
Chapter 3 - Lab Environment Settings

HCSA-NGFW 2022

Contents
1 Working Mode
2 Basic command
3 Data Forwarding
4 Lab
Working Mode

Routing Mode (figure): the firewall forwards at layer 3. E0/4 is bound to zone untrust and faces the Internet; E0/1 is bound to zone trust (192.168.10.0/24) and E0/2 to zone dmz (192.168.20.0/24).

www.hillstonenet.com

Transparent Mode (figure): the firewall forwards at layer 2 between E0/4 (zone L2-untrust) and E0/1 (zone L2-trust). The host 192.168.10.10/24 and the LAN interface 192.168.10.254/24 on the Internet side are in the same subnet; the firewall is a bump in the wire with no routed address in the data path.

Tap Mode (figure): E0/4, bound to zone TAP, receives a mirror copy of the traffic between the host 192.168.10.10/24 and the LAN interface 192.168.10.254/24. The firewall only inspects; it is not in the forwarding path and cannot block.

Mix Mode (figure): E0/4 (zone untrust) faces the Internet at layer 3. E0/1 (zone l2-trust) and E0/2 (zone l2-dmz) are layer 2 interfaces in the same VSwitch; the VSwitch's routed interface vswitchif1 (192.168.10.254/24, zone trust) is the gateway (Gw 192.168.10.254) for both 192.168.10.0/24 segments.
Basic command
CLI Configuration Mode
• Execution mode
The execution mode is the CLI mode you are in right after entering the username and password. Here you run show, diagnostic and operational commands (such as save) allowed by the privilege of your account; configuration changes are made in the modes below. The prompt is:
hostname#

• Global configuration mode
In execution mode, typing "configure" leads you into the global configuration mode, where you can modify the device settings. The command prompt is as follows:
hostname(config)#

• Sub-module configuration mode
Some features can only be set in their own sub-module configuration mode. Different commands enter different sub-module modes; e.g., the command "interface ethernet0/0" leads to the interface configuration mode of ethernet0/0, where the prompt is:
hostname(config-if-eth0/0)#
Commonly Used Show Commands

• show version //check system version info
• show interface //check interface info
• show ip route //check routing table
• show snat //check source NAT rules
• show dnat //check destination NAT rules
• show policy //check security policy
• show configuration //check current settings
• save //write the running settings to startup configuration (unsaved changes are lost on reboot)
• unset all //reset device to factory default (wipes the running configuration, including management access)
Check System Status - CLI
• In CLI, show is used to check system status:
- Device SN
- StoneOS version
- Running time/status
- Hardware platform
- Licenses
- ……

SG-6000# show version
Hillstone Networks StoneOS software, Version 5.5
Copyright (c) 2009-2020 by Hillstone Networks
Product name: SG-6000-E1600 S/N: 2508132161001434
Assembly number: B102
Boot file is SG6000-M-3-5.5R7P4.bin from flash
Built by buildmaster8 2020/02/11 13:42:52
Uptime is 0 day 22 hours 36 minutes 27 seconds
System language is "en"
VRouter feature: disabled
IPS feature: enabled
IPS magic: 4f091997b9b65ef441b19b86d33f77bf49fb
APP feature: enabled
APP magic: b99d863d7d12a2962d5e98b20f375f0c7791
Check Interface Status - CLI
• In CLI, show is used to check status information:
- e.g. to check interface status:

SG-6000# show interface

H:physical state;A:admin state;L:link state;P:protocol state;U:up;D:down;K:ha keep up
==========================================================
Interface name IP address/mask Zone name H A L P MAC address Description
----------------------------------------------------------
ethernet0/0 192.168.1.1/24 trust D U D D 001c.5482.ff63 ------
ethernet0/1 192.168.10.1/24 trust U U U U 001c.5482.ff64 ------
ethernet0/2 0.0.0.0/0 NULL D U D D 001c.5482.ff65 ------
ethernet0/3 0.0.0.0/0 NULL D U D D 001c.5482.ff66 ------
ethernet0/4 200.0.0.200/24 untrust U U U U 001c.5482.ff67 ------
vswitchif1 0.0.0.0/0 NULL D U D D 001c.5482.ff74 ------
==========================================================
SG-6000#
Interface Configuration ( CLI )
SG-6000# configure                                   // enter global configuration mode
SG-6000(config)# interface ethernet0/1               // enter interface configuration mode
SG-6000(config-if-eth0/1)# zone trust                // bind the interface to a layer 3 zone
SG-6000(config-if-eth0/1)# ip address 192.168.10.10/24
SG-6000(config-if-eth0/1)# manage https              // management method allowed on this interface
SG-6000(config-if-eth0/1)# exit

SG-6000(config-if-eth0/1)# zone l2-trust             // alternatively, bind the interface to a layer 2 zone (no IP address)

Enabling a management method on an interface exposes that service to every host reachable through it, so enable it only on the inside (trust) interface and prefer https/ssh over http/telnet.
Route Configuration ( CLI )

SG-6000# configure                                      // enter global configuration mode
SG-6000(config)# ip vrouter trust-vr                    // enter virtual router configuration mode
SG-6000(config-vrouter)# ip route 10.18.0.0/16 10.1.1.1 // static route: destination prefix, next hop
SG-6000(config-vrouter)# exit
Policy Configuration ( CLI )

SG-6000# configure                                      // enter global configuration mode
SG-6000(config)# policy-global                          // enter policy configuration mode
SG-6000(config-policy)# rule from any to any service any permit
SG-6000(config-policy)# rule from address-book1 to any from-zone trust to-zone untrust service any permit

The first rule has no zone condition and permits everything between all zones; it is only acceptable in a lab. The second form, with an address-book source plus from-zone/to-zone, is the shape production rules should take. Rules are evaluated in order, and traffic that matches no rule hits the default action, which is deny (see "Default action DENY" in the show policy output later in this chapter).
NAT Configuration ( CLI )

SG-6000# configure                                      // enter global configuration mode
SG-6000(config)# nat                                    // enter NAT configuration mode (option 1)
SG-6000(config-nat)# snatrule from any to any service eif e0/0 trans-to eif-ip mode dynamicport log
SG-6000(config-nat)# dnatrule from any to 200.0.0.10/32 service http trans-to 192.168.10.10/32 port 80

SG-6000(config)# ip vrouter trust-vr                    // enter vrouter configuration mode (option 2)
SG-6000(config-vrouter)# snatrule from any to any service eif e0/0 trans-to eif-ip mode dynamicport log

"eif e0/0 trans-to eif-ip" translates the source address to the IP of the egress interface; "mode dynamicport" also rewrites the source port (port address translation), so many internal hosts can share the one address. "log" records each translation. A DNAT rule only rewrites the destination; a security policy that permits the traffic to the translated destination is still required.
Data Forwarding
Data Forwarding Example (1 of 4)

(figure) Trust zone: E0/1 192.168.10.254/24 with the PC 192.168.10.10/24 behind it. Untrust zone: E0/4 on 200.1.1.0/24 with the Internet gateway at .254; the destination server on the Internet is 200.5.5.5.
Requirements (2 of 4)
• For the intranet PC to reach the Internet:
- Interface: how should the interfaces be configured?
- Route: which type of route needs to be set?
- NAT: which type of NAT needs to be used, and why?
- Policy: what policy needs to be set to allow the traffic through the FW?
Configuration (3 of 4)

Interface:
interface ethernet0/1
 zone trust
 ip address 192.168.10.254/24
interface ethernet0/4
 zone untrust
 ip address 200.1.1.1/24

(E0/1 takes 192.168.10.254 as in the topology; 192.168.10.10 is the PC's address and must not be reused on the firewall.)

Route:
ip route 0.0.0.0/0 200.1.1.254

SNAT:
snatrule from any to any service any eif e0/4 trans-to eif-ip mode dynamicport

Policy:
policy-global
 rule from any to any from-zone trust to-zone untrust service any permit
Data Forwarding Analysis (4 of 4)

First packet of the flow:

SRC-IP          DST-IP      Protocol  SRC-Port  DST-Port
192.168.10.10   200.5.5.5   6 (TCP)   1025      80

1. Has the session been established? Session table (Address Pair / Protocol / Port Pair): No, no match.

2. Is there a reachable route? Routing table:

Net               Int  NHR
192.168.10.0/24   E1   (connected)
200.1.1.0/24      E4   (connected)
0.0.0.0/0         E4   200.1.1.254

Yes: 200.5.5.5 matches the default route via E4.

3. Is the traffic inside a zone or between zones? Zone table:

Int  Zone
E1   trust
E4   untrust

Yes, between zones: trust (ingress E1) to untrust (egress E4).

Data Forwarding Analysis (4 of 4 Cont.)

4. SNAT? Rule SA any, DA any: Yes, translate the source to the egress interface IP (200.1.1.1).

5. Does the policy permit the traffic? From trust to untrust:

SA    DA    Service  Action
any   any   any      permit   (configured rule, matched)
any   any   any      deny     (implicit default)

Yes.

Action: Permit. Create a session:

Session Table
Address Pair               Protocol  Port Pair
192.168.10.10 200.5.5.5    6         55908 80

(The slide shows 1025 as the packet's source port and 55908 in the session entry without saying which side of the translation each refers to; read both as illustrative.) Subsequent packets of this flow, and the replies from 200.5.5.5, are matched by step 1 against the session and forwarded without another policy lookup.
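The six steps above can be walked through in code. The following Python model is an added example written for this page, not Hillstone code: it takes the interface, route, SNAT and policy settings from the "Configuration (3 of 4)" slide and runs the first packet through session lookup, route lookup, zone lookup, SNAT, policy and session creation. The rule semantics are simplifying assumptions (first match wins, policy is matched on the original pre-NAT addresses, the "dynamicport" allocator simply counts up from the slide's 55908, and the default action is deny, as the show policy output later in this chapter reports); interface names, zone names and addresses are the slide's.

```python
"""Walk-through of the forwarding decision on the Data Forwarding slides:
session lookup -> route lookup -> zone lookup -> SNAT -> policy -> session creation.
Added illustration, not StoneOS code: first matching rule wins, policy is matched
on the original (pre-NAT) addresses, and the default policy action is deny."""
import ipaddress
from dataclasses import dataclass, field
from itertools import count

ANY = "any"


def _match(addr, spec):
    """True if addr is covered by spec: 'any', a prefix, or a single address."""
    return spec == ANY or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


@dataclass
class Verdict:
    action: str              # "permit" or "deny"
    reason: str              # step that decided: session / no route / policy / default deny
    src_zone: str = ""
    dst_zone: str = ""
    egress: str = ""
    translated_src: str = ""
    translated_sport: int = 0


@dataclass
class Firewall:
    interfaces: dict                                 # name -> (ip/prefix, zone)
    routes: list                                     # (prefix, egress interface, next hop)
    snat_rules: list = field(default_factory=list)   # (from, to, egress interface)
    policy: list = field(default_factory=list)       # (from zone, to zone, src, dst, action)
    sessions: dict = field(default_factory=dict)     # 5-tuple -> Verdict
    # "mode dynamicport" stand-in: hand out source ports counting up from the slide's 55908
    ports: object = field(default_factory=lambda: count(55908), repr=False)

    def route_lookup(self, dst):
        """Longest-prefix match; returns (egress interface, next hop) or None."""
        best = None
        for prefix, eif, nh in self.routes:
            net = ipaddress.ip_network(prefix)
            if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, eif, nh)
        return None if best is None else best[1:]

    def forward(self, pkt, ingress):
        key = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        # 1. Session already established? Then the policy is not evaluated again.
        if key in self.sessions:
            v = self.sessions[key]
            return Verdict("permit", "session", v.src_zone, v.dst_zone, v.egress,
                           v.translated_src, v.translated_sport)
        # 2. Reachable route?
        hop = self.route_lookup(pkt.dst)
        if hop is None:
            return Verdict("deny", "no route")
        egress = hop[0]
        # 3. Zones of the ingress and egress interfaces.
        src_zone, dst_zone = self.interfaces[ingress][1], self.interfaces[egress][1]
        # 4. SNAT: a rule for this egress interface rewrites the source to that interface's IP.
        new_src, new_sport = pkt.src, pkt.sport
        for frm, to, eif in self.snat_rules:
            if eif == egress and _match(pkt.src, frm) and _match(pkt.dst, to):
                new_src, new_sport = self.interfaces[egress][0].split("/")[0], next(self.ports)
                break
        # 5. Policy: first matching rule wins; nothing matching means the default DENY.
        action, reason = "deny", "default deny"
        for fz, tz, s, d, act in self.policy:
            if (fz, tz) == (src_zone, dst_zone) and _match(pkt.src, s) and _match(pkt.dst, d):
                action, reason = act, "policy"
                break
        v = Verdict(action, reason, src_zone, dst_zone, egress, new_src, new_sport)
        # 6. A permitted flow gets a session in both directions, so the reply to the
        #    translated address matches step 1 instead of needing an untrust->trust rule.
        if action == "permit":
            self.sessions[key] = v
            self.sessions[(pkt.dst, new_src, pkt.proto, pkt.dport, new_sport)] = v
        return v


def build_lab_firewall(default_route=True):
    """Interface, route, SNAT and policy settings from the 'Configuration (3 of 4)' slide."""
    routes = [("192.168.10.0/24", "ethernet0/1", None), ("200.1.1.0/24", "ethernet0/4", None)]
    if default_route:
        routes.append(("0.0.0.0/0", "ethernet0/4", "200.1.1.254"))
    return Firewall(
        interfaces={"ethernet0/1": ("192.168.10.254/24", "trust"),
                    "ethernet0/4": ("200.1.1.1/24", "untrust")},
        routes=routes,
        snat_rules=[(ANY, ANY, "ethernet0/4")],
        policy=[("trust", "untrust", ANY, ANY, "permit")],
    )
```

Calling `build_lab_firewall().forward(Packet("192.168.10.10", "200.5.5.5", 6, 1025, 80), "ethernet0/1")` yields a permit decided by the policy, translated to 200.1.1.1:55908, and installs the session. Feeding the reply (200.5.5.5 to 200.1.1.1, port 80 to 55908) in on ethernet0/4 is then permitted by the session alone, while an unsolicited packet from untrust to 192.168.10.10 falls through to the default deny, which is exactly the behaviour the zone table plus the single trust-to-untrust rule gives you; without the default route the same first packet is dropped at step 2 before any zone or policy is consulted.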
Lab
Setting Up Lab Environment
• Configuration steps of routing mode:
a. Configure L3 interface
b. Add default route
c. Add SNAT rule
d. Add policy

• Configuration steps of transparent mode:
a. Configure L2 interface
b. Add policy
Topology of Routing Mode

• Intranet PC access to Internet

(figure) E0/4, zone untrust, 200.1.1.1/24, gateway 200.1.1.254, towards the Internet. E0/1, zone trust, 192.168.10.254/24, with the PC 192.168.10.10/24 behind it.

L3 Interface Settings (WebUI)
Network > Interface, select the interface and click 『 Edit 』

Default Route Settings (WebUI)
Network > Routing > Destination Route, click 『 New 』

SNAT Settings ( WebUI )
Policy > NAT > SNAT, click 『 New 』

Policy Setting (WebUI)
Policy > Security Policy > Policy, click 『 New 』 to create a permit policy from trust to untrust
Routing Mode Configurations (CLI )

1. Enter the interface configuration mode, bind the interface to a zone, assign an IP address

SG-6000(config)# interface eth0/4
SG-6000(config-if-eth0/4)# zone untrust
SG-6000(config-if-eth0/4)# ip address 200.1.1.1/24
SG-6000(config-if-eth0/4)# interface eth0/1
SG-6000(config-if-eth0/1)# zone trust
SG-6000(config-if-eth0/1)# ip address 192.168.10.254/24
SG-6000(config-if-eth0/1)# manage http

2. Default Routing and SNAT

SG-6000(config)# ip vrouter trust-vr
SG-6000(config-vrouter)# ip route 0.0.0.0/0 200.1.1.254
SG-6000(config-vrouter)# snatrule from any to any service any eif e0/4 trans-to eif-ip mode dynamicport

The next hop of the default route is the upstream gateway (200.1.1.254 in the topology), not the firewall's own interface address 200.1.1.1; the show ip route output under Check Settings confirms "via 200.1.1.254".

3. Add Policy
SG-6000(config)# policy-global
SG-6000(config-policy)# rule from any to any from-zone trust to-zone untrust permit
Check Settings
SG-6000# show interface

H:physical state;A:admin state;L:link state;P:protocol state;U:up;D:down;K:ha keep up;C:lacp down
=========================================================================================
Interface name IP address/mask Zone name H A L P MAC address Description
-----------------------------------------------------------------------------------------
vswitchif1 0.0.0.0/0 NULL D U D D 001c.5426.5c14 ------
ethernet0/0 10.86.100.198/24 trust U U U U 5000.0004.0000 ------
ethernet0/1 192.168.10.10/24 trust U U U U 5000.0004.0001 ------
ethernet0/2 0.0.0.0/0 NULL U U U D 5000.0004.0002 ------
ethernet0/3 0.0.0.0/0 NULL U U U D 5000.0004.0003 ------
ethernet0/4 200.1.1.1/24 untrust U U U U 5000.0004.0004 ------
=========================================================================================

SG-6000# show ip route

Codes: K - kernel route, C - connected, S - static, Z - ISP, R - RIP, O - OSPF,
B - BGP, D - DHCP, P - PPPoE, W - wireless, H - HOST, G - SCVPN, V - VPN, M - IMPORT,
I - ISIS, Y - SYNC, L - llb outbound, > - selected first nexthop, * - FIB route, b - BFD enable

Routing Table for Virtual Router <trust-vr>
==============================================================================
S>* 0.0.0.0/0 [1/0/1] via 200.1.1.254, ethernet0/4
C>* 10.86.100.0/24 is directly connected, ethernet0/0
H>* 10.86.100.198/32 [0/0/1] is local address, ethernet0/0
C>* 192.168.10.0/24 is directly connected, ethernet0/1
H>* 192.168.10.10/32 [0/0/1] is local address, ethernet0/1
C>* 200.1.1.0/24 is directly connected, ethernet0/4
H>* 200.1.1.1/32 [0/0/1] is local address, ethernet0/4
==============================================================================

This capture comes from a lab unit on which ethernet0/1 carries 192.168.10.10/24 and ethernet0/0 carries a separate management address (10.86.100.198/24). In the Lab-1 topology ethernet0/1 is 192.168.10.254/24 and 192.168.10.10 is the PC, so expect .254 on your own device. What to verify here: the interface is bound to the intended zone and shows U in all four state columns, and the default route is marked S>* (selected and in the FIB) via the gateway on the untrust interface.

Check Settings – Cont.
SG-6000# show snat
-------------------------------------------------------------------------------
vr name:trust-vr
snat rules total number is :1
==================================================================================
id ingress if from to service egress if/vr translate to mode start end size
-------------------------------------------------------------------------------
1 Any Any Any ethernet0/4 egress if's IP Dyn-Pt
==================================================================================

SG-6000# show policy

Total rules count: 1
S: Rule Status (E - Enabled; D - Disabled)
Flag: * - Need Application Identification
S - Log Session Start; E - Log Session End; D - Log Policy Deny
F - Drop Fragment; P - Permit Unknown Application; W - Web Redirect
Default action DENY. Default log OFF. Check to-self OFF. Session rematch ON
=========================================================================================
S Id Name RBNS_Attr Source Destination Service Application Action Flag
-----------------------------------------------------------------------------------------
trust => untrust
E 1 Any Any Any PERMIT ------
=========================================================================================

Note the header line "Default action DENY": any traffic not matched by rule 1 (including anything from untrust towards trust) is dropped, and "Session rematch ON" means existing sessions are re-evaluated when the policy changes.
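A practitioner does not stop at reading this output by eye. The script below is an added example, not a Hillstone tool: it parses the show interface and show ip route text above (embedded verbatim as sample input) and checks each selected static route: the egress interface exists, has an address, is fully up and is bound to a zone, and the next hop is on that interface's subnet and is not the firewall's own address. The last check catches the slip of typing the interface address instead of the gateway as the next hop of the default route. The regular expressions assume the column layout shown on these slides.

```python
"""Sanity-check static routes against interface state, using the 'show interface'
and 'show ip route' output from the Check Settings slides as sample input.
Added example for this page; not a Hillstone tool. The parsers assume the
column layout shown on the slides."""
import ipaddress
import re

# Sample input: copied from the slide, not from a live device.
SHOW_INTERFACE = """\
Interface name IP address/mask Zone name H A L P MAC address Description
-----------------------------------------------------------------------------------------
vswitchif1 0.0.0.0/0 NULL D U D D 001c.5426.5c14 ------
ethernet0/0 10.86.100.198/24 trust U U U U 5000.0004.0000 ------
ethernet0/1 192.168.10.10/24 trust U U U U 5000.0004.0001 ------
ethernet0/2 0.0.0.0/0 NULL U U U D 5000.0004.0002 ------
ethernet0/3 0.0.0.0/0 NULL U U U D 5000.0004.0003 ------
ethernet0/4 200.1.1.1/24 untrust U U U U 5000.0004.0004 ------
"""

SHOW_IP_ROUTE = """\
S>* 0.0.0.0/0 [1/0/1] via 200.1.1.254, ethernet0/4
C>* 10.86.100.0/24 is directly connected, ethernet0/0
H>* 10.86.100.198/32 [0/0/1] is local address, ethernet0/0
C>* 192.168.10.0/24 is directly connected, ethernet0/1
H>* 192.168.10.10/32 [0/0/1] is local address, ethernet0/1
C>* 200.1.1.0/24 is directly connected, ethernet0/4
H>* 200.1.1.1/32 [0/0/1] is local address, ethernet0/4
"""

# name, ip/mask, zone, H A L P flags, MAC (header and separator lines do not match)
IF_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+([UD])\s+([UD])\s+([UD])\s+([UD])\s+([0-9a-f.]+)")
# selected static routes only: "S>* prefix [..] via next-hop, interface"
STATIC_RE = re.compile(r"^S>\*\s+(\S+)\s+\[[^\]]*\]\s+via\s+(\S+),\s+(\S+)")


def parse_interfaces(text):
    """name -> {'ip': IPv4Interface or None, 'zone', 'up' (all four states U), 'mac'}."""
    out = {}
    for line in text.splitlines():
        m = IF_RE.match(line)
        if not m:
            continue
        name, addr, zone, h, a, l, p, mac = m.groups()
        ip = None if addr == "0.0.0.0/0" else ipaddress.ip_interface(addr)
        out[name] = {"ip": ip, "zone": zone, "up": (h, a, l, p) == ("U", "U", "U", "U"), "mac": mac}
    return out


def parse_static_routes(text):
    """[(IPv4Network prefix, IPv4Address next hop, egress interface name)]."""
    return [(ipaddress.ip_network(p), ipaddress.ip_address(nh), eif)
            for p, nh, eif in (m.groups() for m in map(STATIC_RE.match, text.splitlines()) if m)]


def check_static_routes(interfaces, routes):
    """Return a list of problem strings; an empty list means every static route is sane."""
    problems = []
    for prefix, nh, eif in routes:
        intf = interfaces.get(eif)
        if intf is None or intf["ip"] is None:
            problems.append(f"{prefix}: egress {eif} is unknown or has no IP address")
            continue
        if not intf["up"]:
            problems.append(f"{prefix}: egress {eif} is not fully up (H/A/L/P)")
        if intf["zone"] == "NULL":
            problems.append(f"{prefix}: egress {eif} is not bound to a zone")
        if nh == intf["ip"].ip:
            problems.append(f"{prefix}: next hop {nh} is {eif}'s own address, not the gateway")
        elif nh not in intf["ip"].network:
            problems.append(f"{prefix}: next hop {nh} is not on-link for {eif} ({intf['ip'].network})")
    return problems
```

Running `check_static_routes(parse_interfaces(SHOW_INTERFACE), parse_static_routes(SHOW_IP_ROUTE))` on the slide's output returns an empty list; feeding it a route line with "via 200.1.1.1, ethernet0/4" instead reports that the next hop is the interface's own address, which is the mistake to look for when a freshly configured lab box has a default route but still cannot reach the Internet.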
Topology of Transparent Mode
• FW deployed in transparent mode; PC1 needs to access PC2

(figure) E0/1 (zone L2-trust) connects PC1 192.168.10.10/24; E0/2 (zone L2-untrust) connects PC2 192.168.10.20/24. vswitchif1 carries the management address 192.168.10.1/24.

Configure L2 Interface ( WebUI )
Network > Interface

Configure Policy ( WebUI )
Policy > Security Policy
Transparent Mode ( CLI )
1. Enter interface configuration mode and bind the interfaces to security zones

SG-6000(config)# interface e0/1
SG-6000(config-if-eth0/1)# zone l2-trust
SG-6000(config-if-eth0/1)# exit
SG-6000(config)# interface e0/2
SG-6000(config-if-eth0/2)# zone l2-untrust
SG-6000(config-if-eth0/2)# exit
SG-6000(config)# interface vswitchif1
SG-6000(config-if-vsw1)# zone trust
SG-6000(config-if-vsw1)# ip address 192.168.10.1/24
SG-6000(config-if-vsw1)# manage ping
SG-6000(config-if-vsw1)# manage http
SG-6000(config-if-vsw1)# exit

The layer 2 interfaces get no IP address; the only address is on vswitchif1, the routed interface of the VSwitch, and it exists purely for management. Because vswitchif1 is reachable from both PCs, keep its management methods minimal (https rather than http where possible).

Transparent Mode ( CLI )

2. Configure Policy
SG-6000(config)# policy-global
SG-6000(config-policy)# rule
SG-6000(config-policy-rule)# src-zone l2-trust
SG-6000(config-policy-rule)# dst-zone l2-untrust
SG-6000(config-policy-rule)# src-addr any
SG-6000(config-policy-rule)# dst-addr any
SG-6000(config-policy-rule)# service any
SG-6000(config-policy-rule)# action permit
SG-6000(config-policy-rule)# exit

This rule permits sessions initiated from l2-trust towards l2-untrust; PC2's replies pass because they match the session. A session that PC2 initiates towards PC1 matches no rule and hits the default deny, so add a rule in the other direction only if that is actually required.
Questions
1. What is the difference between routing mode and transparent mode?
R1 – Routed mode works at layer 3 and transparent mode works at layer 2.

2. What settings need to be done in routing mode?
R2 – 1 - Enter the interface configuration mode, bind the interface to a zone, assign an IP address
2 - Default routing and SNAT
3 - Add policy

3. What settings need to be done in transparent mode?
R3 – 1 - Enter interface configuration mode and bind the interface to a security zone
2 - Configure policy

4. Can security zones access each other by default?
R4 – No
Lab-1 Topology (Routing mode)
Requirement: the intranet PC can access the Internet in routing mode

(figure) E0/4, zone untrust, 200.1.1.1/24, gateway 200.1.1.254, towards the Internet. E0/1, zone trust, 192.168.10.254/24, with the PC 192.168.10.10/24 behind it.

Lab-2 Topology (Transparent mode)
Requirement:
1. PC1 can access PC2;
2. manage the FW via IP 192.168.10.1

(figure) E0/1 (zone L2-trust) connects PC1 192.168.10.10/24; E0/2 (zone L2-untrust) connects PC2 192.168.10.20/24. vswitchif1 carries the management address 192.168.10.1/24.
Thanks