H3C SecPath F100-C Firewall Installation Manual(V1.02)

Table of Contents

Chapter 1 Product Overview

1.1 Introduction

1.2 Hardware Features

1.2.1 Hardware Features of the H3C SecPath F100-C

Chapter 2 Preparing for Installation

2.1 Site Requirements

2.1.1 Temperature/Humidity

2.1.2 Cleanliness

2.1.3 ESD Prevention

2.1.4 Electromagnetic Environment

2.1.5 Lightning Protection

2.1.6 Checking the Installation Site

2.2 Safety Precautions

2.3 Tools, Meters, and Devices

Chapter 3 Installing the H3C SecPath F100-C

3.1 Installation Procedure

3.2 Installing the H3C SecPath F100-C

3.2.1 Placing the H3C SecPath F100-C on a Table

3.2.2 Mounting the H3C SecPath F100-C on a Vertical Surface

3.3 Connecting PGND Wire

3.4 Connecting the Power Cord

3.5 Connecting the H3C SecPath F100-C to a Console Terminal

3.6 Connecting the H3C SecPath F100-C to LAN

3.7 Connecting the H3C SecPath F100-C to WAN

3.8 Verifying Installation

Chapter 4 Starting and Configuring the H3C SecPath F100-C

4.1 Starting the H3C SecPath F100-C

4.1.1 Setting Up a Configuration Environment

4.1.2 Powering On the H3C SecPath F100-C

4.1.3 Startup Process

4.2 Configuration Fundamentals

4.2.1 Basic Configuration Procedure

4.2.2 Command Line Interface

Chapter 5 Maintaining the H3C SecPath F100-C

5.1 Boot Menu

5.2 Upgrading Application Programs and Boot ROM program Using XModem

5.3 Backing up and Restoring the Extended Segment of the Boot ROM Program

5.4 Upgrading the Application Programs Using TFTP

5.5 Uploading/Downloading Application Programs/Files Using FTP

5.5.1 Upgrading Application Programs Using FTP in Boot ROM

5.5.2 Upgrading Application Programs Using FTP in Host Software

5.6 Modifying Boot ROM Password

5.7 Resetting a Lost Password

Chapter 6 Troubleshooting

6.1 Troubleshooting the Power System

6.2 Troubleshooting the Console Terminal




Chapter 1  Product Overview

1.1  Introduction

H3C SecPath F100-C Firewall (referred to as the H3C SecPath F100-C) is designed for small office home office (SOHO) users.

The H3C SecPath F100-C provides a standards-compliant uplink Ethernet interface and can interoperate with the products of other vendors at every layer, which protects the customer's investment.

The H3C SecPath F100-C provides four 10/100 Mbps autosensing LAN FE interfaces and one 10 Mbps WAN Ethernet interface.

The H3C SecPath F100-C uses application specific packet filter (ASPF) to monitor the connection process and malicious commands. ASPF works together with access control lists (ACLs) to implement dynamic packet filtering.

The H3C SecPath F100-C supports authentication, authorization, accounting (AAA) and network address translation (NAT) so that a secure and reliable network can be built over the open Internet.

To improve network security, the H3C SecPath F100-C provides multiple attack prevention measures, TCP proxy, inside network security, traffic policing, network address filtering, web page filtering, and mail filtering.

The H3C SecPath F100-C provides multiple intelligent analysis and management tools, as well as mail filtering and diverse logs, to help the network administrator perform security management.

The H3C SecPath F100-C supports multiple virtual private network (VPN) services, such as Layer 2 tunneling protocol (L2TP) VPN, IP security (IPsec) VPN, generic routing encapsulation (GRE) VPN and dynamic VPN, to connect remote branch offices to the headquarters.

H3C SecPath F100-C supports the branch intelligent management system (BIMS) feature to automatically upgrade the configuration file and application programs, and the VPN manager function to configure and deploy VPNs.

H3C SecPath F100-C provides basic routing features, including the routing information protocol (RIP), open shortest path first (OSPF), routing policy, and policy routing, as well as abundant QoS features, such as traffic policing, traffic shaping, and queue scheduling.

