HP A-F1000-E Getting Started Manual

Download

HP High-End Firewalls

Getting Started Guide

Part number: 5998-2626

Software version: A-F1000-E/Firewall module: R3166P13

A-F5000-A5: R3206P14

Document version: 6PW100-20110909

Legal and notice information

No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

HEWLETT-PACKARD COMPANY MAKES NO WARRANTY OF ANY KIND WITH REGARD TO THIS MATERIAL, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not be liable for errors contained herein or for incidental or consequential damages in connection with the furnishing, performance, or use of this material.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Product overview·······························································································································································1

Firewall A-F1000-E···················································································································································1 Firewall A-F5000······················································································································································2 HP firewall modules ·················································································································································2

Application scenarios ·······················································································································································4

A-F1000-E application·············································································································································4 A-F5000 application················································································································································5 Firewall module application····································································································································6

Login methods····································································································································································7 User interface overview····················································································································································8

Users and user interfaces·········································································································································9 Numbering user interfaces ······································································································································9

CLI login······································································································································································10

Overview········································································································································································· 10 Logging in through the console port ···························································································································· 10

Introduction ···························································································································································· 10 Configuration requirements·································································································································· 10 Login procedure····················································································································································· 11 Console login authentication modes ··················································································································· 14 Configuring none authentication for console login ··························································································· 14 Configuring password authentication for console login ··················································································· 15 Configuring scheme authentication for console login ······················································································· 16 Configuring common settings for console login (optional) ··············································································· 19

Logging in through Telnet·············································································································································· 21

Introduction ···························································································································································· 21 Telnet login authentication modes ······················································································································· 21 Configuring none authentication for Telnet login ······························································································ 22 Configuring password authentication for Telnet login ······················································································23 Configuring scheme authentication for Telnet login ·························································································· 24 Configuring common settings for VTY user interfaces (optional)······································································ 27 Configuring the device to log in to a Telnet server as a Telnet client······························································ 29

Logging in through SSH ················································································································································ 29

Logging in through the AUX port·································································································································· 33

Introduction ···························································································································································· 33 AUX login authentication modes ·························································································································34 Configuring none authentication for AUX login································································································· 35 Configuring password authentication for AUX login························································································· 35 Configuring scheme authentication for AUX login ···························································································· 36 Configuring common settings for AUX login (optional)····················································································· 39 Configuration requirements·································································································································· 41 Login procedure····················································································································································· 41

Logging in through modems ········································································································································· 44

Configuration requirements·································································································································· 44 Login procedure····················································································································································· 44 Modem login authentication modes ···················································································································· 48 Configuring none authentication for modem login···························································································· 48 Configuring password authentication for modem login···················································································· 50 Configuring scheme authentication for modem login ······················································································· 51 Configuring common settings for modem login (optional)················································································ 53

Displaying and maintaining CLI login ·························································································································56

Web login ··································································································································································57

Web login overview ······················································································································································ 57 Configuration guidelines ··············································································································································· 57 Logging in to the firewall by using the default web login information····································································· 57 Modifying the default web login information ············································································································· 58

Configuring the web login function····················································································································· 58 Configuring HTTP login ················································································································································· 59 Configuring HTTPS login ··············································································································································· 60 Displaying and maintaining web login ······················································································································· 62 Web login example······················································································································································· 62

HTTP login example ·············································································································································· 62

HTTPS login example ············································································································································ 63 Troubleshooting web login problems··························································································································· 65

Problem 1: Unable to access the device through web······················································································ 65

NMS login ··································································································································································69

NMS login overview······················································································································································ 69 Configuring NMS login················································································································································· 70 NMS login example······················································································································································· 71

Logging in to the firewall module from the network device····················································································73

Logging in to the firewall module from the network device······················································································· 73

Configuring the AUX user interface of the firewall module ·············································································· 73

Logging in to the firewall module ························································································································ 73 Monitoring and managing the firewall module on the network device ··································································· 74

Resetting the system of the firewall module ········································································································ 74

Configuring the ACSEI protocol ··························································································································74 Example for monitoring and managing the firewall module from the network device ·········································· 76

Basic configuration ····················································································································································79

Launching the basic configuration wizard·········································································································· 79

Configuring the system name and user password····························································································· 80

Configuring service management························································································································ 81

Configuring the IP address for an interface········································································································ 83

Configuring NAT··················································································································································· 84

Completing the configuration wizard ·················································································································85

Device management ··················································································································································87

Device management overview······································································································································ 87 Configuring the device name ·······································································································································87

Configuring the device name in the web interface···························································································· 87

Configuring the device name in the CLI·············································································································· 87 Configuring the system time·········································································································································· 88

Configuring the system time in the web interface······························································································ 88

Configuring the system time in the CLI················································································································ 92 Setting the idle timeout timer········································································································································· 95

Setting the idle timeout timer in the web interface····························································································· 95

Setting the idle timeout timer in the CLI··············································································································· 96

Enabling the display of copyright information············································································································ 96 Configuring banners······················································································································································ 96

Introduction to banners ········································································································································· 96

Configuring banners ············································································································································· 97 Configuring the maximum number of concurrent users ····························································································· 98 Configuring the exception handling method··············································································································· 98 Rebooting the firewall···················································································································································· 99

Rebooting the firewall in the CLI·························································································································· 99 Configuring a scheduled task ·····································································································································100

What is a scheduled task ···································································································································100

Configuration approaches ·································································································································100

Scheduled task configuration example ·············································································································103 Configuring temperature alarm thresholds for a card······························································································104 Clearing unused 16-bit interface indexes··················································································································104 Identifying and diagnosing pluggable transceivers ·································································································105

Introduction to pluggable transceivers ··············································································································105

Identifying a pluggable transceiver···················································································································106

Diagnosing a pluggable transceiver ·················································································································106 Displaying and maintaining device management ····································································································106

User management··················································································································································· 108

Configuring local users················································································································································108

Local user overview·············································································································································108

User levels ····························································································································································108

Configuring a local user·····································································································································108

Local user configuration example······················································································································109 Configuring user login control ····································································································································110

User login control overview································································································································110

Configuring login control over Telnet users······································································································110

Configuring source IP-based login control over NMS users ···········································································113

Configuring source IP-based login control over web users·············································································114 Displaying online users················································································································································116

Displaying online users·······································································································································116

CLI configuration····················································································································································· 117

What is CLI? ·································································································································································117 Entering the CLI ····························································································································································117 Command conventions ················································································································································117 Undo form of a command···········································································································································118 CLI views ·······································································································································································118

CLI view description ············································································································································118

Entering system view···········································································································································119

Exiting the current view·······································································································································120

Returning to user view·········································································································································120 Using the CLI online help ············································································································································120 Typing commands························································································································································121

Editing command lines········································································································································121

Typing incomplete keywords······························································································································122

Configuring command aliases ···························································································································122

Configuring CLI hotkeys······································································································································123

Redisplaying input but not submitted commands·····························································································124 Checking command-line errors ···································································································································125 Using command history···············································································································································125

Accessing history commands ·····························································································································125

iii

Configuring the history buffer size ····················································································································126 Controlling the CLI display··········································································································································126

Multi-screen display·············································································································································126

Filtering output information·································································································································127 Configuring user privilege and command levels ······································································································130

Configuring a user privilege level ·····················································································································130

Switching user privilege level·····························································································································133

Modifying the level of a command ···················································································································134 Saving the current configuration ································································································································134 Displaying and maintaining CLI ·································································································································134

Support and other resources ·································································································································· 135

Contacting HP ······························································································································································135

Subscription service ············································································································································135 Related information······················································································································································135

Documents····························································································································································135

Websites·······························································································································································135 Conventions ··································································································································································136

Index ········································································································································································ 138

Overview

This documentation is applicable to the following HP high-end firewall products and software versions:

• Firewall chassis—A-F1000-E (R3166P13), and A-F5000 (R3206P14)

• Firewall modules—(R3166P13)

You can configure most of the firewall functions in the web interface and some functions in the command line interface (CLI). Each function configuration guide specifies clearly whether the function is configured in the web interface or CLI.

This chapter includes these sections:

• Product overview

• Application scenarios

Product overview

Firewall A-F1000-E

The HP A-F1000-E firewall (hereinafter referred as the A-F1000-E) is designed for large- and medium-sized networks. It supports the following functions:

• Traditional firewall functions

• Virtual firewall, security zone, attack protection, URL filtering

• Application Specific Packet Filter (ASPF), which can monitor connection processes and user

operations and provide dynamic packet filtering together with ACLs.

• Multiple types of VPN services, such as IPsec VPN

• RIP/OSPF/BGP routing

• Power supply redundancy backup (AC+AC or DC+DC)

• Stateful failover (Active/Active and Active/Standby mode)

• Inside-chassis temperature detection

• Its own web-based management system

• Support for management by iMC

The A-F1000-E uses a multi-core processor and provides the following interfaces:

• Four combo interfaces, for fiber/copper port switching

• Two high-speed interface module (HIM) expansion slots, which support the following interface

modules: 4GBE, 8GBE, HIM-1EXP, and 4GBP.

Figure 1 Appearance of the A-F1000-E

Firewall A-F5000

The HP A-F5000 firewall (hereinafter referred to as the A-F5000) provides security protection for large enterprises, carriers, and data centers. It adopts multi-core multi-threaded and ASIC processors to construct a distributed architecture, which allows for the separation of the system management and service processing, making it a firewall that has the highest, distributed security processing capability.

The A-F5000 supports the following functions and features:

• Protection against external attacks, internal network protection, traffic monitoring, email filtering,

web filtering, application layer filtering

• ASPF

• Multiple types of VPN services, such as L2TP VPN, GRE VPN, IPsec VPN, and dynamic VPN

• RIP/OSPF/BGP routing, routing policy, and policy-based routing

• Power supply 1+1 redundancy backup (AC+AC or DC+DC)

• Service interface cards are hot swappable.

• High availability functions, such as stateful failover and VRRP

Figure 2 Appearance of the A-F5000

HP firewall modules

The HP firewall modules are developed based on the Open Application Architecture (OAA) for carrier-level customers.

A firewall module can be installed in the HP A5800/A7500/A9500/A12500 Switch Series or an A6608/A8800 router. A switch or router can be installed with multiple firewall modules to expand the firewall processing capability for future use. The main network device (switch or router) and the firewall modules together provide highly integrated network and security functions for large networks.

The firewall modules support the following functions and features:

• Traditional firewall functions

• Virtual firewall, security zone, attack protection, URL filtering

• Application Specific Packet Filter (ASPF), which can monitor connection processes and user

operations and provide dynamic packet filtering together with ACLs.

• Multiple types of VPN services, such as IPsec VPN

• RIP/OSPF/BGP routing

A firewall module provides two GE ports and two GE combo interfaces. It is connected to the main network device through the internal 10GE port. The HP main network device’s rear card has the line-speed forwarding capability, ensuring fast data forwarding with the firewall module. The firewall modules are equipped with dedicated, multi-core processors and high-speed caches. They can process security services without impacting performances of the main network devices.

Figure 3 Firewall module for A5800 series switches

Figure 4 Firewall module for A7500/A9500/A12500 series switches

Figure 5 Firewall module for A6600/A8800 routers

Application scenarios

The A-F1000-E and A-F5000 have similar software functions.

The firewall modules also have similar software functions to the A-F1000-E. You can regard a firewall module as an A-F1000-E firewall that is connected to the main network device through their 10 GE ports. The difference lies in that the A-F1000-E firewall uses physical ports to forward data, and the firewall module uses logical interfaces (subinterfaces and VLAN interfaces) of the 10 GE port to forward data.

The configuration on a firewall module is similar to that on an A-F1000-E firewall.

• Configurations for zone-based security functions, such as attack protection and object-oriented

ACLs, are the same on the two firewalls. The difference is that the A-F1000-E adds physical ports to security zones, and the firewall module adds logical interfaces (subinterfaces and VLAN interfaces) of the 10 GE port to security zones.

• Configurations for interface-based security functions are the same on the two firewalls. The

difference is that the A-F1000-E supports these functions on physical ports and the firewall module support these functions on the logical interfaces of the 10 GE port.

For more information about the configuration differences, see the Layer 2 and Layer 3 forwarding configurations in Network Management Configuration Guide.

A-F1000-E application

Deployed at the egress of an enterprise network, A-F1000-E firewalls can protect against external attacks, ensure security access from the external network to the internal network resources (such as servers in the DMZ zone) through NAT and VPN functions, and control access to the internal network by using security zones. You can deploy two firewalls in the network for redundancy backup to avoid a single point failure.

Figure 6 Network diagram for the A-F1000-E application

A-F5000 application

Large data centers are connected to the 10G core network usually through a 10G Ethernet. The A-F5000 firewall has a 10G processing capability and abundant port features. It can be deployed at the egress of a network to protect security for the internal network. You can deploy two firewalls to implement stateful failover.

• Active-active stateful failover can balance user data.

• Active-standby stateful failover improves availability of the firewalls. They back up each other to

avoid a single point failure.

Figure 7 Network diagram for the A-F5000 application

Firewall module application

Firewall modules work with the main network devices (such as A5800/A7500/A9500/A12500 switches and A6600/A8800 routers). Deployed at the egress of a network, the firewall modules can protect against external attacks and implement security access control of the internal network by using security zones. You can meet the development of the network simply by installing more firewall modules to a switch or router. Deploying two switches/routers with the firewall modules in the network can improve service availability.

Figure 8 Network diagram for the firewall module application

Login methods

HP Series High-End Firewalls support the following login methods:

• Local login through the console port

• Remote login through an Ethernet port or through Telnet/SSH

• Remote login through the AUX port

• Login through the web interface

• NMS login

In addition to these login methods, HP firewall modules also support login from the network device (a switch or router) that accommodates the firewall module.

Table 1 Login methods

CLI login

Logging in through the console port

Logging in through Telnet

Logging in through SSH

By default, you can log in to a device through the console port, the authentication mode is None (no username or password required), and the user privilege level is 3.

