Ruijie RG-WALL 1600 Series Next-Generation Firewall Implementation Cookbook (V1.3)
Copyright Statement
Ruijie Networks©2016
Ruijie Networks reserves all copyrights of this document. Any reproduction, excerption, backup, modification, transmission, translation or commercial use of this document or any portion of this document, in any form or by any means, without the prior written consent of Ruijie Networks is prohibited.
are registered trademarks of Ruijie Networks. Counterfeit is strictly prohibited.
Exemption Statement
This document is provided "as is". The contents of this document are subject to change without any notice. Please obtain the latest information through the Ruijie Networks website. Ruijie Networks endeavors to ensure content accuracy and will not shoulder any responsibility for losses and damages caused due to content omissions, inaccuracies or errors.
Obtaining Technical Assistance
- Ruijie Networks website: http://www.ruijienetworks.com/
- Ruijie Networks service portal: http://caseportal.ruijienetworks.com
2.4 License Service Registration
2.5 Configuration Backup and Recovery
2.8 Restoring Factory Settings
3.1 Internet Access via a Single Line
3.1.1 Configuring Internet Access via a Single ADSL Line
3.1.2 Configuring Internet Access via a Static Link
3.1.3 Configuring Internet Access via a DHCP Line
3.2 Internet Access via Multiple Links
3.2.1 Configuring Internet Access via Dual Lines of the Same Carrier
3.2.2 Configuring Internet Access via Dual Lines of Different Carriers
3.3.1 Configuring the DHCP Server
3.3.3 DHCP Relay Configuration
3.4.1 Address Mapping (One-to-One IP Address Mapping)
3.4.2 Port Mapping (One-to-Many Port Mapping)
3.4.3 Port Mapping for Multiple Lines
3.6 Application Level Gateway (ALG)
3.6.2 VoIP Destination Address Mapping
3.7.1 IPSec VPN (Point-to-Point)
3.9.1 HTTP Traffic-based Server Load Balancing
3.9.2 HTTPS Traffic-based Server Load Balancing
4 Configuring Transparent Mode
4.3 Out-of-Band Management in Transparent Mode
5.3 Configuring VDOM in Hybrid Mode
6.4 Configuring Synchronization of Standalone Device Configuration and Sessions
6.5 Configuring the Ping Server
6.6 Configuring the Out-of-Band Management Interface
7.1.5 Network Application Control
7.1.6 Data Leakage Prevention (DLP)
7.2.2 Storing Logs in the Hard Disk
7.2.3 Storing Logs in the Memory
7.3 Converting Interface Attribute
8.1 Enabling IPv6 on the Web Page
8.2 Configuring Internet Access
8.2.2 Configuring VIP46 Mapping
Networking Requirements
Via the Web interface, you can configure the firewall, for example, enable the management function of the wan1 interface.
Network Topology
Configuration Tips
The default IP address of the NGFW is 192.168.1.200, and you can perform Web management via HTTPS (the default user name is admin, and the default password is firewall). The management interface of each model is as follows:
RG-WALL1600-X9300: mgmt1 interface
RG-WALL1600-X8500: mgmt1 interface
RG-WALL1600-X6600: mgmt1 interface
RG-WALL1600-M5100: mgmt interface
RG-WALL1600-S3600: internal interface, corresponding to switching interfaces 1 to 14
RG-WALL1600-S3100: internal interface, corresponding to switching interfaces 1 to 7
All switching interfaces of the S3100 and S3600 are Layer-3 internal interfaces; only internal interfaces are suitable for Layer-3 configurations, for example, IP address configuration.
Set the IP address of the PC to 192.168.1.1/24, connect it to the internal interface or MGMT interface, open the IE browser, enter https://192.168.1.200 to reach the NGFW login page, and enter the user name admin and password firewall to open the NGFW management page. If you forget the password, you can restore the initial password as instructed in the section "Firewall Maintenance" > "Password Recovery".
After you log in to the device, enable the management function of the wan1 interface.
By default, the other interfaces have no IP addresses, and management functions (for example, HTTPS) are not enabled on them.
If the firewall interface address has been modified but you forget the new password, you can enter the CLI to view the current configurations.
It is recommended that you use Firefox or IE10 (or above). If you use a third-party browser (for example, 360 or Travel), use the top speed mode.
Configuration Steps
1. With the NGFW at its default settings, set the IP address of the PC to 192.168.1.1 and the gateway address to 192.168.1.200;
In the address bar of the IE browser, enter https://192.168.1.200; the firewall login page is displayed.
Enter the user name admin and the default password firewall; the firewall homepage is displayed.
2. Set the IP address of the wan1 interface to 192.168.33.51/24, and enable the management function of the internal interface.
Choose the System > Network > Interface menu.
Double-click the wan1 interface and edit the following parameters:
Set the IP address of the interface to 192.168.0.200/24.
Administrative Access: Select HTTPS, PING, and SSH. The options have the following meanings:
HTTPS: Allow users to manage the device via https://192.168.0.200;
Ping: Allow users to ping this interface address. If it is deselected, the interface address cannot be pinged even when it is reachable;
HTTP: Allow users to manage the device via http://192.168.0.200;
SSH: Allow users to manage the device via ssh 192.168.0.200;
SNMP: Allow users to perform SNMP management via the interface;
TELNET: Allow users to manage the device via telnet 192.168.0.200.
Verification
Enter https://192.168.0.200 in the browser, and then verify the configurations.
Networking Requirements
To perform configuration management, you can use HyperTerminal or CRT to enter the CLI via a Console cable. By default, the firewall allows Console management.
Network Topology
Configuration Tips
1. Prepare a Console cable and a PC.
2. Connect the Console cable.
Connect the RJ45 connector end of the Console cable to the Console port of the PC, and connect the other end of the Console cable to the COM port of the PC.
3. Configure the HyperTerminal
a) A PC running Windows XP has a built-in HyperTerminal; on a PC running Windows 7, you need to install HyperTerminal separately.
b) By default, Windows Server 2003 is not equipped with HyperTerminal. You need to install it in Control Panel > Add/Delete Program, or download it directly from Attachment 1.
c) If you fail to enter the CLI after the configuration, check whether the Console cable is connected to the Console port, whether the data bits of HyperTerminal are configured correctly, and whether you clicked Restore Defaults. If you still fail to enter the CLI after performing the above operations, try replacing the PC, the Console cable and HyperTerminal.
Operation Steps
1. Prepare a Console cable and a PC
2. Connect the Console cable
Insert the RJ45 connector end of the Console cable into the Console port of the network device (the Console port is usually beside the Ethernet port of the network device and is marked with Console), and then insert the DB9 end of the Console cable into the COM port of the PC.
3. Configure the HyperTerminal
Verification
Press the Enter key; the system displays RG-WALL login, prompting you to enter the user name admin and password firewall (if the password has been changed or you forget the password, follow the instructions in the section "Password Recovery").
Networking Requirements
If you want to enter the CLI of a device to configure it or gather related information, you can manage the device remotely via Telnet or SSH when no Console cable is available or you are far away from the device.
Network Topology
Configuration Tips
To use Telnet or SSH, first ensure connectivity between the management host and the interface address of the device. You can tick the Ping function of the interface. If the management host can ping the management interface of the device, the connectivity between them is normal.
1. Enable the Telnet and SSH functions on the interface.
2. Telnet to the management device.
3. SSH to the management device.
Configuration Steps
1. Enable the Telnet and SSH functions on the interface
Choose the System > Network > Interface menu, and edit the internal interface by double-clicking it, as shown in the following figures:
Tick SSH and TELNET (by default, the Telnet and ping functions of the interface are disabled), and click OK.
I. Requirements
According to the factory settings, the default account is admin (with all privileges), and the default password is firewall. The requirements are as follows:
Change the admin password to ruijie@123, and set the host IP address of the admin account to 172.18.10.108/32. This means that only this host (172.18.10.108) can use the admin account to manage the device.
Create a monitor account with "read-only" privilege. Set the password to 123456a!. Set no limit on the IP addresses of the management hosts, which allows login from all hosts, and set the permission to read-only.
Define the password policy, which specifies password complexity.
Set the timeout interval of the Web page. If an administrator does not perform any operation within, for example, 90 minutes, the administrator is automatically logged out.
II. Configuration Tips
Change the admin password and setmanagement IP addresses.
Set Admin Profile to readonly.
Create a monitor account.
Define the password policy and changeadministrator settings.
III. Configuration Steps
Change the admin password and set management IP addresses.
Choose System > Admin > Administrators.
Click or double-click the editing button to set the administrator name to admin, and then click Change Password.
In the Edit Password dialog box that is displayed, change the password to ruijie@123, and then click OK.
Tick Restrict this Admin Login from Trusted Hosts Only, enter the management IP address 172.18.10.108/32 in Trusted Host #1, and then click OK.
Three trusted hosts can be added on this page. Up to 10 trusted hosts can be added by running the corresponding commands.
RG-WALL # config system admin
RG-WALL (admin) # edit admin
RG-WALL (admin) # set trusthost1 172.18.10.108 255.255.255.255
RG-WALL (admin) # set trusthost2 172.19.10.108 255.255.255.255
RG-WALL (admin) # set trusthost3 172.119.10.108 255.255.255.255
RG-WALL (admin) # end
Set Admin Profile to readonly.
Choose System > Admin > Admin Profile, and then click Create New.
Profile Name: Set it to readonly.
Tick Read Only for all items.
Create a monitor account.
Choose System > Admin > Administrators, and then click Create New.
Create a monitor account, set the password to 123456a!, set Admin Profile to readonly, and set no limit on the IP addresses of the management hosts, as shown in the following figure.
Define the password policy and changeadministrator settings.
If a password must contain at least 6 characters comprising letters, digits, and special characters (such as !@#$%&'), set the password policy as follows.
Choose System > Admin > Settings, as shown in the following figure.
Enable: Tick Enable.
Minimum Length: The minimum length of a password.
Must Contain: Limits on the number of letters, digits, and special characters.
Apply Password Policy to: Enter the admin password.
Admin Password Expires after: Configure the expiry period of a password. The system prompts the administrator to change the password after it expires.
Idle Timeout: If an administrator does not perform any operation within the specified time, the administrator is automatically logged out.
Note: The total number of required uppercase letters, lowercase letters, digits, and special characters must be less than or equal to the maximum length; otherwise, the policy setting is invalid.
IV. Verification
Log in to the monitor account and change thesettings. An error prompt Permission denied is displayed.
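As an added example that is not part of the cookbook, the following Python helpers generate the `config system admin` / `set trusthostN` sequence shown above for a list of trusted hosts (enforcing the 10-host CLI limit and the dotted-netmask form the CLI expects), flag entries that barely restrict anything, and check a candidate password against the policy described in this section (minimum length, letters, digits and special characters). The /24 threshold for "overly broad" and the `0.0.0.0/0` unrestricted entry are assumptions of the example.

```python
"""Admin hardening helpers for the RG-WALL CLI (added example, not cookbook code)."""
import ipaddress

MAX_TRUSTED_HOSTS = 10        # cookbook: 3 on the web page, up to 10 via the CLI
SPECIAL_CHARS = "!@#$%&'"     # special characters listed in the cookbook
UNRESTRICTED = "0.0.0.0/0"    # assumption: a 0.0.0.0/0 trusted host allows login from anywhere


def trusthost_commands(admin: str, hosts: list[str]) -> list[str]:
    """Return the CLI lines that restrict `admin` to the given trusted hosts.

    Each entry is an IPv4 host or network in prefix notation ("172.18.10.108/32").
    Raises ValueError for an empty list, more than MAX_TRUSTED_HOSTS entries or
    an entry that is not a valid IPv4 network.
    """
    if not hosts:
        raise ValueError("at least one trusted host is required")
    if len(hosts) > MAX_TRUSTED_HOSTS:
        raise ValueError(f"at most {MAX_TRUSTED_HOSTS} trusted hosts are supported")
    lines = ["config system admin", f"edit {admin}"]
    for index, entry in enumerate(hosts, start=1):
        net = ipaddress.IPv4Network(entry, strict=False)   # strict=False accepts host bits
        lines.append(f"set trusthost{index} {net.network_address} {net.netmask}")
    lines.append("end")
    return lines


def broad_trusted_hosts(hosts: list[str], max_prefixlen: int = 24) -> list[str]:
    """Return entries whose prefix is shorter than `max_prefixlen` (e.g. 0.0.0.0/0).

    The threshold is an assumption for this example; the cookbook only says that
    an unrestricted admin can log in from all hosts.
    """
    return [h for h in hosts
            if ipaddress.IPv4Network(h, strict=False).prefixlen < max_prefixlen]


def password_problems(password: str, min_length: int = 6,
                      specials: str = SPECIAL_CHARS) -> list[str]:
    """Return the policy rules a password violates; an empty list means compliant."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in specials for c in password):
        problems.append("no special characters")
    return problems


if __name__ == "__main__":
    # Constructed input: the admin host from the cookbook plus two wider entries.
    hosts = ["172.18.10.108/32", "172.19.10.0/24", UNRESTRICTED]
    print("\n".join(trusthost_commands("admin", hosts)))
    print("overly broad:", broad_trusted_hosts(hosts))
    for candidate in ("firewall", "ruijie@123", "123456a!"):
        print(candidate, "->", password_problems(candidate) or "compliant")
```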
Networking Requirements
The firewall system can be upgraded via the Web interface or via TFTP on the CLI. Here, the firewall system is upgraded via TFTP.
Before the upgrade, be sure to back up the firewall configurations. For details, refer to the section "Firewall Maintenance" > "Configuration Backup and Recovery".
Network Topology
Configuration Tips
1. Prepare tools and connect the Console cable;
2. Connect the network cable, and ensure that network communication isnormal;
3. Set up the TFTP server;
4. Begin the upgrade.
Configuration Steps
1. Prepare tools
Prepare the Console cable, network cable, upgrade file, TFTP tool, and USB-to-serial converter cable (if the PC has no COM port), and install the driver;
2. Connect the network cable, and ensure that network communication isnormal;
3. Set up the TFTP server;
4. Begin the upgrade.
You can download the Cisco TFTP server from the attachment.
Run the Cisco TFTP software, and save the upgrade firmware into the folder shown in the red frame below (when you install the software, the system specifies a folder), for example, c:\tftp.
Restart the device, and perform the following steps:
5. Enter M (press Shift + m) to enter the BIOS menu:
...
[G]: Get firmware image from TFTP server.
[F]: Format boot device.
[B]: Boot with backup firmware and set as default.
[I]: Configuration and information.
[Q]: Quit menu and continue to boot with default firmware.
[H]: Display this list of options.
6. Select F to format the Flash card;
Enter Selection [G]:
Enter G,F,B,I,Q,or H: F // Select F to format the Flash card. Optional.
All data will be erased,continue:[Y/N]?Y
7. Select G to download the image file:
Enter G,F,B,I,Q,or H: G // Select G to download the image file from the server.
Please connect TFTP server to Ethernet port "MGMT1". // Connect the PC to the MGMT1 port of the firewall.
Enter TFTP server address [192.168.1.1]: // Enter the address of the TFTP server.
Enter local address [192.168.1.200]: // Assign a temporary IP address to MGMT1.
Enter firmware image file name [image.out]: Ruijie_XXX_ .bin // Enter the name of the image file.
MAC:14144B7EE172
###########################################
8. The TFTP server prompts that the download succeeded:
Total 45387871 bytes data downloaded.
Verifying the integrity of the firmware image.
Total 262144kB unzipped.
Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?d // Use the image as the default boot firmware.
Programming the boot device now.
................................................................................................................................................................................................................................................................
Reading boot image 1401958 bytes.
Initializing firewall...
System is starting...
Resizing shared data partition...done
Formatting shared data partition ... done!
Networking Requirements
The current system software version is outdated, so it needs to be upgraded via the Web interface.
Before the upgrade, be sure to back up the device configurations. For details, refer to the section "Firewall Maintenance" > "Configuration Backup and Recovery".
Configuration Points
1. RG-WALL is a next-generation firewall. Each model of the device has a separate version file; before the upgrade, confirm the current device model.
2. The suffix of the upgrade package must be ".bin"; its prefix is not restricted;
3. Before the upgrade, prepare a Console cable so that you can take measures in case the upgrade fails;
4. During the upgrade, do not switch to other pages, and do not power off or restart the device; the upgrade usually takes less than five minutes;
5. After the new version is imported, the device restarts automatically, and the upgrade then takes effect.
The upgrade causes a network interruption. During the upgrade, follow the upgrade procedure strictly; misoperations may cause loss of the system.
Upgrade Procedure
1. Log in to the Web interface of the NGFW
Choose the System > Dashboard > Status > Firmware Version menu, and click the Update button;
2. Select the related OS files
Click OK, and then the system isautomatically restarted.
Verification
The system restarts with the newly loaded OS.
Precautions
The P3 version makes many changes over the previous versions; you need to use the following upgrade mode:
1. Before the upgrade, be sure to disable the auto-ipsec management property of the wan1 and wan2 interfaces via the CLI (if the management property is not disabled, the system reports errors when switching to the transparent mode of the P3 version).
1) View the management property of the interfaces
RG-WALL # show system interface
config system interface
edit "wan1"
set vdom "root"
set ip 192.168.57.74 255.255.255.0
set allowaccess ping https ssh telnet auto-ipsec
set type physical
set snmp-index 1
next
edit "wan2"
set vdom "root"
set ip 192.168.101.200 255.255.255.0
set allowaccess ping auto-ipsec
set type physical
set snmp-index 2
2) Disable the auto-ipsec property of the wan1 and wan2 interfaces
RG-WALL # config system interface
RG-WALL (interface) # edit wan1
RG-WALL (wan1) # set allowaccess ping https ssh
RG-WALL (wan1) # next
RG-WALL (interface) # edit wan2
RG-WALL (wan2) # set allowaccess ping
RG-WALL (wan2) # end
2. Upgrade the P0, P1 or P2 version to the P3 version via the Web interface (the upgrade takes about five minutes);
3. To complete the upgrade, you need to upgrade to the P3 version again via the Web interface;
1) During the upgrade to the P3 version, a formatting step is added to ensure a complete upgrade;
2) The formatting operation does not clear the original configurations;
3) Subsequent versions are not affected by this; only the P3 version requires two upgrades;
4) The upgrade takes about 5 minutes.
4. Upgrade flow: p0, p1 or p2 to p3 to P3.
5. Whether auto-ipsec is enabled or disabled depends on the specific model of the device:
1) S3100: By default, auto-ipsec is enabled on wan1 and wan2;
2) S3600: By default, auto-ipsec is enabled on wan1 and wan2;
3) M5100: By default, auto-ipsec is enabled on wan1;
4) M6600 and X9300: auto-ipsec is not enabled on the interfaces.
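As an added example that is not part of the cookbook, the following Python script parses `show system interface` output of the form quoted above, generates the `config system interface` sequence that strips auto-ipsec from every interface that has it (the precaution required before the P3 upgrade), and reports interfaces that still allow HTTP or Telnet management (the unencrypted options listed under Administrative Access). The sample output is constructed from the cookbook's wan1 and wan2 entries plus an assumed internal interface; `unset allowaccess` for an interface left with no services is an assumption.

```python
"""Audit the management access of RG-WALL interfaces (added example, not cookbook code)."""
import re

EDIT_RE = re.compile(r'^edit\s+"?([^"\s]+)"?$')
PLAINTEXT_SERVICES = {"http", "telnet"}   # management protocols without encryption

# Constructed sample: the two WAN interfaces from the cookbook plus an internal
# interface added for illustration.
SAMPLE_OUTPUT = """\
config system interface
    edit "wan1"
        set vdom "root"
        set ip 192.168.57.74 255.255.255.0
        set allowaccess ping https ssh telnet auto-ipsec
        set type physical
        set snmp-index 1
    next
    edit "wan2"
        set vdom "root"
        set ip 192.168.101.200 255.255.255.0
        set allowaccess ping auto-ipsec
        set type physical
        set snmp-index 2
    next
    edit "internal"
        set vdom "root"
        set ip 192.168.1.200 255.255.255.0
        set allowaccess ping https ssh
        set type physical
        set snmp-index 3
    next
end
"""


def parse_allowaccess(show_output: str) -> dict[str, list[str]]:
    """Map each interface name to its allowaccess services (empty if none set)."""
    access: dict[str, list[str]] = {}
    current = None
    for raw in show_output.splitlines():
        line = raw.strip()
        match = EDIT_RE.match(line)
        if match:
            current = match.group(1)
            access[current] = []
        elif current and line.startswith("set allowaccess "):
            access[current] = line.split()[2:]
        elif line in ("next", "end"):
            current = None
    return access


def remediation_commands(access: dict[str, list[str]],
                         strip: tuple[str, ...] = ("auto-ipsec",)) -> list[str]:
    """Return CLI lines removing the `strip` services from every interface using them.

    Interfaces that use none of the services are left untouched.  The block ends
    with `end` like the cookbook's own sequence.  `unset allowaccess` for an
    interface left with no services is an assumption of this example.
    """
    body: list[str] = []
    for name, services in access.items():
        if not any(s in services for s in strip):
            continue
        kept = [s for s in services if s not in strip]
        body.append(f"edit {name}")
        body.append("set allowaccess " + " ".join(kept) if kept else "unset allowaccess")
        body.append("next")
    if not body:
        return []
    body[-1] = "end"                     # the last `next` becomes `end`
    return ["config system interface"] + body


def plaintext_exposure(access: dict[str, list[str]]) -> dict[str, list[str]]:
    """Report interfaces that allow HTTP or Telnet management."""
    return {name: sorted(PLAINTEXT_SERVICES & set(services))
            for name, services in access.items()
            if PLAINTEXT_SERVICES & set(services)}


if __name__ == "__main__":
    access = parse_allowaccess(SAMPLE_OUTPUT)
    print("\n".join(remediation_commands(access)))
    print("plaintext management:", plaintext_exposure(access))
```

Passing `strip=("auto-ipsec", "telnet")` reproduces the cookbook's own wan1 fix, which drops Telnet along with auto-ipsec.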
I. Description
1. There is only one kind of license service, namely RG-WALL1600-XXXXX (model)-LIS-1Y, which is sent in an envelope with a term of 1 year. It is a compound license service containing the virus signature upgrade service, IPS signature upgrade service, URL signature upgrade service, application signature upgrade service, and spam signature upgrade service.
2. License service registration is the online registration of a service license for UTM-related functions (such as anti-virus, IPS, application detection, email filtering, Web filtering, and data leakage prevention) purchased by customers, which enables customers to upgrade the rule repository and use the online detection function during the license term. You cannot handle license service registration by yourself. Instead, you need to provide the relevant information to our engineer for registration. Then, when your devices are connected to the Internet, you will find that the license has been activated and the UTM functions can be used.
II. License Service Registration Process
Step 1: Send registrationinformation.
When you purchase the service, you receive an envelope enclosing an authorization code. If you need registration, send the software SN (16 digits), model, authorization code, project name, and customer name of the device to be registered to rgngfw3@ruijie.com.cn according to the instructions on the envelope.
1. Collect related information according to samples in the following table.
| | Software SN (16 digits) | Model | Authorization Code (12 digits) | Project Name | Customer Name |
| --- | --- | --- | --- | --- | --- |
| Sample | DB99KKK124667235 | Sample* | Sample* | Sample | Sample* |
Explanation:
Software SN: A 16-digit code string starting with RGFW, shown on the Web page.
Model: It can be obtained from the dashboard or the Web page.
Please send the table information in Step 1 and your contact information to the technical support email address rgngfw3@ruijie.com.cn, titled "License Activation for WALL 1600 (model)".
We will finish license activation based on the table information you provide within 1 working day. If your application is filed on a weekend or holiday, we will finish license activation before 12:00 on the subsequent working day.
When you receive an email about successful activation, your license has been activated and you can use the upgrade service.
Notes:
1. The authorization code is only applicable to a certain model in RG-WALL1600 series.
2. Please activate your license within 10 months after receipt of the license envelope. Otherwise, the Ruijie Cloud Server will automatically activate it for you.
3. The authorization code can be activated only once. If you fail to activate it, please contact Ruijie engineers for license migration.
Step 2: Operate on thedevice.
Ensure that the firewall is connected to the Internet and configured with a correct DNS address. By default, the update server domain name is fwupdate.ruijie.com.cn and the port is 8890.
Run the following commands to change the default setting so that the device automatically finds a server (using servers distributed globally):
RG-WALL # show system central-management
config system central-management
set Ruijiemanager-fds-override enable
set fmg "fwupdate.ruijie.com.cn"
end
RG-WALL # config system central-management
RG-WALL (central-management) # unset fmg
RG-WALL (central-management) # set Ruijiemanager-fds-override disable
RG-WALL (central-management) # end
RG-WALL # show system central-management // Shows that the default update address is disabled and the device will automatically find the nearest server.
1. Perform initial manual update.
After you receive the registration success email from Ruijie, log in to the firewall to perform the initial manual update.
Confirm license information.
Choose System > Status to view License Information, which shows Licensed. Confirm the expiry date of each service.
IV. Information Acquisition Method
1. Software SN
Log in to the device. Choose System > Dashboard > Status > System Information to view the software SN (software registration number).
Model
View the model on the dashboard or the Web page. On the Web page, choose System > Dashboard > Status > System Information to view the model.
Authorization Code
Obtain the authorization code from the envelope.
Networking Requirements
Save the current configurations of the firewall and export them for backup, so that the configurations can be restored when needed.
Configuration Tips
1. Save the configurations
2. Export the configurations
3. Restore the configurations
1. The imported configuration files must be in conf format; otherwise, they cannot be recognized.
2. After you import the configurations, you must restart the system so that the imported configurations take effect.
3. You must remember the password of the backup configurations; otherwise, they cannot be imported or restored.
Configuration Steps
1. Save the configurations
Web: Via the Web interface, configurations take effect immediately and are saved automatically. Every time you modify configurations and click OK, the new configurations are saved automatically.
CLI: Enter next and end on the CLI; the new configurations take effect and are saved automatically.
2. Export the configurations
Choose the System > Dashboard > Status menu; the System Information page is displayed. Then, click Backup after System Configuration.
The updated P2 version allows you to choose whether to encrypt configuration files (in the P1 version, configuration files are encrypted by default). Select or deselect Encrypt configuration file (if selected, you need to set a password) according to actual needs, and click Backup.
The configuration files are backed up to the local disk.
3. Restore the configurations
Choose the System > Dashboard > Status menu; the System Information page is displayed. Then, click Restore after System Configuration to use the locally stored configuration files to restore the firewall configurations.
After the import succeeds, the system prompts you to restart the system.
Verification
After the system is restarted, the previous configurations are restored.
Networking Requirements
If the intranet is equipped with a network management server that monitors and manages the network devices, you need to enable the SNMP function on the NGFW, so that the network management server can monitor the NGFW via SNMP.
Configuration Tips
1. Enable the SNMP management function on the network interface;
2. Enable the SNMP local agent.
3. Configure the SNMP Community.
Configuration Steps
1. Enable the SNMP management function on the network interface
Choose the System > Network > Interface menu, edit the interface used for SNMP management, and select SNMP in the Administrative Access option.
2. Enable the SNMP local agent
Choose the System > Config > SNMPv1/v2 menu, select SNMP Agent, enter the related description information, and click Apply.
3. Configure the SNMP Community
On the page of Step 2, click the Create New button below SNMP Communities. The New SNMP Community configuration page is displayed.
Community Name: Set it to readonly (the read-only community string).
Host management: Enter the address of the SNMP server (the address is mandatory, for example, 192.168.1.168); only this host is then allowed to perform SNMP management with this community string, and the address is also used as the destination for Trap information.
Interface: If you select an interface, the system only allows SNMP management with this community string via the selected interface. any refers to any interface.
Queries: It refers to the interface used for SNMP queries.
Trap: It refers to the interface the SNMP agent uses to send Traps.
SNMP Event: It refers to the events that trigger an SNMP Trap. By default, all events are selected. It is recommended that you keep the default setting.
Verification
As shown in the following figure, connect the MIB browser to the firewall via SNMP, and view the related information of the device. You can view the device name and run time of the firewall:
Networking Requirements
1. If you forget the password of the device, you need to recover the password by using a Console cable.
2. After recovering the password, you need to restart the device. This causes a network interruption. Therefore, perform the restart operation at a convenient time.
3. After you recover the password, the current configurations are not changed.
Configuration Tips
1. Connect to the firewall serial port via the HyperTerminal or CRT;
2. Power off the device to restart it, and log in with the built-in account ruijie.
3. Set a new password for the administrator.
Configuration Steps
1. Connect the Console cable, and set the HyperTerminal
a) Prepare a Console cable and a PC with a Com port;
b) Connect the Console cable;
Insert the RJ45 connector end of the Console cable into the Console port of the network device (the Console port is usually beside the Ethernet port of the network device and is marked with Console), and then insert the DB9 end of the Console cable into the COM port of the PC.
c) Configure the HyperTerminal.
2. Power off to restart the device
Within 15 seconds after the system restarts, enter the user name ruijie and the password (the password is the software registration number, which is usually a string of 16 characters starting with RJFW). The serial number of the product is available on the bottom or one side of the device, as shown below.
RG-WALL login: ruijie
Password: RGFW314614039839
RG-WALL #
The account is valid only within 15 seconds after the system restarts, and must be used via the Console interface.
3. Change the account and password for the administrator
RG-WALL # config system admin
RG-WALL (admin) # edit admin
RG-WALL (admin) # set pass 123455@!@#
RG-WALL (admin) # end
Verification
Use the new admin account and password to log in to the firewall via HTTPS or SSH.
Networking Requirements
If you want to delete all current configurations of the device, you can restore the factory default. If you are sure that you want to restore the factory default, you are advised to back up the current configurations first. For details about the backup operation, refer to the section "Firewall Maintenance" > "Configuration Backup and Recovery".
The license information of the device is saved on the cloud. After restoring the factory default, you can obtain the license information again by connecting the device to the Internet.
Configuration Tips
1. After you restore the factory default, all current configurations are removed and the system restarts automatically.
2. After you restore the factory default, the IP address of the internal or MGMT interface is restored to 192.168.1.200.
Configuration Steps
Mode 1: CLI
Enter the CLI, run the execute factoryreset command, and press Enter. The system then asks whether you want to continue. Enter y to continue.
RG-WALL # execute factoryreset
This operation will reset the system to factory default!
Do you want to continue? (y/n) y
Mode 2: Press the Reset button on the device (available only on the S3100 and S3600, not on other models).
Within 30 seconds after the firewall system has started normally, press and hold the Reset button. The system restarts automatically and the factory default is restored.
Verification
After you restore the factory default, the IP address of the management interface is restored to 192.168.1.200. Via this address, you can log in to https://192.168.1.200. The user name and password are restored to the defaults admin and firewall.
Precautions
After you restore the factory default, the disk logs are not removed; only the current configurations are removed.
I. Command Structure
config: Configure object. Configures policies and objects.
get: Get dynamic and system information. Shows the settings of specific objects.
show: Show configuration. Shows the configuration file.
diagnose: Diagnose facility. Diagnosis commands.
execute: Execute static commands. Common commands, such as ping.
exit: Exit the CLI. Exits the CLI.
II. Common Commands
1. Configure an interface address.
RG-WALL # config system interface
RG-WALL (interface) # edit lan
RG-WALL (lan) # set ip 192.168.100.99/24
RG-WALL (lan) # end
2. Configure a static route.
RG-WALL # config router static
RG-WALL (static) # edit 1
RG-WALL (1) # set device wan1
RG-WALL (1) # set dst 10.0.0.0 255.0.0.0
RG-WALL (1) # set gateway 192.168.57.1
RG-WALL (1) # end
3. Configure a default route.
RG-WALL # config router static
RG-WALL (static) # edit 1
RG-WALL (1) # set gateway 192.168.57.1
RG-WALL (1) # set device wan1
RG-WALL (1) # end
4. Configure a firewall address.
RG-WALL # config firewall address
RG-WALL (address) # edit clientnet
new entry 'clientnet' added
RG-WALL (clientnet) # set subnet 192.168.1.0 255.255.255.0
RG-WALL (clientnet) # end
5. Configure an IP pool.
RG-WALL # config firewall ippool
RG-WALL (ippool) # edit nat-pool
new entry 'nat-pool' added
RG-WALL (nat-pool) # set startip 100.100.100.1
RG-WALL (nat-pool) # set endip 100.100.100.100
RG-WALL (nat-pool) # end
6. Configure a virtual IP address.
RG-WALL # config firewall vip
RG-WALL (vip) # edit webserver
new entry 'webserver' added
RG-WALL (webserver) # set extip 202.0.0.167
RG-WALL (webserver) # set extintf wan1
RG-WALL (webserver) # set mappedip 192.168.0.168
RG-WALL (webserver) # end
7. Configure the Internet access policy.
RG-WALL # config firewall policy
RG-WALL (policy) # edit 1
RG-WALL (1) # set srcintf internal // Indicates the source interface.
RG-WALL (1) # set dstintf wan1 // Indicates the destination interface.
RG-WALL (1) # set srcaddr all // Indicates the source address.
RG-WALL (1) # set dstaddr all // Indicates the destination address.
RG-WALL (1) # set action accept // Indicates the action.
RG-WALL (1) # set schedule always // Indicates the schedule.
RG-WALL (1) # set service ALL // Indicates the service.
RG-WALL (1) # set logtraffic disable // Enables or disables logging.
RG-WALL (1) # set nat enable // Enables NAT.
RG-WALL (1) # end
8. Configure the mapping policy.
RG-WALL # config firewall policy
RG-WALL (policy) #edit 2
RG-WALL (2) # set srcintf wan1 //Indicates the source interface.
RG-WALL (2) # set dstintf internal //Indicates the destination interface.
RG-WALL (2) # set srcaddr all //Indicates the source address.
RG-WALL (2) # set dstaddr ngfw1 //Indicates the destination address used for virtual IP address mapping, which is added beforehand.
RG-WALL (2) # set action accept //Indicates the action.
RG-WALL (2) # set schedule always //Indicates the schedule.
RG-WALL (2) # set service ALL //Indicates the service.
RG-WALL (2) # set logtraffic disable //Enables or disables logs.
RG-WALL (2) # end
9. Change the internal switching interface to the routing interface.
Ensure that the routing, DHCP, and firewall policies of the internal interface are deleted first.
RG-WALL # config system global
RG-WALL (global) # set internal-switch-mode interface
RG-WALL (global) # end
Restart the device for the change to take effect.
--------------------------------------
10. View the host name and management port.
RG-WALL# show system global
11. View the system status and available resources.
RG-WALL# get system performance status
12. View the application traffic statistics.
RG-WALL# get system performance firewall statistics
13. View the ARP table.
RG-WALL # get system arp
14. View ARP details.
RG-WALL # diagnose ip arp list
15. Clear the ARP cache.
RG-WALL # execute clear system arp table
16. View the current session table.
RG-WALL # diagnose sys session stat
RG-WALL # diagnose sys session full-stat
17. View the session list.
RG-WALL # diagnose sys session list
18. View the physical interface status.
RG-WALL# get system interface physical
19. View settings of the default route.
RG-WALL# show router static
20. View the static route in the routing table.
RG-WALL# get router info routing-table static
21. View OSPF configuration.
RG-WALL# show router ospf
22. View the global routing table.
RG-WALL # get router info routing-table all
-----------------------------------------------
23. View HA status.
RG-WALL # get system ha status
24. Check synchronization of active and standby routers.
RG-WALL# diagnose sys ha showcsum
---------------------------------------------------
25. Diagnosis commands:
RG-WALL # diagnose debug enable //Enables debugging.
RG-WALL # diagnose debug application ike -1 //Debugs IPsec Phase 1 (IKE) packets to check whether an IPsec VPN is established.
RG-WALL # dia debug reset //Resets debugging.
---------------------------------------------------
Execute commands:
RG-WALL # execute ping 8.8.8.8 //The common ping command.
RG-WALL # execute ping-options source 192.168.1.200 //Specifies 192.168.1.200 as the source address of ping packets.
RG-WALL # execute ping 8.8.8.8 //Pings the destination address using the source address 192.168.1.200 specified above.
RG-WALL # execute traceroute 8.8.8.8
RG-WALL # execute telnet 2.2.2.2 //Accesses a remote host via Telnet.
RG-WALL # execute ssh 2.2.2.2 //Accesses a remote host via SSH.
RG-WALL # execute factoryreset //Restores factory settings.
RG-WALL # execute reboot //Reboots the device.
RG-WALL # execute shutdown //Shuts down the device.
Networking Requirements
The extranet interface uses ADSL for dial-up and the intranet belongs to the 192.168.1.0/24 segment. Intranet users can access the Internet.
Network Topology
Configuration Tips
1. Configure interfaces.
wan1 interface: It is used to access ADSL. The Retrieve default gateway from server option is mandatory. After ADSL dial-up succeeds, the device generates a default route without manual configuration.
Internal interface: Configure an IP address formatted as 192.168.1.200/24. If necessary, enable the management function on the interface.
2. Configure address object lan with address 192.168.1.0/24.
3. Configure the policy for the data transmitted from the internal interface to wan1 interface and enable NAT.
Configuration Steps
1. Configure interface address.
Choose System>Network>Interface. Tick wan1 and click Edit to display the Edit Interface page.
Addressing mode: Select PPPoE.
Username: Enter the user name.
Password: Enter the password.
Initial Disc Timeout: The waiting time before a new PPPoE discovery begins.
Initial PADT Timeout: If the idle time exceeds the defined time, PPPoE will be disabled. The PADT function requires support from the ISP.
Retrieve default gateway from server (mandatory): After dial-up succeeds, the firewall obtains one default route.
Override internal DNS: If the company does not have its own DNS server, this option is mandatory.
Edit the internal interface. The default IP address of the internal interface is 192.168.1.200/24, which shall be changed according to the actual situation.
You can enable the management function on the interface if necessary. It is recommended to enable HTTPS, SSH, and PING services.
After dial-up succeeds, choose Router>Monitor>Routing Monitor to check the default route obtained by the PPPoE client.
2. Configure address resources.
Choose Firewall>Address>Address, and then click Create New, as shown in the following figure:
Set Name to lan. Choose Subnet from Type. Set Subnet/IP Range to 192.168.1.0/24. Click OK. See the following figure:
3. Configure the policy.
For some low-end models, the system provides a NAT policy from the internal interface to wan1 interface by default.
Choose Firewall>Policy>Policy, and then click Create New, as shown in the following figure:
On the Edit Policy page, add one policy as shown in the following figure:
Source Interface/Zone: Choose internal.
Source address: Choose lan.
Destination Interface/Zone: Choose wan1.
Destination address: Choose all, which indicates all the addresses.
Service: Choose ALL.
NAT: Tick Enable NAT. The system automatically converts the IP address of the intranet lan to the IP address of wan1 interface for Internet access.
Click OK. The system automatically saves the configuration and the policy takes effect.
Once enabled, Log Allowed Traffic consumes extra system resources. Therefore, tick this item only when necessary.
Verification
Set the IP address of the PC to 192.168.1.1/24, the gateway address to 192.168.1.200, and the DNS address to 202.106.196.115, 8.8.8.8. (In general, you can set the DNS to the local DNS.)
Then the PC can access the Internet.
Networking Requirements
The extranet interface is connected to a private line and configured with a static address assigned by the carrier. The intranet belongs to the 192.168.1.0/24 segment. Intranet users can access the Internet.
Network Topology
Assume that the IP addresses assigned by the carrier are as follows:
Network segment: 202.1.1.8/29
Assigned IP address: 202.1.1.10
Gateway address: 202.1.1.9
DNS address: 202.106.196.115
Configuration Tips
1. Configure interfaces.
wan1 interface: Configure the IP address assigned by the carrier.
Internal interface: Configure an IP address formatted as 192.168.1.200/24. If necessary, enable the management function on the interface.
2. Configure a static routing table.
3. Configure address object lan with address 192.168.1.0/24.
4. Configure the policy for the data transmitted from the internal interface to wan1 interface and enable NAT.
Configuration Steps
1. Configure interface address.
Choose System>Network>Interface. Tick wan1 and click Edit to display the Edit Interface page, as shown in the following figure:
In the 202.1.1.8/29 network segment, 202.1.1.8 is the network address and 202.1.1.15 is the broadcast address, neither of which can be used. 202.1.1.9 is the carrier's gateway address. The available IP address range is from 202.1.1.9 to 202.1.1.14.
Set the IP address of wan1 interface to 202.1.1.10.
Edit the internal interface. The default IP address of the internal interface is 192.168.1.200/24, which shall be changed according to the actual situation.
You can enable the management function on the interface if necessary. It is recommended to enable HTTPS, SSH, and PING services.
2. Configure a static routing table.
Choose Router>Static>Static Route, and then click Create New, as shown in the following figure:
Create a static route, as shown in the following figure:
Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0.
Device: Choose wan1, the interface this route goes through. It must be set correctly. Otherwise, the route cannot work.
Gateway: The IP address of the next hop, that is, the IP address of the peer device corresponding to wan1 interface.
Distance: The default value is 10.
Priority: The default value is 0.
3. Configure address resources.
Choose Firewall>Address>Address, and then click Create New, as shown in the following figure:
Set Name to lan. Choose Subnet from Type. Set Subnet/IP Range to 192.168.1.0/24. Click OK. See the following figure:
4. Configure the policy.
For some low-end models, the system provides a NAT policy from the internal interface to wan1 interface by default.
Choose Firewall>Policy>Policy, and then click Create New, as shown in the following figure:
On the Edit Policy page, add one policy as shown in the following figure:
Source Interface/Zone: Choose internal.
Source address: Choose lan.
Destination Interface/Zone: Choose wan1.
Destination address: Choose all, which indicates all the addresses.
Service: Choose ALL.
NAT: Tick Enable NAT. The system automatically converts the IP address of the intranet lan to 202.1.1.10, the IP address of wan1 interface, for Internet access.
Click OK. The system automatically saves the configuration and the policy takes effect.
Once enabled, Log Allowed Traffic consumes extra system resources. Therefore, tick this item only when necessary.
Verification
Set the IP address of the PC to 192.168.1.1/24, the gateway address to 192.168.1.200, and the DNS address to 8.8.8.8. (In general, you can set the DNS to the local DNS.)
Then the PC can access the Internet.
Networking Requirements
The extranet interface uses DHCP and the intranet belongs to the 192.168.1.0/24 segment. Intranet users can access the Internet.
Network Topology
Configuration Tips
1. Configure interfaces.
wan1 interface: The Retrieve default gateway from server option is mandatory. After obtaining a DHCP address, the device generates a default route without manual configuration.
Internal interface: Configure an IP address formatted as 192.168.1.200/24. If necessary, enable the management function on the interface.
2. Configure address object lan with address 192.168.1.0/24.
3. Configure the policy for the data transmitted from the internal interface to wan1 interface and enable NAT.
Configuration Steps
1) Configure interfaces.
Choose System>Network>Interface. Tick wan1 and click Edit to display the Edit Interface page.
Addressing mode: Choose DHCP.
Retrieve default gateway from server (mandatory): After the DHCP address is obtained, the firewall obtains one default route.
Override internal DNS: If the company does not have its own DNS server, this option is mandatory. DHCP successfully obtains an IP address, as shown in the following figure:
Edit the internal interface. The default IP address of the internal interface is 192.168.1.200/24, which shall be changed according to the actual situation.
You can enable the management function on the interface if necessary. It is recommended to enable HTTPS, SSH, and PING services.
After the IP address is obtained, choose Router>Monitor>Routing Monitor to check the default route, as shown in the following figure:
2) Configure address resources.
Choose Firewall>Address>Address, and then click Create New, as shown in the following figure:
Set Name to lan. Choose Subnet from Type. Set Subnet/IP Range to 192.168.1.0/24. Click OK. See the following figure:
3) Configure the policy.
For some low-end models, the system provides a NAT policy from the internal interface to wan1 interface by default.
Choose Firewall>Policy>Policy, and then click Create New, as shown in the following figure:
On the Edit Policy page, add one policy as shown in the following figure:
Source Interface/Zone: Choose internal.
Source address: Choose lan.
Destination Interface/Zone: Choose wan1.
Destination address: Choose all, which indicates all the addresses.
Service: Choose ALL.
NAT: Tick Enable NAT. The system automatically converts the IP address of the intranet lan to the IP address of wan1 interface for Internet access.
Click OK. The system automatically saves the configuration and the policy takes effect.
Selecting Log Allowed Traffic causes extra system resource consumption. Therefore, tick this item only when necessary.
Verification
Set the IP address of the PC to 192.168.1.1/24, the gateway address to 192.168.1.200, and the DNS address to 202.106.196.115, 8.8.8.8. (In general, you can set the DNS to the local DNS.)
Then the PC can access the Internet.
Networking Requirements
Two lines provided by China Telecom with the same bandwidth are used on the current device. They back up each other and work in load-balancing mode.
Telecom line 1: wan1 interface, IP address 202.1.1.2/30; gateway address 202.1.1.1
Telecom line 2: wan2 interface, IP address 202.1.1.6/30; gateway address 202.1.1.5
Internal interface: intranet
In this example, the Internet interface address is used for NAT. If there is a need to use an address pool for NAT, see section 1.2.2 "Configuring Internet Access via Dual Lines of Different Carriers" for the policy configuration.
Network Topology
Configuration Tips
1. Configure interface address.
2. Configure a route.
3. Configure zones (untrust and trust zones).
4. Configure the policy.
5. Configure ECMP load-balancing mode.
Configuration Steps
1) Configure interface address.
Choose System>Network>Interface. Tick wan1 and click Edit to display the Edit Interface page, as shown in the following figure:
Configure the IP address and subnet mask as 202.1.1.2/30.
Choose System>Network>Interface. Tick wan2 and click Edit to display the Edit Interface page, as shown in the following figure:
The IP address of wan2 interface is 202.1.1.6/30, and the gateway address is 202.1.1.5.
The configuration is as follows:
2) Configure a route.
Choose Router>Static>Static Route, and then click Create New, as shown in the following figure:
Create two static routes, as shown in the following figure:
Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0.
Device: Choose wan1, the interface this route goes through. It must be set correctly. Otherwise, the route cannot work.
Gateway: The IP address of the next hop, that is, the IP address of the peer device corresponding to wan1 interface.
Distance: The default value is 10. The route with a shorter distance will be put into the routing table.
Priority: The default value is 0. The route with a smaller priority is used preferentially.
Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0.
Device: Choose wan2, the interface this route goes through. It must be set correctly. Otherwise, the route cannot work.
Gateway: The IP address of the next hop, that is, the IP address of the peer device corresponding to wan2 interface.
Distance: The default value is 10. The route with a shorter distance will be put into the routing table.
Priority: The default value is 0. The route with a smaller priority is used preferentially.
(1) To enable both egress lines to work, ensure that the two routes have the same distance. Otherwise, the route with the longer distance will not be put into the routing table.
(2) Besides, their priorities must be the same. With the same distance but different priorities, both routes are put into the routing table, but the firewall prefers the route with the lower priority value, so traffic over the two links cannot be balanced.
3) Configure zones.
The usage of zones facilitates and simplifies configuration. If Internet access is based on physical interfaces, multiple firewall policies are required.
Choose System>Network>Zone, and then click Create New, as shown in the following figure:
Create untrust and trust zones, as shown in the following figure. A zone can be regarded as an interface group, and the zone name is user defined.
After configuration, the interfaces are displayed as shown in the following figure:
4) Configure the policy.
For some low-end models, the system provides a policy from the internal interface to wan1 interface by default. Follow the steps below to add such a policy if none exists.
Choose Firewall>Policy>Policy, and then click Create New.
Create a policy, as shown in the following figure:
Source Interface/Zone: Choose trust.
Source address: Choose lan, which indicates the internal network address.
Destination Interface/Zone: Choose untrust.
Destination address: Choose all, which indicates all the addresses.
Service: Choose any.
Log Allowed Traffic: This item is ticked by default. It is recommended to untick it.
NAT: Tick Enable NAT. The system automatically converts the IP address of the intranet lan into the IP address of wan1 interface or wan2 interface for Internet access.
Click OK. The system automatically saves the configuration and the policy takes effect.
Once enabled, Log Allowed Traffic consumes extra system resources. Therefore, tick this item only when necessary.
5) Configure ECMP load-balancing mode.
The firewall supports the following three load balancing modes:
Source IP based: Choose different routes based on different source IP addresses.
Weighted Load Balance: Choose routes based on weight values. In this example, tick this item.
For example, assume that the wan1 interface weight is 50, the wan2 interface weight is 50, and the weight of other interfaces is 0. In this case, traffic is balanced over the two links in a 1:1 manner.
Assume that the wan1 interface weight is 50 and the wan2 interface weight is 100. In this case, traffic is balanced in a 1:2 manner.
Spillover: When the traffic over a link exceeds a threshold value, another link is used.
It is recommended to choose Source IP based. For example, online banking and online games verify the source IP address. If one user's sessions leave through different public IP addresses, online banking interaction may fail and game sessions may be dropped.
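The three modes above as a small Python model added here for illustration (it is not the firewall's own algorithm): `split` reproduces the 50:50 and 50:100 weight ratios, `links_used_by_host` shows why the Source IP based mode keeps one host on one link, and `spillover_pick` models the threshold behaviour. The link names and weights are the ones from this scenario; every other value is constructed.

```python
import hashlib
from collections import Counter


def weighted_pick(weights, flow_id):
    """Weighted Load Balance (simplified model, not the device's own algorithm):
    session number `flow_id` is placed on a link in proportion to the weights, so
    wan1=50/wan2=50 gives 1:1 and wan1=50/wan2=100 gives 1:2. Weight 0 = unused."""
    active = [(dev, w) for dev, w in weights.items() if w > 0]
    slot = flow_id % sum(w for _, w in active)
    for dev, w in active:
        if slot < w:
            return dev
        slot -= w
    raise RuntimeError("unreachable: slot is below the weight total")


def source_ip_pick(devices, src_ip):
    """Source IP based: hash the source address, so every session from one
    host leaves by the same link (what online banking and games need)."""
    digest = hashlib.sha256(src_ip.encode()).digest()
    return devices[int.from_bytes(digest[:4], "big") % len(devices)]


def spillover_pick(load_kbps, thresholds, order=("wan1", "wan2")):
    """Spillover: stay on the first link until its traffic reaches the
    threshold, then overflow to the next one."""
    for dev in order:
        if load_kbps.get(dev, 0) < thresholds[dev]:
            return dev
    return order[-1]


def split(weights, flows=300):
    """How many of `flows` sessions land on each link under weighted mode."""
    return Counter(weighted_pick(weights, i) for i in range(flows))


def links_used_by_host(src_ip, weights, mode, sessions=100):
    """The set of links that one host's successive sessions use.
    Weighted mode can spread one host over both links (so a bank site sees
    two different public addresses); source-IP mode always returns one link."""
    devices = [dev for dev, w in weights.items() if w > 0]
    used = set()
    for i in range(sessions):
        if mode == "weighted":
            used.add(weighted_pick(weights, i))
        elif mode == "source-ip":
            used.add(source_ip_pick(devices, src_ip))
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return used


if __name__ == "__main__":
    # Constructed demo: the two Telecom links from this scenario.
    print(split({"wan1": 50, "wan2": 50}))   # wan1: 150, wan2: 150 -> 1:1
    print(split({"wan1": 50, "wan2": 100}))  # wan1: 100, wan2: 200 -> 1:2
    print(links_used_by_host("192.168.1.1", {"wan1": 50, "wan2": 50}, "weighted"))
    print(links_used_by_host("192.168.1.1", {"wan1": 50, "wan2": 50}, "source-ip"))
```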
Verification
Check the real-time rates of two interfaces.
Networking Requirements
There is one link from the firewall to the Telecom interface and one to the Unicom interface. Data sent to Telecom IP addresses will pass through wan1 interface, while data sent to Unicom IP addresses will pass through wan2 interface.
Telecom: wan1 interface, IP address 202.1.1.2/30; gateway address 202.1.1.1; NAT address pool: 100.0.0.1-10
Unicom: wan2 interface, IP address 202.1.1.6/30; gateway address 202.1.1.5; NAT address pool: 200.0.0.1-10
Internal interface: internal network
Network Topology
Configuration Tips
1. Configure IP addresses of interfaces.
2. Configure a route.
3. Configure the address pool.
4. Configure the policy.
Current routing table entries: The routing table entries for China Telecom reach more than 1,800, while those for China Netcom are more than 400 and those for China Mobile are around 30.
Because the routing tables of the S3100 and S3600 have a limited capacity (100 entries), the S3100 and S3600 are not applied to the multi-line scenario.
Routing tables of the M5100 and M6600 contain up to 500 entries. When a network involves multiple lines, such as lines of China Telecom and lines of China Netcom, it is recommended to configure a default route for Telecom lines and static routes for Netcom lines.
The X9300 firewalls have sufficient routing table space.
Configuration Steps
1) Configure interface address.
Choose System>Network>Interface. Tick wan1 and click Edit to display the Edit Interface page, as shown in the following figure:
Configure the IP address and subnet mask as 202.1.1.2/30.
Choose System>Network>Interface. Tick wan2 and click Edit to display the Edit Interface page, as shown in the following figure:
The IP address of wan2 interface is 202.1.1.6/30, while the gateway address is 202.1.1.5.
The configuration is as follows:
2) Configure a route.
Route for China Telecom: Configure a default route on wan1 interface.
Route for China Unicom: Refer to the tool (attached) for importing routing tables to configure detailed routes. (Recommended)
You can also configure a default route for China Unicom and detailed routes for China Telecom.
Choose Router>Static>Static Route, and then click Create New, as shown in the following figure:
Create a default route for China Telecom, as shown in the following figure:
Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0.
Device: Choose wan1, the interface this route goes through. It must be set correctly. Otherwise, the route cannot work.
Gateway: The IP address of the next hop, that is, the IP address of the peer device corresponding to wan1 interface.
Distance: The default value is 10. The route with a shorter distance will be put into the routing table.
Priority: The default value is 0. The route with a smaller priority is used preferentially.
3) Configure the address pool.
Choose Firewall>Virtual IP>IP Pool, and then click Create New, as shown in the following figure:
Create two address pools, as shown in the following figure:
Name: Enter telecom100.0.0.1-10.
Type: Choose Overload. IP addresses are dynamically assigned from the address pool.
External IP Range/Subnet: Enter 100.0.0.1-100.0.0.10.
ARP Reply: Tick this item to enable ARP response, which is equivalent to sending gratuitous ARP packets.
Name: Enter unicom200.0.0.1-10.
Type: Choose Overload. IP addresses are dynamically assigned from the address pool.
External IP Range/Subnet: Enter 200.0.0.1-200.0.0.10.
ARP Reply: Tick this item to enable ARP response, which is equivalent to sending gratuitous ARP packets.
4) Configure the policy.
Configure two policies. One is for traffic from the internal interface to wan1 interface, and the other is for traffic from the internal interface to wan2 interface.
Choose Firewall>Policy>Policy, and then click Create New, as shown in the following figure:
Create a policy for traffic from the internal interface to wan1 interface, as shown in the following figure:
Source Interface/Zone: Choose internal.
Source address: Choose lan, which indicates the internal network address.
Destination Interface/Zone: Choose wan1.
Destination address: Choose all, which indicates all the addresses.
Service: Choose any.
Log Allowed Traffic: This item is ticked by default. It is recommended to untick it, because the large volume of normal traffic generates many logs, and recording normal traffic logs is of little use.
NAT: Tick Enable NAT. Select Dynamic IP Pool and choose the corresponding address pool telecom100.0.0.1-10.
Create a policy for traffic from the internal interface to wan2 interface, as shown in the following figure:
Source Interface/Zone: Choose internal.
Source address: Choose lan, which indicates the internal network address.
Destination Interface/Zone: Choose wan2.
Destination address: Choose all, which indicates all the addresses.
Service: Choose any.
Log Allowed Traffic: This item is ticked by default. It is recommended to untick it.
NAT: Tick Enable NAT. Select Dynamic IP Pool and choose the corresponding address pool unicom200.0.0.1-10.
Verification
Access the Internet for testing. Run the tracertcommand to check the path.
Networking Requirements
Enable the DHCP server function of the NGFW. The intranet PC can automatically obtain an IP address for Internet access. The intranet segment is 192.168.1.0/24 and the gateway address is 192.168.1.200.
Network Topology
Configuration Tips
1. Basic configuration for Internet access
2. Configure the DHCP server.
Configuration Steps
1. Basic configuration for Internet access
For the detailed configuration process, see section “Configuring Internet Access via a Static Link” under “Internet Access via a Single Line” in “Configuring Routing Mode”.
2. Configure the DHCP service.
a) Enable the DHCP service.
Choose System>DHCP Server>Service, and then click Create New, as shown in the following figure:
Interface Name: Choose the interface that the DHCP server is connected to.
Mode: Choose Server or Relay.
Enable: This item is ticked by default.
Type: Choose Regular or IPsec. If you choose IPsec, the system assigns IP addresses to IPsec users.
IP Range: The IP address range assigned to users.
Network Mask: The subnet mask. Set it to 255.255.255.0.
Default Gateway: Generally, the IP address of the interface that the DHCP server is connected to.
DNS Service: You can choose Specify or Use System DNS Setting.
b) Advanced options. You can set the lease time and excluded range, as shown in the following figure:
Lease Time: It is set to 1 day, which can be adjusted according to the actual situation. If you choose Unlimited, assigned IP addresses are never released. Therefore, Unlimited is not recommended.
Options: Used to configure DHCP server options.
Exclude Ranges: Enter the IP address segment to be reserved, such as 192.168.1.120-192.168.1.130.
Verification
Set the PC to automatically obtain an IP address.
Notes
1. Question: Among the DHCP configuration options, does the system DNS refer to the DNS settings of the firewall itself?
The DHCP configuration provides three DNS options:
RG-WALL # config system dhcp server
RG-WALL (server) # edit 1
RG-WALL (1) # set auto-configuration enable
RG-WALL (1) # set conflicted-ip-timeout 1800
RG-WALL (1) # set default-gateway 192.168.1.99
RG-WALL (1) # set dns-service default //Default parameter
default Use system DNS settings. //The DNS server configured on the firewall.
local Use this RGT as DNS server. //The IP address of the firewall interface.
specify Specify DNS servers. //Specify DNS servers manually.
2. When you run the set dns-service default command, the PC obtains the DNS server configured on the firewall itself.
Set the DNS server of the firewall itself:
RG-WALL # config system dns //DNS server configured on the firewall.
RG-WALL (dns) # set primary 8.8.8.8
RG-WALL (dns) # end
3. When you run the set dns-service local command, the PC obtains the IP address of the firewall interface on which DHCP is enabled.
Networking Requirements
Enable the DHCP server function of the NGFW. The intranet PC can automatically obtain an IP address for Internet access. The intranet segment is 192.168.1.0/24 and the gateway address is 192.168.1.200. Reserve IP address 192.168.1.100 for the host with MAC address 04:7d:7b:9b:71:ad.
Network Topology
Configuration Tips
1. Basic configuration for Internet access
2. Configure the DHCP server.
Configuration Steps
1) Basic configuration for Internet access
2) Configure the DHCP service.
See section “Configuring the DHCP Server”.
3) Configure the reserved IP address.
Before operation, it is recommended to upgrade the firewall version to the latest.
Way 1 (CLI):
RG-WALL # config system dhcp server
RG-WALL (server) # edit 1 //Basic configuration
RG-WALL (1) # set dns-service default
RG-WALL (1) # set default-gateway 192.168.1.200
RG-WALL (1) # set netmask 255.255.255.0
RG-WALL (1) # set interface internal
RG-WALL (1) # config ip-range
RG-WALL (ip-range) # edit 1
RG-WALL (1) # set start-ip 192.168.1.99
RG-WALL (1) # set end-ip 192.168.1.199
RG-WALL (1) # next
RG-WALL (ip-range) # end //Basic configuration of
RG-WALL (1) # config reserved-address //Configure the reserved IP address.
RG-WALL (reserved-address) # edit 1 //Entry 1, 2, or 3, used as an identifier. You can define multiple entries.
RG-WALL (1) # set ip 192.168.1.100 //Assign this IP address to the specified MAC address.
RG-WALL (1) # set mac 04:7d:7b:9b:71:ad //Specify the MAC address.
RG-WALL (1) # next
RG-WALL (reserved-address) # end
RG-WALL (1) # next
RG-WALL (server) # end
Way 2 (Web UI):
Verification
Set the PC to automatically obtain an IP address. The host with MAC address 04:7d:7b:9b:71:ad will obtain IP address 192.168.1.100.
1. Check the DHCP address pool assignment on the firewall, as shown in the following figure:
I. Networking Requirements
Enable DHCP relay on the RG-WALL 1600 Series Next-Generation Firewall (NGFW) to allow the intranet PC to obtain the address assigned to it by the DHCP server.
II. Network Topology
III. Configuration Tips
1. Basic configuration for Internet access
2. Enable DHCP relay and enter the address of the DHCP server.
IV. Configuration Steps
1. Basic configuration for Internet access
For the detailed configuration process, see section 1.1.2 "Configuring Internet Access via a Static Link" under section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".
2. Enable DHCP relay and enter the address of the DHCP server.
Choose System >DHCP Server > Service, and then click Create New.
Interface Name: Choose the interface where the DHCP server is connected to.
Mode: Choose Server or Relay.
Type: Choose Regular or IPsec. If you choose IPsec,the system assigns IP addresses for IPsec users.
DHCP Server IP: Enter the IP address of the DHCP server.
V. Verification
Set the PC to automatically obtain an IP address.
Networking Requirements
As shown in the following figure, you have completed the basic configuration of the firewall. Now, you need to map one web server address (IP address: 192.168.1.2) on the intranet to the extranet port address (IP address: 202.1.1.11) so that extranet users can access the web server.
Meanwhile, intranet users can access the web server by using the public network IP address.
Network Topology
Configuration Tips
1. Basic configuration for Internet access
2. Configure the virtual IP address (DNAT).
3. Configure the security policy.
Configuration Steps
1. Basic configuration for Internet access
For the detailed configuration process, see section “Configuring Internet Access via a Static Link” under “Internet Access via a Single Line” in “Configuring Routing Mode”.
IP addresses of the interfaces are displayed as shown in the following figure:
The route configuration is as shown in the following figure:
2. Configure the virtual IP address (DNAT).
Choose Firewall>Virtual IP>Virtual IP, and then click Create New, as shown in the following figure:
Configure the virtual IP address. Set the name to webserver. The virtual IP address is used for destination address translation on wan1 interface.
Values of External IP Address/Range are mapped to the values of Mapped IP Address/Range correspondingly. Enter both the start and end IP addresses of the external IP address range. You just need to enter the start mapped IP address and the system automatically enters the end IP address.
Take the IP address range from 202.1.1.3 to 202.1.1.10 as an example. The start IP address for internal mapping is 192.168.1.2 and the end IP address must be 192.168.1.9 (which is filled in by the system automatically). The IP addresses within the two ranges are mapped correspondingly.
For example, the IP address 202.1.1.3 is mapped to 192.168.1.2, while the IP address 202.1.1.4 is mapped to 192.168.1.3.
3. Configure the security policy.
Choose Firewall>Policy>Policy, and then click Create New, as shown in the following figure:
Source Interface/Zone: Choose wan1. //If intranet users also need to access the server by using the virtual IP address, choose any.
Source address: Choose all.
Destination Interface/Zone: Choose internal.
Destination address: Choose webserver. //The defined object mapped by the virtual IP address.
Service: Choose HTTP. //Only HTTP access is allowed from the Internet.
If intranet users need to access the server by using the virtual IP address, choose one of the following two methods:
1. Set Source Interface/Zone of the original policy to any.
2. Add one internal-to-internal policy with the Source Interface/Zone value of internal:
Source Interface/Zone: Choose internal.
Source address: Choose all.
Destination Interface/Zone: Choose internal.
Destination address: Choose webserver. //The defined object mapped by the virtual IP address.
Service: Choose HTTP. //Only HTTP access is allowed.
4. Allow intranet users to access the VIP public network IP address.
Intranet users are allowed to access the internal web server by using the public network IP address it is mapped to. You just need to add one policy that allows intranet users to access the extranet. Add the policy, as shown in the following figure:
Verification
Access http://202.1.1.11 from the extranet. To test whether the mapping itself is valid, temporarily add the PING service to the policy and ping the public address; remove it again after the test.
Networking Requirements
As shown in the following figure, the basic configuration of the firewall has been completed.
Map port 80 of one intranet web server (IP address 192.168.1.2) to extranet port 8080 on the public address 202.1.1.11. (The intranet port differs from the port published on the extranet.)
Map port 25 of one intranet SMTP server (IP address 192.168.1.3) to extranet port 25 on the same public address 202.1.1.11.
Meaning of this case: master the processing order of the new NGFW for this critical function: DNAT > Route > Security Policy > Source NAT. Because DNAT runs first, the security policy matches the translated (internal) address and port, not the published external port.
Network Topology
Configuration Tips
1. Basic configuration for Internet access
2. Configure the virtual IP address (DNAT).
3. Configure the security policy.
Configuration Steps
1. Basic configuration for Internet access
For the detailed configuration process, see "Configuring Internet Access via a Static Link" under "Internet Access via a Single Line" in "Configuring Routing Mode".
The IP addresses of the interfaces are displayed as shown in the following figure:
The route configuration is as shown in the following figure:
2. Configure the virtual IP address (DNAT).
Choose Firewall > Virtual IP > Virtual IP, and then click Create New to create a new virtual IP address, as shown in the following figure:
Create virtual IP 1. Set Name to webserver:80 to map the HTTP server: external address 202.1.1.11, external port 8080, mapped address 192.168.1.2, mapped port 80, as shown in the following figure:
Create virtual IP 2. Set Name to smtpserver:25 to map the SMTP server: external address 202.1.1.11, external port 25, mapped address 192.168.1.3, mapped port 25, as shown in the following figure:
Values of External IP Address/Range are mapped to the values of Mapped IP Address/Range one to one. Enter both the start and end IP addresses of the external range; for the mapped range you only enter the start IP address, and the system fills in the end IP address automatically.
Take the external range 202.1.1.3 to 202.1.1.10 as an example. If the start mapped IP address is 192.168.1.2, the end mapped IP address must be 192.168.1.9 (filled in by the system). The addresses in the two ranges are mapped in order.
For example, 202.1.1.3 is mapped to 192.168.1.2, 202.1.1.4 to 192.168.1.3, and so on.
3. Configure the security policy.
Choose Firewall > Policy > Policy, and then click Create New, as shown in the following figure:
On the New Policy page, add one policy as shown in the following figure:
Click Multiple next to Destination Address to choose the two virtual IP addresses defined above, as shown in the following figure:
Click Multiple next to Service to add the HTTP and SMTP services, as shown in the following figure:
Source Interface/Zone: Choose wan1. //If intranet users also need to reach the servers through the virtual IP (public) address, choose any.
Source address: Choose all.
Destination Interface/Zone: Choose internal.
Destination address: Choose webserver:80 and smtpserver:25.
Service: Choose HTTP and SMTP.
If intranet users also need to reach the servers through the virtual IP (public) address, use one of the following two methods:
1. Set Source Interface/Zone of the policy above to any.
2. Add one internal-to-internal policy with Source Interface/Zone set to internal:
Source Interface/Zone: Choose internal.
Source address: Choose all.
Destination Interface/Zone: Choose internal.
Destination address: Choose webserver:80 and smtpserver:25.
Service: Choose HTTP and SMTP.
Key note: on the new NGFW, traffic is first matched against the DNAT (virtual IP) and only then against the firewall policy. In this case the extranet port 8080 of the web server has already been translated to port 80 when the policy is evaluated, so the policy must permit the HTTP service (port 80); a policy written for port 8080 would never match.
The policy configuration is as follows:
Verification
Access http://202.1.1.11:8080 from the extranet. To test whether the mapping itself is valid, temporarily add the PING service to the policy; remove it again after the test.
Send a test email through 202.1.1.11 port 25.
Networking Requirements
Map one intranet web server to the public network IP addresses of the China Telecom and China Unicom egress ports respectively, so that it can be reached from the Internet over either line.
Web server address: 192.168.1.2/24; gateway address: 192.168.1.200
China Telecom egress port address: 202.1.1.2/29; gateway address: 202.1.1.1; public network IP address of the server: 202.1.1.3
China Unicom egress port address: 100.1.1.2/29; gateway address: 100.1.1.1; public network IP address of the server: 100.1.1.3
The PCs in the intranet segment 192.168.1.0/24 need to access the Internet.
Meaning of this case: the new NGFW supports the Source In Source Out function for data traffic. The firewall tracks sessions: access that arrives on the Telecom port is answered through the Telecom port, and access that arrives on the Unicom port is answered through the Unicom port. The precondition is that the routing table of the firewall contains routes over which the returning traffic can be forwarded, so it is enough to configure a default route to the Telecom port and a default route to the Unicom port.
Network Topology
Configuration Tips
1. Configure the IP addresses of interfaces.
2. Configure a route.
3. Configure the virtual IP address (DNAT).
4. Configure address resources.
5. Configure the policy.
Configuration Steps
1. Configure the IP addresses of interfaces.
For the detailed configuration process, see "Configuring Internet Access via a Static Link" under "Internet Access via a Single Line" in "Configuring Routing Mode".
The following figure shows the IP addresses of the interfaces:
2. Configure a route.
The firewall tracks sessions: access that arrives on the Telecom port is answered through the Telecom port, and access that arrives on the Unicom port is answered through the Unicom port. The precondition is that the routing table of the firewall contains routes over which the returning traffic can be forwarded, so it is enough to configure a default route to the Telecom port and a default route to the Unicom port.
The default route to the Telecom port:
The default route to the Unicom port:
Check the current routes, as shown in the following figure:
3. Configure the virtual IP address.
Set Name to web1, which maps the Telecom public address 202.1.1.3 to the web server, as shown in the following figure:
Set Name to web2, which maps the Unicom public address 100.1.1.3 to the web server, as shown in the following figure:
Values of External IP Address/Range are mapped to the values of Mapped IP Address/Range one to one. Enter both the start and end IP addresses of the external range; for the mapped range you only enter the start IP address, and the system fills in the end IP address automatically.
Take the external range 202.1.1.3 to 202.1.1.10 as an example. If the start mapped IP address is 192.168.1.2, the end mapped IP address must be 192.168.1.9 (filled in by the system). The addresses in the two ranges are mapped in order.
For example, 202.1.1.3 is mapped to 192.168.1.2, 202.1.1.4 to 192.168.1.3, and so on.
4. Configure address resources.
Choose Firewall > Address > Address, and then click Create New, as shown in the following figure:
Set Name to lan. Choose Subnet from Type. Set Subnet/IP Range to 192.168.1.0/24. Click OK. See the following figure:
5. Configure the policy.
You need to configure the following four policies:
a) The virtual IP policy from the wan1 interface to the internal interface (destination web1, service HTTP), as shown in the following figure:
b) The virtual IP policy from the wan2 interface to the internal interface (destination web2, service HTTP), as shown in the following figure:
c) The policy from the internal interface to the wan1 interface that allows the PCs in lan to access the Internet through wan1, as shown in the following figure:
d) The policy from the internal interface to the wan2 interface that allows the PCs in lan to access the Internet through wan2, as shown in the following figure:
Verification
Access port 80 at 202.1.1.3 and at 100.1.1.3 from the Internet, so that the server is reached through each line in turn.
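The two cases above (the port-mapping case, where the policy must match port 80 although 8080 is published, and the multi-line case, where the reply must leave through the line the request came in on) can be checked against a small model of the forwarding order. The following Python is an added example, not part of the cookbook or of the RG-WALL software: it uses the cookbook's addresses, interface names and policies, while the packet, session and policy data structures are assumptions made for illustration.

```python
"""Toy model of the NGFW forwarding order from the port-mapping case,
DNAT (virtual IP) > route > security policy > source NAT, plus the session
tracking that sends a reply out through the interface the request arrived
on (the multi-line case). Addresses, interfaces and policies follow the
cookbook; the data model is an assumption for illustration."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


# Virtual IPs: (external address, external port) -> (mapped address, mapped port)
VIPS = {
    ("202.1.1.11", 8080): ("192.168.1.2", 80),   # webserver:80, port changes
    ("202.1.1.11", 25): ("192.168.1.3", 25),     # smtpserver:25
    ("202.1.1.3", 80): ("192.168.1.2", 80),      # web1, Telecom line
    ("100.1.1.3", 80): ("192.168.1.2", 80),      # web2, Unicom line
}

# Routing table: connected intranet plus one default route per carrier.
# Longest prefix wins; among equal prefixes the first entry is used here.
ROUTES = [
    ("192.168.1.0/24", "internal"),
    ("0.0.0.0/0", "wan1"),   # Telecom
    ("0.0.0.0/0", "wan2"),   # Unicom
]

# "TCP-8080" is a deliberately wrong service, used below to show the order.
SERVICES = {"HTTP": 80, "SMTP": 25, "TCP-8080": 8080}

# Policies: (source interface, destination interface, destination, service).
# "any" matches every source interface. Destination address and service are
# compared with the packet *after* DNAT.
POLICIES = [
    ("wan1", "internal", "192.168.1.2", "HTTP"),
    ("wan1", "internal", "192.168.1.3", "SMTP"),
    ("wan2", "internal", "192.168.1.2", "HTTP"),
]

# Session table: translated 5-tuple -> interface the first packet came in on
SESSIONS = {}


def route_lookup(dst):
    """Longest-prefix match over ROUTES; returns the egress interface."""
    ip = ipaddress.ip_address(dst)
    candidates = [(ipaddress.ip_network(p).prefixlen, i, dev)
                  for i, (p, dev) in enumerate(ROUTES)
                  if ip in ipaddress.ip_network(p)]
    return max(candidates, key=lambda c: (c[0], -c[1]))[2]


def dnat(pkt):
    """Step 1: rewrite the destination if it hits a virtual IP."""
    target = VIPS.get((pkt.dst, pkt.dport))
    return replace(pkt, dst=target[0], dport=target[1]) if target else pkt


def policy_allows(ingress, egress, pkt, policies=POLICIES):
    """Step 3: the policy sees the translated destination and port."""
    return any(
        sintf in ("any", ingress) and dintf == egress
        and daddr == pkt.dst and SERVICES[svc] == pkt.dport
        for sintf, dintf, daddr, svc in policies
    )


def forward(pkt, ingress, policies=POLICIES):
    """Run an inbound packet through the four steps.
    Returns (egress interface, translated packet), or None if denied."""
    translated = dnat(pkt)                                         # 1. DNAT
    egress = route_lookup(translated.dst)                          # 2. route
    if not policy_allows(ingress, egress, translated, policies):   # 3. policy
        return None
    # 4. source NAT: not applied to inbound VIP traffic, the source stays
    key = (translated.src, translated.sport, translated.dst,
           translated.dport, translated.proto)
    SESSIONS[key] = ingress
    return egress, translated


def reply_egress(reply):
    """Egress for the server's reply: the session's ingress interface wins
    over the routing table, so a request that came in on Unicom goes back
    out on Unicom although wan1 is the first default route."""
    key = (reply.dst, reply.dport, reply.src, reply.sport, reply.proto)
    return SESSIONS.get(key, route_lookup(reply.dst))


if __name__ == "__main__":
    print(forward(Packet("8.8.8.8", 40000, "202.1.1.11", 8080), "wan1"))
    forward(Packet("1.2.3.4", 5555, "100.1.1.3", 80), "wan2")
    print(reply_egress(Packet("192.168.1.2", 80, "1.2.3.4", 5555)))
```

Calling forward() with a policy written for the published port 8080 returns None, because DNAT has already rewritten the port to 80 when the policy is evaluated; reply_egress() returns wan2 for a session that entered on wan2 even though route_lookup() alone would pick wan1, which is what the Source In Source Out function does.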
Static Routing
A static route is a routing entry added manually on the firewall by the administrator according to the network structure. For the firewall, static routing is the most basic and also the most common way of configuring routes.
Network Topology
The IP address of the wan1 interface of the firewall is 202.1.1.10, and the IP address of the G1/0 interface of the peer ISP router is 202.1.1.9.
Configuration Method
Choose Router > Static > Static Route, and then click Create New, as shown in the following figure:
Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0 (default route).
Device: Choose wan1, the outgoing interface of this route. It must be set correctly; otherwise the route cannot work.
Gateway: The IP address of the next hop, that is, the address of the peer device connected to the wan1 interface.
Distance: The default value is 10. For entries to the same destination, the entry with the shorter distance is put into the routing table. If the distance is the same, both of them are put into the routing table.
Priority: The default value is 0. Of two routes with the same distance, the firewall prefers the route with the lower priority value.
Configuration Command
1. Configure the default route
RG-WALL # config router static
RG-WALL (static) # edit 1
RG-WALL (1) # set gateway 202.1.1.9    //No dst is set, so the destination keeps its default value 0.0.0.0/0.0.0.0 (default route).
RG-WALL (1) # set device wan1
RG-WALL (1) # next
RG-WALL (static) # end
2. Configure the static routing.
RG-WALL # config router static
RG-WALL (static) # edit 2
RG-WALL (2) # set dst 1.24.0.0 255.248.0.0
RG-WALL (2) # set gateway 202.1.1.5
RG-WALL (2) # set device wan2
RG-WALL (2) # next
RG-WALL (static) # end
Verification
Check the routing table on the graphical page by choosing Router > Monitor > Routing Monitor, or run the get router info routing-table static command to check whether the route has taken effect.
Run ping 202.1.1.9 to check the link to the next hop.
Policy-Based Routing
Both static and dynamic routing are destination-based: the route is selected according to the destination address only.
Policy-based routing selects a route according to the source address, protocol type, destination port, or destination address.
Policy-based routing has a higher priority than static routing: a packet that matches a policy route is forwarded by the policy route, and the routing table is consulted only for packets that match no policy route.
Application example
Scenario: In the scenario of "Configuring Internet Access via Dual Lines of Different Carriers" under "Internet Access via Multiple Links" in "Configuring Routing Mode", force the PCs in 192.168.1.0/29 to access the Internet through the wan2 interface.
Choose Router > Static > Policy Route, and then click Create New, as shown in the following figure:
As defined by this policy route, all packets entering on the internal interface with source address 192.168.1.0 255.255.255.248 and destination address 0.0.0.0 0.0.0.0 are forcibly forwarded out of the wan2 interface to the next-hop gateway 100.1.1.1.
On the New Routing Policy page, theoptions are as follows:
Protocol: The IP protocol number. The value 0 matches any protocol; specify 6 for TCP, 17 for UDP, or 132 for SCTP.
Incoming interface: The interface through which the traffic enters.
Source address/mask: The source address of the packet.
Destination address/mask: The destination address of the packet.
Destination Ports: By default all ports, from 1 to 65535.
Force traffic to:
Outgoing interface: The interface through which the matching traffic is forwarded.
Gateway Address: The next-hop gateway on that interface.
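The static route selection rules above (longest prefix, then distance, then priority) and the precedence of policy routes over the routing table can be expressed as one lookup. The following Python is an added example, not RG-WALL code: it reuses the cookbook's static routes and the 192.168.1.0/29 policy route, while the data model and the backup default route with distance 20 via 100.1.1.254 are assumptions, the latter added to show that a higher-distance entry is not installed while a lower-distance one exists.

```python
"""Route selection as described for the RG-WALL: a policy route (matched on
incoming interface, protocol, source, destination and destination port) is
consulted first; otherwise the static table is searched for the longest
matching prefix, only the lowest-distance entries per prefix being installed,
ties broken by the lowest priority, and equal entries returned together.
Routes follow the cookbook; the model and the distance-20 entry are assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    dst: str                # destination/mask, "0.0.0.0/0" = default route
    device: str             # outgoing interface
    gateway: str            # next hop
    distance: int = 10      # RG-WALL default
    priority: int = 0       # RG-WALL default; lower wins at equal distance


@dataclass(frozen=True)
class PolicyRoute:
    incoming: str
    src: str
    dst: str = "0.0.0.0/0"
    protocol: int = 0             # 0 = any, 6 = TCP, 17 = UDP, 132 = SCTP
    dports: tuple = (1, 65535)
    outgoing: str = ""
    gateway: str = ""


STATIC = [
    StaticRoute("0.0.0.0/0", "wan1", "202.1.1.9"),                # default route
    StaticRoute("0.0.0.0/0", "wan2", "100.1.1.1", priority=5),    # same distance, less preferred
    StaticRoute("0.0.0.0/0", "wan2", "100.1.1.254", distance=20), # assumed backup, not installed
    StaticRoute("1.24.0.0/13", "wan2", "202.1.1.5"),              # 1.24.0.0 255.248.0.0
]

POLICY = [
    # force 192.168.1.0/29 entering on internal out of wan2 via 100.1.1.1
    PolicyRoute("internal", "192.168.1.0/29", outgoing="wan2", gateway="100.1.1.1"),
]


def installed_routes(routes=STATIC):
    """The routing table: per prefix, only the entries with the lowest distance."""
    by_prefix = {}
    for r in routes:
        by_prefix.setdefault(r.dst, []).append(r)
    table = []
    for entries in by_prefix.values():
        best = min(e.distance for e in entries)
        table.extend(e for e in entries if e.distance == best)
    return table


def static_lookup(dst_ip, routes=STATIC):
    """Longest prefix, then lowest priority; all equal winners are returned."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [r for r in installed_routes(routes)
               if ip in ipaddress.ip_network(r.dst)]
    if not matches:
        return []
    longest = max(ipaddress.ip_network(r.dst).prefixlen for r in matches)
    matches = [r for r in matches
               if ipaddress.ip_network(r.dst).prefixlen == longest]
    best = min(r.priority for r in matches)
    return [r for r in matches if r.priority == best]


def select_route(incoming, src_ip, dst_ip, protocol=6, dport=80,
                 policy=POLICY, routes=STATIC):
    """Policy routes are evaluated before the static table.
    Returns a list of (outgoing interface, gateway, source of the decision)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for p in policy:
        if (p.incoming == incoming
                and src in ipaddress.ip_network(p.src)
                and dst in ipaddress.ip_network(p.dst)
                and p.protocol in (0, protocol)
                and p.dports[0] <= dport <= p.dports[1]):
            return [(p.outgoing, p.gateway, "policy")]
    return [(r.device, r.gateway, "static") for r in static_lookup(dst_ip, routes)]


if __name__ == "__main__":
    print(select_route("internal", "192.168.1.5", "8.8.8.8"))    # policy route
    print(select_route("internal", "192.168.1.50", "8.8.8.8"))   # static default
    print(select_route("internal", "192.168.1.50", "1.25.3.4"))  # 1.24.0.0/13
```

A host in 192.168.1.0/29 is sent to wan2 by the policy route regardless of the routing table; any other internal host follows the static table, where the two default routes share distance 10 and wan1 wins on priority, and 1.25.3.4 matches the more specific 1.24.0.0/13 entry.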
Application Scenario
If there are many routing devices in the network but no more than 16, it is recommended to configure RIP on the NGFW so that the NGFW learns the routes to other networks dynamically and the routes age and update automatically. (RIP treats a destination more than 15 hops away as unreachable.)
When the number of routing devices exceeds 16, it is recommended to configure OSPF, because OSPF learns and updates routes faster and is better suited to a network with more than 16 routing devices.
If there are few routing devices, it is recommended to configure static routes: they are easy to maintain and do not place high demands on the routers. All routers support static routes, whereas some low-end routers do not support RIP.
Networking Requirements
As shown in the figure, the L3 switch in the intranet and the egress NGFW advertise routes to each other through RIP so that intranet users can access the Internet.
On the NGFW, configure the default route manually and redistribute it into RIP. The L3 switch and the NGFW then learn each other's routes through RIP, and intranet users can access the Internet.
Network Topology
Configuration Tips
1. Configure interface address.
2. Configure the firewall.
3. Configure the router.
Configuration Steps
1. Configure interface address.
For the detailed configuration process, see "Configuring Internet Access via a Static Link" under "Internet Access via a Single Line" in "Configuring Routing Mode". The configuration is displayed as shown in the following figure:
2. Configure a default route.
For the detailed configuration process, see "Configuring Internet Access via a Static Link" under "Internet Access via a Single Line" in "Configuring Routing Mode". The configuration is displayed as shown in the following figure:
3. Configure RIP.
Choose Router > Dynamic > RIP.
a) Configure basic information, as shown in the following figure:
RIP Version: Choose 2.
Enable Default-information-originate: Tick this item to advertise the default route to the neighbor (the L3 switch).
Redistribute: Determines whether routes of other protocols (for example connected or static routes) are redistributed into RIP.
b) Add the RIP network.
Click Create New. Set IP/Netmask to 192.168.1.0/255.255.255.0, and then click Add, as shown in the following figure:
After the network segment is added, the configuration is displayed as shown in the following figure:
4. Configure the L3 switch.
Configure the interface addresses as follows:
interface FastEthernet 0/1
 ip address 192.168.1.111 255.255.255.0
interface FastEthernet 0/2
 ip address 192.168.200.100 255.255.255.0
Configure RIP as follows. The network statements must cover both interface subnets; if the second one does not match 192.168.200.0, that segment is never advertised to the NGFW:
router rip
 version 2
 network 192.168.1.0
 network 192.168.200.0
 no auto-summary
Verification
Check the current routes.
Choose Router > Monitor > Routing Monitor, as shown in the following figure:
Run the following command to display the current routes:
RG-WALL # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
S*      0.0.0.0/0 [10/0] via 192.168.2.1, wan1, [0/50]
C       192.168.1.0/24 is directly connected, internal
C       192.168.2.0/24 is directly connected, wan1
R       192.168.200.0/24 [120/2] via 192.168.1.99, internal, 00:00:01
The R entry confirms that the 192.168.200.0/24 segment behind the L3 switch has been learned through RIP (administrative distance 120, metric 2).
Application Scenario
When the number of routing devices exceeds 16, it is recommended to configure OSPF, because OSPF learns and updates routes faster and is better suited to a network with more than 16 routing devices.
If there are many routing devices in the network but no more than 16, it is recommended to configure RIP on the NGFW so that the NGFW learns the routes to other networks dynamically and the routes age and update automatically.
If there are few routing devices, it is recommended to configure static routes: they are easy to maintain and do not place high demands on the routers. All routers support static routes, whereas some low-end routers do not support RIP.
Networking Requirements
As shown in the figure, the L3 switch in the intranet and the egress NGFW advertise routes to each other through OSPF so that intranet users can access the Internet.
On the NGFW, configure the default route manually and redistribute it into OSPF. The L3 switch and the NGFW then learn each other's routes through OSPF, and intranet users can access the Internet.
Network Topology
Configuration Tips
1. Configure the IP addresses of interfaces.
2. Configure a default route.
3. Configure OSPF.
- Configure the router ID.
- Distribute the default route.
- Redistribute the connected routes.
- Create OSPF areas.
- Add the OSPF network.
- Add the interface.
4. Configure the peer router.
Configuration Steps
1. Configure the IP addresses of interfaces.
For the detailed configuration process, see "Configuring Internet Access via a Static Link" under "Internet Access via a Single Line" in "Configuring Routing Mode". The configuration is displayed as shown in the following figure:
2. Configure a default route.
For the detailed configuration process, see "Configuring Internet Access via a Static Link" under "Internet Access via a Single Line" in "Configuring Routing Mode". The configuration is displayed as shown in the following figure:
3. Configure OSPF.
Choose Router > Dynamic > OSPF, as shown in the following figure:
a) Configure basic information, as shown in the following figure:
Set Router ID to 1.1.1.1.
Default Information: Choose Regular. The three options are as follows:
None: The default route is not advertised.
Regular: If a default route is configured on the firewall, it is advertised; if not, nothing is advertised.
Always: A default route is advertised whether or not one is configured on the firewall.
Redistribute: Choose Connected and set its metric, so that the directly connected 192.168.1.0/24 segment is advertised to the OSPF neighbor.
After the above settings are completed, click Apply to validate the configuration.
b) Create OSPF areas.
Click Create New,as shown in the following figure:
Create root area 0.0.0.0 (area 0), as shown in the following figure:
The configuration is as follows:
c) Add the OSPF network.
Click Create New, as shown in thefollowing figure:
Add the segment 1.1.1.0/24 (the wan2 link to the switch) to OSPF area 0.0.0.0, as shown in the following figure:
d) Add interfaces. (Optional)
Click Create New, as shown in thefollowing figure:
You can edit the OSPF parameters of an interface from this menu.
Name: Used for identification.
Interface: The interface to be edited.
IP: The IP address of the interface.
Authentication: Determines whether OSPF packets on the interface are authenticated. The system supports MD5 (keyed digest), txt (plain text) and none. Use MD5: plain-text authentication sends the key in clear on the wire, and without authentication any host on the segment can inject routes. The key ID and key must match on both neighbors.
MD5 keys: Enter the key ID and key.
Timers:
Hello Interval: By default hello packets are sent every 10 seconds; the value can be changed as required. OSPF neighbors only form an adjacency if their Hello Interval values are the same.
Dead Interval: The default value is 40 seconds and can be changed as required. OSPF neighbors only form an adjacency if their Dead Interval values are the same.
4. Configure the switch.
Configure the interface addresses as follows:
interface FastEthernet 0/0
 ip address 1.1.1.2 255.255.255.0
interface FastEthernet 0/1
 ip address 192.168.2.1 255.255.255.0
Configure OSPF as follows:
router ospf 10
 network 1.1.1.0 0.0.0.255 area 0
 network 192.168.2.0 0.0.0.255 area 0    //Alternatively, this segment can be redistributed as a connected route.
Verification
RG-WALL # get router info routing-table all
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
S*      0.0.0.0/0 [10/0] via 192.168.118.1, wan1, [0/50]
C       1.1.1.0/24 is directly connected, wan2
C       192.168.1.0/24 is directly connected, internal
O       192.168.2.0/24 [110/11] via 1.1.1.2, wan2, 00:01:49
C       192.168.118.0/24 is directly connected, wan1
Check the routes of the switch:
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default
O*E2    0.0.0.0/0 [110/10] via 1.1.1.1, wan1, 00:09:34
C       1.1.1.0/24 is directly connected, wan1
O E2    192.168.1.0/24 [110/10] via 1.1.1.1, wan1, 00:09:34
C       192.168.2.0/24 is directly connected, internal
O E2    192.168.118.0/24 [110/10] via 1.1.1.1, wan1, 00:09:34
The default route and the NGFW's connected segments appear on the peer as OSPF external type 2 (E2) routes, which is what redistribution produces; the NGFW in turn learned 192.168.2.0/24 as an intra-area (O) route.
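Checking the routing table by eye works for a handful of routes; when the verification after enabling RIP or OSPF is scripted, the output of get router info routing-table all can be parsed instead. The following Python is an added example, not RG-WALL code: the two listings are copied from the RIP and OSPF verification steps above, and the parser and the checks are the editor's.

```python
"""Parser for the RG-WALL 'get router info routing-table all' output with the
checks run after enabling a dynamic protocol: is a default route installed,
which prefixes did RIP or OSPF learn, and does a prefix point where it should.
The sample listings are the cookbook's; the parser is an added example."""
import re
from dataclasses import dataclass
from typing import List, Optional

# NGFW routing table after the RIP configuration (cookbook verification).
NGFW_RIP = """\
Codes: K - kernel, C - connected, S - static, R - RIP, B - BGP
       O - OSPF, IA - OSPF inter area
       * - candidate default

S*      0.0.0.0/0 [10/0] via 192.168.2.1, wan1, [0/50]
C       192.168.1.0/24 is directly connected, internal
C       192.168.2.0/24 is directly connected, wan1
R       192.168.200.0/24 [120/2] via 192.168.1.99, internal, 00:00:01
"""

# Peer routing table after the OSPF configuration (cookbook verification).
PEER_OSPF = """\
O*E2    0.0.0.0/0 [110/10] via 1.1.1.1, wan1, 00:09:34
C       1.1.1.0/24 is directly connected, wan1
O E2    192.168.1.0/24 [110/10] via 1.1.1.1, wan1, 00:09:34
C       192.168.2.0/24 is directly connected, internal
O E2    192.168.118.0/24 [110/10] via 1.1.1.1, wan1, 00:09:34
"""

# Code column: protocol letter, optional '*' (candidate default), optional
# subtype such as E2 or IA, with or without a space ("O E2", "O*E2", "S*").
ENTRY = re.compile(r"^(?P<code>[A-Z]\*?(?: ?[A-Z][A-Z0-9])?)\s+"
                   r"(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+(?P<rest>.*)$")
CONNECTED = re.compile(r"is directly connected, (?P<intf>\S+)")
LEARNED = re.compile(r"\[(?P<distance>\d+)/(?P<metric>\d+)\] via "
                     r"(?P<via>\S+), (?P<intf>[^,\s]+)")


@dataclass
class Route:
    proto: str                 # protocol letter: S, C, R, O, ...
    subtype: str               # E2, IA, N1, ... or ""
    candidate_default: bool    # the '*' flag
    prefix: str
    distance: Optional[int]    # administrative distance, None if connected
    metric: Optional[int]
    via: Optional[str]         # next hop, None if connected
    intf: str


def parse_routing_table(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:                      # legend, blank lines, prompt
            continue
        code = m.group("code")
        flat = code.replace("*", "").replace(" ", "")
        proto, sub, default = flat[0], flat[1:], "*" in code
        prefix, rest = m.group("prefix"), m.group("rest")
        c = CONNECTED.search(rest)
        if c:
            routes.append(Route(proto, sub, default, prefix,
                                None, None, None, c.group("intf")))
            continue
        l = LEARNED.search(rest)
        if l:
            routes.append(Route(proto, sub, default, prefix,
                                int(l.group("distance")), int(l.group("metric")),
                                l.group("via"), l.group("intf")))
    return routes


def default_route(routes):
    """The installed default route, or None if the box cannot reach the Internet."""
    return next((r for r in routes if r.prefix == "0.0.0.0/0"), None)


def learned_by(routes, proto):
    """Prefixes learned from one protocol letter (R = RIP, O = OSPF)."""
    return sorted(r.prefix for r in routes if r.proto == proto)


def has_route(routes, prefix, proto=None, via=None, intf=None):
    """True when a route for prefix exists with the given protocol, next hop
    and interface (each constraint is optional)."""
    return any(r.prefix == prefix
               and (proto is None or r.proto == proto)
               and (via is None or r.via == via)
               and (intf is None or r.intf == intf)
               for r in routes)


if __name__ == "__main__":
    rip = parse_routing_table(NGFW_RIP)
    print(default_route(rip), learned_by(rip, "R"))
    print(learned_by(parse_routing_table(PEER_OSPF), "O"))
```

With the RIP listing, learned_by() returns only 192.168.200.0/24 and has_route() confirms it is reached via 192.168.1.99 on internal; with the peer's OSPF listing, the default route is the O*E2 entry, so the NGFW's redistributed default has arrived.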
I. Networking Requirements
A company uses a voice system based on the Session Initiation Protocol (SIP). The employees use SIP phones inside the company, and the SIP server is located outside the firewall.
Because SIP carries addresses and media ports inside its messages, the firewall should enable SIP ALG; otherwise the firewall policy causes call setup failures, one-way audio (media ports opened in one direction only), or similar problems.
II. Network Topology
III. Configuration Tips
1. Basic configuration for Internet access
2. Configure a VoIP policy.
3. Move policies. (Optional)
4. Configure SIP ports. (Optional)
IV. Configuration Steps
1. Basic configuration for Internet access
See section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".
2. Configure a VoIP policy.
1) Define the address object.
Choose Firewall > Address > Address.
2) Define a VoIP policy.
Choose Firewall > Policy > Policy.
Enable the UTM function, tick Enable VoIP, and choose the default VoIP profile.
3. Move policies. (Optional)
Policies are matched from the top down, so move the VoIP policy above any more general policy that would otherwise match the SIP traffic first.
4. Configure SIP ports. (Optional)
In most SIP deployments, TCP or UDP port 5060 is used for SIP signaling and port 5061 for SIP over SSL/TLS. If the SIP network uses other ports, run the following commands so that the SIP ALG inspects those TCP, UDP or SSL ports instead; the example uses TCP port 5064, UDP port 5065 and SSL port 5066.
RG-WALL # config system settings
RG-WALL (settings) # set sip-tcp-port 5064
RG-WALL (settings) # set sip-udp-port 5065
RG-WALL (settings) # set sip-ssl-port 5066
RG-WALL (settings) # end
The SIP ALG can also listen on two TCP ports and two UDP ports at the same time. For example, if SIP over TCP arrives on ports 5060 and 5064 and SIP over UDP on ports 5061 and 5065, run the following commands so that all of these ports are inspected:
RG-WALL # config system settings
RG-WALL (settings) # set sip-tcp-port 5060 5064
RG-WALL (settings) # set sip-udp-port 5061 5065
RG-WALL (settings) # end
V. Verification
Make a test call with a SIP phone and confirm that the call sets up and that audio flows in both directions.
VI. Notes
Q: Why enable the VoIP UTM function?
A: The system's session helper implements part of the VoIP ALG functionality, but it is simple and suited to simple scenarios only. As VoIP deployments have become more complex, VoIP profiles are used instead.
The VoIP ALG in the UTM function provides a fully developed ALG and security protection for VoIP.
I. Networking Requirements
A company uses a SIP-based voice system. The employees use SIP phones inside the company. The SIP server sits in the server area behind the firewall at the intranet address 192.168.1.2 and is published to the outside through the public address 100.1.1.2, so a virtual IP mapping 100.1.1.2 to 192.168.1.2 is required.
Because SIP carries addresses and media ports inside its messages, the firewall should enable SIP ALG; otherwise the firewall policy causes call setup failures, one-way audio (media ports opened in one direction only), or similar problems.
II. Network Topology
III. Configuration Tips
1. Basic configuration for Internet access
2. Configure a VoIP policy.
3. Move policies. (Optional)
4. Configure SIP ports. (Optional)
IV. Configuration Steps
1. Basic configuration for Internet access
See section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".
2. Configure a VoIP policy.
1) Define a virtual IP address.
Choose Firewall > Virtual IP > Virtual IP, and map the public address 100.1.1.2 to 192.168.1.2.
2) Define a VoIP policy.
Choose Firewall > Policy > Policy, with the virtual IP as the destination address.
Enable the UTM function, tick Enable VoIP, and choose the default VoIP profile.
3. Move policies. (Optional)
Policies are matched from the top down, so move the VoIP policy above any more general policy that would otherwise match the SIP traffic first.
4. Configure SIP ports. (Optional)
In most SIP deployments, TCP or UDP port 5060 is used for SIP signaling and port 5061 for SIP over SSL/TLS. If the SIP network uses other ports, run the following commands so that the SIP ALG inspects those TCP, UDP or SSL ports instead; the example uses TCP port 5064, UDP port 5065 and SSL port 5066.
RG-WALL # config system settings
RG-WALL (settings) # set sip-tcp-port 5064
RG-WALL (settings) # set sip-udp-port 5065
RG-WALL (settings) # set sip-ssl-port 5066
RG-WALL (settings) # end
The SIP ALG can also listen on two TCP ports and two UDP ports at the same time. For example, if SIP over TCP arrives on ports 5060 and 5064 and SIP over UDP on ports 5061 and 5065, run the following commands so that all of these ports are inspected:
RG-WALL # config system settings
RG-WALL (settings) # set sip-tcp-port 5060 5064
RG-WALL (settings) # set sip-udp-port 5061 5065
RG-WALL (settings) # end
V. Verification
Make a test call with a SIP phone from the Internet to the published server and confirm that the call sets up and that audio flows in both directions.
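Both SIP cases above require SIP ALG without showing what the ALG actually does. The following Python is an added example, not RG-WALL code, that makes the problem concrete: it parses a constructed INVITE from a phone behind the firewall, lists the media pinholes an ALG has to open, and rewrites the message the way an ALG does. The SIP server address 100.1.1.2 is the cookbook's; the phone address 192.168.1.50, the public address 202.1.1.2, the media ports and the SIP dialog identifiers are assumptions.

```python
"""Why a NAT firewall needs SIP ALG: the SDP body of an INVITE carries the
phone's private address and the RTP port it listens on, which a plain NAT
policy neither rewrites nor opens. Constructed example; only the SIP server
address 100.1.1.2 comes from the cookbook, the rest is assumed."""
import re

SDP = (
    "v=0\r\n"
    "o=1001 2890844526 2890844526 IN IP4 192.168.1.50\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.50\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)

HEADERS = (
    "INVITE sip:1002@100.1.1.2 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.50:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@100.1.1.2>;tag=1928301774\r\n"
    "To: <sip:1002@100.1.1.2>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:1001@192.168.1.50:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0"
)

CONTENT_LENGTH = re.compile(r"^Content-Length: \d+(?=\r?$)", re.M)


def build_invite(body=SDP):
    """Constructed INVITE with a correct Content-Length."""
    head = CONTENT_LENGTH.sub(f"Content-Length: {len(body.encode())}", HEADERS)
    return head + "\r\n\r\n" + body


def split_message(msg):
    head, _, body = msg.partition("\r\n\r\n")
    return head, body


def content_length_ok(msg):
    head, body = split_message(msg)
    declared = int(re.search(r"^Content-Length: (\d+)\r?$", head, re.M).group(1))
    return declared == len(body.encode())


def pinholes(msg):
    """(address, port, proto, role) the ALG must open: the c= address with
    each m= port for RTP and port+1 for RTCP. Without them the call sets up
    but audio is one-way or absent."""
    _, body = split_message(msg)
    conn = re.search(r"^c=IN IP4 (\S+)\r?$", body, re.M).group(1)
    holes = []
    for m in re.finditer(r"^m=(\w+) (\d+) ", body, re.M):
        media, port = m.group(1), int(m.group(2))
        holes.append((conn, port, "udp", f"{media} RTP"))
        holes.append((conn, port + 1, "udp", f"{media} RTCP"))
    return holes


def alg_rewrite(msg, private_ip, public_ip, port_map):
    """Rewrite Via/Contact and the SDP o=/c=/m= lines to the public address
    and translated ports, then recompute Content-Length (the body changed)."""
    head, body = split_message(msg)
    ip_re = re.compile(rf"\b{re.escape(private_ip)}\b")
    head = ip_re.sub(public_ip, head)
    body = ip_re.sub(public_ip, body)
    for private_port, public_port in port_map.items():
        body = re.sub(rf"^(m=\w+) {private_port} ", rf"\g<1> {public_port} ",
                      body, flags=re.M)
    head = CONTENT_LENGTH.sub(f"Content-Length: {len(body.encode())}", head)
    return head + "\r\n\r\n" + body


if __name__ == "__main__":
    invite = build_invite()
    print(pinholes(invite))
    print(alg_rewrite(invite, "192.168.1.50", "202.1.1.2", {49170: 30000}))
```

Without the ALG the message leaves with c=IN IP4 192.168.1.50 and port 49170 in the SDP: the far end sends its audio to a private address, the firewall never opens 49170/49171, and the call sets up with one-way or no audio, which is the failure mode the cookbook warns about.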
Networking Requirements
As shown in the figure, two LANs are connected through an IPsec VPN so that the two network segments 192.168.0.0/24 and 192.168.1.0/24 can communicate.
Network Topology
Configuration Tips
1. Configure NGFW1
1. Perform basic configurations of Internet access
2. Configure IKE Phase 1
3. Configure IKE Phase 2
4. Configure the routes
5. Configure the policies
2. Configure NGFW2
1. Perform basic configurations of Internet access
2. Configure IKE Phase 1
3. Configure IKE Phase 2
4. Configure the routes
5. Configure the policies
To delete Phase 1 or Phase 2 of an IPsec VPN, first delete the static route and the firewall policies that reference the tunnel interface.
Configuration Steps
1. Configure NGFW1
1. Perform basic configurations of Internetaccess
For details about the configuration procedure,refer to the section “Configuring Routing Mode” > “Configuring InternetAccess via a Single Line” > “Configuring Internet Access via a Static Link”.
2. Configure IKE Phase 1
Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 1.
Configure the related parameters of Phase 1, as shown below.
Name: Set it to vpn1. In interface mode this is also the name of the tunnel interface, and the Phase 2 definition and the static route below refer to it.
Remote Gateway: Set it to Static IP Address.
IP Address: Enter 200.1.1.2, the address of the extranet interface of the peer firewall.
Local Interface: The interface through which the firewall builds the VPN with the peer device, usually the extranet interface.
Authentication Method: Set it to Pre-shared Key.
Pre-shared Key: It must be the same at both ends. Choose a long random value; a short or guessable key is the weakest point of a pre-shared-key VPN.
Enable IPsec Interface Mode: Ticked.
Other parameters keep their default values. For details, refer to the section "Parameters of Phase 1".
3. Configure IKE Phase 2
Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 2.
Configure the basic parameters of Phase 2.
Name: The name of Phase 2; here vpn2.
Phase 1: The Phase 1 this Phase 2 belongs to; here vpn1.
Click Advanced to open the advanced parameter options.
Tick Autokey Keep Alive and keep the other parameters at their default values.
4. Configure the VPN route.
Choose the Route > Static > Static Route menu, and click Create New.
Add a static route for the network segment protected by the peer, as follows:
Destination IP/Mask: The subnet protected by the peer firewall; here 192.168.1.0/24.
Device: The tunnel interface created by Phase 1; here vpn1.
5. Configure the policies
Choose the Firewall > Policy > Policy menu, and click Create New.
Create the two policies below. They control access between the local subnet and the peer subnet through the tunnel interface and can apply UTM protection. NAT is normally left disabled on these policies: with NAT enabled, the peer would see the tunnel interface address instead of the local subnet, and the peer's policy for 192.168.0.0/24 would not match.
Policy 1: Allow the local 192.168.0.0/24 segment to access the peer 192.168.1.0/24 segment (from internal to vpn1).
Policy 2: Allow the peer 192.168.1.0/24 segment to access the local 192.168.0.0/24 segment (from vpn1 to internal).
2. Configure NGFW2
1. Perform basic configurations of Internetaccess
For details about the configurationprocedure, refer to the section “Configuring Routing Mode” > “Configuring InternetAccess via a Single Line” > “Configuring Internet Access via a Static Link”.
2. Configure IKE Phase 1
Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 1.
Configure the related parameters of Phase 1.
Name: Set it to vpn. In interface mode this is also the name of the tunnel interface, and the Phase 2 definition and the static route below refer to it.
Remote Gateway: Set it to Static IP Address.
IP Address: Enter 100.1.1.2, the address of the extranet interface of the peer firewall.
Local Interface: The interface through which the firewall builds the VPN with the peer device; here wan1.
Authentication Method: Set it to Pre-shared Key.
Pre-shared Key: It must be the same at both ends.
Enable IPsec Interface Mode: Ticked.
Other parameters keep their default values. For details, refer to the section "Parameters of Phase 1".
3. Configure IKE Phase 2
Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 2.
Configure the basic parameters of Phase 2.
Name: The name of Phase 2; here vpn2.
Phase 1: The Phase 1 this Phase 2 belongs to; here vpn.
Click Advanced to open the advanced parameter options.
Tick Autokey Keep Alive and keep the other parameters at their default values.
4. Configure the VPN routes.
Choose the Route > Static > Static Route menu, and click Create New.
Add a static route for the network segment protected by the peer, as shown below:
Destination IP/Mask: The subnet protected by the peer firewall; here 192.168.0.0/24.
Device: The tunnel interface created by Phase 1; here vpn.
5. Configure the policies
Choose the Firewall > Policy > Policy menu, and click Create New.
Create the two policies below. They control access between the local subnet and the peer subnet through the tunnel interface and can apply UTM protection. NAT is normally left disabled on these policies, for the reason given for NGFW1.
Policy 1: Allow the local 192.168.1.0/24 segment to access the peer 192.168.0.0/24 segment (from internal to vpn).
Policy 2: Allow the peer 192.168.0.0/24 segment to access the local 192.168.1.0/24 segment (from vpn to internal).
Common Negotiation Failures:
1. The pre-shared keys differ;
2. The encryption or authentication algorithm parameters differ;
3. The quick mode selectors (protected subnets) of Phase 2 do not match at the two ends;
4. The policies are configured wrongly or in the wrong order.
Troubleshooting Commands:
RG-WALL # diagnose debug enable
RG-WALL # diagnose debug application ike -1
If multiple gateways are available, filter the output to the gateway concerned before observing the IKE negotiation:
diagnose vpn ike log-filter dst-addr4 <IP address of the peer gateway>
diagnose vpn ike log-filter src-addr4 <IP address of the local gateway>
diagnose vpn ike log-filter dst-port <peer IKE port, for example 500>
diagnose vpn ike log-filter src-port <local IKE port, for example 500>
Analysis of Common Faults:
1. Encryption or authentication algorithm mismatch: the Phase 1 authentication or encryption algorithms differ between the two ends. Compare the algorithms configured for the IPsec tunnel on both devices.
Results of packet capture:
Troubleshooting position: check whether the encryption and authentication algorithms in the red frame below are the same at the two ends.
2. DH group mismatch: the Diffie-Hellman groups at the two ends differ.
Results of packet capture:
Troubleshooting position: check whether the DH Group in the red frame below is the same at the two ends.
(Common values seen in packet captures: DH group 1 (768-bit), DH group 2 (1024-bit), and DH group 5 (1536-bit). Groups 1 and 2 are too weak by today's standards; use group 5 or higher where both ends support it.)
3. Pre-shared key mismatch:
Results of packet capture:
ike 0:mobile:5140: responder: main mode get 3rd message...
ike 0:mobile:5140: dec A5BF9FFD3412F8CD24C7C54635FA869705100201000000000000005CF50FA936BEFB6D99E76CD6FAA679D77858160C306FE83B03F7DB8CFB680BB864AB42391BA3C5A5ADCDFB2D6CF1CEEC0A6AC0BAC12DFEABEC25E534580E6EFF32
ike 0:mobile:5140: probable pre-shared secret mismatch
Troubleshooting position: Check the positionin the red frame below.
Normal packet capture results of pre-sharedkey:
ike0:mobile:5122: responder: main mode get 3rd message...
ike0:mobile:5122: dec0AB1AD6CF994A06023E867B8EBB63F4505100201000000000000005C0800000C01000000C0A8FE020B000018608B589D57388681EC1286989FB775C88FEB66D20000001C00000001011060020AB1AD6CF994A06023E867B8EBB63F45
ike0:mobile:5122: received notify type 24578
ike0:mobile:5122: PSK authentication succeeded
ike0:mobile:5122: authentication OK
4. Normal negotiation prompts of Phase 1
ike 0:0ab1ad6cf994a060/0000000000000000:5122: negotiation result
ike 0:0ab1ad6cf994a060/0000000000000000:5122: proposal id = 1:
ike 0:0ab1ad6cf994a060/0000000000000000:5122: protocol id = ISAKMP:
ike 0:0ab1ad6cf994a060/0000000000000000:5122: trans_id = KEY_IKE.
ike 0:0ab1ad6cf994a060/0000000000000000:5122: encapsulation = IKE/none
ike 0:0ab1ad6cf994a060/0000000000000000:5122: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:0ab1ad6cf994a060/0000000000000000:5122: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:0ab1ad6cf994a060/0000000000000000:5122: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:0ab1ad6cf994a060/0000000000000000:5122: type=OAKLEY_GROUP, val=1536.
ike 0:0ab1ad6cf994a060/0000000000000000:5122: ISAKMP SA lifetime=28800
ike 0:0ab1ad6cf994a060/0000000000000000:5122: SA proposal chosen, matched gateway mobile
5. Mismatch of the quick mode selector in Phase 2
Results of packet capture:
Troubleshooting position: Check whether the network segment settings in the red frame below match at the two ends.
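The following Python script is an added example (not code from this cookbook or the firewall); it classifies lines from diagnose debug application ike -1 using the PSK mismatch and successful negotiation excerpts above (the hex payload in the samples is shortened), and compares the Phase 1 attributes of the two ends to pinpoint an algorithm or DH group inconsistency. The sample log lines and helper names are constructed for illustration.

```python
"""Classify Phase 1 IKE debug output (diagnose debug application ike -1).

Added example for this section, not code from the cookbook or the firewall.
It recognises the pre-shared-key mismatch and the successful negotiation
shown above, extracts the accepted proposal, and compares Phase 1 settings
from two ends to locate an algorithm or DH-group inconsistency.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed samples modelled on the log excerpts in this section
# (hex of the decrypted payload shortened).
PSK_MISMATCH_LOG = """\
ike 0:mobile:5140: responder: main mode get 3rd message...
ike 0:mobile:5140: dec A5BF9FFD3412F8CD24C7C54635FA869705100201
ike 0:mobile:5140: probable pre-shared secret mismatch
"""

PHASE1_OK_LOG = """\
ike 0:mobile:5122: responder: main mode get 3rd message...
ike 0:mobile:5122: received notify type 24578
ike 0:mobile:5122: PSK authentication succeeded
ike 0:mobile:5122: authentication OK
ike 0:0ab1ad6cf994a060/0000000000000000:5122: negotiation result
ike 0:0ab1ad6cf994a060/0000000000000000:5122: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC.
ike 0:0ab1ad6cf994a060/0000000000000000:5122: type=OAKLEY_HASH_ALG, val=SHA.
ike 0:0ab1ad6cf994a060/0000000000000000:5122: type=AUTH_METHOD, val=PRESHARED_KEY_XAUTH_I.
ike 0:0ab1ad6cf994a060/0000000000000000:5122: type=OAKLEY_GROUP, val=1536.
ike 0:0ab1ad6cf994a060/0000000000000000:5122: ISAKMP SA lifetime=28800
ike 0:0ab1ad6cf994a060/0000000000000000:5122: SA proposal chosen, matched gateway mobile
"""

LINE_RE = re.compile(r"^ike \d+:[^ ]+: (?P<msg>.*)$")
ATTR_RE = re.compile(r"type=(?P<k>\w+), val=(?P<v>\w+)\.?$")
# DH group sizes quoted in this section.
DH_GROUPS = {"768": "DH group 1", "1024": "DH group 2", "1536": "DH group 5"}


@dataclass
class Phase1Verdict:
    outcome: str = "incomplete"            # psk_mismatch | phase1_ok | incomplete
    gateway: Optional[str] = None          # gateway the SA proposal matched
    proposal: Dict[str, str] = field(default_factory=dict)
    lifetime: Optional[int] = None         # ISAKMP SA lifetime in seconds
    evidence: List[str] = field(default_factory=list)


def analyze_ike_log(text: str) -> Phase1Verdict:
    """Walk the debug lines and build a verdict for the Phase 1 exchange."""
    v = Phase1Verdict()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                     # blank lines or non-IKE noise
        msg = m["msg"]
        if "pre-shared secret mismatch" in msg:
            v.outcome = "psk_mismatch"
            v.evidence.append(msg)
        elif "PSK authentication succeeded" in msg or msg == "authentication OK":
            v.evidence.append(msg)
        attr = ATTR_RE.search(msg)
        if attr:
            v.proposal[attr["k"]] = attr["v"]
        life = re.search(r"ISAKMP SA lifetime=(\d+)", msg)
        if life:
            v.lifetime = int(life.group(1))
        gw = re.search(r"SA proposal chosen, matched gateway (\S+)", msg)
        if gw and v.outcome != "psk_mismatch":
            v.gateway = gw.group(1)
            v.outcome = "phase1_ok"
    return v


def dh_group_label(proposal: Dict[str, str]) -> str:
    """Translate the OAKLEY_GROUP modulus size into the DH group name."""
    bits = proposal.get("OAKLEY_GROUP", "")
    return f"{DH_GROUPS.get(bits, 'unknown DH group')} ({bits}-bit)"


def phase1_mismatches(local: Dict[str, str], peer: Dict[str, str]) -> List[str]:
    """Return the Phase 1 attributes that differ between the two ends
    (the algorithm and DH-group faults listed as common failures above)."""
    keys = ("OAKLEY_ENCRYPT_ALG", "OAKLEY_HASH_ALG", "AUTH_METHOD", "OAKLEY_GROUP")
    return [k for k in keys if local.get(k) != peer.get(k)]


if __name__ == "__main__":
    for name, log in (("psk-mismatch", PSK_MISMATCH_LOG), ("phase1-ok", PHASE1_OK_LOG)):
        verdict = analyze_ike_log(log)
        print(name, verdict.outcome, verdict.proposal, dh_group_label(verdict.proposal))
```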
Other common commands
1) If multiple gateways are available, filter on the gateway addresses or ports first and then observe the IKE negotiation process:
diagnose vpn ike log-filter dst-addr4 <IP address of peer gateway>
diagnose vpn ike log-filter src-addr4 <IP address of local gateway>
diagnose vpn ike log-filter dst-port <Peer port of IKE negotiation, for example, 500>
diagnose vpn ike log-filter src-port <Local port of IKE negotiation, for example, 500>
2) View the VPN channels: diagnose vpn tunnel list
RG-WALL# diagnose vpn tunnel list
list all ipsec tunnel in vd 0
------------------------------------------------------
name=mobile_0 ver=1 serial=4 192.168.118.25:4500->192.168.118.151:10954 lgwy=static tun=intf mode=dial_inst bound_if=5
parent=mobile index=0
proxyid_num=1 child_num=0 refcnt=7 ilast=3 olast=3
stat: rxp=10 txp=0 rxb=1280 txb=0
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=22
natt: mode=silent draft=32 interval=10 remote_port=10954
proxyid=mobile proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
src: 0:0.0.0.0-255.255.255.255:0
dst: 0:10.0.0.10-10.0.0.10:0
SA: ref=4 options=00000006 type=00 soft=0 mtu=1280 expire=1671 replaywin=1024 seqno=1
life: type=01 bytes=0/0 timeout=1790/1800
dec: spi=b2ad0f87 esp=aes key=16 046a1e666f7ae7b2aaf6197a13ea5818
ah=sha1 key=20 6f607decd4416c203911070d960cd5f26e2061bf
enc: spi=dfe610a1 esp=aes key=16 453e333a15416cfdb6ab95d324fa3ffe
ah=sha1 key=20 2a2d1cee5da51a1503ddb18599a265d5dce51e5a
dec:pkts/bytes=10/608, enc:pkts/bytes=0/0
npu_flag=02 npu_rgwy=192.168.118.151 npu_lgwy=192.168.118.25 npu_selid=2
------------------------------------------------------
name=mobile ver=1 serial=1 192.168.118.25:0->0.0.0.0:0 lgwy=static tun=intf mode=dialup bound_if=5
proxyid_num=0 child_num=1 refcnt=5 ilast=29 olast=29
stat: rxp=0 txp=0 rxb=0 txb=0
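As an added example (not the cookbook's or the firewall's code), the Python script below parses the diagnose vpn tunnel list dump above into per-tunnel records, flags a dial-up instance that receives packets but sends none, and masks the ESP/AH keys that the command prints in clear before the dump is attached to a support case. The sample dump is shortened from the one above; the check names and thresholds are constructed.

```python
"""Summarize and sanitize `diagnose vpn tunnel list` output.

Added example, not code from the cookbook or the firewall. It parses the
dump shown above into per-tunnel records, flags a tunnel that receives
packets but sends none, and masks the ESP/AH keys that the command prints
in clear so the dump can be attached to a support case.
"""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample, shortened from the dump in this section (two records).
TUNNEL_DUMP = """\
list all ipsec tunnel in vd 0
------------------------------------------------------
name=mobile_0 ver=1 serial=4 192.168.118.25:4500->192.168.118.151:10954 lgwy=static tun=intf mode=dial_inst bound_if=5
parent=mobile index=0
proxyid_num=1 child_num=0 refcnt=7 ilast=3 olast=3
stat: rxp=10 txp=0 rxb=1280 txb=0
dpd: mode=active on=1 idle=5000ms retry=3 count=0 seqno=22
natt: mode=silent draft=32 interval=10 remote_port=10954
proxyid=mobile proto=0 sa=1 ref=2 auto_negotiate=0 serial=1
  src: 0:0.0.0.0-255.255.255.255:0
  dst: 0:10.0.0.10-10.0.0.10:0
  life: type=01 bytes=0/0 timeout=1790/1800
  dec: spi=b2ad0f87 esp=aes key=16 046a1e666f7ae7b2aaf6197a13ea5818
       ah=sha1 key=20 6f607decd4416c203911070d960cd5f26e2061bf
  enc: spi=dfe610a1 esp=aes key=16 453e333a15416cfdb6ab95d324fa3ffe
       ah=sha1 key=20 2a2d1cee5da51a1503ddb18599a265d5dce51e5a
  dec:pkts/bytes=10/608, enc:pkts/bytes=0/0
------------------------------------------------------
name=mobile ver=1 serial=1 192.168.118.25:0->0.0.0.0:0 lgwy=static tun=intf mode=dialup bound_if=5
proxyid_num=0 child_num=1 refcnt=5 ilast=29 olast=29
stat: rxp=0 txp=0 rxb=0 txb=0
"""

KV_RE = re.compile(r"(\w+)=(\S+)")
PEER_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)")
KEY_RE = re.compile(r"(key=\d+) [0-9a-fA-F]+")   # "key=16 <hex>" after esp=/ah=


@dataclass
class Tunnel:
    name: str
    mode: str = ""            # dialup = parent template, dial_inst = per-peer instance
    local: str = ""
    remote: str = ""
    nat_t: bool = False       # local port 4500 means NAT traversal (UDP encapsulation)
    sa_count: int = 0         # Phase 2 SAs installed for this tunnel
    rxp: int = 0
    txp: int = 0
    dpd_on: bool = False
    selectors: List[str] = field(default_factory=list)


def parse_tunnel_list(text: str) -> List[Tunnel]:
    """Split the dump at each name= line and collect the fields we care about."""
    tunnels: List[Tunnel] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("name="):
            kv = dict(KV_RE.findall(line))
            cur = Tunnel(name=kv["name"], mode=kv.get("mode", ""))
            m = PEER_RE.search(line)
            if m:
                cur.local, cur.remote = f"{m[1]}:{m[2]}", f"{m[3]}:{m[4]}"
                cur.nat_t = m[2] == "4500"
            tunnels.append(cur)
        elif cur is None:
            continue                             # header lines before the first record
        elif line.startswith("stat:"):
            kv = dict(KV_RE.findall(line))
            cur.rxp, cur.txp = int(kv["rxp"]), int(kv["txp"])
        elif line.startswith("dpd:"):
            cur.dpd_on = dict(KV_RE.findall(line)).get("on") == "1"
        elif line.startswith("proxyid="):
            cur.sa_count += int(dict(KV_RE.findall(line)).get("sa", "0"))
        elif line.startswith(("src:", "dst:")):
            cur.selectors.append(line)
    return tunnels


def tunnel_findings(tunnels: List[Tunnel]) -> List[str]:
    """Checks run on the dump; the parent dialup template is skipped because
    its SAs and counters live in the dial_inst children (as in the dump above)."""
    out = []
    for t in tunnels:
        if t.mode == "dialup":
            continue
        if t.sa_count == 0:
            out.append(f"{t.name}: no Phase 2 SA installed (negotiation not complete)")
        elif t.rxp > 0 and t.txp == 0:
            out.append(f"{t.name}: {t.rxp} packets received, none sent; "
                       "check the route and policy for the return direction")
    return out


def redact_keys(text: str) -> str:
    """Mask SA key material before the dump leaves the device."""
    return KEY_RE.sub(r"\1 <redacted>", text)


if __name__ == "__main__":
    for finding in tunnel_findings(parse_tunnel_list(TUNNEL_DUMP)):
        print(finding)
    print(redact_keys(TUNNEL_DUMP))
```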
Networking Requirements
As shown in the figure, the headquarters of a company is internally fitted with an OA server, and the three branch offices of the company need to log in to the headquarters' intranet by VPN dial-up first and then access the OA server. To simplify the configuration, the headquarters wants to build only one VPN tunnel to implement the communications between all branch offices and the headquarters.
Network Topology
Configuration Tips
1. Configure NGFW-1
1. Perform basic configurations of Internet access;
2. Configure IKE Phase 1;
3. Configure IKE Phase 2;
4. Configure the IPsec policy;
5. Configure the route.
2. Configure NGFW-2
1. Perform basic configurations of Internet access;
2. Configure IKE Phase 1;
3. Configure IKE Phase 2;
4. Configure the route;
5. Configure the IPsec policy.
3. Configure other spoke node devices.
To delete Phase 1 and Phase 2 of an IPsec VPN, you need to first delete the route or firewall security policy that references them.
Configuration Steps
1. Configure NGFW-1
1) Perform basic configurations of Internet access
For details about the configuration procedure, refer to the section “Configuring Routing Mode” > “Internet Access via a Single Line” > “Configuring Internet Access via a Static Link”.
2) Configure IKE Phase 1
Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 1.
Configure the related parameters of Phase 1.
Name: Set it to dialvpn. In interface mode, it is used as the name of the VPN interface.
Remote Gateway: It is set to accept dial-up users, since the spoke devices dial in to the hub.
Local Interface: It refers to the interface via which the firewall builds a VPN connection with the peer device. It is usually an extranet interface. Here, it is set to wan1.
Authentication Method: Set it to Pre-shared Key.
Pre-shared Key: It must be the same at both ends.
Enable IPsec Interface Mode: Ticked.
Other parameters are set to their default values. For details about the parameters, refer to section “Parameters of Phase 1”.
3) Configure IKE Phase 2
Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 2.
Configure the basic parameters of Phase 2.
Name: It refers to the name of Phase 2, and is here set to dialvpn2.
Phase 1: It is the Phase 1 associated with this Phase 2, and is here set to dialvpn.
Click Advanced, and the advanced parameter options pop up.
Tick Autokey Keep Alive, and set other parameters to their default values.
Quick Mode Selector: Both the source address and destination address are set to their default values 0.0.0.0 0.0.0.0.
4) Configure the IPSec policy
Choose the Firewall > Policy > Policy menu, and click Create New.
Add an IPSec policy as shown below, allowing the external user 192.168.0.0/16 to access the network segment 192.168.0.0/24.
Source Interface/Zone: Select the new dial-up VPN interface dialvpn.
5) Configure the route
On the hub-end firewall, you do not need to configure a route to each branch office; the system generates these routes automatically.
2. Configure NGFW-2
1) Perform basic configurations of Internet access
For details about the configuration procedure, refer to the section “Configuring Routing Mode” > “Internet Access via a Single Line” > “Configuring Internet Access via a Static Link”.
2) Configure IKE Phase 1
Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 1.
Configure the related parameters of Phase 1.
Name: Set it to VPN. In interface mode, it is used as the name of the VPN interface.
Remote Gateway: Set it to Static IP Address.
IP Address: Enter the IP address of the extranet interface of the peer firewall, 100.1.1.2.
Local Interface: It refers to the interface via which the firewall builds a VPN connection with the peer device; here, it is set to wan1.
Authentication Method: Set it to Pre-shared Key.
Pre-shared Key: It must be the same at both ends.
Enable IPsec Interface Mode: Ticked.
Other parameters are set to their default values. For details about the parameters, refer to section “Parameters of Phase 1”.
3) Configure IKE Phase 2
Choose the VPN > IPsec > Auto Key (IKE) menu, and click Create Phase 2.
Configure the basic parameters of Phase 2.
Name: It refers to the name of Phase 2, and is here set to vpn2.
Phase 1: It is the Phase 1 associated with this Phase 2, and is here set to vpn.
Click Advanced, and the advanced parameter options pop up.
Tick Autokey Keep Alive, and set other parameters to their default values.
Source Address: It refers to the locally protected subnet.
Destination address: It refers to the network segment accessed via the VPN.
4) Configure the route
Choose the Route > Static > Static Route menu, and click Create New.
Add the VPN route to the network segment protected by the peer as follows:
Destination IP/Mask: It refers to the subnet protected by the peer firewall; here, it is set to 192.168.1.0/16.
Device: It refers to the interface generated by the VPN; here, it is set to vpn.
The destination IP address mask of the static route can be 16 or 24 bits. In this scenario, with a 16-bit mask the branch offices can communicate with each other; with a 24-bit mask the branch offices can access only network segment 0 of the headquarters.
5) Configure the IPSec policy
Choose the Firewall > Policy > Policy menu, and click Create New.
Create a security policy as follows:
Source Address: 192.168.1.0/24, the local network segment that accesses the other network segments.
Destination Address: It can be 192.168.0.0/16 or 192.168.0.0/24. With 192.168.0.0/24, the user is allowed to access only the network segment protected by NGFW1, not the network segments of other branch offices, for example, 192.168.2.0/24.
3. Configure other spoke node devices.
By reference to the configuration of NGFW2, adjust the related parameters according to the local private network segment.
When editing Phase 2 of IPsec, modify the Source Address of the quick mode selector. For example, the related configuration of NGFW3 is as follows:
Overview
The PPTP VPN allows a PC client or mobile client to dial up.
Networking Requirements
As shown in the figure, a company is internally fitted with an OA server, and to access the OA server, the employees outside the company need to first log in to its intranet via PPTP VPN.
The configuration of L2TP VPN is the same as that of PPTP VPN.
Network Topology
Configuration Tips
1. Perform basic configurations of Internet access;
2. Configure the users;
3. Perform PPTP/L2TP configurations for the NGFW;
4. Define the policy;
5. Configure the PC client;
6. If PPTP dialup is successful, the DNS is not issued; if L2TP dialup is successful, the DNS of the firewall system is issued.
Configuration Steps
Step 1. Perform basic configurations of Internet access
For details about the configuration procedure, refer to the section “Configuring Routing Mode” > “Internet Access via a Single Line” or “Internet Access via Multiple Links”.
Step 2. Configure the users
1) Define the users
Choose the User > User > User menu, and click Create New.
Add the user name user1 and password 11111111.
2) Define the user group
Choose the User > User Group > User Group menu, and click Create New.
Add the user group vpn, and add the user user1 to the user group.
Step 3. Perform PPTP/L2TP VPN configurations for the NGFW (on the CLI)
RG-WALL# config vpn pptp // For L2TP, use config vpn l2tp. The pptp configuration is the same as the l2tp configuration; pptp is taken as an example.
RG-WALL (pptp)# set status enable // Enable the VPN function
RG-WALL (pptp)# set eip 192.168.1.220 // Configure the range of IP addresses allocated to the client: end IP address
RG-WALL (pptp)# set sip 192.168.1.210 // Configure the range of IP addresses allocated to the client: start IP address
RG-WALL (pptp)# set usrgrp vpn // Invoke the VPN user group
RG-WALL (pptp)# end
The address range allocated to VPN users can be a segment of intranet addresses or an independent network segment.
Step 4. Define the policy
1) Configure an address object
2) Create the policy
Choose the Firewall > Policy > Policy menu, and click Create New.
The policy is configured as shown below:
Source interface/zone: wan1, the extranet interface
Source address: Select the previously created pptppool.
Destination Interface/Zone: Select internal.
Destination Address: Enter 192.168.1.10/32.
Service: Select ALL.
Other parameters: Keep the default settings.
Verification
Note: If the VPN is not established successfully, run the diagnosis commands below:
dia debug enable
dia deb app ppp -1
For example, if the entered user name or password is incorrect, the system displays the following prompt:
Should you have any query, collect the related information and then call the technical support hotline (400-111-000) to seek help.
I. Networking Requirements
Configure basic functions for Internet access and enable Web cache.
II. Network Topology
Assume that the ISP assigns the following addresses:
Network segment: 202.1.1.8/29; IP address: 202.1.1.10; gateway address: 202.1.1.9; DNS: 202.106.196.115.
III. Configuration Tips
1. Basic Configuration for Internet Access (Omitted. See section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".)
a. Configure an interface.
b. Configure a static routing table.
c. Set the address object to InternalIP and the address to 192.168.1.0/24.
d. Configure the policy from LAN to wan1, and enable NAT.
2. Enable Web cache.
3. Configure Web cache parameters.
IV. Configuration Steps
1. Basic Configuration for Internet Access (Omitted. See section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".)
a) Configure an interface.
b) Configure a static routing table.
c) Set the address object to InternalIP and the address to 192.168.1.0/24.
d) Configure the policy from LAN to wan1, and enable NAT.
For some low-end models, the system configures a NAT policy from internal to wan1 by default.
In the New Policy window, create a policy as follows:
Source Interface/Zone: Choose lan.
Source address: Choose InternalIP.
Destination Interface/Zone: Choose wan1.
Destination address: Choose all, which indicates all addresses.
Service: Choose ALL.
NAT: Tick Enable NAT. The system automatically translates the IP addresses of the intranet lan to the IP address of the wan1 interface, 202.1.1.10, for Internet access.
Click Enable Web cache.
Click OK. The system automatically saves the configuration and the policy takes effect.
Configure Web cache parameters.
Choose WAN Opt. & Cache > Cache > Settings. The default settings are generally used.
Always Revalidate:
Max Cache Object Size: It indicates the maximum size of a cache object, which is 512 MB by default. Larger files are sent directly to clients without being cached.
Negative Response Duration: It sets how long error responses returned by the server are cached. The default value is 0, which means they are not cached.
Fresh Factor: It sets how often the firewall checks whether a cached object needs to be updated. If it is set to 100%, the cache is checked once before expiration (TTL timeout); if it is set to 20%, the cache is checked five times.
Max TTL: It indicates the maximum time a cached object stays alive when the expiration is not checked.
Min TTL: It indicates the minimum time a cached object stays alive before the expiration is checked.
Default TTL: It indicates the default alive time of cached objects.
Ignore: It indicates that caches are ignored.
V. Verification
RGFW # diagnose wacs stats
Disk 0 /var/storage/FLASH1-68B85ACE134E6A3A/wa_cs
Current number of open connections: 2
Number of terminated connections: 21
Number of requests -- Adds: 6547 (0 repetitive keys), Lookups: 12780, Conflict incidents: 0
Percentage of missed lookups: 96.39
Communication is blocked for 0 client(s)
wa_cs disk space: 4278 MB
Disk usage: 93861 KB (2%) // Indicates the space occupied by caches.
I. Networking Requirements
As shown in the following figure, the company has two Web servers. Load balancing is configured on the firewall, which distributes Web service requests to the server 192.168.1.1 and the server 192.168.1.2.
II. Network Topology
III. Configuration Tips
1. Basic configuration for Internet access
2. Configure the load balancing server.
a) Configure health check.
b) Configure the load balancing server.
c) Configure a real server.
d) Configure a safety policy.
IV. Configuration Steps
1. Basic configuration for Internet access
For the detailed configuration process, see section 1.1.2 "Configuring Internet Access via a Static Link" under section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".
IP addresses of interfaces are as follows:
The routing configuration is as follows:
2. Configure the load balancing server.
(1) Configure health check.
Choose Firewall > Load Balance > Health Check Monitor. Set the health check method used to check the health condition of the real servers. The following takes TCP as an example.
Name: Enter tcp80. This item is user-defined.
Type: TCP, HTTP, and PING are supported. Tick TCP to check service port 80, tick HTTP to check whether the HTTP service process is normal and whether Web pages can be accessed, or tick PING to check whether the host is online.
Interval: Enter 10, which means a check every 10 seconds.
Timeout: Enter 2. If no response is received from the server within 2 seconds, the server is considered abnormal.
Retry: If the server still fails to respond after three consecutive retries, it is considered out of service and the firewall stops assigning load to it.
(2) Configure the load balancing server.
Choose Firewall > Load Balance > Virtual Server, and then click Create New to create a virtual server, as shown in the following figure.
Name: Enter httpserver. This item is user-defined.
Type: HTTP, TCP, UDP, and IP are supported. HTTP is chosen in this example. For a DNS server, choose UDP.
Interface: Choose wan1. It indicates the interface on which the virtual server receives requests from external clients.
Virtual Server IP: It indicates the IP address at which the virtual server provides external services.
Load Balance Method: Static, Round-Robin, Weighted, First Alive, Least RTT, Least-conn, and HTTP Host are supported. For the differences between these methods, see the Firewall Configuration Guide.
Persistence: Choose http cookie.
HTTP Multiplexing: This item is optional. Multiple requests from clients can be merged onto one server connection to reduce the server load.
SSL: It indicates that the load balancing applies to the HTTPS service.
Certificate: It indicates the certificate the firewall presents when it proxies HTTPS.
Health Check: Select tcp80.
(3) Configure a real server.
Choose Firewall > Load Balance > Real Server, and then click Create New to create two real servers, as shown in the following figure.
Virtual Server: Choose httpserver. It indicates the virtual server for which the real server is configured.
IP Address: It indicates the IP address of the real server.
Port: It indicates the HTTP service port of the real server, which may be different from the service port of the virtual server.
Weight: It is not used in this example. If the load balance method is set to Weighted, specify the weights, for example, 10:10.
Max Connections: The value 0 indicates no restriction.
Mode: Choose Active. Three options are available: active, inactive, and standby.
(4) Configure a safety policy.
Choose Firewall > Policy > Policy, and then click Create New.
In the New Policy window, create a policy as follows:
Click Multiple behind Destination address, and choose the two virtual IP addresses that have been defined.
Source Interface/Zone: Choose wan1.
Source address: Choose all.
Destination Interface/Zone: Choose internal.
Destination address: Choose httpserver.
Service: Choose HTTP.
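To make the health check and real server fields concrete, here is an added Python model (not the cookbook's or the firewall's code) that uses the values set above (tcp80: interval 10, timeout 2, retry 3) and the Round-Robin method; the scripted probe, scenario and server names are constructed so it runs offline.

```python
"""Model of the health check and real-server rotation configured above.

Added example, not code from the cookbook or the firewall. It uses the
values set in this section (tcp80: interval 10 s, timeout 2 s, retry 3):
a real server leaves the rotation after three consecutive failed probes,
returns after one successful probe, and the Round-Robin method hands
requests only to servers that are alive and below Max Connections.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class HealthCheck:
    name: str
    interval: int = 10   # seconds between probe rounds (the firewall's timer)
    timeout: int = 2     # seconds to wait for the server to answer
    retry: int = 3       # consecutive failures before the server is marked down


@dataclass
class RealServer:
    ip: str
    port: int = 80
    weight: int = 1
    max_connections: int = 0   # 0 = no restriction, as in the GUI
    alive: bool = True
    failures: int = 0
    active: int = 0            # connections currently assigned


def tcp_probe(server: RealServer, timeout: float) -> bool:
    """The TCP check type: success if ip:port accepts a connection in time."""
    try:
        with socket.create_connection((server.ip, server.port), timeout=timeout):
            return True
    except OSError:
        return False


class VirtualServer:
    def __init__(self, name: str, check: HealthCheck, servers: List[RealServer],
                 probe: Callable[[RealServer, float], bool] = tcp_probe):
        self.name, self.check, self.servers, self.probe = name, check, list(servers), probe
        self._rr = 0

    def run_checks(self) -> List[str]:
        """One probe round; call it every check.interval seconds. Returns state changes."""
        events = []
        for s in self.servers:
            if self.probe(s, self.check.timeout):
                if not s.alive:
                    events.append(f"{s.ip}:{s.port} up")
                s.alive, s.failures = True, 0
            else:
                s.failures += 1
                if s.alive and s.failures >= self.check.retry:
                    s.alive = False
                    events.append(f"{s.ip}:{s.port} down after {s.failures} failed probes")
        return events

    def pick(self) -> Optional[RealServer]:
        """Round-Robin over alive servers that still have connection headroom."""
        pool = [s for s in self.servers
                if s.alive and (s.max_connections == 0 or s.active < s.max_connections)]
        if not pool:
            return None
        s = pool[self._rr % len(pool)]
        self._rr += 1
        s.active += 1
        return s


def scripted_probe(fail_counts: Dict[str, int]) -> Callable[[RealServer, float], bool]:
    """Offline stand-in for tcp_probe: fail the next N probes of the listed servers."""
    def probe(server: RealServer, timeout: float) -> bool:
        if fail_counts.get(server.ip, 0) > 0:
            fail_counts[server.ip] -= 1
            return False
        return True
    return probe


def demo() -> List[str]:
    """Constructed scenario: 192.168.1.2 fails four probes in a row, then recovers."""
    vs = VirtualServer("httpserver", HealthCheck("tcp80"),
                       [RealServer("192.168.1.1"), RealServer("192.168.1.2")],
                       probe=scripted_probe({"192.168.1.2": 4}))
    log: List[str] = []
    for n in range(6):
        log.extend(vs.run_checks())
        chosen = vs.pick()
        log.append(f"round {n}: request -> {chosen.ip if chosen else 'none'}")
    return log


if __name__ == "__main__":
    print("\n".join(demo()))
```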
Note: Virtual IP addresses defined with versions earlier than P4 cannot be called on the Web page but can be called from the command line. Choose the interface defined by the virtual server as the source interface, and run the following commands:
V. Verification
Access http://192.168.118.122 from an external address.
Common Diagnosis Commands:
1. Check the status of a real server.
RG-WALL # diagnose firewall vip realserver list
alloc=4
------------------------------
vf=0 name=httpserver/1 type=3 192.168.118.122:(80-80), protocol=6
total=2 alive=2 power=2 ptr=197676
ip=192.168.1.1-192.168.1.1:80 adm_status=0 holddown_interval=300 max_connections=0 weight=1 option=01
alive=1 total=1 enable=00000001 alive=00000001 power=1
src_sz=0
id=0 status=up ks=12 us=0 events=1 bytes=2078892 rtt=0
ip=192.168.1.2-192.168.1.2:80 adm_status=0 holddown_interval=300 max_connections=0 weight=1 option=01
alive=1 total=1 enable=00000001 alive=00000001 power=1
src_sz=0
id=0 status=up ks=9 us=0 events=1 bytes=50450 rtt=0
Check the status of a real server configured for a virtual server.
RG-WALL # diagnose firewall vip virtual-server real-server
vd root/0 vs httpserver/1 addr 192.168.1.1:80 status 2/1 (process 193)
conn: max 0 active 5 attempts 1440 success 165 drop 0 fail 3
http: available 4 total 5
vd root/0 vs httpserver/1 addr 192.168.1.2:80 status 2/1 (process 193)
conn: max 0 active 1 attempts 37 success 11 drop 0 fail 2
http: available 0 total 1
Collect statistics on the sessions of a virtual server.
RG-WALL # diagnose firewall vip virtual-server stats
summary
c2p_connections: now 21 max 31 total 140
embryonics: now 0 max 6 total 140
close_during_connect: 0
........
I. Networking Requirements
As shown in the following figure, the company has two Web servers with the domain name www.test.com, which can be accessed via HTTPS. Load balancing is configured on the firewall, which distributes Web service requests to the server 192.168.1.1 and the server 192.168.1.2.
II. Network Topology
III. Configuration Tips
1. Basic configuration for Internet access
2. Configure the load balancing server.
(1) Configure health check.
(2) Configure the load balancing server.
(3) Configure a real server.
(4) Configure a safety policy.
IV. Configuration Steps
1. Basic configuration for Internet access
For the detailed configuration process, see section 1.1.2 "Configuring Internet Access via a Static Link" under section 1.1 "Internet Access via a Single Line" in Chapter 1 "Typical Functions of Routing Mode".
IP addresses of interfaces are as follows:
The routing configuration is as follows:
2. Configure the load balancing server.
(1) Configure the load balancing server.
Choose Firewall > Load Balance > Virtual Server, and then click Create New to create a virtual server, as shown in the following figure.
Name: Enter https. This item is user-defined and can be modified as required.
Type: HTTP, TCP, UDP, and IP are supported. HTTP is chosen in this example. For a DNS server, choose UDP.
Interface: Choose port15. It indicates the port where the firewall is connected to the Internet.
Virtual Server IP: Enter 192.168.118.126. It indicates the IP address at which the server provides external services.
Load Balance Method: Static, Round-Robin, Weighted, First Alive, Least RTT, Least-conn, and HTTP Host are supported.
Persistence: Choose http cookie.
HTTP Multiplexing: This item is optional. Multiple requests from clients can be merged onto one server connection to reduce the server load.
SSL Offloading: client--RuijieGate indicates that the client and the firewall are connected via SSL, while the firewall and the server communicate in plaintext, which reduces the server load.
client--RuijieGate--server indicates that the client and the firewall are connected via SSL, and the firewall and the server are also connected via SSL.
Certificate: Choose the certificate issued for the server. In this example, the valid certificate of the website is web.
Health check: This item is optional. If there is only one real server, it is set by default. (The configuration is similar to HTTP.)
(2) Configure a real server.
Choose Firewall > Load Balance > Real Server, and then click Create New to create two real servers, as shown in the following figure.
Virtual Server: Choose https. It indicates the virtual server for which the real server is configured.
IP Address: It indicates the IP address of the real server.
Port: It indicates the HTTP service port of the real server, which may be different from the service port of the virtual server.
Weight: It is not used in this example. If the load balance method is set to Weighted, specify the weights, for example, 10:10.
Max Connections: The value 0 indicates no restriction.
Mode: Choose Active. Three options are available: active, inactive, and standby.
(3) Configure the second server in the above way.
(4) Configure a safety policy.
Choose Firewall > Policy > Policy, and then click Create New. In the New Policy window, create a policy.
Click Multiple behind Destination address, and choose the two virtual IP addresses that have been defined.
Source Interface/Zone: Choose wan1.
Source address: Choose all.
Destination Interface/Zone: Choose internal.
Destination address: Click Multiple to choose https and https 1.
Service: Choose HTTPS.
In the policy, enable the HTTP archiving function of DLP, and tick Enable SSL/SSH Inspection.
V. Verification
Access http://www.test.com from an external address to view the logs.
Networking Requirements
Without changing the current network topology, deploy the firewall NGFW in transparent mode between the router and the server. The firewall works in transparent mode to protect the server 192.168.1.10.
Network Topology
Configuration Tips
l Set the firewall to work in transparent mode.
l Add the server address.
l Configure the policy.
Configuration Steps
For the M5100, take the following steps to convert the LAN port into a routing port and then switch to transparent mode.
For other models, this operation is not required. First delete the policy, route, and DHCP configuration related to the LAN port.
RG-WALL# config system virtual-switch
RG-WALL (virtual-switch)# delete lan
RG-WALL# end
Before the operation, it is recommended to upgrade the firewall to the latest version.
1. Set the firewall to work in transparent mode.
Choose System > Dashboard > Status. The information on the home page is as follows:
Click Change in the Operation Mode field. Change the value of Operation Mode to Transparent. Set the management IP address and gateway for the device. See the following figure:
In transparent mode, no IP address can be written on an interface; there is only one management IP address for the whole device. To manage the device through a particular interface, run the following command to enable management access on that interface (the mgmt or mgmt1 interface by default). The following takes port1 as an example. Enable only the protocols that are actually needed: telnet carries credentials in plaintext, and https plus ssh are normally sufficient.
RG-WALL# config system interface
RG-WALL (interface)# edit port1
RG-WALL (port1)# set allowaccess ping https ssh telnet
RG-WALL (port1)# end
The following figure shows the interfaces:
2. Add the server address.
Choose Firewall > Address > Address, and then click Create New to add the server address, as shown in the following figure:
3. Add the policy.
Choose Firewall > Policy > Policy, and then click Create New. Add the policy as shown in the following figure to allow extranet users to access the HTTP service of the server 192.168.1.10.
Networking Requirements
There are two VLANs (in a trunk environment) established on the intranet. The gateway is deployed on the router. The firewall works in transparent mode between the core switch and the core router. The two VLANs, with virus filtering enabled, are allowed to access the extranet under protection.
Network Topology
Configuration Tips
l Configure the transparent mode.
l Create VLAN sub-interfaces.
l Configure the forwarding domain.
l Configure the policy.
Configuration Steps
1. Configure the transparent mode.
For the detailed configuration steps, see section 2.1 “How to Enable Transparent Mode”. Click Change in the Operation Mode field. Change the value of Operation Mode to Transparent. Configure the management address and gateway for the firewall. See the following figure:
2. Establish VLAN sub-interfaces.
Choose System > Network > Interface, and then click Create New. Create a VLAN interface, as shown in the following figure:
Create four VLAN interfaces in the same way: VLAN10 and VLAN20 sub-interfaces on the wan1 interface and on the internal interface. The configured VLAN interfaces are displayed as shown in the following figure:
3. Configure the forwarding domain. (The CLI is mandatory.)
RG-WALL# config system interface
RG-WALL (interface)# edit wanvlan10
RG-WALL (wanvlan10)# set forward-domain 10
RG-WALL (wanvlan10)# next
RG-WALL (interface)# edit invlan10
RG-WALL (invlan10)# set forward-domain 10 // Put the interfaces wanvlan10 and invlan10 into one forwarding domain. Interfaces can communicate only within the same forwarding domain.
RG-WALL (invlan10)# next
RG-WALL (interface)# edit wanvlan20
RG-WALL (wanvlan20)# set forward-domain 20
RG-WALL (wanvlan20)# next
RG-WALL (interface)# edit invlan20
RG-WALL (invlan20)# set forward-domain 20
RG-WALL (invlan20)# end
4. Configure the policy.
1) Configure the policy for VLAN10.
For the detailed configuration steps, see section “Configuring Internet Access via a Static Link” under section 1.1 “Internet Access via a Single Line” in “Configuring Routing Mode”. The policy configuration is as follows:
2) Configure the policy for VLAN20, as shown in the following figure:
3) For VLAN10 and VLAN20 to access each other, configure a policy for the access from wanvlan10 to invlan10 and another policy from wanvlan20 to invlan20. See the following figure:
Verification
Test Internet access and virus detection on vlan10 and vlan20 respectively.
Networking Requirements
The firewall deployed in transparent mode requires out-of-band management.
l On the firewall, configure an IP address in the management network segment.
l The local route generated by the management IP address must not conflict with regular business traffic, for example by creating an asymmetric route.
Network Topology
Configuration Tips
l Enable VDOM.
l Assign the interface connected to the management network segment to one VDOM (the internal3 interface in this example).
l Configure the management IP address and management access mode for the internal3 interface.
Configuration Steps
1. Enable the transparent mode.
Choose System > Dashboard > Status. The information on the home page is displayed as follows:
Click Change in the Operation Mode field. Change the value of Operation Mode to Transparent, as shown in the following figure:
2. Configure the VDOM.
Choose System > Dashboard > Status. Find the Virtual Domain value, as shown in the following figure:
Create a VDOM named manager, as shown in the following figure:
3. Assign the management interface internal3 to the VDOM manager. Choose System > Network > Interface and then click Edit, as shown in the following figure:
Edit the internal3 interface, as shown in the following figure:
Vdom: Choose manager.
IP/Netmask: Set it to 192.168.1.3/24 (in the management network segment).
Administrative Access: Tick HTTPS, PING, and SSH.
Verification
Set the IP address of the PC to 192.168.1.1/24. Access the web management page of the firewall at https://192.168.1.3.
l The firewall can be managed.
l The PC in the management network segment can access the Internet.
Notes
If the out-of-band management port is not required and the firewall in bridge mode is managed directly (through the internal1 or wan1 interface in this example), pay attention to the following notes:
l The bridge IP address is the IP address of the entire firewall, not the IP address of an interface.
l To manage the firewall in bridge mode through an interface, enable the management functions on the corresponding interface, for example, ping, HTTPS, and SSH.
In this example, to manage the firewall through the internal1 or wan1 interface, enable the Ping, HTTPS, and SSH management functions on the internal1 or wan1 interface.
Bypass Mode
Among the RG-WALL 1600 series new next-generation firewalls, only the X8500 supports two groups of electrical bypass interfaces; that is, after the device is powered off or restarted, communication still proceeds. The two groups of interfaces are wan1---port1 and wan2---port2. The indicators below port1 and port2 are the bypass indicators, as shown in the following figure:
For the new NGFW products, only the X8500 supports two groups of electrical bypass interfaces. None of the NGFW products support optical bypass interfaces.
Network Topology
The firewall works in transparent mode with the anti-virus function enabled. The bypass interface is used: after the firewall fails, the bypass interface keeps the links working.
Configuration Tips
l Setthe firewall to work in transparent mode.
l Configurea firewall policy.
l Enablebypass mode.
Configuration Steps
1. Set the firewall to work in transparentmode.
Choose System > Dashboard> Status. The information on the home page is as follows:
Click Change in the Operation Modefield. Change the value of Operation Mode into Transparent.Set the management IP address and gateway for the device. See the followingfigure:
2. Configure a firewall policy.
Choose Firewall > Policy> Policy. Add a policy for Internet access and enable the anti-virusfunction, as shown in the following figure:
3. Enable bypass mode.
configsystem bypass
setbypass-watchdog enable
setpoweroff-bypass enable
end
Verification
Power off the system or restart the device,but business of customers is not interrupted.
Notes in Transparent Mode
1. By default, the new NGFW does not forward BPDU packets. This may cause L2 loops due to STP problems. Log in to the CLI of the new NGFW, enter the interface editing context, and run the following command to enable BPDU forwarding: set stpforward enable.
RG-WALL# config system interface
RG-WALL(interface) # edit port1
RG-WALL(port1) # set stpforward enable    # By default, it is disabled.
RG-WALL(port1) # next
Log in to each interface in turn to enable stpforward.
2. You can use the forward domain to control data forwarding among specified interfaces. Data packets can be forwarded among interfaces with the same forward domain ID.
RG-WALL #config system interface
RG-WALL(interface) # edit wan1
RG-WALL(wan1) # set forward-domain 10
RG-WALL(wan1) # next
RG-WALL(interface) # edit wan2
RG-WALL(wan2) # set forward-domain 10
RG-WALL(wan2) # end
There is no need to define the forward-domain in advance; it takes effect immediately after being configured. Broadcast packets are broadcast only within one forward-domain.
3. Only Ethernet II frames can be forwarded. By default, other L2 protocol frames cannot be forwarded. To forward these frames, enable the L2 forward function on the interface.
RG-WALL #config system interface
RG-WALL(interface) #edit port1
RG-WALL(port1) # set l2forward enable    # By default, it is disabled.
RG-WALL(port1) # next
Log in to each interface in turn to enable l2forward.
4. By default, multicast packets are not forwarded. To deploy the firewall in transparent mode in a multicast environment, configure the corresponding multicast policy to allow the related multicast data flow to pass through the new NGFW. For example, to deploy the firewall in an OSPF or RIP v2 environment, configure a firewall policy to allow data transmitted to or from 224.0.0.5 and 224.0.0.6 (OSPF) or 224.0.0.9 (RIP v2).
RG-WALL# config system settings
RG-WALL(settings) # set multicast-skip-policy enable    # By default, it is disabled.
RG-WALL(settings) # end
5. To enable out-of-band management, set up multiple VDOMs. VDOM root is used only to manage the other related transparent VDOMs.
6. If you want to deploy the new NGFW in transparent mode between a router and a host, ensure that the MAC addresses of a data flow with the same source and destination IP addresses are the same in both directions on the firewall. For simple applications such as VRRP, HSRP and other host route backup protocols, set static IP/MAC addresses on the firewall so that the new NGFW learns the VRRP group or HSRP group to which the specified virtual MAC address belongs. Note: Only one identical MAC address pair is specified for one forward_domain.
7. Check the MAC table in transparent mode.
Run diag netlink brctl name host <VDOM_name>.b to check the MAC table in transparent mode. The following example takes VDOM root as an example.
RGFW# diag netlink brctl name host root.b
show bridge control interface root.b host.
fdb: size=256, used=6, num=7, depth=2, simple=no
Bridge root.b host table
port no device devname   mac addr            ttl  attributes
2    7      wan2      02:09:0f:78:69:00   0    Local Static
5    6      trunk_1   02:09:0f:78:69:01   0    Local Static
3    8      dmz       02:09:0f:78:69:01   0    Local Static
4    9      internal  02:09:0f:78:69:02   0    Local Static
3    8      dmz       00:80:c8:39:87:5a   194
4    9      internal  02:09:0f:78:67:68   8
1    3      wan1      00:09:0f:78:69:fe   0    Local Static
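An added parser for the host table format shown above (example code, not Ruijie's). It reports learned (non-Local) MAC addresses that appear on more than one bridge port, the symptom behind the L2 loop and MAC consistency notes in this list. The sample is a constructed copy of the table above with one extra wan1 entry added to trigger the check.

```python
import re
from collections import defaultdict

# Constructed sample in the format of `diag netlink brctl name host root.b`.
# The last line is an added entry (not from the page) so that one learned MAC
# shows up on two ports.
SAMPLE_HOST_TABLE = """\
show bridge control interface root.b host.
fdb: size=256, used=6, num=7, depth=2, simple=no
Bridge root.b host table
port no device devname   mac addr            ttl  attributes
2    7      wan2      02:09:0f:78:69:00   0    Local Static
5    6      trunk_1   02:09:0f:78:69:01   0    Local Static
3    8      dmz       02:09:0f:78:69:01   0    Local Static
4    9      internal  02:09:0f:78:69:02   0    Local Static
3    8      dmz       00:80:c8:39:87:5a   194
4    9      internal  02:09:0f:78:67:68   8
1    3      wan1      00:09:0f:78:69:fe   0    Local Static
1    3      wan1      00:80:c8:39:87:5a   3
"""

# port, device number, device name, MAC, ttl, optional attribute words
ENTRY_RE = re.compile(
    r"^(\d+)\s+(\d+)\s+(\S+)\s+([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s+(\d+)\s*(.*)$"
)


def parse_host_table(text):
    """Return one dict per forwarding-table row; header and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        port, devno, devname, mac, ttl, attrs = m.groups()
        entries.append({
            "port": int(port),
            "devno": int(devno),
            "devname": devname,
            "mac": mac,
            "ttl": int(ttl),
            "local": "Local" in attrs,    # the firewall's own interface address
            "static": "Static" in attrs,  # never aged out
        })
    return entries


def learned_on_multiple_ports(entries):
    """Map each learned (non-Local) MAC that was seen on more than one port to the
    sorted list of those ports. A non-empty result points at an L2 loop or an
    asymmetric path through the transparent-mode firewall."""
    ports = defaultdict(set)
    for e in entries:
        if not e["local"]:
            ports[e["mac"]].add(e["devname"])
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}


if __name__ == "__main__":
    table = parse_host_table(SAMPLE_HOST_TABLE)
    print(f"{len(table)} entries, {sum(e['local'] for e in table)} local")
    for mac, on_ports in learned_on_multiple_ports(table).items():
        print(f"MAC {mac} learned on several ports: {', '.join(on_ports)}")
```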
8. Limitation of the transparent mode.
l Only IPSec VPN in policy mode is supported. User authentication is supported.
l Interface mode, SSL VPN, dynamic routing, policy-based routing and DHCP are not supported.
Overview
A virtual domain (VDOM) can be regarded as a virtual firewall. The VDOM technique divides one RG-WALL device into two or more virtual devices with different firewall policies that function independently. In NAT or routing mode, VDOMs can be configured separately and can access each other, providing routing or VPN services for the connected networks or organizations. Different VDOMs can be manually assigned differentiated system resources, which generally suits multiple networks that should be split, such as a cloud network. Because the next-generation firewall (NGFW) can work in NAT or transparent mode, VDOMs must be adopted in hybrid mode.
Configuration Tips
l Enable VDOM.
l Add a VDOM.
l Add interfaces to the VDOM.
l Assign resources to the VDOM. (Optional)
l Assign the administrator account to the VDOM. (Optional)
Configuration Steps
1. Enable VDOM.
Choose System > Dashboard > Status. Locate the Virtual Domain value in the system information, as shown in the following figure:
Click Enable next to Virtual Domain. The system requires you to log in again. After you log in again, VDOM is enabled. See the following figure:
2. Add a VDOM.
Adding a VDOM is done in global configuration mode. After step 1, the system runs in global configuration mode by default. See the following figure:
Choose System > VDOM > VDOM. The default vdom root is displayed. Click Create New. Enter a VDOM name in the displayed Edit Virtual Domain dialog box, and then click OK.
If Operation Mode is set to Transparent, you also need to configure the management IP address and default gateway.
3. Add interfaces to the VDOM.
For the newly created VDOM, add interfaces to it. The interfaces can be physical or virtual.
Choose System > Network > Interface to edit the interfaces. The following figure shows that internal and wan1 are added to the VDOM:
4. Assign resources to the VDOM.
(Optional) Assign system resources to each VDOM, such as the session quantity and VPN channel quantity.
Choose System > VDOM > VDOM. Double-click vdom1, the VDOM to which resources should be assigned, as shown in the following figure:
The Resource Usage page is shown in the following figure. The value 0 indicates no restriction and no guarantee. Set the maximum value and guaranteed value of each item.
Maximum: The maximum amount of the device resources that can be used by a VDOM. For example, setting Maximum under Local Users to 10 indicates that up to 10 users can be created in this VDOM.
Guaranteed: The amount of the device resources that a VDOM can use at least. For example, setting Guaranteed under Local Users to 10 indicates that at least 10 users can be created in this VDOM.
5. Assign the administrator account to theVDOM.
Choose System > Admin > Administrators, and then click Create New, as shown in the following figure:
If an administrator does not have management authority over a VDOM, he/she cannot log in to the VDOM through the IP addresses of its interfaces. A super administrator has authority over all the VDOMs and can therefore log in to any VDOM.
In the displayed New Administrator page, fill in the information, and then choose vdom1 from the Virtual Domain drop-down list, as shown in the following figure:
Enter the VDOM.
At the bottom of the navigation bar, current VDOM options are added. Choose vdom1, the VDOM you want to log in to, so that you can configure its interfaces and firewall policies.
To add a new VDOM, choose System > VDOM > VDOM. Before that, switch to global configuration mode.
Command Notes
To configure a VDOM in the CLI, for example to configure the interface IP address and firewall policy of a VDOM or to enable the UTM logging function, enter the specific VDOM by running the edit command and then perform the configuration.
RG-WALL# config vdom
RG-WALL(vdom) # edit nattest    // "nattest" is a VDOM name.
current vf=nattest:3
RG-WALL(nattest) # config ips senso
To display the global running status, CPU and memory usage, or to perform global operations such as restarting the firewall system or restoring factory settings, run the corresponding commands in the global context:
RG-WALL# config global
RG-WALL(global) # get system performance status
CPU states: 0% user 0% system 0% nice 100% idle
Overview
As shown in the preceding figure, to enable communication between vdom1 (port1-port10) and vdom2 (port11-port20), use a network cable to connect one port of vdom1 to one port of vdom2. Another method is to set up a logical virtual link (Vlink) in the firewall to connect the two VDOMs. High-end firewalls support VDOM connection through the hardware NPU-Vlink.
Vlink Type
l Manually Configured Vlink
Choose System > Network > Interface. Click the button next to Create New, and then choose VDOM Link, as shown in the following figure:
In the displayed New VDOM Link page, add a Vlink. The Vlink consists of two interfaces. For example, if the Vlink is named vlink, the two interfaces of the link are vlink0 and vlink1.
Name: Any string used for identification.
Virtual Domain: The VDOM to which the Vlink interface belongs. It is meaningful only when the two interfaces belong to two different VDOMs.
After configuration, the two new network interfaces are displayed in the Interface page, as shown in the following figure:
l NPU Vlink (Preferred)
For the integrated npu0-vlink and npu1-vlink, each link has two interfaces, such as npu0-vlink0 and npu0-vlink1. You can add these two interfaces to different VDOMs to enable communication between the VDOMs.
The NP chip accelerates the NPU-Vlink, whereas a manually configured Vlink is processed by the CPU. Therefore, the NPU-Vlink should be used preferably. Only the high-end models support this function.
Networking Requirements
Using VDOMs, configure a firewall to work in hybrid mode. That is, some VDOMs work in NAT mode while others work in transparent mode, to meet the following requirements:
l Configure the firewall as two VDOMs. One is vdom1 in transparent mode; the other is vdom root in NAT mode.
l The transparent-mode VDOM is placed in series between the Internet egress router and the Intranet Web server. vdom1 is used to protect the server and to allow the Extranet and vdom root to access the Web server.
l The OA server at 100.1.1.2 should be mapped to the public network address 202.1.1.3 to enable public network access.
Network Topology
As shown in the preceding figure, the Vlink between VDOMs can be a manually configured Vlink, an NPU-Vlink or a physical connection (the latter two are preferred). The following takes a manually configured Vlink as an example.
Configuration Tips
l Enable VDOM.
l Add vdom1.
l Establish the Vlink.
l Add interfaces to vdom1.
l Configure vdom1.
l Configure vdom root.
Configuration Steps
1. Enable VDOM.
Choose System > Dashboard > Status. Locate the Virtual Domain value in the system information, as shown in the following figure:
Click Enable next to Virtual Domain. The system requires you to log in again. After you log in again, VDOM is enabled. See the following figure:
2. Add vdom1.
Choose System > VDOM > VDOM. The default vdom root is displayed. Click Create New. Enter the VDOM name vdom1 in the displayed Edit Virtual Domain dialog box, and choose Transparent as Operation Mode.
Set Management IP/Netmask and Default Gateway, and then click OK, as shown in the following figure:
3. Establish the Vlink.
Choose System > Network > Interface, and then click the button next to Create New. Choose VDOM Link, as shown in the following figure:
In the displayed New VDOM Link page, enter the Vlink name in the Name text box and set the VDOM and IP address of each Vlink interface, as shown in the following figure:
vlink1 is connected to vdom root and its IP address is set to 202.1.1.3.
If you cannot add a Vlink interface to vdom1 on the Web, you can run commands in the CLI. See the following:
RG-WALL# config system global
RG-WALL(global) # config sys int
RG-WALL(interface) # edit vlink0
RG-WALL(vlink0) # set vdom vdom1
Warning: "vdom1" is a Transparent Mode VDOM. VDOM link type for "vlink" must be changed from the default PPP to Ethernet so that NAT mode and transparent mode VDOMs can communicate.    // When the interface works in PPPoE mode, the system alerts you to change the interface mode to Ethernet mode so that you can add the interface to the VDOM.
By choosing to continue, type of VDOM link "vlink" will be changed from PPP to Ethernet.
Do you want to continue? (y/n)y
RG-WALL(vlink0) #
Choose System > Network > Interface to view the new Vlink interfaces, as shown in the following figure:
4. Add interfaces to the VDOMs.
1) Add interfaces to vdom1.
In global configuration mode, choose System > Network > Interface. Add the internal and wan1 interfaces to vdom1, as shown in the following figure:
2) Add interfaces to vdom root.
Add the wan2 interface to vdom root (by default, all the interfaces belong to vdom root).
5. Configure vdom1.
Choose vdom1 to enter vdom1.
1) Configure the server IP addresses.
Web server: the name is webserver202.1.1.2; the IP address is 202.1.1.2.
OA server: the name is OAserver100.1.1.2; the IP address is 202.1.1.3 (mapped to the public network IP address).
For the detailed configuration, see the section "Configuring Internet Access via a Static Link" in "Configuring Routing Mode".
2) Configure the policies.
a) Allow the Extranet to access webserver202.1.1.2.
b) Allow vdom root to access webserver202.1.1.2.
c) Allow vdom root to access the Internet.
d) Allow the Internet to access the mapped IP address 202.1.1.3 of the OA server in vdom root.
The policy configuration is displayed as follows:
6. Configure vdom root.
Choose root to enter vdom root.
1) Configure the virtual IP address.
Choose Firewall > Virtual IP > Virtual IP, and then click Create New. Add the Mapped IP Address of the OA server, as shown in the following figure:
Choose vlink1 from the External Interface drop-down list.
2) Configure a route.
Choose vlink1 from the Device drop-down list.
3) Configure the policies.
a) Allow the Extranet to access the OA server.
b) Allow the wan2 interface to access the Internet.
Verification
1. webserver202.1.1.2 and OAserver202.1.1.3 can be accessed normally from the Extranet.
2. In vdom root, Intranet users can access http://202.1.1.2 normally.
3. webserver202.1.1.2 can access OAserver202.1.1.3 normally.
The hardware and software versions must meet the following requirements:
1. The hardware models of the firewalls are the same.
2. The same model requires the same hardware version, memory capacity, CPU model, and hard disk capacity.
3. The software versions are the same.
4. None of the interfaces of the device may work in DHCP or PPPoE mode. For interfaces that are not used, set the IP address mode to Manual.
Election Rule
When firewalls form a cluster, one master must be elected; all other devices are slaves. Master election follows the rule shown in the following figure. If any hardware or link failure occurs, the master is re-elected. Firewalls compare the following factors in order to elect the master: valid-monitored port quantity, device runtime, HA priority, and device sequence number (SN).
Valid-Monitored Port Quantity
After the business ports to be monitored are configured, the firewall with the most valid monitored ports becomes the master. In general, when an HA cluster is set up, all the monitored ports are connected and work normally, so the number of monitored ports does not affect master election. When a monitored port or link fails, master election is re-performed by negotiation; when the faulty port or link recovers, re-negotiation is triggered again. For example, port 3 and port 4 are monitored ports on the master firewall. When port 3 goes down, its valid-monitored port quantity decreases. The number of valid interfaces on the slave device is unchanged, so the slave device becomes the primary device and continues running. If this happens on a slave, election restarts but the master is unchanged, because the number of monitored ports on the slave is smaller. Every time a port on a device fails, the master is re-elected.
RG-WALL# config system ha
RG-WALL(ha)# set monitor "port3" "port4"
RG-WALL(ha)# end
Link failover aims to keep the maximum number of valid ports. The device with the fewest failure points becomes the master device.
Device Runtime
The device with the longest runtime becomes the master. Runtime is the normal running time since the last device failure. After the device is restarted, the runtime is reset to 0. When the devices in a cluster start up at the same time, the runtime of each device is the same. When one monitored port on a firewall fails, its runtime is reset and its port count decreases. After the faulty monitored port is restored, although its monitored port quantity may be the same as that of the other firewalls, the firewall cannot become the master because of its runtime.
In most cases, the cluster reduces the election time by adjusting the age parameter, so that the cluster stays stable if transmission is interrupted during election.
The runtime is reset to 0 after a device is restarted or a port fails.
Startup Time Difference
Sometimes some firewalls in the cluster need more startup time than others. Different startup times can cause a series of problems. To reduce the influence of the time difference, the RG-WALL Cluster Protocol (RGCP) neglects a difference of up to 5 minutes by default. In most cases, RGCP helps users achieve their expected configuration more easily. In the following cases, the runtime difference leads to unexpected results:
1. When the firmware version is upgraded, uninterruptable-upgrade enable is run by default. The cluster re-elects the master after all the firewalls are upgraded. If the runtime difference caused by the upgrade is less than 5 minutes, it is neglected.
2. When link failover is tested repeatedly, a runtime difference between the devices in the cluster occurs. In general, failed devices re-join the cluster after failover, and their runtime is shorter than that of the other devices, so they are not elected as the master. If the runtime difference between a failed firewall that re-joins the cluster and the others is smaller than 5 minutes, the failed firewall may be elected as the new master.
Changing Runtime Difference
Use the following command to change the runtime difference:
RG-WALL# config system ha
RG-WALL(ha)# set ha-uptime-diff-margin 60
RG-WALL(ha)# end
The runtime difference is set to 60 seconds. The value ranges from 1 to 65535 seconds; the default is 300 seconds. You can reduce the runtime difference manually if you cannot wait for five minutes during a test, or when the firewall OS is upgraded without interruption. Increase the runtime difference when the startup time difference of the devices in the cluster increases.
HA Priority
With the same number of monitored ports and the same runtime, the device with the higher priority becomes the master. By default, the HA priority is 128. You can set the priority manually to make a device the preferred master. The priority is not synchronized between HA members, just like the device name. When a new device with a higher priority joins a cluster, it does not trigger negotiation until the cluster re-negotiates. You can modify the priority on the graphical interface or by running the following commands:
RG-WALL# config system ha
RG-WALL(ha)# set priority 200
RG-WALL(ha)# end
Use the execute ha manage command to change the priority of the slaves in a cluster. The master is re-elected after the priority change.
SN
Different devices have different SNs. When the devices in a cluster have the same number of valid interfaces, the same runtime, and the same HA priority, the SN determines the master: the device with the greatest SN becomes the master.
Override
During HA configuration, the override parameter affects master election.
RG-WALL# config system ha
RG-WALL(ha)# set override {disable | enable}
RG-WALL(ha)# end
The override parameter must be set in the CLI. The default value is disable.
After the override parameter is enabled, the method of master election changes: the priority parameter takes precedence over the runtime.
If a device has the highest priority with override enabled, it runs as the master as long as it has the same number of valid ports as the others. Because of this behaviour of the override parameter, device configuration may be lost through mis-operation. See the following example:
1. The priority of device A is 200 with the override parameter set to enable. The priority of device B is 100 with the override parameter set to disable.
2. Device A fails, and device B becomes the master.
3. Replace device A with a new one. Its HA priority is set to 200 and its override parameter is set to enable. No business configuration is set.
4. After all the lines of the new device are connected, power on the new device. Although the new device and device B have the same number of valid interfaces, the new device has the higher priority and therefore acts as the master.
5. The empty configuration file of the new device is synchronized to device B. The data of device B is lost.
Avoidance method: Check whether the override parameter is set to enable and check the priority parameter. Another method is not to connect the cable of any monitored port when the new device is added, which minimizes its number of valid ports.
When virtual cluster2 is enabled in the firewall, the override parameter is set to enable by default to facilitate control.
RG-WALL# config system ha
RG-WALL(ha)# set vcluster2 enable
config secondary-vcluster
set override disable    // The default is disable.
set vdom "ts"
end
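The election order described above (valid monitored ports, runtime with the uptime margin, HA priority, SN) and the override replacement pitfall, as an added Python model that is not Ruijie code. The rule that override enabled on either member moves priority ahead of runtime is an assumption drawn from the replacement example; member names, uptimes and serial numbers are constructed.

```python
from dataclasses import dataclass


@dataclass
class Member:
    """One HA cluster member as the election sees it (constructed model)."""
    name: str
    ports_up: int            # number of valid (up) monitored ports
    uptime: int              # runtime in seconds since the last restart or port failure
    priority: int = 128      # HA priority; 128 is the documented default
    serial: str = "SN-0"     # device sequence number, the final tie-breaker
    override: bool = False   # "set override enable" on this device


def compare(a: Member, b: Member, margin: int = 300) -> Member:
    """Return the member that wins a pairwise comparison.

    Order without override: ports_up, uptime, priority, serial.
    Order when override is enabled on either member: ports_up, priority,
    uptime, serial (assumption taken from the replacement example above).
    Uptime differences smaller than `margin` seconds, the
    ha-uptime-diff-margin (default 300), are neglected.
    """
    def by_ports():
        if a.ports_up != b.ports_up:
            return a if a.ports_up > b.ports_up else b
        return None

    def by_uptime():
        if abs(a.uptime - b.uptime) >= margin:
            return a if a.uptime > b.uptime else b
        return None

    def by_priority():
        if a.priority != b.priority:
            return a if a.priority > b.priority else b
        return None

    def by_serial():
        # The greatest SN wins; this rule always decides.
        return a if a.serial > b.serial else b

    if a.override or b.override:
        order = (by_ports, by_priority, by_uptime, by_serial)
    else:
        order = (by_ports, by_uptime, by_priority, by_serial)
    for rule in order:
        winner = rule()
        if winner is not None:
            return winner
    return a


def elect_master(members, margin=300):
    """Fold the pairwise comparison over the cluster to find the master."""
    master = members[0]
    for candidate in members[1:]:
        master = compare(master, candidate, margin)
    return master


def replacement_risk(new_device, cluster, margin=300):
    """The 'avoidance method' as a pre-check: would a freshly inserted device
    with an empty configuration win the election and have its null config
    synchronized over the running members? Returns (risky, reason)."""
    if elect_master(cluster + [new_device], margin) is not new_device:
        return False, f"{new_device.name} would join as a slave"
    reasons = []
    if new_device.override:
        reasons.append("override is enabled on the new device")
    if new_device.priority > max(m.priority for m in cluster):
        reasons.append("its priority is the highest in the cluster")
    if new_device.ports_up:
        reasons.append("its monitored ports are connected; keep them unplugged "
                       "until the configuration has been synchronized")
    return True, "; ".join(reasons) or "it wins on serial number"


if __name__ == "__main__":
    # The five-step scenario above: B is the running master, A is replaced.
    b = Member("B", ports_up=2, uptime=86400, priority=100, serial="SN-B")
    new_a = Member("A-new", ports_up=2, uptime=0, priority=200,
                   serial="SN-A", override=True)
    print("master:", elect_master([b, new_a]).name)      # A-new: B's config is overwritten
    print(replacement_risk(new_a, [b]))
    new_a.ports_up = 0                                   # monitored ports left unplugged
    print("master:", elect_master([b, new_a]).name)      # B keeps the role
```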
Network Topology
Hardware and software must meet the following requirements before you can configure HA:
1. The hardware models of the firewalls are the same.
2. The same hardware model requires the same hardware version, memory capacity, CPU model, and hard disk capacity.
3. The software versions are the same.
4. None of the interfaces of the device may work in DHCP or PPPoE mode. For interfaces that are not used, set the IP address mode to self-defined.
Configuration Steps
Step 1: Configure HA for device 1.
Step 2: Configure HA for device 2.
Step 3: Establish HA.
Step 4: Display HA cluster.
Configuration Tips
1. Before replacing a device in the HA environment, back up the configuration to prevent configuration loss caused by mis-operation.
2. It is recommended to configure more than two heartbeat cables to prevent an HA cluster breakdown caused by the failure of a single heartbeat cable. Use independent heartbeat interfaces to avoid mixing them with business ports.
3. Preferably use fiber interfaces.
4. Enable session synchronization. Run the session-pickup enable command or enable "session pickup" on the Web. (By default, session-pickup is set to disable.)
5. Use the override function with caution. After override is enabled, the HA priority takes precedence over the runtime during election. In this case, the device expected to be the slave may be elected as the master, so that the configuration is synchronized in the reverse direction.
6. Change the ID of the default HA group so that multiple HA clusters in one broadcast domain do not conflict, which avoids virtual MAC address conflicts of interfaces.
7. Choose proper monitored ports and heartbeat ports. When the virtual cluster in VDOM is enabled, each cluster should be configured independently.
8. If ping server is enabled, configure it by using the corresponding HA commands.
9. It is recommended to set the interface of the switch connected to the firewall to fastport mode. In the case of failover, the switch interface then changes to the forwarding state at once.
HA Basic Configuration
Use the following method to configure the two firewalls to run in HA mode:
1. Configure the master.
Choose System > Config > HA. Choose Active-Passive from the Mode drop-down list. Set Device Priority to 200 (the master priority is higher than that of the slave). Keep the default group name and password. Select Enable Session Pick-up. See the following figure:
HA interface configuration:
2. Port Monitor: the monitored ports in HA mode, which are the basis for HA switchover. In this case, wan1 (extranet port), wan2 (extranet port) and internal1 (intranet port) are monitored.
3. Heartbeat Port: Enable two heartbeat ports: internal13 and internal14.
The following describes the steps for basic HA configuration of the firewalls:
1) Define the working mode. Choose Active-Passive or Active-Active. In most networks, choose Active-Passive, which means that the master handles the service while the slave is in standby state. When the master fails or an interface link of the master fails, the slave continues handling the service.
2) Define the device priority. The device with the highest priority is preferably elected as the master.
3) Group name and password: Keep the default group name and password. If you change them, the two devices in one HA cluster must be configured with the same group name and password.
4) Enable session pick-up. Sessions are synchronized between the master firewall and the standby firewall in real time. In the case of a switchover, the standby firewall has the same session information, and the original sessions continue to be processed without interruption.
5) Define two heartbeat ports: internal6 and internal7. These two ports are used for special purposes such as session synchronization and detecting whether the peer is alive. To keep the cluster stable, it is recommended to configure two or more lines.
6) When multiple heartbeat lines exist, the heartbeat priority of the heartbeat port determines which line is preferably used for heartbeat synchronization. (The line connected to the port with the higher priority is preferred.)
7) Define monitored ports: internal1 and wan1. Business ports need to be monitored by the firewall. When a port fails, failover proceeds. The device with more valid monitored ports works as the master firewall for data processing.
8) Enter a new device name (optional), which facilitates identification and operation.
4. Configure the slave device.
Except for the priority (the priority of the slave device is lower than that of the master device), the other parameters are the same as those of device 1.
5. Establish HA.
1) Connect the heartbeat lines. The internal13 and internal14 ports of the master NGFW are connected to the internal13 and internal14 ports of the slave NGFW.
2) The firewalls begin negotiating HA cluster establishment. At this moment, the connection to the firewall is lost, because the MAC addresses of the firewall interfaces change during negotiation. You can run the arp -d command to update the ARP table of the PC and restore the connection.
3) Connect the links of the business ports.
4) After HA is established, the two firewalls synchronize their configuration, so both have the same configuration. Business settings such as IP addresses and policies are configured by accessing the master firewall; the new configuration is automatically synchronized.
After HA is established, access and management can only be done through the master device. To log in to the slave device for management, see section 4.6 "Out-of-Band Management of HA Cluster".
6. Display the HA cluster.
Choose System > Config > High Availability to display the HA establishment, as shown in the following figure:
The status panel on the home page also shows the group members, as shown in the following figure:
Overview
Since version 5.0, the NGFW supports synchronizing configuration and sessions between standalone devices. In some application scenarios, this can replace the HA function of a two-device cluster to handle asymmetric traffic.
Network Topology
1. In the network topology, the OSPF routing protocol is enabled between router1 and router2 and between SW1 and SW2.
2. NGFW1 and NGFW2 access the network transparently (TP mode, with VDOM enabled).
3. Asymmetric traffic exists in the communication between the client and the server. Here, internal4 is the HA heartbeat interface for synchronizing configuration. internal3 is used to synchronize sessions and must be configured with an interconnection IP address.
NGFW1
internal1: 192.168.1.21/24
internal3: 10.1.1.1/24
NGFW2
internal1: 192.168.1.22/24
internal3: 10.1.1.2/24
Configuration Steps
Step 1: Configure synchronization of the NGFW configuration in HA mode.
Step 2: On NGFW1, create a VDOM to divide the interfaces and configure policies. (The configuration is automatically synchronized to NGFW2.)
Step 3: Enable session pickup.
Step 4: Enable session synchronization.
Step 5: Verification.
Step 6: Notes.
Basic Configuration
Use the following method to configure the two firewalls to run in HA mode:
Step 1: Configure the IP addresses of the two firewalls respectively and enable configuration synchronization.
NGFW1
RG-WALL# config system interface
RG-WALL(interface) # edit internal1
RG-WALL(internal1) # set ip 192.168.1.21 255.255.255.0    // Set the management interface and IP address.
RG-WALL(internal1) # set allowaccess ping https ssh snmp http telnet
RG-WALL(internal1) # next
RG-WALL(interface) # edit internal3
RG-WALL(internal3) # set ip 10.1.1.1 255.255.255.0
RG-WALL(internal3) # set allowaccess ping https ssh http telnet
RG-WALL(internal3) # next
RG-WALL(interface) # end
RG-WALL# config system ha
RG-WALL(ha) # set hbdev internal4 0    // Set the internal4 interface, which is used for configuration synchronization.
RG-WALL(ha) # set standalone-config-sync enable
RG-WALL(ha) # set priority 200    // Set the priority.
RG-WALL(ha) # end
NGFW2
RG-WALL# config system interface
RG-WALL(interface) # edit internal1
RG-WALL(internal1) # set ip 192.168.1.22 255.255.255.0
RG-WALL(internal1) # set allowaccess ping https ssh snmp http telnet
RG-WALL(internal1) # next
RG-WALL(interface) # edit internal3    // Configure the IP address of the internal3 interface, which is used to synchronize sessions.
RG-WALL(internal3) # set ip 10.1.1.2 255.255.255.0
RG-WALL(internal3) # set allowaccess ping https ssh http telnet fgfm
RG-WALL(internal3) # next
RG-WALL(interface) # end
RG-WALL# config system ha
RG-WALL(ha) # set hbdev internal4 0    // Configure internal4, which is used for configuration synchronization.
RG-WALL(ha) # set standalone-config-sync enable
RG-WALL(ha) # set priority 100    // Set the priority.
RG-WALL(ha) # end
The configuration of NGFW1 is then synchronized to NGFW2.
Step 2: On the web interface, add a VDOM in transparent mode to NGFW1 and configure the policies. (The configuration is synchronized to NGFW2.)
1. Add a VDOM in transparent mode.
2. Add wan1 and internal2 to VDOM tp.
3. Set the policy to allow the client to access the server.
Step 3: Enable session pickup on NGFW1. (Configured in the CLI)
NGFW1
RG-WALL# config global
RG-WALL(global)# config system ha
RG-WALL(ha)# set session-sync-dev internal3
RG-WALL(ha)# set session-pickup enable
RG-WALL(ha)# set session-pickup-connectionless enable
RG-WALL(ha)# set session-pickup-expectation enable
RG-WALL(ha)# set session-pickup-nat enable
RG-WALL(ha)# end
Step 4: Enable session synchronization on both NGFWs. (Configured in the CLI)
NGFW1
RG-WALL#config global
RG-WALL(global)#config system session-sync
RG-WALL(session-sync)#edit 1
RG-WALL(1) # set peerip 10.1.1.2
RG-WALL(1) # set syncvd tp
RG-WALL(1) # next
RG-WALL(session-sync)#end
NGFW2
RG-WALL#config global
RG-WALL(global)#config system session-sync
RG-WALL(session-sync)#edit 1
RG-WALL(1) # set peerip 10.1.1.1
RG-WALL(1) # set syncvd tp
RG-WALL(1) # next
RG-WALL(session-sync)#end
Verification
After configuration synchronization is enabled, run dia sys ha status to display the synchronization status. Run dia sys ha showcsum to compare the details of configuration synchronization.
NGFW1
RG-WALL#config global
RG-WALL(global)# dia sys ha showcsum
is_manage_master()=1, is_root_master()=1
debugzone
global: 8e fe 7b be 34 43 5e cc 3e 0c 6b 31 02 f9 d5 d1
tp: 9f 05 b8 6e f2 12 e8 f7 a1 58 9b b0 ad 60 1b 09
root: 45 73 10 c7 19 9d a2 8f d9 20 71 6c 98 48 e4 30
all: 26 60 34 e7 7d 0e 6e 1f cc 73 96 c4 1b 17 ee 53
checksum
global: 8e fe 7b be 34 43 5e cc 3e 0c 6b 31 02 f9 d5 d1
tp: 9f 05 b8 6e f2 12 e8 f7 a1 58 9b b0 ad 60 1b 09
root: 45 73 10 c7 19 9d a2 8f d9 20 71 6c 98 48 e4 30
all: 26 60 34 e7 7d 0e 6e 1f cc 73 96 c4 1b 17 ee 53
NGFW2
RG-WALL#config global
RG-WALL(global)# dia sys ha showcsum
is_manage_master()=1, is_root_master()=1
debugzone
global: 8e fe 7b be 34 43 5e cc 3e 0c 6b 31 02 f9 d5 d1
tp: 9f 05 b8 6e f2 12 e8 f7 a1 58 9b b0 ad 60 1b 09
root: 45 73 10 c7 19 9d a2 8f d9 20 71 6c 98 48 e4 30
all: 26 60 34 e7 7d 0e 6e 1f cc 73 96 c4 1b 17 ee 53
checksum
global: 8e fe 7b be 34 43 5e cc 3e 0c 6b 31 02 f9 d5 d1
tp: 9f 05 b8 6e f2 12 e8 f7 a1 58 9b b0 ad 60 1b 09
root: 45 73 10 c7 19 9d a2 8f d9 20 71 6c 98 48 e4 30
all: 26 60 34 e7 7d 0e 6e 1f cc 73 96 c4 1b 17 ee 53
In the preceding command output, identical checksums on both devices indicate that the configuration is synchronized.
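Comparing the two showcsum outputs by eye is error-prone, especially when the hex bytes are copied from a terminal with irregular spacing. The following Python helper is an added example and not part of the Ruijie cookbook: it parses the checksum block of each member's output, normalizes the hex spacing, and reports which sections (global, each VDOM, all) differ. The two sample outputs are constructed from the values shown above; the third has altered tp and all values to show a mismatch.

```python
"""Compare `dia sys ha showcsum` output of two HA members.

Added example, not from the Ruijie cookbook. It parses the 'checksum'
block of each member's output and reports the sections (global, each VDOM,
all) whose checksums differ. Hex spacing in copied terminal output is
unreliable, so whitespace inside a checksum is discarded before comparing.
"""
import re
from typing import Dict, List

CSUM_LINE = re.compile(r"^(\S+):\s*([0-9a-fA-F][0-9a-fA-F ]*)$")


def parse_showcsum(output: str) -> Dict[str, str]:
    """Return {section: normalized_hex} taken from the 'checksum' block only."""
    checksums: Dict[str, str] = {}
    in_checksum_block = False
    for raw in output.splitlines():
        line = raw.strip()
        if line == "checksum":
            in_checksum_block = True
            continue
        if line == "debugzone":          # the debugzone block precedes 'checksum'
            in_checksum_block = False
            continue
        if not in_checksum_block:
            continue
        m = CSUM_LINE.match(line)
        if m:
            checksums[m.group(1)] = re.sub(r"\s+", "", m.group(2)).lower()
    return checksums


def compare_members(out_a: str, out_b: str) -> Dict[str, bool]:
    """Per section, True when both members report the same checksum."""
    a, b = parse_showcsum(out_a), parse_showcsum(out_b)
    return {name: a.get(name) == b.get(name) for name in sorted(set(a) | set(b))}


def out_of_sync(out_a: str, out_b: str) -> List[str]:
    """Names of the sections that differ; an empty list means in sync."""
    return [name for name, same in compare_members(out_a, out_b).items() if not same]


# Constructed sample: NGFW1 copied with the irregular byte spacing seen above.
NGFW1 = """RG-WALL(global)# dia sys ha showcsum
is_manage_master()=1, is_root_master()=1
debugzone
global: 8efe 7b be 34 43 5e cc 3e 0c6b 31 02 f9 d5 d1
tp: 9f05 b8 6e f2 12 e8 f7 a1 58 9b b0 ad 60 1b 09
root: 4573 10 c7 19 9d a2 8fd9 20 71 6c98 48 e4 30
all: 26 6034 e7 7d 0e 6e 1fcc 73 96 c4 1b 17 ee 53
checksum
global: 8efe 7b be 34 43 5e cc 3e 0c6b 31 02 f9 d5 d1
tp: 9f05 b8 6e f2 12 e8 f7 a1 58 9b b0 ad 60 1b 09
root: 4573 10 c7 19 9d a2 8fd9 20 71 6c98 48 e4 30
all: 26 6034 e7 7d 0e 6e 1fcc 73 96 c4 1b 17 ee 53
"""

# Constructed sample: NGFW2 with the same values and regular byte spacing.
NGFW2 = """RG-WALL(global)# dia sys ha showcsum
is_manage_master()=1, is_root_master()=1
debugzone
global: 8e fe 7b be 34 43 5e cc 3e 0c 6b 31 02 f9 d5 d1
tp: 9f 05 b8 6e f2 12 e8 f7 a1 58 9b b0 ad 60 1b 09
root: 45 73 10 c7 19 9d a2 8f d9 20 71 6c 98 48 e4 30
all: 26 60 34 e7 7d 0e 6e 1f cc 73 96 c4 1b 17 ee 53
checksum
global: 8e fe 7b be 34 43 5e cc 3e 0c 6b 31 02 f9 d5 d1
tp: 9f 05 b8 6e f2 12 e8 f7 a1 58 9b b0 ad 60 1b 09
root: 45 73 10 c7 19 9d a2 8f d9 20 71 6c 98 48 e4 30
all: 26 60 34 e7 7d 0e 6e 1f cc 73 96 c4 1b 17 ee 53
"""

# Constructed drift: the tp VDOM (and therefore 'all') no longer match.
NGFW2_DRIFT = NGFW2.replace("tp: 9f 05", "tp: 00 05").replace("all: 26 60", "all: ff 60")

if __name__ == "__main__":
    print("in sync:", out_of_sync(NGFW1, NGFW2))          # []
    print("drifted:", out_of_sync(NGFW1, NGFW2_DRIFT))    # ['all', 'tp']
```

Only the checksum block is compared; the debugzone block is skipped because it is diagnostic output, not the value the devices use to decide synchronization state. A non-empty result names the VDOM whose configuration to inspect first.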
View session status.
NGFW1
RG-WALL#config vdom
RG-WALL(vdom)#edit tp
RG-WALL(tp)# di sys session list
session info: proto=6 proto_state=01 duration=5 expire=3595 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=may_dirty br npu synced
statistic(bytes/packets/allow_err): org=92/2/1 reply=0/0/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=15->16/16->15 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 192.168.1.11:1493->10.30.1.3:23(0.0.0.0:0)
hook=post dir=reply act=noop 10.30.1.3:23->192.168.1.11:1493(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=3
serial=0001572b tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0
npu_state=00000000
npu info: flag=0x81/0x00, offload=4/0, ips_offload=0/0, epid=11/0, ipid=10/0, vlan=0/0
NGFW2
RG-WALL#config vdom
RG-WALL(vdom)#edit tp
RG-WALL(tp)# dia sys session list
session info: proto=6 proto_state=01 duration=23 expire=3576 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=may_dirty br npu
statistic(bytes/packets/allow_err): org=0/0/0 reply=104/2/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=15->16/16->15 gwy=0.0.0.0/0.0.0.0
hook=pre dir=org act=noop 192.168.1.11:1493->10.30.1.3:23(0.0.0.0:0)
hook=post dir=reply act=noop 10.30.1.3:23->192.168.1.11:1493(0.0.0.0:0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=3
serial=0001572b tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0
npu_state=00000000
npu info: flag=0x00/0x81, offload=0/4, ips_offload=0/0, epid=0/10, ipid=0/11, vlan=0/0
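The two session lists above show the same Telnet session on both members, with the owner's copy marked synced. On a busy cluster the lists are long, so the check is better done programmatically. The following Python helper is an added example, not Ruijie code: it splits dia sys session list output into records, keys each session by its original-direction 5-tuple plus policy ID, and reports sessions that exist on one member but not on its peer, as well as sessions the owner has not yet marked synced. The sample outputs are constructed in the shape shown above; a second session on NGFW1 (192.168.1.12:40000 to 10.30.1.3:80) is invented to show how a gap is reported.

```python
"""Verify session synchronization from `dia sys session list` output.

Added example, not from the Ruijie cookbook. A session is identified by
(proto, src, sport, dst, dport, policy_id) taken from the 'hook=pre dir=org'
line and the 'policy_id=' field; the 'state=' flags are kept to see whether
the owning unit has marked the session as synced.
"""
import re
from typing import Dict, List, Set, Tuple

SessionKey = Tuple[int, str, int, str, int, int]

HOOK_RE = re.compile(
    r"hook=pre\s+dir=org\s+act=\w+\s+"
    r"(\d+\.\d+\.\d+\.\d+):(\d+)->(\d+\.\d+\.\d+\.\d+):(\d+)"
)


def split_sessions(output: str) -> List[str]:
    """One text chunk per 'session info:' record; leading prompt lines are dropped."""
    chunks: List[str] = []
    current: List[str] = []
    for line in output.splitlines():
        if line.lstrip().startswith("session info:"):
            if current:
                chunks.append("\n".join(current))
            current = [line]
        elif current:
            current.append(line)
    if current:
        chunks.append("\n".join(current))
    return chunks


def parse_session(chunk: str) -> Dict[str, object]:
    proto = int(re.search(r"\bproto=(\d+)", chunk).group(1))
    # (?<!\w) keeps 'id_policy_id=' from matching; (?<!_) skips proto_state/npu_state.
    policy_id = int(re.search(r"(?<!\w)policy_id=(\d+)", chunk).group(1))
    state: Set[str] = set(re.search(r"(?<!_)state=([\w ]+)", chunk).group(1).split())
    src, sport, dst, dport = HOOK_RE.search(chunk).groups()
    return {"key": (proto, src, int(sport), dst, int(dport), policy_id), "state": state}


def sessions_by_key(output: str) -> Dict[SessionKey, Dict[str, object]]:
    return {s["key"]: s for s in (parse_session(c) for c in split_sessions(output))}


def missing_on_peer(owner_out: str, peer_out: str) -> List[SessionKey]:
    """Sessions present on the owner that the peer has not received."""
    owner, peer = sessions_by_key(owner_out), sessions_by_key(peer_out)
    return sorted(k for k in owner if k not in peer)


def not_marked_synced(owner_out: str) -> List[SessionKey]:
    """Sessions whose state flags lack 'synced' on the owning unit."""
    return sorted(k for k, s in sessions_by_key(owner_out).items()
                  if "synced" not in s["state"])


# Constructed sample outputs (abridged to the fields this check needs).
NGFW1_OUT = """RG-WALL(tp)# di sys session list
session info: proto=6 proto_state=01 duration=5 expire=3595 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
ha_id=0 policy_dir=0 tunnel=/
state=may_dirty br npu synced
hook=pre dir=org act=noop 192.168.1.11:1493->10.30.1.3:23(0.0.0.0:0)
hook=post dir=reply act=noop 10.30.1.3:23->192.168.1.11:1493(0.0.0.0:0)
misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=3
session info: proto=6 proto_state=01 duration=1 expire=3599 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
ha_id=0 policy_dir=0 tunnel=/
state=may_dirty br npu
hook=pre dir=org act=noop 192.168.1.12:40000->10.30.1.3:80(0.0.0.0:0)
hook=post dir=reply act=noop 10.30.1.3:80->192.168.1.12:40000(0.0.0.0:0)
misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=3
total session 2
"""

NGFW2_OUT = """RG-WALL(tp)# dia sys session list
session info: proto=6 proto_state=01 duration=23 expire=3576 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
ha_id=0 policy_dir=0 tunnel=/
state=may_dirty br npu
hook=pre dir=org act=noop 192.168.1.11:1493->10.30.1.3:23(0.0.0.0:0)
hook=post dir=reply act=noop 10.30.1.3:23->192.168.1.11:1493(0.0.0.0:0)
misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=3
total session 1
"""

if __name__ == "__main__":
    print("missing on NGFW2:", missing_on_peer(NGFW1_OUT, NGFW2_OUT))
    print("not yet synced:", not_marked_synced(NGFW1_OUT))
```

A session that is missing on the peer and also not marked synced is usually just young (session-pickup-delay, if enabled, postpones synchronization for 30 seconds); one that is marked synced yet absent on the peer points at the session-sync link or the syncvd list.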
NGFW1
RG-WALL#config vdom
RG-WALL(vdom)#edit tp
RG-WALL(tp)# dia sni packet any 'port 23' 4
interfaces=[any]
filters=[port 23]
24.976627 wan1 in 192.168.1.11.2323 -> 10.30.1.3.23: syn 408581540
24.976641 internal2 out 192.168.1.11.2323 -> 10.30.1.3.23: syn 408581540
24.987196 wan1 in 192.168.1.11.2323 -> 10.30.1.3.23: ack 129336467
24.987205 internal2 out 192.168.1.11.2323 -> 10.30.1.3.23: ack 129336467
29.252381 wan1 in 192.168.1.11.2323 -> 10.30.1.3.23: fin 408581616 ack 129336688
29.252386 internal2 out 192.168.1.11.2323 -> 10.30.1.3.23: fin 408581616 ack 129336688
NGFW2
RG-WALL#config vdom
RG-WALL(vdom)#edit tp
RG-WALL(tp)# dia sni packet any 'port 23' 4
interfaces=[any]
filters=[port 23]
9.044384 internal2 in 10.30.1.3.23 -> 192.168.1.11.2323: syn 129336466 ack 408581541
9.044396 wan1 out 10.30.1.3.23 -> 192.168.1.11.2323: syn 129336466 ack 408581541
9.049790 internal2 in 10.30.1.3.23 -> 192.168.1.11.2323: psh 129336467 ack 408581541
9.049800 wan1 out 10.30.1.3.23 -> 192.168.1.11.2323: psh 129336467 ack 408581541
13.309659 internal2 in 10.30.1.3.23 -> 192.168.1.11.2323: fin 129336687 ack 408581616
13.309665 wan1 out 10.30.1.3.23 -> 192.168.1.11.2323: fin 129336687 ack 408581616
Notes
1. MAC Address Timeout (critical)
By default, the MAC address timeout of the NGFW is 300 seconds. If the upstream and downstream devices of the NGFW do not send new ARP messages that refresh the NGFW's MAC table within 300 seconds, the entries time out and forwarded traffic is interrupted.
a) Solution 1: Bind the MAC addresses of the upstream and downstream interfaces of the NGFW.
NGFW1 (global)# dia netlink brctl name host tp.b
show bridge control interface tp.b host.
fdb: size=2048, used=9, num=9, depth=1
Bridge tp.b host table
port no device devname mac addr ttl attributes
1 15 wan1 0a:9e:01:b3:dc:0a 0 Static Hit(254423)
2 16 internal2 00:1b:8f:61:08:c3 0 Static Hit(423913)
RG-WALL #config vdom
RG-WALL(vdom) # edit tp
RG-WALL(tp)#config system mac-address-table //Note: Enter print cliovrd enable and press Enter, then log out and log in again before running the following commands.
RG-WALL(mac-address-table) # edit 0a:9e:01:b3:dc:0a
RG-WALL (0a:9e:01:b3:dc:0a)#set interface wan1
RG-WALL (0a:9e:01:b3:dc:0a)#next
RG-WALL(mac-address-table) #edit 00:1b:8f:61:08:c3
RG-WALL(00:1b:8f:61:08:c3)#set interface internal2
RG-WALL(00:1b:8f:61:08:c3)#next
RG-WALL(mac-address-table) #end
b) Solution 2: Set the MAC address timeout of the NGFW to the maximum value (100 days).
RG-WALL #config vdom
RG-WALL(vdom) # edit tp
RG-WALL(tp)#config system settings
RG-WALL(settings)#set mac-ttl 8640000
RG-WALL(settings)#end
Disable anti-replay.
RG-WALL#config system global
RG-WALL(global) #set anti-replay disable
RG-WALL(global) #end
2. The following configuration can be synchronized between two NGFWs:
1) router
access-list
as-path
community-list
prefix-list
route-map
bgp(*exclude* neighbor, router-id, as)
2) firewall
address
addgrp
interface-policy
policy
service custom
service group
shaper
schedule
vip
vipgrp
3) log
all items
4) system
accprofile
admin
console
global
ha
ntp
settings(*exclude* ip/gateway/manageip)
zone
[interface] --*name (16)
|- vdom (12)
|- vlanid (0,0)
|- interface (16)
|- type
Overview
The ping server function prevents "feigned death" of ports: the link status is up, but the link does not actually carry traffic. The firewall sends ping packets and decides whether the port's link is usable according to the response from the peer device.
Choose System > Router > Static > Settings > Dead Gateway Detection, as shown in the following figure:
Click Create New. Set ping server detection as shown in the following figure:
Interface: The interface to be monitored. Here, choose wan1.
Interface IP: The IP address of the interface, used as the source IP address of the detection packets.
Ping Server: Enter the IP address of the server to be probed. In general, this is the IP address of the next-hop gateway.
Detect Protocol: Options are ICMP Ping, TCP echo, and UDP echo.
Ping Interval (seconds): Enter 5. One detection packet is sent every five seconds.
Failover Threshold: If detection fails five times, the interface is considered unusable.
HA Priority: Set it to 1. After interface detection fails, the variable (initial value 0) that the HA protocol uses to decide HA switchover increases by 1.
Configuration commands:
config router gwdetect
    edit "wan1"               //Specifies the monitored interface.
        set failtime 3        //If three detection packets are lost consecutively, the interface is considered failed.
        set ha-priority 5     //After ping detection of the interface fails, the HA association parameter value increases by 5.
        set interval 2        //Send one ping packet every two seconds.
        set server 202.1.1.5  //More than two probed gateways can be configured. As long as one gateway responds, the interface is considered to work normally.
    end
Related HA Configuration
If only the preceding configuration is done, HA switchover is not carried out when ping detection fails; only the route through this interface becomes invalid. The HA configuration must additionally tell the firewall that ping server detection on the wan1 interface is a condition for triggering HA switchover.
RG-WALL #config system ha
RG-WALL (ha)#set pingserver-monitor-interface wan2 //Set ping server monitoring of the wan2 interface.
RG-WALL (ha)#set pingserver-failover-threshold 0 //The threshold for HA switchover. By default, the value is 0.
RG-WALL (ha)#set pingserver-flip-timeout 60 //The minimum interval between two consecutive HA switchovers triggered by the ping server.
Related HA Configuration
The command set ha-priority 1 works together with pingserver-failover-threshold 0. When ping server detection of the wan1 interface fails, the value compared against pingserver-failover-threshold increases by 1, which exceeds the threshold (0), and HA switchover is triggered.
With pingserver-failover-threshold 2, even if ping server detection of the wan1 interface fails, the value contributed by set ha-priority 1 is smaller than the threshold 2; the threshold is not reached and HA switchover is not triggered.
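The interplay of ha-priority, pingserver-failover-threshold and pingserver-flip-timeout is easier to reason about as a small state machine. The following Python model is an added example, not Ruijie code: it treats the rule above as "sum the ha-priority values of the monitored interfaces whose ping server detection has failed, and switch over when that sum exceeds pingserver-failover-threshold" (so 1 exceeds 0, while 1 does not exceed 2), and treats pingserver-flip-timeout as the minimum number of minutes between two consecutive ping-server-triggered switchovers. The interface names and priority values are constructed sample inputs.

```python
"""Decision model for ping-server driven HA switchover.

Added example, not from the Ruijie cookbook. Models the cluster's decision
as described in the text: accumulated ha-priority of failed monitored
interfaces must exceed pingserver-failover-threshold, and a second
switchover within pingserver-flip-timeout minutes is suppressed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class PingServerFailover:
    # interface -> value of 'set ha-priority' under 'config router gwdetect'
    ha_priority: Dict[str, int]
    failover_threshold: int = 0        # set pingserver-failover-threshold
    flip_timeout_min: int = 60         # set pingserver-flip-timeout
    failed: Set[str] = field(default_factory=set)
    last_flip_min: Optional[float] = None

    def accumulated_priority(self) -> int:
        """Sum of ha-priority over interfaces whose detection currently fails."""
        return sum(self.ha_priority.get(i, 0) for i in self.failed)

    def threshold_exceeded(self) -> bool:
        return self.accumulated_priority() > self.failover_threshold

    def detection_failed(self, interface: str, now_min: float) -> bool:
        """Record a failed ping-server detection on the current master.

        Returns True when an HA switchover is triggered at this moment.
        After a switchover the new master starts with an empty failure set.
        """
        self.failed.add(interface)
        if not self.threshold_exceeded():
            return False
        if (self.last_flip_min is not None
                and now_min - self.last_flip_min < self.flip_timeout_min):
            return False                 # suppressed by pingserver-flip-timeout
        self.last_flip_min = now_min
        self.failed.clear()
        return True

    def detection_recovered(self, interface: str) -> None:
        """The ping server answered again; the interface no longer counts."""
        self.failed.discard(interface)


if __name__ == "__main__":
    # ha-priority 1 against threshold 0: the first failure triggers switchover.
    single = PingServerFailover({"wan1": 1}, failover_threshold=0)
    print("threshold 0:", single.detection_failed("wan1", now_min=0.0))     # True
    # ha-priority 1 against threshold 2: no switchover.
    strict = PingServerFailover({"wan1": 1}, failover_threshold=2)
    print("threshold 2:", strict.detection_failed("wan1", now_min=0.0))     # False
```

Two monitored interfaces with different priorities let one link's loss be tolerated while the loss of both (or of the more important one) switches over; the flip timeout then keeps a flapping gateway from bouncing the cluster back and forth every few seconds.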
Management Requirements
In an HA cluster, the configuration of all cluster members is the same. The master device can be managed only through its IP address, and the slave devices cannot be managed separately through their own IP addresses. To ensure business security, the management network should be separated from the business network. To achieve this, configure a dedicated out-of-band management interface for HA. This configuration is not synchronized.
Network Topology
Configuration Tips
1. Basic configuration.
2. Configure the reserved management port.
3. Configure the IP address for the out-of-band management port.
4. Configure the gateway for the out-of-band management port.
5. Configure SNMP.
Configuration Steps
1. Basic configuration.
Complete the HA basic configuration according to the section “Basic Configuration” in this chapter.
2. Configure the reserved management port.
Choose System > Config > HA. Select Reserve Management Port for Cluster Member. Choose an interface as the independent management interface. Here, choose internal5. See the following figure:
3. Configure the IP address for the out-of-band management port.
1) Configure the IP address for the out-of-band management port on the master device.
Choose System > Network > Interface > internal5, as shown in the following figure:
Configure the IP address of internal5. Set Administrative Access.
2) Configure the management IP address for the slave device.
Before HA is established, set the internal5 interface of the slave device as the management interface through the web interface. Once HA has been established and is running, the slave device cannot initially be managed through the web interface.
You can set the IP address of the internal5 interface of the slave device as the out-of-band management address by using the following methods:
A. Manage the slave device from the master device.
Run the following command on the master device to enter the slave device.
RG-WALL #exec ha manage ?
<id> please input peer box index.
<1> xxxxxxxx SN
RG-WALL # exec ha manage 1 //Jump to the slave device.
Run the following command to set the IPaddress of internal5 interface.
RG-WALL#config system interface
RG-WALL(interface)#edit internal5
RG-WALL(internal5)#set ip 172.16.0.2/24
RG-WALL(internal5)#set allowaccess https ping snmp
RG-WALL(internal5)#end
B. The slave device can also be managedthrough the console interface.
Run the following command to set the IPaddress of internal5 interface.
RG-WALL#config system interface
RG-WALL(interface)#edit internal5
RG-WALL(internal5)#set ip 172.16.0.2/24
RG-WALL(internal5)#set allowaccess https ping snmp
RG-WALL(internal5)#end
4. Configure the gateway for the out-of-band management port.
Run the following commands on both firewalls:
RG-WALL#config system ha
RG-WALL(ha)#set ha-mgmt-interface-gateway 172.16.0.254
RG-WALL(ha)#end
5. Configure SNMP.
RG-WALL#configsystem snmp community
RG-WALL(community)#edit 1
RG-WALL(1)#config hosts
RG-WALL(hosts)#edit 1
RG-WALL(1)#set ha-direct enable //This command is used to access the independent management port only.
RG-WALL(1)#set ip 10.0.0.100 255.255.255.255
RG-WALL(1)#next
RG-WALL(hosts)#end
RG-WALL(community)#set name readfornm
RG-WALL(community)#next
Verification
Perform HTTPS management and SNMP monitoring of the two devices through the independent management interface.
Use the config system ha command to enter HA configuration mode. The following lists common configuration commands:
1) set group-id ID
This command configures the group ID of an HA cluster. The members in one cluster must have the same group ID. The group ID is a component of the virtual MAC address of the firewall interfaces. When one broadcast domain contains more than two HA clusters, their group IDs should be different to prevent MAC address conflicts.
2) set group-name "Ruijie-HA"
The members in one cluster must have the same group name.
3) set mode standalone/a-a/a-p
In HA, generally set it to a-p. In A-A mode, the HA roles still consist of master and slave devices. Although this is usually regarded as active-active operation, and both master and slave devices process traffic, one device acts as the master to control and assign traffic and sessions to the other devices in the cluster. In A-A mode, by default, only UTM traffic is balanced. Therefore, when the UTM function is not used, A-P mode is recommended.
4) set password
The members in one cluster must have the same password.
5) set hbdev port_number priority
Use this command to configure the heartbeat interface. The port with the higher priority is used preferentially.
6) unset session-sync-dev
You can configure a dedicated heartbeat interface for synchronizing session information. By default, the heartbeat interface for synchronizing session information and the heartbeat interface for synchronizing control information are the same.
7) set route-ttl time
This sets the lifetime of the route forwarding table. Between HA devices, only the forwarding table is synchronized, not the routing table. After a slave device is elected master, the lifetime of the original forwarding table is set to 10 seconds by default; afterwards the forwarding table is regenerated by the static or dynamic routing protocols and the device continues working.
8) set route-wait time
Use this command to set the waiting time before the master device synchronizes a newly received routing entry to the slaves.
9) set route-hold time
Use this command to set the routing synchronization interval of the master device, to avoid repeated route updates caused by route flapping.
10) set sync-config enable
Use this command to enable automatic synchronization of configuration files.
11) set encryption {enable | disable}
Use this command to enable or disable AES-128 and SHA1 for encrypting and verifying heartbeat information.
12) set authentication {enable | disable}
Use this command to enable or disable the SHA1 algorithm for verifying heartbeat information.
13) set hb-interval time
Use this command to set the interval at which heartbeat packets are sent, in units of 100 ms. If the interval is set to 2, one heartbeat message is sent every 200 ms.
14) set hb-lost-threshold number
Use this command to set the threshold for heartbeat packet loss. If six heartbeat messages are lost consecutively, the peer device is considered dead.
15) set helo-holddown number
Use this command to set the hello hold-down time. It is the waiting time before a device joins an HA cluster, to prevent repeated HA negotiation caused by member discovery failures.
16) set arps number
Use this command to configure the number of gratuitous ARP updates. After a device becomes the master, it sends gratuitous ARP packets to announce its MAC address, so that the connected switches can update their MAC address tables in time.
17) set arps-interval time
Use this command to set the interval at which gratuitous ARP packets are sent, in seconds.
18) set session-pickup {enable | disable}
Use this command to enable or disable session synchronization. The default is disable. Generally, it is set to enable.
19) set session-pickup-delay {enable | disable}
Use this command to synchronize only the sessions that have been alive for more than 30 seconds. After it is set to enable, performance is improved, but sessions that have been alive for less than 30 seconds are lost during HA failover. By default, it is set to disable. Use this command with caution.
20) set link-failed-signal disable
Use this command to shut down all interfaces except the heartbeat interface for one second when HA failover is triggered by a port failure, so that the connected switches can update their MAC address tables in time.
21) set uninterruptable-upgrade enable
Use this command to enable uninterrupted OS upgrade. The system upgrades the devices in the cluster automatically and the devices switch over automatically without business interruption.
22) set ha-uptime-diff-margin time
Use this command to set the startup time difference that is ignored. During HA master election, startup time is one factor. When the startup time difference between two devices is less than 300, it is ignored.
23) set override disable
By default, it is set to disable. During HA election, elements are compared in the following order: valid interface quantity > runtime > HA priority > device SN. When it is set to enable, the order changes to: valid interface quantity > HA priority > runtime > device SN, and every time a device joins or leaves the cluster, the entire cluster is forced to re-elect the master device.
24) set priority number
Use this command to set the HA priority to facilitate management. It is recommended to set the HA priority of the master device to 200 and that of the slave devices to 100.
25) set monitor port_number
Use this command to configure the ports to be monitored. The device with the largest number of valid ports becomes the master device.
26) unset pingserver-monitor-interface
Use this command to unset the pingserver monitored port.
27) set pingserver-failover-threshold 0
Use this command to set the failover threshold for the pingserver. If the threshold is 0, any pingserver failure triggers HA failover.
28) set pingserver-flip-timeout time
Use this command to set the failover interval for the pingserver. If A fails, the pingserver switches over to B. If B also fails, it waits for 60 minutes before switching back to A.
29) set ha-mgmt-status enable
Use this command to enable out-of-band management. Use the following two commands to set the out-of-band management interface and gateway IP address respectively.
set ha-mgmt-interface port_number
set ha-mgmt-interface-gateway x.x.x.x
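The election order in set override and the uptime margin in set ha-uptime-diff-margin determine which unit ends up master after a reboot or a link loss, which is what decides whether the recommended 200/100 priorities actually take effect. The following Python model is an added example, not Ruijie code: it implements the two comparison orders given above (interface quantity > runtime > priority > SN with override disabled; interface quantity > priority > runtime > SN with override enabled) and ignores runtime differences below the margin. The direction of the final serial-number tie-break (higher SN wins) and the member records are assumptions for the example.

```python
"""HA master election as described for 'set override' and 'set ha-uptime-diff-margin'.

Added example, not from the Ruijie cookbook. Assumption: the serial-number
tie-break prefers the lexically higher SN; the cluster members below are
constructed sample values.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Member:
    serial: str       # device SN
    ports_up: int     # monitored interfaces ('set monitor') currently up
    uptime_s: int     # runtime since HA started, in seconds
    priority: int     # 'set priority'


def prefer(a: Member, b: Member, override: bool, uptime_margin: int) -> bool:
    """Return True if member a wins the election against member b."""
    if a.ports_up != b.ports_up:             # valid interface quantity always comes first
        return a.ports_up > b.ports_up

    def by_uptime() -> Optional[bool]:
        # Differences smaller than ha-uptime-diff-margin do not count.
        if abs(a.uptime_s - b.uptime_s) < uptime_margin:
            return None
        return a.uptime_s > b.uptime_s

    def by_priority() -> Optional[bool]:
        if a.priority == b.priority:
            return None
        return a.priority > b.priority

    criteria = [by_priority, by_uptime] if override else [by_uptime, by_priority]
    for criterion in criteria:
        verdict = criterion()
        if verdict is not None:
            return verdict
    return a.serial > b.serial               # assumption: higher SN wins the last tie-break


def elect_master(members: List[Member], override: bool = False,
                 uptime_margin: int = 300) -> Member:
    """Pairwise election over the cluster members; returns the winner."""
    best = members[0]
    for candidate in members[1:]:
        if prefer(candidate, best, override, uptime_margin):
            best = candidate
    return best


# Constructed cluster: A has run longest, B carries the higher configured priority,
# C has lost a monitored port, D is within the uptime margin of A.
A = Member("SERIAL-A", ports_up=2, uptime_s=10000, priority=100)
B = Member("SERIAL-B", ports_up=2, uptime_s=500, priority=200)
C = Member("SERIAL-C", ports_up=1, uptime_s=99999, priority=250)
D = Member("SERIAL-D", ports_up=2, uptime_s=9800, priority=150)

if __name__ == "__main__":
    print("override disable:", elect_master([A, B]).serial)                # SERIAL-A
    print("override enable: ", elect_master([A, B], override=True).serial) # SERIAL-B
    print("lost a port:     ", elect_master([A, B, C], override=True).serial)  # SERIAL-B
```

With override disabled, B's priority of 200 does not make it master after a reboot because A's longer runtime is compared first; enabling override makes priority decisive, at the cost of a forced re-election (and therefore a switchover) whenever a member joins or leaves. A unit that has lost a monitored port loses regardless of either setting.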
Application Scenario:
One Web server (IP address: 192.168.1.2) is deployed inside the company and mapped to the extranet IP address 202.1.1.11. The HTTP service is opened to the extranet.
Networking Requirements
The Web server opens the HTTP service to the Internet, which increases the risk of attacks on the server. The IPS function should be used to protect against access from the Internet.
Network Topology
Configuration Tips
1) Initialize Internet access configuration.
2) Configure the virtual IP (DNAT).
3) Define the IPS sensor.
4) Configure policies and enable IPS.
5) Enable the logging function.
Configuration Steps
1. Basic configuration for Internet access
For the detailed configuration process, see section “Configuring Internet Access via a Static Link” under section “Internet Access via a Single Line” in “Configuring Routing Mode”.
The IP address configuration of the interfaces is shown in the following figure:
The route configuration is shown in the following figure:
2. Configure the virtual IP address (DNAT).
Choose Firewall > Virtual IP > Virtual IP, and then click Create New, as shown in the following figure:
Configure the virtual IP address. Enter the name webserver. The virtual IP address is used for destination address translation on the wan1 interface.
3. Define the IPS sensor.
Customize the IPS signature database for the system and programs running on the server. Suppose that the server runs Windows and provides the HTTP service.
a) Choose System > Intrusion Protection > IPS Sensor. Pre-defined sensors are embedded. Click Create New.
Enter the sensor name httpserver, and then click OK.
b) Add the IPS filter (multiple IPS filters can be added) to the sensor. On the Edit IPS Sensor page, click Create New, as shown in the following figure:
The IPS signature configuration page is displayed. Signatures are filtered in the following two manners:
A. Basic mode
Severity: Classified according to severity. Choose all the options.
Target: In this example, it is a Web server. For attacks against the server, choose server.
OS: Choose the OS type of the system to be protected.
The following page lists the IPS attack types to be filtered:
B. Advanced mode (Recommended)
In this mode, more accurate matching can be done to improve system efficiency. Choose IIS, HTTP, TCP, and UDP as prompted.
After the IPS signatures are chosen, choose the action for handling these attack signatures:
Signature Defaults: By default, each IPS signature defines the action against the attack. The firewall acts according to the pre-defined action.
Monitor All: Only monitor applications and generate logs without interrupting service.
Block All: Block and discard data packets.
Reset: Reset sessions.
Quarantine: Quarantine modes are the attacked IP address, the attacker IP address, the attacker and attacked device IP addresses, and the quarantining interface. After quarantining for a period of time, service communication of the quarantined device is disabled. Use this function with caution.
c) Click OK to finish the filter configuration. To add more filters, repeat the preceding method.
As shown in the above figure, there are 39 IPS signatures matching the filter.
4. Configure policies and enable IPS.
Source Interface/Zone: Choose wan1.
Source address: Choose all.
Destination Interface/Zone: Choose internal.
Destination address: Choose webserver, the defined object mapped by the virtual IP address.
Service: Choose HTTP. The system allows Internet access only by HTTP.
UTM: Select it.
Enable IPS: Choose the defined IPS sensor httpserver.
5. Enable packet logging.
RG-WALL #config ips sensor
RG-WALL(sensor) # edit httpserver
new entry 'httpserver' added
RG-WALL(httpserver) # set log enable
RG-WALL(httpserver) # config entries
RG-WALL(entries) # edit 1
new entry '1' added
RG-WALL(1) # set log enable
RG-WALL(1) # set log-packet enable
RG-WALL(1) # end
Application Scenario:
DoS attacks exploit specific vulnerabilities of the host to cause network stack failure, system breakdown, and host breakdown, so that the host fails to provide normal network services, resulting in denial of service. Common DoS attacks include TearDrop, Land, Jolt, IGMP Nuker, Boink, Smurf, Bonk, and OOB. Scanning is also a kind of network attack: before initiating network attacks, attackers generally try to determine the open TCP/UDP ports on the target device, since an open port indicates an application.
DoS has two forms: traffic attacks and resource exhaustion attacks. A traffic attack targets network bandwidth: a large number of attack packets saturate the bandwidth and legitimate packets cannot reach the host. A resource exhaustion attack targets servers: the attackers send a large number of attack packets to exhaust host memory or CPU, disrupting network service.
The NGFW anti-SYN Flood function employs the latest SYN cookie technology, which occupies few system resources and effectively prevents DoS attacks against servers.
The anti-SYN Flood function can prevent external malicious attacks and protect devices and the intranet. An alarm is reported when such attacks are detected.
In the preceding example “protecting intranet servers”, apart from IPS protection, DoS protection is required.
Networking Requirements
The Web server IP address is 192.168.1.2, mapped to the extranet IP address 202.1.1.11. The Web server opens the HTTP service to the Internet, which increases the risk of attacks on the server. DoS prevention should be enabled to ensure Internet access security.
Network Topology
Configuration Tips
1. Configure the server IP address.
2. Define the DoS policy.
Configuration Steps
1. Configure the server IP address.
Choose Firewall > Address > Address, and then click Create New, as shown in the following figure:
Set Name to server. Choose Subnet as Type. Set Subnet/IP Range to 202.1.1.8/29. Click OK. See the following figure:
The IP range includes the server IP address (202.1.1.11) and the extranet port IP address (202.1.1.10) of the firewall.
2. Define the DoS policy.
Choose Firewall > Policy > DoS Policy, and then click Create New, as shown in the following figure:
Configure the DoS policy parameters, as shown in the following figure:
Source Interface/Zone: Choose wan1. The wan1 interface is the extranet interface; apply the DoS policy on it.
Source address:Choose all.
Destination address: The protected IP address.
Service: The protected service, such as HTTP80 in this example.
Anomalies: The DoS protection type.
tcp_syn_flood: The name of a DoS attack.
Status: Whether to enable the protection.
Logging: Whether to enable logging. DoS logging can be enabled without running any command in the CLI; just select Logging.
Action: The action taken upon detecting an attack. There are two options: Block and Pass.
Threshold: The number of anomalies detected per second that triggers the corresponding action.
Click OK to finish configuration.
3. View DoS protection logs.
Application Scenario:
As the Internet rapidly develops, the network environment becomes more and more complicated, and malicious attacks, Trojan horses, viruses, and worms increase. Enterprises need to protect the network in depth at multiple layers to effectively protect network security. IPS provides deep protection for the network. If vulnerabilities in intranet servers are not repaired in time, attackers may exploit them with consequences that cannot be undone. In this case, enable the virus, vulnerability, and Trojan horse filter functions on the egress firewall.
Principles:
The protocol analysis module identifies the protocols of the data packets, including TCP, UDP, and ICMP as well as common application protocols such as HTTP, FTP, SMTP, POP3, and IMAP. After protocol identification, alarm information is reported.
Note:
The intrusion prevention, anti-virus, and application control functions of the NGFW can be used only when the corresponding signature databases are imported. By default, the NGFW is equipped with the latest signature database version. To keep these functions effective, you need to update the signature databases in real time. If you do not purchase the formal license, the signature database cannot be updated and the functions are not ideal. If you purchase the formal license and import it to the device, the system automatically updates the signature database to the latest version.
Networking Requirements
When intranet users view Web pages and receive or send emails, the system needs to detect viruses in the files transmitted via the related protocols to prevent viruses from spreading to the intranet.
Network Topology
Configuration Tips
1. Initialize Internet access configuration.
2. Configure anti-virus function.
3. Configure the proxy options.
4. Enable anti-virus function in the policy.
Configuration Steps
1. Initialize Internet access configuration.
For the detailed configuration process, see section “Configuring Internet Access via a Static Link” under section “Internet Access via a Single Line” in “Configuring Routing Mode”.
2. Configure anti-virus function.
Choose UTM > AntiVirus > Profile, as shown in the following figure:
You can view two embedded anti-virus profiles:
AV-flow: The profile for flow-based inspection mode. In this mode, virus scanning is fast but accuracy is lower than in proxy mode.
default: The profile for proxy inspection mode. In this mode, files are buffered in memory for scanning. Accuracy is high, but scanning is slower.
You can directly use the default profiles and edit them if needed, or create a new anti-virus profile. The following takes creating a new anti-virus profile as an example. Click Create New, then fill in the following parameters:
Name: Configure the anti-virus profile name. Here, set it to myantivirus.
Comments: Add a description of the profile.
Inspection Mode: Choose the virus scanning mode, considering the current network traffic and the device type. Here, choose Proxy.
Block Connections to Botnet Servers: Choose this option. The system then blocks connections to botnet servers, which protects against botnets and phishing attacks.
Protocol: Select the protocol types for virus scanning. Here, select HTTP, SMTP, and POP3.
3. Configure the proxy options. (Optional)
Generally, keep the default proxy options.
Choose Firewall > Policy > Protocol Options, as shown in the following figure:
Edit the default profile, as shown in the following figure:
4. Protocol Port Mapping:
Enable, Protocol, Inspection Port(s): Configure the proxy options of the different protocols, for example, enable HTTP port scanning. To scan multiple ports, separate them with spaces, for example, 80 80 80.
Common Options (taking effect only in proxy inspection mode)
Comfort Clients: When viruses are scanned in proxy mode, files are buffered on the firewall. Only after a file has been scanned and found safe does the system send it to the user; during this time the user receives no data, and for large files the wait can be long. To improve this experience, the firewall can send the file at a slow rate during scanning, so that the user sees that the request has been accepted and is being handled.
Interval (seconds): Set it to 10. Data is sent once every 10 seconds.
Amount (bytes): Set it to 1. The number of bytes sent each time.
Block Oversized File/Email: Files that exceed the virus scanning buffer size (10 MB) are blocked. If Block Oversized File/Email is not chosen, oversized files are permitted without virus scanning.
If Block Oversized File/Email is enabled, files that exceed the threshold are discarded directly, which may affect user services. Confirm with the users whether to choose this option.
Click OK to validate configuration.
5. Enable anti-virus function in the policy.
Edit the policy for Internet access created in step 1.
Choose UTM and Enable AntiVirus. Choose default from the Protocol Options drop-down list and myantivirus from the Enable AntiVirus drop-down list. Click OK to finish the configuration.
6. Enable anti-virus logging.
RG-WALL #config antivirus profile
RG-WALL(profile) # edit myantivirus
RG-WALL(myantivirus) # set extended-utm-log enable
RG-WALL(myantivirus) # set av-virus-log enable
RG-WALL(myantivirus) # set av-block-log enable
RG-WALL(myantivirus) # end
Verification
1. Intercept HTTP Web page viruses.
Access http://www.eicar.org/85-0-Download.html and download the virus test file.
The virus file is successfully intercepted.
Virus interception log is as follows:
Application Scenario:
Restrict the behavior of specific Internet users according to specific URLs.
Networking Requirements
Intranet users are only allowed to access the websites of 163.com and baidu.com.
Network Topology
Intranet users access the Internet through the firewall.
Configuration Tips
1. Initialize Internet access configuration.
2. Configure the Web filter.
3. Enable Web filter function in the policy.
Configuration Steps
1. Initialize Internet access configuration.
For the detailed configuration process, see section “Configuring Internet Access via a Static Link” under section “Internet Access via a Single Line” in “Configuring Routing Mode”.
2. Define the Web filter configuration.
Choose UTM > Web Filter > Profile. Some Web filters are embedded, such as default and flow-monitor-all, as shown in the following figure. You can modify the embedded filter configuration or define your own filters. Click Create New.
On the New Web Filter Profile page, fillin the following parameters:
Name: Enterthe name: mywebfilter.
Inspection Mode: Choose Flow-based.
Choose Enable Web Site Filter.
You can edit the URL filter or create newfilters..
*.baidu.com: It indicates that all Baiduwebsites are allowed.
*.163.com: It indicates that all NetEasewebsites are allowed.
*: It indicates that other websites arerejected. The following figure shows the configuration after URLs are added:
The URL filters in this list are executedfrom top to bottom. To adjust the sequence, click the item, and then drag it.
3. Enable Web filter in the policy.
On the Edit Policy page, choose UTMand Enable Web Filter. Choose mywebfilter from EnableWeb Filter drop-down list. See the following figure:
Verification
The URL of www.baidu.comcan be accessed. The URL of www.sina.com.cnis blocked.
The log is as follows:
Networking Requirements
Emails received and sent by the intranet are filtered by the firewall, and emails from @qq.com addresses are marked as spam.
Network Topology
The intranet users access the Internet via the firewall.
Configuration Tips
1. Initialize the Internet access configuration.
2. Define the anti-spam configuration.
3. Configure the proxy options.
4. Enable the email filter in the policy.
Configuration Steps
1) Initialize the Internet access configuration.
For details about the configuration procedure, refer to the section "Configuring Routing Mode" > "Internet Access via a Single Line" > "Configuring Internet Access via a Static Link".
2) Define the anti-spam configuration.
Choose the UTM > Email Filter > Email List menu.
Click Create New, and define the name as maillist.
Click Create New to create the maillist entries:
Type: Select Email Address.
Email Address: Enter *@qq.com.
Action: Select Mark as Spam.
Click OK. The maillist is then displayed as follows:
Choose the UTM > Email Filter > Config menu, and click Create New.
You can edit the default profile directly, or create a new one, for example:
Name: Enter the name of the profile, here mymail.
Comments: Add a description of the profile.
Inspection Mode: Select Proxy.
Enable Spam Detection and Filtering: Select IMAP, POP3, and SMTP.
Local Spam Filtering: Select HELO DNS Lookup and Return E-mail DNS Check.
BWL Check: Select maillist. This applies the local black/white list, which must be configured manually as follows:
3) Enable the anti-spam function in the policy.
In the firewall policy for Internet access, enable UTM and tick Enable Email Filter.
4) Enable log display.
If the logs are not displayed, enable them via the CLI.
Before performing the operations, it is recommended that you upgrade the current version to P2. On the P1 version, you must first enter print cliovrd enabl4e and press Enter, then log out and log in again before executing the following commands.
RG-WALL #config spamfilter profile
RG-WALL(profile) # edit mymail
RG-WALL(mymail) # set extended-utm-log enable
RG-WALL(mymail) # end
Verification
Each email originating from a qq.com address has the spam tag inserted into its header, marking it as spam.
Each email destined for a qq.com address is tagged the same way, because the email-address entry matches the recipient as well as the sender. Mail that intranet users send to qq.com is therefore also marked. If that is not wanted, handle POP3/IMAP (incoming) and SMTP (outgoing) in separate profiles or policies so that the list is only checked in the intended direction.
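The Web filter list in the previous section and the email list in this one are both ordered wildcard lists: entries are checked top to bottom and the first match decides. The following Python script is an added example (it is not part of this cookbook and not RG-WALL code) that models that evaluation so the ordering and direction effects can be checked offline. It assumes fnmatch-style wildcards, where * matches any run of characters including dots; the device's exact pattern syntax should be confirmed with a live test. The rule tables are constructed from the two sections above.

```python
import fnmatch
from urllib.parse import urlsplit

# Rule tables constructed from the two sections above. Entries are evaluated
# top to bottom; the first pattern that matches decides the action.
URL_RULES = [
    ("*.baidu.com", "allow"),
    ("*.163.com", "allow"),
    ("*", "block"),          # catch-all: must stay last
]
EMAIL_RULES = [
    ("*@qq.com", "spam"),    # the "Mark as Spam" entry of maillist
]


def first_match(rules, value, default):
    """Return (action, pattern) of the first rule matching value.

    fnmatch is an assumption standing in for the device's wildcard engine:
    '*' matches any run of characters, dots included, but '*.baidu.com'
    does not match the bare 'baidu.com'. Matching is case-insensitive
    because host names and mail domains are.
    """
    v = value.lower()
    for pattern, action in rules:
        if fnmatch.fnmatchcase(v, pattern.lower()):
            return action, pattern
    return default, None


def url_action(url):
    """Decide on the host part only, as a Web Site Filter does."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    action, _ = first_match(URL_RULES, host, "allow")
    return action


def email_action(sender, recipient):
    """An address entry is matched against both ends of the message, which
    is why mail sent *to* qq.com is tagged as well as mail *from* it."""
    for addr in (sender, recipient):
        action, _ = first_match(EMAIL_RULES, addr, "clean")
        if action == "spam":
            return "spam"
    return "clean"


def unreachable_rules(rules):
    """Patterns that can never fire because an earlier '*' catches everything."""
    for i, (pattern, _) in enumerate(rules):
        if pattern == "*":
            return [p for p, _ in rules[i + 1:]]
    return []


if __name__ == "__main__":
    for u in ("http://www.baidu.com/", "http://baidu.com/", "http://www.sina.com.cn/"):
        print(u, "->", url_action(u))
    print(unreachable_rules([("*", "block")] + URL_RULES[:2]))
```

The check that matters most is unreachable_rules: if it returns anything, the * entry has drifted above an allow entry and the policy blocks everything. The bare-domain result (baidu.com blocked) is the test suggested in the Web filter step; if the live device behaves the same way, add baidu.com as its own allow entry.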
Networking Requirements
The employees of a company can access the Internet. The company forbids employees from using instant messaging (IM) applications, or allows only specified employees to use them.
Network Topology
Configuration Tips
1. Initialize Internet access configuration.
2. Configure application control sensors.
• Block IM applications.
• Configure flow control for P2P applications.
3. Enable application control in the policy.
Configuration Steps
1. Initialize Internet access configuration.
For the detailed configuration process, see section "Configuring Internet Access via a Static Link" under section "Internet Access via a Single Line" in "Configuring Routing Mode".
2. Define the application control sensor.
Choose UTM > Application Control > Application Control List. Click Create New, as shown in the following figure:
a) Create a sensor. Enter the name office, then click Apply. See the following figure:
b) Choose the office sensor, then click Create New. Add an application control filter entry to the sensor, as shown in the following figure:
c) Block QQ and related software, as shown in the following figure:
Sensor Type: Choose Specify Applications. Then enter qq.
All the QQ-related applications are displayed. Click the target application.
Action: Click Block.
d) Configure flow control for P2P applications, as shown in the following figure:
Sensor Type: Choose Filter Based.
Category: Choose P2P.
Action: Click Traffic Shaping.
Forward Direction Traffic Shaping: Set it to 1M.
e) The application control sensor configuration is as follows:
3. Enable application control in the policy.
Tick Enable Application Control, and select office from the Enable Application Control drop-down list.
4. Enable log display.
If logs are not displayed, run the following commands to enable them.
RG-WALL #config application list
RG-WALL(list) # edit office
new entry'office' added
RG-WALL(office) # set extended-utm-log enable
RG-WALL(office) # end
If the CLI prints new entry 'office' added after edit office, the name did not match the sensor created in the Web UI and an empty list was created instead; check the spelling, because the log setting then applies to the wrong list.
Verification
Use a blocked IM application and a P2P download for testing: the IM login should fail, and the P2P traffic should be held to 1 Mbps.
Networking Requirements
A company performs traffic management over intranet users. The egress bandwidth is restricted to 20 Mbps.
Manager: Traffic for 192.168.1.10 is not restricted.
Staff: The total bandwidth for 192.168.1.50-100 is restricted to 15 Mbps. The traffic of each employee cannot exceed 1 Mbps.
IP phone and video: The bandwidth for 192.168.1.20 is 3 Mbps, to guarantee smooth video playback.
Network Topology
Configuration Tips
1) Basic configuration of the interfaces and routes for Internet access.
2) Define address objects for the IP address segments to be restricted.
3) Define the traffic shapers.
4) Configure the policies and enable flow control.
To control upload and download traffic separately, enable reverse flow control. Reverse flow control refers to shaping the traffic in the download direction. After reverse flow control is enabled, upload and download traffic are controlled separately.
Configuration Steps
1. Basic configuration of the interfaces and routes for Internet access.
For the detailed configuration process, see section "Configuring Internet Access via a Static Link" under "Internet Access via a Single Line" in "Configuring Routing Mode".
The IP address configuration of the interfaces is shown in the following figure:
2. Define address objects for the IP address segments to be restricted.
Define three address objects:
manager: 192.168.1.10
sip: 192.168.1.20
staff: 192.168.1.50-100
Choose Firewall > Address > Address, and then click Create New, as shown in the following figure:
1) Define the IP address of the manager's PC. Set Name to manager and set Subnet/IP Range to 192.168.1.10, as shown in the following figure:
2) Define the IP address of the SIP device. Set Name to sip and set Subnet/IP Range to 192.168.1.20, as shown in the following figure:
3) Define the IP addresses of the staff PCs. Set Name to staff and set Subnet/IP Range to 192.168.1.50-100, as shown in the following figure:
3. Define the traffic shapers.
Choose Firewall > Traffic Shaper > Shared, and then click Create New, as shown in the following figure:
a) Create a 15 Mbps shared traffic shaper, as shown in the following figure:
Name: Configure the shaper name.
Apply Shaper: Set how the shaper is applied by the policies that use it.
Per Policy: Each policy that uses the shaper is limited independently. For example, if 10 policies use the 15 Mbps shaper, each policy can use 15 Mbps, and together they may consume up to 150 Mbps.
For All Policies Using This Shaper: All the policies that use the shaper are limited together. For example, if 10 policies use the 15 Mbps shaper, all the users of those policies share 15 Mbps.
That is, the maximum traffic used by the 10 policies together is 15 Mbps.
Traffic Priority: The firewall interface defines 6 FIFO queues, among which queue 0 has the highest priority and queue 5 the lowest. Queue 0 is used for firewall management and VPN negotiation. All the traffic sent or received by the firewall itself is automatically put into queue 0 and forwarded first.
For traffic forwarded by the firewall under a policy with a traffic shaper, the priority is classified into high, medium, and low levels, and high-priority traffic is forwarded first. The three levels correspond to queues 1, 2, and 3:
High (queue 1), medium (queue 2), low (queue 3).
Traffic priorities can be assigned according to service type: set services such as VoIP to high priority, HTTP, POP3, SMTP, and OA services to medium priority, and other services to low priority.
If no priority is specified in the policy, the priority is high by default.
Maximum Bandwidth: The maximum bandwidth allowed for the policy, in Kbps. Packets above this rate are discarded rather than queued. Setting this value to 0 means the maximum bandwidth is not restricted.
Guaranteed Bandwidth: The bandwidth guaranteed to the policy. While the traffic is below the guaranteed bandwidth, its packets are put into queue 0 and forwarded first, so the service always gets at least this much. Setting a guarantee for non-critical traffic is not recommended, since guaranteed traffic takes precedence over everything else.
When the policy's traffic is between the guaranteed bandwidth and the maximum bandwidth, packets are forwarded according to the priority defined in the policy.
DSCP: Determines whether to mark the traffic with a differentiated services code point (DSCP), which is used to carry end-to-end QoS across the network.
b) Create a 3 Mbps traffic shaper for voice and video.
c) Create a 1 Mbps per-IP traffic shaper.
Choose Firewall > Traffic Shaper > Per-IP, as shown in the following figure:
Name: Configure the shaper name.
Maximum Bandwidth: The maximum bandwidth for each IP address. It is the sum of the upstream and downstream traffic. Set it to 1000 Kbps.
Maximum Concurrent Connections: The maximum number of connections each IP address in the policy may have at once. When the limit is reached, new connections from that address are refused. Set this option as required.
Forward DSCP: Determines whether to mark forward-direction traffic with DSCP, which is used to carry end-to-end QoS across the network.
Reverse DSCP: Determines whether to mark reverse-direction traffic with DSCP in the same way.
4. Configure the policies and enable traffic control.
a) Add the policy for the manager to access the Internet without any restriction, as shown in the following figure:
b) Add the policy for SIP that uses the 3 Mbps traffic shaper, as shown in the following figure:
c) Add the policy for the staff to access the Internet, as shown in the following figure:
Reverse Direction Traffic Shaping: This option controls the download traffic. After you enable it, upload and download traffic are controlled separately, and the upload and download rates are 15 Mbps each. If you do not choose this option, the sum of the upload and download rates is 15 Mbps.
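To make the Apply Shaper, Per-IP and Reverse Direction Traffic Shaping settings concrete, the following Python model is an added example (neither the device's code nor part of this cookbook) of how those limits compose. It assumes a simple per-second budget refilled with the configured rate, with everything above it dropped, as the Maximum Bandwidth description says the firewall does; flows earlier in the list get their share first, so it does not model fairness between hosts. The policy names, flows and rates are constructed to match the staff scenario above.

```python
from collections import defaultdict


class RateBucket:
    """Per-second budget in bits for one shaper instance. Traffic above the
    budget is dropped, not queued (assumption matching the Maximum Bandwidth
    description; no unused budget is carried into the next second)."""

    def __init__(self, rate_kbps):
        self.rate_bits = rate_kbps * 1000
        self.tokens = 0

    def tick(self):
        self.tokens = self.rate_bits


def simulate(flows, shared_kbps, apply_mode, reverse_shaping,
             per_ip_kbps=None, seconds=4):
    """Average delivered kbps per flow.

    flows: list of (policy, ip, direction, offered_kbps); direction is
           'fwd' (upload) or 'rev' (download).
    apply_mode: 'per-policy' or 'all-policies' (the Apply Shaper choice).
    reverse_shaping: True models Reverse Direction Traffic Shaping, i.e. a
           separate budget per direction; False makes both directions share
           one budget, as the policy step describes.
    per_ip_kbps: optional Per-IP shaper; its budget covers both directions.
    """

    def shared_key(policy, direction):
        key = policy if apply_mode == "per-policy" else "all"
        return (key, direction) if reverse_shaping else (key, "both")

    shared = {shared_key(p, d): RateBucket(shared_kbps) for p, _, d, _ in flows}
    per_ip = ({ip: RateBucket(per_ip_kbps) for _, ip, _, _ in flows}
              if per_ip_kbps else {})
    delivered = defaultdict(int)

    for _ in range(seconds):
        for bucket in (*shared.values(), *per_ip.values()):
            bucket.tick()
        for policy, ip, direction, kbps in flows:
            limits = [shared[shared_key(policy, direction)]]
            if per_ip:
                limits.append(per_ip[ip])
            # A flow may use only what every applicable shaper still allows.
            grant = min([kbps * 1000] + [b.tokens for b in limits])
            for b in limits:
                b.tokens -= grant
            delivered[(policy, ip, direction)] += grant

    return {flow: total / seconds / 1000 for flow, total in delivered.items()}


def total_kbps(result):
    return sum(result.values())


if __name__ == "__main__":
    staff = [("staff", "192.168.1.50", "fwd", 10000),
             ("staff", "192.168.1.51", "fwd", 10000)]
    print(simulate(staff, 15000, "all-policies", False))
    print(simulate(staff, 15000, "all-policies", False, per_ip_kbps=1000))
```

Run with per-policy mode and two policies and the aggregate exceeds 15 Mbps, which is what the Per Policy description warns about; add per_ip_kbps=1000 and one address sending 800 kbps each way only gets 200 kbps back, showing that the per-IP limit is the sum of both directions.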
Verification
Download with an FTP client and observe the rate.
With Per-IP Traffic Shaping, once an address reaches its Maximum Concurrent Connections, further sessions are refused and that host can no longer open new Internet connections.
FAQs
Q: Because the per-IP shaper does not restrict upload and download rates separately, is there any problem in actual use?
A: Generally, no. In the preceding example, the upload and download rates of one IP address are not restricted separately; they share the 1 Mbps per-IP limit.
I. Networking Requirements
Executable files passing through the firewall, whether downloaded directly or carried in Web pages and emails, must be filtered.
II. Network Topology
Intranet users access the Internet through the firewall.
III. Configuration Tips
1. Initialize Internet access configuration.
2. Define the DLP configuration.
3. Configure the proxy options.
4. Enable the DLP sensor in the policy.
IV. Configuration Steps
1. Initialize Internet access configuration.
Configure an access policy from Internal to wan1, set Destination address to all, and tick Enable NAT.
2. Define the DLP sensor.
(1) File filter
a. A file filter defines the types of files to be filtered. Use the built-in all_executables file filter directly, or define a new one.
Choose UTM > Data Leakage Prevention > File Filter, and then click Create New.
b. Add file types to the file filter table. Click Create New.
Filter Type: Choose File Type.
File Type: Choose Executable (exe).
c. Add all required file types in the same way. The result is displayed as follows:
(2) Choose UTM > Data Leakage Prevention > Sensor, and then click Create New.
Enter the name office, and then click Create New to create the file filter rule.
Filter: Tick Files.
File Type included in: Choose exe-doc.
Examine the Following Services: Select the protocols whose files are to be filtered.
Action: Choose Block so that matching files are intercepted (Log Only records them without blocking). The quarantine actions, which isolate the source IP address or the source interface, should be used with caution because they can cut off all communication from that address or interface.
3. Configure the proxy options. (Optional)
Generally, retain the default proxy options and advanced parameters. For modification, see the section "Anti-Virus".
Protocol Port Mapping:
Enable, Protocol, Inspection Port(s): Configure the proxy options of the different protocols, for example, enable scanning on HTTP port 80. To scan multiple ports, separate them with spaces, for example, 80 8080.
Common Options (taking effect only in proxy inspection mode)
Comfort Clients: When files are scanned in proxy mode, they are buffered on the firewall, and only after the scan finds them safe are they sent to the user. During this time the user receives no data, and for a large file the wait can be long. To improve the experience, the firewall can send a trickle of data during scanning so that the client sees the request being answered and does not time out.
Interval (seconds): Set it to 10. Data is sent once every 10 seconds.
Amount (bytes): Set it to 1. It is the number of bytes sent each time.
Block Oversized File/Email: Files that exceed the virus scanning buffer size (10 MB) are blocked. If Block Oversized File/Email is not chosen, an oversized file is allowed through without being scanned, so a large executable would not be filtered.
Click OK to apply the configuration.
4. Enable the DLP sensor in the policy.
Edit the Internet access policy. Tick UTM, choose default from the Protocol Options drop-down list, choose office from the Enable DLP Sensor drop-down list, and click OK to finish the configuration.
5. Enable log display.
If logs are not displayed, run the following commands to enable them.
Note: Before operation, it is recommended to update the version to P2. On the P1 version, a user can run the following commands only after entering print cliovrd enabl4e, pressing Enter, logging out, and logging in again.
RG-WALL # config dlp sensor
RG-WALL (sensor) # edit office
RG-WALL (office) # set extended-utm-log enable
RG-WALL (office) # end
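The File Type filter above decides by what a file is, not by what it is called. The following Python script is an added example (not RG-WALL code and not part of this cookbook) of that distinction: it classifies executables by their leading magic bytes and by the PE signature that the MZ header points to, then compares the verdict with a name-only check. The magic numbers are the public on-disk signatures, not the device's own file-type database; the sample files, including a renamed executable, are constructed inline, and the minimal PE stub is not a runnable program.

```python
import struct

# Public on-disk signatures of executable containers (constructed table; the
# device keeps its own file-type database, which this does not reproduce).
_MAGIC = [
    (b"MZ", "exe"),                     # DOS/Windows executables (EXE, DLL, SCR)
    (b"\x7fELF", "elf"),                # Linux/Unix executables and shared objects
    (b"\xcf\xfa\xed\xfe", "macho"),     # 64-bit Mach-O
    (b"\xfe\xed\xfa\xce", "macho"),     # 32-bit Mach-O
]
# Text executables: heuristic prefixes for batch and shell scripts.
_SCRIPT_PREFIXES = (b"@echo off", b"#!/")

BLOCKED_TYPES = {"exe", "pe", "elf", "macho", "script"}
BLOCKED_EXTENSIONS = {"exe", "dll", "scr", "bat", "sh"}


def _has_pe_header(data: bytes) -> bool:
    """Follow e_lfanew (offset 0x3C) to the 'PE\\0\\0' signature."""
    if len(data) < 0x40:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def detect_file_type(data: bytes) -> str:
    """Classify by content only: 'pe', 'exe' (MZ without a PE header),
    'elf', 'macho', 'script' or 'unknown'."""
    for magic, kind in _MAGIC:
        if data.startswith(magic):
            if kind == "exe":
                return "pe" if _has_pe_header(data) else "exe"
            return kind
    head = data.lstrip()[:16].lower()
    if head.startswith(_SCRIPT_PREFIXES):
        return "script"
    return "unknown"


def dlp_decision(filename: str, data: bytes) -> dict:
    """Content-based verdict next to a name-only verdict, flagging the
    cases where an extension filter would have been fooled."""
    kind = detect_file_type(data)
    by_content = "block" if kind in BLOCKED_TYPES else "pass"
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    by_name = "block" if ext in BLOCKED_EXTENSIONS else "pass"
    return {"type": kind, "action": by_content,
            "name_only": by_name, "evasion": by_content != by_name}


def fake_pe() -> bytes:
    """Constructed minimal MZ stub whose e_lfanew points at a PE signature.
    It is not a valid or runnable program, only enough for the parser."""
    buf = bytearray(0x84)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed samples: the second entry is an executable renamed to .jpg.
SAMPLES = {
    "setup.exe": fake_pe(),
    "holiday.jpg": fake_pe(),
    "install.bat": b"@echo off\r\necho hello\r\n",
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "tool.sh": b"#!/bin/sh\necho hi\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} {dlp_decision(name, blob)}")
```

The evasion flag on holiday.jpg is the case to reproduce in the verification step: if the device passes a renamed executable, its file-type filter is matching on the name and needs the content-based type added.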
V. Verification
Send, download, or upload exe and bat files via email or FTP. The files are intercepted. Also test an executable renamed with a harmless extension, to confirm that the filter matches on file content rather than on the file name.
I. Requirements
Only authenticated users can access the Internet. The user authentication information for Internet access is provided by an LDAP server.
II. Topology
III. Configuration Tips
1. Create an LDAP server.
2. Create a user group.
3. Configure an identity-based Internet access policy.
IV. Configuration Steps
1. Create an LDAP server.
Choose User > Remote > LDAP.
Click Create New.
Name: Enter a name. This item is user-defined.
Server/IP: Set it to 192.168.1.102, the IP address of the LDAP server.
Port: The default value is 389. A regular bind on port 389 without TLS carries the bind password and every user's password in clear text between the firewall and the LDAP server; keep that path inside a trusted segment, or use LDAPS/StartTLS if the firmware offers it.
Common Name Identifier: Set it to cn. It is uid on some directory servers.
Distinguished Name: Set it to dc=fei,dc=com. This item depends on the LDAP directory.
Bind Type: Tick Regular.
User DN and Password: An account on the LDAP server used for the bind. Use a dedicated read-only account rather than an administrator account.
Click Test to check the configuration.
Run the following command to check the server:
NGFW # diagnose test authserver ldap ldap test fei!@#
authenticate 'test' against 'ldap' succeeded!
Group membership(s) - CN=rj,OU=rj,DC=fei,DC=com
2. Create a user group.
Choose System > User > User Group, and then click Create New.
Name: Set it to webuser. This item is user-defined.
Remote Server: Set it to ldap.
3. Configure an identity-based Internet access policy.
Choose Firewall > Policy > Policy, and then click Create New. Configure an Internet access policy as follows:
Tick Enable Identity Based Policy and click Add. In Edit Authentication Rule, select the user group webuser, and configure Available Destination Addresses and Available Services.
The policy is displayed as follows:
V. Verification
Open a website in a browser. The Authentication Required page is displayed. Enter the user name and password of the LDAP account to access the Internet.
Choose Firewall > User > Monitor to view the authenticated users.
Troubleshooting commands:
RG-WALL # diagnose debug enable
RG-WALL # diagnose debug application fnbamd -1 //Note: Before operation, it is recommended to update the version to P2. On the P1 version, a user can run this command only after entering print cliovrd enabl4e, pressing Enter, logging out, and logging in again.
Run the following command to check whether the account is valid. The password is typed in clear text on the command line, so use a test account for this.
RG-WALL # diagnose test authserver ldap ldap test fei!@# //The authentication type is ldap, the server name is ldap, the user name is test, and the password is fei!@#.
Setting the Log Storage Method
Currently, firewall logs can be stored in three ways: 1) on the hard disk; 2) in memory; 3) on a third-party server (by sending syslog).
On the Log Settings page, you can set the log storage method.
Disk: If you choose Disk, logs are stored on the hard disk.
Syslog Server: A third-party syslog storage server. You can set up to three syslog servers.
Event Logging: Choose the event log types.
Local Traffic Logging: Choose the local traffic log types. Local traffic refers to traffic addressed to the firewall itself.
GUI Preferences: Choose the source of the logs shown in the Web UI: hard disk or memory.
1. By default, logs are stored on the hard disk.
2. The S3100 and M6600 have no hard disk. Therefore, you cannot choose Disk on them.
3. Choosing Resolve Hostnames and Resolve Unknown Applications is not recommended; both trigger extra lookups (such as reverse DNS) when logs are displayed.
Requirements
All the logs generated on the firewall, such as traffic logs, event logs, and security logs, are stored on the hard disk. In this example, configure local traffic logging, log allowed traffic, enable event logging, and store the logs on the hard disk.
The S3100 and M6600 have no hard disk and therefore do not support log storage on the hard disk. Refer to section 5.2.3 "Storing Logs in the Memory".
Because allowed-traffic logs are very numerous, storing them on the hard disk costs device performance and shortens the life of the disk. It is recommended to send logs to a third-party server instead. For details, see section 5.2.4 "Sending Syslog".
Configuration Tips
1. Choose Firewall > Policy, and edit the specific policy. Tick Log Allowed Traffic. See the following figure:
2. Choose Log&Report > Log Config > Log Setting.
Choose Disk in the Logging and Archiving pane. Choose Disk from the Display Logs From drop-down list in the GUI Preferences pane. Choose the event log and local traffic log types to be recorded.
For how to enable the logs of each UTM function (by default, such logs are not enabled), see section "UTM Log Configuration" in "Universal Typical Functions".
3. Set the parameters for storing logs on the hard disk. (CLI only)
RG-WALL # config log disk setting
RG-WALL (setting) # set maximum-log-age 30 //Keep logs for 30 days.
RG-WALL (setting) # end
RG-WALL # config log disk filter
RG-WALL (filter) # set forward-traffic disable //Do not write forward-traffic logs to the disk.
RG-WALL (filter) # end
forward-traffic is the disk filter for the sessions recorded by Log Allowed Traffic. Disabling it is strongly recommended for the performance and disk-life reasons above. It means those records are kept only where else you send them (for example the syslog server), so do not disable it if the disk is your only log store.
4. View the parameters for storing logs on the hard disk. (CLI only)
a) View the parameters for recording logs on the hard disk.
RG-WALL # get log disk setting
status : enable
ips-archive : enable
max-policy-packet-capture-size: 10
log-quota : 0 //0 means unlimited. Enter the amount of disk space assigned to logs.
dlp-archive-quota : 0
report-quota : 0
maximum-log-age : 30 //Set to 30 here. By default, logs are kept for 7 days.
upload : disable
drive-standby-time : 0
full-first-warning-threshold: 75 //First warning when the disk is 75% full.
full-second-warning-threshold: 90 //Second warning when the disk is 90% full.
full-final-warning-threshold: 95 //Final warning when the disk is 95% full.
: 100
storage :
roll-schedule : daily //Log rolling frequency. By default, logs are rolled every day.
roll-time : 00:00 //By default, logs are rolled at 00:00.
diskfull : overwrite //The default is overwrite. With nolog, the RG-WALL stops logging when the disk is full; with overwrite, the oldest log file is overwritten as soon as the disk is full. Choose nolog only if losing new events is preferable to losing old ones.
report : enable
b) View the options for recording logs on the hard disk.
RG-WALL #get log disk filter
severity : information
traffic : enable
forward-traffic : disable
local-traffic : enable
attack : enable
web : enable
netscan : enable
dlp : enable
virus : enable
email : enable
voip : enable
app-ctrl : enable
dlp-archive : enable
multicast-traffic : enable
signature : enable
anomaly : enable
web-content : enable
url-filter : enable
ftgd-wf-block : enable
ftgd-wf-errors : enable
web-filter-activex : enable
web-filter-cookie : enable
web-filter-applet : enable
web-filter-script-other:enable
web-filter-ftgd-quota-counting:enable
web-filter-ftgd-quota-expired:enable
web-filter-ftgd-quota:enable
web-filter-command-block:enable
discovery : enable
vulnerability : enable
dlp-all : enable
dlp-docsource : enable
infected : enable
blocked : enable
scanerror : enable
suspicious : enable
analytics : enable
oversized : enable
switching-protocols: enable
email-log-smtp : enable
email-log-pop3 : enable
email-log-imap : enable
email-log-msn : enable
email-log-yahoo : enable
email-log-google : enable
app-ctrl-all : enable
Verification
After the preceding configuration is completed, choose Log&Report > Traffic Log, Event Log, or Security Log to view the specific logs, as shown in the following figure:
Requirements
On devices without a hard disk, such as the S3100 and M6600, the logs generated on the firewall, such as traffic logs, event logs, and security logs, can be stored in memory. In this example, configure local traffic logging, log allowed traffic, enable event logging, and store the logs in memory.
Because allowed-traffic logs are very numerous, storing them in memory costs device performance, and the memory buffer is small and lost on reboot. It is recommended to send logs to a third-party server instead. For details, see section 5.2.4 "Sending Syslog".
Configuration Tips
1. Choose Firewall > Policy, and edit the specific policy. Tick Log Allowed Traffic. See the following figure:
2. Choose Log&Report > Log Config > Log Setting.
In the Logging and Archiving pane, leave Disk cleared (devices without a hard disk do not offer it). Choose Memory from the Display Logs From drop-down list in the GUI Preferences pane. Choose the event log and local traffic log types to be recorded.
For how to enable the logs of each UTM function (by default, such logs are not enabled), see section "UTM Log Configuration" in "Universal Typical Functions".
3. Set the parameters for storing logs in memory. (CLI only)
RG-WALL # config log memory setting
RG-WALL (setting) # set status enable //Enable log storage in memory.
RG-WALL (setting) # end
RG-WALL # config log memory filter
RG-WALL (filter) # set forward-traffic disable //Do not keep forward-traffic logs in memory.
RG-WALL (filter) # end
forward-traffic is the memory filter for the sessions recorded by Log Allowed Traffic. Disabling it is strongly recommended, since those records would otherwise fill the small memory buffer quickly and push out the security events you want to keep.
4. View the parameters for storing logs in memory. (CLI only)
a) View the parameters for recording logs in memory.
RG-WALL # get log memory setting
status : enable
diskfull : overwrite
b) View the options for recording logs in memory.
RG-WALL #get log memory filter
severity : information
traffic : enable
forward-traffic :disable
local-traffic : enable
attack : enable
web : enable
netscan : enable
dlp : enable
virus : enable
email : enable
voip : enable
app-ctrl : enable
multicast-traffic : enable
signature : enable
anomaly : enable
web-content : enable
url-filter : enable
ftgd-wf-block : enable
ftgd-wf-errors : enable
web-filter-activex : enable
web-filter-cookie : enable
web-filter-applet : enable
web-filter-script-other:enable
web-filter-ftgd-quota-counting:enable
web-filter-ftgd-quota-expired:enable
web-filter-ftgd-quota:enable
web-filter-command-block:enable
discovery : enable
vulnerability : enable
dlp-all : enable
dlp-docsource : enable
infected : enable
blocked : enable
scanerror : enable
suspicious : enable
analytics : enable
oversized : enable
switching-protocols: enable
email-log-smtp : enable
email-log-pop3 : enable
email-log-imap : enable
email-log-msn : enable
email-log-yahoo : enable
email-log-google : enable
app-ctrl-all : enable
Verification
After the preceding configuration is completed, choose Log&Report > Traffic Log, Event Log, or Security Log to view the specific logs, as shown in the following figure:
Requirements
On devices without a hard disk, such as the S3100 and M6600, the logs generated on the firewall, such as traffic logs, event logs, and security logs, can be sent to a third-party server. (This storage method is recommended.) In this example, configure local traffic logging, log allowed traffic, enable event logging, and send the logs to a syslog server.
Configuration Tips
1. Choose Firewall > Policy, and edit the specific policy. Tick Log Allowed Traffic. See the following figure:
2. Choose Log&Report > Log Config > Log Setting.
Logging and Archiving: Clear Disk.
Syslog Server 1: Set the IP address of the log server.
Facility: The syslog facility code (for example local0 to local7) placed in the PRI field of each message. The receiving server uses it to route messages into separate files; it is not a severity level, which each message carries separately.
Source IP: Set the IP address of the firewall that can reach the log server. Here, enter the internal interface IP address.
Event Logging: Choose the event logs to be recorded.
3. On the third-party server, install software to receive syslog from the firewall, such as Syslog Watcher. Plain syslog is neither encrypted nor authenticated, so place the collector on a management segment the firewall reaches directly and restrict the source addresses it accepts.
4. View the parameters for storing syslogs. (CLI only)
a) View the parameters for recording syslogs.
RG-WALL #get log syslogd setting
status : enable
b) View the options for recording syslogs.
RG-WALL #get log syslogd filter
severity : information
traffic : enable
forward-traffic : enable
local-traffic : enable
attack : enable
web : enable
netscan : enable
dlp : enable
virus : enable
email : enable
voip : enable
app-ctrl : enable
multicast-traffic : enable
signature : enable
anomaly : enable
web-content : enable
url-filter : enable
ftgd-wf-block : enable
ftgd-wf-errors : enable
web-filter-activex : enable
web-filter-cookie : enable
web-filter-applet : enable
web-filter-script-other:enable
web-filter-ftgd-quota-counting:enable
web-filter-ftgd-quota-expired:enable
web-filter-ftgd-quota:enable
web-filter-command-block:enable
discovery : enable
vulnerability : enable
dlp-all : enable
dlp-docsource : enable
infected : enable
blocked : enable
scanerror : enable
suspicious : enable
analytics : enable
oversized : enable
switching-protocols: enable
email-log-smtp : enable
email-log-pop3 : enable
email-log-imap : enable
email-log-msn : enable
email-log-yahoo : enable
email-log-google : enable
app-ctrl-all : enable
Verification
After the preceding configuration is completed, open Syslog Watcher on the log server to view the logs. See the following figure.
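Once the logs reach the syslog server, the useful part is reading them back. The following Python script is an added example (not part of this cookbook and not an RG-WALL tool) of parsing firewall syslog lines, decoding the PRI facility/severity discussed under Facility above, and pulling out the events an operator checks first: UTM blocks per source, denied local (to-the-firewall) sessions, and bytes per source. The key=value message format and the field names (type, subtype, action, srcip, sentbyte, ...) are assumptions, and the sample lines are constructed; adjust both after looking at one real line from your device.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed key=value syslog format. The <PRI>
# prefix is standard syslog: facility * 8 + severity.
SAMPLE_LOG = """\
<134>date=2016-05-10 time=10:01:02 devname=RG-WALL type=traffic subtype=forward level=notice srcip=192.168.1.50 srcport=50231 dstip=203.0.113.10 dstport=80 proto=6 action=accept policyid=1 service=HTTP sentbyte=1200 rcvdbyte=5400
<134>date=2016-05-10 time=10:01:05 devname=RG-WALL type=traffic subtype=forward level=notice srcip=192.168.1.51 srcport=50232 dstip=203.0.113.10 dstport=80 proto=6 action=accept policyid=1 service=HTTP sentbyte=900 rcvdbyte=3100
<131>date=2016-05-10 time=10:02:10 devname=RG-WALL type=utm subtype=virus level=warning srcip=192.168.1.50 dstip=203.0.113.20 dstport=80 action=blocked service=HTTP virus="EICAR_TEST_FILE" url="http://www.eicar.org/download/eicar.com"
<132>date=2016-05-10 time=10:03:00 devname=RG-WALL type=utm subtype=webfilter level=warning srcip=192.168.1.52 dstip=203.0.113.30 action=blocked service=HTTP hostname="www.sina.com.cn" msg="URL blocked by mywebfilter"
<134>date=2016-05-10 time=10:03:30 devname=RG-WALL type=traffic subtype=local level=notice srcip=198.51.100.7 dstip=192.0.2.1 dstport=443 action=deny service=HTTPS
"""

PRI_RE = re.compile(r"<(\d{1,3})>")
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_line(line):
    """One syslog line -> dict of fields plus _facility/_severity ints."""
    fields = {}
    m = PRI_RE.match(line)
    if m:
        pri = int(m.group(1))
        fields["_facility"], fields["_severity"] = pri >> 3, pri & 7
        line = line[m.end():]
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # strip the quotes of quoted values
        fields[key] = value
    return fields


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def summarize(records):
    """Counts an operator looks at first after enabling logging."""
    utm_blocks = Counter()
    local_denies = []
    bytes_by_src = Counter()
    for r in records:
        if r.get("type") == "utm" and r.get("action") == "blocked":
            utm_blocks[(r.get("subtype"), r.get("srcip"))] += 1
        elif r.get("type") == "traffic":
            if r.get("subtype") == "local" and r.get("action") == "deny":
                # Someone talked to the firewall itself and was refused.
                local_denies.append((r.get("srcip"), r.get("dstport")))
            bytes_by_src[r.get("srcip")] += (int(r.get("sentbyte", 0))
                                             + int(r.get("rcvdbyte", 0)))
    return {"utm_blocks": utm_blocks, "local_denies": local_denies,
            "bytes_by_src": bytes_by_src}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarize(recs))
```

The local_denies list is the one worth alerting on from a syslog collector: a deny against the firewall's own address on a management port is exactly the local traffic the Local Traffic Logging option records, and it is the first sign of someone probing the device rather than the hosts behind it.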
UTM logging, including IPS and anti-virus logs, must be enabled through the CLI.
1. Enable IPS logging.
RG-WALL #config ips sensor
RG-WALL(sensor) # edit httpserver
new entry'httpserver' added
RG-WALL(httpserver) # set log enable
RG-WALL(httpserver) # config entries
RG-WALL(entries) # edit 1
new entry'1' added
RG-WALL(1) # set log enable
RG-WALL(1) # set log-packet enable
RG-WALL(1) # end
If the CLI answers new entry '...' added, the name did not exist yet and a new, empty object is being created; to change the logging of the sensor or profile already applied in the policy, give exactly that name. log-packet additionally saves the packet that triggered each signature, which helps verify a detection but consumes log space.
2. Enable anti-virus logging.
RG-WALL #config antivirus profile
RG-WALL(profile) # edit default
RG-WALL(default) # set extended-utm-log enable
RG-WALL(default) # set av-virus-log enable
RG-WALL(default) # set av-block-log enable
RG-WALL (default) # end
3. Enable email filter logging.
RG-WALL #config spamfilter profile
RG-WALL(profile) # edit mymail
RG-WALL(mymail) # set extended-utm-log enable
RG-WALL(mymail) # end
4. Enable application control logging.
RG-WALL #config application list
RG-WALL(list) # edit office
new entry'office' added
RG-WALL(office) # set extended-utm-log enable
RG-WALL(office) # end
5. Enable anti-data-leakage logging.
RG-WALL #config dlp sensor
RG-WALL(sensor) # edit office
RG-WALL(office) # set extended-utm-log enable
RG-WALL(office) # end
Alert Email Configuration:
(1) Configuration of the mail server and sender address (on the Web UI or on the command line)
Method 1: Configuration on the Web UI (as shown in the following screenshot)
Method 2: Configuration on the command line
config system email-server //Enters the email server configuration.
set reply-to "sample@yahoo.com" //Reply-to (sender) address of the alert emails.
set server "mail.yahoo.com" //Outgoing SMTP server.
set authenticate enable //Enables SMTP authentication.
set username "sample" //User name for SMTP authentication.
set password xxxxxx //Password for SMTP authentication. It is saved in the configuration file, so use a dedicated mailbox account with no other privileges.
(2) Configuration of the recipient of alert messages (on the command line only)
config alertemail setting //Configures alert email sending settings.
set username "sample@yahoo.com" //Sender address shown on the alert emails.
set mailto1 "sample_receive@yahoo.com" //Recipient mailbox of the alert emails.
set filter-mode threshold //Send alerts by severity threshold rather than by selected categories.
I. Networking Requirements
A company performs trafficmanagement over intranet users. The egress bandwidth is restricted to 20 Mbps.
Manager: Traffic for 192.168.1.10is not restricted.
Staff: The total bandwidthfor 192.168.1.50-100 is restricted to 15 Mbps. Traffic of each employee cannot exceed1 Mbps.
IP phone and video: Thebandwidth for 192.168.1.20 is 3 Mbps to guarantee smooth video playing.
II. Network Topology
III. Configuration Tips
1. Basic configuration of the interfaces and routes for Internet access
2. Define the address object according to the IP address segments to berestricted.
3. Define the traffic shaper.
4. Configure the policy and enable traffic control.
Note: To control upload and download traffic, enable reverse flow control.Reverse flow control refers to controlling the flow in the downloading direction.After reverse flow control is enabled, upload and download traffic is separatelycontrolled.
IV. Configuration Steps
1. Basic configuration of the interfaces and routes for Internet access
For the detailed configuration process, see "Configuring Internet Access via a Static Link" under "Internet Access via a Single Line" in "Functions of Firewall".
IP address configuration of the interfaces is shown in the following figure:
2. Define the address object according to the IP address segments to be restricted.
Define three address objects:
manager: 192.168.1.10
sip: 192.168.1.20
staff: 192.168.1.50-100
Choose Firewall > Address > Address, and then click Create New.
a) Define the IP address of the leader's PC. Set Name to manager and set Subnet/IP Range to 192.168.1.10.
b) Define the IP address of SIP. Set Name to sip and set Subnet/IP Range to 192.168.1.20.
c) Define the IP address of the staff's PC. Set Name to staff and set Subnet/IP Range to 192.168.1.50-100.
3. Define the traffic shaper.
Choose Firewall > Traffic Shaper > Shared, and then click Create New.
a) Create a 15 Mbps shared traffic shaper.
Name: It is user-defined for identification.
Apply Shaper: Set how the flow control script is applied by the policy.
Per Policy: Each policy that uses the traffic shaper controls flow independently. For example, if 10 policies use the 15 Mbps flow control script, each policy can use 15 Mbps bandwidth.
For All Policies Using This Shaper: All the policies using this script control flows together. For example, if 10 policies use the 15 Mbps flow control script, all the users of these policies share 15 Mbps bandwidth.
That is, the maximum traffic used by the 10 policies together is 15 Mbps.
Traffic Priority:
The firewall interface defines six FIFO queues, among which queue 0 has the highest priority while queue 5 has the lowest priority.
Queue 0 is used for firewall management and VPN negotiation. All the traffic sent or received by the firewall itself is automatically put into queue 0 and forwarded first.
For traffic forwarded by the firewall under a policy with a traffic shaper enabled, the priority is classified into high, medium, and low levels. Traffic with the high level is forwarded by the firewall first. The high, medium, and low priority levels correspond to queues 1, 2, and 3:
High (queue 1), medium (queue 2), low (queue 3).
Traffic priorities can be classified by service type. Set priorities of services such as VoIP to high, priorities of HTTP, POP3, SNTP, and OA services to medium, and priorities of other services to low.
If the priority level is not specified in the policy, the priority is high by default.
Maximum Bandwidth:
It indicates the maximum bandwidth that is allowed by the policy, and the unit is Kbps. When the traffic exceeds the threshold, the data packets that exceed the threshold will be discarded. Setting this value to 0 indicates that the maximum bandwidth is not restricted.
Guaranteed Bandwidth:
It indicates the bandwidth guaranteed by the policy. When the traffic is lower than the guaranteed bandwidth, data packets will be put into queue 0. That is, data packets will be forwarded first, thus ensuring that the service always receives at least this bandwidth. Setting the parameter for non-critical business is not recommended.
When the policy bandwidth is between the guaranteed bandwidth and the maximum bandwidth, data packets are forwarded according to the priority defined in the policy.
DSCP: It determines whether to use the differentiated services code point (DSCP), which is used to configure point-to-point QoS services on the entire network.
b) Create a 3 Mbps traffic shaper for voice and video.
c) Create a 1 Mbps per-IP traffic shaper.
Choose Firewall > Traffic Shaper > Per-IP.
Name: It is user-defined.
Maximum Bandwidth: It indicates the maximum bandwidth used by each IP address. It is the sum of the upstream and downstream traffic. Set it to 1000 Kbps.
Maximum Concurrent Connections: It indicates the maximum number of connections that can be initiated by each user in the policy. If the maximum number of connections is exceeded, users cannot create a new connection.
Forward DSCP: It determines whether to use DSCP, which is used to configure point-to-point QoS services on the entire network.
Reverse DSCP: It determines whether to use DSCP, which is used to configure point-to-point QoS services on the entire network.
4. Configure policies and enable traffic control.
a) Add a policy for leaders to access the Internet without any restriction.
b) Add a policy for SIP to use the traffic shaping policy.
c) Add a policy for the staff to access the Internet.
Note: Reverse Direction Traffic Shaping: This option is used to control the download traffic. After you enable it, the upload and download traffic is separately controlled. The upload and download rates are respectively 15 Mbps. If you disable this option, the sum of upload and download rates is 15 Mbps.
V. Verification
Download via FTP or observe the rate via speedtest. If you choose Per-IP Traffic Shaping, the sessions that exceed the limit are blocked and you cannot access the Internet. According to a test, the rate is 4-6 Mbps when Per-IP Traffic Shaping is disabled; the rate is lowered to around 1 Mbps when Per-IP Traffic Shaping is enabled.
VI. Notes
Q: Because per-IP shaping does not restrict upload and download rates separately, is there any problem during actual application?
A: Generally, there is no problem. In the preceding example, upload and download rates are not restricted separately.
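To make the shaper semantics above concrete (Per Policy versus For All Policies Using This Shaper, and the per-IP cap on top of the shared cap), here is an added token-bucket model. It is example code written for this cookbook page, not Ruijie's implementation: packet size, the 100 ms tick and the five staff hosts each offering 4 Mbps are constructed assumptions, and admission inside a tick is first-come-first-served rather than the priority queues the firewall uses.

```python
from collections import defaultdict

# Constructed model parameters: 1500-byte packets and a 100 ms scheduler tick.
PACKET_BITS = 1500 * 8
TICK_MS = 100


class TokenBucket:
    """A shaper's maximum bandwidth: the bucket holds one tick's worth of bits."""

    def __init__(self, rate_kbps):
        self.capacity = rate_kbps * TICK_MS  # kbit/s * ms = bits per tick
        self.tokens = self.capacity

    def refill(self):
        self.tokens = self.capacity

    def admit(self, bits):
        """True if the packet fits the remaining budget; otherwise it is discarded."""
        if bits > self.tokens:
            return False
        self.tokens -= bits
        return True


def simulate(offered, policy_of, shared_kbps, apply_mode, per_ip_kbps=0, seconds=1):
    """Run the shaper model for `seconds` and return the achieved rate per host (kbps).

    offered:     {host: kbps the host tries to send} (constructed load)
    policy_of:   {host: policy name}; the host reaches the shared shaper via that policy
    apply_mode:  "per_policy"   -> every policy gets its own shared_kbps budget
                 "all_policies" -> one budget shared by all policies using the shaper
    per_ip_kbps: 0 disables the per-IP shaper, otherwise each host also gets this cap
    """
    shared = defaultdict(lambda: TokenBucket(shared_kbps))
    per_ip = {h: TokenBucket(per_ip_kbps) for h in offered} if per_ip_kbps else {}
    delivered = defaultdict(int)
    for _ in range(seconds * 1000 // TICK_MS):
        for bucket in list(shared.values()) + list(per_ip.values()):
            bucket.refill()
        for host, kbps in offered.items():
            key = policy_of[host] if apply_mode == "per_policy" else "shaper"
            for _ in range(kbps * TICK_MS // PACKET_BITS):
                if host in per_ip and not per_ip[host].admit(PACKET_BITS):
                    continue  # per-IP maximum reached: packet dropped
                if shared[key].admit(PACKET_BITS):
                    delivered[host] += PACKET_BITS
    return {h: delivered[h] / (seconds * 1000) for h in offered}


# Five staff PCs from the 192.168.1.50-100 range, each offering 4 Mbps (constructed).
STAFF = {f"192.168.1.{50 + i}": 4000 for i in range(5)}
STAFF_POLICY = {h: "staff" for h in STAFF}


def staff_with_per_ip():
    """Policy c): the 15 Mbps shared shaper plus the 1000 Kbps per-IP shaper."""
    return simulate(STAFF, STAFF_POLICY, 15000, "all_policies", per_ip_kbps=1000)


def staff_shared_only():
    """The same load with only the 15 Mbps shared shaper."""
    return simulate(STAFF, STAFF_POLICY, 15000, "all_policies")


def two_policies(apply_mode):
    """Six hosts split over two policies that both use the 15 Mbps shaper."""
    hosts = {f"192.168.1.{50 + i}": 4000 for i in range(6)}
    policy = {h: ("staff-a" if i < 3 else "staff-b") for i, h in enumerate(hosts)}
    return simulate(hosts, policy, 15000, apply_mode)


if __name__ == "__main__":
    for name, result in [("per-IP 1000 Kbps", staff_with_per_ip()),
                         ("shared 15 Mbps only", staff_shared_only()),
                         ("Per Policy", two_policies("per_policy")),
                         ("For All Policies", two_policies("all_policies"))]:
        print(f"{name}: total {sum(result.values()):.0f} kbps, per host {result}")
```

With the per-IP shaper each host settles at roughly 1 Mbps (960 kbps here because of packet granularity) no matter how much it offers; with only the shared shaper the first hosts in the tick take everything up to 15 Mbps and the last one starves, which is why the cookbook combines both. The two-policy run shows that Per Policy lets two policies on the same 15 Mbps shaper exceed 15 Mbps in total, while For All Policies keeps the aggregate at 15 Mbps.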
M5100 Switching Interface
The M5100 has 48 switching interfaces. One or more of the LAN interfaces can be split into independent routing interfaces as needed. Compared with the S3100 and S3600, the M5100 is used more flexibly.
You can split the switching interfaces of the M5100 on the Web interface or CLI. It is recommended that you perform the configuration on the Web interface.
After logging in to the M5100, you can only view LAN interfaces, but not specific switching interfaces.
Method 1: Configuration via Web Interface
1) Set the routing interface
Step 1: Choose the System > Network > Interface menu, and click Edit Interface.
Step 2: For an interface that will be split into independent routing interfaces, click the small X after it, and click OK.
2) Cancel routing interfaces, and return them to the lan switching interface
Step 1: Choose the System > Network > Interface > Edit Interface menu, and click the .
Step 2: Select the interfaces that will be returned to the switching interface, and click OK.
A lan interface cannot be deleted on the Web interface, and it comprises at least two physical interfaces (as an integral part of the lan interface, the remaining two interfaces cannot be removed).
Method 2: Configurations via CLI
Step 1. Delete the internal associated interfaces
To split an internal interface into multiple independent routing interfaces, you need to delete all configurations associated with the internal interface. Otherwise, the system displays the following error prompt:
intf lan is used
The associated configurations to be deleted include the following content:
(1) Firewall policy: For example, the internal interface is configured as a source or destination interface.
(2) Static route: Delete the route entries related to the internal interface.
(3) DHCP service.
(4) IPsec and VIP.
(5) Address objects.
Check command:
RG-WALL # diagnose sys checkused system.interface.name lan // Check the use of the internal interface in the configurations.
entry used by table system.dhcp.server:id '1'
entry used by child table srcintf:name 'lan' of table firewall.policy:policyid '1'
Delete the associated configurations one by one according to the above results.
Step 2: Switch the working mode of the internal interface
Before performing the switching operation, it is recommended that you upgrade the current version to P2. If you perform the switching operation under the P1 version, you need to enter print cliovrdenabl4e and press Enter; after logging in and then logging out, execute the following command.
You can execute the following command to switch the working mode of the internal interface:
RG-WALL #config system virtual-switch
RG-WALL(virtual-switch) #delete lan
RG-WALL(virtual-switch) #end
Step 3. Verification
After interface switching is complete, log in to the network interface configuration page. Then, you can see that all lan interfaces are split into routing interfaces.
Application Scenarios
Port aggregation is supported by high-end devices, but not supported by the S3100 and S3600.
1. When bandwidth is limited, it can be expanded to n times that of the original links via logical aggregation;
2. If links need to be backed up dynamically, link aggregation can be configured to ensure that the member ports in the same aggregation group are dynamically backed up by each other.
LACP Modes
LACP ports support the following modes: static, passive and active.
Static: The aggregation group is configured manually; the system is not allowed to automatically add or delete any manual or static aggregated port.
Passive: A port in passive mode will not actively send LACPDU packets, and enters a protocol computation state after receiving the LACP packets sent by the peer.
Active: A port in active mode will actively send LACPDU packets to the peer to perform LACP computation.
It is recommended that one of the two interconnected devices should be active and the other should be passive.
Configuration Steps
Step 1: Add aggregated ports
In the configuration page, choose the System > Network > Interface > Create New menu.
Type: 802.3ad aggregation; select Physical Interface;
Step 2: Modify the LACP
RG-WALL #config system interface
RG-WALL(interface) # edit lacp
RG-WALL(lacp) # set lacp-mode static // Configure the mode of LACP negotiation: active, passive or static (dynamic by default)
RG-WALL(lacp) # set algorithm L3 // Load balancing algorithm. L3: hash algorithm based on IP addresses; L4: hash algorithm based on Layer 4
RG-WALL(lacp) # end
After the configuration is complete, check the configuration of the aggregated ports, and check the established soft switching interface on the interface configuration page.
Note: The corresponding physical ports will disappear on the Web interface and CLI, and are not configurable.
Execute the command below to check the configuration:
RG-WALL #show system interface lacp
config system interface
edit "lacp"
set vdom "root"
set type aggregate
set member "port13" "port14"
set description " "
set snmp-index 51
set lacp-mode static
set algorithm L3
next
end
The commands above show the equivalent CLI configuration, for reference.
Verification
RG-WALL #diagnose netlink aggregate list
List of 802.3ad link aggregation interfaces:
1 name lacp status up algorithm L3 lacp-mode static
RG-WALL #diagnose netlink aggregate name lacp
LACP flags: (A|P)(S|F)(A|I)(I|O)(E|D)(E|D)
(A|P) - LACP mode is Active or Passive
(S|F) - LACP speed is Slow or Fast
(A|I) - Aggregatable or Individual
(I|O) - Port In sync or Out of sync
(E|D) - Frame collection is Enabled or Disabled
(E|D) - Frame distribution is Enabled or Disabled
status: up
npu: y
flush: n
asic helper: y
oid: 135
ports: 2
ha: master
distribution algorithm: L4
LACP mode: active
LACP speed: slow
LACP HA: enable
aggregator ID: 1
actor key: 17
actor MAC address: 14:14:4b:7e:e1:69
partner key: 17
partner MAC address: 14:14:4b:7e:e1:67
slave: port13
link status: up
link failure count: 0
permanent MAC addr: 14:14:4b:7e:e1:69
LACP state: established
actor state: ASAIEE // Local status
actor port number/key/priority: 1 17 255
partner state: ASAIEE // Peer status
partner port number/key/priority: 1 17 255
partner system: 65535 14:14:4b:7e:e1:67
aggregator ID: 1
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: COLLECTING_DISTRIBUTING 4
slave: port14
link status: up
link failure count: 0
permanent MAC addr: 14:14:4b:7e:e1:68
LACP state: established
actor state: ASAIEE
actor port number/key/priority: 2 17 255
partner state: ASAIEE
partner port number/key/priority: 2 17 255
partner system: 65535 14:14:4b:7e:e1:67
aggregator ID: 1
speed/duplex: 1000 1
RX state: CURRENT 6
MUX state: COLLECTING_DISTRIBUTING 4
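The six-letter actor and partner state strings are the part of this output worth reading first, because a member that is out of sync or not collecting and distributing silently halves the aggregate. The helper below is an added example (not Ruijie's tooling) that decodes the state string per the legend above and checks the whole output for a healthy aggregate; the two sample outputs are constructed from the format shown here, with the degraded one invented to show the failure case.

```python
import re

# Meaning of each position in the six-letter LACP state string, in the order of
# the "LACP flags" legend printed by diagnose netlink aggregate name.
LACP_FLAGS = (
    ("mode", {"A": "Active", "P": "Passive"}),
    ("speed", {"S": "Slow", "F": "Fast"}),
    ("aggregation", {"A": "Aggregatable", "I": "Individual"}),
    ("sync", {"I": "In sync", "O": "Out of sync"}),
    ("collection", {"E": "Enabled", "D": "Disabled"}),
    ("distribution", {"E": "Enabled", "D": "Disabled"}),
)


def decode_state(state):
    """Translate e.g. 'ASAIEE' into {'mode': 'Active', 'speed': 'Slow', ...}."""
    if len(state) != len(LACP_FLAGS):
        raise ValueError(f"expected six flag letters, got {state!r}")
    decoded = {}
    for letter, (name, meanings) in zip(state, LACP_FLAGS):
        if letter not in meanings:
            raise ValueError(f"invalid letter {letter!r} in position {name}")
        decoded[name] = meanings[letter]
    return decoded


def port_is_forwarding(state):
    """A member carries traffic only when in sync and both collecting and distributing."""
    d = decode_state(state)
    return (d["sync"] == "In sync" and d["collection"] == "Enabled"
            and d["distribution"] == "Enabled")


# "key: first-token" on a line; the key may contain spaces and slashes.
FIELD = re.compile(r"^\s*([\w /]+?):[ \t]*(\S+)", re.M)


def check_aggregate(output):
    """Return the problems found in 'diagnose netlink aggregate name' output (empty = healthy)."""
    problems = []
    header, *slaves = re.split(r"^slave:\s*", output, flags=re.M)
    head = dict(FIELD.findall(header))
    if head.get("status") != "up":
        problems.append(f"aggregate status is {head.get('status')}")
    expected_ports = int(head.get("ports", len(slaves)))
    if expected_ports != len(slaves):
        problems.append(f"expected {expected_ports} member ports, found {len(slaves)}")
    for block in slaves:
        port = block.split("\n", 1)[0].strip()
        fields = dict(FIELD.findall(block))
        if fields.get("link status") != "up":
            problems.append(f"{port}: link status is {fields.get('link status')}")
        if fields.get("LACP state") != "established":
            problems.append(f"{port}: LACP state is {fields.get('LACP state')}")
        for side in ("actor", "partner"):
            state = fields.get(f"{side} state")
            try:
                ok = state is not None and port_is_forwarding(state)
            except ValueError:
                ok = False
            if not ok:
                problems.append(f"{port}: {side} state {state} is not collecting/distributing")
    return problems


# Constructed sample modelled on the output above: both members established.
HEALTHY = """\
status: up
ports: 2
LACP mode: active
slave: port13
link status: up
LACP state: established
actor state: ASAIEE
partner state: ASAIEE
slave: port14
link status: up
LACP state: established
actor state: ASAIEE
partner state: ASAIEE
"""

# Constructed degraded case: port14 lost link and neither side collects or distributes.
DEGRADED = """\
status: up
ports: 2
LACP mode: active
slave: port13
link status: up
LACP state: established
actor state: ASAIEE
partner state: ASAIEE
slave: port14
link status: down
LACP state: established
actor state: ASAODD
partner state: ASAODD
"""

if __name__ == "__main__":
    print(decode_state("ASAIEE"))
    print("healthy:", check_aggregate(HEALTHY))
    print("degraded:", check_aggregate(DEGRADED))
```

Feed it the real output of `diagnose netlink aggregate name lacp` and an empty list means every member is up, established and forwarding on both ends; anything else names the member and the side (actor or partner) that needs attention.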
Choose System > Dashboard > Status. Click Widget, and then click Features. See the following figure:
The following feature widgets are added. Click the button next to IPv6 to enable IPv6 configuration on the Web page. Click Apply.
Networking Requirements
The Intranet uses the IPv6 network. The RG-WALL firewall, as the Internet border access device of the Intranet, enables Internet access.
The wan1 interface is connected to the Internet access service provider of the IPv6 network.
The internal interface is connected to the IPv6 Intranet.
Network Topology
Configuration Tips
1. Configure IP addresses of interfaces.
2. Configure a route.
3. Configure the policy.
4. Configure UTM and flow control.
Configuration Steps
1. Configure IP addresses of interfaces.
2. Configure a route.
config router static6
edit 1
set gateway 2001:aa:1::10
set device "wan1"
next
end
3. Configure the policy.
Define the IP address.
Choose Firewall > Address > Address, click Create New, and then choose IPv6 Address, as shown in the following figure:
Edit address lan. The IPv6 address is 2001:bb:1::1/48. See the following figure:
Define the IPv6 policy.
Define the policy to allow Intranet users to access the IPv6 network, as shown in the following figure:
4. Configure UTM and flow control.
Add the UTM and flow control functions to the policy configuration. See the following figure:
Verification
The user can access the Internet successfully.
Networking Requirements
The Intranet uses the IPv6 network. The RG-WALL firewall, as the Internet access border of the Intranet, enables Internet access by NAT64.
The wan1 interface is connected to the Internet access service provider of the IPv4 network.
The internal interface is connected to the IPv6 Intranet.
Network Topology
Configuration Tips
1. Configure IP addresses of interfaces.
2. Configure a route.
3. Configure the address pool.
4. Configure the policy.
5. Configure the DNS64.
6. Configure the PC.
Configuration Steps
1. Configure IP addresses of interfaces.
Choose System > Network > Interface > Edit Interface, as shown in the following figure:
config system interface
edit "internal"
set vdom "root"
set ip 192.168.1.200 255.255.255.0
set allowaccess ping https ssh http
set type physical
set description " "
set snmp-index 1
config ipv6
set ip6-address 2001:aa:1::10/48
set ip6-send-adv enable
config ip6-prefix-list
edit 2001:db8:1::/48
set autonomous-flag enable
set onlink-flag enable
next
end
end
Edit the wan1 interface:
2. Configure a route.
Choose Router > Static > Static Route, and then click Create New, as shown in the following figure:
Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0.
Device: Choose wan1, which is associated with this route. It must be set correctly. Otherwise, the route cannot work.
Gateway: The IP address of the next hop, that is, the IP address of the peer carrier device.
Distance: The default value is 10. The route with a shorter distance will be written into the routing table.
Priority: The default value is 0. The route with a smaller value is used preferably.
3. Configure the address pool.
IPv4 address pool
config firewall ippool
edit "ippool64"
set startip 192.168.118.88
set endip 192.168.118.90
next
end
Configure the IPv6 address prefix in NAT64.
config system nat64
set status enable
set nat64-prefix 64:ff9b::/96
end
4. Configure the policy.
Choose System > Firewall > Policy > NAT64 Policy, as shown in the following figure:
The CLI configuration is as follows:
config firewall policy64
edit 1
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "all"
set action accept
set schedule "always"
set service "ALL"
set ippool enable
set poolname "ippool64"
next
end
5. Configure the DNS64.
IPv6 Intranet users initiate an AAAA record query. The DNS64 (FGT) proxy server requests the A record on the IPv4 network. After receiving the A record response, the DNS64 server converts the A record to an AAAA record and returns it to the users.
config system nat64
set status enable
set nat64-prefix 64:ff9b::/96
set always-synthesize-aaaa-record enable //Enabled by default.
end
config system dns-server //The Intranet interface is used as the DNS proxy.
edit "internal"
set mode forward-only
next
end
config system dns //Set the DNS server for the system.
set primary 8.8.8.8
end
6. Configure the PC.
The DNS server address is the IP address of the internal interface. The RG-WALL firewall acts as the DNS proxy server.
Verification
Ping the IP address 8.8.8.8. The prefix of NAT64 is 64:ff9b. Convert the IPv4 address 8.8.8.8 into hexadecimal: 0808:0808.
C:\Users\Administrator>ping -6 64:ff9b::0808:0808
Pinging 64:ff9b::808:808 with 32 bytes of data:
Reply from 64:ff9b::808:808: Time = 63 ms
Reply from 64:ff9b::808:808: Time = 63 ms
Ping www.baidu.com.
C:\Users\Administrator>ping -6 www.baidu.com
Pinging www.a.shifen.com [64:ff9b::774b:d96d] with 32 bytes of data:
Reply from 64:ff9b::774b:d96d: Time = 2 ms
Reply from 64:ff9b::774b:d96d: Time = 1 ms
Use a domain name to access the IPv4 Internet through a browser.
id=13 trace_id=142 msg="vd-root received a packet(proto=58,2001:bb:1::10:1->64:ff9b::808:808:128) from internal."
id=13 trace_id=142 msg="vd-root received a packet(proto=58,2001:bb:1::10:1->64:ff9b::808:808:128) from internal."
id=13 trace_id=142 msg="allocate a new session-0000184e"
id=13 trace_id=142 msg="find a route: gw-fe80::a5b:eff:fe6f:f7a6 via wan1 err 0 flags 00000003"
id=13 trace_id=142 msg="Check policy between internal -> wan1"
id=13 trace_id=142 msg="Allowed by Policy-1:"
id=13 trace_id=143 msg="vd-root received a packet(proto=58,64:ff9b::808:808:1->2001:bb:1::10:129) from wan1."
id=13 trace_id=143 msg="Find an existing session, id-0000184e, reply direction"
id=13 trace_id=143 msg="vd-root received a packet(proto=58,64:ff9b::808:808:1->2001:bb:1::10:129) from wan1."
id=13 trace_id=143 msg="Find an existing session, id-0000184e, reply direction"
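The ping test above depends on the RFC 6052 rule that turns 8.8.8.8 into 64:ff9b::808:808, and the same rule is what DNS64 applies when it synthesizes an AAAA record from an A record. The helper below is an added example (not Ruijie's code) that builds and decodes such addresses for the 64:ff9b::/96 prefix configured above; it works for any /96 NAT64 prefix, not only the well-known one, and it also flags the RFC 6052 caveat that the well-known prefix is reserved for global IPv4 addresses, so private ranges call for a network-specific prefix.

```python
import ipaddress

# The well-known prefix configured above with "set nat64-prefix 64:ff9b::/96".
NAT64_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize(ipv4, prefix=NAT64_PREFIX):
    """RFC 6052 /96 mapping: the IPv4 address becomes the low 32 bits of the IPv6 address."""
    if prefix.prefixlen != 96:
        raise ValueError("this helper handles /96 NAT64 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract(ipv6, prefix=NAT64_PREFIX):
    """Reverse mapping: recover the IPv4 destination from a synthesized IPv6 address."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        raise ValueError(f"{v6} is not inside the NAT64 prefix {prefix}")
    return ipaddress.IPv4Address(int(v6) & 0xFFFF_FFFF)


def dns64_answer(a_records, prefix=NAT64_PREFIX):
    """What DNS64 returns for an AAAA query when the name only has A records."""
    return [str(synthesize(a, prefix)) for a in a_records]


def wkp_allows(ipv4):
    """RFC 6052 section 3.1: 64:ff9b::/96 must only represent global IPv4 addresses."""
    return ipaddress.IPv4Address(ipv4).is_global


if __name__ == "__main__":
    print(synthesize("8.8.8.8"))            # the address pinged in the test above
    print(extract("64:ff9b::774b:d96d"))   # the address DNS64 returned for www.baidu.com
    print(dns64_answer(["119.75.217.109"]))
    print(wkp_allows("8.8.8.8"), wkp_allows("10.10.69.80"))
```

Decoding the low 32 bits this way is also how to read the 64:ff9b:: addresses that show up in `diagnose sys session list` output: the IPv4 side of each NAT64 session is right there in the last two hextets.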
Networking Requirements
Access the IPv6 internal server through the IPv4 network. Allow users to access the IPv6 internal server through 192.168.118.86.
Network Topology
Configuration Tips
1. Basic configuration for Internet access
2. Configure the virtual IP address (DNAT).
3. Configure the security policy.
4. Enable NAT64.
Configuration Steps
1. Basic configuration
Choose System > Network > Interface > Edit Interface, as shown in the following figure:
config system interface
edit "internal"
set vdom "root"
set ip 192.168.1.200 255.255.255.0
set allowaccess ping https ssh http
set type physical
set description " "
set snmp-index 1
config ipv6
set ip6-address 2001:aa:1::10/48
set ip6-send-adv enable
config ip6-prefix-list
edit 2001:db8:1::/48
set autonomous-flag enable
set onlink-flag enable
next
end
end
Edit the wan1 interface:
2. Configure a route.
Choose Router > Static > Static Route, and then click Create New, as shown in the following figure:
Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0.
Device: Choose wan1, which is associated with this route. It must be set correctly. Otherwise, the route cannot work.
Gateway: The IP address of the next hop, that is, the IP address of the peer carrier device.
Distance: The default value is 10. The route with a shorter distance will be written into the routing table.
Priority: The default value is 0. The route with a smaller value is used preferably.
3. Configure the virtual IP address (DNAT).
a) Choose Firewall > Virtual IP > NAT46 Virtual IP, as shown in the following figure:
b) Configure the virtual IP address, as shown in the following figure:
config firewall vip46
edit "webserver"
set extip 192.168.118.86
set mappedip 2001:aa:1::11
next
end
4. Configure the policy.
config firewall policy46
edit 1
set srcintf "wan1"
set dstintf "internal"
set srcaddr "all"
set dstaddr "webserver" // vip46
set schedule "always"
set service "all"
next
end
5. Enable NAT64.
config system nat64
set status enable
end
Verification
The user can access https://192.168.118.86 successfully.
View the session:
RG-WALL #diagnose sys session list
session info: proto=6 proto_state=05 duration=1 expire=0 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=may_dirty npu nlb
statistic(bytes/packets/allow_err): org=820/6/1 reply=389/6/1 tuples=2
orgin->sink: org pre->org, reply nataf->post dev=5->3/3->5 gwy=192.168.118.86/0.0.0.0
hook=pre dir=org act=dnat 10.10.69.80:55035->192.168.118.86:443(192.168.118.86:443)
hook=post dir=reply act=snat 192.168.118.86:443->10.10.69.80:55035(192.168.118.86:443)
hook=5 dir=org act=noop 64:ff9b::a0a:4550:55035 ->2001:aa:1::11:443(:::0)
hook=6 dir=reply act=noop 2001:aa:1::11:443 ->64:ff9b::a0a:4550:55035(:::0)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0000a00d tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0/0
Networking Requirements
Map the server (IP address: 192.168.118.1) on the IPv4 network to 2001:aa:1::20 on the IPv6 network.
Network Topology
Configuration Tips
1. Basic configuration
2. Configure the virtual IP address (DNAT).
3. Configure the security policy.
4. Enable NAT64.
Configuration Steps
1. Basic configuration
Choose System > Network > Interface > Edit Interface, as shown in the following figure:
config system interface
edit "internal"
set vdom "root"
set ip 192.168.1.200 255.255.255.0
set allowaccess ping https ssh http
set type physical
set description " "
set snmp-index 1
config ipv6
set ip6-address 2001:aa:1::10/48
set ip6-send-adv enable
config ip6-prefix-list
edit 2001:db8:1::/48
set autonomous-flag enable
set onlink-flag enable
next
end
end
Edit the wan1 interface:
2. Configure a route.
Choose Router > Static > Static Route, and then click Create New, as shown in the following figure:
Destination IP/Mask: Keep the default value 0.0.0.0/0.0.0.0.
Device: Choose wan1, which is associated with this route. It must be set correctly. Otherwise, the route cannot work.
Gateway: The IP address of the next hop, that is, the IP address of the peer carrier device.
Distance: The default value is 10. The route with a shorter distance will be written into the routing table.
Priority: The default value is 0. The route with a smaller value is used preferably.
3. Configure the virtual IP address (DNAT).
a) Choose Firewall > Virtual IP > NAT46 Virtual IP, as shown in the following figure:
b) Configure the virtual IP address, as shown in the following figure:
config firewall vip64
edit "v4server"
set extip 2001:aa:1::20
set mappedip 192.168.118.1
next
end
4. Configure the policy.
config firewall policy64
edit 2
set srcintf "internal"
set dstintf "wan1"
set srcaddr "all"
set dstaddr "v4server"
set action accept
set schedule "always"
set service "ALL"
next
end
5. Enable NAT64.
config system nat64
set status enable
end
Verification
Telnet 2001:aa:1::20.
View the session:
RG-WALL #diagnose sys session list
session info: proto=6 proto_state=01 duration=2 expire=3598 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 policy_dir=0 tunnel=/
state=npu
statistic(bytes/packets/allow_err): org=510/11/1 reply=669/15/1 tuples=2
orgin->sink: org nataf->post, reply pre->org dev=16->5/5->16 gwy=0.0.0.0/192.168.118.25
hook=5 dir=org act=noop 192.168.118.25:59531->192.168.118.1:23(0.0.0.0:0)
hook=6 dir=reply act=noop 192.168.118.1:23->192.168.118.25:59531(0.0.0.0:0)
hook=pre dir=org act=dnat 2001:aa:1::1:55303 ->2001:aa:1::20:23(64:ff9b::c0a8:7601:23)
hook=post dir=reply act=snat 64:ff9b::c0a8:7601:23 ->2001:aa:1::1:55303(2001:aa:1::20:23)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=2 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=0000b2d2 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_mode=0
npu_state=00000000
npu info: flag=0x00/0x00, offload=0/0, ips_offload=0/0, epid=0/0, ipid=0/0, vlan=0/0
Networking Requirements
Use OSPFv3 on the IPv6 network.
Network Topology
Configuration Tips
RGW1
1) Configure the basic Internet access function.
2) Configure OSPFv3.
RGW2
1) Configure Internet access through NAT64.
2) Configure OSPF.
Configuration Steps
RGW1
Configure the basic Internet access function. See section 1.1.2 "Internet Access Configuration" in section 6.1 "IPv6 Configuration".
config system interface
edit "internal"
config ipv6
set ip6-allowaccess ping https http
set ip6-address 2001:bb:1::1/48
next
edit "wan1"
config ipv6
set ip6-allowaccess ping https
set ip6-address 2001:aa:1::1/48
next
end
Configure OSPFv3.
RG-WALL #show router ospf6
config router ospf6
set router-id 192.168.1.200 //Specify the router ID.
config area
edit 0.0.0.0 //Configure area 0.
next
end
config ospf6-interface
edit "wan1" //The interface name can be self-defined.
set interface "wan1" //Enable OSPFv3 for the wan1 interface.
next
end
config redistribute "connected" //Redistribute the directly connected routes.
set status enable
end
config redistribute "static"
end
RGW2
Configure the NAT64 Internet access function. For details, see section 6.1.3 "NAT64&DNS64" in section 6.1 "IPv6 Configuration".
config system interface
edit "internal"
config ipv6
set ip6-allowaccess ping https telnet
set ip6-address 2001:aa:1::10/48
next
edit "wan1"
set vdom "root"
set ip 192.168.118.25 255.255.255.0
set allowaccess ping https
set type physical
set description " "
set snmp-index 2
next
end
Configure OSPFv3.
config router ospf6
set default-information-originate always //Distribute a default route to the OSPF neighbor RGW1.
set router-id 192.168.1.99 //Set the router ID.
config area //Configure area 0.0.0.0.
edit 0.0.0.0
next
end
config ospf6-interface //Enable OSPF for the internal interface.
edit "internal" //The interface name can be self-defined.
set interface "internal"
next
end
end
Verification
View OSPF neighbors.
RG-WALL #get router info6 ospf neighbor
OSPFv3 Process (*null*)
Neighbor ID Pri State Dead Time Interface Instance ID
192.168.1.99 1 Full/Backup 00:00:34 wan1 0
View the routing table of RGW1.
RG-WALL #get router info6 routing-table
IPv6 Routing Table
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
I - IS-IS, B - BGP
* - candidate default
Timers: Uptime
O*E2 ::/0 [110/1] via fe80::a5b:eff:fe6f:f7a6, wan1, 00:20:29 //Learned default route.
C ::1/128 via ::, root, 02:21:41
C 2001:aa:1::/48 via ::, wan1, 02:13:38
C 2001:bb:1::/48 via ::, internal, 01:58:51
RGW1 can access IPv4 Internet through RGW2.
Commands for reference:
RG-WALL # diag sni p any 'host 2001:aa:1::10' 4 //Based on the IPv6 address
interfaces=[any]
filters=[host 2001:aa:1::10]
1.389573 internal in 2001:bb:1::10 -> 2001:aa:1::10: icmp6: echo request seq 415
1.389692 wan1 out 2001:bb:1::10 -> 2001:aa:1::10: icmp6: echo request seq 415
1.389912 wan1 in 2001:aa:1::10 -> 2001:bb:1::10: icmp6: echo reply seq 415
1.389983 internal out 2001:aa:1::10 -> 2001:bb:1::10: icmp6: echo reply seq 415
2.391299 internal in 2001:bb:1::10 -> 2001:aa:1::10: icmp6: echo request seq 416
2.391426 wan1 out 2001:bb:1::10 -> 2001:aa:1::10: icmp6: echo request seq 416
2.391671 wan1 in 2001:aa:1::10 -> 2001:bb:1::10: icmp6: echo reply seq 416
2.391735 internal out 2001:aa:1::10 -> 2001:bb:1::10: icmp6: echo reply seq 416
8 packets received by filter
0 packets dropped by kernel
RG-WALL # diag sni p any icmp6 42 //Based on ICMPv6
interfaces=[any]
filters=[icmp6]
1.410860 internal in 2001:bb:1::10 -> 2001:aa:1::10: icmp6: echo request seq 431
1.410986 wan1 out 2001:bb:1::10 -> 2001:aa:1::10: icmp6: echo request seq 431
RG-WALL # diagnose sys session6 list
session6 info: proto=17 proto_state=01 duration=0 expire=179 timeout=0 flags=00000000 sockport=0 sockflag=0 use=3
origin-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 787Bps)
reply-shaper=shared-1M-pipe prio=2 guarantee 0Bps max 131072Bps traffic 787Bps)
per_ip_shaper=
ha_id=0
policy_dir=0 tunnel=/
state=may_dirty os rs
statistic(bytes/packets/allow_err): org=83/1/0 reply=276/1/0 tuples=2
orgin->sink: org pre->post, reply pre->post dev=3->5/5->3
hook=pre dir=org act=noop 2001:bb:1::10:57194 ->2001:aa:1::10:53(:::0)
hook=post dir=reply act=noop 2001:aa:1::10:53 ->2001:bb:1::10:57194(:::0)
misc=0 policy_id=1 auth_info=0 chk_client_info=0 vd=0 serial=000003f1
npu_state=00000000
RG-WALL #diagnose sys session6 full-stat
session table: table_size=131072 max_depth=1 used=188
misc info: session_count=94 setup_rate=20 exp_count=0 clash=0
memory_tension_drop=0 ephemeral=0/0 removeable=0
delete=0, flush=0, dev_down=0/0
TCP sessions:
19 in ESTABLISHED state
debug flow command
diagnose debug enable
diagnose deb flow filter6 proto 1
diagnose deb flow show con en
diagnose deb flow show con enable
dia deb flow trace start6 10
Overview
When the firewall is deployed, the firewall often receives data packets but does not forward them. You can run the diagnose debug flow command to track the processing procedure of data packets. Specifically, you can clearly view the processing procedure of data packets in each functional module, thus judging how the data packets are forwarded or discarded.
Command Description
diagnose debug enable: Enable the debugging function.
diagnose debug flow show console enable: Begin to output the flow.
diagnose debug flow filter addr 119.253.62.131: Customize the filters; diverse filtering modes are supported, and you can add multiple combinations of filters.
diagnose debug flow filter: View the filter configurations.
diagnose debug flow trace start 6: Define the number of data packets to be tracked.
Filtering Parameters
RG-WALL# diagnose deb flow filter
addr IP address. // IP address
clear Clear filter. // Clear the filter
daddr Destination IP address. // Destination address
dport Destination port. // Destination port
negate Inverse filter. // Reverse filtering
port port // Interface, for example, port1
proto Protocol number. // Protocol, for example, 6 (TCP), 17 (UDP), and 1 (ICMP)
saddr Source IP address. // Source address
sport Source port. // Source port
vd Index of virtual domain. // vdom
Analysis Examples
RG-WALL# id=36871 trace_id=1 msg="vd-root received a packet(proto=6, 192.168.1.110:51661->119.253.62.131:80) from internal."
id=36871 trace_id=1 msg="allocate a new session-00016920" // The internal interface receives data, and a new session is set up.
id=36871 trace_id=1 msg="find a route: gw-192.168.118.1 via wan1" // Look up the routing table
id=36871 trace_id=1 msg="find SNAT: IP-192.168.118.28, port-43333" // Detect the NAT configuration
id=36871 trace_id=1 msg="Allowed by Policy-1: SNAT" // Matching policy, ID 1
id=36871 trace_id=1 msg="SNAT 192.168.1.110->192.168.118.28:43333" // Conduct NAT
id=36871 trace_id=3 msg="vd-root received a packet(proto=6, 119.253.62.131:80->192.168.118.28:43333) from wan1." // The wan1 port receives the returned data packets.
id=36871 trace_id=3 msg="Find an existing session, id-00016920, reply direction" // The data packet matches the session ID 00016920.
id=36871 trace_id=3 msg="DNAT 192.168.118.28:43333->192.168.1.110:51661" // Conduct reverse DNAT
id=36871 trace_id=3 msg="find a route: gw-192.168.1.110 via internal" // Find the route, and send the packet to the internal interface
id=36871 trace_id=5 msg="vd-root received a packet(proto=6, 192.168.1.110:51661->119.253.62.131:80) from internal." // The internal interface receives subsequent data packets.
id=36871 trace_id=5 msg="Find an existing session, id-00016920, original direction" // Match the session ID 00016920
id=36871 trace_id=5 msg="enter fast path" // Direct forwarding
id=36871 trace_id=5 msg="SNAT 192.168.1.110->192.168.118.28:43333" // NAT
Example: The policy denies the access
RG-WALL# id=36871 trace_id=23 msg="vd-root received a packet(proto=6, 192.168.1.110:51768->119.253.62.131:80) from internal."
id=36871 trace_id=23 msg="allocate a new session-00017537"
id=36871 trace_id=23 msg="find a route: gw-192.168.118.1 via wan1"
id=36871 trace_id=23 msg="Denied by forward policy check" // The data packet is directly denied by the policy; check the policy configuration.
Common debug flow results:
No policy is available, or no policy matches the data packet, so the data packet is discarded: msg="iprope_in_check() check failed, drop"
The data packet is denied by a policy, or hits the implicit deny policy, so the data packet is denied: msg="Denied by forward policy check"
The reverse path check fails, so the data packet is discarded: msg="reverse path check fail, drop"
The session is processed by a session helper: msg="run helper-ftp(dir=original)"
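The verdict strings above are what an engineer looks for when reading debug flow output by hand. The following Python script is an added example (not Ruijie's own tooling) that groups captured debug flow lines by trace_id and reports, per trace, the packet 5-tuple, any NAT applied, and which of the documented outcomes was hit; the sample output it parses is constructed to follow the format shown in this section.

```python
import re
from collections import defaultdict

# Constructed sample of debug flow output in the format shown above (not a real capture).
SAMPLE = """\
id=36871 trace_id=1 msg="vd-root received a packet(proto=6, 192.168.1.110:51661->119.253.62.131:80) from internal."
id=36871 trace_id=1 msg="allocate a new session-00016920"
id=36871 trace_id=1 msg="find a route: gw-192.168.118.1 via wan1"
id=36871 trace_id=1 msg="Allowed by Policy-1: SNAT"
id=36871 trace_id=1 msg="SNAT 192.168.1.110->192.168.118.28:43333"
id=36871 trace_id=23 msg="vd-root received a packet(proto=6, 192.168.1.110:51768->119.253.62.131:80) from internal."
id=36871 trace_id=23 msg="allocate a new session-00017537"
id=36871 trace_id=23 msg="Denied by forward policy check"
id=36871 trace_id=40 msg="vd-root received a packet(proto=6, 10.0.0.5:4000->10.0.0.9:21) from wan1."
id=36871 trace_id=40 msg="reverse path check fail, drop"
"""

LINE_RE = re.compile(r'trace_id=(\d+)\s+msg="([^"]*)"')
PKT_RE = re.compile(r'proto=(\d+),\s*(\S+)->(\S+)\)\s*from\s+(\S+)\.')

# Outcome messages listed in the cookbook; the first one found in a message wins.
VERDICTS = [
    ("Denied by forward policy check", "denied: explicit or implicit deny policy"),
    ("iprope_in_check() check failed, drop", "dropped: no policy matched"),
    ("reverse path check fail, drop", "dropped: reverse path check failed"),
]

def summarize(debug_output):
    """Group debug flow lines by trace_id and return one summary dict per trace."""
    traces = defaultdict(dict)
    for line in debug_output.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # prompt echoes or unrelated console text
        tid, msg = int(m.group(1)), m.group(2)
        t = traces[tid]
        pkt = PKT_RE.search(msg)
        if pkt:  # "received a packet" line: record the 5-tuple and ingress interface
            t.update(proto=int(pkt.group(1)), src=pkt.group(2), dst=pkt.group(3), iface=pkt.group(4))
        elif msg.startswith("Allowed by Policy-"):
            t["verdict"] = "allowed by policy " + msg.split("Policy-")[1].split(":")[0]
        elif msg.startswith(("SNAT ", "DNAT ")):
            t.setdefault("nat", []).append(msg)
        elif msg.startswith("run helper-"):
            t["helper"] = msg[len("run helper-"):].split("(")[0]
        else:
            for needle, verdict in VERDICTS:
                if needle in msg:
                    t["verdict"] = verdict
    return dict(traces)
```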