3Com® Switch 8800 Family Firewall Configuration and Command Reference Guide

Switch 8807, Switch 8810, Switch 8814

www.3Com.com Part No. 10015596, Rev. AA Published: January 2007


3Com Corporation 350 Campus Drive Marlborough, MA USA 01752-3064

Copyright © 2006-2007, 3Com Corporation. All rights reserved. No part of this documentation may be reproduced in any form or by any means or used to make any derivative work (such as translation, transformation, or adaptation) without written permission from 3Com Corporation.

3Com Corporation reserves the right to revise this documentation and to make changes in content from time to time without obligation on the part of 3Com Corporation to provide notification of such revision or change.

3Com Corporation provides this documentation without warranty, term, or condition of any kind, either implied or expressed, including, but not limited to, the implied warranties, terms or conditions of merchantability, satisfactory quality, and fitness for a particular purpose. 3Com may make improvements or changes in the product(s) and/or the program(s) described in this documentation at any time.

If there is any software on removable media described in this documentation, it is furnished under a license agreement included with the product as a separate document, in the hard copy documentation, or on the removable media in a directory file named LICENSE.TXT or !LICENSE.TXT. If you are unable to locate a copy, please contact 3Com and a copy will be provided to you.

UNITED STATES GOVERNMENT LEGEND

If you are a United States government agency, then this documentation and the software described herein are provided to you subject to the following:

All technical data and computer software are commercial in nature and developed solely at private expense. Software is delivered as “Commercial Computer Software” as defined in DFARS 252.227-7014 (June 1995) or as a “commercial item” as defined in FAR 2.101(a) and as such is provided with only such rights as are provided in 3Com’s standard commercial license for the Software. Technical data is provided with limited rights only as provided in DFAR 252.227-7015 (Nov 1995) or FAR 52.227-14 (June 1987), whichever is applicable. You agree not to remove or deface any portion of any legend provided on any licensed program or documentation contained in, or delivered to you in conjunction with, this User Guide.

Unless otherwise indicated, 3Com registered trademarks are registered in the United States and may or may not be registered in other countries.

3Com and the 3Com logo are registered trademarks of 3Com Corporation.

Cisco is a registered trademark of Cisco Systems, Inc.

Funk RADIUS is a registered trademark of Funk Software, Inc.

Aegis is a registered trademark of Aegis Group PLC.

Intel and Pentium are registered trademarks of Intel Corporation. Microsoft, MS-DOS, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Novell and NetWare are registered trademarks of Novell, Inc. UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.

IEEE and 802 are registered trademarks of the Institute of Electrical and Electronics Engineers, Inc.

All other company and product names may be trademarks of the respective companies with which they are associated.

ENVIRONMENTAL STATEMENT

It is the policy of 3Com Corporation to be environmentally-friendly in all operations. To uphold our policy, we are committed to:

Establishing environmental performance standards that comply with national legislation and regulations.

Conserving energy, materials and natural resources in all operations.

Reducing the waste generated by all operations. Ensuring that all waste conforms to recognized environmental standards. Maximizing the recyclable and reusable content of all products.

Ensuring that all products can be recycled, reused and disposed of safely.

Ensuring that all products are labelled according to recognized environmental standards.

Improving our environmental record on a continual basis.

End of Life Statement

3Com processes allow for the recovery, reclamation and safe disposal of all end-of-life electronic components.

Regulated Materials Statement

3Com products do not contain any hazardous or ozone-depleting material.


CONTENTS

ABOUT THIS GUIDE
Conventions 7
Related Documentation 8

1 SWITCH 8800 FIREWALL MODULE

2 FIREWALL CONFIGURATION
Firewall Configuration 13
Displaying Information about the Firewall Module 15

3 NETWORK SECURITY CONFIGURATION
Introduction to the Network Security Features 17
Hierarchical Command Line Protection 18
RADIUS-Based AAA 18
Packet Filter and Firewall 18
Security Authentication before Route Information Exchange 21

4 AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATION
Overview 23
Configuring AAA 30
Configuring the RADIUS Protocol 37
Configuring HWTACACS Protocol 46
Displaying and Debugging AAA and RADIUS/HWTACACS Protocols 51
AAA and RADIUS/HWTACACS Protocol Configuration Example 52
Troubleshooting AAA and RADIUS/HWTACACS Protocols 61

5 ACL CONFIGURATION
Introduction to ACL 63
Configuring an ACL 74
Configuring Time Range 76
Displaying and Debugging ACL 77
Typical Configuration Examples of ACL 77

6 NAT CONFIGURATION
NAT Overview 79
Functions Provided by NAT 80
NAT Configuration 82
Displaying and Debugging NAT 87
NAT Configuration Example 87
Troubleshooting NAT Configuration 90

7 FIREWALL CONFIGURATION
Introduction to Firewall 93
Configuring Packet Filter Firewall 97
Configuring ASPF 104
Black List 110
MAC and IP Address Binding 115
Security Zone Configuration 119

8 TRANSPARENT FIREWALL
Transparent Firewall Overview 121
Configuring Transparent Firewall 125
Displaying and Debugging Transparent Firewall 128
Transparent Firewall Configuration Example 129

9 WEB AND E-MAIL FILTERING
Introduction to Web and E-mail Filtering 133
Configuring Web Filtering 133
Configuring E-mail Filtering 139

10 ATTACK PREVENTION AND PACKET STATISTICS
Overview of Attack Prevention and Packet Statistics 145
Configuring Attack Prevention 147
Setting the Warning Level in Monitoring the Number and Rate of Connections 157
Configuring System-Based Statistics 158
Configuring Zone-Based Statistics 159
Configuring IP-Based Statistics 161
Displaying and Debugging Attack Prevention and Packet Statistics 163
Configuring an SMTP Client 164
Configuring DNS Client 165
Attack Prevention and Packet Statistics Configuration Example 167
Attack Prevention Troubleshooting 180

11 LOG MAINTENANCE
Introduction to Log 181
Configuring Syslog Log 182
Binary-Flow Log Configuration 183
Clearing Log 184
Log Configuration Example 184

12 RELIABILITY OVERVIEW
Introduction to Reliability 189

13 VRRP CONFIGURATIONS
Introduction to VRRP 191
Configuring VRRP 192
Displaying and Debugging VRRP 197
VRRP Configuration Examples 197
VRRP Troubleshooting 207

14 FIREWALL CONFIGURATION COMMANDS
Firewall Configuration Commands 209

15 AAA/RADIUS/HWTACACS CONFIGURATION COMMANDS
AAA Configuration Commands 215
RADIUS Protocol Configuration Commands 231
HWTACACS Configuration Commands 257

16 ACCESS CONTROL LIST CONFIGURATION COMMANDS
ACL Configuration Commands 275
Time-range Configuration Commands 282

17 NAT CONFIGURATION COMMANDS
NAT Configuration Commands 285

18 FIREWALL CONFIGURATION COMMANDS
Packet Filtering Firewall Configuration Commands 299
ASPF Configuration Commands 305
Blacklist Configuration Commands 320
MAC/IP Address Binding Configuration Commands 322
Security Zone Configuration Commands 325

19 TRANSPARENT FIREWALL CONFIGURATION COMMANDS
Transparent Firewall Configuration Commands 329

20 VRRP CONFIGURATION COMMANDS
VRRP Configuration Commands 341



ABOUT THIS GUIDE

This guide describes the 3Com® Switch 8800 and how to install hardware, configure and boot software, and maintain software and hardware. This guide also provides troubleshooting and support information for your switch.

This guide is intended for Qualified Service personnel who are responsible for configuring, using, and managing the switches. It assumes a working knowledge of local area network (LAN) operations and familiarity with communication protocols that are used to interconnect LANs.

Note: Always download the Release Notes for your product from the 3Com World Wide Web site and check for the latest updates to software and product documentation:

http://www.3com.com

Conventions Table 1 lists icon conventions that are used throughout this guide.

Table 2 lists text conventions that are used throughout this guide.

Table 1 Notice Icons

Icon Notice Type Description

(note icon) Information note Information that describes important features or instructions.

(caution icon) Caution Information that alerts you to potential loss of data or potential damage to an application, system, or device.

(warning icon) Warning Information that alerts you to potential personal injury.

Table 2 Text Conventions

Convention Description

Screen displays This typeface represents information as it appears on the screen.

Keyboard key names If you must press two or more keys simultaneously, the key names are linked with a plus sign (+), for example: Press Ctrl+Alt+Del

The words “enter” and “type” When you see the word “enter” in this guide, you must type something, and then press Return or Enter. Do not press Return or Enter when an instruction simply says “type.”

Words in italics Italics are used to emphasize a point, to denote a new term at the place where it is defined in the text, and to identify menu names, menu commands, and software button names. Examples: From the Help menu, select Contents. Click OK.

Words in bold Boldface type is used to highlight command names. For example, “Use the display user-interface command to...”

Related Documentation

The following manuals offer additional information necessary for managing your Switch 8800:

■ Switch 8800 Command Reference Guide — Provides detailed descriptions of the command line interface (CLI) commands that you require to manage your Switch 8800.

■ Switch 8800 Configuration Guide — Describes how to configure your Switch 8800 using the supported protocols and CLI commands.

■ Switch 8800 Release Notes — Contains the latest information about your product. If information in this guide differs from information in the Release Notes, use the information in the Release Notes.

These documents are available in Adobe Acrobat Reader Portable Document Format (PDF) on the 3Com World Wide Web site:

http://www.3com.com/


1

SWITCH 8800 FIREWALL MODULE

This chapter describes the Firewall Module (3C17546), which is available for the Switch 8800.

The SW8800 Firewall Module provides an affordable stateful firewall designed for the needs of medium-size enterprises. Enterprises are accelerating their deployments of stateful firewalls to protect their organizations from unwanted intrusions, both from outside (for example, from the Internet) and from inside.

The SW8800 Firewall Module integrates network security into 3Com’s Switch 8800 solution. Occupying a single I/O slot, the Firewall Module:

■ Provides an onboard operating system and custom hardware designed for high speed packet filtering, switching, protection, analysis, and reporting

■ Occupies any I/O slot in the chassis and is hot swappable

■ Interfaces to the SW8800 high capacity backplane and fully uses the internal switching capabilities of the system.

■ Has eight 1G SFP ports on the front panel that can be used for switching/routing or as regular switching ports.

The SW8800 Firewall features include:

■ Both routed and transparent operation modes

■ High-efficiency packet filtering, transparent proxy, stateful detection, and security technology

■ In-depth statistical analysis functions

■ A broad range of security protection measures

■ Multiple intelligent analysis and management functions that protect the enterprise’s internal network beyond the network layer.

■ Real-time network monitoring to help the administrator manage network security.

Application Specific Packet Filter (ASPF) is a stateful inspection technology that filters at the application layer, tracking the state of each connection. It works alongside ordinary static packet filtering to implement the security policy for the internal network. With ASPF, the firewall can monitor the connection setup process and detect harmful commands. Packet filtering itself is implemented through ACLs. In addition, the module supports NAT and dozens of attack-defense capabilities.


Table 1 Firewall Module Functions

Attribute Description

Network security

Authentication, authorization and accounting (AAA) service:
RADIUS
HWTACACS
CHAP authentication
PAP authentication
Domain authentication

Firewall:
Packet filtering
Access control lists on the basis of interface
Access control lists on the basis of time period
ASPF stateful firewall
Anti-attack features: Land, Smurf, Fraggle, WinNuke, Ping of Death, Tear Drop, IP Spoofing, SYN Flood, ICMP Flood, UDP Flood, ARP spoofing attack defense
Active and reverse ARP query
Defense against illegal TCP flag-bit attacks
Defense against oversized ICMP packet attacks
Defense against address/port scanning
Defense against DoS/DDoS attacks
Control of ICMP redirect and unreachable packets
Control of Tracert packets
Control of IP packets carrying the record-route option
Static and dynamic blacklist
MAC and IP address binding
Worm virus defense
Transparent firewall
Reverse path forwarding (RPF) check

Mail/web page filtering:
Mail filtering: filtering SMTP mail addresses, mail titles, mail contents, and mail attachments
Web page filtering: filtering HTTP URLs and HTTP contents

Security management:
Real-time attack log
Blacklist log
Address binding log
Traffic alarm log
Session log
Binary-format log
Traffic statistics and analysis
Monitoring the connection rate globally or per security zone
Monitoring the protocol packet rate globally or per security zone
Security event statistics
Real-time e-mail alarm
Periodic distribution of information by e-mail

NAT:
Address translation in address pool mode
Address translation by ACL
Easy IP
NAT Server
Valid time configured for address translation
Multiple ALGs, including FTP, H.323, DNS, and SIP


VPN

L2TP VPN

Initiating connection to the specified LNS according to the full user name and domain name of the VPN user

Distributing addresses for VPN users

LCP re-negotiation and CHAP re-authentication

L2TP multi-instance

GRE VPN: uses tunnel technology to encapsulate and decapsulate data packets at both ends of the tunnel

Network interconnection

LAN protocol

Ethernet_II

Ethernet_SNAP

VLAN

Data link layer protocol

PPP

PPPoE

Network protocol

IP service

ARP

Static domain name resolution

Borrowing IP addresses

DHCP relay

DHCP server

DHCP client

IP route

Static route management

RIP-1/RIP-2

OSPF

BGP

Route policy

Policy route

Network reliability Supporting virtual router redundancy protocol to implement device backup


Configuration management

Command line interface

Local configuration through the Console interface

Remote configuration through the AUX interface

Local or remote configuration through Telnet or SSH

Configuring the module through the Switch 8800 Family switch

Configuring hierarchical protection commands to make sure non-authenticated users cannot configure the device

Providing detailed debugging information to diagnose network failure

Providing network test tools such as the Tracert and Ping commands to rapidly diagnose whether the network is normal

You can use the Telnet command to directly log into and manage other network devices.

FTP Server/Client; you can use FTP to load and download configuration files and applications.

Supporting TFTP to load and download files

Supporting log function

File system management

Configuring the user-interface to provide multiple authentication and authorization functions for login users

Supporting standard network management SNMPv3 and being compatible with SNMPv2C and SNMPv1

Supporting NTP time synchronization


2

FIREWALL CONFIGURATION

Firewall Configuration

To make the Switch 8800 Family routing switch and the Firewall module work together, configure the firewall on the switch by performing the following tasks:

■ “Configuring the Interface Aggregation”

■ “Creating the Firewall Module”

■ “Specifying the Layer 3 Interface Connecting the Switch and the Firewall”

■ “Specifying the VLAN Protected by the Firewall”

■ “Mapping the Firewall to the Firewall Module”

■ “Logging into the Firewall module”

■ “Configuring Default Login User Function” (optional)

Configuring the Interface Aggregation

Two internal GigabitEthernet interfaces connect the Firewall module to the switch. You can aggregate these two interfaces into one logical interface to provide more bandwidth between the switch and the module.

Perform the following configuration in switch system view.

Table 2 Configure the Firewall module interface aggregation

Operation Command

Configure aggregation of the two GE interfaces secblade aggregation slot slot-number

Cancel the configuration undo secblade aggregation slot slot-number

By default, the two interfaces are not aggregated, and only one GigabitEthernet interface is used.

CAUTION: When you use the secblade aggregation slot command to aggregate the Firewall module interfaces and the aggregation resources are insufficient, the module takes over resources that are already occupied by other aggregation groups.

Creating the Firewall Module

To make the Firewall module and the Switch 8800 Family switch work together, first create a Firewall (SecBlade) to enter SecBlade view.

Perform the following configuration in switch system view.

Table 3 Create the Firewall

Operation Command

Create the SecBlade secblade sec-mod-name

Remove the SecBlade undo secblade sec-mod-name

By default, the Firewall is not created.

Specifying the Layer 3 Interface Connecting the Switch and the Firewall

To enable the Firewall and the Switch 8800 Family switch to communicate at Layer 3, specify the VLAN interface that connects the switch and the firewall.

Perform the following configuration in SecBlade view of the switch.

Table 4 Specify the Layer 3 interface connecting the switch and the SecBlade

Operation Command

Specify the Layer 3 interface connecting the switch and the Firewall secblade-interface vlan-interface interface-number

Cancel the configuration undo secblade-interface vlan-interface interface-number

By default, the Layer 3 interface connecting the switch and the Firewall is not configured.

Specifying the VLAN Protected by the Firewall

To make the Firewall protect the traffic of specific VLANs, specify the protected VLANs.

Perform the following configuration in SecBlade view of the switch.

Table 5 Specify the VLAN protected by the Firewall

Operation Command

Specify the protected VLANs security-vlan vlan-range

Cancel the VLAN protection undo security-vlan vlan-range

By default, no VLAN is protected.

Mapping the Firewall to the Firewall Module

After completing the above configuration in SecBlade view, map the Firewall to the Firewall module so that the configuration takes effect. Perform the following configuration in SecBlade view of the switch.

Table 6 Map the Firewall to the Firewall module

Operation Command

Map the Firewall to the Firewall module map to slot slot-number

Cancel the configuration undo map to slot slot-number

By default, the Firewall is not mapped to the Firewall module.

Logging into the Firewall Module

You can log into the Firewall module directly from the Switch 8800 Family switch to configure and manage the card. Perform the following configuration in switch user view.

Table 7 Log into the Firewall

Operation Command

Log into the Firewall secblade slot slot-number

Configuring Default Login User Function

For login convenience, a user whose name and password are both SecBlade is created in the Firewall module. You can use this user name and password to log into the Firewall. Perform the following configuration in SecBlade system view (the system view of the Firewall module itself).

Table 8 Configure default login user function

Operation Command

Enable default login user function default-login-user

Disable default login user function undo default-login-user

By default, the default login user function is enabled; that is, the user created internally in the module is allowed to log into the Firewall. Because this user name and password are fixed and printed in this guide, configure your own login accounts first and then disable the built-in user with undo default-login-user; otherwise anyone who can reach the module’s login interfaces already knows a valid user name and password for it.

Displaying Information about the Firewall Module

After the above configuration, execute the following command in any view to display information about the module and verify the effect of the configuration.

Table 9 Display information about the Firewall module

Operation Command

Display information about the module display secblade [ sec-mod-name ]
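The tasks of this chapter strung together as one CLI session, as an added example that is not part of the original guide. It assumes the Firewall module sits in slot 3, the SecBlade is named fw1, VLAN 10 is the VLAN to protect, and VLAN-interface 100 (with an illustrative address) is the Layer 3 link between switch and module; the prompts are illustrative, and creating VLAN 100 and its interface beforehand is an assumption this chapter does not spell out. system-view and quit are the standard Comware view-navigation commands; every other command is taken from Tables 2 through 9.

```text
# --- On the Switch 8800 (switch CLI): user view -> system view ---
<SW8800> system-view
[SW8800] vlan 100                              # assumption: the L3 VLAN interface must exist before it is referenced
[SW8800-vlan100] quit
[SW8800] interface vlan-interface 100
[SW8800-Vlan-interface100] ip address 10.100.0.1 255.255.255.0    # illustrative address
[SW8800-Vlan-interface100] quit
[SW8800] secblade aggregation slot 3           # Table 2 (optional): aggregate the two internal GE links to slot 3
[SW8800] secblade fw1                          # Table 3: create the SecBlade "fw1" and enter SecBlade view
[SW8800-secblade-fw1] secblade-interface vlan-interface 100   # Table 4: Layer 3 link switch <-> firewall
[SW8800-secblade-fw1] security-vlan 10         # Table 5: traffic of VLAN 10 is protected by the firewall
[SW8800-secblade-fw1] map to slot 3            # Table 6: bind this SecBlade to the module in slot 3
[SW8800-secblade-fw1] quit
[SW8800] quit
<SW8800> display secblade fw1                  # Table 9: verify the configuration (any view)
<SW8800> secblade slot 3                       # Table 7: open a session to the module (user view)

# --- On the Firewall module (its own CLI; prompt is illustrative) ---
<SecBlade> system-view
[SecBlade] undo default-login-user             # Table 8: disable the documented SecBlade/SecBlade account
                                               # once your own login accounts (chapter 4, AAA) are in place
```

The order matters: the SecBlade view commands (Tables 4 and 5) are entered before map to slot, because mapping is what applies the SecBlade configuration to the physical module. Disabling the default login user is the one step performed on the module rather than on the switch.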


3

NETWORK SECURITY CONFIGURATION

Note: The content below applies to the Firewall module, so the command views in the remainder of this document apply only to the module and not to the Switch 8800 Family switches.

Introduction to the Network Security Features

A security gateway must be able to withstand the various malicious attacks from the public network. At the same time, accidental but destructive access by legitimate users can also degrade performance significantly or even cause operation failures.

Comware provides the following network security features:

■ AAA services based on Remote Authentication Dial-In User Service (RADIUS) provide authentication, authorization, and accounting for accessing users, to prevent unauthorized access.

■ Authentication protocols: CHAP and PAP authentication are supported on PPP lines.

■ Packet filtering, implemented through access control lists (ACLs), specifies the types of packets that the security gateway permits or denies.

■ Application specific packet filter (ASPF), or stateful firewall, is an advanced filtering approach that inspects application layer information, monitors the state of connection-oriented application layer protocols, maintains state information for each connection, and dynamically decides whether to permit or deny a packet.

■ IP security (IPSec) guarantees the privacy, integrity, and authenticity of data packets transmitted over the Internet through encryption and data source authentication at the IP layer.

■ Internet key exchange (IKE) provides automatically negotiated key exchange and security association (SA) establishment, simplifying the use and management of IPSec.

■ Event logging records system security events and traces illegal access in real time.

■ Address translation provided by the NAT gateway (GW), which separates the public network from the intranet, hides the IP addresses of internal devices from the public network and so makes them harder to attack directly from it.

■ Dynamic routing protocol authentication ensures that only trusted route information is exchanged.

■ Hierarchical view protection divides users into four levels, each with its own configuration rights; a user cannot access the views of a higher level.


The following chapters describe how to configure AAA and RADIUS, user passwords, the firewall, and packet filtering. Refer to the VPN part of this manual for IPSec/IKE configuration; refer to “NAT Configuration” for address translation configuration.

Hierarchical Command Line Protection

The system command lines are protected hierarchically. The command lines are divided into four levels: visit, monitor, system, and manage. You cannot use the commands of a level unless you have provided the correct login password for that level.

RADIUS-Based AAA

AAA is used for user access management. It can be implemented via multiple protocols, but the AAA discussed here is RADIUS-based.

AAA provides the following functions:

■ Hierarchical user management. Users perform operations such as managing and maintaining the system configuration data and monitoring and maintaining the equipment, all of which are crucial to the normal operation of the system. It is therefore necessary to classify users into different levels and grant each level specific rights: a low-level user is allowed to perform only some viewing operations, while only a high-level user can modify data, maintain the equipment, and perform other sensitive operations.

■ PPP authentication. User name authentication is performed before a PPP connection is allowed to be set up.

■ PPP address management and allocation. When setting up a PPP connection, the system may assign a pre-specified IP address to the PPP user.

The next chapter covers the details of the RADIUS protocol and its configuration, user password configuration, and PPP user address configuration. For PPP authentication protocols, refer to the User Access module of this manual.

Packet Filter and Firewall

Firewall Concept

A firewall prevents unauthorized or unauthenticated users on the Internet from accessing a protected network, while allowing users on the internal network to access web sites on the Internet and to send and receive e-mail. It can also work as an Internet access control gateway (GW) that permits only particular users inside the organization to access the Internet.


Figure 1 A firewall separating the intranet from the Internet

The firewall is not only used at the Internet connection; it also protects hosts and crucial resources, such as data, on the organization’s intranet. Access to the protected data must pass through the firewall even when it is initiated from inside the organization.

An external network user must pass through the firewall before it can access the protected network resources. Likewise, an intranet user must pass through the firewall before it can access external network resources. Thus, the firewall plays the role of a “guard” and discards the denied packets.

Firewall Classification

Normally, firewalls are classified into two categories: network layer firewalls and application layer firewalls. Network layer firewalls mainly examine packet header information, such as protocol, source address, destination address, and destination port; alternatively, they can directly examine a segment of header data. Application layer firewalls, however, analyze the whole information traffic.

Firewalls that you often meet are divided into the following categories:

■ Application gateway: It verifies all the application layer data in packets that traverse it. Take a File Transfer Protocol (FTP) application GW as an example. From the perspective of the client of a connection, the FTP application GW is an FTP server; from the perspective of the server, it is an FTP client. All the FTP packets transmitted on the connection must pass through this FTP application GW.

■ Circuit-level gateway: The “circuit” in this context refers to a virtual circuit (VC). Before TCP or UDP is allowed to open a connection or VC, the session must be validated; packet transmission is allowed only once the handshake has been verified and completed. After a session is set up, its information is written into the valid connection table maintained by the firewall. A packet is permitted only if the session information it carries matches an entry in the valid connection table. After the session is terminated, the session entry is deleted from the table. A circuit-level GW authenticates a connection only at the session layer; once the authentication is passed, any application can be run on the connection. Take FTP as an example: a circuit-level GW only validates an FTP session at the TCP layer at the beginning of the session. If that check passes, all data can be transmitted on this connection until the session is terminated.

[Figure 1 (diagram): PCs on an Ethernet segment connect to the Internet through the firewall.]


■ Packet filter: Such a firewall filters each packet against items defined by the user. For example, it compares the source and destination addresses of the packet with those in the configured rules for a match. A packet filter neither tracks the state of sessions nor analyzes the data. If the user specifies that packets carrying port number 21 or a port number no less than 1024 are permitted, every packet meeting that condition passes through the firewall, whether or not it belongs to an established session. If the rules are set properly for the actual applications, many packets that pose a potential security threat can be filtered out at this layer.

■ Network Address Translation (NAT): Also called address proxy, NAT lets a private network reach an external network. The security gateway substitutes one of its external addresses and a port for the IP address and port of a host on the private network, and reverses the substitution on the return traffic; that is, it converts between <private address + port number> and <public address + port number>. The private address here is an internal network or host address; the public address is a globally unique IP address on the Internet. The Internet Assigned Numbers Authority (IANA) has reserved the following address ranges for private use (RFC 1918):

10.0.0.0 to 10.255.255.255

172.16.0.0 to 172.31.255.255

192.168.0.0 to 192.168.255.255

In other words, addresses in these three ranges are used inside an organization and are never assigned on the Internet. A company selects an internal address range large enough for the hosts and subnets it expects in the near future. Different companies may use the same internal addresses. Choosing an internal range outside these three ranges, however, is very likely to cause conflicts, because those addresses are also assigned to hosts on the Internet. NAT lets internal hosts reach Internet resources while keeping their addresses private.
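As an added example, not part of the 3Com guide, the following Python models the <private address + port> to <public address + port> substitution just described: outbound packets from an RFC 1918 source get a binding on the gateway's public address, replies are mapped back through that binding, and an inbound packet with no binding is dropped. The class name Napt, the public address 198.51.100.1 and the sample hosts and ports are constructed for the example.

```python
# Added example (not from the guide): a minimal NAPT translator. Outbound
# packets from RFC 1918 addresses get their <private address, port> rewritten
# to <public address, port>; inbound packets are reversed only if they match an
# existing binding, otherwise they are dropped.
from ipaddress import ip_address, ip_network

# Exactly the three ranges the text lists (RFC 1918), not the wider set
# ipaddress.is_private would accept.
PRIVATE_RANGES = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    a = ip_address(addr)
    return any(a in net for net in PRIVATE_RANGES)


class Napt:
    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out_map = {}   # (private_ip, private_port) -> public_port
        self.in_map = {}    # public_port -> (private_ip, private_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an internal->external packet; returns the rewritten 4-tuple."""
        if not is_private(src_ip):
            raise ValueError(f"{src_ip} is not an RFC 1918 address; refusing to translate")
        key = (src_ip, src_port)
        if key not in self.out_map:
            pub_port = self.next_port          # allocate a fresh public port
            self.next_port += 1
            self.out_map[key] = pub_port
            self.in_map[pub_port] = key
        return (self.public_ip, self.out_map[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Reverse-translate an external->internal packet, or None if no binding exists."""
        if dst_ip != self.public_ip or dst_port not in self.in_map:
            return None                        # unsolicited: nothing inside asked for it
        priv_ip, priv_port = self.in_map[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)


def demo():
    nat = Napt("198.51.100.1")
    # Two internal hosts using the same private source port: the translator
    # keeps them apart with distinct public ports.
    out1 = nat.outbound("192.168.1.10", 50000, "93.184.216.34", 80)
    out2 = nat.outbound("192.168.1.11", 50000, "93.184.216.34", 80)
    reply = nat.inbound("93.184.216.34", 80, "198.51.100.1", out1[1])
    unsolicited = nat.inbound("203.0.113.9", 4444, "198.51.100.1", 9999)
    return out1, out2, reply, unsolicited
```

The external server only ever sees 198.51.100.1, which is the "privacy" the text refers to. Note that dropping unsolicited inbound packets is a side effect of the binding table, not an access-control policy: NAT does not replace the packet filter.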

Packet Filter Function

Normally, a packet filter filters IP packets. For each packet the security gateway is about to forward, the filter first reads the header information, including the upper-layer protocol carried by IP, the source and destination addresses, and the source and destination ports. It then compares them with the preset rules to decide whether the packet is forwarded or discarded.

Figure 2 illustrates the elements a packet filter uses for its decision on an IP packet whose upper-layer protocol is TCP or UDP.


Figure 2 Packet filtering elements

Most packet filter systems do not inspect or act on the payload and do no content-based filtering.

ACL

Before the system can filter packets, you must configure rules in ACLs that specify which types of packets are allowed or denied.

Configure an ACL according to the security policy and apply it to a particular interface or to the whole device. The security gateway then examines all packets on that interface, or on all interfaces, against the ACL and forwards or discards the packets that match its rules. In this way it plays the role of a firewall.
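The following is an added example, not code from the 3Com guide: a stateless packet filter in Python that evaluates rules of the kind an ACL expresses (protocol, source and destination prefix, destination port range) in order, first match wins, with an implicit deny at the end. The rule set reproduces the "port 21 or any port no less than 1024" policy from the packet-filter description above; the class names, the 192.168.1.0/24 protected segment and the sample packets are constructed for the example.

```python
# Added example (not from the guide): a stateless packet filter. Rules are
# evaluated top-down, the first match decides, and a packet matching nothing is
# discarded (implicit deny). A rule field set to None is a wildcard.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp", from the IP header's protocol field
    src: str
    dst: str
    sport: int = 0      # 0 for protocols without ports
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str                              # "permit" or "deny"
    proto: Optional[str] = None              # None matches any protocol
    src: Optional[str] = None                # CIDR prefix, None matches any source
    dst: Optional[str] = None
    dport: Optional[Tuple[int, int]] = None  # inclusive destination port range

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.src is not None and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        return True


def filter_packet(rules, pkt: Packet) -> str:
    """Return the action of the first matching rule, or "deny" when nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# The policy from the text: from anywhere on the Internet, permit TCP to port 21
# or to any port >= 1024 on the protected 192.168.1.0/24 segment.
INBOUND_RULES = [
    Rule("permit", proto="tcp", dst="192.168.1.0/24", dport=(21, 21)),
    Rule("permit", proto="tcp", dst="192.168.1.0/24", dport=(1024, 65535)),
]


def demo():
    ftp_ctl   = Packet("tcp", "203.0.113.5", "192.168.1.10", 40000, 21)
    ssh       = Packet("tcp", "203.0.113.5", "192.168.1.10", 40001, 22)
    high_port = Packet("tcp", "203.0.113.5", "192.168.1.10", 40002, 4444)
    return {
        "ftp": filter_packet(INBOUND_RULES, ftp_ctl),
        "ssh": filter_packet(INBOUND_RULES, ssh),
        "high": filter_packet(INBOUND_RULES, high_port),   # permitted, session or not
    }
```

The high-port packet is the caveat the text hints at: a stateless filter cannot tell an FTP data-channel reply from an unsolicited connection to port 4444, because it never consults a session table. That is exactly what the circuit-level gateway described earlier adds.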

Security Authentication before Route Information Exchange

The route forwarding table is maintained from the dynamic routing information exchanged between neighboring security gateways.

Necessity of implementing security authentication before route information exchange

Because neighboring routers exchange a great deal of routing information, a security gateway may receive forged or malicious routing updates from untrusted routers. With route authentication enabled, the security gateway authenticates the routing update packets it receives from neighboring routers and accepts only trustworthy routing information.

Authentication Implementation

The routers that exchange routing information share the same password key, which protects the routing packets. A router receiving routing information authenticates each packet against the shared key: if the check succeeds, the packet is accepted; if not, it is discarded.

Authentication is implemented as either simple text authentication or MD5 authentication. Simple text authentication sends the key itself in plain text, so anyone who can capture the packets learns it; it provides low security. MD5 authentication never sends the key: each packet instead carries an MD5 digest computed over the packet contents and the shared key, so a receiver that holds the key detects both a wrong key and a modified packet, and the key is not exposed on the wire. MD5 authentication therefore provides higher security.
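The following is an added example, not from the 3Com guide, showing the two modes side by side in Python. The keyed-MD5 form follows the scheme used by RIPv2 (RFC 2082) and OSPFv2 (RFC 2328, Appendix D): the digest is MD5 over the update followed by the shared key padded to 16 bytes, and the key never appears on the wire. The update payload, the key and the function names are constructed for the example; the cryptographic sequence number those RFCs add against replay is omitted.

```python
# Added example (not from the guide): simple-text versus keyed-MD5 route
# authentication. Modelled on RFC 2082 / RFC 2328 Appendix D; payload and key
# are constructed here.
import hashlib
import hmac

KEY_LEN = 16   # both schemes pad the key to 16 bytes


def simple_auth_send(update: bytes, key: bytes) -> bytes:
    """Simple (plain-text) authentication: the key itself travels with the update."""
    return update + key.ljust(KEY_LEN, b"\x00")


def simple_auth_verify(wire: bytes, key: bytes):
    body, trailer = wire[:-KEY_LEN], wire[-KEY_LEN:]
    return body if trailer == key.ljust(KEY_LEN, b"\x00") else None


def md5_auth_send(update: bytes, key: bytes) -> bytes:
    """Keyed-MD5 authentication: append MD5(update || key) instead of the key."""
    digest = hashlib.md5(update + key.ljust(KEY_LEN, b"\x00")).digest()
    return update + digest


def md5_auth_verify(wire: bytes, key: bytes):
    body, digest = wire[:-16], wire[-16:]
    expected = hashlib.md5(body + key.ljust(KEY_LEN, b"\x00")).digest()
    return body if hmac.compare_digest(digest, expected) else None


def demo():
    key = b"r0ut3-s3cr3t"
    update = b"RIPv2 RESPONSE 10.1.0.0/16 metric 2"   # constructed update payload
    plain = simple_auth_send(update, key)
    signed = md5_auth_send(update, key)
    # An on-path attacker reads the key straight out of the plain-text packet,
    # but cannot recover it from the MD5 trailer and cannot alter a signed
    # route without it: changing the metric breaks the digest.
    tampered = signed.replace(b"metric 2", b"metric 1")
    return {
        "plain_ok": simple_auth_verify(plain, key) == update,
        "key_on_wire_plain": key in plain,
        "key_on_wire_md5": key in signed,
        "md5_ok": md5_auth_verify(signed, key) == update,
        "tampered_accepted": md5_auth_verify(tampered, key) is not None,
        "wrong_key_accepted": md5_auth_verify(signed, b"guess") is not None,
    }
```

A practitioner's caveat: MD5-with-appended-key is a 1990s construction; where the platform offers it, prefer HMAC-SHA based authentication (RFC 5709 for OSPFv2, RFC 4822 for RIPv2), and rotate keys, since an offline guess against captured digests is only as hard as the key is strong.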


CHAPTER 4: AAA AND RADIUS/HWTACACS PROTOCOL CONFIGURATION

Overview

Introduction to AAA

Authentication, Authorization and Accounting (AAA) provide a uniform framework for configuring these three security functions to implement network security management.

The network security mentioned here refers to access control and it includes:

■ Which user can access the network server?

■ Which service can the authorized user enjoy?

■ How is the user's use of network resources accounted for?

Accordingly, AAA provides the following services:

Authentication

AAA supports the following authentication methods:

■ None authentication: All users are trusted and are not authenticated. Generally, this method is not recommended.

■ Local authentication: User information (including username, password and attributes) is configured on the Broadband Access Server (BAS). Local authentication is fast and inexpensive, but the amount of information that can be stored is limited by the hardware capacity.

■ Remote authentication: Supports both the RADIUS and HWTACACS protocols. The BAS acts as the client and communicates with the RADIUS or TACACS server. For RADIUS, you can use the standard RADIUS protocol or the 3Com extended RADIUS protocol to complete authentication together with devices such as iTELLIN/CAMS.

Authorization

AAA supports the following authorization methods:

■ Direct authorization: All users are trusted and directly authorized to pass.

■ Local authorization: Users are authorized according to the attributes related to their accounts on the BAS.

■ HWTACACS authorization: Users are authorized using a TACACS server.

■ If-authenticated authorization: Users are authorized if they have been authenticated by any permitted method other than none authentication.

■ RADIUS authorization following successful authentication: With RADIUS, users are authorized only after they pass authentication. In other words, you cannot perform RADIUS authorization without authentication.


Accounting

AAA supports the following accounting methods:

■ None accounting: no accounting required.

■ Remote accounting: conducted through a RADIUS server or TACACS server.

NOTE: Currently, the security gateway supports accounting of PPP users and Telnet users only, and it does not support real-time accounting of Telnet users.

AAA usually utilizes a Client/Server model, where the client controls user access and the server stores user information. The framework of AAA thus allows for good scalability and centralized user information management. Being a management framework, AAA can be implemented using multiple protocols. In Comware, AAA is implemented based on RADIUS or HWTACACS.

Introduction to the RADIUS Protocol

What is RADIUS

Remote Authentication Dial-In User Service (RADIUS) is a distributed information-exchange protocol in the client/server model. RADIUS protects a network against unauthorized access and is often used in environments that require both high security and remote user access, for example to manage large numbers of scattered dial-in users connecting over serial ports and modems. The RADIUS system is an important auxiliary part of a Network Access Server (NAS).

The RADIUS service involves three components:

■ Protocol: RFC 2865 and RFC 2866 define the RADIUS packet format and message transfer mechanism over UDP/IP, using port 1812 for authentication and port 1813 for accounting.

■ Server: RADIUS server runs on the computer or workstation at the center, and contains information on user authentication and network service access.

■ Client: Located at the Network Access Server (NAS) side. It can be placed anywhere in the network.

As the RADIUS client, the NAS (a switch or a router) is responsible for passing user information to a designated RADIUS server and acts on the response returned from the server (such as connecting/disconnecting users). The RADIUS server receives user connection requests, authenticates users, and returns the required information to the NAS.

In general, the RADIUS server maintains three databases, namely, Users, Clients and Dictionary, as shown in the following figure. "Users" stores user information such as username, password, applied protocols, and IP address; "Clients" stores information about RADIUS clients such as shared key; and "Dictionary" stores the information for interpreting RADIUS protocol attributes and their values.


Figure 3 Components of RADIUS server

In addition, a RADIUS server can act as the client of another AAA server to provide proxy authentication or accounting. RADIUS servers support multiple user authentication methods, such as PPP-based PAP and CHAP and UNIX-based login.

Basic message exchange procedures in RADIUS

In most cases, user authentication with a RADIUS server involves a device that provides the proxy function, such as the NAS. Transactions between the RADIUS client and the RADIUS server are authenticated with a shared key, and user passwords are hidden with that key before being sent over the network. RADIUS combines authentication and authorization by carrying the authorization information in the authentication response. See the following figure.

Figure 4 The basic message interaction procedures of RADIUS

Following is how RADIUS operates:

1 The user enters the username and password.

2 Having received the username and password, the RADIUS client sends the authentication request (Access-Request) to the RADIUS server.

3 The RADIUS server compares the received user information against the Users database. If authentication succeeds, it sends back an authentication response (Access-Accept) containing the user's authorization information. If authentication fails, it returns an Access-Reject message.

4 The RADIUS client acts on the returned result to accept or reject the user. If the user is accepted, the RADIUS client sends an accounting start request (Accounting-Request with Acct-Status-Type set to Start) to the RADIUS server.

5 The RADIUS server returns a start-accounting response (Accounting-Response).

6 When the session ends, the RADIUS client sends a stop-accounting request (Accounting-Request with Acct-Status-Type set to Stop) to the RADIUS server.

7 The RADIUS server returns a stop-accounting response (Accounting-Response).

RADIUS packet structure

RADIUS uses UDP to transmit messages. Timer management, retransmission and a backup server mechanism ensure that messages are exchanged reliably between the RADIUS client and server. The following figure shows the RADIUS packet structure.

Figure 5 RADIUS packet structure

[Figure 5 layout: Code (1 byte) | Identifier (1 byte) | Length (2 bytes) | Authenticator (16 bytes) | Attributes (variable)]

The Identifier field matches responses to requests: the client uses a new value for each new request (it changes whenever the attribute contents change or a valid response has been received) and keeps it unchanged when it retransmits the same request. The 16-byte Authenticator field lets the client authenticate the reply from the RADIUS server and is also the input to the password hiding algorithm. There are two kinds of authenticators: Request and Response.

■ Request Authenticator: a 16-byte random value carried in the request.

■ Response Authenticator: the MD5 digest of Code, Identifier, Length, the Request Authenticator, the response Attributes and the shared key, in that order.

1 The Code field decides the type of a RADIUS packet, as shown in the following table.

Table 10 Code values

Code 1, Access-Request: Carries user information and is sent by the client to the server to have it decide whether the user may access the network. It must carry the User-Name attribute and usually carries others, such as NAS-IP-Address, User-Password and NAS-Port.

Code 2, Access-Accept: Sent by the server to the client. If all attribute values carried in the Access-Request are acceptable, the server lets the user pass authentication and returns an Access-Accept.

Code 3, Access-Reject: Sent by the server to the client. If any attribute value carried in the Access-Request is unacceptable, the server rejects the user and returns an Access-Reject.

Code 4, Accounting-Request: Carries user information and is sent by the client to the server to start or stop accounting; the server tells the two apart by the Acct-Status-Type attribute. The attributes carried are basically the same as those of an Access-Request, and a Stop request additionally reports the session's input/output bytes and packets and its duration.

Code 5, Accounting-Response: Sent by the server to the client to acknowledge that it has received the Accounting-Request and correctly recorded the accounting information.

2 The Attribute field carries the authentication, authorization and accounting information that gives the details of a request or response. Each attribute is a Type, Length, Value triplet. The following table lists the major standard attributes defined by RFC 2865:

Table 11 Attribute values

Type  Attribute type            Type   Attribute type
1     User-Name                 23     Framed-IPX-Network
2     User-Password             24     State
3     CHAP-Password             25     Class
4     NAS-IP-Address            26     Vendor-Specific
5     NAS-Port                  27     Session-Timeout
6     Service-Type              28     Idle-Timeout
7     Framed-Protocol           29     Termination-Action
8     Framed-IP-Address         30     Called-Station-Id
9     Framed-IP-Netmask         31     Calling-Station-Id
10    Framed-Routing            32     NAS-Identifier
11    Filter-Id                 33     Proxy-State
12    Framed-MTU                34     Login-LAT-Service
13    Framed-Compression        35     Login-LAT-Node
14    Login-IP-Host             36     Login-LAT-Group
15    Login-Service             37     Framed-AppleTalk-Link
16    Login-TCP-Port            38     Framed-AppleTalk-Network
17    (unassigned)              39     Framed-AppleTalk-Zone
18    Reply-Message             40-59  (reserved for accounting)
19    Callback-Number           60     CHAP-Challenge
20    Callback-Id               61     NAS-Port-Type
21    (unassigned)              62     Port-Limit
22    Framed-Route              63     Login-LAT-Port


The RADIUS protocol is extensible: attribute 26 (Vendor-Specific) lets a vendor define its own extended attributes inside a standard attribute. The following figure illustrates the structure of a RADIUS packet carrying such an attribute:

Figure 6 A RADIUS packet segment containing the extended attribute
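As an added example, not code from the 3Com guide, the following Python puts the packet structure, attribute encoding (including a type 26 Vendor-Specific attribute), User-Password hiding and the Response Authenticator together as RFC 2865 specifies them, with a client and a server side so the Access-Request/Access-Accept exchange from the figure above can be walked through offline. The shared secret, usernames, NAS address and the VSA sub-attribute are constructed for the example; the Vendor-Id 43 is 3Com's registered IANA enterprise number.

```python
# Added example (not from the guide): RADIUS attribute TLVs, User-Password
# hiding and the Response Authenticator, per RFC 2865. Secret, users and the
# vendor sub-attribute are constructed for the example.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, REPLY_MESSAGE, VENDOR_SPECIFIC = 1, 2, 4, 18, 26
THREECOM_ENTERPRISE_ID = 43   # 3Com's IANA enterprise number, used as the VSA Vendor-Id


def attr(atype: int, value: bytes) -> bytes:
    """One attribute TLV: Type (1 byte), Length (1 byte, header included), Value."""
    assert len(value) <= 253, "attribute value too long for a 1-byte length"
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Attribute 26: a 4-byte Vendor-Id followed by the vendor's own type/length/value."""
    return attr(VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value)


def parse_attrs(attrs: bytes) -> dict:
    out, i = {}, 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        out[atype] = attrs[i + 2:i + alen]
        i += alen
    return out


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks; XOR block 1 with MD5(secret + Request
    Authenticator) and each later block with MD5(secret + previous ciphertext block)."""
    padded = password.ljust(-(-len(password) // 16) * 16, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], pad))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(prev, pad))
    return out.rstrip(b"\x00")


def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def response_authenticator(code, ident, attrs, request_auth, secret) -> bytes:
    """MD5(Code + ID + Length + Request Authenticator + Attributes + Secret), RFC 2865 section 3."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_access_request(ident, username, password, nas_ip, secret, request_auth):
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + vsa(THREECOM_ENTERPRISE_ID, 1, b"level=3"))   # sub-attribute 1 is made up here
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, decide, and sign the reply."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    a = parse_attrs(request[20:length])
    ok = users.get(a.get(USER_NAME)) == unhide_password(a[USER_PASSWORD], secret, request_auth)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    reply_attrs = attr(REPLY_MESSAGE, b"welcome" if ok else b"denied")
    auth = response_authenticator(code, ident, reply_attrs, request_auth, secret)
    return packet(code, ident, auth, reply_attrs)


def client_verify(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator; a reply that fails is discarded."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    expected = response_authenticator(code, ident, reply[20:length], request_auth, secret)
    return hmac.compare_digest(reply[4:20], expected)


def demo():
    secret, users = b"nas-shared-secret", {b"alice": b"correct horse"}
    ra = os.urandom(16)                                   # fresh Request Authenticator
    req = build_access_request(7, b"alice", b"correct horse", "10.0.0.1", secret, ra)
    reply = server_handle(req, secret, users)
    forged = packet(ACCESS_ACCEPT, 7, os.urandom(16), b"")   # attacker without the secret
    bad = build_access_request(8, b"alice", b"wrong", "10.0.0.1", secret, os.urandom(16))
    return {
        "accept_code": reply[0],
        "accept_verified": client_verify(reply, ra, secret),
        "forged_verified": client_verify(forged, ra, secret),
        "reject_code": server_handle(bad, secret, users)[0],
        "password_on_wire": b"correct horse" in req,
    }
```

Two points the code makes concrete. First, only the User-Password value is hidden; the username, NAS address and any authorization attributes in the Access-Accept travel in clear, which is the "encrypts only the password field" row of the HWTACACS comparison later in this chapter. Second, the Response Authenticator is the client's only defence against a forged Access-Accept, and it is an MD5 over a shared secret, so the secret's strength and its per-NAS uniqueness matter; current practice is to carry RADIUS inside IPsec or RadSec (TLS) rather than rely on these primitives alone.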

Features of RADIUS

RADIUS uses UDP as its transport protocol and suits real-time applications well. Its retransmission and backup server mechanisms give it good reliability. RADIUS is easy to implement and suits a multithreaded server handling large numbers of users. For these reasons the RADIUS protocol is widely used.

Introduction to the HWTACACS Protocol

What is HWTACACS

HWTACACS is an enhanced security protocol based on TACACS (RFC1492). Similar to the RADIUS protocol, it implements AAA for different types of users (such as PPP/VPDN/login users) through communications with TACACS servers in the Server/Client model.

Compared with RADIUS, HWTACACS provides more reliable transmission and stronger encryption and is therefore better suited to security control. Table 12 lists the primary differences between HWTACACS and RADIUS.

In a typical HWTACACS application, a dial-up or terminal user needs to log onto the security gateway for operations. Working as the client of HWTACACS in this case, the security gateway sends the username and password to the TACACS server for authentication. After passing authentication and being authorized, the user can log onto the security gateway to perform operations, as shown in the following figure.

[Figure 6 layout: Type (26) | Length | Vendor-ID | vendor-specified type | vendor-specified length | vendor-specified attribute value]

Table 12 Comparison between HWTACACS and RADIUS

■ Transport: HWTACACS uses TCP, which provides more reliable network transmission; RADIUS uses UDP.

■ Encryption: HWTACACS encrypts the entire packet except the standard HWTACACS header; RADIUS encrypts only the password field in authentication packets.

■ Authentication and authorization: HWTACACS separates them, so for example authentication and authorization can be provided by different TACACS servers; RADIUS combines them.

■ Typical use: HWTACACS suits security control; RADIUS suits accounting.

■ Command authorization: HWTACACS can authorize the use of configuration commands; RADIUS cannot.
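To make the "encrypts the entire packet except the header" row concrete, here is an added example, not from the 3Com guide, of the body obfuscation that TACACS+ specifies in RFC 8907 section 4.5: an MD5 keystream derived from the session id, the shared key, the version and the sequence number is XORed over everything after the 12-byte header. The guide says HWTACACS protects the body the same way; whether HWTACACS's keystream is byte-identical to RFC 8907's is not stated on the page, so treat this as the TACACS+ form. The key, session id and the START-like body are constructed for the example.

```python
# Added example (not from the guide): TACACS+ body obfuscation per RFC 8907.
# Everything after the 12-byte clear-text header is XORed with an MD5 keystream
# bound to the session id, shared key, version and sequence number.
import hashlib
import struct

HEADER_LEN = 12   # version, type, seq_no, flags (1 byte each), session_id, length (4 bytes each)


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id, key, version, seq_no); pad_n = MD5(same, pad_{n-1})."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def header(version, ptype, seq_no, flags, session_id, body_len) -> bytes:
    return struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, body_len)


def seal(version, ptype, seq_no, session_id, key, body: bytes) -> bytes:
    """Obfuscate the body and prepend the clear-text header (flags 0: body is encrypted)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    enc = bytes(b ^ p for b, p in zip(body, pad))
    return header(version, ptype, seq_no, 0, session_id, len(body)) + enc


def open_packet(packet: bytes, key: bytes) -> bytes:
    """Recover the body: the same XOR with the same pad undoes seal()."""
    version, ptype, seq_no, flags, session_id, body_len = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + body_len]
    pad = pseudo_pad(session_id, key, version, seq_no, body_len)
    return bytes(b ^ p for b, p in zip(body, pad))


def demo():
    key = b"tacacs-shared-key"
    version, authen, session = 0xC0, 0x01, 0x5A3C1F02      # major 0xC minor 0; AUTHEN packet
    # Constructed START-like body: action/priv_lvl/authen_type/service, then user, port, rem_addr
    body = b"\x01\x01\x02\x01" + b"alice" + b"tty0" + b"10.0.0.5"
    pkt = seal(version, authen, 1, session, key, body)
    reply = seal(version, authen, 2, session, key, b"\x05\x00\x00\x00" + b"Password: ")
    return {
        "header_clear": pkt[:HEADER_LEN] == header(version, authen, 1, 0, session, len(body)),
        "body_hidden": b"alice" not in pkt,
        "roundtrip": open_packet(pkt, key) == body,
        "wrong_key_recovers": open_packet(pkt, b"other-key") == body,
        # seq_no is part of the pad, so request and reply in one session get different keystreams
        "different_seq_different_pad": pseudo_pad(session, key, version, 1, 16) != pseudo_pad(session, key, version, 2, 16),
        "reply_roundtrip": open_packet(reply, key).endswith(b"Password: "),
    }
```

Compare with the RADIUS case: the username, port and the server's prompt are all hidden here, not just the password. RFC 8907 is careful to call this obfuscation rather than encryption: it is an unauthenticated MD5 keystream, so a known or guessed plaintext gives an attacker the pad for that packet, and the RFC recommends running TACACS+ over IPsec or TLS in production.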


Figure 7 Network diagram for a typical HWTACACS application

Basic message exchange procedures in HWTACACS

The following takes a Telnet user as an example of how HWTACACS implements authentication, authorization and accounting. The basic message exchange procedure is as follows:

1 A user requests access to the security gateway; the TACACS client sends a start-authentication packet to TACACS server upon receipt of the request.

2 The TACACS server sends back an authentication response requesting for the username; the TACACS client asks the user for the username upon receipt of the response.

3 The TACACS client sends an authentication continuance packet carrying the username after receiving the username from the user.

4 The TACACS server sends back an authentication response, requesting for the login password. Upon receipt of the response, the TACACS client requests the user for the login password.

5 After receiving the login password, the TACACS client sends an authentication continuance packet carrying the login password to the TACACS server.

6 The TACACS server sends back an authentication response indicating that the user has passed the authentication.

7 The TACACS client sends the user authorization packet to the TACACS server.

8 The TACACS server sends back the authorization response, indicating that the user has passed the authorization.

9 Upon receipt of the response indicating an authorization success, the TACACS client pushes the configuration interface of the security gateway to the user.

10 The TACACS client sends a start-accounting request to the TACACS server.

11 The TACACS server sends back an accounting response, indicating that it has received the start-accounting request.

12 The user logs off; the TACACS client sends a stop-accounting request to the TACACS server.

13 The TACACS server sends back a stop-accounting response, indicating that the stop-accounting request has been received.

The following figure illustrates the basic message exchange procedures:

[Figure 7 (network diagram): dial-up users over ISDN/PSTN and terminal users log on to the Quidway HWTACACS client, which communicates with two TACACS servers, 129.7.66.66 and 129.7.66.67.]


Figure 8 The AAA implementation procedures for a telnet user

Configuring AAA

AAA configuration tasks include:

1 Create an ISP domain and set the related attributes

■ Create an ISP domain

■ Configure an AAA scheme

■ Configure the ISP domain state

■ Set an access limit

■ Enable accounting optional

■ Define a local IP pool and allocate IP addresses to PPP users

2 Create a local user and set the related attributes (for local authentication only)

Creating an ISP Domain and Setting the Related Attributes

Creating an ISP domain

An Internet service provider (ISP) domain is a group of users that belong to the same ISP. For a username in the userid@isp-name format (userid@3com163.net, for example), the isp-name following the @ sign (3com163.net) is the ISP domain name. When it receives a connection request from a user named userid@isp-name, the security gateway system takes the userid part as the username for authentication and the isp-name part as the domain name.

ISP domain settings exist to support the multi-ISP environment, in which one access device may serve users of different ISPs. Because the attributes of ISP users, such as username and password formats, can differ, you must distinguish them by setting ISP domains. In ISP domain view, you can configure a complete set of exclusive ISP domain attributes, including an AAA scheme, on a per-ISP-domain basis.

On 3Com Series Security Gateways, each supplicant belongs to an ISP domain. Up to 16 domains can be configured in the system. If a user does not report its ISP domain name, the system places it in the default domain.

Perform the following configuration (Table 13) in system view.

By default, the default ISP domain in the system is system.

Configuring an AAA scheme

You can configure authentication, authorization and accounting schemes in either of the following two modes.

1 AAA binding mode

In this mode, you use the scheme command to specify a single scheme. If you choose the RADIUS or HWTACACS scheme, the corresponding RADIUS or HWTACACS server performs authentication, authorization and accounting; you cannot specify different schemes for the three tasks. If you use the local scheme, only authentication and authorization are performed, not accounting.

When the radius-scheme radius-scheme-name local or hwtacacs-scheme hwtacacs-scheme-name local form is configured, the local scheme is a backup used only when the RADIUS or TACACS server is unavailable. While the server is available, local authentication is not used.

If local is the first scheme, only local authentication is performed and no RADIUS, HWTACACS or none scheme can be adopted after it. If none is the first scheme, no RADIUS or HWTACACS scheme can be adopted.

Perform the following configuration (Table 14) in ISP domain view.

Table 13 Create/delete an ISP domain

■ Create an ISP domain or enter the view of a specified domain:
  domain { isp-name | default { disable | enable isp-name } }

■ Remove a specified ISP domain:
  undo domain isp-name


The default AAA scheme is local.

CAUTION:

■ An FTP user login cannot be authenticated in none mode because an FTP server implemented with Comware does not support anonymous login.

■ If the scheme none command is used, the priority level of a user logged into the system is level 0.

2 AAA separate mode

In this mode, you use the authentication, authorization and accounting commands to select a scheme for each of the three tasks separately. For example, you can specify a RADIUS scheme for authentication and authorization and an HWTACACS scheme for optional accounting, which gives you flexibility in combining schemes. The AAA services available in this mode are listed below.

■ For terminal users

Use RADIUS, HWTACACS, local, RADIUS-local, HWTACACS-local or none for authentication;

Use HWTACACS or none for authorization;

Use RADIUS, HWTACACS or none for accounting.

You can customize an AAA scheme combination from the options above.

■ For FTP users

Only authentication can be applied on FTP users.

Use RADIUS, HWTACACS, local, RADIUS-local or HWTACACS-local for authentication.

■ For PPP and L2TP users

Use RADIUS, HWTACACS, local, RADIUS-local, HWTACACS-local or none for authentication.

Use HWTACACS or none for authorization.

Use RADIUS, HWTACACS or none for accounting.

You can customize an AAA scheme combination from the options above.

Table 14 Configure the related attributes of the ISP domain

■ Configure an AAA scheme for the domain:
  scheme { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }

■ Restore the default AAA scheme:
  undo scheme [ radius-scheme | hwtacacs-scheme | none ]


■ For DVPN services

At present, only RADIUS, local and RADIUS-local support authentication and authorization, and only RADIUS supports accounting.

Perform the following configuration (Table 15) in ISP domain view.

1 If separate AAA schemes are configured as well as a binding AAA scheme, the separate schemes take precedence.

2 The RADIUS and local schemes do not support separating authentication from authorization, so note the following:

■ When scheme radius-scheme or scheme local is configured and the authentication command is not: if authorization none is configured, the authorization data returned by the RADIUS or local scheme is still applied; if authorization hwtacacs is configured, the HWTACACS scheme is used for authorization.

■ If scheme radius-scheme or scheme local is configured together with the authentication hwtacacs-scheme command, the HWTACACS scheme is used for authentication and no authorization is performed.

Configuring the ISP domain state

Every ISP domain is in either active or block state. In active state, users in the domain can request network services; in block state they cannot, although users already online are not affected. An ISP domain is in active state when first created, so its users are allowed to request network services.

Perform the following configuration (Table 16) in ISP domain view.

Table 15 Configure the related ISP domain attributes

■ Configure an authentication scheme for the domain:
  authentication { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }

■ Restore the default authentication scheme for the domain:
  undo authentication

■ Configure an authorization scheme for the domain:
  authorization { hwtacacs-scheme hwtacacs-scheme-name | none }

■ Restore the default authorization scheme for the domain:
  undo authorization

■ Configure an accounting scheme for the domain:
  accounting { radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | none }

■ Restore the default accounting scheme for the domain:
  undo accounting

Table 16 Configure the ISP domain state

■ Configure the ISP domain state:
  state { active | block }


By default, an ISP domain is active when it is created.

Setting an access limit

You can specify the maximum number of users that an ISP domain can accommodate by setting an access limit.

Perform the following configuration (Table 17) in ISP domain view.

By default, an ISP domain has no limit on the user number upon its creation.

Enabling accounting optional

If a user is configured with accounting optional, the device does not disconnect the user during the accounting even when it finds no available accounting server or fails to communicate with the accounting server.

The three settings behave as follows. With the accounting optional command, the system still sends accounting information to the accounting server, but it never terminates the user connection because of accounting, whether or not the server responds or performs accounting. With the scheme none command, the system sends no accounting information at all and does not terminate the connection. If you specify a RADIUS or HWTACACS scheme in the scheme command without configuring accounting optional, the system sends accounting information to the accounting server and terminates the connection if the server does not respond or does not perform accounting. Note that accounting optional trades a complete audit trail for availability: sessions can continue with no record on the server, so if you enable it, also enable the accounting-server-down trap (see the radius trap command) so that the gap is noticed.

Perform the following configuration in ISP domain view.

By default, when an ISP domain is created, accounting optional is disabled.

Defining an address pool and allocating IP addresses to PPP users

PPP users can obtain IP addresses from the device through PPP address negotiation. Three approaches are available for address allocation on an interface:

■ Directly allocate IP addresses on the interface without configuring an address pool.

■ Define an address pool in system view and assign it to the interface in interface view (only one pool can be assigned to an interface); addresses for the connected peers are then taken from that pool.

■ Define address pools in domain view and directly allocate the addresses from the pools to the login domain PPP users.

Table 17 Configure an access limit

Operation Command

Set an access limit to limit the number of users that the domain can accommodate.

access-limit { disable | enable max-user-number }

Restore the default value. undo access-limit

Table 18 Enable/disable accounting optional

Operation Command

Enable accounting optional. accounting optional

Disable accounting optional. undo accounting optional


Perform the following configuration in ISP domain view.

By default, no address pool is configured.

The following are the principles of IP address allocation to PPP users in AAA:

1 For a domain user with a name either in the form of userid or userid@isp-name, the address is allocated as follows:

■ If RADIUS or TACACS authentication/authorization applies, the address that the server has issued to the user is allocated, if there is any.

■ If the server issues an address pool instead of an address, the device searches the address pool in domain view for an address.

■ If no address can be allocated by the above two methods, or if local authentication is used, the device assigns an address according to the configuration of the interface, as follows:

■ If the remote address ip-address command is issued on the interface and the specified address is not in use, the device assigns the address to the user.

■ If the remote address pool command is issued on the interface, the device searches for the address in the specified address pool in domain view and assigns the address to the user.

■ If the remote address command is not issued on the interface, the device searches for the address in all the address pools in domain view and assigns the address to the user.

2 For a user that is not to be authenticated, the device allocates address using the specified address pool (defined in system view) on the interface.

n For a user that is to be authenticated and is not assigned any address with the remote address ip-address command, you can still change how a PPP user is assigned an address.

Creating a Local User and Setting the Related Attributes

Create a local user and configure the related attributes on the security gateway if you select the local authentication scheme in AAA.

n If you use a radius-scheme or hwtacacs-scheme to authenticate users, you must appropriately configure the RADIUS or TACACS server. The local configuration in this case does not take effect.

Creating a local user

Local users are accounts stored on the NAS (the security gateway). The username is the unique identifier of a local user. A user requesting network service passes local authentication if its username and password match an entry in the local user database of the NAS.

Table 19 Define an IP address pool for PPP domain users

Operation Command

Define an IP address pool for allocating addresses to PPP users.

ip pool pool-number low-ip-address [ high-ip-address ]

Delete the specified address pool. undo ip pool pool-number


Perform the following configuration in system view

By default, there is no local user in the system.

Setting attributes of a local user

The attributes of a local user include user password display mode, user password, user state, and the type of service that is authorized to the user.

Perform the following configuration in system view.

In the local-user password-display-mode command, auto means that each password is displayed in the mode chosen when that password was configured (see the password command in Table 22), and cipher-force means that the passwords of all local users are displayed in cipher text regardless of how they were entered. A password entered with password simple is otherwise stored and shown in clear text in the configuration, so anyone who can read the configuration or a backup of it can read the password; use cipher or cipher-force unless you have a specific reason not to.

Perform the following configurations in local user view.

Table 20 Create/delete a local user and the relevant properties

Operation Command

Add a local user. local-user user-name

Delete a local user or the service type of the local user.

undo local-user user-name [ service-type | level ]

Delete all local users or all local users of a specific service type.

undo local-user all [ service-type { ftp | ppp | ssh | telnet | terminal } ]

Table 21 Set the password display mode for local users

Operation Command

Set the password display mode for all local users.

local-user password-display-mode { cipher-force | auto }

Cancel the password display mode for local users. undo local-user password-display-mode

Table 22 Set/remove the attributes concerned with a specified user

Operation Command

Set a user password. password { simple | cipher } password

Remove the user password. undo password

Set the user state. state { active | block }

Remove the user state setting. undo state { active | block }

Set a service type available for the user. service-type { telnet | ssh | terminal | pad }

Cancel the service type available for the user. undo service-type { telnet | ssh | terminal | pad }

Set a priority level for the user. level level

Restore the default priority level. undo level

Authorized DVPN service to the user service-type dvpn

Remove the DVPN service authorization undo service-type dvpn

Set the directory that can be accessed if the user is an FTP user. service-type ftp [ ftp-directory directory]

Restore the default directory that can be accessed if the user is an FTP user. undo service-type ftp [ ftp-directory ]


By default, no service is authorized to users. The default user priority level is 0.

n If the configured authentication method requires a username and password (local, RADIUS, or HWTACACS authentication), the user priority level determines which level of commands the user can access after logging in. If RSA authentication is used, or if the authentication method is none or requires only a password, the priority level of the user interface determines which level of commands can be accessed.

Configuring the RADIUS Protocol

The RADIUS protocol is configured scheme by scheme. In a real network, a RADIUS scheme can refer to a single RADIUS server or to a pair of primary and secondary RADIUS servers with the same configuration but different IP addresses. Accordingly, the attributes of every RADIUS scheme include the IP addresses of the primary and secondary servers, the shared key, and the RADIUS server type.

The RADIUS protocol configuration only defines the parameters needed for the exchange between the NAS and a RADIUS server. For these settings to take effect, you must also reference the RADIUS scheme in ISP domain view. For more information about those commands, refer to the section "Configuring AAA".

RADIUS protocol configuration includes:

■ Create a RADIUS scheme

■ Configure RADIUS authentication/authorization servers

■ Configure RADIUS accounting servers and the related attributes

■ Configure the shared key for RADIUS packet encryption

■ Set the maximum number of RADIUS request attempts

■ Set the supported RADIUS server type

■ Set RADIUS server state

■ Set the username format acceptable to the RADIUS server

■ Set the unit of data flows destined for the RADIUS server

■ Configure the source address in the RADIUS packets sent by NAS

■ Set timers regarding RADIUS server

■ Configure the RADIUS server to send a trap packet

Set the attributes of callback number and call number of PPP users.

service-type ppp [ callback-nocheck | callback-number callback-number | call-number call-number [ subcall-number ] ]

Restore the default callback number and call number of PPP users.

undo service-type ppp [ callback-nocheck | callback-number | call-number ]



Among these tasks, creating a RADIUS scheme and configuring RADIUS authentication/authorization servers are required, while other tasks are optional at your discretion.

Creating a RADIUS Scheme

As mentioned earlier, the RADIUS protocol is configured scheme by scheme. Therefore, before performing other RADIUS protocol configurations, you must create a RADIUS scheme and enter its view.

You can use the following commands to create/delete a RADIUS scheme.

Perform the following configurations in system view.

A RADIUS scheme can be referenced by several ISP domains at the same time.

By default, the system has a RADIUS scheme named system whose attributes are all default values.

c CAUTION: FTP, Terminal, and SSH are not standard values of the RADIUS Login-Service attribute (standard attribute 15), so you must define them on the RADIUS server as follows:

login-service(50) = SSH

login-service(51) = FTP

login-service(52) = Terminal

After that, reboot the RADIUS server to validate them.

Configuring RADIUS Authentication/Authorization Servers

You can use the following commands to configure IP address and port number of RADIUS authentication/authorization servers.

Perform the following configuration in RADIUS view.

Table 23 Create/delete a RADIUS scheme

Operation Command

Create a RADIUS scheme and enter its view. radius scheme radius-scheme-name

Delete a RADIUS scheme. undo radius scheme radius-scheme-name

Table 24 Configure IP address and port number of RADIUS authentication/authorization servers

Operation Command

Configure IP address and port number of the primary RADIUS authentication/authorization server.

primary authentication ip-address [ port-number ]

Restore IP address and port number of the primary RADIUS authentication/authorization server to the default values.

undo primary authentication

Configure IP address and port number of the secondary RADIUS authentication/authorization server.

secondary authentication ip-address [ port-number ]


Because the RADIUS server sends authorization information to the RADIUS client in its authentication response packets, you do not need to specify a separate authorization server.

In real networking environments, you may specify two RADIUS servers as primary and secondary authentication/authorization servers respectively, or specify one server to function as both.

Configuring RADIUS Accounting Servers and the Related Attributes

Configuring RADIUS accounting servers

You can use the following commands to configure IP address and port number of RADIUS accounting servers.

Perform the following configuration in RADIUS view.

In practice, you can specify two RADIUS servers as the primary and the secondary accounting servers respectively; or specify one server to function as both.

For the NAS and a RADIUS server to communicate, make sure that routes exist between them before you configure the IP address and UDP port of the RADIUS server. Because RADIUS uses different UDP ports for authentication/authorization and for accounting, you must assign different numbers to the two ports; RFC 2138 and RFC 2139 recommend 1812 and 1813 respectively. You can assign other port numbers (for example, early RADIUS server implementations often used 1645 for authentication/authorization and 1646 for accounting), but the port settings on the security gateway and on the RADIUS server must match.

You can use the display radius command to view the IP addresses and port number of the primary and secondary accounting servers in the RADIUS scheme.

Restore IP address and port number of the secondary RADIUS authentication/authorization server to the default values.

undo secondary authentication


Table 25 Configure IP address and port number of RADIUS accounting servers

Operation Command

Configure IP address and port number of the primary RADIUS accounting server.

primary accounting ip-address [ port-number ]

Restore the default IP address and port number of the primary RADIUS accounting server.

undo primary accounting

Configure IP address and port number of the secondary RADIUS accounting server.

secondary accounting ip-address [ port-number ]

Restore the default IP address and port number of the secondary RADIUS accounting server.

undo secondary accounting


Configuring optional accounting

If a user is configured with the accounting optional command, the device does not disconnect the user during the accounting even when it finds no available accounting server or fails to communicate with the accounting server.

Perform the following configuration in RADIUS view.

By default, when a RADIUS scheme is created, optional accounting is disabled.

Enabling the stop-accounting packet buffer and retransmission

Because the stop-accounting packet determines the end of a billed session, it matters to both the user and the ISP, and the NAS should make its best effort to deliver every stop-accounting packet to the RADIUS accounting server. If the NAS receives no response from the accounting server to a stop-accounting packet within the response timeout, it buffers the packet and resends it until the server responds, or discards it once the number of transmission attempts reaches the configured limit. Use the following commands to enable buffering of stop-accounting packets and to set the maximum number of transmission attempts.

Perform the following configuration in RADIUS view.

By default, the stop-accounting packet buffer is disabled and the maximum number of packet transmission attempts is 500.

Configuring the maximum number of real-time accounting request attempts

A RADIUS server usually determines whether a user is still online by means of a connection timeout timer: if it receives no real-time accounting packets from the NAS for a long time, it assumes that the line or the device has failed and stops accounting for the user. To stay consistent with the server, the NAS must terminate the user connection at about the same time when such a fault occurs. 3Com Series Security Gateways therefore let you set the maximum number of consecutive real-time accounting request attempts. The NAS

Table 26 Enable/disable optional accounting

Operation Command

Enable optional accounting. accounting optional

Disable optional accounting. undo accounting optional

Table 27 Enable the stop-accounting packet buffer and set the maximum number of transmission attempts

Operation Command

Enable the stop-accounting packet buffer. stop-accounting-buffer enable

Disable the stop-accounting packet buffer. undo stop-accounting-buffer enable

Enable stop-accounting packet retransmission and specify the maximum number of transmission attempts.

retry stop-accounting retry-times

Restore the default maximum number of transmission attempts. undo retry stop-accounting


terminates a user connection if it receives no response after the number of transmitted real-time accounting requests exceeds the configured limit.

You can use the following command to set the maximum number of real-time accounting request attempts.

Perform the following configuration in RADIUS view.

By default, the maximum number of real-time accounting request attempts is 5.

Setting the Shared Key for RADIUS Packet Encryption

The RADIUS client (the security gateway) and the RADIUS server share a key that is never sent on the wire. Each end combines the key with the MD5 algorithm to authenticate the packets it receives (the server's responses carry an MD5 digest over the packet and the key) and to obfuscate the User-Password attribute in authentication requests; the rest of the packet is not encrypted. Only when both ends hold the same key can they accept each other's packets and respond to them.

Perform the following configurations in RADIUS view.

By default, the shared key 3com is used for RADIUS authentication/authorization and accounting packets. Because this default is printed in the documentation, anyone who can reach the RADIUS port can forge packets against a scheme that still uses it; set a long, site-specific key on the scheme and on the server.
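The mechanics behind the shared key, as an added Python example written for this page (it is not code from the switch or from 3Com; it follows RFC 2865 and uses only the standard library; the username, password, NAS address and the factory key 3com are constructed sample values):

```python
"""Added example (not code from the switch or from 3Com): how the RADIUS
shared key is used on the wire, per RFC 2865.  The key is never sent.  The
NAS uses it with MD5 to (a) obfuscate User-Password in an Access-Request and
(b) check the Response Authenticator of the server's reply; the server does
the same in reverse.  Nothing else in the packet is encrypted.  Key, user,
password and NAS address below are constructed sample values; b"3com" is the
page's documented default and is used only to show why it must be changed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-octet multiple, then XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """The server side of hide_password.  Padding is NUL octets, so a password
    that itself ends in NUL cannot be told apart from padding (RFC limitation)."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(kind: int, value: bytes) -> bytes:
    return struct.pack("!BB", kind, len(value) + 2) + value


def parse_attributes(packet: bytes) -> dict:
    attrs, i = {}, 20
    while i < len(packet):
        kind, length = packet[i], packet[i + 1]
        attrs[kind] = packet[i + 2:i + length]
        i += length
    return attrs


def build_access_request(ident: int, secret: bytes, user: bytes,
                         password: bytes, nas_ip: str) -> bytes:
    request_auth = os.urandom(16)            # random and NOT keyed
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + auth + attrs


def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """What the NAS does with a reply: recompute the authenticator with its own
    copy of the key.  A mismatch (wrong key, forged or corrupted reply) means the
    packet is silently discarded, which the user sees as a timeout."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def round_trip(secret_on_nas: bytes, secret_on_server: bytes) -> dict:
    """One exchange with the two sides' keys given separately, so that a key
    mismatch (the usual misconfiguration) is visible in the result."""
    req = build_access_request(7, secret_on_nas, b"alice@isp1", b"s3cret!", "10.1.1.100")
    hidden = parse_attributes(req)[USER_PASSWORD]
    seen_by_server = reveal_password(hidden, secret_on_server, req[4:20])
    reply = build_access_accept(req, secret_on_server)
    return {"server_got_password": seen_by_server,
            "nas_accepts_reply": verify_response(reply, req, secret_on_nas)}
```

Two things the example makes visible. First, the key protects only the User-Password attribute and the server's reply: the Access-Request itself carries a random, unkeyed Request Authenticator, so anyone who can reach the server's UDP port can submit requests, and anyone on the path can read every other attribute. Second, a key mismatch produces no error message: the server recovers a garbage password and rejects, or the NAS discards the reply and the user sees a timeout, which is why a wrong key usually looks like a server outage in display radius. MD5-based response authentication has also been shown to be forgeable by an on-path attacker with enough computation (the 2024 BlastRADIUS research), so keep the RADIUS path on a management network, set a long site-specific key with key authentication and key accounting, and treat the factory value 3com as public.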

Setting the Maximum Number of RADIUS Request Attempts

Since RADIUS uses UDP packets to carry data, the communication process is not reliable. If the RADIUS server does not respond to the NAS before the response timer times out, the NAS should retransmit the RADIUS request. After the number of transmission attempts exceeds the specified retry-times, the NAS considers the communication with the current RADIUS server has been disconnected and turns to another RADIUS server.

You can use the following command to set the maximum number of allowed RADIUS request attempts.

Perform the following configurations in RADIUS view.

Table 28 Set the maximum number of real-time accounting request attempts

Operation Command

Set the maximum number of real-time accounting request attempts. retry realtime-accounting retry-times

Restore the default maximum number of real-time accounting request attempts. undo retry realtime-accounting

Table 29 Set the shared key for RADIUS packet encryption

Operation Command

Set the shared key for RADIUS authentication/authorization packet encryption.

key authentication string

Restore the default shared key for RADIUS authentication/authorization packet encryption.

undo key authentication

Set the shared key for RADIUS accounting packet encryption. key accounting string

Restore the default shared key for RADIUS accounting packet encryption. undo key accounting


By default, a RADIUS request can be sent up to three times.

Setting the Supported RADIUS Server Type

You can use the following command to set the supported RADIUS server type.

Perform the following configurations in RADIUS view.

By default, in system scheme, the RADIUS server type is 3com; in the newly added RADIUS scheme, the RADIUS server type is standard.

n If a 3Com CAMS server is used, some parameters, such as service type, EXEC priority level, and FTP directory, take effect only after server-type is configured as 3com.

Setting RADIUS Server State

For primary and secondary servers (no matter they are authentication/authorization servers or accounting servers) in a RADIUS scheme, if the primary server is disconnected from the NAS due to some fault, the NAS automatically turns to the secondary server. However, after the primary one recovers, the NAS does not resume the communication with it at once; instead, the NAS continues communicating with the secondary one and turns to the primary one again only after the secondary one fails. To have the NAS communicate with the primary server right after its recovery, you can manually set the primary server state to active.

When both primary and secondary servers are active or blocked, the NAS sends packets to the primary one only.

Perform the following configurations in RADIUS view.

Table 30 Set the maximum number of RADIUS request attempts

Operation Command

Set the maximum number of RADIUS request attempts. retry retry-times

Restore the default maximum number of RADIUS request attempts. undo retry

Table 31 Set the supported RADIUS server type

Operation Command

Set the supported RADIUS server type. server-type { 3com | standard }

Restore the RADIUS server type to the default setting. undo server-type

Table 32 Set RADIUS server state

Operation Command

Set the state of the primary RADIUS authentication/authorization server. state primary authentication { block | active }

Set the state of the primary RADIUS accounting server. state primary accounting { block | active }

Set the state of the secondary RADIUS authentication/authorization server. state secondary authentication { block | active }

Set the state of the secondary RADIUS accounting server. state secondary accounting { block | active }


You can use the display radius command to view the server state in the RADIUS scheme.

Setting Username Format Acceptable to RADIUS Server

As mentioned above, the supplicants are generally named in userid@isp-name format. The part following "@" is the ISP domain name. 3Com Series Security Gateways will put the users into different ISP domains according to the domain names. However, some earlier RADIUS servers reject the username including ISP domain name. In this case, you have to remove the domain name before sending the username to the RADIUS server. The security gateway provides the following command to specify whether the username to be sent to the RADIUS server carries ISP domain name or not.

n If a RADIUS scheme is configured not to allow usernames to include ISP domain names, the RADIUS scheme shall not be simultaneously used in more than one ISP domain. Otherwise, the RADIUS server will regard two users in different ISP domains as the same user by mistake, if they have the same username (excluding their respective domain names.)

By default, in system scheme, the NAS server sends user names without the ISP domain name to the RADIUS server; in the newly added RADIUS scheme, the NAS server sends user names with the ISP domain name to the RADIUS server.

Setting the Unit of Data Flows Destined for RADIUS Server

3Com Series Security Gateways provide you with the following command to define the unit of the data flow sent to RADIUS servers.

In a RADIUS scheme, the default data unit is byte and the default data packet unit is one packet.

Configuring Source Address for RADIUS Packets Sent by NAS

Perform the following configuration in the specified views.

Table 33 Set username format acceptable to RADIUS server

Operation Command

Set the username format transmitted to the RADIUS server.

user-name-format { with-domain | without-domain }

Table 34 Set the unit of data flows destined for RADIUS server

Operation Command

Set the unit of data flows transmitted to RADIUS server.

data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-packet | kilo-packet | mega- packet | one-packet }

Restore the default unit. undo data-flow-format

Table 35 Configure source address for the RADIUS packets sent by the NAS

Operation Command

Configure the source address to be carried in the RADIUS packets sent by the NAS(RADIUS view).

nas-ip ip-address

Cancel the configured source address to be carried in the RADIUS packets sent by the NAS(RADIUS view).

undo nas-ip

Configure the source address to be carried in the RADIUS packets sent by the NAS(System view).

radius nas-ip ip-address


You can use either command to bind a source address with the NAS.

By default, no source address is specified and the source address of a packet is the address of the interface where it is sent.

Setting Timers Regarding RADIUS Server

Setting the response timeout timer

If the NAS receives no response from the RADIUS server within a set period after sending a RADIUS request (an authentication/authorization or accounting request), it resends the request, so that the user can still obtain the RADIUS service if a packet was lost.

You can use the following commands to set the response timeout timer.

Perform the following configuration in RADIUS view.

By default, the response timeout timer for the RADIUS server is set to three seconds.

Setting the quiet timer for the primary RADIUS server

Perform the following configuration in RADIUS view.

By default, the primary RADIUS server must wait five minutes before it can resume the active state.
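The retry, server-state and quiet-timer behaviour described under "Setting the Maximum Number of RADIUS Request Attempts", "Setting RADIUS Server State" and the two timers above, as an added Python model written for this page (it is not switch code): it lets you work out how long a user waits and which server answers before the change is made on the gateway. The addresses, the clock and the transport are constructed stand-ins; the defaults (3 attempts, 3 seconds, 5 minutes) are the ones the page documents.

```python
"""Added example (a stand-alone model, not code from the switch or from 3Com):
the RADIUS request retry, server-state and quiet-timer behaviour this page
describes.  Rules implemented as the page states them:
  - a request is sent up to retry-times times (default 3), waiting
    response-timeout seconds (default 3) for each transmission;
  - a server that never answers is marked block and the NAS turns to the other;
  - a blocked server is tried again only after the quiet timer (default
    5 minutes) or when an operator sets it active by hand;
  - when both servers are in the same state the primary is tried first, and
    when both are blocked only the primary is tried.
Addresses, the clock and the transport are constructed stand-ins."""
import time


class RadiusScheme:
    def __init__(self, primary, secondary, retry_times=3, response_timeout=3.0,
                 quiet_minutes=5, clock=time.monotonic):
        self.servers = {"primary": primary, "secondary": secondary}
        self.state = {"primary": "active", "secondary": "active"}
        self.blocked_at = {}              # role -> clock value when marked block
        self.retry_times = retry_times
        self.response_timeout = response_timeout
        self.quiet = quiet_minutes * 60
        self.clock = clock

    def set_state(self, role, state):
        """Equivalent of `state primary authentication { block | active }`."""
        self.state[role] = state
        self.blocked_at.pop(role, None)
        if state == "block":
            self.blocked_at[role] = self.clock()

    def _expire_quiet(self):
        now = self.clock()
        for role, since in list(self.blocked_at.items()):
            if now - since >= self.quiet:
                self.set_state(role, "active")

    def candidates(self):
        """Order in which servers are tried for one request."""
        self._expire_quiet()
        p, s = self.state["primary"], self.state["secondary"]
        if p == s:                        # both active or both block: primary first
            return ["primary", "secondary"] if p == "active" else ["primary"]
        return ["primary", "secondary"] if p == "active" else ["secondary", "primary"]

    def send(self, request, transport):
        """transport(addr, request, timeout) returns the reply, or None on timeout.
        Returns (reply, role_that_answered, attempt_log)."""
        log = []
        for role in self.candidates():
            for attempt in range(1, self.retry_times + 1):
                reply = transport(self.servers[role], request, self.response_timeout)
                log.append((role, attempt, reply is not None))
                if reply is not None:
                    return reply, role, log
            self.set_state(role, "block")     # gave up on this server
        return None, None, log


class FakeClock:
    """Deterministic replacement for time.monotonic()."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def fake_transport(alive, clock):
    """Servers in `alive` answer at once; others swallow the packet and the
    NAS burns the full response timeout waiting for a reply."""
    def transport(addr, request, timeout):
        if addr in alive:
            return b"Access-Accept:" + request
        clock.advance(timeout)
        return None
    return transport


def failover_timeline():
    """Primary down at start, repaired later: shows when the NAS stops using
    the secondary again.  Returns the roles that answered and the delay."""
    clock, alive = FakeClock(), {"192.0.2.2"}            # only the secondary answers
    scheme = RadiusScheme("192.0.2.1", "192.0.2.2", clock=clock)
    transport = fake_transport(alive, clock)
    started = clock()
    first = scheme.send(b"req-1", transport)             # 3 x 3 s on primary, then secondary
    waited = clock() - started
    alive.add("192.0.2.1")                               # primary repaired
    second = scheme.send(b"req-2", transport)            # still secondary: primary is blocked
    clock.advance(scheme.quiet)                          # quiet timer expires
    third = scheme.send(b"req-3", transport)             # back on the primary
    return {"answered_by": [first[1], second[1], third[1]],
            "attempts_before_first_reply": len(first[2]),
            "seconds_user_waited": waited}
```

With the documented defaults a user whose primary server is down waits 3 x 3 = 9 seconds before the secondary is tried, and every later request goes to the secondary for the next 5 minutes even after the primary is repaired; state primary authentication active shortens that. The same arithmetic applies to the accounting servers. A primary that is flapping (answering some requests and not others) is the case this model does not settle: each failure re-blocks it and restarts the quiet timer, so rely on the radius trap authentication-server-down trap rather than assuming the NAS converges on one server.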

Setting a realtime accounting interval

The setting of real-time accounting interval is indispensable to real-time accounting. After an interval value is set, the NAS transmits the accounting information of online users to the RADIUS accounting server at intervals of this value.

Perform the following configuration in RADIUS view.

Cancel the configured source address to be carried in the RADIUS packets sent by the NAS(System view).

undo radius nas-ip


Table 36 Set the response timeout timer

Operation Command

Set the response timeout timer. timer response-timeout seconds

Restore the default response timeout timer. undo timer response-timeout

Table 37 Configure the quiet timer for the primary RADIUS server

Operation Command

Configure the quiet timer for the primary RADIUS server.

timer quiet minutes

Restore the default setting. undo timer quiet


In the command, minutes represents the interval for realtime accounting and it must be a multiple of three.

The real-time accounting interval depends on the performance of the NAS and of the RADIUS server: a shorter interval needs more capacity on both. Use a longer interval when there are many users (1000 or more). The following table gives the recommended interval for a given number of users.

The realtime accounting interval defaults to 12 minutes.

Configure the RADIUS Server to Send a trap Packet

Perform the following configuration in system view.

By default, the NAS does not send a trap packet when a RADIUS server goes down.

Configuring Local RADIUS Authentication Server

The security gateway provides a simple local RADIUS server function that covers authentication and authorization, called the local RADIUS authentication server function.

By default, a local RADIUS authentication server with the NAS-IP as 127.0.0.1 and key as 3com is created.

Table 38 Set a real-time accounting interval

Operation Command

Set a real-time accounting interval. timer realtime-accounting minutes

Restore the default real-time accounting interval.

undo timer realtime-accounting

Table 39 Recommended ratio of interval to user number

User number Interval for realtime accounting (minute)

1 - 99 3

100 - 499 6

500 - 999 12

1000 or more 15

Table 40 Configure the RADIUS server to send a trap packet

Operation Command

Enable the NAS to send a trap packet when the RADIUS authentication or accounting server goes down.

radius trap { authentication-server-down | accounting-server-down }

Disable the trap for the RADIUS authentication or accounting server going down.

undo radius trap { authentication-server-down | accounting-server-down }

Table 41 Configure local RADIUS authentication server

Operation Command

Configure local RADIUS authentication server. local-server nas-ip ip-address key password

Cancel the local RADIUS authentication server configuration. undo local-server nas-ip ip-address


n When the local RADIUS authentication server function is enabled, the UDP port number for the authentication/authorization services must be 1645 and that for the accounting service must be 1646.

The packet key password configured here must be the same with the authentication/authorization packet key password configured in the key authentication command in RADIUS view.

The device supports 16 local RADIUS authentication servers at most, including default ones created by the system.

Configuring HWTACACS Protocol

The configuration tasks of HWTACACS include:

■ Create a HWTACACS scheme

■ Configure TACACS authentication servers

■ Configure TACACS authorization servers

■ Configure TACACS accounting servers

■ Configure a key for securing the communication with a TACACS server

■ Set the username format acceptable to a TACACS server

■ Set the unit of data flows destined for a TACACS server

■ Configure the source address to be carried by the HWTACACS packets sent by NAS

■ Set timers regarding TACACS server

n In contrast to the settings in RADIUS server, note the following points when configuring a TACACS server:

■ The system does not check whether users are using the current HWTACACS scheme when you change most of its attributes, except when you delete the scheme.

■ By default, the TACACS server has no key.

Among these configuration tasks, creating a HWTACAS scheme and configuring TACACS authentication/authorization server are mandatory, while others are arbitrary at your discretion.

Creating a HWTACACS scheme

As mentioned above, the HWTACACS protocol is configured scheme by scheme. Therefore, you must create a HWTACACS scheme and enter HWTACACS view before you perform the other configuration tasks.

Perform the following configuration in system view.

Table 42 Create a HWTACACS scheme

Operation Command

Create a HWTACACS scheme and enter HWTACACS view. hwtacacs scheme hwtacacs-scheme-name

Delete a HWTACACS scheme. undo hwtacacs scheme hwtacacs-scheme-name


If the HWTACACS scheme you specify does not exist, the system creates it and enters HWTACACS view.

In HWTACACS view, you can configure the HWTACACS scheme.

The system supports up to 128 HWTACACS schemes. You can only delete the schemes that are not being used.

By default, no HWTACACS scheme exists.

Configuring TACACS Authentication Servers

Perform the following configuration in HWTACACS view.

Table 43 Configure TACACS authentication servers

Operation Command

Configure the TACACS primary authentication server. primary authentication ip-address [ port ]

Delete the TACACS primary authentication server. undo primary authentication

Configure the TACACS secondary authentication server. secondary authentication ip-address [ port ]

Delete the TACACS secondary authentication server. undo secondary authentication

The primary and secondary authentication servers cannot use the same IP address; otherwise, the system reports that the configuration fails. The default port number is 49.

If you execute this command repeatedly, the new settings replace the old settings.

You can remove a server only when it is not used by any active TCP connection for sending authentication packets. The removal does not affect packets sent before the operation.

Configuring TACACS Authorization Servers

Perform the following configuration in HWTACACS view.

Table 44 Configure TACACS authorization servers

Operation Command

Configure the primary TACACS authorization server. primary authorization ip-address [ port ]

Delete the primary TACACS authorization server. undo primary authorization

Configure the secondary TACACS authorization server. secondary authorization ip-address [ port ]

Delete the secondary TACACS authorization server. undo secondary authorization

Note: If TACACS authentication is configured for a user but no TACACS authorization server is configured, the user cannot log in regardless of its user type.


The primary and secondary authorization servers cannot use the same IP address; otherwise, the system reports that the configuration fails. The default port number is 49.

If you execute this command repeatedly, the new settings replace the old settings.

You can remove a server only when it is not used by any active TCP connection for sending authorization packets.

Configuring TACACS Accounting Servers and the Related Attributes

Configuring TACACS accounting servers

Perform the following configuration in HWTACACS view.

Table 45 Configure TACACS accounting servers

Operation Command

Configure the primary TACACS accounting server. primary accounting ip-address [ port ]

Delete the primary TACACS accounting server. undo primary accounting

Configure the secondary TACACS accounting server. secondary accounting ip-address [ port ]

Delete the secondary TACACS accounting server. undo secondary accounting

The primary and secondary accounting servers cannot use the same IP address; otherwise, the system reports that the configuration fails. The default port number is 49.

The default IP address of a TACACS accounting server is 0.0.0.0.

If you execute this command repeatedly, the new settings replace the old settings.

You can remove a server only when it is not used by any active TCP connection for sending accounting packets.

Enabling stop-accounting packet retransmission

Perform the following configuration in HWTACACS view.

Table 46 Configure stop-accounting packet retransmission

Operation Command

Enable stop-accounting packet retransmission and set the allowed maximum number of transmission attempts. retry stop-accounting retry-times

Disable stop-accounting packet retransmission. undo retry stop-accounting

By default, stop-accounting packet retransmission is enabled, and the allowed maximum number of transmission attempts is 100.


Configuring Source Address for HWTACACS Packets Sent by NAS

Perform the following configuration.

By default, no source address is specified and the source address to be carried in a packet is the address of the interface where the packet is sent.

Setting a Key for Securing the Communication with TACACS Server

When using a TACACS server as an AAA server, you can set a key to improve the communication security between the security gateway and the TACACS server.

Perform the following configuration in HWTACACS view.

No key is configured by default.

Setting the Username Format Acceptable to the TACACS Server

Username is usually in the "userid@isp-name" format, with the domain name following "@".

If a TACACS server does not accept usernames that carry a domain name, you can configure the NAS to remove the domain name before it sends the username to the TACACS server.

Perform the following configuration in HWTACACS view.

By default, each username sent to a TACACS server contains a domain name.
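To make the username handling in this section concrete, the following is an added example in Python written for this page (it is not 3Com code and not the switch's implementation). It splits a "userid@isp-name" login, looks up the ISP domain, and applies the scheme's user-name-format setting to decide what is forwarded to the server. The class and function names, the fallback to a default ISP domain when a login carries no "@", and the rejection of an unknown domain are assumptions of this model; the manual's troubleshooting section only states that the name must be in userid@isp-name format or a default ISP domain must be specified on the NAS.

```python
"""Added example (not 3Com code): how a NAS could resolve the
"userid@isp-name" username format before forwarding the name to an
authentication server, honouring the scheme's user-name-format setting.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Keywords of the manual's "user-name-format" command.
WITH_DOMAIN = "with-domain"        # default: the "@isp-name" part is kept
WITHOUT_DOMAIN = "without-domain"  # the domain name is removed before sending


@dataclass
class AuthScheme:
    """A RADIUS or HWTACACS scheme, reduced to the fields this example needs."""
    name: str
    user_name_format: str = WITH_DOMAIN


def split_username(login: str, default_domain: Optional[str]) -> Tuple[str, Optional[str]]:
    """Split "userid@isp-name" into (userid, isp-name).

    The domain is the text after the LAST "@", so a userid that itself
    contains "@" is not mis-parsed. A login without "@" falls back to the
    default ISP domain, if one is configured (assumption of this model).
    """
    if "@" in login:
        userid, _, domain = login.rpartition("@")
        if not userid or not domain:
            raise ValueError(f"malformed username {login!r}")
        return userid, domain
    return login, default_domain


def name_sent_to_server(login: str, domains: Dict[str, AuthScheme],
                        default_domain: Optional[str] = None) -> Tuple[str, str]:
    """Return (scheme name, username as forwarded to the server).

    Raises ValueError when the login cannot be mapped to a configured domain.
    """
    userid, domain = split_username(login, default_domain)
    if domain is None:
        raise ValueError("no domain in username and no default ISP domain configured")
    scheme = domains.get(domain)
    if scheme is None:
        raise ValueError(f"ISP domain {domain!r} is not configured on the NAS")
    if scheme.user_name_format == WITHOUT_DOMAIN:
        return scheme.name, userid
    return scheme.name, f"{userid}@{domain}"


def resolve_or_none(login: str, domains: Dict[str, AuthScheme],
                    default_domain: Optional[str] = None) -> Optional[Tuple[str, str]]:
    """Same as name_sent_to_server, but returns None instead of raising."""
    try:
        return name_sent_to_server(login, domains, default_domain)
    except ValueError:
        return None


# Constructed sample configuration mirroring the manual's examples:
# domain "tacacs" keeps the domain name, domain "cams" strips it.
SAMPLE_DOMAINS = {
    "tacacs": AuthScheme("system", WITH_DOMAIN),
    "cams": AuthScheme("cams", WITHOUT_DOMAIN),
}

if __name__ == "__main__":
    print(name_sent_to_server("test@tacacs", SAMPLE_DOMAINS))
    print(name_sent_to_server("alice@cams", SAMPLE_DOMAINS))
    print(resolve_or_none("bob", SAMPLE_DOMAINS))
```

Run as a script it prints the scheme chosen and the exact string the server would see; note that with without-domain the server's user database must hold the bare userid, while with with-domain it must hold the full userid@isp-name, which is the point the configuration examples later in this chapter make.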

Setting the Unit of Data Flows Destined for the TACACS Server

Perform the following configuration in HWTACACS view.

Table 47 Configure the source address to be carried in HWTACACS packets sent by the NAS

Operation Command

Configure the source address to be carried in HWTACACS packets sent by the NAS (HWTACACS view). nas-ip ip-address

Delete the configured source address to be carried in HWTACACS packets sent by the NAS (HWTACACS view). undo nas-ip

Configure the source address to be carried in HWTACACS packets sent by the NAS (system view). hwtacacs nas-ip ip-address

Cancel the configured source address to be carried in HWTACACS packets sent by the NAS (system view). undo hwtacacs nas-ip

Table 48 Set a key for securing the communication with the TACACS server

Operation Command

Configure a key for securing the communication with the TACACS accounting, authorization or authentication server. key { accounting | authorization | authentication } string

Delete the configuration. undo key { accounting | authorization | authentication }

Table 49 Set the username format acceptable to the TACACS server

Operation Command

Send username with domain name. user-name-format with-domain

Send username without domain name. user-name-format without-domain


By default, data flows are measured in bytes, and packets are counted in units of one packet.

Setting Timers Regarding TACACS Server

Setting the response timeout timer

Since HWTACACS is implemented over TCP, a server response timeout or a TCP timeout may terminate the connection to the TACACS server.

Perform the following configuration in HWTACACS view.

The default response timeout timer is set to five seconds.

Setting the quiet timer for the primary TACACS server

Perform the following configuration in HWTACACS view.

By default, the primary TACACS server must wait five minutes before it can resume the active state.

Setting a realtime accounting interval

The real-time accounting interval is required for real-time accounting. After an interval is set, the NAS sends the accounting information of online users to the RADIUS accounting server at that interval.

Perform the following configuration in HWTACACS view.
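The timer and server settings in this section interact: a primary server that stops answering is placed in a quiet period and the secondary takes over until the quiet timer expires. The following is an added Python model written for this page (not 3Com code and not the switch's implementation) that exercises the rules the manual states: TCP port 49 by default, a 5-second response timeout, a 5-minute quiet timer, replacement of settings when a command is repeated, the rule that primary and secondary servers may not share an IP address, and the limit of 128 schemes of which only unused ones can be deleted. Class and method names, and the exact moment at which the primary is considered active again, are assumptions of this model.

```python
"""Added example (not 3Com code): a model of HWTACACS scheme settings and
primary/secondary failover as described in the manual, runnable offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DEFAULT_PORT = 49                # TACACS default TCP port
DEFAULT_RESPONSE_TIMEOUT_S = 5   # "timer response-timeout" default
DEFAULT_QUIET_MIN = 5            # "timer quiet" default
MAX_SCHEMES = 128                # system-wide limit on HWTACACS schemes


@dataclass
class Server:
    ip: str
    port: int = DEFAULT_PORT
    quiet_until: float = 0.0     # timestamp until which the server stays quiet


@dataclass
class HwtacacsScheme:
    name: str
    servers: Dict[str, Server] = field(default_factory=dict)  # "primary"/"secondary"
    response_timeout_s: int = DEFAULT_RESPONSE_TIMEOUT_S
    quiet_min: int = DEFAULT_QUIET_MIN

    def set_server(self, role: str, ip: str, port: int = DEFAULT_PORT) -> None:
        """'primary authentication ip-address [ port ]' semantics: repeating the
        command replaces the old setting, and the two roles may not share an IP."""
        if role not in ("primary", "secondary"):
            raise ValueError("role must be 'primary' or 'secondary'")
        other = "secondary" if role == "primary" else "primary"
        if other in self.servers and self.servers[other].ip == ip:
            raise ValueError(f"{role} server cannot use the same IP as the {other} server")
        self.servers[role] = Server(ip, port)

    def pick_server(self, now: float) -> Optional[Server]:
        """Use the primary unless it is in its quiet period, else the secondary.
        Returns None when no server is usable at this moment."""
        for role in ("primary", "secondary"):
            srv = self.servers.get(role)
            if srv is not None and srv.quiet_until <= now:
                return srv
        return None

    def report_timeout(self, srv: Server, now: float) -> None:
        """A response timeout puts the server into the quiet state for
        'timer quiet' minutes (assumption: the quiet period starts at 'now')."""
        srv.quiet_until = now + self.quiet_min * 60


class SchemeTable:
    """System-view 'hwtacacs scheme' bookkeeping: at most MAX_SCHEMES schemes,
    and a scheme that is in use cannot be deleted."""

    def __init__(self) -> None:
        self.schemes: Dict[str, HwtacacsScheme] = {}
        self.in_use: Set[str] = set()

    def get_or_create(self, name: str) -> HwtacacsScheme:
        if name not in self.schemes:
            if len(self.schemes) >= MAX_SCHEMES:
                raise RuntimeError("maximum number of HWTACACS schemes reached")
            self.schemes[name] = HwtacacsScheme(name)
        return self.schemes[name]

    def delete(self, name: str) -> bool:
        """Return True if the scheme was deleted, False if it is still in use."""
        if name in self.in_use:
            return False
        self.schemes.pop(name, None)
        return True


def rejects_same_ip(ip: str = "10.0.0.1") -> bool:
    """True if configuring primary and secondary with the same IP is refused."""
    scheme = HwtacacsScheme("check")
    scheme.set_server("primary", ip)
    try:
        scheme.set_server("secondary", ip)
    except ValueError:
        return True
    return False


def failover_demo() -> List[str]:
    """Constructed walk-through: the primary times out at t=0 s, the secondary
    serves while the primary is quiet, and the primary returns after 5 min."""
    scheme = HwtacacsScheme("system")
    scheme.set_server("primary", "10.0.0.1")       # constructed addresses
    scheme.set_server("secondary", "10.0.0.2")
    chosen = [scheme.pick_server(0).ip]            # primary is active
    scheme.report_timeout(scheme.servers["primary"], 0)
    chosen.append(scheme.pick_server(1).ip)        # secondary while primary is quiet
    chosen.append(scheme.pick_server(299).ip)      # still inside the 5-minute quiet period
    chosen.append(scheme.pick_server(300).ip)      # primary resumes the active state
    return chosen


if __name__ == "__main__":
    print(failover_demo())
```

The model makes one operational consequence visible: while the primary is quiet, every request goes to the secondary, so a secondary that has a different shared key or no accounting server configured fails silently for the whole quiet period, which is worth checking when only intermittent login failures are reported.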

Table 50 Set the unit of data flows destined for the TACACS server

Operation Command

Set the unit of data flows destined for the TACACS server.

data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }

data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }

Restore the default unit of data flows destined for the TACACS server.

undo data-flow-format { data | packet }

Table 51 Set the response timeout timer

Operation Command

Set the response timeout time. timer response-timeout seconds

Restore the default setting. undo timer response-timeout

Table 52 Set the quiet timer for the primary TACACS server

Operation Command

Set the quiet timer for the primary TACACS server. timer quiet minutes

Restore the default setting. undo timer quiet

Table 53 Set a real-time accounting interval

Operation Command

Set a real-time accounting interval. timer realtime-accounting minutes

Restore the default real-time accounting interval. undo timer realtime-accounting

The interval is in minutes and must be a multiple of 3.

The choice of real-time accounting interval depends on the performance of the NAS and of the TACACS server: a shorter interval requires higher device performance. It is therefore recommended to adopt a longer interval when there are a large number of users (1000 or more). The following table recommends the ratio of the interval in minutes to the number of users.

The real-time accounting interval defaults to 12 minutes.

Table 54 Recommended ratio of the interval to the number of users

User number Real-time accounting interval (in minutes)

1 - 99 3

100 - 499 6

500 - 999 12

1000 or more 15

Displaying and Debugging AAA and RADIUS/HWTACACS Protocols

After the above configuration, execute the display commands in any view to view the running of the AAA and RADIUS/HWTACACS configurations and to check the configuration effect. Execute the reset commands in user view to reset the configurations. Execute the debugging commands in user view for debugging.

Table 55 Display and debug the AAA protocol

Operation Command

Display the configuration information of the specified or all the ISP domains.

display domain [ isp-name ]

Display related information of user’s connection.

display connection [ domain isp-name | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | ucibindex ucib-index | user-name user-name ]

Display related information of the local user

display local-user [ domain isp-name | service-type { dvpn | telnet | ssh | terminal | ftp | ppp } | state { active | block } | user-name user-name ]

Table 56 Display and debug the RADIUS protocol

Operation Command

Display the specified or all the RADIUS schemes or display the statistics about RADIUS. display radius [ radius-scheme-name | statistics ]

Display the statistics on RADIUS packets. display radius statistics

Display information on the stop-accounting packets in the buffer. display stop-accounting-buffer { radius-scheme radius-server-name | session-id session-id | time-range start-time stop-time | user-name user-name }

Display the statistics on the local RADIUS authentication server. display local-server statistics

Enable RADIUS packet debugging. debugging radius packet

Disable RADIUS packet debugging. undo debugging radius packet

Enable local RADIUS authentication server debugging. debugging local-server { all | error | event | packet }

Disable local RADIUS authentication server debugging. undo debugging local-server { all | error | event | packet }

Clear stop-accounting packets from the buffer. reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

Reset the statistics of RADIUS server. reset radius statistics

Table 57 Display and debug the HWTACACS protocol

Operation Command

Display the specified or all the HWTACACS schemes. display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]

Display information on the stop-accounting packets in the buffer. display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

Enable HWTACACS debugging. debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

Disable HWTACACS debugging. undo debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

Clear stop-accounting packets from the buffer. reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

Reset the statistics about TACACS servers. reset hwtacacs statistics { accounting | authentication | authorization | all }

AAA and RADIUS/HWTACACS Protocol Configuration Example

Telnet/SSH User Authentication/Accounting Using RADIUS Server

Note: Authentication configuration on the RADIUS server for SSH users is similar to that for Telnet users. The following uses the configuration for Telnet users as an example.

Network requirements

Configure the module to enable the RADIUS server to provide authentication and accounting services for Telnet users accessing the module (see Figure 9).


Connect the module to the RADIUS server (functions as both authentication and accounting servers) whose IP address is 10.0.0.1/24. On the module, set the shared keys both for packet exchange with the authentication server and with the accounting server as "expert".

You can use a 3Com CAMS server as the RADIUS server. Set server-type in the RADIUS scheme to standard or 3com if a third-party RADIUS server is used and to 3com if a 3Com CAMS server is used. On the RADIUS server, set the shared key for packet exchange with the module as "expert"; set the authentication and accounting port numbers; add the usernames and login passwords of the Telnet users. If the module is configured in the RADIUS scheme not to remove the domain name from the user name but send the full username to the RADIUS server, the Telnet usernames added onto the RADIUS server are in the userid@isp-name format.

Network diagram

Figure 9 Network diagram for remote RADIUS authentication on Telnet users

[Figure 9 shows the Switch 8800 with its SecBlade module. Labels and addresses in the figure: Radius Server 10.0.0.1/24 on Vlan 10, switch interface 10.0.0.254/24; Vlan 30 between the switch (30.0.0.1/24) and the SecBlade (30.0.0.254/24); Telnet User 50.0.0.1/24 on Vlan 50, SecBlade interface 50.0.0.254/24.]

Configuration procedure

1 Radius Server

IP address: 10.0.0.1/24.

Gateway: 10.0.0.254.

2 Telnet User

IP address: 50.0.0.1/24.

3 Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit


[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of the module interfaces (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create the module test.

[SW8800] secblade module test

# Specify the module interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Configure the protected VLAN.

[3Com-secblade-test] security-vlan 50

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module of the specified slot (both the default user name and password are SecBlade).

<SW8800> secblade slot 2
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interfaces.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit


# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Configure the static route.

[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Configure the Telnet user to use AAA authentication mode.

[secblade] user-interface vty 0 4
[secblade-ui-vty0-4] authentication-mode scheme

# Configure the domain.

[secblade] domain cams
[secblade-isp-cams] access-limit enable 10
[secblade-isp-cams] accounting optional
[secblade-isp-cams] quit

# Configure a RADIUS scheme.

[secblade] radius scheme cams
[secblade-radius-cams] primary authentication 10.0.0.1 1812
[secblade-radius-cams] primary accounting 10.0.0.1 1813
[secblade-radius-cams] key authentication expert
[secblade-radius-cams] key accounting expert
[secblade-radius-cams] server-type 3Com
[secblade-radius-cams] user-name-format without-domain
[secblade-radius-cams] quit

# Associate the domain with the RADIUS scheme.

[secblade] domain cams
[secblade-isp-cams] scheme radius-scheme cams
[secblade-isp-cams] quit

Telnet users use usernames in the userid@cams format to log onto the network and are authenticated as cams domain users.

# Quit SecBlade configuration view.

[secblade] quit
<secblade> quit
[SW8800]


Configuring FTP/Telnet User Local Authentication

Note: Configuring local authentication for FTP users is similar to that for Telnet users. The following example is based on Telnet users.

Network requirements

Configure the module to authenticate Telnet login users locally (see Figure 10).

Network diagram

Figure 10 Network diagram for Telnet user local authentication

Configuration procedure

1 Telnet User

IP address: 10.0.0.1/24.

Gateway: 10.0.0.254.

2 Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure the aggregation of the module interfaces (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create the module test.

[SW8800] secblade module test

# Specify the module interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module of the specified slot (both the default user name and password are SecBlade).

<SW8800> secblade slot 2
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interfaces.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit

# Add the sub-interface of the internal network to the trust zone.


[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Configure the static route.

[secblade] ip route-static 0.0.0.0 0 50.0.0.1
[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Configure the Telnet user to use AAA authentication.

[secblade] user-interface vty 0 4
[secblade-ui-vty0-4] authentication-mode scheme

# Create the local user telnet and bind the system domain to local authentication.

[secblade] local-user telnet@system
[secblade-luser-telnet@system] service-type telnet
[secblade-luser-telnet@system] password simple 3com
[secblade-luser-telnet@system] quit
[secblade] domain system
[secblade-isp-system] scheme local
[secblade-isp-system] quit

Telnet users use usernames in the userid@system format to log onto the network and are to be authenticated as system domain users.

# Quit the Firewall module configuration view.

[secblade] quit
<secblade> quit
[SW8800]

Enabling the TACACS Server to Employ One-Time Authentication/Accounting on Telnet Users

Network requirements

In the network environment shown in the following figure, configure the devices so that the TACACS server employs one-time password authentication/accounting on Telnet users.

One TACACS server host, serving as both authentication server and accounting server, is connected to a module. The IP address of the server host is 10.0.0.1/24. Set the shared keys for packet exchange with the authentication server and with the accounting server both to "expert". The TACACS server provides one-time password authentication, and the module does not remove the domain name from the user name but sends the two together to the TACACS server, so the user name you add on the TACACS server should be "test@tacacs".


Network diagram

Figure 11 Network diagram for remote RADIUS authentication on the Telnet user

Configuration procedure

1 TACACS Server

IP address: 10.0.0.1/24.

Gateway: 10.0.0.254.

2 Telnet User

IP address: 50.0.0.1/24.

3 Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.


[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of the Firewall module interfaces (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create SecBlade test.

[SW8800] secblade module test

# Specify the module interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module of the specified slot (both the default user name and password are SecBlade).

<SW8800> secblade slot 2
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interfaces.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit

# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Configure the static route.

[secblade] ip route-static 10.0.0.0 24 30.0.0.1


# Configure the Telnet user to use AAA authentication.

[secblade] user-interface vty 0 4
[secblade-ui-vty0-4] authentication-mode scheme

# Configure the HWTACACS scheme.

[secblade] hwtacacs scheme system
[secblade-hwtacacs-system] primary authentication 10.0.0.1 49
[secblade-hwtacacs-system] primary accounting 10.0.0.1 49
[secblade-hwtacacs-system] key authentication expert
[secblade-hwtacacs-system] key accounting expert
[secblade-hwtacacs-system] server-type 3Com
[secblade-hwtacacs-system] user-name-format with-domain
[secblade-hwtacacs-system] quit

# Associate the domain with the HWTACACS scheme (the scheme command must be issued before leaving ISP domain view).

[secblade] domain tacacs
[secblade-isp-tacacs] access-limit enable 10
[secblade-isp-tacacs] accounting optional
[secblade-isp-tacacs] scheme tacacs-scheme system
[secblade-isp-tacacs] quit

4 Configure the TACACS server

■ Configure the IP address

■ Configure the shared key

■ Add username test@tacacs

■ Enable one-time authentication

Troubleshooting AAA and RADIUS/HWTACACS Protocols

Troubleshooting the RADIUS Protocol

RADIUS is an application-layer protocol of the TCP/IP protocol suite. It mainly specifies how user information is exchanged between a NAS and the RADIUS server of an ISP, so faults in that exchange are a common source of problems.

■ Symptom 1: User authentication/authorization always fails

Troubleshooting:

Check that:

1 The username is in the userid@isp-name format or a default ISP domain is specified on the NAS.

2 The user exists in the database on the RADIUS server.

3 The password input by the user is correct.

4 The same shared key is configured on both the RADIUS server and the NAS.

5 The NAS can communicate with the RADIUS server (by pinging the RADIUS server).


■ Symptom 2: RADIUS packets cannot reach the RADIUS server.

Troubleshooting:

Check that:

1 The communication links (at both physical and link layers) between the NAS and the RADIUS server work well.

2 The IP address of the RADIUS server is correctly configured on the NAS.

3 Authentication/Authorization and accounting UDP ports are set in consistency with the port numbers set on the RADIUS server.

■ Symptom 3: A user passes the authentication and gets an authorization already, but its charging bill cannot be sent to the RADIUS server.

Troubleshooting:

Check that:

1 The accounting port number is correctly set.

2 The authentication/authorization and accounting servers are correctly configured on the NAS. For example, the fault can occur in the situation where one server is configured on the NAS to provide all the services of authentication/authorization and accounting, despite the fact that different server devices are used to provide the services.

Troubleshooting the HWTACACS Protocol

See the previous section if you encounter a HWTACACS fault.

5 ACL CONFIGURATION

Introduction to ACL

ACL Overview

In order to filter data packets, a series of rules needs to be configured on the security gateway to decide which data packets can pass. These rules are defined by an ACL (Access Control List), which is a sequence of rules consisting of permit and deny statements. The rules are described by the source address, destination address and port number of data packets. An ACL applied to a security gateway interface classifies packets by these rules, and the security gateway then decides which packets to accept and which to reject.

Classification of ACL

According to application purpose, ACLs fall into four groups:

■ Basic ACL

■ Advanced ACL

■ Interface-based ACL

■ MAC-based ACL

The application purpose of ACL is specified by the range of the number. Interface-based ACL ranges from 1,000 to 1,999; basic ACL ranges from 2,000 to 2,999; advanced ACL ranges from 3,000 to 3,999; and MAC-based ACL ranges from 4,000 to 4,999.

Match Order of ACL

An access control rule may consist of several permit and deny statements, each specifying a different rule. In this case, the order in which the statements are matched against a packet matters.

There are two kinds of match orders:

■ Configuration sequence: match ACL rules according to their configuration order.

■ Automatic sequencing: follow the principle of "depth priority".

The "depth priority" rule puts the statement that specifies the smallest packet range first. This is achieved by comparing address wildcards: the smaller the wildcard, the smaller the host range specified. For example, 129.102.1.1 0.0.0.0 specifies a single host, 129.102.1.1, while 129.102.1.1 0.0.255.255 specifies a network segment, from 129.102.1.1 to 129.102.255.255. Obviously, the former is placed first in the access control list. The detailed standard is: for statements of a basic access control list, directly compare their source address wildcards; if the wildcard is the same, arrange them according to configuration sequence. For interface-based access control lists, put the rule configured with "any" last, and arrange the others according to configuration sequence. For advanced access control lists, compare their source address wildcards first; if they are the same, compare their destination address wildcards; if those are also the same, compare their port number ranges, putting those with smaller ranges first; if the port number ranges are still the same, arrange them according to configuration sequence.

The display acl command can be used to verify which rule takes effect first. Upon the display, the rule that is listed first takes effect first.
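As an added illustration of the automatic match order (this model is not code from the 3Com manual or from the switch software), the following Python sorts constructed basic and advanced ACL rules by the "depth priority" criteria described above and shows the order in which they would take effect, against the configuration order. It assumes that "smaller wildcard" means the wildcard compared as a 32-bit integer and that a rule without a port condition counts as the widest possible port range; the ACL numbers, rule texts and addresses other than the manual's 129.102.1.1 example are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# "any" is equivalent to address 0.0.0.0 with wildcard 255.255.255.255, as the manual states
ANY = ("0.0.0.0", "255.255.255.255")


@dataclass
class Rule:
    """One permit/deny statement. Basic rules use only 'source'; advanced rules may also
    carry a destination and a port range. 'text' is the CLI form, kept for display."""
    text: str
    source: Tuple[str, str] = ANY            # (address, wildcard), dotted decimal
    destination: Tuple[str, str] = ANY
    ports: Optional[Tuple[int, int]] = None  # inclusive port range; None = any port


def wildcard_value(wildcard: str) -> int:
    """Wildcard as a 32-bit integer: 0 selects one host, 2**32-1 selects everything.
    Assumption of this model: 'smaller wildcard' means a smaller integer value."""
    return int(ipaddress.IPv4Address(wildcard))


def port_range_width(ports: Optional[Tuple[int, int]]) -> int:
    if ports is None:
        return 65536                         # no port condition: the widest possible range
    low, high = ports
    return high - low + 1


def depth_priority_key(indexed_rule):
    """Sort key for 'match-order auto': source wildcard, then destination wildcard,
    then port-range width, then configuration sequence as the final tie-breaker."""
    index, rule = indexed_rule
    return (wildcard_value(rule.source[1]),
            wildcard_value(rule.destination[1]),
            port_range_width(rule.ports),
            index)


def auto_order(rules: List[Rule]) -> List[str]:
    """Rule texts in the order 'display acl' would list them under match-order auto."""
    return [r.text for _, r in sorted(enumerate(rules), key=depth_priority_key)]


def config_order(rules: List[Rule]) -> List[str]:
    """'match-order config': rules are evaluated exactly as configured."""
    return [r.text for r in rules]


# Constructed basic ACL, entered in this order. The two 129.102.1.1 rules are the
# manual's own example of a single host versus a network segment.
BASIC_2000 = [
    Rule("rule 0 permit source 129.102.1.1 0.0.255.255", source=("129.102.1.1", "0.0.255.255")),
    Rule("rule 1 deny source 129.102.1.1 0.0.0.0", source=("129.102.1.1", "0.0.0.0")),
    Rule("rule 2 permit source 10.0.0.0 0.255.255.255", source=("10.0.0.0", "0.255.255.255")),
    Rule("rule 3 deny source any"),
]

# Constructed advanced ACL: rules 0 and 1 share source and destination wildcards, so the
# port range decides between them; rule 2 names a single source host and jumps ahead of both.
ADVANCED_3000 = [
    Rule("rule 0 deny tcp destination 10.1.1.0 0.0.0.255 destination-port range 1 1024",
         destination=("10.1.1.0", "0.0.0.255"), ports=(1, 1024)),
    Rule("rule 1 permit tcp destination 10.1.1.0 0.0.0.255 destination-port eq www",
         destination=("10.1.1.0", "0.0.0.255"), ports=(80, 80)),
    Rule("rule 2 permit tcp source 192.168.1.1 0 destination 10.1.1.0 0.0.0.255",
         source=("192.168.1.1", "0.0.0.0"), destination=("10.1.1.0", "0.0.0.255")),
]

if __name__ == "__main__":
    for acl in (BASIC_2000, ADVANCED_3000):
        print("config order:", *config_order(acl), sep="\n  ")
        print("auto order:", *auto_order(acl), sep="\n  ")
```

The practical point the ordering makes visible: under config order a broad permit entered before a narrow deny shadows it, while under auto the host-specific deny is evaluated first regardless of when it was typed. Either way, "display acl" is the check to run after editing, since the order shown there is the order that takes effect.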

ACL Creation

An ACL is essentially a series of rule lists consisting of permit and deny statements. Several rule lists constitute an ACL. Before configuring the rules of an ACL, you need to create the ACL first.

The following command can be used to create an ACL:

acl number acl-number [ match-order { config | auto } ]

The following command can be used to delete an ACL:

undo acl { number acl-number | all }

Parameter description:

■ number acl-number: Specify an ACL.

■ acl-number: Number of the ACL. An interface-based ACL takes a value in the range 1,000 to 1,999, a basic ACL in the range 2,000 to 2,999, an advanced ACL in the range 3,000 to 3,999, and a MAC-based ACL in the range 4,000 to 4,999.

■ match-order config: Specify to match rules according to configuration sequence of the user.

■ match-order auto: Specify to match rules by system automatic sequencing, namely in "depth priority" sequence.

■ all: Delete all configured ACL.

By default, the match order is the configuration sequence of the user, namely "config". Once the match order of an ACL has been specified, it cannot be changed unless all the contents of the ACL are deleted and the match order is specified again.

ACL view can be entered after an ACL is created. ACL view is classified according to the application purpose of ACL. For example, advanced ACL view can be entered by creating ACL 3000. The following is the security gateway prompt:

[secblade_FW-acl-adv-3000]

After entering the ACL view, you can configure ACL rules. The rules of different ACLs are different. The detailed configuration method of each ACL rule will be introduced respectively in the following sections.

Basic ACL

A basic ACL can use only source address information as the element for defining an ACL rule. A basic ACL can be created, and basic ACL view entered, with the acl command described above. In basic ACL view, the rules of the basic ACL can be created.

The following command can be used to define a basic ACL rule:

rule [ rule-id ] { permit | deny } [ source source-addr source-wildcard | any ] [ time-range time-name ] [ logging ] [ fragment ]

Parameter description:

■ rule-id: Optional, number of the ACL rule, ranging from 0 to 65,534. If a number is specified and an ACL rule with that number already exists, the new rule overwrites the old one, which amounts to editing the existing rule. If you want to edit an existing ACL rule, it is recommended that you delete the existing rule and then create a new one; otherwise the edited rule may not be the rule you expect. If no ACL rule with that number exists, a new rule is created with the specified number. When the number is not specified, a new rule is added and the system assigns it a number automatically.

■ permit: Permits qualified data packet.

■ deny: Discards qualified data packet.

■ source: Optional parameter, used to specify source address information of ACL rule. If it is not specified, it indicates any source address of the packet matches.

■ source-addr: Source address of data packet, in dotted decimal.

■ source-wildcard: Wildcard of source address, in dotted decimal.

■ any: Represents all source addresses. It is equivalent to setting the source address to 0.0.0.0 and the wildcard to 255.255.255.255.

■ time-range: Optional parameter, used to specify effective time range of ACL.

■ time-name: Name of ACL effective time range.

■ logging: Optional parameter, indicating whether to log qualified data packet. The log content includes sequence number of access control rule, data packet permitted or discarded and the number of data packets.

■ fragment: Optional parameter, used to specify whether the rule is only valid for non-first-fragment. When this parameter is included, it indicates the rule is only valid for non-first-fragment.

For an existing ACL rule, if an edit is performed with the ACL rule number specified, the rest of the rule is not affected. For example:

First configure an ACL rule:

rule 1 deny source 1.1.1.1 0

Then edit the ACL rule:


rule 1 deny logging

Then, the ACL rule becomes:

rule 1 deny source 1.1.1.1 0 logging

The following command can be used to delete a basic ACL rule:

undo rule rule-id [ source ] [ time-range ] [ logging ] [ fragment ]

Parameter description:

■ rule-id: Number of ACL rule, which should be an existing ACL rule number. If there is no parameter followed, the entire ACL rule will be deleted. Otherwise, only part of information related to the ACL rule will be deleted.

■ source: Optional parameter. Only the source address information setting of ACL rule with corresponding number will be deleted.

■ time-range: Optional parameter. Only the specific effective time range setting of ACL rule with corresponding number will be deleted.

■ logging: Optional parameter. Only the logging qualified packet setting of ACL rule with corresponding number will be deleted.

■ fragment: Optional parameter. Only the non-first-fragment-only setting of the ACL rule with the corresponding number will be deleted.

Advanced ACL

An advanced ACL can define rules using such contents of the data packet as source address information, destination address information, the protocol type carried by IP, and protocol-specific features (for example, the source and destination ports of TCP, or the type and code of ICMP). An advanced ACL can be used to define more accurate, diversified and flexible rules than a basic ACL.

An advanced ACL can be created, and advanced ACL view entered, with the previously mentioned acl command. In advanced ACL view, the rules of the advanced ACL can be created.

The following command can be used to define an advanced ACL rule:

rule [ rule-id ] { permit | deny } protocol [ source source-addr source-wildcard | any ] [ destination dest-addr dest-wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-message | icmp-type icmp-code } ] [ dscp dscp ] [ established ] [ precedence precedence ] [ tos tos ] [ time-range time-name ] [ logging ] [ fragment ]

Parameter description:

■ rule-id: Optional, number of the ACL rule, ranging from 0 to 65,534. If a number is specified and an ACL rule with that number already exists, the new rule overwrites the old one, which amounts to editing the existing rule. If you want to edit an existing ACL rule, it is recommended that you delete the existing rule and then create a new one; otherwise the edited rule may not be the rule you expect. If no ACL rule with that number exists, a new rule is created with the specified number. When the number is not specified, a new rule is added and the system assigns it a number automatically.

■ deny: Discard qualified data packet.

■ permit: Permit qualified data packet.

■ protocol: IP carried protocol type represented by name or number. The number range is from 1 to 255. The name can be gre, icmp, igmp, ip, ipinip, ospf, tcp, and udp.

■ source: Optional parameter, used to specify source address information of ACL rule. If it is not configured, it indicates any source address of the packet matches.

■ source-addr: Source address of data packet, in dotted decimal.

■ source-wildcard: Wildcard of source address, in dotted decimal.

■ destination: Optional parameter, used to specify destination address information of ACL rule. If it is not configured, it indicates any destination address of the packet matches.

■ dest-addr: Destination address of data packet, in dotted decimal.

■ dest-wildcard: Destination address wildcard, in dotted decimal.

■ any: Represents all source or destination addresses. It is equivalent to setting the source or destination address to 0.0.0.0 and the wildcard to 255.255.255.255.

■ icmp-type: Optional parameter, used to specify type of ICMP packet and message code information, only valid when the packet protocol is ICMP. If it is not configured, it indicates any type of ICMP packet matches.

■ icmp-type: ICMP packet can be filtered according to the message type of ICMP. It is a number ranging from 0 to 255.

■ icmp-code: ICMP packet filtered according to ICMP message type can also be filtered according to message code. It is a number ranging from 0 to 255.

■ icmp-message: ICMP packets can be filtered according to the names of ICMP message types or the names of ICMP message types and ICMP message codes.

■ source-port: Optional parameter, used to specify source port information of UDP or TCP message, only valid when the specified protocol number is TCP or UDP. If it is not specified, it indicates any source port information of TCP/UDP packet matches.

■ destination-port: Optional parameter, used to specify destination port information of UDP or TCP packet, only valid when the protocol number specified by the rule is TCP or UDP. If it is not specified, it indicates any destination port information of TCP/UDP packet matches.

■ operator: Optional parameter. The operator compares the source/destination port number; the operator names and meanings are: lt (lower than), gt (greater than), eq (equal to), neq (not equal to) and range (between). Only range takes two port numbers as operands; the others take one.

■ port1, port2: Optional parameter, port number of TCP or UDP, represented by name or number, with the number ranging from 0 to 65535.

■ dscp dscp: Specifies a DSCP field (the DS byte in IP packets). This keyword is mutually exclusive with the precedence keyword and the tos keyword.


■ established: Matches all TCP packets with ACK and RST flags set, including SYN+ACK, ACK, FIN+ACK, RST and RST+ACK packets.

■ precedence: Optional parameter; data packets can be filtered according to the IP precedence field. A number ranging from 0 to 7 or a name. This keyword is mutually exclusive with the dscp keyword.

■ tos tos: Optional parameter. Data packet can be filtered according to service type field. A number ranging from 0 to 15 or a name. This keyword is mutually exclusive with the dscp keyword.

■ logging: Optional parameter, indicating whether to log qualified data packet. The log contents include sequence number of ACL, data packet permitted/discarded, upper layer protocol type over IP, source/destination address, source/destination port number, and the number of data packets.

■ time-range time-name: The ACL rule is valid in the time range.

■ fragment: Used to specify whether the rule is only valid for non-first-fragment. When this parameter is included, it indicates the rule is only valid for non-first-fragment.

The ToS value occupies the fourth to the seventh bit from left to right (four bits in all), in the range of 0 to 15, as shown in Figure 12. However, its real value is in the range of 0 to 30.

Figure 12 The ToS field in ACL

When you use the ToS value in the ping command, the ToS value must be twice the value configured in the ACL (for example, an ACL ToS value of 1 corresponds to 2 in ping). Only in this way can you use the ping command to test the ToS value configured in the ACL.

For an existing ACL rule, if an edit is performed with the ACL rule number specified, the rest of the rule is not affected. For example:

First configure an ACL rule:

rule 1 deny ip source 1.1.1.1 0

Then edit the ACL rule:

rule 1 deny ip destination 2.2.2.1 0

Then, the ACL rule becomes:

rule 1 deny ip source 1.1.1.1 0 destination 2.2.2.1 0

The following command can be used to delete an advanced ACL rule:


undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ dscp ] [ precedence ] [ tos ] [ time-range ] [ logging ] [ fragment ]

Parameter description:

■ rule-id: Number of ACL rule, which should be an existing ACL rule number. If there is no parameter followed, the entire ACL rule will be deleted. Otherwise, only part of information related to the ACL rule will be deleted.

■ source: Optional parameter. Only the source address information setting of ACL rule with corresponding number will be deleted.

■ destination: Optional parameter. Only the destination address information setting of ACL rule with corresponding number will be deleted.

■ source-port: Optional parameter. Only source port information setting of ACL rule with corresponding number will be deleted. It is only valid when the protocol number of the rule is TCP or UDP.

■ destination-port: Optional parameter. Only the destination port information setting of ACL rule with corresponding number will be deleted. It is only valid when the protocol number of the rule is TCP or UDP.

■ icmp-type: Optional parameter. Only ICMP type and message code information setting of ACL rule with corresponding number will be deleted. It is only valid when the protocol number of the rule is ICMP.

■ dscp: Optional parameter. Only the DSCP setting in the ACL rule with corresponding number will be deleted.

■ precedence: Optional parameter. Only the precedence setting of ACL rule with corresponding number will be deleted.

■ tos: Optional parameter. Only the tos setting of ACL rule with corresponding number will be deleted.

■ time-range: Optional parameter. Only the specific effective time range setting of ACL rule with corresponding number will be deleted.

■ logging: Optional parameter. Only the logging qualified packet setting of ACL rule with corresponding number will be deleted.

■ fragment: Optional parameter. Only the non-first-fragment-only setting of the ACL rule with the corresponding number will be deleted.

Port ranges need to be specified only for TCP and UDP. The supported operators and syntax are listed below.

Table 58 Operator meaning of advanced ACL

Operator and syntax             Meaning
eq portnumber                   Equal to portnumber
gt portnumber                   Greater than portnumber
lt portnumber                   Lower than portnumber
neq portnumber                  Not equal to portnumber
range portnumber1 portnumber2   Between portnumber1 and portnumber2

When specifying portnumber, some common port numbers can be given as mnemonics instead of the actual numbers. The supported mnemonics are shown in the table below.

Table 59 Port number mnemonics

Protocol  Mnemonic     Meaning and actual value
TCP       Bgp          Border Gateway Protocol (179)
          Chargen      Character generator (19)
          Cmd          Remote commands (rcmd, 514)
          Daytime      Daytime (13)
          Discard      Discard (9)
          Domain       Domain Name Service (53)
          Echo         Echo (7)
          Exec         Exec (rsh, 512)
          Finger       Finger (79)
          Ftp          File Transfer Protocol (21)
          Ftp-data     FTP data connections (20)
          Gopher       Gopher (70)
          Hostname     NIC hostname server (101)
          Irc          Internet Relay Chat (194)
          Klogin       Kerberos login (543)
          Kshell       Kerberos shell (544)
          Login        Login (rlogin, 513)
          Lpd          Printer service (515)
          Nntp         Network News Transport Protocol (119)
          Pop2         Post Office Protocol v2 (109)
          Pop3         Post Office Protocol v3 (110)
          Smtp         Simple Mail Transport Protocol (25)
          Sunrpc       Sun Remote Procedure Call (111)
          Syslog       Syslog (514)
          Tacacs       TAC Access Control System (49)
          Talk         Talk (517)
          Telnet       Telnet (23)
          Time         Time (37)
          Uucp         Unix-to-Unix Copy Program (540)
          Whois        Nicname (43)
          Www          World Wide Web (HTTP, 80)
UDP       biff         Mail notify (512)
          bootpc       Bootstrap Protocol Client (68)
          bootps       Bootstrap Protocol Server (67)
          discard      Discard (9)
          dns          Domain Name Service (53)
          dnsix        DNSIX Security Attribute Token Map (90)
          echo         Echo (7)
          mobilip-ag   MobileIP-Agent (434)
          mobilip-mn   MobilIP-MN (435)
          nameserver   Host Name Server (42)
          netbios-dgm  NETBIOS Datagram Service (138)
          netbios-ns   NETBIOS Name Service (137)
          netbios-ssn  NETBIOS Session Service (139)
          ntp          Network Time Protocol (123)
          rip          Routing Information Protocol (520)
          snmp         SNMP (161)
          snmptrap     SNMPTRAP (162)
          sunrpc       SUN Remote Procedure Call (111)
          syslog       Syslog (514)
          tacacs-ds    TACACS-Database Service (65)
          talk         Talk (517)
          tftp         Trivial File Transfer (69)
          time         Time (37)
          who          Who (513)
          Xdmcp        X Display Manager Control Protocol (177)

For ICMP, the ICMP packet type can be specified. The default is all ICMP packets. When specifying the ICMP packet type, you can use a number (ranging from 0 to 255) or a mnemonic.


Table 60 Mnemonics of ICMP packet type

Mnemonic                Meaning
echo                    Type=8, Code=0
echo-reply              Type=0, Code=0
fragmentneed-DFset      Type=3, Code=4
host-redirect           Type=5, Code=1
host-tos-redirect       Type=5, Code=3
host-unreachable        Type=3, Code=1
information-reply       Type=16, Code=0
information-request     Type=15, Code=0
net-redirect            Type=5, Code=0
net-tos-redirect        Type=5, Code=2
net-unreachable         Type=3, Code=0
parameter-problem       Type=12, Code=0
port-unreachable        Type=3, Code=3
protocol-unreachable    Type=3, Code=2
reassembly-timeout      Type=11, Code=1
source-quench           Type=4, Code=0
source-route-failed     Type=3, Code=5
timestamp-reply         Type=14, Code=0
timestamp-request       Type=13, Code=0
ttl-exceeded            Type=11, Code=0

By configuring the firewall, the user can add appropriate access rules. IP packets passing through the security gateway are checked by packet filtering, and the packets that the user does not want to pass through the gateway are rejected. In this way, network security is protected.

Interface-Based ACL

An interface-based ACL is a special kind of ACL that specifies rules according to the interface on which packets are received.

An interface-based ACL can be created, and interface-based ACL view entered, with the previously mentioned acl command. In interface-based ACL view, the rules of the interface-based ACL can be created.

The following command can be used to define an interface-based ACL rule:

rule [ rule-id ] { permit | deny } interface { interface-type interface-number | any } [ time-range time-name ] [ logging ]

Parameter description:

■ rule-id: Optional, number of the ACL rule, ranging from 0 to 65,534. If a number is specified and an ACL rule with that number already exists, the new rule overwrites the old one, which amounts to editing the existing rule. If you want to edit an existing ACL rule, it is recommended that you delete the existing rule and then create a new one; otherwise the edited rule may not be the rule you expect. If no ACL rule with that number exists, a new rule is created with the specified number. When the number is not specified, a new rule is added and the system assigns it a number automatically.

■ deny: Discards qualified data packet.

■ permit: Permits qualified data packet.

■ interface interface-type interface-number: Specifies the interface information of the packets. If no interface is specified, all interfaces can be matched. any represents all interfaces.

■ logging: Optional parameter, indicating whether to log qualified packet. Log contents include sequence number of ACL rule, packet permitted or discarded and the number of data packets.

■ time-range time-name: Optional, specifies the time range in which the rule is valid.

The following command can be used to delete an interface-based ACL rule:

undo rule rule-id [ logging ] [ time-range ]

Parameter description:

■ rule-id: Number of ACL rule, which must be an existing ACL rule number.

■ logging: Optional, indicating whether to log matched packets. The log contents include sequence number of ACL rule, packets permitted or discarded, upper layer protocol type over IP, source/destination address, source/destination port number, and number of packets.

■ time-range: Optional, specifies the time range in which the rule is valid.

MAC-Based ACL

MAC-based ACLs are numbered in the range 4,000 to 4,999.

You can use the following command to configure a MAC-based ACL rule:

rule [ rule-id ] { deny | permit } [ type type-code type-mask | lsap lsap-code lsap-mask ] [ source-mac sour-addr sour-mask ] [ dest-mac dest-addr dest-mask ] [ time-range time-name ] [ logging ]

The parameters are described as follows:

rule-id represents a rule number.

type-code is a hexadecimal number in the format of xxxx, used for matching the protocol type of the transmitted packets.

type-mask represents the wildcard for the protocol type. For type-code values, refer to the chapter that discusses bridge configuration in the link layer protocol part of this manual.

lsap-code is a hexadecimal number in the format xxxx, used for matching the encapsulation format of bridged packets on an interface. lsap-mask represents the wildcard for lsap-code.


sour-addr represents the source MAC address of a data frame in the format of xxxx-xxxx-xxxx. sour-mask represents the wildcard of the source MAC address.

dest-addr represents the destination MAC address in the format of xxxx-xxxx-xxxx. dest-mask represents the wildcard of the destination MAC address.

The following command can be used to delete a MAC-based ACL rule:

undo rule rule-id [ time-range time-name ] [ logging ]

The parameters are described as follows:

rule-id: ACL rule number, which must exist already.

ACL Supporting Fragment

Traditional packet filtering does not process all IP packet fragments. Rather, it performs matching only on the first fragment and lets all follow-up fragments through. This leaves a latent security hole: an attacker can construct follow-up fragments to carry out a traffic attack.

The packet filtering of the 3Com security gateway provides a fragment filtering function. It performs Layer 3 (IP layer) matching and filtering on all fragments and, at the same time, provides two kinds of matching, normal matching and exact matching, for ACL rule entries that contain advanced information (such as TCP/UDP port number and ICMP type). Normal matching matches Layer 3 information only and ignores non-Layer 3 information. Exact matching matches all ACL entries, which requires the firewall to record the state of the first fragment so as to obtain complete matching information for the follow-up fragments. If exact matching is used, make sure you disable the fast forwarding function with the undo ip fast-forwarding command on the corresponding interface. The default mode is normal matching.

The keyword fragment in an ACL rule entry identifies that the rule is valid only for non-first fragments. For non-fragments and first fragments, this rule is ignored. In contrast, a rule entry that does not contain this keyword is valid for all packets.

For example:

[3Com-acl-basic-2000] rule deny source 202.101.1.0 0.0.0.255 fragment
[3Com-acl-basic-2000] rule permit source 202.101.2.0 0.0.0.255
[3Com-acl-adv-3001] rule permit ip destination 171.16.23.1 0 fragment
[3Com-acl-adv-3001] rule deny ip destination 171.16.23.2 0

In the rule entries above, all entries are valid for non-first fragments. The first and the third entries are ignored for non-fragments and first fragments; they are valid only for non-first fragments.
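The following Python, added here as an illustration and not taken from the manual or from the switch software, evaluates the four rule entries above against a non-fragment, a first fragment and a non-first fragment, and adds a constructed advanced rule with a destination port (ACL 3002, destination 171.16.23.3, port 80) to show how normal and exact matching differ on non-first fragments, which carry no Layer 4 header. The packet fields, the per-datagram state table keyed by source, destination and IP identification, and the packets themselves are assumptions of this model; "first match in configuration order" stands in for the config match order.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")


def in_wildcard(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard match: a 1 bit in the wildcard means 'don't care' for that bit."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


@dataclass
class Rule:
    action: str                              # "permit" or "deny"
    source: Tuple[str, str] = ANY            # (address, wildcard)
    destination: Tuple[str, str] = ANY
    fragment: bool = False                   # the 'fragment' keyword
    dport: Optional[int] = None              # 'destination-port eq' of an advanced TCP/UDP rule


@dataclass
class Packet:
    src: str
    dst: str
    fragment: bool = False                   # True for any fragment (first or follow-up)
    first: bool = True                       # fragment offset 0; also True for non-fragments
    ipid: int = 0                            # IP identification, shared by all fragments of a datagram
    dport: Optional[int] = None              # None when no Layer 4 header is present


def non_first_fragment(pkt: Packet) -> bool:
    return pkt.fragment and not pkt.first


def applies(rule: Rule, pkt: Packet, exact: bool, state: Dict) -> bool:
    # A 'fragment' rule is ignored for non-fragments and first fragments.
    if rule.fragment and not non_first_fragment(pkt):
        return False
    if not (in_wildcard(pkt.src, *rule.source) and in_wildcard(pkt.dst, *rule.destination)):
        return False
    if rule.dport is None:
        return True                          # Layer 3 only rule
    if non_first_fragment(pkt):
        if not exact:
            return True                      # normal matching: non-Layer 3 information is ignored
        # exact matching: use the port recorded from this datagram's first fragment, if seen
        port = state.get((pkt.src, pkt.dst, pkt.ipid))
    else:
        port = pkt.dport
    return port == rule.dport


def first_match(rules: List[Rule], pkt: Packet, exact: bool = False,
                state: Optional[Dict] = None) -> Optional[str]:
    """Evaluate rules in configuration order and return the action of the first one that
    applies, or None when no rule matches. 'state' holds first-fragment ports for exact matching."""
    state = {} if state is None else state
    if pkt.fragment and pkt.first:           # remember the first fragment's Layer 4 port
        state[(pkt.src, pkt.dst, pkt.ipid)] = pkt.dport
    for rule in rules:
        if applies(rule, pkt, exact, state):
            return rule.action
    return None


# The manual's own rule entries, as Rule objects
ACL_2000 = [Rule("deny", source=("202.101.1.0", "0.0.0.255"), fragment=True),
            Rule("permit", source=("202.101.2.0", "0.0.0.255"))]
ACL_3001 = [Rule("permit", destination=("171.16.23.1", "0.0.0.0"), fragment=True),
            Rule("deny", destination=("171.16.23.2", "0.0.0.0"))]
# Constructed advanced rule with Layer 4 information:
#   rule permit tcp destination 171.16.23.3 0 destination-port eq www
ACL_3002 = [Rule("permit", destination=("171.16.23.3", "0.0.0.0"), dport=80)]

if __name__ == "__main__":
    samples = [("non-fragment", Packet("202.101.1.7", "10.0.0.1")),
               ("first fragment", Packet("202.101.1.7", "10.0.0.1", fragment=True, ipid=1)),
               ("non-first fragment", Packet("202.101.1.7", "10.0.0.1", fragment=True, first=False, ipid=1))]
    for label, pkt in samples:
        print(f"acl 2000, {label} from 202.101.1.7: {first_match(ACL_2000, pkt)}")
```

Two things the model makes visible. First, with the fragment keyword, a source in 202.101.1.0/24 is denied only as a non-first fragment; the non-fragment and the first fragment from the same host match nothing in ACL 2000, so the deny on that subnet is not a blanket one. Second, with normal matching a port-specific rule matches every non-first fragment to 171.16.23.3 on Layer 3 alone, whereas exact matching only matches a follow-up fragment whose first fragment was seen and carried the right port, which is why exact matching needs the state the manual describes and why fast forwarding must be off on that interface.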

Configuring an ACL

ACL configuration includes:

■ Configure a basic ACL

■ Configure an advanced ACL

■ Configure an interface-based ACL

■ Configure a MAC-based ACL


■ Add description to an ACL

■ Add comment to an ACL rule

■ Delete an ACL

Configuring a Basic ACL

Perform the configuration in Table 61. For a detailed introduction to the parameters, refer to "Basic ACL".

Configuring an Advanced ACL

Perform the configuration in Table 62.

Configuring an Interface-Based ACL

Perform the configuration in Table 63.

You can specify an interface by its type and number, or all interfaces with the any keyword.

Configuring a MAC-Based ACL

Perform the configuration in Table 64.

Table 61 Configure a basic ACL

Operation Command

Create a basic ACL in system view. acl number acl-number [ match-order { config | auto } ]

Configure/delete an ACL rule in basic ACL view.

rule [ rule-id ] { permit | deny } [ source source-addr source-wildcard | any ] [ time-range time-name ] [ logging ] [ fragment ]

undo rule rule-id [ source ] [ time-range ] [ logging ] [ fragment ]

Table 62 Configure an advanced ACL

Operation Command

Create an advanced ACL in system view. acl number acl-number [ match-order { config | auto } ]

Configure/delete an ACL rule in advanced ACL view.

rule [ rule-id ] { permit | deny } protocol [ source sour-addr sour-wildcard | any ] [ destination dest-addr dest-wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-type icmp-code | icmp-message } ] [ precedence precedence ] [ dscp dscp ] [ established ] [ tos tos ] [ time-range time-name ] [ logging ] [ fragment ]

undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ dscp ] [ precedence ] [ tos ] [ time-range ] [ logging ] [ fragment ]

Table 63 Configure an interface-based ACL

Operation Command

Create an interface-based ACL in system view. acl number acl-number [ match-order { config | auto } ]

Configure/delete an ACL rule in interface-based ACL view.

rule [ rule-id ] { permit | deny } interface { interface-type interface-number | any } [ time-range time-name ] [ logging ]

undo rule rule-id [ time-range ] [ logging ]


Adding Description to an ACL

You can add a description to an ACL as a reminder of its purpose.

Perform the following configuration in ACL view.

An ACL description contains up to 127 characters.

Adding Comment to an ACL Rule

You can add a comment to an ACL rule as a reminder of its purpose.

Perform the following configuration in ACL view.

The comment of an ACL rule contains up to 128 characters.

Deleting an ACL

Perform the following configuration in system view.

Configuring Time Range

Time range configuration includes:

■ Create/Delete a time range

Creating/Deleting a Time Range

The configuration task is used to create a time range or many time ranges with the same name.

Perform the following configuration in system view.

Table 64 Configure a MAC-based ACL

Operation Command

Create a MAC-based ACL in system view. acl number acl-number

Configure/delete an ACL rule in MAC-based ACL view.

rule [ rule-id ] { deny | permit } [ type type-code type-mask | lsap lsap-code lsap-mask ] [ source-mac sour-addr sour-mask ] [ dest-mac dest-addr dest-mask ] [ time-range time-name ]

undo rule rule-id

Table 65 Add description to an ACL

Operation Command

Add description to an ACL. description text

Remove the description. undo description

Table 66 Add comment to an ACL rule

Operation Command

Add comment to an ACL rule. rule rule-id comment text

Remove the comment of an ACL rule. undo rule rule-id comment

Table 67 Delete an ACL

Operation Command

Delete ACL undo acl { number acl-number | all }


Displaying and Debugging ACL

After the above configuration, execute the display command in any view to display the running ACL configuration and verify the effect of the configuration. Execute the reset command in user view to reset the ACL counters.

Typical Configuration Examples of ACL

Refer to the typical configuration examples in the part about packet filtering firewall.

Table 68 Configure time range

Operation Command

Create a time range. time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to time2 date2 ]

Delete a time range. undo time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to time2 date2 ]

Table 69 Display and debug ACL

Operation Command

Display the configured ACL rules. display acl { all | acl-number }

Display information on time ranges. display time-range { all | time-name }

Reset ACL counters. reset acl counter { all | acl-number }


6 NAT CONFIGURATION

NAT Overview

Introduction to NAT

As described in RFC 1631, Network Address Translation (NAT) translates the IP address in an IP packet header into another IP address. In practice it is mainly used to let a private network access an external network. NAT slows the depletion of the IP address space by using a few public IP addresses to represent many private IP addresses.

Note: A private address is the address of a network or host on the intranet, whereas a public address is a globally unique IP address on the Internet.

The IP addresses that RFC 1918 reserves for private use are:

Class A: 10.0.0.0 to 10.255.255.255 (10.0.0.0/8)

Class B: 172.16.0.0 to 172.31.255.255 (172.16.0.0/12)

Class C: 192.168.0.0 to 192.168.255.255 (192.168.0.0/16)

IP addresses in these three ranges are never assigned on the Internet, so a company or enterprise can use them on its intranet without applying to an ISP or a registry.

A basic NAT application is shown in the following figure.

Figure 13 Network diagram for basic processes of address translation

[Figure 13 labels: the internal PC 192.168.1.3 and the internal server 192.168.1.2 sit behind the NAT server, whose inside address is 192.168.1.1 and outside address is 202.169.10.1; the external servers are 202.120.10.2 and 202.120.10.3. Packet 1 leaves the PC with source 192.168.1.3 and destination 202.120.10.2 and is forwarded with source 202.169.10.1; packet 2 returns from 202.120.10.2 with destination 202.169.10.1 and is delivered with destination 192.168.1.3.]

The NAT server, such as the security gateway, sits at the boundary between the private network and the public network. When the internal PC at 192.168.1.3 sends packet 1 to the external server at 202.120.10.2, the packet traverses the NAT server. The NAT server checks the packet header; if the destination address is an extranet address, it translates the source address 192.168.1.3 into a valid public Internet address, 202.169.10.1, forwards the packet to the external server and records the mapping in the network address translation list. The external server sends response packet 2 (with destination 202.169.10.1) to the NAT server. After looking up the network address translation list, the NAT server replaces the destination address in the header of packet 2 with the original private address of the internal PC, 192.168.1.3.

The above mentioned NAT process is transparent for terminals such as the PC and server in the above figure. NAT "hides" the private network of an enterprise because the external server regards 202.169.10.1 as the IP address of the internal PC without the awareness of the existence of 192.168.1.3.

The main benefit NAT offers is the easy access to the outside resources for the intranet hosts while maintaining the privacy of the inner hosts.

■ Because the IP addresses of data packets must be translated, the parts of the packet header that carry IP addresses cannot be encrypted. For example, an encrypted FTP connection cannot be used, since the FTP port could not be translated correctly.

■ Network debugging becomes more difficult. For instance, when an internal host attacks other networks, it is hard to identify which computer is responsible, because the host IP address is hidden.

Functions Provided by NAT

Many-to-Many Address Translation and Address Translation Control

As shown in Figure 13, the source address of the intranet will be translated into an appropriate extranet address (the public address of the outbound interface on the NAT server in the above figure) via NAT. In this way, all the hosts in the intranet share one extranet address when they access the external network. In other words, only one host can access the external network at a time when there are many access requirements, which is called "one-to-one address translation".

An extended form of NAT allows concurrent access: multiple public IP addresses are assigned to the NAT server. The NAT server assigns public address IP1 to a requesting host, records the mapping in the address translation list and forwards the packet, then assigns another public address IP2 to the next requesting host, and so on. This is called "many-to-many address translation".

Note: The number of public IP addresses on the NAT server is far smaller than the number of hosts on the intranet, because not all hosts access the extranet at the same time. The number of public IP addresses is chosen according to the maximum number of intranet hosts active during the busiest period of the network.

In practice, it may be required that only some intranet hosts can access the Internet (the external network). In other words, the NAT server does not translate the source IP addresses of unauthorized hosts; this is called address translation control.


The security gateway implements many-to-many address translation and address translation control through the address pool and the ACL respectively.

■ Address pool: A set of public IP addresses used for address translation. A client should configure an appropriate address pool according to the number of valid IP addresses it holds, the number of internal hosts and the actual conditions. An address is selected from the pool as the source address during translation.

■ ACL-based address translation: Only the data packet matching the ACL rule can be translated, which effectively limits the address translation range and allows some specific hosts to access Internet.

NAPT

There is another way to implement concurrent access: Network Address Port Translation (NAPT), which allows multiple internal addresses to be mapped to a single public address. It is therefore informally called "many-to-one address translation" or address multiplexing.

NAPT maps the IP addresses and port numbers of data packets from various internal addresses to a single public address with different port numbers. In this way, different internal addresses can share one public address.

The fundamentals of NAPT are shown in the following figure.

Figure 14 NAPT allowing multiple internal hosts to share a public address

[Figure 14 labels: internal hosts 192.168.1.1, 192.168.1.2 and 192.168.1.3 share the public address 202.169.10.1 of the NAT server (inside address 192.168.1.1); the external servers are 202.120.10.2 and 202.120.10.3. Packet 1: 192.168.1.3 port 1537 becomes 202.169.10.1 port 1537; packet 2: 192.168.1.3 port 2468 becomes 202.169.10.1 port 2468; packet 3: 192.168.1.1 port 1111 becomes 202.169.10.1 port 1111; packet 4: 192.168.1.2 port 1111 becomes 202.169.10.1 port 2222.]

As shown in the figure, four data packets from internal addresses arrive at the NAT server. Packet 1 and packet 2 come from the same internal address with different source port numbers; packet 3 and packet 4 come from different internal addresses with the same source port number. After NAT mapping, all four packets carry the same public source address but different source port numbers, so they remain distinguishable. For the response packets, the NAT server likewise differentiates them by destination address and port number and forwards each response to the corresponding internal host.

Static Network Address Translation

This static NAT approach converts internal host addresses in a specified range to specified public network addresses: only the network part is converted and the host part is unchanged. When internal hosts whose addresses are in the specified range access the outside network, their internal addresses are converted to public network addresses. Conversely, outside hosts can use the public network addresses to access internal hosts directly, as long as the internal addresses derived from the public network addresses fall in the specified range.

Static NAT creates a direct mapping between internal host addresses and public network addresses, and provides a function similar to the NAT server.

However, static NAT requires a large IP address space, since it holds a one-to-one mapping between internal host addresses and public network addresses. You can combine static and dynamic NAT, as long as the addresses do not conflict.

NAT Configuration

NAT configuration includes:

■ Configure address pool.

■ Configure Easy IP

■ Configure static NAT

■ Configure many-to-many NAT

■ Configure NAPT

■ Configure internal server support

■ Configure NAT effective time (Optional)

Configuring Address Pool

An address pool is a collection of consecutive IP addresses. When an internal data packet needs to reach the external network through NAT, an address from the pool is chosen as its source address. Perform the following configuration in system view.

CAUTION: An address pool cannot be removed while it is associated with an access control list for NAT.

Note: If Easy IP is the only function the security gateway supports, the address of the interface is used directly as the translated IP address and no NAT pool is needed.

Table 70 Configure address pool

Operation Command

Define an address pool nat address-group group-number start-addr end-addr

Delete an address pool undo nat address-group group-number


Configuring NAT

NAT is accomplished by associating an address pool with an ACL. The association creates a relationship between the IP packets characterized by the ACL and the addresses defined in the address pool. When a packet is transferred from the inner network to the outer network, it is first filtered by the ACL; if the ACL lets it through, the association between the ACL and the address pool is used to find an address, which then serves as the translated address.

The configuration of ACLs is discussed in “ACL Configuration”.

The configuration differs for each kind of NAT.

Easy IP

The NAT command without the address-group parameter functions as the nat outbound acl-number command, implementing the "easy-ip" feature. When performing address translation, the IP address of the interface is used as the translated address and the ACL can be used to control which addresses can be translated.

Perform the following configuration under the interface view.

Associating ACL with Loopback interface address

Perform the following configuration in interface view.

The source address of data packets that match the ACL is replaced with the specified IP address of the Loopback interface.

Configuring static NAT table

1 Configuring static one-to-one NAT table

Perform the following configuration in system view.

Table 71 Configure Easy IP

Operation Command

Add association for access control list and address pool nat outbound acl-number

Delete association for access control list and address pool undo nat outbound acl-number

Table 72 Associate ACL with Loopback interface address

Operation Command

Associate the ACL with the specified Loopback interface address

nat outbound acl-number interface interface-type interface-number

Remove the association between the ACL and Loopback interface address

undo nat outbound acl-number interface interface-type interface-number

Table 73 Configure a one-to-one private-to-public address binding

Operation Command

Configure a one-to-one private-to-public address binding. nat static ip-addr1 ip-addr2

Delete an existing one-to-one private-to-public address binding. undo nat static ip-addr1 ip-addr2


2 Configuring static inside ip NAT table

Static inside ip NAT converts only the network part of an address and leaves the host part unchanged.

Perform the following configuration in system view.

The nat static inside ip and nat static commands create two different types of static NAT entries. Note that the two types cannot be in conflict.

CAUTION: When configuring static inside ip NAT, make sure that the addresses after translation are not used by other devices in the network topology.

3 Applying static NAT entries on the interface

Perform the following configuration in interface view.
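The two static entry types of steps 1 and 2, modelled as an added Python example (not 3Com code): nat static binds one private address to one public address, nat static inside ip replaces only the network part of each address in a range, and every add is checked for the conflicts the text says must not occur. The addresses and ranges used are constructed from this chapter's figures.

```python
"""Static NAT entries: one-to-one (nat static) and network-part-only
(nat static inside ip ... global ... mask), with conflict checking."""
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


class StaticNat:
    """Holds both static entry types and translates in both directions."""

    def __init__(self):
        self.one_to_one = {}   # inside address -> global address (nat static)
        self.ranges = []       # (start, end, global_net, mask) as ints (nat static inside ip)

    def outbound(self, inside: str):
        """Global address for an inside address, or None if no entry covers it."""
        if inside in self.one_to_one:
            return self.one_to_one[inside]
        ip = _to_int(inside)
        for start, end, global_net, mask in self.ranges:
            if start <= ip <= end:
                host = ~mask & 0xFFFFFFFF
                # Network part replaced by the global network, host part unchanged.
                return _to_str(global_net | (ip & host))
        return None

    def inbound(self, global_addr: str):
        """Inside address for a global address, or None if it maps to nothing."""
        for inside, glob in self.one_to_one.items():
            if glob == global_addr:
                return inside
        ip = _to_int(global_addr)
        for start, end, global_net, mask in self.ranges:
            if ip & mask != global_net:
                continue
            host = ~mask & 0xFFFFFFFF
            # Inside network part comes from the range, host part from the packet;
            # the result must still fall inside the configured range.
            candidate = (start & mask) | (ip & host)
            if start <= candidate <= end:
                return _to_str(candidate)
        return None

    def _check_free(self, inside: str, global_addr: str):
        """Reject an entry whose inside or global address is already mapped."""
        if self.outbound(inside) is not None:
            raise ValueError(f"inside address {inside} already has a static entry")
        if self.inbound(global_addr) is not None:
            raise ValueError(f"global address {global_addr} already used by another entry")

    def add_static(self, ip_addr1: str, ip_addr2: str):
        """nat static ip-addr1 ip-addr2: one-to-one private-to-public binding."""
        self._check_free(ip_addr1, ip_addr2)
        self.one_to_one[ip_addr1] = ip_addr2

    def add_static_inside_ip(self, start: str, end: str, global_addr: str, mask: str):
        """nat static inside ip start end global global-address mask."""
        s, e, m = _to_int(start), _to_int(end), _to_int(mask)
        if s > e:
            raise ValueError("range start must not exceed range end")
        if (s & m) != (e & m):
            raise ValueError("range start and end must share one network part under the mask")
        global_net = _to_int(global_addr) & m
        host = ~m & 0xFFFFFFFF
        # Check every address of the range against existing entries before committing.
        for ip in range(s, e + 1):
            self._check_free(_to_str(ip), _to_str(global_net | (ip & host)))
        self.ranges.append((s, e, global_net, m))


if __name__ == "__main__":
    nat = StaticNat()
    nat.add_static_inside_ip("192.168.1.1", "192.168.1.10", "202.169.10.0", "255.255.255.0")
    nat.add_static("10.0.1.2", "202.38.160.102")
    print(nat.outbound("192.168.1.3"), nat.inbound("202.169.10.7"), nat.inbound("202.38.160.102"))
```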

Configuring many-to-many NAT

The many-to-many NAT is accomplished by associating the ACL with the NAT pool.

Perform the following configuration under the interface view.

Configuring NAPT

When associating the ACL with the NAT pool, the no-pat parameter, if selected, means that only the IP address is translated and the port information is not, that is, the NAPT function is not used; omitting the no-pat parameter means that NAPT is used.

By default, the NAPT function is active.

Perform the following configuration in interface view.

Table 74 Configure static inside ip NAT table

Operation Command

Configure a static inside ip NAT table

nat static inside ip inside-start-address inside-end-address global global-address mask

Remove the existing static inside ip NAT table

undo nat static inside ip inside-start-address inside-end-address global global-address mask

Table 75 Apply static NAT entries on the interface

Operation Command

Apply the configured static NAT entries on the interface nat outbound static

Disable the configured static entries on the interface undo nat outbound static

Table 76 Configure many-to-many NAT

Operation Command

Add association for access control list and address pool

nat outbound acl-number [ address-group group-number [ no-pat ] ]

Delete association for access control list and address pool

undo nat outbound acl-number [ address-group group-number [ no-pat ] ]


Configuring Internal Server

By configuring an internal server, the related external address and port are mapped to the internal server, which allows hosts on the external network to access the internal server.

The mapping table between the internal server and the external network is configured with the nat server command.

The information the user needs to provide includes the external address, external port, internal server address, internal server port and the protocol type of the service.

Perform the following configuration in the interface view.

Note: ■ If either global-port or inside-port is defined as "any", the other one must either be defined as "any" or not be defined at all.

■ TFTP is a special protocol; therefore, make sure you configure the corresponding nat outbound command on the internal TFTP server when you configure NAT Server for the TFTP server.

Enabling NAT ALG

Perform the following configuration in system view.

Table 77 Configure NAPT

Operation Command

Add association for access control list and address pool

nat outbound acl-number [ address-group group-number ]

Delete association for access control list and address pool

undo nat outbound acl-number [ address-group group-number ]

Table 78 Configure Overlap Address

Operation Command

Configure the mapping from the overlap address pool to the temporary address pool

nat overlapaddress number overlappool-startaddress temppool-startaddress { pool-length pool-length | address-mask mask }

Remove the mapping from the overlap address pool to the temporary address pool

undo nat overlapaddress number

Table 79 Configure internal server

Operation Command

Add an internal server

nat server [ acl-number ] protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ]

nat server [ acl-number ] protocol pro-type global global-addr global-port 1 global-port2 inside host-addr1 host-addr2 host-port

Delete an internal server

undo nat server [ acl-number ] protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ]

undo nat server [ acl-number ] protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port


By default, NAT ALG is enabled.

Configuring Domain Name Mapping

If the internal network has no DNS server but has several different internal servers (such as FTP and WWW), and internal hosts want to use different domain names to differentiate and access those servers, you can use this command to meet the requirement.

Perform the following configuration in system view.

Up to 16 domain name mapping entries can be defined.

Configuring Address Translation Lifetimes

Since the hash table used by NAT does not persist forever, the user can configure the lifetime of hash table entries for protocols such as TCP, UDP and ICMP respectively. If a hash table entry is not used within the configured time, the connection and the entry it uses expire.

For example, a user with IP address 10.110.10.10 sets up an external TCP connection from port 2000, and NAT assigns it a corresponding address and port; if the TCP connection is not used within the configured time, the system deletes the connection.
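The NAPT port handling of Figure 14 and the lifetime behaviour just described, as an added Python simulation that is not 3Com code: ACL-controlled translation to one shared public address, port reuse or reallocation, reverse mapping of responses, and idle sessions aged out after the per-protocol lifetime. The public address 202.169.10.1, the permitted networks, the first allocated port 2222 and the TCP and UDP lifetimes are constructed from this chapter's figures and defaults.

```python
"""NAPT session table with ACL-based translation control and aging."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Default lifetimes in seconds quoted in this chapter (other protocols omitted here).
DEFAULT_AGING = {"tcp": 86400, "udp": 300}


class Napt:
    def __init__(self, public_ip, permitted_nets, first_port=1024, aging=None):
        self.public_ip = public_ip
        # Address translation control: only sources matching the ACL are translated.
        self.acl = [ipaddress.ip_network(n) for n in permitted_nets]
        self.next_port = first_port          # constructed allocation start
        self.aging = dict(DEFAULT_AGING, **(aging or {}))
        self.out = {}        # (proto, src_ip, src_port) -> public port
        self.back = {}       # (proto, public port) -> (src_ip, src_port)
        self.last_seen = {}  # (proto, src_ip, src_port) -> time of last packet

    def _permitted(self, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.acl)

    def _pick_port(self, proto, wanted):
        """Keep the host's own source port when it is free (packets 1 to 3 in
        Figure 14); otherwise hand out the next unused port (packet 4)."""
        if (proto, wanted) not in self.back:
            return wanted
        while (proto, self.next_port) in self.back:
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt, now=0.0):
        """Translate a packet leaving the intranet; None if the ACL does not permit it."""
        if not self._permitted(pkt.src_ip):
            return None
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.out:
            port = self._pick_port(pkt.proto, pkt.src_port)
            self.out[key] = port
            self.back[(pkt.proto, port)] = (pkt.src_ip, pkt.src_port)
        self.last_seen[key] = now
        return Packet(pkt.proto, self.public_ip, self.out[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt, now=0.0):
        """Map a response back to the internal host by destination port;
        None when no session matches, so unsolicited traffic is dropped."""
        if pkt.dst_ip != self.public_ip or (pkt.proto, pkt.dst_port) not in self.back:
            return None
        src_ip, src_port = self.back[(pkt.proto, pkt.dst_port)]
        self.last_seen[(pkt.proto, src_ip, src_port)] = now
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, src_ip, src_port)

    def expire(self, now):
        """Delete sessions idle longer than their protocol lifetime; return live count."""
        stale = [k for k, t in self.last_seen.items() if now - t > self.aging[k[0]]]
        for key in stale:
            port = self.out.pop(key)
            del self.back[(key[0], port)]
            del self.last_seen[key]
        return len(self.out)


if __name__ == "__main__":
    nat = Napt("202.169.10.1", ["192.168.1.0/24"], first_port=2222)
    for src, port in [("192.168.1.3", 1537), ("192.168.1.3", 2468),
                      ("192.168.1.1", 1111), ("192.168.1.2", 1111)]:
        print(nat.outbound(Packet("tcp", src, port, "202.120.10.2", 80)))
```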

Perform the following configuration in the system view.

If the nat aging-time default command is configured, the default address translation lifetime values of the system apply.

Following are the default address translation lifetime values for different protocols:

■ DNS: 60 seconds

■ FTP control link: 7,200 seconds

■ FTP data link: 240 seconds

Table 80 Enable NAT ALG

Operation Command

Enable NAT ALG (application level gateway) nat alg { dns | ftp | h323 | ils | msn | nbt | pptp | sip }

Disable NAT ALG undo nat alg { dns | ftp | h323 | ils | msn | nbt | pptp | sip }

Table 81 Configure domain name mapping

Operation Command

Configure a mapping entry from a domain name to the external IP address, port number and protocol type

nat dns-map domain-name global-addr global-port [ tcp | udp ]

Remove the domain name mapping entry undo nat dns-map domain-name

Table 82 Configure address translation lifetime values

Operation Command

Configure address translation lifetime values.

nat aging-time { default | { dns | ftp-ctrl | ftp-data | icmp | pptp | tcp | tcp-fin | tcp-syn | udp } seconds }


■ PPTP: 86,400 seconds

■ TCP: 86,400 seconds

■ TCP FIN, RST or SYN connection: 60 seconds

■ UDP: 300 seconds

■ ICMP: 60 seconds

The default ALG aging time depends on the specific applications. To effectively prevent attacks, you can set the aging time of first packet to five seconds.

Displaying and Debugging NAT

After the above configuration, execute the display command in all views to display the running of the NAT configuration, and to verify the effect of the configuration.

Execute the reset command in user view to clear the NAT mapping table.

Execute the debugging command in user view for the debugging of NAT.

NAT Configuration Example

Network requirements

As shown in Figure 15, an enterprise is connected to the WAN through the address translation function of the module. The enterprise must be able to access the Internet through the module and must provide www, ftp and smtp services to the outside. The address of the internal ftp server is 10.0.1.2/24, the address of the internal www server is 10.0.1.1/24 and the address of the internal smtp server is 10.0.1.3/24. A single server IP address is to be presented to the outside. The internal network segment 10.0.0.0/24 may access the Internet, but PCs on other segments may not. External PCs may access the internal servers. The enterprise has six legal IP addresses, from 202.38.160.100 to 202.38.160.105; 202.38.160.100 is chosen as the external IP address of the enterprise.

Table 83 Display and debug NAT

Operation Command

Check NAT status display nat { address-group | aging-time | all | outbound | server | statistics | session [ source { global global-addr | source inside inside-addr } ] }

Enable the debugging of NAT debugging nat { alg | event | packet [ interface interface-type interface-number ] }

Disable the debugging of NAT undo debugging nat { alg | event | packet [ interface interface-type interface-number ] }

Clear NAT mapping table reset nat { log-entry | session slot slot-number }


Network diagram

Figure 15 Network diagram for NAT configuration

Configuration procedure

1 For the PC, the IP address is 10.0.0.1/24 and gateway address is 10.0.0.254.

For the WWW Server, the IP address is 10.0.1.1/24 and gateway address is 10.0.1.254.

For the FTP Server, the IP address is 10.0.1.2/24 and gateway address is 10.0.1.254.

For the SMTP Server, the IP address is 10.0.1.3/24 and gateway address is 10.0.1.254.

2 Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 20
[3Com-vlan20] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit

[Figure 15 labels: the SecBlade module in the Switch 8800. VLAN 10 (10.0.0.254/24) connects the PC 10.0.0.1/24; VLAN 20 (10.0.1.254/24) connects the WWW 10.0.1.1/24, FTP 10.0.1.2/24 and SMTP 10.0.1.3/24 servers on the intranet; VLAN 30 links the switch (30.0.0.1/24) to the SecBlade (30.0.0.254/24); VLAN 50 carries the SecBlade external address 202.38.160.100 to the Internet gateway 202.38.160.200.]

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 20
[3Com-Vlan-interface20] ip address 10.0.1.254 24
[3Com-Vlan-interface20] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of the module interface (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create the SecBlade test.

[SW8800] secblade test

# Specify the module interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module of the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 202.38.160.100 24
[secblade-GigabitEthernet0/0.2] quit

# Add the sub-interface of the internal network to the trust zone.


[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Configure the static route.

[secblade] ip route-static 0.0.0.0 0 202.38.160.200
[secblade] ip route-static 10.0.0.0 16 30.0.0.1

# Configure the address pool and ACL.

[secblade] nat address-group 1 202.38.160.101 202.38.160.105
[secblade] acl number 2001
[secblade-acl-basic-2001] rule permit source 10.0.0.0 0.0.0.255

# Translate the whole 10.0.0.0/24 network segment using the address pool.

[secblade-acl-basic-2001] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] nat outbound 2001 address-group 1

# Set the internal ftp server.

[secblade-GigabitEthernet0/0.2] nat server protocol tcp global 202.38.160.100 inside 10.0.1.2 ftp

# Set the internal WWW server.

[secblade-GigabitEthernet0/0.2] nat server protocol tcp global 202.38.160.100 inside 10.0.1.1 www

# Set the internal smtp server.

[secblade-GigabitEthernet0/0.2] nat server protocol tcp global 202.38.160.100 inside 10.0.1.3 smtp

Troubleshooting NAT Configuration

Fault 1: address translation abnormal

Troubleshooting: enable debugging for NAT; refer to debugging nat in the debugging commands for the specific operation. Use the debugging information displayed on the security gateway to locate the failure initially, then use other commands for further checks. Look carefully at the source address after translation and make sure it is the expected address; otherwise the address pool configuration may be wrong. Also make sure that the accessed network has a route back to the address segment defined in the address pool. Take into account the effect on NAT of the firewall ACL, of the address translation itself, and of the route configuration.

Fault 2: internal server abnormal


Troubleshooting: if an external host cannot access the internal server normally, check the configuration on the internal server host, or the internal server configuration on the security gateway. It is possible that the internal server IP address is wrong, or that the firewall has blocked the external host from accessing the internal network. Use the display acl command for further checks. Refer to “Firewall Configuration”.


7 FIREWALL CONFIGURATION

Introduction to Firewall

A network firewall serves to prevent dangers from the Internet from spreading to your internal network.

A firewall can prohibit unauthorized or unauthenticated access from the Internet to the protected network, while permitting internal network subscribers to access the Web on the Internet or send and receive e-mail. A firewall can also serve as an authority control gateway for Internet access, for example, to permit only specific subscribers on the internal network to access the Internet. Firewalls can also implement other features, such as subscriber identification and information security (encryption) processing.

In addition to protecting the Internet connection, a firewall can protect mainframes and important resources (such as data) on your network as well. All access to protected data should pass through the firewall, even access from inside the organization.

When users of external networks access internal network resources they pass through the firewall, and so do internal network users who access external network resources. The firewall thus plays the role of a "guard" that discards data packets that should be prohibited.

Firewall here mainly refers to ACL-based packet filtering (ACL/packet filtering for short), application specific packet filtering (status firewall for short) and address translation. For address translation, refer to “NAT Configuration”. The following sections of this chapter mainly introduce the ACL/packet filtering firewall and the status firewall.

ACL/Packet Filtering Firewall

ACL/Packet filtering overview

Applying ACL/packet filtering on the security gateway gives the gateway a packet filtering function. ACL/packet filtering filters IP packets. For each data packet the security gateway would forward, it first obtains the header information of the packet, including the upper layer protocol number carried over IP, the source address, destination address, source port and destination port, then compares it with the configured ACL rules and decides whether to forward or discard the packet according to the result.

Packet filtering supporting fragment filtering

ACL/packet filtering on 3Com Series Security Gateways supports testing and filtering of fragments. The packet filtering firewall tests the packet type (non-fragment packet, first fragment or non-first fragment), obtains Layer 3 (IP layer) information about the packet (for basic ACL rules and advanced ACL rules that contain only Layer 3 information) and non-Layer 3 information (for advanced ACL rules that contain non-Layer 3 information) for matching, and obtains the configured ACL rule.

For an advanced ACL rule configured with exact matching, the packet filtering firewall needs to record the non-Layer 3 information of each first fragment. When the follow-up fragments arrive, the saved information is used to perform full matching on every matching condition of the ACL rule. If exact matching is used, make sure you disable fast forwarding with the undo ip fast-forwarding command on the corresponding interface.

When exact matching is used for filtering, the efficiency of the packet filtering firewall is slightly reduced; the more matching entries are configured, the more the efficiency is reduced. A threshold can be configured to limit the maximum number of entries the firewall processes.

For definitions of normal matching and exact matching, refer to “ACL Configuration”.
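As an added illustration (not 3Com's code) of the normal versus exact fragment matching described above, the following Python simulation applies an advanced ACL to the fragments of one datagram under both match-fragments modes. It assumes, as a simplification, that under standard matching a rule carrying Layer 4 information is simply not applied to non-first fragments, that the fragment state store is keyed by source, destination, protocol and IP identification, and that records beyond the high threshold are not kept; addresses, rules and packets are constructed.

```python
"""Simulation of advanced-ACL matching on IP fragments under the two
match-fragments modes (normally = standard matching, exactly = exact matching).
Added illustration only, not the switch's implementation."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One advanced ACL rule; dport is the only non-Layer 3 condition modelled."""
    action: str                   # "permit" or "deny"
    proto: Optional[str] = None   # IP protocol name, None = any (Layer 3 information)
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None = no Layer 4 condition

    def has_non_l3_info(self) -> bool:
        return self.dport is not None


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    ip_id: int = 0                # IP identification shared by all fragments of one datagram
    frag_offset: int = 0          # 0 for a non-fragment or a first fragment
    more_fragments: bool = False
    dport: Optional[int] = None   # only the first fragment carries the Layer 4 header

    def kind(self) -> str:
        if self.frag_offset == 0:
            return "first" if self.more_fragments else "non-fragment"
        return "non-first"


class FragmentFilter:
    """Packet filter applying an ACL with match-fragments normally | exactly."""

    def __init__(self, rules, mode="normally", default="deny", high=2000):
        if mode not in ("normally", "exactly"):
            raise ValueError(mode)
        self.rules = list(rules)
        self.mode = mode
        self.default = default    # firewall packet-filter default permit | deny
        self.high = high          # upper threshold of fragment state records (simplified)
        self.state = {}           # (src, dst, proto, ip_id) -> dport seen in the first fragment

    @staticmethod
    def _match(rule, pkt, dport) -> bool:
        if rule.proto is not None and rule.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(rule.src):
            return False
        if ip_address(pkt.dst) not in ip_network(rule.dst):
            return False
        if rule.dport is not None and rule.dport != dport:
            return False
        return True

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.dst, pkt.proto, pkt.ip_id)
        kind = pkt.kind()
        dport = pkt.dport
        if self.mode == "exactly":
            if kind == "first" and len(self.state) < self.high:
                self.state[key] = pkt.dport       # record the non-Layer 3 information
            elif kind == "non-first":
                dport = self.state.get(key)       # restore it for full matching
                if not pkt.more_fragments:
                    self.state.pop(key, None)     # last fragment: drop the record
        for rule in self.rules:
            if (self.mode == "normally" and kind == "non-first"
                    and rule.has_non_l3_info()):
                continue   # standard matching: only Layer 3 rules apply to non-first fragments
            if self._match(rule, pkt, dport):
                return rule.action
        return self.default


def demo():
    """Constructed scenario: a fragmented HTTP datagram from an external host
    to the WWW server 200.1.1.1, checked under both modes."""
    rules = [Rule("permit", "tcp", dst="200.1.1.1/32", dport=80), Rule("deny")]
    first = Packet("210.1.5.1", "200.1.1.1", "tcp", ip_id=7, more_fragments=True, dport=80)
    middle = Packet("210.1.5.1", "200.1.1.1", "tcp", ip_id=7, frag_offset=185, more_fragments=True)
    last = Packet("210.1.5.1", "200.1.1.1", "tcp", ip_id=7, frag_offset=370)
    out = {}
    for mode in ("normally", "exactly"):
        fw = FragmentFilter(rules, mode)
        out[mode] = [fw.filter(p) for p in (first, middle, last)]
    # a non-first fragment whose first fragment was never seen cannot satisfy the Layer 4 rule
    out["orphan"] = FragmentFilter(rules, "exactly").filter(middle)
    return out


if __name__ == "__main__":
    print(demo())
```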

Application Specific Packet Filter

The ACL/packet filtering firewall is a static firewall with the following problems:

■ Security policies cannot foresee the channels used by multi-channel application protocols such as FTP and H.323.

■ It cannot detect some attacks coming from the application layer, such as TCP SYN attacks and malicious Java applets.

Therefore, the concept of a status (stateful) firewall, ASPF, was brought forth. Application specific packet filter (ASPF) is packet filtering oriented to the application and transport layers, namely status-based packet filtering. Application layer protocol detection covers FTP, HTTP, SMTP, RTSP, and H.323 (Q.931, H.245, and RTP/RTCP). Transport layer protocol detection covers general TCP/UDP detection.

ASPF is able to perform the primary functions as follows:

■ Check application layer protocol information, such as the protocol type and port number of a packet, and monitor the status of connection-based application layer protocols. ASPF maintains the information of each connection and dynamically decides whether to permit a data packet into the internal network, so as to prevent malicious intrusion.

■ Detect transport layer protocol information, that is, general TCP and UDP detection, and decide whether to permit a TCP/UDP packet into the internal network.

ASPF implements the following additional functions:

■ It can detect and defend against Denial of Service (DoS) attacks.

■ Not only can it filter packets based on the connection, but it can also inspect packet content at the application layer. Java blocking for distrusted sites protects the network from malicious Java applets.


■ It enhances session logging and can log all connection information, including time, source address, destination address, the port in use, and the number of transmitted bytes.

■ It supports Port to Application Map (PAM), which allows user-defined application protocols to use non-standard ports.

At the network edge, ASPF cooperates with the common static firewall to provide a comprehensive and practical security policy for intranets.

Basic Concepts

■ Java blocking

Java blocking blocks Java applets transferred over HTTP. When Java blocking is configured, ASPF blocks and filters out the requests sent by users who attempt to obtain Java applet-included programs from web pages. If ActiveX blocking is configured, ASPF blocks ActiveX controls transferred over HTTP to protect users from installing unsafe or malicious controls.

■ Port to application mapping

Application layer protocols communicate over well-known port numbers pre-defined by the system. PAM (Port to Application Mapping) permits users to define a set of new port numbers, other than those pre-defined by the system, for different applications, and provides a mechanism to maintain and use the user-defined port configuration information.

PAM supports two kinds of mapping mechanisms: general port mapping and ACL-based host port mapping. General port mapping establishes a mapping between user-defined port numbers and application layer protocols; for example, mapping port 8080 to HTTP so that all TCP packets with destination port 8080 are regarded as HTTP packets. Basic ACL-based host mapping establishes a mapping between user-defined port numbers and application protocols only for packets to or from specific hosts; for example, mapping TCP packets using port 8080 and destined to the network segment 10.110.0.0 to HTTP. The range of hosts is specified by a basic ACL.

■ Single-channel protocol/multi-channel protocol

Single-channel protocol: only one channel is used for data interaction from the establishment of a session to its end. SMTP and HTTP are such protocols.

Multi-channel protocol: control information and data are exchanged over different channels. FTP and RTSP are such protocols.

■ Internal interface and external interface

If a security gateway connects an internal network to the Internet and deploys ASPF to protect the servers of the internal network, the interface on the security gateway connecting to the internal network is the internal interface, while the one connecting to the Internet is the external interface.


When ASPF is applied in the outbound direction of an external interface on the security gateway, a temporary channel can be opened on the firewall for the returned packets of internal network users who access the Internet.

Fundamentals of application protocol layer detection

Figure 16 Fundamentals of application protocol layer detection

As shown in the figure above, a static ACL is generally needed on the security gateway to allow hosts of the internal network to access the external network and to prohibit hosts of the external network from accessing the internal network. However, a static ACL filters out the returned packets after a user initiates a connection, so the connection cannot be established. When the security gateway is configured with application layer protocol detection, ASPF detects every session at the application layer and creates a status table and a temporary access control list (TACL). The status table is created once the first packet is detected; it maintains the status of a session at a given time and checks that the session status transitions are correct. A TACL entry is created together with the status entry and deleted after the session terminates. It acts like a permit entry in an advanced ACL that matches all the returned packets of the session, which amounts to opening a temporary channel at the external interface of the firewall for those returned packets.

Take FTP detection as an example to illustrate the detection process of a multi-channel application layer protocol.

Figure 17 FTP detection process

Following is how an FTP connection is set up:

Suppose that an FTP client initiates an FTP control channel connection from its port 1333 to port 21 of the FTP server. After negotiation, the server initiates a data channel connection from its port 20 to port 1600 of the client. The connection is deleted when the data transfer times out or ends.

[Figure 16 and Figure 17 labels: WAN, Client A, Server, Protected network, Switch 8800; Client A initiates a session, returned packets of Client A are permitted to pass, packets of other sessions are blocked. FTP Client (ports 1333 and 1600), FTP Server (ports 21 and 20), control channel connection carrying FTP commands and responses, data connection, PORT command.]

Following is how FTP detection operates from the time an FTP connection is set up until it is disconnected:

1 Check the IP packet sent from the egress interface to the outside and identify it as an FTP packet based on TCP.

2 Check the port number and identify the connection as a control connection, then create a TACL and a status table for the returned packets.

3 Check the FTP control connection packets, parse the FTP instructions, and update the status table according to the instructions. If there are instructions to establish a data channel, create TACL entries for the data links. The status of the data links is not detected.

4 Returned packets are match-checked according to protocol type, and ASPF decides whether to pass them by referring to the status table and the TACL of the protocol.

5 The status table and the TACL are cleared when the FTP connection is deleted.

The detection of single-channel application layer protocols, such as SMTP and HTTP, is simpler: a TACL is created and cleared together with the connection.

Fundamentals of transport protocol layer detection

Here, transport layer protocol detection refers to TCP/UDP detection. Unlike application layer protocol detection, it inspects only transport layer packet information, such as source address, destination address and port number. TCP/UDP detection requires that the packets returned to the external interface of ASPF match exactly the packets sent out of it, that is, the source address, destination address and port number are correct; otherwise, the returned packets are blocked. Therefore, if you configure only TCP detection and not application layer detection, connections for multi-channel application layer protocols such as FTP and H.323 cannot be established.
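The following Python simulation, added here and not part of the 3Com firmware, walks through steps 1 to 5 of the FTP detection process above and the transport layer detection contrast just described: an outbound control connection creates a status entry and a TACL entry, a parsed PORT command opens the data channel, and the same session under generic tcp detection alone leaves the data channel blocked. The port_map argument models general PAM; the PORT command format assumed is the standard FTP one, and the addresses, ports and command line are constructed.

```python
"""Simulation of ASPF status table and temporary ACL (TACL) handling for an
outbound FTP session.  Added illustration, not the switch's implementation."""
import re
from dataclasses import dataclass, field

# Standard FTP active-mode PORT command: PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r?\n?$")
WELL_KNOWN = {21: "ftp", 25: "smtp", 80: "http"}   # system pre-defined ports


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass
class Session:
    app: str                      # "ftp", "http", ... or "tcp" for generic detection
    state: str = "control"
    tacl: set = field(default_factory=set)   # 4-tuples of permitted returned packets


class Aspf:
    """ASPF policy applied in the outbound direction of the external interface."""

    def __init__(self, detect, port_map=None):
        self.detect = set(detect)                            # e.g. {"tcp"} or {"ftp", "tcp"}
        self.port_map = {**WELL_KNOWN, **(port_map or {})}   # general PAM: port -> application
        self.sessions = {}                                   # status table keyed by outbound 4-tuple

    def _classify(self, pkt):
        app = self.port_map.get(pkt.dport, "tcp")
        if app in self.detect:
            return app
        return "tcp" if "tcp" in self.detect else None

    def outbound(self, pkt):
        """Steps 1-3: classify, create status and TACL entries, parse control commands."""
        app = self._classify(pkt)
        if app is None:
            return None                      # not detected: no temporary channel
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        sess = self.sessions.setdefault(key, Session(app))
        # returned control packets: the exact reverse of the outbound 4-tuple
        sess.tacl.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if sess.app == "ftp":
            m = PORT_RE.match(pkt.payload)
            if m:
                h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                # data channel: server port 20 -> client's announced port
                sess.tacl.add((pkt.dst, 20, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2))
                sess.state = "data-channel-pending"
        return sess.state

    def returned(self, pkt) -> bool:
        """Step 4: a returned packet passes only if a TACL entry matches it exactly."""
        four = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return any(four in s.tacl for s in self.sessions.values())

    def close(self, key):
        """Step 5: deleting the control connection clears its status and TACL entries."""
        self.sessions.pop(key, None)


def demo(detect):
    """Constructed FTP session: client 10.0.0.1 -> server 202.0.0.1 in active mode."""
    aspf = Aspf(detect)
    key = ("10.0.0.1", 1333, "202.0.0.1", 21)
    aspf.outbound(Pkt(*key))
    aspf.outbound(Pkt(*key, payload=b"PORT 10,0,0,1,6,64\r\n"))   # 6*256+64 = 1600
    ctrl_reply = Pkt("202.0.0.1", 21, "10.0.0.1", 1333)
    data = Pkt("202.0.0.1", 20, "10.0.0.1", 1600)
    other = Pkt("202.0.0.1", 20, "10.0.0.1", 1601)
    result = {"control_reply": aspf.returned(ctrl_reply),
              "data_channel": aspf.returned(data),
              "unrelated": aspf.returned(other)}
    aspf.close(key)
    result["after_close"] = aspf.returned(ctrl_reply)
    return result


if __name__ == "__main__":
    print("tcp only:", demo({"tcp"}))
    print("ftp + tcp:", demo({"ftp", "tcp"}))
```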

Configuring Packet Filter Firewall

Packet filtering firewall configuration includes:

■ Enable or Disable Firewall

■ Set the Default Filtering Mode of Firewall

■ Enable Packet Filtering Firewall Fragment Detection Switch

■ Configure High/Low Threshold of Fragment Inspection

■ Apply ACL on the Interface

Enabling or Disabling Firewall

Perform the following configuration in system view.

By default, the firewall is disabled.

Table 84 Enable or disable firewall
Operation | Command
Enable firewall | firewall packet-filter enable
Disable firewall | undo firewall packet-filter enable

Setting the Default Filtering Mode of Firewall

Setting the default filtering mode of the firewall means deciding the policy the firewall adopts when no rule applies to a user packet: whether to permit the packet to pass or to deny it.

Perform the following configuration in system view.

Table 85 Set the default filtering mode of firewall
Operation | Command
Set the default filtering mode as permitting the packet to pass | firewall packet-filter default permit
Set the default filtering mode as denying the packet to pass | firewall packet-filter default deny

By default, when the firewall is enabled, packets are denied.

Enabling Packet Filtering Firewall Fragment Detection Switch

Perform the following configuration in system view.

Table 86 Enable fragment detection switch
Operation | Command
Enable fragment detection switch | firewall packet-filter fragments-inspect
Disable fragment detection switch | undo firewall packet-filter fragments-inspect

Note: Exact matching mode takes effect in the real sense only after the fragment detection switch is enabled.

Configuring Upper/Lower Threshold of Fragment Inspection

Perform the following configuration in system view.

Table 87 Configure upper/lower threshold of fragment inspection
Operation | Command
Specify the upper/lower threshold number of fragment state records | firewall packet-filter fragments-inspect { high | low } { default | number }
Restore the default upper/lower threshold number of fragment state records | undo firewall packet-filter fragments-inspect { high | low }

The default upper threshold of fragment state records is 2000 and the default lower threshold is 1500.

Applying ACL on the Interface

When an access rule is applied on an interface, the time range filtering principle is followed at the same time. Moreover, access rules can be specified separately for packets transmitted and received on the interface.

Perform the following configuration in interface view.

Table 88 Apply ACL on the interface
Operation | Command
Specify the rule for filtering packets transmitted and received on the interface | firewall packet-filter acl-number { inbound | outbound } [ match-fragments { normally | exactly } ]

Table 88 Apply ACL on the interface (continued)
Operation | Command
Remove the rule for filtering packets transmitted and received on the interface | undo firewall packet-filter acl-number { inbound | outbound }

You can only use the parameter outbound for interface-based ACLs (ACL 1000 to 1999).

An advanced ACL can perform standard matching or exact matching. Standard matching matches no information other than that of the third layer, whereas exact matching matches the information of all the rules of the advanced ACL. For this, the firewall must be able to obtain and keep the state information of the first fragment packet in order to get the complete matching information for the fragments that follow.

If exact matching is used, make sure you disable the fast forwarding function by using the undo ip fast-forwarding command on the corresponding interface.

Standard matching is used by default.

The match-fragments keyword can be applied to advanced ACLs only.

Note: To apply MAC address-based ACLs to interfaces, you must set the firewall to transparent mode. Otherwise, the system prompts "Please firstly active the Transparent mode!". See "Transparent Firewall" for more information about the transparent firewall.

Displaying and Debugging Packet Filtering Firewall

After the above configuration, execute the display commands in any view to display the running packet filtering firewall configuration and verify the effect of the configuration.

Execute the debugging commands in user view to debug the packet filtering firewall.

Table 89 Display and debug firewall
Operation | Command
Display statistics about the firewall on the interface | display firewall packet-filter statistics { all | interface type number | fragments-inspect }
Display the fragments on the firewall | display firewall fragment
Enable firewall packet filtering debugging (in user view) | debugging firewall packet-filter { all | denied | permitted | icmp | packet { permitted | denied } | tcp | udp | fragments-inspect | others } [ interface type number ]
Disable firewall packet filtering debugging (in user view) | undo debugging firewall packet-filter { all | denied | permitted | icmp | packet { permitted | denied } | tcp | udp | fragments-inspect | others } [ interface type number ]
Clear firewall packet filtering statistics | reset firewall packet-filter statistics { all | interface type number }


Packet Filtering Firewall Configuration Example

Network requirements

The company accesses the Internet through the firewall module and provides WWW and SMTP services externally. The internal WWW server address is 20.0.0.1 and the internal SMTP server address is 20.0.0.2. Only a specific external PC can access the internal servers, and it cannot access other resources of the internal network. Suppose the IP address of the specific external PC is 210.1.5.1.

Network diagram

Figure 18 Network diagram for packet filtering firewall configuration

Configuration procedure

1 For the internal PC, the IP address is 15.0.0.1/24 and the gateway address is 15.0.0.254.

For the external PC, the IP address is 210.1.5.1.

For the WWW server, the IP address is 20.0.0.1/24 and the gateway address is 20.0.0.254.

For the SMTP server, the IP address is 20.0.0.2/24 and the gateway address is 20.0.0.254.

2 Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 15
[3Com-vlan15] quit
[SW8800] vlan 20
[3Com-vlan20] quit
[SW8800] vlan 30
[3Com-vlan30] quit

[Figure 18 labels: Switch 8800 with SecBlade module; VLAN 15: internal PC 15.0.0.1/24, gateway 15.0.0.254/24; VLAN 20: WWW server 20.0.0.1/24, SMTP server 20.0.0.2/24, gateway 20.0.0.254/24; VLAN 30: 30.0.0.1/24 (switch) and 30.0.0.254/24 (SecBlade); VLAN 50: 50.0.0.254/24 (SecBlade) and 50.0.0.1/24 toward the Internet; external PC 210.1.5.1 on the Internet; intranet behind the switch.]


[SW8800] vlan 50
[3Com-vlan50] quit

# Configure the IP addresses.

[SW8800] interface vlan-interface 15
[3Com-Vlan-interface15] ip address 15.0.0.254 24
[3Com-Vlan-interface15] quit
[SW8800] interface vlan-interface 20
[3Com-Vlan-interface20] ip address 20.0.0.254 24
[3Com-Vlan-interface20] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of module interface (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create SecBlade test.

[SW8800] secblade test

# Specify the SecBlade interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module of the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade.)
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit


# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Configure the static route.

[secblade] ip route-static 0.0.0.0 0 50.0.0.1
[secblade] ip route-static 15.0.0.0 24 30.0.0.1
[secblade] ip route-static 20.0.0.0 24 30.0.0.1

# Enable the firewall on the Firewall module.

[secblade] firewall packet-filter enable

# Create ACL 3002.

[secblade] acl number 3002

# Configure the ACL so that only the specific external user can access the internal WWW server (20.0.0.1, port 80) and SMTP server (20.0.0.2, port 25) from the external network, and is prohibited from accessing other resources of the internal network.

[secblade-acl-adv-3002] rule permit tcp source 210.1.5.1 0 destination 20.0.0.1 0 destination-port eq 80
[secblade-acl-adv-3002] rule permit tcp source 210.1.5.1 0 destination 20.0.0.2 0 destination-port eq 25
[secblade-acl-adv-3002] rule deny ip

# Apply ACL 3002 to the incoming data stream of the external sub-interface.

[secblade-acl-adv-3002] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] firewall packet-filter 3002 inbound

Configuration Example of Fragment Packet Filtering Through Packet Filtering Firewall

Network requirements

The company accesses the Internet through Ethernet1/0/0 on a 3Com security gateway that is connected to the internal network through Ethernet0/0/0. It provides WWW and Telnet services externally. The corporate internal subnet address is 200.1.1.0/24; the internal WWW server address is 200.1.1.1; the internal Telnet server address is 200.1.1.2; and the address of the external interface Ethernet1/0/0 of the security gateway is 202.38.160.1.

To guard the internal WWW server and Telnet server against fragment packet attacks from outside, an ACL is applied on the inbound traffic through the external interface of the security gateway to prevent fragment packets from reaching the internal server.


Network diagram

Figure 19 Network diagram of fragment packet filtering through packet filtering firewall

Configuration procedure

# Define an ACL that enables the security gateway to block the fragment packets sourced from an external network and destined for the WWW server and Telnet server.

[SW8800] acl number 3001
[3Com-acl-adv-3001] rule 1 deny ip source any destination 200.1.1.1 0 fragment
[3Com-acl-adv-3001] rule 2 deny ip source any destination 200.1.1.2 0 fragment
[3Com-acl-adv-3001] rule 3 permit tcp source any destination 200.1.1.1 0 destination-port eq 80
[3Com-acl-adv-3001] rule 4 permit tcp source any destination 200.1.1.2 0 destination-port eq 23
[3Com-acl-adv-3001] rule 5 deny ip
[3Com-acl-adv-3001] quit

# Configure the packet filtering firewall, applying the ACL in the inbound traffic through the external interface.

[SW8800] interface Ethernet 1/0/0
[3Com-Ethernet1/0/0] firewall packet-filter 3001 inbound

The ACL defined above for inbound traffic blocks only the fragment packets destined for the specified internal servers and allows external hosts to access those servers. For the return traffic of sessions initiated by internal hosts to pass through the security gateway, you need to either define a new ACL rule or enable the ASPF function on the firewall.

Configuring ASPF

ASPF configuration includes:

■ Enable firewall

■ Configure ACL

■ Define an ASPF policy

■ Apply the ASPF policy on specified interfaces

Enabling Firewall

This configuration task is the same as for the packet filtering firewall.

Configuring ACL

To protect the internal network, an access control list should be configured on the security gateway and applied to the external interface, permitting internal hosts to access the external network and prohibiting external hosts from accessing the internal network.

Table 90 Configure ACL
Operation | Command
Configure ACL (in ACL view) | rule deny
Apply ACL to external interface (in interface view) | firewall packet-filter acl-num inbound

Defining an ASPF Policy

Define an ASPF policy according to the following steps:

■ Create an ASPF policy

■ Configure aging-time value

■ Configure application layer protocol detection

■ Configure general TCP or UDP detection

Creating an ASPF policy

Perform the following configuration in system view.

Table 91 Create an ASPF policy
Operation | Command
Create an ASPF policy | aspf-policy aspf-policy-number
Delete the created ASPF policy | undo aspf-policy aspf-policy-number

In the table, aspf-policy-number is the ASPF policy number, ranging from 1 to 99. When the command is used to create an ASPF policy, the ASPF policy view is entered at the same time.

Configuring aging-time value

Perform the following configuration in ASPF policy view.

Table 92 Configure aging-time value
Operation | Command
Configure aging-time value | aging-time { syn | fin | tcp | udp } seconds
Restore the default aging-time value | undo aging-time { syn | fin | tcp | udp }

This task configures the waiting timeout values of the TCP SYN state and FIN state, and the idle timeout values of TCP and UDP session entries. The default timeout values for syn, fin, tcp and udp are 30s, 5s, 3600s and 30s respectively.

Configuring application layer protocol detection

Perform the following configuration in ASPF policy view.

Table 93 Configure application layer protocol detection
Operation | Command
Configure ASPF detection for an application layer protocol | detect protocol [ aging-time seconds ]
Delete the configured application protocol detection | undo detect protocol

The application protocol can be ftp, http, h323, smtp or rtsp, and the transport layer protocol can be tcp or udp.

The default TCP timeout time is 3600 seconds and the default UDP timeout time is 30 seconds.

When the protocol argument is set to http, Java blocking can be configured as follows.

Table 94 Configure Java blocking detection
Operation | Command
Configure Java blocking detection | detect http [ java-blocking acl-number ] [ aging-time seconds ]
Delete the configured ASPF detection rule | undo detect http

Configuring generic TCP and UDP protocol detection

Perform the following configuration in ASPF policy view.

Table 95 Configure general TCP and UDP protocol detection
Operation | Command
Configure general TCP detection | detect tcp [ aging-time seconds ]
Configure general UDP detection | detect udp [ aging-time seconds ]
Delete general TCP detection | undo detect tcp
Delete general UDP detection | undo detect udp

The default TCP-based timeout time is 3600 seconds and the default UDP-based timeout time is 30 seconds.

You are recommended to use application layer detection together with TCP/UDP detection, because configuring TCP/UDP detection without application layer protocol detection might cause packet return failures.

Note: For Telnet applications, configuring generic TCP detection alone is sufficient to implement the ASPF function.

Applying ASPF Policy on Specified Interface

Interface stream detection takes effect only after the pre-defined ASPF policy is applied on the external interface.

Perform the following configuration in interface view.

Table 96 Apply ASPF policy on specified interface
Operation | Command
Configure the ASPF detection policy on the specified interface | firewall aspf aspf-policy-number { inbound | outbound }
Delete the ASPF detection policy applied on the interface | undo firewall aspf aspf-policy-number { inbound | outbound }

The initiated packets and the returned ones should pass through the same interface, because the preservation and maintenance of the application layer protocol status are both implemented at the interface.

Setting the Session Timeout Values

Perform the following configuration in system view.

Table 97 Set the session timeout values
Operation | Command
Set the session timeout values for different protocols | firewall session aging-time { fin-rst | fragment | ftp | h323 | http | icmp | netbios | ras | rtsp | smtp | syn | tcp | telnet | udp } { default | seconds }
Restore the default session timeout values of all firewall protocols | firewall session aging-time default

Refer to the Command Manual for the default values of the various protocols.

Configuring a Port Mapping Entry

Perform the following configuration in system view.

Table 98 Configure PAM
Operation | Command
Configure the generic PAM function | port-mapping application-name port port-number
Delete the user-configured generic PAM | undo port-mapping application-name port port-number
Configure PAM for a host | port-mapping application-name port port-number acl acl-number
Delete the user-configured PAM of a host | undo port-mapping application-name port port-number acl acl-number

The range of hosts in host-specific PAM is specified using a basic ACL.

Displaying and Debugging ASPF

After the above configuration, execute the display commands in any view to display the running ASPF configuration and verify the effect of the configuration. Execute the debugging commands in user view to debug ASPF.

Table 99 Display and debug ASPF
Operation | Command
Display all ASPF configurations and the currently traced and detected sessions | display aspf all
Display the application detection policy and access list configuration of interfaces | display aspf interface
Display the configuration of a specific detection policy | display aspf policy aspf-policy-number
Display the sessions currently traced and detected by ASPF | display aspf session [ verbose ]
Display the session table on the firewall | display firewall session table
Display the session timeout values of the various protocols | display firewall session aging-time
Display port mapping information | display port-mapping [ application-name | port port-number ]
Enable ASPF debugging | debugging aspf { all | verbose | events | ftp | h323 | rtsp | session | smtp | tcp | timers | udp }
Disable ASPF debugging | undo debugging aspf { all | verbose | events | ftp | h323 | rtsp | session | smtp | tcp | timers | udp }
Enable HTTP debugging | debugging aspf http { java-blocking | activex-blocking } { all | error | event | filter | packet }
Disable HTTP debugging | undo debugging aspf http { java-blocking | activex-blocking } { all | error | event | filter | packet }
Reset the firewall session table | reset firewall session table

Cautions about ASPF Configuration

If you use the detect, aging-time, or port-mapping command to modify the ASPF policy applied on the interface, or use the firewall aspf aspf-policy-number { inbound | outbound } command to modify the policy applied on the interface, the modifications take effect on sessions established subsequently, but not on any existing session. To avoid inconsistency between the existing sessions and the ASPF policy, you can clear the sessions manually, but be cautious because this operation interrupts the existing sessions.

ASPF Configuration Example

Network requirements

Configure an ASPF detection policy on the firewall to detect the FTP and HTTP traffic passing through the firewall. Requirement: if a packet is a returned packet of an FTP or HTTP connection initiated by an internal network user, permit it to pass the firewall and enter the internal network; deny all other packets. In addition, this detection policy must filter out Java applets in HTTP packets from the server 202.0.0.1. This example applies when local users need to access remote network services.


Network diagram

Figure 20 Network diagram for ASPF configuration

Configuration procedure

1 For the PC, the IP address is 10.0.0.1/24 and the gateway address is 10.0.0.254.

For the server host, the IP address is 202.0.0.1.

2 Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of module interfaces (the module card resides in slot 2).

[SW8800] secblade aggregation slot 2

[Figure 20 labels: Switch 8800 with SecBlade module; PC 10.0.0.1/24 on VLAN 10 behind VLAN-interface 10 (10.0.0.254/24), trust zone; VLAN 30 links the switch (30.0.0.1/24) to the SecBlade sub-interface 30.0.0.254/24; the SecBlade sub-interface 50.0.0.254/24 on VLAN 50 (untrust zone) connects to a router at 50.0.0.1/24; server host 202.0.0.1.]


# Create SecBlade test.

[SW8800] secblade test

# Specify the SecBlade interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module card of the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade; change them before the module is reachable from any untrusted network.)
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit

# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Configure the static route.

[secblade] ip route-static 0.0.0.0 0 50.0.0.1
[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Enable the firewall on the module.

[secblade] firewall packet-filter enable


# Configure ACL 3111 to deny all IP traffic entering the internal network (rule deny ip covers TCP, UDP and every other IP protocol). ASPF creates temporary entries for the return traffic of the sessions it has recorded, so those packets pass in spite of this rule.

[secblade] acl number 3111
[secblade-acl-adv-3111] rule deny ip

# Create ASPF policy 1. The policy inspects two application-layer protocols, FTP and HTTP, sets the idle timeout of their sessions to 3,000 seconds, and references ACL 2001 for Java applet blocking on HTTP.

[secblade] aspf-policy 1
[secblade-aspf-policy-1] detect ftp aging-time 3000
[secblade-aspf-policy-1] detect http java-blocking 2001 aging-time 3000

# Configure ACL 2001 to select the site whose Java applets are to be filtered, 202.0.0.1 (wildcard 0 means an exact host match); HTTP from every other site is permitted.

[secblade] acl number 2001
[secblade-acl-basic-2001] rule deny source 202.0.0.1 0
[secblade-acl-basic-2001] rule permit

# Apply the ASPF policy on the interface.

[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] firewall aspf 1 outbound

# Apply ACL 3111 on the interface.

[secblade-GigabitEthernet0/0.2] firewall packet-filter 3111 inbound
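To make the interplay between ACL 3111, ASPF policy 1 and ACL 2001 concrete, here is an added Python model of the decision the untrust-side sub-interface makes for each packet; it is an illustration written for this page, not 3Com code. The Packet type, the APP_BY_PORT table standing in for the port-mapping table, the result strings, the refresh of the aging timer on activity and the simplified parsing of the FTP PORT command are assumptions of the model; the aging times and the contents of both ACLs are the ones from the example above.

```python
# Added model (not 3Com code) of the ASPF example: a static inbound deny-all
# ACL, an outbound ASPF policy that records FTP/HTTP sessions and admits their
# return traffic, and the Java-blocking ACL applied to HTTP replies.
# Packet, AspfFirewall, APP_BY_PORT and the result strings are assumptions of
# this model; the aging times and ACLs are the ones from the example.
from dataclasses import dataclass
import ipaddress

AGING = {"ftp": 3000, "http": 3000}        # 'aging-time 3000' on both detect lines
APP_BY_PORT = {21: "ftp", 80: "http"}      # assumed stand-in for the port-mapping table

# ACL 2001 as (action, source, wildcard); wildcard 0.0.0.0 = exact host match.
ACL_2001 = [("deny", "202.0.0.1", "0.0.0.0"), ("permit", None, None)]


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


def acl_action(acl, src):
    """Basic ACL lookup: first matching rule wins, implicit deny at the end."""
    a = int(ipaddress.IPv4Address(src))
    for action, rule_src, wildcard in acl:
        if rule_src is None:                         # 'rule permit' with no source
            return action
        r = int(ipaddress.IPv4Address(rule_src))
        w = int(ipaddress.IPv4Address(wildcard))
        if ((a ^ r) & ~w & 0xFFFFFFFF) == 0:         # wildcard bits are don't-care
            return action
    return "deny"


class AspfFirewall:
    """GigabitEthernet 0/0.2 with 'firewall aspf 1 outbound' and
    'firewall packet-filter 3111 inbound' (ACL 3111 = rule deny ip)."""

    def __init__(self):
        # (client, cport, server, sport, proto) -> (application, expiry time)
        self.sessions = {}

    def outbound(self, pkt, now, payload=b""):
        """Trust -> untrust. Only FTP and HTTP are inspected and recorded."""
        app = APP_BY_PORT.get(pkt.dport)
        if app is None:
            return "permit-untracked"    # the example applies no outbound ACL
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        self.sessions[key] = (app, now + AGING[app])
        # Active-mode FTP: the client announces its data port on the control
        # channel; ASPF pre-creates that session so the server's inbound
        # connection from port 20 is admitted (simplified PORT parsing).
        if app == "ftp" and payload.upper().startswith(b"PORT "):
            f = payload[5:].strip().split(b",")
            data_ip = ".".join(x.decode() for x in f[:4])
            data_port = int(f[4]) * 256 + int(f[5])
            self.sessions[(data_ip, data_port, pkt.dst, 20, "tcp")] = ("ftp", now + AGING["ftp"])
        return "permit-tracked"

    def inbound(self, pkt, now, has_java=False):
        """Untrust -> trust. The session table is consulted before ACL 3111."""
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)   # reply direction
        entry = self.sessions.get(key)
        if entry is None or entry[1] <= now:
            self.sessions.pop(key, None)   # never seen, or aged out
            return "deny"                  # ACL 3111: rule deny ip
        app, _ = entry
        self.sessions[key] = (app, now + AGING[app])   # activity refreshes aging (assumed)
        if app == "http" and has_java and acl_action(ACL_2001, pkt.src) == "deny":
            return "java-blocked"          # 'detect http java-blocking 2001'
        return "permit"
```

Two consequences of the example are worth checking against this model: a reply to any protocol the policy does not inspect (HTTPS on port 443, for instance) is dropped by ACL 3111 because no session entry exists for it, and an FTP session whose 3,000-second idle timer has expired is likewise dropped until the client opens a new connection.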

Black List

Introduction to Black List

A black list filters packets based on their source IP address. Compared with an ACL, the fields a black list matches are much simpler, so it can filter packets at high speed and effectively shield the network from packets sent by a specific IP address. The most important feature of the black list is that the firewall module can add entries to it dynamically: when the firewall detects an attack attempt from a specific IP address based on packet behavior, it can automatically add that address to the black list and filter all packets it sends. This is one of the firewall's security features.

Creating black list

Black list creation has two approaches: manual creation through command lines and dynamic creation by some modules of the firewall.

1 Creation through command lines

The following command is used to create a black list entry.

firewall blacklist sour-addr [ timeout minutes ]

Black list entries are keyed by IP address. If an entry for the same IP address already exists, the newly configured entry replaces the old one. Without the timeout minutes parameter, the entry is permanent and never ages out. With it, the entry is removed automatically after the aging time, and packets from that IP address are no longer filtered.

2 Dynamic creation by some modules of the firewall

Some firewall modules can dynamically insert an entry into the black list. For instance, when the attack prevention module detects an attack from a specific IP address, it automatically inserts that address into the black list, so any packet from that address is denied for a specific period.

If the same IP address is inserted more than once, the entry with the longer aging period is kept.

At present, the attack prevention module is the firewall module that can insert entries into the black list.

For the related configuration, refer to "Attack Prevention and Packet Statistics".

In addition, if a Telnet client enters a wrong password three times in a row when logging on to the firewall, the system automatically adds its IP address to the black list with a ten-minute aging time. In other words, once the black list on the firewall is enabled, no one can log on to the firewall from that IP address for ten minutes.

Removing black list entry

Using the following command, you can remove the black list entries.

undo firewall blacklist [ sour-addr ]

With parameter sour-addr, the specific IP address entry will be removed. Without the parameter, all entries in the current black list will be removed.

The creation and deletion of black list entries is independent of the black list’s running status, that is, black list entries can be created and removed no matter whether the black list is enabled or not.

Enabling black list

Only when the black list is enabled does the firewall filter IP packets based on it. Otherwise, an IP packet is not discarded even if its source address is in the black list.

Use the firewall blacklist enable command to enable the black list.

Use the undo firewall blacklist enable command to disable the black list.

By default, the black list is disabled.
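The rules stated in the three sections above (replacement on an identical address, permanent versus aging entries, the longer aging period winning for dynamic insertions, the three-failure Telnet lockout, and entries taking effect only while the list is enabled) are easy to get wrong when reasoning about an incident, so here is an added Python model of them; it is written for this page and is not 3Com code. The Blacklist class, its method names, the minute-granularity clock passed as now, and the strings returned by telnet_login are assumptions of the model; the rules themselves are the ones in the text.

```python
# Added model (not 3Com code) of the black list rules stated on this page.
# Class and method names, the minute-granularity clock 'now' and the return
# strings of telnet_login are assumptions; the rules come from the text.
PERMANENT = None                 # no 'timeout minutes': the entry never ages out
TIMEOUT_RANGE = range(1, 1001)   # 'timeout minutes' accepts 1..1000
TELNET_FAILURE_LIMIT = 3         # three wrong passwords in a row ...
TELNET_LOCKOUT_MINUTES = 10      # ... blacklist the client for ten minutes


class Blacklist:
    def __init__(self):
        self.enabled = False         # 'firewall blacklist enable' is off by default
        self.entries = {}            # source address -> expiry minute, or PERMANENT
        self._telnet_failures = {}   # source address -> consecutive failed logins

    # firewall blacklist sour-addr [ timeout minutes ] / undo firewall blacklist [ sour-addr ]
    def add(self, ip, now, timeout=None):
        """Manual entry: an identical address always replaces the old entry."""
        if timeout is not None and timeout not in TIMEOUT_RANGE:
            raise ValueError("timeout must be 1..1000 minutes")
        self.entries[ip] = PERMANENT if timeout is None else now + timeout

    def remove(self, ip=None):
        """Remove one entry, or every entry when no address is given."""
        if ip is None:
            self.entries.clear()
        else:
            self.entries.pop(ip, None)

    # dynamic insertion by a firewall module (attack prevention, Telnet lockout)
    def insert_dynamic(self, ip, now, timeout):
        """Keep whichever entry for the address ages out later.
        Returns True if the new entry was installed."""
        expiry = now + timeout
        if ip in self.entries:
            old = self.entries[ip]
            if old is PERMANENT or old >= expiry:
                return False
        self.entries[ip] = expiry
        return True

    def telnet_login(self, ip, now, password_ok):
        """Third consecutive failure inserts the client with a ten-minute aging time."""
        if password_ok:
            self._telnet_failures.pop(ip, None)
            return "ok"
        failures = self._telnet_failures.get(ip, 0) + 1
        if failures < TELNET_FAILURE_LIMIT:
            self._telnet_failures[ip] = failures
            return "failed"
        self._telnet_failures.pop(ip, None)
        self.insert_dynamic(ip, now, TELNET_LOCKOUT_MINUTES)
        return "blacklisted"

    # filtering
    def enable(self):
        self.enabled = True

    def disable(self):
        self.enabled = False

    def is_blocked(self, ip, now):
        """Entries only take effect while the list is enabled; an aged-out
        entry is purged the first time it is consulted."""
        if ip not in self.entries:
            return False
        expiry = self.entries[ip]
        if expiry is not PERMANENT and now >= expiry:
            del self.entries[ip]
            return False
        return self.enabled

    def items(self, now):
        """Live entries, as 'display firewall blacklist item' would list them."""
        return {ip: exp for ip, exp in self.entries.items()
                if exp is PERMANENT or now < exp}
```

Note the asymmetry the model makes visible: a manual entry replaces an existing one even when its aging time is shorter, whereas a dynamic insertion never shortens an existing entry and never overrides a permanent one.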

Configuring Black List

Black list configuration includes:

■ Configure/remove black list entry

■ Configure the filtering type and range of the black list

■ Enable or disable black list

Page 112: 3Com® Switch 8800 Family Firewall Configuration and ...h20628. · 3Com® Switch 8800 Family Firewall Configuration and Command Reference Guide Switch 8807 Switch 8810 Switch 8814

112 CHAPTER 7: FIREWALL CONFIGURATION

Configuring/removing black list entry

Perform the following configuration in system view.

The value of minutes ranges from 1 to 1000, in minutes. Without the timeout minutes parameter, the configured entry is permanent. Without the sour-addr parameter, the undo command removes all entries in the current black list.

Enabling or disabling black list

Perform the following configuration in system view.

By default, black list is disabled.

Displaying and Debugging Black List

Execute the display command in any view to display black list entries or the running status of the black list.

Execute the debugging command in user view to enable debugging of the black list.

Black List Configuration Example

Network requirements

The server and the client PC are located in the firewall trust zone and untrust zone respectively. All packets sent from the client PC, whose IP address is 202.0.0.1, are to be filtered for 100 minutes.

Table 100 Configuring black list entry

Operation                        Command
Configure a black list entry     firewall blacklist sour-addr [ timeout minutes ]
Remove a black list entry        undo firewall blacklist [ sour-addr ]

Table 101 Enabling or disabling black list

Operation                        Command
Enable the black list            firewall blacklist enable
Disable the black list           undo firewall blacklist enable

Table 102 Display and debug black list

Operation                                              Command
Display black list entries or the running status       display firewall blacklist { enable | item [ sour-addr ] }
Enable debugging for the black list                    debugging firewall blacklist { all | item | packet }


Network diagram

Figure 21 Network diagram for black list configuration

Configuration procedure

Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of module interfaces (the module card resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create SecBlade test.

[SW8800] secblade test

[Figure 21 labels: Switch 8800 with SecBlade module; server 10.0.0.1/24 on VLAN 10 behind VLAN-interface 10 (10.0.0.254/24), trust zone; VLAN 30 links the switch (30.0.0.1/24) to the SecBlade sub-interface 30.0.0.254/24; the SecBlade sub-interface 50.0.0.254/24 on VLAN 50 (untrust zone) connects to a router at 50.0.0.1/24; client 202.0.0.1.]

# Specify the module interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module on the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit

# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Configure the static route.

[secblade] ip route-static 0.0.0.0 0 50.0.0.1
[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Insert the IP address of the client PC into the black list.

[secblade] firewall blacklist 202.0.0.1 timeout 100

# Enable the black list.

[secblade] firewall blacklist enable

With this configuration, all packets sent from the client PC are denied during the 100-minute aging period. After that period, packets from the client PC can pass the firewall again.


MAC and IP Address Binding

Introduction to MAC and IP Address Binding

MAC and IP address binding means that the firewall associates a specific IP address with a specific MAC address according to the client configuration. The firewall then discards any packet whose source MAC address does not correspond to the MAC address bound to its source IP address, and forcibly forwards any packet destined for the bound IP address to the bound MAC address. This effectively defeats IP address spoofing attacks and protects the network.

Creating MAC and IP address binding

Using the following commands, you can create an address binding map.

firewall mac-binding sour-addr mac-addr

The address binding map is keyed by IP address. If an entry for the same IP address already exists, the newly configured entry replaces the old one. One MAC address can be bound to several IP addresses.

Removing MAC and IP address binding

Using the following command, you can remove one or all address binding entries.

undo firewall mac-binding [ sour-addr ]

With parameter sour-addr, the specific IP address binding will be removed. Without this parameter, all entries in the current address binding list will be removed.

The creation and deletion of address binding map is independent of address binding function, that is, address binding map can be created and removed no matter whether the address binding is enabled or not.

Enabling MAC and IP address binding

Only when address binding is enabled does the firewall compare the IP address and MAC address of a packet against the binding map and deny packets that do not match. Otherwise it does not discard any packet, even one whose IP address and MAC address do not match the binding map.

Using the following commands, you can enable address binding.

firewall mac-binding enable

Using the following commands, you can disable address binding.

undo firewall mac-binding enable

By default, address binding is disabled.
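To show exactly which packets the binding affects once it is enabled, here is an added Python model of the checks described above; it is written for this page and is not 3Com code. The MacBinding class, its method names, the constructed list of interface addresses used for the same-subnet check, and the arp_mac argument standing in for the ARP lookup are assumptions of the model; the behaviour it encodes (replacement on an identical IP address, drop on MAC mismatch, forced next-hop MAC, one MAC for several IP addresses, rejection of classful broadcast and off-subnet addresses, the enable flag) follows the text above and the caution notes later in this section.

```python
# Added model (not 3Com code) of the MAC and IP address binding checks on this
# page. Class and method names, the interface address list for the subnet check
# and the 'arp_mac' argument are assumptions; the rules are the page's.
import ipaddress

SUBNET_ERROR = "The ip to be bound is not in the same subnet of the interfaces' ip"


def normalize_mac(mac):
    """Accept 00e0-fc00-0100, 00:e0:fc:00:01:00 or 00e0.fc00.0100 and return
    the 3Com form 00e0-fc00-0100."""
    hexdigits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError("bad MAC address: %r" % mac)
    return "-".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def is_classful_broadcast(ip):
    """Class A/B/C directed broadcast: x.255.255.255, x.y.255.255, x.y.z.255."""
    o = [int(x) for x in ip.split(".")]
    if o[0] < 128:
        return o[1:] == [255, 255, 255]
    if o[0] < 192:
        return o[2:] == [255, 255]
    if o[0] < 224:
        return o[3] == 255
    return False


class MacBinding:
    def __init__(self, interface_addresses):
        # firewall interface addresses in CIDR form, e.g. "202.0.0.254/24" (constructed)
        self.networks = [ipaddress.ip_interface(a).network for a in interface_addresses]
        self.enabled = False      # 'firewall mac-binding enable' is off by default
        self.map = {}             # ip -> mac; one MAC may serve several IPs

    def bind(self, ip, mac):
        """firewall mac-binding sour-addr mac-addr"""
        if is_classful_broadcast(ip):
            raise ValueError("broadcast addresses cannot be bound")
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in self.networks):
            raise ValueError(SUBNET_ERROR)
        self.map[ip] = normalize_mac(mac)   # identical IP: the new entry replaces the old

    def unbind(self, ip=None):
        """undo firewall mac-binding [ sour-addr ]"""
        if ip is None:
            self.map.clear()
        else:
            self.map.pop(ip, None)

    def check_source(self, src_ip, src_mac):
        """'forward' or 'drop' for a received packet: only a bound IP arriving
        with a different MAC is dropped, and only while binding is enabled."""
        bound = self.map.get(src_ip)
        if self.enabled and bound is not None and bound != normalize_mac(src_mac):
            return "drop"
        return "forward"

    def next_hop_mac(self, dst_ip, arp_mac):
        """Destination MAC to use: the bound MAC overrides whatever ARP says."""
        bound = self.map.get(dst_ip)
        if self.enabled and bound is not None:
            return bound
        return normalize_mac(arp_mac)
```

The next_hop_mac check is the half of the feature that is easy to overlook: even if an attacker has poisoned the ARP cache for 202.0.0.1, traffic to that address still goes to the bound MAC while binding is enabled. Addresses that are not bound are unaffected in either direction.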

Configuring MAC and IP Address Binding

MAC and IP address binding configuration includes:

■ Configuring MAC and IP address binding map


■ Enabling or disabling MAC and IP address binding

Configuring MAC and IP address binding map

Perform the following configuration in system view.

Without the parameter sour-addr, all the current address binding entries are removed.

CAUTION:

■ Address binding is another form of static ARP. With address binding enabled, configuring a binding for an IP address that already has a static ARP entry deletes that static ARP entry, and configuring a static ARP entry for an IP address that is already bound fails with a prompt. With address binding disabled, the same IP address can be configured in both address binding and static ARP.

■ MAC and IP address binding does not work for PPPoE addresses, because the system cannot identify and handle PPP packets carried in Ethernet frames.

■ Broadcast addresses of classes A, B and C cannot be bound. If the address to be bound is not in the same subnet as the IP address of a firewall interface, the prompt "The ip to be bound is not in the same subnet of the interfaces' ip" appears.

Enabling/disabling MAC and IP address binding

Perform the following configuration in system view.

By default, MAC and IP address binding is disabled.

Displaying and Debugging MAC and IP Address Binding

Execute the display command in any view to display the address binding entries and the running status of the function.

Execute the debugging command in user view to debug address binding.

Table 103 Configuring MAC and IP address binding map

Operation                                       Command
Configure a MAC and IP address binding entry    firewall mac-binding sour-addr mac-addr
Remove a MAC and IP address binding entry       undo firewall mac-binding [ sour-addr ]

Table 104 Enabling or disabling MAC and IP address binding

Operation                                       Command
Enable MAC and IP address binding               firewall mac-binding enable
Disable MAC and IP address binding              undo firewall mac-binding enable

Table 105 Display and debug MAC and IP address binding

Operation                                                   Command
Display the current MAC and IP address binding entries      display firewall mac-binding item [ sour-addr ]
Display the running status of MAC and IP address binding    display firewall mac-binding enable
Enable debugging of MAC and IP address binding              debugging firewall mac-binding [ all | item | packet ]


MAC and IP Address Binding Configuration Example

Network requirements

The server and the client PC are located in the firewall trust zone and untrust zone respectively. The client PC is at 202.0.0.1 and its MAC address is 00e0-fc00-0100. Configure an address binding entry on the firewall so that only packets matching this binding can pass the firewall, and packets sent to 202.0.0.1 are forwarded to the network card at 00e0-fc00-0100.

Network diagram

Figure 22 Network diagram for MAC and IP address binding

Configuration procedure

Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

[Figure 22 labels: Switch 8800 with SecBlade module; server 10.0.0.1/24 on VLAN 10 behind VLAN-interface 10 (10.0.0.254/24), trust zone; VLAN 30 links the switch (30.0.0.1/24) to the SecBlade sub-interface 30.0.0.254/24; the SecBlade sub-interface 202.0.0.254/24 on VLAN 50 (untrust zone) connects directly to the client 202.0.0.1/24.]

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of the module interface (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create SecBlade test.

[SW8800] secblade test

# Specify the SecBlade interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module on the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 202.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit

# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit


# Configure the static route.

[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Insert IP address and MAC address of the client PC into the address binding map.

[secblade] firewall mac-binding 202.0.0.1 00e0-fc00-0100

# Enable the address binding function.

[secblade] firewall mac-binding enable

Security Zone Configuration

Introduction to Security Zone

Security zones refer to the networks connected to the firewall. Four security zones are predefined in the system: Local, Trust, Untrust and DMZ, with descending security levels.

■ Local zone stands for the local system on the firewall.

■ Trust zone stands for the user's private network.

■ Untrust zone stands for public or insecure network, such as Internet.

■ DMZ (demilitarized zone) is an independent zone between the intranet and outside networks. It belongs neither to the intranet nor to outside networks. For example, in a network providing E-commerce services, some hosts, such as Web server, FTP server and mail server, are required to provide these services. To provide better services and effectively protect the intranet, you can add these servers into the DMZ zone to isolate them from the intranet. Then you can apply different firewall policies to intranet devices and these servers.

Configuring Security Zone

Entering security zone view

Perform the following configuration in system view.

Table 106 Enter security zone view

Operation                          Command
Enter the security zone view       firewall zone zonename

Entering interzone view

Perform the following configuration in system view.

Table 107 Enter interzone view

Operation                          Command
Enter the interzone view           firewall interzone zone1 zone2

Creating security zone

Perform the following configuration in system view.


Table 108 Create security zone

Operation                          Command
Create a security zone             firewall zone name zonename
Delete a security zone             undo firewall zone name zonename

Four security zones are predefined in the system: Local, Trust, Untrust and DMZ. You cannot remove these security zones.

Adding interface into security zone

Perform the following configuration in zone view.

Table 109 Add interface into security zone

Operation                                      Command
Add an interface to the security zone          add interface interface-type interface-number
Remove an interface from the security zone     undo add interface interface-type interface-number

By default, all interfaces belong to the Trust zone.

An interface can belong to only one security zone. If an interface already belongs to a security zone, you must remove it from that zone before adding it to another.

CAUTION: For the firewall to interwork with other devices, the corresponding interfaces must be added to a security zone.

Setting priority value for the security zone

You can set a priority value for a security zone. A larger priority value means a higher security level.

Perform the following configuration in zone view.

Table 110 Set priority value for security zone

Operation                                      Command
Set the priority value of the security zone    set priority number

By default, the priority value of the Local zone is 100, that of the Trust zone is 85, that of the DMZ zone is 50, and that of the Untrust zone is 5. These values of the predefined zones cannot be changed.


8 TRANSPARENT FIREWALL

Transparent Firewall Overview

By default, the firewall operates in route mode. In transparent mode (bridge mode), you cannot configure IP addresses on its interfaces; the interfaces belong to Layer 2 security zones, and all outside users connected to interfaces in Layer 2 security zones are in the same subnet.

When packets are forwarded between interfaces of Layer 2 security zones, the system determines the outgoing interface from the MAC addresses carried in the packets, so the firewall effectively operates as a transparent bridge. Unlike a plain bridge, however, the firewall matches packets against the session table and ACL rules and decides whether to pass received packets to the upper layer for filtering or other processing; the other attack prevention checks also apply. The transparent firewall supports ACL rule checking, ASPF filtering, attack prevention checks, flow control and other functions.

The transparent firewall connects to the LAN at the data link layer. Network clients need no special configuration and can treat it as an ordinary Ethernet switch.

Obtaining MAC Address Table

The transparent firewall forwards packets based on the MAC address table, which comprises two parts: MAC addresses and interfaces. Therefore, it must obtain the mapping between them.

Broadcasting packets

When connected with the physical network segment, the transparent firewall monitors all Ethernet frames on the segment. After detecting an Ethernet frame on an interface, the transparent firewall extracts its source MAC address and adds the mapping between the MAC address and the interface receiving the frame into the MAC address table. See Figure 23.


Figure 23 Broadcast packets

Stations A, B, C and D belong to two LANs. Ethernet segment 1 is connected to the interface 1 on the transparent firewall; Ethernet segment 2 is connected to the interface 2 on the firewall. When station A sends an Ethernet frame to station B, both the transparent firewall and station B can receive the frame.

Learning mapping between station A MAC address and the interface

After receiving the Ethernet frame, the transparent firewall knows that station A is reachable through interface 1 (since it received the frame on interface 1), so it adds the mapping between station A's MAC address and interface 1. See Figure 24.

Figure 24 Learn mapping between station A MAC address and the interface

[Figures 23 and 24 labels: Switch 8800; Ethernet segment 1 on interface 1 with workstation A 00e0.fcaa.aaaa and workstation B 00e0.fcbb.bbbb; Ethernet segment 2 on interface 2 with workstation C 00e0.fccc.cccc and workstation D 00e0.fcdd.dddd; frame source 00e0.fcaa.aaaa, destination 00e0.fcbb.bbbb; address table after learning: 00e0.fcaa.aaaa, port 1.]


Learning mapping between station B MAC address and the interface

When station B returns a response frame, the transparent firewall also sees it and learns that station B is reachable through interface 1 (since it received the frame on interface 1), so it adds the mapping between station B's MAC address and interface 1. See Figure 25.

Figure 25 Learn mapping between station B MAC address and the interface

Address learning continues in this way until the transparent firewall has mapping entries for all MAC addresses (those of stations A, B, C and D in this example) and their interfaces (assuming all stations are active).

Forwarding and Filtering

At the data link layer, the transparent firewall decides whether to forward or filter a frame according to the following three cases:

Forwarding after successful lookup on address table

When station A sends an Ethernet frame to station C, the transparent firewall looks up on the address table and knows that station C corresponds to interface 2. It therefore forwards the frame from interface 2. See Figure 26.

[Figure 25 labels: frame source 00e0.fcbb.bbbb, destination 00e0.fcaa.aaaa; address table: 00e0.fcaa.aaaa port 1, 00e0.fcbb.bbbb port 1.]


Figure 26 Forwarding after successful lookup on address table

Note that the transparent firewall either forwards broadcast and multicast frames received on one interface out of its other interfaces or drops them.

No forwarding (filtering) after successful lookup on address table

When station A sends an Ethernet frame to station B, the transparent firewall filters out and does not forward the frame since stations A and B are in the same network segment.

Figure 27 No forwarding after successful lookup on address table

[Figures 26 and 27 labels: address table 00e0.fcaa.aaaa port 1, 00e0.fcbb.bbbb port 1, 00e0.fccc.cccc port 2, 00e0.fcdd.dddd port 2; Figure 26: frame 00e0.fcaa.aaaa to 00e0.fccc.cccc forwarded out of interface 2 and the reply forwarded back; Figure 27: frame 00e0.fcaa.aaaa to 00e0.fcbb.bbbb not forwarded.]

Forwarding after failed lookup on address table

If station A sends an Ethernet frame to station C and no mapping entry for station C's MAC address is found in the MAC address table, the transparent firewall forwards the frame out of all interfaces except the one it arrived on. In this case the firewall behaves like a hub, so that the frame is sure to reach its destination. See Figure 28.

Figure 28 Forwarding after failed lookup on address table

[Figure 28 diagram: same topology as Figure 26, but the address table holds only 00e0.fcaa.aaaa port 1 and 00e0.fcbb.bbbb port 1. A frame from source 00e0.fcaa.aaaa to destination 00e0.fccc.cccc finds no entry and is forwarded to Interface 2.]

Configuring Transparent Firewall

The following sections describe transparent firewall configuration tasks:

■ “Configuring Firewall Mode”

■ “Configuring System IP Address”

■ “Enabling/Disabling Dynamic ARP Learning”

■ “Configuring Handling Approach for the Packets with Unknown MAC Address”

■ “Configuring MAC Address-Based ACLs”

■ “Applying MAC Address-Based ACL to the Interface”

■ “Configuring Aging Time of the MAC Forwarding Table”

■ “Defining Allowed Packet Types”

Configuring Firewall Mode

Perform the following configuration in system view.

Table 111 Configure firewall mode

Operation | Command
Set the firewall in transparent mode | firewall mode transparent
Set the firewall in route mode | firewall mode route
Restore the default firewall mode | undo firewall mode


By default, the firewall operates in route mode.

NOTE: When operating in transparent mode, the firewall automatically enables the bridging function.

Configuring System IP Address

On a firewall in route mode, all interfaces work at Layer 3 and you can configure Layer 3 attributes for them. When the firewall is in transparent mode, all interfaces operate at Layer 2 and you cannot configure Layer 3 attributes such as an IP address for them. The firewall must still own an IP address so that it can be managed and can offer network services (Telnet or SNMP). To solve this problem, you can configure a system IP address, instead of an interface IP address, for the transparent firewall.

Perform the following configuration in system view.

Table 112 Configure system IP address

Operation | Command
Configure system IP address for the firewall | firewall system-ip system-ip-address [ address-mask ]
Restore the default system IP address | undo firewall system-ip

The default system IP address of the transparent firewall is 169.0.0.1/8, and you can modify it with the firewall system-ip command. When in route mode, you cannot configure a system IP address for the firewall.

Enabling/Disabling Dynamic ARP Learning

Communications between the intranet and outside networks must go through the transparent firewall. ARP requests and responses are therefore generated when a device accesses itself or originates a connection to an outside device. The transparent firewall can automatically learn ARP entries for later address translation.

Only a limited number of ARP table entries are maintained on the firewall. When ARP flood attacks occur, the firewall may have too many ARP table entries and normal ARP resolution processes will be affected. To avoid this problem, you can disable dynamic ARP learning and manually configure static ARP entries.

Perform the following configuration in system view.

Table 113 Enable/disable ARP learning

Operation | Command
Enable dynamic ARP learning | firewall arp-learning enable
Disable dynamic ARP learning | undo firewall arp-learning enable

By default, ARP learning is enabled on the transparent firewall.

Configuring Handling Approach for the Packets with Unknown MAC Address

Upon receiving packets with an unknown destination MAC address, the transparent firewall cannot determine the outgoing interfaces for them. It can therefore handle these packets in one of three ways:

■ Drops the IP packets with unknown destination MAC address.

■ Broadcasts the ARP request packet to the interfaces in a specific security zone other than the interface receiving the packet, and drops the IP packets with unknown MAC address. The transparent firewall saves the mapping between the MAC address and the interface after receiving the ARP response packet.

■ Floods the ARP request packet to the interfaces in a specific security zone other than the interface receiving the packet. The transparent firewall saves the mapping between the MAC address and the interface after receiving the ARP response packet.

Perform the following configuration in system view.

By default, the firewall handles IP unicast packets in arp mode, and IP broadcast and multicast packets in drop mode.

Table 114 Configure handling approach for the packets with unknown MAC address

Operation | Command
Configure handling approach for unicast IP packets, multicast and broadcast packets with unknown MAC address | firewall unknown-mac { drop | flood }
Configure handling approach for the unicast IP packets with unknown MAC address | firewall unknown-mac [ unicast ] { drop | arp | flood }
Configure handling approach for IP broadcast and multicast packets | firewall unknown-mac { broadcast | multicast } { drop | flood }
Restore the default handling approach for the packets with unknown MAC address | undo firewall unknown-mac [ unicast | broadcast | multicast ]

Configuring MAC Address-Based ACLs

You can configure MAC address-based ACLs, whose IDs are in the range of 4,000 to 4,999.

Perform the following configuration in the specified views.

Table 115 Configure MAC address-based ACLs

Operation | Command
Configure a MAC address-based ACL and enter the corresponding view (system view) | acl number acl-number
Delete the existing ACL (system view) | undo acl { number acl-number | all }
Define a MAC address-based ACL rule (ACL view) | rule [ rule-id ] { permit | deny } [ type type-code type-wildcard | lsap lsap-code lsap-wildcard ] [ source-mac sour-addr source-wildcard ] [ dest-mac dest-addr dest-wildcard ] [ time-range time-name ] [ logging ]
Delete the existing ACL rule (ACL view) | undo rule rule-id [ time-range time-name ] [ logging ]

By default, no MAC address-based ACL is defined.

Applying MAC Address-Based ACL to the Interface

Perform the following configuration in interface view.

Table 116 Apply MAC address-based ACL to the interface

Operation | Command
Apply the MAC address-based ACL to the interface | firewall ethernet-frame-filter acl-number { inbound | outbound }
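The forwarding behaviour described in the transparent firewall sections above (address-table lookup, the unknown-MAC handling modes and MAC table aging), as an added Python simulation written for this page rather than 3Com code. The class and method names, the integer port numbers and the explicit clock are my own assumptions, and because the page does not say how an allowed BPDU/DLSw/IPX frame is forwarded, the simulation bridges it to the other interfaces.

```python
from dataclasses import dataclass, field

BROADCAST = "ffff.ffff.ffff"   # MAC addresses written in the manual's dotted form


def is_multicast(mac: str) -> bool:
    """The I/G bit (lowest bit of the first octet) marks group addresses."""
    return int(mac[:2], 16) & 1 == 1


@dataclass
class Frame:
    src: str
    dst: str
    in_port: int
    frame_type: str = "ip"    # "ip", or a non-IP type such as "bpdu", "dlsw", "ipx"


@dataclass
class TransparentFirewall:
    """Assumed model: interfaces are integer ports, time is an explicit clock."""
    aging_time: int = 300            # firewall transparent-mode aging-time (default 300 s)
    unicast_mode: str = "arp"        # firewall unknown-mac unicast { drop | arp | flood }
    broadcast_mode: str = "drop"     # firewall unknown-mac broadcast { drop | flood }
    multicast_mode: str = "drop"     # firewall unknown-mac multicast { drop | flood }
    allowed_types: set = field(default_factory=set)  # firewall transparent-mode transmit
    ports: tuple = (1, 2)
    table: dict = field(default_factory=dict)        # mac -> (port, time last seen)

    def learn(self, mac: str, port: int, now: int) -> None:
        """Record or refresh the source MAC -> interface mapping."""
        self.table[mac] = (port, now)

    def age_out(self, now: int) -> None:
        """Remove entries whose aging timer has expired."""
        expired = [m for m, (_, seen) in self.table.items()
                   if now - seen >= self.aging_time]
        for m in expired:
            del self.table[m]

    def handle(self, frame: Frame, now: int) -> tuple:
        """Return (decision, egress ports) for one received frame."""
        self.age_out(now)
        self.learn(frame.src, frame.in_port, now)
        others = [p for p in self.ports if p != frame.in_port]

        # Non-IP types pass only when allowed by "transparent-mode transmit";
        # assumption: an allowed frame is bridged to the other interfaces.
        if frame.frame_type != "ip":
            if frame.frame_type in self.allowed_types:
                return ("forward", others)
            return ("drop", [])

        if frame.dst == BROADCAST or is_multicast(frame.dst):
            mode = self.broadcast_mode if frame.dst == BROADCAST else self.multicast_mode
            return ("flood", others) if mode == "flood" else ("drop", [])

        entry = self.table.get(frame.dst)
        if entry is not None:
            out_port, _ = entry
            if out_port == frame.in_port:
                return ("filter", [])          # Figure 27: same segment, not forwarded
            return ("forward", [out_port])     # Figure 26: known destination
        # Unknown unicast destination (Figure 28 and "firewall unknown-mac")
        if self.unicast_mode == "flood":
            return ("flood", others)           # the firewall behaves like a hub
        if self.unicast_mode == "arp":
            return ("arp-request", others)     # ARP request sent, IP packet dropped
        return ("drop", [])


if __name__ == "__main__":
    # Constructed scenario matching Figures 26 to 28: A and B on port 1, C on port 2.
    fw = TransparentFirewall()
    fw.learn("00e0.fcbb.bbbb", 1, 0)
    fw.learn("00e0.fccc.cccc", 2, 0)
    for dst in ("00e0.fccc.cccc", "00e0.fcbb.bbbb", "00e0.fcdd.dddd"):
        print(dst, fw.handle(Frame("00e0.fcaa.aaaa", dst, 1), 10))
```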

Table 116 Apply MAC address-based ACL to the interface (continued)

Operation | Command
Remove the MAC address-based ACL on the interface | undo firewall ethernet-frame-filter { inbound | outbound }

By default, no MAC address-based ACL is applied to the interface.

NOTE: To apply MAC address-based ACLs to interfaces, you must set the firewall in transparent mode. Otherwise, the system prompts the message "Please firstly active the Transparent mode!"

Configuring Aging Time of the MAC Forwarding Table

The aging time of the MAC forwarding table is the lifetime of a MAC forwarding table entry and is determined by the aging timer. When the timer expires, the corresponding entry is removed from the MAC forwarding table.

Perform the following configuration in system view.

Table 117 Configure aging time of the MAC forwarding table

Operation | Command
Configure the aging time of the MAC forwarding table | firewall transparent-mode aging-time seconds
Restore the default aging time of the MAC forwarding table | undo firewall transparent-mode aging-time

By default, the aging time of the MAC forwarding table is 300 seconds.

Defining Allowed Packet Types

You can configure the transparent firewall to allow BPDU (bridge protocol data unit), DLSw (data link switching) or IPX (internetwork packet exchange) packets to pass.

Perform the following configuration in system view.

Table 118 Define allowed packet types

Operation | Command
Define the type of packets that are allowed to pass the transparent firewall | firewall transparent-mode transmit { bpdu | dlsw | ipx }
Define the type of packets that are not allowed to pass | undo firewall transparent-mode transmit { bpdu | dlsw | ipx }

By default, the firewall filters out all packets of these types.

Displaying and Debugging Transparent Firewall

Use the commands listed in Table 119 to view the configuration information about the transparent firewall and to enable debugging for the transparent firewall.

Execute the display command in any view, and execute the debugging and reset commands in user view.

Table 119 Display and debug transparent firewall

Operation | Command
Display the current firewall mode | display firewall mode
Display statistics on Ethernet frame filtering | display firewall ethernet-frame-filter { all | interface interface-type interface-number }
Display transparent firewall configuration | display firewall transparent-mode config
Display the MAC address table on the transparent firewall | display firewall transparent-mode address-table [ interface interface-type interface-number | mac mac-address ]
Display traffic on the transparent firewall | display firewall transparent-mode traffic [ interface interface-type interface-number ]
Enable debugging for Ethernet frame filtering | debugging firewall eff [ interface interface-type interface-number ]
Enable debugging for Ethernet frame forwarding | debugging firewall transparent-mode eth-forwarding [ interface interface-type interface-number ]
Enable debugging for IP packet forwarding | debugging firewall transparent-mode ip-forwarding
Clear Ethernet frame filtering information | reset firewall ethernet-frame-filter { all | interface interface-type interface-number }
Clear MAC address table | reset firewall transparent-mode address-table [ interface interface-type interface-number ]
Clear traffic statistics on the transparent firewall | reset firewall transparent-mode traffic [ interface interface-type interface-number ]

Transparent Firewall Configuration Example

Network requirements

The Firewall module operates in transparent mode. The module allows the hosts in the trust zone to access resources in the DMZ zone and the untrust zone, using ACLs based on MAC addresses. The Firewall module also uses the black list to prevent host PC_B in the untrust zone from sending any packets. The MAC address of PC_A is 000f-1f7e-fec5, and the IP address of PC_B is 172.16.0.50/24.

Network diagram

Figure 29 Network diagram for transparent firewall configuration

[Figure 29 diagram: the SecBlade module in the Switch 8800 connects VLAN 10 (Trust Zone, PC_A 172.16.0.10/24), VLAN 50 (Untrust Zone, PC_B) and VLAN 60 (DMZ Zone, PC_C 172.16.0.60/24).]

Configuration procedure

3Com (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit

# Configure aggregation of the interfaces (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create a SecBlade test.

[SW8800] secblade test

# Set the protected VLANs.

[3Com-secblade-test] security-vlan 10 50 60

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module on the specified slot (both the default user name and password are SecBlade).

<SW8800> secblade slot 2
user: SecBlade
password: SecBlade
<secblade> system-view

# Configure the Firewall module to operate in transparent mode.

[secblade] firewall mode transparent

# Create the sub-interfaces.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] quit

# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Add the DMZ sub-interface to the DMZ.

[secblade] firewall zone dmz
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit

# Configure the ACL rule on the basis of the MAC address.

[secblade] acl number 4000
[secblade-acl-ethernetframe-4000] rule permit source-mac 000f-1f7e-fec5 0000-0000-0000
[secblade-acl-ethernetframe-4000] quit

# Configure packet filtering.

[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] firewall ethernet-frame-filter 4000 outbound
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] firewall ethernet-frame-filter 4000 outbound
[secblade-GigabitEthernet0/0.3] quit


# Add PC_B address to the black list entry.

[secblade] firewall blacklist item 172.16.0.50 timeout 60

# Enable black list function.

[secblade] firewall blacklist enable
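The MAC address-based ACL and its ethernet-frame-filter binding from the configuration example above, as an added Python model that is not 3Com code. It assumes that wildcard bits set to 1 are ignored (so 0000-0000-0000 means an exact match), that rules are tried in rule-id order, and it returns None when no rule matches because the page does not state the implicit action of an applied ACL.

```python
from dataclasses import dataclass
from typing import Optional


def mac_to_int(mac: str) -> int:
    """Accept the manual's forms 000f-1f7e-fec5 and 00e0.fcaa.aaaa."""
    return int(mac.replace("-", "").replace(".", ""), 16)


def masked_equal(value: str, pattern: str, wildcard: str) -> bool:
    """Assumption: wildcard bits set to 1 are ignored, 0000-0000-0000 is exact."""
    care = ~mac_to_int(wildcard) & 0xFFFFFFFFFFFF
    return (mac_to_int(value) & care) == (mac_to_int(pattern) & care)


@dataclass
class MacRule:
    """One 'rule [ rule-id ] { permit | deny } ...' line of an ACL in the 4000-4999 range."""
    rule_id: int
    action: str                              # "permit" or "deny"
    source_mac: Optional[str] = None         # source-mac sour-addr source-wildcard
    source_wildcard: str = "ffff-ffff-ffff"
    dest_mac: Optional[str] = None           # dest-mac dest-addr dest-wildcard
    dest_wildcard: str = "ffff-ffff-ffff"
    type_code: Optional[int] = None          # type type-code type-wildcard
    type_wildcard: int = 0xFFFF

    def matches(self, src: str, dst: str, etype: int) -> bool:
        if self.source_mac and not masked_equal(src, self.source_mac, self.source_wildcard):
            return False
        if self.dest_mac and not masked_equal(dst, self.dest_mac, self.dest_wildcard):
            return False
        if self.type_code is not None:
            care = ~self.type_wildcard & 0xFFFF
            if (etype & care) != (self.type_code & care):
                return False
        return True


class EthernetFrameFilter:
    """Hypothetical evaluator for 'firewall ethernet-frame-filter acl-number { inbound | outbound }'."""

    def __init__(self) -> None:
        self.acls: dict = {}        # acl number -> list of MacRule
        self.bindings: dict = {}    # (interface, direction) -> acl number

    def acl_rule(self, acl_number: int, rule: MacRule) -> None:
        if not 4000 <= acl_number <= 4999:
            raise ValueError("MAC address-based ACLs use numbers 4000 to 4999")
        self.acls.setdefault(acl_number, []).append(rule)

    def apply(self, interface: str, direction: str, acl_number: int) -> None:
        if direction not in ("inbound", "outbound"):
            raise ValueError("direction must be inbound or outbound")
        self.bindings[(interface, direction)] = acl_number

    def check(self, interface: str, direction: str, src: str, dst: str,
              etype: int = 0x0800) -> Optional[str]:
        """First matching rule's action; None if no ACL is applied or nothing matches."""
        acl = self.bindings.get((interface, direction))
        if acl is None:
            return None
        for rule in sorted(self.acls.get(acl, []), key=lambda r: r.rule_id):
            if rule.matches(src, dst, etype):
                return rule.action
        return None


def build_example_filter() -> EthernetFrameFilter:
    """The chapter's example: ACL 4000 permits PC_A's source MAC, applied
    outbound on the untrust (0/0.2) and DMZ (0/0.3) sub-interfaces."""
    f = EthernetFrameFilter()
    f.acl_rule(4000, MacRule(0, "permit", source_mac="000f-1f7e-fec5",
                             source_wildcard="0000-0000-0000"))
    f.apply("GigabitEthernet0/0.2", "outbound", 4000)
    f.apply("GigabitEthernet0/0.3", "outbound", 4000)
    return f


if __name__ == "__main__":
    f = build_example_filter()
    # Constructed destination MAC; PC_A's frame is permitted, another host's is unmatched.
    print(f.check("GigabitEthernet0/0.2", "outbound", "000f-1f7e-fec5", "00e0-fcbb-bbbb"))
    print(f.check("GigabitEthernet0/0.2", "outbound", "000f-1f7e-fec6", "00e0-fcbb-bbbb"))
```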

9 WEB AND E-MAIL FILTERING

Introduction to Web and E-mail Filtering

As network technology increasingly gains popularity in various fields, attacks sourced from within a LAN escalate. Faced with this situation, traditional network security schemes, which focus only on attacks sourced from external networks, become obsolete. At present, network devices are required to meet the demand for establishing secure internal networks and ensuring internal network security.

The Web and e-mail filtering function provided by firewalls can deny access to illegal Web sites or Web pages and prevent internal users from sending unnecessary mails to illegal external mailboxes. The mail alarming function can inform administrators of external attacks through alarm mails so that they can take proper measures in time.

The Firewall module can also prevent SQL (structured query language) attacks by checking the HTTP commands in HTTP packets and judging whether they are attacks on the system.

Configuring Web Filtering

Configuring Web Address Filtering

Enabling/Disabling Web address filtering

Before configuring Web address filtering for a firewall, you must enable this function first for the related configurations to take effect.

Perform the following configuration in system view.

Table 120 Enable Web address filtering

Operation | Command
Enable Web address filtering | firewall url-filter host enable
Disable Web address filtering | undo firewall url-filter host enable

Web address filtering is disabled by default.

CAUTION: You must configure ASPF policies and execute the detect http and detect tcp commands first to enable Web address filtering. Refer to section “Configuring ASPF” for information about ASPF.

Configuring the default filtering operation

You can configure the default filtering operation for a firewall so that it permits or denies packets that do not match the Web addresses set by the administrator.

Perform the following configuration in system view.

Table 121 Configure the default filtering operation

Operation | Command
Configure the default filtering operation | firewall url-filter host default { permit | deny }

Packets that do not match are permitted by default.

Configuring a Web address to be filtered

Web addresses are filtered according to the address items previously configured in a Web address filtering file. The administrator can manipulate this kind of file to add or delete Web addresses in it, or even clear all the Web addresses.

Perform the following configuration in system view.

Table 122 Configure a Web address to be filtered

Operation | Command
Add a Web address to be filtered | firewall url-filter host add { permit | deny } url-address
Delete a Web address | firewall url-filter host delete url-address
Clear all Web addresses | firewall url-filter clear

Saving/Loading a Web address filtering file

After configuring the Web addresses to be filtered, you can save them to a Web address filtering file for later use. You must load a Web address filtering file first to configure or modify the items in it.

Perform the following configuration in system view.

Table 123 Save/Load a Web address filtering file

Operation | Command
Save/Load a Web address filtering file | firewall url-filter host { save-file | load-file } file-name
Unload the current Web address filtering file | undo firewall url-filter host load-file

You must load the Web address filtering file for the items in it to take effect, that is, for Web addresses that match these items to be filtered.

Configuring IP address filtering

If users access the Web through IP addresses, you can configure the firewall to control whether to allow such access requests.

Perform the following configuration in system view.

Table 124 Configure IP address filtering

Operation | Command
Configure IP address filtering | firewall url-filter host ip-address { permit | deny }

By default, the firewall denies Web access requests with IP addresses as destination URLs.

Filtering IP addresses through ACL

This filters Web access requests with IP addresses as destination URLs through an ACL.

Perform the following configuration in system view.

Table 125 Filter IP addresses through ACL

Operation | Command
Filter IP addresses through ACL | firewall url-filter host acl-number number
Cancel the configured ACL rule | undo firewall url-filter host acl-number

By default, no ACL rule is configured.

Upon receiving a Web request whose destination URL is an IP address, the firewall first matches the request against the ACL defined with the firewall url-filter host acl-number command. If the match result is permit, the firewall permits the request to pass; if the match result is deny, the firewall denies the request. If the firewall finds no matching entry in the ACL, or the firewall url-filter host acl-number command is not used, it determines whether to permit the request based on how the firewall url-filter host ip-address { permit | deny } command is configured.

This command supports only one ACL rule. Any newly configured rule overwrites the original rule.

Displaying and debugging Web address filtering

Use the commands listed in Table 126 to view information about Web address filtering and to enable debugging for Web address filtering.

Execute the display command in any view, and execute the debugging and reset commands in user view.

Table 126 Display and debug Web address filtering

Operation | Command
Display information about Web address filtering | display firewall url-filter host { enable | all | item { url-address | all } }
Enable debugging Web address filtering | debugging firewall url-filter host { all | error | event | filter | packet }
Disable debugging Web address filtering | undo debugging firewall url-filter host { all | error | event | filter | packet }
Clear statistics on Web address filtering | reset firewall url-filter host counter
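The Web address filtering decision described above (host entries with permit/deny, the default operation for unmatched hosts, and the ACL-first, then ip-address order for URLs that are IP addresses), as an added Python model that is not 3Com code. Exact, case-insensitive host matching and the representation of the bound ACL as a list of (network, action) pairs are my own assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class UrlFilterHost:
    """State set by the firewall url-filter host commands of this section."""
    enabled: bool = False                        # firewall url-filter host enable
    default: str = "permit"                      # firewall url-filter host default { permit | deny }
    entries: dict = field(default_factory=dict)  # url-address -> "permit" / "deny"
    ip_address: str = "deny"                     # firewall url-filter host ip-address (default deny)
    acl: Optional[list] = None                   # the one ACL bound with url-filter host acl-number

    def add(self, action: str, url_address: str) -> None:
        """firewall url-filter host add { permit | deny } url-address"""
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        self.entries[url_address.lower()] = action

    def delete(self, url_address: str) -> None:
        """firewall url-filter host delete url-address"""
        self.entries.pop(url_address.lower(), None)

    def clear(self) -> None:
        """firewall url-filter clear"""
        self.entries.clear()

    def match_acl(self, ip) -> Optional[str]:
        """Action of the first ACL rule whose network contains ip; None if no ACL or no match."""
        if self.acl is None:
            return None
        for network, action in self.acl:
            if ip in ipaddress.ip_network(network):
                return action
        return None

    def decide(self, host: str) -> str:
        """Permit or deny a Web request whose URL names `host`."""
        if not self.enabled:
            return "permit"              # filtering disabled: nothing is filtered
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None
        if ip is not None:
            # IP-address URL: the ACL decides first, then the ip-address setting
            acl_action = self.match_acl(ip)
            return acl_action if acl_action is not None else self.ip_address
        # Host-name URL: an explicit entry wins, otherwise the default operation
        return self.entries.get(host.lower(), self.default)


if __name__ == "__main__":
    # Constructed configuration: one denied host, filtering enabled, everything else permitted.
    f = UrlFilterHost(enabled=True)
    f.add("deny", "blocked.example")
    for host in ("blocked.example", "other.example", "192.0.2.10"):
        print(host, f.decide(host))
```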

Configuring Web Content Filtering

Enabling/Disabling Web content filtering

Before configuring Web content filtering for a firewall, you must enable this function first for the related configurations to take effect.

Perform the following configuration in system view.

Table 127 Enable Web content filtering

Operation | Command
Enable Web content filtering | firewall webdata-filter enable
Disable Web content filtering | undo firewall webdata-filter enable

Web content filtering is disabled by default.

CAUTION: You must configure ASPF policies and execute the detect http and detect tcp commands first to enable Web content filtering. Refer to section “Configuring ASPF” for information about ASPF.

Configuring a filtering keyword for Web content filtering

Web pages can be filtered according to the filtering keyword items previously configured in a Web content filtering file. The administrator can manipulate this kind of file to add or delete Web content filtering keywords in it, or even clear all the Web content filtering keywords.

Perform the following configuration in system view.

Table 128 Configure a filtering keyword for Web content filtering

Operation | Command
Add a Web content filtering keyword | firewall webdata-filter add keywords
Delete a Web content filtering keyword | firewall webdata-filter delete keywords
Clear all Web content filtering keywords | firewall webdata-filter clear

CAUTION: The new Web content filtering keyword cannot be an HTML tag such as <head>, <html>, <title> or <script>. Otherwise, valid Web pages may be filtered.

Saving/Loading a Web content filtering file

After configuring the Web content filtering keywords, you can save them to a Web content filtering file for later use. You must load a Web content filtering file first to configure or modify the items in it.

Perform the following configuration in system view.

Table 129 Save/Load a Web content filtering file

Operation | Command
Save/Load a Web content filtering file | firewall webdata-filter { save-file | load-file } file-name
Unload the current Web content filtering file | undo firewall webdata-filter load-file

You must load the Web content filtering file for the items in it to take effect, that is, for Web content that matches these items to be filtered.

Displaying and debugging Web content filtering

Use the commands listed in Table 130 to view information about Web content filtering and to enable debugging for Web content filtering.

Execute the display command in any view, and execute the debugging and reset commands in user view.

Table 130 Display and debug Web content filtering

Operation | Command
Display information about Web content filtering | display firewall webdata-filter { enable | all | item { keywords | all } }
Enable debugging Web content filtering | debugging firewall webdata-filter { all | error | event | filter | packet }
Disable debugging Web content filtering | undo debugging firewall webdata-filter { all | error | event | filter | packet }
Clear statistics on Web content filtering | reset firewall webdata-filter counter

Configuring SQL Attack Prevention

Enabling/Disabling SQL attack prevention

You must enable SQL attack prevention before making any other SQL attack prevention configuration on the firewall; otherwise the later configuration does not take effect.

Perform the following configuration in system view.

Table 131 Enable SQL attack prevention

Operation | Command
Enable SQL attack prevention | firewall url-filter parameter enable
Disable SQL attack prevention | undo firewall url-filter parameter enable

By default, SQL attack prevention is not enabled.

CAUTION: To enable SQL attack prevention successfully, you must first configure ASPF policies and execute the detect http and detect tcp commands. Refer to section “Configuring ASPF” for more information about ASPF.

Configuring filter keywords for SQL attack prevention

The SQL attack prevention function filters HTTP commands based on predefined filter keywords. If a keyword is carried in an HTTP request, the firewall blocks the request. You can define table names, fields, and stored procedure names (default or custom) as keywords depending on specific needs.

Perform the following configuration in system view.

Table 132 Configure filter keywords for SQL attack prevention

Operation | Command
Add a filter keyword for SQL attack prevention | firewall url-filter parameter add keywords
Add the system-default filter keywords | firewall url-filter parameter add-default
Delete a filter keyword | firewall url-filter parameter delete keywords
Clear all filter keywords | firewall url-filter parameter clear

The system predefines these filter keywords for SQL attack prevention: ^select^, ^insert^, ^update^, ^delete^, ^drop^, -, ', ^exec^ and %27. If you delete some keywords by mistake or clear them all with the firewall url-filter parameter clear command, you can restore the default configuration with the firewall url-filter parameter add-default command.

Saving/loading SQL attack prevention filter file

After configuring filter keywords, you can save them in the filter file. You can load the filter file later if you want to modify the existing configuration or make other settings.

Perform the following configuration in system view.

Table 133 Save/load SQL attack prevention filter file

Operation | Command
Save/load SQL attack prevention filter file | firewall url-filter parameter { save-file | load-file } file-name
Unload the SQL attack prevention filter file | undo firewall url-filter parameter load-file

For the entries in the SQL attack prevention filter file to take effect and filter HTTP commands, you must load the file.

Displaying and debugging SQL attack prevention configuration

Use the commands listed in Table 134 to display information about SQL attack prevention filtering and to enable/disable debugging for SQL attack prevention filtering.

Execute the display command in any view, and execute the debugging and reset commands in user view.

Table 134 Display and debug SQL attack prevention configuration

Operation | Command
Display SQL attack prevention filter configuration | display firewall url-filter parameter { enable | all | item { keywords | all } }
Display the number of matches for each filter keyword | display firewall url-filter parameter counter detail
Enable debugging for SQL attack prevention | debugging firewall url-filter parameter { all | error | event | filter | packet }
Disable debugging for SQL attack prevention | undo debugging firewall url-filter parameter { all | error | event | filter | packet }
Clear statistics on SQL attack prevention | reset firewall url-filter parameter counter

Configuring E-mail Filtering

Configuring E-mail Address Filtering

E-mail filtering is needed to prevent internal users from sending unnecessary information to illegal targets outside the intranet. The module enables you to filter E-mails by their addresses.

Enabling/Disabling E-mail address filtering

Before configuring E-mail address filtering for a firewall, you must enable this function first for the related configurations to take effect.

Perform the following configuration in system view.

Table 135 Enable E-mail address filtering

Operation | Command
Enable E-mail address filtering | firewall smtp-filter rcptto enable
Disable E-mail address filtering | undo firewall smtp-filter rcptto enable

E-mail address filtering is disabled by default.

CAUTION: You must configure ASPF policies and execute the detect smtp and detect tcp commands first to enable E-mail address filtering. Refer to section “Configuring ASPF” for information about ASPF.

Configuring the default filtering operation

You can configure the default filtering operation for a firewall so that it permits or denies packets that do not match the E-mail addresses set by the administrator.

Perform the following configuration in system view.

Table 136 Configure the default filtering operation

Operation | Command
Configure the default filtering operation | firewall smtp-filter rcptto default { permit | deny }
Revert to the default filtering operation | undo firewall smtp-filter rcptto default

Packets that do not match are permitted by default.

Configuring an E-mail address to be filtered

E-mails are filtered according to the address items previously configured in an E-mail address filtering file. The administrator can manipulate this kind of file to add or delete E-mail addresses in it, or even clear all the E-mail addresses.

Perform the following configuration in system view.

Table 137 Configure an E-mail address to be filtered

Operation | Command
Add an E-mail address to be filtered | firewall smtp-filter rcptto add { permit | deny } mail-address
Delete an E-mail address | firewall smtp-filter rcptto delete mail-address
Clear all E-mail addresses | firewall smtp-filter rcptto clear

Saving/Loading an E-mail address filtering file

After configuring the E-mail addresses to be filtered, you can save them to an E-mail address filtering file for later use. You must load an E-mail address filtering file first to configure or modify the items in it.

Perform the following configuration in system view.

Table 138 Save/Load an E-mail address filtering file

Operation | Command
Save/Load an E-mail address filtering file | firewall smtp-filter rcptto { save-file | load-file } file-name
Unload the current E-mail address filtering file | undo firewall smtp-filter rcptto load-file

You must load the E-mail address filtering file for the items in it to take effect, that is, for E-mail addresses that match these items to be filtered.

Configuring E-mail Subject Filtering

You can also filter outgoing E-mails by their subjects.

Enabling/Disabling E-mail subject filtering

Before configuring E-mail subject filtering for a firewall, you must enable this function first for the related configurations to take effect.

Perform the following configuration in system view.

Table 139 Enable E-mail subject filtering

Operation | Command
Enable E-mail subject filtering | firewall smtp-filter subject enable
Disable E-mail subject filtering | undo firewall smtp-filter subject enable

E-mail subject filtering is disabled by default.

CAUTION: You must configure ASPF policies and execute the detect smtp and detect tcp commands first to enable E-mail subject filtering. Refer to section “Configuring ASPF” for information about ASPF.

Configuring a filtering keyword for E-mail subject filtering

E-mails can be filtered according to the filtering keyword items previously configured in an E-mail subject filtering file. The administrator can manipulate this kind of file to add or delete E-mail subject filtering keywords in it, or even clear all the E-mail subject filtering keywords.

Perform the following configuration in system view.


Saving/Loading an E-mail subject filtering file

After configuring the E-mail subject filtering keywords, you can save them to an E-mail subject filtering file for later use. You must load an E-mail subject filtering file first to configure or modify items in it.

Perform the following configuration in system view.

You must load the E-mail subject filtering file for items in it to take effect, that is, for E-mails that match these items to be filtered.

Configuring E-mail Content Filtering

E-mails can also be filtered according to their content.

Enabling/Disabling E-mail content filtering

Before configuring E-mail content filtering for a firewall, you must enable this function first for related configurations to take effect.

Perform the following configuration in system view.

CAUTION: You must configure ASPF policies and execute the detect smtp and detect tcp commands first to enable E-mail content filtering. Refer to section “Configuring ASPF” for information about ASPF.

E-mail content filtering is disabled by default.

Configuring a filtering keyword for E-mail content filtering

E-mails can be filtered according to the filtering keyword items previously configured in an E-mail content filtering file. The administrator can manipulate such a file to add or delete E-mail content filtering keywords in it, or even clear all the E-mail content filtering keywords.

Table 140 Configure a filtering keyword for E-mail subject filtering

Operation Command

Add an E-mail subject filtering keyword firewall smtp-filter subject add mail-subject

Delete an E-mail subject filtering keyword firewall smtp-filter subject delete mail-subject

Clear all E-mail subject filtering keywords firewall smtp-filter subject clear

Table 141 Save/Load an E-mail subject filtering file

Operation Command

Save/Load an E-mail subject filtering file firewall smtp-filter subject { save-file | load-file } file-name

Unload the current E-mail subject filtering file undo firewall smtp-filter subject load-file

Table 142 Enable E-mail content filtering

Operation Command

Enable E-mail content filtering firewall smtp-filter content enable

Disable E-mail content filtering undo firewall smtp-filter content enable


Perform the following configuration in system view.

Saving/Loading an E-mail content filtering file

After configuring the E-mail content filtering keywords, you can save them to an E-mail content filtering file for later use. You must load an E-mail content filtering file first to configure or modify items in it.

Perform the following configuration in system view.

You must load the E-mail content filtering file for items in it to take effect, that is, for E-mails that match these items to be filtered.

Configuring E-mail Attachment Filtering

You can also filter outgoing E-mails by their attachments.

Enabling/Disabling E-mail attachment filtering

Before configuring E-mail attachment filtering for a firewall, you must enable this function first for related configurations to take effect.

Perform the following configuration in system view.

CAUTION: You must configure ASPF policies and execute the detect smtp and detect tcp commands first to enable E-mail attachment filtering. Refer to section “Configuring ASPF” for information about ASPF.

E-mail attachment filtering is disabled by default.

Configuring an attachment name for E-mail attachment filtering

E-mails can be filtered according to the attachment name items previously configured in an E-mail attachment filtering file. The administrator can manipulate such a file to add or delete E-mail attachment names in it, or even clear all the E-mail attachment names.

Table 143 Configure a filtering keyword for E-mail content filtering

Operation Command

Add an E-mail content filtering keyword firewall smtp-filter content add content-keywords

Delete an E-mail content filtering keyword firewall smtp-filter content delete content-keywords

Clear all E-mail content filtering keywords firewall smtp-filter content clear

Table 144 Save/Load an E-mail content filtering file

Operation Command

Save/Load an E-mail content filtering file firewall smtp-filter content { save-file | load-file } file-name

Unload the current E-mail content filtering file undo firewall smtp-filter content load-file

Table 145 Enable E-mail attachment filtering

Operation Command

Enable E-mail attachment filtering firewall smtp-filter attach enable

Disable E-mail attachment filtering undo firewall smtp-filter attach enable

Perform the following configuration in system view.

Saving/Loading an E-mail attachment filtering file

After configuring the E-mail attachment names, you can save them to an E-mail attachment filtering file for later use. You must load an E-mail attachment filtering file first to configure or modify items in it.

Perform the following configuration in system view.

You must load the E-mail attachment filtering file for items in it to take effect, that is, for E-mails that match these items to be filtered.

Displaying and Debugging E-mail Filtering

Use the commands listed in Table 148 to display information about E-mail filtering and to enable or disable debugging of E-mail filtering.

Execute the display command in any view, and execute the debugging and reset commands in user view.

Table 146 Configure an attachment name for E-mail attachment filtering

Operation Command

Add an E-mail attachment name firewall smtp-filter attach add filename

Delete an E-mail attachment name firewall smtp-filter attach delete filename

Clear all E-mail attachment names firewall smtp-filter attach clear

Table 147 Save/Load an E-mail attachment filtering file

Operation Command

Save/Load an E-mail attachment filtering file firewall smtp-filter attach { save-file | load-file } file-name

Unload the current E-mail attachment filtering file undo firewall smtp-filter attach load-file

Table 148 Display and Debug E-mail filtering

Operation Command

Display information about E-mail filtering display firewall smtp-filter { all | { rcptto | subject | content | attach } item { string | all } }

Enable debugging E-mail filtering debugging firewall smtp-filter

Disable debugging E-mail filtering undo debugging firewall smtp-filter

Clear statistics on E-mail filtering reset firewall smtp-filter counter [ rcptto | subject | content | attach ]
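The rcptto, subject, content and attachment filters described in the sections above share one evaluation model: a per-type enable switch, a list of items, a default action for recipient addresses, and a filtering file that is saved and loaded as a unit. The following Python model is an added example and is not 3Com code; it assumes (the manual does not say) that rcptto items match an address exactly and case-insensitively, that subject, content and attachment items match as case-insensitive substrings, and it invents a one-item-per-line text format for the filtering file.

```python
"""Model of the firewall smtp-filter rule sets: rcptto permit/deny items with a
default action, subject/content keywords, attachment names, save/load file.
Added example, not 3Com code; matching rules and file format are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TYPES = ("rcptto", "subject", "content", "attach")


def _check_action(action: str) -> str:
    if action not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    return action


@dataclass
class SmtpFilter:
    rcptto: Dict[str, str] = field(default_factory=dict)   # address -> permit|deny
    rcptto_default: str = "permit"                          # smtp-filter rcptto default
    items: Dict[str, List[str]] = field(default_factory=lambda: {
        "subject": [], "content": [], "attach": []})
    # 'firewall smtp-filter <type> enable'; every filter is disabled by default
    enabled: Dict[str, bool] = field(default_factory=lambda: {t: False for t in TYPES})

    def enable(self, kind: str, on: bool = True) -> None:
        self.enabled[kind] = on

    def add_rcptto(self, action: str, address: str) -> None:
        self.rcptto[address.lower()] = _check_action(action)

    def add_item(self, kind: str, value: str) -> None:
        self.items[kind].append(value)

    def check(self, rcpt: List[str], subject: str, body: str,
              attachments: List[str]) -> Optional[str]:
        """Return why an outgoing message is filtered, or None if it may pass."""
        if self.enabled["rcptto"]:
            for addr in rcpt:
                # an unlisted address falls back to the configured default action
                if self.rcptto.get(addr.lower(), self.rcptto_default) == "deny":
                    return f"rcptto {addr} denied"
        for kind, haystacks in (("subject", [subject]), ("content", [body]),
                                ("attach", attachments)):
            if not self.enabled[kind]:
                continue
            for kw in self.items[kind]:
                if any(kw.lower() in h.lower() for h in haystacks):
                    return f"{kind} item {kw!r} matched"
        return None

    # ---- filtering file (save-file / load-file); format is an assumption ----
    def to_text(self) -> str:
        lines = [f"rcptto default {self.rcptto_default}"]
        lines += [f"rcptto {a} {addr}" for addr, a in sorted(self.rcptto.items())]
        for kind in ("subject", "content", "attach"):
            lines += [f"{kind} {v}" for v in self.items[kind]]
        return "\n".join(lines) + "\n"

    @classmethod
    def from_text(cls, text: str) -> "SmtpFilter":
        f = cls()
        for raw in text.splitlines():
            parts = raw.split(maxsplit=2)
            if not parts:
                continue
            if len(parts) == 3 and parts[0] == "rcptto" and parts[1] == "default":
                f.rcptto_default = _check_action(parts[2])
            elif len(parts) == 3 and parts[0] == "rcptto":
                f.add_rcptto(parts[1], parts[2])
            elif len(parts) >= 2 and parts[0] in f.items:
                f.add_item(parts[0], raw.split(maxsplit=1)[1])
            else:
                raise ValueError(f"bad filtering file line: {raw!r}")
        return f

    def save_file(self, path: str) -> None:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(self.to_text())

    @classmethod
    def load_file(cls, path: str) -> "SmtpFilter":
        with open(path, encoding="utf-8") as fh:
            return cls.from_text(fh.read())


def demo() -> dict:
    """Constructed sample: one deny item, default permit, one subject keyword."""
    f = SmtpFilter()
    f.enable("rcptto")
    f.enable("subject")
    f.add_rcptto("deny", "leak@external.example")
    f.add_item("subject", "confidential")
    return {
        "denied_rcpt": f.check(["leak@external.example"], "hi", "", []),
        "subject_hit": f.check(["ok@partner.example"], "Re: CONFIDENTIAL plan", "", []),
        "passes": f.check(["ok@partner.example"], "lunch", "", []),
        "roundtrip": SmtpFilter.from_text(f.to_text()).to_text() == f.to_text(),
    }
```

Note that `from_text` deliberately leaves every filter disabled, mirroring the manual's point that loading a filtering file does not by itself enable filtering; the enable commands are separate.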


10 ATTACK PREVENTION AND PACKET STATISTICS

Overview of Attack Prevention and Packet Statistics

Introduction to Attack Prevention

Generally, network attacks intrude into or destroy network servers (hosts) in order to steal the sensitive data on the servers or to interrupt the services they provide. There are also network attacks that directly destroy network devices, which can make network services abnormal or even unavailable. The attack prevention function of the firewall can detect various types of network attacks and take the corresponding measures to protect internal networks against malicious attacks, so as to assure the normal operation of internal networks and systems.

Classes of Network Attacks

Network attacks can be divided into three classes: denial of service attacks, scanning and snooping attacks, and defective packet attacks.

Denial of service attack

Denial of service (DoS) attack is to attack a system by sending a large number of data packets so that the system cannot receive requests from clients normally or the host is suspended and cannot work normally. The main DoS attacks include SYN Flood and Fraggle. Different from other types of attacks, the special feature of the DoS attack is that attackers prevent valid clients from accessing network resources instead of searching for ingresses of internal networks.

Scanning and snooping attack

A scanning and snooping attack identifies potential targets by finding the live systems in a network through ping scanning (ICMP and TCP). By scanning TCP and UDP ports, the attacker can detect the running operating system and the listening services, and so get a general idea of the service types and the potential security defects of the system, in preparation for further intrusion.

Defective packet attack

Defective packet attack is to send a defective IP packet to the destination system so that the system will crash when it processes the IP packet. The main defective packets include Ping of Death and Teardrop.

Typical Examples of Network Attacks

IP spoofing attack

To gain access authority, an intruder generates a packet carrying a bogus source address, which can let an unauthorized client access a system that applies IP-based authentication, even with root authority. In this way the system can be damaged even though the response packets never reach the intruder. This is the IP Spoofing attack.

Land attack

A Land attack sets both the source address and the destination address of a TCP SYN packet to the IP address of the attack target. The target therefore sends the SYN-ACK message to itself and then replies with the ACK message, creating a null connection. Each null connection is kept until it times out. Different attack targets respond differently to the Land attack: for instance, many UNIX hosts will crash and Windows NT hosts will slow down.

Smurf attack

The simple Smurf attack is to attack a network by sending an ICMP request to the broadcast address of the target network. All the hosts in the network will respond to the request. Network congestion thus occurs.

The advanced Smurf attack is mainly used to attack a target host: the source address of the ICMP packet is set to the address of the target host, so that the replies from all responding hosts are directed at the target until it finally crashes. Carrying out the attack requires a certain traffic volume and duration. Theoretically, the larger the number of responding hosts, the more obvious the effect. Another new form of the Smurf attack is the Fraggle attack.

WinNuke attack

A WinNuke attack causes a NetBIOS fragment overlap by sending Out-Of-Band (OOB) data packets to the NetBIOS port (139) of a specified target running the Windows system, so as to make the target host crash. A related form uses IGMP fragment packets; because IGMP packets normally cannot be fragmented, few systems handle attacks based on IGMP fragment packets thoroughly.

SYN flood attack

Because of their limited resources, TCP/IP stacks only permit a restricted number of TCP connections. Exploiting this defect, the SYN Flood attack forges a SYN packet whose source address is a bogus or non-existent address and initiates a connection to the server. The server consequently never receives the ACK packet for its SYN-ACK packet, which leaves a semi-connection (half-open connection). A large number of semi-connections exhausts the network resources, so that normal clients cannot access the network until the semi-connections time out. The SYN Flood attack also affects applications whose connection number is not limited, by consuming system resources such as memory.

ICMP and UDP flood attack

An ICMP or UDP Flood attack sends a large number of ICMP messages (such as ping) or UDP packets to a specific target in a short time, so that the target system can no longer process valid packets normally.

Address/port scanning attack

An address/port scanning attack probes target addresses and ports with scanning tools; from the responses it receives, the attacker determines which systems connected to the target network are active and through which ports each host provides services.


Ping of death attack

The ping of death attack attacks a system with extra large ICMP packets. Because the length field of an IP packet is 16 bits, the maximum length of an IP packet is 65535 bytes. Therefore, if the data length of an ICMP request packet is larger than 65507 bytes, the total length of the ICMP packet (ICMP data + 20-byte IP header + 8-byte ICMP header) exceeds 65535, which may make some routers or systems crash, hang or reboot. This is the Ping of Death attack.
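The Land, WinNuke, Smurf and Ping of Death descriptions above each reduce to a check on a few header fields, which is what a firewall's defend function tests per packet. The following Python classifier is an added example, not 3Com code: it applies those four checks to constructed packet records (dictionaries, not live traffic) using the 20-byte IP header, 8-byte ICMP header and 65535-byte limit from the text; the 192.0.2.0/24 and 198.51.100.0/24 addresses are documentation ranges chosen here.

```python
"""Per-packet checks for the Land, WinNuke, Smurf and Ping of Death signatures
described in this section. Added example, not 3Com code; packets are
constructed dicts and the local network is a parameter."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

IP_HEADER = 20       # bytes, as in the Ping of Death arithmetic in the text
ICMP_HEADER = 8
MAX_IP_LEN = 65535   # largest value of the 16-bit IP total-length field
ICMP_ECHO_REQUEST = 8
NETBIOS_SESSION_PORT = 139


def classify(pkt: Dict, local_net: str) -> Optional[str]:
    """Return the attack name the packet matches, or None if it looks normal."""
    proto, src, dst = pkt["proto"], pkt["src"], pkt["dst"]
    if proto == "tcp":
        flags = set(pkt.get("flags", ()))
        # Land: a SYN whose source and destination address are the target itself
        if "SYN" in flags and src == dst:
            return "land"
        # WinNuke: out-of-band (URG) data aimed at the NetBIOS session port
        if "URG" in flags and pkt.get("dport") == NETBIOS_SESSION_PORT:
            return "winnuke"
    elif proto == "icmp" and pkt.get("icmp_type") == ICMP_ECHO_REQUEST:
        net = ip_network(local_net, strict=False)
        # Smurf: echo request sent to the directed broadcast address of a local network
        if ip_address(dst) == net.broadcast_address:
            return "smurf"
        # Ping of Death: reassembled data + IP header + ICMP header exceeds 65535
        if pkt.get("data_len", 0) + IP_HEADER + ICMP_HEADER > MAX_IP_LEN:
            return "ping-of-death"
    return None


def sample_packets() -> List[Dict]:
    """Constructed records for illustration (documentation address ranges)."""
    return [
        {"proto": "tcp", "src": "192.0.2.10", "dst": "192.0.2.10",
         "flags": ["SYN"], "sport": 80, "dport": 80},
        {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10",
         "flags": ["ACK", "URG"], "dport": 139},
        {"proto": "icmp", "src": "192.0.2.10", "dst": "192.0.2.255",
         "icmp_type": 8, "data_len": 56},
        {"proto": "icmp", "src": "198.51.100.7", "dst": "192.0.2.10",
         "icmp_type": 8, "data_len": 65510},
        {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.10",
         "flags": ["SYN"], "dport": 443},
    ]


def classify_all(pkts: List[Dict], local_net: str = "192.0.2.0/24") -> List[Optional[str]]:
    return [classify(p, local_net) for p in pkts]


if __name__ == "__main__":
    for p, verdict in zip(sample_packets(), classify_all(sample_packets())):
        print(f"{verdict or 'ok':14} {p['src']} -> {p['dst']}")
```

The Ping of Death test is applied to the reassembled datagram length, which is the only place the oversize condition is visible; on a real device this is why the check belongs after fragment reassembly rather than on individual fragments.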

Introduction to Statistics Analysis

A firewall needs to perform a large amount of statistics calculation and analysis to monitor data traffic as well as to detect connections between intranet and extranet. On one hand, the firewall can perform after-the-fact analysis on the log information with the specific analysis software. On the other hand, the firewall can implement some analysis functions in real-time. For example, the firewall can determine whether to limit the new connections from external networks or the new connections to some internal IP address by analyzing whether the total number of TCP/UDP connections is greater than the configured value. For another example, if the firewall finds that the number of connections in the system exceeds the threshold, it speeds up the connection aging so that DoS will not occur and new connections can be set up.

The following figure shows a typical application of the firewall. If the IP-based statistics analysis function from the external network to the DMZ is enabled, the firewall will limit the new connections from the external network when the number of the TCP connections to the Web server at 129.9.0.1 is greater than the configured value until the number drops to the normal range.

Figure 30 Firewall denies the redundant external connections for the server

[Figure 30 labels: TCP connection; Enable statistics function (Switch 8800); Internet; Server; PC; Internal network; DMZ; Ethernet]

Configuring Attack Prevention

The attack prevention configuration includes:

■ Enabling ARP Flood attack prevention function

■ Enabling attack prevention for reverse ARP lookup

■ Enabling ARP spoofing attack prevention function

■ Enabling the IP Spoofing attack prevention function

■ Enabling the Land attack prevention function

■ Enabling the Smurf attack prevention function

■ Enabling the Fraggle attack prevention function

■ Enabling Frag Flood attack prevention function

■ Enabling the WinNuke attack prevention function

■ Enabling the SYN Flood attack prevention function

■ Enabling the ICMP Flood attack prevention function

■ Enabling the UDP Flood attack prevention function

■ Enabling the ICMP redirect packet control function

■ Enabling the ICMP unreachable packet attack prevention function

■ Enabling the IP Sweep attack prevention function

■ Enabling the port scan attack prevention function

■ Enabling the control on IP packets carrying the source routes

■ Enabling the attack prevention function for the IP packet carrying route record

■ Enabling the Tracert packet control function

■ Enabling the Ping of Death attack prevention function

■ Enabling the Teardrop attack prevention function

■ Enabling the TCP flag validity detection function

■ Enabling the IP fragment packet detection function

■ Enabling the large ICMP packet control function

Enabling/Disabling ARP Flood Attack Prevention

Perform the following configuration in system view.

By default, ARP Flood attack prevention is not enabled. The rate threshold for receiving ARP packets is in the range of 1 to 10000 (pps) and defaults to 100 pps.

Enabling/Disabling Attack Prevention for Reverse ARP Lookup

Perform the following configuration in system view.

By default, attack prevention for reverse ARP lookup is not enabled.

Enabling/Disabling ARP Spoofing Attack Prevention

Perform the following configuration in system view.

Table 149 Enable/disable ARP Flood attack prevention

Operation Command

Enable ARP Flood attack prevention firewall defend arp-flood [ max-rate rate-number ]

Disable ARP Flood attack prevention undo firewall defend arp-flood

Table 150 Enable/disable attack prevention for reverse ARP lookup

Operation Command

Enable attack prevention for reverse ARP lookup firewall defend arp-reverse-query

Disable attack prevention for reverse ARP lookup undo firewall defend arp-reverse-query


Table 151 Enable/disable ARP spoofing attack prevention

Operation Command

Enable ARP spoofing attack prevention firewall defend arp-spoofing

Disable ARP spoofing attack prevention undo firewall defend arp-spoofing

By default, ARP spoofing attack prevention is not enabled.

Enabling/Disabling the IP Spoofing Attack Prevention Function

Perform the following configuration in system view.

By default, the IP Spoofing attack prevention function is disabled.

NOTE: The IP Spoofing attack prevention function cannot be used in transparent mode.

Enabling/Disabling the Land Attack Prevention Function

Perform the following configuration in system view.

By default, the Land attack prevention function is disabled.

Enabling/Disabling the Smurf Attack Prevention Function

Perform the following configuration in system view.

By default, the Smurf attack prevention function is disabled.

Enabling/Disabling the WinNuke Attack Prevention Function

Perform the following configuration in system view.

Table 152 Enable/disable the IP Spoofing attack prevention function

Operation Command

Enable the IP Spoofing attack prevention function firewall defend ip-spoofing

Disable the IP Spoofing attack prevention function undo firewall defend ip-spoofing

Table 153 Enable/disable the Land attack prevention function

Operation Command

Enable the Land attack prevention function firewall defend land

Disable the Land attack prevention function undo firewall defend land

Table 154 Enable/disable the Smurf attack prevention function

Operation Command

Enable the Smurf attack prevention function firewall defend smurf

Disable the Smurf attack prevention function undo firewall defend smurf

Table 155 Enable/disable the WinNuke attack prevention function

Operation Command

Enable the WinNuke attack prevention function firewall defend winnuke

Disable the WinNuke attack prevention function undo firewall defend winnuke


By default, the WinNuke attack prevention function is disabled.

Enabling/Disabling the Fraggle Attack Prevention Function

Perform the following configuration in system view.

By default, the Fraggle attack prevention function is disabled.

Enabling/Disabling Frag Flood Attack Prevention

Perform the following configuration in system view.

By default, Frag Flood attack prevention is not enabled.

NOTE: If a fragment packet attack is targeted at the firewall itself, the firewall gives an alarm but discards no packet; otherwise, the firewall gives an alarm and discards the packets.

Enabling/Disabling the SYN Flood Attack Prevention Function

The SYN Flood attack prevention function can be configured for a specific security zone or a specific IP address. It takes effect only when the SYN Flood attack prevention function is enabled and the inbound IP statistics function is enabled for the protected zone (or the zone to which the protected IP address belongs).

Enabling/disabling the SYN flood attack prevention function

Perform the following configuration in system view.

By default, the SYN Flood attack prevention function is disabled.

Configuring the specified SYN Flood attack prevention function

Perform the following configuration in system view.

Table 156 Enable/disable the Fraggle attack prevention function

Operation Command

Enable the Fraggle attack prevention function firewall defend fraggle

Disable the Fraggle attack prevention function undo firewall defend fraggle

Table 157 Enable/disable Frag flood attack prevention

Operation Command

Enable Frag Flood attack prevention firewall defend frag-flood [ max-identical-rate max-identical-rate ] [ max-total-rate max-total-rate ]

Disable Frag Flood attack prevention undo firewall defend frag-flood

Table 158 Enable/disable the SYN Flood attack prevention function

Operation Command

Enable the SYN Flood attack prevention function firewall defend syn-flood enable

Disable the SYN Flood attack prevention function undo firewall defend syn-flood enable


By default, the SYN Flood attack prevention function is disabled. The max-rate keyword indicates the maximum connection rate of SYN packets, in the range of 1 to 1,000,000, and the default value is 1000. The TCP proxy can start automatically when the protected host is attacked by SYN Flood and close automatically when the host is safe.

NOTE:

■ When configuring SYN Flood attack prevention, the IP-based priority is higher than the zone-based priority. If the function of SYN Flood attack prevention is enabled both specific to a particular IP address and to all the IP addresses in the zone to which the IP address belongs, the IP-based detection parameters are preferred. If the IP-based configuration is disabled, the zone-based parameters will be applied.

■ The SYN Flood attack prevention function can protect up to 1,000 IP addresses at the same time.

■ To prevent SYN Flood attacks, TCP proxy must be enabled.

CAUTION: All three of the following steps are necessary to enable the SYN Flood attack prevention function.

■ Enable the inbound IP statistics function in the protected zone (or the zone where the protected IP address is located);

■ Enable the SYN Flood attack prevention function;

■ Configure the specific SYN Flood attack prevention function.

Enabling/disabling TCP proxy

TCP proxy is used to protect the target host or all hosts in the target security zone from SYN Flood attacks. Before establishing a TCP connection to the protected host, an outside host must first run the three-way handshake with the firewall. If the three-way handshake fails, then the outside host cannot establish the TCP connection. This can effectively block malicious attacks to the internal hosts.

Table 159 Configuring the SYN Flood attack prevention function

Operation Command

Enable the SYN Flood attack prevention function for IP addresses firewall defend syn-flood ip ip-address [ max-rate rate-number ] [ tcp-proxy ]

Enable the SYN Flood attack prevention function for all the IP addresses in a zone firewall defend syn-flood zone zone-name [ max-rate rate-number ] [ tcp-proxy ]

Disable the SYN Flood attack prevention function for some IP addresses undo firewall defend syn-flood ip ip-address [ max-rate ] [ tcp-proxy ]

Disable the SYN Flood attack prevention function for all IP addresses undo firewall defend syn-flood ip

Disable the SYN Flood attack prevention function for all the IP addresses in a zone undo firewall defend syn-flood zone zone-name [ max-rate ] [ tcp-proxy ]

Disable the SYN Flood attack prevention function for the IP addresses in all zones undo firewall defend syn-flood zone

Disable all the SYN Flood attack prevention functions undo firewall defend syn-flood


By default, TCP proxy is not enabled on any host or security zone.

NOTE: Although you can also enable TCP proxy when configuring SYN Flood attack prevention, the configuration made with this command takes precedence over that: TCP proxy is then enabled to protect the target host or security zone regardless of whether SYN Flood attacks occur.

Enabling/Disabling the ICMP Flood Attack Prevention Function

The ICMP Flood attack prevention function can be configured for a specific security zone or a specific IP address. It takes effect only when the ICMP Flood attack prevention function is enabled and the inbound IP statistics function is enabled for the protected zone (or the zone to which the protected IP address belongs).

Enabling/disabling ICMP flood attack prevention function

Perform the following configuration in system view.

By default, the ICMP Flood attack prevention function is disabled.

Configuring the specified ICMP flood attack prevention function

Perform the following configuration in system view.

Table 160 Enable/disable TCP proxy

Operation Command

Enable TCP proxy on a specified host or security zone firewall tcp-proxy { ip ip-address | zone zone-name }

Disable TCP proxy on a specified host or security zone undo firewall tcp-proxy { ip ip-address | zone zone-name }

Table 161 Enable/disable the ICMP Flood attack prevention function

Operation Command

Enable the ICMP Flood attack prevention function firewall defend icmp-flood enable

Disable the ICMP Flood attack prevention function undo firewall defend icmp-flood enable

Table 162 Configuring the ICMP Flood attack prevention function

Operation Command

Enable the ICMP Flood attack prevention function for IP addresses firewall defend icmp-flood ip ip-address [ max-rate rate-number ]

Enable the ICMP Flood attack prevention function for all the IP addresses in a zone firewall defend icmp-flood zone zone-name [ max-rate rate-number ]

Disable the ICMP Flood attack prevention function for some IP addresses undo firewall defend icmp-flood ip ip-address

Disable the ICMP Flood attack prevention function for all IP addresses undo firewall defend icmp-flood ip

Disable the ICMP Flood attack prevention function for all the IP addresses in a zone undo firewall defend icmp-flood zone zone-name

Disable the ICMP Flood attack prevention function for the IP addresses in all zones undo firewall defend icmp-flood zone

Disable all the ICMP Flood attack prevention functions undo firewall defend icmp-flood


By default, the ICMP Flood attack prevention function is disabled. The max-rate keyword indicates the maximum connection rate of ICMP packets, in the range of 1 to 1,000,000. The default value is 1,000.

NOTE: When configuring ICMP Flood attack prevention, the IP-based priority is higher than the zone-based priority. If the function of ICMP Flood attack prevention is enabled both specific to a particular IP address and to all the IP addresses in the zone to which the IP address belongs, the IP-based detection parameters are preferred. If the IP-based configuration is disabled, the zone-based parameters will be applied.

The ICMP Flood attack prevention function can protect up to 1000 IP addresses at the same time.

CAUTION: All three of the following steps are necessary to enable the ICMP Flood attack prevention function.

■ Enable the inbound IP statistics function in the protected zone (or the zone where the protected IP address is located);

■ Enable the ICMP Flood attack prevention function;

■ Configure the specific ICMP Flood attack prevention function.

Enabling/Disabling the UDP Flood Attack Prevention Function

The UDP Flood attack prevention function can be configured for a specific security zone or a specific IP address. It takes effect only when the UDP Flood attack prevention function is enabled and the inbound IP statistics function is enabled for the protected zone (or the zone to which the protected IP address belongs).

Enabling/disabling UDP Flood attack prevention function

Perform the following configuration in system view.

By default, the UDP Flood attack prevention function is disabled.

Configuring the specified UDP Flood attack prevention function

Perform the following configuration in system view.

Table 163 Enable/disable the UDP Flood attack prevention function

Operation Command

Enable the UDP Flood attack prevention function firewall defend udp-flood enable

Disable the UDP Flood attack prevention function undo firewall defend udp-flood enable

Table 164 Configuring the UDP Flood attack prevention function

Operation Command

Enable the UDP Flood attack prevention function for IP addresses firewall defend udp-flood ip ip-address [ max-rate rate-number ]

Enable the UDP Flood attack prevention function for all the IP addresses in a zone firewall defend udp-flood zone zone-name [ max-rate rate-number ]

Disable the UDP Flood attack prevention function for some IP addresses undo firewall defend udp-flood ip ip-address


By default, the UDP Flood attack prevention function is disabled. max-rate indicates the maximum connection rate of UDP packets, in the range of 1 to 1,000,000. The default value is 1,000.

NOTE: When configuring UDP Flood attack prevention, the IP-based priority is higher than the zone-based priority. If the function of UDP Flood attack prevention is enabled both specific to a particular IP address and to all the IP addresses in the zone to which the IP address belongs, the IP-based detection parameters are preferred. If the IP-based configuration is disabled, the zone-based parameters will be applied.

The UDP Flood attack prevention function can protect up to 1000 IP addresses at the same time.

c CAUTION: Following three points are necessary to enable the UDP Flood attack prevention function.

■ Enable the inbound IP statistics function in the protected zone (or the zone where the protected IP locates);

■ Enable the UDP Flood attack prevention function;

■ Configure the specific UDP Flood attack prevention function.
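As an added illustration (Python written for this guide, not 3Com code), the following model applies the rules above: no UDP Flood limit is in effect for an address unless the global switch and the protected zone's inbound IP statistics are both on, an IP-based entry wins over its zone's entry, and removing the IP-based entry falls back to the zone-based one. The zone names and addresses used are constructed.

```python
"""Model of the UDP Flood attack prevention precedence rules (added example,
not 3Com code). Zone names and addresses used below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional

DEFAULT_MAX_RATE = 1000          # default max-rate given in the guide
MAX_RATE_RANGE = (1, 1_000_000)  # permitted max-rate range
MAX_PROTECTED_IPS = 1000         # the function protects up to 1000 addresses


@dataclass
class UdpFloodConfig:
    # firewall defend udp-flood enable / undo firewall defend udp-flood enable
    enabled: bool = False
    # zones in which "statistics enable ip in" (inbound IP statistics) is on
    zone_inbound_ip_stats: Dict[str, bool] = field(default_factory=dict)
    # firewall defend udp-flood ip ip-address [ max-rate rate-number ]
    ip_entries: Dict[str, int] = field(default_factory=dict)
    # firewall defend udp-flood zone zone-name [ max-rate rate-number ]
    zone_entries: Dict[str, int] = field(default_factory=dict)

    @staticmethod
    def _check_rate(max_rate: int) -> None:
        lo, hi = MAX_RATE_RANGE
        if not lo <= max_rate <= hi:
            raise ValueError(f"max-rate must be in {lo}..{hi}")

    def add_ip(self, ip: str, max_rate: int = DEFAULT_MAX_RATE) -> None:
        self._check_rate(max_rate)
        if ip not in self.ip_entries and len(self.ip_entries) >= MAX_PROTECTED_IPS:
            raise ValueError("at most 1000 IP addresses can be protected")
        self.ip_entries[ip] = max_rate

    def remove_ip(self, ip: str) -> None:
        # undo firewall defend udp-flood ip ip-address
        self.ip_entries.pop(ip, None)

    def add_zone(self, zone: str, max_rate: int = DEFAULT_MAX_RATE) -> None:
        self._check_rate(max_rate)
        self.zone_entries[zone] = max_rate

    def remove_zone(self, zone: str) -> None:
        # undo firewall defend udp-flood zone zone-name
        self.zone_entries.pop(zone, None)


def effective_max_rate(cfg: UdpFloodConfig, ip: str, zone: str) -> Optional[int]:
    """Return the max-rate applied to UDP packets destined to `ip` in `zone`,
    or None when UDP Flood prevention is not in effect for that address."""
    if not cfg.enabled:                           # global switch is off
        return None
    if not cfg.zone_inbound_ip_stats.get(zone):   # no inbound IP statistics
        return None
    if ip in cfg.ip_entries:                      # IP-based entry has priority
        return cfg.ip_entries[ip]
    return cfg.zone_entries.get(zone)             # otherwise zone-based entry


def verdict(cfg: UdpFloodConfig, ip: str, zone: str, udp_rate: int) -> str:
    """Classify an observed UDP rate as 'unprotected', 'normal' or 'flood'."""
    limit = effective_max_rate(cfg, ip, zone)
    if limit is None:
        return "unprotected"
    return "flood" if udp_rate > limit else "normal"


if __name__ == "__main__":
    cfg = UdpFloodConfig()
    cfg.add_zone("trust", max_rate=2000)       # constructed zone and limits
    cfg.add_ip("10.0.0.254", max_rate=500)
    cfg.enabled = True
    cfg.zone_inbound_ip_stats["trust"] = True
    print(verdict(cfg, "10.0.0.254", "trust", 800))   # IP limit 500 -> flood
    print(verdict(cfg, "10.0.0.7", "trust", 800))     # zone limit 2000 -> normal
```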

Table 164 Configuring the UDP Flood attack prevention function (continued)

Operation | Command
Disable the UDP Flood attack prevention function for all IP addresses | undo firewall defend udp-flood ip
Disable the UDP Flood attack prevention function for all the IP addresses in a zone | undo firewall defend udp-flood zone zone-name
Disable the UDP Flood attack prevention function for the IP addresses in all zones | undo firewall defend udp-flood zone
Disable all the UDP Flood attack prevention functions | undo firewall defend udp-flood

Enabling/Disabling the ICMP Redirect Packet Control Function

Perform the following configuration in system view.

Table 165 Enable/disable the ICMP redirect packet control function

Operation | Command
Enable the ICMP redirect packet control function | firewall defend icmp-redirect
Disable the ICMP redirect packet control function | undo firewall defend icmp-redirect

By default, the ICMP redirect packet control function is disabled.

Enabling/Disabling the ICMP Unreachable Packet Control Function

Perform the following configuration in system view.

Table 166 Enable/disable the ICMP unreachable packet control function

Operation | Command
Enable the ICMP unreachable packet control function | firewall defend icmp-unreachable


By default, the ICMP unreachable packet control function is disabled.

Enabling/Disabling the IP Sweep Attack Prevention Function

Perform the following configuration in system view.

By default, the IP Sweep attack prevention function is disabled. The max-rate keyword indicates the maximum sweeping rate, in the range of 1 to 10,000. The default value is 4000. The blacklist-timeout keyword indicates how long the address stays in the blacklist, in minutes, in the range of 1 to 1,000. The default value is 0, which means the address is not added to the blacklist.

CAUTION:

■ To enable the IP Sweep attack prevention function, make sure you enable the outbound IP statistics function in the zone where the connection is initiated and configure the IP Sweep attack prevention function.

■ The time for which an address remains blacklisted must be greater than the firewall session aging time (configured with the firewall session aging-time command); otherwise, an attack may bypass the Firewall module.

■ The blacklist function configured with this command takes effect only after the blacklist function is enabled on the firewall.

Enabling/Disabling the Port Scan Attack Prevention Function

Perform the following configuration in system view.

By default, the port scan attack prevention function is disabled. The max-rate keyword indicates the maximum scanning rate, in the range of 1 to 10,000. The default value is 4000. The blacklist-timeout keyword indicates how long the address stays in the blacklist, in minutes, in the range of 1 to 1,000. The default value is 0, which means the address is not added to the blacklist.

CAUTION:

■ To enable the port scan attack prevention function, make sure you enable the outbound IP statistics function in the zone where the connection is initiated and configure the port scan attack prevention function.

■ The time for which an address remains blacklisted must be greater than the firewall session aging time (configured with the firewall session aging-time command); otherwise, an attack may bypass the Firewall module.

■ The blacklist function configured with this command takes effect only after the blacklist function is enabled on the firewall.

Table 166 Enable/disable the ICMP unreachable packet control function (continued)

Operation | Command
Disable the ICMP unreachable packet control function | undo firewall defend icmp-unreachable

Table 167 Enable/disable the IP Sweep attack prevention function

Operation | Command
Enable the IP Sweep attack prevention function | firewall defend ip-sweep [ max-rate rate-number ] [ blacklist-timeout minutes ]
Disable the IP Sweep attack prevention function | undo firewall defend ip-sweep

Table 168 Enable/disable the port scan attack prevention function

Operation | Command
Enable the port scan attack prevention function | firewall defend port-scan [ max-rate rate-number ] [ blacklist-timeout minutes ]
Disable the port scan attack prevention function | undo firewall defend port-scan

Enabling/Disabling the Attack Prevention Function of the IP Packet Carrying Source Route

Perform the following configuration in system view.

Table 169 Enable/disable the attack prevention function for the IP packet carrying source route

Operation | Command
Enable the attack prevention function for the IP packet carrying source route | firewall defend source-route
Disable the attack prevention function for the IP packet carrying source route | undo firewall defend source-route

By default, the attack prevention function for the IP packet carrying source route is disabled.

Enabling/Disabling Attack Prevention for Route Record Options

Perform the following configuration in system view.

Table 170 Enable/disable attack prevention for route record options

Operation | Command
Enable attack prevention for route record options | firewall defend route-record
Disable attack prevention for route record options | undo firewall defend route-record

By default, attack prevention for route record options is not enabled.

Enabling/Disabling the Tracert Packet Control Function

Perform the following configuration in system view.

Table 171 Enable/disable the Tracert packet control function

Operation | Command
Enable the Tracert packet control function | firewall defend tracert
Disable the Tracert packet control function | undo firewall defend tracert

By default, the Tracert packet control function is disabled.

Enabling/Disabling Ping of Death Prevention Function

Perform the following configuration in system view.

Table 172 Enable/disable the ping of death prevention function

Operation | Command
Enable the ping of death prevention function | firewall defend ping-of-death
Disable the ping of death prevention function | undo firewall defend ping-of-death


By default, the ping of death prevention function is disabled.

Enabling/Disabling the Teardrop Attack Prevention Function

Perform the following configuration in system view.

Table 173 Enable/disable the Teardrop attack prevention function

Operation | Command
Enable the Teardrop attack prevention function | firewall defend teardrop
Disable the Teardrop attack prevention function | undo firewall defend teardrop

By default, the Teardrop attack prevention function is disabled.

Enabling/Disabling the TCP Flag Validity Detection Function

Perform the following configuration in system view.

Table 174 Enable/disable the TCP flag validity detection function

Operation | Command
Enable the TCP flag validity detection function | firewall defend tcp-flag
Disable the TCP flag validity detection function | undo firewall defend tcp-flag

By default, the TCP flag validity detection function is disabled.

Enabling/Disabling the IP Fragment Packet Detection Function

Perform the following configuration in system view.

Table 175 Enable/disable the IP fragment packet detection function

Operation | Command
Enable the IP fragment packet detection function | firewall defend ip-fragment
Disable the IP fragment packet detection function | undo firewall defend ip-fragment

By default, the IP fragment packet detection function is disabled.

Setting the Warning Level in Monitoring the Number and Rate of Connections

The firewall can monitor the number and rate of connections by using its statistics function, and it issues a warning when the number or rate of connections exceeds the configured limit. There are two warning levels. At the warning level, only warning information is output when the number or rate of connections exceeds the upper threshold value. At the drop level, the warning information is output and the subsequent packets are dropped when the number or rate of connections exceeds the upper threshold value. When the number or rate of connections falls back to the lower threshold value, packets are no longer dropped.

Perform the following configuration in system view.

Table 176 Set the warning level in monitoring the number and rate of connections

Operation | Command
Set the warning level to warning and drop | firewall statistic warning-level drop

By default, only the warning information is output, that is, the warning level is warning by default.
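The upper/lower threshold behaviour described above is a hysteresis loop: the alarm is raised once when the upper threshold is exceeded and cleared only when the value falls back to the lower threshold, and packets are dropped in between only at the drop level. The following Python model (an added example, not 3Com code) replays constructed connection-count samples through that loop; the threshold values and samples are constructed.

```python
"""Hysteresis model of the firewall's two warning levels (added example, not
3Com code). Threshold values and sample counters below are constructed."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ThresholdMonitor:
    high: int                        # upper threshold ("high high-value")
    low: int                         # lower threshold ("low low-value")
    warning_level: str = "warning"   # "warning" (the default) or "drop"
    alarmed: bool = False            # True from alarm until the value clears

    def observe(self, value: int) -> Tuple[str, bool]:
        """Feed one sample of the connection count or connection rate.

        Returns (event, dropping): event is "alarm" when the upper threshold is
        first exceeded, "clear" when the value has fallen back to the lower
        threshold, otherwise "none"; dropping says whether subsequent packets
        are dropped after this sample, which happens only at the drop level."""
        if self.warning_level not in ("warning", "drop"):
            raise ValueError("warning level must be 'warning' or 'drop'")
        event = "none"
        if not self.alarmed and value > self.high:
            self.alarmed = True
            event = "alarm"
        elif self.alarmed and value <= self.low:   # "decreases to the lower threshold"
            self.alarmed = False
            event = "clear"
        dropping = self.alarmed and self.warning_level == "drop"
        return event, dropping


def replay(samples: List[int], high: int, low: int,
           level: str) -> List[Tuple[int, str, bool]]:
    """Run a sample sequence through one monitor; returns (value, event, dropping)."""
    mon = ThresholdMonitor(high=high, low=low, warning_level=level)
    return [(v,) + mon.observe(v) for v in samples]


if __name__ == "__main__":
    # Constructed samples: the count spikes above the upper threshold, lingers
    # between the two thresholds, recovers below the lower one, then spikes again.
    samples = [400, 600, 550, 300, 100, 700]
    for row in replay(samples, high=500, low=200, level="drop"):
        print(row)
```

Note that samples between the two thresholds (550 and 300 above) neither raise a new alarm nor clear the existing one, which is what keeps a counter oscillating around the limit from generating a warning per sample.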

Table 176 Set the warning level in monitoring the number and rate of connections (continued)

Operation | Command
Set the warning level to warning only | undo firewall statistic warning-level drop

Enabling/Disabling the Oversized ICMP Packet Control Function

Perform the following configuration in system view.

Table 177 Enable/disable the oversized ICMP packet control function

Operation | Command
Enable the oversized ICMP packet control function | firewall defend large-icmp [ length ]
Disable the oversized ICMP packet control function | undo firewall defend large-icmp

By default, the oversized ICMP packet control function is disabled. The length argument sets the maximum packet length, in the range of 28 to 65535 bytes. The default value is 8000.

Configuring System-Based Statistics

The system-based statistics function of the Firewall module restricts the number of connections. Before configuring the traffic restriction function, you must enable the corresponding statistics function. Once the statistics function is disabled, the associated restriction and alarm functions become invalid accordingly.

The system-based statistics function configuration includes:

■ Enabling the system-based statistics function

■ Enabling system-based connection count monitoring

■ Enabling alarm detection for abnormal system packet rate

Enabling/Disabling the System-Based Statistics Function

Enable the system-based statistics function to collect statistics on all the packets passing through the firewall.

Perform the following configuration in system view.

Table 178 Enable/disable the system-based statistics function

Operation | Command
Enable the system-based statistics function | firewall statistics system enable
Disable the system-based statistics function | undo firewall statistics system enable

By default, the system-based statistics function is enabled.

CAUTION: Use the undo firewall statistics system enable command with caution. If the system-based statistics function is disabled, the associated detection functions become invalid accordingly. Disabling the statistics function while there is traffic may also leave the statistics inaccurate, which affects the functions that rely on them.


Enabling/Disabling the System-Based Connection Count Monitoring

Using this command, you can configure the threshold values for the number of connections in the system. The firewall outputs an alarm log if the number of TCP/UDP connections is greater than the threshold value.

Perform the following configuration in system view.

By default, restriction on the number of system-based connections is enabled and the default values apply. The default upper threshold of TCP and UDP connections allowed in the system is 500000 and the default lower threshold is 1. When this function is disabled, the firewall restricts the system-based connection count by using the default values.

Enabling/Disabling Alarm Detection for Abnormal System Packet Rate

Using this command, you can configure the normal percentage for each type of packet and the permitted alteration percentage. At regular intervals the system measures the percentage of each type of packet and compares it with the configured values. If the percentage for one type of packet (TCP, UDP, ICMP or others) exceeds the configured upper threshold value (the percentage with the alteration added), the system outputs an alarm log; if the percentage for one type of packet falls below the lower threshold value (the percentage with the alteration applied), the system also outputs an alarm log.

Perform the following configuration in system view.

By default, the percentages for TCP, UDP, and ICMP packets are 75, 15, and 5; the alteration percentage is 25; the detection period is 60 minutes.

You must configure the percentages for the three types of packets (TCP, UDP, and ICMP) at the same time, and the sum of the three percentages cannot exceed 100; otherwise the command does not take effect. You do not need to configure a packet percentage for other packets.
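To make the flow-percent rules concrete, the following Python model (an added example, not 3Com code) validates a configuration the way the guide describes (three percentages given together, summing to at most 100) and then evaluates constructed per-period packet counts against the alarm bands. The upper band edge is the percentage plus the alteration, as the guide states; treating the lower edge as the percentage minus the alteration is this example's assumption.

```python
"""Validation and evaluation of a flow-percent configuration (added example,
not 3Com code). The per-period packet counts used below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

PROTOCOLS = ("tcp", "udp", "icmp")


@dataclass(frozen=True)
class FlowPercent:
    # Defaults from the guide: tcp 75, udp 15, icmp 5, alteration 25, time 60
    tcp: int = 75
    udp: int = 15
    icmp: int = 5
    alteration: int = 25
    time: int = 60   # detection period in minutes

    def is_valid(self) -> bool:
        """The three percentages are configured together and must sum to at
        most 100; otherwise the command does not take effect."""
        shares = (self.tcp, self.udp, self.icmp)
        if any(not 0 <= s <= 100 for s in shares):
            return False
        if not 0 <= self.alteration <= 100:
            return False
        return sum(shares) <= 100

    def band(self, proto: str) -> Tuple[int, int]:
        """Lower and upper alarm thresholds for `proto`. Upper edge is the
        percentage plus the alteration (as the guide states); the symmetric
        lower edge is this example's assumption."""
        p = getattr(self, proto)
        return max(0, p - self.alteration), min(100, p + self.alteration)


def check_period(cfg: FlowPercent, counts: Dict[str, int]) -> List[Tuple[str, str]]:
    """Compare one detection period's packet mix against the configured bands.

    `counts` maps "tcp", "udp", "icmp" and "other" to the packets seen in the
    period. Returns (protocol, "above"|"below") for every protocol whose share
    left its band, i.e. one entry per alarm log the firewall would output."""
    if not cfg.is_valid():
        raise ValueError("flow-percent configuration would not take effect")
    total = sum(counts.values())
    alarms: List[Tuple[str, str]] = []
    if total == 0:                       # nothing measured, nothing to alarm on
        return alarms
    for proto in PROTOCOLS:
        share = 100.0 * counts.get(proto, 0) / total
        lo, hi = cfg.band(proto)
        if share > hi:
            alarms.append((proto, "above"))
        elif share < lo:
            alarms.append((proto, "below"))
    return alarms


if __name__ == "__main__":
    cfg = FlowPercent()                                   # guide defaults
    normal = {"tcp": 750, "udp": 150, "icmp": 50, "other": 50}
    udp_heavy = {"tcp": 300, "udp": 600, "icmp": 50, "other": 50}
    print(check_period(cfg, normal))      # []
    print(check_period(cfg, udp_heavy))   # [('tcp', 'below'), ('udp', 'above')]
```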

Table 179 Enable/disable the system-based connection count monitoring function

Operation | Command
Enable the system-based connection count monitoring function | firewall statistics system connect-number { tcp | udp } { high high-value low low-value }
Disable the system-based connection count monitoring function | undo statistics system connect-number { tcp | udp }

Table 180 Enable/disable alarm detection for abnormal system packet rate

Operation | Command
Enable alarm detection for abnormal system packet rate | firewall statistics system flow-percent { tcp tcp-percent udp udp-percent icmp icmp-percent alteration alteration-percent [ time time-value ] }
Disable alarm detection for abnormal system packet rate | undo firewall statistics system flow-percent

Configuring Zone-Based Statistics

The zone-based statistics function configuration includes:

■ Enabling the zone-based statistics function

■ Enabling the zone-based connection count monitoring

■ Enabling the zone-based connection rate monitoring

Enabling/Disabling the Zone-Based Statistics Function

Perform the following configuration in zone view.

Table 181 Enable/disable the zone-based statistics function

Operation | Command
Enable the zone-based statistics function | statistics enable zone { inzone | outzone }
Disable the zone-based statistics function | undo statistics enable zone { inzone | outzone }

By default, the zone-based statistics function is disabled.

CAUTION: If the zone-based statistics function is disabled, the associated traffic monitoring function will be invalid accordingly.

Enabling/Disabling the Zone-Based Connection Count Monitoring

Using this command, you can configure the threshold value for the number of TCP/UDP connections in one direction of a security zone. With this configuration, you can restrict the number of connections to or from the current zone: the system denies subsequent connection requests without any alarm once the connection count exceeds the set threshold value. Once the zone-based statistics function is enabled, the default values of the connection count monitoring function take effect automatically.

Perform the following configuration in zone view.

Table 182 Enable/disable the zone-based connection count monitoring function

Operation | Command
Enable the zone-based connection count monitoring function | statistics connect-number { zone | ip } { inzone | outzone } { tcp | udp } { high high-limit low low-limit } [ acl acl-number ]
Disable the zone-based connection count monitoring function | undo statistics connect-number { zone | ip } { inzone | outzone } { tcp | udp } [ acl acl-number ]

By default, the zone-based connection count restriction function is disabled. The default upper threshold value of the zone-based TCP/UDP connections is 500,000, and the lower threshold value is 1.

CAUTION: The connection count restriction function of a zone will not take effect unless the corresponding statistics function is enabled.

Enabling/Disabling the Zone-Based Connection Rate Monitoring

Using this command, you can configure the threshold value for the rate (per second) of TCP/UDP connections in one direction of a zone. With this configuration, you can restrict the rate of connections to or from the current zone: the system outputs an alarm log and then denies subsequent connection requests without any further alarm once the connection rate exceeds the set threshold value. Once the zone-based statistics function is enabled, the default values of the connection rate monitoring function take effect automatically.

Perform the following configuration in zone view.


By default, the zone-based connection rate restriction function is disabled. The default upper threshold value of the zone-based TCP/UDP connections is 10,000, and the lower threshold value is 1.

CAUTION: The connection rate restriction function of a zone will not take effect unless the corresponding statistics function is enabled.

Table 183 Enable/disable the zone-based connection rate monitoring function

Operation | Command
Enable the zone-based connection rate monitoring function | statistics connect-speed { zone | ip } { inzone | outzone } { tcp | udp } { high high-limit low low-limit }
Disable the zone-based connection rate monitoring function | undo statistics connect-speed { zone | ip } { inzone | outzone } { tcp | udp }

Configuring IP-Based Statistics

The IP-based statistics function configuration includes:

■ Enabling the IP-based statistics function

■ Enabling the IP-based connection count monitoring

■ Enabling the IP-based connection rate monitoring

Enabling/Disabling the IP-Based Statistics Function

Once the IP-based statistics function is enabled, the firewall collects statistics on the outbound/inbound data packets in the current zone based on IP addresses (source addresses in the outbound direction and destination addresses in the inbound direction).

The inbound direction refers to packets whose destination address is in the local zone and whose source address is in another zone; the outbound direction is the reverse.

Perform the following configuration in security zone view.

Table 184 Enable/disable the IP-based statistics function

Operation | Command
Enable the IP-based statistics function | statistics enable ip { in | out }
Disable the IP-based statistics function | undo statistics enable ip { in | out }

By default, the IP-based statistics function is disabled.

CAUTION: Once the IP-based statistics function is disabled, the IP-based traffic monitoring function will be invalid accordingly.

Enabling/Disabling the IP-Based Connection Count Monitoring Function

Using this command, you can configure the maximum number of TCP and UDP connections in the outbound/inbound direction of a local IP address. With this configuration, you can restrict both the number of connections initiated from the current zone and the number of connections initiated from external networks to the current zone: the system denies subsequent connection requests without any alarm once the connection count exceeds the set threshold value.

Perform the following configuration in security zone view.


By default, the IP-based connection count monitoring function is disabled. The default upper threshold value of the IP-based TCP/UDP connections is 500,000, and the lower threshold value is 450,000.

CAUTION:

■ The IP-based connection count monitoring function will not take effect unless the corresponding IP-based statistics function is enabled.

■ An ACL rule can be used in only one direction when you want to count the IP-based connections that match the rule.

Table 185 Enable/disable the IP-based connection count monitoring function

Operation | Command
Enable the IP-based connection count monitoring function | statistics connect-number ip { inbound | outbound } { tcp | udp } { high high-limit low low-limit } [ acl acl-number ]
Disable the IP-based connection count monitoring function | undo statistics connect-number ip { inbound | outbound } { tcp | udp } [ acl acl-number ]

Enabling/Disabling the IP-Based Connection Rate Monitoring Function

Using this command, you can configure the maximum rate of TCP and UDP connections in the outbound/inbound direction of a local IP address. With this configuration, you can restrict both the rate of connections initiated from the current zone and the rate of connections initiated from external networks to the current zone: the system denies subsequent connection requests without any alarm once the connection rate exceeds the set threshold value.

Perform the following configuration in security zone view.

Table 186 Enable/disable monitoring of the IP-based connection rate

Operation | Command
Enable monitoring of the IP-based connection rate | statistics connect-speed ip { inzone | outzone } { tcp | udp } { high high-limit low low-limit } [ acl acl-number ]
Disable monitoring of the IP-based connection rate | undo statistics connect-speed ip { inzone | outzone } { tcp | udp } [ acl acl-number ]

By default, the IP-based connection rate restriction function is disabled. The default upper threshold value of the IP-based TCP/UDP connections is 10,000, and the lower threshold value is 1.

CAUTION: An ACL rule can be used in only one direction when you want to count the IP-based connections that match the rule.


Displaying and Debugging Attack Prevention and Packet Statistics

Displaying and Debugging Attack Prevention

After the above configuration, execute the display command in any view to display the running state of attack prevention and verify the effect of the configuration. Execute the debugging command to debug attack prevention.

Table 187 Display and debug attack prevention

Operation | Command
Display the currently enabled attack prevention type | display firewall defend flag
Enable all attack prevention debugging | debugging firewall defend all
Enable debugging for ARP Flood attack prevention | debugging firewall defend arp-flood
Enable debugging for attack prevention for reverse ARP lookup | debugging firewall defend arp-reverse-query
Enable debugging for ARP spoofing attack prevention | debugging firewall defend arp-spoofing
Enable the debugging of IP spoofing attack prevention | debugging firewall defend ip-spoofing
Enable the Land attack prevention debugging | debugging firewall defend land
Enable the debugging of Smurf attack prevention | debugging firewall defend smurf
Enable the debugging of Fraggle attack prevention | debugging firewall defend fraggle
Enable debugging for Frag Flood attack prevention | debugging firewall defend frag-flood
Enable the WinNuke attack prevention debugging | debugging firewall defend winnuke
Enable the debugging of SYN Flood attack prevention | debugging firewall defend syn-flood
Enable the debugging of ICMP Flood attack prevention | debugging firewall defend icmp-flood
Enable the debugging of UDP Flood attack prevention | debugging firewall defend udp-flood
Enable the debugging of ICMP redirection packet attack prevention | debugging firewall defend icmp-redirect
Enable the debugging of ICMP unreachable packet attack prevention | debugging firewall defend icmp-unreachable
Enable the debugging of address sweep attack prevention | debugging firewall defend ip-sweep
Enable the debugging of port sweep attack prevention | debugging firewall defend port-scan
Enable debugging for attack prevention for route record options | debugging firewall defend route-record
Enable the debugging of source route option packet attack prevention | debugging firewall defend source-route
Enable the debugging of Tracert attack prevention | debugging firewall defend tracert


Table 187 Display and debug attack prevention (continued)

Operation | Command
Enable the debugging of Ping of Death attack prevention | debugging firewall defend ping-of-death
Enable the debugging of TearDrop attack prevention | debugging firewall defend teardrop
Enable the debugging of TCP flag validity detection attack prevention | debugging firewall defend tcp-flag
Enable the debugging of IP fragmentation packet detection attack prevention | debugging firewall defend ip-fragment
Enable the debugging of large ICMP packet attack prevention | debugging firewall defend large-icmp

Displaying and Debugging Packet Statistics

You can execute the display command in any view and the reset command in user view.

Table 188 Displaying packet statistics

Operation | Command
Display statistics of the firewall | display firewall statistic { system | zone zone-name { inzone | outzone } | ip ip-address { source-ip | destination-ip | both } }
Display the system statistics of the firewall | display firewall statistic system [ defend | flow-percent ]
Clear the system statistics of the firewall | reset firewall statistic system [ defend | current ]
Clear the zone statistics of the firewall | reset firewall statistic zone zone-name { inzone | outzone }
Clear the IP statistics of the firewall | reset firewall statistic ip ip-address { source-ip | destination-ip | both }

Configuring an SMTP Client

The Firewall module supports SMTP client functions, which can create and send mails to the specified address at a predefined time. Timed mails can provide the administrator with firewall information on attacks and defenses, traffic alarms, web page filtering and mail filtering. This keeps the administrator informed of firewall statistics and significantly improves firewall flexibility and maintainability.

Note: Normal SMTP client operation relies on name resolution by the DNS client (DNSC). For DNSC configuration, see section “Configuring DNS Client”.

Configuring Mail Triggering Time

This specifies the time at which the firewall triggers mails.

Perform the following configurations in system view.

Table 189 Configure mail triggering time

Operation | Command
Configure mail triggering time | smtpc trigger time hh:mm
Cancel the configured mail triggering time | undo smtpc trigger { all | time hh:mm }

By default, no mail triggering time is configured.


The value for hh:mm falls between 00:00 and 23:59. You can execute this command several times to add up to five triggering time points.

Configuring Timed Mail Check Interval

This specifies the interval at which the firewall checks whether the triggering time for timed mails has arrived. If it has, the firewall sends the mail; if not, no operation is performed.

Perform the following configurations in system view.

Table 190 Configure timed mail check interval

Operation | Command
Configure timed mail check interval | smtpc timer interval minutes
Restore the default check interval for timed mails | undo smtpc timer interval

By default, the time interval for timed mail check is 1 minute.

A shorter interval delivers information more promptly, but it also occupies more system resources.

Configuring Mail Addresses

This configures the receiver’s address for timed mails.

Perform the following configurations in system view.

Table 191 Configure a timed mail address

Operation | Command
Configure a receiver’s address of timed mail | smtpc administrator mail mail-address
Cancel the configured timed mail addresses | undo smtpc administrator { all | mail mail-address }

By default, no receiver’s address is configured for timed mails.

The specified address must be a standard SMTP mail address. You can execute this command several times to add up to five addresses.

Displaying and Debugging SMTP Client

After the above configurations, you can execute the display command to display configuration statistics of the SMTP client, so as to validate your configurations. You can also run the debugging command to debug the SMTP client.

Table 192 Display and debug SMTP client

Operation | Command
Display SMTP client configuration information | display smtpc [ administrator | timer | trigger ]
Enable SMTP client debugging | debugging smtpc
Disable SMTP client debugging | undo debugging smtpc

Configuring DNS Client

A DNS client (DNSC) is a component that is important for normal SMTP client operation. A DNSC resolves a domain name into an IP address so that the SMTP client can send the mail to the right destination address.


Configuring a DNS Server

For DNS domain name resolution, a domain name server address is required so that the query request message can be sent to the correct server for resolution. You can use the following commands to configure or remove the IP address of a DNS server.

Perform the following configuration in system view.

By default, no DNS server is configured.

Configuring DNS Cache When resolving a name, a DNSC caches the result returned by the name server. In this way, upon receiving a request for resolving the same name, the DNSC can directly search for the name in the DNS cache, instead of sending a query request to the name server again. This reduces network traffic.

Perform the following configuration in system view.

By default, no DNS cache entry is configured.

Displaying and Debugging DNS Client

Configuration

After the above-mentioned configuration, you can display the DNS client configuration by using the display command in any view, so as to verify the configuration. You can debug DNS client configuration by using the debugging command in user view.

Table 193 Configure a DNS server

Operation: Configure a DNS server IP address
Command: dnsc server ip ip-address

Operation: Remove the configured DNS server IP address
Command: undo dnsc server { all | ip ip-address }

Table 194 Configure the DNS cache

Operation: Add a DNS cache entry
Command: dnsc cache add domain domain-name type { a | mx } ip ip-address ttl ttl

Operation: Remove a DNS cache entry
Command: dnsc cache delete domain domain-name type { a | mx }
Command: undo dnsc cache { all | domain domain-name type { a | mx } }

Table 195 Display and debug DNS client configuration

Operation: Display DNS client configuration
Command: display dnsc { server | cache }

Operation: Enable DNS client debugging
Command: debugging dnsc

Operation: Disable DNS client debugging
Command: undo debugging dnsc


Attack Prevention and Packet Statistics Configuration Example

Enabling the Land Attack Prevention Function

Network requirements

On the Firewall module, add the GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, the untrust zone and the DMZ respectively.

Network diagram

Figure 31 Network diagram for firewall attack prevention configuration

(The diagram itself is not reproduced. Labels recovered from the figure: Switch 8807 with the SecBlade Firewall module; VLAN 10, Trust Zone, host 10.0.0.1/24 and VLAN-interface 10.0.0.254/24; VLAN 30, switch side 30.0.0.1/24 and module side 30.0.0.254/24; VLAN 50, Untrust Zone, PC_B 50.0.0.1/24 and module sub-interface 50.0.0.254/24; VLAN 60, DMZ Zone, Server 60.0.0.1/24 and module sub-interface 60.0.0.254/24.)

Configuration procedure

Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit


# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure the aggregation of the Firewall module interfaces (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create a SecBlade test.

[SW8800] secblade test

# Specify the Firewall module interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50 60

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module on the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit


# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Add sub-interface GigabitEthernet0/0.3 to the DMZ.

[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit

# Configure the static route.

[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Enable the Land attack prevention function.

[secblade] firewall defend land

Enabling the SYN Flood Attack Prevention Function

Network requirements

On the Firewall module, add GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ zone respectively. You are required to enable the SYN Flood attack prevention function on the server in the DMZ zone.

Network diagram

Refer to Figure 31.

Configuration procedure

Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit


[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure the aggregation of the Firewall module interface (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create a SecBlade test.

[SW8800] secblade test

# Specify the Firewall module interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50 60

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module on the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit

# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit


# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Add GigabitEthernet0/0.3 sub-interface to the DMZ.

[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit

# Configure the static route.

[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Enable the inbound IP statistics function in the DMZ zone.

[secblade] firewall zone DMZ
[secblade-zone-DMZ] statistics enable ip inzone
[secblade-zone-DMZ] quit

# Enable the SYN Flood attack prevention function in the global scope.

[secblade] firewall defend syn-flood enable

# Enable the SYN Flood attack prevention function on the server at 60.0.0.1, set the maximum connection rate of SYN packets to 500 packets per second, the maximum number of semi-connections to 2,000 and enable the TCP proxy manually.

[secblade] firewall defend syn-flood ip 60.0.0.1 max-rate 500 max-number 2000 tcp-proxy on
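The two numbers in the command above, max-rate (SYN packets per second towards the protected address) and max-number (half-open connections), are independent thresholds, and it helps to see which one trips first for a given traffic pattern. The following Python model is an added example, not part of the 3Com manual and not the module's own code: the SynFloodGuard class, the packet fields and both traces are constructed for illustration, and unlike the manual's example (where the TCP proxy is switched on manually) the model flags the proxy as soon as either threshold is exceeded.

```python
"""Added example (not from the 3Com manual): per-destination model of the two
SYN Flood thresholds behind
`firewall defend syn-flood ip 60.0.0.1 max-rate 500 max-number 2000`.
SynFloodGuard, the packet fields and the traces are constructed for illustration."""
from collections import defaultdict, deque


class SynFloodGuard:
    """Tracks the SYN rate and half-open backlog towards protected IPs."""

    def __init__(self, max_rate, max_number, window=1.0):
        self.max_rate = max_rate        # SYN packets per second to one protected IP
        self.max_number = max_number    # half-open connections allowed per protected IP
        self.window = window            # sliding window length in seconds
        self.syn_times = defaultdict(deque)   # dst -> timestamps of recent SYNs
        self.half_open = defaultdict(set)     # dst -> {(client_ip, client_port), ...}
        self.tcp_proxy = defaultdict(bool)    # dst -> True once a threshold is crossed

    def observe(self, ts, client, dst, flags):
        """Feed one TCP packet (client is an (ip, port) tuple); return dst's state."""
        if flags == "S":                                  # new handshake attempt
            q = self.syn_times[dst]
            q.append(ts)
            while q and ts - q[0] >= self.window:         # keep only the last window
                q.popleft()
            self.half_open[dst].add(client)
        elif flags == "A" and client in self.half_open[dst]:
            self.half_open[dst].discard(client)           # third packet of the handshake
        rate = len(self.syn_times[dst])
        backlog = len(self.half_open[dst])
        if rate > self.max_rate or backlog > self.max_number:
            self.tcp_proxy[dst] = True                    # model: proxy on at first breach
        return {"rate": rate, "half_open": backlog, "tcp_proxy": self.tcp_proxy[dst]}


def simulate_flood(guard, dst="60.0.0.1", n=600):
    """Constructed trace: n SYNs from distinct (ip, port) pairs within half a second
    and no completing ACKs, the pattern the max-rate threshold targets."""
    state = None
    for i in range(n):
        client = ("203.0.113.%d" % (i % 250), 1024 + i)
        state = guard.observe(ts=i * 0.5 / n, client=client, dst=dst, flags="S")
    return state


def simulate_handshakes(guard, dst="60.0.0.1", n=10):
    """Constructed trace: n ordinary handshakes, one per second, each completed."""
    state = None
    for i in range(n):
        client = ("10.0.0.1", 40000 + i)
        guard.observe(ts=float(i), client=client, dst=dst, flags="S")
        state = guard.observe(ts=i + 0.1, client=client, dst=dst, flags="A")
    return state


if __name__ == "__main__":
    print(simulate_flood(SynFloodGuard(max_rate=500, max_number=2000)))
    print(simulate_handshakes(SynFloodGuard(max_rate=500, max_number=2000)))
```

With the manual's values (500 and 2,000), the 600-SYN burst exceeds max-rate long before the half-open backlog reaches max-number, which is why the inbound IP statistics function must be enabled in the destination zone: without per-destination counters neither threshold can be evaluated.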

Enabling the Address Scanning Attack Prevention Function

Network requirements

On the Firewall module, add GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ respectively. You are required to enable the address scanning attack prevention function on the server in the untrust zone.

Network diagram

Refer to Figure 31.

Configuration procedure

Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit


[SW8800] vlan 60
[3Com-vlan60] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of the Firewall module interface (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create a SecBlade test.

[SW8800] secblade test

# Specify the Firewall module interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50 60

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module on the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60


[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit

# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Add GigabitEthernet0/0.3 sub-interface to the DMZ.

[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit

# Configure the static route.

[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Enable the outbound IP statistics function in the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] statistics enable ip outzone
[secblade-zone-untrust] quit

# Enable the address scanning attack prevention, set the maximum scanning rate to 1,000 packets per second and the valid time of the blacklist to 5 minutes, and enable the blacklist function.

[secblade] firewall defend ip-sweep max-rate 1000 blacklist-timeout 5
[secblade] firewall blacklist enable
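The interaction between max-rate, blacklist-timeout and the blacklist function is easier to reason about with a concrete trace. The Python model below is an added example, not part of the 3Com manual and not the module's own algorithm (the manual does not document it): IpSweepGuard counts distinct destination addresses per source in a one-second window, blacklists a source that exceeds max-rate for the configured number of minutes, and drops its packets until the entry expires. The source address and the probe sequence are constructed for illustration.

```python
"""Added example (not from the 3Com manual): a model of the address scanning
(ip-sweep) defence parameters in `firewall defend ip-sweep max-rate 1000
blacklist-timeout 5` combined with `firewall blacklist enable`.
IpSweepGuard and the packet trace are constructed for illustration."""
from collections import defaultdict, deque


class IpSweepGuard:
    """Counts distinct destination IPs per source in a sliding window and
    blacklists a source that exceeds max_rate for blacklist_timeout minutes."""

    def __init__(self, max_rate, blacklist_timeout_min, window=1.0):
        self.max_rate = max_rate                      # distinct destinations per second
        self.timeout = blacklist_timeout_min * 60.0   # blacklist lifetime in seconds
        self.window = window
        self.recent = defaultdict(deque)              # src -> deque of (ts, dst)
        self.blacklist = {}                           # src -> expiry timestamp

    def is_blacklisted(self, src, ts):
        """True while the entry is live; expired entries are removed lazily."""
        expiry = self.blacklist.get(src)
        if expiry is None:
            return False
        if ts >= expiry:
            del self.blacklist[src]
            return False
        return True

    def observe(self, ts, src, dst):
        """Feed one outbound packet and return 'pass' or 'drop'."""
        if self.is_blacklisted(src, ts):
            return "drop"
        q = self.recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] >= self.window:      # keep only the last window
            q.popleft()
        distinct_targets = len({d for _, d in q})
        if distinct_targets > self.max_rate:
            self.blacklist[src] = ts + self.timeout   # blacklist for the configured time
            return "drop"
        return "pass"


def simulate_sweep(guard, src="198.51.100.7", n=1200):
    """Constructed trace: one source probes n distinct addresses in half a second,
    then tries again one second after its blacklist entry should have expired."""
    verdicts = [guard.observe(i * 0.5 / n, src, "10.0.%d.%d" % (i // 256, i % 256))
                for i in range(n)]
    after_timeout = guard.observe(0.5 + 5 * 60 + 1, src, "10.0.9.9")
    return {"passed": verdicts.count("pass"),
            "dropped": verdicts.count("drop"),
            "after_timeout": after_timeout}


if __name__ == "__main__":
    print(simulate_sweep(IpSweepGuard(max_rate=1000, blacklist_timeout_min=5)))
```

With the manual's values (1,000 packets per second, 5 minutes), the first 1,000 probes pass, the 1,001st creates the blacklist entry, the remaining probes are dropped, and the source is admitted again once the 5-minute timeout has elapsed. Since the counters are kept per source, the outbound IP statistics function has to be enabled in the zone the scanning source belongs to, which is also the second troubleshooting check at the end of this chapter.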

Enabling the Zone-Based Connection Count Monitoring Function

Network requirements

On the Firewall module, add GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ respectively. You are required to configure restriction on the number of connections to or from the trust zone respectively.

Network diagram

Refer to Figure 31.

Configuration procedure

Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit


[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure the aggregation of Firewall module interfaces (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create a SecBlade test.

[SW8800] secblade test

# Specify the Firewall module interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50 60

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module on the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50


[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit

# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Add GigabitEthernet0/0.3 sub-interface to the DMZ.

[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit

# Configure the static route.

[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Enable the outbound packet statistics function in the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] statistics enable zone outzone

# Enable the inbound packet statistics function in the trust zone.

[secblade-zone-trust] statistics enable zone inzone

# Configure the upper limit of the number for the inbound TCP connections in the trust zone as 120,000.

[secblade-zone-trust] statistics enable zone inzone tcp high 120000 low 10000

# Configure the upper limit of the number for the outbound TCP connections in the trust zone as 200,000.

[secblade-zone-trust] statistics enable zone outzone tcp high 200000 low 10000

Monitoring the Number of the IP-Based Connections Matching the ACL Rule

Network requirements

On the Firewall module, add GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ respectively. You are required to configure restriction on the number of connections from the host whose IP address is 10.0.0.1 in the trust zone.

Network diagram

Refer to Figure 31.


Configuration procedure

Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of the Firewall module interface (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create a SecBlade test.

[SW8800] secblade test

# Specify the Firewall module interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50 60

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module on the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade> system-view


# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit

# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Add GigabitEthernet0/0.3 sub-interface to the DMZ.

[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit

# Configure the static route.

[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Configure the ACL rule.

[secblade] acl number 1
[secblade-acl-basic-1] rule permit source 10.0.0.1 0

# Enter zone view, and configure the upper limit of the number for TCP connections initiated by the IP source address and matching ACL rule as 2,000.

[secblade] firewall zone trust
[secblade-zone-trust] statistic connect-number ip outzone tcp high 2000 low 512 acl 1
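Both connection-count commands in this chapter, the zone-wide one in the previous example (high 120000 / 200000, low 10000) and the ACL-scoped one above (high 2000, low 512, acl 1), take a high and a low watermark, and the gap between them is what keeps the limit from flapping. The Python model below is an added example, not part of the 3Com manual and not the module's own code: ConnectionLimiter refuses new connections once the counted total reaches the high watermark and keeps refusing until enough connections close to reach the low watermark, and an optional ACL (given as CIDR strings) decides which sources are counted. The hosts and the event sequence are constructed for illustration.

```python
"""Added example (not from the 3Com manual): a model of the high/low watermark
connection limits set by `statistics enable zone inzone tcp high 120000 low 10000`
(zone-wide) and by `statistic connect-number ip outzone tcp high 2000 low 512 acl 1`
(only sources matching the ACL). ConnectionLimiter and the event sequence are
constructed for illustration; the module's real counting internals are not documented."""
import ipaddress


class ConnectionLimiter:
    """Refuses new TCP connections once the active count reaches `high`, and keeps
    refusing until it drops to `low` (hysteresis avoids flapping around one value).
    An optional ACL, a list of CIDR strings, restricts which sources are counted."""

    def __init__(self, high, low, acl=None):
        if low >= high:
            raise ValueError("low watermark must be below high watermark")
        self.high, self.low = high, low
        self.acl = [ipaddress.ip_network(n) for n in (acl or [])]
        self.active = set()      # ids of connections currently counted
        self.limiting = False    # True between crossing high and falling back to low

    def matches(self, src_ip):
        """Without an ACL every source is counted, as in the zone-wide command."""
        if not self.acl:
            return True
        addr = ipaddress.ip_address(src_ip)
        return any(addr in net for net in self.acl)

    def open(self, src_ip, conn_id):
        """Return 'pass' or 'reject' for a new connection attempt."""
        if not self.matches(src_ip):
            return "pass"                         # outside the ACL: not limited
        if self.limiting or len(self.active) >= self.high:
            self.limiting = True
            return "reject"
        self.active.add(conn_id)
        return "pass"

    def close(self, conn_id):
        """Release a connection; lift the limit once the count reaches `low`."""
        self.active.discard(conn_id)
        if self.limiting and len(self.active) <= self.low:
            self.limiting = False


def simulate_acl_limit():
    """Constructed sequence for the ACL-scoped case: 10.0.0.1 opens 2,000 connections,
    is refused the next one, another host is unaffected, and the limit lifts only
    after enough connections close to reach the low watermark."""
    lim = ConnectionLimiter(high=2000, low=512, acl=["10.0.0.1/32"])
    first = [lim.open("10.0.0.1", i) for i in range(2000)]
    over_high = lim.open("10.0.0.1", 2000)
    unmatched = lim.open("10.0.0.2", 99999)
    for i in range(1487):                   # 2000 - 1487 = 513, still above low
        lim.close(i)
    still_limited = lim.open("10.0.0.1", 2001)
    lim.close(1487)                         # now 512 == low: the limit lifts
    recovered = lim.open("10.0.0.1", 2002)
    return {"accepted": first.count("pass"), "over_high": over_high,
            "unmatched": unmatched, "still_limited": still_limited,
            "recovered": recovered, "active": len(lim.active)}


if __name__ == "__main__":
    print(simulate_acl_limit())
```

Leaving the ACL out gives the zone-wide behaviour of the previous example. Note that with the limit in force the count has to fall all the way to the low watermark before new connections are admitted, so a low value far below high (512 against 2,000 here) means a longer recovery after a burst, which is the trade-off the two parameters express.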

Displaying Statistics Information of a Specified IP Address

Network requirements

On the Firewall module, add GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ respectively.

Network diagram

Refer to Figure 31.


Configuration procedure

Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of the Firewall module interface (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create a SecBlade test.

[SW8800] secblade test

# Specify the Firewall module interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50 60

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module on the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade> system-view


# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit

# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Add GigabitEthernet0/0.3 sub-interface to the DMZ.

[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit

# Configure the static route.

[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Enter zone view.

[secblade] firewall zone trust

# Enable the outbound IP packet statistics function in the zone to perform statistics on source addresses.

[secblade-zone-trust] statistic enable ip outzone

# Enable the inbound IP packet statistics function in the zone to perform statistics on destination addresses.

[secblade-zone-trust] statistic enable ip inzone

# Display statistics of connections initiated from 10.0.0.1 in the trust zone to the external zone.

<secblade> display firewall statistics ip 10.0.0.1 source-ip


# Display statistics of connections initiated from the external zone to 10.0.0.1 in the trust zone.

<secblade> display firewall statistics ip 10.0.0.1 destination-ip

Attack Prevention Troubleshooting

Fault 1: The SYN Flood attack prevention function does not take effect.

Troubleshooting: Take the following procedure.

1 Check whether the SYN Flood attack prevention function is enabled for the destination zone or for the destination IP.

2 Check whether the SYN Flood attack prevention function is enabled in the global scope.

3 Check whether the inbound IP statistics function is enabled in the destination zone or in the zone to which the destination IP belongs.

Fault 2: The address scanning attack prevention function does not take effect.

Troubleshooting: Take the following procedure.

1 Check whether the address scanning attack prevention function is enabled.

2 Check whether the outbound IP statistics function is enabled in the zone to which the scanning source belongs.


11 LOG MAINTENANCE

Introduction to Log Types

The log function saves system messages and packet filtering actions to a buffer, or directs them to a log host. By analyzing and managing log information, network administrators can detect security holes and the types of attack in use. Furthermore, real-time log records help to detect ongoing intrusions.

The Firewall module handles the various attacks and events uniformly and standardizes the log formats and statistics, so that the log style is consistent and the log functions are comprehensive.

The Firewall module includes the following log information:

■ NAT/ASPF log

■ Attack prevention log

■ Traffic monitoring log

■ Black list log

■ Address binding log

Output principle

On the Firewall module, log information can be output in binary-flow format or in Syslog format. Figure 32 shows the corresponding relationship between log type and log output format.

Figure 32 Log output principles on the Firewall module

(The diagram itself is not reproduced. Labels recovered from the figure: NAT/ASPF log information is sent as binary-flow log directly to the log server; attack defence, traffic statistics, blacklist and address binding log information is sent as Syslog log to the information center, which redirects it to the console, a monitoring terminal, the buffer or the log server.)


In the Firewall module, the log information about attack prevention, traffic monitoring, blacklist and address binding is generated in small volumes, so these logs are output in Syslog format. This information must be sent to the Comware-based information center for log management and redirection; there you can choose either to display the log information on the terminal screen or to output the Syslog log to a log server for storage and analysis.

Conversely, NAT/ASPF log information is generated in large volumes, so the system outputs this type of log directly to the log server in binary format for storage and analysis, bypassing the Comware-based information center. The transmission efficiency of binary-flow log is therefore higher than that of Syslog log.

Configuring Syslog Log

Syslog configuration includes:

■ Configuring Syslog log output format

■ Configuring the sweep time for the Syslog log buffer

■ Configuring the log redirection of the information center

Configuring Syslog Log Output Format

Use this command to configure the output mode of the log to text format.

Perform the following configuration in system view.

Table 196 Configure the output mode of the log to text format

Operation: Configure the output mode of the log to text format
Command: firewall session log-type syslog

By default, the output mode of the log is Syslog.

Configuring the Log Redirection for the Information Center

Generally, the log information exported to the information center is redirected in the following ways:

■ Export information to the local console through the Console port.

■ Export information to a remote Telnet terminal, which can be used for remote maintenance.

■ Allocate a log buffer of suitable size inside the Firewall module to record information.

■ Configure a log server to which the information center sends information directly; the information is saved as files that you can view at any time.

■ Allocate a trap buffer of suitable size inside the Firewall module to record information.

■ Export information to the SNMP agent.

Perform the following configuration in system view.

Table 197 Configure the log redirection for the information center

Operation: Export information to the console
Command: info-center console channel { channel-number | channel-name }

Operation: Export information to the Telnet terminal or dumb terminal
Command: info-center monitor channel { channel-number | channel-name }

Operation: Export information to SNMP
Command: info-center snmp channel { channel-number | channel-name }

Operation: Set the log buffer size, and set the information channel to the log buffer
Command: info-center logbuffer [ channel { channel-number | channel-name } | size buffersize ] *

Operation: Set the information channel to the log host and other parameters
Command: info-center loghost X.X.X.X [ channel { channel-number | channel-name } | facility local-number | language { chinese | english } ] *

Operation: Set the trap buffer size, and set the information channel to the trap buffer
Command: info-center trapbuffer [ channel { channel-number | channel-name } | size buffersize ] *

Binary-Flow Log Configuration

Binary-flow log configuration includes:

■ Enabling binary-flow log output in interzone

■ Configuring host address and port of receiving binary-flow log

Enabling/Disabling Binary-Flow Log Output in Interzone

Use the following commands to enable or disable interzone binary-flow log.

Perform the following configuration in interzone view.

Table 198 Enable interzone binary-flow log output

Operation: Enable output of the binary-flow log matching the ACL
Command: session log enable [ acl-number access-list ]

Operation: Disable interzone binary-flow log output
Command: undo session log enable

By default, binary-flow log is disabled.

Configuring Host Address and Port of Receiving Binary-Flow Log

Use this command to configure the host address and port that receive the binary-flow log.

Perform the following configuration in system view.

Table 199 Configure host address and port of receiving binary-flow log

Operation: Configure the host address and port that receive the binary-flow log
Command: firewall session log-type binary host ipaddr port

Operation: Delete the host address and port that receive the binary-flow log and restore the default log output format
Command: undo firewall session log-type


Clearing Log Execute the reset command in user view to clear the log buffer.

Log Configuration Example

Outputting Attack Prevention Log to Host

Network requirements

On the Firewall module, add GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ respectively.

Network diagram

Refer to Figure 31.

Configuration procedures

Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure aggregation of Firewall module interfaces (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create a SecBlade test.

Table 200 Display and debug log

Clear the log buffer on the firewall:
    reset firewall log-buff { defend | session | statistics | http | smtp }

[SW8800] secblade test

# Specify the Firewall module interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50 60

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module on the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit

# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Add GigabitEthernet0/0.3 sub-interface to the DMZ.

[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit

# Configure the static route.


[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Enable the information center and set the IP address of the log host in the trust zone to 10.0.0.1.

[secblade] info-center enable
[secblade] info-center loghost 10.0.0.1 language english

# Enable port-scan attack prevention so that the attacker's source address is added to the blacklist, set the aging time to 10 minutes, and enable the blacklist function.

[secblade] firewall defend port-scan max-rate 100 blacklist-timeout 10
[secblade] firewall blacklist enable

# Enable IP outbound packet statistics in the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] statistics enable ip outzone

You can use a tool (such as nmap) on the PC in the untrust zone to perform port scanning against the server in the trust zone. The firewall then adds the address of the PC to the blacklist (with the aging time set to 10 minutes) and immediately outputs blacklist log information. Once the attack prevention scanning interval is reached, the system outputs log information about the UDP port-scan attack.

Outputting Binary-Flow Log to Host

Network requirements

On the Firewall module, add GigabitEthernet 0/0.1, GigabitEthernet 0/0.2 and GigabitEthernet 0/0.3 sub-interfaces to the trust zone, untrust zone and DMZ respectively.

Network diagram

Refer to Figure 31.

Configuration procedures

Switch 8807 (SecBlade)

# Divide VLANs.

<SW8800> system-view
[SW8800] vlan 10
[3Com-vlan10] quit
[SW8800] vlan 30
[3Com-vlan30] quit
[SW8800] vlan 50
[3Com-vlan50] quit
[SW8800] vlan 60
[3Com-vlan60] quit

# Configure the IP address.

[SW8800] interface vlan-interface 10
[3Com-Vlan-interface10] ip address 10.0.0.254 24
[3Com-Vlan-interface10] quit
[SW8800] interface vlan-interface 30
[3Com-Vlan-interface30] ip address 30.0.0.1 24
[3Com-Vlan-interface30] quit

# Configure the static route.

[SW8800] ip route-static 0.0.0.0 0 30.0.0.254

# Configure the aggregation of the Firewall module interface (the module resides in slot 2).

[SW8800] secblade aggregation slot 2

# Create a SecBlade test.

[SW8800] secblade test

# Specify the Firewall module interface VLAN.

[3Com-secblade-test] secblade-interface vlan-interface 30

# Set the protected VLAN.

[3Com-secblade-test] security-vlan 50 60

# Map the module to the specified slot.

[3Com-secblade-test] map to slot 2
[3Com-secblade-test] quit
[SW8800] quit

# Log into the module on the specified slot.

<SW8800> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<secblade> system-view

# Create the sub-interface.

[secblade] interface GigabitEthernet 0/0.1
[secblade-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[secblade-GigabitEthernet0/0.1] ip address 30.0.0.254 24
[secblade-GigabitEthernet0/0.1] quit
[secblade] interface GigabitEthernet 0/0.2
[secblade-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[secblade-GigabitEthernet0/0.2] ip address 50.0.0.254 24
[secblade-GigabitEthernet0/0.2] quit
[secblade] interface GigabitEthernet 0/0.3
[secblade-GigabitEthernet0/0.3] vlan-type dot1q vid 60
[secblade-GigabitEthernet0/0.3] ip address 60.0.0.254 24
[secblade-GigabitEthernet0/0.3] quit

# Add the sub-interface of the internal network to the trust zone.

[secblade] firewall zone trust
[secblade-zone-trust] add interface GigabitEthernet 0/0.1
[secblade-zone-trust] quit

# Add the sub-interface of the external network to the untrust zone.

[secblade] firewall zone untrust
[secblade-zone-untrust] add interface GigabitEthernet 0/0.2
[secblade-zone-untrust] quit

# Add GigabitEthernet0/0.3 sub-interface to the DMZ.

[secblade] firewall zone DMZ
[secblade-zone-DMZ] add interface GigabitEthernet 0/0.3
[secblade-zone-DMZ] quit

# Configure the static route.

[secblade] ip route-static 10.0.0.0 24 30.0.0.1

# Configure the ACL rule.

[secblade] acl number 3000
[secblade-acl-adv-3000] rule permit ip source 10.0.0.0 0.0.0.255

# Enter interzone mode and enable binary-flow log switch matching ACL.

[secblade] firewall interzone trust untrust
[secblade-interzone-trust-untrust] session log enable acl-number 3000

# Set the binary-flow log output format, and the IP address and port of the log host.

[secblade] firewall session log-type binary host 10.0.0.5 9002

Connect from the PC in the untrust zone to the server in the trust zone through FTP. The firewall then outputs binary-flow log information for the established connection.

12 RELIABILITY OVERVIEW

Note: The content below applies to the Firewall and IPsec modules, so the command views in this document apply to the modules and not to the Switch 8800 Family switches.

Introduction to Reliability

During communication, any software or hardware error, such as a network device or line fault, may disrupt the connection and cause transmission failure. To avoid these situations, Comware provides the virtual router redundancy protocol (VRRP) and hot backup technologies to ensure that a backup scheme is available when faults occur. This keeps communication running and makes the network more robust and reliable.

VRRP improves the reliability of connections to outside networks and, as such, is well suited to multicast or broadcast LANs such as Ethernet. Multiple routers can form a standby group, or virtual router, acting as the only egress gateway for the local network. These routers, however, are transparent to the local network. In the standby group, one router is engaged in packet forwarding, a backup router is ready to replace the active router, and the other routers are listening. If the active router fails, the backup router takes over and the other routers elect a new backup router from among themselves. This improves reliability, allowing the local hosts to continue operating without any modification.

13 VRRP CONFIGURATIONS

Introduction to VRRP

Virtual router redundancy protocol (VRRP) is a fault-tolerant protocol. Normally, you configure a default route for the hosts on a network, for example 10.100.10.1 in the following figure. All packets destined for the external network are sent over this default route to Router to reach the external networks. When Router fails, all the hosts using Router as the default next-hop router are isolated from the external network.

Figure 33 Network diagram for a LAN

VRRP was designed to address this problem on multicast and broadcast LANs such as Ethernet.

The following figure illustrates how VRRP is implemented.

VRRP combines a group of routers on a LAN (a master and multiple backups) into a virtual router called a standby group.


Figure 34 VRRP networking diagram

This virtual router has its own IP address: 10.100.10.1 (it can be the interface address on a router in the standby group). The routers in the standby group also have their own IP addresses: 10.100.10.2 for the master and 10.100.10.3 for a backup router for example.

The hosts on the LAN, however, only know the IP address of this virtual router, 10.100.10.1, and use it as the address of the default next-hop router when communicating with the external network.

When the master in the standby group fails, the backup routers in the standby group elect a new master to take over, allowing the hosts on the network to communicate with the external network without interruption.

For more information about VRRP, refer to RFC 2338.

Configuring VRRP

The basic VRRP configuration tasks are described in the following sections:

■ “Adding or Deleting a Virtual IP Address”

■ “Configuring Priority in a Standby Group”

■ “Configuring Preemption Mode and Preemption Delay”

The advanced VRRP configuration tasks are described in the following sections:

■ “Configuring Authentication Mode and Authentication Key”

■ “Configuring the Adver_Timer of VRRP”

■ “Configuring Interface Tracking”

■ “Enabling/Disabling Virtual IP Address Pinging”

■ “Enabling/Disabling TTL Check for VRRP Packets”


Adding or Deleting a Virtual IP Address

You may assign an IP address on this network segment to a virtual router (standby group), or delete the specified or all virtual IP addresses from the virtual address list.

Perform the following configuration in interface view.

The standby group number virtual-router-ID is in the range 1 to 255. The virtual IP address can be an unassigned address on the network segment to which the standby group belongs, or the IP address of an interface in the standby group. In the latter case, the security gateway with that IP address is called the IP address owner.

The system creates a standby group the first time that you assign an IP address to it. When you assign virtual IP addresses to the group after that, the system only adds the addresses to the virtual IP address list of this standby group. You can assign an interface to 14 standby groups, while one standby group can accommodate up to 16 virtual IP addresses.

Note that before you can configure a standby group, you must create it by assigning an IP address to it. Deleting the last virtual IP address from the standby group also deletes the standby group. After that, all its configurations become invalid.

Configuring Priority in a Standby Group

In VRRP, the role that a security gateway plays in a standby group depends on its priority. The security gateway with the highest priority becomes the master.

The priority is in the range 0 to 255, with a larger number indicating a higher priority. However, the configurable range is 1 to 254. The priority 0 is reserved for special use and 255 for the IP address owner.

Perform the following configuration in interface view.

The priority is 100 by default.

Note: The IP address owner has two priorities: configurable and operating. The configurable priority is the one assigned using the vrrp vrid command; the operating priority is always 255 and is not configurable.

Table 201 Add/delete a virtual IP address

Add a virtual IP address:
    vrrp vrid virtual-router-ID virtual-ip virtual-address

Delete the specified or all virtual IP addresses:
    undo vrrp vrid virtual-router-ID virtual-ip virtual-address

Table 202 Configure the priority of the interface in the standby group

Configure the priority of the interface in the standby group:
    vrrp vrid virtual-router-ID priority priority-value

Restore the default value:
    undo vrrp vrid virtual-router-ID priority

Configuring Preemption Mode and Preemption Delay

In non-preemption mode, once a security gateway in the standby group becomes the master and operates well, other security gateways cannot preempt it, even if they are assigned a higher priority later. A security gateway working in preemption mode, however, can preempt a lower priority master; the existing master then becomes a backup.

When enabling preemption in a standby group, you can use the vrrp vrid command to configure a delay so that the backup waits for a while before preempting the existing master. This prevents frequent state transitions on an unstable network, where the standby group security gateways cannot receive packets from the master regularly because of network congestion.

The delay is in the range 0 to 255 seconds.

Perform the following configuration in interface view.

The default mode is preemption without delay.

Note: After you disable preemption, the preemption delay is automatically reset to 0 seconds.

Configuring Authentication Mode and Authentication Key

VRRP provides two authentication modes: simple (simple text authentication) and MD5.

On a secure network, you can use the default, where no authentication key is required. In this way, the security gateway authenticates neither the VRRP packets it sends nor those it receives.

On a network where potential threats are present, you can set the authentication mode to simple, where the authentication key must not be greater than eight bytes. When the security gateway sends a VRRP packet, it fills the authentication key into the VRRP packet. When the security gateway receives a VRRP packet, it compares the authentication key in the packet with the one that it retains. If they are the same, the packet is considered genuine and legitimate. Otherwise, the packet is considered illegitimate and is discarded.

On an unsafe network, you can set the authentication mode to MD5, where the authentication key must not be greater than eight bytes. This allows the security gateway to authenticate VRRP packets using the authentication method provided by the authentication header (AH) and the MD5 algorithm. The key is either up to eight characters or exactly 24 characters long: if you enter it in plain text, the length ranges from one to eight characters, such as 1234567; if you enter it in encrypted text, the length must be 24 characters, such as (TT8F]Y5SQ=^Q‘MAF4<1!!.

The security gateway discards the packets that fail authentication and sends traps.

Table 203 Configure the preemption mode and preemption delay for a standby group

Enable preemption and configure the preemption delay for a standby group:
    vrrp vrid virtual-router-ID preempt-mode [ timer delay delay-value ]

Disable preemption in the standby group:
    undo vrrp vrid virtual-router-ID preempt-mode


Perform the following configuration in interface view.

By default, the security gateway does not authenticate VRRP packets.

Note: For the standby groups on the same interface, you must set the same authentication mode and authentication key.

Configuring the Adver_Timer of VRRP

In a VRRP standby group, the master security gateway tells other security gateways that it is alive by sending VRRP packets regularly. If no VRRP packets are received after a specified period, the backup assumes the master has failed and changes its state to master. The VRRP packet sending interval and the state transition of the backup are controlled by two timers: Adver_Timer and Master_Down_Timer.

The Master_Down_Timer is about three times the Adver_Timer. Either heavy traffic or differing timer settings on the security gateways can cause the Master_Down_Timer to expire abnormally, triggering a state transition. One solution is to set the Adver_Timer (in seconds) to a larger value and/or configure a preemption delay.

Perform the following configuration in interface view.

The adver_interval argument is in the range of 1 to 255 seconds and defaults to 1 second.

Configuring Interface Tracking

The interface tracking function extends the backup capability of VRRP. It provides backup not only when the interface to which a standby group is assigned fails, but also when other interfaces on the security gateway become unavailable. This is achieved by tracking interfaces: when a tracked interface goes down, the priority of the security gateway owning that interface automatically decreases by the value specified by priority-reduced, allowing a higher priority security gateway in the standby group to take over as the master.

Perform the following configuration in interface view.

Table 204 Configure the authentication mode and authentication key

Configure the authentication mode and authentication key:
    vrrp authentication-mode { md5 key | simple key }

Restore the default:
    undo vrrp authentication-mode

Table 205 Configure the Adver_Timer of VRRP

Configure the Adver_Timer of VRRP:
    vrrp vrid virtual-router-ID timer advertise adver-interval

Restore the default:
    undo vrrp vrid virtual-router-ID timer advertise

The priority-reduced argument defaults to 10.

Note: You cannot configure interface tracking on the security gateway that is the IP address owner.
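The election rules from the priority, preemption, Adver_Timer and interface tracking sections above, modelled as an added example (not 3Com code and not Comware's implementation). It assumes the RFC 2338 tie-breaker (higher primary IP wins on equal priority) and the RFC 2338 Master_Down_Interval formula behind "about three times", and it clamps a tracked priority at 1; the gateway names, priorities and addresses are taken from the VRRP examples later in this chapter, the tracked interface and its reduction value are constructed.

```python
from dataclasses import dataclass, field

PRIORITY_OWNER = 255      # operating priority of the IP address owner, not configurable
DEFAULT_PRIORITY = 100    # "The priority is 100 by default."
DEFAULT_REDUCED = 10      # "The priority-reduced argument defaults to 10."


@dataclass
class Gateway:
    name: str
    ip: str                           # primary IP of the interface in the standby group
    priority: int = DEFAULT_PRIORITY  # configurable priority, 1..254
    ip_owner: bool = False            # interface IP equals the virtual IP
    preempt: bool = True              # default mode: preemption without delay
    preempt_delay: int = 0            # 0..255 seconds
    tracked: dict = field(default_factory=dict)  # interface -> priority reduction
    down: set = field(default_factory=set)       # tracked interfaces currently down

    def __post_init__(self):
        if not 1 <= self.priority <= 254:
            raise ValueError("configurable priority must be 1..254")
        if not 0 <= self.preempt_delay <= 255:
            raise ValueError("preemption delay must be 0..255 seconds")

    def track(self, ifname, reduced=DEFAULT_REDUCED):
        # "You cannot configure interface tracking on ... the IP address owner."
        if self.ip_owner:
            raise ValueError("interface tracking is not allowed on the IP address owner")
        self.tracked[ifname] = reduced

    def operating_priority(self):
        if self.ip_owner:
            return PRIORITY_OWNER
        prio = self.priority - sum(r for i, r in self.tracked.items() if i in self.down)
        return max(prio, 1)  # assumption: clamp at 1; 0 is reserved by VRRP


def master_down_interval(adver_interval, priority):
    """RFC 2338: 3 * Advertisement_Interval + Skew_Time, Skew_Time = (256 - Priority) / 256."""
    return 3 * adver_interval + (256 - priority) / 256


def _rank(gw):
    # Higher operating priority wins; RFC 2338 breaks ties by the higher primary IP.
    return (gw.operating_priority(), tuple(int(o) for o in gw.ip.split(".")))


class StandbyGroup:
    def __init__(self, vrid, members):
        self.vrid = vrid
        self.members = list(members)
        self.master = max(self.members, key=_rank)  # initial election

    def reevaluate(self):
        """Re-run the election after a priority change. A higher-ranked gateway takes
        over only if it runs in preemption mode; returns (master name, delay seconds)."""
        best = max(self.members, key=_rank)
        if best is not self.master and best.preempt and _rank(best) > _rank(self.master):
            self.master = best
            return best.name, best.preempt_delay
        return self.master.name, 0

    def master_failed(self):
        """The master stops advertising: once Master_Down_Timer expires on the backups,
        the best remaining backup becomes master regardless of preemption mode."""
        self.members = [g for g in self.members if g is not self.master]
        self.master = max(self.members, key=_rank)
        return self.master.name


def demo():
    # Figures from "VRRP Single Standby Group Example 1": SecBlade_A priority 120,
    # SecBlade_B at the default 100, addresses 30.0.0.1 and 30.0.0.2.
    a = Gateway("SecBlade_A", "30.0.0.1", priority=120, preempt=True)
    b = Gateway("SecBlade_B", "30.0.0.2")
    a.track("GigabitEthernet0/0.2", reduced=30)  # constructed tracking configuration
    group = StandbyGroup(1, [a, b])
    events = [group.master.name]
    a.down.add("GigabitEthernet0/0.2")           # 120 - 30 = 90 < 100: B preempts
    events.append(group.reevaluate()[0])
    a.down.clear()                               # back to 120: A preempts B again
    events.append(group.reevaluate()[0])
    events.append(group.master_failed())         # A fails outright: B takes over
    return events


if __name__ == "__main__":
    print(demo())  # ['SecBlade_A', 'SecBlade_B', 'SecBlade_A', 'SecBlade_B']
```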

Enabling/Disabling Virtual IP Address Pinging

This configuration enables users to ping the virtual IP addresses of standby groups. According to VRRP, users cannot ping the virtual IP addresses of standby groups, so they cannot use the ping command to determine whether an IP address is already assigned to a standby group. If a host on the network happens to use the same IP address as a standby group, all packets on this network segment will be forwarded to that host, and the data on this network segment cannot be forwarded properly.

However, you can use the following configuration to enable users to ping the virtual IP addresses of standby groups.

Perform the following configuration in system view.

By default, virtual IP address pinging is disabled.

Note that you must configure this command before creating standby groups. Once a standby group is created, you cannot use this command and its undo form.

Enabling/Disabling TTL Check for VRRP Packets

This configuration stops the backup from checking the TTL value of VRRP packets. According to VRRP, the TTL value of VRRP packets must be 255; if the backup detects that the TTL value of a packet is not 255, it drops the packet.

You can use the following configuration to disable TTL check for VRRP packets.

Perform the following configuration in VLAN interface view.

Table 206 Configure interface tracking

Configure the interface to be tracked:
    vrrp vrid virtual-router-ID track interface-type interface-number [ reduced priority-reduced ]

Disable tracking of the specified interface:
    undo vrrp vrid virtual-router-ID track [ interface-type interface-number ]

Table 207 Enable/disable virtual IP address pinging

Enable virtual IP address pinging:
    vrrp ping-enable

Disable virtual IP address pinging:
    undo vrrp ping-enable

Table 208 Enable/disable TTL check for VRRP packets

Disable TTL check for VRRP packets:
    vrrp un-check ttl

Restore TTL check for VRRP packets:
    undo vrrp un-check ttl

By default, the backup switch checks the TTL value for VRRP packets.
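How a backup applies the TTL rule and simple-text authentication when it receives a VRRP advertisement, as an added example (not 3Com code). It assumes the VRRPv2 message format of RFC 2338, which this chapter cites; the VRID, virtual IP and key are constructed, and MD5/AH authentication is not modelled.

```python
import struct

VRRP_VERSION = 2
TYPE_ADVERTISEMENT = 1
AUTH_NONE, AUTH_SIMPLE = 0, 1
HDR = "!BBBBBBH"  # version/type, vrid, priority, count, auth type, adver int, checksum


def inet_checksum(data):
    """16-bit one's complement of the one's complement sum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advertisement(vrid, priority, virtual_ips, adver_interval=1, key=b""):
    """Build the VRRPv2 message a master sends; key is the simple-text key (<= 8 bytes)."""
    if len(key) > 8:
        raise ValueError("simple-text key must not be greater than eight bytes")
    auth_type = AUTH_SIMPLE if key else AUTH_NONE
    head = struct.pack(HDR, (VRRP_VERSION << 4) | TYPE_ADVERTISEMENT, vrid, priority,
                       len(virtual_ips), auth_type, adver_interval, 0)
    body = b"".join(bytes(int(o) for o in ip.split(".")) for ip in virtual_ips)
    body += key.ljust(8, b"\x00")  # authentication data, zero padded to 8 bytes
    return head[:6] + struct.pack("!H", inet_checksum(head + body)) + body


def check_advertisement(ip_ttl, payload, local_key=b"", ttl_check=True):
    """Decide whether a backup accepts a received advertisement.

    ip_ttl is the TTL from the IP header; ttl_check=False corresponds to
    `vrrp un-check ttl`. Returns 'accept: ...' or 'drop: <reason>'."""
    if ttl_check and ip_ttl != 255:
        return "drop: TTL %d is not 255" % ip_ttl
    if len(payload) < struct.calcsize(HDR):
        return "drop: truncated header"
    vt, vrid, prio, count, auth_type, adver, _ = struct.unpack(HDR, payload[:8])
    if (vt >> 4) != VRRP_VERSION or (vt & 0x0F) != TYPE_ADVERTISEMENT:
        return "drop: unsupported version or type"
    if len(payload) != 8 + 4 * count + 8:
        return "drop: length does not match count of IP addresses"
    if inet_checksum(payload) != 0:  # the sum over a valid message folds to 0xFFFF
        return "drop: bad checksum"
    auth_data = payload[8 + 4 * count:]
    if auth_type == AUTH_SIMPLE:
        if not local_key or auth_data != local_key.ljust(8, b"\x00"):
            return "drop: authentication failed"  # the gateway would also send a trap
    elif auth_type == AUTH_NONE:
        if local_key:
            return "drop: authentication failed"
    else:
        return "drop: unsupported authentication type %d" % auth_type
    return "accept: vrid %d priority %d adver_interval %ds" % (vrid, prio, adver)


if __name__ == "__main__":
    # Constructed sample: vrid 1, priority 120, virtual IP 30.0.0.100, key "secret".
    pkt = build_advertisement(1, 120, ["30.0.0.100"], key=b"secret")
    print(check_advertisement(255, pkt, b"secret"))
    print(check_advertisement(64, pkt, b"secret"))   # dropped unless `vrrp un-check ttl`
    print(check_advertisement(255, pkt, b"wrong"))   # authentication failure
```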

Displaying and Debugging VRRP

After completing the above configurations, execute the display command in any view to view the operating state of VRRP and verify the effect of the configurations.

Execute the debugging command in user view.

You can enable or disable VRRP packet debugging and VRRP state debugging to observe VRRP operation.

By default, the debugging for VRRP is disabled.

VRRP Configuration Examples

VRRP Single Standby Group Example 1

Network requirements

As shown in Figure 35, two modules are inserted into a Switch 8807. Both modules run VRRP and provide one virtual IP address to the switch for redundant backup. Normally, traffic to the Internet passes through SecBlade_A; when SecBlade_A fails, all traffic to the Internet passes through SecBlade_B.

Table 209 Display and debug VRRP

Display state information about VRRP:
    display vrrp [ interface type number [ virtual-router-ID ] ]

Enable VRRP packet debugging:
    debugging vrrp packet

Disable VRRP packet debugging:
    undo debugging vrrp packet

Enable VRRP state debugging:
    debugging vrrp state

Disable VRRP state debugging:
    undo debugging vrrp state

Network diagram

Figure 35 VRRP network diagram

Configuration procedure

1 PC A

IP address: 10.0.0.1/24.

Gateway address: 10.0.0.254.

2 PC B

IP address: 20.0.0.1/24.

Gateway address: 20.0.0.254.

3 Switch 8807

# Divide VLANs.

<Switch 8807> system-view
[Switch 8807] vlan 10
[Switch 8807-vlan10] quit
[Switch 8807] vlan 20
[Switch 8807-vlan20] quit
[Switch 8807] vlan 30
[Switch 8807-vlan30] quit
[Switch 8807] vlan 50
[Switch 8807-vlan50] quit

# Configure the IP address.


[Switch 8807] interface vlan-interface 10
[Switch 8807-Vlan-interface10] ip address 10.0.0.254 24
[Switch 8807-Vlan-interface10] quit
[Switch 8807] interface vlan-interface 20
[Switch 8807-Vlan-interface20] ip address 20.0.0.254 24
[Switch 8807-Vlan-interface20] quit
[Switch 8807] interface vlan-interface 30
[Switch 8807-Vlan-interface30] ip address 30.0.0.254 24
[Switch 8807-Vlan-interface30] quit

# Configure the static route. The next hop is the virtual IP address of the VRRP standby group.

[Switch 8807] ip route-static 0.0.0.0 0 30.0.0.100

# Configure aggregation of interfaces on the SecBlade_A card (the module resides in slot 1).

[Switch 8807] secblade aggregation slot 1

# Create module test1 for SecBlade_A.

[Switch 8807] secblade test1

# Specify the Firewall module interface VLAN.

[Switch 8807-secblade-test1] secblade-interface vlan-interface 30

# Set the protected VLAN.

[Switch 8807-secblade-test1] security-vlan 50

# Map module test1 for SecBlade_A to the module of slot 1.

[Switch 8807-secblade-test1] map to slot 1
[Switch 8807-secblade-test1] quit
[Switch 8807] quit

# Configure aggregation of interfaces on the SecBlade_B card (the module resides in slot 2).

[Switch 8807] secblade aggregation slot 2

# Create module test2 for SecBlade_B.

[Switch 8807] secblade test2

# Specify the Firewall module interface VLAN.

[Switch 8807-secblade-test2] secblade-interface vlan-interface 30

# Set the protected VLAN.

[Switch 8807-secblade-test2] security-vlan 50

# Map the SecBlade_B module to the module of slot 2.

[Switch 8807-secblade-test2] map to slot 2
[Switch 8807-secblade-test2] quit
[Switch 8807] quit

4 SecBlade_A

# Log into the SecBlade_A card of slot 1.

<Switch 8807> secblade slot 1
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<SecBlade_A> system-view

# Create the sub-interface.

[SecBlade_A] interface GigabitEthernet0/0.1
[SecBlade_A-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[SecBlade_A-GigabitEthernet0/0.1] ip address 30.0.0.1 24
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 30.0.0.100
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 priority 120
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode
[SecBlade_A-GigabitEthernet0/0.1] quit
[SecBlade_A] interface GigabitEthernet0/0.2
[SecBlade_A-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[SecBlade_A-GigabitEthernet0/0.2] ip address 50.0.0.1 24
[SecBlade_A-GigabitEthernet0/0.2] quit

# Quit Firewall module configuration view.

[SecBlade_A] quit
<SecBlade_A> quit
<Switch 8807>

5 SecBlade_B

# Log into the SecBlade_B card of slot 2.

<Switch 8807> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<SecBlade_B> system-view

# Create the sub-interface.

[SecBlade_B] interface GigabitEthernet0/0.1
[SecBlade_B-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[SecBlade_B-GigabitEthernet0/0.1] ip address 30.0.0.2 24
[SecBlade_B-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 30.0.0.100
[SecBlade_B-GigabitEthernet0/0.1] quit
[SecBlade_B] interface GigabitEthernet0/0.2
[SecBlade_B-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[SecBlade_B-GigabitEthernet0/0.2] ip address 50.0.0.2 24
[SecBlade_B-GigabitEthernet0/0.2] quit

# Quit Firewall module configuration view.

[SecBlade_B] quit
<SecBlade_B> quit
<Switch 8807>

VRRP Single Standby Group Example 2

Network requirements

The VRRP standby group consisting of SecBlade_A and SecBlade_B serves as the default gateway of the hosts in VLAN 10. Hosts in VLAN 10 access the Internet through this gateway.

About the VRRP standby group: the standby group number is 1; the virtual IP address is 10.0.0.254; SecBlade_A functions as the Master, while SecBlade_B as the Backup. Preemption is enabled.

Network diagram

Figure 36 Network diagram for VRRP configuration

Configuration procedure

1 PC A

IP address: 10.0.0.50/24.

Gateway address: 10.0.0.254 (the virtual IP address of the standby group)

2 PC B

IP address: 10.0.0.60/24.


Gateway address: 10.0.0.254 (the virtual IP address of the standby group)

3 Switch 8807_A (SecBlade_A)

# Divide VLANs.

<Switch 8807_A> system-view
[Switch 8807_A] vlan 10
[Switch 8807_A-vlan10] quit
[Switch 8807_A] vlan 50
[Switch 8807_A-vlan50] quit

# Configure aggregation of Firewall module interfaces (the module interface resides in slot 2).

[Switch 8807_A] secblade aggregation slot 2

# Create a SecBlade test.

[Switch 8807_A] secblade test

# Set the protected VLAN.

[Switch 8807_A-secblade-test] security-vlan 10 50

# Map the module to the specified slot.

[Switch 8807_A-secblade-test] map to slot 2
[Switch 8807_A-secblade-test] quit
[Switch 8807_A] quit

# Log into the module on the specified slot.

<Switch 8807_A> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<SecBlade_A> system-view

# Create the sub-interface.

[SecBlade_A] interface g0/0.1
[SecBlade_A-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[SecBlade_A-GigabitEthernet0/0.1] ip address 10.0.0.1 24
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.254
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 priority 120
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode
[SecBlade_A-GigabitEthernet0/0.1] quit
[SecBlade_A] interface g0/0.2
[SecBlade_A-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[SecBlade_A-GigabitEthernet0/0.2] ip address 50.0.0.1 24
[SecBlade_A-GigabitEthernet0/0.2] quit

# Quit Firewall module configuration view.

[SecBlade_A] quit
<SecBlade_A> quit
[Switch 8807_A]


4 Switch 8807_B (SecBlade_B)

# Divide VLANs.

<Switch 8807_B> system-view
[Switch 8807_B] vlan 10
[Switch 8807_B-vlan10] quit
[Switch 8807_B] vlan 50
[Switch 8807_B-vlan50] quit

# Configure aggregation of two GigabitEthernet interfaces of the SecBlade (SecBlade slot number is 2).

[Switch 8807_B] secblade aggregation slot 2

# Create a SecBlade test.

[Switch 8807_B] secblade test

# Set the protected VLAN.

[Switch 8807_B-secblade-test] security-vlan 10 50

# Map the module to the specified slot.

[Switch 8807_B-secblade-test] map to slot 2
[Switch 8807_B-secblade-test] quit
[Switch 8807_B] quit

# Log into the module on the specified slot.

<Switch 8807_B> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<SecBlade_B> system-view

# Create the sub-interface.

[SecBlade_B] interface g0/0.1
[SecBlade_B-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[SecBlade_B-GigabitEthernet0/0.1] ip address 10.0.0.2 24
[SecBlade_B-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.254
[SecBlade_B-GigabitEthernet0/0.1] quit
[SecBlade_B] interface g0/0.2
[SecBlade_B-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[SecBlade_B-GigabitEthernet0/0.2] ip address 50.0.0.2 24
[SecBlade_B-GigabitEthernet0/0.2] quit

# Quit Firewall module configuration view.

[SecBlade_B] quit
<SecBlade_B> quit
[Switch 8807_B]

In normal cases, SecBlade_A acts as the gateway unless it is switched off or fails, in which case SecBlade_B takes over. Preemption mode is configured on SecBlade_A so that it resumes the gateway role as the Master when it recovers.

Multi-Standby Group Configuration Example

Network requirements

This multi-standby configuration implements load sharing. SecBlade_A is the Master of standby group 1 and a backup of standby group 2, while SecBlade_B is the Master of standby group 2 and a backup of standby group 1. PC A uses standby group 1 as its gateway and PC B uses standby group 2 as its gateway. In this way, both traffic balancing and mutual backup are achieved.

Network diagram

Figure 37 Network diagram for VRRP configuration

Configuration procedure

1 PC A

IP address: 10.0.0.50/24.

Gateway address: 10.0.0.253 (the virtual IP address of standby group 1)

2 PC B

IP address: 10.0.0.60/24.

[Figure 37 residue: diagram labels SecBlade_A, SecBlade_B, Switch 8800, VLAN 10, 20, 30 and 50, PC_A 10.0.0.1/24, PC_B 20.0.0.1/24, 10.0.0.254/24, 20.0.0.254/24, 30.0.0.254/24, 30.0.0.1/24, 30.0.0.2/24, 50.0.0.1/24, 50.0.0.2/24, virtual IP 30.0.0.100/24, Internet (the diagram's addressing differs from the procedure below)]


Gateway address: 10.0.0.254 (the virtual IP address of standby group 2)

3 Switch 8807_A (SecBlade_A)

# Divide VLANs.

<Switch 8807_A> system-view
[Switch 8807_A] vlan 10
[Switch 8807_A-vlan10] quit
[Switch 8807_A] vlan 50
[Switch 8807_A-vlan50] quit

# Configure aggregation of two GigabitEthernet interfaces of the Firewall module (the module slot number is 2).

[Switch 8807_A] secblade aggregation slot 2

# Create a SecBlade test.

[Switch 8807_A] secblade test

# Set the protected VLAN.

[Switch 8807_A-secblade-test] security-vlan 10 50

# Map the module to the specified slot.

[Switch 8807_A-secblade-test] map to slot 2
[Switch 8807_A-secblade-test] quit
[Switch 8807_A] quit

# Log into the module on the specified slot.

<Switch 8807_A> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<SecBlade_A> system-view

# Create the sub-interface.

[SecBlade_A] interface g0/0.1
[SecBlade_A-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[SecBlade_A-GigabitEthernet0/0.1] ip address 10.0.0.1 24
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.253
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 priority 120
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode
[SecBlade_A-GigabitEthernet0/0.1] vrrp vrid 2 virtual-ip 10.0.0.254
[SecBlade_A-GigabitEthernet0/0.1] quit
[SecBlade_A] interface g0/0.2
[SecBlade_A-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[SecBlade_A-GigabitEthernet0/0.2] ip address 50.0.0.1 24
[SecBlade_A-GigabitEthernet0/0.2] quit

# Quit Firewall module configuration view.

[SecBlade_A] quit
<SecBlade_A> quit
[Switch 8807_A]

4 Switch 8807_B (SecBlade_B)

# Divide VLANs.

<Switch 8807_B> system-view
[Switch 8807_B] vlan 10
[Switch 8807_B-vlan10] quit
[Switch 8807_B] vlan 50
[Switch 8807_B-vlan50] quit

# Configure aggregation of two GigabitEthernet interfaces of the Firewall module (the module slot number is 2).

[Switch 8807_B] secblade aggregation slot 2

# Create a SecBlade test.

[Switch 8807_B] secblade test

# Set the protected VLAN.

[Switch 8807_B-secblade-test] security-vlan 10 50

# Map the module to the specified slot.

[Switch 8807_B-secblade-test] map to slot 2
[Switch 8807_B-secblade-test] quit
[Switch 8807_B] quit

# Log into the module on the specified slot.

<Switch 8807_B> secblade slot 2
(Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<SecBlade_B> system-view

# Create the sub-interface.

[SecBlade_B] interface g0/0.1
[SecBlade_B-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[SecBlade_B-GigabitEthernet0/0.1] ip address 10.0.0.2 24
[SecBlade_B-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.253
[SecBlade_B-GigabitEthernet0/0.1] vrrp vrid 2 virtual-ip 10.0.0.254
[SecBlade_B-GigabitEthernet0/0.1] vrrp vrid 2 priority 120
[SecBlade_B-GigabitEthernet0/0.1] vrrp vrid 2 preempt-mode
[SecBlade_B-GigabitEthernet0/0.1] quit
[SecBlade_B] interface g0/0.2
[SecBlade_B-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[SecBlade_B-GigabitEthernet0/0.2] ip address 50.0.0.2 24
[SecBlade_B-GigabitEthernet0/0.2] quit

# Quit the Firewall module configuration view.

[SecBlade_B] quit
<SecBlade_B> quit
[Switch 8807_B]

VRRP Troubleshooting

VRRP configuration is simple, and most problems can be located by checking the output of the display and debugging commands. The following are some troubleshooting cases.

Symptom 1:

The console screen displays error prompts frequently.

Solution:

Check that the received VRRP packets are correct.

The security gateway may receive an incorrect VRRP packet for two reasons: its configuration is inconsistent with that of another security gateway in the standby group, or a device is attempting to send illegitimate VRRP packets. In the first case, correct the configuration. In the second case, you must resort to non-technical measures.

Symptom 2:

Multiple master security gateways are present in the same standby group.

Solution:

If multiple masters are present only for a short period, this is normal and requires no manual intervention. If the condition persists, check that these masters can receive each other's VRRP packets and that the received packets are legitimate.

Do the following:

Have these masters ping each other.

If they can be pinged, check that their configurations are consistent, making sure that the same number of virtual IP addresses, the same virtual IP addresses, the same timer settings and the same authentication mode are configured for the standby group on every master.

If they cannot be pinged, check for other reasons.
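The following added example (not code from the 3Com guide or the SecBlade software) models the Master election and preemption behaviour that the multi-standby procedure relies on, and the configuration-consistency check that Symptom 2 calls for. The sample configurations are constructed from the SecBlade_A and SecBlade_B sub-interface commands shown above; the tie-break on the higher interface address is an assumption of the model.

```python
"""VRRP standby-group model for the multi-standby example and Symptom 2.

Added example, not from the 3Com guide or the SecBlade software: parses the
g0/0.1 commands of the multi-standby procedure, elects a Master per standby
group (VRID), walks through an outage and recovery of SecBlade_A, and checks
that every peer carries the same virtual IP addresses per VRID (Symptom 2).
Default priority 100 and "higher priority wins" are standard VRRP; breaking
ties on the higher interface address is an assumption of this model.
"""
import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address

DEFAULT_PRIORITY = 100

# Constructed from the SecBlade_A / SecBlade_B sub-interface commands above.
SECBLADE_A = """
ip address 10.0.0.1 24
vrrp vrid 1 virtual-ip 10.0.0.253
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode
vrrp vrid 2 virtual-ip 10.0.0.254
"""
SECBLADE_B = """
ip address 10.0.0.2 24
vrrp vrid 1 virtual-ip 10.0.0.253
vrrp vrid 2 virtual-ip 10.0.0.254
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode
"""

@dataclass
class Vrid:
    virtual_ips: set = field(default_factory=set)
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False

@dataclass
class Peer:
    name: str
    ip: IPv4Address
    vrids: dict
    up: bool = True

def parse_subinterface(name, text):
    """Read the ip address and vrrp commands of one sub-interface."""
    ip, vrids = None, {}
    for line in text.strip().splitlines():
        cmd = line.strip()
        if m := re.fullmatch(r"ip address (\S+) \d+", cmd):
            ip = IPv4Address(m.group(1))
        elif m := re.fullmatch(r"vrrp vrid (\d+) virtual-ip (\S+)", cmd):
            vrids.setdefault(int(m.group(1)), Vrid()).virtual_ips.add(m.group(2))
        elif m := re.fullmatch(r"vrrp vrid (\d+) priority (\d+)", cmd):
            vrids.setdefault(int(m.group(1)), Vrid()).priority = int(m.group(2))
        elif m := re.fullmatch(r"vrrp vrid (\d+) preempt-mode", cmd):
            vrids.setdefault(int(m.group(1)), Vrid()).preempt = True
    if ip is None:
        raise ValueError(f"{name}: no ip address command")
    return Peer(name, ip, vrids)

def build_peers():
    return [parse_subinterface("SecBlade_A", SECBLADE_A),
            parse_subinterface("SecBlade_B", SECBLADE_B)]

def elect_master(peers, vrid, current=None):
    """Name of the Master for a VRID, given the current Master (if any).

    A working Master keeps the role unless a peer with preempt-mode and a
    higher priority exists; without preempt-mode a recovered peer stays
    Backup, which is why the procedure enables it on each intended Master.
    """
    candidates = [p for p in peers if p.up and vrid in p.vrids]
    if not candidates:
        return None
    if current is not None and current.up and vrid in current.vrids:
        better = [p for p in candidates if p.vrids[vrid].preempt
                  and p.vrids[vrid].priority > current.vrids[vrid].priority]
        if not better:
            return current.name
        candidates = better
    return max(candidates, key=lambda p: (p.vrids[vrid].priority, p.ip)).name

def failover_sequence(peers, vrid, victim):
    """Master before, during and after an outage of the peer named victim."""
    by_name = {p.name: p for p in peers}
    before = elect_master(peers, vrid)
    by_name[victim].up = False
    during = elect_master(peers, vrid, current=by_name[before])
    by_name[victim].up = True
    after = elect_master(peers, vrid, current=by_name[during])
    return before, during, after

def check_consistency(peers):
    """Symptom 2 check: same virtual IP addresses per VRID on every peer."""
    problems = []
    for vrid in sorted({v for p in peers for v in p.vrids}):
        ips = {p.name: frozenset(p.vrids[vrid].virtual_ips)
               for p in peers if vrid in p.vrids}
        if len(ips) < len(peers):
            problems.append(f"vrid {vrid} is not configured on every peer")
        if len(set(ips.values())) > 1:
            problems.append(f"vrid {vrid} virtual-ip mismatch: {ips}")
    return problems
```

With the configurations above, SecBlade_A owns group 1 and SecBlade_B owns group 2; during an outage of SecBlade_A group 1 moves to SecBlade_B and returns to SecBlade_A on recovery because of its priority 120 and preempt-mode, while group 2 stays with SecBlade_B throughout.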

Symptom 3:

Frequent VRRP state transition is present.

Solution:

Set the Adver_Timer of the standby group to a larger value or configure a preemption delay.


14

FIREWALL CONFIGURATION COMMANDS

Firewall Configuration Commands

default-login-user

Syntax

default-login-user

undo default-login-user

View

Firewall system view

Parameter

None

Description

Use the default-login-user command to enable default Firewall login user function.

Use the undo default-login-user command to disable default Firewall login user function.

For login convenience, a user whose name and password are both SecBlade is created in the Firewall module.

By default, the Firewall login user function is enabled. That is, the user created internally in the Firewall module is allowed to log into the module.

Note: This command is configured on the Firewall module.

Example

# Disable default Firewall module login user function.

[SecBlade_FW] undo default-login-user

display secblade module

Syntax

display secblade module [sec-mod-name ]

View

Any view of the switch

Parameter

sec-mod-name: The module name.


Description

Use the display secblade module command to view the Firewall module information.

Example

# Display the Firewall module information.

[SW8800] display secblade module newsec
module newsec:
security-vlan: 10,20,30
secblade-interface: Vlan-interface192
vlan passing: 10,20,30,192
map to slot: 5

map to slot

Syntax

map to slot slot-number

undo map to slot slot-number

View

Firewall module view of the switch

Parameter

slot-number: The number of the slot where the Firewall module is located.

Description

Use the map to slot command to map the current module to the Firewall module corresponding to the slot number.

Use the undo map to slot command to cancel the mapping relation.

By default, no module is mapped to any card.

Example

# Map the current module to the Firewall module in slot 2.

[3Com-secblade-newsec] map to slot 2

secblade aggregation slot

Syntax

secblade aggregation slot slot-number

undo secblade aggregation slot slot-number

View

System view of the switch

Parameter

slot-number: The number of slot where the Firewall module is located.

Description

Use the secblade aggregation slot command to configure the Firewall module interface aggregation.


Use the undo secblade aggregation slot command to cancel the configuration.

Two internal GigabitEthernet interfaces connect the Firewall module to the switch. You can aggregate these two interfaces into a logical interface to provide broader interface bandwidth.

By default, the interfaces are not aggregated and only one GigabitEthernet interface can be used.

Note: When you use the secblade aggregation slot command to configure Firewall module interface aggregation, the Firewall module takes over resources occupied by other aggregation groups if aggregation resources are insufficient.

Example

# Set the interface aggregation for the Firewall module of slot 2.

[SW8800] secblade aggregation slot 2

secblade module

Syntax

secblade module sec-mod-name

undo secblade module sec-mod-name

View

System view of the switch

Parameter

sec-mod-name: Firewall module name, which must start with a letter or a digit.

Description

Use the secblade module command to create a Firewall module and enter the Firewall module view to configure the Firewall attribute.

Use the undo secblade module command to remove the Firewall module. You cannot remove the module if it has been mapped to a Firewall module.

Example

# Enter Firewall module View.

[SW8800] secblade module newsec
[3Com-secblade-newsec]

secblade slot

Syntax

secblade slot slot-number

View

User view of the switch

Parameter

slot-number: The number of slot where the Firewall module is located.


Description

Use the secblade slot command to log into the Firewall module.

Example

# Log into the Firewall module in slot 2.

<SW8800> secblade slot 2

secblade-interface

Syntax

secblade-interface vlan-interface interface-number

undo secblade-interface vlan-interface interface-number

View

Firewall module view of the switch

Parameter

interface-number: Number of the specified interface.

Description

Use the secblade-interface command to set an interface as a Layer 3 interface connecting the switch and SecBlade.

Use the undo secblade-interface command to cancel the configuration.

By default, the Layer 3 interface connecting the switch and SecBlade is not configured.

The VLAN to which the specified VLAN interface corresponds cannot belong to the security-vlan.

Example

# Set the VLAN interface 40 of the switch as the Layer 3 interface connecting the switch and SecBlade module.

[3Com-secblade-newsec] secblade-interface vlan-interface 40

security-vlan

Syntax

security-vlan vlan-range

undo security-vlan vlan-range

View

Firewall module view of the switch

Parameter

vlan-range: VLAN range.

Description

Use the security-vlan command to specify that all VLANs in the VLAN range are protected by SecBlade.


Use the undo security-vlan command to cancel the configuration.

By default, no VLAN is protected.

Example

# Set VLANs 10, 20 and 30 to be protected by SecBlade.

[3Com-secblade-newsec] security-vlan 10 20 30


15

AAA/RADIUS/HWTACACS CONFIGURATION COMMANDS

Note: The commands described in this document apply to the Firewall module, and not to the Switch 8800 Family switches.

AAA Configuration Commands

access-limit

Syntax

access-limit { disable | enable max-user-number }

undo access-limit

View

ISP domain view

Parameter

disable: No limit on the number of supplicants in the current ISP domain.

enable max-user-number: Specifies the maximum number of supplicants in the current ISP domain, in the range 1 to 1048.

Description

Use the access-limit command to limit the number of supplicants in the current ISP domain.

Use the undo access-limit command to restore the default setting.

By default, there is no limit on the number of supplicants in the current ISP domain.

This command limits the number of supplicants in the current ISP domain. Because supplicants compete for network resources, a suitable limit guarantees reliable performance for the existing supplicants.

Example

# Set a limit of 500 supplicants for the ISP domain 3com163.net.

[SecBlade_FW-isp-3com163.net] access-limit enable 500

accounting

Syntax

accounting { hwtacacs-scheme hwtacacs-scheme-name | radius-scheme radius-scheme-name | none }


undo accounting

View

ISP domain view

Parameter

hwtacacs-scheme hwtacacs-scheme-name: Specifies the HWTACACS scheme used for accounting.

radius-scheme radius-scheme-name: Specifies the RADIUS scheme used for accounting.

none: Indicates that no accounting scheme is adopted.

Description

Use the accounting command to configure the accounting scheme adopted by the current ISP domain.

Use the undo accounting command to delete the accounting scheme adopted by the current ISP domain.

By default, the system does not adopt any accounting scheme.

The RADIUS or HWTACACS scheme specified by the accounting command for the current ISP domain must already have been configured.

If you configure the accounting command in domain view, the accounting scheme specified by this command will be adopted. Otherwise, the accounting scheme specified by the scheme command is adopted.

Related command: scheme, radius scheme, and hwtacacs scheme.

Example

# Specify the current ISP domain, h3c163.net, to adopt the RADIUS accounting scheme radius.

[SecBlade_FW-isp-h3c163.net] accounting radius-scheme radius

# Specify the current ISP domain, h3c, to adopt the HWTACACS accounting scheme hwtac.

[SecBlade_FW-isp-h3c] accounting hwtacacs-scheme hwtac

accounting optional

Syntax

accounting optional

undo accounting optional

View

ISP domain view

Parameter

None


Description

Use the accounting optional command to enable optional accounting.

Use the undo accounting optional command to disable it.

By default, optional accounting is disabled.

With optional accounting enabled, a user who would otherwise be disconnected can still use network resources when no accounting server is available or communication with the current accounting server fails. This command is normally used for authentication without accounting.

Example

# Enable optional accounting for users in the domain 3com163.net.

[SecBlade_FW] domain 3com163.net
[SecBlade_FW-isp-3com163.net] accounting optional

authentication

Syntax

authentication { hwtacacs-scheme hwtacacs-scheme-name [ local ] | radius-scheme radius-scheme-name [ local ] | local | none }

undo authentication

View

ISP domain view

Parameter

hwtacacs-scheme hwtacacs-scheme-name: Specifies the HWTACACS scheme adopted for authentication.

radius-scheme radius-scheme-name: Specifies the RADIUS scheme adopted for authentication.

local: Local authentication scheme.

none: Indicates that no authentication scheme is adopted.

Description

Use the authentication command to configure the authentication scheme adopted by the current ISP domain.

Use the undo authentication command to restore the default authentication scheme.

By default, the local authentication scheme is adopted.

The RADIUS or HWTACACS scheme specified by the authentication command for the current ISP domain must already have been configured.


If you configure the authentication command in domain view, the authentication scheme specified by this command will be adopted. Otherwise, the authentication scheme specified by the scheme command is adopted.

When the authentication radius-scheme radius-scheme-name local command or the authentication hwtacacs-scheme hwtacacs-scheme-name local command is configured, the local authentication scheme applies as a backup scheme in case the RADIUS or TACACS server is not available. If the RADIUS or TACACS server is available, local authentication is not used.

If the local or none scheme applies as the first scheme, no RADIUS or HWTACACS scheme can be adopted.


Related command: scheme, radius scheme, hwtacacs scheme.

Example

# Specify the current ISP domain, h3c163.net, to adopt the RADIUS authentication scheme radius.

[SecBlade_FW-h3c163.net] authentication radius-scheme radius

# Specify the ISP domain, h3c, to adopt the RADIUS authentication scheme rd and the local scheme to be the backup scheme.

[SecBlade_FW-isp-h3c] authentication radius-scheme rd local

# Specify the ISP domain, h3c, to adopt the HWTACACS authentication scheme hwtac and the local scheme to be the backup scheme.

[SecBlade_FW-isp-h3c] authentication hwtacacs-scheme hwtac local

authorization

Syntax

authorization { hwtacacs-scheme hwtacacs-scheme-name | none }

undo authorization

View

ISP domain view

Parameter

hwtacacs-scheme hwtacacs-scheme-name: Specifies the HWTACACS scheme adopted for authorization.

none: Indicates that no authorization scheme is adopted.

Description

Use the authorization command to configure the authorization scheme adopted by the current ISP domain.


Use the undo authorization command to restore the default authorization scheme.

By default, the local authorization scheme is adopted.

The RADIUS or HWTACACS scheme specified by the authorization command for the current ISP domain must already have been configured.

If you configure the authorization command in domain view, the authorization scheme specified by this command will be adopted. Otherwise, the authorization scheme specified by the scheme command is adopted.

Related command: scheme, radius scheme, hwtacacs scheme.

Example

# Specify the ISP domain h3c to adopt the HWTACACS authorization scheme hwtac.

[SecBlade_FW-isp-h3c] authorization hwtacacs-scheme hwtac

display connection

Syntax

display connection [ domain isp-name | ip ip-address | mac mac-address | radius-scheme radius-scheme-name | hwtacacs-scheme hwtacacs-scheme-name | ucibindex ucib-index | user-name user-name ]

View

Any view

Parameter

domain isp-name: Displays all the user connections belonging to the ISP domain specified by isp-name, a string of up to 24 characters. The specified ISP domain must be an existing one.

ip ip-address: Displays all the user connections related to the specified IP address.

mac mac-address: Displays a user connection by its hexadecimal MAC address in the format x-x-x.

radius-scheme radius-scheme-name: Displays all the user connections of the RADIUS scheme specified by radius-scheme-name, a string of up to 32 characters.

hwtacacs-scheme hwtacacs-scheme-name: Displays all the user connections of the HWTACACS scheme specified by hwtacacs-scheme-name, a string of up to 32 characters.

ucibindex ucib-index: Displays information on a user connection by its connection index number ucib-index, in the range 0 to 7,071.

user-name user-name: Displays the connection information of a specific user. user-name is in the format pure-username@domain, where pure-username comprises up to 55 characters and domain is the domain name, consisting of up to 24 characters.


Description

Use the display connection command to view the relevant information on the specified user connection or all the connections. The output can help you troubleshoot user connections.

By default, information about all user connections is displayed.

Related command: cut connection.

Example

# Display information on the connections of the user system.

<SecBlade_FW> display connection domain system
Index=0 ,Username=hfx@system
IP=188.188.188.3
Total 1 connections matched, 1 listed.

Table 210 Description on the fields of the display connection command

Field Description

Index Index number

Username User name

IP IP address of the user

display domain

Syntax

display domain [ isp-name ]

View

Any view

Parameter

isp-name: Specifies the ISP domain name, a string of up to 24 characters. The specified ISP domain must be an existing one.

Description

Use the display domain command to view the configuration of a specified ISP domain or the summary information of all ISP domains.

If no domain name is specified, the summary information of all ISP domains is displayed.

If an ISP domain is specified, its configuration is displayed with the same content and format as the output of the display domain command. The output can help with ISP domain diagnosis and troubleshooting.

Related command: access-limit, domain, scheme, state, display domain.

Example

# Display the summaries of all ISP domains in the system.

<SecBlade_FW> display domain
0 Domain = system
State = Active
Scheme = LOCAL
Access-limit = Disable
Domain User Template:
Default Domain Name: system
Total 1 domain(s).1 listed.

Table 211 Description on the fields of the display domain command

Field Description

Domain Domain name and sequence number

State State of the domain user (active/block)

Scheme Authentication scheme for the domain user (local/RADIUS/TACACS)

Access-limit Whether to limit the number of accessed users (disable/enable)

display local-user

Syntax

display local-user [ domain isp-name | service-type { telnet | ssh | terminal | dvpn | ftp | ppp } | state { active | block } | user-name user-name ]

View

Any view

Parameter

domain isp-name: Displays all the local users in the ISP domain specified by isp-name, a string of up to 24 characters. The specified ISP domain must be an existing one.

service-type: Displays local users by service type, which can be telnet for Telnet users, ssh for SSH users, terminal for terminal users logging in from the Console or AUX port, ftp for FTP users, ppp for PPP users, or dvpn for DVPN users.

state { active | block }: Displays local users by user state, where active means the user is allowed to request network services and block means the opposite.

user-name user-name: Displays a user by its user name, a string of up to 80 characters. It must exclude forward slashes (/), colons (:), asterisks (*), question marks (?), less-than signs (<), and greater-than signs (>). The @ sign can be present once in a user name. The user name without the domain name (the part before @, namely the user ID) cannot exceed 55 characters.

Description

Use the display local-user command to view the relevant information on the specified local user or all local users. The output can help you troubleshoot faults related to local users.

By default, information on all local users is displayed.

Related command: local-user.

Example

# Display the relevant information of all the local users.

<SecBlade_FW> display local-user
The contents of local user admin:
State: Active
ServiceType Mask: T
Idle-cut: Disable
Access-limit: Disable
Current AccessNum: 0
Bind location: Disable
Vlan ID: Disable
IP address: Disable
MAC address: Disable
User Privilege: 3
The contents of local user ftpuser:
State: Active
ServiceType Mask: F
Idle-cut: Disable
Access-limit: Disable
Current AccessNum: 0
Bind location: Disable
Vlan ID: Disable
IP address: Disable
MAC address: Disable
FTP Directory: flash:
Total 2 local user(s) Matched, 2 listed.
ServiceType Mask Meaning: A--PAD C--Terminal D--DVPN F--FTP P--PPP S--SSH T-Telnet

Table 212 Description on the fields of the display local-user command

Field Description

State User state (active/block)

ServiceType Mask Abbreviation for service type

Idle-cut Idle-cut switch

Access-Limit Limit of user connections

Current AccessNum Number of the current login users

Bind location Indicates if it is bound with the port

VLAN ID VLAN for the user

IP address User IP address

MAC address User MAC address

FTP Directory Directory authorized to FTP users

User Privilege User level

domain

Syntax

domain [ isp-name | default { disable | enable isp-name } ]

undo domain isp-name

View

System view

Parameter

isp-name: Specifies an ISP domain name. It comprises up to 24 characters, excluding forward slashes (/), colons (:), asterisks (*), question marks (?), less-than signs (<), and greater-than signs (>).

default: Configures the default ISP domain. The system-default ISP domain is system.

disable: Disables the configured default ISP domain. User names received without a domain name are then refused. If you configure user names to be sent to RADIUS servers without domain names, these user names are not rejected.

enable: Enables the configured default ISP domain. It is appended to user names that are received without a domain name before they are sent to the intended AAA servers. If you configure user names to be sent to RADIUS servers without domain names, the default domain name is not appended to these user names.

Description

Use the domain command to configure an ISP domain or enter the view of an existing ISP domain.

Use the undo domain command to cancel a specified ISP domain.

By default, the system uses the domain named system. You cannot delete it, but you are allowed to modify its configuration. In addition, you can view its settings using the display domain command.

An ISP domain is a group of users belonging to the same ISP. Generally, for a username in the userid@isp-name format, userid@3com163.net for example, the isp-name ("3com163.net" in the example) following the "@" is the ISP domain name. When an AAA server controls user access, for an ISP user whose username is in userid@isp-name format, the system takes the part "userid" as the username for identification and the part "isp-name" as the domain name.

The purpose of introducing ISP domain settings is to support application environments with several ISP domains. In this case, an access device may have supplicants from different ISP domains. Because the attributes of ISP users, such as username and password structure and service types, may differ, it is necessary to separate them by setting up ISP domains. In ISP domain view, you can configure a complete set of ISP domain attributes for each ISP domain, including an AAA scheme (the RADIUS scheme applied).

For a security gateway, each supplicant belongs to an ISP domain. The system supports up to 16 ISP domains.

When this command is used, if the specified ISP domain does not exist, the system will create a new ISP domain. All the ISP domains are in the active state when they are created.

Related command: access-limit, scheme, state, and display domain.

Example

# Create a new ISP domain, 3com163.net, and enter its view.

[SecBlade_FW] domain 3com163.net
New Domain added.
[SecBlade_FW-isp-3com163.net]

ip pool

Syntax

ip pool pool-number low-ip-address [ high-ip-address ]

224 CHAPTER 15: AAA/RADIUS/HWTACACS CONFIGURATION COMMANDS

undo ip pool pool-number

View

System view, ISP domain view

Parameter

pool-number: Address pool number, ranging from 0 to 99.

low-ip-address and high-ip-address: The start and end IP addresses of the address pool. The number of addresses in between cannot exceed 1024. If the end IP address is not specified, the pool contains only one IP address, namely the start IP address.

Description

Use the ip pool command to configure a local address pool for assigning addresses to PPP users.

Use the undo ip pool command to delete the specified local address pool.

By default, no local IP address pool is configured.

You can configure an IP address pool in system view and use the remote address command in interface view to assign IP addresses from the pool to PPP users.

You can also configure an IP address pool in ISP domain view for assigning IP addresses to PPP users in the current ISP domain. This applies where an interface serves a great number of PPP users but has inadequate address resources to allocate. For example, an Ethernet interface running PPPoE can accommodate at most 4095 users, but only one address pool with up to 1024 addresses can be configured on its Virtual Template (VT), which is obviously far from what is required. To address this, you can configure address pools for ISP domains and assign addresses from them to their PPP users.

Related command: remote address.

Example

# Configure the local IP address pool 0 with the address range of 129.102.0.1 to 129.102.0.10.

[SecBlade_FW] domain 3com163.net
[SecBlade_FW-isp-3com163.net] ip pool 0 129.102.0.1 129.102.0.10

level

Syntax

level level

undo level

View

Local user view

Parameter

level: Specifies user priority level, an integer ranging from 0 to 3.


Description

Use the level command to configure user priority level.

Use the undo level command to restore the default user priority level.

By default, user priority level is 0.

Related command: local user.

If the configured authentication mode is none authentication or password authentication, the command level that a user can access after login depends on the priority of the user interface. For users employing RAS authentication, the accessible command level also depends on the priority of the user interface. In the case of authentication requiring both username and password, however, the accessible command level depends on the user priority level.

Example

# Set the priority level of the 3com user to 3.

[SecBlade_FW-luser-3com] level 3

local-user

Syntax

local-user user-name

undo local-user user-name [ service-type | level ]

undo local-user all [ service-type { ftp | ppp | ssh | telnet | terminal } ]

View

System view

Parameter

user-name: Specifies a local username with a string of up to 80 characters, excluding forward slashes (/), colons (:), asterisks (*), question marks (?), less-than signs (<), and greater-than signs (>). The @ sign can be used only once in one username. The username without domain name (the part before @, namely the user ID) cannot exceed 55 characters. user-name is case-insensitive, so UserA and usera are the same.

service-type: Service type.

all: All the users.

ftp: FTP service type.

ppp: PPP service type.

ssh: SSH service type.

telnet: Telnet service type.

terminal: Terminal service type.
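An added example, not code from the 3Com guide, that applies the local-user name rules above together with the ISP-domain rules of the domain command (userid@isp-name splitting, default domain enable/disable, names sent to RADIUS without a domain) to sample logins. The login name gw and the policy values are constructed, and the handling of a bare name when the without-domain format is configured is an assumption the guide does not spell out.

```python
from dataclasses import dataclass

# Limits taken from the local-user and domain command descriptions.
MAX_USERNAME_LEN = 80          # whole local username, including "@isp-name"
MAX_USERID_LEN = 55            # part before "@" (the user ID)
FORBIDDEN_CHARS = set("/:*?<>")
SYSTEM_DOMAIN = "system"       # domain the system uses when no other default is set


def check_local_user_name(name):
    """Return None if 'name' satisfies the local-user user-name rules, else a reason."""
    if not name or len(name) > MAX_USERNAME_LEN:
        return "length must be 1 to %d characters" % MAX_USERNAME_LEN
    bad = FORBIDDEN_CHARS & set(name)
    if bad:
        return "forbidden characters: " + "".join(sorted(bad))
    if name.count("@") > 1:
        return "'@' may appear only once"
    if len(name.split("@", 1)[0]) > MAX_USERID_LEN:
        return "user ID (part before '@') exceeds %d characters" % MAX_USERID_LEN
    return None


def same_local_user(a, b):
    """user-name is case-insensitive: UserA and usera are the same user."""
    return a.lower() == b.lower()


@dataclass
class DomainPolicy:
    default_domain: str = SYSTEM_DOMAIN   # the configured default ISP domain
    default_enabled: bool = True          # default domain enable vs disable
    radius_without_domain: bool = False   # names are sent to RADIUS without domain


def resolve_login(username, policy):
    """
    Split userid@isp-name as the ISP-domain rules describe and apply the
    default-domain policy. Returns (userid, domain, name_sent_to_aaa_server)
    or raises ValueError when the login is refused.
    """
    if username.count("@") > 1:
        raise ValueError("'@' may appear only once")
    if "@" in username:
        userid, domain = username.split("@", 1)
        # userid identifies the user; isp-name selects the domain. With the
        # without-domain format only the userid reaches the RADIUS server.
        sent = userid if policy.radius_without_domain else username
        return userid, domain, sent
    # No domain in the name.
    if policy.radius_without_domain:
        # Such names are neither refused (default disabled) nor appended
        # (default enabled). Assumption: they are handled in the default domain.
        return username, policy.default_domain, username
    if not policy.default_enabled:
        raise ValueError("no domain in username and the default domain is disabled")
    return username, policy.default_domain, username + "@" + policy.default_domain
```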


Description

Use the local-user command to add a local user and enter the local user view.

Use the undo local-user user-name command to remove the specified local user or the related attributes of the specified local user.

Use the undo local-user all command to remove all local users or all local users of a specific service type.

By default, no local user is configured.

Related command: display local-user.

Example

# Add a local user named 3com1.

[SecBlade_FW] local-user 3com1
[SecBlade_FW-luser-3com1]

local-user password-display-mode

Syntax

local-user password-display-mode { cipher-force | auto }

undo local-user password-display-mode

View

System view

Parameter

cipher-force: Forced cipher mode specifies that the passwords of all the accessed users must be displayed in cipher text.

auto: The auto mode specifies that a user is allowed to use the password command to set a password display mode.

Description

Use the local-user password-display-mode command to configure the password display mode of all the local users.

Use the undo local-user password-display-mode command to restore the default password display mode of all the local users.

If cipher-force applies, specifying simple in the password command has no effect: passwords are still displayed in cipher text.

By default, auto applies when displaying passwords of local users.

Related command: display local-user and password.

Example

# Force all the local users to have passwords displayed in cipher text.

[SecBlade_FW] local-user password-display-mode cipher-force


password

Syntax

password { simple | cipher } password

undo password

View

Local user view

Parameter

simple: Specifies to display passwords in simple text.

cipher: Specifies to display passwords in cipher text.

password: Defines a password. For the simple keyword, the password is a string of 1 to 16 characters in simple text; for the cipher keyword, the password can be a string of 1 to 16 characters in simple text, 1234567 for example, or a string of 24 characters in cipher text, (TT8F]Y5SQ=^Q‘MAF4<1!! for example.

Description

Use the password command to configure a password for a local user.

Use the undo password command to cancel the password of the local user.

If local-user password-display-mode cipher-force applies, specifying simple in this command has no effect: the password is still displayed in cipher text.

Related command: display local-user.

Example

# Set the password of the user 3com1 to 20030422, displayed in simple text.

[SecBlade_FW-luser-3com1] password simple 20030422

scheme

Syntax

scheme { radius-scheme radius-scheme-name [ local ] | hwtacacs-scheme hwtacacs-scheme-name [ local ] | local | none }

undo scheme [ radius-scheme | hwtacacs-scheme | none ]

View

ISP domain view

Parameter

radius-scheme-name: RADIUS scheme, a string of up to 32 characters

hwtacacs-scheme-name: HWTACACS scheme, a string of up to 32 characters

local: Local authentication

none: No authentication


Description

Use the scheme command to configure the AAA scheme to be referenced by the current ISP domain.

Use the undo scheme command to restore the default AAA scheme.

The default AAA scheme in the system is local.

With this command, the current ISP domain can reference a RADIUS or HWTACACS scheme that has been configured.

When the scheme radius-scheme radius-scheme-name local command or the scheme hwtacacs-scheme hwtacacs-scheme-name local command is configured, the local scheme applies as a backup only if the RADIUS or TACACS server is not available. If the RADIUS or TACACS server is available, local authentication is not used.

If the local scheme applies as the first scheme, only the local authentication is adopted, and no RADIUS or HWTACACS scheme can be adopted.

If the none scheme applies as the first scheme, no authentication is adopted, and no RADIUS or HWTACACS scheme can be adopted.

An FTP user login cannot be authenticated in none mode because an FTP server implemented with Comware does not support anonymous login.

If the scheme none command is used, the priority level of a user logged into the system is level 0.

Related command: radius scheme and hwtacacs scheme.
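An added example, not the guide's own code, that parses the argument forms of the scheme command and applies the rules described above: the local backup is consulted only when the RADIUS or HWTACACS server is unavailable, never when the server answers with a reject; none gives level 0 and cannot serve FTP. The server outcomes and the local-database result are constructed inputs.

```python
from enum import Enum


class ServerResult(Enum):
    """What the RADIUS/HWTACACS server did with the request (constructed outcomes)."""
    ACCEPT = "accept"
    REJECT = "reject"
    UNAVAILABLE = "unavailable"   # no reachable server


def parse_scheme(args):
    """
    Parse the argument string of the ISP-domain 'scheme' command, for example
    'radius-scheme rd local'. Returns (kind, scheme_name, local_backup).
    """
    toks = args.split()
    if toks and toks[0] in ("radius-scheme", "hwtacacs-scheme"):
        if len(toks) == 2:
            return toks[0], toks[1], False
        if len(toks) == 3 and toks[2] == "local":
            return toks[0], toks[1], True
    elif toks == ["local"]:
        return "local", None, False
    elif toks == ["none"]:
        return "none", None, False
    raise ValueError("unrecognised scheme: %r" % args)


def decide_login(scheme, service, server_result=None, local_ok=False):
    """
    Apply a parsed scheme to one login. 'service' is the user's service type
    ('telnet', 'ftp', ...); 'local_ok' is the constructed local-database
    verdict. Returns (accepted, note).
    """
    kind, name, local_backup = scheme
    if kind == "none":
        if service == "ftp":
            return False, "FTP cannot be authenticated in none mode (no anonymous login)"
        return True, "no authentication; user priority level 0"
    if kind == "local":
        return local_ok, "local authentication only"
    # RADIUS or HWTACACS scheme: the server's answer is final whenever it answers.
    if server_result is ServerResult.ACCEPT:
        return True, "%s %s accepted" % (kind, name)
    if server_result is ServerResult.REJECT:
        return False, "%s %s rejected; local backup not consulted" % (kind, name)
    # Server unavailable: only now may the local backup apply.
    if local_backup:
        return local_ok, "%s %s unavailable; local backup used" % (kind, name)
    return False, "%s %s unavailable; no local backup" % (kind, name)
```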

Example

# Specify the current ISP domain, 3com163.net, to use the RADIUS scheme 3Com.

[SecBlade_FW-isp-3com163.net] scheme radius-scheme 3Com

# Set the authentication scheme referenced by the ISP domain 3Com to radius-scheme "rd", using the local scheme as the backup.

[SecBlade_FW-isp-3com] scheme radius-scheme rd local

# Set the authentication scheme referenced by the ISP domain 3Com to hwtacacs-scheme "hwtac", using the local scheme as the backup.

[SecBlade_FW-isp-3com] scheme hwtacacs-scheme hwtac local

service-type

Syntax

service-type { telnet | ssh | terminal }* [ level level ]

undo service-type { telnet | ssh | terminal }*

View

Local user view


Parameter

telnet: Authorizes the user to use the Telnet service.

ssh: Authorizes the user to use the SSH service.

terminal: Authorizes the user to use the terminal service (login from the Console or AUX port).

level level: Specifies user priority. level is an integer in the range of 0 to 3.

Description

Use the service-type command to configure a service type for a particular user.

Use the undo service-type command to delete one or all service types configured for the user.

By default, no service is available for the user.

Related command: service-type ppp and service-type ftp.

Example

# Authorize the user to use the Telnet service.

[SecBlade_FW-luser-3com1] service-type telnet

service-type dvpn

Syntax

service-type dvpn

undo service-type dvpn

View

Local user view

Parameter

None

Description

Use the service-type dvpn command to authorize DVPN service to a particular user.

Use the undo service-type dvpn command to remove DVPN service authorization.

By default, DVPN service is not authorized to users.

Example

# Authorize the user to use the DVPN service.

[SecBlade_FW-luser-3com1] service-type dvpn

service-type ftp

Syntax

service-type ftp [ ftp-directory directory]


undo service-type ftp [ ftp-directory ]

View

Local user view

Parameter

ftp-directory directory: Specifies a directory accessible for the FTP user.

Description

Use the service-type ftp command to authorize the user to use FTP service and specify a directory accessible for the FTP user.

Use the undo service-type ftp command to forbid the user to use the FTP service and restore the default directory accessible for the FTP user.

By default, no service of any type is authorized to any user and anonymous FTP users are not allowed access, but a user that is granted the FTP service is authorized to access the root directory "flash:/".

Example

# Authorize the user to use the FTP service.

[SecBlade_FW-luser-3com1] service-type ftp

service-type ppp

Syntax

service-type ppp

undo service-type ppp

View

Local user view

Parameter

None

Description

Use the service-type ppp command to authorize the user to use the PPP service.

Use the undo service-type ppp command to forbid the user to use the PPP service.

By default, no service of any type is authorized to any user.

Example

# Authorize the user to use the PPP service.

[3Com-luser-3com1] service-type ppp

state

Syntax

state { active | block }

View

ISP domain view, local user view

RADIUS Protocol Configuration Commands 231

Parameter

active: Allows users in the current ISP domain, or the current local user, to request network services.

block: Blocks users in the current ISP domain, or the current local user, from requesting network services.

Description

Use the state command to configure the state of the current ISP domain or local user.

By default, both an ISP domain (in ISP domain view) and a local user (in local user view) are in the active state upon creation.

Every ISP domain can be active or blocked. If an ISP domain is active, the supplicants in it can request network services; if it is blocked, its users may not request any network service, though users currently online are not affected. The same applies to local users.

Related command: domain.

Example

# Set the state of the current ISP domain "3com163.net" to block. The supplicants in this domain cannot request for network services.

[SecBlade_FW-isp-3com163.net] state block

# Set the state of the user "3com1" to block.

[SecBlade_FW-luser-3com1] state block

RADIUS Protocol Configuration Commands

accounting optional

Syntax

accounting optional

undo accounting optional

View

RADIUS view

Parameter

None

Description

Use the accounting optional command to enable optional accounting.

Use the undo accounting optional command to disable it.

By default, the optional accounting is disabled.


With optional accounting enabled, a user who would otherwise be disconnected can continue to use network resources when no accounting server is available or communication with the current accounting server fails. This command is normally used for authentication without accounting.

Example

# Enable the optional accounting of the RADIUS scheme 3com.

[SecBlade_FW-radius-3com] accounting optional

data-flow-format

Syntax

data-flow-format data { byte | giga-byte | kilo-byte | mega-byte } packet { giga-packet | kilo-packet | mega-packet | one-packet }

undo data-flow-format

View

RADIUS view

Parameter

data: Sets data unit.

byte: Data flows are sent in bytes.

giga-byte: Data flows are sent in gigabytes.

kilo-byte: Data flows are sent in kilobytes.

mega-byte: Data flows are sent in megabytes.

packet: Sets data packet unit.

giga-packet: Data packets are sent in giga-packets.

kilo-packet: Data packets are sent in kilo-packets.

mega-packet: Data packets are sent in mega-packets.

one-packet: Data packets are sent in the units of one-packet.

Description

Use the data-flow-format command to configure the unit in which data flows are sent to a RADIUS Server.

Use the undo data-flow-format command to restore the unit to the default setting.

By default, data flows are sent in bytes and data packets in the units of one-packet.

Related command: display radius.


Example

# Send data flows and packets destined for the RADIUS server "3Com" in kilobytes and kilo-packets.

[SecBlade_FW-radius-3com] data-flow-format data kilo-byte packet kilo-packet

debugging local-server

Syntax

debugging local-server { all | error | event | packet }

undo debugging local-server { all | error | event | packet }

View

User view

Parameter

all: All debugging.

error: Error debugging.

event: Event debugging.

packet: Packet debugging.

Description

Use the debugging local-server command to enable the debugging for the local RADIUS authentication server.

Use the undo debugging local-server command to disable the debugging for the local RADIUS authentication server.

By default, the debugging for the local RADIUS authentication server is disabled.

Example

# Enable the debugging for the local RADIUS authentication server.

[SecBlade_FW] debugging local-server all
*0.9045238 3Com LS/8/EVENT-MSG:Message received. MessageType = 1
*0.9045238 3Com LS/8/PACKET:Packet Received,Code = 1
*0.9045239 3Com LS/8/PACKET:Packet Send auth pkt ,Code =

debugging radius

Syntax

debugging radius packet

undo debugging radius packet

View

User view

Parameter

packet: Enables packet debugging.


Description

Use the debugging radius command to enable RADIUS debugging.

Use the undo debugging radius command to disable RADIUS debugging.

By default, RADIUS debugging is disabled.

Example

# Enable RADIUS debugging.

<SecBlade_FW> debugging radius packet

display local-server statistics

Syntax

display local-server statistics

View

All views

Parameter

None

Description

Use the display local-server statistics command to display the statistics of the local RADIUS authentication server.

Related command: local-server.

Example

# Display the statistics of the local RADIUS authentication server.

<SecBlade_FW> display local-server statistics
The localserver packet statistics:
Receive: 82 Send: 61
Discard: 21 Receive Packet Error: 0
Auth Receive: 82 Auth Send: 61
Acct Receive: 0 Acct Send: 0

display radius

Syntax

display radius [ radius-scheme-name ]

View

Any view

Parameter

radius-scheme-name: Specifies a RADIUS scheme with a string of up to 32 characters. If no scheme is specified, all RADIUS schemes are displayed.

Description

Use the display radius command to view the configuration of the specified RADIUS scheme or of all RADIUS schemes, or to view RADIUS statistics.

By default, the configuration information about all RADIUS schemes is displayed.


Related command: radius scheme.

Example

# Display the configurations of all RADIUS schemes.

<SecBlade_FW> display radius
------------------------------------------------------------------
SchemeName = system Index=0 Type=3com
Primary Auth IP =127.0.0.1 Port=1645 State=active
Primary Acct IP =127.0.0.1 Port=1646 State=active
Second Auth IP =0.0.0.0 Port=1812 State=block
Second Acct IP =0.0.0.0 Port=1813 State=block
Auth Server Encryption Key= 3com
Acct Server Encryption Key= 3com
Accounting method = required
TimeOutValue(in second)=3 RetryTimes=3 RealtimeACCT(in minute)=12
Permitted send realtime PKT failed counts =5
Retry sending times of noresponse acct-stop-PKT =500
Quiet-interval(min) =5
Username format =without-domain
Data flow unit =Byte
Packet unit =one packet
------------------------------------------------------------------
Total 1 RADIUS scheme(s). 1 listed

Table 213 Information about RADIUS server configuration

Field: Description

SchemeName: RADIUS scheme name

Index: Index number of the RADIUS scheme

Type: Type of the RADIUS scheme

Primary Auth IP / Port / State: IP address / access port number / current state of the primary authentication server

Primary Acct IP / Port / State: IP address / access port number / current state of the primary accounting server

Second Auth IP / Port / State: IP address / access port number / current state of the secondary authentication server

Second Acct IP / Port / State: IP address / access port number / current state of the secondary accounting server

Auth Server Encryption Key: Shared key of the authentication server

Acct Server Encryption Key: Shared key of the accounting server

TimeOutValue (seconds): Duration of the RADIUS server timeout timer

Permitted send realtime PKT failed counts: The maximum number of realtime-accounting packet transmission attempts

Retry sending times of noresponse acct-stop-PKT: The maximum number of retries allowed when sending a buffered stop-accounting packet

Quiet-interval(min): The interval for the primary server to resume the active state

Username format: Format of username

Data flow unit: Unit of data flows

Packet unit: Unit of packets

display radius statistics

Syntax

display radius statistics


View

Any view

Parameter

None

Description

Use the display radius statistics command to view the statistics information on RADIUS packets. The displayed packet information can help you troubleshoot RADIUS faults.

Related command: radius scheme.

Example

# Display the statistics information on RADIUS packets.

<SecBlade_FW> display radius statistics
state statistic(total=1048):
DEAD=1047 AuthProc=0 AuthSucc=0
AcctStart=0 RLTSend=0 RLTWait=1
AcctStop=0 OnLine=1 Stop=0
StateErr=0
Received and Sent packets statistic:
Sent PKT total :38 Received PKT total:2
Resend Times Resend total
1 12
2 12
Total 24
RADIUS received packets statistic:
Code= 2,Num=1 ,Err=0
Code= 3,Num=0 ,Err=0
Code= 5,Num=1 ,Err=0
Code=11,Num=0 ,Err=0
Running statistic:
RADIUS received messages statistic:
Normal auth request , Num=13 , Err=0 , Succ=13
EAP auth request , Num=0 , Err=0 , Succ=0
Account request , Num=1 , Err=0 , Succ=1
Account off request , Num=0 , Err=0 , Succ=0
PKT auth timeout , Num=36 , Err=12 , Succ=24
PKT acct_timeout , Num=0 , Err=0 , Succ=0
Realtime Account timer , Num=0 , Err=0 , Succ=0
PKT response , Num=2 , Err=0 , Succ=2
EAP reauth_request , Num=0 , Err=0 , Succ=0
PORTAL access , Num=0 , Err=0 , Succ=0
Update ack , Num=0 , Err=0 , Succ=0
PORTAL access ack , Num=0 , Err=0 , Succ=0
Session ctrl pkt , Num=0 , Err=0 , Succ=0
RADIUS sent messages statistic:
Auth accept , Num=0
Auth reject , Num=0
EAP auth replying , Num=0
Account success , Num=0
Account failure , Num=0
Cut req , Num=0
RecError_MSG_sum:0 SndMSG_Fail_sum :0
Timer_Err :0 Alloc_Mem_Err :0
State Mismatch :0 Other_Error :0
No-response-acct-stop packet =0
Discarded No-response-acct-stop packet for buffer overflow =0

Table 214 Description on the fields for the display radius statistics command

Field:
state statistic(total=1048):
DEAD=1047 AuthProc=0 AuthSucc=0
AcctStart=0 RLTSend=0 RLTWait=1
AcctStop=0 OnLine=1 Stop=0
StateErr=0

Field:
Received and Sent packets statistic:
Sent PKT total :38 Received PKT total:2
Resend Times Resend total
1 12
2 12
Total 24
Description:
Packet statistics: total outbound packets 38, total inbound packets 2.
Retransmission number / total packets retransmitted: 1 / 12, 2 / 12, Total 24.

Field:
RADIUS received packets statistic:
Code= 2,Num=1 ,Err=0
Code= 3,Num=0 ,Err=0
Code= 5,Num=1 ,Err=0
Code=11,Num=0 ,Err=0
Description:
Statistics on the packets that the RADIUS server receives:
Code = 2, Num = 1, Err = 0: one authentication response packet received, no error packet.
Code = 3, Num = 0, Err = 0: one authentication reject packet received, no error packet.
Code = 5, Num = 1, Err = 0: one accounting response packet received, no error packet.
Code = 11, Num = 0, Err = 0: one Access-Challenge (for EAP authentication) packet received, no error packet.

Field:
Running statistic:
RADIUS received messages statistic:
Normal auth request , Num=13 , Err=0 , Succ=13
EAP auth request , Num=0 , Err=0 , Succ=0
Account request , Num=1 , Err=0 , Succ=1
Account off request , Num=0 , Err=0 , Succ=0
PKT auth timeout , Num=36 , Err=12 , Succ=24
PKT acct_timeout , Num=0 , Err=0 , Succ=0
Realtime Account timer , Num=0 , Err=0 , Succ=0
PKT response , Num=2 , Err=0 , Succ=2
EAP reauth_request , Num=0 , Err=0 , Succ=0
PORTAL access , Num=0 , Err=0 , Succ=0
Update ack , Num=0 , Err=0 , Succ=0
PORTAL access ack , Num=0 , Err=0 , Succ=0
Session ctrl pkt , Num=0 , Err=0 , Succ=0
Description:
Statistics on the information the RADIUS server receives:
Normal authentication request: Count = 13, Error = 0, Success = 0
EAP authentication request: Count = 0, Error = 0, Success = 0
Accounting request: Count = 0, Error = 0, Success = 0
Accounting stop request: Count = 0, Error = 0, Success = 0
Authentication timeout: Count = 36, Error = 0, Success = 0
Accounting timeout: Count = 0, Error = 0, Success = 0
Number of real-time accounting attempts: Count = 0, Error = 0, Success = 0
Response packet: Count = 2, Error = 0, Success = 2
EAP re-authentication request: Count = 0, Error = 0, Success = 0
PORTAL access authentication request: Count = 13, Error = 0, Success = 0
Upgrade packet: Count = 0, Error = 0, Success = 0
Session control packet
Authentication request: Count = 0, Error = 0, Success = 0

Field:
RADIUS sent messages statistic:
Auth accept , Num=0
Auth reject , Num=0
EAP auth replying , Num=0
Account success , Num=0
Account failure , Num=0
Cut req , Num=0
Description:
Statistics on the information the RADIUS server sends:
Authentication succeeds, Count = 0
Authentication rejected, Count = 0
Accounting succeeds, Count = 0
Accounting fails, Count = 0
EAP authentication response, Count = 0
Accounting succeeds, Count = 0
Accounting fails, Count = 0
Delete request, Count = 0

Field:
RecError_MSG_sum:0 SndMSG_Fail_sum :0
Timer_Err :0 Alloc_Mem_Err :0
State Mismatch :0 Other_Error :0
Description:
Number of error packets received: 0
Number of failed send attempts: 0
Time error: 0
Memory allocation error: 0
State mismatch error: 0
Other error: 0

Field:
No-response-acct-stop packet =0
Discarded No-response-acct-stop packet for buffer overflow =0

display stop-accounting-buffer

Syntax

display stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }


View

Any view

Parameter

radius-scheme radius-scheme-name: Displays information on buffered stop-accounting requests related to the RADIUS scheme specified by radius-scheme-name. It is a string not exceeding 32 characters and excluding forward slashes (/), colons (:), asterisks (*), question marks (?), less-than signs (<), and greater-than signs (>).

session-id session-id: Displays information on the buffered stop-accounting requests related to the session ID specified by session-id, a string of up to 50 characters.

time-range start-time stop-time: Displays the buffered stop-accounting requests by the time range of requests. It is specified by start-time and stop-time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd, that is, hours:minutes:seconds-months/days/years or hours:minutes:seconds-years/months/days.

user-name user-name: Displays information on the buffered stop-accounting requests by user name.

Description

Use the display stop-accounting-buffer command to view information on the stop-accounting requests buffered in the security gateway by RADIUS scheme, session ID, time range, or user name. The displayed packet information can help you troubleshoot RADIUS faults.

If the security gateway receives no response after sending a stop-accounting request to a RADIUS server, it buffers the request packet and retransmits it. The number of allowed transmission attempts can be set using the retry stop-accounting command.

Related command: reset stop-accounting-buffer, stop-accounting-buffer enable, and retry stop-accounting.

Example

# Display information on the buffered stop-accounting requests between 0:0:0 and 23:59:59 on August 31, 2002.

<SecBlade_FW> display stop-accounting-buffer time-range 0:0:0-08/31/2002 23:59:59-08/31/2002
Total find 0 record

key

Syntax

key { accounting | authentication } string

undo key { accounting | authentication }

View

RADIUS view


Parameter

accounting: Sets/Deletes a shared key for encrypting RADIUS accounting packets.

authentication: Sets/Deletes a shared key for encrypting RADIUS authentication/authorization packets.

string: Shared key, a string of up to 16 characters.

Description

Use the key command to configure a shared key for encrypting RADIUS authentication/authorization or accounting packets.

Use the undo key command to restore the default shared key.

The RADIUS client (that is, the security gateway) and the RADIUS server use the MD5 algorithm to encrypt the packets they exchange, and each end verifies the other's packets with a shared key. Only when both ends use the same key do they accept each other's packets and respond. Therefore, the same key must be set on the security gateway and on the RADIUS server. If authentication/authorization and accounting are performed on two server devices with different shared keys, you must set one shared key for each.

By default, the key for authentication/authorization packets and accounting packets is "3com".

Related command: primary accounting, primary authentication, and radius scheme.
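An added example, not 3Com code, showing what the shared-key check described above looks like on the wire: the RADIUS Response Authenticator (RFC 2865) and Accounting-Request Authenticator (RFC 2866) are MD5 digests over the packet plus the shared key, so a reply computed with one key fails verification under another. The user name, NAS address, packet identifiers and keys are constructed.

```python
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
HEADER_LEN = 20   # Code(1) Identifier(1) Length(2) Authenticator(16)


def encode_attrs(attrs):
    """Encode [(type, value_bytes), ...] as RADIUS Type/Length/Value attributes."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def _header(code, ident, attrs_bytes):
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs_bytes))


def response_authenticator(code, ident, request_auth, attrs_bytes, key):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    data = _header(code, ident, attrs_bytes) + request_auth + attrs_bytes + key
    return hashlib.md5(data).digest()


def accounting_request_authenticator(ident, attrs_bytes, key):
    """MD5(Code + ID + Length + 16 zero octets + Attributes + Secret), RFC 2866 section 3."""
    data = _header(ACCOUNTING_REQUEST, ident, attrs_bytes) + bytes(16) + attrs_bytes + key
    return hashlib.md5(data).digest()


def build_access_request(ident, attrs):
    """Client side: a fresh random Request Authenticator, returned with the packet."""
    request_auth = os.urandom(16)
    body = encode_attrs(attrs)
    return _header(ACCESS_REQUEST, ident, body) + request_auth + body, request_auth


def build_reply(code, ident, request_auth, attrs, key):
    """Server side: Access-Accept/Reject whose authenticator is bound to the key."""
    body = encode_attrs(attrs)
    auth = response_authenticator(code, ident, request_auth, body, key)
    return _header(code, ident, body) + auth + body


def build_accounting_request(ident, attrs, key):
    body = encode_attrs(attrs)
    auth = accounting_request_authenticator(ident, body, key)
    return _header(ACCOUNTING_REQUEST, ident, body) + auth + body


def verify_reply(packet, request_auth, key):
    """Client check of a server reply with the client's 'key authentication' string."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, request_auth, packet[HEADER_LEN:], key)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def verify_accounting_request(packet, key):
    """Server check of an Accounting-Request with the 'key accounting' string."""
    if len(packet) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = accounting_request_authenticator(ident, packet[HEADER_LEN:], key)
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def exchange(client_key, server_key):
    """Simulate one Access-Request/Access-Accept exchange; True only if the keys match."""
    # User-Name and NAS-IP-Address attributes (constructed values)
    attrs = [(1, b"3com1"), (4, bytes([10, 110, 1, 2]))]
    request, request_auth = build_access_request(7, attrs)
    ident = request[1]
    reply = build_reply(ACCESS_ACCEPT, ident, request_auth, [], server_key)
    return verify_reply(reply, request_auth, client_key)
```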

Example

# In the RADIUS scheme "3com", set the shared key used for encrypting authentication/authorization packets to "hello".

[SecBlade_FW-radius-3com] key authentication hello

# In the RADIUS scheme "3com", set the shared key for encrypting accounting packets to "ok".

[SecBlade_FW-radius-3com] key accounting ok

local-server

Syntax

local-server nas-ip ip-address key password

undo local-server nas-ip ip-address

View

System view

Parameter

nas-ip ip-address: NAS-IP address of the access server, in dotted decimal format.

key password: Shared key of the access server, with a character string of up to 16 characters.


Description

Use the local-server command to configure related parameters of the local RADIUS authentication server.

Use the undo local-server command to delete a configured NAS-IP address.

By default, the system creates a local RADIUS authentication server with the NAS-IP address being 127.0.0.1 and the shared key being 3com.

Note the following:

■ The device can not only serve as a RADIUS client, performing authentication management on users through the authentication/authorization server and the accounting server, but can also function as a simple RADIUS server (providing authentication and authorization).

■ If the local RADIUS authentication server function is adopted, the UDP port used for authentication/authorization must be 1645, and the UDP port used for accounting must be 1646.

■ The key configured by this command must be consistent with the key used for authentication/authorization which is configured by the key authentication command in RADIUS scheme view.

■ The device supports up to 16 network access servers, including the local RADIUS authentication server created by the system.

Related command: radius scheme, state.

Example

# For the local RADIUS authentication server, set the IP address to be 10.110.1.2 and the login password to be aabbcc.

[SecBlade_FW] local-server nas-ip 10.110.1.2 key aabbcc

nas-ip

Syntax

nas-ip ip-address

undo nas-ip

View

RADIUS view

Parameter

ip-address: IP address in dotted decimal format.

Description

Use the nas-ip command to set the source IP address of the network access server (NAS, the security gateway in this manual), so that all packets destined for the RADIUS server carry the same source IP address.

Use the undo nas-ip command to cancel the configuration.


Specifying a source address for the RADIUS packets to be transmitted can avoid the situation where the packets sent back by the RADIUS server cannot be received as the result of a physical interface failure. The address of a loopback interface is usually used as the source address.

By default, the source IP address of packets is the IP address of the output port.

Related command: display radius.

Example

# Set the source IP address that is carried in the RADIUS packets sent by the NAS (the security gateway) to 10.1.1.1.

[SecBlade_FW] radius scheme test1

[SecBlade_FW-radius-test1] nas-ip 10.1.1.1

primary accounting

Syntax

primary accounting ip-address [ port-number ]

undo primary accounting

View

RADIUS view

Parameter

ip-address: IP address in dotted decimal format. By default, in system scheme, the IP address of the primary accounting server is 127.0.0.1; in the newly added RADIUS scheme, the IP address of the primary accounting server is 0.0.0.0.

port-number: UDP port number of the primary accounting server, ranging from 1 to 65535. By default, in the system scheme, the UDP port of the primary accounting server is 1646; in a newly added RADIUS scheme, the UDP port of the primary accounting server is 1813.

Description

Use the primary accounting command to configure IP address and port number of the primary RADIUS accounting server.

Use the undo primary accounting command to restore the default IP address and port number of the primary RADIUS accounting server.

After creating a RADIUS scheme, you need to configure the IP address and UDP port of each RADIUS server (primary/secondary authentication/authorization or accounting server). The configuration of RADIUS servers is at your discretion except that there must be at least one authentication/authorization server and one accounting server. Besides, ensure that the RADIUS service port settings on the security gateway are consistent with the port settings on the RADIUS servers.

Related command: key, radius scheme, and state.


Example

# Set the IP address of the primary accounting server in the RADIUS scheme "3com" to 10.110.1.2 and use the UDP port 1813 to provide the RADIUS accounting service.

[SecBlade_FW-radius-3com] primary accounting 10.110.1.2 1813

primary authentication

Syntax

primary authentication ip-address [ port-number ]

undo primary authentication

View

RADIUS view

Parameter

ip-address: IP address in dotted decimal format. By default, in system scheme, the IP address of the primary authentication/authorization server is 127.0.0.1; in the newly added RADIUS scheme, the IP address of the primary authentication/authorization server is 0.0.0.0.

port-number: UDP port number of the primary authentication/authorization server, ranging from 1 to 65535. By default, in the system scheme, the UDP port of the primary authentication/authorization server is 1645; in a newly added RADIUS scheme, the UDP port of the primary authentication/authorization server is 1812.

Description

Use the primary authentication command to configure IP address and port number of the primary RADIUS authentication/authorization server.

Use the undo primary authentication command to restore the default IP address and port number of the primary RADIUS authentication/authorization server.

After creating a RADIUS scheme, you need to configure the IP address and UDP port of each RADIUS server (primary/secondary authentication/authorization or accounting server). The configuration of RADIUS servers is at your discretion except that there must be at least one authentication/authorization server and one accounting server. Besides, ensure that the RADIUS service port settings on the security gateway are consistent with the port settings on the RADIUS servers.

Related command: key, radius scheme, and state.

Example

# Set IP address of the primary authentication/authorization server in the RADIUS scheme "3com" to 10.110.1.1 and use the UDP port 1812 to provide the RADIUS authentication/authorization service.

[SecBlade_FW-radius-3com] primary authentication 10.110.1.1 1812


radius scheme

Syntax

radius scheme radius-scheme-name

undo radius scheme radius-scheme-name

View

System view

Parameter

radius-scheme-name: RADIUS scheme name, a string of up to 32 characters.

Description

Use the radius scheme command to configure a RADIUS scheme and enter its view.

Use the undo radius scheme command to delete the specified RADIUS scheme.

By default, the RADIUS scheme named system exists in the system, with all attributes being the defaults that are not configurable. You can use the display radius command to view the settings of the system scheme.

The RADIUS protocol is configured scheme by scheme. Every RADIUS scheme must at least specify the IP address and UDP port number of the RADIUS authentication/authorization/accounting servers and the parameters the RADIUS client (the security gateway) needs to interact with those servers. You must first create a RADIUS scheme and enter its view before you can perform RADIUS protocol configuration.

A RADIUS scheme can be referenced by several ISP domains at the same time.

The undo radius scheme command can be used to delete any RADIUS scheme except for the default one. Note that a RADIUS scheme currently being used by any online users cannot be removed.

Related command: key, retry realtime-accounting, scheme, timer realtime-accounting, stop-accounting-buffer enable, retry stop-accounting, server-type, state, user-name-format, retry, display radius and display radius statistics.

Example

# Create a RADIUS scheme named "3com" and enter its view.

[SecBlade_FW] radius scheme 3com

[SecBlade_FW-radius-3com]

radius nas-ip

Syntax

radius nas-ip ip-address

undo radius nas-ip

View

System view


Parameter

ip-address: Specifies a source IP address, which must be an address of this device. It cannot be an all-zeros address, a class D address, a network address, or an address starting with 127.

Description

Use the radius nas-ip command to specify the source address of the RADIUS packet sent from NAS.

Use the undo radius nas-ip command to restore the default setting.

By specifying the source address of the RADIUS packets, you can avoid the situation where packets returned by the server cannot be received after an interface failure. A loopback interface address is normally recommended as the source address.

By default, the source address is not specified, that is, the address of the interface sending the packet serves as the source address.

This command specifies only one source address; therefore, the newly configured source address may overwrite the original one.

Example

# Configure the security gateway to send RADIUS packets from 129.10.10.1.

[SecBlade_FW] radius nas-ip 129.10.10.1

radius trap

Syntax

radius trap { authentication-server-down | accounting-server-down }

undo radius trap { authentication-server-down | accounting-server-down }

View

System view

Parameter

authentication-server-down: RADIUS authentication server goes down.

accounting-server-down: RADIUS accounting server goes down.

Description

Use the radius trap command to configure the RADIUS server to send a trap packet when it goes down.

Use the undo radius trap command to configure the RADIUS server not to send a trap packet when it goes down.

By default, the RADIUS server does not send a trap packet when it goes down.

Example

# Configure the RADIUS server to send a trap packet when it goes down.

[SecBlade_FW] radius trap authentication-server-down


reset radius statistics

Syntax

reset radius statistics

View

User view

Parameter

None

Description

Use the reset radius statistics command to clear the statistic information related to the RADIUS protocol.

Related command: display radius.

Example

# Clear the RADIUS protocol statistics.

<SecBlade_FW> reset radius statistics

reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer { radius-scheme radius-scheme-name | session-id session-id | time-range start-time stop-time | user-name user-name }

View

System view

Parameter

radius-scheme radius-scheme-name: Clears the buffered stop-accounting requests related to the RADIUS scheme specified by radius-scheme-name, a string of up to 32 characters.

session-id session-id: Clears the buffered stop-accounting requests related to the session ID specified by session-id, a string of up to 50 characters.

time-range start-time stop-time: Clears the buffered stop-accounting requests by the time range of requests. The time range is specified by start-time and stop-time in the format of hh:mm:ss-mm/dd/yyyy or hh:mm:ss-yyyy/mm/dd, that is, hours:minutes:seconds-months/days/years or hours:minutes:seconds-years/months/days.

user-name user-name: Clears the buffered stop-accounting requests by user name.

Description

Use the reset stop-accounting-buffer command to clear the buffered stop-accounting requests that have no responses.

If receiving no response after sending a stop-accounting request to a RADIUS server, the security gateway buffers the request packet and retransmits it. The number of allowed transmission attempts can be set using the retry stop-accounting command.


You can clear the buffered stop-accounting requests by RADIUS scheme, session ID, username, or time range.

Related command: stop-accounting-buffer enable, retry stop-accounting, and display stop-accounting-buffer.

Example

# Clear the buffered stop-accounting requests related to the user "[email protected]".

<SecBlade_FW> reset stop-accounting-buffer user-name [email protected]

# Clear the buffered stop-accounting requests in the time range 0:0:0 to 23:59:59 on August 31, 2002.

<SecBlade_FW> reset stop-accounting-buffer time-range 0:0:0-08/31/2002 23:59:59-08/31/2002

retry

Syntax

retry retry-times

undo retry

View

RADIUS view

Parameter

retry-times: The maximum number of request attempts, ranging from 1 to 20.

Description

Use the retry command to configure the number of RADIUS request attempts.

Use the undo retry command to restore the default.

RADIUS runs over UDP, which provides unreliable transmission. If the NAS receives no response from the current RADIUS server when the response timeout timer expires, it has to retransmit the RADIUS request. If the number of request attempts exceeds the specified retry-times, the NAS considers the current RADIUS server disconnected and turns to another RADIUS server.

Appropriately set the retry-times parameter to maintain an acceptable system response speed.

The default number of request attempts is 3.

Related command: radius scheme.

Example

# With the RADIUS scheme "3com", a RADIUS request can be sent up to five times.

[SecBlade_FW-radius-3com] retry 5


retry realtime-accounting

Syntax

retry realtime-accounting retry-times

undo retry realtime-accounting

View

RADIUS view

Parameter

retry-times: The maximum number of real-time accounting request attempts that have no responses. It is in the range 1 to 255.

Description

Use the retry realtime-accounting command to configure the maximum number of real-time accounting request attempts allowed to have no responses.

Use the undo retry realtime-accounting command to restore the default.

A RADIUS server usually checks whether a user is online using a timeout timer. If the RADIUS server has not received a real-time accounting packet from the NAS, it considers that a line or device failure has occurred and stops accounting. Accordingly, when such an unexpected failure occurs, the user must be disconnected at the NAS end and on the RADIUS server synchronously. 3Com series security gateways let you set the maximum number of real-time accounting requests that may go unanswered: the NAS disconnects the user if it has not received a real-time accounting response from the RADIUS server for the specified number of attempts.

Suppose the response timeout timer of the RADIUS server is T and the real-time accounting interval of the NAS is t. Set T to 3, t to 12, and the maximum number of real-time request retries to 5. With these values configured, the NAS generates an accounting request every 12 minutes and retries if no response is received within 3 minutes. If no response is received after five attempts, the NAS assumes that this accounting fails. Normally, retry-times multiplied by T should be smaller than t.

The default number of real-time accounting request attempts is 5.

Related command: radius scheme and timer realtime-accounting.

Example

# Configure the RADIUS scheme "3com" to allow up to ten real-time accounting request attempts.

[SecBlade_FW-radius-3com] retry realtime-accounting 10

retry stop-accounting

Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

RADIUS view


Parameter

retry-times: Specifies the maximum number of retransmissions of a stop-accounting request, ranging from 10 to 65535.

Description

Use the retry stop-accounting command to configure the maximum number of retransmissions of a stop-accounting request.

Use the undo retry stop-accounting command to restore the number of retransmissions to the default value.

Because the stop-accounting request concerns the account balance and affects the amount charged, which is very important for both the user and the ISP, the NAS makes its best effort to deliver the message to the RADIUS accounting server. Accordingly, if a message from the security gateway to the RADIUS accounting server is not answered, the security gateway saves it in a local buffer and retransmits it until the server responds, or discards the message after transmitting it the specified number of times.

Related command: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

The default maximum number of retransmissions of a stop-accounting request is 500.

Example

# Configure the security gateway to retransmit a stop-accounting request to the server in the RADIUS scheme "3com" up to 1000 times.

[SecBlade_FW-radius-3com] retry stop-accounting 1000

secondary accounting

Syntax

secondary accounting ip-address [ port-number ]

undo secondary accounting

View

RADIUS view

Parameter

ip-address: IP address in dotted decimal format. By default, the IP address of the secondary accounting server is 0.0.0.0.

port-number: Specifies the UDP port number, ranging from 1 to 65535. By default, the accounting service is provided through UDP 1813.

Description

Use the secondary accounting command to configure the IP address and port number for the secondary RADIUS accounting server.

Use the undo secondary accounting command to restore the IP address and port number to the defaults.


For detailed information, refer to the description of the primary accounting command.

Related command: key, radius scheme, and state.

Example

# Set the IP address of the secondary accounting server in the RADIUS scheme "3com" to 10.110.1.1 and use the UDP port 1813 to provide the RADIUS accounting service.

[SecBlade_FW-radius-3com] secondary accounting 10.110.1.1 1813

secondary authentication

Syntax

secondary authentication ip-address [ port-number ]

undo secondary authentication

View

RADIUS view

Parameter

ip-address: IP address in dotted decimal format.

port-number: UDP port number, ranging from 1 to 65535. By default, the authentication/authorization service is provided through UDP port 1812.

Description

Use the secondary authentication command to configure the IP address and port number of the secondary RADIUS authentication/authorization server.

Use the undo secondary authentication command to restore the IP address and port number to the defaults.

For detailed information, refer to the description of the primary authentication command.

By default, the IP address of the secondary authentication/authorization server is 0.0.0.0.

Related command: key, radius scheme, and state.

Example

# Set IP address of the secondary authentication/authorization server in the RADIUS scheme "3com" to 10.110.1.2 and use the UDP port 1812 to provide the RADIUS authentication/authorization service.

[SecBlade_FW-radius-3com] secondary authentication 10.110.1.2 1812

server-type

Syntax

server-type { 3com | standard }

undo server-type


View

RADIUS view

Parameter

3com: Specifies a RADIUS server of the 3Com type (generally CAMS), which requires the RADIUS client (the security gateway) and the RADIUS server to interact according to the procedures and packet format defined by 3Com Corporation's private RADIUS protocol.

standard: Specifies a RADIUS server of the standard type, which requires the RADIUS client (the security gateway) and the RADIUS server to interact according to the rules and packet format of the standard RADIUS protocol (RFC 2138/2139 or newer).

Description

Use the server-type command to configure the RADIUS server type supported by the security gateway.

Use the undo server-type command to restore the default type of the RADIUS server.

By default, in system scheme, the RADIUS server type is 3com; in the newly added RADIUS scheme, the RADIUS server type is standard.

Related command: radius scheme.

Example

# Set RADIUS server type of RADIUS scheme 3com to 3com.

[SecBlade_FW-radius-3com] server-type 3com

state

Syntax

state { primary | secondary } { accounting | authentication } { block | active }

View

RADIUS view

Parameter

primary: Sets the state of the primary RADIUS server.

secondary: Sets the state of the secondary RADIUS server.

accounting: Sets the state of RADIUS accounting server.

authentication: Sets the state of RADIUS authentication/authorization server.

block: Sets the state of the RADIUS server to block.

active: Sets the state of the RADIUS server to active, namely the normal operation state.


Description

Use the state command to configure the state of a RADIUS server.

By default, in system scheme, the primary authentication/authorization and accounting servers are in active state, and the secondary authentication/authorization and accounting servers are in block state; in the newly added RADIUS scheme, all RADIUS servers are in block state.

When the primary server (accounting or authentication) in a RADIUS scheme becomes unavailable, the NAS automatically turns to the secondary server. After the primary one recovers however, the NAS does not resume the communication with it at once; instead, the NAS continues the communication with the secondary one and turns to the primary one again only after the secondary one fails. To have the NAS communicate with the primary server right after its recovery, you can manually set the state of the primary server to active.

When both the primary and secondary servers are active or blocked, the NAS only sends packets to the primary server.

Related command: radius scheme, primary authentication, secondary authentication, primary accounting, secondary accounting.

Example

# Set the state of the secondary authentication server in the RADIUS scheme "3com" to active.

[SecBlade_FW-radius-3com] state secondary authentication active
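The interaction between the retry, timer response-timeout, timer quiet and state commands is easier to see as a small model. The following Python is an added example, not 3Com code: it replays the failover sequence described above (retry-times attempts, each waiting one response timeout, then a switch to the secondary server, with the NAS staying on the secondary until an operator sets the primary active again). The reading that a server the NAS has blocked returns to active once the quiet timer expires is our assumption, and the network states passed to send() are constructed.

```python
class RadiusScheme:
    """Model of NAS-side server selection for one RADIUS scheme (added example)."""

    def __init__(self, retry=3, response_timeout=3, quiet=5):
        self.retry = retry                        # retry retry-times (1-20)
        self.response_timeout = response_timeout  # timer response-timeout, seconds (1-10)
        self.quiet = quiet * 60                   # timer quiet, minutes -> seconds
        # system-scheme defaults: primary active, secondary block
        self.state = {"primary": "active", "secondary": "block"}
        self.blocked_at = {}                      # server -> time the NAS blocked it
        self.log = []

    def set_state(self, server, state):
        """Equivalent of: state { primary | secondary } authentication { block | active }."""
        self.state[server] = state
        self.blocked_at.pop(server, None)

    def _expire_quiet(self, now):
        # Assumption: a server blocked by the NAS becomes active again after the quiet period.
        for server, when in list(self.blocked_at.items()):
            if now - when >= self.quiet:
                self.set_state(server, "active")

    def select(self, now):
        """Primary when active; otherwise secondary when active; when both are
        blocked the NAS still sends to the primary, as the description states."""
        self._expire_quiet(now)
        if self.state["primary"] == "active":
            return "primary"
        if self.state["secondary"] == "active":
            return "secondary"
        return "primary"

    def send(self, now, reachable):
        """Send one request at time `now` (seconds). `reachable` maps server -> bool
        and is the constructed network state. Returns (server that answered or
        None, seconds spent waiting on response timeouts)."""
        tried = set()
        elapsed = 0
        while True:
            server = self.select(now + elapsed)
            if server in tried:
                return None, elapsed              # no candidate answered
            tried.add(server)
            for attempt in range(1, self.retry + 1):
                if reachable.get(server, False):
                    self.log.append(f"t={now + elapsed}s {server} answered on attempt {attempt}")
                    return server, elapsed
                elapsed += self.response_timeout  # one response timeout per attempt
            # retry-times exhausted: the NAS considers this server disconnected
            self.state[server] = "block"
            self.blocked_at[server] = now + elapsed
            self.log.append(f"t={now + elapsed}s {server} blocked after {self.retry} attempts")


def run_scenario():
    """Replay the failover behaviour described for the state command."""
    scheme = RadiusScheme(retry=3, response_timeout=3, quiet=5)
    scheme.set_state("secondary", "active")    # as in the page's example
    results = [
        # primary down: 3 attempts x 3 s, then failover to the secondary
        scheme.send(0, {"primary": False, "secondary": True}),
        # primary back within the quiet period: NAS keeps using the secondary
        scheme.send(60, {"primary": True, "secondary": True}),
        # quiet timer (300 s) expired: primary is active again and preferred
        scheme.send(400, {"primary": True, "secondary": True}),
        # primary fails again, secondary takes over
        scheme.send(420, {"primary": False, "secondary": True}),
    ]
    scheme.set_state("primary", "active")      # operator forces the primary back at once
    results.append(scheme.send(440, {"primary": True, "secondary": True}))
    return results, scheme.log


if __name__ == "__main__":
    results, log = run_scenario()
    print(*log, sep="\n")
    print(results)
```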

stop-accounting-buffer enable

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

RADIUS view

Parameter

None

Description

Use the stop-accounting-buffer enable command to enable the security gateway to buffer the stop-accounting requests that have no responses.

Use the undo stop-accounting-buffer enable command to disable buffering of the stop-accounting requests that have no responses.

By default, the security gateway is enabled to buffer the stop-accounting requests that have no responses.

Since the stop-accounting packet affects the charge to a user, it is important for both users and ISPs. Therefore, the NAS makes its best effort to send every stop-accounting request to the RADIUS accounting servers. If it receives no response after a specified period of time, the NAS buffers and resends the packet until it receives a response, or discards the packet when the number of transmission retries reaches the configured limit.

Related command: reset stop-accounting-buffer, radius scheme, display stop-accounting-buffer.

Example

# In the RADIUS scheme "3Com", enable the security gateway to buffer the stop-accounting requests that have no responses.

[SecBlade_FW-radius-3com] stop-accounting-buffer enable

timer quiet

Syntax

timer quiet minutes

undo timer quiet

View

RADIUS view

Parameter

minutes: Ranges from 1 to 255.

Description

Use the timer quiet command to set the duration that the primary server must wait before it can resume the active state.

Use the undo timer quiet command to restore the default (five minutes).

By default, the primary server must wait five minutes before it can resume the active state.

Related command: display radius.

Example

# Set the quiet timer for the primary server to ten minutes.

[SecBlade_FW] radius scheme test1

[SecBlade_FW-radius-test1] timer quiet 10

timer realtime-accounting

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

RADIUS view

Parameter

minutes: Real-time accounting interval, which is a multiple of 3 in the range 3 to 60 minutes.


Description

Use the timer realtime-accounting command to configure a real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default interval.

The setting of real-time accounting interval is indispensable to real-time accounting. After an interval value is set, the NAS transmits the accounting information of online users to the RADIUS accounting server at intervals of this value.

The setting of the real-time accounting interval depends to some extent on the performance of the NAS and the RADIUS server: a shorter interval requires higher device performance. It is therefore recommended that you adopt a longer interval when there are a large number of users (1000 or more). The following table recommends the ratio of minutes to the number of users.

Table 215 Recommended ratio of minutes to the number of users

Number of users    Real-time accounting interval (minutes)
1 - 99             3
100 - 499          6
500 - 999          12
≥ 1000             ≥ 15

By default, the real-time accounting interval is 12 minutes.

Related command: retry realtime-accounting and radius scheme.

Example

# Set the real-time accounting interval in the RADIUS scheme "3com" to 51 minutes.

[SecBlade_FW-radius-3com] timer realtime-accounting 51

timer response-timeout

Syntax

timer seconds

undo timer

timer response-timeout seconds

undo timer response-timeout

View

RADIUS view

Parameter

seconds: RADIUS server response timeout timer, ranging from 1 to 10 seconds.


Description

Use the timer response-timeout command and the timer command to configure the RADIUS server response timer.

Use the undo timer command and the undo timer response-timeout command to restore the default.

If the NAS receives no response from the RADIUS server after sending a RADIUS request (authentication/authorization or accounting request) for a period, the NAS resends the request, thus ensuring the user can obtain the RADIUS service. You can specify this period by setting the RADIUS server response timeout timer using the timer command and the timer response-timeout command, taking into consideration the network condition and the desired system performance.

By default, the response timeout timer of the RADIUS server is three seconds.

Related command: radius scheme and retry.

Example

# Set the response timeout timer in the RADIUS scheme 3com to 5 seconds.

[SecBlade_FW-radius-3com] timer response-timeout 5

user-name-format

Syntax

user-name-format { with-domain | without-domain }

View

RADIUS view

Parameter

with-domain: Includes the ISP domain name in the username sent to the RADIUS server.

without-domain: Excludes the ISP domain name from the username sent to the RADIUS server.

Description

Use the user-name-format command to configure the format of the username to be sent to a RADIUS server.

By default, in system scheme, the NAS server sends user names without the ISP domain name to the RADIUS server; in the newly added RADIUS scheme, the NAS server sends user names with the ISP domain name to the RADIUS server.

The supplicants are generally named in the userid@isp-name format, of which isp-name is used by the security gateway to decide the ISP domain to which a supplicant belongs. Some earlier RADIUS servers however, cannot recognize usernames including an ISP domain name. Before sending a username including a domain name to such a RADIUS server, the security gateway must remove the domain name. This command is thus provided for you to decide whether to include a domain name in a username to be sent to a RADIUS server.


Note: If a RADIUS scheme specifies that usernames are sent without the ISP domain name, do not apply that scheme to more than one ISP domain; otherwise the RADIUS server may regard two users in different ISP domains but with the same userid as one user.

Related command: radius scheme.

Example

# Send the username without the domain name to the RADIUS servers in the RADIUS scheme "3com".

[SecBlade_FW-radius-3com] user-name-format without-domain

HWTACACS Configuration Commands

data-flow-format

Syntax

data-flow-format data { byte | giga-byte | kilo-byte | mega-byte }

data-flow-format packet { giga-packet | kilo-packet | mega-packet | one-packet }

undo data-flow-format { data | packet }

View

HWTACACS view

Parameter

data: Sets data unit.

byte: Sets ’byte’ as the unit of data flow.

giga-byte: Sets ’giga-byte’ as the unit of data flow.

kilo-byte: Sets ’kilo-byte’ as the unit of data flow.

mega-byte: Sets ’mega-byte’ as the unit of data flow.

packet: Sets data packet unit.

giga-packet: Sets ’giga-packet’ as the unit of packet flow.

kilo-packet: Sets ’kilo-packet’ as the unit of packet flow.

mega-packet: Sets ’mega-packet’ as the unit of packet flow.

one-packet: Sets ’one-packet’ as the unit of packet flow.

Description

Use the data-flow-format command to configure the unit of data flows sent to the TACACS server.


Use the undo data-flow-format command to restore the default.

By default, the data unit is byte and the data packet unit is one-packet.

Related command: display hwtacacs.

Example

# Set the unit of data flow destined for the HWTACACS server "3com" to kilo-byte and the data packet unit to kilo-packet.

[SecBlade_FW-hwtacacs-3com] data-flow-format data kilo-byte packet kilo-packet

debugging hwtacacs Syntax

debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

undo debugging hwtacacs { all | error | event | message | receive-packet | send-packet }

View

User view

Parameter

all: Specifies all HWTACACS debugging.

error: Specifies error debugging.

event: Specifies event debugging.

message: Specifies message debugging.

receive-packet: Specifies incoming packet debugging.

send-packet: Specifies outgoing packet debugging.

Description

Use the debugging hwtacacs command to enable HWTACACS debugging.

Use the undo debugging hwtacacs command to disable HWTACACS debugging.

By default, HWTACACS debugging is disabled.

Example

# Enable the event debugging of HWTACACS.

<SecBlade_FW> debugging hwtacacs event

display hwtacacs Syntax

display hwtacacs [ hwtacacs-scheme-name [ statistics ] ]


View

Any view

Parameter

hwtacacs-scheme-name: HWTACACS scheme name, a string of 1 to 32 case-insensitive characters. If no HWTACACS scheme is specified, the system displays the configuration of all HWTACACS schemes.

statistics: Displays complete statistics about HWTACACS packets.

Description

Use the display hwtacacs command to view configuration information of one or all HWTACACS schemes.

Without any parameter, the command displays the configuration information of all HWTACACS schemes.

Related command: hwtacacs scheme.

Example

# View all configuration information of the HWTACACS scheme gy.

<SecBlade_FW> display hwtacacs gy
--------------------------------------------------------------------
HWTACACS-server template name : gy
Primary-authentication-server : 172.31.1.11:49
Primary-authorization-server : 172.31.1.11:49
Primary-accounting-server : 172.31.1.11:49
Secondary-authentication-server : 0.0.0.0:0
Secondary-authorization-server : 0.0.0.0:0
Secondary-accounting-server : 0.0.0.0:0
Current-authentication-server : 172.31.1.11:49
Current-authorization-server : 172.31.1.11:49
Current-accounting-server : 172.31.1.11:49
Source-IP-address : 0.0.0.0
key authentication : 790131
key authorization : 790131
key accounting : 790131
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : No
Traffic-unit : B
Packet traffic-unit : one-packet

Table 216 Description on the fields of the display hwtacacs command

Field Description

HWTACACS-server template name HWTACACS server template name (that is, HWTACACS scheme name)

Primary-authentication-server IP address and port number of the primary authentication server

Primary-authorization-server IP address and port number of the primary authorization server

Primary-accounting-server IP address and port number of the primary accounting server

Secondary-authentication-server IP address and port number of the secondary authentication server

Secondary-authorization-server IP address and port number of the secondary authorization server

Secondary-accounting-server IP address and port number of the secondary accounting server

Current-authentication-server IP address and port number of the current authentication server

Current-authorization-server IP address and port number of the current authorization server

Current-accounting-server IP address and port number of the current accounting server

Source-IP-address Source IP address used by the router to send HWTACACS packets

key authentication Shared key of the HWTACACS authentication server

key authorization Shared key of the HWTACACS authorization server

key accounting Shared key of the HWTACACS accounting server

Quiet-interval(min) Time period for the primary server to restore its active state

Response-timeout-Interval(sec) Response timeout of the TACACS server

Domain-included Whether the username sent to the TACACS server includes the ISP domain name

Traffic-unit Traffic unit:

B: Data are sent in bytes.

GB: Data are sent in gigabytes.

KB: Data are sent in kilobytes.

MB: Data are sent in megabytes.

Packet traffic-unit Packet unit:

giga-packet: Data packets are sent in giga-packets.

kilo-packet: Data packets are sent in kilo-packets.

mega-packet: Data packets are sent in mega-packets.

one-packet: Data packets are sent in single packets.

display stop-accounting-buffer

Syntax

display stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name

View

Any view

Parameter

hwtacacs-scheme hwtacacs-scheme-name: Displays information on the buffered stop-accounting requests related to the HWTACACS scheme specified by hwtacacs-scheme-name, a string of up to 32 characters.

Description

Use the display stop-accounting-buffer command to view information on the stop-accounting requests buffered in the security gateway.

Related command: reset stop-accounting-buffer, stop-accounting-buffer enable, and retry stop-accounting.

Example

# Display information on the buffered stop-accounting requests related to the HWTACACS scheme "3com".

<SecBlade_FW> display stop-accounting-buffer hwtacacs-scheme 3com
-------------------------------------------------------------
NO. SendTime IP Address Template
1 10 172.31.1.27 3com
-------------------------------------------------------------
Whole accounting stop packet to resend:1

Table 217 Description on the fields of the display stop-accounting-buffer command

Field Description

NO. Sequence number of the stop-accounting request packet

SendTime Number of the stop-accounting request packets

IP Address IP address of the TACACS server

Template Name of the HWTACACS authentication scheme

hwtacacs nas-ip Syntax

hwtacacs nas-ip ip-address

undo hwtacacs nas-ip

View

System view

Parameter

ip-address: Specifies a source IP address, which must be an address of this device. It cannot be the all-zeros address, a class D address, a network address, or an address starting with 127.

Description

Use the hwtacacs nas-ip command to specify the source address of the HWTACACS packets sent from the NAS.

Use the undo hwtacacs nas-ip command to restore the default setting.

Specifying the source address of HWTACACS packets avoids the situation where packets returned by the server cannot be received because the egress interface has failed. A loopback interface address is normally recommended as the source address.

By default, the source address is not specified, that is, the address of the interface sending the packet serves as the source address.

This command specifies only one source address; therefore, a newly configured source address overwrites the original one.


Example

# Configure the security gateway to send hwtacacs packets from 129.10.10.1.

[SecBlade_FW] hwtacacs nas-ip 129.10.10.1

hwtacacs scheme Syntax

hwtacacs scheme hwtacacs-scheme-name

undo hwtacacs scheme hwtacacs-scheme-name

View

System view

Parameter

hwtacacs-scheme-name: Specifies an HWTACACS server scheme, with a character string of 1 to 32 characters.

Description

Use the hwtacacs scheme command to enter HWTACACS Server view. If the specified HWTACACS server scheme does not exist, you can create a new HWTACACS scheme.

Use the undo hwtacacs scheme command to delete an HWTACACS scheme.

Example

# Create an HWTACACS scheme named "test1" and enter the relevant HWTACACS scheme view.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1]

key Syntax

key { accounting | authentication | authorization } string

undo key { accounting | authentication | authorization } string

View

HWTACACS view

Parameter

accounting: Shared key of the accounting server.

authentication: Shared key of the authentication server.

authorization: Shared key of the authorization server.

string: The shared key, a string of up to 16 characters.

Description

Use the key command to configure a shared key for HWTACACS authentication, authorization or accounting.


Use the undo key command to delete the configuration.

By default, no key is set for any TACACS server.

The TACACS client (the security gateway) and the TACACS server use the MD5 algorithm to encrypt the packets they exchange, and each end verifies the other's packets with a shared key. Only when the same key is used at both ends can each accept the other's packets and respond. Therefore, make sure the same key is set on the security gateway and the TACACS server. If authentication/authorization and accounting are performed on two server devices with different shared keys, you must set a shared key for each.

Related command: display hwtacacs.

Example

# Use hello as the shared key for HWTACACS accounting.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] key accounting hello
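The shared-key mechanism described above, as an added example (not 3Com's code): in RFC 8907 TACACS+ terms the MD5 "encryption" is an MD5-derived pseudo-pad XORed over the packet body, with no integrity check, so a peer holding a different key simply recovers a body that does not parse; that is what "accept the packets" amounts to in practice. The example assumes HWTACACS uses the same 12-byte header and pad as TACACS+; the helper names, the user alice and the keys hello/hell0 are constructed.

```python
import hashlib
import struct

# Assumption, not from the manual: HWTACACS reuses the TACACS+ packet layout of
# RFC 8907: a 12-byte cleartext header and a body XORed with an MD5 pseudo-pad.
HEADER_FMT = "!BBBBII"      # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)
VERSION = 0xC0              # major 0xC, minor 0x0
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01     # body sent in the clear; a misconfiguration to alert on


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5_1 = MD5(session_id||key||version||seq_no); MD5_n appends MD5_(n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation and de-obfuscation are the same XOR; there is no MAC."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, port: str, rem_addr: str, data: bytes = b"") -> bytes:
    """Authentication START: 8 fixed bytes, then user, port, rem_addr, data."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = bytes([0x01, 1, 0x01, 0x01,          # action LOGIN, priv_lvl 1, ASCII, LOGIN
                   len(u), len(p), len(r), len(data)])
    return fixed + u + p + r + data


def parse_authen_start(body: bytes):
    """Return the START fields, or None when the four lengths do not add up,
    which is what a body recovered with the wrong shared key looks like."""
    if len(body) < 8 or 8 + sum(body[4:8]) != len(body):
        return None
    fields, off = [], 8
    for n in body[4:8]:
        fields.append(body[off:off + n])
        off += n
    return {"action": body[0], "priv_lvl": body[1], "authen_type": body[2],
            "service": body[3], "user": fields[0].decode(errors="replace"),
            "port": fields[1].decode(errors="replace"),
            "rem_addr": fields[2].decode(errors="replace"), "data": fields[3]}


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1, flags: int = 0) -> bytes:
    """NAS side: cleartext header followed by the padded body (unless FLAG_UNENCRYPTED)."""
    header = struct.pack(HEADER_FMT, VERSION, TYPE_AUTHEN, seq_no, flags, session_id, len(body))
    if flags & FLAG_UNENCRYPTED:
        return header + body
    return header + xor_body(body, session_id, key, VERSION, seq_no)


def decode_packet(packet: bytes, key: bytes):
    """Server side: undo the pad with *its* key and parse. Returns
    (fields or None, True if the packet declared itself unencrypted)."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    payload = packet[HEADER_LEN:HEADER_LEN + length]
    clear = bool(flags & FLAG_UNENCRYPTED)
    if len(payload) != length:
        return None, clear
    body = payload if clear else xor_body(payload, session_id, key, version, seq_no)
    return parse_authen_start(body), clear


def key_mismatch_demo(nas_key: bytes = b"hello", server_key: bytes = b"hell0"):
    """Constructed sample: one START packet decoded with the matching key and
    with a key that differs in a single character."""
    pkt = build_packet(authen_start_body("alice", "vty0", "10.1.1.1"), 0x12345678, nas_key)
    good, _ = decode_packet(pkt, nas_key)
    bad, _ = decode_packet(pkt, server_key)
    return good, bad
```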

nas-ip Syntax

nas-ip ip-address

undo nas-ip

View

HWTACACS view

Parameter

ip-address: IP address in dotted decimal format.

Description

Use the nas-ip command to have all the HWTACACS packets sent by the NAS (the security gateway) carry the same source address.

Use the undo nas-ip command to delete the setting.

Specifying a source address for the HWTACACS packets to be transmitted can avoid the situation where the packets sent back by the TACACS server cannot be received as the result of a physical interface failure. The address of a loopback interface is usually used as the source address.

By default, the source IP address of an HWTACACS packet sent by the NAS is the IP address of the output port.

Related command: display hwtacacs.

Example

# Set the source IP address carried in the HWTACACS packets that are sent by the NAS to 10.1.1.1.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] nas-ip 10.1.1.1


primary accounting Syntax

primary accounting ip-address [ port ]

undo primary accounting

View

HWTACACS view

Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.

port: Port number of the server, which is in the range 1 to 65,535 and defaults to 49.

Description

Use the primary accounting command to configure a primary TACACS accounting server.

Use the undo primary accounting command to delete the configured primary TACACS accounting server.

By default, the IP address of the TACACS accounting server is 0.0.0.0.

You are not allowed to assign the same IP address to both the primary and secondary accounting servers.

You can configure only one primary accounting server in an HWTACACS scheme. If you use this command repeatedly, the latest configuration replaces the previous one.

You can remove an accounting server only when it is not being used by any active TCP connection, and the removal affects only packets sent afterwards.

Example

# Configure a primary accounting server.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] primary accounting 10.163.155.12 49

primary authentication Syntax

primary authentication ip-address [ port ]

undo primary authentication

View

HWTACACS view

Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.


port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.

Description

Use the primary authentication command to configure a primary TACACS authentication server.

Use the undo primary authentication command to delete the configured authentication server.

By default, the IP address of the TACACS authentication server is 0.0.0.0.

You are not allowed to assign the same IP address to both the primary and secondary authentication servers.

You can configure only one primary authentication server in an HWTACACS scheme. If you use this command repeatedly, the latest configuration replaces the previous one.

You can remove an authentication server only when it is not being used by any active TCP connection, and the removal affects only packets sent afterwards.

Related command: display hwtacacs.

Example

# Configure a primary authentication server.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] primary authentication 10.163.155.13 49

primary authorization Syntax

primary authorization ip-address [ port ]

undo primary authorization

View

HWTACACS view

Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.

port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.

Description

Use the primary authorization command to configure a primary TACACS authorization server.

Use the undo primary authorization command to delete the configured primary authorization server.


By default, the IP address of the TACACS authorization server is 0.0.0.0.

If TACACS authentication is configured for a user but no TACACS authorization server is configured, the user cannot log in, whatever the user type.

You are not allowed to assign the same IP address to both the primary and secondary authorization servers.

You can configure only one primary authorization server in an HWTACACS scheme. If you use this command repeatedly, the latest configuration replaces the previous one.

You can remove an authorization server only when it is not being used by any active TCP connection, and the removal affects only packets sent afterwards.

Related command: display hwtacacs.

Example

# Configure a primary authorization server.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] primary authorization 10.163.155.13 49

reset hwtacacs statistics Syntax

reset hwtacacs statistics { accounting | authentication | authorization | all }

View

User view

Parameter

accounting: Clears all the HWTACACS accounting statistics.

authentication: Clears all the HWTACACS authentication statistics.

authorization: Clears all the HWTACACS authorization statistics.

all: Clears all statistics.

Description

Use the reset hwtacacs statistics command to clear HWTACACS protocol statistics.

Related command: display hwtacacs.

Example

# Clear all HWTACACS protocol statistics.

<SecBlade_FW> reset hwtacacs statistics

reset stop-accounting-buffer

Syntax

reset stop-accounting-buffer hwtacacs-scheme hwtacacs-scheme-name


View

User view

Parameter

hwtacacs-scheme hwtacacs-scheme-name: Deletes from the buffer the stop-accounting requests associated with the specified HWTACACS scheme. hwtacacs-scheme-name is the HWTACACS scheme name, a string of up to 32 characters.

Description

Use the reset stop-accounting-buffer command to clear the stop-accounting requests that have no response and are buffered on the security gateway.

Related command: stop-accounting-buffer enable, retry stop-accounting, display stop-accounting-buffer.

Example

# Delete the buffered stop-accounting requests that are related to the HWTACACS scheme "3com".

<SecBlade_FW> reset stop-accounting-buffer hwtacacs-scheme 3com

retry stop-accounting Syntax

retry stop-accounting retry-times

undo retry stop-accounting

View

HWTACACS view

Parameter

retry-times: The maximum number of stop-accounting request attempts, in the range 1 to 300.

Description

Use the retry stop-accounting command to enable stop-accounting packet retransmission and configure the maximum number of stop-accounting request attempts.

Use the undo retry stop-accounting command to restore the default setting.

By default, stop-accounting packet retransmission is enabled and up to 100 packets are allowed to be transmitted for each request.

Related command: reset stop-accounting-buffer, hwtacacs scheme, and display stop-accounting-buffer.

Example

# Enable stop-accounting packet retransmission and allow up to 50 packets to be transmitted for each request.

[SecBlade_FW-hwtacacs-test] retry stop-accounting 50


secondary accounting Syntax

secondary accounting ip-address [ port ]

undo secondary accounting

View

HWTACACS view

Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.

port: Port number of the server, which is in the range 1 to 65,535 and defaults to 49.

Description

Use the secondary accounting command to configure a secondary TACACS accounting server.

Use the undo secondary accounting command to delete the configured secondary TACACS accounting server.

By default, the IP address of the TACACS accounting server is 0.0.0.0.

You are not allowed to assign the same IP address to both the primary and secondary accounting servers.

You can configure only one secondary accounting server in an HWTACACS scheme. If you use this command repeatedly, the latest configuration replaces the previous one.

You can remove an accounting server only when it is not being used by any active TCP connection, and the removal affects only packets sent afterwards.

Example

# Configure a secondary accounting server.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] secondary accounting 10.163.155.12 49

secondary authentication

Syntax

secondary authentication ip-address [ port ]

undo secondary authentication

View

HWTACACS view

Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.


port: Port number of the server, which is in the range 1 to 65,535 and defaults to 49.

Description

Use the secondary authentication command to configure a secondary TACACS authentication server.

Use the undo secondary authentication command to delete the configured secondary authentication server.

By default, the IP address of the TACACS authentication server is 0.0.0.0.

You are not allowed to assign the same IP address to both the primary and secondary authentication servers.

You can configure only one secondary authentication server in an HWTACACS scheme. If you use this command repeatedly, the latest configuration replaces the previous one.

You can remove an authentication server only when it is not being used by any active TCP connection, and the removal affects only packets sent afterwards.

Related command: display hwtacacs.

Example

# Configure a secondary authentication server.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] secondary authentication 10.163.155.13 49

secondary authorization Syntax

secondary authorization ip-address [ port ]

undo secondary authorization

View

HWTACACS view

Parameter

ip-address: IP address of the server, a valid unicast address in dotted decimal format.

port: Port number of the server, which is in the range 1 to 65535 and defaults to 49.

Description

Use the secondary authorization command to configure a secondary TACACS authorization server.

Use the undo secondary authorization command to delete the configured secondary authorization server.

By default, the IP address of the TACACS authorization server is 0.0.0.0.


You are not allowed to assign the same IP address to both the primary and secondary authorization servers.

You can configure only one secondary authorization server in an HWTACACS scheme. If you use this command repeatedly, the latest configuration replaces the previous one.

You can remove an authorization server only when it is not being used by any active TCP connection, and the removal affects only packets sent afterwards.

Related command: display hwtacacs.

Example

# Configure the secondary authorization server.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] secondary authorization 10.163.155.13 49

stop-accounting-buffer enable

Syntax

stop-accounting-buffer enable

undo stop-accounting-buffer enable

View

HWTACACS view

Parameter

None

Description

Use the stop-accounting-buffer enable command to buffer the stop-accounting request packets with no response on the security gateway.

Use the undo stop-accounting-buffer enable command to forbid buffering the stop-accounting request packets with no response on the security gateway.

By default, the stop-accounting request packets with no response can be buffered on the security gateway.

For the detailed description, refer to the stop-accounting-buffer enable command in the RADIUS scheme.

Example

# For the server in the HWTACACS scheme named "3com", allow the stop-accounting request packets with no response to be buffered on the security gateway system.

[3Com-hwtacacs-test] stop-accounting-buffer enable

timer quiet Syntax

timer quiet minutes


undo timer quiet

View

HWTACACS view

Parameter

minutes: Ranges from 1 to 255 minutes.

Description

Use the timer quiet command to set the duration that a primary server must wait before it can resume the active state.

Use the undo timer quiet command to restore the default (five minutes).

By default, the primary server must wait five minutes before it resumes the active state.

Related command: display hwtacacs.

Example

# Set the quiet timer for the primary server to ten minutes.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] timer quiet 10

timer realtime-accounting

Syntax

timer realtime-accounting minutes

undo timer realtime-accounting

View

HWTACACS view

Parameter

minutes: Real-time accounting interval, which is a multiple of 3 in the range 3 to 60 minutes.

Description

Use the timer realtime-accounting command to configure a real-time accounting interval.

Use the undo timer realtime-accounting command to restore the default interval.

A real-time accounting interval is necessary for real-time accounting. After an interval is set, the NAS transmits the accounting information of online users to the TACACS accounting server at that interval.

The setting of the real-time accounting interval depends on the performance of the NAS and the TACACS server: a shorter interval requires higher device performance. You are therefore recommended to adopt a longer interval when there are a large number of users (1000 or more). Table 218 gives the recommended interval for each number of users.

Table 218 Recommended ratio of minutes to the number of users

Number of users Real-time accounting interval (minute)

1 - 99 3

100 - 499 6

500 - 999 12

≥ 1000 ≥ 15

By default, the real-time accounting interval is 12 minutes.

Related command: retry realtime-accounting and radius scheme.

Example

# Set the real-time accounting interval in the HWTACACS scheme "3com" to 51 minutes.

[SecBlade_FW-hwtacacs-3com] timer realtime-accounting 51

timer response-timeout Syntax

timer response-timeout seconds

undo timer response-timeout

View

HWTACACS view

Parameter

seconds: Ranges from 1 to 300 seconds.

Description

Use the timer response-timeout command to set the response timeout timer of the TACACS server.

Use the undo timer response-timeout command to restore the default (five seconds).

By default, the response timeout timer of the TACACS server is five seconds.

Note: Because HWTACACS runs over TCP, either the server response timeout or the TCP timeout can cause the connection to the TACACS server to be torn down.

Related command: display hwtacacs.

Example

# Set the response timeout time of the TACACS server to 30 seconds.

[SecBlade_FW] hwtacacs scheme test1
[SecBlade_FW-hwtacacs-test1] timer response-timeout 30


user-name-format Syntax

user-name-format { with-domain | without-domain }

View

HWTACACS view

Parameter

with-domain: Specifies to send the username with the domain name to the TACACS server.

without-domain: Specifies to send the username without domain name to the TACACS server.

Description

Use the user-name-format command to configure the username format sent to the TACACS server.

By default, an HWTACACS scheme sends the username to the TACACS server with the ISP domain name included.

Supplicants are generally named in the userid@isp-name format. The part following the @ sign is the ISP domain name, according to which the security gateway assigns a user to the corresponding ISP domain. However, some earlier TACACS servers reject usernames that include an ISP domain name. In this case the username must be sent to the TACACS server with its domain name removed. The security gateway therefore provides this command to decide whether the username is sent to the TACACS server with or without the ISP domain name.

Note: If an HWTACACS scheme is configured to send usernames without the ISP domain name, the scheme must not be used by more than one ISP domain at the same time. Otherwise the TACACS server will mistakenly treat two users in different ISP domains as the same user if they have the same username (their respective domain names excluded).

Related command: hwtacacs scheme.

Example

# Specify to send the username without domain name to the HWTACACS scheme "3com".

[SecBlade_FW-hwtacacs-3com] user-name-format without-domain
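The constraints this chapter states for an HWTACACS scheme (primary and secondary servers may not share an address, a shared key of at most 16 characters, the hwtacacs nas-ip address rules, the timer and retry ranges, the Table 218 real-time accounting recommendation, an authentication server without an authorization server, and the without-domain warning above) gathered into one configuration check, as an added example rather than 3Com's code. The HwtacacsScheme attributes and the domain-to-scheme binding model are this example's own assumptions; the sample values are the chapter's example addresses and the key "hello".

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List

# Model of one HWTACACS scheme as this chapter's commands define it. Attribute
# names are this example's own; the limits are the ones the manual states.
ROLES = ("authentication", "authorization", "accounting")

@dataclass
class HwtacacsScheme:
    name: str
    primary: Dict[str, str] = field(default_factory=dict)    # role -> server IP
    secondary: Dict[str, str] = field(default_factory=dict)  # role -> server IP
    keys: Dict[str, str] = field(default_factory=dict)       # role -> shared key
    nas_ip: str = ""                       # "" = not specified (egress address used)
    user_name_format: str = "with-domain"  # manual default: domain included
    timer_quiet: int = 5                   # minutes, 1..255
    timer_response_timeout: int = 5        # seconds, 1..300
    timer_realtime_accounting: int = 12    # minutes, multiple of 3 in 3..60
    retry_stop_accounting: int = 100       # 1..300

# (attribute, upper bound, unit) for the plain 1..N parameters
RANGES = (("timer_quiet", 255, "minutes"), ("timer_response_timeout", 300, "seconds"),
          ("retry_stop_accounting", 300, "attempts"))

def recommended_realtime_interval(users: int) -> int:
    """Table 218: smallest recommended real-time accounting interval (minutes)."""
    if users < 100:
        return 3
    if users < 500:
        return 6
    return 12 if users < 1000 else 15

def check_nas_ip(ip: str, device_addresses: List[str]) -> List[str]:
    """hwtacacs nas-ip: an address of this device, not all zeros, not class D,
    not 127.x.x.x (the network-address rule needs a prefix length; not checked)."""
    addr = IPv4Address(ip)
    problems = []
    if addr.is_unspecified or addr.is_multicast or addr.is_loopback:
        problems.append(f"nas-ip {ip}: all zeros, class D or 127.x.x.x not allowed")
    if ip not in device_addresses:
        problems.append(f"nas-ip {ip} is not an address of this device")
    return problems

def check_scheme(s: HwtacacsScheme, device_addresses: List[str], users: int = 0) -> List[str]:
    """Return every violation of the constraints stated in this chapter."""
    f: List[str] = []
    for role in ROLES:
        pri, sec = s.primary.get(role), s.secondary.get(role)
        if pri and sec and pri == sec:
            f.append(f"{role}: primary and secondary servers share {pri}")
        if (pri or sec) and role not in s.keys:
            f.append(f"{role}: server configured but no shared key set")
        if len(s.keys.get(role, "")) > 16:
            f.append(f"{role}: shared key exceeds 16 characters")
    has_authen = s.primary.get("authentication") or s.secondary.get("authentication")
    has_author = s.primary.get("authorization") or s.secondary.get("authorization")
    if has_authen and not has_author:
        f.append("authentication without an authorization server: users cannot log in")
    if s.nas_ip:
        f.extend(check_nas_ip(s.nas_ip, device_addresses))
    for attr, hi, unit in RANGES:
        if not 1 <= getattr(s, attr) <= hi:
            f.append(f"{attr.replace('_', ' ')} must be 1 to {hi} {unit}")
    rt = s.timer_realtime_accounting
    if not (3 <= rt <= 60 and rt % 3 == 0):
        f.append("timer realtime-accounting must be a multiple of 3 in 3 to 60 minutes")
    elif users and rt < recommended_realtime_interval(users):
        f.append(f"realtime-accounting {rt} min is below the Table 218 value for {users} users")
    return f

def check_domain_bindings(schemes: Dict[str, HwtacacsScheme],
                          bindings: Dict[str, str]) -> List[str]:
    """bindings: ISP domain name -> scheme name (a hypothetical binding model).
    A without-domain scheme shared by several ISP domains makes the TACACS
    server see two different users with the same userid as one user."""
    by_scheme: Dict[str, List[str]] = {}
    for domain, scheme in bindings.items():
        by_scheme.setdefault(scheme, []).append(domain)
    f = []
    for name, domains in by_scheme.items():
        s = schemes.get(name)
        if s and s.user_name_format == "without-domain" and len(domains) > 1:
            f.append(f"scheme {name} strips the domain but serves {sorted(domains)}")
    return f

def demo() -> List[str]:
    """Constructed sample built from the chapter's own example values."""
    test1 = HwtacacsScheme(
        name="test1",
        primary={"authentication": "10.163.155.13", "authorization": "10.163.155.13",
                 "accounting": "10.163.155.12"},
        secondary={"accounting": "10.163.155.12"},  # same as primary: not allowed
        keys={"accounting": "hello"},
        nas_ip="10.1.1.1",
        user_name_format="without-domain",
        timer_realtime_accounting=6,
    )
    return (check_scheme(test1, device_addresses=["10.1.1.1"], users=1200)
            + check_domain_bindings({"test1": test1}, {"isp-a": "test1", "isp-b": "test1"}))
```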


16

ACCESS CONTROL LIST CONFIGURATION COMMANDS

ACL Configuration Commands

acl Syntax

acl number acl-number [ match-order { config | auto } ]

undo acl { number acl-number | all }

View

System View

Parameter

number: Defines a numbered access control list (ACL).

acl-number: ACL number, with the range 1000 to 1999 for interface-based ACLs, 2000 to 2999 for basic ACLs, 3000 to 3999 for advanced ACLs, and 4000 to 4999 for MAC-based ACLs.

match-order: Specifies the order in which the rules are matched.

config: Matches the rules in the order in which the user configured them.

auto: Matches the rules in automatic order, according to the "depth first" principle.

all: Deletes all ACLs.

Description

Use the acl command to create an access control list and enter ACL view.

Use the undo acl command to delete an access control list.

An access control list consists of a list of rules, each described by a permit or deny statement; several such rules form an ACL. Before configuring rules for an access control list, you must create the access control list first.

Example

# Create an ACL numbered 2000.

[SecBlade_FW] acl number 2000
[SecBlade_FW-acl-basic-2000]


description Syntax

description text

undo description

View

ACL view

Parameter

text: ACL description, a string of up to 127 characters.

Description

Use the description command to add description to an ACL.

Use the undo description command to delete the description of the ACL.

Example

# Add description to ACL 2001.

[SecBlade_FW-acl-basic-2001] description Deny HTTP from host 10.0.0.1

display acl Syntax

display acl { all | acl-number }

View

Any view

Parameter

all: All ACL rules.

acl-number: ACL expressed by number.

Description

Use the display acl command to view the rules of access control list.

The rule match order defaults to config, that is, the configuration order. When that order applies, the display command shows no match-order information; when the match order auto applies, the display command shows it.

Example

# Display the rules of ACL 2000.

[SecBlade_FW-acl-basic-2000] display acl 2000
Basic ACL 2000, 2 rules,
rule 1 permit (0 times matched)
rule 2 permit source 1.1.1.1 0 (0 times matched)

reset acl counter Syntax

reset acl counter { all | acl-number }

View

User View


Parameter

acl-number: ACL expressed by number.

all: All ACL rules.

Description

Use the reset acl counter command to clear the statistics of access control list.

Example

# Reset the statistics of access control list 1000.

<SecBlade_FW> reset acl counter 1000

rule Syntax

1 Create or delete a rule of a basic access control list.

rule [ rule-id ] { permit | deny } [ source sour-addr sour-wildcard | any ] [ time-range time-name ] [ logging ] [ fragment ]

undo rule rule-id [ source ] [ time-range ] [ logging ] [ fragment ]

2 Create or delete a rule of an advanced access control list.

rule [ rule-id ] { permit | deny } protocol [ source source-addr source-wildcard | any ] [ destination dest-addr dest-wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination-port operator port1 [ port2 ] ] [ icmp-type { icmp-message | icmp-type icmp-code } ] [ dscp dscp ] [ established ] [ precedence precedence ] [ tos tos ] [ time-range time-name ] [ logging ] [ fragment ]

undo rule rule-id [ source ] [ destination ] [ source-port ] [ destination-port ] [ icmp-type ] [ dscp ] [ precedence ] [ tos ] [ time-range ] [ logging ] [ fragment ]

3 Create or delete a rule of an interface-based ACL.

rule [ rule-id ] { permit | deny } interface { interface-type interface-number | any } [ time-range time-name ] [ logging ]

undo rule rule-id [ time-range | logging ] *

4 Create or delete a rule of a MAC-based ACL.

rule [ rule-id ] { deny | permit } [ type type-code type-mask | lsap lsap-code lsap-mask ] [ source-mac sour-addr sour-mask ] [ dest-mac dest-addr dest-mask ]

undo rule rule-id

View

ACL view

Parameter

In the rule command:


rule-id: ID of an ACL rule, optional, ranging from 0 to 65534. If you specify a rule-id and a rule with that ID already exists, the newly defined rule overwrites the existing rule, which is equivalent to editing it. If the specified rule-id does not exist, a new rule with that ID is created. If you do not specify a rule-id, a new rule is created and the system assigns it a rule-id automatically.

deny: Discards matched packets.

permit: Permits matched packets.

protocol: Protocol type over IP expressed by name or number. The number range is from 0 to 255, and the name range covers GRE, ICMP, IGMP, IP, IPINIP, OSPF, TCP and UDP.

source: Optional, specifies the source address information of the ACL rule. If it is not configured, any source address matches.

sour-addr: Source IP address of packets in dotted decimal format.

sour-wildcard: Source address wildcard in dotted decimal format.

destination: Optional, specifies the destination address information of the ACL rule. If it is not configured, any destination address matches.

dest-addr: Destination IP address of packets in dotted decimal format.

dest-wildcard: Destination address wildcard in dotted decimal format.

any: Represents the source or destination address 0.0.0.0 with the wildcard 255.255.255.255.

icmp-type: Optional, specifies the ICMP message type and message code to match; valid only when the protocol is ICMP. If it is not configured, any ICMP packet matches.

icmp-type: ICMP message type, a number ranging from 0 to 255. ICMP packets can be filtered according to message type.

icmp-code: ICMP message code, a number ranging from 0 to 255. ICMP packets filtered according to message type can additionally be filtered according to message code.

icmp-message: Name of an ICMP message, which stands for a message type, or a type and code, so that ICMP packets can be filtered by name instead of by number.

source-port: Optional, specify source port information of UDP or TCP packets, valid only when the protocol specified by the rule is TCP or UDP. If it is not specified, it indicates that any source port information of TCP/UDP packets matches.

destination-port: Optional, specify destination port information of UDP or TCP packets, valid only when the protocol specified by the rule is TCP or UDP. If it is not specified, it indicates that any destination port information of TCP/UDP packets matches.


operator: Optional, the comparison applied to the source or destination port number. The operators and their meanings are: lt (less than), gt (greater than), eq (equal to), neq (not equal to) and range (between). If the operator is range, two port numbers must follow it; the other operators take one port number.

port1, port2: Optional, port number of TCP or UDP, expressed by name or number. The number range is from 0 to 65535.

dscp dscp: Specifies a DSCP field, the DS byte in IP packets.

established: Matches TCP packets with the ACK or RST flag set, that is, SYN+ACK, ACK, FIN+ACK, RST and RST+ACK packets. This option matches the traffic of established TCP sessions while filtering out initial TCP session requests.

precedence: Optional, a number ranging from 0 to 7, or a name. Packets can be filtered according to precedence field.

tos tos: Optional, a number ranging from 0 to 15 or a name. Packets can be filtered according to type of service.

logging: Optional, indicating whether to log qualified packets. The log contents include sequence number of ACL rule, packets passed or discarded, upper layer protocol type over IP, source/destination address, source/destination port number, and number of packets.

time-range time-name: Specifies that the ACL is valid in this time range.

fragment: Specifies that this rule is valid only for fragments that are not the first fragment of a packet.

interface interface-type interface-number: Specifies the interface information of the packets. If no interface is specified, all interfaces can be matched. any represents all interfaces.

In the undo rule command:

rule-id: ID of an existing ACL rule. If the command is followed by no other parameters, the ACL rule is deleted completely; otherwise, only the specified parts of the ACL rule are deleted.

source: Optional. Only the information settings related to the source address part of the ACL rule number will be deleted.

destination: Optional. Only the information setting related to the destination address part of the ACL rule number will be deleted.

source-port: Optional. Only the information setting related to the source port part of the ACL rule number will be deleted, valid only when the protocol is TCP or UDP.


destination-port: Optional. Only the information setting related to the destination port part of the ACL rule number will be deleted, valid only when the protocol is TCP or UDP.

icmp-type: Optional. Only the information setting related to ICMP type and message code part of the ACL rule number will be deleted, valid only when the protocol is ICMP.

precedence: Optional. Only the setting of precedence configuration of the ACL rule will be deleted.

tos tos: Optional. Only related tos setting corresponding to the ACL rule will be deleted.

time-range: Optional. Only the time range setting of the ACL rule will be deleted.

logging: Optional. Only the setting corresponding to the logging part of the ACL rule will be deleted.

fragment: Optional. Only the fragment setting of the ACL rule (matching of non-first fragments) will be deleted.

type-code: Type of the data frame, a 16-bit hexadecimal number corresponding to the type-code field in Ethernet_II and Ethernet_SNAP frames.

type-mask: A 16-bit hexadecimal number used for specifying the mask bits.

lsap-code: Encapsulation format of data frames, a 16-bit hexadecimal number.

lsap-mask: LSAP mask, a 16-bit hexadecimal number used to specify mask bits.

sour-addr: Source MAC address in the format of xxxx-xxxx-xxxx, used to match the source address of a packet.

sour-mask: Source MAC address mask.

dest-addr: Destination MAC address in the format of xxxx-xxxx-xxxx, used to match the destination address of a packet.

dest-mask: Destination MAC address mask.

Description

Use the rule command to add a rule in current ACL view.

Use the undo rule command to delete a rule.

The rule ID is needed when you delete a rule. If you do not know the ID, use the display acl command to find it.

Example

# Create ACL 3001 and add a rule to deny RIP packets.

[SecBlade_FW] acl number 3001
[SecBlade_FW-acl-adv-3001] rule deny udp destination-port eq rip


# Add a rule to permit hosts in the network segment 129.9.0.0 to send WWW packets to hosts in the network segment 202.38.160.0.

[SecBlade_FW-acl-adv-3001] rule permit tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www

# Add a rule to deny the WWW access (80) from the host in network segment 129.9.0.0 to the host in network segment 202.38.160.0, and log events that violate the rule.

[SecBlade_FW-acl-adv-3001] rule deny tcp source 129.9.0.0 0.0.255.255 destination 202.38.160.0 0.0.0.255 destination-port eq www logging

# Add a rule to permit the WWW access (80) from the host in network segment 129.9.8.0 to the host in network segment 202.38.160.0.

[SecBlade_FW-acl-adv-3001] rule permit tcp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port eq www

# Add a rule to prohibit all hosts from establishing Telnet (23) connection to the host with the IP address 202.38.160.1.

[SecBlade_FW-acl-adv-3001] rule deny tcp destination 202.38.160.1 0 destination-port eq telnet

# Add a rule to prohibit hosts in the network segment 129.9.8.0 from creating UDP connections with destination port numbers greater than 128 to hosts in the network segment 202.38.160.0.

[SecBlade_FW-acl-adv-3001] rule deny udp source 129.9.8.0 0.0.0.255 destination 202.38.160.0 0.0.0.255 destination-port gt 128

rule comment Syntax

rule rule-id comment text

undo rule rule-id comment

View

ACL view

Parameter

rule-id: ID of an existing ACL rule.

comment text: Comment of an ACL rule, a string of up to 128 characters.

Description

Use the rule comment command to add comment to an ACL rule.

Use the undo rule comment command to remove the comment of the ACL rule.

Example

# Add comment to ACL rule 7.


[SecBlade_FW-acl-adv-3001] rule 7 comment Allow FTP from any source to host 172.16.0.1

Time-range Configuration Commands

display time-range Syntax

display time-range { all | time-name }

View

Any view

Parameter

time-name: Name of the time range.

all: Displays all the configured time ranges.

Description

Use the display time-range command to view the configuration and status of time ranges. A time range that is currently in effect is displayed as "active", and one that is not as "inactive".

The system updates ACL status with a delay of about 1 minute, whereas display time-range reports the state of a time range at the exact current time. It can therefore happen that display time-range shows a time range as active while the ACL that should be active in that time range is still inactive. This is normal.

Example

# Display all time ranges.

[SecBlade_FW] display time-range all

# Display the time range named trname.

[SecBlade_FW] display time-range trname
Current time is 02:49:36 2/15/2003 Saturday
Time-range : trname ( Inactive )
14:00 to 16:00 off-day
from 00:00 12/1/2002 to 00:00 12/1/2003

time-range Syntax

time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to time2 date2 ]

undo time-range time-name [ start-time to end-time ] [ days ] [ from time1 date1 ] [ to time2 date2 ]

View

System view


Parameter

time-name: Name of the time range, a string of up to 32 characters that must start with a letter (a-z or A-Z).

start-time: Start time of a time range, in the format of HH:MM.

end-time: End time of a time range, in the format of HH:MM.

days: Indicates on which days of the week the time range is valid. A day is represented by a number from 0 through 6, standing for Sunday, Monday, Tuesday, Wednesday, Thursday, Friday and Saturday respectively, or by one of the following keywords:

Working-day includes Monday through Friday;

Off-day includes Saturday and Sunday;

Daily includes the seven days of a week.

from time1 date1: Optional, indicates the start time and date. The time is entered as hh:mm in 24-hour notation, where hh ranges from 0 to 23 and mm from 0 to 59. The date is entered as MM/DD/YYYY, where MM ranges from 1 to 12, DD from 1 to 31, and YYYY is a 4-digit number in the range 1970 to 2100. If no start time is set, there is no restriction on the start time and only the end time is considered.

to time2 date2: Optional. It is used to indicate the end time and date. In addition, the input format of time and date is the same with that of the start time. The end time must be greater than the start time. If the end time is not set, it will be the maximum time that the system can set.

Description

Use the time-range command to specify a time range.

Use the undo time-range command to delete a time range.

A time range consists of two parts. The first is a periodic time range within a week, described by start-time and end-time together with days, which specifies on which days of the week it is valid. The second is an absolute time range specified by from and to, which bounds the period during which the periodic time range is valid.

You can configure multiple time ranges with the same time-name, which are in "OR" relationship.

Example

# Configure a time range that is valid from 0:0 on Jan. 1, 2003 onward, with no end time.

[SecBlade_FW] time-range test from 0:0 1/1/2003

# Configure the time range valid between 14:00 and 16:00 in every weekend from 20:00 on Apr.01, 2003 to 20:00 on Dec.10, 2003.


[SecBlade_FW] time-range test 14:00 to 16:00 off-day from 20:00 04/01/2003 to 20:00 12/10/2003

# Configure the time range valid between 8:00 and 18:00 in each working day.

[SecBlade_FW] time-range test 8:00 to 18:00 working-day

# Configure the time range valid between 14:00 and 18:00 in each weekend day.

[SecBlade_FW] time-range test 14:00 to 18:00 off-day
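The following is an added example, not 3Com code: a Python evaluator for the time-range command as described above, parsing the system-view syntax, combining the periodic part (start-time to end-time on the given days) with the absolute part (from ... to ...), and treating entries that share a time-name as an "OR". The TimeRange class, parse_time_range and is_active are names introduced here; that a periodic part without a days keyword applies to every day is an assumption of the example. The entries used are the trname range from the display time-range example and the two test entries configured above, and the evaluation reproduces the "Inactive" status shown for trname at 02:49:36 on Saturday 2/15/2003.

```python
# Added example (not 3Com code): evaluates time ranges as the chapter describes
# them. TimeRange, parse_time_range and is_active are names introduced here;
# when a periodic part has no days keyword the example assumes every day.
from dataclasses import dataclass
from datetime import datetime, time
from typing import FrozenSet, List, Optional

# days keywords -> weekday numbers as the manual counts them (0 = Sunday ... 6 = Saturday)
DAY_KEYWORDS = {
    "working-day": frozenset({1, 2, 3, 4, 5}),
    "off-day": frozenset({0, 6}),
    "daily": frozenset(range(7)),
}
ALL_DAYS = frozenset(range(7))


def manual_weekday(dt: datetime) -> int:
    """Python counts Monday=0..Sunday=6; the manual counts Sunday=0..Saturday=6."""
    return (dt.weekday() + 1) % 7


@dataclass(frozen=True)
class TimeRange:
    name: str
    start: Optional[time] = None        # start-time (HH:MM); None = no periodic part
    end: Optional[time] = None          # end-time (HH:MM)
    days: FrozenSet[int] = ALL_DAYS
    begin: Optional[datetime] = None    # from time1 date1; None = no lower bound
    until: Optional[datetime] = None    # to time2 date2; None = system maximum

    def active(self, now: datetime) -> bool:
        # Absolute part: 'from' and 'to' bound the whole range.
        if self.begin is not None and now < self.begin:
            return False
        if self.until is not None and now >= self.until:
            return False
        # Periodic part: right weekday and start-time <= now < end-time.
        if self.start is not None:
            if manual_weekday(now) not in self.days:
                return False
            if not (self.start <= now.time() < self.end):
                return False
        return True


def parse_time_range(cmd: str) -> TimeRange:
    """Parse the system-view command shown above:
    time-range NAME [HH:MM to HH:MM] [days ...] [from HH:MM MM/DD/YYYY] [to HH:MM MM/DD/YYYY]"""
    tok = cmd.split()
    if tok[0] != "time-range":
        raise ValueError("not a time-range command")
    name, i = tok[1], 2
    start = end = begin = until = None
    days = set()
    if i + 1 < len(tok) and tok[i + 1] == "to":          # periodic part
        start = datetime.strptime(tok[i], "%H:%M").time()
        end = datetime.strptime(tok[i + 2], "%H:%M").time()
        i += 3
    while i < len(tok) and tok[i] not in ("from", "to"):  # days keywords or 0-6
        days |= DAY_KEYWORDS[tok[i]] if tok[i] in DAY_KEYWORDS else {int(tok[i])}
        i += 1
    while i < len(tok):                                   # from / to stamps
        stamp = datetime.strptime(f"{tok[i + 1]} {tok[i + 2]}", "%H:%M %m/%d/%Y")
        if tok[i] == "from":
            begin = stamp
        else:
            until = stamp
        i += 3
    return TimeRange(name, start, end, frozenset(days) or ALL_DAYS, begin, until)


def is_active(name: str, ranges: List[TimeRange], now: datetime) -> bool:
    """Entries configured with the same time-name are in an 'OR' relationship."""
    return any(r.active(now) for r in ranges if r.name == name)


# The time range from the display time-range example above and the two 'test'
# entries configured in the examples.
TRNAME = [parse_time_range(
    "time-range trname 14:00 to 16:00 off-day from 00:00 12/1/2002 to 00:00 12/1/2003")]
TEST = [parse_time_range("time-range test 8:00 to 18:00 working-day"),
        parse_time_range("time-range test 14:00 to 18:00 off-day")]
```

Note that a rule referencing a time-name whose entries are all inactive simply does not apply, so the ACL falls through to the next rule; when reviewing a policy, check the absolute "to" bound of each entry, since a range that has silently expired leaves the rule permanently inactive.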


17

NAT CONFIGURATION COMMANDS

NAT Configuration Commands

debugging nat Syntax

debugging nat { alg | event | packet } [ interface interface-type interface-number ]

undo debugging nat { alg | event | packet } [ interface interface-type interface-number ]

View

User view

Parameter

alg: Enables the application level gateway NAT debugging information.

event: Enables NAT event debugging information.

packet: Enables NAT data packet debugging information.

interface: Enables NAT packet debugging for a specific interface.

Description

Use the debugging nat command to enable the NAT debugging function.

Use the undo debugging nat command to disable the NAT debugging function.

Example

# Enable the NAT event debugging.

<SecBlade_FW> debugging nat event

display nat Syntax

display nat { address-group | aging-time | all | outbound | server | statistics | session [ source { global global-addr | inside inside-addr } ] [ destination ip-addr ] }

View

Any view

Parameter

address-group: Displays the information of the address pool.


aging-time: Displays the effective time for NAT connection.

all: Displays all the information about NAT.

outbound: Displays the information of the outbound NAT.

server: Displays the information of the internal server.

statistics: Displays the statistics of current NAT records.

session: Displays the information of the currently activated connection.

source global global-addr: Only displays the NAT entry with address as global-addr after NAT.

source inside inside-addr: Only displays the NAT entry with internal address as inside-addr.

destination ip-addr: Displays only the NAT entries with a specific destination IP address.

Description

Use the display nat command to display the address translation configuration. Users can verify from the output whether the address translation configuration is correct. When address translation connection information is displayed, the parameters global-addr and inside-addr can be specified for the display nat session command at the same time.

Example

# Display all the information about address translation.

<SecBlade_FW> display nat all
NAT address-group Information:
  1: from 11.1.1.1 to 11.1.1.20
  2: from 22.1.1.1 to 22.1.1.20
NAT outbound information:
  GigabitEthernet0/0.1: acl(2011)-NAT address-group(1) [no-pat]
  GigabitEthernet0/0.1: acl(2022)-NAT address-group(2) [no-pat]
Server in private network information:
  Interface             GlobalAddr    GlobalPort  InsideAddr  InsidePort  Pro
  GigabitEthernet0/0.1  201.119.11.3  8080        5.5.5.5     80(www)     6(tcp)
  GigabitEthernet0/0.1  201.119.11.3  2121        5.5.5.5     21(ftp)     6(tcp)
NAT aging-time value information:
  tcp      ---- aging-time value is 86400 (seconds)
  udp      ---- aging-time value is 300   (seconds)
  icmp     ---- aging-time value is 60    (seconds)
  pptp     ---- aging-time value is 86400 (seconds)
  dns      ---- aging-time value is 60    (seconds)
  tcp-fin  ---- aging-time value is 60    (seconds)
  tcp-syn  ---- aging-time value is 60    (seconds)
  ftp-ctrl ---- aging-time value is 7200  (seconds)
  ftp-data ---- aging-time value is 300   (seconds)

The information above indicates:

Two address pools are configured: address pool 1 ranges from 11.1.1.1 to 11.1.1.20, and address pool 2 ranges from 22.1.1.1 to 22.1.1.20.


Two address translation associations are configured at GigabitEthernet0/0.1: ACL 2011 is associated with address pool 1 and one-to-one address translation is performed; and ACL 2022 is associated with address pool 2, and one-to-one address translation is performed.

GigabitEthernet0/0.1 is configured with 2 internal servers: the www server at http://202.119.11.3:8080, whose internal address is 5.5.5.5; and the ftp server at ftp://202.119.11.3:2121, whose internal address is 5.5.5.5.

# Display NAT information.

<SW8800> display nat session
There are currently 40001 NAT sessions:
Protocol  GlobalAddr      Port  InsideAddr   Port  DestAddr       Port
-         192.168.100.10  ---   192.168.1.5  ---   ---            ---
          status: NOPAT, TTL: 00:04:00, Left: 00:04:00
6         192.168.100.10  1024  192.168.1.5  1024  192.168.100.1  1025
          status: NOPAT, TTL: 00:01:00, Left: 00:00:59
6         192.168.100.10  2048  192.168.1.5  2048  192.168.100.1  2049
          status: NOPAT, TTL: 00:01:00, Left: 00:01:00
6         192.168.100.10  1025  192.168.1.5  1025  192.168.100.1  1026
          status: NOPAT, TTL: 00:01:00, Left: 00:00:59

Note: In No-PAT address translation, when you use the display nat session command to display NAT entries, you can see that multiple No-PAT entries correspond to the multiple connections initiated by each internal network address, as shown above. Only connections initiated from the internal network to the external network are translated; no connection initiated from the external network is translated, which enhances network security.

nat address-group Syntax

nat address-group group-number start-addr end-addr

undo nat address-group group-number

View

System view

Parameter

group-number: Address pool number, an integer ranging from 0 to 31.

start-addr: Starting IP address in the address pool.

end-addr: Ending IP address in the address pool.

Description

Use the nat address-group command to configure an address pool.

Use the undo nat address-group command to delete an IP address pool.

An address pool is a set of outside IP addresses. If start-addr and end-addr are the same, the pool contains only one address.

CAUTION:

■ The length of an address pool (the number of addresses it contains) cannot exceed 255.

■ An address pool cannot be deleted while it is associated with an access control list for address translation.

Example

# Configure an address pool from 202.110.10.10 to 202.110.10.15, with its NAT pool ID being 1.

[SecBlade_FW] nat address-group 1 202.110.10.10 202.110.10.15

nat aging-time Syntax

nat aging-time { default | { dns | ftp-ctrl | ftp-data | icmp | pptp | tcp | tcp-fin | tcp-syn | udp } seconds }

View

System view

Parameter

default: Sets the address translation lifetime values to the defaults.

dns: Sets the address translation lifetime for DNS, which defaults to 60 seconds.

ftp-ctrl: Sets the address translation lifetime for FTP control links, which defaults to 7200 seconds.

ftp-data: Sets the address translation lifetime for FTP data links, which defaults to 300 seconds.

icmp: Sets the address translation lifetime for ICMP, which defaults to 60 seconds.

pptp: Sets the address translation lifetime for PPTP, which defaults to 86400 seconds.

tcp: Sets the address translation lifetime for TCP, which defaults to 86400 seconds.

tcp-fin: Sets the address translation lifetime for TCP FIN or TCP RST connections, which defaults to 60 seconds.

tcp-syn: Sets the address translation lifetime for TCP SYN connections, which defaults to 60 seconds.

udp: Sets the address translation lifetime for UDP, which defaults to 300 seconds.

seconds: Time value, in the range 10 to 86400 (24 hours).

Description

Use the nat aging-time command to set the lifetime of NAT connections.

This command sets the lifetime of address translation connections in seconds; different values are set for different protocol types. The default ALG aging time depends on the specific application type. To effectively prevent attacks, you can set the aging time of the first packet to five seconds.

Example

# Set the valid connection time of TCP to 240 seconds.

[SecBlade_FW] nat aging-time tcp 240

nat alg Syntax

nat alg { dns | ftp | h323 | ils | msn | nbt | pptp }

undo nat alg { dns | ftp | h323 | ils | msn | nbt | pptp }

View

System view

Parameter

dns: Supports the DNS protocol.

ftp: Supports the FTP protocol.

h323: Supports the H.323 protocol.

ils: Supports the ILS protocol.

msn: Supports the MSN protocol.

nbt: Supports the NBT protocol.

pptp: Supports the PPTP protocol.

Description

Use the nat alg command to enable the application level gateway (ALG) function of NAT.

Use the undo nat alg command to disable the ALG function of NAT.

By default, the ALG function of NAT is enabled.

Example

# Enable the ALG function of NAT, allowing it to support FTP.

[SecBlade_FW] nat alg ftp

nat dns-map Syntax

nat dns-map domain-name global-addr global-port [ tcp | udp ]

undo nat dns-map domain-name

View

System view


Parameter

domain-name: Valid domain name that can be correctly translated by external DNS servers.

global-addr: IP address (a valid one) that outside hosts can access.

global-port: Port number of the services that outside hosts can access.

tcp: Indicates that the service uses TCP as the transport protocol over IP.

udp: Indicates that the service uses UDP as the transport protocol over IP.

Description

Use the nat dns-map command to configure a mapping entry from a domain name to the external IP address, port number and protocol type.

Use the undo nat dns-map command to remove the mapping entry from a domain name to the external IP address, port number and protocol type.

If an internal host has no DNS server configured, it can still distinguish the various internal servers and access them by domain name once you configure mapping entries with this command.

By default, no mapping entry is configured. In that case, the domain name request of the internal host is resolved by the external DNS server to the external IP address, which can be mapped to only one internal server.

Up to 16 mapping entries can be added.

Example

# Configure a mapping entry from the domain name to the external IP address, port number and protocol type.

[SecBlade_FW] nat dns-map www.abc.com 202.112.0.1 80 tcp

nat outbound Syntax

nat outbound acl-number [ address-group group-number [ no-pat ] ]

undo nat outbound acl-number [ address-group group-number [ no-pat ] ]

View

Interface view

Parameter

address-group: Performs address translation by means of an address pool. If no address pool is specified, the IP address of the interface is used as the translated address (the "easy-ip" feature).

no-pat: Uses simple address translation, which means only to translate the address of the packet but not use port information.

acl-number: ACL number in the range of 2000 to 3999 (an advanced ACL can also be used).


group-number: The number of a defined address pool.

Description

Use the nat outbound command to associate an ACL with an address pool, indicating that the address specified in the acl-number can be translated by using address pool group-number.

Use the undo nat outbound command to remove the corresponding address translation.

Configuring the association between the ACL and the address pool causes the source address of packets that match the ACL to be translated. The system performs address translation by selecting an address from the address pool or by directly using the IP address of the interface. Different address translation associations can be configured on the same interface, and the undo form of the command deletes the corresponding association. Normally, this interface connects to the ISP and serves as the exit interface of the inside network.

The command without the address-group parameter implements the "easy-ip" feature. When performing address translation, the IP address of the interface is used as the translated address and the ACL can be used to control which addresses can be translated.

Example

# Enable the hosts of the 10.110.10.0/24 network segment to perform address translation by selecting the addresses from 202.110.10.10 to 202.110.10.12 as the translated address. Suppose that the interface GigabitEthernet0/0.1 connects to ISP.

[SecBlade_FW] acl number 2001
[SecBlade_FW-acl-basic-2001] rule permit source 10.110.10.0 0.0.0.255
[SecBlade_FW-acl-basic-2001] rule deny

# Configure the address pool.

[SecBlade_FW] nat address-group 1 202.110.10.10 202.110.10.12

# Allow address translation and use the addresses of address pool 1 for address translation. During translation, the information of TCP/UDP port is used.

[SecBlade_FW-GigabitEthernet0/0.1] nat outbound 2001 address-group 1

# Delete the corresponding configuration.

[SecBlade_FW-GigabitEthernet0/0.1] undo nat outbound 2001 address-group 1

# Configuration of simple address translation (Not using the TCP/UDP port information to perform the address translation)

[SecBlade_FW-GigabitEthernet0/0.1] nat outbound 2001 address-group 1 no-pat

# Delete the corresponding configuration.

[SecBlade_FW-GigabitEthernet0/0.1] undo nat outbound 2001 address-group 1 no-pat


# The configuration that can be used when performing address translation by using the IP address of interface GigabitEthernet0/0.1 directly.

[SecBlade_FW-GigabitEthernet0/0.1] nat outbound 2001

# Delete the corresponding configuration.

[SecBlade_FW-GigabitEthernet0/0.1] undo nat outbound 2001
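The following is an added example, not 3Com code: a Python model of the outbound NAT behaviour described in this section and in the note after display nat session. The ACL selects which inside sources are translated, the address pool (or the interface address, for easy-ip) supplies global addresses, no-pat maps one inside address to one global address with the port unchanged, PAT also rewrites the port, and a reply from outside is translated only if it belongs to a session that was opened from inside. OutboundNat, acl_permits and the session-table layout are assumptions made for this example; the order in which a real device selects pool addresses may differ. The configuration values are those of the nat outbound example above (ACL 2001, address pool 1).

```python
# Added example (not 3Com code): a model of outbound NAT as described above.
# The ACL picks the inside sources to translate, the address pool or the
# interface address ('easy-ip') supplies global addresses, no-pat maps one
# inside address to one global address and PAT also rewrites the port.
# OutboundNat, acl_permits and the session-table layout are assumptions made
# for this example; a real device's address selection may differ.
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Session = Tuple[str, int]   # (address, port)


def acl_permits(rules: List[Tuple[str, str, str]], src: str) -> bool:
    """Basic ACL, config order: rules are (action, addr, wildcard) and the
    first match decides; no match is treated as deny in this model."""
    a = int(IPv4Address(src))
    for action, addr, wild in rules:
        if ((a ^ int(IPv4Address(addr))) & ~int(IPv4Address(wild)) & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False


@dataclass
class OutboundNat:
    acl: List[Tuple[str, str, str]]
    pool: Optional[Tuple[str, str]] = None      # (start-addr, end-addr); None = easy-ip
    interface_addr: str = "0.0.0.0"             # used when pool is None
    no_pat: bool = False
    sessions: Dict[Session, Session] = field(default_factory=dict)  # inside -> global
    next_port: int = 1024                       # next global port for PAT

    def global_addrs(self) -> List[str]:
        if self.pool is None:
            return [self.interface_addr]        # easy-ip: the interface address
        lo, hi = (int(IPv4Address(x)) for x in self.pool)
        return [str(IPv4Address(n)) for n in range(lo, hi + 1)]

    def outbound(self, inside: str, port: int) -> Optional[Session]:
        """Translate a packet leaving the inside network; None = not translated."""
        if not acl_permits(self.acl, inside):
            return None                         # source not selected by the ACL
        key = (inside, port)
        if key in self.sessions:
            return self.sessions[key]
        if self.no_pat:
            # One global address per inside host, port unchanged; a host that
            # already holds an address keeps it, otherwise take a free one.
            held = [g for (i, _), (g, _) in self.sessions.items() if i == inside]
            used = {g for g, _ in self.sessions.values()}
            free = held[:1] or [g for g in self.global_addrs() if g not in used]
            if not free:
                return None                     # address pool exhausted
            mapping = (free[0], port)
        else:
            # PAT: the global address is shared and a unique global port is
            # allocated, so more inside hosts than pool addresses can be served.
            mapping = (self.global_addrs()[0], self.next_port)
            self.next_port += 1
        self.sessions[key] = mapping
        return mapping

    def inbound(self, global_addr: str, port: int) -> Optional[Session]:
        """Reverse translation for a reply. Only packets belonging to a session
        that was opened from inside find an entry; anything else is untranslated."""
        for inside, g in self.sessions.items():
            if g == (global_addr, port):
                return inside
        return None


# Configuration from the nat outbound examples above (ACL 2001, address pool 1).
ACL_2001 = [("permit", "10.110.10.0", "0.0.0.255"),
            ("deny", "0.0.0.0", "255.255.255.255")]
POOL_1 = ("202.110.10.10", "202.110.10.12")
```

With no-pat, the three-address pool serves at most three inside hosts at a time and the fourth host's traffic is not translated, which is why the manual caps pool length and why the no-pat variant suits only small inside networks; with PAT the same pool serves many hosts because the port distinguishes the sessions.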

nat outbound interface Syntax

nat outbound acl-number interface interface-type interface-number

undo nat outbound acl-number interface interface-type interface-number

View

Interface view

Parameter

acl-number: ACL index, in the range of 2000 to 3999.

interface interface-type interface-number: Interface type and interface number. Currently, only the loopback interface is supported.

Description

Use the nat outbound interface command to associate an ACL with a specific interface and to set the interface address as the converted address (that is, to replace the source address of the data packets with the IP address of the specified interface).

Use the undo nat outbound interface command to remove the configuration.

Currently, only the loopback interface address can be specified as the converted address.

Example

# Set the IP address of the loopback0 interface as the converted address.

[SecBlade_FW] interface loopback0
[SecBlade_FW-LoopBack0] ip address 202.38.160.106
[SecBlade_FW-LoopBack0] quit
[SecBlade_FW] acl number 2000
[SecBlade_FW-acl-basic-2000] rule permit source 10.110.12.0 0.0.0.255
[SecBlade_FW-acl-basic-2000] quit
[SecBlade_FW] interface GigabitEthernet0/0.3
[SecBlade_FW-GigabitEthernet0/0.3] nat outbound 2000 interface loopback 0

nat outbound static Syntax

nat outbound static

undo nat outbound static

View

Interface view


Parameter

None

Description

Use the nat outbound static command to apply on the interface the static NAT entries configured using the nat static command.

Use the undo nat outbound static command to disable the static NAT entries on the interface.

Example

# Apply the static NAT entries on the interface GigabitEthernet0/0.1.

[SecBlade_FW-GigabitEthernet0/0.1] nat outbound static

nat overlapaddress

Syntax

nat overlapaddress number overlappool-startaddress temppool-startaddress { pool-length pool-length | address-mask mask }

undo nat overlapaddress number

View

System view

Parameter

number: Sequence number of the address pool pair, in the range of 0 to 7.

overlappool-startaddress: Start address of the overlap address pool. Note that no intersection is allowed between overlap address pools.

temppool-startaddress: Start address of the temporary address pool. Note that no intersection is allowed between temporary address pools. Temporary addresses cannot be the existing internal or external addresses, so you are recommended to choose private network addresses as temporary addresses.

pool-length: Length of the address pool, in decimal format. The associated overlap and temporary address pools must be configured with the same length, with one overlap address corresponding to one temporary address.

mask: Subnet mask of the address pool.

Description

Use the nat overlapaddress command to configure the mapping entry from an overlap address pool to a temporary address pool.

Use the undo nat overlapaddress command to remove the mapping configuration.

One overlap address pool corresponds to one temporary address pool. The conversion rules are as follows:

Temporary address = Start address of the temporary address pool + (overlap address - start address of the overlap address pool)

Overlap address = Start address of the overlap address pool + (temporary address - start address of the temporary address pool)

Example

# Configure a mapping entry from 171.69.100.0 to 192.168.0.0, with address pool pair number as 0.

[SecBlade_FW] nat overlapaddress 0 171.69.100.0 192.168.0.0 address-mask 24

nat server

Syntax

nat server [ acl-number ] protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port

nat server [ acl-number ] protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ]

undo nat server [ acl-number ] protocol pro-type global global-addr global-port1 global-port2 inside host-addr1 host-addr2 host-port

undo nat server [ acl-number ] protocol pro-type global global-addr [ global-port ] inside host-addr [ host-port ]

View

Interface view

Parameter

acl-number: Basic or advanced ACL number, in the range of 2000 to 3999.

global-addr: An IP address provided for the outside to access (a legal IP address).

global-port: A service port number provided for the outside to access. If omitted, it takes the same value as host-port.

host-addr: IP address of the server in internal LAN.

host-port: Service port number of the internal server, in the range of 0 to 65535. Commonly used port numbers can be replaced by keywords: for example, the www service port 80 can also be written as www, and the ftp service port 21 as ftp. A host-port of 0, which can also be written as the keyword any, means that all types of service are provided; if the parameter is not configured it is treated as any, which is equivalent to a static connection between global-addr and host-addr. When host-port is configured as any, global-port must also be any, otherwise the configuration is illegal.

global-port1, global-port2: Specify a port range through two port numbers, which maps one-to-one onto the internal host address range. global-port2 must be larger than global-port1.

host-addr1, host-addr2: Define a range of consecutive addresses that maps one-to-one onto the port range defined above. host-addr2 must be larger than host-addr1. The number of addresses in the range must equal the number of ports defined by global-port1 and global-port2.


pro-type: The protocol carried by IP, given either as a protocol ID or as the keyword that stands for it. For example: icmp (protocol ID 1), tcp (protocol ID 6), udp (protocol ID 17).

Description

Use the nat server command to define the mapping table of an internal server. Users can access the internal server with the address and port as host-addr and host-port respectively through the address port defined by global-addr and global-port.

Use the undo nat server command to remove the mapping table.

Through this command, you can make internal servers available for outside use. Such servers, for example www, ftp, telnet, pop3 and dns servers, can be located in an ordinary private network.

Up to 256 internal server conversion commands and at most 4096 internal servers can be configured on one interface. Up to 1024 internal server conversion commands can be configured in one system. If nat servers are configured in the port range form (that is, a port range specified by global-port1 and global-port2, mapped onto a range of internal host addresses), the number of internal servers equals the number of ports configured, and the maximum is still 4096.

TFTP is a special protocol; therefore, make sure you configure the corresponding nat outbound command on the internal TFTP server when you configure NAT Server for the TFTP server.

The interface on which this command is configured connects to the ISP and serves as the gateway of the internal network.

Example

# Specify the IP address of the internal www server of the LAN as 10.110.10.10 and the IP address of the internal ftp server as 10.110.10.11. The outside should reach the web server through http://202.110.10.10:8080 and the ftp server through ftp://202.110.10.10. Suppose that GigabitEthernet0/0.1 is connected to the ISP.

[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www
[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol tcp global 202.110.10.10 inside 10.110.10.11 ftp

# Specify one interior host 10.110.10.12, expecting that the host of the exterior network can ping it with ping 202.110.10.11 command.

[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol icmp global 202.110.10.11 inside 10.110.10.12

# Delete the www server.

[SecBlade_FW-GigabitEthernet0/0.1] undo nat server protocol tcp global 202.110.10.10 8080 inside 10.110.10.10 www


# Delete the ftp server configured above.

[SecBlade_FW-GigabitEthernet0/0.1] undo nat server protocol tcp global 202.110.10.10 inside 10.110.10.11 ftp

# Specify an outside address of 202.110.10.10 and map the ports 1001 to 1100 to the internal addresses 10.110.10.1 to 10.110.10.100 respectively, for access to the ftp service: 202.110.10.10:1001 reaches 10.110.10.1, 202.110.10.10:1002 reaches 10.110.10.2, and so on.

[SecBlade_FW-GigabitEthernet0/0.1] nat server protocol tcp global 202.110.10.10 1001 1100 inside 10.110.10.1 10.110.10.100 ftp
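A model of the nat server mapping table described above, covering the single-port form, the port-range form, the omitted global-port default and the host-port any rule, as an added Python example that is not code from the 3Com manual; the keyword-to-port table, the lookup interface and the per-interface limit checks are assumptions built from the values this page states.

```python
import ipaddress

# Added example, not from the 3Com manual: a model of the "nat server" mapping
# table and of the lookup the firewall performs for a packet arriving from
# outside. Keyword tables are limited to the keywords the manual names.

PORT_KEYWORDS = {"www": 80, "ftp": 21, "telnet": 23, "pop3": 110, "dns": 53, "any": 0}
PROTO_KEYWORDS = {"icmp": 1, "tcp": 6, "udp": 17}
MAX_COMMANDS_PER_INTERFACE = 256   # limit stated in the manual
MAX_SERVERS_PER_INTERFACE = 4096   # limit stated in the manual


def _port(p):
    return PORT_KEYWORDS[p] if isinstance(p, str) else int(p)


def _ip(a):
    return int(ipaddress.IPv4Address(a))


class NatServerTable:
    """All nat server entries applied on one interface."""

    def __init__(self):
        self.entries = []
        self.servers = 0          # internal servers reachable through this table

    def add(self, pro_type, global_addr, inside_addr, host_port="any",
            global_port=None, global_port2=None, inside_addr2=None):
        proto = PROTO_KEYWORDS[pro_type]
        hport = _port(host_port)
        if global_port2 is not None:
            # Port-range form: global-port1..global-port2 <-> host-addr1..host-addr2
            g1, g2 = _port(global_port), _port(global_port2)
            h1, h2 = _ip(inside_addr), _ip(inside_addr2)
            if g2 <= g1 or h2 <= h1:
                raise ValueError("global-port2 and host-addr2 must be larger than their starts")
            if g2 - g1 != h2 - h1:
                raise ValueError("address range must hold as many hosts as the port range has ports")
            count = g2 - g1 + 1
            entry = dict(proto=proto, gaddr=_ip(global_addr), g1=g1, g2=g2, h1=h1, hport=hport)
        else:
            # Single form: an omitted global-port takes the value of host-port
            gport = hport if global_port is None else _port(global_port)
            if hport == 0 and gport != 0:
                raise ValueError("host-port any requires global-port any")
            count = 1
            entry = dict(proto=proto, gaddr=_ip(global_addr), g1=gport, g2=gport,
                         h1=_ip(inside_addr), hport=hport)
        if (len(self.entries) + 1 > MAX_COMMANDS_PER_INTERFACE
                or self.servers + count > MAX_SERVERS_PER_INTERFACE):
            raise ValueError("per-interface nat server limit exceeded")
        self.entries.append(entry)
        self.servers += count

    def lookup(self, pro_type, global_addr, global_port=None):
        """Return (inside address, inside port) for an outside packet, or None."""
        proto = PROTO_KEYWORDS[pro_type]
        gaddr = _ip(global_addr)
        gport = 0 if global_port is None else _port(global_port)
        for e in self.entries:               # first matching entry wins
            if e["proto"] != proto or e["gaddr"] != gaddr:
                continue
            if e["g1"] == 0:                 # global-port any: plain static mapping
                return str(ipaddress.IPv4Address(e["h1"])), gport
            if e["g1"] <= gport <= e["g2"]:
                host = e["h1"] + (gport - e["g1"])   # offset into the address range
                return str(ipaddress.IPv4Address(host)), e["hport"]
        return None


if __name__ == "__main__":
    t = NatServerTable()
    t.add("tcp", "202.110.10.10", "10.110.10.10", "www", global_port=8080)
    t.add("tcp", "202.110.10.10", "10.110.10.1", "ftp",
          global_port=1001, global_port2=1100, inside_addr2="10.110.10.100")
    print(t.lookup("tcp", "202.110.10.10", 8080), t.lookup("tcp", "202.110.10.10", 1002))
```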

nat static

Syntax

nat static ip-addr1 ip-addr2

undo nat static ip-addr1 ip-addr2

View

System view

Parameter

ip-addr1: Private IP address of an internal host.

ip-addr2: Public IP address.

Description

Use the nat static command to configure a one-to-one private-to-public address binding.

Use the undo nat static command to delete an existing one-to-one private-to-public address binding.

Example

# Bind an internal private IP address with a public IP address for one-to-one address translation.

[SecBlade_FW] nat static 192.168.1.1 2.2.2.2

nat static inside ip

Syntax

nat static inside ip inside-start-address inside-end-address global global-address mask

undo nat static inside ip inside-start-address inside-end-address global global-address mask

View

System view

Parameter

inside-start-address: Start internal address that the specified static NAT entry will convert.

inside-end-address: End internal address that the specified static NAT entry will convert.

global-address: Public network address converted by the specified static NAT entry.

mask: Subnet address of the public network segment address.

Description

Use the nat static inside ip command to configure a static NAT entry. In a conversion with such an entry, only the network address is converted and the host address remains unchanged.

Use the undo nat static inside ip command to delete the existing static NAT entry.

The global-address can be any address; the public network segment is calculated from it and the mask.

The nat static inside ip and nat static commands create two different types of static NAT entries. Note that the two types of addresses cannot be in conflict.

By default, no static NAT entry is configured.

Example

# Configure a static NAT entry that converts the network address of 10.1.1.1 to 10.1.1.100 to 211.1.1.0 and leaves their host addresses unchanged.

[SecBlade_FW] nat static inside ip 10.1.1.1 10.1.1.100 global 211.1.1.0 255.255.255.0
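The address arithmetic behind the nat overlapaddress conversion rules and the nat static inside ip command, as an added Python example that is not code from the 3Com manual; it uses the manual's sample values and assumes that address-mask denotes a prefix length and that the two pools of a pair need not be aligned to a subnet boundary.

```python
import ipaddress

# Added example (not from the 3Com manual): the address arithmetic behind
# "nat overlapaddress" and "nat static inside ip", using the manual's sample
# values. Assumption: "address-mask N" denotes a /N prefix length.


def _first_last(start, length):
    """Address range start .. start+length-1 as a pair of integers."""
    first = int(ipaddress.IPv4Address(start))
    return first, first + length - 1


def _intersects(r1, r2):
    return r1[0] <= r2[1] and r2[0] <= r1[1]


class OverlapPoolPair:
    """One nat overlapaddress entry: an overlap pool paired with a temporary pool."""

    def __init__(self, number, overlappool_start, temppool_start,
                 pool_length=None, address_mask=None):
        if not 0 <= number <= 7:
            raise ValueError("pool pair number must be 0..7")
        if (pool_length is None) == (address_mask is None):
            raise ValueError("give exactly one of pool-length or address-mask")
        if address_mask is not None:
            pool_length = 2 ** (32 - address_mask)   # both pools get the same length
        self.number = number
        self.overlap = _first_last(overlappool_start, pool_length)
        self.temp = _first_last(temppool_start, pool_length)

    def to_temp(self, overlap_addr):
        """Temporary address = temp pool start + (overlap address - overlap pool start)."""
        a = int(ipaddress.IPv4Address(overlap_addr))
        if not self.overlap[0] <= a <= self.overlap[1]:
            return None                              # not covered by this pair
        return str(ipaddress.IPv4Address(self.temp[0] + (a - self.overlap[0])))

    def to_overlap(self, temp_addr):
        """Overlap address = overlap pool start + (temporary address - temp pool start)."""
        a = int(ipaddress.IPv4Address(temp_addr))
        if not self.temp[0] <= a <= self.temp[1]:
            return None
        return str(ipaddress.IPv4Address(self.overlap[0] + (a - self.temp[0])))


def add_overlap_pair(table, pair):
    """Enforce the manual's rule: neither overlap pools nor temporary pools may intersect."""
    for other in table:
        if _intersects(pair.overlap, other.overlap) or _intersects(pair.temp, other.temp):
            raise ValueError(f"pool pair {pair.number} intersects pool pair {other.number}")
    table.append(pair)


def static_inside_ip(inside_start, inside_end, global_address, mask):
    """nat static inside ip: replace the network part, keep the host part unchanged.

    Returns {inside address: translated public address} for the whole range.
    """
    net = ipaddress.IPv4Network(f"{global_address}/{mask}", strict=False)
    host_mask = int(net.hostmask)
    lo = int(ipaddress.IPv4Address(inside_start))
    hi = int(ipaddress.IPv4Address(inside_end))
    if lo > hi:
        raise ValueError("inside-start-address must not exceed inside-end-address")
    mapping = {}
    for a in range(lo, hi + 1):
        public = int(net.network_address) | (a & host_mask)
        mapping[str(ipaddress.IPv4Address(a))] = str(ipaddress.IPv4Address(public))
    return mapping


if __name__ == "__main__":
    # nat overlapaddress 0 171.69.100.0 192.168.0.0 address-mask 24
    pair = OverlapPoolPair(0, "171.69.100.0", "192.168.0.0", address_mask=24)
    print(pair.to_temp("171.69.100.7"), pair.to_overlap("192.168.0.7"))
    # nat static inside ip 10.1.1.1 10.1.1.100 global 211.1.1.0 255.255.255.0
    print(static_inside_ip("10.1.1.1", "10.1.1.100", "211.1.1.0", "255.255.255.0")["10.1.1.100"])
```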

reset nat

Syntax

reset nat { log-entry | session }

View

User view

Parameter

log-entry: Clears NAT log buffer.

session: Clears the information of the address translation table.

Description

This command is used to clear up the mapping tables of address translation in the memory and release all the memory dynamically allocated to store the mapping tables.

Example

# Clear NAT log buffer.

<SecBlade_FW> reset nat log-entry

# Clear information of the address translation table.

<SecBlade_FW> reset nat session


18 FIREWALL CONFIGURATION COMMANDS

Packet Filtering Firewall Configuration Commands

debugging firewall packet-filter

Syntax

debugging firewall packet-filter { { all | icmp | tcp | udp | fragments-inspect | others } [ interface type number ] | denied | permitted }

undo debugging firewall packet-filter { { all | icmp | tcp | udp | fragments-inspect | others } [ interface type number ] | denied | permitted }

View

User view

Parameter

all: Debugging for all packets.

icmp: ICMP packet filtering debugging.

packet: Packet filtering debugging. You can specify the permitted or denied keyword to display the debugging information about the permitted or denied packets.

tcp: TCP packet filtering debugging.

udp: UDP packet filtering debugging.

fragments-inspect: Fragment debugging.

others: Debugging of all the packets except ICMP, TCP and UDP.

interface type number: Debugging information of the corresponding packets passing the interface. The debugging information of all the interfaces will be displayed if this parameter is not configured.

denied: Debugging for the denied packets.

permitted: Debugging for the permitted packets.

Description

Use the debugging firewall packet-filter command to enable the debugging for the firewall packet filtering.


Use the undo debugging firewall packet-filter command to disable the debugging output.

By default, all the debugging for the firewall packet filtering is disabled.

Related command: display debugging.

Example

# Enable the debugging information about UDP packet filtering.

<SecBlade_FW> debugging firewall packet-filter udp

debugging firewall packet-filter fragments-inspect events

Syntax

debugging firewall packet-filter fragments-inspect events

undo debugging firewall packet-filter fragments-inspect events

View

User view

Parameter

None

Description

Use the debugging firewall packet-filter fragments-inspect events command to enable the debugging of fragments detection events.

Use the undo debugging firewall packet-filter fragments-inspect events command to disable it.

By default, the debugging of fragments detection events is disabled.

Example

# Enable the debugging of fragments detection events.

<SecBlade_FW> debugging firewall packet-filter fragments-inspect events

display firewall fragment

Syntax

display firewall fragment

View

Any view

Parameter

None

Description

Use the display firewall fragment command to display the fragment table of the firewall.

Example

# Display the fragment table of the firewall.


<SecBlade_FW> display firewall fragment

display firewall packet-filter statistics

Syntax

display firewall packet-filter statistics { all | interface type number | fragments-inspect }

View

Any view

Parameter

all: Displays the filtering packet statistics of all the interfaces.

interface type number: Displays the filtering packets statistics of the specified interface.

fragments-inspect: Displays the fragment inspection information.

Description

Use the display firewall packet-filter statistics command to view the firewall packet filtering statistics.

Example

# Display the information of fragment inspection.

<SecBlade_FW> display firewall packet-filter statistics fragments-inspect
Fragments inspection is enabled.
The high-watermark for clamping is 10000.
The low-watermark for clamping is 1000.
Current records for fragments inspection is 0.

firewall packet-filter default

Syntax

firewall packet-filter default { permit | deny }

View

System view

Parameter

permit: Default filter rule is permitting packets to pass.

deny: Default filter rule is denying packets to pass.

Description

Use the firewall packet-filter default command to configure the default filtering rule of the firewall packet filtering, whether to be "permit" or "deny".

By default, the system denies all packets.

Example

# Set the default filtering rule of the firewall packet filtering to "deny".

[SecBlade_FW] firewall packet-filter default deny


firewall packet-filter enable

Syntax

firewall packet-filter enable

undo firewall packet-filter enable

View

System view

Parameter

None

Description

Use the firewall packet-filter enable command to enable the firewall packet filtering.

Use the undo firewall packet-filter enable command to disable the firewall packet filtering.

By default, the firewall is disabled.

Example

# Enable the firewall.

[SecBlade_FW] firewall packet-filter enable

firewall packet-filter fragments-inspect

Syntax

firewall packet-filter fragments-inspect

undo firewall packet-filter fragments-inspect

View

System view

Parameter

None

Description

Use the firewall packet-filter fragments-inspect command to enable the fragment inspection switch.

Use the undo firewall packet-filter fragments-inspect command to disable the fragment inspection switch.

By default, the fragment inspection switch is disabled.

This command is the prerequisite for exact matching: fragment exact match can only be implemented after the fragment inspection switch is enabled. The packet filtering firewall then records the status of each fragment and performs exact matching against advanced ACL rules using information beyond layer 3 (the IP layer).

Recording fragment status consumes system resources. If exact match mode is not used, you are recommended to disable this function to improve the running efficiency of the system and reduce its overhead.

Only when the fragment packet inspection is enabled, can the exact match really take effect.

Related command: firewall packet-filter (interface view).

Example

# Enable the fragment inspection switch.

[SecBlade_FW] firewall packet-filter fragments-inspect

firewall packet-filter fragments-inspect { high | low }

Syntax

firewall packet-filter fragments-inspect { high | low }

undo firewall packet-filter fragments-inspect { high | low }

View

System view

Parameter

high number: Specifies the high threshold of the fragment status records. It is in the range from 100 to 10000.

low number: Specifies the low threshold of the fragment status records. It is in the range from 100 to 10000.

default: Default number of fragment status records. The default high threshold of the fragment status records is 2000 and the default low threshold of the fragment status records is 1500.

Description

Use the firewall packet-filter fragments-inspect { high | low } command to configure the high and low thresholds of records for fragment inspection.

Use the undo firewall packet-filter fragments-inspect { high | low } command to restore the default high and low thresholds.

If the fragment inspection switch is enabled and exact match filtering is applied, the packet filtering runs slightly slower, and efficiency drops further as the number of matching entries grows. The high and low thresholds bound this cost: when the number of fragment status records reaches the high threshold, the oldest status entries are deleted first, until the number of records falls below the low threshold.

The low threshold must be no greater than the high threshold.

Related command: display firewall packet-filter statistics fragments-inspect and firewall packet-filter fragments-inspect.


Example

# Configure the high threshold for fragment packet inspection to 3000 and configure the low threshold to the default value.

[SecBlade_FW] firewall packet-filter fragments-inspect high 3000
[SecBlade_FW] firewall packet-filter fragments-inspect low default

firewall packet-filter

Syntax

firewall packet-filter acl-number { inbound | outbound } [ match-fragments { normally | exactly } ]

undo firewall packet-filter acl-number { inbound | outbound }

View

Interface view

Parameter

acl-number: Serial number of access control list rule.

inbound: Filters the packet received on the interface.

outbound: Filters the packet sent on the interface.

match-fragments: Specify the matching mode of fragments. This parameter can only be applied to advanced ACLs.


normally: Normal matching mode, the default mode. This parameter is only available for the advanced ACLs.

exactly: Exact matching mode. This parameter is only available for the advanced ACLs.

Description

Use the firewall packet-filter command to apply the access control list to the corresponding interface.

Use the undo firewall packet-filter command to delete the corresponding setting.

Interface-based ACL (namely ACL rule with sequence number from 1000 to 1999) can only use the parameter outbound.

Packet filtering on the Comware platform can filter fragments: it matches and filters all fragments at layer 3 (the IP layer) by source IP address, destination IP address and so on. For advanced ACL rules that carry extended information such as TCP/UDP port numbers and ICMP type, it provides standard matching and exact matching. Standard matching uses only layer-3 information and ignores everything else. Exact matching applies every condition of the advanced ACL rule; to do this, the firewall must store the state of the first fragment so that the remaining fragments can be matched with the complete information. If exact matching is used, make sure you disable the fast forwarding function with the undo ip fast-forwarding command on the corresponding interface.

Standard matching is the default.

Related command: acl, display acl and firewall packet-filter fragments-inspect.

Example

# Apply ACL 3001 to the GigabitEthernet0/0.2 interface to filter the packets sent on the interface.

[SecBlade_FW-GigabitEthernet0/0.2] firewall packet-filter 3001 outbound
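The fragment handling described above, with the fragments-inspect high and low thresholds from the previous command, as an added Python example that is not code from the 3Com manual: it applies an advanced ACL to a fragmented flow in normally and exactly mode, and shows why standard matching lets non-first fragments through a port-based rule. Packet and rule fields are constructed subsets, and the treatment of a non-first fragment with no recorded first fragment in exact mode is an assumption.

```python
from collections import OrderedDict

# Added example, not code from the 3Com manual: a model of how an advanced ACL
# is applied to IP fragments in "normally" and "exactly" match modes, with the
# fragment status table clamped by the fragments-inspect high/low thresholds.
# Packets and rules are constructed dicts with a subset of the real fields;
# treating a non-first fragment without a recorded first fragment as matching
# no port-carrying rule in exact mode is an assumption.


class FragmentInspector:
    def __init__(self, high=2000, low=1500, default_action="deny"):
        # Manual: both thresholds in 100..10000, low no greater than high,
        # defaults 2000 (high) and 1500 (low); the packet-filter default is deny.
        if not 100 <= low <= high <= 10000:
            raise ValueError("thresholds must satisfy 100 <= low <= high <= 10000")
        self.high, self.low = high, low
        self.default_action = default_action
        # (src, dst, ip id) -> (proto, dport) taken from the first fragment
        self.records = OrderedDict()

    def _record(self, key, l4):
        self.records[key] = l4
        if len(self.records) >= self.high:
            # Reaching the high threshold: drop the oldest records until below low
            while len(self.records) >= self.low:
                self.records.popitem(last=False)

    def filter(self, rules, pkt, mode):
        """Return "permit" or "deny" for pkt under the given match-fragments mode."""
        if mode not in ("normally", "exactly"):
            raise ValueError("mode must be normally or exactly")
        first = pkt["frag_offset"] == 0
        key = (pkt["src"], pkt["dst"], pkt["ip_id"])
        # Only the first fragment carries the layer-4 header
        l4 = (pkt["proto"], pkt["dport"]) if first else None
        if mode == "exactly":
            if first and pkt["more_fragments"]:
                self._record(key, l4)
            elif not first:
                l4 = self.records.get(key)   # reuse what the first fragment told us
        for rule in rules:                   # first matching rule wins
            if rule["src"] != pkt["src"] or rule["dst"] != pkt["dst"]:
                continue
            if "dport" in rule:
                if l4 is None:
                    if mode == "normally":
                        return rule["action"]    # layer-4 condition ignored
                    continue                     # exact mode, no state: cannot match
                if rule["dport"] != l4[1]:
                    continue
            return rule["action"]
        return self.default_action


# Constructed sample: a rule that permits port 80 only, followed by a deny.
RULES = [{"action": "permit", "src": "10.1.1.2", "dst": "192.168.5.9", "dport": 80},
         {"action": "deny", "src": "10.1.1.2", "dst": "192.168.5.9"}]
# Constructed fragments of one port-443 datagram (only the first has the TCP header).
FIRST = {"src": "10.1.1.2", "dst": "192.168.5.9", "ip_id": 7, "frag_offset": 0,
         "more_fragments": True, "proto": "tcp", "dport": 443}
SECOND = {"src": "10.1.1.2", "dst": "192.168.5.9", "ip_id": 7, "frag_offset": 185,
          "more_fragments": False}

if __name__ == "__main__":
    fi = FragmentInspector()
    for mode in ("normally", "exactly"):
        print(mode, fi.filter(RULES, FIRST, mode), fi.filter(RULES, SECOND, mode))
```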

reset firewall packet-filter statistics

Syntax

reset firewall packet-filter statistics { all | interface type number }

View

User view

Parameter

all: Clears the filtering packet statistics of all the interfaces.

interface: Clears the filtering packet statistics of a certain interface.

type number: Specifies an interface by its type and number.

Description

Use the reset firewall packet-filter statistics command to clear the firewall statistics.

Example

# Clear filtering packet statistics of the interface GigabitEthernet0/0.2.

<SecBlade_FW> reset firewall packet-filter statistics interface GigabitEthernet0/0.2

ASPF Configuration Commands

aging-time

Syntax

aging-time { syn | fin | tcp | udp } seconds


undo aging-time { syn | fin | tcp | udp }

View

ASPF policy view

Parameter

seconds: Idle timeout, in seconds, of the session entry in the SYN state or FIN state, or of a TCP or UDP session, depending on the keyword given.

Description

Use the aging-time command to configure the TCP SYN-state waiting timeout, the TCP FIN-state waiting timeout, and the session entry idle timeouts for TCP and UDP.

Use the undo aging-time command to restore the default value.

Before the aging-time expires, the system will retain the connections and the sessions that have been set up.

By default, the timeout time for SYN packets, FIN packets, TCP protocol and UDP protocol are 30 seconds, 30 seconds, 3,600 seconds and 30 seconds respectively.

Related command: display aspf all, display aspf policy, display aspf session and display aspf interface.

Example

# Configure SYN status waiting timeout value of TCP as 20 seconds.

[SecBlade_FW-aspf-policy-1] aging-time syn 20

# Configure FIN status waiting timeout value of TCP as 10 seconds.

[SecBlade_FW-aspf-policy-1] aging-time fin 10

# Configure TCP idle timeout value as 3000 seconds.

[SecBlade_FW-aspf-policy-1] aging-time tcp 3000

# Configure UDP idle timeout value as 110 seconds.

[SecBlade_FW-aspf-policy-1] aging-time udp 110

aspf-policy

Syntax

aspf-policy aspf-policy-number

undo aspf-policy aspf-policy-number

View

System view

Parameter

aspf-policy-number: ASPF policy number, ranging from 1 to 99.


Description

Use the aspf-policy command to define an ASPF policy. For a defined policy, the policy can be invoked through its policy number.

Example

# Define an ASPF policy and enter ASPF view.

[SecBlade_FW] aspf-policy 1
[SecBlade_FW-aspf-policy-1]

debugging aspf

Syntax

debugging aspf { all | verbose | events | ftp | h323 | rtsp | session | smtp | tcp | timers | udp }

undo debugging aspf { all | verbose | events | ftp | h323 | rtsp | session | smtp | tcp | timers | udp }

View

User view

Parameter

all: All ASPF debugging switch.

verbose: Detailed debugging switch.

events: Event debugging switch.

ftp: Debugging switch for FTP detection information.

h323: Debugging switch for H.323 information detection.

rtsp: Debugging switch for RTSP information detection.

session: Debugging switch for session information.

smtp: Debugging switch for SMTP information detection.

tcp: Debugging switch for TCP information detection.

timers: Debugging switch for timer information.

udp: Debugging switch for UDP information detection.

Description

Use the debugging aspf command to enable ASPF debugging function.

Use the undo debugging aspf command to disable ASPF debugging function.

By default, ASPF debugging function is disabled.

Related command: display aspf all, display aspf policy, display aspf session and display aspf interface.


Example

# Enable all ASPF debugging switches.

<SecBlade_FW> debugging aspf all

debugging aspf http

Syntax

debugging aspf http { java-blocking | activex-blocking } { all | error | event | filter | packet }

undo debugging aspf http { java-blocking | activex-blocking } { all | error | event | filter | packet }

View

User view

Parameter

java-blocking: Java Applet blocking debugging.

activex-blocking: ActiveX blocking debugging.

all: All debugging.

error: Error debugging.

event: Event debugging.

filter: Filter debugging.

packet: Packet debugging.

Description

Use the debugging aspf http java-blocking command to enable Java Applet blocking debugging for HTTP detection.

Use the undo debugging aspf http java-blocking command to disable Java Applet blocking debugging for HTTP detection.

Use the debugging aspf http activex-blocking command to enable ActiveX blocking debugging for HTTP detection.

Use the undo debugging aspf http activex-blocking command to disable ActiveX blocking debugging for HTTP detection.

By default, neither Java Applet blocking debugging nor ActiveX blocking debugging for HTTP detection is enabled.

Example

# Enable all Java Applet blocking debugging.

<SecBlade_FW> debugging aspf http java-blocking all

detect

Syntax

detect protocol [ aging-time seconds ]


undo detect protocol

View

ASPF policy view

Parameter

protocol: Name of the protocol supported by ASPF. It can be an application layer protocol of ftp, http, h323, smtp, or rtsp, or a transport layer protocol of tcp or udp.

seconds: Configures the idle timeout time of the protocol, ranging from 5 to 43200 seconds. The default TCP-based timeout time is 3600 seconds, and the default UDP-based timeout time is 30 seconds.

Description

Use the detect command to specify ASPF policy for application layer protocols.

Use the undo detect command to cancel the configuration.

When the protocol is HTTP, Java Applet blocking and ActiveX control blocking are permitted.

If both application layer protocol specific detection and generic TCP/UDP-based detection are configured, the former has priority.

ASPF uses the timeout mechanism to manage session state information of protocols so that it can decide when to stop managing the state information of a session or delete a session that cannot be set up normally. The timeout time setting is a global setting applicable to all sessions; it can protect system resources against malicious occupation.

Related command: display aspf all, display aspf policy, display aspf session and display aspf interface.

Example

# Specify an ASPF policy for the FTP protocol, with policy number 1.

[SecBlade_FW] aspf-policy 1
[SecBlade_FW-aspf-policy-1] detect ftp
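How the aging-time values and the detect protocol [ aging-time ] settings of one policy combine to decide when a session entry is dropped, including the priority of application-layer detection over generic TCP/UDP detection, as an added Python example that is not code from the 3Com manual; the session states, the table interface and the rule that only detected protocols get session entries are constructed assumptions.

```python
# Added example, not code from the 3Com manual: a model of how an ASPF policy's
# aging-time values and its detect <protocol> [aging-time] settings decide when
# a session entry is dropped. Session states, the table interface and the rule
# that ASPF only tracks protocols the policy detects are constructed assumptions.

DEFAULT_AGING = {"syn": 30, "fin": 30, "tcp": 3600, "udp": 30}   # manual defaults
APP_PROTOCOLS = {"ftp", "http", "h323", "smtp", "rtsp"}


class AspfPolicy:
    def __init__(self, number):
        if not 1 <= number <= 99:
            raise ValueError("ASPF policy number must be 1..99")
        self.number = number
        self.aging = dict(DEFAULT_AGING)
        self.detect = {}   # protocol -> idle timeout in seconds

    def aging_time(self, kind, seconds):
        """aging-time { syn | fin | tcp | udp } seconds"""
        self.aging[kind] = seconds

    def undo_aging_time(self, kind):
        self.aging[kind] = DEFAULT_AGING[kind]

    def detect_protocol(self, protocol, aging_time=None):
        """detect protocol [ aging-time seconds ]"""
        if aging_time is not None and not 5 <= aging_time <= 43200:
            raise ValueError("aging-time must be 5..43200 seconds")
        base = 30 if protocol == "udp" else 3600     # UDP 30 s, everything else 3600 s
        self.detect[protocol] = base if aging_time is None else aging_time

    def idle_timeout(self, session):
        """Timeout that applies to a session in its current state."""
        if session["state"] == "syn":     # handshake not completed: short timer
            return self.aging["syn"]
        if session["state"] == "fin":     # teardown in progress
            return self.aging["fin"]
        app, transport = session["app"], session["transport"]
        if app in APP_PROTOCOLS and app in self.detect:
            return self.detect[app]       # application-layer detection has priority
        if transport in self.detect:
            return self.detect[transport]
        return self.aging[transport]


class SessionTable:
    def __init__(self, policy):
        self.policy = policy
        self.sessions = {}

    def touch(self, key, transport, app, state, now):
        """Create or refresh a session; returns False if the policy does not inspect it."""
        if app not in self.policy.detect and transport not in self.policy.detect:
            return False
        self.sessions[key] = {"transport": transport, "app": app, "state": state, "last": now}
        return True

    def expire(self, now):
        """Drop every session idle longer than its timeout; returns the dropped keys."""
        dropped = [k for k, s in self.sessions.items()
                   if now - s["last"] > self.policy.idle_timeout(s)]
        for k in dropped:
            del self.sessions[k]
        return dropped


if __name__ == "__main__":
    policy = AspfPolicy(1)
    policy.detect_protocol("ftp", 600)   # detect ftp aging-time 600
    policy.detect_protocol("tcp")        # detect tcp (default 3600 s)
    policy.aging_time("syn", 20)         # aging-time syn 20
    table = SessionTable(policy)
    table.touch("half-open", "tcp", "other", "syn", now=0)
    table.touch("ftp-ctrl", "tcp", "ftp", "established", now=0)
    print(table.expire(now=25), table.expire(now=700))
```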

detect http

Syntax

detect http [ java-blocking [ acl-number1 ] | activex-blocking [ acl-number2 ] ]* [ aging-time seconds ]

undo detect http [ java-blocking | activex-blocking ]*

View

ASPF policy view

Parameter

java-blocking: Indicates that Java Applet is blocked.


acl-number1: Number of a basic ACL, in the range of 2000 to 2999. If this argument is not specified, it indicates that all Java Applets are blocked.

activex-blocking: Indicates that ActiveX is blocked.

acl-number2: Number of a basic ACL, in the range of 2000 to 2999. If this argument is not specified, it indicates that all ActiveX controls are blocked.

seconds: Protocol idle timeout, in the range of 5 to 43200 seconds. By default, it is 3600 seconds for the application layer protocols and the TCP protocol, and is 30 seconds for the UDP protocol.

Description

Use the detect http command to configure the detection of the HTTP protocol and the blocking of Java Applet and ActiveX as well.

Use the undo detect http command to cancel the detection.

By default, HTTP is not detected.

Example

# Configure the ASPF policy to detect HTTP and block all ActiveX controls and the Java Applet from the server at 10.1.1.1.

[SecBlade_FW] acl number 2000
[SecBlade_FW-acl-basic-2000] rule permit source 10.1.1.1 0
[SecBlade_FW-acl-basic-2000] rule deny source any
[SecBlade_FW-acl-basic-2000] quit
[SecBlade_FW] aspf-policy 1
[SecBlade_FW-aspf-policy-1] detect http activex-blocking java-blocking 2000

display aspf all

Syntax

display aspf all

View

Any view

Parameter

None

Description

Use the display aspf all command to view the information of all ASPF policies and sessions.

Example

# View the information of ASPF policy and session.

[SecBlade_FW] display aspf all
[ASPF Policy Configuration]
Policy Number 1:
  Log: disable
  SYN timeout: 30 s
  FIN timeout: 30 s
  TCP timeout: 3600 s
  UDP timeout: 30 s
  Detect Protocols:
    h323 timeout 3600
    rtsp timeout 3600
    http timeout 3600
    smtp timeout 3600
    ftp timeout 3600
    tcp timeout 3600
    udp timeout 30
[Interface Configuration]
Interface               InboundPolicy   OutboundPolicy
---------------------------------------------------------------
GigabitEthernet0/0.1    none            1

display aspf interface Syntax

display aspf interface

View

Any view

Parameter

None

Description

Use the display aspf interface command to view the interface configuration of the inspection policy.

Example

# View the interface configuration of the inspection policy.

[SecBlade_FW] display aspf interface
[Interface Configuration]
Interface               InboundPolicy   OutboundPolicy
---------------------------------------------------------------
GigabitEthernet0/0.1    none            1

Table 219 Description on the fields of the display aspf all command

Field             Description
Log               Whether the session logging function is enabled.
SYN timeout       Timeout for a TCP connection in the SYN state (30 seconds in the example above).
FIN timeout       Timeout for a TCP connection in the FIN state.
TCP timeout       Idle timeout for TCP sessions (3,600 seconds in the example above).
UDP timeout       Idle timeout for UDP sessions (30 seconds in the example above).
Detect Protocols  Protocols detected by the ASPF policy, each with its idle timeout.
InboundPolicy     ASPF policy applied in the inbound direction of the interface.
OutboundPolicy    ASPF policy applied in the outbound direction of the interface.

Table 220 Description on the fields of the display aspf interface command

Field             Description
InboundPolicy     ASPF policy applied in the inbound direction of the interface.
OutboundPolicy    ASPF policy applied in the outbound direction of the interface.


display aspf policy Syntax

display aspf policy aspf-policy-number

View

Any view

Parameter

aspf-policy-number: ASPF policy number, ranging from 1 to 99.

Description

Use the display aspf policy command to view the configuration of a specific inspection policy.

Example

# Display the configuration information of the inspection policy with policy number of 1.

[SecBlade_FW] display aspf policy 1
[ASPF Policy Configuration]
Policy Number 1:
  Log: disable
  SYN timeout: 30 s
  FIN timeout: 30 s
  TCP timeout: 3600 s
  UDP timeout: 30 s
  Detect Protocols:
    h323 timeout 3600
    rtsp timeout 3600
    http timeout 3600
    smtp timeout 3600
    ftp timeout 3600
    tcp timeout 3600
    udp timeout 30

Refer to Table 219 for the description on the fields above.

display aspf session Syntax

display aspf session [ verbose ]

View

Any view

Parameter

verbose: Displays the detail information of the sessions.

Description

Use the display aspf session command to display the information of the ASPF sessions.

The display aspf session command and the display firewall session table command display different session tables with different default aging times. A data flow may therefore be present in the ASPF session table but already aged out of the firewall session table, or present in the firewall session table but already aged out of the ASPF session table.

Example

# Display information on current ASPF sessions.

[SecBlade_FW] display aspf session
[Established Sessions]
Session   Initiator            Responder           Application   Status
212BA84   169.254.1.121:1427   169.254.1.52:0      ftp-data      TCP_DOWN
2B738C4   169.254.1.121:1426   169.254.1.52:21     ftp           FTP_CONXN_UP

# Display detailed information of current ASPF sessions.

[SecBlade_FW] display aspf session verbose
[ Established Sessions ]
[ Session 0xC7E2B4 ] (192.168.0.1:2125)=>(13.1.0.5:2093) h245-media-control H245_OPEN
  SessNum: 229, TransProt: 6, AppProt: 21
  Prev: 0x0, Next: 0x0, Child: 0xCA9EA4, Parent: 0x0
  SynNode: 0x0, FinNode: 0x0
  Interface: GigabitEthernet0/0.2, Direction: outbound
  Bytes/Packets sent (initiator:responder) [1339/15 : 1309/12]
  Tcp SeqNum/AckNum [352115193/62885460 : 62885456/352115193]
  Timeout 00:02:00(120),

Table 221 Information of current ASPF sessions

Field                                                   Description
TransProt: 6                                            Transport-layer protocol number; 6 means TCP.
AppProt: 21                                             Application-layer protocol identifier; 21 is the FTP port, so the session is an FTP session.
Interface: GigabitEthernet0/0.2, Direction: outbound    The ASPF policy is applied in the outbound direction of interface GigabitEthernet0/0.2.
Bytes/Packets sent                                      Bytes and packets transmitted by the initiating and the responding side of the connection.
Timeout 00:02:00(120)                                   Timeout configured for the protocol, here 120 seconds.

display firewall session aging-time

Syntax

display firewall session aging-time

View

Any view

Parameter

None

Description

Use the display firewall session aging-time command to display the session timeout values of all firewall protocols.

Related command: firewall session aging-time and firewall session aging-time default.

Example

# Display the session timeout values of all firewall protocols.

[SecBlade_FW] display firewall session aging-time
NAT aging-time value information:
  tcp      ---- aging-time value is 240 (seconds)
  udp      ---- aging-time value is 40 (seconds)
  icmp     ---- aging-time value is 20 (seconds)
  finrst   ---- aging-time value is 10 (seconds)
  syn      ---- aging-time value is 5 (seconds)
  fragment ---- aging-time value is 5 (seconds)
  h.323    ---- aging-time value is 600 (seconds)
  ftp      ---- aging-time value is 600 (seconds)
  ras      ---- aging-time value is 600 (seconds)
  http     ---- aging-time value is 240 (seconds)
  smtp     ---- aging-time value is 40 (seconds)
  rtsp     ---- aging-time value is 240 (seconds)
  telnet   ---- aging-time value is 240 (seconds)
  netbios  ---- aging-time value is 240 (seconds)

display firewall session table

Syntax

display firewall session table

View

Any view

Parameter

None

Description

Use the display firewall session table command to display the session tables of the firewall.

The display firewall session table command and the display aspf session command display different session tables with different default aging time. A data flow may be present in the ASPF session table but aged out and removed from the session table of the firewall, or the data flow may be present in the session table of the firewall but aged out and removed from the ASPF session table.

A firewall session enters the timeout state once it is aged out. A time interval elapses before a session in timeout state is removed. This time interval varies depending on actual networking.

Example

# Display the session tables of the firewall.

[SecBlade_FW] display firewall session table
Total session number: 12
HTTP:192.168.4.1:80<--192.168.4.8:3391
HTTP:192.168.4.1:80<--192.168.4.8:3392
HTTP:192.168.4.1:80<--192.168.4.8:3387
NBT datagram:192.168.4.255:138<--192.168.4.8:138
HTTP:192.168.4.1:80<--192.168.4.8:3396
NBT name:192.168.4.255:137<--192.168.4.8:137
HTTP:192.168.4.1:80<--192.168.4.8:3389
HTTP:192.168.4.1:80<--192.168.4.8:3398
HTTP:192.168.4.1:80<--192.168.4.8:3397
HTTP:192.168.4.1:80<--192.168.4.8:3393
HTTP:192.168.4.1:80<--192.168.4.8:3390
HTTP:192.168.4.1:80<--192.168.4.8:3395
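The session table is printed as a flat list, one session per line in the form APP:responder:port<--initiator:port. When you are looking for a host that holds an unusual number of sessions through the firewall, it is quicker to parse the output than to read it. The Python below is an added example, not part of this guide or of the switch software: it parses that line format, verifies that the number of parsed entries matches the total the device declares, and counts sessions per initiator and application. The session table it uses is a constructed sample in the format shown above, not a capture from a real device.

```python
import re
from collections import Counter

# Constructed sample, modelled on the "display firewall session table" output
# above (format APP:responder_ip:port<--initiator_ip:port); not captured from a
# real device. The declared total matches the six entries on purpose.
SAMPLE_SESSION_TABLE = """\
Total session number: 6
HTTP:192.168.4.1:80<--192.168.4.8:3391
HTTP:192.168.4.1:80<--192.168.4.8:3392
HTTP:192.168.4.1:80<--192.168.4.8:3387
NBT datagram:192.168.4.255:138<--192.168.4.8:138
NBT name:192.168.4.255:137<--192.168.4.8:137
HTTP:192.168.4.1:80<--192.168.4.20:1025
"""

TOTAL_RE = re.compile(r"^Total session number:\s*(\d+)$")
# Application names may contain spaces ("NBT datagram"), so match up to the
# first colon; the arrow points from the responder to the initiator.
SESSION_RE = re.compile(
    r"^(?P<app>[^:]+):(?P<rsp_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<rsp_port>\d+)"
    r"<--(?P<ini_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<ini_port>\d+)$"
)


def declared_total(text):
    """Return the session count the device printed, or None if absent."""
    for line in text.splitlines():
        m = TOTAL_RE.match(line.strip())
        if m:
            return int(m.group(1))
    return None


def parse_session_table(text):
    """Parse every session line into a dict; header and unknown lines are skipped."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            s = m.groupdict()
            s["rsp_port"] = int(s["rsp_port"])
            s["ini_port"] = int(s["ini_port"])
            sessions.append(s)
    return sessions


def sessions_per_initiator(sessions):
    """Count sessions keyed by (initiator IP, application)."""
    return Counter((s["ini_ip"], s["app"]) for s in sessions)


def busy_initiators(sessions, threshold):
    """(initiator IP, application) pairs holding at least `threshold` sessions."""
    counts = sessions_per_initiator(sessions)
    return sorted(key for key, n in counts.items() if n >= threshold)


def table_is_consistent(text):
    """True when the parsed entries match the total the device declared."""
    return declared_total(text) == len(parse_session_table(text))


if __name__ == "__main__":
    sessions = parse_session_table(SAMPLE_SESSION_TABLE)
    print("consistent:", table_is_consistent(SAMPLE_SESSION_TABLE))
    for (ip, app), n in sessions_per_initiator(sessions).most_common():
        print(f"{ip:<16}{app:<14}{n}")
    print("busy:", busy_initiators(sessions, 3))
```

The consistency check matters because a session table is usually captured while it is changing; a mismatch between the declared total and the parsed lines tells you the capture was truncated or the parser missed a line format, before you draw conclusions from the counts.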

display port-mapping Syntax

display port-mapping [ application-name | port port-number ]

View

Any view

Parameter

application-name: Specifies the name of application for PAM. Optional applications include FTP, HTTP, H323, SMTP and RTSP.

port-number: Port number in the range of 0 to 65,535.

Description

Use the display port-mapping command to view PAM information.

Related command: port-mapping.

Example

# Display all PAM information.

[SecBlade_FW] display port-mapping
SERVICE   PORT    ACL    TYPE
-------------------------------------------------
ftp       21             system defined
smtp      25             system defined
http      80             system defined
rtsp      554            system defined
h323      1720           system defined

firewall aspf Syntax

firewall aspf aspf-policy-number { inbound | outbound }

undo firewall aspf aspf-policy-number { inbound | outbound }

View

Interface view

Parameter

aspf-policy-number: ASPF policy number used on the interface.

inbound: Applies ASPF policy in inbound direction of the interface.

outbound: Applies ASPF policy in outbound direction of the interface.


Description

Use the firewall aspf command to apply ASPF policy in specified direction to an interface.

Use the undo firewall aspf command to delete the applied ASPF policy on the interface.

ASPF distinguishes an inbound interface from an outbound interface. When the security gateway connects both an intranet and the Internet and ASPF is used to protect the intranet servers, the gateway interface connected to the intranet is the inbound interface and the interface connected to the Internet is the outbound interface.

When ASPF is applied on the outbound interface, it refuses connections initiated from the Internet to the intranet, while the return packets of sessions that intranet users initiated towards the Internet pass ASPF inspection.

Example

# Configure ASPF firewall function in outbound direction of GigabitEthernet0/0.2.

[SecBlade_FW-GigabitEthernet0/0.2] firewall aspf 1 outbound
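The behaviour described above (outbound flows create state, inbound packets pass only as return traffic of that state, and an inspected application protocol can open a pinhole for a connection the server initiates) is easiest to understand as a small state machine. The Python below is an added example written to illustrate that behaviour; it is not the switch's implementation and does not reproduce its data structures. It models one ASPF policy applied in the outbound direction of an interface, with detect ftp parsing the client's PORT command so that the server's active-mode data connection is admitted, and with per-protocol idle timeouts. The Pkt and Aspf names, the packet sequence and the addresses are constructed for the example.

```python
import re
from dataclasses import dataclass

# PORT h1,h2,h3,h4,p1,p2 as sent by an FTP client in active mode.
PORT_RE = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str        # "tcp" or "udp"
    direction: str    # "outbound" (intranet -> Internet) or "inbound"
    payload: bytes = b""


class Aspf:
    """Toy ASPF policy applied in the outbound direction of one interface.

    Outbound flows create session entries; an inbound packet is admitted only if
    it belongs to an existing session, or to a data connection that inspection of
    an FTP control session (detect ftp) announced via PORT. Idle sessions age out
    after the per-protocol timeout. Hypothetical model, not the switch's code."""

    def __init__(self, detect_ftp=True, tcp_timeout=3600, udp_timeout=30):
        self.detect_ftp = detect_ftp
        self.timeouts = {"tcp": tcp_timeout, "udp": udp_timeout,
                         "ftp": tcp_timeout, "ftp-data": tcp_timeout}
        # key: (intranet host, port, remote host, port, proto) -> [app, last seen]
        self.sessions = {}
        # key: (server ip, client ip, client port) -> expiry time of the pinhole
        self.pinholes = {}

    def _expire(self, now):
        for key, (app, seen) in list(self.sessions.items()):
            if now - seen > self.timeouts[app]:
                del self.sessions[key]
        for key, expiry in list(self.pinholes.items()):
            if now > expiry:
                del self.pinholes[key]

    def inspect(self, pkt, now):
        """Return "PASS" or "DROP" for one packet seen at time `now` (seconds)."""
        self._expire(now)
        if pkt.direction == "outbound":
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
            is_ftp = self.detect_ftp and pkt.proto == "tcp" and pkt.dport == 21
            entry = self.sessions.setdefault(key, ["ftp" if is_ftp else pkt.proto, now])
            entry[1] = now
            if entry[0] == "ftp":
                m = PORT_RE.search(pkt.payload)
                if m:   # the client announced where the server should connect back
                    client_ip = ".".join(m.group(i).decode() for i in range(1, 5))
                    client_port = int(m.group(5)) * 256 + int(m.group(6))
                    self.pinholes[(pkt.dst, client_ip, client_port)] = now + self.timeouts["ftp"]
            return "PASS"
        # inbound: only return traffic of a known session passes
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if key in self.sessions:
            self.sessions[key][1] = now
            return "PASS"
        hole = (pkt.src, pkt.dst, pkt.dport)
        if pkt.proto == "tcp" and pkt.sport == 20 and hole in self.pinholes:
            del self.pinholes[hole]   # one data connection per PORT command
            self.sessions[key] = ["ftp-data", now]
            return "PASS"
        return "DROP"


def demo(detect_ftp=True):
    """Constructed packet sequence: client 10.1.1.5 on the intranet, server 203.0.113.7 outside."""
    fw = Aspf(detect_ftp=detect_ftp)
    c, s = "10.1.1.5", "203.0.113.7"
    return [
        fw.inspect(Pkt(c, 1426, s, 21, "tcp", "outbound"), 0),                 # control connection opens
        fw.inspect(Pkt(s, 21, c, 1426, "tcp", "inbound"), 1),                  # server reply: known session
        fw.inspect(Pkt(s, 4444, c, 445, "tcp", "inbound"), 2),                 # unsolicited inbound: dropped
        fw.inspect(Pkt(c, 1426, s, 21, "tcp", "outbound", b"PORT 10,1,1,5,5,147\r\n"), 3),  # 5*256+147 = 1427
        fw.inspect(Pkt(s, 20, c, 1427, "tcp", "inbound"), 4),                  # active-mode data connection
        fw.inspect(Pkt(c, 1053, s, 53, "udp", "outbound"), 10),                # DNS query
        fw.inspect(Pkt(s, 53, c, 1053, "udp", "inbound"), 20),                 # DNS reply within 30 s
        fw.inspect(Pkt(s, 53, c, 1053, "udp", "inbound"), 60),                 # 40 s idle: UDP session aged out
    ]


if __name__ == "__main__":
    print("detect ftp:   ", demo(True))
    print("no detect ftp:", demo(False))
```

Running demo(False) shows why the detect ftp command exists: with no application inspection the control session still works, but the server's connection back to the client's announced data port is unsolicited inbound traffic and is dropped, exactly like the probe to port 445.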

firewall session aging-time

Syntax

firewall session aging-time { fin-rst | fragment | ftp | h323 | http | icmp | netbios | ras | rtsp | smtp | syn | tcp | telnet | udp } { default | seconds }

View

System view

Parameter

default: Chooses the default timeout values for the protocols.

seconds: Timeout value for the protocol, in seconds.

The default timeout values for the different protocols are as follows:

fin-rst: 10 seconds
fragment: 5 seconds
ftp: 600 seconds
h323: 600 seconds
http: 240 seconds
icmp: 20 seconds
netbios: 240 seconds
ras: 600 seconds
rtsp: 240 seconds
smtp: 40 seconds
syn: 5 seconds
tcp: 240 seconds
telnet: 240 seconds
udp: 40 seconds

Description

Use the firewall session aging-time command to set the session timeout value for a protocol, or to restore its default.

Related command: firewall session aging-time default and display firewall session aging-time.

Example

# Set the session timeout value for the HTTP protocol to 1200 seconds.

[SecBlade_FW] firewall session aging-time http 1200

firewall session aging-time default

Syntax

firewall session aging-time default

View

System view

Parameter

None

Description

Use the firewall session aging-time default command to restore the default session timeout values of all firewall protocols.

Related command: firewall session aging-time and display firewall session aging-time.

Example

# Restore the default session timeout values of all firewall protocols.

[SecBlade_FW] firewall session aging-time default

log enable Syntax

log enable

undo log enable

View

ASPF policy view


Description

Use the log enable command to enable ASPF session logging function.

Use the undo log enable command to disable logging function.

By default, session logging function is disabled.

ASPF provides enhanced session logging function, which can log all connections, including connection time, source address, destination address, port in use and transmitted bytes number.

Related command: display aspf all, display aspf policy, display aspf session, display aspf interface.

Example

# Enable ASPF session logging function.

[SecBlade_FW-aspf-policy-1] log enable

port-mapping Syntax

port-mapping application-name port port-number [ acl acl-number ]

undo port-mapping [ application-name port port-number [ acl acl-number ] ]

View

System view

Parameter

application-name: Name of the application protocol, including FTP, HTTP, H323, SMTP and RTSP.

port-number: Port number, ranging from 0 to 65,535.

acl-number: Number of basic ACL, which is in the range from 2,000 to 2,999.

Description

Use the port-mapping command to establish a mapping from a port number to an application-layer protocol.

Use the undo port-mapping command to delete a user-defined PAM entry.

PAM supports two mapping mechanisms: general port mapping and host port mapping based on a basic ACL. General port mapping maps a user-defined port number to an application protocol for all traffic; for example, mapping port 8080 to HTTP makes every TCP packet destined to port 8080 be treated as an HTTP packet. Host port mapping maps a user-defined port number to an application protocol only for packets to specific hosts; for example, you can map TCP packets to port 8080 on hosts in the 1.1.0.0 segment to HTTP. The range of hosts is specified by the basic ACL.


For the same port, general port mapping and host port mapping based on basic ACL cannot be configured at the same time.

Related command: display port-mapping.

Example

# Map port 3456 to FTP service, with this configuration, all the data flows destined to port 3456 will be regarded as FTP data flows.

[SecBlade_FW] port-mapping ftp port 3456
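Port mapping decides which application-layer inspector a packet is handed to, so a mistake here silently turns a protocol inspector off or on for the wrong traffic. The Python below is an added example, not code from this guide or from the switch: it models the two PAM mechanisms described above, the lookup order (a general mapping applies to every destination, a host mapping only to destinations the ACL permits, with the system-defined table as the fallback), and the rule that one port cannot carry both kinds of mapping. A basic ACL is simplified to a single permitted IPv4 network; the PortMapping class, its method names and the addresses in demo() are constructed for the example.

```python
import ipaddress

# System-defined mappings, as listed by "display port-mapping" above.
SYSTEM_DEFINED = {21: "ftp", 25: "smtp", 80: "http", 554: "rtsp", 1720: "h323"}
APPLICATIONS = {"ftp", "http", "h323", "smtp", "rtsp"}


class PortMapping:
    """Model of the two PAM mechanisms: general port mapping (port -> application
    for every destination) and host port mapping (port -> application only for
    destinations permitted by a basic ACL). A basic ACL is simplified here to one
    permitted IPv4 network; this class is an illustration, not the switch's code."""

    def __init__(self):
        self.general = {}   # port -> application
        self.host = {}      # port -> list of (application, permitted network)

    def add(self, application, port, acl_network=None):
        application = application.lower()
        if application not in APPLICATIONS:
            raise ValueError(f"unsupported application {application!r}")
        if not 0 <= port <= 65535:
            raise ValueError(f"port {port} out of range")
        if acl_network is None:
            # general mapping; a port cannot carry both kinds of mapping
            if port in self.host:
                raise ValueError(f"port {port} already has a host port mapping")
            self.general[port] = application
        else:
            if port in self.general:
                raise ValueError(f"port {port} already has a general port mapping")
            net = ipaddress.ip_network(acl_network, strict=False)
            self.host.setdefault(port, []).append((application, net))

    def remove(self, application, port, acl_network=None):
        """Counterpart of undo port-mapping for one user-defined entry."""
        application = application.lower()
        if acl_network is None:
            if self.general.get(port) == application:
                del self.general[port]
        else:
            net = ipaddress.ip_network(acl_network, strict=False)
            entries = self.host.get(port, [])
            entries[:] = [e for e in entries if e != (application, net)]
            if not entries:
                self.host.pop(port, None)

    def resolve(self, dst_ip, port):
        """Application that packets to dst_ip:port are inspected as, or None."""
        if port in self.general:
            return self.general[port]
        dst = ipaddress.ip_address(dst_ip)
        for application, net in self.host.get(port, []):
            if dst in net:
                return application
        return SYSTEM_DEFINED.get(port)


def demo():
    """Constructed configuration mirroring the examples in this section."""
    pam = PortMapping()
    pam.add("ftp", 3456)                      # port-mapping ftp port 3456
    pam.add("http", 8080, "1.1.0.0/16")       # host port mapping for the 1.1.0.0 segment
    return {
        "ftp_any_host": pam.resolve("203.0.113.9", 3456),
        "http_in_segment": pam.resolve("1.1.5.9", 8080),
        "http_outside": pam.resolve("2.2.2.2", 8080),
        "system_http": pam.resolve("2.2.2.2", 80),
    }


def conflict_detected():
    """A general mapping on a port that already has a host mapping is refused."""
    pam = PortMapping()
    pam.add("http", 8080, "1.1.0.0/16")
    try:
        pam.add("smtp", 8080)
    except ValueError:
        return True
    return False


def removal_works():
    """After undo, traffic to the port falls back to the system-defined table (none for 3456)."""
    pam = PortMapping()
    pam.add("ftp", 3456)
    pam.remove("ftp", 3456)
    return pam.resolve("10.0.0.1", 3456) is None
```

The lookup order is the security-relevant part: a general mapping wins over the system-defined table, so mapping port 80 to a different application would stop HTTP inspection (and Java/ActiveX blocking) for all web traffic, which is why the model raises on conflicting entries instead of silently overwriting them.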

reset aspf session Syntax

reset aspf session

View

User view

Parameter

None

Description

Use the reset aspf session command to reset ASPF session information.


Example

# Reset ASPF session information.

<SW8800> reset aspf session

reset firewall session table

Syntax

reset firewall session table

View

User view

Parameter

None

Description

Use the reset firewall session table command to clear the session tables of the firewall.

Example

# Clear the session tables of the firewall.

<SecBlade_FW> reset firewall session table


Blacklist Configuration Commands

debugging firewall blacklist

Syntax

debugging firewall blacklist { all | item | packet }

undo debugging firewall blacklist { all | item | packet }

View

User view

Parameter

all: Specifies to enable all debugging for blacklist.

item: Specifies to enable debugging for the changes of blacklist items.

packet: Specifies to enable debugging for blacklist items in packets.

Description

Use the debugging firewall blacklist command to enable debugging for blacklist on the firewall.

Use the undo debugging firewall blacklist command to disable debugging for blacklist on the firewall.

Any debugging for blacklist is disabled by default.

Related command: display debugging.

Example

# Enable all debugging for blacklist function.

<SecBlade_FW> debugging firewall blacklist all

display firewall blacklist Syntax

display firewall blacklist { enable | item [ sour-addr ] }

View

Any view

Parameter

enable: Displays the operation of blacklist.

item sour-addr: Displays one specific blacklist entry (the one with IP address sour-addr) or, if sour-addr is omitted, all blacklist entries.

Description

Use the display firewall blacklist command to view the running state and the entries of the blacklist on the firewall. With the item keyword and no IP address, the command shows summary information on the current blacklist entries; with the item keyword and an IP address, it shows detailed information on that entry. With the enable keyword, it shows whether the blacklist is running.

Example

# Display the summary information of all blacklist entries.

<SecBlade_FW> display firewall blacklist item
Firewall blacklist items :
  Current manual insert items:2
  Current automatic insert items:0
  Need aging items:1
  192.168.1.1
  20.202.16.5

# Display the verbose information of a specific blacklist entries.

<SecBlade_FW> display firewall blacklist item 192.168.1.1
Firewall blacklist items :
  192.168.1.1
  Insert reason : Manual
  Insert time : 2003/06/11 08:04:56
  Age action : Aging
  Age time : 100 minutes

# Display the running of the blacklist.

<SecBlade_FW> display firewall blacklist enable
Blacklist is Disabled

firewall blacklist Syntax

firewall blacklist { enable | sour-addr [ timeout minutes ] }

undo firewall blacklist [ enable | sour-addr ]

View

System view

Parameter

enable: Enables blacklist.

sour-addr: Specifies the IP address to be added into the blacklist.

timeout minutes: Specifies the timeout time. The minutes argument ranges from 1 to 1000 (in minutes).

Description

Use the firewall blacklist command to enable the blacklist function or to add a blacklist entry, optionally with an aging timeout.

Use the undo firewall blacklist command to disable the blacklist function or to remove a blacklist entry.


Example

# Add a blacklist item with IP address of 192.168.10.10 and timeout time of 100 minutes.

[SecBlade_FW] firewall blacklist 192.168.10.10 timeout 100

# Enable the blacklist function.

[SecBlade_FW] firewall blacklist enable

MAC/IP Address Binding Configuration Commands

debugging firewall mac-binding

Syntax

debugging firewall mac-binding { all | item | packet }

undo debugging firewall mac-binding { all | item | packet }

View

User view

Parameter

all: Enables all debugging.

item: Enables debugging for changes of address binding items.

packet: Enables debugging for address binding items in packets.

Description

Use the debugging firewall mac-binding command to enable debugging for address binding on a firewall.

Use the undo debugging firewall mac-binding command to disable debugging for address binding on a firewall.

Any debugging for address binding function is disabled by default.

Related command: display debugging.

Example

# Enable all debugging for address binding items.

<SecBlade_FW> debugging firewall mac-binding all

display firewall mac-binding

Syntax

display firewall mac-binding { enable | item [ ip-addr ] [ statistic ] }

View

Any view


Parameter

enable: Displays the running state of address binding.

item: Displays address binding items.

ip-addr: Entries with the specified IP address.

statistic: Displays statistics on address binding.

Description

Use the display firewall mac-binding command to view the running state and items of address binding on the firewall. You can view the information of address binding items by configuring item [ ip-addr ] in the command. If no IP address is specified, you can view the summary information of all the current address binding items. You can view the verbose information of a specific address binding item by configuring the corresponding IP address in the command. And you can specify the enable keyword in the command to view the running state of address binding.

Example

# Display the summary information of all address binding items.

<SecBlade_FW> display firewall mac-binding item
Firewall mac-binding items :
  Current items:2
  192.168.1.1    00e0-0f0c-1149
  20.202.16.5    0adc-0e0f-23ed

# Display the verbose information of a specific address binding item.

<SecBlade_FW> display firewall mac-binding item 192.168.1.1
Firewall mac-binding items :
  192.168.1.1    00e0-0f0c-1149

# Display the running state of address binding.

<SecBlade_FW> display firewall mac-binding enable
Mac-binding is Disabled

# Display the statistics on address binding.

<SecBlade_FW> display firewall mac-binding item statistic
Firewall Mac-binding item(s) :
IP Address      Mac               True Pkts   False Pkts
192.168.1.2     000f-1f73-fec5    0           57
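The True Pkts and False Pkts counters above are the useful output of address binding: a non-zero False Pkts count on an entry means some host is sending with a bound IP address from the wrong MAC address, or with a bound MAC address and a different IP address, which is what ARP or IP spoofing on the segment looks like. The Python below is an added example, not code from this guide or from the switch, that models a binding table and these counters. The check semantics are an assumption stated in the class docstring, not taken from the guide: a packet whose source IP or source MAC appears in a binding entry is accepted only if the pair matches that entry, and packets from addresses that are not bound at all are not checked. The MacBinding class and the traffic in demo() are constructed for the example.

```python
import re

MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept 00e0-0f0c-1149, 00:e0:0f:0c:11:49 or 00e00f0c1149; return xxxx-xxxx-xxxx."""
    digits = re.sub(r"[-:.]", "", mac.lower())
    if not MAC_RE.match(digits):
        raise ValueError(f"bad MAC address {mac!r}")
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


class MacBinding:
    """Model of MAC/IP address binding with the per-entry True Pkts / False Pkts
    counters shown by display firewall mac-binding item statistic.

    Assumed semantics (an illustration, not the switch's code): once binding is
    enabled, a packet whose source IP or source MAC appears in a binding entry is
    accepted only if the pair matches that entry; packets from addresses that are
    not bound at all are not subject to the check."""

    def __init__(self, enabled=False):
        self.enabled = enabled
        self.by_ip = {}      # ip -> mac
        self.by_mac = {}     # mac -> ip
        self.stats = {}      # ip -> [true_pkts, false_pkts]

    def bind(self, ip, mac):
        mac = normalize_mac(mac)
        if ip in self.by_ip:
            self.by_mac.pop(self.by_ip[ip], None)    # replace an old pair for this IP
        self.by_ip[ip] = mac
        self.by_mac[mac] = ip
        self.stats.setdefault(ip, [0, 0])

    def unbind(self, ip):
        mac = self.by_ip.pop(ip, None)
        if mac is not None:
            self.by_mac.pop(mac, None)
            self.stats.pop(ip, None)

    def check(self, src_ip, src_mac):
        """True if the packet is allowed through the binding check."""
        if not self.enabled:
            return True
        src_mac = normalize_mac(src_mac)
        bound_mac = self.by_ip.get(src_ip)
        bound_ip = self.by_mac.get(src_mac)
        if bound_mac is None and bound_ip is None:
            return True                       # neither address is bound
        ok = bound_mac == src_mac             # true only for the exact bound pair
        entry_ip = src_ip if bound_mac is not None else bound_ip
        self.stats[entry_ip][0 if ok else 1] += 1
        return ok

    def statistic(self):
        """Rows in the order of the display output: ip, mac, true pkts, false pkts."""
        return [(ip, self.by_ip[ip], t, f) for ip, (t, f) in sorted(self.stats.items())]


def demo():
    """Constructed traffic against one binding, counted as the statistic display would."""
    fw = MacBinding(enabled=True)
    fw.bind("192.168.1.2", "000f-1f73-fec5")
    results = [
        fw.check("192.168.1.2", "000f-1f73-fec5"),    # bound pair: true
        fw.check("192.168.1.2", "00:aa:bb:cc:dd:ee"), # bound IP with a spoofed MAC: false
        fw.check("10.0.0.9", "000f-1f73-fec5"),       # bound MAC claiming another IP: false
        fw.check("10.0.0.1", "0000-0000-0001"),       # unbound host: not checked
    ]
    return results, fw.statistic()
```

Note the third case: the MAC is the bound one but the IP is not, so the false packet is charged to the entry for the bound IP (192.168.1.2). That is the entry an operator would look at, and it is why a lookup in both directions (by IP and by MAC) is kept.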

firewall mac-binding Syntax

firewall mac-binding { enable | ip-addr mac-addr }

undo firewall mac-binding { enable | ip-addr }

View

System view


Parameter

enable: Enables address binding.

ip-addr: Specifies an IP address of an address binding pair.

mac-addr: Specifies a MAC address of an address binding pair.

Description

Use the firewall mac-binding command to enable address binding and add an address binding entry.

Use the undo firewall mac-binding command to disable address binding or delete an address binding entry.

Example

# Add an address binding item with IP address of 192.168.10.10 and MAC address of 00e0-0000-0001.

[SecBlade_FW] firewall mac-binding 192.168.10.10 00e0-0000-0001

# Enable address binding.

[SecBlade_FW] firewall mac-binding enable

firewall mac-binding enable

Syntax

firewall mac-binding enable

undo firewall mac-binding enable

View

System view

Parameter

enable: Enables the address binding function.

Description

Use the firewall mac-binding enable command to enable the MAC address binding function.

Use the undo firewall mac-binding enable command to disable the MAC address binding function.

Example

# Enable the MAC address binding function.

[SecBlade_FW] firewall mac-binding enable

reset firewall mac-binding

Syntax

reset firewall mac-binding item [ ip-addr ] statistic

View

User view


Parameter

item: MAC-to-IP binding entries.

ip-addr: Clears the binding information about the specified IP address.

statistic: Statistics information about MAC-to-IP binding.

Description

Use the reset firewall mac-binding command to clear the statistics information about MAC-to-IP binding.

Example

# Clear the statistics information about all the MAC-to-IP binding.

<SecBlade_FW> reset firewall mac-binding item statistic

Security Zone Configuration Commands

add interface Syntax

add interface interface-type interface-number

undo add interface interface-type interface-number

View

Zone view

Parameter

interface-type interface-number: Specifies interface type and interface number.

Description

Use the add interface command to add an interface to the security zone.

Use the undo add interface command to remove the interface from the security zone.

An interface can belong to only one security zone. If an interface already belongs to a security zone, you must remove it from that zone before adding it to another one.

By default, no interface is added to any security zone.

For the firewall to interwork with other devices, the corresponding interface must be added to a security zone.

Example

# Remove the GigabitEthernet0/0.1 interface from the Trust zone and add it to the DMZ zone.

[SecBlade_FW] firewall zone trust
[SecBlade_FW-zone-trust] undo add interface GigabitEthernet0/0.1
[SecBlade_FW-zone-trust] quit
[SecBlade_FW] firewall zone DMZ
[SecBlade_FW-zone-DMZ] add interface GigabitEthernet0/0.1

display zone Syntax

display zone [ zone-name ] [ interface | priority ]

View

Any view

Parameter

zone-name: Name of the security zone. There are four pre-defined security zones in the system, which are Trust, Untrust, DMZ, and Local.

interface: Displays the interfaces in the security zone.

priority: Displays the priority of the security zone.

Description

Use the command to display the interfaces in the security zone and the priority of the security zone.

Example

# Display the priorities of all the security zones.

<SW8800> display zone priority
local priority is 100
#
trust priority is 85
#
untrust priority is 5
#
DMZ priority is 50
#

set priority Syntax

set priority number

View

Zone view

Parameter

number: Priority value of the security zone, in the range of 1 to 100.

Description

Use the set priority command to set the priority value of the security zone. A higher priority value means a higher security level.


Four security zones are predefined in the system: Local, Trust, Untrust and DMZ. You cannot change their priority values, but you can use this command to set and change the priority values of the security zone you define.

By default, the priority value for the Local zone is 100; that for the Trust zone is 85; that for Untrust zone is 5; that for DMZ zone is 50.

Example

# Set the priority value of the security zone newzone to 70.

[SecBlade_FW] firewall zone newzone [SecBlade_FW-zone-newzone] set priority 70

firewall interzone Syntax

firewall interzone zone1 zone2

View

System view

Parameter

zone1: Security zone name.

zone2: Security zone name.

Description

Use the firewall interzone command to enter the specific inter-zone view.

Example

# Enter the inter-zone view between the Trust and Untrust zone.

[SecBlade_FW] firewall interzone trust untrust [SecBlade_FW-interzone-trust-untrust]

firewall zone Syntax

firewall zone zonename

View

System view

Parameter

zonename: Security zone name.

Description

Use the firewall zone command to enter the security zone view.

Example

# Enter the DMZ zone view.

[SecBlade_FW] firewall zone DMZ
[SecBlade_FW-zone-DMZ]


firewall zone name Syntax

firewall zone name zonename

undo firewall zone name zonename

View

System view

Parameter

zonename: Security zone name.

Description

Use the firewall zone name command to create a new security zone.

Use the undo firewall zone name command to remove the existing security zone.

Four security zones are predefined in the system: Local, Trust, Untrust and DMZ. You cannot change their priority values.

Example

# Create the new security zone newzone.

[SecBlade_FW] firewall zone name newzone [SecBlade_FW-zone-newzone]


19

TRANSPARENT FIREWALL CONFIGURATION COMMANDS

Transparent Firewall Configuration Commands

acl number Syntax

acl number acl-number

undo acl { number acl-number | all }

View

System view

Parameter

number acl-number: Sequence number of the MAC-address based ACL, in the range of 4000 to 4999.

all: Removes all ACLs, including the interface-based ACLs, basic ACLs and advanced ACLs.

Description

Use the acl number command to create ACLs.

Use the undo acl command to remove the existing ACLs.

By default, no MAC address-based ACL is defined.

Refer to “acl” and “rule” for other ACL commands.

Example

# Create the MAC address-based ACL 4009.

[SecBlade_FW] acl number 4009

debugging firewall eff Syntax

debugging firewall eff [ interface interface-type interface-number ]

undo debugging firewall eff [ interface interface-type interface-number ]

View

User view


Parameter

interface interface-type interface-number: Debugging information about the specified interface.

Description

Use the debugging firewall eff command to enable debugging for Ethernet frame filtering.

Use the undo debugging firewall eff command to disable debugging for Ethernet frame filtering.

By default, debugging for Ethernet frame filtering is not enabled.

Example

# Enable debugging for Ethernet frame filtering.

<SecBlade_FW> debugging firewall eff
Ethernet-frame-filter's debugging is on
<SecBlade_FW>
*0.1350738 3Com EFF/8/DEBUGGING: OutBound List 4001, deny the frame with the following head : dest-mac is 000f-1f7e-fec5,sour-mac is 00e0-fc36-a7a9, type is 0800
*0.1350739 3Com BRIDGE/8/DEBUGGING: Discard a frame for the filter on outport ; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
*0.1352740 3Com EFF/8/DEBUGGING: OutBound List 4001, deny the frame with the following head : dest-mac is 000f-1f7e-fec5,sour-mac is 00e0-fc36-a7a9, type is 0800
*0.1352740 3Com BRIDGE/8/DEBUGGING: Discard a frame for the filter on outport ; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
*0.1352925 3Com EFF/8/DEBUGGING: InBound List 4001, deny the frame with the following head : dest-mac is ffff-ffff-ffff,sour-mac is 000f-1f7e-fec5, type is 0806
*0.1352925 3Com BRIDGE/8/DEBUGGING: Discard a frame for the filter on inport ; received from interface GigabitEthernet0/0, with following frame head : ff ff ff ff ff ff 00 0f 1f 7e fe c5 08 06
*0.1354741 3Com EFF/8/DEBUGGING: OutBound List 4001, deny the frame with the following head : dest-mac is 000f-1f7e-fec5,sour-mac is 00e0-fc36-a7a9, type is 0800
*0.1354741 3Com BRIDGE/8/DEBUGGING: Discard a frame for the filter on outport ; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
*0.1356742 3Com EFF/8/DEBUGGING: OutBound List 4001, deny the frame with the following head : dest-mac is 000f-1f7e-fec5,sour-mac is 00e0-fc36-a7a9, type is 0800
*0.1356742 3Com BRIDGE/8/DEBUGGING: Discard a frame for the filter on outport ; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
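The EFF and BRIDGE debugging lines above are emitted in pairs: the EFF line names the ACL, direction and MAC addresses, the BRIDGE line adds the interfaces and the raw 14-byte frame head. The following Python helper (an added example, not 3Com code) parses both line types from a constructed sample, decodes the frame head into the EFF line's MAC notation, and summarises the drops per ACL, direction and MAC pair so an operator can tell an expected deny from a mis-scoped rule; any EFF/BRIDGE pair whose headers disagree is flagged.

```python
"""Triage of the EFF/BRIDGE debugging lines shown above.

Added example, not 3Com code. It parses the 'EFF/8/DEBUGGING' deny lines
and the matching 'BRIDGE/8/DEBUGGING' discard lines, decodes the 14-byte
frame head the BRIDGE line prints, and summarises drops per ACL, direction
and MAC pair so an operator can tell an expected deny from a mis-scoped rule.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample, same shape as the manual's output (two EFF/BRIDGE pairs).
SAMPLE_LOG = """\
*0.1350738 3Com EFF/8/DEBUGGING: OutBound List 4001, deny the frame with the following head : dest-mac is 000f-1f7e-fec5,sour-mac is 00e0-fc36-a7a9, type is 0800
*0.1350739 3Com BRIDGE/8/DEBUGGING: Discard a frame for the filter on outport ; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
*0.1352925 3Com EFF/8/DEBUGGING: InBound List 4001, deny the frame with the following head : dest-mac is ffff-ffff-ffff,sour-mac is 000f-1f7e-fec5, type is 0806
*0.1352925 3Com BRIDGE/8/DEBUGGING: Discard a frame for the filter on inport ; received from interface GigabitEthernet0/0, with following frame head : ff ff ff ff ff ff 00 0f 1f 7e fe c5 08 06
"""

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
EFF_RE = re.compile(
    r"^\*(?P<ts>[\d.]+) 3Com EFF/8/DEBUGGING: (?P<dir>InBound|OutBound) List (?P<acl>\d+), "
    r"(?P<action>\w+) the frame with the following head : "
    r"dest-mac is (?P<dst>" + MAC + r"),sour-mac is (?P<src>" + MAC + r"), "
    r"type is (?P<etype>[0-9a-f]{4})$"
)
BRIDGE_RE = re.compile(
    r"^\*(?P<ts>[\d.]+) 3Com BRIDGE/8/DEBUGGING: Discard a frame for the filter on "
    r"(?P<port>inport|outport) ; received from interface (?P<rx>[^;,]+)"
    r"(?:;and try to send to interface (?P<tx>[^,]+))?, with following frame head : "
    r"(?P<head>(?:[0-9a-f]{2} ){13}[0-9a-f]{2})$"
)
ETHERTYPE_NAMES = {"0800": "IPv4", "0806": "ARP"}


def mac_from_octets(octets: List[str]) -> str:
    """['00','0f','1f','7e','fe','c5'] -> '000f-1f7e-fec5' (the EFF line's notation)."""
    hexstr = "".join(octets)
    return "-".join(hexstr[i:i + 4] for i in range(0, 12, 4))


def parse_frame_head(head: str) -> Tuple[str, str, str]:
    """Decode the 14-byte Ethernet II header: (dest MAC, source MAC, EtherType)."""
    octets = head.split()
    if len(octets) != 14:
        raise ValueError("expected 14 header bytes, got %d" % len(octets))
    return mac_from_octets(octets[0:6]), mac_from_octets(octets[6:12]), "".join(octets[12:14])


def parse_eff(line: str) -> Optional[Dict[str, str]]:
    m = EFF_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_bridge(line: str) -> Optional[Dict[str, Optional[str]]]:
    m = BRIDGE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dst"], rec["src"], rec["etype"] = parse_frame_head(rec.pop("head"))
    return rec


def triage(log_text: str) -> Dict[str, object]:
    """Count EFF denies by (direction, ACL, src, dst, type) and BRIDGE discards by
    (port, in-interface, out-interface); flag EFF/BRIDGE pairs whose headers differ."""
    denies: Counter = Counter()
    discards: Counter = Counter()
    mismatches: List[Tuple[str, str]] = []
    pending = None  # last EFF record still waiting for its BRIDGE line
    for line in log_text.splitlines():
        eff = parse_eff(line)
        if eff:
            denies[(eff["dir"], int(eff["acl"]), eff["src"], eff["dst"],
                    ETHERTYPE_NAMES.get(eff["etype"], eff["etype"]))] += 1
            pending = eff
            continue
        br = parse_bridge(line)
        if br:
            discards[(br["port"], br["rx"], br["tx"])] += 1
            if pending and (pending["dst"], pending["src"], pending["etype"]) != \
                    (br["dst"], br["src"], br["etype"]):
                mismatches.append((pending["ts"], br["ts"]))
            pending = None
    return {"denies": denies, "discards": discards, "mismatches": mismatches}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, n in result["denies"].most_common():
        print(n, *key)
```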

debugging firewall transparent-mode eth-forwarding

Syntax

debugging firewall transparent-mode eth-forwarding [ interface interface-type interface-number ]


undo debugging firewall transparent-mode eth-forwarding [ interface interface-type interface-number ]

View

User view

Parameter

None

Description

Use the debugging firewall transparent-mode eth-forwarding command to enable debugging for Ethernet forwarding on the transparent firewall.

Use the undo debugging firewall transparent-mode eth-forwarding command to disable debugging for Ethernet forwarding on the transparent firewall.

By default, debugging for Ethernet forwarding on the transparent firewall is not enabled.

Example

# Enable debugging for Ethernet forwarding on the transparent firewall.

<SecBlade_FW> debugging firewall transparent-mode eth-forwarding
The Transparent-mode eth-forwarding Debugging is on
*0.695514 3Com BRIDGE/8/DEBUGGING: Forward a frame; received from interface GigabitEthernet0/0;and try to send to interface GigabitEthernet0/1, with following frame head : 00 e0 fc 36 a7 a9 00 0f 1f 7e fe c5 08 00
*0.695514 3Com BRIDGE/8/DEBUGGING: Forward a frame; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
*0.696515 3Com BRIDGE/8/DEBUGGING: Forward a frame; received from interface GigabitEthernet0/0;and try to send to interface GigabitEthernet0/1, with following frame head : 00 e0 fc 36 a7 a9 00 0f 1f 7e fe c5 08 00
*0.696515 3Com BRIDGE/8/DEBUGGING: Forward a frame; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
*0.696582 3Com BRIDGE/8/DEBUGGING: Forward a frame; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
*0.696582 3Com BRIDGE/8/DEBUGGING: Forward a frame; received from interface GigabitEthernet0/0;and try to send to interface GigabitEthernet0/1, with following frame head : 00 e0 fc 36 a7 a9 00 0f 1f 7e fe c5 08 00
*0.696584 3Com BRIDGE/8/DEBUGGING: Forward a frame; received from interface GigabitEthernet0/1;and try to send to interface GigabitEthernet0/0, with following frame head : 00 0f 1f 7e fe c5 00 e0 fc 36 a7 a9 08 00
*0.696584 3Com BRIDGE/8/DEBUGGING: Forward a frame; received from interface GigabitEthernet0/0;and try to send to interface GigabitEthernet0/1, with following frame head : 00 e0 fc 36 a7 a9 00 0f 1f 7e fe c5 08 00

debugging firewall transparent-mode ip-forwarding

Syntax

debugging firewall transparent-mode ip-forwarding


undo debugging firewall transparent-mode ip-forwarding

View

User view

Parameter

None

Description

Use the debugging firewall transparent-mode ip-forwarding command to enable debugging for IP packet forwarding on the transparent firewall.

Use the undo debugging firewall transparent-mode ip-forwarding command to disable debugging for IP packet forwarding on the transparent firewall.

By default, debugging for IP packet forwarding on the transparent firewall is not enabled.

Example

# Enable debugging for IP packet forwarding on the transparent firewall.

<SecBlade_FW> debugging firewall transparent-mode ip-forwarding
The Transparent-mode Ip-forwarding Debugging is on
<SecBlade_FW>
*0.11355193 3Com FWTP/8/rcv_ip:Receive an IP packet
interface: GigabitEthernet0/0
source_ip_addr : 192.168.3.6 source_port : 33073
destination_ip_addr : 192.168.3.8 destination_port : 52128
protocol : 1
*0.11355193 3Com FWTP/8/sndto_secur:Send an IP packet to security module
source_ip_addr : 192.168.3.6 source_port : 17664
destination_ip_addr : 192.168.3.8 destination_port : 60
protocol : 1 return value:0
*0.11355193 3Com FWTP/8/snd_ip:Send an IP packet
interface: GigabitEthernet0/1
source_ip_addr : 192.168.3.6 source_port : 0
destination_ip_addr : 192.168.3.8 destination_port : 1
protocol : 1
*0.11355193 3Com FWTP/8/rcv_ip:Receive an IP packet
interface: GigabitEthernet0/1
source_ip_addr : 192.168.3.8 source_port : 33073
destination_ip_addr : 192.168.3.6 destination_port : 52128
protocol : 1
*0.11355193 3Com FWTP/8/sndto_secur:Send an IP packet to security module
source_ip_addr : 192.168.3.8 source_port : 17664
destination_ip_addr : 192.168.3.6 destination_port : 60
protocol : 1 return value:0
*0.11355193 3Com FWTP/8/snd_ip:Send an IP packet
interface: GigabitEthernet0/0
source_ip_addr : 192.168.3.8 source_port : 0
destination_ip_addr : 192.168.3.6 destination_port : 1
protocol : 1

display firewall ethernet-frame-filter

Syntax

display firewall ethernet-frame-filter { all | interface interface-type interface-number }

View

Any view

Parameter

all: Ethernet frame filtering statistics on all interfaces.

interface interface-type interface-number: Ethernet frame filtering statistics on a specified interface.

Description

Use the display firewall ethernet-frame-filter command to display Ethernet frame filtering statistics.

Example

# Display Ethernet frame filtering statistics on all interfaces.

<SecBlade_FW> display firewall ethernet-frame-filter all
Interface: GigabitEthernet0/1
In-bound Policy: acl 4000
From 2099-08-02 5:55:05 to 2099-08-02 5:55:41
11 packets, 668 bytes, 100% permitted,
0 packets, 0 bytes, 0% denied,
0 packets, 0 bytes, 0% permitted default,
0 packets, 0 bytes, 0% denied default,
Totally 11 packets, 668 bytes, 100% permitted,
Totally 0 packets, 0 bytes, 0% denied.
Out-bound Policy: acl 4000
From 2099-08-02 5:55:07 to 2099-08-02 5:55:41
0 packets, 0 bytes, 0% permitted,
0 packets, 0 bytes, 0% denied,
0 packets, 0 bytes, 0% permitted default,
0 packets, 0 bytes, 100% denied default,
Totally 0 packets, 0 bytes, 0% permitted,
Totally 0 packets, 0 bytes, 100% denied.

display firewall mode

Syntax

display firewall mode

View

Any view


Parameter

None

Description

Use the display firewall mode command to display the operating mode of the current firewall.

Example

# Display the operating mode of the current firewall.

<SecBlade_FW> display firewall mode
Firewall mode: transparent

display firewall transparent-mode address-table

Syntax

display firewall transparent-mode address-table [ interface interface-type interface-number | mac mac-address ]

View

Any view

Parameter

interface interface-type interface-number: Information about the MAC addresses associated with the specified interface.

mac mac-address: Information about the specified MAC address entry.

Description

Use the display firewall transparent-mode address-table command to display the MAC address table of the transparent firewall.

Example

# Display the MAC address table of the transparent firewall.

<SecBlade_FW> display firewall transparent-mode address-table
The total of the address-items is 2
Mac-address     Flag  Aging-time  Receive  Send  Interface-name
00e0-fc36-a7a9  PD    00:01:41    23       13    GigabitEthernet0/0.1
000f-1f7e-fec5  PD    00:03:28    121      12    GigabitEthernet0/0.2
Flag meaning: P--PERMIT N--DENY D--DYNAMIC S--STATIC

display firewall transparent-mode config

Syntax

display firewall transparent-mode config

View

Any view

Parameter

None

Description

Use the display firewall transparent-mode config command to display the configuration information of the transparent firewall.


Example

# Display the configuration information of the transparent firewall.

<SecBlade_FW> display firewall transparent-mode config
Firewall transparent-info:
ARP learning : enable
System IP address: 169.0.0.1
System IP mask : 255.0.0.0
Unknown-mac:
Unicast IP packet : arp
broadcast IP packet: drop
Multicast IP packet: drop

display firewall transparent-mode traffic

Syntax

display firewall transparent-mode traffic [ interface interface-type interface-number ]

View

Any view

Parameter

interface interface-type interface-number: Displays the traffic information about the specified interface.

Description

Use the display firewall transparent-mode traffic command to display the traffic information about the transparent firewall.

Example

# Display the traffic information about the transparent firewall.

<SecBlade_FW> display firewall transparent-mode traffic
system error is 0,inport error is 0, outport error is 0 ,other error is 0
the total statistic :
Input: 860 total, 0 bpdu, 750 single, 0 multi, 110 broadcast;
860 ip,0 ipx, 0 other protocol;
860 eth2, 0 snap, 0 dlsw, 0 other, 0 vlan;
Output: 747 total, 0 bpdu, 747 single, 0 multi, 0 broadcast;
747 ip, 0 ipx, 0 other protocol;
747 eth2, 0 snap, 0 dlsw, 0 other, 0 vlan;
Send way: 0 broadcast, 0 fast, 747 other
Discard: 0 by inport state, 0 for local frame , 0 by mac table,
0 by inport filter, 0 by outport filter, 113 by ip filter , 0 other
the statistic of interface GigabitEthernet0/1
Input: 376 total, 0 bpdu, 375 single, 0 multi, 1 broadcast;
376 ip,0 ipx, 0 other protocol;
376 eth2, 0 snap, 0 dlsw, 0 other, 0 vlan;
Output: 374 total, 0 bpdu, 374 single, 0 multi, 0 broadcast;
374 ip, 0 ipx, 0 other protocol;
374 eth2, 0 snap, 0 dlsw, 0 other, 0 vlan;
Send way: 0 broadcast, 0 fast, 374 other
Discard: 0 by inport state, 0 for local frame , 0 by mac table,
0 by inport filter, 0 by outport filter, 3 by ip filter , 0 other
the statistic of interface GigabitEthernet0/0
Input: 484 total, 0 bpdu, 375 single, 0 multi, 109 broadcast;
484 ip,0 ipx, 0 other protocol;
484 eth2, 0 snap, 0 dlsw, 0 other, 0 vlan;
Output: 373 total, 0 bpdu, 373 single, 0 multi, 0 broadcast;
373 ip, 0 ipx, 0 other protocol;
373 eth2, 0 snap, 0 dlsw, 0 other, 0 vlan;
Send way: 0 broadcast, 0 fast, 373 other
Discard: 0 by inport state, 0 for local frame , 0 by mac table,
0 by inport filter, 0 by outport filter, 110 by ip filter , 0 other


firewall arp-learning enable

Syntax

firewall arp-learning enable

undo firewall arp-learning enable

View

System view

Parameter

None

Description

Use the firewall arp-learning enable command to enable learning of dynamic ARP entries on the transparent firewall.

Use the undo firewall arp-learning enable command to disable learning of dynamic ARP entries on the transparent firewall.

By default, learning of dynamic ARP entries on the transparent firewall is enabled.

Example

# Enable learning of dynamic ARP entries on the transparent firewall.

[SecBlade_FW] firewall arp-learning enable

firewall ethernet-frame-filter

Syntax

firewall ethernet-frame-filter acl-number { inbound | outbound }

undo firewall ethernet-frame-filter { inbound | outbound }

View

Ethernet interface view

Parameter

acl-number: Number of the MAC address-based ACL, in the range of 4000 to 4999.

inbound: Filters inbound frames.

outbound: Filters outbound frames.

Description

Use the firewall ethernet-frame-filter command to apply the MAC address-based ACL to the interface.

Use the undo firewall ethernet-frame-filter command to remove the MAC address-based ACL from the interface.

By default, no MAC address-based ACL is applied to the interface.

Example

# Apply the MAC address-based ACL 4009 to GigabitEthernet0/0.1.


[SecBlade_FW-GigabitEthernet0/0.1] firewall ethernet-frame-filter 4009 inbound

firewall mode

Syntax

firewall mode { route | transparent }

undo firewall mode

View

System view

Parameter

route: Specifies that the firewall operate in routing mode.

transparent: Specifies that the firewall operate in transparent mode.

Description

Use the firewall mode command to specify the operating mode of a firewall.

Use the undo firewall mode command to revert to the default operating mode.

A firewall operates in routing mode by default.

When a firewall operates in routing mode, all of its interfaces operate at Layer 3; that is, you can assign IP addresses to them. When a firewall operates in transparent mode, all of its interfaces operate at Layer 2; that is, they act as switching ports, and you cannot configure Layer 3 properties (such as IP addresses) on them.

Example

# Specify the firewall to operate in transparent mode.

[SecBlade_FW] firewall mode transparent
Set system ip address successfully.
All the Interfaces's ips have been deleted.
The mode is set successfully.

The output indicates that the firewall operates in transparent mode, and the IP addresses of all its interfaces are removed.

firewall system-ip

Syntax

firewall system-ip ip-address [ mask ]

undo firewall system-ip

View

System view

Parameter

ip-address: IP address of the firewall system.


mask: Subnet mask of the firewall system. If not provided, the default subnet mask of the class to which the IP address belongs is used.

Description

Use the firewall system-ip command to assign an IP address for a firewall system.

Use the undo firewall system-ip command to revert to the default system IP address.

The IP address of a firewall system is 169.0.0.1/8 by default.

When a firewall operates in transparent mode, all of its interfaces operate at Layer 2; that is, they act as switching ports, and you cannot configure Layer 3 properties (such as IP addresses) on them. A firewall must nevertheless have an IP address so that administrators can manage it and it can provide network services. For this reason, a firewall operating in transparent mode is assigned a default system IP address (169.0.0.1/8), which you can change with this command.

You cannot configure the system IP address of a firewall when the firewall operates in routing mode.

Example

# Configure a system IP address for a firewall.

[SecBlade_FW] firewall mode transparent
Set system ip address successfully.
All the Interfaces's ip addresses have been deleted.
The mode is set successfully.
[SecBlade_FW] firewall system-ip 10.1.1.5 255.255.255.0
Set system ip address successfully.

firewall transparent-mode aging-time

Syntax

firewall transparent-mode aging-time seconds

undo firewall transparent-mode aging-time

View

System view

Parameter

seconds: Aging time of the MAC forwarding table, in the range of 10 to 1000000 (seconds).

Description

Use the firewall transparent-mode aging-time command to configure the aging time of the MAC forwarding table.

Use the undo firewall transparent-mode aging-time command to restore the default configuration.

By default, the aging time of the MAC forwarding table is 300 seconds.


Example

# Configure the aging time of the MAC forwarding table to 1800 seconds.

[SecBlade_FW] firewall transparent-mode aging-time 1800

firewall transparent-mode transmit

Syntax

firewall transparent-mode transmit { bpdu | dlsw | ipx }

undo firewall transparent-mode transmit { bpdu | dlsw | ipx }

View

System view

Parameter

bpdu: Bridge protocol data unit.

dlsw: Data link switching.

ipx: Internetwork packet exchange.

Description

Use the firewall transparent-mode transmit command to define the type of packets that are allowed to pass.

Use the undo firewall transparent-mode transmit command to stop allowing the specified type of packets to pass.

By default, none of these packet types (BPDU, DLSw, IPX) is allowed to pass; the firewall filters them all out.

Example

# Configure the transparent firewall to allow BPDU packets to pass.

[SecBlade_FW] firewall transparent-mode transmit bpdu

firewall unknown-mac

Syntax

firewall unknown-mac { drop | flood }

undo firewall unknown-mac

View

System view

Parameter

drop: Drops the IP unicast, multicast and broadcast packets with unknown MAC address.

flood: Floods IP unicast, multicast and broadcast packets with an unknown MAC address to the interfaces in a specific security zone other than the interface that received the packet. After receiving the ARP response packet, the system saves the MAC address and forwards subsequent packets to that MAC address.
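The transparent-mode commands in this chapter (aging-time, transmit, unknown-mac and ethernet-frame-filter) all feed one forwarding decision, which the display firewall transparent-mode traffic counters report by discard reason. The following Python model is an added example, not 3Com code: it combines those settings into a single forward() function and keeps per-reason discard counters in the spirit of that display output. The Acl class is a simplified stand-in for the real ACL 4000 to 4999 syntax, which this chapter does not show, and the MAC-table behaviour is simplified to learning, aging and unknown-MAC handling.

```python
"""Model of the transparent-mode forwarding decision this chapter configures.

Added example, not 3Com code. It ties together the MAC table with aging
(firewall transparent-mode aging-time, default 300 s), the protocol
allow-list (firewall transparent-mode transmit), the unknown-MAC policy
(firewall unknown-mac drop | flood) and per-interface MAC ACLs
(firewall ethernet-frame-filter ... inbound | outbound). The Acl class is a
simplified stand-in for the real ACL 4000-4999 syntax, which is not shown here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ffff-ffff-ffff"


@dataclass
class Frame:
    src: str
    dst: str
    kind: str    # "ip", "arp", "bpdu", "dlsw" or "ipx"
    in_if: str   # receiving interface


@dataclass
class MacEntry:
    interface: str
    seen: float  # time (s) the dynamic entry was learned or refreshed


@dataclass
class Acl:
    """First matching (action, src, dst) rule wins; None matches any MAC.
    'default' stands in for the 'permitted default' / 'denied default'
    counters in display firewall ethernet-frame-filter."""
    rules: List[Tuple[str, Optional[str], Optional[str]]]
    default: str = "deny"

    def check(self, frame: Frame) -> str:
        for action, src, dst in self.rules:
            if (src is None or src == frame.src) and (dst is None or dst == frame.dst):
                return action
        return self.default


class TransparentFirewall:
    def __init__(self, interfaces: List[str], aging_time: int = 300,
                 unknown_mac: str = "drop", transmit: Tuple[str, ...] = ()):
        self.interfaces = list(interfaces)
        self.aging_time = aging_time                     # aging-time seconds
        self.unknown_mac = unknown_mac                   # "drop" or "flood"
        self.transmit = set(transmit)                    # kinds allowed by 'transmit'
        self.table: Dict[str, MacEntry] = {}
        self.filters: Dict[Tuple[str, str], Acl] = {}   # (interface, direction)
        self.discards = {"protocol": 0, "inport filter": 0,
                         "outport filter": 0, "mac table": 0}

    def ethernet_frame_filter(self, interface: str, direction: str, acl: Acl) -> None:
        """firewall ethernet-frame-filter <acl> { inbound | outbound } on 'interface'."""
        self.filters[(interface, direction)] = acl

    def _age(self, now: float) -> None:
        for mac in [m for m, e in self.table.items() if now - e.seen >= self.aging_time]:
            del self.table[mac]

    def _denied(self, interface: str, direction: str, frame: Frame) -> bool:
        acl = self.filters.get((interface, direction))
        return acl is not None and acl.check(frame) == "deny"   # no ACL: frame passes

    def forward(self, frame: Frame, now: float) -> Tuple[str, List[str]]:
        """Return (verdict, interfaces the frame is sent out of)."""
        self._age(now)
        if frame.kind in ("bpdu", "dlsw", "ipx") and frame.kind not in self.transmit:
            self.discards["protocol"] += 1          # default: none of these pass
            return "drop: protocol not permitted", []
        if self._denied(frame.in_if, "inbound", frame):
            self.discards["inport filter"] += 1
            return "drop: inport filter", []
        self.table[frame.src] = MacEntry(frame.in_if, now)   # dynamic learning
        entry = self.table.get(frame.dst)
        if frame.dst == BROADCAST or (entry is None and self.unknown_mac == "flood"):
            candidates = [i for i in self.interfaces if i != frame.in_if]
        elif entry is None:
            self.discards["mac table"] += 1         # firewall unknown-mac drop
            return "drop: unknown mac", []
        else:
            candidates = [entry.interface]
        out = [i for i in candidates if not self._denied(i, "outbound", frame)]
        self.discards["outport filter"] += len(candidates) - len(out)
        if not out:
            return "drop: outport filter", []
        return "forward", out
```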


20

VRRP CONFIGURATION COMMANDS

Note: The commands described in this document apply to the Firewall module, and not to the Switch 8800 Family switches.

VRRP Configuration Commands

Note: You can also use the following commands at the SecBlade_VPN prompt.

debugging vrrp

Syntax

debugging vrrp { packet | state }

undo debugging vrrp { packet | state }

View

User view

Parameter

packet: Enables VRRP packet debugging.

state: Enables VRRP state debugging.

Description

Use the debugging vrrp command to enable VRRP debugging.

Use the undo debugging vrrp command to disable VRRP debugging.

By default, VRRP debugging is disabled.

Example

# Enable VRRP packet debugging.

[SecBlade_FW] debugging vrrp packet

display vrrp

Syntax

display vrrp [ interface type number [ virtual-router-ID ] ]

View

Any view


Parameter

interface type number: Specifies an interface type and interface number.

virtual-router-ID: Standby group number.

Description

Use the display vrrp command to view current configuration and state information about VRRP.

If the interface and standby group number are not specified, the state information about all the standby groups is displayed. If only the interface is specified, the state information about all the standby groups on the interface is displayed. If both arguments are specified, the state information about the specified standby group is displayed.

Example

# Display information about all standby groups.

<SecBlade_FW> display vrrp
Virtual Ip Ping : Disable
GigabitEthernet0/0.1 | Virtual Router 1
    state : Initialize
    Virtual IP : 22.2.2.2
    Config Priority : 100
    Run Priority : 100
    Preempt : YES
    Delay Time : 0
    Timer : 1
    Auth Type : NONE
GigabitEthernet0/0.2 | Virtual Router 1
    state : Initialize
    Virtual IP : 1.1.11.1
    Config Priority : 100
    Run Priority : 100
    Preempt : YES
    Delay Time : 0
    Timer : 1
    Auth Type : NONE

vrrp authentication-mode

Syntax

vrrp authentication-mode { md5 key | simple key }

undo vrrp authentication-mode

View

Interface view

Parameter

simple: Adopts plain text authentication.

md5: Adopts ciphertext authentication using the MD5 algorithm.

key: Authentication key. When simple authentication applies, the authentication key is in plain text with a length of 1 to 8 characters. When md5 authentication applies, the authentication key is in MD5 ciphertext and the length of the key depends on its input format. If the key is input in plain text, its length is 1 to 8 characters, such as 1234567; if the key is input in ciphertext, its length must be 24 characters, such as _(TT8F]Y5SQ=^Q‘MAF4<1!!.

Description

Use the vrrp authentication-mode command to configure authentication mode and authentication key for the VRRP standby groups on the interface.

Use the undo vrrp authentication-mode command to disable authentication in the VRRP standby groups on the interface.

By default, authentication is disabled.

With this command, all standby groups on the interface share the same authentication type and authentication key.

Note that the members of the same standby group must use the same authentication mode and authentication key.

The authentication key is case sensitive.

Example

# Set the authentication mode and authentication key of all VRRP standby groups on GigabitEthernet0/0.1 sub-interface.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp authentication-mode simple aabbcc

vrrp ping-enable

Syntax

vrrp ping-enable

undo vrrp ping-enable

View

System view

Parameter

None

Description

Use the vrrp ping-enable command to enable users to ping the virtual IP addresses of standby groups.

Use the undo vrrp ping-enable command to prevent users from pinging the virtual IP addresses of standby groups.

By default, users cannot ping the virtual IP addresses of standby groups.

Note that you must configure this command before creating standby groups. Once a standby group is created, you cannot use this command and its undo form.

Example

# Enable users to ping the virtual IP addresses of standby groups.


[SecBlade_FW] vrrp ping-enable

vrrp un-check ttl

Syntax

vrrp un-check ttl

undo vrrp un-check ttl

View

Interface view

Parameter

None

Description

Use the vrrp un-check ttl command to disable time to live (TTL) check for VRRP packets.

Use the undo vrrp un-check ttl command to enable TTL check for VRRP packets.

According to the VRRP protocol, the TTL value of VRRP packets must be 255. If the backup security gateway detects that the TTL value of a packet is not 255, it drops the packet.

By default, the TTL value of VRRP packets will be checked.

Example

# Disable TTL check for VRRP packets.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp un-check ttl

vrrp vrid preempt-mode

Syntax

vrrp vrid virtual-router-ID preempt-mode [ timer delay delay-value ]

undo vrrp vrid virtual-router-ID preempt-mode

View

Interface view

Parameter

virtual-router-ID: Virtual router ID or VRRP standby group number, in the range of 1 to 255.

delay-value: Delay in the range of 0 to 255 in seconds.

Description

Use the vrrp vrid preempt-mode command to enable preemption on the security gateway and configure its preemption delay in the specified standby group.

Use the undo vrrp vrid preempt-mode command to disable preemption on the security gateway in the specified standby group.


To allow a backup security gateway in a standby group to preempt the current master when it has a higher priority, you must enable preemption on it. If immediate preemption is not desired, you can set a preemption delay. The delay automatically changes to 0 seconds when preemption is disabled.

By default, the preemption mode is adopted with the delay of 0 seconds.

Example

# Enable preemption on the security gateway in standby group 1.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode

# Set the preemption delay to five seconds.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode timer delay 5

# Disable preemption on the security gateway in standby group 1.

[SecBlade_FW-GigabitEthernet0/0.1] undo vrrp vrid 1 preempt-mode

vrrp vrid priority

Syntax

vrrp vrid virtual-router-ID priority priority-value

undo vrrp vrid virtual-router-ID priority

View

Interface view

Parameter

virtual-router-ID: VRRP standby group number, in the range of 1 to 255.

priority-value: Priority value, in the range 1 to 254.

Description

Use the vrrp vrid priority command to configure the priority of the security gateway in the specified standby group.

Use the undo vrrp vrid priority command to restore the default.

In VRRP, the role that a Firewall module plays in a standby group depends on its priority. A higher priority means that the security gateway is more likely to become the master. Note that priority 0 is reserved for special use and 255 for the IP address owner.

By default, the priority is 100.

Example

# Set the priority of the security gateway in standby group 1 to 150.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 priority 150

vrrp vrid timer advertise

Syntax

vrrp vrid virtual-router-ID timer advertise adver-interval


undo vrrp vrid virtual-router-ID timer advertise

View

Interface view

Parameter

virtual-router-ID: VRRP standby group number, in the range of 1 to 255.

adver-interval: Interval at which the master in the specified standby group sends VRRP packets. It is in the range of 1 to 255 in seconds.

Description

Use the vrrp vrid timer advertise command to configure the Adver_Timer of the specified standby group.

Use the undo vrrp vrid timer advertise command to restore the default.

The Adver_Timer controls the interval at which the master sends VRRP packets.

By default, the value of the timer is 1 second.

Example

# Set the master in standby group 1 to send VRRP packets at intervals of five seconds.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 timer advertise 5

vrrp vrid track

Syntax

vrrp vrid virtual-router-ID track interface-type interface-number [ reduced priority-reduced ]

undo vrrp vrid virtual-router-ID track [ interface-type interface-number ]

View

Interface view

Parameter

virtual-router-ID: VRRP standby group number, in the range of 1 to 255.

interface-type interface-number: Interface to be tracked.

priority-reduced: Value by which the priority is reduced. It is in the range of 1 to 255.

Description

Use the vrrp vrid track command to configure the interface to be tracked.

Use the undo vrrp vrid track command to disable tracking the specified interface.

The interface tracking function expands the backup functionality of VRRP. It provides backup not only when a security gateway fails but also when a network interface goes down.


When the monitored interface specified in this command goes down, the priority of the security gateway that owns the interface is automatically decreased by the value specified by priority-reduced, allowing a higher-priority member of the standby group to take over as the master. When the security gateway is the IP address owner, however, you cannot configure interface tracking on it.

By default, the priority is reduced by 10.

Example

# On GigabitEthernet0/0.1, track sub-interface GigabitEthernet0/0.300 for standby group 1, reducing the priority by 50 when it goes down.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 track GigabitEthernet0/0.300 reduced 50

# On GigabitEthernet0/0.1, disable the tracking of sub-interface GigabitEthernet0/0.300 for standby group 1.

[SecBlade_FW-GigabitEthernet0/0.1] undo vrrp vrid 1 track GigabitEthernet0/0.300
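The preempt-mode, priority, un-check ttl, authentication-mode and track commands above together decide whether a backup security gateway takes over as master. The following Python model is an added example, not 3Com code: it applies the rules stated in this chapter (priority 1 to 254 with 0 reserved and 255 for the IP address owner, default 100; preemption with an optional delay; tracking that lowers the running priority by priority-reduced, default 10, while the tracked interface is down; the TTL-255 check; and the requirement that group members share the authentication mode and key) to a received advertisement. Flooring a reduced priority at 1 is an assumption the chapter does not state.

```python
"""Model of the VRRP role decisions described in this chapter.

Added example, not 3Com code. It implements the rules the commands above
state: priority 1 to 254 (0 reserved, 255 = IP address owner, default 100),
preemption with an optional delay (vrrp vrid preempt-mode timer delay),
interface tracking that lowers the running priority by priority-reduced
(default 10) while the tracked interface is down, the TTL-255 check that
vrrp un-check ttl disables, and the rule that group members must share the
authentication mode and key. Flooring a reduced priority at 1 is an assumption.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Advertisement:
    """Fields of a received VRRP advertisement that matter to the decision."""
    vrid: int
    priority: int
    ttl: int
    auth_mode: str = "none"   # "none", "simple" or "md5"
    auth_key: str = ""


@dataclass
class Gateway:
    name: str
    vrid: int
    config_priority: int = 100
    ip_owner: bool = False
    preempt: bool = True          # vrrp vrid <id> preempt-mode (default on)
    preempt_delay: int = 0        # timer delay, 0 to 255 seconds
    check_ttl: bool = True        # False after vrrp un-check ttl
    auth_mode: str = "none"
    auth_key: str = ""
    tracked: Dict[str, int] = field(default_factory=dict)   # interface -> priority-reduced
    link_up: Dict[str, bool] = field(default_factory=dict)
    state: str = "Backup"
    preempt_at: Optional[float] = None

    def set_priority(self, value: int) -> None:
        """vrrp vrid <id> priority <value>."""
        if not 1 <= value <= 254:
            raise ValueError("priority must be 1 to 254; 0 and 255 are reserved")
        self.config_priority = value

    def track(self, interface: str, reduced: int = 10) -> None:
        """vrrp vrid <id> track <interface> [ reduced <priority-reduced> ]."""
        if self.ip_owner:
            raise ValueError("interface tracking cannot be configured on the IP address owner")
        if not 1 <= reduced <= 255:
            raise ValueError("priority-reduced must be 1 to 255")
        self.tracked[interface] = reduced
        self.link_up.setdefault(interface, True)

    def run_priority(self) -> int:
        """Run Priority as shown by display vrrp."""
        if self.ip_owner:
            return 255
        penalty = sum(r for i, r in self.tracked.items() if not self.link_up.get(i, True))
        return max(self.config_priority - penalty, 1)   # assumption: floor at 1

    def receive(self, adv: Advertisement, now: float) -> str:
        """Process one advertisement from the current master; return the decision."""
        if adv.vrid != self.vrid:
            return "ignored: other standby group"
        if self.check_ttl and adv.ttl != 255:
            return "dropped: TTL check failed"
        if (adv.auth_mode, adv.auth_key) != (self.auth_mode, self.auth_key):
            return "dropped: authentication mismatch"
        mine = self.run_priority()
        if self.state == "Master":
            if adv.priority > mine:
                self.state = "Backup"
                return "yield: higher-priority master seen"
            return "master: lower-priority advertisement ignored"
        if mine > adv.priority:
            if not self.preempt:
                return "backup: preemption disabled"
            if self.preempt_at is None:
                self.preempt_at = now + self.preempt_delay
            if now >= self.preempt_at:
                self.state, self.preempt_at = "Master", None
                return "preempt: become master"
            return "preempt pending until %s" % self.preempt_at
        self.preempt_at = None
        return "backup: master has higher priority"
```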

vrrp vrid virtual-ip

Syntax

vrrp vrid virtual-router-ID virtual-ip virtual-address

undo vrrp vrid virtual-router-ID virtual-ip [ virtual-address ]

View

Interface view

Parameter

virtual-router-ID: VRRP standby group number, in the range of 1 to 255.

virtual-address: Virtual IP address.

Description

Use the vrrp vrid virtual-ip command to create a standby group (the first time you add a virtual IP address to it) or to add a virtual IP address to an existing standby group.

Use the undo vrrp vrid virtual-router-ID virtual-ip command to remove a standby group.

Use the undo vrrp vrid virtual-router-ID virtual-ip virtual-address command to delete a virtual IP address from the specified standby group.

The system removes a standby group after you delete all the virtual IP addresses in it.

By default, no standby group exists.

Example

# Create a standby group.

[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.10.10.10

# Add a virtual IP address to the existing standby group.


[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.10.10.11

# Delete a virtual IP address.

[SecBlade_FW-GigabitEthernet0/0.1] undo vrrp vrid 1 virtual-ip 10.10.10.10