By default, you cannot log in to a device through Telnet. To do so, log in to the device through the console port, and complete the following configuration:

• Enable the Telnet function.

• Configure the IP address of the management Ethernet interface of the device,

and make sure that your device and the Telnet client can reach each other (by default, the IP address of the management Ethernet interface is

192.168.0.1/24).

• Configure the authentication mode of VTY login users (scheme by default).

• Configure the user privilege level of VTY login users (0 by default).

By default, you cannot log in to a device through SSH. To do so, log in to the device through the console port, and complete the following configuration:

• Enable the SSH function and configure SSH attributes.

• Configure the IP address of the management Ethernet interface of the device,

and make sure that your device and the SSH client can reach each other (by default, the IP address of the management Ethernet interface is

192.168.0.1/24).

• Configure the authentication mode of VTY login users as scheme (scheme by

default).

• Configure the user privilege level of VTY login users (0 by default).

By default, you to the device through the console port, and complete the following

Logging in through the AUX port

configuration:

• Configure the password for the default password authentication mode, or

change the authentication mode and configure parameters for the new authentication mode.

The default user privilege level of AUX login users is 0.

cannot log in to a device through the AUX port. To do so, log in

Web login

NMS login

Logging in through modems

By default, you can log in to a device through modems. The default user privilege level of modem login users is 3.

By default, you can log in to a device through web. If the web function is disabled, you need to log in to the device through the console port, and complete the following configuration:

• Configure the IP address of the management Ethernet interface of the device,

and make sure the device and web terminal can reach each other (by default, the IP address of the management Ethernet interface is

192.168.0.1/24.).

• Configure a username and password for web login (by default, the username

and password are admin).

• Configure the user privilege level for web login (by default, the user privilege

level is 3).

• Configure the web service type for web login (not configured by default).

By default, you cannot log in to a device through a network management station (NMS). To do so, log in to the device through the console port, and complete the following configuration:

• Configure the IP address of the management Ethernet interface, and make

sure the device and the NMS can reach each other (by default, the IP address of the management Ethernet is 192.168.0.1/24. ).

• Configure SNMP basic parameters.

User interface overview

User interfaces, or lines allow you to manage and monitor sessions between the terminal and device when you log in to the device through the console port, AUX port, or through Telnet or SSH.

Asynchronous serial interfaces include the following types:

• Synchronous/asynchronous serial interface operating in asynchronous mode, whose interface

index begins with Serial.

• Dedicated asynchronous serial interface, whose interface index begins with Async.

One user interface corresponds to one user interface view where you can configure a set of parameters, such as whether to authenticate users at login, whether to redirect the requests to another device, and the user privilege level after login. When the user logs in through a user interface, the parameters set for the user interface apply.

At present, the system supports the following CLI configuration methods:

• Local configuration via the console port

• Local/Remote configuration via the AUX port (Auxiliary port)

• Local/Remote configuration through Telnet or SSH

The methods correspond to the following user interfaces.

• Console user interface: Used to manage and monitor users that log in via the console port. The type

of the console port is EIA/TIA-232 DCE.

• AUX user interface: Used to manage and monitor users that log in via the AUX port. The type of the

AUX port is EIA/TIA-232 DTE. The port is usually used for modem dialup access.

• VTY (virtual type terminal) user interface: Used to manage and monitor users that log in via VTY. A

VTY port is a logical terminal line used for Telnet or SSH access.

Users and user interfaces

Only one user can use a user interface at a time. The configuration made in a user interface view applies to any login user. For example, if user A uses the console port to log in, the configuration in the console port user interface view applies to user A; if user A logs in through VTY 1, the c onfiguration in VTY 1 user interface view applies to user A.

A device has one console port, one AUX port, and multiple Ethernet interfaces. These user interfaces do not associate with specific users. When a user initiates a connection request, the system automatically assigns an idle user interface with the smallest number to the user based on the login method. During the login, the configuration in the user interface view takes effect. The user interface varies depending on the login method and the login time.

Numbering user interfaces

User interfaces can be numbered by using absolute numbering or relative numbering.

Absolute numbering

Absolute numbering identifies a user interface or a group of different types of user interfaces. The specified user interfaces are numbered from number 0 with a step of 1 and in the sequence of console, TTY (not supported, but the numbers are reserved), AUX, and VTY user interfaces. You can use the display user-interface command without any parameters to view supported user interfaces and their absolute numbers.

Relative numbering

Relative numbering allows you to specify a user interface or a group of user interfaces of a specific type. The number format is “user interface type + number”. The following rules of relative numbering apply:

• Console ports are numbered from 0 in the ascending order, with a step of 1.

• AUX ports are numbered from 0 in the ascending order, with a step of 1.

• TTYs are numbered from 1 in the ascending order, with a step of 1.

CLI login

Overview

The CLI enables you to interact with a device by typing text commands. At the CLI, you can instruct your device to perform a given task by typing a text command and then pressing Enter to submit it to your device. Compared with the graphical user interface (GUI) where you can use a mouse to perform configuration, the CLI allows you to input more information in one command line.

You can log in to the device at the CLI through the console port, Telnet, SSH, or modem.

• By default, you can log in to a device through the console port without any authentication, which

introduces security problems.

• By default, you cannot log in to a device through Telnet, SSH, or modem, so you cannot remotely

manage and maintain the device.

Therefore, you need to perform configurations to increase device security and manageability.

Logging in through the console port

Introduction

Logging in through the console port is the most common login method, and is also the first step to configure other login methods.

By default, you can log in to a device through its console port only. After logging in to the device through the console port, you can configure other login methods.

Configuration requirements

The following table shows the configuration requirements for console port login.

Object Requirements

Device No configuration requirement

Terminal

The port properties of the hyper terminal must be the same as the default settings of the console port shown in the following table.

Run the hyper terminal program.

Configure the hyper terminal attributes.

Setting Default

Bits per second 9,600 bps

Flow control None

Parity None

Setting Default

Stop bits 1

Data bits 8

Login procedure

1. As shown in Figure 9, use the console cable shipped with the device to connect the PC and the

device. Plug the DB-9 connector of the console cable into the serial port of the PC, and plug the RJ-45 connector into the console port of your device.

Figure 9 Connect the device and PC through a console cable

WARNING!

Identify interfaces correctly to avoid connection errors.

NOTE:

The serial port of a PC does not support hot-swap. Do not plug or unplug the console cable to or from the PC when your device is powered on. To connect the PC to the device, first plug the DB-9 connector of the console cable into the PC, and then plug the RJ-45 connector of the console cable into your device. To disconnect the PC from the device, first unplug the RJ-45 connector and then the DB-9 connector.

2. Launch a terminal emulation program (such as HyperTerminal in Windows XP). The following

takes the HyperTerminal of Windows XP as an example. Select a serial port to be connected to the device, and set terminal parameters as follows: set Bits per second to 9600, Data bits to 8, Parity to None, Stop bits to 1, and Flow control to None, as shown in Figure 10 through Figure 12.

NOTE:

On Windows 7, Windows Vista, or some other operating system, obtain a third party terminal control program first, and follow the user guide or online help of that program to log in to the device.

Figure 10 Connection description

Figure 11 Specify the serial port used to establish the connection

Figure 12 Set the properties of the serial port

3. Turn on the device. You are prompted to press Enter if the device successfully completes the

power-on self test (POST). A prompt such as <HP> appears after you press Enter, as shown in

Figure 13.

Figure 13 Configuration page

4. Execute commands to configure the device or check the running status of the device. To get help,

type ?.

Console login authentication modes

The following authentication modes are available for console port login: none, password, and scheme.

• none—Requires no username and password at the next login through the console port. This mode

is insecure.

• password—Requires password authentication at the next login through the console port. Keep your

password.

• scheme—Requires username and password authentication at the next login through the console

port. Authentication falls into local authentication and remote authentication. To use local authentication, configure a local user and related parameters. To use remote authentication, configure the username and password on the remote authentication server. Keep your username and password.

The following table lists console port login configurations for different authentication modes:

Authentication mode

None Configure not to authenticate users

Password

Scheme

Configuration Remarks

Configure to authenticate users by using the local password

Set the local password

Configure the authentication scheme

Configure a RADIUS/HWTACACS scheme

Configure the AAA scheme used by the domain

Configure the username and password on the AAA server

Configure the authentication username and password

Configure the AAA scheme used by the domain as local

Select an authentic ation scheme

Remote AAA authenticati on

Local authenticati on

For more information, see “Configuring none

authentication for console login.”

For more information, see “Configuring password

authentication f login.”

For more information, see “Configuring scheme

authentication f login.”

or console

NOTE:

A newly configured authentication mode does not take effect unless you exit and enter the CLI again.

Configuring none authentication for console login

Configuration prerequisites

You have logged in to the device.

By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login. For information about logging in to the device with the default configuration, see “Configuration requirements.”

Configuration procedure

Follow these steps to configure none authentication for console login:

To do… Use the command… Remarks

Enter system view system-view —

Enter console user interface view

Specify the none authentication mode

Configure common settings for console login

user-interface console first-number [ last-number ]

authentication-mode none

—

Required

By default, you can log in to the device through the console port without authentication, and have user privilege level 3 after login.

Optional

See “Configuring common settings

for console login (optional).”

After the configuration, the next time you log in to the device through the console port, you are prompted to press enter. A prompt such as <HP> appears after you press Enter, as shown in Figure 14.

Figure 14 Configuration page

Configuring password authentication for console login

Configuration prerequisites

You have logged in to the device.

Configuration procedure

Follow these steps to configure password authentication for console login:

To do… Use the command… Remarks

Enter system view system-view —

Enter console user interface view

Configure the authentication mode as local password authentication

Set the local password

Configure common settings for console login

user-interface console first-number [ last-number ]

authentication-mode password

set authentication password

{ cipher | simple } password

—

Required

By default, you can log in to the device through the console port without authentication and have user privilege level 3 after login.

Required

By default, no local password is set.

Optional

See “Configuring common settings for

console log

in (optional).”

When you log in to the device through the console port after configuration, you are prompted to enter a login password. A prompt such as <HP> appears after you input the password and press Enter, as shown in Figure 15.

Figure 15 Configuration page

Configuring scheme authentication for console login

Configuration prerequisites

You have logged in to the device.

Configuration procedure

Follow these steps to configure scheme authentication for console login:

To do… Use the command… Remarks

Enter system view system-view —

Enter console user interface view

Specify the scheme authentication mode

Enable command authorization

user-interface console

first-number [ last-number ]

authentication-mode scheme

command authorization

—

Required

Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme.

By default, users that log in through the console port are not authenticated.

Optional

• By default, command authorization is not

enabled.

• By default, the command level depends on the

user privilege level. A user is authorized a command level not higher than the user privilege level. With command authorization enabled, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If yes, the command can be executed.

Optional

• By default, command accounting is disabled.

• Command accounting allows the HWTACACS

Enable command accounting

Return to system view quit —

command accounting

The accounting server does not record the commands executed by users.

server to record all the commands executed by users, regardless of command execution results. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.

To do… Use the command… Remarks

Enter the

Configure the authentica tion mode

ISP domain view

Apply the specified AAA scheme to the domain

Exit to system view

domain domain-name

authentication default { hwtacacs-scheme

hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

quit

Optional

By default, the AAA scheme is local.

Create a local user and enter local user view

Set the authentication password for the local user

Specifies the command level of the local user

Specify the service type for the local user

Configure common settings for console login

local-user user-name

password { cipher | simple } password

authorization-attribute level level

service-type terminal

—

Required

By default, no local user exists.

Required

Optional

By default, the command level is 0.

Required

By default, no service type is specified.

Optional

See “Configuring common settings for console login

(optional).”

After you enable command authorization or command accounting, you need to perform the following configuration to make the function take effect:

• Create a HWTACACS scheme, and specify the IP address of the authorization server and other

authorization parameters.

• Reference the created HWTACACS scheme in the ISP domain.

When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.

• When the AAA scheme is local, the user privilege level is defined by the authorization-attribute

level level command.

• When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the

RADIUS or HWTACACS server.

After the configuration, when you log in to the device through the console port, you are prompted to enter a login username and password. A prompt such as <HP> appears after you input the password and username and press Enter, as shown in Figure 16.

Figure 16 Configuration page

Configuring common settings for console login (optional)

Follow these steps to configure common settings for console port login

To do…

Enter system view system-view —

Enable display of copyright information

Enter console user interface view

Configure console port properties

Configure the baud rate

Configure the parity check mode

Configure the stop bits

Use the command…

user-interface console

first-number [ last-number ]

speed speed-value

parity { even | mark | none | odd | space }

stopbits { 1 | 1.5 | 2 }

Remarks

Optional

Enabled by default.

—

Optional

By default, the transmission rate is 9600 bps.

Transmission rate is the number of bits that the device transmits to the terminal per second.

Optional

none by default.

Optional

By default, the stop bits of the console port is 1.

Stop bits are the last bits transmitted in data transmission to unequivocally indicate the end of a character. The more the bits are, the slower the transmission is.

To do…

Configure the data bits

Define a shortcut key for enabling a terminal session

Define a shortcut key for terminating tasks

Configure the flow control mode

Configure the type of terminal display

Use the command…

databits { 5 | 6 | 7 | 8 }

activation-key character

escape-key

{ default | character }

flow-control

{ hardware | none | software }

terminal type { ansi | vt100 }

Remarks

Optional

By default, the data bits of the console port is 8.

Data bits is the number of bits representing one character. The setting depends on the contexts to be transmitted. For example, you can set it to 7 if standard ASCII characters are to be sent, and set it to 8 if extended ASCII characters are to be sent.

Optional

By default, you can press Enter to enable a terminal session.

Optional

By default, you can press Ctrl+C to terminate a task.

Optional

By default, the terminal display type is ANSI.

The device supports two types of terminal display: ANSI and VT100. HP recommends you to set the display type of both the device and the client to VT100. If the device and the client use different display types (for example, hyper terminal or Telnet terminal) or both are set to ANSI, when the total number of characters of the currently edited command line exceeds 80, an anomaly such as cursor corruption or abnormal display of the terminal display may occur on the client.