1.2  Hardware Features

1.2.1  Hardware Features of the H3C SecPath F100-C

I. Appearance

(1) Ethernet LED LAN3

(2) Ethernet LED LAN2

(3) Ethernet LED LAN1

(4) Ethernet LED LAN0

(5) WAN LED

(6) System LED (SYS)

(7) Power LED (PWR)

 

Figure 1-1 Front panel of the H3C SecPath F100-C

(1) Power switch

(2) Power socket

(3) Console port (CONSOLE)

(4) Ethernet interface 0 (LAN0)

(5) Ethernet interface 1 (LAN1)

(6) Ethernet interface 2 (LAN2)

(7) Ethernet interface 3 (LAN3)

(8) Grounding screw

(9) WAN interface (WAN)

 

Figure 1-2 Rear panel of the H3C SecPath F100-C

II. System specifications

Table 1-1 Technical specifications of the H3C SecPath F100-C

| Item | Description |
|---|---|
| Interface | One console port; one 10 Mbps Ethernet interface (WAN); four 10/100 Mbps Ethernet interfaces (LAN) |
| SDRAM | 64 MB |
| Flash memory | 8 MB |
| Max power consumption | 10 W |
| Power supply (external), input | Rated voltage range: 100 VAC to 240 VAC, 50 Hz or 60 Hz; max voltage range: 90 VAC to 264 VAC, 50 Hz or 60 Hz; current: 0.5 A to 1 A |
| Power supply (external), output | Voltage: 12 VDC; current: 4 A |
| Physical dimensions (H x W x D) | 45 × 300 × 180 mm (1.8 × 11.8 × 7.1 in), including bulge |
| Weight | 1 kg (2.2 lb) |
| Operating temperature | 0°C to 40°C (32°F to 104°F) |
| Relative humidity (noncondensing) | 10% to 90% |

 

III. LEDs

There are seven LEDs, which are described in Table 1-2, on the cover of the H3C SecPath F100-C firewall.

Table 1-2 LEDs on the H3C SecPath F100-C

| LED | Description |
|---|---|
| LAN0/LAN1/LAN2/LAN3/WAN | OFF: No link is present. ON: A link is present. Blinking: Data is being received or transmitted on the interface. |
| SYS | Blinking: The system is operating normally. ON or OFF: The system is faulty. |
| PWR | OFF: No power is supplied. ON: Power is being supplied. |

 

IV. Interface attributes

The H3C SecPath F100-C firewall provides a console port, a 10 Mbps Ethernet interface, and 10/100 Mbps Ethernet interfaces.

1) Console port

Table 1-3 Attributes of the console port

| Item | Description |
|---|---|
| Connector | RJ-45 |
| Interface standard | Asynchronous RS232 |
| Baud rate | 1200 bps to 115200 bps, defaults to 9600 bps |
| Service | Connected to an ASCII terminal; connected to the serial interface on a PC running the terminal emulation software; command line interface (CLI) |

 

2) Ethernet interface

Table 1-4 Attributes of the Ethernet interface

| Item | 10BASE-T | 10/100BASE-T |
|---|---|---|
| Connector | RJ-45 | RJ-45 |
| Operating mode | 10 Mbps; half/full duplex | 10/100 Mbps auto-sensing; auto-MDI/MDIX; half/full duplex; only Layer 2 switching available |

 


Chapter 2  Preparing for Installation

2.1  Site Requirements

Install the H3C SecPath F100-C indoors and make sure the environment meets the following requirements so that the device operates normally and has a long service life.

2.1.1  Temperature/Humidity

The equipment room must maintain adequate temperature and humidity. Long-lasting high humidity tends to degrade insulation and can even cause electricity leakage. It can also change the mechanical properties of materials and cause some metal parts to rust and corrode. If the relative humidity is too low, the captive screws can become loose because the insulation washers contract. Static electricity is also more likely to build up in a dry environment, which endangers the CMOS circuits of the product. The higher the temperature, the greater the damage to your device. Long-lasting high temperature speeds up the aging of the insulation materials, greatly lowers the device reliability, and hence significantly shortens its service life.

