Chapter 4 - LAB
HCSA-NGFW 2022
Contents
1 Basic command
2 Data Forwarding
3 LAB
Basic command
CLI Configuration Mode
• Execution mode
The execution mode is the CLI mode you are in right after entering the username and password. In this mode, you can only perform the operations permitted by your privilege level.
Prompts of the CLI modes:
hostname#                     (execution mode)
hostname(config)#             (global configuration mode)
hostname(config-if-eth0/0)#   (interface configuration mode)
www.hillstonenet.com
Commonly Used Show Commands
Check System Status - CLI
• In CLI, show is used to check system status:
- Device SN
- StoneOS version
- Running time/status
- Hardware platform
- Licenses
- ……
Example:
SG-6000# show version
Hillstone Networks StoneOS software, Version 5.5
Copyright (c) 2009-2020 by Hillstone Networks
Product name: SG-6000-E1600 S/N: 2508132161001434
Assembly number: B102
Boot file is SG6000-M-3-5.5R7P4.bin from flash
Built by buildmaster8 2020/02/11 13:42:52
Uptime is 0 day 22 hours 36 minutes 27 seconds
System language is "en"
VRouter feature: disabled
Check Interface Status - CLI
• In CLI, show is used to check status information:
- e.g. to check interface status: show interface (sample output is given under Check Settings below)
Interface Configuration (CLI)
SG-6000# configure
Enter global configuration mode
SG-6000(config)# interface ethernet0/1
Enter interface configuration mode
SG-6000(config-if-eth0/1)# zone trust
Configure layer 3 zone
SG-6000(config-if-eth0/1)# ip address 192.168.10.10/24
SG-6000(config-if-eth0/1)# manage https
Configure interface management method
SG-6000(config-if-eth0/1)# exit
For a layer 2 interface, bind it to a layer 2 zone instead of a layer 3 zone:
SG-6000(config-if-eth0/1)# zone l2-trust
Configure layer 2 zone
Route Configuration (CLI)
SG-6000# configure
Enter global configuration mode
SG-6000(config)# ip vrouter trust-vr
Enter virtual router configuration mode
SG-6000(config-vrouter)# ip route 10.18.0.0/16 10.1.1.1
Add a static route: destination 10.18.0.0/16, next hop 10.1.1.1
SG-6000(config-vrouter)# exit
Policy Configuration (CLI)
SG-6000# configure
Enter global configuration mode
SG-6000(config)# policy-global
Enter policy configuration mode
SG-6000(config-policy)# rule from any to any service any permit
NAT Configuration (CLI)
SG-6000# configure
Enter global configuration mode
Option 1: enter NAT configuration mode
SG-6000(config)# nat
SG-6000(config-nat)# snatrule from any to any service eif e0/0 trans-to eif-ip mode dynamicport log
SG-6000(config-nat)# dnatrule from any to 200.0.0.10/32 service http trans-to 192.168.10.10/32 port 80
Option 2: enter vrouter configuration mode
SG-6000(config)# ip vrouter trust-vr
SG-6000(config-vrouter)# snatrule from any to any service eif e0/0 trans-to eif-ip mode dynamicport log
Data Forwarding
Data Forwarding Example (1 of 4)
Topology (figure): Trust zone on E0/1 192.168.10.254/24 with host 192.168.10.10/24; Untrust zone on E0/4 in 200.1.1.0/24 with next hop .254 towards the Internet; destination server 200.5.5.5
Requirements (2 of 4)
• In order to achieve Internet access:
- Interface: How to configure it?
- Route: Which type of route needs to be set?
- NAT: Which type of NAT needs to be used, and why?
- Policy: What policy needs to be set to allow the traffic to pass through the FW?
Configuration (3 of 4)
Interface:
interface ethernet0/1
zone trust
ip address 192.168.10.10/24
interface ethernet0/4
zone untrust
ip address 200.1.1.1/24
SNAT:
snatrule from any to any service any eif e0/4 trans-to eif-ip mode dynamicport
Policy:
policy-global
rule from any to any from-zone trust to-zone untrust service any permit
Data Forwarding Analysis (4 of 4)
Packet (figure): SRC-IP 192.168.10.10, DST-IP 200.5.5.5, Protocol 6, SRC-Port 55908, DST-Port 80
1. Session lookup (Address Pair, Protocol, Port Pair): no match, so this is a new flow
2. Route lookup and zone determination: Int E1 is in zone trust, Int E4 is in zone untrust; is the traffic within a zone or among zones? Among zones (trust to untrust)
3. Policy check: Yes, the permit rule from trust to untrust matches
Data Forwarding Analysis (4 of 4 Cont.)
4. SNAT? Yes: SA any, DA any, Translate to Egress Interface IP
5. Session Table: create a session with Address Pair 192.168.10.10 / 200.5.5.5, Protocol 6, Port Pair 55908 / 80
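The five-step decision above, walked through in code. This is an added example written for this chapter, not StoneOS code: it models the lab's interfaces, zones, routes, permit policy and SNAT rule as constructed Python data and runs the sample packet (192.168.10.10:55908 -> 200.5.5.5:80, TCP) through session lookup, route lookup, policy, SNAT and session creation. It assumes that inter-zone traffic with no matching permit rule is dropped.

```python
import ipaddress

# Constructed model of the lab: interfaces/zones and rules from Configuration (3 of 4), routes from show ip route
INTERFACES = {
    "ethernet0/1": {"zone": "trust", "net": ipaddress.ip_network("192.168.10.0/24"), "ip": "192.168.10.10"},
    "ethernet0/4": {"zone": "untrust", "net": ipaddress.ip_network("200.1.1.0/24"), "ip": "200.1.1.1"},
}
ROUTES = [  # (prefix, next hop, egress interface): connected routes plus the static default route
    (ipaddress.ip_network("192.168.10.0/24"), None, "ethernet0/1"),
    (ipaddress.ip_network("200.1.1.0/24"), None, "ethernet0/4"),
    (ipaddress.ip_network("0.0.0.0/0"), "200.1.1.254", "ethernet0/4"),
]
# rule from any to any from-zone trust to-zone untrust service any permit
POLICY = [{"from_zone": "trust", "to_zone": "untrust", "action": "permit"}]
# snatrule from any to any service any eif e0/4 trans-to eif-ip mode dynamicport
SNAT = [{"eif": "ethernet0/4", "trans_to": "eif-ip"}]
SESSIONS = {}  # session table keyed by the 5-tuple (src, dst, proto, sport, dport)

def route_lookup(ip):
    """Longest-prefix match over ROUTES; returns (next_hop, egress_interface)."""
    cands = [r for r in ROUTES if ipaddress.ip_address(ip) in r[0]]
    best = max(cands, key=lambda r: r[0].prefixlen)
    return best[1], best[2]

def forward(src, dst, proto, sport, dport):
    """Walk the forwarding decision for one packet and return the verdict."""
    key = (src, dst, proto, sport, dport)
    if key in SESSIONS:                     # 1. session lookup: existing flow, fast path
        return SESSIONS[key]
    _, in_if = route_lookup(src)            # 2. route lookup: the ingress interface is the one
    _, out_if = route_lookup(dst)           #    that reaches src, the egress the one that reaches dst
    from_z, to_z = INTERFACES[in_if]["zone"], INTERFACES[out_if]["zone"]
    # 3. policy check: first rule matching the zone pair decides; no match means deny
    #    (assumption: inter-zone traffic without a permit rule is dropped)
    action = next((r["action"] for r in POLICY
                   if r["from_zone"] == from_z and r["to_zone"] == to_z), "deny")
    if action != "permit":
        return {"action": "deny", "from_zone": from_z, "to_zone": to_z}
    # 4. SNAT: a rule bound to the egress interface rewrites SA to that interface's IP
    nat_src = src
    for rule in SNAT:
        if rule["eif"] == out_if and rule["trans_to"] == "eif-ip":
            nat_src = INTERFACES[out_if]["ip"]
    # 5. create the session so later packets of this flow skip steps 2-4
    SESSIONS[key] = {"action": "permit", "in_if": in_if, "out_if": out_if,
                     "from_zone": from_z, "to_zone": to_z, "src": nat_src, "dst": dst}
    return SESSIONS[key]

print(forward("192.168.10.10", "200.5.5.5", 6, 55908, 80))
```

The reverse direction (200.5.5.5 to 192.168.10.10) is denied by the model because the lab only creates a trust-to-untrust rule, which is the point of step 3.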
Lab
Setting Up Lab Environment
• Configuration Steps of Routing mode:
a. Configure L3 interface
b. Add default route
c. Add SNAT rule
d. Add policy
Topology of Routing Mode
Topology (figure): E0/1 in zone trust, 192.168.10.254/24; PC 192.168.10.10/24
L3 Interface Settings (WebUI)
Network > Interface, select the interface and click『Edit』
Default Route Settings (WebUI)
Network > Routing > Destination Route, click『New』
SNAT Settings (WebUI)
Policy > NAT > SNAT, click『New』
Policy Setting (WebUI)
Policy > Security Policy > Policy, click『New』to create a permit policy from trust to untrust
Routing Mode Configurations (CLI)
1. Enter the interface configuration mode, bind the interface to a zone and assign an IP address
SG-6000(config)# interface eth0/4
SG-6000(config-if-eth0/4)# zone untrust
SG-6000(config-if-eth0/4)# ip address 200.1.1.1/24
SG-6000(config-if-eth0/4)# interface eth0/1
SG-6000(config-if-eth0/1)# zone trust
SG-6000(config-if-eth0/1)# ip address 192.168.10.254/24
SG-6000(config-if-eth0/1)# manage http
Routing Mode Configurations (CLI)
3. Add Policy
SG-6000(config)# policy-global
SG-6000(config-policy)# rule from any to any from-zone trust to-zone untrust permit
Check Settings
SG-6000# show interface
H:physical state;A:admin state;L:link state;P:protocol state;U:up;D:down;K:ha keep up;C:lacp down
=========================================================================================
Interface name IP address/mask Zone name H A L P MAC address Description
-----------------------------------------------------------------------------------------
vswitchif1 0.0.0.0/0 NULL D U D D 001c.5426.5c14 ------
ethernet0/0 10.86.100.198/24 trust U U U U 5000.0004.0000 ------
ethernet0/1 192.168.10.10/24 trust U U U U 5000.0004.0001 ------
ethernet0/2 0.0.0.0/0 NULL U U U D 5000.0004.0002 ------
ethernet0/3 0.0.0.0/0 NULL U U U D 5000.0004.0003 ------
ethernet0/4 200.1.1.1/24 untrust U U U U 5000.0004.0004 ------
=========================================================================================
SG-6000# show ip route
Codes: K - kernel route, C - connected, S - static, Z - ISP, R - RIP, O - OSPF,
B - BGP, D - DHCP, P - PPPoE, W - wireless, H - HOST, G - SCVPN, V - VPN, M - IMPORT,
I - ISIS, Y - SYNC, L - llb outbound, > - selected first nexthop, * - FIB route, b - BFD enable
Routing Table for Virtual Router <trust-vr>
==============================================================================
S>* 0.0.0.0/0 [1/0/1] via 200.1.1.254, ethernet0/4
C>* 10.86.100.0/24 is directly connected, ethernet0/0
H>* 10.86.100.198/32 [0/0/1] is local address, ethernet0/0
C>* 192.168.10.0/24 is directly connected, ethernet0/1
H>* 192.168.10.10/32 [0/0/1] is local address, ethernet0/1
C>* 200.1.1.0/24 is directly connected, ethernet0/4
H>* 200.1.1.1/32 [0/0/1] is local address, ethernet0/4
==============================================================================
Check Settings - Cont.
SG-6000# show snat
-------------------------------------------------------------------------------
vr name:trust-vr
snat rules total number is :1
==================================================================================
id ingress if from to service egress if/vr translate to mode start end size
-------------------------------------------------------------------------------
1 Any Any Any ethernet0/4 egress if's IP Dyn-Pt
==================================================================================
Transparent mode topology (figure): vswitchif1 192.168.10.1/24; E0/1 in zone L2-trust with PC1 192.168.10.10/24; E0/2 in zone L2-untrust with PC2 192.168.10.20/24
Configure L2 Interface (WebUI)
Network > Interface
Configure Policy (WebUI)
Policy > Security Policy
Transparent Mode (CLI)
1. Enter interface configuration mode and bind the interface to a security zone
SG-6000(config)# interface e0/1
SG-6000(config-if-eth0/1)# zone l2-trust
SG-6000(config-if-eth0/1)# exit
SG-6000(config)# interface e0/2
SG-6000(config-if-eth0/2)# zone l2-untrust
SG-6000(config-if-eth0/2)# exit
Transparent Mode (CLI)
2. Configure Policy
SG-6000(config)# policy-global
SG-6000(config-policy)# rule
SG-6000(config-policy-rule)# src-zone l2-trust
SG-6000(config-policy-rule)# dst-zone l2-untrust
SG-6000(config-policy-rule)# src-addr any
SG-6000(config-policy-rule)# dst-addr any
SG-6000(config-policy-rule)# service any
SG-6000(config-policy-rule)# action permit
SG-6000(config-policy-rule)# exit
Questions
Thanks