Configure the user privilege level for login users

Set the maximum number of lines on the next screen.

Set the size of history command buffer

Set the idle-timeout timer

user privilege level level

screen-length screen-length

history-command max-size value

idle-timeout

minutes [ seconds ]

Optional

By default, the default command level is 3 for the console user interface.

Optional

By default, the next screen displays 24 lines.

A value of 0 disables the function.

Optional

By default, the buffer saves 10 history commands at most.

Optional

The default idle-timeout is 10 minutes. The system automatically terminates the user’s connection if there is no information interaction between the device and the user within the idle-timeout time.

Setting idle-timeout to 0 disables the timer.

CAUTION:

The common settings configured for console login take effect immediately. If you configure the common settings after you log in through the console port, the current connection may be interrupted, so you should use another login method. After you configure common settings for console login, you need to modify the settings on the terminal to make them consistent with those on the device.

Logging in through Telnet

Introduction

The device supports Telnet. You can telnet to the device to remotely manage and maintain it, as shown in Figure 17.

Figure 17 Telnet login

The following table shows the configuration requirements of Telnet login.

Object Requirements

Configure the IP address of the management Ethernet interface, and make sure

Telnet server

Telnet client

By default, the device is disabled with the Telnet server and client functions.

• On a device that serves as the Telnet client, you can log in to a Telnet server to perform operations

on the server.

• On a device that serves as the Telnet server, you can configure the authentication mode and user

privilege level for Telnet users. By default, scheme authentication is adopted for Telnet login. Before you can telnet to the device, you need to log in to the device through the console port and enable the Telnet server function, and then configure the authentication mode, user privilege level, and common settings.

the Telnet server and client can reach each other.( By default, the IP address of the management Ethernet interface is 192.168.0.1/24)

Configure the authentication mode and other settings

Enable the Telnet client.

Obtain the IP address of the management Ethernet interface on the server

Telnet login authentication modes

The following authentication modes are available for Telnet login: none, password, and scheme.

• none—Requires no username and password at the next login through Telnet. This mode is insecure.

• password—Requires password authentication at the next login through Telnet. Keep your password.

If you lose your password, log in to the device through the console port to view or modify the password.

• scheme—Requires username and password authentication at the next login through Telnet.

Authentication falls into local authentication and remote authentication. To use local authentication, configure a local user and related parameters. To use remote authentication, configure the username and password on the remote authentication server. Keep your username and password.

The following table lists Telnet login configurations for different authentication modes.

Authentication mode

None Configure not to authenticate users

Password

Scheme

Configuration Remarks

Configure to authenticate users by using the local password

Set the local password

Configure the authentication scheme

Remote AAA

authentication Select an authenticatio n scheme

Local

authentication

Configure a RADIUS/HWTACACS scheme

Configure the AAA scheme used by the domain

Configure the username and password on the AAA server

Configure the authentication username and password

Configure the AAA scheme used by the domain as local

For more information, see “Configuring none

authentication for Telnet login.”

For more information, see “Configuring

password authentication f login.”

For more information, see “Configuring

scheme authentication for Telnet login.”

or Telnet

Configuring none authentication for Telnet login

Configuration prerequisites

You have logged in to the device.

Configuration procedure

Follow these steps to configure none authentication for Telnet login:

To do… Use the command… Remarks

Enter system view system-view —

Enable Telnet telnet server enable

Enter one or multiple VTY user interface views

user-interface vty first-number [ last-number ]

Required

Disabled by default

—

To do… Use the command… Remarks

Specify the none authentication mode

Configure the command level for login users on the current user interfaces

Configure common settings for VTY user interfaces

authentication-mode none

user privilege level level

—

Required

By default, authentication mode for VTY user interfaces is scheme.

Required

By default, the default command level is 0 for VTY user interfaces.

Optional

See “Configuring common settings

for VTY user interfaces (option

When you log in to the device through Telnet again, perform the following steps:

• You enter the VTY user interface, as shown in Figure 18.

• If “

All user interfaces are used, please try later!” is displayed, it means the current login users

exceed the maximum number. Please try later.

Figure 18 Configuration page

al).”

Configuring password authentication for Telnet login

Configuration prerequisites

You have logged in to the device.

Configuration procedure

Follow these steps to configure password authentication for Telnet login:

To do… Use the command… Remarks

Enter system view system-view —

To do… Use the command… Remarks

Enable Telnet telnet server enable

Enter one or multiple VTY user interface views

Specify the password authentication mode

Set the local password

Configure the user privilege level for login users

Configure common settings for VTY user interfaces

user-interface vty first-number [ last-number ]

authentication-mode password

set authentication password { cipher | simple } password

user privilege level level

—

Required

Disabled by default

—

Required

By default, authentication mode for VTY user interfaces is scheme.

Required

By default, no local password is set.

Required

0 by default.

Optional

See “Configuring common settings for

VTY user interfaces (optional).”

When you log in to the device through Telnet again, perform the following steps:

• You are required to enter the login password. A prompt such as <HP> appears after you enter the

correct password and press Enter, as shown in Figure 19.

• If “

All user interfaces are used, please try later!” is displayed, it means the number of current

concurrent login users exceed the maximum. Please try later.

Figure 19 Configuration page

Configuring scheme authentication for Telnet login

Configuration prerequisites

You have logged in to the device.

Configuration procedure

Follow these steps to configure scheme authentication for Telnet login

To do… Use the command… Remarks

Enter system view system-view —

Enable Telnet telnet server enable

Enter one or multiple VTY user interface views

Specify the scheme authentication mode

Enable command authorization

Enable command accounting

user-interface vty first-number [ last-number ]

authentication-mode scheme

command authorization

command accounting

Required

Disabled by default

—

Required

Whether local, RADIUS, or HWTACACS authentication is adopted depends on the configured AAA scheme.

By default, local authentication is adopted.

Optional

By default, command authorization is not enabled.

• Create a HWTACACS scheme, and specify the

IP address of the authorization server and other authorization parameters.

• Reference the created HWTACACS scheme in

the ISP domain.

Optional

• By default, command accounting is disabled.

The accounting server does not record the commands executed by users.

• Command accounting allows the HWTACACS

server to record all executed commands that are supported by the device, regardless of the command execution result. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.

Exit to system view quit —

To do… Use the command… Remarks

Enter the default ISP domain view

domain domain-name

Configure the authentic ation mode

Create a local user and enter local user view

Set the local password

Specifies the command level of the local user

Specify the service type for the local user

Exit to system view quit —

Configure common settings for VTY user interfaces

Specify the AAA scheme to be applied to the domain

Exit to system view

authentication default { hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

quit

local-user user-name By default, no local user exists.

password { cipher | simple } password

authorization-attribute level level

service-type telnet

—

Optional

By default, the AAA scheme is local.

Required

By default, no local password is set.

Optional

By default, the command level is 0.

Required

By default, no service type is specified.

Optional

See “Configuring common settings for VTY user

interfaces (optional).”

After you enable command authorization or command accounting, you need to perform the following configuration to make the function take effect:

• Create a HWTACACS scheme, and specify the IP address of the authorization server and other

authorization parameters.

• Reference the created HWTACACS scheme in the ISP domain.

When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.

• When the AAA scheme is local, the user privilege level is defined by the authorization-attribute

level level command.

• When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the

RADIUS or HWTACACS server.

When you log in to the device through Telnet again:

• You are required to enter the login username and password. A prompt such as <HP> appears after

you enter the correct username (for example, admin) and password and press Enter, as shown in

Figure 20.

• A

fter you enter the correct username and password, if the device prompts you to enter another password of the specified type, you will be authenticated for the second time. In other words, to pass authentication, you must enter a correct password as prompted.

• If “All user interfaces are used, please try later!” is displayed, it means the current login users

exceed the maximum number. Please try later.

Figure 20 Configuration page

Configuring common settings for VTY user interfaces (optional)

Follow these steps to configure Common settings for VTY user interfaces:

To do… Use the command…

Enter system view system-view —

Enter management Ethernet interface view

Specify an IP address for the management Ethernet interface

Return to system view quit —

Enable display of copyright information

Enter one or multiple VTY user interface views

interface interface-type interface-number

ip address ip-address { mask | mask-length }

user-interface vty

first-number [ last-number ]

Remarks

—

Required

By default, the IP address of the management Ethernet interface is

192.168.0.1/24.

Optional

Enabled by default.

—

To do… Use the command… Remarks

User interface configuration

Enable the terminal service

Enable the current user interface(s) to support either Telnet, SSH, or both of them

Define a shortcut key for terminating tasks

Configure the type of terminal display

Set the maximum number of lines on the next screen

Set the size of history command buffer

Set the idle-timeout timer

shell

protocol inbound { all | ssh | telnet }

escape-key { default | character }

terminal type { ansi | vt100 }

screen-length screen-length

history-command max-size value

idle-timeout minutes

[ seconds ]

Optional

Enabled by default.

Optional

By default, both protocols are supported.

The configuration takes effect next time you log in.

Optional

By default, you can press Ctrl+C to terminate a task.

Optional

By default, the terminal display type is ANSI.

Optional

By default, the next screen displays 24 lines.

A value of 0 disables the function.

Optional

By default, the buffer saves 10 history commands.

Optional

The default idle-timeout is 10 minutes for all user interfaces.

The system automatically terminates the user’s connection if there is no information interaction between the device and the user in timeout time.

Setting idle-timeout to 0 disables the timer.

Optional

By default, command auto-execution is disabled.

The system automatically executes the specified command when a user logs in to the user interface, and tears down the user connection after the command is executed. If the command triggers another task, the system does not tear down the user connection until the task is completed. A telnet command is usually specified to enable the user to automatically telnet to the specified device.

CAUTION:

Specify a command to be automatically executed when a user logs in to the current user interface

auto-execute command command

The auto-execute command command may disable you from configuring the system through the user interface to which the command is applied. Before confi

uring the command and saving the configuration (by using the save command), make sure that you can access the device through VTY, TTY, console, or AUX interfaces to remove the configuration when a problem occurs.

Configuring the device to log in to a Telnet server as a Telnet client

Configuration prerequisites

You have logged in to the device.

Figure 21 Telnet from the firewall (Telnet client) to another device (Telnet server)

NOTE:

If the Telnet client port and the Telnet server port that connect them are not in the same subnet, make sure that the two devices can reach each other.

Configuration procedure

Follow the step below to configure the device to log in to a Telnet server as a Telnet client:

To do… Use the command… Remarks

telnet remote-host [ service-port ] [ source

Configure the device to log in to a Telnet server as a Telnet client

Specify the source IPv4 address or source interface for sending Telnet packets

{ interface interface-type interface-number | ip ip-address } ]

telnet ipv6 remote-host [ -i interface-type interface-number ] [ port-number ]

telnet client source { interface

interface-type interface-number | ip ip-address }

Logging in through SSH

Introduction

Secure Shell (SSH) offers an approach to log into a remote device securely. By providing encryption and strong authentication, it protects devices against attacks such as IP spoofing and plain text password interception. The device supports SSH, and you can log in to the device through SSH to remotely manage and maintain the device, as shown in Figure 22.

Required

Use either command

Available in user view

Optional

By, no source IPv4 address or source interface is specified. The source IPv4 address is selected by routing.

Figure 22 SSH login diagram

IP network

Telnet client Telnet server

The following table shows the configuration requirements of SSH login.

Object Requirements

Configure the IP address of the management Ethernet interface, and make sure the SSH

SSH server

SSH client

server and client can reach each other.( By default, the IP address of the management Ethernet interface is 192.168.0.1/24.)

Configure the authentication mode and other settings.

If the host operates as an SSH client, run the SSH client program on the host.

Obtain the IP address of the management Ethernet interface of the device

By default, the device is enabled with the SSH server and client functions.

• On a device that serves as the SSH client, you can log in to an SSH server to perform operations on

the server.

• On a device that serves as the SSH server, you can configure the authentication mode and user level

for SSH users. By default, password authentication is adopted for SSH login, but no login password is configured, so you cannot log in to the device through SSH by default. Before you can log in to the device through SSH, you need to log in to the device through the console port and configure the authentication mode, user level, and common settings.

This section includes these topics:

• Configuring the SSH server

• Configuring the SSH client to log in to the SSH server

Configuring the SSH server

Configuration prerequisites

You have logged in to the device, and want to log in to the device through SSH in the future.

Configuration procedure

Follow these steps to configure the device that serves as an SSH server:

To do… Use the command… Remarks

Enter system view system-view —

Create local key pair(s)

Enable SSH server ssh server enable

public-key local create

{ dsa | rsa }

Required

By default, no local key pair(s) are created.

Required

By default, SSH server is disabled.

To do… Use the command… Remarks

Enter one or more VTY user interface views

Specify the scheme authentication mode

Enable the current user interface to support either Telnet, SSH, or both of them

Enable command authorization command authorization

Enable command accounting command accounting

user-interface vty first-number [ last-number ]

authentication-mode scheme

protocol inbound { all | ssh }

—

Required

By default, authentication mode for VTY user interfaces is scheme.

Optional

By default, both protocols are supported.

Optional

• By default, command authorization is not

enabled.

Optional

• By default, command accounting is

disabled. The accounting server does not record the commands executed by users.

• Command accounting allows the

HWTACACS server to record all executed commands that are supported by the device, regardless of the command execution result. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.

Exit to system view quit —

Enter the default ISP domain view

Configure the authentication mode

Create a local user and enter local user view

Set the local password

Apply the specified AAA scheme to the domain

Exit to system view

domain domain-name

authentication default { hwtacacs-scheme

hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

quit

local-user user-name

password { cipher | simple } password

Optional

By default, the AAA scheme is local.

Required

By default, no local user exists.

Required

By default, no local password is set.

