belongs to the untrust zone and the server belongs to the DMZ zone.
Step 3: Set ACL rules through the console interface that permit ICMP packets from the router to the server, and the return packets, to pass.
<SecPath> system-view
[SecPath] acl number 3105
[SecPath-acl-adv-3105] rule permit icmp source 10.1.1.254 0 destination 10.2.2.254 0
[SecPath-acl-adv-3105] rule permit icmp source 10.2.2.254 0 destination 10.1.1.254 0
Step 4: Apply the ACL rules in the inbound and outbound directions between the
untrust zone and the DMZ zone.
[SecPath] firewall interzone untrust dmz
[SecPath-interzone-dmz-untrust] packet-filter 3105 inbound
[SecPath-interzone-dmz-untrust] packet-filter 3105 outbound
Step 5: Now you can ping from the router to the server and from the server to the router.
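The two procedures above (2.1.2 and 2.1.3) can be replayed in the following Python model, an added example that is not the manual's or H3C's own code. It models wildcard-mask ACL matching, one ACL per interzone direction, and the default deny from the Caution box; the zone priority values, the class and function names, and the assumption that echo replies are matched by the session table rather than by the packet filter are this example's own.

```python
"""Toy model of the interzone packet filter used in sections 2.1.2 and 2.1.3.
Added example, not the device's own code: advanced ACL rules, one ACL per
direction of an interzone pair, and default deny as in the Caution box."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address

# Assumed zone priorities (higher = more trusted). "inbound" is traffic from a
# lower-priority zone into a higher-priority one, "outbound" the reverse.
ZONE_PRIORITY = {"local": 100, "trust": 85, "dmz": 50, "untrust": 5}


def _ipv4(text):
    # The CLI accepts the shorthand "0" for the host wildcard 0.0.0.0.
    return int(IPv4Address("0.0.0.0" if text == "0" else text))


def addr_match(addr, rule_addr, wildcard):
    """Wildcard-mask compare: a 1 bit in the wildcard means "don't care"."""
    care = ~_ipv4(wildcard) & 0xFFFFFFFF
    return (_ipv4(addr) ^ _ipv4(rule_addr)) & care == 0


@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    protocol: str  # "icmp", "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: str
    src_wild: str
    dst: str
    dst_wild: str

    def matches(self, proto, src, dst):
        return (self.protocol in ("ip", proto)
                and addr_match(src, self.src, self.src_wild)
                and addr_match(dst, self.dst, self.dst_wild))


@dataclass
class SecPath:
    zone_of: dict = field(default_factory=dict)  # IP address -> zone name
    acls: dict = field(default_factory=dict)     # ACL number -> [Rule, ...]
    filters: dict = field(default_factory=dict)  # (low zone, high zone, direction) -> ACL

    def add_host(self, ip, zone):
        self.zone_of[ip] = zone

    def rule(self, acl, action, proto, src, src_wild, dst, dst_wild):
        # `acl number N`, then `rule permit PROTO source A W destination B W`.
        if not (2000 <= acl <= 3999 or 5000 <= acl <= 5499):  # ranges of Table 2-19
            raise ValueError(f"ACL number {acl} out of range")
        self.acls.setdefault(acl, []).append(Rule(action, proto, src, src_wild, dst, dst_wild))

    def packet_filter(self, zone_a, zone_b, direction, acl):
        # `firewall interzone A B`, then `packet-filter ACL inbound|outbound`. The pair
        # is unordered and only one ACL is allowed per direction (Note after Step 6).
        low, high = sorted((zone_a, zone_b), key=ZONE_PRIORITY.get)
        self.filters[(low, high, direction)] = acl

    def permits(self, proto, src, dst):
        """Is a packet that opens a new session allowed through the firewall?"""
        zs, zd = self.zone_of[src], self.zone_of[dst]
        if zs == zd:
            return True  # traffic inside a single zone is not filtered
        direction = "inbound" if ZONE_PRIORITY[zs] < ZONE_PRIORITY[zd] else "outbound"
        low, high = sorted((zs, zd), key=ZONE_PRIORITY.get)
        acl = self.filters.get((low, high, direction))
        if acl is None:
            return False  # Caution box: by default no packet passes
        for r in self.acls.get(acl, []):
            if r.matches(proto, src, dst):
                return r.action == "permit"
        return False  # no matching rule: implicit deny

    def ping(self, src, dst):
        # Assumption: the echo reply belongs to the session opened by a permitted
        # request, so only the request direction is filtered (reproduces Step 5).
        return self.permits("icmp", src, dst)


def section_2_1_2():
    """Returns (router->SecPath, SecPath->router) after Step 4 and again after Step 6."""
    fw = SecPath()
    fw.add_host("10.1.1.1", "local")      # Ethernet 1/0/0 of the SecPath
    fw.add_host("10.1.1.254", "untrust")  # router
    fw.rule(3101, "permit", "icmp", "10.1.1.254", "0", "10.1.1.1", "0")
    fw.packet_filter("untrust", "local", "inbound", 3101)
    after_step4 = (fw.ping("10.1.1.254", "10.1.1.1"), fw.ping("10.1.1.1", "10.1.1.254"))
    fw.rule(3101, "permit", "icmp", "10.1.1.1", "0", "10.1.1.254", "0")
    fw.packet_filter("local", "untrust", "outbound", 3101)
    after_step6 = (fw.ping("10.1.1.254", "10.1.1.1"), fw.ping("10.1.1.1", "10.1.1.254"))
    return after_step4, after_step6  # ((True, False), (True, True))


def section_2_1_3():
    """Returns (router->server, server->router, router->SecPath with no untrust-local filter)."""
    fw = SecPath()
    for ip, zone in (("10.1.1.1", "local"), ("10.2.2.1", "local"),
                     ("10.1.1.254", "untrust"), ("10.2.2.254", "dmz")):
        fw.add_host(ip, zone)
    fw.rule(3105, "permit", "icmp", "10.1.1.254", "0", "10.2.2.254", "0")
    fw.rule(3105, "permit", "icmp", "10.2.2.254", "0", "10.1.1.254", "0")
    fw.packet_filter("untrust", "dmz", "inbound", 3105)
    fw.packet_filter("untrust", "dmz", "outbound", 3105)
    return (fw.ping("10.1.1.254", "10.2.2.254"), fw.ping("10.2.2.254", "10.1.1.254"),
            fw.ping("10.1.1.254", "10.1.1.1"))  # (True, True, False)
```

The third value of section_2_1_3() shows the default deny: the router cannot reach the SecPath's own address because no packet filter was applied between the untrust and local zones in that procedure.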
2.2 Establishment of Configuration Environment by Other Means
To help users configure the SecPath F1800-A, the system supports both local and remote configuration. Each configuration environment has its corresponding terminal service feature.
For details, see 2.7 “Terminal Service” in this chapter.
You can establish the local or remote configuration environment through:
- The AUX interface
- Telnet
- SSH
2.2.1 Establishment through the AUX interface
The AUX interface (short for auxiliary interface) is also called the backup interface. Like the console interface, it supports local configuration.
To establish the configuration environment, refer to 2.1.1 “Establishing Configuration Environment”; you only need to connect an RS-232 cable to the AUX interface of the SecPath F1800-A instead. You can also connect to the PSTN through an externally attached Modem in asynchronous mode to carry out remote configuration.
The establishment procedure is as follows.
Step 1: Connect one Modem to the serial interface on your PC and another to the AUX interface on the SecPath F1800-A to establish the remote configuration environment. The network topology is shown in Figure 2-8.
Figure 2-8 Establishing remote configuration environment (figure: the RS-232 serial interface of the PC connects to a Modem, which dials over PSTN telephone lines to a Modem attached to the AUX interface of the SecPath)
Step 2: Initialize and configure the Modem through the AUX interface of the SecPath
F1800-A. For example, configure a dial-up user with the username “auxuser”, the
password “auxpwd” and the service type “terminal”.
[SecPath] aaa
[SecPath-aaa] local-user auxuser password simple auxpwd
[SecPath-aaa] local-user auxuser service-type terminal
Step 3: Set the user’s privilege level to “3” and the authentication mode to “aaa”.
[SecPath] user-interface aux 0
[SecPath-ui-aux0] authentication-mode aaa
[SecPath-ui-aux0] user privilege level 3
Step 4: Configure the Modem connected to the AUX interface to support bidirectional calls and auto-answer, and disable the idle timeout.
[SecPath-ui-aux0] idle-timeout 0 0
[SecPath-ui-aux0] modem both
[SecPath-ui-aux0] modem timer answer 60
Step 5: Configure the AUX interface to work in flow mode.
[SecPath] interface aux 0
[SecPath-Aux0] async mode flow
Step 6: Run the terminal emulation program (such as HyperTerminal in Windows 9X)
on your computer to establish a new connection with the SecPath F1800-A through
the Modem, and then input the phone number, for example 12345678. It is shown in
Figure 2-9 and Figure 2-10.
Figure 2-9 Configuring dial-in number and connection device
Figure 2-10 Starting dial-in program on remote computer
Step 7: When a new remote terminal emulation program interface pops up, enter the user name and the password, such as the user name “auxuser” and the password “auxpwd”. After verification, you will see a command line prompt (such as <SecPath>) on the remote terminal emulation program interface. Then you can enter commands to configure the SecPath F1800-A or to view its operating state. Enter “?” whenever you need help. For details, refer to the subsequent sections.
2.2.2 Establishment through Telnet
You can log in to the SecPath F1800-A across a LAN or WAN through Telnet to configure the device, provided that there is a reachable route between the configuration terminal and the SecPath F1800-A. To establish the environment through Telnet, you must first perform the following configuration.
I. Preparations
Step 1: Connect the PC through the RS-232 serial port to the console interface of the SecPath F1800-A, connect the SecPath F1800-A through Ethernet 1/0/0 to the Internet, and take a remote PC as the Telnet client.
Step 2: Refer to the description in 2.1.2 “Configuring Successful Ping Between a Device and a SecPath F1800-A” to enable the remote PC (Telnet client) to ping the SecPath F1800-A.
Step 3: Set the Telnet user name and the password through the console interface.
[SecPath] aaa
[SecPath-aaa] local-user telnetuser password simple telnetpwd
[SecPath-aaa] local-user telnetuser service-type telnet
Step 4: Configure the local AAA authentication and Telnet login authentication
(namely, VTY authentication) through the console interface.
[SecPath-aaa] authentication-scheme telnetuser
[SecPath-aaa-authen-telnetuser] authentication-mode local radius
[SecPath-aaa-authen-telnetuser] quit
[SecPath-aaa] quit
[SecPath] user-interface vty 0 4
[SecPath-ui-vty0-4] authentication-mode aaa
Step 5 : Set an ACL rule through the console interface for permitting Telnet packets
from the remote PC to the SecPath F1800-A to pass, and apply the ACL rule in the
inbound direction between the untrust zone and the local zone.
[SecPath] acl number 3101
[SecPath-acl-adv-3101] rule permit tcp source 30.3.3.3 0 destination 10.1.1.1 0
[SecPath-acl-adv-3101] quit
[SecPath] firewall interzone untrust local
[SecPath-interzone-local-untrust] packet-filter 3101 inbound
Step 6: Set the password for switching the Telnet user level to 3 as “superpwd”
through the console interface.
[SecPath] super password level 3 simple superpwd
II. Establishing Telnet Connection
Step 1: To establish the local configuration environment, you only need to connect the Ethernet interface on your computer with that on the SecPath F1800-A through the LAN, or to interconnect them through a hub or Ethernet switch. The network topology is shown in Figure 2-11.
Figure 2-11 Establishing local configuration environment through LAN (figure: a PC running Telnet client programs and a server are connected over Ethernet to an Ethernet port of the SecPath)
To establish the remote configuration environment, you need to connect your computer with the SecPath F1800-A through a WAN. The topology is shown in Figure 2-12.
Figure 2-12 Establishing remote configuration environment through WAN (figure: a PC running Telnet client programs on a remote Ethernet reaches, through a router and the WAN, the WAN port of the SecPath on the local Ethernet, where servers are attached)
Step 2: Run the Telnet program on your computer, and then enter the IP address of the Ethernet interface on the SecPath F1800-A (or the IP address of the WAN interface on the remote computer) to connect to the SecPath F1800-A. If the prompt “Too many users!” appears, reconnect later. The interface is shown in Figure 2-13.
Figure 2-13 Running the Telnet program
Step 3: The Telnet interface displays the following information. Enter the user name
“telnetuser” and the password “telnetpwd”, and the command line prompt (such as
<SecPath>) appears.
*********************************************************
* All rights reserved (1997-2004) *
* Without the owner's prior written consent, *
*no decompiling or reverse-engineering shall be allowed.*
*********************************************************
Login authentication
Username:telnetuser
Password:*********
Note:The max number of VTY users is 5,and the current number of VTY users on
line is 1.
<SecPath>
Note:
The host name can be either the SecPath F1800-A host name or the SecPath
F1800-A IP address.
Step 4: Enter commands to configure the SecPath F1800-A or view its running state.
If you need to use the on-line help, you can enter “?” at any time. To use specific
commands, refer to the following chapters.
Note:
While configuring the SecPath F1800-A through Telnet, do not change the IP address of the interface through which the Telnet session is connected; otherwise, the Telnet connection will be dropped. To change that IP address, do so through the console interface or the AUX interface, and then establish a new Telnet connection to the new IP address.
2.2.3 Establishment Through SSH
When a user logs in to the SecPath F1800-A over an insecure network, SSH protects the information exchanged and provides strong authentication, defending the SecPath F1800-A against attacks such as IP spoofing and plaintext password capture.
Establishing the configuration environment through SSH is similar to doing so through Telnet.
Step 1: To establish the local configuration environment, you only need to connect the Ethernet interface on your computer with that on the SecPath F1800-A through the LAN, or to interconnect them through a hub or Ethernet switch. To establish the remote configuration environment, you need to connect your computer with the SecPath F1800-A through a WAN.
Step 2 : Run the Telnet program on your computer and set its “Term Type” to VT100,
and then enter the IP address of the Ethernet interface on the SecPath F1800-A (or
enter the IP address of the WAN interface on the remote computer) to connect with
the SecPath F1800-A.
Step 3: Set SSH parameters on the SecPath F1800-A. For more details, see the 2.7.4
"Configuring SSH Terminal Service" in this chapter.
2.3 Command-line Interface Management
The system offers a series of configuration commands and a command-line interface, through which you can configure and manage the SecPath F1800-A.
The command-line interface has the following features.
- Performs local configuration through the console interface.
- Performs local or remote configuration through the AUX interface.
- Performs local or remote configuration through Telnet or SSH.
- Provides the user interface view, used to manage the specific configuration of terminal users.
- Provides hierarchical protection for commands. Users at a given level can only execute the commands at or below that level.
- Ensures system security through the local or AAA authentication mode.
- Provides online help. You can enter “?” at any time to obtain the relevant information.
- Provides network test commands, such as tracert and ping, with which you can quickly diagnose network connectivity.
- Provides varied and detailed debugging information, which is useful for diagnosing network faults.
- Provides the FTP service, which is helpful for uploading and downloading files.
- Provides a function similar to DosKey, through which you can recall history commands.
- The command-line interpreter provides several intelligent command resolution methods, such as partial matching and context-sensitive help, which minimize the typing required of users.
2.3.1 Command-Line Level
Hierarchical protection is applied in designing command lines.
The command lines are divided into:
- Visit level
- Monitoring level
- Configuration level
- Management level
Table 2-1 shows their brief descriptions.
Table 2-1 Command-line level
Level 0, Visit level: Includes the network diagnosis tool commands ping and tracert, without access to external devices (Telnet client and SSH client). The configuration file cannot be saved with the commands at this level.
Level 1, Monitoring level: Used for system maintenance and service fault diagnosis, including the display and debugging commands. The configuration file cannot be saved with the commands at this level.
Level 2, Configuration level: Service configuration commands, including security defense, upper layer service and network interconnection. With these commands you can directly configure security and network services.
Level 3, Management level: Commands related to system running and support modules, including file system, FTP, TFTP and XModem download, configuration file switching, power supply control, standby board control, user management, level configuration and internal parameter configuration commands (not specified by protocols or RFCs).
After a user logs in, the system assigns a level to the user. Users at a given level can only use the commands whose level is lower than or equal to their own.
To prevent unauthorized users from intruding, the system authenticates the user’s identity when the user switches from a lower level to a higher level.
For secrecy, the password typed by the user is not displayed. If the user types the correct password within three attempts, the system switches to the higher level; otherwise, it remains at the original level.
2.3.2 Command-Line View
The view is the occasion where commands can be configured and used. The SecPath
F1800-A adopts hierarchical views. You can enter system view and FTP client view
from user view, then enter various function views from system view (except FTP client
view), and finally enter sub-function views from various function views.
I. System Maintenance Views
Figure 2-14 shows the relationship between the various views.
Figure 2-14 Relationship between system maintenance views (figure: after login, the user view; from the user view, the system view and the FTP client view; from the system view, the user interface view and the RSA public key view; from the RSA public key view, the RSA public key edition view)
The following tables give the details of each view.
Table 2-2 User view
Function: Views the basic running state and statistics of the SecPath F1800-A.
Entry command: Entered directly after the connection is set up.
Prompt after entry: <SecPath>
Exit command: <SecPath> quit
Prompt after exit: None; the user is disconnected.
Table 2-3 System view
Function: Sets system parameters of the SecPath F1800-A; the other function views are entered from this view.
Entry command: <SecPath> system-view
Prompt after entry: [SecPath]
Exit command: [SecPath] quit
Prompt after exit: <SecPath>
Table 2-4 User interface view
Function: Sets parameters of the various user interfaces and manages the related interfaces.
Entry command: [SecPath] user-interface console 0 (the parameter console can be replaced with aux or vty)
Prompt after entry: [SecPath-ui-console0]
Exit command: [SecPath-ui-console0] quit
Prompt after exit: [SecPath]
Table 2-5 FTP client view
Function: Sets file transmission parameters at the FTP client.
Entry command: <SecPath> ftp 10.110.24.1
Prompt after entry: [ftp]
Exit command: [ftp] bye or [ftp] quit
Prompt after exit: <SecPath>
Table 2-6 RSA public key view
Function: Sets parameters of the RSA public key used by SSH.
Entry command: [SecPath] rsa peer-public-key test
Prompt after entry: [SecPath-rsa-public-key]
Exit command: [SecPath-rsa-public-key] peer-public-key end
Prompt after exit: [SecPath]
Table 2-7 RSA public key edition view
Function: Edits the RSA public key used by SSH.
Entry command: [SecPath-rsa-public-key] public-key-code begin
Prompt after entry: [SecPath-rsa-key-code]
Exit command: [SecPath-rsa-key-code] public-key-code end
Prompt after exit: [SecPath-rsa-public-key]
II. Network Interconnection Views
Figure 2-15 shows the relationship between the various views.
Figure 2-15 Relationship between network interconnection views (figure: after login, the user view and the system view; from the system view, the interface view, RIP view, OSPF view and BGP view; from the OSPF view, the OSPF area view)
The following tables give the details of each view.
Table 2-8 Basic interface view
Function: Sets parameters for the basic interfaces:
- Ethernet interface
- AUX port
- Sub-interface
- Virtual interface template
- Loopback interface
- Null interface
- Tunnel interface
- Logical interface
- Logic channel interface
Entry command: [SecPath] interface ethernet 1/0/0 (the parameter ethernet can be replaced with aux, virtual-template, loopback, null or tunnel)
Prompt after entry: [SecPath-Ethernet1/0/0]
Exit command: [SecPath-Ethernet1/0/0] quit
Prompt after exit: [SecPath]
Table 2-9 RIP view
Function: Sets parameters for the RIP protocol.
Entry command: [SecPath] rip
Prompt after entry: [SecPath-rip]
Exit command: [SecPath-rip] quit
Prompt after exit: [SecPath]
Table 2-10 OSPF view
Function: Sets parameters for the OSPF protocol.
Entry command: [SecPath] ospf (the parameters process-id and mib-binding process-id may follow ospf, giving the OSPF process ID and the OSPF MIB binding process; the process ID is displayed in the prompt)
Prompt after entry: [SecPath-ospf-1]
Exit command: [SecPath-ospf-1] quit
Prompt after exit: [SecPath]
Caution:
You must set the router ID in system view before setting OSPF parameters; otherwise, setting the OSPF parameters will fail.
Table 2-11 OSPF area view
Function: Specifies the ID of the OSPF area.
Entry command: [SecPath-ospf-1] area 1 (the parameter 1 is the area ID, which can be a decimal integer in the range 0 to 4294967295 or an ID in IP address format)
Prompt after entry: [SecPath-ospf-1-area-0.0.0.1]
Exit command: [SecPath-ospf-1-area-0.0.0.1] quit
Prompt after exit: [SecPath-ospf-1]
Table 2-12 BGP view
Function: Sets parameters for the BGP protocol.
Entry command: [SecPath] bgp as-number (as-number specifies the local AS number, in the range 1 to 65535)
Prompt after entry: [SecPath-bgp]
Exit command: [SecPath-bgp] quit
Prompt after exit: [SecPath]
III. AAA Authentication View
The AAA authentication view structure is shown in Figure 2-16.
Figure 2-16 AAA authentication related views (figure: after login, the user view and the system view; the AAA view; the RADIUS view and HWTACACS view; and, under the AAA view, the authentication scheme view, authorization scheme view, accounting scheme view, recording scheme view and AAA domain view)
The function, entry and exit commands, and prompt of each view are described below.
Table 2-13 AAA view
Function: Enters AAA view in order to enter the authentication and authorization scheme views and the RADIUS and HWTACACS views.
Entry command: [SecPath] aaa
Prompt after entry: [SecPath-aaa]
Exit command: [SecPath-aaa] quit
Prompt after exit: [SecPath]
Table 2-14 RADIUS view
Function: Enters RADIUS view to set the RADIUS authentication and authorization parameters.
Entry command: [SecPath] radius-server template test (test is the name of the RADIUS server template)
Prompt after entry: [SecPath-radius-test]
Exit command: [SecPath-radius-test] quit
Prompt after exit: [SecPath]
Table 2-15 HWTACACS view
Function: Enters HWTACACS view to set the HWTACACS authentication and authorization parameters.
Entry command: [SecPath] hwtacacs-server template test (test is the name of the HWTACACS server template)
Prompt after entry: [SecPath-hwtacacs-test]
Exit command: [SecPath-hwtacacs-test] quit
Prompt after exit: [SecPath]
Table 2-16 AAA scheme view
Function: Enters AAA scheme view and sets the authentication and authorization mode.
Entry command: [SecPath-aaa] authentication-scheme test or [SecPath-aaa] authorization-scheme test (test names the specified authentication or authorization scheme)
Prompt after entry: [SecPath-aaa-authen-myscheme]
Exit command: [SecPath-aaa-authen-myscheme] quit
Prompt after exit: [SecPath-aaa]
Table 2-17 Recording scheme view
Function: Enters recording scheme view to configure the HWTACACS server template.
Entry command: [SecPath-aaa] recording-scheme test (test is the name of the recording scheme, which includes the HWTACACS server template)
Prompt after entry: [SecPath-aaa-recording-test]
Exit command: [SecPath-aaa-recording-test] quit
Prompt after exit: [SecPath-aaa]
Table 2-18 AAA domain view
Function: Enters AAA domain view to configure the default authorization, the RADIUS or HWTACACS template and the authentication scheme.
Entry command: [SecPath-aaa] domain test (test is the domain name)
Prompt after entry: [SecPath-aaa-domain-test]
Exit command: [SecPath-aaa-domain-test] quit
Prompt after exit: [SecPath-aaa]
IV. Security Views
Figure 2-17 shows the relationship between the various views.
Figure 2-17 Relationship between security views (figure: after login, the user view and the system view; from the system view, the firewall zone view, firewall inter-zone view, ACL view, IPSec proposal view, security policy view, security policy template view and IKE proposal view)
The following tables show the relative information about various views.
Page 41
Operation Manual - Getting Started H3C SecPath F1800-A Firewall Chapter 2 Basic SecPath F1800-A Configuration
1-34
Table 2-19 ACL view
Item Description
Function
Sets parameters of basic ACL rule (numbered from 2000 to 2999).
Sets parameters of advanced ACL rule (numbered from 3000 to 3999).
Sets parameters of firewall ACL (numbered from 5000 to 5499).
Entry command
[SecPath] acl number 2001
In the above example, the parameter 2001 can be replaced with any integer between 2000 and 2999, 3000 and 3999, or 5000 and 5499. The prompt varies with the parameter.
Prompt after entry
[SecPath-acl-basic-2001]
Exit command
[SecPath-acl-basic-2001] quit
Prompt after exit
[SecPath]
Table 2-20 Firewall zone view
Item Description
Function
Sets parameters of security zones (Trust, Untrust, DMZ, local and name).
Entry command
[SecPath] firewall zone trust
In the above example, the parameter trust can be replaced with parameters untrust, dmz, local or name test.
Prompt after entry
[SecPath-zone-trust]
Exit command
[SecPath-zone-trust] quit
Prompt after exit
[SecPath]
Table 2-21 Firewall inter-zone view
Item Description
Function Sets inter-zone parameters of firewall.
Entry command
[SecPath] firewall interzone trust dmz
In the above example, the parameters trust and dmz can be replaced with any combination of trust, untrust, dmz, local and zones defined by users (for example, test).
Prompt after entry
[SecPath-interzone-trust-dmz]
Exit command
[SecPath-interzone-trust-dmz] quit
Prompt after exit
[SecPath]
Table 2-22 IPSec proposal view
Item Description
Function
Sets parameters of IPSec proposal, such as translation mode, security algorithm.
Entry command
[SecPath] ipsec proposal test
Prompt after entry
[SecPath-ipsec-proposal-test]
Exit command
[SecPath-ipsec-proposal-test] quit
Prompt after exit
[SecPath]
Table 2-23 IPSec policy view
Item Description
Function
Sets parameters of IPSec policy, such as security proposal and SA parameter.
Entry command
[SecPath] ipsec policy test 1 isakmp
In the above example, the parameter isakmp can be replaced with manual.
Prompt after entry
[SecPath-ipsec-policy-isakmp-test-1]
Exit command
[SecPath-ipsec-policy-isakmp-test-1] quit
Prompt after exit
[SecPath]
Table 2-24 IPSec policy template view
Item Description
Function
Sets parameters of IPSec policy template, such as security proposal and SA parameter.
Entry command
[SecPath] ipsec policy-template test 1
Prompt after entry
[SecPath-ipsec-policy-templet-test-1]
Exit command
[SecPath-ipsec-policy-templet-test-1] quit
Prompt after exit
[SecPath]
Table 2-25 IKE proposal view
Item Description
Function
Sets parameters of IKE proposal, such as shared key, SA parameter.
Entry command
[SecPath] ike proposal 1
Prompt after entry
[SecPath-ike-proposal-1]
Exit command
[SecPath-ike-proposal-1] quit
Prompt after exit
[SecPath]
V. VPN/QoS Views
Figure 2-18 shows the relationship between various views.
[Figure 2-18 is not reproduced here. It shows that after login you are in user view, from which system view is entered; the policy view, class view and behavior view are entered from system view.]
Figure 2-18 Relationship between VPN/QoS views
The function, command and prompt of each view are described as below.
Table 2-26 L2TP group view
Item Description
Function
Classifies L2TP VPN as groups and sets parameters for this L2TP group.
Entry command
[SecPath] l2tp-group 1
In the above example, the parameter 1 can be replaced with any integer from 2 to 1000. Prompts vary with the parameter and are not described in detail here.
Prompt after entry
[SecPath-l2tp1]
Exit command
[SecPath-l2tp1] quit
Prompt after exit
[SecPath]
Table 2-27 Policy view
Item Description
Function Configures traffic behaviors for classes being used.
Entry command
[SecPath] qos policy test
Prompt after entry
[SecPath-qospolicy-test]
Exit command
[SecPath-qospolicy-test] quit
Prompt after exit
[SecPath]
Table 2-28 Class view
Item Description
Function Sets rules for traffic classification.
Entry command
[SecPath] traffic classifier test
Prompt after entry
[SecPath-classifier-test]
Exit command
[SecPath-classifier-test] quit
Prompt after exit
[SecPath]
Table 2-29 Behavior view
Item Description
Function Configures QoS features.
Entry command
[SecPath] traffic behavior test
Prompt after entry
[SecPath-behavior-test]
Exit command
[SecPath-behavior-test] quit
Prompt after exit
[SecPath]
2.3.3 Online Help of Command Line
You can enter “?” at various positions on the command line to obtain useful information through the online help.
Online help is described in Table 2-30.
Table 2-30 Online help of command line
Type Help information Example
Full help
Enter “?” in any command view to obtain all commands available in that view and their brief descriptions.
<SecPath> ?
Enter a command followed by a space and “?”. If a key word is expected at that position, the system lists all key words and their brief descriptions.
<SecPath> display ?
Enter a command followed by a space and “?”. If a parameter is expected at that position, the system lists all parameters and their brief descriptions.
[SecPath] interface ethernet ?
[SecPath] interface ethernet 1/0/0 ?
Partial help
Enter a character string followed directly by “?” (no space between them), and the system lists all commands that begin with that string.
<SecPath> d?
Enter a command followed by a character string and “?” (no space between the string and “?”), and the system lists all key words of the command that begin with that string.
<SecPath> display h?
Note:
Enter the first letters of a key word in a command and press Tab, and the system displays the complete key word, provided that the letters entered uniquely identify the key word and cannot be confused with another key word of the command.
2.3.4 Error Information of Command Line
If a command entered by a user passes the syntax check, the system executes it; otherwise, the system reports error information to the user.
For common error information, see Table 2-31.
Table 2-31 Common error information of command line
Error information Cause
Unrecognized command
Not find command.
Not find key word.
Erroneous parameter type.
Parameter value exceeds its threshold.
Incomplete command
Entered command is incomplete. For example, the required parameters are not input.
Too many parameters
Entered parameters are too many.
Ambiguous command
Entered parameters are ambiguous.
2.3.5 History Commands
The command-line interface provides a function similar to Doskey, which automatically saves the commands entered by users. You can recall the history commands saved in the command-line interface and re-use them.
By default, the command-line interface can store ten history commands for each user.
Do as follows in any view, and then access the recently entered commands using the
keys listed in Table 2-32.
Table 2-32 Displaying history commands
Action Keys Description
View history commands.
display history-command
Views the history commands entered by the user.
Access last history command.
Up arrow key or
Ctrl+P
If there are earlier history commands, the system displays the previous one; otherwise, the system sounds an alarm.
Access next history command.
Down arrow key or
Ctrl+N
If there are later history commands, the system displays the next one; otherwise, the system clears the command line and sounds an alarm.
Note:
When using arrow keys to access history commands, note that the arrow keys are valid in the Terminal and Telnet programs of Windows 3.X. However, the up arrow key is invalid in the HyperTerminal of Windows 9X, because the HyperTerminal of Windows 9X interprets the key differently. In this case, use the key combination Ctrl+P instead of the up arrow key.
2.3.6 Editing Feature
The command-line interface provides basic command editing and supports multi-line editing. A command can consist of up to 256 characters.
Table 2-33 shows the editing functions.
Table 2-33 Editing functions
Key Function
Ordinary key
If the editing buffer is not full, the character is inserted at the current cursor position and the cursor moves to the right; otherwise, the system sounds an alarm.
BackSpace
Deletes the character before the cursor and moves the cursor to the left. If the cursor is at the beginning of the command, the system sounds an alarm.
Left arrow (←) or Ctrl+B
Moves the cursor one character to the left. If the cursor is at the beginning of the command, the system sounds an alarm.
Right arrow (→) or Ctrl+F
Moves the cursor one character to the right. If the cursor is at the end of the command, the system sounds an alarm.
Up arrow (↑) or Ctrl+P
Views the previous history command.
Down arrow (↓) or Ctrl+N
Views the next history command.
Tab
Press Tab after an incomplete key word, and the system automatically applies partial help as follows.
- If the matched key word is unique, the system replaces the original entry with the complete key word and displays the command on a new line.
- Otherwise, the system makes no modification and displays the original entry on a new line.
- If the entered string matches more than one parameter of the command, the system displays the original entry on a new line and substitutes each matching parameter in turn every time you press Tab, until you stop pressing Tab.
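The following Python model of the partial-help and Tab behaviour is an added illustration, not code from the manual or from the SecPath software: it completes a key word only when the typed prefix matches exactly one candidate, and otherwise lists the candidates, in the way that `<SecPath> d?` and `<SecPath> display h?` do. The command tree it uses is a small constructed subset of the commands shown in this chapter, not the firewall's real command set, and it only models the first two words of a command line.

```python
# Added example: models the partial-help ("d?", "display h?") and Tab
# behaviour described in the manual. COMMAND_TREE is a constructed subset of
# the commands shown in this chapter, not the firewall's real command set.

COMMAND_TREE = {
    "display": ["clock", "current-configuration", "debugging",
                "diagnostic-information", "history-command", "hotkey",
                "saved-configuration", "users", "version"],
    "language-mode": ["chinese", "english"],
    "quit": [],
    "return": [],
    "system-view": [],
}


def split_line(line: str) -> tuple[list[str], str]:
    """Split a command line into completed words and the partial word being typed.
    A trailing space means the last word is complete and the partial word is empty."""
    words = line.split()
    if not words or line.endswith(" "):
        return words, ""
    return words[:-1], words[-1]


def partial_help(line: str) -> list[str]:
    """Key words that could complete the partial word at the end of `line`,
    in the order the online help would list them (sorted)."""
    context, prefix = split_line(line)
    if not context:
        candidates = list(COMMAND_TREE)           # first word: top-level commands
    elif len(context) == 1 and context[0] in COMMAND_TREE:
        candidates = COMMAND_TREE[context[0]]     # second word: the command's key words
    else:
        return []                                 # unknown command, or deeper than this model goes
    return sorted(k for k in candidates if k.startswith(prefix))


def tab_complete(line: str) -> tuple[str, bool]:
    """Model the Tab key: replace the partial word with the full key word only when
    it matches exactly one candidate; otherwise leave the line unchanged."""
    matches = partial_help(line)
    if len(matches) != 1:
        return line, False
    context, _ = split_line(line)
    return " ".join(context + [matches[0]]), True


if __name__ == "__main__":
    for entry in ("d", "display h", "display hi"):
        print(f"{entry}? -> {partial_help(entry)}")
        print(f"{entry}<Tab> -> {tab_complete(entry)}")
```

Running the block shows the two cases the table distinguishes: `display h` has two candidates, so Tab leaves it unchanged, while `display hi` has one and is expanded to `display history-command`.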
2.3.7 Display Feature
If the information to be displayed exceeds one screen, the system pauses the display. At that point you have three options, listed in Table 2-34.
Table 2-34 Display function
Action Key or command
Stop viewing and executing the command.
When display pauses, enter Ctrl+C.
Continue to view the next screen.
When display pauses, enter Space.
Continue to view the next line.
When display pauses, enter Enter.
2.3.8 Hotkey
A hotkey (also called a shortcut key) is a shortcut for executing a command or a function.
There are two types of hotkey:
- System hotkey
- User-defined hotkey
I. System Hotkey
A system hotkey is a fixed hotkey that the system binds to a specific command line; it cannot be modified by users.
The hotkeys and their corresponding commands are shown in Table 2-35.
Table 2-35 System hotkey
Hotkey Function
CTRL_A Moves the cursor to the beginning of the current line.
CTRL_B Moves the cursor one character to the left.
CTRL_C Stops the function being used.
CTRL_D Deletes the character at the current position of the cursor.
CTRL_E Moves the cursor to the end of the current line.
CTRL_F Moves the cursor a character to the right.
CTRL_H Deletes a character on the left of the cursor.
CTRL_K Terminates call-out connections.
CTRL_N Views the next command in history command buffer.
CTRL_P Views the previous command in history command buffer.
CTRL_R Re-views the current line.
CTRL_V Pastes the content on the clip board.
CTRL_W Deletes a character on the left of the cursor.
CTRL_X Deletes all characters on the left of the cursor.
CTRL_Y Deletes all characters on the right of the cursor.
CTRL_Z Returns to user view.
CTRL_] Terminates or redirects call-in connections.
ESC_B Moves the cursor a word position to the left.
ESC_D Deletes all words on the right of the cursor.
ESC_F Moves the cursor a word position to the right.
ESC_N Moves the cursor a line upward.
ESC_P Moves the cursor a line downward.
ESC_< Sets the current position of the cursor as the beginning of the clip board.
ESC_> Sets the current position of the cursor as the ending of the clip board.
II. User-Defined Hotkey
The system provides five user-defined hotkeys:
- Ctrl_G
- Ctrl_L
- Ctrl_O
- Ctrl_T
- Ctrl_U
You can associate these hotkeys with any command as required. After the association, the system executes the command when you press the hotkey.
By default, the system assigns commands to the hotkeys Ctrl_G, Ctrl_L and Ctrl_O. The other two hotkeys default to null. All the hotkeys are shown in Table 2-36.
Table 2-36 User-defined hotkey
Hotkey Function
CTRL_G
display current-configuration (views the current configuration).
CTRL_L
display ip routing-table (views the routing table information).
CTRL_O
undo debugging all (stops viewing all the debugging information).
CTRL_T
null
CTRL_U
null
III. Hotkey Usage
- You can press a hotkey anywhere a command may be entered. The system then displays and executes the command, just as if you had typed the entire command.
- If you have typed part of a command without pressing Enter, pressing a hotkey clears the typed characters and displays the command, just as if you had deleted the typed characters and entered the entire command again.
- A hotkey is executed exactly like a typed command. The command is recorded in the command buffer for troubleshooting and query.
Note:
Hotkeys can be affected by the terminal in use. For example, if a user-defined hotkey conflicts with a system hotkey, the user-defined hotkey is intercepted by the terminal program and the command line never receives it, so the command cannot be used.
Do as follows in system view.
Table 2-37 Defining hotkeys
Action Command
Define a hotkey.
hotkey [ CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U ] command
Restore the default value of a hotkey.
undo hotkey [ CTRL_G | CTRL_L | CTRL_O | CTRL_T | CTRL_U ]
IV. Display Hotkey
Do as follows in any view.
Table 2-38 Displaying hotkeys
Action Command
View hotkeys.
display hotkey
Using the display hotkey command, you can view three types of hotkeys:
- User-defined hotkeys
- User-definable hotkeys that are not yet defined, displayed as “NULL”
- System hotkeys
2.4 Basic Configuration of the SecPath F1800-A
2.4.1 Entering and Quitting System View
You can access user view after logging in to the SecPath F1800-A from the console
interface, viewing the prompt <SecPath>.
Do as follows to enter and quit system view.
Table 2-39 Entering and quitting system view
Action Command
Enter system view from user view.
system-view
Return to user view from system view.
quit
Return to user view from any non-user view.
return
The quit command returns to the upper-layer view; used in system view, it returns you to user view. The Ctrl+Z hotkey can be used in place of the return command.
2.4.2 Changing Language Mode
The SecPath F1800-A can provide help information in either English or Chinese.
English can be switched to Chinese, and vice versa.
Do as follows in user view.
Table 2-40 Changing language mode
Action Command
Change to English mode.
language-mode english
Change to Chinese mode.
language-mode chinese
2.4.3 Defining the SecPath F1800-A Name
The SecPath F1800-A name appears in the command prompt, which can be modified
if it is required.
Do as follows in system view.
Table 2-41 Defining the SecPath F1800-A name
Action Command
Define the SecPath F1800-A name.
sysname sysname
2.4.4 Configuring System Clock
An accurate system clock is needed to ensure the coordinated work of other devices.
The SecPath F1800-A supports time zone and summer time.
Do as follows in user view.
Table 2-42 Configuring system clock
Action Command
Set UTC standard time.
clock datetime HH:MM:SS YYYY/MM/DD
Set the local time zone.
clock timezone time-zone-name { add | minus } offset
Delete the time zone.
undo clock timezone
Apply summer time.
clock summer-time summer-time-zone-name { one-off | repeating } start-time start-date end-time end-date add-time
Delete the summer time.
undo clock summer-time
2.4.5 Configuring Command Privilege Level
All commands are classified into four privilege levels:
- Visit
- Monitoring
- Configuration
- Management
Their identifiers are 0 to 3 respectively.
The system administrator can specify privilege level and view for a command as
required.
Do as follows in system view.
Table 2-43 Setting command privilege level
Action Command
Set privilege level for a command.
command-privilege level level view view command-key
Restore the default privilege level of the command.
undo command-privilege view view command-key
Note:
Each command has a default view and a privilege level. You do not need to
reconfigure them.
2.4.6 Displaying System Status Information
The display command is used to collect system status information, which can be
classified as:
- Viewing system configuration information
- Viewing system running status
- Viewing system statistics
For the display command of various protocols and interfaces, refer to the related sections. This section only introduces the display command associated with the
system.
Do as follows in any view.
Table 2-44 Displaying system status
Action Command
View system version.
display version
View system clock.
display clock
View all users. display users [ all ]
View saved configuration information.
display saved-configuration
View current configuration information.
display current-configuration
View debugging status.
display debugging [ interface { interface-type interface-number } ] [ module-name ]
View technical support information.
display diagnostic-information
During system faults or routine maintenance, a great deal of information must be collected to help troubleshooting, but there are so many display commands that it is hard to collect all the information at once. You can use the display diagnostic-information command to collect the running information of all current modules in the system in one step.
2.5 User Management
2.5.1 Overview of User Management
When the SecPath F1800-A is booted for the first time, no user password is set. In this case, any user can operate the SecPath F1800-A by connecting a PC to it through the console interface.
If a Modem is configured on the AUX interface of the SecPath F1800-A, any remote
user can access the SecPath F1800-A by dialing up.
If an IP address is assigned to the interface, any remote user can log on to the
SecPath F1800-A through Telnet.
Remote users can also establish PPP connection with the SecPath F1800-A to
access the network.
All of the above make the network unsafe. Therefore, it is very necessary to create the
user and set the user password on the SecPath F1800-A for user management.
I. User Classification
Based on the services delivered to the user, the SecPath F1800-A users can be classified as:
- Hyper terminal users
They log on to the SecPath F1800-A through the Console or AUX interface.
- Telnet users
They log on to the SecPath F1800-A by using the Telnet command.
- FTP users
They establish an FTP connection with the SecPath F1800-A to transfer files.
- PPP users
They establish a PPP connection (such as dial up) with the SecPath F1800-A to access the network.
One user can obtain several services at the same time. Thus, one user can use
several functions.
II. User Priority
After logging on to the SecPath F1800-A, Telnet and HyperTerminal users can
manage the SecPath F1800-A.
The system performs hierarchical management over these users with the priority
ranging from 0 to 3.
The users can log on to the SecPath F1800-A through various interfaces. A default priority can be configured for all users of a user interface, or a specific priority can be configured for an individual user. Between the default priority and the specific priority, the higher one is the priority of the user.
III. User Authentication
After a user is specified, the system will authenticate the user when he logs on to the
SecPath F1800-A.
There are three types of user authentication modes. They are shown in Table 2-45.
Table 2-45 Authentication modes
Type Description Remark
Non-authentication
Means a user can log on to the SecPath F1800-A without the user name and the password.
It is not recommended for the sake of security.
Password authentication
Means a user can log on to the SecPath F1800-A by inputting the password without need of the user name.
It is a little safer than non-authentication.
AAA authentication
Needs both the user name and the password and consists of AAA local authentication and AAA server authentication. The AAA server authentication, which is generally used to authenticate PPP users, can be based on RADIUS protocol or HWTACACS protocol.
Usually, it is used for Telnet users and HyperTerminal users. For AAA configuration in detail, refer to "06-Security Defence Operation" in this manual.
IV. User Planning
The SecPath F1800-A users are planned as required.
- At least one HyperTerminal user should be created on the SecPath F1800-A.
- A Telnet user should be created to telnet to the SecPath F1800-A.
- An FTP user should be created so that a remote user can upload or download files on the SecPath F1800-A.
- A PPP user should be created to establish a PPP connection with the SecPath F1800-A to access the network.
How to create Telnet and HyperTerminal users will be described in this section,
including:
- User management configuration
- User login information configuration
For the configuration of the FTP user, refer to the “FTP Configuration” in "02-System
Management Operation" of this Manual.
For the configuration of the PPP user, refer to the “AAA Configuration” in "06-Security
Defence Operation" of this manual.
2.5.2 User Management Configuration
User management configuration includes:
- User authentication configuration
- User priority configuration
User authentication is used to pass the valid user and deny the invalid user.
The command privilege level must be lower than or equal to the user priority. Both the user priority and the command privilege level are divided into four levels, 0 to 3. Users with different priorities can use commands of the corresponding privilege levels.
User management configuration includes:
- Configuring authentication mode
- Configuring default user priority on the interface
- Creating user and configuring priority
I. Configuring Authentication Mode
Using this command, you can configure the authentication mode when a user logs on
to the SecPath F1800-A from the user interface specified in the view.
- none indicates no authentication is performed.
- password indicates only the password is needed in the authentication, without a user name.
- aaa indicates AAA authentication is performed, for which you need to set the user name and the password.
Do as follows in user interface view.
Table 2-46 Enabling or disabling terminal authentication
Action Command
Enable terminal authentication. authentication-mode { aaa | password }
Disable terminal authentication.
authentication-mode none
By default, the user interface of VTY applies the password authentication while user
interfaces of other types do not perform the terminal authentication.
Usually, the keyword aaa is selected to perform AAA local authentication when
configuring a Telnet or HyperTerminal user.
1) Local password authentication
Do as follows in user interface view.
Table 2-47 Setting the password of local authentication
Action Command
Set the password of local authentication.
set authentication password { simple | cipher } password
Delete the password of local authentication.
undo set authentication password
# Configure user-interface vty 0 so that a user must enter the password “huawei-3com” to log in through user-interface vty 0.
[SecPath-ui-vty0] authentication-mode password
[SecPath-ui-vty0] set authentication password simple huawei-3com
2) Local AAA authentication
# Suppose a Telnet user with the user name “user” and password “telnetpwd”.
Configure local AAA authentication.
[SecPath] user-interface vty 0
[SecPath-ui-vty0] authentication-mode aaa
[SecPath-ui-vty0] quit
[SecPath] aaa
[SecPath-aaa] local-user user password simple telnetpwd
[SecPath-aaa] local-user user service-type telnet
[SecPath-aaa] authentication-scheme user
[SecPath-aaa-authen-user] authentication-mode local
3) AAA server authentication
# Suppose an FTP user with the username “user” and password “ftppwd”. Configure
AAA RADIUS server authentication.
[SecPath] user-interface vty 0
[SecPath-ui-vty0] authentication-mode aaa
[SecPath-ui-vty0] quit
[SecPath] aaa
[SecPath-aaa] local-user user password simple ftppwd
[SecPath-aaa] local-user user service-type ftp
[SecPath-aaa] authentication-scheme user
[SecPath-aaa-authen-user] authentication-mode radius
4) Non authentication
[SecPath-ui-vty0] authentication-mode none
II. Configuring the Default User Priority of the Port
Configure the priority corresponding to the user who logs on from the user interface.
Do as follows in user interface view.
Table 2-48 Configuring user priority
Operation Command
Configure the priority of the login user.
user privilege level level
Restore the default priority of the login user.
undo user privilege level
By default, the priority of the console interface is 3 and the priority of other user
interfaces is 0.
III. Creating User and Configuring Priority
You should create a local user before performing local AAA authentication for the
user.
Do as follows in AAA view.
Table 2-49 Configuring user priority
Action Command
Create a user and configure a password for the user.
local-user local-user password { simple | cipher } password
Configure user priority.
local-user local-user level level
Note:
The command privilege level that a user can use after logging on to the SecPath F1800-A is determined by the user's own priority and the priority of the user interface. If both priorities are configured, the user's own priority applies. For example, if the priority of user Tom is 3 while the priority configured on the VTY 0 user interface is 1, Tom can use commands of level 0 to level 3 when accessing the system from VTY 0. If Tom is not configured with a priority, Tom can only use commands of level 0 and level 1 when accessing the system from VTY 0.
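As an added illustration (not the manual's or the product's own code), the following Python script audits a constructed configuration fragment written in the syntax of Tables 2-46 to 2-49 and applies the rules stated in this section: VTY user interfaces default to password authentication and other user interfaces to none; the console defaults to level 3 and other user interfaces to level 0; a user's effective level is its own configured level, or the interface level when none is configured. It flags user interfaces that end up without login authentication and passwords stored with the simple keyword. The sample configuration, its users and its encrypted-password placeholder are constructed for this example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a SecPath-style configuration (not taken from a real
# device); the cipher-text password value is a placeholder.
SAMPLE_CONFIG = """\
 sysname SecPath
#
aaa
 local-user tom password cipher <encrypted-placeholder>
 local-user tom level 3
 local-user tom service-type telnet
 local-user guest password simple guestpwd
 local-user guest service-type telnet
#
user-interface console 0
 authentication-mode password
 set authentication password simple huawei-3com
user-interface aux 0
user-interface vty 0 4
 authentication-mode aaa
 user privilege level 1
user-interface vty 5 9
 authentication-mode none
 user privilege level 2
"""


@dataclass
class UserInterface:
    name: str                            # e.g. "vty 0 4"
    auth_mode: Optional[str] = None      # none | password | aaa; None if not configured
    level: int = 0                       # `user privilege level`; console defaults to 3
    simple_password: bool = False        # `set authentication password simple ...`


@dataclass
class LocalUser:
    name: str
    level: Optional[int] = None          # None when `local-user X level` is absent
    simple_password: bool = False        # `local-user X password simple ...`


def parse_config(text: str) -> tuple[dict[str, UserInterface], dict[str, LocalUser]]:
    """Collect user-interface blocks and local users from configuration text."""
    interfaces: dict[str, UserInterface] = {}
    users: dict[str, LocalUser] = {}
    current: Optional[UserInterface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("user-interface "):
            current = UserInterface(name=line[len("user-interface "):])
            if current.name.startswith("console"):
                current.level = 3        # default priority of the console interface
            interfaces[current.name] = current
        elif current and line.startswith("authentication-mode "):
            current.auth_mode = line.split()[1]
        elif current and line.startswith("user privilege level "):
            current.level = int(line.split()[-1])
        elif current and line.startswith("set authentication password "):
            current.simple_password = line.split()[3] == "simple"
        elif m := re.match(r"local-user (\S+) password (simple|cipher) ", line):
            users.setdefault(m[1], LocalUser(m[1])).simple_password = m[2] == "simple"
        elif m := re.match(r"local-user (\S+) level (\d+)$", line):
            users.setdefault(m[1], LocalUser(m[1])).level = int(m[2])
        elif line.startswith("#") or line == "aaa":
            current = None               # left the user-interface block
    return interfaces, users


def effective_level(user: LocalUser, ui: UserInterface) -> int:
    """Command level a user gets on a user interface: the user's own level when
    configured, otherwise the interface's level (the rule in the Note above)."""
    return user.level if user.level is not None else ui.level


def audit(text: str) -> list[str]:
    """Return findings for user interfaces without login authentication and for
    passwords stored in clear text."""
    interfaces, users = parse_config(text)
    findings: list[str] = []
    for ui in interfaces.values():
        # VTY defaults to password authentication, console/AUX to none.
        mode = ui.auth_mode or ("password" if ui.name.startswith("vty") else "none")
        if mode == "none":
            findings.append(f"{ui.name}: no login authentication (level {ui.level})")
        if ui.simple_password:
            findings.append(f"{ui.name}: login password stored in clear text (simple)")
    for user in users.values():
        if user.simple_password:
            findings.append(f"local-user {user.name}: password stored in clear text (simple)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample, aux 0 is reported because no authentication-mode was configured and the non-VTY default is none, and vty 5 9 is reported because none was configured explicitly; the user tom gets level 3 on vty 0 4 while guest, who has no level of its own, gets the interface's level 1.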
2.5.3 User Login Information Configuration
I. Configuring Title Text
Title text is a segment of prompt when a user is connected to the SecPath F1800-A
and performs login authentication as well as interaction configuration.
Do as follows in system view.
Table 2-50 Configuring title text
Action Command
Configure title text of login authentication.
header login { file file-name | information information-text }
Configure title text of the beginning of configuration.
header shell { file file-name | information information-text }
Delete the title text. undo header { login | shell }
II. Configuring the Password of Changing User Level
If a user logs on to the SecPath F1800-A with a low-level ID, it needs to switch to a
high-level ID to perform operation after inputting the password of user level. The
password needs to be configured in advance.
Do as follows in system view.
Table 2-51 Configuring the password of changing user level
Action Command
Configure the password of changing user level.
super password [ level user-level ] { simple | cipher } password
Delete the password. undo super password [ level user-level ]
III. Changing User Level
A correct password should be input to switch users from low level to high level.
Do as follows in user view.
Table 2-52 Changing user level
Action Command
Change user level. super [ level ]
IV. Locking User Interface
You can lock the interface to prevent the unauthorized user from operating the
terminal interface during your temporary leave. If the user interface is locked, it is
required to input the password. You can operate the interface only after passing the
authentication.
Do as follows in user view.
Table 2-53 Locking user interface
Action Command
Lock user interface.
lock
2.5.4 Typical Examples of Configuration
For the related configuration of user management and user login information
configuration, refer to 2.2.2 “Establishment Through Telnet".
2.6 User Interface
2.6.1 User Interface Overview
I. Introduction to User Interface
User interface view is a new view in parallel with interface view. It is used to configure
and manage the configuration data of physical interfaces and logical interfaces that
work in asynchronous and interaction mode, so as to implement the unified
management over various user configurations.
At present, configuration mode and relevant user interface supported by the system
are described in Table 2-54.
Table 2-54 Configuration mode and user interface
Configuration mode User interface
Local configuration through the Console interface
The Console interface is a kind of line device interface. The SecPath F1800-A provides a console interface, and its type is EIA/TIA-232 DCE.
Local or remote configuration through the AUX interface
The AUX interface is also a kind of line device port. The SecPath F1800-A provides an AUX port, and its type is EIA/TIA-232 DTE. It is generally used for dial up access through Modem.
Local or remote login configuration through Telnet or SSH
Virtual port (usually abbreviated as VTY) belongs to logical terminal line, used to access the SecPath F1800-A through Telnet.
II. Number of User Interface
There are two numbering modes:
- Absolute numbering mode
- Relative numbering mode
1) Absolute numbering mode
User interface of the system is classified into three types: the Console interface, the
AUX interface and the VTY interface, which are arranged in a specific order.
Of these, there is only one Console interface and one AUX port, and there are
possibly multiple VTY user interfaces that are arranged in a specific order. Start
number of absolute numbering mode is 0. You can use absolute numbering mode to
uniquely specify a user interface or a group of user interfaces.
For example, there are console, AUX and five VTY user interfaces in the system, and
the absolute numbering in the system is described in Table 2-55.
Table 2-55 Absolute numbering mode
Absolute numbering User interface
ui0 Console
ui1 AUX
ui2 First VTY user interface
ui3 Second VTY user interface
2) Relative numbering mode
Relative numbering is formed with: user interface type + number (an internal number
of the user interface type).
Relative numbering mode can uniquely specify one or a group of user interfaces with
the same type. It complies with the following rules:
- Console numbering: console 0.
- AUX numbering: aux 0.
- VTY numbering: the first user interface is VTY 0, the second one is VTY 1, and so on.
User interface configuration includes:
z Entering user interface view
z Configuring asynchronous interface attributes
z Configuring terminal attributes
z Configuring Modem attributes
z Configuring redirection
z Configuring call-in or call-out restriction on VTY user interface
2.6.2 Entering User Interface View
Enter a command in system view to enter user interface view. You can enter a single user interface view to configure one user interface, or enter multiple user interface views to configure multiple user interfaces.
In user interface view, you can set and manage the attributes of each asynchronous interface.
Table 2-56 Configuring attributes of asynchronous interfaces
Type | Description
Asynchronous attributes configuration | Configures transfer rate, flow control mode, parity, stop bits and data bits.
Terminal attribute configuration | Enables terminal service; configures disconnection after end users time out; sets the length of one screen; configures authentication mode; sets buffer size of history commands.
Priority configuration | Configures login user priority.
Modem attribute configuration | Configures Modem and script.
Redirection | -
Do as follows in system view.
Table 2-57 Entering user interface view
Action | Command
Enter one or multiple user interface views. | user-interface [ type-keyword ] number [ ending-number ]
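As an added example (not from the manual), the following Python code converts between the relative numbering ("console 0", "aux 0", "vty 3") and the absolute numbering ("ui5") described in section II above, and resolves the range form of the user-interface command in Table 2-57 to absolute indices. The ordering (one console, one AUX, then the VTYs, starting at 0) is taken from the manual; the number of VTY interfaces is an assumption supplied by the caller.

```python
# Added example, not H3C code: user interface numbering on the SecPath.
# Ordering and start index come from the manual; vty_count is assumed.
from __future__ import annotations

TYPE_ORDER = ("console", "aux", "vty")


def layout(vty_count: int) -> dict[str, tuple[int, int]]:
    """Return {type: (first_absolute_index, count)} for a given VTY count."""
    if vty_count < 0:
        raise ValueError("vty_count must be non-negative")
    # One console (ui0), one AUX (ui1), then the VTYs from ui2 upwards.
    return {"console": (0, 1), "aux": (1, 1), "vty": (2, vty_count)}


def relative_to_absolute(ui_type: str, index: int, vty_count: int) -> int:
    """'vty 3' -> 5 (ui5) on a system with one console and one AUX."""
    base, count = layout(vty_count)[ui_type.lower()]
    if not 0 <= index < count:
        raise ValueError(f"{ui_type} {index} does not exist")
    return base + index


def absolute_to_relative(absolute: int, vty_count: int) -> tuple[str, int]:
    """5 (ui5) -> ('vty', 3)."""
    for ui_type, (base, count) in layout(vty_count).items():
        if base <= absolute < base + count:
            return ui_type, absolute - base
    raise ValueError(f"ui{absolute} does not exist")


def resolve_user_interface(command: str, vty_count: int) -> list[int]:
    """Resolve 'user-interface [type] number [ending-number]' to absolute indices.

    Without a type keyword the numbers are absolute (ui0, ui1, ...); with a
    type keyword they are relative to that type, as in 'user-interface vty 0 4'.
    """
    parts = command.split()
    if not parts or parts[0] != "user-interface":
        raise ValueError("not a user-interface command")
    args = parts[1:]
    ui_type = None
    if args and args[0].lower() in TYPE_ORDER:
        ui_type = args.pop(0).lower()
    if not 1 <= len(args) <= 2:
        raise ValueError("expected 'number [ending-number]'")
    first = int(args[0])
    last = int(args[1]) if len(args) == 2 else first
    if last < first:
        raise ValueError("ending-number must not be below number")
    if ui_type is None:
        total = 2 + vty_count  # console + AUX + VTYs
        if last >= total:
            raise ValueError(f"ui{last} does not exist")
        return list(range(first, last + 1))
    return [relative_to_absolute(ui_type, i, vty_count) for i in range(first, last + 1)]


if __name__ == "__main__":
    # Five VTYs, as in the manual's Table 2-55 example.
    print(resolve_user_interface("user-interface vty 0 4", 5))   # [2, 3, 4, 5, 6]
    print(absolute_to_relative(5, 5))                            # ('vty', 3)
```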
2.6.3 Configuring Asynchronous Interface Attributes
You can configure asynchronous attributes in user interface view. For these configuration commands to take effect, the interface must work in asynchronous mode.
I. Configuring Transfer Rate
Do as follows in user interface view.
Table 2-58 Configuring transfer rate
Action | Command
Configure transfer rate. | speed speed-value
Restore its default value. | undo speed
II. Configuring Flow Control Mode
Do as follows in user interface view.
Table 2-59 Configuring flow control mode
Action | Command
Configure flow control mode. | flow-control { none | software | hardware }
Restore its default value. | undo flow-control
By default, the flow control mode on the terminal line is none.
III. Configuring Parity Bit
Do as follows in user interface view.
Table 2-60 Configuring parity bit
Action | Command
Configure parity bit. | parity { none | even | odd | mark | space }
Restore its default value. | undo parity
IV. Configuring Stop Bits
Do as follows in user interface view.
Table 2-61 Configuring stop bits
Action | Command
Configure stop bits. | stopbits { 1.5 | 1 | 2 }
Restore its default value. | undo stopbits
V. Configuring Data Bits
Do as follows in user interface view.
Table 2-62 Configuring data bits
Action | Command
Configure data bits. | databits { 5 | 6 | 7 | 8 }
Restore its default value. | undo databits
2.6.4 Configuring Terminal Attributes
I. Enabling Terminal Service
Do as follows in user interface view.
Table 2-63 Enabling terminal service
Action | Command
Enable terminal service. | shell
Disable terminal service. | undo shell
Note:
There are the following restrictions when using the undo shell command.
• If there is only the console interface (no AUX port exists), the console interface does not support the command.
• If there is only the AUX interface (no console interface exists), the AUX interface does not support the command.
• If there are both the console interface and the AUX interface, the AUX interface supports the command, whereas the console interface does not.
• Other types of user interfaces are not restricted.
II. Configuring Disconnection after End Users Time Out
Do as follows in user interface view.
Table 2-64 Configuring disconnection after end users time out
Action | Command
Configure disconnection after end users time out. | idle-timeout minutes [ seconds ]
Restore its default value. | undo idle-timeout
To disable the disconnection, configure this command as idle-timeout 0.
III. Configuring the Length of Terminal Screen
Do as follows in user interface view.
Table 2-65 Configuring the length of terminal screen
Action | Command
Configure the length of terminal screen. | screen-length screen-length
Restore its default value. | undo screen-length
IV. Configuring Buffer Size of History Commands
Do as follows in user interface view.
Table 2-66 Configuring buffer size of history commands
Action | Command
Configure buffer size of history commands. | history-command max-size size-value
Restore its default value. | undo history-command max-size
2.6.5 Configuring Modem Attributes
You can manage and set Modem parameters through the AUX interface. The related configuration commands are valid only on the AUX interface and on serial ports working in asynchronous mode.
Do as follows in user interface view.
Table 2-67 Configuring Modem attributes
Action | Command
Configure the time interval from receiving the RING signal to waiting for CD in Up state. | modem timer answer seconds
Restore its default value. | undo modem timer answer
Configure automatic answer. | modem auto-answer
Configure manual answer. | undo modem auto-answer
Configure call-in or call-out. | modem [ call-in | both ]
Disable call-in or call-out. | undo modem [ call-in | both ]
2.6.6 Configuring Redirection
I. Message Transfer
Do as follows in user view.
Table 2-68 Configuring message transfer
Action | Command
Transfer a message between user interfaces. | send { all | number | type-name number }
II. Auto-Execute Command
There are the following restrictions in using the auto-execute command command.
• If there is only one console interface or one AUX port on the SecPath F1800-A, that interface does not support auto-execute command.
• If there are both a console interface and an AUX interface on the SecPath F1800-A, the console interface does not support auto-execute command, whereas the AUX interface does.
• Other types of interfaces are not restricted.
When a user logs on, the system automatically executes the command configured with the auto-execute command command on the terminal. After the command is executed, the system automatically disconnects the connection. Generally, the auto-execute command command is used to configure the Telnet command that connects a user to a specified host.
For example, to enable a user to log on to the destination host, run the auto-execute command command with the parameter telnet 10.110.100.1 in user interface view. The system will then automatically execute the telnet 10.110.100.1 command when the user logs on the next time.
Do as follows in user interface view.
Table 2-69 Configuring auto-execute command
Action | Command
Configure auto-execute command. | auto-execute command command
Cancel auto-execute command. | undo auto-execute command
Caution:
Use this command with caution: it prevents you from performing routine configuration through the terminal line.
Before you configure the auto-execute command command and save the configuration, ensure that you will be able to log on to the system in some other way to cancel the configuration.
III. Enabling Redirection on the AUX Interface
You can use the redirect command in AUX user interface view to enable redirection of the user interface.
Do as follows in user interface view.
Table 2-70 Enabling redirection on the AUX interface
Action | Command
Enable redirection on the AUX interface. | redirect
Disable redirection on the AUX interface. | undo redirect
2.6.7 Configuring Call-in or Call-out Restriction on VTY User Interface
You can restrict call-in or call-out on a VTY user interface based on an ACL.
Do as follows in user interface view.
Table 2-71 Configuring call-in or call-out restriction on VTY user interface
Action | Command
Configure call-in or call-out restriction on VTY user interface. | acl acl-number { inbound | outbound }
Cancel call-in or call-out restriction on VTY user interface. | undo acl { inbound | outbound }
2.6.8 Displaying and Debugging User Interface
You can use the display command in any view to query the running state and verify the configuration of user interfaces.
Do as follows in any view.
Table 2-72 Displaying and debugging user interface
Action | Command
View user interfaces. | display users [ all ]
View physical attributes and configurations of user interfaces. | display user-interface [ typename number ] [ number ]
2.7 Terminal Service
2.7.1 Configuring Terminal Service on the Console Interface
Table 2-73 shows terminal service features on the console interface.
Table 2-73 Terminal service features on the console interface
Service type | Value
Echo mode | No echo at local end
Terminal type | VT100
Baud rate | 9600
Data bits | 8
Parity | None
Stop bits | 1
Flow control | None
Binary transmission protocol | XModem
2.7.2 Configuring Terminal Service on the AUX Port
Table 2-74 shows terminal service features on the AUX interface.
Table 2-74 Terminal service features on the AUX interface
Service type | Value
Echo mode | No echo at local end
Terminal type | VT100
Baud rate | 9600 bit/s (default)
Data bits | 8 (default)
Parity | None (default)
Stop bits | 1 (default)
Flow control | None (default)
You need to set the parameters as described in Table 2-74. Note that parameters such as baud rate, data bits, parity and flow control must be consistent with the configuration on the AUX interface of the SecPath F1800-A.
2.7.3 Configuring Telnet Terminal Service
The Telnet protocol is an application layer protocol in the TCP/IP protocol suite. It provides remote login and a virtual terminal across the network. The SecPath F1800-A of Huawei-3Com supports the Telnet service.
I. Configuring Telnet Server Service
You can run a Telnet Client program to log on to the SecPath F1800-A to configure and manage the firewall. The topology is shown in Figure 2-19.
Figure 2-19 Telnet Server service (a PC running the Telnet Client connected to the SecPath running the Telnet Server)
Table 2-75 shows the Telnet service features of the SecPath F1800-A.
Table 2-75 Telnet terminal service features
Service | Feature
Entry mode | Character mode
Echo mode | No echo at local end
Terminal type | VT100
II. Configuring Telnet Client Service
You can run a terminal emulation program or Telnet program on your computer to connect with the SecPath F1800-A, and then enter the Telnet command to log on to other SecPath F1800-A firewalls and configure and manage them. The topology is shown in Figure 2-20.
Figure 2-20 Telnet Client service (a PC or terminal running the Telnet Client connected to a SecPath, which in turn acts as Telnet Client towards a second SecPath running the Telnet Server)
To prevent intrusion by unauthorized users, the system disconnects the connection with a user if it has not received input from the terminal user within a period of time.
By default, a terminal user is disconnected after ten minutes without input.
You can disable the disconnection using the idle-timeout 0 0 command in user interface view. After this function is disabled, the terminal user will not be disconnected.
Do as follows in user view.
Table 2-76 Establishing Telnet connection
Action | Command
Run the Telnet command to log on to and manage other SecPath F1800-A firewalls. | telnet host-ip-address [ service-port ]
Do as follows in user interface view.
Table 2-77 Setting Telnet connection
Action | Command
Allow disconnecting Telnet after the idle timeout. | idle-timeout minutes [ seconds ]
Restore the default value of the idle timeout. | undo idle-timeout
III. Displaying and Debugging Telnet
You can use the display command in any view to view the running state and verify the configuration of Telnet.
You can use the debugging command in user view to debug Telnet.
Table 2-78 Displaying and debugging Telnet
Action | Command
View the connection status in the current user interface. | display users
View the connection status in each user interface. | display users all
View the status of all current TCP connections. | display tcp { statistics | status }
Using the display users command, you can only view the interface through which the Telnet Client is connected with the SecPath F1800-A.
If you want to view the IP address of the Telnet Server connected with the SecPath F1800-A, you need to use the display tcp command. A TCP connection with port number 23 is a Telnet connection (Telnet Client and Telnet Server).
IV. Shortcut Key of Telnet Service
During a Telnet connection you can use a shortcut key to break the connection, as shown in Figure 2-21.
Figure 2-21 Shortcut key of Telnet service (a PC or terminal running the Telnet Client logs on to SecPath_A, which connects to SecPath_B, which connects to SecPath_C)
You can run the Telnet Client program on the terminal to log on to SecPath_A, then connect to SecPath_B through Telnet, and finally connect to SecPath_C through Telnet. In this case, SecPath_A is the Client of SecPath_B and SecPath_B is the Client of SecPath_C.
Table 2-79 describes the usage of the shortcut keys.
Table 2-79 Telnet shortcut keys
Shortcut key | Description
Ctrl+] | When the network connection is working, enter Ctrl+] to inform the Telnet server end to break the Telnet login (like the quit command); that is, the server end initiates the disconnection. If the network is disconnected for some reason, the shortcut key cannot be sent to the server end, and the entry does not take effect. For example, if you enter Ctrl+] at the SecPath_C prompt, the system returns to the SecPath_B prompt.
Ctrl+k | When the server end fails and the client end is not aware of it, the server does not respond to any command entered by the client. In this case, enter Ctrl+k to make the client end break the connection itself and exit the Telnet connection directly. For example, if you enter Ctrl+k at the SecPath_C prompt, the system disconnects and exits the Telnet connection.
V. Cautions in Logging on to the Firewall Through Telnet
If a user enters an incorrect password three times in a row when logging on to the firewall through Telnet, the system adds the client IP address to its blacklist for 10 minutes. In other words, when the blacklist is enabled, no user is allowed to log on to the firewall from this client IP address for 10 minutes. When the blacklist is disabled, the restriction does not apply.
For details on the blacklist, refer to the "06-Security Defence Operation" section.
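As an added example that is not part of the manual, the following Python model reproduces the Telnet lockout rule just described (three wrong passwords in a row, a 10-minute blacklist for the client IP, no restriction when the blacklist is disabled) so that the behaviour can be checked against a sequence of login attempts; the IP addresses and timestamps are constructed.

```python
# Added example, not H3C code: a model of the Telnet login blacklist rule.
# Thresholds follow the manual; time is passed in explicitly (seconds) so the
# behaviour can be exercised without waiting.
from dataclasses import dataclass, field

MAX_FAILURES = 3          # wrong passwords in a row before the client IP is blacklisted
BLACKLIST_SECONDS = 600   # 10 minutes, as stated in the manual


@dataclass
class TelnetLoginGuard:
    blacklist_enabled: bool = True
    failures: dict = field(default_factory=dict)          # ip -> consecutive failures
    blacklisted_until: dict = field(default_factory=dict)  # ip -> expiry time (s)

    def is_blacklisted(self, ip: str, now: float) -> bool:
        """True while the IP's blacklist entry is still in force."""
        if not self.blacklist_enabled:
            return False          # blacklist disabled: the restriction does not apply
        expiry = self.blacklisted_until.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.blacklisted_until[ip]   # the 10 minutes have passed
            return False
        return True

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Process one login attempt; return 'ok', 'denied' or 'blacklisted'."""
        if self.is_blacklisted(ip, now):
            return "blacklisted"  # refused before the password is even checked
        if password_ok:
            self.failures.pop(ip, None)   # a successful login resets the counter
            return "ok"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= MAX_FAILURES:
            self.failures.pop(ip, None)
            if self.blacklist_enabled:
                self.blacklisted_until[ip] = now + BLACKLIST_SECONDS
                return "blacklisted"  # third failure triggers the 10-minute block
        return "denied"

    def active_blacklist(self, now: float) -> dict:
        """Snapshot of blocked IPs and remaining seconds, for an operator view."""
        return {ip: int(until - now)
                for ip, until in self.blacklisted_until.items() if until > now}


if __name__ == "__main__":
    # Constructed sequence: three failures from one client, then a correct password.
    guard = TelnetLoginGuard()
    for t in range(3):
        print(guard.attempt("10.0.0.5", False, t))   # denied, denied, blacklisted
    print(guard.attempt("10.0.0.5", True, 3))        # blacklisted (still blocked)
    print(guard.active_blacklist(3))                 # {'10.0.0.5': 599}
```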
2.7.4 Configuring SSH Terminal Service
I. SSH Overview
After establishing a local or remote SSH channel, you can set SSH terminal service parameters to ensure a secure configuration environment. An SSH Client is used to establish an SSH connection with the SecPath F1800-A or with a UNIX host supporting SSH Server. The SecPath F1800-A can accept connections from multiple SSH Clients.
To implement an authenticated SSH connection, SSH Server and Client need to go through the following five stages:
• Version number negotiation
• Key algorithm negotiation
• Authentication mode negotiation
• Session request
• Session interaction
II. SSH Configuration
SSH configuration involves:
• Configuring protocols supported by user interface
• Creating or deleting local RSA key pair
• Configuring SSH user authentication mode
• Configuring update time of server key
• Configuring SSH authentication timeout
• Configuring SSH authentication retries
• Entering RSA public key view
• Entering RSA public key edition view and editing key
• Configuring RSA public key for an SSH user
1) Configuring protocols supported by user interface
By default, the protocols supported by the user interface are Telnet and SSH. If SSH is enabled but no RSA key is configured, you still cannot log on through SSH. The configuration takes effect when you log on the next time.
If SSH is configured on the user interface, then for login to succeed you must use the authentication-mode command to configure the authentication mode as local or scheme default (AAA authentication). If the authentication mode is configured as password or none, the configuration through the protocol inbound ssh command will fail (and vice versa).
Do as follows in VTY user interface view.
Table 2-80 Configuring protocols supported by user interface
Action | Command
Configure protocols supported by user interface. | protocol inbound { all | ssh | telnet }
2) Creating or deleting local RSA key pair
This configuration task generates the local server key pair and host key pair. If an RSA key already exists, the system prompts whether to replace the original key.
The generated key pairs are named in the following forms:
• The SecPath F1800-A name + "server"
• The SecPath F1800-A name + "host"
In general, the server key is at least 128 bits longer than the host key; the minimum length of the host key is 512 bits and the maximum length of the server key is 2048 bits.
Do as follows in system view.
Table 2-81 Creating or deleting local RSA key pair
Action | Command
Create local RSA key pair. | rsa local-key-pair create
Delete local RSA key pair. | rsa local-key-pair destroy
Caution:
To implement SSH login, you must configure and generate the local RSA key pair.
Note that you need to use the rsa local-key-pair create command to generate the local key pair before performing other SSH configurations.
You do not need to use the command again after the SecPath F1800-A is rebooted.
3) Configuring SSH user authentication mode
Using this command, you can specify the authentication mode for SSH users. For a new user, you must specify the authentication mode; otherwise, the user cannot log on. To create an SSH user, refer to the local-user command in "AAA Configuration" in "06-Security Defence Operation". The new authentication mode takes effect when the user logs on next time.
Do as follows in system view.
Table 2-82 Configuring SSH user authentication mode
Action | Command
Configure SSH user authentication mode. | ssh user user-name authentication-type { password | rsa | all }
Restore its default value. | undo ssh user user-name authentication-type { password | rsa | all }
4) Configuring update time of server key
Using this configuration task, you can configure the update time of the server key, so as to ensure the security of your SSH connection to the greatest extent.
Do as follows in system view.
Table 2-83 Configuring update time of server key
Action | Command
Configure update time of server key. | ssh server rekey-interval hours
Restore its default value. | undo ssh server rekey-interval
5) Configuring SSH authentication timeout time
Using this configuration task, you can configure the SSH authentication timeout time.
Do as follows in system view.
Table 2-84 Configuring SSH authentication timeout time
Action | Command
Configure SSH authentication timeout. | ssh server timeout seconds
Restore its default value. | undo ssh server timeout
6) Configuring SSH authentication retries
Using this task, you can configure the number of authentication retries for SSH users, so as to prevent illegal behaviors such as malicious password guessing.
Do as follows in system view.
Table 2-85 Configuring SSH authentication retries
Action | Command
Configure SSH authentication retries. | ssh server authentication-retries times
Restore its default value. | undo ssh server authentication-retries
7) Entering RSA public key view
Using this task, you can enter RSA public key view to configure the client public key that is randomly generated by the client software supporting SSH1.5.
Do as follows in system view.
Table 2-86 Entering RSA public key view
Action | Command
Enter RSA public key view. | rsa peer-public-key key-name
Return to system view from RSA public key view. | peer-public-key end
8) Entering RSA public key edition view and editing key
Using this task, you can enter RSA public key edition view and input the RSA public key data generated by the client software. To edit the public key, you must first specify a key name using the rsa peer-public-key key-name command in system view. When inputting key data, spaces are allowed and you can also press Enter to continue inputting the data. The configured public key must be a hexadecimal character string coded in public key format.
Use the public-key-code begin command in RSA public key view, and the public-key-code end command in RSA public key edition view.
Table 2-87 Entering RSA public key edition view and editing keys
Action | Command
Enter RSA public key edition view and edit keys. | public-key-code begin
Exit RSA public key edition view. | public-key-code end
9) Configuring RSA public key for an SSH user
Using this task, you can assign an existing public key to an SSH user.
Do as follows in system view.
Table 2-88 Configuring RSA public key for an SSH user
Action | Command
Configure RSA public key of an SSH user. | ssh user user-name assign rsa-key key-name
Delete RSA public key of an SSH user. | undo ssh user user-name assign rsa-key
III. Displaying and Debugging SSH
You can use the display command in any view to view the running state and verify the configuration of SSH.
You can use the debugging command in user view to debug SSH.
Table 2-89 Displaying and debugging SSH
Action | Command
View the public keys of the host and server key pairs. | display rsa local-key-pair public
View the RSA public key of the client. | display rsa peer-public-key [ brief | name key-name ]
View SSH status and sessions. | display ssh server { status | session }
View SSH user information. | display ssh user-information [ user-name ]
Debug SSH. | debugging ssh server { vty index | all }
Debug RSA. | debugging rsa
IV. SSH Configuration Example
1) Networking requirements
The configuration terminal (SSH Client) is connected with the SecPath F1800-A locally, and client software supporting SSH1.5 is running on the terminal, so as to ensure the security of the data exchange to the greatest extent.
2) Networking diagram
Figure 2-22 SSH local configuration networking (an SSH Client connected to the SecPath)
3) Configuration procedure
To perform SSH configuration, you need to use the following command first.
[SecPath] rsa local-key-pair create
Note:
If you have already configured the local key pair, this step can be skipped.
# User login authentication mode is password.
[SecPath] user-interface vty 0 4
[SecPath-ui-vty0-4] authentication-mode aaa
[SecPath-ui-vty0-4] protocol inbound ssh
[SecPath-ui-vty0-4] quit
[SecPath] ssh user client001 authentication-type password
[SecPath] aaa
[SecPath-aaa] local-user client001 password simple huawei-3com
[SecPath-aaa] authentication-scheme client001
[SecPath-aaa-authen-client001] authentication-mode local
For the SSH authentication timeout, retries and update time of the server key, you can use the default values. After the above configuration, you can run the client software supporting SSH1.5 on other terminals that are connected with the SecPath F1800-A. Then you can access the SecPath F1800-A with user name "client001" and password "huawei-3com".
# User login authentication mode is RSA.
[SecPath] user-interface vty 0 4
[SecPath-ui-vty0-4] authentication-mode aaa
[SecPath-ui-vty0-4] protocol inbound ssh
[SecPath-ui-vty0-4] quit
[SecPath] ssh user client002 authentication-type rsa
In this case, you need to run the client software supporting SSH1.5 to randomly generate an RSA key pair. The RSA public key is then entered on the server under the key name H3C002 and assigned to the user.
[SecPath] rsa peer-public-key H3C002
[SecPath-rsa-public-key] public-key-code begin
[SecPath-rsa-key-code] 308186028180739A291ABDA704F5D93DC8FDF84C427463
[SecPath-rsa-key-code] 1991C164B0DF178C55FA833591C7D47D5381D09CE82913
[SecPath-rsa-key-code] D7EDF9C08511D83CA4ED2B30B809808EB0D1F52D045DE4
[SecPath-rsa-key-code] 0861B74A0E135523CCD74CAC61F8E58C452B2F3F2DA0DC
[SecPath-rsa-key-code] C48E3306367FE187BDD944018B3B69F3CBB0A573202C16
[SecPath-rsa-key-code] BB2FC1ACF3EC8F828D55A36F1CDDC4BB45504F020125
[SecPath-rsa-key-code] public-key-code end
[SecPath-rsa-public-key] peer-public-key end
[SecPath] ssh user client002 assign rsa-key H3C002
Then you can run the client software supporting SSH1.5 on the terminal that holds the RSA private key to set up the SSH connection.
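As an added example (not H3C's code), the following Python lint pass checks a saved SSH configuration against the prerequisites this section states: a local RSA key pair must exist, a VTY with protocol inbound ssh must not use the password or none authentication mode, every SSH user needs an authentication-type, and a user with RSA authentication needs an assigned key that was actually defined with rsa peer-public-key. The sample configuration is constructed from the procedure above and deliberately contains a mismatched key name and an incompatible VTY so that the checks fire; the parser only understands the command lines it needs.

```python
# Added example, not H3C code: a prerequisite check for SecPath SSH configuration.
import re

# Constructed sample modelled on the manual's configuration procedure. It
# deliberately (a) enables SSH on a VTY range whose authentication-mode is
# password, (b) assigns client002 a key name never defined with
# "rsa peer-public-key", and (c) assigns a key to client003 without giving
# that user an authentication-type.
SAMPLE_CONFIG = """\
rsa local-key-pair create
user-interface vty 0 4
 authentication-mode aaa
 protocol inbound ssh
 quit
user-interface vty 5 9
 authentication-mode password
 protocol inbound ssh
 quit
ssh user client001 authentication-type password
ssh user client002 authentication-type rsa
rsa peer-public-key H3C002
 public-key-code begin
 308186028180739A291ABDA704F5D93DC8FDF84C427463
 public-key-code end
 peer-public-key end
ssh user client002 assign rsa-key key002
ssh user client003 assign rsa-key H3C002
"""


def check_ssh_config(config: str) -> list:
    """Return a list of findings; an empty list means the prerequisites hold."""
    has_local_key = False
    peer_keys = set()     # key names defined with rsa peer-public-key
    auth_type = {}        # ssh user -> password | rsa | all
    assigned = {}         # ssh user -> assigned key name
    vty_auth = {}         # "vty 0 4" -> authentication-mode keyword
    vty_ssh = set()       # VTY ranges that allow SSH (protocol inbound ssh | all)
    current_vty = None    # VTY range whose view we are currently in

    for raw in config.splitlines():
        line = raw.strip()
        if line == "rsa local-key-pair create":
            has_local_key = True
        elif line == "rsa local-key-pair destroy":
            has_local_key = False
        elif m := re.fullmatch(r"user-interface (vty \d+(?: \d+)?)", line):
            current_vty = m.group(1)
        elif line == "quit":
            current_vty = None
        elif current_vty and (m := re.fullmatch(r"authentication-mode (\S+)", line)):
            vty_auth[current_vty] = m.group(1).lower()
        elif current_vty and (m := re.fullmatch(r"protocol inbound (\S+)", line)):
            if m.group(1).lower() in ("ssh", "all"):
                vty_ssh.add(current_vty)
        elif m := re.fullmatch(r"rsa peer-public-key (\S+)", line):
            peer_keys.add(m.group(1))
        elif m := re.fullmatch(r"ssh user (\S+) authentication-type (\S+)", line):
            auth_type[m.group(1)] = m.group(2).lower()
        elif m := re.fullmatch(r"ssh user (\S+) assign rsa-key (\S+)", line):
            assigned[m.group(1)] = m.group(2)

    findings = []
    if vty_ssh and not has_local_key:
        findings.append("SSH is enabled but no local RSA key pair exists "
                        "(run rsa local-key-pair create first)")
    for vty in sorted(vty_ssh):
        mode = vty_auth.get(vty)
        if mode in (None, "password", "none"):   # incompatible with protocol inbound ssh
            findings.append(f"{vty}: protocol inbound ssh requires AAA authentication "
                            f"(authentication-mode aaa), found {mode}")
    for user in sorted(set(auth_type) | set(assigned)):
        kind = auth_type.get(user)
        if kind is None:
            findings.append(f"ssh user {user}: no authentication-type configured, "
                            "the user cannot log on")
        elif kind in ("rsa", "all"):
            key = assigned.get(user)
            if key is None:
                findings.append(f"ssh user {user}: rsa authentication but no rsa-key assigned")
            elif key not in peer_keys:
                findings.append(f"ssh user {user}: assigned rsa-key {key} is not "
                                "defined with rsa peer-public-key")
    return findings


if __name__ == "__main__":
    for finding in check_ssh_config(SAMPLE_CONFIG):
        print(finding)   # three findings for the constructed sample
```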
Chapter 3 Working Mode
3.1 Working Mode Overview
3.1.1 Introduction to Working Mode
At present, the SecPath F1800-A can work in three modes:
• Route mode
• Transparent mode
• Composite mode
If the firewall is connected to external networks through interfaces that have IP addresses, the firewall should work in route mode.
If the firewall is connected to external networks through interfaces that have no IP address, the firewall should work in transparent mode.
If the firewall has both interfaces with IP addresses and interfaces without IP addresses, the firewall should work in composite mode.
I. Route Mode
When the SecPath F1800-A is located between the internal network and the external network, you need to configure its interfaces. Through these interfaces, the firewall is connected with the internal network, the external network and the DMZ, with IP addresses on different network segments. In this case, the firewall serves as a router.
As shown in Figure 3-1, the SecPath F1800-A is connected with the internal network through an interface in the Trust zone, and with the external network through an interface in the Untrust zone.
Note that the interface in the Trust zone and the interface in the Untrust zone reside in two different subnets.
Figure 3-1 Networking in route mode (Trust zone: internal network 10.110.1.0/24 with a server and PC, firewall interface 10.110.1.254; Untrust zone: router and external network (Internet) 202.10.0.0/24, firewall interface 202.10.0.1)
When working in route mode, the firewall can complete:
• ACL packet filtering
• ASPF dynamic filtering
• NAT
However, the network topology needs to be changed: for example, internal network users need to change their gateways and the routing configuration of routers needs to be changed, which causes considerable trouble. So you had better weigh the advantages and disadvantages before using route mode.
II. Transparent Mode
If the SecPath F1800-A works in transparent mode, you do not need to change the network topology. In this case, the firewall is completely transparent to users in the subnets and to routers; that is, users are not aware of the existence of the firewall.
In transparent mode, you only need to place the SecPath F1800-A in the network like a bridge, without modifying any existing configuration. As in route mode, IP packets are still filtered and checked in transparent mode (while the source and destination addresses in the IP packets do not change during this procedure), and internal users are protected by the firewall.
Figure 3-2 shows a typical networking in transparent mode.
Figure 3-2 Networking in transparent mode (Trust zone: internal network with a server and PCs; Untrust zone: external network (Internet) with a server and PCs; both sides in 202.10.0.0/24)
As shown in Figure 3-2, the SecPath F1800-A is connected with the internal network through an interface in the Trust zone, and with the external network through an interface in the Untrust zone.
Note that the interface in the Trust zone and the interface in the Untrust zone must reside in the same subnet.
III. Composite Mode
If there are both interfaces working in route mode (interfaces with IP addresses) and interfaces working in transparent mode (interfaces without IP addresses) on the SecPath F1800-A, the firewall is working in composite mode.
Composite mode is applied in the case of dual-system hot standby with transparent mode. The interface on which VRRP is enabled needs to be configured with an IP address, and the other interfaces do not.
Figure 3-3 shows a typical networking in composite mode.
Figure 3-3 Networking in composite mode (Trust zone: internal network 202.10.0.0/24 with a server and PCs; active and standby SecPath firewalls linked through a hub and running VRRP; Untrust zone: external network (Internet) 202.10.0.0/24 with a server and PCs)
As shown in Figure 3-3, the master and backup SecPath F1800-A firewalls are connected with the internal network through interfaces in the Trust zone, and with the external network through interfaces in the Untrust zone.
In addition, the master and backup SecPath F1800-A firewalls:
• Connect to each other through a hub or LAN switch.
• Perform hot standby through VRRP.
Note that the internal network and the external network must reside in the same subnet.
3.1.2 Working Process of Route Mode
When the SecPath F1800-A works in route mode, all the interfaces should be configured with IP addresses and reside in Layer 3 security zones. External users connected with different interfaces in Layer 3 zones belong to different subnets.
When packets are forwarded between interfaces in Layer 3 zones, the SecPath F1800-A serves as a router and searches for routing entries based on the IP addresses of the packets. However, unlike the processing within a router, IP packets in the SecPath F1800-A are sent to the upper layer for filtering. The firewall determines whether to let the packets pass based on session entries and ACL rules.
In addition, the SecPath F1800-A needs to complete other attack defense checks in route mode, such as:
• ACL rule check
• ASPF filtering
• Attack defense check
• Traffic monitoring
3.1.3 Working Process of Transparent Mode
In transparent mode (or bridge mode), interfaces on the SecPath F1800-A cannot be
configured with IP addresses and they reside in layer 2 security zone. Moreover,
external users connected with the interfaces in layer 2 zone reside in the same
subnet.
When packets are forwarded between interfaces in layer 2 zone, the SecPath
F1800-A serves as a transparent bridge to search for outbound interfaces based on
MAC addresses of the packets. However, different from a bridge, IP packets in the
SecPath F1800-A need to be sent to the upper layer and filtered, then the firewall
determines whether to permit the packets to pass through based on session entries
and ACL rules.
In addition, in transparent mode, the SecPath F1800-A supports:
z ACL rule check
z ASPF filtering
z Attack defense check
z Traffic monitoring
In transparent mode, the SecPath F1800-A connects to the LAN at the data link layer,
so end users need no special configuration to connect to the network (as with a
LAN switch). The working process of transparent mode is described as follows.
I. Obtaining Address Table
In transparent mode, the firewall forwards packets based on a MAC address table,
which maps MAC addresses to interfaces, so the firewall must first learn the
relationship between MAC addresses and interfaces.
1) Broadcasting data packets
When connected to a physical network segment, the SecPath F1800-A monitors all
Ethernet frames on that segment. When it sees a frame from a node arrive on an
interface, it extracts the source MAC address of the frame and adds the mapping
between that MAC address and the receiving interface to the MAC address table. This
process is shown in Figure 3-4.
Figure 3-4 Broadcasting data packet (diagram: workstations A (00e0.fcaa.aaaa) and
B (00e0.fcbb.bbbb) on Ethernet segment 1, attached to Port 1 of the SecPath;
workstations C (00e0.fccc.cccc) and D (00e0.fcdd.dddd) on Ethernet segment 2,
attached to Port 2; the frame shown has source address 00e0.fcaa.aaaa and
destination address 00e0.fcbb.bbbb)
Workstations A, B, C and D reside in two LANs. Ethernet segments 1 and 2 are
connected with ports 1 and 2 on the SecPath F1800-A respectively. For example,
when workstation A sends an Ethernet frame to workstation B, both the firewall and
workstation B will receive the frame.
2) Reversely learning the relationship between the MAC address of workstation A
and the port
After receiving the Ethernet frame, the SecPath F1800-A knows that workstation A is
connected to Port 1 of the firewall, because Port 1 received the frame. It then adds
the mapping between the MAC address of workstation A and Port 1 to the MAC address
table. This process is shown in Figure 3-5.
Figure 3-5 Reversely learning the relationship between the MAC address of
workstation A and the port (diagram: same topology as Figure 3-4; the frame from
00e0.fcaa.aaaa to 00e0.fcbb.bbbb arrives on Port 1, and the address table now holds
the entry 00e0.fcaa.aaaa on Port 1)
3) Reversely learning the relationship between the MAC address of workstation B
and the port
After workstation B responds to the Ethernet frame from workstation A, the firewall
monitors the response Ethernet frame and is aware that workstation B is also
connected with Port 1 on the firewall because Port 1 receives the frame. Then it adds
the relationship between the MAC address of workstation B and Port 1 to the MAC
address table. This process is shown in Figure 3-6.
Figure 3-6 Reversely learning the relationship between the MAC address of
workstation B and the port (diagram: same topology as Figure 3-4; the response
frame from 00e0.fcbb.bbbb to 00e0.fcaa.aaaa arrives on Port 1, and the address table
now holds 00e0.fcaa.aaaa on Port 1 and 00e0.fcbb.bbbb on Port 1)
The reverse learning process continues until the mappings for all MAC addresses
and ports have been added to the address table (assuming all workstations are in use).
II. Forwarding or Filtering Frames
At the link layer, the firewall determines whether to forward or filter a frame
based on the following three cases.
1) Forwarding frames after searching for address table successfully
If workstation A sends an Ethernet frame to workstation C, the firewall looks up the
address table, finds that workstation C is connected to Port 2, and forwards the
frame out of Port 2. This process is shown in Figure 3-7.
Figure 3-7 Forwarding frames after searching for address table successfully
(diagram: same topology as Figure 3-4; the address table holds 00e0.fcaa.aaaa on
Port 1, 00e0.fcbb.bbbb on Port 1, 00e0.fccc.cccc on Port 2 and 00e0.fcdd.dddd on
Port 2; the frame from 00e0.fcaa.aaaa to 00e0.fccc.cccc is forwarded out of Port 2,
and the reply from 00e0.fccc.cccc to 00e0.fcaa.aaaa is forwarded back out of Port 1)
Note that if the firewall receives broadcast frames or multicast frames, it will forward
them to other interfaces.
2) Filtering frames after searching for address table successfully
If workstation A sends an Ethernet frame to workstation B, the firewall will not forward
but filter the frame because workstations B and A are located on the same physical
network segment.
Figure 3-8 Filtering frames after searching for address table successfully
(diagram: same topology and address table as Figure 3-7; the frame from
00e0.fcaa.aaaa to 00e0.fcbb.bbbb arrives on Port 1 and is not forwarded)
3) Forwarding frames after searching for address table unsuccessfully
If workstation A sends an Ethernet frame to workstation C, but the firewall does not
find the mapping between the MAC address of workstation C and a port in the address
table, the firewall forwards the frame to all ports except the source port on which
the frame arrived. At this point the firewall acts as a hub, so that communication
is not interrupted. This process is shown in Figure 3-9.
Figure 3-9 Forwarding frames after searching for address table unsuccessfully
(diagram: same topology as Figure 3-4; the address table holds only 00e0.fcaa.aaaa
on Port 1 and 00e0.fcbb.bbbb on Port 1, so the frame from workstation A to
workstation C is sent out of every port except Port 1)
3.1.4 Working Process of Composite Mode
When the SecPath F1800-A works in composite mode, some interfaces should be
configured with IP addresses and some should not.
z The interfaces configured with IP addresses reside in the layer 3 security zone,
with VRRP enabled for dual-system hot backup.
z The interfaces not configured with IP addresses reside in the layer 2 security
zone. External users connected with the interfaces in the layer 2 zone belong to
the same subnet.
When packets are forwarded between interfaces in layer 2 security zone, the
forwarding process is the same as the working process of transparent mode. For
details, refer to 3.1.3 "Working Process of Transparent Mode".
When the firewall performs dual-system hot backup, the forwarding process is similar
to the working process of route mode. For details, refer to 3.1.2 "Working Process of
Route Mode".
3.2 Route Mode Configuration
Route mode configuration includes:
z Configuring the SecPath F1800-A to work in route mode
z Setting other parameters in route mode
3.2.1 Configuring the SecPath F1800-A to Work in Route Mode
Do as follows in system view.
Table 3-1 Configuring the SecPath F1800-A to work in route mode
Action Command
Configure the SecPath F1800-A to work in route mode.
firewall mode route
3.2.2 Setting Other Parameters in Route Mode
The SecPath F1800-A can serve as a router when it works in route mode so that it can
carry out network interconnection and provide upper layer enhanced services.
For the detailed configuration, refer to "04-Link Layer Protocol Operation", and
"05-Network and Routing Protocol Operation" in this manual.
3.3 Transparent Mode Configuration
Transparent mode configuration includes:
z Configuring the SecPath F1800-A to work in transparent mode
z Configuring address entries
z Configuring processing mode of IP packets with unknown MAC addresses
z Setting aging time of MAC address forwarding table
3.3.1 Configuring Transparent Mode for the SecPath F1800-A
Do as follows in system view.
Table 3-2 Configuring transparent mode for the SecPath F1800-A
Action Command
Configure transparent mode for the SecPath F1800-A.
firewall mode transparent
Restore its default value.
undo firewall mode
3.3.2 Configuring Address Entries
Do as follows in system view.
Table 3-3 Configuring address entries
Action Command
Configure address entries.
mac-address { static | blackhole } mac-address { interface interface-type interface-number } vlan vlan-id
Delete address entries.
undo mac-address mac-address vlan vlan-id
undo mac-address { dynamic | static | all | vlan vlan-id }
3.3.3 Configuring Processing Mode of IP Packets with Unknown MAC Address
In transparent mode, when the SecPath F1800-A receives an IP packet whose destination
MAC address is unknown (that is, the firewall does not know the outbound interface),
it processes the IP packet in one of the following three modes.
z Directly discards the IP packet.
z Broadcasts the ARP request packet to other interfaces, which must belong to a
security zone, except the interface receiving the packet, and discards the IP
packet. After receiving the ARP response packet, the firewall will save the
relationship between the MAC address and the interface.
z Forwards the IP packet to other interfaces, which must belong to a security zone,
except the interface receiving the packet. After receiving the response packet,
the firewall will save the MAC address and forward the subsequent packets
using the MAC address.
Do as follows in system view.
Table 3-4 Configuring processing mode of IP packets with unknown MAC addresses
Action Command
Configure processing mode of IP packets with unknown MAC addresses.
firewall unknown-mac unicast { drop | arp | flood }
firewall unknown-mac { broadcast | multicast } { drop | flood }
Restore its default value.
undo firewall unknown-mac { unicast | broadcast | multicast }
3.3.4 Setting Aging Time of MAC Address Forwarding Table
The aging time of a dynamic address table entry is how long the entry lives before it
is deleted from the address table. The aging time is controlled by an aging timer;
when the timer expires, the entry is deleted from the address table.
Do as follows in system view.
Table 3-5 Setting aging time of MAC address forwarding table
Action Command
Set aging time of MAC address forwarding table.
firewall transparent-mode mac-aging-time seconds
Restore its default value.
undo firewall transparent-mode mac-aging-time
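The transparent-mode process of 3.1.3, the static and blackhole entries of 3.3.2, the unknown-MAC modes of 3.3.3 and the aging timer of 3.3.4 all act on the same MAC address table; the following simulation is an added illustration written for this manual, not the firewall's own code. The class and method names are assumptions, a single setting stands in for the separate broadcast and multicast policies, and the 300-second aging value is taken from the configuration example in 3.6.2 rather than being a documented default.

```python
"""Model of the SecPath transparent-mode forwarding process (added illustration).

Not the firewall's code: it simulates the MAC address table of 3.1.3 (reverse
learning, forward / filter / flood decisions), the static and blackhole entries
of 3.3.2, the 'firewall unknown-mac' policies of 3.3.3 and the aging timer of
3.3.4. Class and method names are assumptions of this model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BROADCAST = "ffff.ffff.ffff"


def is_group_address(mac: str) -> bool:
    """Broadcast and multicast MACs have the I/G bit (LSB of the first octet) set."""
    return bool(int(mac.split(".")[0][:2], 16) & 0x01)


@dataclass
class Entry:
    port: int               # outbound interface (unused for blackhole entries)
    learned_at: float       # simulation clock when learned, for the aging timer
    kind: str = "dynamic"   # dynamic | static | blackhole


@dataclass
class TransparentFirewall:
    ports: List[int]
    aging_time: float = 300.0       # seconds; 300 is the value used in example 3.6.2
    unknown_unicast: str = "flood"  # firewall unknown-mac unicast { drop | arp | flood }
    unknown_group: str = "flood"    # one setting here covers broadcast and multicast
    table: Dict[str, Entry] = field(default_factory=dict)
    clock: float = 0.0

    def add_static(self, mac: str, port: int) -> None:
        """mac-address static: fixed mapping that never ages out."""
        self.table[mac] = Entry(port, self.clock, "static")

    def add_blackhole(self, mac: str) -> None:
        """mac-address blackhole: frames to this destination are discarded."""
        self.table[mac] = Entry(-1, self.clock, "blackhole")

    def advance(self, seconds: float) -> List[str]:
        """Run the aging timer; returns the dynamic entries that expired."""
        self.clock += seconds
        expired = [mac for mac, e in self.table.items()
                   if e.kind == "dynamic" and self.clock - e.learned_at > self.aging_time]
        for mac in expired:
            del self.table[mac]
        return expired

    def receive(self, in_port: int, src: str, dst: str) -> Tuple[str, List[int]]:
        """Process one frame; returns (action, egress ports)."""
        if in_port not in self.ports:
            raise ValueError(f"unknown port {in_port}")
        # 1) Reverse learning: the source MAC is reachable through the receiving port.
        current = self.table.get(src)
        if current is None or current.kind == "dynamic":
            self.table[src] = Entry(in_port, self.clock, "dynamic")
        others = [p for p in self.ports if p != in_port]
        # Broadcast and multicast frames go to all other interfaces (or are dropped).
        if is_group_address(dst):
            return ("flood", others) if self.unknown_group == "flood" else ("drop", [])
        entry = self.table.get(dst)
        if entry is not None:
            if entry.kind == "blackhole":
                return ("drop", [])
            if entry.port == in_port:
                return ("filter", [])          # same segment: Figure 3-8
            return ("forward", [entry.port])   # Figure 3-7
        # 2) Unknown destination: Figure 3-9, subject to the unknown-mac policy.
        if self.unknown_unicast == "drop":
            return ("drop", [])
        if self.unknown_unicast == "arp":
            return ("arp-request", others)     # packet discarded, ARP request sent
        return ("flood", others)               # act as a hub


if __name__ == "__main__":
    fw = TransparentFirewall(ports=[1, 2])
    a, b, c = "00e0.fcaa.aaaa", "00e0.fcbb.bbbb", "00e0.fccc.cccc"
    print(fw.receive(1, a, c))   # ('flood', [2]): C is still unknown
    print(fw.receive(1, b, a))   # ('filter', []): A and B share Port 1
    print(fw.receive(2, c, a))   # ('forward', [1])
    print(fw.receive(1, a, c))   # ('forward', [2]): table now complete
    print(fw.advance(301))       # all dynamic entries aged out
```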
3.4 Composite Mode Configuration
Composite mode configuration involves:
z Configuring the SecPath F1800-A to work in composite mode
z Setting other parameters in composite mode
3.4.1 Configuring the SecPath F1800-A to Work in Composite Mode
Do as follows in system view.
Table 3-6 Configuring the SecPath F1800-A to work in composite mode
Action Command
Configure the SecPath F1800-A to work in composite mode.
firewall mode composite
3.4.2 Setting Other Parameters in Composite Mode
When working in composite mode, the SecPath F1800-A is mainly used for
dual-system hot standby in transparent mode. When two firewalls for dual-system hot
backup work in composite mode, the interfaces with IP addresses should be
configured with VRRP.
For details, refer to the “Dual-System Hot Backup” chapter in "08-Reliability
Operation" module of this manual.
For the configuration of other interfaces, refer to the configuration in transparent
mode.
3.5 Displaying and Debugging Firewall Working Mode
You can use the display command in any view to view the running state and verify the
configuration of working mode.
Table 3-7 Displaying and debugging working mode
Action Command
View current working mode of the firewall.
display firewall mode
View MAC address forwarding table.
display firewall transparent-mode address-table [ vlan vlan-id [ mac mac-address ] | static | dynamic ]
3.6 Typical Example for Configuring Firewall Working Mode
3.6.1 Processing IP Packet with Unknown MAC Address
I. Networking Requirements
When the SecPath F1800-A works in transparent mode, you need to configure and
manage the firewall through Telnet. In the event of receiving an IP packet with an
unknown MAC address, the firewall will forward the packet to all other interfaces
except the receiving interface.
II. Networking Diagram
Figure 3-10 Processing IP packet with unknown MAC address (diagram: the Trust zone
holds the internal network of PCs and a server; the Untrust zone holds a router to
the external network (Internet); the SecPath sits between the two zones, and the
diagram carries the address label 202.106.100.1/24)
III. Configuration Procedure
# Configure the SecPath F1800-A to work in transparent mode.
[SecPath] firewall mode transparent
# Configure the firewall in transparent mode so that it can forward the packet to all
other interfaces except the receiving interface, in the event of receiving an IP packet
with an unknown MAC address.
[SecPath] firewall unknown-mac unicast flood
3.6.2 Connecting Multiple LANs with the SecPath F1800-A in Transparent Mode
I. Networking Requirements
In a building, several PCs and servers form LAN1 on one floor, and several PCs and
servers form LAN2 on another floor. You are required to connect LAN1 with LAN2
through the SecPath F1800-A.
II. Networking Diagram
Figure 3-11 Networking in transparent mode (diagram: LAN1 and LAN2, each with PCs
and a server, connected to the SecPath through interfaces E0/0/0 and E1/0/0)
III. Configuration Procedure
# Configure the SecPath F1800-A to work in transparent mode.
[SecPath] firewall mode transparent
# Set aging time of the firewall forwarding table to 300 seconds.
[SecPath] firewall transparent-mode mac-aging-time 300
# Set the default filter rule of the firewall.
[SecPath] firewall packet-filter default permit interzone trust untrust
Page 91
Operation Manual - System Management H3C SecPath F1800-A Firewall Table of Contents
i
Table of Contents
Chapter 1 System Maintenance Management............................................................................ 2-1
1.1 Introduction to System Maintenance Management........................................................... 2-1
1.2 Configuration File Management.........................................................................................2-1
1.2.1 Content and Format of Configuration File...............................................................2-1
1.2.2 Displaying Current Configuration and Initial Configuration of the Firewall..............2-1
1.2.3 Modifying and Saving the Current Configuration....................................................2-2
1.2.4 Resetting the Configuration File.............................................................................. 2-2
1.2.5 Configuring File Usage............................................................................................ 2-3
1.3 Maintenance Debugging....................................................................................................2-4
1.3.1 Configuring Firewall Name and System Clock........................................................2-4
1.3.2 Using Regular Expressions for Information Display................................................2-4
1.3.3 System Status Information Collection.....................................................................2-7
1.3.4 Test Tool for Network Connection...........................................................................2-7
1.3.5 System Debugging.................................................................................................. 2-9
1.4 Patch Software Upgrade.................................................................................................. 2-11
1.4.1 Patch Software Upgrade....................................................................................... 2-11
1.4.2 Displaying Patch Software Upgrade..................................................... 2-11
1.5 Information Center...........................................................................................................2-12
1.5.1 Introduction to Information Center.........................................................................2-12
1.5.2 Configuring Information Center............................................................................. 2-12
1.5.3 Displaying Terminal Configuration........................................................................2-17
1.5.4 Configuration Example.......................................................................................... 2-17
1.6 Log Maintenance.............................................................................................................2-20
1.6.1 Introduction to Log ................................................................................................2-20
1.6.2 Binary Flow Log Configuration.............................................................................. 2-21
1.6.3 Displaying and Debugging Log.............................................................................2-22
1.6.4 Typical Examples for Configuring Log.................................................................. 2-22
Chapter 2 File Management........................................................................................................ 2-26
2.1 File System......................................................................................................................2-26
2.1.1 Introduction to File System.................................................................................... 2-26
2.1.2 Directory Operation...............................................................................................2-26
2.1.3 File Operation........................................................................................................ 2-26
2.1.4 Storage Device Operation.....................................................................................2-27
2.1.5 File System Prompt Mode.....................................................................................2-27
2.1.6 Configuration Example.......................................................................................... 2-28
2.2 FTP Configuration............................................................................................................ 2-28
2.2.1 Introduction to FTP................................................................................................ 2-28
2.2.2 Configuring the FTP Server .................................................................................. 2-29
2.2.3 Displaying and Debugging the FTP Server........................................................... 2-30
2.2.4 Typical Example for Configuring FTP Connection................................................ 2-30
2.3 TFTP Configuration .........................................................................................................2-34
2.3.1 Introduction to TFTP .............................................................................................2-34
2.3.2 Configuring TFTP.................................................................................................. 2-35
2.4 Configuring the XModem Protocol................................................................................... 2-36
2.4.1 Introduction to the XModem Protocol.................................................................... 2-36
2.4.2 Configuring the XModem Protocol........................................................................2-37
Chapter 3 NTP Configuration.....................................................................................................2-38
3.1 Introduction to NTP..........................................................................................................2-38
3.2 Configuring NTP .............................................................................................................. 2-39
3.2.1 Configuring NTP Working Mode ........................................................................... 2-39
3.2.2 Configuring NTP Authentication............................................................................ 2-43
3.2.3 Configuring NTP Authentication Key.....................................................................2-43
3.2.4 Configuring Specified Key as Reliable.................................................................. 2-43
3.2.5 Configuring the Interface through Which NTP Packets are Sent.......................... 2-43
3.2.6 Configuring NTP Master Clock..............................................................................2-44
3.2.7 Enabling or Disabling the Interface to Receive NTP Packets............................... 2-44
3.2.8 Configuring Access Control Right for Local Firewall Service................................ 2-45
3.2.9 Configuring the Number of Allowed Sessions....................................................... 2-45
3.3 Displaying and Debugging NTP.......................................................................................2-45
3.4 Typical Example for Configuring NTP..............................................................................2-46
3.4.1 Configuring the NTP Server.................................................................................. 2-46
3.4.2 Configuring NTP Peer Mode................................................................................. 2-47
3.4.3 Configuring NTP Broadcast Mode ........................................................................ 2-49
3.4.4 Configuring NTP Multicast Mode .......................................................................... 2-50
3.4.5 Configuring NTP Server Mode with Authentication...............................................2-52
Chapter 4 SNMP Configuration..................................................................................................2-54
4.1 Overview.......................................................................................................................... 2-54
4.1.1 Introduction to SNMP............................................................................................2-54
4.1.2 SNMP Versions and MIB ...................................................................................... 2-54
4.2 SNMP Configuration........................................................................................................2-56
4.2.1 Enabling or Disabling SNMP Agent Service......................................................... 2-56
4.2.2 Enabling or Disabling SNMP Version ................................................................... 2-57
4.2.3 Configuring a Community Name........................................................................... 2-57
4.2.4 Configuring an SNMP Group ................................................................................ 2-57
4.2.5 Adding a User to an SNMP Group........................................................................ 2-58
4.2.6 Configuring sysContact......................................................................................... 2-58
4.2.7 Enabling or Disabling Sending the Trap Packet ................................................... 2-59
4.2.8 Setting Engine ID for the Local Device ................................................................. 2-59
4.2.9 Assigning the Address to the Host Receiving the Trap Packet ............................2-60
4.2.10 Configuring sysLocation...................................................................................... 2-60
4.2.11 Specifying the Source Address to Send the Trap Packet...................................2-60
4.2.12 Creating or Updating View Information...............................................................2-60
4.2.13 Setting Maximum Size of SNMP Messages Received by or Sent from Agent... 2-61
4.2.14 Setting Length of a Message Queue Containing the Trap Packet......................2-61
4.2.15 Setting Saving Time for the Trap Packet............................................................ 2-61
4.3 Displaying and Debugging SNMP ................................................................................... 2-62
4.4 Typical Example for Configuring the SNMP.................................................................... 2-62
Page 94
Operation Manual - System Management H3C SecPath F1800-A Firewall Chapter 1 System Maintenance Management
2-1
Chapter 1 System Maintenance Management
1.1 Introduction to System Maintenance Management
System maintenance management includes:
z Configuration file management
z System status information collection and maintenance debugging tool usage
z Patch upgrade management
z System information center maintenance and management
z Log maintenance and management
1.2 Configuration File Management
1.2.1 Content and Format of Configuration File
The configuration file is a text file with the following format:
z It is saved in command format.
z To save space, only non-default parameters are saved. For the default parameters, refer to the following chapters.
z Commands are organized by command view. The commands in the same command view are grouped together to form a section, and adjacent sections are separated by one or more blank lines or comment lines (beginning with #).
z Sections are usually arranged in the order of global configuration, physical interface configuration, logical interface configuration and routing protocol configuration.
z The file ends with return.
1.2.2 Displaying Current Configuration and Initial Configuration of the Firewall
After power-on, the firewall reads the configuration file from its default path to perform initialization; this file is called the initial configuration.
If the firewall does not find the initial configuration file in the default path, it uses the default parameters to carry out initialization.
The configuration that takes effect while the firewall is running is called the current configuration.
Do as follows in all views.
Table 1-1 Displaying firewall configuration
Action Command
View the initial configuration of the firewall.
display saved-configuration
View the current configuration of the firewall.
display current-configuration
View technical information on the firewall.
display diagnostic-information
View the configuration in the current view.
display this
Note:
The configuration file is displayed in saved format.
1.2.3 Modifying and Saving the Current Configuration
You can modify the current configuration of the firewall through the command line interface. To make the current configuration the initial configuration the next time the firewall powers on, use the save command to save it to the default storage device; this creates a configuration file.
Do as follows in user view.
Table 1-2 Saving the current configuration
Action Command
Save the current configuration.
save
1.2.4 Resetting the Configuration File
You can reset the configuration file saved in the storage device. After that, the firewall will use the default configuration parameters to carry out initialization when it powers on next time.
In the following cases, you need to reset the configuration file.
z After the firewall software is upgraded, the software does not match the
configuration file.
z The configuration file is damaged or incorrect.
After resetting the configuration file, you can use the save command to save the current configuration file as a new one.
Do as follows in user view.
Table 1-3 Resetting the configuration file in storage device
Action Command
Reset the configuration file in storage device.
reset saved-configuration
1.2.5 Configuring File Usage
I. Naming the System Software File Used for the Next Startup
Do as follows in user view.
Table 1-4 Naming the system software file used for the next startup
Action Command
Name the system software file used for the next startup.
startup system-software sysfile
II. Naming the Configuration File Used for the Next Startup
Do as follows in user view.
Table 1-5 Naming the configuration file used for the next startup
Action Command
Name the configuration file used for the next startup.
startup saved-configuration cfgfile
III. Displaying the Files Used at Startup
You can use the display command in all views to view the running state of the configuration files, and to verify the effect of the configuration.
Table 1-6 Displaying the file used at startup
Action Command
View the file used at startup.
display startup
IV. Comparing the Configuration File
Do as follows in user view.
Table 1-7 Comparing the configuration file
Action Command
Compare the current configuration file with the configuration file saved in the storage device.
compare configuration [ line-number1 line-number2 ]
1.3 Maintenance Debugging
1.3.1 Configuring Firewall Name and System Clock
Use the sysname command in system view, and the clock command in user view.
Table 1-8 Basic configuration and management
Action Command
Name the firewall.
sysname sysname
Configure system clock.
clock datetime HH:MM:SS YYYY/MM/DD
1.3.2 Using Regular Expressions for Information Display
I. Introduction to Regular Expression
A regular expression is a tool for pattern matching and substitution; it is powerful and can be used flexibly.
Regular expressions are not tied to particular languages or systems, and so have become a widely used concept and function.
To use a regular expression, you construct a matching pattern according to a set of rules and then match the pattern against the target object. The simplest regular expression contains no metacharacters. For example, the regular expression "hello" matches only the character string "hello".
To help construct matching patterns flexibly, regular expressions provide characters with special meanings, called metacharacters, which define how other characters in the target object are matched.
Table 1-9 lists these metacharacters.
Table 1-9 Description of metacharacters
Metacharacter Description
\ Escape character.
. Matches any single character except “\n”, including space.
* The character before it does not appear, or appears several times repeatedly, in the target object.
+ The character before it appears once or several times repeatedly in the target object.
| The characters to its left and to its right are in an “or” relationship.
^ The characters after it must appear at the beginning of the target object.
$ The characters before it must appear at the end of the target object.
[xyz] Matches any character in the square brackets.
[^xyz] Matches any character other than those in the square brackets (“^” is before the characters).
[a-z] Matches any character within the specified range.
[^a-z] Matches any character out of the specified range.
{n} The “n” in the braces is a non-negative integer. The preceding character must appear exactly n consecutive times.
{n,} The “n” in the braces is a non-negative integer. The preceding character must appear at least n consecutive times.
{n,m} The “m” and “n” in the braces are non-negative integers, n<=m. The preceding character must appear n to m consecutive times. Note that there is no space between n and the comma, or between the comma and m.
For example: ^ip matches a target object starting with the character string “ip”; ip$ matches a target object ending with the character string “ip”.
II. Applying Regular Expression
When there is a great deal of information to output, you can:
• Use a regular expression to select the contents to be displayed.
• Filter out the contents you are not concerned with.
1) Specifying the filtering mode in the command
To filter the output, you can choose one of three filtering modes with the expression | { begin | exclude | include } regular-expression:
• begin: outputs all lines starting with the line that matches the specified regular expression.
• exclude: outputs all lines that do not match the specified regular expression.
• include: outputs all lines that match the specified regular expression.
2) Specifying the filtering mode in split screen display
When the output is too long and is displayed in split screen, you can specify the filtering mode at the split screen prompt “---- More ----”.
• /regular-expression: outputs all lines starting with the line that matches the specified regular expression.
• -regular-expression: outputs all lines that do not match the specified regular expression.
• +regular-expression: outputs all lines that match the specified regular expression.
For example: view the current configuration.
<SecPath> display current-configuration
#
sysname SecPath
#
controller E3 0/1/0
e1 1 channel-set 1 timeslot-list 1-31
#
controller T3 1/1/0
#
interface Ethernet0/2/0
description Don't change the configuration please
ip address 10.110.98.137 255.255.255.0
#
interface Ethernet1/0/0
#
interface Ethernet1/2/0
#
interface Serial0/1/0/1:1
link-protocol ppp
ip address 100.110.1.1 255.255.255.0
#
interface Pos0/0/0
#
interface NULL0
When the split screen prompt “---- More ----” appears, you can input a regular expression to filter the contents to be displayed. In this example, only the lines that contain the character string “interface” are output.
---- More ----
+interface          (manually input by the user)
filtering...
interface LoopBack0
user-interface con 0
user-interface vty 0 14
<SecPath>
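As an added example (not part of the manual or of the firewall software), the following Python script implements the three filtering modes and the “---- More ----” prompt shorthand (/, -, +) over a constructed sample of display current-configuration output, so the behaviour of begin, exclude and include can be checked offline; the sample lines and the function names are my own.

```python
import re

# Constructed sample in the spirit of the manual's
# "display current-configuration" output (not captured from a device).
SAMPLE_OUTPUT = """\
#
sysname SecPath
#
controller E3 0/1/0
 e1 1 channel-set 1 timeslot-list 1-31
#
interface Ethernet0/2/0
 description Don't change the configuration please
 ip address 10.110.98.137 255.255.255.0
#
interface Serial0/1/0/1:1
 link-protocol ppp
 ip address 100.110.1.1 255.255.255.0
#
interface NULL0
""".splitlines()


def filter_output(lines, mode, pattern):
    """Apply one of the manual's three filtering modes to output lines.

    begin   : every line from the first line matching pattern onward
    exclude : only the lines that do not match pattern
    include : only the lines that match pattern
    A search (not a full-line match) is used, so ^ and $ behave as in
    the metacharacter table: ^ip anchors at line start, ip$ at line end.
    """
    regex = re.compile(pattern)
    if mode == "begin":
        for i, line in enumerate(lines):
            if regex.search(line):
                return lines[i:]
        return []
    if mode == "exclude":
        return [l for l in lines if not regex.search(l)]
    if mode == "include":
        return [l for l in lines if regex.search(l)]
    raise ValueError(f"unknown filtering mode: {mode}")


def filter_at_more_prompt(lines, entry):
    """Translate what is typed at '---- More ----' into a filtering mode."""
    prefix_to_mode = {"/": "begin", "-": "exclude", "+": "include"}
    if not entry or entry[0] not in prefix_to_mode:
        raise ValueError("entry must start with /, - or +")
    return filter_output(lines, prefix_to_mode[entry[0]], entry[1:])


if __name__ == "__main__":
    for line in filter_at_more_prompt(SAMPLE_OUTPUT, "+interface"):
        print(line)
```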
1.3.3 System Status Information Collection
Using the display commands, you can collect system status information. By function, system status information can be classified as:
• Commands displaying the system configuration
• Commands displaying the system running state
For display commands about protocols and interfaces, refer to the relevant sections. Do as follows in all views.
Table 1-10 System display commands
Action Command
View system version. display version
View system clock. display clock
View end users. display users [ all ]
View the initial configuration. display saved-configuration
View the current configuration. display current-configuration
View debugging state. display debugging [ interface { interface-type interface-number } ] [ module-name ]
1.3.4 Test Tool for Network Connection
I. Ping
Using the ping command, you can check whether the network is connected and whether the host is reachable.
Do as follows in all views.
Table 1-11 ping command
Action Command
Ping a host over IP. ping [ -a X.X.X.X ] [ -c count ] [ -d ] [ -h ttl_value ] [ -i { interface-type interface-number } ] [ ip ] [ -n ] [ -p pattern ] [ -q ] [ -r ] [ -s packetsize ] [ -t timeout ] [ -tos tos ] [ -v ] [ -vpn-instance vpn-instance-name ] host
For the parameters in detail, refer to the related chapter in the Command Reference.