HCSA-NGFW 2022
Contents
1 Working Mode
2 Basic Command
3 Data Forwarding
4 Lab
Working Mode
Routing Mode
Topology figure: E0/4 in zone untrust toward the Internet; E0/1 in zone trust (192.168.10.0/24) and E0/2 in zone dmz (192.168.20.0/24). The interfaces carry IP addresses and the firewall forwards between them at layer 3.
www.hillstonenet.com
Transparent Mode
Topology figure: E0/4 in zone L2-untrust toward the Internet; E0/1 in zone L2-trust with host 192.168.10.10/24. The interfaces are layer-2 interfaces without IP addresses; the firewall bridges traffic between the L2 zones.
Tap Mode
Topology figure: E0/4 in zone TAP receives a mirror of the traffic between host 192.168.10.10/24 and the Internet. The firewall inspects the copy and is not in the forwarding path.
Mix Mode
Topology figure: E0/4 in zone untrust toward the Internet; two 192.168.10.0/24 segments, both using gateway 192.168.10.254, bridged through the firewall. Mix mode combines layer-2 and layer-3 interfaces on one device.
Basic command
CLI Configuration Mode
• Execution mode
The execution mode is the CLI mode you are in right after entering the username and password. In this mode you can run show and diagnostic commands and enter the configuration modes, limited by your privilege level.
hostname#                    execution mode
hostname(config)#            global configuration mode (entered with configure)
hostname(config-if-eth0/0)#  sub-module configuration mode (here: interface ethernet0/0)
Commonly Used Show Commands
Check System Status - CLI
• In CLI, show is used to check system status:
- Device SN
- StoneOS version
- Running time/status
- Hardware platform
- Licenses
- ……
SG-6000# show version
Hillstone Networks StoneOS software, Version 5.5
Copyright (c) 2009-2020 by Hillstone Networks
Product name: SG-6000-E1600 S/N: 2508132161001434
Assembly number: B102
Boot file is SG6000-M-3-5.5R7P4.bin from flash
Built by buildmaster8 2020/02/11 13:42:52
Uptime is 0 day 22 hours 36 minutes 27 seconds
System language is "en"
Check Interface Status - CLI
• In CLI, show is used to check status information:
- e.g. to check interface status:
SG-6000# show interface
ethernet0/0 192.168.1.1/24 trust D U D D 001c.5482.ff63 ------
The columns are interface name, IP address, zone, status flags, MAC address and description.
Route Configuration (CLI)
SG-6000# configure
Enter global configuration mode
SG-6000(config)# ip vrouter trust-vr
Enter vrouter configuration mode
SG-6000(config-vrouter)# ip route 10.18.0.0/16 10.1.1.1
SG-6000(config-vrouter)# exit
Policy Configuration (CLI)
SG-6000# configure
Enter global configuration mode
SG-6000(config)# policy-global
Enter policy configuration mode
SG-6000(config-policy)# rule from any to any service any permit
This rule permits all traffic between all zones and is suitable only for a lab. Rules are matched top-down and the first match wins; in production, restrict a rule to the zones, addresses and services that actually need to pass.
NAT Configuration (CLI)
SG-6000# configure
Enter global configuration mode
Option 1: enter NAT configuration mode
SG-6000(config)# nat
SG-6000(config-nat)# snatrule from any to any service any eif e0/0 trans-to eif-ip mode dynamicport log
SG-6000(config-nat)# dnatrule from any to 200.0.0.10/32 service http trans-to 192.168.10.10/32 port 80
Option 2: enter vrouter configuration mode
SG-6000(config)# ip vrouter trust-vr
SG-6000(config-vrouter)# snatrule from any to any service any eif e0/0 trans-to eif-ip mode dynamicport log
eif-ip translates the source address to the IP of the egress interface; dynamicport also rewrites the source port so that many internal hosts can share that one address; log records each translation. The dnatrule maps the public address 200.0.0.10, service http, to the internal server 192.168.10.10 on port 80.
Data Forwarding
Data Forwarding Example (1 of 4)
Topology figure: host 192.168.10.10/24 in zone Trust behind E0/1 (192.168.10.254/24); E0/4 (200.1.1.0/24, next hop .254) in zone Untrust toward the Internet; destination server 200.5.5.5.
Requirements (2 of 4)
• In order to achieve Internet access:
- Interface: how to configure?
- Route: which type of route needs to be set?
- NAT: which type of NAT needs to be used, and why?
- Policy: what policy needs to be set to allow the traffic through the FW?
Configuration (3 of 4)
Interface:
interface ethernet0/1
zone trust
ip address 192.168.10.254/24
interface ethernet0/4
zone untrust
ip address 200.1.1.1/24
Route (default route to the next hop .254 shown in the topology):
ip vrouter trust-vr
ip route 0.0.0.0/0 200.1.1.254
SNAT:
snatrule from any to any service any eif e0/4 trans-to eif-ip mode dynamicport
Policy:
policy-global
Data Forwarding Analysis (4 of 4 Cont.)
4. SNAT?
Yes: SA any, DA any, translate to egress interface IP
Session Table: create a session
Address pair: 192.168.10.10 -> 200.5.5.5
Protocol: 6 (TCP)
Port pair: 55908 -> 80
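The analysis above, carried through in code as an added example: this is illustrative Python written for this page, not StoneOS code. It models the zone-based first-packet pipeline (session lookup, ingress zone, route lookup, policy, SNAT, session creation) with the slide's addresses; the port allocator starting at 40000 and the Rule/Route/Session structures are assumptions of the model, not device behaviour.

```python
"""Added example (not StoneOS code): a model of the first-packet pipeline a
zone-based firewall runs in routing mode, with the slide's topology values.
Order of operations: session lookup -> ingress zone -> route lookup -> policy
-> SNAT -> session creation; later packets of the same flow hit the session."""
from collections import namedtuple
from ipaddress import IPv4Interface, ip_address, ip_network
from typing import Optional

TCP = 6
Flow = namedtuple("Flow", "src dst proto sport dport")          # one direction of a 5-tuple
Interface = namedtuple("Interface", "name zone addr")           # addr: IPv4Interface
Route = namedtuple("Route", "prefix egress next_hop")           # next_hop None = connected
Rule = namedtuple("Rule", "from_zone to_zone src dst service action")  # service (proto, dport), 0 = any
Session = namedtuple("Session", "original translated")          # pre-NAT and post-NAT flows

def reverse(f: Flow) -> Flow:
    return Flow(f.dst, f.src, f.proto, f.dport, f.sport)

class Firewall:
    def __init__(self, ifs, routes, rules, snat_eif):
        self.ifs = {i.name: i for i in ifs}
        # connected routes are derived from interface addresses; static routes follow
        self.routes = [Route(i.addr.network, i.name, None) for i in ifs] + list(routes)
        self.rules = rules
        self.snat_eif = set(snat_eif)      # egress interfaces with "trans-to eif-ip"
        self.sessions = []
        self.next_port = 40000             # hypothetical allocator for "mode dynamicport"

    def route_lookup(self, dst: str) -> Optional[Route]:
        hits = [r for r in self.routes if ip_address(dst) in r.prefix]
        return max(hits, key=lambda r: r.prefix.prefixlen, default=None)   # longest prefix wins

    def policy_lookup(self, fz: str, tz: str, f: Flow):
        for n, r in enumerate(self.rules, 1):                  # top-down, first match wins
            if r.from_zone not in ("any", fz) or r.to_zone not in ("any", tz):
                continue
            if ip_address(f.src) not in r.src or ip_address(f.dst) not in r.dst:
                continue
            if r.service[0] not in (0, f.proto) or r.service[1] not in (0, f.dport):
                continue
            return n, r.action
        return 0, "deny"                                       # implicit default deny

    def handle(self, in_if: str, f: Flow):
        """Return (verdict, flow as it leaves the firewall, or None when dropped)."""
        for s in self.sessions:                                # 1. session lookup (fast path)
            if f == s.original:
                return "forward", s.translated
            if f == reverse(s.translated):                     # reply packet: undo the SNAT
                return "forward", reverse(s.original)
        fz = self.ifs[in_if].zone                              # 2. ingress zone from interface
        route = self.route_lookup(f.dst)                       # 3. route -> egress interface/zone
        if route is None:
            return "drop: no route", None
        tz = self.ifs[route.egress].zone
        n, action = self.policy_lookup(fz, tz, f)              # 4. policy on pre-NAT addresses
        if action != "permit":
            return (f"drop: rule {n} deny" if n else "drop: default deny"), None
        t = f
        if route.egress in self.snat_eif:                      # 5. SNAT to egress interface IP
            self.next_port += 1                                #    with a fresh source port
            t = Flow(str(self.ifs[route.egress].addr.ip), f.dst, f.proto, self.next_port, f.dport)
        self.sessions.append(Session(f, t))                    # 6. create the session
        return "forward", t

def lab_firewall() -> Firewall:
    """The slide's routing-mode setup: trust host -> default route -> SNAT -> Internet."""
    ifs = [Interface("ethernet0/1", "trust", IPv4Interface("192.168.10.254/24")),
           Interface("ethernet0/4", "untrust", IPv4Interface("200.1.1.1/24"))]
    routes = [Route(ip_network("0.0.0.0/0"), "ethernet0/4", "200.1.1.254")]
    anywhere = ip_network("0.0.0.0/0")
    rules = [Rule("trust", "untrust", anywhere, anywhere, (0, 0), "permit")]
    return Firewall(ifs, routes, rules, snat_eif=["ethernet0/4"])

def walkthrough():
    """The slide's flow 192.168.10.10:55908 -> 200.5.5.5:80, its reply, then an unsolicited inbound SYN."""
    fw = lab_firewall()
    syn = Flow("192.168.10.10", "200.5.5.5", TCP, 55908, 80)
    out = fw.handle("ethernet0/1", syn)                        # forwarded, source now 200.1.1.1
    back = fw.handle("ethernet0/4", reverse(out[1]))           # reply matched to the session, un-NATed
    inbound = fw.handle("ethernet0/4", Flow("200.5.5.5", "192.168.10.10", TCP, 4444, 22))
    return out, back, inbound, len(fw.sessions)

if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

Running it shows the three outcomes the slide implies: the SYN leaves E0/4 with source 200.1.1.1 and a new port, the reply is matched to the one session and rewritten back to 192.168.10.10:55908 without another policy lookup, and an unsolicited inbound SYN from untrust to trust hits the implicit default deny because only a trust-to-untrust rule exists.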
Lab
Setting Up Lab Environment
• Configuration Steps of Routing mode:
a. Configure L3 interface
b. Add default route
c. Add SNAT rule
d. Add policy
Topology of Routing Mode
Topology figure: E0/1 in zone trust, 192.168.10.254/24; lab PC 192.168.10.10/24.
L3 Interface Settings (WebUI)
Network > Interface select the interface , and click 『 Edit 』 button
Default Route Settings (WebUI)
Network > Routing > Destination Route, click 『 New 』
SNAT Settings ( WebUI )
Policy > NAT> SNAT, click 『 New 』
Policy Setting (WebUI)
Policy > Security Policy > Policy, click 『 New 』 to create a permit policy from trust to untrust
Routing Mode Configurations (CLI)
1. Enter the interface configuration mode, bind the interface to a zone, assign an IP address
SG-6000(config)# interface ethernet0/1
SG-6000(config-if-eth0/1)# zone trust
SG-6000(config-if-eth0/1)# ip address 192.168.10.254/24
SG-6000(config-if-eth0/1)# exit
SG-6000(config)# interface ethernet0/4
SG-6000(config-if-eth0/4)# zone untrust
SG-6000(config-if-eth0/4)# ip address 200.1.1.1/24
SG-6000(config-if-eth0/4)# exit
2. Add the default route and the SNAT rule (gateway 200.1.1.254 from the Lab-1 topology)
SG-6000(config)# ip vrouter trust-vr
SG-6000(config-vrouter)# ip route 0.0.0.0/0 200.1.1.254
SG-6000(config-vrouter)# snatrule from any to any service any eif e0/4 trans-to eif-ip mode dynamicport
SG-6000(config-vrouter)# exit
Routing Mode Configurations (CLI)
3. Add Policy
SG-6000(config)# policy-global
SG-6000(config-policy)# rule from any to any from-zone trust to-zone untrust permit
Check Settings
SG-6000# show interface
Topology of Transparent Mode
Topology figure: vswitchif1 192.168.10.1/24; E0/1 in zone L2-trust with PC1 192.168.10.10/24; E0/2 in zone L2-untrust with PC2 192.168.10.20/24.
Configure L2 Interface ( WebUI )
Network > Interface
Configure Policy ( WebUI )
Policy > Security Policy
Transparent Mode (CLI)
1. Enter interface configuration mode and bind interface to security zone
SG-6000(config)# interface ethernet0/1
SG-6000(config-if-eth0/1)# zone l2-trust
SG-6000(config-if-eth0/1)# exit
SG-6000(config)# interface ethernet0/2
SG-6000(config-if-eth0/2)# zone l2-untrust
SG-6000(config-if-eth0/2)# exit
SG-6000(config)# interface vswitchif1
SG-6000(config-if-vsw1)# ip address 192.168.10.1/24
SG-6000(config-if-vsw1)# exit
Transparent Mode (CLI)
2. Configure Policy
SG-6000(config)# policy-global
SG-6000(config-policy)# rule
SG-6000(config-policy-rule)# src-zone l2-trust
SG-6000(config-policy-rule)# dst-zone l2-untrust
SG-6000(config-policy-rule)# src-addr any
SG-6000(config-policy-rule)# dst-addr any
SG-6000(config-policy-rule)# service any
SG-6000(config-policy-rule)# action permit
SG-6000(config-policy-rule)# exit
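The policy commands on this page come in two spellings: the single-line rule used on the Policy Configuration and Routing Mode slides, and the rule sub-mode used in step 2 above. The auditor below is an added example written for this page, not a Hillstone tool. It parses both spellings as typed (without the SG-6000 prompts) and reports what a reviewer wants fixed before a lab policy is reused: permit any-to-any rules, service any, rules that name a zone no interface is bound to, and rules shadowed by an earlier covering rule. The sample configuration inside it is constructed from the page's commands plus one extra deny rule, and the HIGH/MEDIUM/LOW labels are this example's own.

```python
"""Added example (not a Hillstone tool): audit the two StoneOS policy-rule forms on this
page, the single-line "rule from ... to ... permit" and the "rule" sub-mode (src-zone /
dst-zone / src-addr / dst-addr / service / action), read as typed without prompts."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# keyword -> Rule field, covering the single-line spellings and the sub-mode spellings
KEYS = {"from": "src", "to": "dst", "from-zone": "src_zone", "to-zone": "dst_zone", "service": "service",
        "src-addr": "src", "dst-addr": "dst", "src-zone": "src_zone", "dst-zone": "dst_zone", "action": "action"}
FIELDS = ("src_zone", "dst_zone", "src", "dst", "service")

@dataclass
class Rule:
    src_zone: str = "any"      # an omitted match field means any
    dst_zone: str = "any"
    src: str = "any"
    dst: str = "any"
    service: str = "any"
    action: str = "deny"
    line: int = 0              # line number in the config text, for reporting

def parse(config: str) -> Tuple[List[Rule], Set[str]]:
    """Return the policy rules in order plus the zones bound under interface mode."""
    rules: List[Rule] = []
    zones: Set[str] = set()
    cur: Optional[Rule] = None
    mode = "global"
    for no, raw in enumerate(config.splitlines(), 1):
        t = raw.split()
        if not t:
            continue
        if cur is None and t[0] in ("interface", "policy-global"):
            mode = t[0]
            continue
        if mode == "interface":
            if t[0] == "zone" and len(t) > 1:
                zones.add(t[1].lower())
            elif t[0] == "exit":
                mode = "global"
        elif mode == "policy-global":
            if t[0] == "rule":
                cur = Rule(line=no)
                if len(t) > 1:                                  # single-line form, action is last
                    cur.action = t[-1]
                    for k, v in zip(t[1:-1:2], t[2:-1:2]):
                        if k in KEYS:
                            setattr(cur, KEYS[k], v.lower())
                    rules.append(cur)
                    cur = None
            elif cur is not None:                               # inside the rule sub-mode
                if t[0] == "exit":
                    rules.append(cur)
                    cur = None
                elif t[0] in KEYS and len(t) > 1:
                    setattr(cur, KEYS[t[0]], t[1].lower())
            elif t[0] == "exit":
                mode = "global"
    return rules, zones

def audit(config: str) -> List[str]:
    rules, zones = parse(config)
    findings = []
    for i, r in enumerate(rules):
        if r.action == "permit":
            if all(getattr(r, f) == "any" for f in FIELDS):
                findings.append(f"line {r.line}: HIGH permit any to any, service any, no zone restriction (lab only)")
            elif r.service == "any":
                findings.append(f"line {r.line}: MEDIUM service any from {r.src_zone} to {r.dst_zone}; limit to needed services")
        for z in (r.src_zone, r.dst_zone):
            if z != "any" and zones and z not in zones:
                findings.append(f"line {r.line}: MEDIUM zone {z} is not bound to any interface, rule cannot match")
        for e in rules[:i]:        # first match wins: an earlier rule covering every field hides this one
            if all(getattr(e, f) in ("any", getattr(r, f)) for f in FIELDS):
                findings.append(f"line {r.line}: LOW shadowed by rule at line {e.line}")
                break
    return findings

# Constructed sample: the page's routing-mode interfaces and its three policy-rule examples, plus one deny rule
SAMPLE = """\
interface ethernet0/1
 zone trust
 ip address 192.168.10.254/24
interface ethernet0/4
 zone untrust
 ip address 200.1.1.1/24
policy-global
 rule from any to any from-zone trust to-zone untrust permit
 rule
  src-zone l2-trust
  dst-zone l2-untrust
  src-addr any
  dst-addr any
  service any
  action permit
  exit
 rule from any to any service any permit
 rule from any to any from-zone untrust to-zone trust deny
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

On the sample, audit(SAMPLE) reports the permit-all rule as HIGH, both any-service rules as MEDIUM, the two L2 zones as unbound in a routing-mode configuration, and the trailing deny as shadowed by the permit-all rule above it; a trust-to-untrust rule restricted to service http produces no findings.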
Questions
1. What is the difference between routing mode and transparent mode?
R1 – Routing mode works at layer 3 and transparent mode works at layer 2.
Lab-1 Topology (Routing mode)
Requirement: the intranet PC can access the Internet in routing mode
Topology figure: E0/4 in zone untrust, 200.1.1.1/24, gateway 200.1.1.254 toward the Internet; E0/1 in zone trust, 192.168.10.254/24; PC 192.168.10.10/24.
Lab-2 Topology (Transparent mode)
Requirement:
1. PC1 can access PC2;
2. manage the FW via IP 192.168.10.1
Topology figure: vswitchif1 192.168.10.1/24; E0/1 in zone L2-trust with PC1 192.168.10.10/24; E0/2 in zone L2-untrust with PC2 192.168.10.20/24.
Thanks