Chapter 1 Overview
• This manual applies to the H3C SecPath F1000-E (hereinafter referred to as the F1000-E) and to SecBlade firewall cards.
• All networking and configuration examples are based on the F1000-E.
• A SecBlade firewall card is developed from the high-end F1000-E firewall, but it exchanges data with the Ethernet switch that hosts it mainly through 10GE interfaces. A SecBlade firewall card can therefore be understood as an F1000-E connected to an Ethernet switch through a 10GE interface. The two products are configured in almost the same way; the only difference is that the F1000-E forwards data on physical interfaces, while a SecBlade firewall card forwards data on the logical interfaces (subinterfaces, VLAN interfaces, and so on) of a 10GE interface.
• Because of this difference, the configuration manuals of the SecBlade firewall cards describe the Layer 2 and Layer 3 forwarding configurations in detail. For security zone management, the F1000-E adds its physical interfaces to security zones, while a SecBlade firewall card adds the logical interfaces (subinterfaces and VLAN interfaces) of a 10GE interface to security zones. This has a security consequence: on a SecBlade card the zone a packet enters or leaves is derived from the logical interface, and thus from the VLAN tag, on which it arrives or departs, so the VLAN-to-logical-interface mapping is part of the card's security configuration and should be reviewed together with the zone policies. For how the zones of incoming and outgoing packets are determined, refer to the Layer 2 and Layer 3 forwarding configuration manuals. Other security zone-based features, such as attack protection and object-oriented ACLs, are configured in the same way as on the F1000-E. Interface-based features are also configured in a similar way, except that on the F1000-E they are configured on physical interfaces and on a SecBlade firewall card on logical interfaces (subinterfaces, VLAN interfaces, and so on). Use the F1000-E user manual to configure all functions common to both products on a SecBlade card.
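The following configuration fragment is an added illustration of the difference described above; it is not taken from this manual or from any H3C product documentation. It contrasts the two cases in Comware-style CLI: on the F1000-E, physical interfaces are imported into security zones directly; on a SecBlade card, dot1q subinterfaces of the 10GE interface toward the switch are imported instead, one per VLAN, so the VLAN tag on a frame selects the subinterface and therefore the zone it enters. Zone names, zone IDs, priorities, interface names, VLAN IDs and IP addresses are assumed for illustration, "#" lines are section separators/annotations, and the exact command syntax must be verified against the Security Zone Management and Layer 2/Layer 3 forwarding manuals for the software version in use.

```text
# ---- F1000-E: physical interfaces are zone members (assumed names/IDs) ----
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/1
 ip address 10.1.10.1 255.255.255.0
#
zone name Untrust id 4
 priority 5
 import interface GigabitEthernet0/0
#
zone name Trust id 2
 priority 85
 import interface GigabitEthernet0/1
#

# ---- SecBlade card: subinterfaces of the 10GE uplink are zone members ----
# VLAN 20 carries the untrusted traffic, VLAN 10 the trusted traffic (assumed).
interface Ten-GigabitEthernet0/0.20
 vlan-type dot1q vid 20
 ip address 192.168.1.1 255.255.255.0
#
interface Ten-GigabitEthernet0/0.10
 vlan-type dot1q vid 10
 ip address 10.1.10.1 255.255.255.0
#
zone name Untrust id 4
 priority 5
 import interface Ten-GigabitEthernet0/0.20
#
zone name Trust id 2
 priority 85
 import interface Ten-GigabitEthernet0/0.10
#
```

Note that the zone definitions and the interzone policies built on them are identical in both cases; only the `import interface` members change. On the SecBlade card, the switch-side trunk configuration decides which VLANs reach which subinterface, so a VLAN misassignment on the switch can move traffic between zones without any change on the firewall card itself.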
This manual is organized as follows:
• Chapter 1 Overview: Presents a brief introduction to this manual.
• Chapter 2 Service Features: Briefly introduces the major features of the modules involved in this manual.
• Chapter 3 Login: Describes how to log in to the SecPath series security products through the console port or an Ethernet interface, and how to access and manage the security products through a Web browser.
• Chapter 4 Slot Arrangement and Interface Numbering: Describes the slot arrangement and interface numbering rules of the SecPath series to facilitate device configuration and maintenance.
For the information about the installation, startup and configuration, software maintenance, hardware maintenance, interface card and interface module functions, cable connection, and troubleshooting of the F1000-E, refer to the H3C SecPath F1000-E Firewall Installation Manual.
Follow these steps to obtain the latest product documentation from www.h3c.com:
1. Select Technical Support & Document > Technical Documents on the home page.
2. Select a product or product series to view and/or download manuals for that product or product series.
The Comware-based security product software features of the SecPath series are described in eight manual volumes, summarized as follows:
• Web-Based Configuration: Introduces the security features that can be configured on the firewalls through a Web browser, including virtual device management, security zone configuration, RADIUS, HWTACACS, attack detection, attack protection, session management, traffic management, NAT, address objects, object-oriented ACLs, ASPF policy, TCP proxy, IPSec, IKE, PKI, log reports, session logs, and so on.
• Security Volume: Introduces the CLI-based configuration of some security protocols supported by the firewalls, including SSH2.0, SSL, ALG, and so on.
• Access Volume: Introduces the CLI-based configuration of the interfaces and link layer protocols supported by the firewalls.
• IP Services Volume: Introduces the CLI-based configuration of IP-related features supported by the firewalls, including ARP, IP performance, IP unicast policy routing, and so on.
• IP Routing Volume: Introduces the CLI-based configuration of static routing and the routing protocols supported by the firewalls, including RIP, OSPF, BGP, and so on.
• System Volume: Introduces the CLI-based configuration of system-related protocols and features supported by the firewalls, including configuration environment setup, basic system configuration, user login, file management, system maintenance, NTP, SNMP, RMON, VRRP, and so on.
• VPN Volume: Introduces the CLI-based configuration of VPN-related protocols supported by the firewalls, including GRE, L2TP, L3VPN, and so on.
• IP Multicast Volume: Introduces the CLI-based configuration of IP multicast protocols supported by the firewalls, including IGMP, MSDP, PIM, and so on.
Chapter 2 Service Features
2.1 Introduction
The H3C SecPath F series firewalls are a new generation of professional firewall products developed by Hangzhou H3C Technologies Co., Ltd. (hereinafter referred to as H3C) for large enterprise users. In addition to traditional firewall functions, the SecPath F series also:
• Supports virtual firewall, security zone management, attack prevention, P2P flow control, and URL filtering features to effectively protect network security.
• Supports a variety of virtual private network (VPN) services, such as IPSec VPN, to construct various forms of VPNs.
• Provides abundant routing capabilities by supporting various routing protocols, including Routing Information Protocol (RIP), Open Shortest Path First (OSPF), and Border Gateway Protocol (BGP).
2.2 Feature List
Table 2-1 SecPath series firewalls feature list
Module | Features
Web-Based Configuration | Web overview; Device information; Firewall policy configuration wizard; IPSec VPN configuration wizard; System time; Software upgrade; Configuration maintenance; Device reboot; Session management; Interface management; Security zone management; Virtual device configuration; Device management; VLAN; Route display; Static routing; DHCP; DNS; Policy routing; Inline forwarding; MAC address table management; MSTP; Local user; Online user; RADIUS; HWTACACS; Address object; Service object; Time range; NAT address pool; ACL; NAT; ASPF policy; Object-oriented ACL; Virtual fragment reassembly; Traffic statistics; Attack detection; URPF check; Checksum check; TCP proxy; Dual-system hot backup; IKE; IPSec; PKI; Log report; Session log; Forwarding statistics; Load balancing; P2P traffic control; QoS
Security Volume | ALG; Rsh; SSH2.0; SSL; Web filtering
Access Volume | Ethernet interface; Logical interface
IP Services Volume | ARP; IP performance; IP unicast policy routing; Adjacency table; IPv6 basics
IP Routing Volume | IP routing overview; BGP; OSPF; RIP; Static routing
System Volume | GR overview; VRRP; Device management; NQA; NTP; RMON; SNMP; File system management; System maintaining and debugging; Basic system configuration; Information center; User interface; HTTP; Track; Hotfix
VPN Volume | GRE; L2TP; L3VPN
IP Multicast Volume | Multicast overview; Multicast routing and forwarding configuration; IGMP configuration; MSDP configuration; PIM configuration
In the PDF version of this manual, you can open the Operation Manual, Command Manual, and Web Manual for a feature by clicking the corresponding links in the Operation Manual, Command Manual, and Web Manual columns; to return to this Feature Description page, press Alt+Left Arrow.
Table 2-2 Web-based features
Feature | Manual | Description |
Web overview | Web Overview | Introduces the Web-based management of the firewalls, including: • Loading the Web interface • Logging in to the Web interface • Saving the current configuration • Introduction to the Web interface layout • Web user levels • Introduction to Web-based management functions • Introduction to common buttons on the Web-based management pages • Managing the Web-based management system through the CLI
Device information | Device Information | Provides the device state and summary information, such as the resource state and device interface information.
Firewall policy configuration wizard | Firewall Policy Configuration Wizard | Provides a way to quickly configure firewall policies for virtual devices, and helps you configure object-oriented ACL parameters between zones.
IPSec VPN configuration wizard | IPSec VPN Configuration Wizard | Helps you rapidly complete the IPSec VPN-related configuration tasks, including: • Configuring a center node • Configuring a branch node • Configuring a peer node
System time | System Time Configuration | Displays the system time and enables you to set the system time on the Web interface. • Setting the system time
Software upgrade | Software Upgrade Configuration | Guides you on how to download software from a TFTP server to the device and update the device software. Software upgrade involves the following task: • Configuring software upgrade
Configuration maintenance | Configuration Maintenance | Guides you on how to manage device configurations, including how to save the current configuration to a configuration file on the device, upload a configuration file to a TFTP server for backup, and download a configuration file from a TFTP server to the device for configuration restoration. Configuration maintenance involves the following tasks: • Saving the configuration • Backing up the configuration • Restoring the configuration
Device reboot | Device Reboot Configuration | Describes how to reboot the device through the Web interface. Device reboot involves the following task: • Configuring device reboot
Session management | Session Management | Session management is a common function that allows you to manage session-based applications such as network address translation (NAT), application specific packet filter (ASPF), and attack protection. Session management involves the following tasks: • Configuring basic session management settings • Viewing session table information • Viewing session relation table information • Viewing or clearing session statistics
Interface management | Interface Management Configuration | Describes how to manage all physical interfaces and two types of logical interfaces (loopback and null interfaces) of a device through the Web interface. Interface management involves the following tasks: • Creating an interface • Editing an interface • Shutting down/bringing up an interface • Viewing interface statistics • Deleting an interface
Security zone management | Security Zone Management | A security zone is an abstract concept that can contain physical interfaces, logical interfaces, and Layer 2 trunk interfaces combined with VLANs. Interfaces in the same security zone typically have the same security requirements in security policy control. With the security zone concept, the security administrator can divide interfaces with different security requirements into different zones for hierarchical policy management. Security zone management involves the following tasks: • Creating a security zone • Adding an interface to the security zone
Virtual device configuration | Virtual Device Configuration | The virtual device concept allows you to divide a physical firewall device into multiple logical firewalls to support firewall rental services. Virtual device configuration involves the following tasks: • Creating a virtual device • Adding an interface to the virtual device • Adding a VLAN to the virtual device
Device management | Device Management Configuration | • Specifying the system name of the device • Setting the Web idle timeout: if a user logged in to the Web interface performs no operation within the specified period, the system automatically logs the user out so that an unattended session cannot be reused.
VLAN | VLAN Configuration | VLAN technology allows you to break a LAN down into separate VLANs that are isolated from each other at Layer 2. A VLAN is a broadcast domain, and all broadcast traffic is contained within it. VLAN configuration involves the following tasks: • Creating a VLAN • Modifying the ports in a VLAN or the VLANs of a specific port
Route display | Route Display Configuration | Displays route information.
Static routing | Static Route Configuration | • Static routing overview • Configuring a static route
DHCP | DHCP Configuration | DHCP is built on a client-server model, in which a client sends a configuration request and the server returns a reply carrying configuration parameters such as an IP address to the client. DHCP configuration involves the following tasks: • Enabling DHCP • Configuring the DHCP service type on an interface • Configuring a static address pool for the DHCP server • Configuring a dynamic address pool for the DHCP server • Configuring a DHCP service group
DNS | DNS Configuration | The Domain Name System (DNS) is a distributed database used by TCP/IP applications to translate domain names into the corresponding IP addresses. DNS configuration involves the following tasks: • Configuring static domain name resolution • Configuring dynamic domain name resolution
Policy routing | Policy Routing Configuration | Policy routing is a mechanism that selects routes based on user-defined policies rather than on the destination address alone. Policy routing configuration involves the following tasks: • Creating a policy • Enabling local policy routing • Enabling interface policy routing
Inline forwarding | Inline Forwarding | High-end firewalls support Layer 2 inline forwarding, that is, packets received on one interface can be forwarded directly out a specified interface. Inline forwarding configuration mainly involves the following task: • Configuring inline forwarding
MAC address table management | MAC Address Table Management Configuration | A device maintains a MAC address table for frame forwarding. Each entry in this table records the MAC address of a connected device, the interface through which that device is connected, and the VLAN to which the interface belongs. MAC address table management mainly involves the following tasks: • Adding a MAC address entry • Querying a MAC address entry
MSTP | MSTP Configuration | The Multiple Spanning Tree Protocol (MSTP) overcomes the shortcomings of STP and RSTP. In addition to supporting rapid network convergence, it allows data flows of different VLANs to be forwarded along separate paths, thus providing a better load sharing mechanism for redundant links. MSTP configuration mainly involves the following tasks: • Configuring an MSTP region • Configuring MSTP globally • Configuring MSTP on a port
Local user | Local User | A local user is a user configured on the Network Access Server (NAS). A local user is identified by a unique user name. • Configuring a local user
Online user | Online User | An online user is a user who has come online after passing AAA authentication. • Viewing online users
RADIUS | RADIUS | Remote Authentication Dial-In User Service (RADIUS) is a distributed information interaction protocol built on the client/server model to protect networks against unauthorized access. RADIUS configuration involves the following main tasks: • Configuring a RADIUS server • Configuring RADIUS parameters
HWTACACS | HWTACACS | Huawei Terminal Access Controller Access Control System (HWTACACS) is an enhanced security protocol based on TACACS (RFC 1492), used to implement authentication, authorization, and accounting (AAA). HWTACACS configuration involves the following main tasks: • Creating an HWTACACS scheme • Configuring an HWTACACS server • Configuring HWTACACS parameters
Address object | |