To do… Use the command… Remarks

Specify the command level of the local user

Specify the service type for the local user

Return to system view quit —

Create an SSH user, and specify the authentication mode for the SSH user

Configure common settings for VTY user interfaces

authorization-attribute level level

service-type ssh

ssh user username service-type stelnet authentication-type { password | { any | password-publickey | publickey } assign publickey keyname }

—

Optional

By default, the command level is 0.

Required

By default, no service type is specified.

Required

By default, no SSH user exists, and no authentication mode is specified.

Optional

See “Configuring common settings for VTY

user interfaces (optional).”

NOTE:

This chapter describes how to configure an SSH client by using password authentication. For more information about SSH and how to configure an SSH client by using publickey, see

and Maintenance Configuration Guide

System Managemen

After you enable command authorization or command accounting, you need to perform the following configuration to make the function take effect:

• Create a HWTACACS scheme, and specify the IP address of the authorization server and other

authorization parameters.

• Reference the created HWTACACS scheme in the ISP domain.

When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.

• When the AAA scheme is local, the user privilege level is defined by the authorization-attribute

level level command.

• When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the

RADIUS or HWTACACS server.

Configuring the SSH client to log in to the SSH server

Configuration prerequisites

You have logged in to the device.

Figure 23 Log in to another device from the current device

NOTE:

If the SSH client and the SSH server are not in the same subnet, make sure that the two devices can reach each other.

Configuration procedure

Follow these steps to configure the SSH client to log in to the SSH server:

To do… Use the command… Remarks

ssh2 server

ssh2 ipv6 server

Required

server is the IPv4 address or host name of the server.

Available in user view

Required

server is the IPv6 address or host name of the server.

Available in user view

NOTE:

You can configure other settings for the SSH client to work with the SSH server. For more information, see

System Management and Maintenance Configuration Guide

Logging in through the AUX port

Introduction

As shown in Figure 24, the console cable used in AUX port login is the same as that in console port login. For a device that has separate console and AUX ports, you can use both to log in to the device to facilitate system maintenance.

Figure 24 AUX port login diagram

By default, AUX port login adopts password authentication. To log in through the AUX port, log in to the device through the console port or another method, configure the password for AUX password authentication or change the authentication mode, and configure related parameters.

AUX login authentication modes

NOTE:

By default, password authentication is adopted for AUX port login.

The following authentication modes are available for AUX port login: none, password, and scheme.

• none—Requires no username and password at the next login through the AUX port. This mode is

insecure.

• password—Requires password authentication at the next login through the AUX port. Keep your

password.

• scheme—Requires username and password authentication at the next login through the AUX port.

The following table lists AUX port login configurations for different authentication modes.

Authentication mode

None Configure not to authenticate users

Configuration Remarks

For more information, see “Configuring none

authentication for AUX login.”

For more information, see “Configuring

password authentication f login.”

For more information, see “Configuring

scheme authentication for AUX login.”

Password

Scheme

Configure to authenticate users by using the local password

Set the local password

Configure the authentication scheme

Configure a RADIUS/HWTACACS

scheme Remote AAA authentication

Select an authenticatio n scheme

Local authentication

Configure the AAA scheme

used by the domain

Configure the username and

password on the AAA server

Configure the authentication

username and password

Configure the AAA scheme

used by the domain as local

NOTE:

AUX port login authentication changes do not take effect until you exit the CLI and log in again.

or AUX

Configuring none authentication for AUX login

Configuration prerequisites

You have logged in to the device.

By default, you can log in to the device through the AUX port with password authentication and have user privilege level 0 after login. For information about logging in to the device with the default configuration, see "Configuration requirements."

Configuration procedure

Follow these steps to configure none authentication for AUX login:

To do… Use the command… Remarks

Enter system view system-view —

Enter one or more AUX user interface view

Specify the none authentication mode

Configure common settings for AUX login

user-interface aux first-number [ last-number ]

authentication-mode none

—

Required

By default, password authentication is performed for users that log in through the AUX port.

Optional

See "Configuring common settings for

AUX login (optional)."

After the configuration, next time you log in to the device through the AUX port, you are prompted to press enter. A prompt such as <HP> appears after you press Enter, as shown in Figure 25.

Figure 25 Configuration page

Configuring password authentication for AUX login

Configuration prerequisites

You have logged in to the device.

Configuration procedure

Follow these steps to configure password authentication for AUX login:

To do… Use the command… Remarks

Enter system view system-view —

Enter one or more AUX user interface views

Specify the password authentication mode

Set the local password

Configure common settings for AUX login

user-interface aux first-number [ last-number ]

authentication-mode password

set authentication password

{ cipher | simple } password

—

Required

By default, you can log in to the device through the AUX port with password authentication and have user privilege level 0 after login.

Required

By default, no local password is set.

Optional

See “Configuring common settings for AUX

After the configuration, next time you log in to the device through the AUX port, you are prompted to enter a login password. A prompt such as <HP> appears after you input the password and press Enter, as shown in Figure 26.

Figure 26 Configuration page

Configuring scheme authentication for AUX login

Configuration prerequisites

You have logged in to the device.

Configuration procedure

Follow these steps to configure scheme authentication for AUX login:

To do… Use the command… Remarks

Enter system view system-view —

Enter one or more AUX user interface views

Specify the scheme authentication mode

Enable command authorization

Enable command accounting command accounting

user-interface aux first-number [ last-number ]

authentication-mode scheme

command authorization

—

Required

By default, the authentication mode for users that log in through the AUX port is password.

Optional

• By default, command authorization is not

enabled.

• By default, command level for a login user

depends on the user privilege level. The user is authorized the command with the default level not higher than the user privilege level. With the command authorization configured, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If yes, the command can be executed.

Optional

• By default, command accounting is

disabled. The accounting server does not record the commands executed by users.

• Command accounting allows the

Exit to system view quit —

To do… Use the command… Remarks

Enter the default ISP domain view

Configure the authentica tion mode

Create a local user and enter local user view

Set the authentication password for the local user

Specifies the command level of the local user

Specify the service type for the local user

Configure common settings for AUX login

Apply the specified AAA scheme to the domain

Exit to system view

domain domain-name

authentication default { hwtacacs-scheme

hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

quit

local-user user-name

password { cipher | simple } password

authorization-attribute level level

service-type terminal

—

Optional

By default, the AAA scheme is local.

Required

By default, no local user exists.

Required

Optional

By default, the command level is 0.

Required

By default, no service type is specified.

Optional

See “Configuring common settings for AUX

After you enable command authorization or command accounting, you need to perform the following configuration to make the function take effect:

• Create a HWTACACS scheme, and specify the IP address of the authorization server and other

authorization parameters.

• Reference the created HWTACACS scheme in the ISP domain.

When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.

• When the AAA scheme is local, the user privilege level is defined by the authorization-attribute

level level command.

• When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the

RADIUS or HWTACACS server.

After the configuration, when you log in to the device through the AUX port, you are prompted to enter a login password. A prompt such as <HP> appears after you input the password and press Enter, as shown in Figure 27.

Figure 27 Configuration page

Configuring common settings for AUX login (optional)

Follow these steps to configure common settings for AUX login:

To do… Use the command…

Enter system view system-view —

Enable display of copyright information

Enter AUX user interface view user-interface aux 0 —

Configure AUX port properties

Configure the baud rate

Configure the parity check mode

Configure the stop bits

Configure the data bits

speed speed-value

parity { even | mark | none | odd | space }

stopbits { 1 | 1.5 | 2 }

databits { 5 | 6 | 7 | 8 }

Remarks

Optional

Enabled by default.

Optional

By default, the baud rate is 9600 bps.

Transmission rate is the number of bits that the device transmits to the terminal per second.

Optional

By default, the parity check mode of the AUX port is set to none, which means no check bit.

Optional

By default, the stop bits of the AUX port is 1.

Stop bits are the last bits transmitted in data transmission to unequivocally indicate the end of a character. The more the bits are, the slower the transmission is.

Optional

By default, the data bits of the AUX port is 8.

To do… Use the command… Remarks

Define a shortcut key for starting a session

Define a shortcut key for terminating tasks

Configure the flow control mode

Configure the type of terminal display

activation-key character

escape-key { default | character }

flow-control { hardware | none | software }

terminal type { ansi | vt100 }

Optional

By default, you can press Enter to start a session.

Optional

By default, you can press Ctrl+C to terminate a task.

Optional

By default, the terminal display type is ANSI.

Optional

By default, the default command level is 0 for the AUX user interface.

Optional

By default, the next screen displays 24 lines at most.

A value of 0 disables the function.

Optional

By default, the buffer saves 10 history commands at most.

Optional

The default idle-timeout is 10 minutes. The system automatically terminates the user’s connection if there is no information interaction between the device and the user in timeout time.

Setting idle-timeout to 0 disables the timer.

CAUTION:

Configure the user privilege level for login users

Set the maximum number of lines on the next screen

Set the size of history command buffer

Set the idle-timeout timer.

user privilege level

level

screen-length

history-command max-size value

idle-timeout minutes [ seconds ]

The common settings configured for AUX login take effect immediately. If you configure the common settings after you log in through the AUX port, the current connection may be interrupted, so you should use another login method. After you configure common settings for AUX login, you need to modify the settings on the terminal to make them consistent with those on the device.

Configuration requirements

The following table shows the configuration requirements of AUX login.

Object Requirements

Configure the authentication mode. For more information, see “Configuring none

Device

authentication for AUX login,” “Configuring password authentication for AUX login,” and

“Configuring scheme authentication for AUX login.”

Terminal

Run the hyper terminal program.

Configure the hyper terminal attributes.

Login procedure

1. As shown in Figure 28, use the console cable shipped with the device to connect the PC and the

device. Plug the DB-9 connector of the console cable into the serial port of the PC, and plug the RJ-45 connector into the AUX port of your device.

Figure 28 Connect the device and PC

WARNING!

Identify the interface to avoid connection errors.

NOTE:

The serial port of a PC does not support hot-swap, so do not plug or unplug the console cable to or from the PC when your device is powered on. To connect the PC to the device, first plug the DB-9 connector of the console cable into the PC, and then plug the RJ-45 connector of the console cable into your device. To disconnect the PC from the device, first unplug the RJ-45 connector and then the DB-9 connector.

2. Launch a terminal emulation program (such as HyperTerminal in Windows XP). The following

NOTE:

On Windows 7, Windows Vista, or some other operating system, you need to obtain a third party terminal control program first, and follow the user guide or online help of that program to log in to the device.

Figure 29 Connection description

Figure 30 Specify the serial port used to establish the connection

Figure 31 Set the properties of the serial port

3. Turn on the device. You are prompted to enter the login password if the device successfully

completes the power-on self test (POST). A prompt such as <HP> appears after you press Enter, as shown in Figure 32.

Figure 32 Configuration page

4. Execute commands to configure the device or check the running status of the device. To get help,

type ?.

Logging in through modems

Introduction

The administrator can use two modems to remotely maintain a switch through its AUX port over the Public Switched Telephone Network (PSTN) when the IP network connection is broken.

Configuration requirements

By default, no authentication is needed when you log in through modems, and the default user privilege level is 3.

To use this method, perform necessary configurations at both the device side and administrator side.

The following table shows the configuration requirements of remote login through the AUX port by using modem dial-in:

Object Requirement

The PC is correctly connected to the modem.

Administrator side

Device side

Login procedure

1. Set up a configuration environment as shown in Figure 33: connect the serial port of the PC and

the AUX port of the device to a modem respectively.

Figure 33 Set up a configuration terminal

Serial cable

2. Configuration on the administrator side

The modem is connected to a telephone cable that works properly.

The telephone number of the remote modem connected to the AUX port of the remote switch is obtained.

The AUX port is correctly connected to the modem.

Configurations have been configured on the modem.

The modem is connected to a telephone cable that works properly.

Authentication configuration has been completed on the remote switch.

Telephone

cable

Modem Modem Device

PSTN

Telephone

cable

Serial

cable

AUX port

The PC and the modem are correctly connected, the modem is connected to a telephone cable, and the telephone number of the remote modem connected to the AUX port of the remote switch is obtained.

NOTE:

CAUTION:

Note the following device settings:

• The baud rate of the AUX port is lower than the transmission rate of the modem. Otherwise, packets

may be lost.

• The parity check mode, stop bits, and data bits of the AUX port adopt the default settings.

3. Perform the following configurations on the modem directly connected to the device:

AT&F ----------------------- Restore the factory defaults

ATS0=1 ----------------------- Configure auto-answer on first ring

AT&D ----------------------- Ignore data Terminal Ready signals

AT&K0 ----------------------- Disable local flow control

AT&R1 ----------------------- Ignore Data Flow Control signals AT&S0 ----------------------- Force DSR to remain on

ATEQ1&W ----------------------- Disable the modem from response to commands and save the

configuration

To verify your configuration, enter AT&V to show the configuration results.

The configuration commands and the output for different modems may be different. For more information, see the user guide of your modem.

4. Launch a terminal emulation utility (such as HyperTerminal in Windows XP), create a new

connection (the telephone number is the number of the modem connected to the device).

NOTE:

5. Dial the destination number on the PC to establish a connection with the device, as shown in Figure

34 through Figure 36.

Figure 34 Connection Description

Figure 35 Enter the phone number

Figure 36 Dial the number

6. Character string CONNECT9600 is displayed on the terminal. Then a prompt such as <HP>

appears when you press Enter.

Figure 37 Configuration page

7. Execute commands to configure the device or check the running status of the device. To get help,

type ?.

NOTE:

• To terminate the connection between the PC and device, execute the ATH

command on the terminal to terminate the connection between the PC and modem. If you cannot execute the command on the terminal, input AT+ + + and then press Enter. When you are prompted OK, execute the ATH command, and the connection is terminated if OK is displayed. You can also terminal the connection between the

PC and device by clicking

on the hyper terminal window.

• Do not close the hyper terminal directly. Otherwise, the remote modem may be always online, and you

will fail to dial in at the next time.

Modem login authentication modes

The following authentication modes are available for modem dial-in login: none, password, and scheme.

• none—Requires no username and password at the next login through modems. This mode is insecure.

