The privilege of HCNA/HCNP/HCIE:

With any Huawei Career Certification, you have the privilege on http://learning.huawei.com/en to enjoy:

1. e-Learning Courses: Log on to http://learning.huawei.com/en and enter Huawei Training/e-Learning.
   If you have the HCNA/HCNP certificate: You can access Huawei Career Certification and Basic Technology e-Learning courses.
   If you have the HCIE certificate: You can access all the e-Learning courses which are marked for HCIE Certification Users.
   Method to get the HCIE e-Learning privilege: Please associate your HCIE certificate information with your Huawei account, and email the account to Learning@huawei.com to apply for the HCIE e-Learning privilege.

2. Training Material Download
   Content: Huawei product training material and Huawei career certification training material.
   Method: Log on to http://learning.huawei.com/en and enter Huawei Training/Classroom Training, then you can download the training material on the specific training introduction page.

3. Priority to participate in Huawei Online Open Class (LVC)
   The Huawei career certification training and product training cover all ICT technical domains, such as R&S, UC&C, Security, Storage and so on, and are conducted by Huawei professional instructors.

4. Learning Tools:
   eNSP: Simulates a single Router&Switch device and large networks.
   WLAN Planner: Network planning tool for WLAN AP products.

In addition, Huawei has built up the Huawei Technical Forum, which allows candidates to discuss technical issues with Huawei experts, share exam experiences with others, or become acquainted with Huawei products.

Statement:
This material is for personal use only, and can not be used by any individual or organization for any commercial purposes.

HUAWEI TECHNOLOGIES CO., LTD. Huawei Confidential
CSBN-HCNA-Security
Lab Guide
ISSUE 2.50
ISSUE 2.50
1 Overview
1.1 Application Scope
1.2 Introduction of Firewall Products
1.3 Terminal Security Products
1.4 Diagram of Network Elements
1.5 Security Declaration
2 How to Login Firewall
2.1 Login Through the Console Port
2.2 Login Through Web Management Interface (Default Web-manager)
2.3 Remote Login Through Telnet
2.4 Remote Login Through SSH
2.5 Login Through the Web
3 Firewall Basic Configuration
3.1 Firewall System Management
4 Firewall Security Forwarding Policy
4.1 Configuring IP Address-Based Forwarding Policy
5 Network Address Translation Lab
5.1 Source NAT Lab
5.2 Source NAT & NAT Server Lab
6 Firewall Dual-System Hot Backup Lab
6.1 Firewall Dual-System Hot Backup Lab
7 Firewall User Management Lab
7.1 Internet Access User Authentication Lab (Authentication Exemption and Local Password Authentication)
8 VPN Lab
8.1 L2TP VPN Lab (Client-Initialized VPN)
8.2 GRE VPN Lab
9 IPSec VPN Lab
9.1 Configuring Point-to-Point IPSec Tunnel
10 SSL VPN Lab
10.1 Web Proxy/File Sharing/Port Forwarding/Network Extension
11 UTM Lab
11.1 Virus Database or IPS Signature Database Update
11.2 UTM IPS Lab
11.3 UTM AV Lab
1 Overview

This document describes the configuration and deployment of Huawei security products. Through the labs on the security products you will gain the capability of deploying and operating the devices.

1.1 Application Scope

This document is applicable to the labs described in the security product training courses for Huawei system security engineers.

The labs are applicable to the following products:

USG 6300&6500&6600 V100R001
1.2 Introduction of Firewall Products

1.2.1 USG6320 Description

Device Overview

The USG6320 is a 1-U desktop device with an integrated structure. The device provides fixed ports and a built-in fan module, and uses an external power adapter to supply power. The device does not support port expansion. The size of the integrated chassis is 44.5 mm (H) x 300 mm (W) x 220 mm (D), and it can be installed in a 19-inch standard cabinet.

Front panel

The USG6320 front panel provides a USB 2.0 port and system and port status indicators. The figure below illustrates the front panel of the USG6320.

Name: Description
USB 2.0: USB ports allow you to insert USB devices for system software upgrades.
Interface status indicators 0 to 7 (green):
  Steady on: The link is connected.
  Blink (8 Hz): Data is being sent or received.
  Off: The link is disconnected.
PWR indicator (green):
  Steady on: The power module works properly.
  Off: The power module is faulty or the power cable is disconnected.
System status indicators:
  SYS indicator (green):
    Steady on: The system is powering on or restarting.
    Blink (0.5 Hz): The system is running normally.
    Blink (2 Hz): The system is starting.
    Blink (8 Hz): The system software or configuration file is being upgraded.
    Off: The system is faulty.
  ALM indicator (red):
    Steady on: The system is faulty.
    Off: The system is running normally.
USB indicator (green):
  Steady on: The USB 2.0 port is connected.
  Off: The USB 2.0 port is disconnected.

Rear panel

The rear panel of the USG6320 provides fixed ports, a protective ground terminal, an RST button, and a power socket. The figure below illustrates the rear panel of the USG6320.

Name: Description
Console port (RJ45): Console ports allow you to locally connect to the device.
ESN: The serial number that uniquely identifies the device. When applying for a license file, you must provide the ESN of the device.
0-7 (RJ45): 8 10/100/1000M autosensing Ethernet electrical ports, numbered from GigabitEthernet 0/0/0 to GigabitEthernet 0/0/7. GigabitEthernet 0/0/0 is an inband management port and its default IP address is 192.168.0.1.
RST button: To restart the device, press the RST button. Ensure that the running configuration is saved before pressing the RST button.
Protective ground terminal: The M4 OT terminal connects the PGND cable to the ground point of the cabinet, workbench, or wall, or to the ground bar in an equipment room.
Power receptacle: Connects to the 4-pin plug of the power adapter.
Clip hole: The hole is used to install the power cable clip, which binds and fixes the power cable.
1.2.2 USG6330 Description

Device Overview

The USG6330/6350/6360 uses an integrated chassis that contains the fixed interface board, power module, and fan module. You can also add optional modules, such as a hard disk, an additional power module, and expansion cards, to improve system reliability and add more ports. The size of the integrated chassis is 44.4 mm (H) x 442 mm (W) x 421 mm (D), and it can be installed in a 19-inch standard cabinet.

Front panel

The front panel of the USG6330 provides fixed ports, an ESD jack, and expansion slots. The figure below illustrates the front panel of the USG6330.

Name: Description
Slot numbering: Identifies the slot type and number, with 0 indicating the slot for the out-of-band MGMT port (GigabitEthernet 0/0/0), 1 the slot for the interface board, and 2 and 3 the WSIC slots.
Fixed interface board:
  MGMT port: Out-of-band 10/100/1000M RJ45 autosensing Ethernet management port.
  Console port: Console ports allow you to locally connect to the device.
  USB 2.0 port: The USB port allows you to insert a USB device for system software upgrades.
  0-3 (RJ45): Ethernet electrical ports, 10/100/1000M autosensing.
  4-5 (RJ45+SFP): Combo ports. By default, a combo port is used as an electrical port.
Expansion slot: Provides two WSIC slots.
ESD jack: The equipment end of the wrist strap is inserted into the ESD jack. For the wrist strap to be effective, ensure that the device is already grounded.

Rear panel

The rear panel of the USG6330 provides the power module, protective ground terminal, and hard disk slot for the optional hard disk combination. The figure below illustrates the rear panel of the USG6330.

Name: Description
Slot numbering: Indicates the layout of the slots, including the slot number and module type.
Power modules: Provide power input and distribution for the device. One power module is provided by default, but two power modules are supported to provide 1+1 power redundancy.
Hard disk combination: Hard disks are used to store logs and reports.
ESN: The serial number that uniquely identifies the device.
Protective ground terminal: The M4 OT terminal of the ground cable is connected to the protective ground terminal of the device, and the other terminal of the ground cable is connected to the ground point of the cabinet or workbench or the ground bar of the equipment room.
1.2.3 USG6550 Description

Device Overview

The USG6550 uses an integrated chassis that contains the fixed interface board, power module, and fan module. You can also add optional modules, such as a hard disk, an additional power module, and expansion cards, to improve system reliability and add more ports. The size of the integrated chassis is 44.4 mm (H) x 442 mm (W) x 421 mm (D), and it can be installed in a 19-inch standard cabinet.

Front panel

The front panel of the USG6550 provides fixed ports, an ESD jack, and expansion slots. The figure below illustrates the front panel of the USG6550.

Name: Description
Slot numbering: Identifies the slot type and number, with 0 indicating the slot for the out-of-band MGMT port (GigabitEthernet 0/0/0), 1 the slot for the interface board, and 2 and 3 the WSIC slots.
Fixed interface board:
  MGMT port: Out-of-band 10/100/1000M RJ45 autosensing Ethernet management port.
  Console port: Console ports allow you to locally connect to the device.
  USB 2.0 port: The USB port allows you to insert a USB device for system software upgrades.
  0-7 (RJ45): Ethernet electrical ports, 10/100/1000M autosensing.
  8-11 (SFP): GE optical ports.
Expansion slot: Provides two WSIC slots.
ESD jack: The equipment end of the wrist strap is inserted into the ESD jack. For the wrist strap to be effective, ensure that the device is already grounded.

Rear panel

The rear panel of the USG6550 provides the power module, protective ground terminal, and hard disk slot for the optional hard disk combination. The figure below illustrates the rear panel of the USG6550.

Name: Description
Slot numbering: Indicates the layout of the slots, including the slot number and module type.
Power modules: Provide power input and distribution for the device. One power module is provided by default, but two power modules are supported to provide 1+1 power redundancy.
Hard disk combination: Hard disks are used to store logs and reports.
ESN: The serial number that uniquely identifies the device.
Protective ground terminal: The M4 OT terminal of the ground cable is connected to the protective ground terminal of the device, and the other terminal of the ground cable is connected to the ground point of the cabinet or workbench or the ground bar of the equipment room.
1.2.4 Physical Port Naming Methods
Interfaces are numbered in the format of "interface type A/B/C", where:
A is the slot number of the interface card.
B is the daughter card number, which is 0 because no daughter card is installed now.
C is the interface number, which begins with 0 and is numbered from bottom to top and left to right.

Assume that a 5FSW interface card is installed in slot 2 of the NGFW. The port numbers are Ethernet2/0/0, Ethernet2/0/1, Ethernet2/0/2, Ethernet2/0/3, and Ethernet2/0/4.
1.3 Terminal Security Products

1.3.1 Introduction of the Agile Controller

Agile Controller is a user- and application-based network resource auto control system developed by Huawei. As the brain of smart campus networks, Agile Controller dynamically allocates network and security resources on the entire campus network based on software-defined networking (SDN), enabling networks to be more agile for services.

Agile Controller is composed of the following components: service manager (SM), service controller (SC), Security View (SV), and AnyOffice client. Network access devices (NADs) associate with the Agile Controller server to implement user-based access control and free mobility.
1.3.2 Agile Controller System Deployment

The Agile Controller uses the client/server (C/S) or browser/server (B/S) architecture. On the server side, the components include Management Center (MC), Service Manager (SM), Service Controller (SC), Security View (SV), and the log collector and correlation analyzer (iRadar). On the user side, the components include the AnyOffice client, Web Agent client, and web client.

Name: Description
Management Center (MC): MC functions as the management center of the Agile Controller and is responsible for making the overall policies for Permission Control and delivering the policies to each SM.
Service Manager (SM): SM functions as the service manager, which manages and sends real-time instructions to connected SCs to provide various services.
Service Controller (SC): SC integrates standard RADIUS, Portal, authentication, and network servers. The SCs associate with network access devices to provide user-based network access control policies and management capabilities for Free Mobility and Service Chain.
AnyOffice Agent: Agile Controller supports access authentication through AnyOffice clients. Users can install an AnyOffice client, a standard 802.1x client, or a mainstream browser for access authentication.
Network Access Device (NAD): Agile Controller supports a variety of NADs, including WLAN ACs and APs, Huawei Portal switches, standard 802.1x switches, and Huawei security access control gateways (SACGs).

The Agile Controller deployment is flexible to meet different network conditions and requirements. In centralized networking, all Agile Controller servers are centrally deployed, usually in the enterprise data center. This networking mode applies to centralized networks with large bandwidth (such as campus networks) as well as networks with small branch networks.

/ e
Authentication pre-domain

o m
.c
TSM Manager + TSM Controller + TSM Controller + FTP TSM Controller + FTP

i
Scanner + FTP + Authentication + Primary database + Mirroring database

e
database

aw
u
LAN
g .h Isolation

n
domain
Anti-virus server

ni Patch server

r
lea
Router

//
Security access control
gateway

p :
Service system A Service system B

t t Authentication post-domain

:h
Switch Switch

e s
r c
s ou
Re
Terminals

i n g
r n
e a
1.3.3 Agile Controller Performance Indicators

Controller Server Performance Indicators

Performance item: Value
RADIUS server - local account: 100 times per second
Portal server - local account: 40 times per second
Terminal identification (non-scanning): 1000 per minute
Maximum number of terminals: 100,000
Maximum number of managed devices: 2000

PC Client Performance Indicators

Performance item: Value
Memory usage: 40 to 50 MB
Authentication time (non-802.1x): 3 s
Authentication time (802.1x): 10 s
Authentication time (802.1x certificate): 15 s

Note: the test PC used a 2 GHz CPU, 4 GB memory, and the Windows 7 operating system.
1.4 Diagram of Network Elements

Figure: icons used for the network elements in this guide: Internet, PC, USG Firewall, Network Cloud, Laptop, Router, Server, Wireless Station.
1.5 Security Declaration

1.5.1 Encryption Algorithm Declaration

Currently, the device uses the following cryptographic algorithms: DES, 3DES, AES, RSA, SHA-1, SHA-2, and MD5. The algorithm used depends on the applicable scenario. Use the recommended algorithm; otherwise, security defense requirements may not be met.

For the symmetric encryption algorithm, use AES with a key of 128 bits or more.
For the asymmetric encryption algorithm, use RSA with a key of 2048 bits or more.
For the hash algorithm, use SHA-2 with a digest of 256 bits or more (SHA-256 or stronger).
For the HMAC algorithm, use HMAC-SHA2.

DES, 3DES, RSA and AES are reversible encryption algorithms. If protocols are used for interconnection, the device must be able to present the cleartext to the peer, so the locally stored password must be reversible.

SHA-1, SHA-2, and MD5 are irreversible (one-way) hash algorithms. An irreversible algorithm must be used for the administrator password, so that a copy of the configuration does not reveal the password. DES, 3DES, MD5 and SHA-1 remain in the list only for compatibility with older peers; they do not satisfy the recommendations above.
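As an added example (not part of the lab guide), the following Python shows the irreversible storage the declaration requires for administrator passwords: a salted, iterated SHA-256 record (PBKDF2-HMAC-SHA256) that a device can verify but cannot turn back into the password. The iteration count and the record layout are assumptions, not the USG's actual storage format.

```python
import hashlib
import hmac
import os

# Added example, not from the lab guide. An administrator password is kept only
# as a salted, iterated one-way hash: the device can check a login attempt but
# cannot recover the password from its configuration. SHA-256 satisfies the
# "SHA2, 256 bits or more" rule in 1.5.1. The iteration count is an assumption.
ITERATIONS = 200_000


def make_password_record(password: str) -> dict:
    """Build the record to store for an administrator account (no cleartext)."""
    salt = os.urandom(16)  # fresh per account, so equal passwords differ on disk
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    if record.get("alg") != "pbkdf2-sha256":
        return False  # refuse records made with an algorithm outside the policy
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    rec = make_password_record("Admin@123")
    print(rec)                                # salt and hash only, no password
    print(verify_password(rec, "Admin@123"))  # True
    print(verify_password(rec, "admin@123"))  # False
```

The contrast with the reversible case in the declaration is the point: a password for protocol interconnection must be decryptable because the device has to send it to a peer, so its only protection is the confidentiality of the configuration file itself; an administrator password never has to leave the device, so nothing recoverable should be stored.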
1.5.2 Feature Usage Declaration

The device can transfer files through FTP, TFTP, SFTPv1, SFTPv2, and FTPS. Using FTP, TFTP or SFTPv1 has potential security risks (FTP and TFTP carry credentials and file contents in cleartext). SFTPv2 or FTPS is recommended.

The device supports the packet capture function. This function is mainly used to detect transmission faults and errors. Huawei cannot collect or store user communication information without permission. It is recommended that the functions used to collect or store user communication information be enabled only under applicable laws and regulations. During user communication information collection and storage, measures must be taken to protect user communication information.
2 How to Login Firewall

2.1 Login Through the Console Port

Lab Objectives

Through this task, you will know how to configure the terminal to access the device through the console port, thus implementing the configuration and management of the device.

Lab Devices

One PC and one NGFW firewall.

Lab Topology

Management PC (COM 1) --- RS-232 --- USG (console interface)

Configuration Procedure

Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.

Step 2 Run a terminal emulation program (such as HyperTerminal on Windows XP) on the PC. Choose Start > All Programs > Accessories > Communications > HyperTerminal. The Connection Description dialog box is displayed.

Step 3 In Name, enter the name of the connection between the PC and the NGFW, such as COMM1. Then select an icon in Icon, as shown in the figure below.

Step 4 Click OK. The Connect dialog box is displayed.

Step 5 Select a serial interface (such as COM1) from the Connect using drop-down list for the connection between the PC and the NGFW, as shown in the figure below.

Step 6 Click OK. The COM1 Properties dialog box is displayed. Set the communication parameters of the port, as shown in the figure below.

Step 7 Click OK or Restore Defaults.

Step 8 In the terminal emulator on the PC, press Enter. If authentication is configured on the NGFW, enter the user name and password at the prompt. The user view is displayed, and you are logged in to the device.

Result Verification

***********************************************************
* All rights reserved 2013-2014 *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
* Notice: *
* This is a private communication system. *
* Unauthorized access or use may lead to prosecution. *
***********************************************************
2.2 Login Through Web Management Interface (Default Web-manager)

Lab Objectives

Through this task, you will know how to connect to the NGFW firewall through the default web management interface.

Lab Devices

One NGFW (USG6000) and one PC.

Lab Topology

Management PC (192.168.0.2/24) --- Ethernet --- G0/0/0 (192.168.0.1/24) USG
Management PC (COM 1) --- RS-232 cable --- USG console interface

Configuration Procedure

Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.

Step 2 Connect NGFW GE0/0/0 and the PC with a network cable.

Step 3 Set the IP address of the PC to 192.168.0.2/24.

Step 4 Enter http://192.168.0.1 in the browser on the PC, and log in to the NGFW firewall with the default account (admin/Admin@123).

Note: By default, the HTTP protocol is enabled. The default user name is admin and the password is Admin@123. You must change the default password when you first log in to the device. HTTP carries the login in cleartext; section 2.5 shows how to enable HTTPS management instead with the security parameter of web-manager.

Result Verification

Check whether you have logged in to the web GUI.
2.3 Remote Login Through Telnet

Lab Objectives

Through this task, you will know how to configure the terminal to access the device through Telnet, thus implementing the configuration and management of the device. Telnet sends the user name, password and the whole session in cleartext, so use it only on the isolated lab network; section 2.4 shows the SSH (STelnet) equivalent.

Lab Devices

One PC and one NGFW firewall.

Lab Topology

Management PC (10.1.1.2/24) --- Ethernet port --- G1/0/1 (10.1.1.1/24) USG
Management PC (COM 1) --- RS-232 cable --- USG console interface

Configuration Procedure (CLI)

Step 1 Enter the user view of the NGFW through the console port.

Step 2 Enable the Telnet service.

<USG> system-view
[USG] telnet server enable

Step 3 Set the IP address of the interface of the NGFW.

For example, a local user connects to GigabitEthernet1/0/1 of the NGFW through Telnet. The IP address of the interface is 10.1.1.1; the subnet mask is 255.255.255.0.

a) Set the IP address, and permit management access through Telnet on the interface.

[USG] interface GigabitEthernet 1/0/1
[USG-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[USG-GigabitEthernet1/0/1] service-manage enable
[USG-GigabitEthernet1/0/1] service-manage telnet permit
[USG-GigabitEthernet1/0/1] quit

b) Add the interface to the trust zone.

[USG] firewall zone trust
[USG-zone-trust] add interface GigabitEthernet1/0/1
[USG-zone-trust] quit

Step 4 Set the user information of the NGFW.

For example, the authentication mode of the user interface on the virtual type terminal (VTY) is AAA; the Telnet user name is telnetuser; the password is password@123; the password is stored in cipher text, and the user level is 3.

[USG] user-interface vty 0 4
[USG-ui-vty0-4] authentication-mode aaa
[USG-ui-vty0-4] quit
[USG] aaa
[USG-aaa] manager-user telnetuser
[USG-aaa-manager-use-telnetuser] password
(Enter Password)
[USG-aaa-manager-use-telnetuser] level 3
[USG-aaa-manager-use-telnetuser] service-type telnet
[USG-aaa-manager-use-telnetuser] quit

Step 5 Set the IP address of the local PC, and Telnet to the NGFW.

For example, set the PC IP address to 10.1.1.2/255.255.255.0, on the same subnet as GigabitEthernet1/0/1. On the PC, choose Start > Run. The Run window is displayed. Enter telnet 10.1.1.1 in Open, as shown in the figure below.

Step 6 After passing the authentication configured on the NGFW, you can enter the user view and log in to the device.

Configuration Procedure (WEB)

Step 1 Log in to the NGFW web GUI through GE0/0/0. For details, see section 2.2.

Step 2 Enable the Telnet service.

a) Choose System > Admin > Settings.
b) Select the Telnet service check box.

Step 3 Configure the login interface.

a) Choose Network > Interface, and select the interface you want to configure, for example, GE1/0/1.
b) Set the security zone to trust and the IP address to 10.1.1.1/24, and allow Telnet management.

Thinking: Why must the Telnet management access function be configured on the interface? (Answer: to allow the administrator to manage the firewall through this interface by Telnet.)

Step 4 Configure the Telnet user (telnetuser/Admin@123).

a) Choose System > Admin > Administrators, and click Add.
b) Set the user name to telnetuser and the password to Admin@123, and add the Telnet service type.

Step 5 The following takes a Windows OS as an example. On the PC, choose Start > Run. The Run window is displayed. Enter telnet 10.1.1.1 in Open (for example, the IP address of the connected interface is 10.1.1.1), as shown in the figure below.

Step 6 After authentication with the Telnet account (telnetuser/Admin@123), you can log in to the NGFW firewall.

Result Verification

***********************************************************
* All rights reserved 2013-2014 *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
* Notice: *
* This is a private communication system. *
* Unauthorized access or use may lead to prosecution. *
***********************************************************
2.4 Remote Login Through SSH

Lab Objectives

Through this task, you will know how to configure the terminal to access the device through SSH, thus implementing the configuration and management of the device.

Lab Devices

One PC and one NGFW firewall.

Lab Topology

Management PC (10.1.1.2/24) --- Ethernet port --- G1/0/1 (10.1.1.1/24) USG
Management PC (COM 1) --- RS-232 cable --- USG console interface

Configuration Procedure (CLI)

Step 1 Enter the user view of the NGFW through the console port.

Step 2 Enable the STelnet service.

[USG] stelnet server enable

Step 3 Configure the login interface.

a) Configure the IP address 10.1.1.1/24 on GigabitEthernet 1/0/1 and add the interface to the trust zone, as in Step 3 of section 2.3.
b) Permit management access through SSH on the interface.

[USG] interface GigabitEthernet 1/0/1
[USG-GigabitEthernet1/0/1] service-manage enable
[USG-GigabitEthernet1/0/1] service-manage ssh permit
[USG-GigabitEthernet1/0/1] quit

Step 4 Set the user information of the NGFW.

a) Configure the VTY user interface.

[USG] user-interface vty 0 4
[USG-ui-vty0-4] authentication-mode aaa
[USG-ui-vty0-4] quit

b) Create the SSH user sshuser, and configure the authentication mode as password.

[USG] aaa
[USG-aaa] manager-user sshuser
[USG-aaa-manager-use-sshuser] service-type ssh
[USG-aaa-manager-use-sshuser] level 3
[USG-aaa-manager-use-sshuser] ssh authentication-type password
[USG-aaa-manager-use-sshuser] password
Enter Password:
Confirm Password:
[USG-aaa-manager-use-sshuser] ssh service-type stelnet
[USG-aaa-manager-use-sshuser] quit

Step 5 Create the RSA local key pair.

[USG] rsa local-key-pair create
The key name will be: USG_Host
The range of public key size is (512 ~ 2048).
NOTES: A key shorter than 1024 bits may cause security risks.
The generation of a key longer than 512 bits may take several minutes.
Input the bits in the modulus [default = 2048]:
Generating keys...
...++++++++
..++++++++
..................................+++++++++
............+++++++++

Accept the default of 2048 bits; it is the minimum RSA size recommended in section 1.5.1.

Step 6 Set the IP address of the PC to 10.1.1.2/24, and use PuTTY to STelnet to the firewall.
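Added example, not from the lab guide: after Step 5 the firewall holds a new RSA host key, and the PuTTY security alert seen later in this section asks you to trust a fingerprint of it. The Python below builds the ssh-rsa wire-format public key from a public exponent and modulus and derives the SHA256 and MD5 fingerprints that OpenSSH and PuTTY display, so the alert can be compared with the key the device generated. The command for reading the key from the device (display rsa local-key-pair public) and the tiny demo modulus are assumptions; the demo key is not a real or secure key.

```python
import base64
import hashlib

# Added example, not from the lab guide. Reproduce the host-key fingerprints a
# client shows so a PuTTY "security alert" can be checked against the key the
# firewall generated. Assumed: the device prints the public exponent and modulus
# with "display rsa local-key-pair public" (hex), to be fed into rsa_public_blob.


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return len(data).to_bytes(4, "big") + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement, 0x00 prefix if the top bit is set."""
    if value == 0:
        return ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:          # keep a positive modulus from reading as negative
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key: string "ssh-rsa", mpint e, mpint n (RFC 4253)."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprints(blob: bytes) -> dict:
    """SHA256 form (OpenSSH 6.8+, recent PuTTY) and MD5 colon-hex form (older clients)."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob).hexdigest()
    return {"SHA256": "SHA256:" + sha,
            "MD5": ":".join(md5[i:i + 2] for i in range(0, 32, 2))}


def authorized_key_line(blob: bytes, comment: str = "") -> str:
    """Render the blob as a known_hosts / authorized_keys style line."""
    return ("ssh-rsa " + base64.b64encode(blob).decode() + " " + comment).strip()


def parse_authorized_key_line(line: str) -> bytes:
    """Decode an 'ssh-rsa AAAA...' line back to the wire blob, rejecting other key types."""
    kind, b64, *_ = line.split()
    blob = base64.b64decode(b64)
    if kind != "ssh-rsa" or not blob.startswith(ssh_string(b"ssh-rsa")):
        raise ValueError("not an ssh-rsa key")
    return blob


# Constructed demo values (NOT a real key): e = 65537, n = 2^1023 + 1, whose top
# bit is set, so the mpint encoding needs the leading 0x00 byte.
DEMO_E, DEMO_N = 65537, (1 << 1023) + 1

if __name__ == "__main__":
    blob = rsa_public_blob(DEMO_E, DEMO_N)
    for name, value in fingerprints(blob).items():
        print(name, value)
    print(authorized_key_line(blob, "usg-host-key"))
```

Compare the printed SHA256 (or MD5) value with the one in the PuTTY alert before clicking Yes; a mismatch means the session is not terminating on the firewall whose key you generated.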

M
e n
/
o m
e i .c
aw
u
g .h
ni n
r
lea
Configuration Procedure (WEB)

Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.

Step 2 Configure the login interface.

a) Choose Network > Interface, select the interface you want to configure, for example, GE1/0/1.

b) Set the security zone and IP address, and permit management access through SSH.
Step 3 Configure the SSH user account (sshuser/Admin@123).

a) Choose System > Admin > Administrators, and click Add.

b) Set the user name to sshuser and the password to Admin@123, and add the STelnet service type.

Step 4 Enable the STelnet service. Choose System > Admin > Settings and, in the SSH configuration list, enable the STelnet service.

Step 5 Configure the IP address of the PC as 10.1.1.2/24. Then log in to the NGFW with the PuTTY client through SSH.

Note: Admin@123 is a throwaway lab credential; a real device needs a unique, strong password for every administrator account.
Result Verification

Double-click PuTTY on the desktop, choose SSH, and connect to 10.1.1.1.

Click Yes at the security alert. PuTTY shows this alert the first time it sees the firewall's host key; it displays the key's fingerprint, which should be compared with the key pair created in Step 5 (display rsa local-key-pair public on the console shows the firewall's public key) before it is accepted, because accepting an unknown key blindly is exactly what a man-in-the-middle attack depends on.

Enter the SSH user account and log in:

***********************************************************
* All rights reserved 2013-2014 *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
* Notice: *
* This is a private communication system. *
* Unauthorized access or use may lead to prosecution. *
***********************************************************
2.5 Login Through the Web

Lab Objectives

Through this task, you will learn how to configure the terminal to access the device through the Web, and so configure and manage the device.

Lab Devices

One PC and one NGFW firewall.

Lab Topology

Management PC 10.1.1.2/24 ---- Ethernet cable ---- G1/0/1 10.1.1.1/24 USG
Configuration Procedure (CLI)

Step 1 Telnet/SSH to the NGFW.

Step 2 Enable the Web management function.

[USG] web-manager security enable port 2000

Note: The security keyword enables HTTPS management on the given port. Without it, the command enables plain HTTP management, which sends the administrator password and every configuration change in cleartext; use HTTPS on any network that is not a closed lab.

Note: HTTP and HTTPS cannot be configured on the same port; that would conflict.

Step 3 Configure the login interface.

a) Set the IP address of GE1/0/1 to 10.1.1.1/24.
b) Add the interface to the trust zone.
c) Permit management access (service-manage) through HTTPS.

[USG] interface GigabitEthernet 1/0/1
[USG-GigabitEthernet1/0/1] ip address 10.1.1.1 24
[USG-GigabitEthernet1/0/1] service-manage enable
[USG-GigabitEthernet1/0/1] service-manage https permit
[USG-GigabitEthernet1/0/1] quit
[USG] firewall zone trust
[USG-zone-trust] add interface GigabitEthernet 1/0/1
[USG-zone-trust] quit
Step 4 Configure the Web user.

[USG] aaa
[USG-aaa] manager-user webuser
[USG-aaa-manager-user-webuser] password
Enter Password:
Confirm Password:
[USG-aaa-manager-user-webuser] level 3
[USG-aaa-manager-user-webuser] service-type web
[USG-aaa-manager-user-webuser] quit

Step 5 Check the configuration.

Set the PC address to 10.1.1.2/24. Use the Web browser on the PC to access https://10.1.1.1:2000 (the HTTPS port enabled in Step 2), enter the user name (webuser) and password (Admin@123), and check whether you can log in to the NGFW. If the login succeeds, the configuration is successful. If the login fails, check the configuration.
Configuration Procedure (WEB)

Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.

Step 2 Configure the login interface.

a) Choose Network > Interface, select the interface you want to configure, for example, GE1/0/1.

b) Set the security zone and IP address, and permit management access through HTTPS.
Step 3 Configure the Web user account (webuser/Admin@123).

a) Choose System > Admin > Administrators, and click Add.

b) Set the user name to webuser and the password to Admin@123, and add the WEB service type.

Step 4 Enable the HTTP/HTTPS service. Choose System > Admin > Settings, select the HTTPS service, and enter the service port (2000 in this lab).

Step 5 Configure the IP address of the PC as 10.1.1.2/24. Enter https://10.1.1.1:2000 in the PC's browser to log in.
Result Verification

At the browser's security alert, click Yes to continue. The alert appears because the firewall presents its default certificate, which is not issued by a CA the browser trusts; in production, install a certificate from your own CA so that an unexpected warning is a signal rather than routine.
3 Firewall Basic Configuration

3.1 Firewall System Management

Lab Objectives

Configure the hostname.
Configure the system time.
Configure the SNMP server.
Configure the log server.
Configure the license.
Configure file backup and recovery.

Lab Device

One NGFW firewall and one PC.

Lab Topology

Management PC 192.168.0.2 ---- Ethernet cable ---- G0/0/1 192.168.0.1/24 USG
Configuration Procedure (CLI)

Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.

Step 2 Log in to the NGFW firewall through Console/Telnet/SSH. For details, refer to 2.1 to 2.6. (Omitted.)

Step 3 Configure the hostname of the NGFW.

<NGFW>system-view
[NGFW]sysname NGFW_A
[NGFW_A]

Step 4 Configure the system time (the clock datetime command runs in the user view).

<NGFW_A>clock datetime 0:0:0 2009/01/01

Note: Accurate time matters for correlating logs between devices and for certificate validity checks; in production, synchronize the clock from an NTP server (see the Web procedure) instead of setting it by hand.

Step 5 Configure the SNMP server.

Set the SNMP version to v2c.

[NGFW] snmp-agent sys-info version v2c

Set the SNMP community names.

[NGFW] snmp-agent community read public
[NGFW] snmp-agent community write private

Note: With SNMPv2c the community name is the only credential, and it travels in cleartext in every packet. "public" and "private" are the default names every scanner tries first; use non-default names on a real device, restrict which hosts may query the agent, and do not configure a write community unless the NMS actually needs to change the configuration. SNMPv3 users (snmp-agent usm-user) add authentication and encryption.

Configure the user information (an SNMPv3 user; optional when only v2c is used).

[NGFW] snmp-agent usm-user v3 test NMS1

Configure SNMP traps.

[NGFW]snmp-agent trap enable
[NGFW]snmp-agent target-host trap address udp-domain 192.168.1.2 params securityname swebUser v2c

Thinking: What is the function of the SNMP agent trap?

(Answer: The snmp-agent trap enable command makes the device send alerts to the SNMP server on its own initiative. Without traps, the SNMP server only polls the device periodically with query messages, and the device answers those queries.)
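To make the cleartext-community point concrete, the following added example (not from the lab guide, not Huawei code) encodes an SNMPv2c GetRequest for sysDescr.0 exactly as an NMS would send it to the NGFW, then reads the community name straight back out of the bytes the way a sniffer on the management VLAN would. The OID, community and request-id values are constructed inputs; nothing is transmitted.

```python
"""Encode an SNMPv2c GetRequest (BER, RFC 3416 message layout) and extract the
community string from the resulting bytes.

Added example, not from the lab guide. No packet is sent; the inputs are
constructed.
"""
from typing import Tuple

SYS_DESCR_0 = "1.3.6.1.2.1.1.1.0"   # sysDescr.0, the usual first query an NMS makes


def _ber_length(n: int) -> bytes:
    """BER length: one byte below 128, otherwise 0x80|count followed by count bytes."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(body)) + body


def ber_int(value: int) -> bytes:
    """INTEGER (tag 0x02) in minimal two's-complement form."""
    length = (value.bit_length() + 8) // 8      # one extra bit of room for the sign
    return tlv(0x02, value.to_bytes(length, "big", signed=True))


def ber_octets(data: bytes) -> bytes:
    return tlv(0x04, data)


def ber_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER (tag 0x06): first two arcs as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2:
        raise ValueError("bad OID")
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))


def build_get_request(community: str, request_id: int, oid: str = SYS_DESCR_0) -> bytes:
    """SNMPv2c message: SEQUENCE { version=1, community, GetRequest-PDU [0xA0] }.
    The PDU holds request-id, error-status, error-index and one {OID, NULL} varbind."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(1) + ber_octets(community.encode()) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element) for the element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def extract_community(packet: bytes) -> Tuple[int, str]:
    """What anyone who captures the packet learns: (version, community)."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    tag, version, pos = _read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("missing version")
    tag, community, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("missing community")
    return int.from_bytes(version, "big", signed=True), community.decode()


if __name__ == "__main__":
    pkt = build_get_request("public", 1)
    print(pkt.hex())
    print(extract_community(pkt))
```

The 40-byte packet for community "public" contains the string verbatim; an SNMPv3 message with authentication and privacy would carry an HMAC and an encrypted PDU instead, which is why the note above prefers usm-user accounts where the NMS supports them.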

Step 6 Configure the log server.

Enable the information center.

[NGFW] info-center enable

Configure the source interface that sends logs.

[NGFW] info-center loghost source GigabitEthernet 0/0/1

Configure a log host at IP address 192.168.1.1 that receives the logs with the syslog facility local2, with the output language set to English.

[NGFW] info-center loghost 192.168.1.1 facility local2 language english

Set the severity threshold for the ACL module and the IP module to informational, so that their messages at that level and above are sent to the loghost channel.

[NGFW] info-center source acl channel loghost log level informational
[NGFW] info-center source ip channel loghost log level informational

Note: Syslog over UDP is neither authenticated nor encrypted, and a forged message is indistinguishable from a real one at the collector, so keep the log host on the management network and restrict which sources it accepts.
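The facility and level chosen above become the PRI field of every syslog message the NGFW sends. The following added example (not from the lab guide, not Huawei code) builds a BSD syslog message for facility local2 at severity informational, decodes the PRI back into facility and severity, and applies the same severity threshold that log level informational applies on the device. The message text and the tag ACL/6/ACLLOG are constructed for illustration and are not real NGFW output.

```python
"""Build and decode the PRI header of a BSD syslog message (RFC 3164) for the
facility and severity the lab configures: facility local2, level informational.

Added example, not from the lab guide. The sample message is constructed.
"""
import re
from datetime import datetime
from typing import Optional, Tuple

FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "authpriv": 10, "ftp": 11,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
SEVERITIES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "informational": 6, "debug": 7,
}
_FACILITY_NAME = {v: k for k, v in FACILITIES.items()}
_SEVERITY_NAME = {v: k for k, v in SEVERITIES.items()}
_PRI_RE = re.compile(r"^<(\d{1,3})>(.*)$", re.S)


def pri(facility: str, severity: str) -> int:
    """PRI = facility * 8 + severity, so local2/informational is 18 * 8 + 6 = 150."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def build_message(facility: str, severity: str, hostname: str, tag: str,
                  text: str, when: Optional[datetime] = None) -> str:
    """'<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: text', day space-padded as RFC 3164 requires."""
    when = when or datetime(2009, 1, 1, 0, 0, 0)      # the clock value set in Step 4
    stamp = f"{when:%b} {when.day:2d} {when:%H:%M:%S}"
    return f"<{pri(facility, severity)}>{stamp} {hostname} {tag}: {text}"


def decode(message: str) -> Tuple[str, str, str]:
    """Return (facility, severity, rest). A missing or out-of-range PRI (valid
    values are 0..191) is rejected rather than guessed, as a collector should."""
    m = _PRI_RE.match(message)
    if not m:
        raise ValueError("missing PRI header")
    value = int(m.group(1))
    if value > 191:
        raise ValueError(f"PRI {value} out of range")
    facility, severity = divmod(value, 8)
    return (_FACILITY_NAME.get(facility, f"facility{facility}"),
            _SEVERITY_NAME[severity], m.group(2))


def is_wellformed(message: str) -> bool:
    try:
        decode(message)
        return True
    except ValueError:
        return False


def passes_threshold(message: str, threshold: str) -> bool:
    """Mirror of 'log level informational': a message is forwarded when its
    severity is at least as urgent as the threshold (lower number = more urgent)."""
    _, severity, _ = decode(message)
    return SEVERITIES[severity] <= SEVERITIES[threshold]


# Constructed sample in the shape the NGFW would send to 192.168.1.1 after Step 6.
SAMPLE = build_message("local2", "informational", "NGFW_A", "ACL/6/ACLLOG",
                       "rule 5 of acl 2002 matched, source 192.168.0.2")

if __name__ == "__main__":
    print(SAMPLE)
    print(decode(SAMPLE))
```

On the collector side the facility is what lets the NGFW's messages be routed to their own file: anything arriving with PRI 144 to 151 belongs to local2, whatever host claims to have sent it, which is the reason for the source restriction in the note above.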

Step 7 Import the license.

[NGFW]license file hda1:/license.dat

Step 8 Configure system backup and recovery.

Set the NGFW as an FTP server.

Basic configuration, including IP addresses and network connectivity. (Omitted)
Enable the FTP server function, and configure the FTP account and FTP path.

<NGFW>system-view
[NGFW]ftp server enable
Info:Start FTP server

[NGFW]aaa
[NGFW-aaa]local-user ftpuser password cipher Ftppass#
[NGFW-aaa]local-user ftpuser service-type ftp
[NGFW-aaa]local-user ftpuser level 3
[NGFW-aaa]local-user ftpuser ftp-directory hda1:/

Configure the FTP ACL.

[NGFW]acl 2002
[NGFW-acl-basic-2002]rule permit source any logging
[NGFW-acl-basic-2002]quit
[NGFW]ftp acl 2002

Note: This ACL admits FTP connections from any source; outside the lab, restrict the rule to the management subnet. FTP sends the user name, the password and the configuration file itself in cleartext, the configuration file contains the device's account credentials and SNMP communities, and ftpuser at level 3 with hda1:/ as its root can read or overwrite every file on the flash. Disable the FTP server again once the backup is done, or use SFTP instead, and store the downloaded file as a secret.

Log in to the NGFW FTP server from the terminal PC.

Configure the system backup.

Run the get command to download the file to the terminal PC.

The following takes a Windows OS as an example. On the PC, choose Start > Run. The Run window is displayed. Enter cmd and click OK.

C:\Documents and Settings\Administrator> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): ftpuser
331 Password required for ftpuser.
Password:
230 User logged in.
ftp> get vrpcfg.cfg
200 Port command okay.
150 Opening ASCII mode data connection for vrpcfg.cfg.
226 Transfer complete.
ftp: 5203 bytes received in 0.01Seconds 346.87Kbytes/sec.
ftp> lcd
Local directory now C:\Documents and Settings\Administrator.
ftp>

(ASCII mode is fine for a text configuration file; enter binary before transferring a compressed archive such as a .zip backup, or the file will be corrupted.)

Configure the system recovery.
Run the put command to upload the file to the NGFW.

ftp> put vrpcfg.cfg
200 Port command okay.
150 Opening ASCII mode data connection for vrpcfg.cfg.
226 Transfer complete.
ftp: 5203 bytes sent in 0.00Seconds 5203000.00Kbytes/sec.

Use the startup saved-configuration vrpcfg.cfg command to set the next-startup configuration file.

<NGFW> startup saved-configuration vrpcfg.cfg

Configuration Procedure (WEB)

Step 1 After the connection to the device is established, power on both devices, and ensure that the devices run normally.

Step 2 Log in to the NGFW through the Web GUI. For how to log in through the Web, refer to 2.2 or 2.5. (Omitted.)

Step 3 Configure the hostname of the NGFW. Log in to the NGFW through http://192.168.0.1; in the System Information area of the System panel you can see the system information and change the system name.
Step 4 Go to System > Configuration > Time to configure the system time.

Set the system time manually.

You can set the time zone, date and system time manually, or select the configuration mode that uses an NTP server to synchronize the time.
Step 5 Configure the SNMP v2c server. The server address is 192.168.1.2.

Go to System > Configuration > SNMP, set the parameters for connecting the managed device to the NMS, and click Apply.
Step 6 Configure the log server.

Go to Log > Log Configuration > Information Center Configuration, and select the Enable check box of the information center switch.

Choose Log > Log Configuration > Syslog Configuration. Under Configure Syslog, select the Log Host Source Interface parameter and set GE0/0/1 as the log host source interface. Click Apply.

Add a log host. Choose Log > Log Configuration > Syslog Configuration. Click Add in Log Host List. Enter or select the parameters, and click Apply.
Step 7 Configure the license.

Check the ESN. Log in to the device. Choose System > Dashboard > Status. The ESN is the SN shown in System Information.

Go to System > Maintenance > License Management. Check the license state.

Go to System > Maintenance > License Management. Select Local Manual Activation as the License Activation Mode. Click Browse and select the license file to be uploaded. Click Activate to activate the license file.

Step 8 Configure system backup and recovery.

Configure the system backup.

Choose System > Maintenance > Configuration Management.
Check the configuration file in use. For the next startup configuration file, click Select; the Configuration File Management window is displayed.

Click the download icon to download the configuration file to the local PC as a backup. In the file list, one icon marks the configuration file in use and another marks a configuration file not in use.
Configure the system recovery:

Click Upload. The Upload File window is displayed.

Click Browse. Select the configuration file to be uploaded. Click Import to upload the configuration file.

After the configuration file is successfully uploaded, return to the Configuration File Management window. The file is displayed in the list. Click the set-as-startup icon to configure the uploaded file as the next startup configuration file. The device must be restarted to complete updating the system configuration.

Choose System > Maintenance > Restart. Enter the password of the current login user in Password. Click Save and Restart to save the configuration and restart the system.

Result Verification

Choose System > Maintenance > Configuration Management to check the next startup configuration file.
4 Firewall Security Forwarding Policy

4.1 Configuring IP Address-Based Forwarding Policy

Lab Objectives

This section provides an example of controlling access based on IP addresses.

Lab Device

One NGFW and two PCs.

Lab Topology

Trust zone: internal users 192.168.5.2/24, 192.168.5.3/24, 192.168.5.4/24
USG: G1/0/3 192.168.5.1/24 (Trust), G1/0/1 1.1.1.1/24 (Untrust)
Untrust zone: Internet server 1.1.1.2/24
Configuration Procedure (CLI)

Step 1 Set IP addresses for the interfaces and add the interfaces to security zones.

<NGFW>system-view
[NGFW]interface GigabitEthernet 1/0/3
[NGFW-GigabitEthernet1/0/3]ip address 192.168.5.1 24
[NGFW-GigabitEthernet1/0/3]quit
[NGFW]interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1]ip address 1.1.1.1 24
[NGFW-GigabitEthernet1/0/1]quit
[NGFW]firewall zone trust
[NGFW-zone-trust]add interface GigabitEthernet 1/0/3
[NGFW-zone-trust]quit
[NGFW]firewall zone untrust
[NGFW-zone-untrust]add interface GigabitEthernet 1/0/1
[NGFW-zone-untrust]quit
Step 2 Configure the address set ip_deny, and add the denied IP addresses to the address set.

[NGFW]ip address-set ip_deny type object
[NGFW-object-address-set-ip_deny]address 192.168.5.2 mask 32
[NGFW-object-address-set-ip_deny]address 192.168.5.3 mask 32
[NGFW-object-address-set-ip_deny]address 192.168.5.4 mask 32
[NGFW-object-address-set-ip_deny]quit

Step 3 Create a forwarding policy that prevents the specified IP addresses from accessing the Internet.

[NGFW]security-policy
[NGFW-policy-security]rule name policy_deny
[NGFW-policy-security-rule-policy_deny]source-zone trust
[NGFW-policy-security-rule-policy_deny]destination-zone untrust
[NGFW-policy-security-rule-policy_deny]source-address address-set ip_deny
[NGFW-policy-security-rule-policy_deny]action deny
[NGFW-policy-security-rule-policy_deny]quit

Step 4 Create a forwarding policy that allows the rest of the 192.168.5.0/24 network to access the Internet. (If a Web filtering profile is used, it is referenced in this permit rule; this lab does not configure one.)

[NGFW-policy-security]rule name policy_permit
[NGFW-policy-security-rule-policy_permit]source-zone trust
[NGFW-policy-security-rule-policy_permit]destination-zone untrust
[NGFW-policy-security-rule-policy_permit]source-address 192.168.5.0 24
[NGFW-policy-security-rule-policy_permit]action permit
[NGFW-policy-security-rule-policy_permit]quit

Note: Security policy rules are matched in order and the first match wins. Because 192.168.5.0/24 also contains the three denied hosts, policy_deny must precede policy_permit; created in the opposite order, policy_permit would match first and the deny rule would never be hit.

Configuration Procedure (WEB)

Step 1 Set IP addresses for the interfaces and add the interfaces to security zones, as shown in the figure below.

Repeat the previous steps to configure interface GigabitEthernet 1/0/1.

Step 2 Configure an address group named ip_deny and add the IP addresses that are not permitted to access the Internet to the address group. Choose Object > Address > Address. In Address List, click the add icon to open the Add Address page. Configure a name and the IP information.

Step 3 Configure a security policy that denies Internet access to users whose IP addresses are in the ip_deny address group. Choose Policy > Security Policy > Security Policy. Click the Security Policy tab. In Security Policy List, click the add icon.

Step 4 (Optional) In the same way as in Step 2, configure an address group for the 192.168.5.0/24 network segment that is permitted to access the Internet; alternatively, enter the segment directly as the source address in the next step.

Step 5 Configure another security policy permitting users on network segment 192.168.5.0/24 to access the Internet (a Web filtering profile, if one is used, is referenced in this permit rule). Choose Policy > Security Policy > Security Policy. Click the Security Policy tab. In Security Policy List, click the add icon. Make sure this rule is listed after the deny rule from Step 3, since rules are matched top to bottom.
Result Verification

Check that Internet access from the three PCs whose IP addresses are 192.168.5.2, 192.168.5.3 and 192.168.5.4 is denied.

Check that users with other IP addresses on network segment 192.168.5.0/24 can access the Internet.
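The result verification above can be reasoned through before touching the PCs. The following added example (not from the lab guide, not Huawei code) models the two rules of this lab as first-match security-policy rules, evaluates the lab's test addresses against them in both the correct and the reversed order, and reports rules that are shadowed by an earlier rule, which is the check that catches the reversed order before traffic does. The Rule class is a deliberately small model of an NGFW rule (zones, source addresses, action) and the traffic samples are constructed.

```python
"""First-match evaluation of the lab's two security-policy rules, with a
shadowing check that flags a rule no packet can ever reach.

Added example, not from the lab guide. The Rule model covers only zones,
source addresses and action; test traffic is constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

IPv4Network = ipaddress.IPv4Network


def net(cidr: str) -> IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass
class Rule:
    name: str
    action: str                                   # "permit" or "deny"
    source_zone: Optional[str] = None             # None means any zone
    destination_zone: Optional[str] = None
    source_addresses: List[IPv4Network] = field(default_factory=list)  # empty means any

    def matches(self, src_zone: str, dst_zone: str, src_ip: ipaddress.IPv4Address) -> bool:
        if self.source_zone not in (None, src_zone):
            return False
        if self.destination_zone not in (None, dst_zone):
            return False
        if self.source_addresses and not any(src_ip in n for n in self.source_addresses):
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True when every packet that could match `other` also matches this rule."""
        if self.source_zone not in (None, other.source_zone):
            return False
        if self.destination_zone not in (None, other.destination_zone):
            return False
        if not self.source_addresses:
            return True
        if not other.source_addresses:
            return False
        return all(any(mine.supernet_of(theirs) for mine in self.source_addresses)
                   for theirs in other.source_addresses)


def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, src_ip: str) -> Tuple[str, str]:
    """Walk the rules in order; the first match decides. With no match the
    firewall's implicit default policy applies, which denies."""
    ip = ipaddress.ip_address(src_ip)
    for rule in rules:
        if rule.matches(src_zone, dst_zone, ip):
            return rule.action, rule.name
    return "deny", "default"


def shadowed(rules: List[Rule]) -> List[str]:
    """Names of rules that can never be hit because an earlier rule covers them."""
    return [later.name for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]


IP_DENY = [net("192.168.5.2/32"), net("192.168.5.3/32"), net("192.168.5.4/32")]
POLICY_DENY = Rule("policy_deny", "deny", "trust", "untrust", IP_DENY)
POLICY_PERMIT = Rule("policy_permit", "permit", "trust", "untrust", [net("192.168.5.0/24")])

LAB_ORDER = [POLICY_DENY, POLICY_PERMIT]      # the order the lab creates them in
WRONG_ORDER = [POLICY_PERMIT, POLICY_DENY]    # constructed: the reversed order

if __name__ == "__main__":
    for host in ("192.168.5.2", "192.168.5.50"):
        print(host, evaluate(LAB_ORDER, "trust", "untrust", host),
              evaluate(WRONG_ORDER, "trust", "untrust", host))
    print("shadowed in wrong order:", shadowed(WRONG_ORDER))
```

The shadowing check is worth running over any exported policy before a change window: a deny rule that a broader permit rule precedes is the most common way an intended block silently stops working.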

5 Network Address Translation Lab

5.1 Source NAT Lab

Lab Objectives

Through this task, you will learn the detailed configuration of source NAT.

Lab Device

One NGFW firewall and two PCs.

Lab Topology

PC1 192.168.1.10/24 ---- G1/0/0 192.168.1.1/24 (Trust) USG G1/0/1 2.2.2.1/24 (Untrust) ---- PC2 2.2.2.10/24
(NAT address pool 1: 2.2.2.2 to 2.2.2.5)
Configuration Procedure (CLI)

Step 1 Set the IP addresses of PC1 and PC2 to 192.168.1.10/24 and 2.2.2.10/24 respectively. (Omitted)

Step 2 Set the IP addresses of the interfaces, and then add the interfaces to security zones.

[NGFW]interface GigabitEthernet 1/0/0
[NGFW-GigabitEthernet1/0/0]ip address 192.168.1.1 255.255.255.0
[NGFW-GigabitEthernet1/0/0]quit
[NGFW]interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1]ip address 2.2.2.1 255.255.255.0
[NGFW-GigabitEthernet1/0/1]quit
[NGFW]firewall zone trust
[NGFW-zone-trust]add interface GigabitEthernet 1/0/0
[NGFW-zone-trust]quit
[NGFW]firewall zone untrust
[NGFW-zone-untrust]add interface GigabitEthernet 1/0/1
[NGFW-zone-untrust]quit

Step 3 Configure interzone packet filtering to ensure normal network communication. The security policy is checked before source NAT is applied, so the rule matches on the original source address 192.168.1.0/24, not on the pool address.

[NGFW] security-policy
[NGFW-policy-security] rule name source_nat
[NGFW-policy-security-rule-source_nat] source-address 192.168.1.0 24
[NGFW-policy-security-rule-source_nat] source-zone trust
[NGFW-policy-security-rule-source_nat] destination-zone untrust
[NGFW-policy-security-rule-source_nat] action permit

Step 4 Configure IP address pool 1; the address range is 2.2.2.2 to 2.2.2.5.

[NGFW] nat address-group 1
[NGFW-nat-address-group-1] section 2.2.2.2 2.2.2.5

Step 5 Configure the NAT outbound policy.

[NGFW] nat-policy
[NGFW-policy-nat] rule name source_nat
[NGFW-policy-nat-rule-source_nat] destination-address 2.2.2.10 24
[NGFW-policy-nat-rule-source_nat] source-address 192.168.1.0 24
[NGFW-policy-nat-rule-source_nat] source-zone trust
[NGFW-policy-nat-rule-source_nat] destination-zone untrust
[NGFW-policy-nat-rule-source_nat] action nat address-group 1
Configuration Procedure (WEB)

Step 1 Set the IP addresses of PC1 and PC2 to 192.168.1.10/24 and 2.2.2.10/24 respectively. (Omitted)

Step 2 Set the IP addresses of GE1/0/0 and GE1/0/1, and then add the interfaces to security zones. Choose Network > Interface. In Interface List, click the edit icon of each interface and configure it. Click Apply when you have finished the configuration, as shown in the figure below.

Step 3 Configure interzone packet filtering to ensure normal network communication. Choose Policy > Security Policy. In Security Policy List, click the add icon. Click OK when you have finished the configuration, as shown in the figure below.

Step 4 Configure IP address pool 1; the address range is 2.2.2.2 to 2.2.2.5. Choose Policy > NAT Policy > Source NAT. On the NAT Address Pool tab, click the add icon. Click OK when you have finished the configuration, as shown in the figure below.

Step 5 Configure the NAT outbound policy. Choose Policy > NAT Policy > Source NAT. Click the Source NAT tab. In Source NAT Policy List, click the add icon. Click OK when you have finished the configuration, as shown in the figure below.
Result Verification

Ping from PC1 to PC2:

PC1>ping 2.2.2.10
Ping 2.2.2.10: 32 data bytes, Press Ctrl_C to break
From 2.2.2.10: bytes=32 seq=1 ttl=127 time=79 ms
From 2.2.2.10: bytes=32 seq=2 ttl=127 time=31 ms
From 2.2.2.10: bytes=32 seq=3 ttl=127 time=94 ms
From 2.2.2.10: bytes=32 seq=4 ttl=127 time=62 ms
From 2.2.2.10: bytes=32 seq=5 ttl=127 time=94 ms

--- 2.2.2.10 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/72/94 ms

Check the address translation with the display firewall session table command:

[NGFW]dis firewall session table
Current Total Sessions : 15
icmp VPN:public --> public 192.168.1.10:45346[2.2.2.5:45346]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:45602[2.2.2.5:45602]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:45858[2.2.2.5:45858]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:46114[2.2.2.5:46114]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:46370[2.2.2.5:46370]-->2.2.2.10:2048

From the result we can see that the source address 192.168.1.10 has been translated to 2.2.2.5, which is in the address pool. The value in square brackets is the post-NAT source address and port; for ICMP the firewall fills the destination port field with 2048 (0x0800), which encodes the ICMP type 8 echo request.
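Reading the session table by eye works for five sessions; for a busy firewall it is better scripted. The following added example (not from the lab guide, not Huawei code) parses the session lines in the format shown above, including the Remote tag a standby firewall prints for synchronized sessions, and checks that every session originating from the inside network was translated to an address inside NAT address pool 1. LAB_OUTPUT is the session table from this lab; BAD_OUTPUT is a constructed table with two sessions that should be flagged.

```python
"""Parse 'display firewall session table' output and verify that every session
from the inside network was source-translated into NAT address pool 1.

Added example, not from the lab guide. Only the 5-tuple line format shown on
this page is handled; BAD_OUTPUT is constructed.
"""
import ipaddress
import re
from typing import Dict, List, Tuple

SESSION_RE = re.compile(
    r"^(?P<proto>\w+)\s+VPN:(?P<vpn_in>\S+)\s+-->\s+(?P<vpn_out>\S+)\s+"
    r"(?:(?P<remote>Remote)\s+)?"                        # present on a standby's synced session
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?"     # post-NAT source, if translated
    r"-->(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_session_table(text: str) -> List[Dict]:
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line.strip())
        if not m:
            continue          # headers such as "Current Total Sessions : 15"
        d = m.groupdict()
        sessions.append({
            "proto": d["proto"],
            "remote": d["remote"] is not None,
            "src": d["src"], "sport": int(d["sport"]),
            "nat_ip": d["nat_ip"],
            "nat_port": int(d["nat_port"]) if d["nat_port"] else None,
            "dst": d["dst"], "dport": int(d["dport"]),
        })
    return sessions


def check_source_nat(sessions: List[Dict], inside: str, pool: Tuple[str, str]) -> List[str]:
    """Problems for inside-originated sessions: left untranslated (the NAT policy
    did not match) or translated to an address outside the pool section."""
    inside_net = ipaddress.ip_network(inside)
    low, high = (ipaddress.ip_address(a) for a in pool)
    problems = []
    for s in sessions:
        if ipaddress.ip_address(s["src"]) not in inside_net:
            continue
        if s["nat_ip"] is None:
            problems.append(f"{s['src']}:{s['sport']} -> {s['dst']}:{s['dport']} left untranslated")
        elif not low <= ipaddress.ip_address(s["nat_ip"]) <= high:
            problems.append(f"{s['src']} translated to {s['nat_ip']}, outside {pool[0]}-{pool[1]}")
    return problems


POOL_1 = ("2.2.2.2", "2.2.2.5")   # nat address-group 1, section 2.2.2.2 2.2.2.5

# The session table printed in the lab's Result Verification.
LAB_OUTPUT = """\
Current Total Sessions : 15
icmp VPN:public --> public 192.168.1.10:45346[2.2.2.5:45346]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:45602[2.2.2.5:45602]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:45858[2.2.2.5:45858]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:46114[2.2.2.5:46114]-->2.2.2.10:2048
icmp VPN:public --> public 192.168.1.10:46370[2.2.2.5:46370]-->2.2.2.10:2048
"""

# Constructed failure case: one session never hit the NAT policy, one was
# translated to an address that is not in the pool.
BAD_OUTPUT = """\
Current Total Sessions : 2
tcp VPN:public --> public 192.168.1.11:50000-->2.2.2.10:80
tcp VPN:public --> public 192.168.1.12:50001[2.2.2.9:50001]-->2.2.2.10:80
"""

if __name__ == "__main__":
    print(check_source_nat(parse_session_table(LAB_OUTPUT), "192.168.1.0/24", POOL_1))
    print(check_source_nat(parse_session_table(BAD_OUTPUT), "192.168.1.0/24", POOL_1))
```

An untranslated inside session is the thing to look for after a policy change: it means a private address is leaving through the Untrust interface, which a correctly ordered NAT policy should never allow.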

5.2 Source NAT & NAT Server Lab

Lab Objectives

Through this experiment, you will be able to configure the NAT server, and learn how to configure bidirectional NAT.

Lab Device

One NGFW firewall, one PC and one server.

Lab Topology

FTP Server 192.168.1.2/24 (DMZ) ---- G1/0/0 192.168.1.1/24 USG G1/0/1 2.2.2.1/24 ---- PC 2.2.2.2/24 (Untrust)
Configuration Procedure (CLI)

Step 1 Set the IP addresses of the server and the PC to 192.168.1.2/24 and 2.2.2.2/24 respectively. (Omitted)

Step 2 Set the IP addresses of GE1/0/0 and GE1/0/1, and then add the interfaces to security zones.

[NGFW]interface GigabitEthernet 1/0/0
[NGFW-GigabitEthernet1/0/0]ip address 192.168.1.1 255.255.255.0
[NGFW-GigabitEthernet1/0/0]quit
[NGFW]interface GigabitEthernet 1/0/1
[NGFW-GigabitEthernet1/0/1]ip address 2.2.2.1 255.255.255.0
[NGFW-GigabitEthernet1/0/1]quit
[NGFW]firewall zone dmz
[NGFW-zone-dmz]add interface GigabitEthernet 1/0/0
[NGFW-zone-dmz]quit
[NGFW]firewall zone untrust
[NGFW-zone-untrust]add interface GigabitEthernet 1/0/1
[NGFW-zone-untrust]quit

Step 3 Configure interzone packet filtering to ensure normal network communication. The rule permits only FTP from the Untrust zone to the server; because the security policy is checked after the NAT server (destination) translation, the destination-address is the server's private address 192.168.1.2, not the public address 2.2.2.4.

[NGFW] security-policy
[NGFW-policy-security] rule name bidirectional_nat
[NGFW-policy-security-rule-bidirectional_nat] source-zone untrust
[NGFW-policy-security-rule-bidirectional_nat] destination-zone dmz
[NGFW-policy-security-rule-bidirectional_nat] destination-address 192.168.1.2 32
[NGFW-policy-security-rule-bidirectional_nat] service ftp
[NGFW-policy-security-rule-bidirectional_nat] action permit

Step 4 Configure the NAT server. Create the mapping between the public IP address and the private IP address of the internal server.

[NGFW] nat server ftpserver protocol tcp global 2.2.2.4 ftp inside 192.168.1.2 ftp

Step 5 Configure the NAT address pool.

[NGFW] nat address-group 2
[NGFW-nat-address-group-2] section 192.168.1.10 192.168.1.20

Step 6 (Optional. By default, detect ftp is already configured in the system view of the firewall.) Apply the NAT ALG function to the DMZ-Untrust interzone so that the server can provide FTP services to extranet users normally. FTP carries IP addresses and ports inside its PORT and PASV commands, so without the ALG the data connection would still be set up with the untranslated addresses.

[NGFW] firewall interzone dmz untrust
[NGFW-interzone-dmz-untrust] detect ftp
[NGFW-interzone-dmz-untrust] quit

Step 7 Create a NAT policy for the DMZ-Untrust interzone, define the range of source IP addresses for NAT, and bind the NAT policy to NAT address pool 2. This source NAT rewrites the external client's address into the server's own subnet, so the server replies to an address it can reach directly and needs no route back to 2.2.2.0/24; together with the NAT server mapping of Step 4 this is the bidirectional NAT.

[NGFW] nat-policy
[NGFW-policy-nat] rule name bidirectional_nat
[NGFW-policy-nat-rule-bidirectional_nat] source-zone untrust
[NGFW-policy-nat-rule-bidirectional_nat] destination-zone dmz
[NGFW-policy-nat-rule-bidirectional_nat] source-address 2.2.2.0 24
[NGFW-policy-nat-rule-bidirectional_nat] action nat address-group 2

Configuration Procedure (WEB)

Step 1 Set the IP addresses of the server and the PC to 192.168.1.2/24 and 2.2.2.2/24 respectively. (Omitted)

Step 2 Set the IP addresses of GE1/0/0 and GE1/0/1, and then add the interfaces to security zones. Choose Network > Interface. In Interface List, click the edit icon of each interface and configure it. Click OK when you have finished the configuration, as shown in the figure below.

Step 3 Configure interzone packet filtering to ensure normal network communication. Choose Policy > Security Policy. In Security Policy List, click the add icon. Click OK when you have finished the configuration, as shown in the figure below.

Step 4 Configure the NAT server. Create the mapping between the public IP address and the private IP address of the internal server. Choose Policy > NAT Policy > Server Mapping. In Server Mapping List, click the add icon. Click OK when you have finished the configuration, as shown in the figure below.

Step 5 Configure the NAT address pool. Choose Policy > NAT Policy > Source NAT. Click the NAT Address Pool tab. In NAT Address Pool List, click the add icon.

Step 6 Create a NAT policy for the DMZ-Untrust interzone, define the range of source IP addresses for NAT, and bind the NAT policy to NAT address pool 2. Choose Policy > NAT Policy > Source NAT. Click the Source NAT tab. In Source NAT Policy List, click the add icon.
Result Verification

Log in to the PC (2.2.2.2/24) and access the FTP server at 2.2.2.4; the connection should succeed. Then check the information below.

Check the NAT server mapping with the display nat server command.

<NGFW>dis nat server
Server in private network information:
name : ftpserver
zone : ---
interface : ---
global-start-addr : 2.2.2.4 global-end-addr : ---
inside-start-addr : 192.168.1.2 inside-end-addr : ---
global-start-port : 21(ftp) global-end-port : ---
insideport : 21(ftp)
globalvpn : public insidevpn : public
protocol : tcp vrrp : ---
no-reverse : no

Total 1 NAT servers

Note: no-reverse : no means the mapping also applies in the reverse direction, so connections the server itself initiates are translated to 2.2.2.4. That is harmless here, but for a published server that is not supposed to initiate outbound traffic, configure the mapping with the no-reverse keyword so that the public address is used only for inbound connections.
6 Firewall Dual-System Hot Backup Lab

6.1 Firewall Dual-System Hot Backup Lab

Lab Objectives

Be familiar with how to configure firewall dual-system hot backup on both the CLI and the Web GUI. The NGFW is deployed on a service node as a security device. Both the upstream and downstream devices are switches. NGFW_A and NGFW_B work in active/standby mode and their service interfaces work at Layer 3.

Lab Device

1. Two NGFW series firewalls of the same model, two switches and two PCs.

2. At least three service interfaces on each firewall.

Lab Topology

NGFW_A (Master):
  G1/0/3 10.3.0.1/24 (Trust)      Backup Group 2, virtual IP 10.3.0.3/24
  G1/0/1 10.2.0.1/24 (Untrust)    Backup Group 1, virtual IP 1.1.1.1/24
  G1/0/7 10.10.0.1/24 (heartbeat, DMZ)

NGFW_B (Backup):
  G1/0/3 10.3.0.2/24 (Trust)
  G1/0/1 10.2.0.2/24 (Untrust)
  G1/0/7 10.10.0.2/24 (heartbeat, DMZ)

PC1 10.3.0.100/24 connects through the downstream switch (Trust); PC2 1.1.1.2/24 connects through the upstream switch (Untrust).
Configuration Procedure (CLI)

Step 1 Complete the configuration of the upstream and downstream interfaces of NGFW_A. Set IP addresses for the interfaces and add the interfaces to security zones.

<NGFW_A> system-view
[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ip address 10.2.0.1 255.255.255.0
[NGFW_A-GigabitEthernet1/0/1] quit
[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] ip address 10.3.0.1 255.255.255.0
[NGFW_A-GigabitEthernet1/0/3] quit
[NGFW_A] firewall zone trust
[NGFW_A-zone-trust] add interface GigabitEthernet 1/0/3
[NGFW_A-zone-trust] quit
[NGFW_A] firewall zone untrust
[NGFW_A-zone-untrust] add interface GigabitEthernet 1/0/1
[NGFW_A-zone-untrust] quit

Create VRRP backup group 1 on interface GigabitEthernet 1/0/1, and add it to the VGMP management group whose status is Active.

[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
[NGFW_A-GigabitEthernet1/0/1] quit

Create VRRP backup group 2 on interface GigabitEthernet 1/0/3, and add it to the VGMP management group whose status is Active.

[NGFW_A] interface GigabitEthernet 1/0/3
[NGFW_A-GigabitEthernet1/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 active
[NGFW_A-GigabitEthernet1/0/3] quit

Step 2 Complete the heartbeat link configuration on NGFW_A.

Set the IP address of interface GigabitEthernet 1/0/7.

[NGFW_A] interface GigabitEthernet1/0/7
[NGFW_A-GigabitEthernet1/0/7] ip address 10.10.0.1 255.255.255.0
[NGFW_A-GigabitEthernet1/0/7] quit

Add interface GigabitEthernet 1/0/7 to the DMZ.

[NGFW_A] firewall zone dmz
[NGFW_A-zone-dmz] add interface GigabitEthernet1/0/7
[NGFW_A-zone-dmz] quit

Specify interface GigabitEthernet 1/0/7 as the heartbeat interface.

[NGFW_A] hrp interface GigabitEthernet1/0/7

Note: The heartbeat link carries the configuration and the session table from the active firewall to the standby, so it should be a direct cable or an isolated VLAN that no other host can reach.

Step 3 Configure the forwarding policy for the Trust-Untrust interzone. (Once HRP is enabled the prompt carries the HRP_A prefix, and security policies configured on the active device are synchronized to the standby.)

HRP_A[NGFW_A]security-policy
HRP_A[NGFW_A-policy-security] rule name trust_untrust
HRP_A[NGFW_A-policy-security-rule-trust_untrust] source-zone trust
HRP_A[NGFW_A-policy-security-rule-trust_untrust] destination-zone untrust
HRP_A[NGFW_A-policy-security-rule-trust_untrust] action permit
HRP_A[NGFW_A-policy-security-rule-trust_untrust] quit
HRP_A[NGFW_A-policy-security]rule name local_trust
HRP_A[NGFW_A-policy-security-rule-local_trust]source-zone trust local
HRP_A[NGFW_A-policy-security-rule-local_trust]destination-zone trust local
HRP_A[NGFW_A-policy-security-rule-local_trust]action permit
HRP_A[NGFW_A-policy-security-rule-local_trust]quit

Step 4 Enable the HRP backup function.

[NGFW_A] hrp enable

Step 5 Configure NGFW_B.

The configuration on NGFW_B is the same as on NGFW_A except that:

The IP addresses of the interfaces on NGFW_B are different from those on NGFW_A.

The service interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/3 of NGFW_B are added to the VGMP management group whose status is Standby (the standby keyword in place of active in the vrrp vrid commands).

Step 6 Configure the switches.

On each switch, add its three interfaces to the same VLAN; the default configuration is sufficient. For configuration commands, refer to the related documents of the switch.

Configuration Procedure (WEB)

Step 1 Set the IP addresses of the interfaces on NGFW_A, and add the interfaces to security zones. Choose Network > Interface. In Interface List, click the edit icon of the interface. On the Modify GigabitEthernet Interface page, complete the configuration and click OK. The configuration of interfaces 1/0/3 and 1/0/7 is similar to that of interface 1/0/1.

Step 2 Configure a forwarding policy for NGFW_A.

Forwarding policy for the Trust zone to access the Untrust zone: choose Policy > Security Policy > Security Policy. In Security Policy List, click Add, configure the security policy policy_sec, and set the parameters as follows:

Step 3 Configure VRRP backup group 1 and backup group 2 of NGFW_A.

Choose System > High Availability > Dual-System Hot Backup, click Edit, select the Enable check box, and set the parameters as follows:

Step 4 Configure NGFW_B in the same way, except that:

The IP addresses of the interfaces on NGFW_B are different from those on NGFW_A.

The service interfaces of NGFW_B, namely GE1/0/1 and GE1/0/3, are added to the standby management group.

Result Verification
Run the display vrrp command on NGFW_A to check the status of the interfaces in the VRRP
backup group. If the following information is displayed, the VRRP backup group is successfully
created.
HRP_A<NGFW_A>display vrrp
GigabitEthernet1/0/1 | Virtual Router 1
VRRP Group : Active
state : Active
Virtual IP : 1.1.1.1
Virtual MAC : 0000-5e00-0101
Primary IP : 10.2.0.1
PriorityRun : 120
PriorityConfig : 100
ActivePriority : 120
Preempt : YES Delay Time : 0
Advertisement Timer : 1
Auth Type : NONE
Check TTL : YES

GigabitEthernet1/0/3 | Virtual Router 2
VRRP Group : Active
state : Active
Virtual IP : 10.3.0.3
Virtual MAC : 0000-5e00-0102
Primary IP : 10.3.0.1
PriorityRun : 120
PriorityConfig : 100
ActivePriority : 120
Preempt : YES Delay Time : 0
Advertisement Timer : 1
Auth Type : NONE
Check TTL : YES
Run the display hrp state command on NGFW_A to check the current HRP status. If the following
output is displayed, an HRP relationship is successfully established.
HRP_A<NGFW_A>display hrp state
The firewall's config state is: ACTIVE
Current state of virtual routers configured as active:
GigabitEthernet1/0/3 vrid 2 : active
GigabitEthernet1/0/1 vrid 1 : active
Ping the virtual IP address 10.3.0.3 of VRRP group 2 on PC1 in the Trust zone. Then check the
sessions on NGFW_A.
HRP_A<NGFW_A>display firewall session table
Current Total Sessions : 1
icmp VPN:public --> public 10.3.0.100:1-->10.3.0.3:2048
The virtual IP address of VRRP group 2 can be pinged from PC1 after the VRRP groups are
configured correctly.
PC2 is the server in the Untrust zone. PC1 in the Trust zone can ping the server in the Untrust zone. Check
the session information on NGFW_A and NGFW_B.
HRP_A<NGFW_A>display firewall session table
Current Total Sessions : 1
icmp VPN:public --> public 10.3.0.100:1-->1.1.1.2:2048

HRP_S<NGFW_B>display firewall session table
Current Total Sessions : 1
icmp VPN:public --> public Remote 10.3.0.100:1-->1.1.1.2:2048

As shown in the preceding output, a session tagged with Remote is created on NGFW_B,
indicating that the session is successfully synchronized after dual-system hot backup is configured.
Run ping 1.1.1.2 -t on PC1, unplug the network cable from GE1/0/1 on NGFW_A, and check the
firewall status and packet loss.
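Added example (not part of the lab guide): a Python checker that parses the session tables of both nodes in the format shown above and reports every session on the active unit that has no Remote-tagged copy on the standby, which is exactly what a failover would lose. The sample outputs are constructed and deliberately give the active node one extra TCP session.

```python
import re
from dataclasses import dataclass

# Constructed samples in the format of the session tables shown above; not captured
# from a real device. The active node carries one extra TCP session on purpose.
ACTIVE_OUTPUT = """\
HRP_A<NGFW_A>display firewall session table
Current Total Sessions : 2
icmp VPN:public --> public 10.3.0.100:1-->1.1.1.2:2048
tcp VPN:public --> public 10.3.0.100:51234-->1.1.1.2:80
"""

STANDBY_OUTPUT = """\
HRP_S<NGFW_B>display firewall session table
Current Total Sessions : 1
icmp VPN:public --> public Remote 10.3.0.100:1-->1.1.1.2:2048
"""

SESSION_RE = re.compile(
    r"^(?P<proto>[a-z]+)\s+VPN:(?P<src_vpn>\S+)\s+-->\s+(?P<dst_vpn>\S+)"
    r"(?P<remote>\s+Remote)?\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)-->(?P<dst>[\d.]+):(?P<dport>\d+)$"
)
TOTAL_RE = re.compile(r"Current Total Sessions\s*:\s*(\d+)")


@dataclass(frozen=True)
class Session:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    remote: bool  # True when the entry was synchronized from the peer ("Remote" tag)

    def key(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


def parse_session_table(output):
    """Parse 'display firewall session table' output into Session records."""
    sessions = []
    for line in output.splitlines():
        m = SESSION_RE.match(line.strip())
        if m:
            sessions.append(Session(m["proto"], m["src"], int(m["sport"]),
                                    m["dst"], int(m["dport"]), m["remote"] is not None))
    return sessions


def declared_total(output):
    """The session count the firewall itself reports, or None if absent."""
    m = TOTAL_RE.search(output)
    return int(m[1]) if m else None


def unsynchronized(active_output, standby_output):
    """Sessions owned by the active node that have no Remote-tagged copy on the standby."""
    active = {s.key() for s in parse_session_table(active_output) if not s.remote}
    standby = {s.key() for s in parse_session_table(standby_output) if s.remote}
    return sorted(active - standby)


def hrp_report(active_output, standby_output):
    """Summary a practitioner would check before testing failover by pulling the cable."""
    missing = unsynchronized(active_output, standby_output)
    lines = [f"active declares {declared_total(active_output)} session(s), "
             f"standby declares {declared_total(standby_output)}"]
    for proto, src, sport, dst, dport in missing:
        lines.append(f"NOT SYNCED: {proto} {src}:{sport} --> {dst}:{dport}")
    if not missing:
        lines.append("all active sessions have a Remote copy on the standby")
    return "\n".join(lines)


if __name__ == "__main__":
    print(hrp_report(ACTIVE_OUTPUT, STANDBY_OUTPUT))
```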

7 Firewall User Management Lab
7.1 Internet Access User Authentication Lab (Authentication Exemption and Local Password Authentication)
Lab Objectives

This section describes how to exempt intranet users from authentication and how to use local password
authentication for Internet access users.
Lab Device

One NGFW firewall, one PC.

Lab Topology
[Topology figure: Auth. exemption user (192.168.0.2/24) -- G1/0/0 192.168.0.1/24 on the USG; local password auth. user (192.168.1.2/24) -- G1/0/1 192.168.1.1/24 on the USG; USG G1/0/2 1.1.1.1/24 -- Internet -- Server 1.1.1.2/24. The figure shows the auth. exemption traffic flow and the local password auth. traffic flow.]

Configuration Procedure (WEB)

Step 1 Configure the basic parameters of the interfaces and add the interfaces to security zones. Add
GE1/0/0 to the guest zone, GE1/0/1 to the trust zone and GE1/0/2 to the untrust zone. (omitted)
Step 2 Configure the default route. Assume that the next-hop IP address is 1.1.1.2.
Step 3 Create the authentication exemption user group. Choose Object > User > Group/User. In
Organizational Structure, select Default. Click Add in Member Management, select
Create Group, and create a group named auth_exemption.
Step 4 Create a user authentication policy Guest specifically for the subnet 192.168.0.0/24. Choose
Policy > Authentication Policy, click Add, enter or select the parameters, and click OK.
Step 5 Create the local password authentication user and user group. Choose Object > User > Group/User.
In Organizational Structure, select Default. Click Add in Member Management, select
Create Group, and name the new group Normal.
In Organizational Structure, select Normal. In Member Management, click Add, select
Create a User, and create a new user user01 with the password Admin@123.
Step 6 Create a user authentication policy Normal specifically for the subnet 192.168.1.0/24.


Step 7 Add a new forwarding policy for authentication exemption users. Set the source zone to Guest, the
destination zone to untrust, the user to guest, and the action to permit.
Step 8 Add a new forwarding policy for local password authentication users. Set the source zone to trust,
the destination zone to untrust, the user to normal, and the action to permit.

Step 9 Configure the redirection web page after successful authentication. Choose Object > User >
Authentication Item. Click the Global Configuration tab. Configure Redirect to the latest
web page.

When users access the service, the device pushes the authentication URL to the users for authentication.

Thinking: What is the difference between HTTP and HTTPS?

Answer: HTTP indicates that the Web browser exchanges with the device through HTTP. HTTPS
indicates that the Web browser exchanges with the device through HTTPS.

Step 10 Configure the Local zone security policy. Allow traffic on port 8887 to pass through the firewall.
Result Verification

After a guest connects to the intranet, the guest can access the Internet without entering an account and
password.
When a normal employee accesses the Internet, the NGFW firewall redirects the user to the authentication page
and asks for an account and password. Only after the user enters the correct account and password can the
user access the network resources.
8 VPN Lab

8.1 L2TP VPN Lab (Client-Initialized VPN)

Lab Objectives

Through this task, you will learn how to configure client-initialized L2TP.

Lab Device

One USG6000 Firewall and two PCs.



Lab Topology

[Topology figure: Client (LAC, 192.168.2.2/24) -- L2TP VPN Tunnel -- LNS GE1/0/1 192.168.2.1/24; LNS GE1/0/0 192.168.1.1/24 -- Server 192.168.1.2/24.]

Configuration Procedure (CLI)
Step 1 Configure the LNS side. Set the IP addresses of the interfaces.

<NGFW> system-view
[NGFW] sysname LNS
[LNS] interface GigabitEthernet 1/0/1
[LNS-GigabitEthernet1/0/1] ip address 192.168.2.1 255.255.255.0
[LNS-GigabitEthernet1/0/1] quit
[LNS] interface GigabitEthernet 1/0/0
[LNS-GigabitEthernet1/0/0] ip address 192.168.1.1 255.255.255.0
[LNS-GigabitEthernet1/0/0] quit

Step 2 Create and configure the virtual interface template.

[LNS] interface virtual-template 1


[LNS-Virtual-Template1] ip address 192.168.0.1 255.255.255.0
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-Virtual-Template1] quit
Step 3 Enable L2TP.

[LNS] l2tp enable

Step 4 Create and configure an L2TP group.

[LNS] l2tp-group 1
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1 remote client1
[LNS-l2tp1] tunnel authentication

[LNS-l2tp1] tunnel password cipher Huawei@123
[LNS-l2tp1] quit
Step 5 Define an address pool and allocate IP addresses for the LAC client. Set the user name and
password (the same as those on the LAC client side).

[LNS] user-manage user vpdnuser
[LNS-localuser-vpdnuser] password Admin@123
[LNS-localuser-vpdnuser] parent-group /default
[LNS-localuser-vpdnuser] quit
[LNS] aaa
[LNS-aaa] domain default
[LNS-aaa-domain-default] ip pool 1 192.168.0.2 192.168.0.100
[LNS-aaa-domain-default] quit
[LNS-aaa] quit

Step 6 Allocate an IP address for the peer interface from the IP address pool.

[LNS] interface virtual-template 1
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit
Step 7 Add the interface to the security zones and configure the interzone packet filtering.

[LNS]firewall zone trust
[LNS-zone-trust]add interface GigabitEthernet 1/0/0
[LNS-zone-trust]add interface virtual-template 1
[LNS-zone-trust]quit
[LNS]firewall zone untrust
[LNS-zone-untrust]add interface GigabitEthernet 1/0/1
[LNS-zone-untrust]quit
[LNS]security-policy
[LNS-policy-security]rule name trust_untrust
[LNS-policy-security-rule-trust_untrust]source-zone trust
[LNS-policy-security-rule-trust_untrust]destination-zone untrust
[LNS-policy-security-rule-trust_untrust]source-address 192.168.1.0 24
[LNS-policy-security-rule-trust_untrust]action permit
[LNS-policy-security-rule-trust_untrust]quit
[LNS-policy-security]rule name untrust_trust
[LNS-policy-security-rule-untrust_trust]source-zone untrust
[LNS-policy-security-rule-untrust_trust]destination-zone trust
[LNS-policy-security-rule-untrust_trust]destination-address 192.168.1.0 24
[LNS-policy-security-rule-untrust_trust]action permit
[LNS-policy-security-rule-untrust_trust]quit
[LNS-policy-security]rule name local_untrust
[LNS-policy-security-rule-local_untrust]source-zone local
[LNS-policy-security-rule-local_untrust]destination-zone untrust
[LNS-policy-security-rule-local_untrust]source-address 192.168.2.1 24
[LNS-policy-security-rule-local_untrust]action permit
[LNS-policy-security-rule-local_untrust]quit
[LNS-policy-security]rule name untrust_local
[LNS-policy-security-rule-untrust_local]source-zone untrust
[LNS-policy-security-rule-untrust_local]destination-zone local
[LNS-policy-security-rule-untrust_local]destination-address 192.168.2.1 24
[LNS-policy-security-rule-untrust_local]action permit
[LNS-policy-security-rule-untrust_local]quit
[LNS-policy-security]quit

Step 8 Configure the LAC client side. The LAC client must have the L2TP client software installed
and be connected to the Internet in dial-up mode. The following uses the Secoway VPN Client
as an example. Click to establish a new connection following the New Connection
Wizard. Choose Create a new connection by inputting parameters, then click Next.

Step 9 Set LNS Server IP, Username, and Password (vpdnuser/Admin@123) on the Basic Settings
page. Click Next.
Step 10 Enter the Tunnel Name (client1) and Authentication Mode (CHAP). Select Enable Tunnel
Authentication and enter the Tunnel Authentication Password (Huawei@123). Complete the
creation of the L2TP connection. Click Next.

Step 11 Click the connection already created, and click Connect.
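Added example, not from the lab guide: a Python lint that parses the LNS commands configured in Steps 2 to 5 and checks the settings that must agree with the LAC client entered in Steps 9 and 10 (remote tunnel name, tunnel authentication password, PPP authentication mode, user credentials). The LNS excerpt and client settings are constructed; the second client uses the Password123 value that Step 5 of the WEB procedure mentions, to show how a mismatch is reported.

```python
import re

# Constructed LNS excerpt in the lab's CLI format (prompts included); not a device capture.
LNS_CONFIG = """\
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] allow l2tp virtual-template 1 remote client1
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel password cipher Huawei@123
[LNS] user-manage user vpdnuser
[LNS-localuser-vpdnuser] password Admin@123
"""

# Settings as typed into the VPN client wizard (Steps 9 and 10 above); constructed.
CLIENT_OK = {
    "tunnel_name": "client1", "auth_mode": "CHAP", "tunnel_auth": True,
    "tunnel_password": "Huawei@123", "username": "vpdnuser", "password": "Admin@123",
}
# Same client, but with the Password123 value mentioned in Step 5 of the WEB procedure.
CLIENT_BAD = dict(CLIENT_OK, tunnel_password="Password123")

PROMPT_RE = re.compile(r"^\[[^\]]*\]\s*")


def parse_lns(config_text):
    """Pull the LAC-facing settings out of an LNS configuration excerpt."""
    lns = {"tunnel_auth": False, "users": {}}
    current_user = None
    for raw in config_text.splitlines():
        cmd = PROMPT_RE.sub("", raw).strip()  # drop the [LNS-...] prompt
        if not cmd:
            continue
        if m := re.match(r"ppp authentication-mode (\S+)", cmd):
            lns["ppp_auth"] = m[1].upper()
        elif m := re.match(r"allow l2tp virtual-template \d+ remote (\S+)", cmd):
            lns["remote_name"] = m[1]
        elif cmd == "tunnel authentication":
            lns["tunnel_auth"] = True
        elif m := re.match(r"tunnel password (?:cipher|simple) (\S+)", cmd):
            lns["tunnel_password"] = m[1]
        elif m := re.match(r"user-manage user (\S+)", cmd):
            current_user = m[1]
            lns["users"].setdefault(current_user, None)
        elif (m := re.match(r"password (\S+)", cmd)) and current_user:
            lns["users"][current_user] = m[1]
    return lns


def mismatches(lns, client):
    """Names of the settings that differ between LNS and LAC client; empty when consistent."""
    issues = []
    if client["tunnel_name"] != lns.get("remote_name"):
        issues.append("tunnel name")  # the LNS only accepts the configured remote name
    if lns["tunnel_auth"] and (not client["tunnel_auth"]
                               or client["tunnel_password"] != lns.get("tunnel_password")):
        issues.append("tunnel authentication password")
    if client["auth_mode"] != lns.get("ppp_auth"):
        issues.append("PPP authentication mode")
    if lns["users"].get(client["username"]) != client["password"]:
        issues.append("user credentials")
    return issues


if __name__ == "__main__":
    lns_settings = parse_lns(LNS_CONFIG)
    print("consistent client:", mismatches(lns_settings, CLIENT_OK) or "no mismatches")
    print("wrong tunnel password:", mismatches(lns_settings, CLIENT_BAD))
```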


Configuration Procedure (WEB)

Step 1 Configure the LNS side. Set the IP address of the interface. Choose Network > Interface >
Interface. In Interface List, click the edit icon of GE1/0/1 and configure the interface. Click Apply when
you have finished the configuration, as shown in the figure below:
Step 2 Configure the security forwarding policy. Choose Policy > Security Policy. Click the Security
Policy tab. In Security Policy List, click Add. Click Apply when you have finished the configuration,
as shown in the figure below:
Step 3 Configure the L2TP parameters. Choose Network > L2TP > L2TP. In Configure L2TP, select
the Enable check box of L2TP, and then click Apply.

Step 4 In L2TP Group List, click Add. Set Group Type to LNS. Click Add to create user vpdnuser
(vpdnuser/Admin@123).

Step 5 Configure the other L2TP parameters. Tunnel Name on Peer must be the same as Tunnel Name
on Local configured on the LAC side. The peer tunnel name should be client1/Password123.

Step 6 Configure the server address and address pool, as shown in the figure below. Click Apply after
finishing all the configurations.

Step 7 Configure the LAC client. The steps are the same as in the CLI configuration procedure; see Steps 8
to 11 in Configuration Procedure (CLI).

Result Verification

Check the VPN users by running the display l2tp tunnel command on the LNS side.

[LNS] display l2tp tunnel
Total tunnel = 1
LocalTID RemoteTID RemoteAddress Port Sessions RemoteName
2 2 192.168.2.2 1701 1 client1
In the web GUI, choose VPN > L2TP > Monitor. If the ID of the L2TP tunnel exists, the L2TP tunnel
is successfully established.
8.2 GRE VPN Lab
Lab Objectives

Upon completion of this experiment, you will know how to configure GRE VPN.

Lab Device

Two USG6000 firewalls and two PCs.

Lab Topology

[Topology figure: PC A (192.168.0.2/24) -- G1/0/0 192.168.0.1/24 NGFW_A G1/0/1 192.13.2.1/24 -- GRE Tunnel -- G1/0/1 192.13.2.2/24 NGFW_B G1/0/0 192.168.1.1/24 -- PC B (192.168.1.2/24). Tunnel 0 is 10.1.2.1/24 on NGFW_A and 10.1.3.1/24 on NGFW_B.]

Configuration Procedure (CLI)
Step 1 Configure the IP addresses of the PCs. (omitted)
Step 2 Configure the IP addresses of the firewall interfaces.

Configure NGFW_A
[NGFW_A]interface GigabitEthernet 1/0/0
[NGFW_A-GigabitEthernet1/0/0]ip address 192.168.0.1 24
[NGFW_A-GigabitEthernet1/0/0]quit
[NGFW_A]interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1]ip address 192.13.2.1 24
[NGFW_A-GigabitEthernet1/0/1]quit

Configure NGFW_B
[NGFW_B]interface GigabitEthernet 1/0/0
[NGFW_B-GigabitEthernet1/0/0]ip address 192.168.1.1 24
[NGFW_B-GigabitEthernet1/0/0]quit
[NGFW_B]interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1]ip address 192.13.2.2 24
[NGFW_B-GigabitEthernet1/0/1]quit
Step 3 Add the interfaces into security zones and configure the interzone packet filtering policy.

Configure NGFW_A
[NGFW_A]firewall zone trust
[NGFW_A-zone-trust]add interface GigabitEthernet 1/0/0
[NGFW_A-zone-trust]quit
[NGFW_A]firewall zone untrust
[NGFW_A-zone-untrust]add interface GigabitEthernet 1/0/1
[NGFW_A-zone-untrust]quit
[NGFW_A]security-policy
[NGFW_A-policy-security]rule name policy_sec
[NGFW_A-policy-security-rule-policy_sec]source-zone trust untrust local
[NGFW_A-policy-security-rule-policy_sec]destination-zone trust untrust local
[NGFW_A-policy-security-rule-policy_sec]action permit
[NGFW_A-policy-security-rule-policy_sec]quit
Configure NGFW_B

[NGFW_B]firewall zone trust
[NGFW_B-zone-trust]add interface GigabitEthernet 1/0/0
[NGFW_B-zone-trust]quit
[NGFW_B]firewall zone untrust
[NGFW_B-zone-untrust]add interface GigabitEthernet 1/0/1
[NGFW_B-zone-untrust]quit
[NGFW_B]security-policy
[NGFW_B-policy-security]rule name policy_sec
[NGFW_B-policy-security-rule-policy_sec]source-zone trust untrust local
[NGFW_B-policy-security-rule-policy_sec]destination-zone trust untrust local
[NGFW_B-policy-security-rule-policy_sec]action permit
[NGFW_B-policy-security-rule-policy_sec]quit

Step 4 Configure the tunnel interface and add the tunnel interface to the untrust zone.

Configure NGFW_A
[NGFW_A]interface Tunnel 0
[NGFW_A-Tunnel0]tunnel-protocol gre
[NGFW_A-Tunnel0]ip address 10.1.2.1 24

[NGFW_A-Tunnel0]source 192.13.2.1
[NGFW_A-Tunnel0]destination 192.13.2.2
[NGFW_A-Tunnel0]quit
[NGFW_A]firewall zone untrust
[NGFW_A-zone-untrust]add interface Tunnel 0
[NGFW_A-zone-untrust]quit
Configure NGFW_B
[NGFW_B]interface Tunnel 0
[NGFW_B-Tunnel0]tunnel-protocol gre
[NGFW_B-Tunnel0]ip address 10.1.3.1 24
[NGFW_B-Tunnel0]source 192.13.2.2
[NGFW_B-Tunnel0]destination 192.13.2.1
[NGFW_B-Tunnel0]quit
[NGFW_B]firewall zone untrust
[NGFW_B-zone-untrust]add interface Tunnel 0
[NGFW_B-zone-untrust]quit
Step 5 Configure the static routes.

Configure NGFW_A
[NGFW_A]ip route-static 192.168.1.0 24 Tunnel 0
Configure NGFW_B
[NGFW_B]ip route-static 192.168.0.0 24 Tunnel 0

Configuration Procedure (WEB)
Step 1 Configure the IP addresses of the PCs. (omitted)

Step 2 Configure the IP addresses of the firewall interfaces. Choose Network > Interface. In Interface List,
click the edit icon of each interface.
Configure NGFW_A
Configure NGFW_B
Step 3 Configure the interzone packet filtering policy to ensure normal network communication. Choose
Policy > Security Policy. In Security Policy List, click Add.

Configure NGFW_A

The configuration on NGFW_B is the same as on NGFW_A.
Step 4 Configure the tunnel interface and add the tunnel interface to the untrust zone. Choose Network >
GRE > GRE. In GRE Interface List, click Add. Configure the GRE interface parameters, as shown
in the figures below:

Configure NGFW_A
Configure NGFW_B


Step 5 Configure the static route. Choose Network > Route > Static Route. In Static Route List, click
Add. On the Add Static Route page, set the parameters shown in the figures below:
Configure NGFW_A

Configure NGFW_B

Result Verification

PC A and PC B can ping each other.

9 IPSec VPN Lab

9.1 Configuring Point-to-Point IPSec Tunnel


Lab Objectives

Through this task, you will learn how to configure a point-to-point IPSec tunnel with a fixed public IP
address at the peer end.
Lab Device

Two USG6000 firewalls and two PCs.

Lab Topology
[Topology figure: Host 1 (10.1.1.100/24) -- G1/0/3 10.1.1.1/24 NGFW_A G1/0/1 1.1.3.1/24 -- G1/0/1 1.1.3.2/24 NGFW_B G1/0/3 10.1.2.1/24 -- Host 2 (10.1.2.100/24).]

Configuration Procedure (CLI)

Configure NGFW_A

Step 1 Basic configurations, including the IP addresses of the PCs and the USG interfaces. (omitted)

Step 2 Configure the interzone packet filtering policy.

[NGFW_A]security-policy
[NGFW_A-policy-security]rule name policy_sec1
[NGFW_A-policy-security-rule-policy_sec1]source-zone trust untrust
[NGFW_A-policy-security-rule-policy_sec1]destination-zone trust untrust
[NGFW_A-policy-security-rule-policy_sec1]source-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_sec1]source-address 10.1.2.0 24
[NGFW_A-policy-security-rule-policy_sec1]destination-address 10.1.1.0 24
[NGFW_A-policy-security-rule-policy_sec1]destination-address 10.1.2.0 24
[NGFW_A-policy-security-rule-policy_sec1]action permit
[NGFW_A-policy-security-rule-policy_sec1]quit
[NGFW_A-policy-security]rule name policy_sec2
[NGFW_A-policy-security-rule-policy_sec2]source-zone local untrust
[NGFW_A-policy-security-rule-policy_sec2]destination-zone local untrust
[NGFW_A-policy-security-rule-policy_sec2]source-address 1.1.3.0 24
[NGFW_A-policy-security-rule-policy_sec2]destination-address 1.1.3.0 24
[NGFW_A-policy-security-rule-policy_sec2]action permit
[NGFW_A-policy-security-rule-policy_sec2]quit
Step 3 Configure an ACL on NGFW_A to define the data flow to be protected.

[NGFW_A]acl 3000
[NGFW_A-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
[NGFW_A-acl-adv-3000]quit
Step 4 Configure a static route from NGFW_A to the peer end.

[NGFW_A] ip route-static 10.1.2.0 255.255.255.0 1.1.3.2

Step 5 Create an IPSec proposal on NGFW_A (default configuration).

[NGFW_A] ipsec proposal tran1
[NGFW_A-ipsec-proposal-tran1] quit

Step 6 Create an IKE proposal on NGFW_A (default configuration).

[NGFW_A] ike proposal 10
[NGFW_A-ike-proposal-10] quit
Step 7 Configure the IKE peer.

[NGFW_A]ike peer b
[NGFW_A-ike-peer-b]ike-proposal 10
[NGFW_A-ike-peer-b]remote-address 1.1.3.2
[NGFW_A-ike-peer-b]pre-shared-key huawei
[NGFW_A-ike-peer-b]quit

Step 8 Create an IPSec policy on NGFW_A.

[NGFW_A] ipsec policy map1 10 isakmp
[NGFW_A-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_A-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_A-ipsec-policy-isakmp-map1-10] ike-peer b
[NGFW_A-ipsec-policy-isakmp-map1-10] quit

Step 9 Apply the IPSec policy to the interface on NGFW_A.

[NGFW_A] interface GigabitEthernet 1/0/1
[NGFW_A-GigabitEthernet1/0/1] ipsec policy map1
[NGFW_A-GigabitEthernet1/0/1] quit
Configure NGFW_B

Step 10 Basic configurations, including the IP addresses of the PCs and the NGFW interfaces. (omitted)
Step 11 Configure the interzone packet filtering policy between the Trust zone and the Untrust
zone.

[NGFW_B]security-policy
[NGFW_B-policy-security]rule name policy_sec1
[NGFW_B-policy-security-rule-policy_sec1]source-zone trust untrust
[NGFW_B-policy-security-rule-policy_sec1]destination-zone trust untrust
[NGFW_B-policy-security-rule-policy_sec1]source-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_sec1]source-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_sec1]destination-address 10.1.1.0 24
[NGFW_B-policy-security-rule-policy_sec1]destination-address 10.1.2.0 24
[NGFW_B-policy-security-rule-policy_sec1]action permit
[NGFW_B-policy-security-rule-policy_sec1]quit
[NGFW_B-policy-security]rule name policy_sec2
[NGFW_B-policy-security-rule-policy_sec2]source-zone local untrust
[NGFW_B-policy-security-rule-policy_sec2]destination-zone local untrust
[NGFW_B-policy-security-rule-policy_sec2]source-address 1.1.3.0 24
[NGFW_B-policy-security-rule-policy_sec2]destination-address 1.1.3.0 24
[NGFW_B-policy-security-rule-policy_sec2]action permit
[NGFW_B-policy-security-rule-policy_sec2]quit

Step 12 Configure an ACL on NGFW_B to define the data flow to be protected.

[NGFW_B]acl 3000
[NGFW_B-acl-adv-3000]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
[NGFW_B-acl-adv-3000]quit

Step 13 Configure a static route from NGFW_B to the peer end.

[NGFW_B] ip route-static 10.1.1.0 255.255.255.0 1.1.3.1

Step 14 Create an IPSec proposal on NGFW_B (default configuration).

[NGFW_B] ipsec proposal tran1
[NGFW_B-ipsec-proposal-tran1] quit

Step 15 Create an IKE proposal on NGFW_B (default configuration).

[NGFW_B] ike proposal 10
[NGFW_B-ike-proposal-10] quit
Step 16 Configure the IKE peer.

[NGFW_B]ike peer a
[NGFW_B-ike-peer-a]ike-proposal 10
[NGFW_B-ike-peer-a]remote-address 1.1.3.1
[NGFW_B-ike-peer-a]pre-shared-key huawei
[NGFW_B-ike-peer-a]quit

Step 17 Create an IPSec policy on NGFW_B.

[NGFW_B] ipsec policy map1 10 isakmp
[NGFW_B-ipsec-policy-isakmp-map1-10] security acl 3000
[NGFW_B-ipsec-policy-isakmp-map1-10] proposal tran1
[NGFW_B-ipsec-policy-isakmp-map1-10] ike-peer a
[NGFW_B-ipsec-policy-isakmp-map1-10] quit

Step 18 Apply the IPSec policy to the interface on NGFW_B.

[NGFW_B] interface GigabitEthernet 1/0/1
[NGFW_B-GigabitEthernet1/0/1] ipsec policy map1
[NGFW_B-GigabitEthernet1/0/1] quit
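Added example, not from the lab guide: a Python check that parses the acl 3000 rules of both firewalls in the CLI format above, converts the wildcard masks to prefixes, and confirms that NGFW_B's protected data flow is the exact mirror of NGFW_A's, since both ends must agree on the protected traffic for the IPSec SA negotiation to succeed. The ACL text is constructed, and a deliberately wrong peer ACL is included to show the report.

```python
import ipaddress
import re

# Constructed ACL excerpts in the lab's CLI format (not captured from a device).
ACL_NGFW_A = """
[NGFW_A-acl-adv-3000]rule permit ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
"""
ACL_NGFW_B = """
[NGFW_B-acl-adv-3000]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
"""
# Deliberately wrong peer ACL: NGFW_B protects traffic back to 10.1.3.0/24 instead of 10.1.1.0/24.
ACL_NGFW_B_WRONG = """
[NGFW_B-acl-adv-3000]rule permit ip source 10.1.2.0 0.0.0.255 destination 10.1.3.0 0.0.0.255
"""

RULE_RE = re.compile(
    r"rule\s+(?:\d+\s+)?(?P<action>permit|deny)\s+ip\s+"
    r"source\s+(?P<src>[\d.]+)\s+(?P<swc>[\d.]+)\s+"
    r"destination\s+(?P<dst>[\d.]+)\s+(?P<dwc>[\d.]+)"
)


def wildcard_to_network(addr, wildcard):
    """Convert a Huawei wildcard mask (0 bit = must match, 1 bit = don't care) to a network.

    Only contiguous wildcards (0.0.0.255, 0.0.255.255, ...) describe a prefix; anything
    else is rejected rather than silently mis-converted.
    """
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # wc + 1 must be a power of two for the wildcard to be contiguous
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be expressed as a prefix")
    prefix = 32 - wc.bit_length()
    return ipaddress.ip_network((addr, prefix), strict=False)


def parse_protected_flows(acl_text):
    """Return the (source network, destination network) pairs the permit rules protect."""
    flows = []
    for line in acl_text.splitlines():
        m = RULE_RE.search(line)
        if m and m["action"] == "permit":
            flows.append((wildcard_to_network(m["src"], m["swc"]),
                          wildcard_to_network(m["dst"], m["dwc"])))
    return flows


def unmirrored_flows(local_acl, peer_acl):
    """Flows protected locally for which the peer has no reversed (dst -> src) rule.

    Each local (src, dst) pair must appear on the peer as (dst, src); a pair without
    a mirror is traffic one side encrypts and the other side does not expect.
    """
    peer_reversed = {(d, s) for s, d in parse_protected_flows(peer_acl)}
    return [f for f in parse_protected_flows(local_acl) if f not in peer_reversed]


def flow_is_protected(acl_text, src_ip, dst_ip):
    """Would a packet src_ip -> dst_ip be selected for the IPSec tunnel by this ACL?"""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in s and dst in d for s, d in parse_protected_flows(acl_text))


if __name__ == "__main__":
    print("A vs B:", unmirrored_flows(ACL_NGFW_A, ACL_NGFW_B) or "mirrored")
    print("A vs wrong B:", unmirrored_flows(ACL_NGFW_A, ACL_NGFW_B_WRONG))
    print("Host 1 -> Host 2 protected:", flow_is_protected(ACL_NGFW_A, "10.1.1.100", "10.1.2.100"))
```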
Configuration Procedure (WEB)

Configure NGFW_A
Step 19 Basic configurations, including the IP addresses of the PCs and the NGFW interfaces. (omitted)
Step 20 Configure the interzone packet filtering policy between the Trust zone and the Untrust zone, and
configure the security policy between the Local zone and the Untrust zone.
NGFW_A=10.1.1.0/24 NGFW_B=10.1.2.0/24
LOCAL_A=1.1.3.0/24 LOCAL_B=1.1.3.0/24

Step 21 Configure a static route from NGFW_A to network B, with the next-hop IP address 1.1.3.2.
Choose Network > Route > Static Route. In Static Route List, click Add. On the Add Static
Route page, configure the following parameters.
Step 22 Configure the IPSec tunnel. Choose Network > IPSec > IPSec, click Add, and choose the Site-to-site
scenario.

Step 23 Configure the data flow to be protected. Click Add in Data Flow to Be Encrypted.
Step 24 Configure the security proposal. Choose IKE/IPSec Proposal > Advanced. The configuration
includes the IKE parameters and the IPSec parameters; the default configurations are used.
NOTE:

The configuration of NGFW_B is similar to that of NGFW_A except for the static route, the peer end IP address
and the data flow to be protected. For those three parts of the configuration, see the procedures below.
The rest is omitted.
Result Verification

After the configuration is complete, ping an IP address on network B from network A. The ping
succeeds. Run the display ike sa and display ipsec sa commands on NGFW_A and NGFW_B to view the
established SAs. For example, on NGFW_B, if the following information is displayed, the IKE SA and
IPSec SA are established successfully.

<NGFW_B> display ike sa

current ike sa number: 2
---------------------------------------------------------------------------------------------------
conn-id peer flag phase vpn
---------------------------------------------------------------------------------------------------
101 1.1.3.1 RD v2:2 public
100 1.1.3.1 RD v2:1 public

flag meaning
RD--READY ST--STAYALIVE RL--REPLACED FD--FADING
TO--TIMEOUT TD--DELETING NEG--NEGOTIATING D--DPD


In the web GUI, check the establishment of the security associations (SAs) on NGFW_A and NGFW_B. For
example, on NGFW_A, if the following information is displayed, an IPSec tunnel is established
successfully. Choose Network > IPSec > Monitor.

10 SSL VPN Lab

10.1 Web Proxy/File Sharing/Port Forwarding/Network Extension

Lab Objectives

Through this task, you will learn how to configure the following functions of SSL VPN:
Web Proxy
Port Forwarding
File Sharing
Network Extension
Lab Device

One NGFW firewall and two PCs.

Lab Topology
[Topology figure: Mobile Employee PC -- SSL VPN -- GE1/0/1 1.1.1.1/24 (Untrust) on the NGFW; NGFW GE1/0/2 10.2.0.1/16 (Trust) -- Intranet Server.]

Configuration Procedure (WEB)

Step 1 Basic configurations, including the IP addresses of the PC and the NGFW interfaces. (omitted)
Step 2 Configure user objects and authentication. Create a user group object and a user object for a top
executive. Choose Object > User > User/Group. Click default and set the following parameters.

Create a user group. Set the following parameters. Click OK.
In Member Management, click Add, select Create a User, and set the following parameters. Click OK.

Create a user group object and a user object for an employee. Choose Object > User > User/Group.
Select default. In Member Management, click Add, select Create Group, and set the following
parameters. Click OK.
In Member Management, click Add, select Create a User, and set the following parameters. Click
OK.
Configure an authentication domain. Choose Object > User > Authentication Domain. Click default
and set the following parameters. Click OK.
Step 3 Configure an SSL VPN gateway, including the gateway address, user authentication, and maximum
number of concurrent users. Choose Network > SSL VPN > SSL VPN. Click the Gateway
Configuration tab. Configure an SSL VPN gateway and set the parameters as follows:

Click Next.
Step 4 Select the services to be enabled. Select Web Proxy, Network Extension, File Sharing and Port
Forwarding.
Click Next.
Step 6 Configure the web proxy function and add the resources Webmail and ERP. In Web Proxy Resource
List, click Add.
Add web proxy resource Webmail as follows:
Click OK.

Repeat the preceding steps to add web proxy resource ERP as follows:

Click OK. Click Next.

Step 7 Configure the network extension function. Set the range of IP addresses available to the network
extension function as follows:

r n
// lea
p :
t t
s :h
r c e
s ou
Re
i n g
r n
e a
e L
o r
M
In Accessible Private Network Segment List, click Add. Set the accessible IP address range on the
intranet as follows:
Click OK. Click Next.
Step 8 Enable the file sharing function and add file sharing resources. In the Configure File Sharing area,
select the Enable check box to the right of File Sharing.
In File Sharing Resource List, click Add. Add a file sharing resource named Study based on the
parameters described in the following table. Click Next.

Step 9 Enable port forwarding and add port forwarding resources. In the Configure Port Forwarding area,
select the Enable check box next to Port Forwarding.
In Port Forwarding Resource List, click Add. Set the following parameters for a port forwarding
resource named SQL. Click Next.
Step 10 Configure SSL VPN role authorization and users. Under User/User Group List, click Add. Add all
users that use the SSL VPN service to the user list. user_0001 is used as an example. Click OK.
Click Finish.

Repeat the preceding steps to configure user_0002. Click OK. Click Finish.

Under List of Authorized Roles, click Add. Add the director user group to a role and associate the
corresponding permissions. Click OK.
Add the employee user group to a role and associate the corresponding permissions. Click OK.
Step 11 Configure security policies to allow users to use SSL VPN services. Choose Policy > Security
Policy > Security Policy. Click Add. Configure security policy policy_sslvpn_1 and set the
parameters as follows:
Click OK.

Repeat the preceding steps to configure security policy policy_sslvpn_2 as follows:

Repeat the preceding steps to configure security policy policy_sslvpn_3 as follows:

Configuration Verification
1. Enter www.example.com or https://1.1.1.1 in the address box of the browser to access the SSL VPN login
page using the teleworker account. Upon initial login, install the controls as instructed by the browser.

NOTE:

2. Enter the user name and password on the login page to log in to the SSL VPN gateway.
3. After logging in to the SSL VPN gateway using the top executive account user_0001, you can use
Web Proxy, File Sharing, Port Forwarding and Network Extension.

4. Web Proxy: Click Webmail and ERP to use the corresponding services.
5. File Sharing: Click Study and enter the user name and password. user_0001 can then view and
download the enterprise's internal files.

6. Port Forwarding: Click Start. user_0001 can then use SQL database software to import business
information.

7. Network Extension: Click Start to automatically install the virtual network adapter and obtain a virtual
IP address. After that, you can use the various services just as if you were on the LAN.


8. Use the common employee account user_0002 to log in to the SSL VPN gateway. You can use Web
Proxy, File Sharing and Port Forwarding.
11 UTM Lab

11.1 Virus Database or IPS Signature Database Update
Lab Objectives

Get familiar with how to update the AV database and the IPS signature database through scheduled online update.

1. Update the AV database and the IPS signature database through the security service center at a scheduled
time;
2. Configure the IPS scheduled online update function; the update time is 02:00 am;
3. Configure the AV database scheduled online update function; the update time is 01:00 am.

Lab Device
1. One USG 6000 firewall, one PC.
2. The firewall can access the Internet.
Lab Topology
[Topology figure: (1) Firewall -- Intranet; (2) Security Service Center.]


Item   Device                                      Data
(1)    NGFW (whose signature database and virus    Interface number: GigabitEthernet 1/0/0
       database need to be updated)                IP address: 192.168.17.3/24
                                                   Security zone: Trust
(2)    NGFW (whose signature database and virus    Next-hop IP address: 192.168.17.254
       database need to be updated)                Firewall can access the Internet
Configuration Procedure (WEB)


Step 1 Configure the security service center. Choose System > Upgrade Center. Click Server IP Address to configure the upgrade center information.
Step 2 Add a DNS server. Choose Network > DNS > DNS. In the DNS Server List, add a new DNS server.

Result Verification
Result:

1. Run the display update configuration command to check the update configuration information.

<USG>display update configuration
11:49:24 2015/05/06
Update Configuration Information:
------------------------------------------------------------
Update Server : sec.huawei.com
Update Port : 80
Proxy Server :-
Proxy Port :-
Proxy User :-
Proxy Password :-
IPS-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:00
AV-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:00
SA-SDB:
Application Confirmation : Disable
Schedule Update : Enable
Schedule Update Frequency : Daily
Schedule Update Time : 02:00
------------------------------------------------------------
2. Run display version ips-sdb and display version av-sdb to check the version of the updated signature database or virus database. If the updated version meets the requirements, the update has succeeded.
<USG>display version ips-sdb
14:02:35 2015/05/06
IPS SDB Update Information List:
----------------------------------------------------------------
Current Version:
Signature Database Version : 2014082604
Signature Database Size(byte) : 1849702
Update Time : 13:44:29 2015/03/31
Issue Time of the Update File : 15:15:43 2014/08/26
Backup Version:
Signature Database Version :
Signature Database Size(byte) : 0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
IPS Engine Information List:
----------------------------------------------------------------
Current Version:
IPS Engine Version : V200R001C10SPC225
IPS Engine Size(byte) : 3145728
Update Time : 13:44:28 2015/03/31
Issue Time of the Update File : 10:51:45 2014/09/21
Backup Version:
IPS Engine Version :
IPS Engine Size(byte) :0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------

<USG>display version av-sdb
14:03:42 2015/05/06
AV SDB Update Information List:
----------------------------------------------------------------
Current Version:
Signature Database Version : 2014091500
Signature Database Size(byte) : 115294666
Update Time : 13:44:29 2015/03/31
Issue Time of the Update File : 01:50:47 2014/09/15
Backup Version:
Signature Database Version :
Signature Database Size(byte) : 0
Update Time : 00:00:00 0000/00/00
Issue Time of the Update File : 00:00:00 0000/00/00
----------------------------------------------------------------
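Both verification steps (is the scheduled update in place, and how old is the signature file actually installed) can be checked automatically against the CLI output. The script below is an added example, not part of this lab guide or of any Huawei tool; it assumes the "key : value" line layout shown in the sample output above, works on constructed, abbreviated copies of that output, and takes the lab's 01:00 target for the AV database as the expected value.

```python
import re
from datetime import datetime
# Constructed, abbreviated "display update configuration" output; AV-SDB left at 02:00 to show a mismatch.
UPDATE_CONFIG = """\
IPS-SDB:
Schedule Update : Enable
Schedule Update Time : 02:00
AV-SDB:
Schedule Update : Enable
Schedule Update Time : 02:00
"""
# Constructed, abbreviated "display version ips-sdb" output (values from the page's sample).
VERSION_IPS = """\
Current Version:
Signature Database Version : 2014082604
Issue Time of the Update File : 15:15:43 2014/08/26
"""

def parse_update_config(text):
    """Map each '<NAME>-SDB:' section of the output to its 'key : value' settings."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if re.fullmatch(r"[A-Z]+-SDB:", line):
            current = line[:-1]
            sections[current] = {}
        elif current and " : " in line:
            key, value = line.split(" : ", 1)
            sections[current][key.strip()] = value.strip()
    return sections

def check_schedule(sections, expected):
    """Return deviations from expected {db: 'HH:MM'}; an empty list means compliant."""
    problems = []
    for db, want in expected.items():
        cfg = sections.get(db, {})
        if cfg.get("Schedule Update") != "Enable":
            problems.append(f"{db}: scheduled update not enabled")
        elif cfg.get("Schedule Update Time") != want:
            problems.append(f"{db}: update time {cfg.get('Schedule Update Time')} != {want}")
    return problems

def signature_age_days(text, device_time):
    """Days from the current signature file's issue time to device_time (CLI timestamp string)."""
    m = re.search(r"Current Version:.*?Issue Time of the Update File : (\S+ \S+)", text, re.S)
    if not m:
        return None
    issued = datetime.strptime(m.group(1), "%H:%M:%S %Y/%m/%d")
    now = datetime.strptime(device_time, "%H:%M:%S %Y/%m/%d")
    return (now - issued).days
```

With the page's own timestamps the installed IPS signature file is 252 days older than the device clock, which is the kind of gap a "Schedule Update : Enable" line alone will not reveal.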

11.2 UTM IPS Lab
Lab Objectives
Configure the IPS function on the NGFW to protect the enterprise's internal PC and HTTP server.

Lab Device
One USG6000 firewall, two PCs.
Lab Topology
[Topology figure: Internal Network (Trust zone) with PC 10.1.8.100/24 connects to the Firewall on G1/0/1 (10.1.8.22/24); the Firewall connects on G1/0/2 (10.1.10.22/24) to the Untrust zone, where the HTTP Server 10.1.10.11/24 is located.]
Configuration Procedure (WEB)
Step 1 Complete the firewall basic configuration. (Omitted)
Step 2 Configure the IPS policy. Choose Object > Security Profiles > Intrusion Prevention. Click Add and create an IPS policy named IPS_policy.
Step 3 Under this IPS policy, add a new signature filter.
Step 4 Configure the security policy and assign the IPS policy to it.
Result Verification
1. Click the IPS test file on the client.
2. When the user downloads the test file, the connection is blocked.

3. In the device dashboard, you can check the threat log list.

11.3 UTM AV Lab
Lab Objectives

Be familiar with the configuration of AV for intranet users accessing Web pages on the Internet.

Lab Device

One USG6000 firewall, two PCs.

Lab Topology
[Topology figure: Internal Network (Trust zone) with PC 10.1.8.100/24 connects to the Firewall on G1/0/1 (10.1.8.22/24); the Firewall connects on G1/0/2 (10.1.10.22/24) to the Untrust zone, where the HTTP Server 10.1.10.11/24 is located.]
Configuration Procedure
Step 1 Configure the basic parameters of the interfaces. (Omitted)

Step 2 Configure the AV policy. Choose Object > Security Profiles > Anti-Virus. Click Add and create an AV policy named AV_Policy.
Step 3 Configure the security policy and assign the AV policy to it.
Result Verification
When users access Web pages containing viruses, the NGFW blocks the connection.


In the device dashboard, you can check the threat log list.