05-AD-WAN 6.6 Branch Solution Security Controller Service Configuration Guide


 

AD-WAN 6.6 Branch Solution

Security Controller Service Configuration Guide


Document version: 5W100-20240603

 

Copyright © 2024 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

This document provides generic technical information, some of which might not be applicable to your products.

The information in this document is subject to change without notice.



Overview

This document describes the service configuration and usage guidelines for the security controller. The security controller is used to configure, deploy, and manage security services for network devices (CPEs), providing user Internet access control and security protection.


Plan the networks

Network diagram

Figure 1 Network diagram

 

Network configuration

Site network configuration

·     HQ1: HQ site. It is a dual-gateway site, and the site role is RR&CPE.

·     Branch1: Branch site. It is a dual-gateway site, and the site role is CPE.

·     Branch2: Branch site. It is a dual-gateway site, and the site role is CPE.

·     Branch3: Branch site. It is a single-gateway site, and the site role is CPE.

WAN network configuration

·     HQ1: Connects to the Internet through Layer 3 firewall NAT1, and uses OSPF to learn routes. The public address of the site is configured on the firewall. NAT maps the private addresses and service ports of the controller and hub devices to the Internet. Hub1-2 accesses an L3VPN, and uses BGP to ensure connectivity. Because the AS number of SDWAN is different from the AS number of the underlay network, you must use the fake AS feature.

·     Branch1: Spoke1-2 accesses an L3VPN, and uses OSPF to ensure connectivity. HQ1 and Branch1 are connected through an L2VPN and use OSPF to ensure connectivity.

·     Branch2: Spoke2-2 accesses an L3VPN, and uses OSPF to ensure connectivity. Branch2 directly accesses the Internet. Spoke2-1 obtains a public address through PPPoE dialup. Spoke2-2 obtains a public address through DHCP.

·     Branch3: Spoke3 accesses an L3VPN, and uses OSPF to ensure connectivity. The two Internet egresses of Spoke3 are configured with static addresses and use private addresses, and the source addresses are translated to public addresses through carrier-grade NAT.

LAN network configuration

·     HQ1: Because the controller is deployed on the internal network, two hub devices must use two interfaces (management interface and LAN interface) to connect to LAN1. The management interface interconnects with LAN1 through OSPF to ensure a successful WebSocket registration. The LAN interface interconnects with LAN1 through OSPF. It uses OSPF to learn internal network routes, redistributes them to BGP, and advertises them to the branch. The branch routes learned from BGP are redistributed to OSPF and then advertised to LAN1 through OSPF.

·     Branch1: VRRP is configured for the LAN interfaces of the dual-gateway site. The gateway for internal endpoints is configured as the VRRP virtual address, and you must add a route interconnect interface for route synchronization.

·     Branch2: VRRP is configured for the LAN interfaces of the dual-gateway site. The gateway for internal endpoints is configured as the VRRP virtual address, and you must add a route interconnect interface for route synchronization.

·     Branch3: A single LAN interface is used to access the LAN network.

 

CAUTION:

For a dual-gateway site, if it accesses the LAN network through VRRP or static routes, you must add an interconnect link (which can use subinterfaces) to each service VPN and configure OSPF for route synchronization.

 

Interface address and underlay network parameter configuration

Table 1 shows the addresses planned for interfaces on devices. The NAT server must be configured on device NAT1 to map internal addresses to the public network. Table 2 shows the NAT mappings.

Table 1 Device node address planning

| Device | Interface | Interface address | Peer device | Peer interface | Peer address | Remarks |
|---|---|---|---|---|---|---|
| Hub1-1 | GE3/4/0 | 11.1.1.2/24 | LAN1 | | 11.1.1.1/24 | Management network |
| Hub1-1 | GE3/4/0.1 | 20.1.10.2/24 | LAN1 | | 20.1.10.1/24 | LAN interface in VPN1 |
| Hub1-1 | GE3/4/1 | 30.1.1.1/24 | Hub1-2 | GE3/4/1 | 30.1.1.2/24 | Horizontal link |
| Hub1-1 | GE3/4/2 | 11.1.5.1/24 | Spoke1-1 | GE0/2 | 11.1.5.2/24 | L2VPN |
| Hub1-1 | GE3/4/3 | 11.1.3.1/24 | NAT1 | GE0/1 | 11.1.3.2/24 | Internet link |
| Hub1-2 | GE3/4/0 | 11.1.2.2/24 | LAN1 | | 11.1.2.1/24 | Management network |
| Hub1-2 | GE3/4/0.1 | 20.1.11.2/24 | LAN1 | | 20.1.11.1/24 | LAN interface in VPN1 |
| Hub1-2 | GE3/4/1 | 30.1.1.2/24 | Hub1-2 | GE3/4/1 | 30.1.1.1/24 | Horizontal link |
| Hub1-2 | GE3/4/2 | 11.1.6.1/24 | Spoke1-2 | GE0/2 | 11.1.6.2/24 | L2VPN |
| Hub1-2 | GE3/4/3 | 11.1.4.1/24 | NAT1 | GE0/2 | 11.1.4.2/24 | Internet link |
| Hub1-2 | GE3/4/4 | 12.1.1.1/24 | MPLS | | 12.1.1.2/24 | L3VPN |
| NAT1 | GE0/0.1 | 110.1.1.1/24 | Internet | | 110.1.1.2/24 | Public egress to Internet |
| NAT1 | GE0/0.2 | 110.1.2.1/24 | Internet | | 110.1.2.2/24 | Public egress to Internet |
| NAT1 | GE0/1 | 11.1.3.2/24 | Hub1-1 | GE3/4/3 | 11.1.3.1/24 | |
| NAT1 | GE0/2 | 11.1.4.2/24 | Hub1-2 | GE3/4/3 | 11.1.4.1/24 | |
| Spoke1-1 | GE0/0 | 20.1.2.2/24 | LAN2 | | | LAN interface in VPN1; VRRP: 20.1.2.1 (master) |
| Spoke1-1 | GE0/1 | 30.1.2.1/24 | Spoke1-2 | GE0/1 | 30.1.2.2/24 | Horizontal link |
| Spoke1-1 | GE0/2 | 11.1.5.2/24 | Hub1-1 | GE3/4/2 | 11.1.5.1/24 | L2VPN |
| Spoke1-1 | GE0/4 | 20.1.21.1/24 | Spoke1-2 | GE0/4 | 20.1.22.2/24 | LAN interface in VPN1; horizontal route synchronization |
| Spoke1-2 | GE0/0 | 20.1.2.3/24 | LAN2 | | | LAN interface in VPN1; VRRP: 20.1.2.1 (backup) |
| Spoke1-2 | GE0/1 | 30.1.2.2/24 | Spoke1-1 | GE0/1 | 30.1.2.1/24 | Horizontal link |
| Spoke1-2 | GE0/2 | 11.1.6.2/24 | Hub1-2 | GE3/4/2 | 11.1.6.1/24 | L2VPN |
| Spoke1-2 | GE0/3 | 12.1.4.2/24 | MPLS | | 12.1.4.1/24 | L3VPN |
| Spoke1-2 | GE0/4 | 20.1.21.2/24 | Spoke1-1 | GE0/4 | 20.1.21.1/24 | LAN interface in VPN1; horizontal route synchronization |
| Spoke2-1 | GE0/0 | 20.1.2.3/24 | LAN3 | | | LAN interface in VPN1; VRRP: 20.1.3.1 (master) |
| Spoke2-1 | GE0/1 | 30.1.3.1/24 | Spoke2-2 | GE0/1 | 30.1.3.2/24 | Horizontal link |
| Spoke2-1 | GE0/2 (Dialer1) | PPPoE dialup | Internet | | | Internet link |
| Spoke2-1 | GE0/4 | 20.1.22.1/24 | Spoke2-2 | GE0/4 | 20.1.22.2/24 | LAN interface in VPN1; horizontal route synchronization |
| Spoke2-2 | GE0/0 | 20.1.3.3/24 | LAN3 | | | LAN interface in VPN1; VRRP: 20.1.3.1 (backup) |
| Spoke2-2 | GE0/1 | 30.1.3.2/24 | Spoke2-1 | GE0/1 | 30.1.3.1/24 | Horizontal link |
| Spoke2-2 | GE0/2 | DHCP | Internet | | | Internet link |
| Spoke2-2 | GE0/3 | 12.1.2.2/24 | MPLS | | 12.1.2.1/24 | L3VPN |
| Spoke2-2 | GE0/4 | 20.1.22.2/24 | Spoke2-1 | GE0/4 | 20.1.22.1/24 | LAN interface in VPN1; horizontal route synchronization |
| Spoke3 | GE0/0 | 20.1.4.1/24 | LAN4 | | | LAN interface in VPN1 |
| Spoke3 | GE0/1.1 | 10.1.100.2/24 | Internet | | | Internet link |
| Spoke3 | GE0/1.2 | 10.1.101.2/24 | Internet | | | Internet link |
| Spoke3 | GE0/2 | 12.1.3.2/24 | MPLS | | 12.1.3.1/24 | L3VPN |

 

Table 2 NAT mappings

| Device | Interface | Protocol | External address:port | Internal address:port | Function |
|---|---|---|---|---|---|
| NAT1 | GE0/0.1 | TCP | 110.1.1.1:19443 | Northbound virtual address of the controller:19443 | Registration via WebSocket |
| NAT1 | GE0/0.1 | TCP | 110.1.1.1:35000 | Northbound virtual address of the controller:35000 | Device configuration backup and upgrade |
| NAT1 | GE0/0.1 | TCP | 110.1.1.1:1234 | 10.1.3.1:1234 | SSL connection setup between CPE and RR |
| NAT1 | GE0/0.1 | UDP | 110.1.1.1:4799 | 10.1.3.1:4799 | Default SDWAN tunnel encapsulation port mapping |
| NAT1 | GE0/0.1 | UDP | 110.1.1.1:12288 | 10.1.3.1:12288 | Group ID-based SDWAN tunnel encapsulation port mapping |
| NAT1 | GE0/0.1 | UDP | 110.1.1.1:12289 | 10.1.3.1:12289 | Group ID-based SDWAN tunnel encapsulation port mapping |
| NAT1 | GE0/0.1 | UDP | 110.1.1.1:12290 | 10.1.3.1:12290 | Group ID-based SDWAN tunnel encapsulation port mapping |
| NAT1 | GE0/0.1 | UDP | 110.1.1.1:12291 | 10.1.3.1:12291 | Group ID-based SDWAN tunnel encapsulation port mapping |
| NAT1 | GE3/4/3 | TCP | 110.1.2.1:19443 | Northbound virtual address of the controller:19443 | Registration via WebSocket |
| NAT1 | GE3/4/3 | TCP | 110.1.2.1:35000 | Northbound virtual address of the controller:35000 | Device configuration backup and upgrade |
| NAT1 | GE3/4/3 | TCP | 110.1.2.1:1234 | 10.1.4.1:1234 | SSL connection setup between CPE and RR |
| NAT1 | GE3/4/3 | UDP | 110.1.2.1:4799 | 10.1.4.1:4799 | Default SDWAN tunnel encapsulation port mapping |
| NAT1 | GE3/4/3 | UDP | 110.1.2.1:12288 | 10.1.4.1:12288 | Group ID-based SDWAN tunnel encapsulation port mapping |
| NAT1 | GE3/4/3 | UDP | 110.1.2.1:12289 | 10.1.4.1:12289 | Group ID-based SDWAN tunnel encapsulation port mapping |
| NAT1 | GE3/4/3 | UDP | 110.1.2.1:12290 | 10.1.4.1:12290 | Group ID-based SDWAN tunnel encapsulation port mapping |
| NAT1 | GE3/4/3 | UDP | 110.1.2.1:12291 | 10.1.4.1:12291 | Group ID-based SDWAN tunnel encapsulation port mapping |

 

Security zone division and default inter-zone policy

Security zone division

·     Public Untrust zone: On a device, all tenant VPNs use the same WAN interface. Therefore, you only need to create a public Untrust zone on the device and add the WAN interface to the public Untrust zone.

·     Tenant Trust zone: You need to create a tenant Trust zone for each tenant VPN. A tenant VPN uses a LAN subinterface to connect the tenant LAN network. You need to add the LAN subinterface to the tenant Trust zone. Besides, you also need to add the interconnect subinterface bound with a tenant service VPN to the tenant Trust zone.

·     Public Middle zone: Add the SDWAN tunnel interface to the public Middle zone. All tenants of a site share one Middle zone.

·     Default zone: Add all other interfaces not bound to tenant VPNs to the Default zone, so that they can communicate with the interfaces added to previous security zones.

·     Do not add Layer 2 interfaces, cellular interfaces, and Inloopback interfaces to security zones.

Default inter-zone policy

Table 3 Default inter-zone policy

| No. | Source zone | Destination zone | Default action | Policy application direction | Security policy | IPS/anti-virus policy | URL policy |
|---|---|---|---|---|---|---|---|
| 1 | Tenant Trust | Public Untrust | Permit | Outbound | Yes | Yes | Yes |
| 2 | Public Untrust | Tenant Trust | Deny | Inbound | Yes | Yes | Yes |
| 3 | Tenant Trust | Public Middle | Permit | Outbound | Yes | Yes | No |
| 4 | Public Middle | Tenant Trust | Permit | Inbound | Yes | Yes | No |
| 5 | Public Middle | Public Untrust | Permit | Outbound | Yes | Yes | Yes |
| 6 | Public Untrust | Public Middle | Deny | Inbound | Yes | Yes | Yes |

 

The default action for other zone pairs is permit.
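The zone division rules and Table 3 above, worked as an added Python model (not H3C controller code): assign_zone classifies an interface into a zone, and interzone_policy looks up the default action and the policies that apply to a flow between two interfaces. The interface kinds, the Tunnel1 name and the sample flows are assumptions modelled on Spoke2-2.

```python
"""Model of the security zone division and the default inter-zone policy
described above. Added example, not H3C controller code: interface kinds,
the Tunnel1 name and the sample flows are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Interface:
    name: str
    kind: str                         # "wan", "lan-sub", "interconnect-sub",
                                      # "sdwan-tunnel", "l2", "cellular",
                                      # "inloopback" or "other"
    tenant_vpn: Optional[str] = None  # tenant service VPN bound to the interface

def assign_zone(intf: Interface) -> Optional[str]:
    """Return the zone an interface belongs to, or None for interfaces that
    must not be added to any zone (Layer 2, cellular, InLoopBack)."""
    if intf.kind in ("l2", "cellular", "inloopback"):
        return None
    if intf.kind == "wan":
        return "Public Untrust"                 # one zone shared by all tenant VPNs
    if intf.kind in ("lan-sub", "interconnect-sub") and intf.tenant_vpn:
        return f"Trust-{intf.tenant_vpn}"       # one Trust zone per tenant VPN
    if intf.kind == "sdwan-tunnel":
        return "Public Middle"                  # shared by all tenants of the site
    return "Default"                            # everything else not bound to a tenant VPN

def zone_class(zone: str) -> str:
    """Collapse a concrete zone name to the class used in Table 3."""
    return "Tenant Trust" if zone.startswith("Trust-") else zone

# Table 3: (source class, destination class) -> (default action, direction,
# security policy applies, IPS/anti-virus policy applies, URL policy applies).
DEFAULT_INTERZONE = {
    ("Tenant Trust", "Public Untrust"):  ("permit", "outbound", True, True, True),
    ("Public Untrust", "Tenant Trust"):  ("deny",   "inbound",  True, True, True),
    ("Tenant Trust", "Public Middle"):   ("permit", "outbound", True, True, False),
    ("Public Middle", "Tenant Trust"):   ("permit", "inbound",  True, True, False),
    ("Public Middle", "Public Untrust"): ("permit", "outbound", True, True, True),
    ("Public Untrust", "Public Middle"): ("deny",   "inbound",  True, True, True),
}

def interzone_policy(src: Interface, dst: Interface) -> dict:
    """Default behaviour for a flow entering on src and leaving on dst.
    Zone pairs not listed in Table 3 default to permit with no policies."""
    src_zone, dst_zone = assign_zone(src), assign_zone(dst)
    if src_zone is None or dst_zone is None:
        bad = src.name if src_zone is None else dst.name
        raise ValueError(f"{bad} is not a member of any security zone")
    key = (zone_class(src_zone), zone_class(dst_zone))
    action, direction, sec, ips_av, url = DEFAULT_INTERZONE.get(
        key, ("permit", None, False, False, False))
    return {"src_zone": src_zone, "dst_zone": dst_zone, "action": action,
            "direction": direction, "security_policy": sec,
            "ips_av_policy": ips_av, "url_policy": url}

# Constructed interfaces modelled on Spoke2-2 in Table 1; the interface kinds
# and the SDWAN tunnel name are assumptions, not taken from the guide.
SPOKE2_2 = {
    "GE0/0":   Interface("GE0/0", "lan-sub", tenant_vpn="VPN1"),           # LAN interface in VPN1
    "GE0/4":   Interface("GE0/4", "interconnect-sub", tenant_vpn="VPN1"),  # route sync link
    "GE0/2":   Interface("GE0/2", "wan"),                                  # Internet link (DHCP)
    "Tunnel1": Interface("Tunnel1", "sdwan-tunnel"),                       # SDWAN tunnel (assumed)
    "InLoop0": Interface("InLoopBack0", "inloopback"),                     # never zoned
}

if __name__ == "__main__":
    for s, d in (("GE0/0", "GE0/2"), ("GE0/2", "GE0/0"), ("GE0/0", "Tunnel1")):
        print(f"{s} -> {d}: {interzone_policy(SPOKE2_2[s], SPOKE2_2[d])}")
```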

 


Configuration workflow

Figure 2 Configuration workflow

 


Procedure

After branch network devices are deployed through the AD-WAN controller, you can use the security controller to configure and deploy security policies to the devices.

As shown in Figure 1, a user uses a PC to access an HTTP server on the Internet. Configure a security policy and then deploy the security policy to Spoke2-2 to implement access control and security protection. Network address configuration:

·     User PC address: 53.1.1.200

·     Server address: 90.5.1.100

Synchronize service resources

Perform this task to manually synchronize device and resource data to the security controller. When the AD-WAN controller and security controller are upgraded or manually restarted, data inconsistency might occur in the short term, requiring manual synchronization to accelerate environment recovery. When the device list or device interface changes, manual synchronization is not required in normal conditions, and the controllers can automatically perform incremental synchronization to ensure data consistency.

1.     Log in to Unified Platform. Navigate to the System > System Maintenance > Security Controller > Network Controllers page. A synchronization task exists by default.

Figure 3 Synchronization task

 

2.     Click the icon in the Actions column for the task. A confirmation dialog box opens.

Figure 4 Synchronization task

 

3.     Click OK.

4.     Navigate to the System > System Maintenance > Security Controller > Service Resources page.

Figure 5 Service Resources

 

Import signature libraries

Download signature libraries

To download signature libraries, go to https://www.h3c.com/en/support/resource_center/en/security/catalog/database/database/?tbox=Software, as shown in Figure 6.

Figure 6 Downloading signature libraries

 

The security controller service has the following available signature libraries:

·     IPS Signature V7: The IPS signature library is a collection of one or more IPS signatures. The system uses IPS signatures to scan for attacks on the network and then proactively takes prevention actions. The firewall detects and defends against attacks by comparing data flows with IPS signatures.

·     Anti-Virus Signature V7: The virus signature library is a collection of one or more virus signatures. A virus signature is a character string that uniquely identifies a specific virus in the application layer of packets.

·     Application Signature V7: The APR signature library is a collection of one or more APR signatures.

·     URL-Filter Signature V7: The URL filtering signature library is a collection of one or more URL categories.

To download a signature library, click a signature library version link, and then click the library version file link to save the version file locally, as shown in Figure 7.

Figure 7 Signature library version files

 

Update signature libraries of the security controller

1.     Use the admin account to log in to Unified Platform. Navigate to Automation > Branch Networks > DPI Libraries.

You are placed on the IPS Signature Library tab.

Figure 8 IPS signature library page

 

2.     Click Local Upload. In the dialog box that opens, select a .dat file, and then click Upload to upload the signature library file to the security controller, as shown in Figure 9.

Figure 9 Local upload

 

After upload, you can view the signature library information, as shown in Figure 10.

Figure 10 IPS signature list

 

3.     To import other signature libraries, click the Virus Signature Library, Application Signature Library, and URL Signature Library tabs as needed, as shown in Figure 11, Figure 12, and Figure 13, respectively. Then repeat step 2.

Figure 11 Virus signature list

 

Figure 12 Application signature list

 

Figure 13 URL signature list

 

Synchronize signature libraries

To synchronize a signature library to the most recent version on the controller for a device:

1.     Use the admin account to log in to Unified Platform. Navigate to Automation > Branch Networks > DPI Signature Library. Click the Signature Library Sync tab, as shown in Figure 14.

Figure 14 Signature library list

 

2.     Click the icon before the target device name, click the icon in the Actions column for the target signature library, and then click OK, as shown in Figure 15.

Figure 15 Synchronizing a signature library

 

3.     Wait for the synchronization to complete. The sync state of the signature library turns green, as shown in Figure 16.

Figure 16 Synchronization completed

 

CAUTION:

·     When synchronizing a signature library, first make sure the device is online.

·     When the controller is on the internal network and the device is registered through the public network, signature library synchronization cannot be performed on the controller. The device directly downloads the signature library through FTP using the northbound IP address of the controller. You need to modify the host name or IP address used by the device to access the controller on the service parameters page of the controller.

 

In NAT traversal scenarios such as this one, you can configure the IP address used by the device to access the controller on the System > System Maintenance > Security Controller > Service Parameters page, as shown in Figure 17.

Figure 17 Security controller service parameters

 

After you configure the address as the public network address registered by the device, during signature library synchronization, the device will send an FTP download request to this address. However, because the controller is in a NAT traversal scenario, you need to permit the FTP ports (62121 and 62120 by default) on the headquarters' public network device, as shown in Figure 18.

Figure 18 Permitting the ports

 

Update signature libraries on a device

IMPORTANT:

Before a signature library update, you must install the corresponding license.

 

Anytime you find a new release of signature library files on the official website, you can trigger the device to immediately and automatically update the signature libraries. If the device cannot access the signature library service on the official website, you can manually update the signature library offline.

Update the IPS signature library

Trigger an immediate IPS signature library update online

Before triggering an immediate IPS signature library update online, make sure the device can connect to the network.

To trigger an immediate IPS signature library update online:

1.     Enter system view.

<spoke> system-view

2.     Trigger an immediate IPS signature library update online.

[spoke] ips signature auto-update-now

Manually update the IPS signature library offline

Before manually updating the IPS signature library offline, make sure a signature library file of a new version has been uploaded to the device.

To manually update the IPS signature library offline:

1.     Enter system view.

<spoke> system-view

2.     Manually update the IPS signature library offline.

[spoke] ips signature update V7-IPS-1.0.199.dat

Update the anti-virus signature library

Trigger an immediate anti-virus signature library update online

Before triggering an immediate anti-virus signature library update online, make sure the device can connect to the network.

To trigger an immediate anti-virus signature library update online:

1.     Enter system view.

<spoke> system-view

2.     Trigger an immediate anti-virus signature library update online.

[spoke] anti-virus signature auto-update-now

Manually update the anti-virus signature library offline

Before manually updating the anti-virus signature library offline, make sure a signature library file of a new version has been uploaded to the device.

To manually update the anti-virus signature library offline:

1.     Enter system view.

<spoke> system-view

2.     Manually update the anti-virus signature library offline.

[spoke] anti-virus signature update V7-AV-1.0.164.dat

Update the APR signature library

Trigger an immediate APR signature library update online

Before triggering an immediate APR signature library update online, make sure the device can connect to the network.

To trigger an immediate APR signature library update online:

1.     Enter system view.

<spoke> system-view

2.     Trigger an immediate APR signature library update online.

[spoke] apr signature auto-update-now

Manually update the APR signature library offline

Before manually updating the APR signature library offline, make sure a signature library file of a new version has been uploaded to the device.

To manually update the APR signature library offline:

1.     Enter system view.

<spoke> system-view

2.     Manually update the APR signature library offline.

[spoke] apr signature update V7-APR-1.0.140.dat

Update the URL filtering signature library

IMPORTANT:

Before updating the URL filtering signature library, install the corresponding license.

 

Trigger an immediate URL filtering signature library update online

Before triggering an immediate URL filtering signature library update online, make sure the device can connect to the network.

To trigger an immediate URL filtering signature library update online:

1.     Enter system view.

<spoke> system-view

2.     Trigger an immediate URL filtering signature library update online.

[spoke] url-filter signature auto-update-now

Manually update the URL filtering signature library offline

Before manually updating the URL filtering signature library offline, make sure a signature library file of a new version has been uploaded to the device.

To manually update the URL filtering signature library offline:

1.     Enter system view.

<spoke> system-view

2.     Manually update the URL filtering signature library offline.

[spoke] url-filter signature update V7-URL-1.0.67.dat

Configure DPI policies

Deep packet inspection (DPI) inspects the application layer payload of packets (such as HTTP and DNS) to determine whether the packets are legitimate. When the system cannot identify and filter packets by the five-tuple method, DPI is applied to inspect packets for security control and attack prevention.

Configure a URL filtering policy

A URL filtering policy can associate all URL filtering settings. You can bind actions to be taken for URL filtering categories in a URL filtering policy. You can also apply a URL filtering policy to firewall rules and deploy it with those firewall rules to implement URL filtering on specific traffic.

View URL filtering policies

Log in to Unified Platform as a tenant service administrator. Navigate to Automation > Branch Networks > Security Services > URL Filtering, as shown in Figure 19.

Figure 19 URL filtering policies

 

After you import the URL filtering signature library, the system generates a default URL filtering policy on the URL Filtering page. If you do not need to customize rules or denylist or allowlist settings, you can use the default policy directly in a security policy.

If the default signature library cannot meet requirements, you can add new URL filtering categories to match corresponding host names and URLs.

Add a URL filtering category

URL filtering provides the URL categorization feature to facilitate filtering rule management. You can use URL categories for URL control in a URL filtering policy or security policy.

To add a URL category:

1.     Log in to Unified Platform as a tenant service administrator. Navigate to Automation > Branch Networks > Security Services > URL Filtering.

2.     Click Category.

3.     Click Add.

Figure 20 Adding a URL category

 

4.     Configure a URL category.

a.     Configure basic settings as follows:

-     Name: Enter the URL category name.

-     Description: Enter a description.

-     Severity: Specifies a severity level for the URL category, in the range of 1000 to 65535. The greater the value, the higher the severity level.

b.     In the Rule area, click Add, and then configure rule settings as follows:

-     Host filtering type: Select a host filtering type. Options include REGEX and TEXT. As a best practice, select TEXT in this example.

-     Host name: Enter the host name field of URLs. In this example, set the host name to the server addresses 90.5.1.100 and 33.1.1.100.

-     URI filtering type: Configure URI settings when URI matching is required.

-     URI: Enter URI information of URLs. If the system cannot match the source of packets via host name, you can configure URI information for packet matching.

c.     Click Apply. The URL filtering rule is added to the rule list. You can add multiple rules as needed.

5.     Click Apply.

Add a URL filtering policy

1.     Log in to Unified Platform as a tenant service administrator. Navigate to Automation > Branch Networks > Security Services > URL Filtering.

2.     Click Add policy.

Figure 21 Adding a URL filtering policy

 

3.     Enter a name and a description for the URL filtering policy.

4.     Configure actions for URL categories.

¡     Select an action from the drop-down list in the Action column for a category (for example, User-defined), and then click Apply. The selected action applies to all URL categories under that category (all user-defined URL categories in this example).

¡     Select an action and enable or disable logging for a child URL category by clicking the icon in the Actions column for the URL category, and then click Apply, as shown in Figure 22.

The following actions are available:

¡     Permit—Permits the packets that match URL categories to pass through.

¡     Drop—Drops the packets that match URL categories.

¡     Advanced settings.

This example selects Drop for URL categories to drop packets that match URL categories.

Figure 22 Configuring child URL category settings

 

5.     Click Apply.

Apply a URL filtering policy

For information about how to apply a URL filtering policy to a security policy, see "Configure security policies."

Verify the configuration

In this example, create a URL filtering policy and apply the URL filtering policy to a security policy. The URL filtering policy is configured to drop the URLs of http://90.5.1.100 in the simulated public network and http://33.1.1.100 in the simulated private network. The branch device can access Internet services at http://90.5.1.100 and access the internal services of the headquarters at http://33.1.1.100 through the headquarters device.

Before the URL filtering configuration is deployed, http://90.5.1.100 and http://33.1.1.100 are reachable, as shown in Figure 23 and Figure 24.

Figure 23 Reachable to 90.5.1.100

 

Figure 24 Reachable to 33.1.1.100

 

After the URL filtering configuration is deployed, http://90.5.1.100 and http://33.1.1.100 are unreachable, as shown in Figure 25 and Figure 26.

Figure 25 Unreachable to 90.5.1.100

 

Figure 26 Unreachable to 33.1.1.100

 

Configure an IPS policy

IPS policies can be associated with firewall rules and deployed together with the corresponding firewall configuration to the firewall device to perform IPS inspection on specific traffic.

View IPS policies

Log in to Unified Platform as a tenant service administrator. Navigate to Automation > Branch Networks > Security Services > IPS page, as shown in Figure 27.

Figure 27 Viewing IPS policies

 

After you import the IPS signature library, the system generates a default IPS policy. If you do not need to customize rules, you can use the default policy directly in a security policy.

If the default signature library cannot meet requirements, you can add new IPS policies.

Add an IPS policy

1.     Log in to Unified Platform as a tenant service administrator. Navigate to Automation > Branch Networks > Security Services > IPS.

2.     Click Add policy.

Figure 28 Adding an IPS policy

 

3.     Enter a name and a description for the IPS policy, and select a default policy template.

4.     Configure IPS actions for access requests to protected objects such as FTP servers and operating systems. This example configures IPS actions for FTP servers.

¡     To configure actions for an IPS signature of an FTP server, click the icon in the Actions column for that FTP server, and then click Apply.

¡     To configure actions for all IPS signatures of an FTP server, select an action from the drop-down list in the Action column for that FTP server.

The following actions are available:

¡     Permit—Permits matching packets to pass through.

¡     Drop—Drops matching packets.

¡     Blacklist—Drops matching packets and adds the sources of the packets to the IP blacklist.

¡     Reset—Closes the TCP connections for matching packets by sending TCP reset messages.

¡     Redirect—Redirects matching packets to a webpage.

This example specifies the reset action for the IPS signature with ID 23318.

5.     Click Apply.

Apply an IPS policy

For information about how to apply an IPS policy to a security policy, see "Configure security policies."

Verify the configuration

In this example, a default IPS policy is configured and applied to a security policy. The reset action is specified for the IPS signature with ID 47175. The system will close the TCP connections for matching packets by sending TCP reset messages.

Test the reachability of a branch client to the simulated public network: http://90.5.1.100/?s=index/think\Error/appError&errfile=../../test&code=1

Test the reachability of a branch client to the simulated private network: http://90.5.1.100/?s=index/think\Error/appError&errfile=../../test&code=1

Before deploying IPS configuration, the branch client can reach 90.5.1.100 and 33.1.1.100, as shown in Figure 29 and Figure 30.

Figure 29 Reachable to 90.5.1.100

 

Figure 30 Reachable to 33.1.1.100

 

After IPS configuration is deployed, the branch client cannot reach 90.5.1.100 or 33.1.1.100 and the requests are reset when network connectivity is normal, as shown in Figure 31 and Figure 32.

Figure 31 Unreachable to 90.5.1.100

 

Figure 32 Unreachable to 33.1.1.100

 

Configure an anti-virus policy

Anti-virus policies can be associated with firewall rules and deployed together with the corresponding firewall configuration to the firewall device to perform anti-virus inspection on specific traffic.

View anti-virus policies

Log in as a tenant service administrator. Navigate to Automation > Branch Networks > Security Services > Anti-Virus, as shown in Figure 33.

Figure 33 Viewing anti-virus policies

 

After you import the anti-virus signature library, the system generates a default anti-virus policy. If you do not need to customize rules, you can use the default policy directly in a security policy.

If the default signature library cannot meet requirements, you can add new anti-virus policies. Only the firewall supports the anti-virus feature.

Add an anti-virus policy

1.     Use an administrator account to log in to the platform and navigate to Automation > Branch Networks > Security Services > Anti-Virus.

2.     Click Add policy.

Figure 34 Adding an anti-virus policy

 

3.     Enter a name and a description for the anti-virus policy and select a policy.

4.     On the Application layer protocol tab, configure anti-virus settings for a protocol as follows:

¡     Enable—Select the option to enable anti-virus for the protocol.

¡     Direction—Specify the anti-virus detection direction, including both, download, and upload.

¡     Action—Specify an anti-virus action, including alert, block, and redirect.

5.     Click Apply.

Apply an anti-virus policy

For information about how to apply an anti-virus policy to a security policy, see "Configure security policies."

Verify the configuration

In this example, a default anti-virus policy is configured and applied to a security policy to block requests to download virus files through FTP.

Use a branch client to access the FTP server in the headquarters to download a virus file, as shown in Figure 35 and Figure 36.

Figure 35 Connecting to the FTP server

 

Figure 36 Downloading a virus file

 

As shown in Figure 36, the downloading of the virus file fails.

As shown in Figure 37, you can view anti-virus statistics about blocked virus file downloads through FTP.

Figure 37 Anti-virus statistics on the firewall

 

Configure security policies

After you bind security policies to a firewall, the firewall uses the security policies to filter packets and execute the actions configured in the rules on matching packets to perform accurate packet control.

Configure a security policy rule

Use an administrator account to log in to the platform and navigate to Automation > Branch Networks > Security Services > Security Policies. Click the Rules tab and click Add Rule. On the page that opens, configure the following parameters and click Apply:

·     Name: Enter the rule name.

·     Description: Enter the rule description.

·     IP Version: Select an IP version. Options include IPv4 and IPv6.

·     Service: Select a protocol type. Options include UDP, TCP, ICMP, and All. If you are not sure of the protocol type, select All as a best practice.

·     Source Address/Destination Address: Enter the source and destination addresses. In this example, the destination address is 90.5.1.100.

·     Source Port/Destination Port: Enter the source port and destination port. These fields are not required in this example.

·     Applications/Application Groups: Select applications and application groups such as WeChat and QQ.

·     Validation Time: Specify the time span during which the rule takes effect. By default, this field is not specified.

·     Action: Specify an action. Options include:

¡     Permit—Allows matching packets to pass.

¡     Deny—Discards matching packets.

¡     DPI—Filters matching packets further by using DPI policies. This can realize URL filtering, IPS protection, and anti-virus protection.

In this example, the action is DPI and the URL filter policy, IPS policy, and anti-virus policy are configured accordingly.

Figure 38 Adding a rule

 

Figure 39 Adding a DPI rule

 

Configure a security policy

1.     Use an administrator account to log in to the platform and navigate to Automation > Branch Networks > Security Services > Security Policies. Click the Policies tab and click Add Policy.

2.     On the page that opens, enter the policy name and description.

3.     Select Activate.

4.     Click Apply.

Figure 40 Adding a security policy

 

Bind rules to a security policy

1.     Use an administrator account to log in to the platform and navigate to Automation > Branch Networks > Security Services > Security Policies. Click the Policies tab and click the link in the Rules column for a security policy.

2.     On the page that opens, select Activate. In the Available Rules list, select target rules and click the  icon to add the rules into the Selected Rules list.

Figure 41 Binding rules to a security policy

 

Bind security policies to a firewall

To bind the created security policies to a firewall, see "Bind a firewall."

Verify the configuration

In this example, 5-tuple-based packet control is verified by creating a security policy that drops packets destined for 90.5.1.100 on the public network or 33.1.1.100 on the private network.

As shown in Figure 42 and Figure 43, test the connectivity to the destinations.

Figure 42 Testing the connectivity to 90.5.1.100

 

Figure 43 Testing the connectivity to 33.1.1.100

 

In this example, the test results show that 90.5.1.100 and 33.1.1.100 cannot be reached and other addresses can be reached.
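The following is an added example, not code from the H3C guide or from the controller itself: a minimal first-match evaluator for rules built from the fields on the Rules tab (Service, Source/Destination Address, Source/Destination Port, Action). It is loaded with a constructed policy reproducing this verification (deny to 90.5.1.100 and 33.1.1.100, Service All, no ports) plus the HQ1_vpn1_rule1 rule configured later in this guide; the default action of permit for unmatched traffic reflects the guide's statement that traffic between sites is allowed by default.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed rule model mirroring the Rules tab fields; addresses may be a
# host or a CIDR prefix, and None on any field means "any" (field left empty).
@dataclass
class Rule:
    name: str
    action: str                     # "permit", "deny" or "dpi"
    service: str = "All"            # "UDP", "TCP", "ICMP" or "All"
    src: Optional[str] = None
    dst: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

def _addr_match(spec, addr):
    # ip_network(..., strict=False) turns a bare host into a /32 or /128;
    # an address of the other IP version never matches.
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):
    return spec is None or spec == port

def matches(rule, pkt):
    """pkt is a dict with proto, src, dst and optional sport/dport keys."""
    if rule.service != "All" and rule.service != pkt["proto"]:
        return False
    return (_addr_match(rule.src, pkt["src"]) and _addr_match(rule.dst, pkt["dst"])
            and _port_match(rule.src_port, pkt.get("sport"))
            and _port_match(rule.dst_port, pkt.get("dport")))

def evaluate(rules, pkt, default="permit"):
    """First matching rule wins; unmatched traffic gets the default action.
    Returns (action, rule_name), rule_name being None for the default."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, None

# Constructed policy: the two deny rules of this verification plus HQ1_vpn1_rule1.
POLICY = [
    Rule("deny_public_host", "deny", dst="90.5.1.100"),
    Rule("deny_private_host", "deny", dst="33.1.1.100"),
    Rule("HQ1_vpn1_rule1", "deny", src="11.1.1.3", dst="110.1.1.2"),
]

if __name__ == "__main__":
    for dst in ("90.5.1.100", "33.1.1.100", "90.5.1.101"):
        print(dst, evaluate(POLICY, {"proto": "ICMP", "src": "10.1.1.10", "dst": dst}))
```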

Figure 44 Unreachable to 90.5.1.100

 

Figure 45 Unreachable to 33.1.1.100

 

Bind a firewall

Perform this task to configure the virtual firewall function. It controls access permissions between VMs in a tenant network and between the VMs and the external network, providing effective security protection for the tenant network.

1.     Log in as a tenant service administrator. Navigate to the Automation > Branch Networks > Security Services > Firewalls page. Click Add Firewall.

Figure 46 Adding a firewall

 

2.     Configure basic settings:

¡     Enter a name and description and select a scenario for the firewall.

¡     Configure the inbound policy: Select a previously configured security policy. The following application scenarios exist:

-     Apply the security policy to the traffic from the WAN interface to the LAN interface, that is, the downlink direction of the user's local Internet access.

-     Apply the security policy to the traffic from the tunnel interface to the LAN interface, that is, the downlink direction of the user's private network access.

-     Apply the security policy to the traffic from the WAN interface to the tunnel interface, that is, the downlink direction of the user's centralized Internet access.

¡     Configure the outbound policy: Select a previously configured security policy. The following application scenarios exist:

-     Apply the security policy to the traffic from the LAN interface to the WAN interface, that is, the uplink direction of the user's local Internet access.

-     Apply the security policy to the traffic from the LAN interface to the tunnel interface, that is, the uplink direction of the user's private network access.

-     Apply the security policy to the traffic from the tunnel interface to the WAN interface, that is, the uplink direction of the user's centralized Internet access.

For the inter-zone policy application direction, see "Default inter-zone policy."

3.     Configure the source security zone/resource: select the sites/service nodes as needed from the Available Services Resources list, and then click the  icon to add the selected resources to the Selected Services Resources list.

4.     Click Apply.

Configuration audit

Perform this task to audit the security service configuration of devices against the controller and synchronize the two.

Procedure

1.     Log in as a tenant service administrator. Navigate to the Automation > Branch Networks > Security Services > Config Audit page.

Figure 47 Configuration audit device list

 

2.     Click the  icon to open the data synchronization page, as shown in Figure 48. Click Audit. The system starts to audit the security configuration on the controller and on the device.

Figure 48 Device data synchronization details

 

3.     Click Sync Data to synchronize the device configuration and the security controller configuration, as shown in Figure 49.

Figure 49 Sync Data

 

Verification

1.     After the security controller deploys the configuration to the device, manually add or delete security-related configuration on the device, for example, delete an anti-virus policy and add a URL filter.

Figure 50 Delete an anti-virus policy

 

Figure 51 Add a URL filter

 

2.     Click Audit and then view the audit result. The anti-virus policy is reported as configuration that exists only on the controller, and the URL filter as configuration that exists only on the device.

Figure 52 Configuration only on controller

 

Figure 53 Configuration only on device

 

3.     Click Sync Data and then view the configuration on the device. The manual changes are reverted: the manually deleted configuration is restored and the manually added configuration is removed.

Figure 54 Manually deleted configuration is recovered

 

Figure 55 Manually added configuration is deleted

 

Device log audit

The device generates log messages during running. You can configure the device to send the log messages of specific severity levels and from specific modules to log hosts for log audit.

Add a log host

1.     Log in as a tenant service administrator. Navigate to Automation > Branch Networks > Security Services > Device Log Audit page.

2.     Select the Log Hosts tab, and then click Add to open the Add Log Host page.

3.     Configure the log host parameters as needed:

¡     Log Host: Enter the IP address of a log host. The IP address must be reachable from the device. 

¡     Port: Enter the log receiving port number.

¡     Tenant: Select a tenant for the log host. A system administrator can select any tenant, while a tenant service administrator can select only its own tenant.

Figure 56 Adding a log host

 

Add a syslog policy

1.     Log in as a tenant service administrator. Navigate to Automation > Branch Networks > Security Services > Device Log Audit page.

2.     Select the Syslog Policies tab, and then click Add.

3.     Configure the syslog policy parameters:

¡     Policy Name: Enter the syslog policy name.

¡     Log Severity: Select a log severity level. The system will send logs of the selected level and higher levels to the specified log hosts.

¡     Log Hosts: Select the created log host.

Figure 57 Adding a syslog policy

 

Bind devices to the syslog policy

1.     Log in as a tenant service administrator. Navigate to the Automation > Branch Networks > Security Services > Device Log Audit page.

2.     Select the Device and Log Policy Bindings tab.

3.     Select the devices that need to send logs and then click Bind Log Policy.

4.     On the Bind Log Policy page, configure the following parameters:

¡     Syslog Policy: Select the created syslog policy.

¡     Device VRF: Select the VPN instance where the outgoing interface used to access the log host resides.

Figure 58 Binding a log policy

 

Verification

After the log host, syslog policy, and device and syslog policy binding are configured, you can go to the log host to view log messages sent from the devices.
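The "selected level and higher levels" semantics of the Log Severity setting are easy to get backwards because standard syslog severity codes run from 0 (emergency) to 7 (debug), so "higher" means numerically smaller. The following is an added example, not code from the H3C guide or the controller: it decodes the <PRI> header of standard syslog lines and applies a severity threshold the way the policy does. The sample lines are constructed, and the device's actual message format is not assumed beyond the standard PRI header.

```python
import re

# Standard syslog severity names, index = numeric code (RFC 3164 / RFC 5424).
# Lower code = more severe, so "selected level and higher" means code <= selected.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]

_PRI_RE = re.compile(r"^<(\d{1,3})>")

def parse_pri(line):
    """Return (facility, severity) decoded from a syslog line's <PRI> header.
    PRI = facility * 8 + severity; raise ValueError if missing or out of range."""
    m = _PRI_RE.match(line)
    if not m:
        raise ValueError("missing <PRI> header")
    pri = int(m.group(1))
    if pri > 191:                       # 23 facilities * 8 + 7 is the maximum
        raise ValueError("PRI out of range: %d" % pri)
    return pri // 8, pri % 8

def should_forward(line, selected_level):
    """Mirror the Log Severity setting: forward if the message severity is the
    selected level or a higher (more severe, numerically smaller) one."""
    threshold = SEVERITIES.index(selected_level)
    _, severity = parse_pri(line)
    return severity <= threshold

def filter_for_host(lines, selected_level):
    """Return the subset of lines a syslog policy at selected_level would send."""
    return [line for line in lines if should_forward(line, selected_level)]

# Constructed sample messages (not captured from a real device): facility local0
# (16) combined with severities 6, 4 and 2.
SAMPLE_LINES = [
    "<134>Jun  3 10:00:01 fw1 FW: session created",     # 16*8+6 informational
    "<132>Jun  3 10:00:02 fw1 IPS: signature matched",  # 16*8+4 warning
    "<130>Jun  3 10:00:03 fw1 AV: virus file blocked",  # 16*8+2 critical
]

if __name__ == "__main__":
    for level in ("warning", "critical"):
        print(level, [l.split("fw1 ")[1] for l in filter_for_host(SAMPLE_LINES, level)])
```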

Figure 59 View log information on the log host server

 

Site device settings

Traffic between sites is allowed by default. You can enable the AV in default policy and IPS in default policy options to add anti-virus and IPS protection to that default traffic. Enabling the policy group option deploys configuration according to the security policy group setup, which simplifies management.

Configure device security options

Navigate to the Security Services > Site Device Settings page. To enable or disable the device security options for a device, click the Edit Device Security Options icon in the Actions column for that device.

Figure 60 Enable or disable security options for a device

 

To enable or disable device security options for devices in bulk, click Device Security Options and select the security option to be edited.

Figure 61 Enable or disable security options for devices in bulk

 

Enable the policy group, IPS, and AV security options for the HQ1 device

Navigate to the Security Services > Site Device Settings page. Click the Operate icon in the Action column for the device to enable the device security options.

Figure 62 Enable the policy group, IPS, and AV security options for the HQ1 device

 

Configure a security policy rule

Navigate to Automation > Branch Networks > Security Services > Security Policies. Click the Rules tab, and then click Add. On the page that opens, configure the parameters as follows:

·     Rule Name: HQ1_vpn1_rule1.

·     Source IP: 11.1.1.3.

·     Destination IP: 110.1.1.2.

·     Action: Deny.

Figure 63 Configure a security policy rule

 

Configure a security policy and bind a rule

Configure a security policy

1.     Navigate to Automation > Branch Networks > Security Services > Security Policies. Click the Policies tab, and then click Add. On the page that opens, configure the parameters as follows:

Figure 64 Add a security policy

 

2.     Enter the policy name and description to create a security policy. This example creates a firewall policy named policy1_HQ1_vpn1.

3.     Select Activate to make the policy take effect.

4.     Click Apply.

Bind rules to the security policy

1.     Navigate to Automation > Branch Networks > Security Services > Security Policies. Click the Policies tab, and then click the link in the Rules column for a policy to open the Bind Rule page.

Figure 65 Binding rules

 

2.     Select Activate. Select the required rules from the Available Rules list, and then click the  icon to add these rules to the Selected Rules list.

Configure a firewall and apply policies

1.     Navigate to Automation > Branch Networks > Security Services > Security Policies. Click the Firewalls tab, and then click Add. On the page that opens, configure the parameters as follows:

Figure 66 Adding a firewall

 

Configure basic settings:

¡     Enter a name and description and select a scenario for the firewall.

¡     Configure the inbound policy: Select a previously configured security policy. This example selects security policy policy1_HQ1_vpn1.

¡     Configure the outbound policy: Select a previously configured security policy. This example selects security policy policy1_HQ1_vpn1.

2.     Configure the security zone/resource: select the sites/service nodes as needed from the Available Services Resources list, and then click the  icon to add the selected resources to the Selected Services Resources list.

3.     Click Apply.

Verify the configuration

For the HQ1 device, when the policy group, IPS, and AV security options are enabled, the default security policy and policy group configuration are correctly deployed. Traffic processing is not affected by the security options. For example, when HQ1 accesses the Internet, the traffic still matches the firewall rules as configured. The mutual access traffic between HQ1 and Spoke1 is not affected by the device security options.

Device deploys AV and IPS in default policy

 

 

Security policy group successfully deployed

 

Traffic from HQ1 to Internet matches firewall rule and thus is discarded

 

Traffic between HQ1 sites remains unaffected

 


Restrictions and guidelines

·     A device must install required licenses to upgrade and install signature libraries.

·     In a dual-gateway network, the outbound security policy and inbound security policy must be the same.

·     In a dual-gateway network, features such as IPS and anti-virus take effect only when the forward and return traffic passes through the same gateway device.

·     To synchronize signature libraries for a device, make sure the device and the controller's northbound IP address can reach each other.

·     The site device settings feature supports only firewall devices.


Operations monitoring

See AD-WAN 6.6 Branch Solution Operations Monitoring Deployment Guide.

 