• password—Requires password authentication at the next login through the console port. Keep your

password. If you lose your password, you cannot log in to the device through password authentication. You can log in to the device through the console port to view or modify the password.

• scheme—Requires username and password authentication at the next login through the console port.

The following table lists modem login configurations for different authentication modes:

Authentication mode

None Configure not to authenticate users

Password

Scheme

Configuration Remarks

Configure to authenticate users by using the local password

Set the local password

Configure the authentication scheme

Configure a RADIUS/HWTACACS scheme

Configure the AAA scheme used by the domain

Configure the username and password on the AAA server

Configure the authentication username and password

Configure the AAA scheme used by the domain as local

Select an authentic ation scheme

Remote AAA authenti cation

Local authenti cation

For more information, see “Configuring none authentication

for modem login.”

For more information, see “Configuring password

authentication for modem login.”

For more information, see “Configuring scheme

authentication f

or modem login.”

NOTE:

Modem login authentication changes do not take effect until you exit the CLI and log in again.

Configuring none authentication for modem login

Configuration prerequisites

You have logged in to the device.

When you log in to the device through modems, specify operating mode of the AUX interface is protocol.

Configuration procedure

Follow these steps to configure none authentication for modem login:

To do… Use the command… Remarks

Enter system view system-view —

Enter AUX interface view interface aux interface-number

—

Specify operating mode for the AUX interface

Exit to system view quit

Enter one or more AUX user interface views

Specify the none authentication mode

Configure common settings for VTY user interfaces

async mode { flow | protocol }

user-interface aux first-number

[ last-number ]

authentication-mode none

—

Required

By default, the mode is flow.

—

Required

By default, the modem login authentication mode is password.

Optional

See “Configuring common settings

for VTY user interfaces (option

al).”

After the configuration, when you log in to the device through modems, you are prompted to press Enter. A prompt such as <HP> appears after you press Enter, as shown in Figure 38.

Figure 38 Configuration page

Configuring password authentication for modem login

Configuration prerequisites

You have logged in to the device.

When you log in to the device through modems, specify operating mode of the AUX interface is protocol.

Configuration procedure

Follow these steps to configure password authentication for modem login:

To do… Use the command… Remarks

Enter system view system-view —

Enter AUX interface view interface aux interface-number

—

Specify operating mode for the AUX interface

Exit to system view quit

Enter one or more AUX user interface views

Specify the password authentication mode

Set the local password

Configure common settings for VTY user interfaces

async mode { flow | protocol }

user-interface aux first-number

[ last-number ]

authentication-mode password

set authentication password

{ cipher | simple } password

—

Required

By default, the mode is flow.

—

Required

By default, the modem login authentication mode is password.

Required

By default, no local password is set.

Optional

For more information, see “Configuring

common setting (optional).”

s for VTY user interfaces

After the configuration, when you log in to the device through modems, you are prompted to enter a login password. A prompt such as <HP> appears after you input the password and press Enter, as shown in Figure 39.

Figure 39 Configuration page

Configuring scheme authentication for modem login

Configuration prerequisites

You have logged in to the device.

When you log in to the device through modems, specify operating mode of the AUX interface is protocol.

Configuration procedure

Follow these steps to configure scheme authentication for modem login:

To do… Use the command… Remarks

Enter system view system-view —

Enter AUX interface view

Specify operating mode for the AUX interface

Exit to system view quit

Enter AUX user interface view

interface aux interface-number

async mode { flow | protocol }

user-interface aux first-number [ last-number ]

—

Required

By default, the mode is flow.

—

Required

Whether local, RADIUS, or HWTACACS Specify the scheme authentication mode

authentication-mode scheme

authentication is adopted depends on the

configured AAA scheme.

By default, the modem login authentication

mode is password.

To do… Use the command… Remarks

Optional

• By default, command authorization is not

enabled.

• By default, command level for a login user

depends on the user privilege level. The user is authorized the command with the default

Enable command authorization

command authorization

level not higher than the user privilege level. With the command authorization configured, the command level for a login user is determined by both the user privilege level and AAA authorization. If a user executes a command of the corresponding command level, the authorization server checks whether the command is authorized. If yes, the command can be executed.

Optional

• By default, command accounting is

disabled. The accounting server does not record the commands executed by users.

• Command accounting allows the

HWTACACS server to record all executed commands that are supported by the device,

Enable command accounting

command accounting

regardless of the command execution result. This helps control and monitor user operations on the device. If command accounting is enabled and command authorization is not enabled, every executed command is recorded on the HWTACACS server. If both command accounting and command authorization are enabled, only the authorized and executed commands are recorded on the HWTACACS server.

Exit to system view quit —

Enter the default ISP domain view

Configure the authentica tion mode

Create a local user and enter local user view

Set the authentication password for the local user

Apply the specified AAA scheme to the domain

Return to system view

domain domain-name

authentication default { hwtacacs-scheme

hwtacacs-scheme-name [ local ] | local | none | radius-scheme radius-scheme-name [ local ] }

quit

local-user user-name

password { cipher | simple } password

Optional

By default, the AAA scheme is local.

Required

By default, no local user exists.

Required

To do… Use the command… Remarks

Specifies the command level of the local user

Specify the service type for the local user

Configure common settings for VTY user interfaces

authorization-attribute level level

service-type terminal

—

Optional

By default, the command level is 0.

Required

By default, no service type is specified.

Optional

See “Configuring common settings for VTY user

interfaces (optional).”

After you enable command authorization or command accounting, you need to perform the following configuration to make the function take effect:

• Create a HWTACACS scheme, and specify the IP address of the authorization server and other

authorization parameters.

• Reference the created HWTACACS scheme in the ISP domain.

When users adopt the scheme mode to log in to the device, the level of the commands that the users can access depends on the user privilege level defined in the AAA scheme.

• When the AAA scheme is local, the user privilege level is defined by the authorization-attribute

level level command.

• When the AAA scheme is RADIUS or HWTACACS, the user privilege level is configured on the

RADIUS or HWTACACS server.

After the configuration, when you log in to the device through modems, you are prompted to enter a login username and password. A prompt such as <HP> appears after you input the password and username and press Enter, as shown in Figure 40.

Figure 40 Configuration page

Configuring common settings for modem login (optional)

Follow these steps to configure common settings for modem login:

To do… Use the command… Remarks

Enter system view system-view —

Enable display of copyright information

Enter one or more AUX user interface views

Configure AUX port properties

Configure the baud rate

Configure the parity check mode

Configure the stop bits

Configure the data bits

user-interface aux

first-number [ last-number ]

speed speed-value

parity { even | mark | none | odd | space }

stopbits { 1 | 1.5 | 2 }

databits { 5 | 6 | 7 | 8 }

Optional

Enabled by default.

—

Optional

By default ,the baud rate is 9600 bps.

Transmission rate is the number of bits that the device transmits to the terminal per second.

Optional

By default, the parity check mode of the AUX port is set to none, which means no check bit.

Optional

By default, the stop bits of the console port is 1.

Stop bits are the last bits transmitted in data transmission to unequivocally indicate the end of a character. The more the bits are, the slower the transmission is.

Optional

By default, the data bits of the AUX port is 8.

Define a shortcut key for starting a session

Define a shortcut key for terminating tasks

Configure the flow control mode

activation-key character

escape-key { default |

character }

flow-control { hardware | none | software }

Optional

By default, you can press Enter to start a session.

Optional

By default, you can press Ctrl+C to terminate a task.

Optional

To do… Use the command… Remarks

Optional

By default, the terminal display type is ANSI.

The device supports two types of terminal display: ANSI and VT100. HP recommends you

Configure the type of terminal display

terminal type { ansi | vt100 }

to set the display type of both the device and the client to VT100. If the device and the client use different display types (for example, hyper terminal or Telnet terminal) or both are set to ANSI, when the total number of characters of the currently edited command line exceeds 80, an anomaly such as cursor corruption or abnormal display of the terminal display may occur on the client.

Configure the user privilege level for login users

Set the maximum number of lines on the next screen

Set the size of the history command buffer

Set the idle-timeout timer

Set the maximum interval allowed between off-hook and dialing

user privilege level level

screen-length screen-length

history-command max-size value

idle-timeout minutes [ seconds ]

modem timer answer

time

Optional

3 by default.

Optional

By default, the next screen displays 24 lines at most.

A value of 0 disables the function.

Optional

By default, the buffer saves 10 history commands at most.

Optional

Setting idle-timeout to 0 disables the timer.

Optional

By default, the interval is 60 seconds.

Configure a modem to operate in auto-answer

modem auto-answer

Optional

By default, a modem operates in non-auto answer mode.

mode

Enable modem call-in/call-out on the user

modem { both | call-in | call-out }

interface

Optional

By default, both modem call-in and call-out are disabled.

CAUTION:

• The common settings configured for AUX login take effect immediately. If you configure the common

settings after you log in through the AUX port, the current connection may be interrupted, so you should use another login method. After you configure common settings for AUX login, you need to modify the settings on the terminal to make them consistent with those on the device.

• The baud rate of the AUX port must be lower than the transmission rate of the modem. Otherwise,

packets may be lost.

Displaying and maintaining CLI login

To do… Use the command… Remarks

Display information about the user interfaces that are being used

Display information about all user interfaces that the device supports

Display user interface information

Display the configuration of the device when it serves as a Telnet client

Release a specified user interface

display users Available in any view

display users all Available in any view

display user-interface

[ num1 | { aux | console | vty } num2 ] [ summary ]

display telnet client configuration

free user-interface { num1

| { aux | vty } num2 }

Available in any view

Available in user view

Multiple users can log in to the system to simultaneously configure the device. In some circumstances, when the administrator wants to make configurations without interruption from the users that have logged in through other user interfaces, the administrator can execute the command to release the connections established on the specified user interfaces.

You cannot use this command to release the connection that you are using.

Available in user view

Lock the current user interface lock

Send messages to the specified user interfaces

send { all | num1 | { aux | vty } num2 }

By default, the current user interface is not locked.

Available in user view

Web login

Web login overview

The device provides the web-based network management function to facilitate device operation and maintenance. With this function, the administrator can visually manage and maintain network devices through web-based configuration interfaces.

Configuration guidelines

• The web-based network management function supports the operating systems of Windows XP,

Windows 7 and Windows Vista.

• The web-based configuration interface supports Microsoft Internet Explorer 6.0 SP2 and higher,

and the explorer must support and be enabled with JavaScript.

• The web-based configuration interface does not support the Back, Next, Refresh buttons provided

by the browser. Using these buttons may result in abnormal display of Web pages.

• When the device is performing the spanning tree calculation, you cannot log in to or use the web

interface.

• The Windows firewall limits the number of TCP connections. When you use IE to log in to the web

interface, sometimes you may be unable to open the web interface. To avoid this problem, turn off the Windows firewall before login.

• If you log in to the device through the web interface after the software version of the device changes,

HP recommends you to delete the temporary Internet files on IE; otherwise, the web page content may not be displayed correctly.

Logging in to the firewall by using the default web login information

The firewall comes with the default web login information. You can log in to the web interface of the firewall by using the following default login information:

• Username: admin

• Password: admin

• IP address of the management Ethernet interface: 192.168.0.1. For the interface number, see the

corresponding installation guide or card manual of the firewall.

Follow these steps to log in to the firewall through web:

1. Connect the management interface of the firewall to the network port of the PC through a crossover

Ethernet cable.

2. Change the IP address of the PC to one that is within the network segment 192.168.0.0/24

(except for 192.168.0.1), for example, 192.168.0.2 so that the PC and the firewall can communicate with each other.

3. On the PC, launch the browser, type the IP address 192.168.0.1 in the address bar, and press

Enter to enter the web login page, as shown in Figure 41. Enter u

sername admin, password admin,

and the verification code, select a language (English), and click Login.

Figure 41 Web login page

CAUTION:

• To get a new verification code, click on the verification code picture.

• Up to five users can concurrently log in to the device through the web interface.

Modifying the default web login information

1. Create a Telnet user, set the username to userA, password to 123456, and user privilege level to

[HP] local-user userA

New local user added.

[HP-luser-userA] servce-type telnet

[HP-luser-userA] password simple 123456

[HP-luser-userA] authorization-attribute level 3

2. Add an interface into the management zone in hidden command line view to enable the firewall

to communicate with a PC through this interface, and then you can log in to the firewall through this interface.

[HP]_

Now you enter a hidden command view for developer's testing, some commands may

affect operation by wrong use, please carefully use it with our engineer's

direction.

[HP-hidecmd] zone add interface GigabitEthernet0/1 to management

Configuring the web login function

If the web function is disabled, log in to the device via the console port, and perform the following configuration:

• Enable HTTP or HTTPS service

• Configure the IP address of the management Ethernet interface

• Configure a username and password

The device supports the following web login methods:

• HTTP login—The Hypertext Transfer Protocol (HTTP) is used for transferring web page information

across the Internet. It is an application-layer protocol in the TCP/IP protocol suite. The connection-oriented Transport Control Protocol (TCP) is adopted at the transport layer. Currently, the device supports HTTP 1.0.

• HTTPS login—The Secure HTTP (HTTPS) refers to the HTTP protocol that s upports the Securit y Socket

Layer (SSL) protocol. HTTPS uses SSL to encrypt the data exchanged between the HTTPS client and the server to ensure data security and integrity. You can define a certificate attribute-based access control policy to allow legal clients to access the device securely and prohibit illegal clients.

The following table shows the configuration requirements of web login.

Object Requirements

Configure the IP address of the management Ethernet interface, and make sure the device and the PC can reach each other

Device

Configuring HTTP login

Required to use one approach

Configuring HTTPS login

Install a web browser

Obtain the IP address of the management Ethernet interface of the device

Configuring HTTP login

Follow these steps to configure HTTP login:

To do… Use the command… Remarks

Enter system view system-view —

Enable the HTTP service ip http enable

Configure the HTTP service port number

Associate the HTTP service with an ACL

ip http port port-number

ip http acl acl-number

Required

Enabled by default.

Optional

80 by default.

If you execute the command multiple times, the last one takes effect.

Optional

By default, the HTTP service is not associated with any ACL.

Associating the HTTP service with an ACL enables the device to allow only clients permitted by the ACL to access the device.

Create a local user and enter local user view

Configure a password for the local user

Specify the command level of the local user

local-user user-name

password { cipher | simple } password

authorization-attribute level level

Required

By default, no local user is configured.

Required

By default, no password is configured for the local user.

Required

No command level is configured for the local user.

To do… Use the command… Remarks

Specify the Telnet service type for the local user

Exit to system view quit —

Enter management Ethernet interface view

Assign an IP address and subnet mask to the management Ethernet interface

service-type web

interface interface-type interfac-number

ip address ip-address { mask

| mask-length }

Configuring HTTPS login

Follow these steps to configure HTTPS login:

To do… Use the command… Remarks

Enter system view system-view —

Associate the HTTPS service with an SSL server policy

ip https ssl-server-policy

policy-name

Required

By default, no service type is configured for the local user.

Required

By default, the IP address of the management Ethernet interface is

192.168.0.1/24

Required

By default, the HTTPS service is not associated with any SSL server policy.

• If you disable the HTTPS service, the system

automatically de-associates the HTTPS service from the SSL service policy. Before re-enabling the HTTPS service, associate the HTTPS service with an SSL server policy first.

• Any changes to the SSL server policy associated with

the HTTP service that is enabled do not take effect.

Enable the HTTPS service

ip https enable

Required

Disabled by default.

Enabling the HTTPS service triggers an SSL handshake negotiation process. During the process, if the local certificate of the device exists, the SSL negotiation succeeds, and the HTTPS service can be started properly. If no local certificate exists, a certificate application process will be triggered by the SSL negotiation. Because the application process takes much time, the SSL negotiation often fails and the HTTPS service cannot be started normally. In that case, you need to execute the ip https enable command multiple times to start the HTTPS service.

To do… Use the command… Remarks

Optional

By default, the HTTPS service is not associated with any certificate-based attribute access control policy.

Associate the HTTPS service with a certificate attribute-based access control policy

ip https certificate access-control-policy policy-name

• Associating the HTTPS service with a certificate-based

attribute access control policy enables the device to control the access rights of clients.

• You must configure the client-verify enable command in

the associated SSL server policy. If not, no clients can log in to the device.

• The associated SSL server policy must contain at least

one permit rule. Otherwise, no clients can log in to the device.

Configure the port number of the HTTPS service

Associate the HTTPS service with an ACL

Create a local user and enter local user view

Configure a password for the local user

Specify the command level of the local user

Specify the Telnet service type for the local user

ip https port port-number

ip https acl acl-number

local-user user-name

password { cipher | simple } password

authorization-attribute level level

service-type web

Optional

443 by default.

Required

By default, the HTTPS service is not associated with any ACL.

Associating the HTTPS service with an ACL enables the device to allow only clients permitted by the ACL to access the device.

Required

By default, no local user is configured.

Required

By default, no password is configured for the local user.

Required

By default, no command level is configured for the local user.

Required

By default, no service type is configured for the local user.

Exit to system view quit —

Enter management Ethernet interface view

Assign an IP address and subnet mask to the management Ethernet interface

interface interface-type interfac-number

ip address ip-address { mask | mask-length }

Required

By default, the IP address of the management Ethernet interface is 192.168.0.1/24.

Displaying and maintaining web login

To do… Use the command… Remarks

Display information about web users display web users Available in any view

Display HTTP state information display ip http Available in any view

Display HTTPS state information display ip https Available in any view

Web login example

HTTP login example

Network requirements

As shown in Figure 42, the PC is connected to the firewall over an IP network. The IP address of firewall i s 10 .15 3.17. 82 / 24 .

Figure 42 Network diagram for configuring HTTP login

Configuration procedure

1. Configuration on the device

# Log in to the device via the console port and configure the IP address and mask of the management Ethernet interface GigabitEthernet 0/1 of the device.

<Firewall> system-view

[Firewall] interface GigabitEthernet0/1

[Firewall-GigabitEthernet0/1] ip address 10.153.17.82 255.255.255.0

[Firewall-GigabitEthernet0/1] quit

# Create a local user named admin, and set the password to admin for the user. Specify the Telnet service type for the local user, and set the command level to 3 for this user.

[Firewall] local-user admin

[Firewall-luser-admin] service-type web

[Firewall-luser-admin] authorization-attribute level 3

[Firewall-luser-admin] password simple admin

2. Configuration on the PC

# On the PC, run the web browser. Enter the IP address of the device in the address bar, 192.168.0.58 in this example. The web login page appears, as shown in Figure 43.

Figure 43 Web login page

# Type the user name, password, verify code, select English, and click Login. The homepage appears. After login, you can configure device settings through the web interface.

HTTPS login example

Network requirements

As shown in Figure 44, to prevent unauthorized users from accessing the Device, configure HTTPS login as follows:

• Configure the Firewall as the HTTPS server, and request a certificate for it.

• The Host acts as the HTTPS client. Request a certificate for it.

In this example, Windows Server acts as the CA. Install Simple Certificate Enrollment Protocol (SCEP) add-on on the CA. The name of the CA that issues certificates to the Firewall and Host is new-ca.

Before performing the following configuration, make sure that the Firewall, Host, and CA can reach each other.

Figure 44 Network diagram for configuring HTTPS login

Configuration procedure

1. Configure the Firewall that acts as the HTTPS server

# Configure a PKI entity, configure the common name of the entity as http-server1, and the FQDN of the entity as ssl.security.com.

<Firewall system-view

[Firewall] pki entity en

[Firewall-pki-entity-en] common-name http-server1

[Firewall-pki-entity-en] fqdn ssl.security.com

[Firewall-pki-entity-en] quit

Firewall

# Create a PKI domain, specify the trusted CA as new-ca, the URL of the server for certificate request as http://10.1.2.2/certsrv/mscep/mscep.dll, authority for certificate request as RA, and the entity for certificate request as en.

[Firewall] pki domain 1

[Firewall-pki-domain-1] ca identifier new-ca

[Firewall-pki-domain-1] certificate request url http://10.1.2.2/certsrv/mscep/mscep.dll

[Firewall-pki-domain-1] certificate request from ra

[Firewall-pki-domain-1] certificate request entity en

[Firewall-pki-domain-1] quit

# Create local RSA key pairs.

[Firewall] public-key local create rsa

# Retrieve the CA certificate from the certificate issuing server.

[Firewall] pki retrieval-certificate ca domain 1

# Request a local certificate from a CA through SCEP for the Firewall.

[Firewall] pki request-certificate domain 1

# Create an SSL server policy myssl, specify PKI domain 1 for the SSL server policy, and enable certificate-based SSL client authentication.

[Firewall] ssl server-policy myssl

[Firewall-ssl-server-policy-myssl] pki-domain 1

[Firewall-ssl-server-policy-myssl] client-verify enable

[Firewall-ssl-server-policy-myssl] quit

# Create a certificate attribute group mygroup1, and configure a certificate attribute rule, specifying that the Distinguished Name (DN) in the subject name includes the string of new-ca.

[Firewall] pki certificate attribute-group mygroup1

[Firewall-pki-cert-attribute-group-mygroup1] attribute 1 issuer-name dn ctn new-ca

[Firewall-pki-cert-attribute-group-mygroup1] quit

# Create a certificate attribute-based access control policy myacp. Configure a certificate attribute-based access control rule, specifying that a certificate is considered valid when it matches an attribute rule in certificate attribute group myacp.

[Firewall] pki certificate access-control-policy myacp

[Firewall-pki-cert-acp-myacp] rule 1 permit mygroup1

[Firewall-pki-cert-acp-myacp] quit

# Associate the HTTPS service with SSL server policy myssl.

[Firewall] ip https ssl-server-policy myssl

# Associate the HTTPS service with certificate attribute-based access control policy myacp.

[Firewall] ip https certificate access-control-policy myacp

# Enable the HTTPS service.

[Firewall] ip https enable

# Create a local user named usera, set the password to 12 3 for the user, and specify the web service type for the local user.

[Firewall] local-user usera

[Firewall-luser-usera] password simple 123

[Firewall-luser-usera] service-type web

2. Configure the host that acts as the HTTPS client

On the host, run the IE browser. In the address bar, enter http://10.1.2.2/certsrv and request a certificate for the host as prompted.

3. Verify the configuration

Enter https://10 .1.1.1 in the address bar, and select the certificate issued by new-ca. Then the web login page of the Firewall appears. On the login page, type the username usera, and password 12 3 to enter the web management page.

NOTE:

• To log in to the web interface through HTTPS, enter the URL address starting with https://. To lo

the web interface through HTTP, enter the URL address starting with http://.

• For more information about the SSL commands, see

Network Management Command Reference

Troubleshooting web login problems

Problem 1: Unable to access the device through web

Problem description

The user can ping the device successfully, and log in to the device through Telnet. HTTP is enabled and the operating system and browser version are as required. But the user cannot access the web interface of the device.

in to

Problem analysis

• If Microsoft Internet Explorer is used, select the Enable button for Run ActiveX controls and plug-ins,

Script ActiveX controls marked safe for scripting, and Active scripting .

• If Mozilla Firefox is used, enable JavaScript.

Solution for Microsoft Internet Explorer

• Open the Internet Explorer, and select Tools > Internet Options.

• Click the Security tab, and select a Web content zone to specify its security settings, as shown in

Figure 45.

Figure 45 Internet Explo

rer setting (I)

• Click Custom Level, and a dialog box Security Settings appears.

• As shown in Figure 46,

select t he Enable button for Run ActiveX controls and plug-ins, Script ActiveX

controls marked safe for scripting, and Active scripting.

Figure 46 Internet Explorer setting (II)

• Click OK in the Security Settings dialog box.

Solution for Mozilla Firefox

• Open the Firefox Web browser, and then select Tools > Options.

• Click the Content tab, select the Enable JavaScript check box, and click OK.

Figure 47 Firefox web browser setting

NMS login

NMS login overview

A Network Management Station (NMS) runs the SNMP client software. It offers a user-friendly interface to facilitate network management. An agent is a program that resides in the device. It receives and handles requests from the NMS. An NMS is a manager in an SNMP enabled network, whereas agents are managed by the NMS. The NMS and agents exchange information through the SNMP protocol. At present, the device supports multiple NMS programs, such as IMC.

By default, you cannot log in to the device through NMS. To enable NMS login, log in to the device via the console port and make the configurations described in the following table.

The following table shows the configuration requirements of NMS login.

Object Requirements

Configure the IP address of the management Ethernet interface, and make sure the device and the NMS can reach each other

Device

By default, the IP address of the management Ethernet interface is

192.168.0.1/24.

Configure SNMP settings

NMS Configure the NMS. For more information, see the manual of your NMS.

For a firewall module, you need to configure its management Ethernet interface’s IP address on the network device.

The firewall module and network device are integrated to work as one device. From the perspective of an SNMP UDP domain-based NMS, however, the network device and firewall module are separate SNMP agents. They have different software systems and manage their own MIB objects. To access an SNMP agent, the NMS must get the IP address of the management interface on the agent. By default, the firewall module does not have an IP address, so you need to specify an IP address for the firewall module.

Follow these steps to configure the IP address of the management Ethernet interface of the firewall module on the network device:

To do… Use the command… Remarks

Enter system view system-view —

Specify the IP address of the management Ethernet interface of the firewall module

CAUTION:

oap management-ip ip-address slot slot-number

Required

Not specified by default.

Before configuring the IP address of the management Ethernet interface of the firewall module on the network device, you must configure the same IP address on the firewall module. Otherwise, the NMS cannot access the firewall module by using the IP address.

Configuring NMS login

Connect the Ethernet port of the PC to the management Ethernet interface of the firewall module over an IP network, as shown in Figure 48. Mak

Figure 48 Network diagram for configuring NMS login

Follow these steps to configure SNMPv3 settings:

To do… Use the command… Remarks

Enter system view system-view —

Enable SNMP agent snmp-agent

e sure the PC and the firewall module can reach each other.

Optional

Disabled by default.

You can enable SNMP agent with this command or any command that begins with snmp-agent.

Configure an SNMP group and specify its access right

Add a user to the SNMP group

snmp-agent group v3 group-name [ authentication | privacy ] [ read-view read-view ] [ write-view

write-view ] [ notify-view notify-view ] [ acl acl-number ]

snmp-agent usm-user v3 user-name group-name [ [ cipher ]

authentication-mode { md5 | sha }

auth-password ] [ acl acl-number ]

Required

By default, no SNMP group is configured.

Required

If the cipher keyword is specified, both auth-password and priv-password are cipher text passwords.

Follow these steps to configure SNMPv1 and SNMPv2c settings:

To do… Use the command… Remarks

Enter system view system-view —

Optional

Disabled by default.

Enable SNMP agent snmp-agent

You can enable SNMP agent with this command or any command that begins with snmp-agent.

To do… Use the command… Remarks

Configure an

Directly

Configure SNMP NMS access right

Indirectly

SNMP community

Configure an SNMP group

Add a user to the SNMP group

NOTE:

The device supports three SNMP versions: SNMPv1, SNMPv2c and SNMPv3. For more information abou SNMP, see

System Management and Maintenance Configuration Guide

NMS login example

In this example, IMC is used as the NMS for illustration.

snmp-agent community { read | write }

community-name [ acl acl-number ]

snmp-agent group { v1 | v2c } group-name

[ read-view read-view ] [ write-view write-view ] [ notify-view notify-view ] [ acl acl-number ]

snmp-agent usm-user { v1 | v2c } user-name group-name

[ acl acl-number ]

Required

Use either approach.

The direction configuration approach is for SNMPv1 or SNMPv2c. The community name configured on the NMS should be consistent with the username configured on the agent.

The indirect configuration approach is for SNMPv3.

1. Configuration on the device

# Assign 1.1.1.1/24 for the IP address of device. Make sure the device and the NMS can reach each other. (Configuration steps are omitted.)

# Enter system view.

<Sysname> system-view

# Enable the SNMP agent.

[Sysname] snmp-agent

# Configure an SNMP group.

[Sysname] snmp-agent group v3 managev3group

# Add a user to the SNMP group.

[Sysname] snmp-agent usm-user v3 managev3user managev3group

2. Configuration on the NMS

On the PC, start the browser. In the address bar, enter http://192.168.20.107:8080/IMC, where

192.168.20.107 is the IP address of the IMC.

Figure 49 IMC login page

Type the username and password, and then click Login. The IMC homepage appears, as shown in Figure

50.

Figure 50 IMC homepage

Log in to the IMC and configure SNMP settings for the IMC to find the device. After the device is found, you can manage and maintain the device through the IMC. For example, query device information or configure device parameters.

The SNMP settings on the IMC must be the same as those configured on the device. If not, the device cannot be found or managed by the IMC. See the IMC manuals for more information.

Click Help in the upper right corner of each configuration page to get help information.

Logging in to the firewall module from the network device

NOTE:

This chapter describes how to log in to the firewall module from the network device. Other lo for the firewall module are the same as a firewall. For more information, see the previous chapters.

in methods

Logging in to the firewall module from the network device

Configuring the AUX user interface of the firewall module

Before logging in to the firewall module from the network device, you need to configure the AUX user interface of the firewall module.

Follow these steps to configure the AUX user interface:

To do… Use the command… Remarks

Enter system view system-view —

Enter AUX user interface view

Specify the none authentication mode

user-interface aux first-number [ last-number ]

authentication-mode none

—

Required

By default, the AUX user interface uses password authentication.

Configure the user privilege level user privilege level level

Logging in to the firewall module

Use the following command to log in to the firewall module. After login, the terminal screen displays the CLI of the firewall module. To return to the CLI on the device, press Ctrl+K.

Follow the step below to log in from the network device to the firewall module:

To do… Use the command… Remarks

oap connect slot slot-number

Required

0 by default. HP recommends you to set it to 3.

Required

Available in user view of the network device (switch or router)

Monitoring and managing the firewall module on the network device

Resetting the system of the firewall module

If the operating system of the firewall module works abnormally (for example, the system does not respond), you can reset the system with the following command. This operation is the same as resetting the firewall module by pressing the reset button on the firewall module.

The firewall module has an independent CPU; therefore, the network device can still recognize and control the firewall module when you reset the system of firewall module.

Follow the step to reset the system of the firewall module:

To do… Use the command… Remarks

Reset the system of the firewall module

CAUTION:

The reset operation may cause data loss and service interruption. Therefore, before performing this operation, save the configurations of the firewall module operating system and shut down the firewall module operating system to avoid service interruption and data loss.

oap reboot slot slot-number

Configuring the ACSEI protocol

Introduction to ACSEI

ACSEI is an HP-proprietary protocol. It provides a method for exchanging information between ACFP clients and ACFP server so that the ACFP server and clients can cooperate to run a service.

As a supporting protocol of ACFP, ACSEI also has two entities: server and client.

• The ACSEI server is integrated into the software system (Comware) of the network device.

• The ACSEI client is integrated into the software system (Comware) of the firewall module.

NOTE:

The collaborating IDS (Intrusion Detection System) applications of other vendors and support the IPS (Intrusion Prevention System)/IDS services.

Required

Available in user view

cards or IDS devices serve as the ACFP clients which run

Functions of ACSEI

ACSEI mainly provides the following functions:

• Registration and deregistration of an ACSEI client to the ACSEI server.

• ID assignment. The ACSEI server assigns IDs to ACSEI clients to distinguish between them.

• Mutual monitoring and awareness between an ACSEI client and the ACSEI server.

• Information interaction between the ACSEI server and ACSEI clients, including clock

synchronization.

• Control of the ACSEI clients on the ACSEI server. For example, you can close or restart an ACSEI

client on the ACSEI server.

An ACSEI server can register multiple ACSEI clients.

ACSEI timers

An ACSEI server uses two timers, the clock synchronization timer and the monitoring timer.

• The clock synchronization timer is used to periodically trigger the ACSEI server to send clock

synchronization advertisements to ACSEI clients. You can set this timer through command lines.

• The monitoring timer is used to periodically trigger the ACSEI server to send monitoring requests to

ACSEI clients. You can set this timer through command lines.

An ACSEI client starts two timers, the registration timer and the monitoring timer.

• The registration timer is used to periodically trigger the ACSEI client to multicast registration requests

(with the multicast MAC address being 010F-E200-0021). You cannot set this timer.

• The monitoring timer is used to periodically trigger the ACSEI client to send monitoring requests to

the ACSEI server. You cannot set this timer.

ACSEI startup and running

ACSEI starts up and runs in the following procedures:

1. The firewall module runs the ACSEI client application to enable ACSEI client.

2. Start up the network device and enable the ACSEI server function on it.

3. The ACSEI client multicasts a registration request.

4. After the ACSEI server receives a valid registration request, it negotiates parameters with the

ACSEI client and establishes a connection with the client if the negotiation succeeds.

5. The ACSEI server and the ACSEI client mutually monitor the connection.

6. Upon detecting the disconnection of the ACSEI client, the ACFP server removes the configuration

and policies associated with the client.

Configuring ACSEI server on the network device

Follow these steps to configure the ACSEI server:

To do… Use the command… Remarks

Enter system view system-view —

Enable ACSEI server acsei server enable

Enter ACSEI server view acsei server —

Configure the clock synchronization timer

Configure the monitoring timer acsei timer monitor seconds

acsei timer clock-sync minutes

Required

Disabled by default.

Optional

Five minutes by default.

Optional

Five seconds by default.

Close the specified ACSEI client acsei client close client-id

Restart the specified ACSEI client acsei client reboot client-id Optional

Configuring ACSEI client on the firewall module

Follow these steps to configure the ACSEI client:

Optional

Supported on the ACSEI client running Linux only

To do… Use the command… Remarks

Enter system view system-view —

Enter interface view

Enable the ACSEI client acsei-client enable

interface interface-type interface-number

Displaying and maintaining ACSEI server and client

To do… Use the command… Remarks

On the network device

On the firewall module

Display ACSEI client summary display acsei client summary [ client-id ]

Display ACSEI client information

Display ACSEI client information display acsei-client information

Display current ACSEI client state

display acsei client info [ client-id ]

display acsei-client status

Required

Disabled by default.

NOTE:

The Comware platform can run only one ACSEI client, that is, the ACSEI client can be enabled on only one interface at a time. But the ACSEI client on the Comware platform and that on the firewall module can run simultaneously.

Available in any view

Example for monitoring and managing the firewall module from the network device

Network requirements

A firewall module is installed in slot 3 of the network device to detect the traffic passing the network device. The internal interface Ten-GigabitEthernet 3/0/1 on the network device is connected to the internal interface Ten-GigabitEthernet0/0 on the firewall module.

The network device redirects received traffic to the firewall module. The firewall module processes the traffic based on the configured security policy, and redirects permitted traffic to the network device for forwarding.

Configure the network device and firewall module so that you can log in to and restart the firewall module from the network device. Configure the clock synchronization timer as 10 minutes, and configure the monitoring timer as 10 seconds.

Network diagram

Figure 51 Network diagram for monitoring and managing the firewall module

Configuration procedure

The following configuration uses a switch as an example. The configuration on a router is the same.

1. Log in to the firewall module from the network device

# Configure the AUX user interface of the firewall module.

<FIREWALL card> system-view

[FIREWALL card] user-interface aux 0

[FIREWALL card-ui-aux0] authentication-mode none

[FIREWALL card-ui-aux0] user privilege level 3

[FIREWALL card-ui-aux0]

# Log in to the firewall module.

<Switch> oap connect slot 3

Connected to OAP!

2. Configure the clock synchronization timer and the monitoring timer

• Configuration on the network device

# Enable ACSEI server.

<Switch> system-view

[Switch] acsei server enable

# Enter ACSEI server view

[Switch] acsei server

# Set the clock synchronization timer to 10 minutes

[Switch-acsei server] acsei timer clock-sync 10

# Set the monitoring timer to 10 seconds

[Switch-acsei server] acsei timer monitor 10

# Enable ACSEI client on the Ten-GigabitEthernet 0/0 interface.

<FIREWALL card> system-view

[FIREWALL card] interface Ten-GigabitEthernet0/0

[FIREWALL card] acsei-client enable

Configuration verification

1. Restart the firewall module on the network device.

<Switch> oap reboot slot 3

This command will recover the OAP from shutdown or other failed state.

Warning: This command may lose the data on the hard disk if the OAP is not being

shut down! Continue? [Y/N]:y

Reboot OAP by command.

The output shows that you can restart the firewall module on the network device.

2. Display the ACSEI server configuration information on the network device.

<Switch> display current-configuration configuration acsei-server

acsei server

acsei timer clock-sync 10

acsei timer monitor 10

return

[Switch]

The output shows that the clock synchronization timer and monitoring timer are 10 minutes and 10 seconds, respectively.

Basic configuration

You can perform the following basic configuration in the web or at the CLI:

• System name and user password. Modify the system name and the password of the current user. For

more information, see the chapters “Device management configuration” and “User management.”

• Service management. Specify whether to enable the services like FTP, telnet, HTTP, and HTTPS, and

set port numbers for HTTP and HTTPS. For more information, see Access Control Configuration Guide.

• Interface IP address. Configure IP addresses for Layer 3 Ethernet interfaces and VLAN interfaces.

For more information, see Network Management Configuration Guide.

• NAT. Configure dynamic NAT, internal server translation, and related parameters. For more

information, see NAT Configuration Guide.

• Zone. Configure a zone to perform interface- or IP address-based security policy control. For more

information, see Access Control Configuration Guide.

This chapter describes the fast configuration by using the basic configuration wizard.

Launching the basic configuration wizard

Select Wizard from the navigation tree to enter the Configuration Wizard page, and then click the Basic Device Information hyperlink to enter the first page of the basic configuration page, as shown in Figure

52.

Figure 52 Basic configuration wizard: 1/6

Configuring the system name and user password

Click Next on the first page of the basic configuration wizard to enter the basic information configuration page, as shown in Figure 53.

Figure 53 Basic configuration wizard: 2/6 (basic information)

Table 2 Basic information configuration items

Item Description

Sysname Set the system name.

Modify Current User Password

New Password

Confirm Password

Specify whether to modify the login password of the current user.

To modify the password of the current user, set the new password and the confirm password, and the two passwords must be identical.

Configuring service management

Click Next on the basic information configuration page to enter the service management page, as shown in Figure 54.

Figure 54 Basic configuration wizard: 3/6 (service management)

Table 3 Service management configuration items

Item Description

FTP

Telnet

HTTP

Specify whether to enable FTP on the device.

Disabled by default.

Specify whether to enable telnet on the device.

Disabled by default.

Specify whether to enable HTTP on the device, and set the HTTP port number.

Disabled by default.

IMPORTANT:

• If the current user has logged in to the web interface through HTTP, disabling HTTP

or modifying the HTTP port number will result in disconnection with the device; therefore, perform the operation with caution.

• When you modify a port number, ensure that the port number is not used by

another service.

Item Description

Specify whether to enable HTTPS on the device, and set the HTTPS port number.

Disabled by default.

IMPORTANT:

• If the current user logged in to the web interface through HTTPS, disabling HTTPS

HTTPS

or modifying the HTTPS port number will result in disconnection with the device; therefore, perform the operation with caution.

• When you modify a port number, ensure that the port number is not used by

another service.

• By defaul t, H TTPS uses th e PKI dom ain default. If this PKI domain does not exist, the

system will prompt you for it when the configuration wizard is completed; however, this will not affect the execution of other configurations.

Configuring the IP address for an interface

Click Next on the service management configuration page to enter the interface IP address configuration page, as shown in Figure 55. T Ethernet interfaces and VLAN interfaces. You can click a value in the table and then modify it.

he table lists the IP address configuration information for all Layer 3

Figure 55 Basic configuration wizard: 4/6 (interface IP address configuration)

Table 4 Interface IP address configuration items

Item Description

Set the approach for obtaining the IP address, including:

• None: The IP address of the interface is not specified,

that is, the interface has no IP address.

• Static Address: Specify the IP address for the interface

IP Configuration

manually; if you select this item, you need to specify both the IP address and the mask.

• DHCP: The interface obtains an IP address

automatically through the DHCP protocol.

• Do not change: The IP address of the interface does not

change.

IMPORTANT:

Modification to the interface IP address will result in disconnection with the device, so make changes with caution.

IP Address

Mask

Configuring NAT

Click Next on the interface IP address configuration page to enter the NAT configuration page, as shown in Figure 56.

Figure 56 Basic c

onfiguration wizard: 5/6 (NAT configuration)

If you select Stack Address as the approach for obtaining the IP address, you need to set the interface IP address and network mask.

Table 5 NAT configuration items

Item Description

Interface Select an interface on which the NAT configuration will be applied.

Specify whether to enable dynamic NAT on the interface.

Dynamic NAT

Source IP/Wildcard If dynamic NAT is enabled, set the source IP address and wildcard for packets.

If dynamic NAT is enabled, the IP address of the interface will be used as the IP address of a matched packet after the translation.

By default, dynamic NAT is disabled.

Destination IP/Wildcard

Protocol Type

Internal Server

External IP: Port

Internal IP: Port

If dynamic NAT is enabled, set the destination IP address and wildcard for packets.

If dynamic NAT is enabled, select the protocol type carried over the IP protocol, including TCP, UDP, and IP (indicating all protocols carried by the IP protocol).

Specify whether to enable the internal server.

If the internal server is enabled, when a user from the external network accesses the internal server, the NAT translates the destination address of request packets into the private IP address of the internal server; when the internal server replies to the packets, the NAT translates the source address (private IP address) of reply packets into a public IP address.

By default, the internal server is disabled.

IMPORTANT:

Configuration of the internal server may result in disconnection with the device (for example, specify an external IP address as the IP address of the local host or as the IP address of the current access interface). Perform the operation with caution.

When the internal server is enabled, set the valid IP address and service port number for the external access.

If the internal server is enabled, set the IP address and service port number for the server on the internal LAN.

Completing the configuration wizard

Click Next on the NAT configuration page to enter the page shown in Figure 57.

Figure 57 Basic configuration wizard: 6/6

This page lists all configurations you have made in the basic configuration wizard. Confirm the configurations. To modify your configuration, click Prev to go back to the previous page; if no modification is needed, click Finish to execute all configurations.

Device management

Device management overview

Device management functions enable you to check the operating status and configure the running parameters of devices.

Configuring the device name

NOTE:

You can configure the device name in the web interface or the comand line interface (CLI).

Configuring the device name in the web interface

The current system name is on the very top of the navigation tree, as shown in Figure 58.

Figure 58 Current system name

Select Device Management > Device Basic > Device Basic Info from the navigation tree to enter the page, as shown inFigure 59.

Figure 59 Device basic i

nformation

Configuring the device name in the CLI

A device name identifies a device in a network. If the device name is Sysname, the prompt of user view is <Sysname>.

Follow these steps to configure the device name:

To do… Use the command… Remarks

Enter system view system-view —

To do… Use the command… Remarks

Configure the device name sysname sysname

Configuring the system time

NOTE:

• The firewall modules synchronize the time with the NTP server (a primary networking device installed

with a firewall module) throu starts, and is synchronized to the correct time after the system starts up.

• After a firewall module is configured with NTP synchronization, it sends a NTP time request every 64

seconds. If it finds that its time is asynchronous time with the NTP server in a few minutes.

h NTP. The system time resets to 12:00:00, 26, April, 2000 each time it

with the NTP server, the firewall module synchronizes its

Optional

The device name depends on the device model.

• The configurations about

system time

are suitable for the firewall chassis.

Configuring the system time in the web interface

System time overview

System time allows you to display and set the device system time on the Web interface. The device supports setting system time through manual configuration and automatic synchronization of NTP server time.

An administrator can by no means keep time synchronized among all the devices within a network by changing the system clock on each device, because this is a huge amount of workload and cannot guarantee the clock precision.

Defined in RFC 1305, the Network Time Protocol (NTP) synchronizes timekeeping among distributed time servers and clients. NTP allows quick clock synchronization within the entire network and ensures a high clock precision so that the devices can provide diverse applications based on the consistent time.

Viewing the current system time

Select Device Management > System Time from the navigation tree, and you will enter the System Time tab page, as shown inFigure 60. T

Figure 60 System time page

he current system time of the device is displayed on the page.

Configuring the system time

Select Device Management > System Time from the navigation tree, and you will enter the System Time tab page, as shown in Figure 60. C in Figure 61.

Figure 61 Calendar page

lick the System Time Configuration text to open a c alendar, as shown

You can modify the system time either in the System Time Configuration text box, or through the calendar page. You can perform the following operations on the calendar page:

• Click Today to set the current date on the calendar to the current system date of the local host, and

the time keeps unchanged.

• Set the year, month, date and time, and then click OK.

After finishing the configuration in the calendar, you must click Apply in the system time configuration page to save your configuration.

Configuring the network time

Select Device Management > System Time from the navigation tree, and then click Net Time to enter the page as shown in Figure 62.

Figure 62 Network time

Table 6 Network time configuration items

Item Description

Clock status Displays the synchronization status of the system clock.

Set the IP address of the local clock source to 127.127.1.u, where u ranges from 0 to 3, representing the NTP process ID.

• If the IP address of the local clock source is specified, the local

Local Reference Source

clock is used as the reference clock, and thus can provide time for other devices.

• If the IP address of the local clock source is not specified, the local

clock is not used as the reference clock.

Set the stratum level of the local clock.

Stratum

Source Interface

The stratum level of the local clock decides the precision of the local clock. A higher value indicates a lower precision. A stratum 1 clock has the highest precision, and a stratum 16 clock is not synchronized and cannot be used as a reference clock.

Set the source interface for an NTP message.

If you do not want the IP address of a certain interface on the local device to become the destination address of response messages, you can specify the source interface for NTP messages, so that the source IP address in the NTP messages is the primary IP address of this interface. If the specified source interface is down, the source IP address of the NTP messages sent is the primary IP address of the outbound interface.

Item Description

Set NTP authentication key.

The NTP authentication feature should be enabled for a system

Key 1

Key 2

running NTP in a network where there is a high security demand. This feature enhances the network security by means of client-server key authentication, which prohibits a client from synchronizing with a device that has failed authentication.

You can set two authentication keys, each of which is composed of a key ID and key string.

• ID is the ID of a key.

• Key string is a character string for MD5 authentication key.

Specify the IP address of an NTP server, and configure the

NTP Server 1/Reference Key ID

External Reference Source

NTP Server 2/Reference Key ID

authentication key ID used for the association with the NTP server. Only if the key provided by the server is the same with the specified key will the device synchronize its time to the NTP server.

You can configure two NTP servers. The clients will choose the optimal reference source.

IMPORTANT:

The IP address of an NTP server is a unicast address, and cannot be a broadcast or a multicast address, or the IP address of the local clock source.

Date and time configuration example

1. Network requirements

• The local clock of Device A is set as the reference clock, with the stratum of 2.

• Device B works in the client mode, and uses Device A as the NTP server.

Figure 63 Network diagram for date and time configuration

2. Configure Device A

# Configure the local clock as the reference clock, with the stratum of 2.

• Select Device Management > System Time from the navigation tree, and click Net Time.

• Select 12 7.127.1.1 from the Local Reference Source drop-down list.

• Select 2 from the Stratum drop-down list.

• Click Apply.

3. Configure Device B

# Configure Device A as the NTP server of Device B.

• Select Device Management > System Time from the navigation tree, and click Net Time.

• Type 1. 0.1.11 in the NTP Server 1 box.

• Click Apply.

4. Verify the configuration

After the above configuration, you can see that the current system time displayed on the System Time page is the same for Device A and Device B.

Configuration guidelines

• A device can act as a server to synchronize the clock of other devices only after its clock has been

synchronized. If the clock of a server has a stratum level higher than or equal to that of a client’ s clock, the client will not synchronize its clock to the server’s.

• The synchronization process takes a period of time. Therefore, the clock status may be

unsynchronized after your configuration. In this case, you can refresh the page to view the clock status later on.

Configuring the system time in the CLI

The system time is determined by the configured relative time, time zone, and daylight saving time. To view the system time, use the display clock command.

Follow these steps to configure the system time:

To do… Use the command… Remarks

Set the time and date clock datetime time date

Enter system view system-view —

Set the time zone

Adopt daylight saving time from the start-time on the start-date to

Set a daylight saving time scheme

the end-time on the end-date in this year. Daylight saving time is the standard time plus the add-time.

Adopt daylight saving time every year

System time configuration examples

Th e system time is determined by the commands clock datetime, clock timezone and clock summer-time. If these three commands are not configured, the display clock command displays the original system time. If you combine these three commands in different ways, the system time is displayed in the ways as shown in Table 7. T

he numbers in the configuration column are described below:

clock timezone zone-name { add | minus } zone-offset

clock summer-time

zone-name one-off start-time start-date end-time end-date add-time

clock summer-time

zone-name repeating start-time start-date end-time end-date add-time

Optional

Available in user view.

Optional

Universal time coordinated (UTC) time zone by default.

Optional

Use either command

By default, daylight saving time is not configured on the device, and the UTC time zone is applied.

• 1 indicates that the date-time has been configured with the clock datetime command.

• 2 indicates that the time-zone has been configured with the clock timezone command and the offset

time is zone-offset.

• 3 indicates that the daylight saving time has been configured with the clock summer-time command

and the offset time is summer-offset.

• [1] indicates that the clock datetime command is optional.

• The default system time is 2005/1/1 1:00:00 in the example.

Table 7 System time configuration

Configuration System time configured Example

Configure: clock datetime 1:00 2007/1/1

1 date-time

System time configured: 01:00:00 UTC Mon 01/01/2007

1 and 2 date-time ± zone-offset

[1], 2 and 1 date-time

The original system time ± “zone-offset”

If the original system time is not in the daylight saving time range, the system time configured is the original system time.

If the original system time is in the daylight saving time range, the system time configured is the original system time + “summer-offset”.

Configure: clock timezone zone-time add 1

System time configured: 02:00:00 zone-time Sat 01/01/2005

Configure: clock datetime 2:00 2007/2/2 and clock timezone zone-time add 1

System time configured: 03:00:00 zone-time Fri 02/02/2007

Configure: clock timezone zone-time add 1 and clock datetime 3:00 2007/3/3

System time configured: 03:00:00 zone-time Sat 03/03/2007

Configure: clock summer-time ss one-off 1:00 2006/1/1 1:00 2006/8/8 2

System time configured: 01:00:00 UTC Sat 01/01/2005

Configure: clock summer-time ss one-off 00:30 2005/1/1 1:00 2005/8/8 2

System time configured: 03:00:00 ss Sat 01/01/2005

If the original system time + “summer-offset” is not in the daylight saving time range, the system time configured is the original system time. After this configuration, if you disable the daylight saving, the system time becomes the system time minus “summer-offset”.

1 and 3

If “date-time” is not in the daylight saving time range, the system time configured is “date-time”.

If “date-time” is in the daylight saving time range, the system time configured is “date-time” + “summer-offset”.

Configure: clock datetime 1:00 2007/1/1 and clock summer-time ss one-off 1:00 2006/1/1 1:00 2006/8/8 2

System time configured: 01:00:00 UTC Mon 01/01/2007

Configure: clock datetime 8:00 2007/1/1 and clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2

System time configured: 10:00:00 ss Mon 01/01/2007

If “date-time” + “summer-offset” is not in the daylight saving time range, the system time configured is “date-time”. After this configuration, if you disable the daylight saving, the system time becomes the system time minus “summer-offset”.

Configuration System time configured Example

Configure: clock summer-time ss one-off 1:00

If “date-time” is not in the daylight saving time range, the system time configured is “date-time”.

2007/1/1 1:00 2007/8/8 2 and clock datetime 1:00 2008/1/1

System time configured: 01:00:00 UTC Tue 01/01/2008

[1], 3 and 1

2 and 3 or 3 and 2

1, 2 and 3 or 1, 3 and 2

“date-time” is in the daylight saving time range:

If the value of “date-time” - “summer-offset” is not in the summer-time range, the system time configured is “date-time” - “summer-offset”; If the value of “date-time” - “summer-offset” is in the summer-time range, the system time configured is “date-time”.

If the value of the original system time ± “zone-offset” is not in the summer-time range, the system time configured is the original system time ± “zone-offset”.

If the value of the original system time ± “zone-offset” is in the summer-time range, the system time configured is the original system time ± “zone-offset” + ”summer-offset”.

If the value of "date-time"±"zone-offset" is not in the summer-time range, the system time configured is "date-time"±"zone-offset".

If the value of "date-time"±"zone-offset" is in the summer-time range, the system time configured is "date-time"±"zone-offset"+”summer

-offset”.

Configure: clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2 and clock datetime 1:30 2007/1/1

System time configured: 23:30:00 UTC Sun 12/31/2006

Configure: clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2 and clock datetime 3:00 2007/1/1

System time configured: 03:00:00 ss Mon 01/01/2007

Configure: clock timezone zone-time add 1 and clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2

System time configured: 02:00:00 zone-time Sat 01/01/2005

Configure: clock timezone zone-time add 1 and clock summer-time ss one-off 1:00 2005/1/1 1:00 2005/8/8 2

System time configured: 04:00:00 ss Sat 01/01/2005

Configure: clock datetime 1:00 2007/1/1, clock timezone zone-time add 1 and clock summer-time ss one-off 1:00 2008/1/1 1:00 2008/8/8 2

System time configured: 02:00:00 zone-time Mon 01/01/2007

Configure: clock datetime 1:00 2007/1/1, clock timezone zone-time add 1 and clock summer-time ss one-off 1:00 2007/1/1 1:00 2007/8/8 2

System time configured: 04:00:00 ss Mon 01/01/2007

HP A-F1000-E Getting Started Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

Contents

Overview

Product overview

Firewall A-F1000-E

Firewall A-F5000

HP firewall modules

Application scenarios

A-F1000-E application

A-F5000 application

Firewall module application

Login methods

Login methods

User interface overview

Users and user interfaces

Numbering user interfaces

Absolute numbering

Relative numbering

CLI login

Overview

Logging in through the console port

Introduction

Configuration requirements

Login procedure

Console login authentication modes

Configuring none authentication for console login

Configuration prerequisites

Configuration procedure

Configuring password authentication for console login

Configuration prerequisites

Configuration procedure

Configuring scheme authentication for console login

Configuration prerequisites

Configuration procedure

Configuring common settings for console login (optional)

Logging in through Telnet

Introduction

Telnet login authentication modes

Configuring none authentication for Telnet login

Configuration prerequisites

Configuration procedure

Configuring password authentication for Telnet login

Configuration prerequisites

Configuration procedure

Configuring scheme authentication for Telnet login

Configuration prerequisites

Configuration procedure

Configuring common settings for VTY user interfaces (optional)

Configuring the device to log in to a Telnet server as a Telnet client

Configuration prerequisites

Configuration procedure

Logging in through SSH

Introduction

Configuring the SSH server

Configuration prerequisites

Configuration procedure

Configuring the SSH client to log in to the SSH server

Configuration prerequisites

Configuration procedure

Logging in through the AUX port

Introduction

AUX login authentication modes

Configuring none authentication for AUX login

Configuration prerequisites

Configuration procedure

Configuring password authentication for AUX login

Configuration prerequisites

Configuration procedure

Configuring scheme authentication for AUX login

Configuration prerequisites

Configuration procedure

Configuring common settings for AUX login (optional)

Configuration requirements

Login procedure

Logging in through modems

Introduction

Configuration requirements