Table 2-1 lists the temperature and humidity requirements.

Table 2-1 Temperature and humidity requirements in the equipment room

| Temperature | Relative humidity |
|---|---|
| 0°C to 40°C (32°F to 104°F) | 10% to 90% |

 

2.1.2  Cleanliness

The equipment room must be free of explosion hazards and of electrically and magnetically conductive dust. The dust content must be limited as shown in the following table:

Table 2-2 Limit to the content of dust in an equipment room

| Substance | Unit | Content |
|---|---|---|
| Dust | Particle/m³ | ≤ 3 × 10⁴ (no visible dust on the table top for three days) |

Note: Diameter of a dust particle ≥ 5 μm

 

In addition to dust, there are strict limits on harmful gases, such as salts, acids, and sulfides, that can accelerate the corrosion and aging of metals, as shown in the following table.

Table 2-3 Limits of harmful gases in the equipment room

| Gas | Maximum (mg/m³) |
|---|---|
| SO₂ | 0.2 |
| H₂S | 0.006 |
| NH₃ | 0.05 |
| Cl₂ | 0.01 |

 

2.1.3  ESD Prevention

Although the H3C SecPath F100-C takes measures to prevent electrostatic discharge (ESD), its card circuits and even the device can be badly damaged when excessive static electricity is present.

On the communication network connected to your device, static electricity comes mainly from outside electrical fields, such as outdoor high-voltage power cables and lightning, and from the indoor environment, floor materials, and the internal system such as the equipment frame. To prevent damage, observe the following:

- Earth the device and floor well.
- Keep the equipment room as clean as possible.
- Maintain adequate temperature and humidity.
- Wear an ESD-preventive wrist strap and clothes when handling the circuit board.
- Place the removed circuit board face up on the ESD-preventive table, or into a static shielding bag.
- Hold the circuit board by its edge when observing or moving it, avoiding direct contact with the elements on it.

2.1.4  Electromagnetic Environment

All interference sources, wherever they are from, affect the H3C SecPath F100-C negatively through capacitance coupling, inductance coupling, electromagnetic wave radiation, and common impedance (including the grounding system) coupling. To resist the interference, make sure to:

- Take effective measures against the interference caused by the power supply grid.
- Use a grounding system or lightning protection grounding different from that for the power supply equipment and keep them as far apart as possible.
- Keep the device far from high-power radio transmitters, radar transmitters, and high-frequency, high-current equipment.
- Use electromagnetic shielding when necessary.

2.1.5  Lightning Protection

Although the H3C SecPath F100-C takes necessary measures against lightning, the device can be damaged when excessive lightning is present. To protect the device against lightning:

- Ensure the chassis is connected to the earth ground.
- Ensure the earth point of the power socket is well connected to the earth ground.
- Add a lightning arrester to the front end of the power input to better protect the power supply from lightning strikes.
- Add a special device to the input end of any signal cable that lies in the open air for better protection from lightning.

2.1.6  Checking the Installation Site

When installing the H3C SecPath F100-C, make sure that:

- Enough space is left around the air inlet and exhaust vents.
- The workbench has a good ventilation system.
- The workbench is firm enough to support the device and its accessories.
- The workbench is well earthed.

2.2  Safety Precautions

Observe all safety precautions when you install your H3C SecPath F100-C and pay adequate attention to the following icons:

Caution means care should be taken in these operations during installation and use. Improper operations might cause bodily injury to the operators or damage the device.

Follow these safety precautions when installing or using the H3C SecPath F100-C:

- Keep the H3C SecPath F100-C away from moisture and heat.
- Make sure the H3C SecPath F100-C is well earthed.
- Always wear an ESD-preventive wrist strap when installing and maintaining the H3C SecPath F100-C, making sure the strap has good skin contact.
- Do not plug or unplug the cable while the power is on.
- Using an uninterruptible power supply (UPS) is recommended.

2.3  Tools, Meters, and Devices

I. Tools

- ESD-preventive wrist strap

II. Cables

- PGND wire, power cord and power supply unit (PSU)
- Console cable
- Optional cables, such as network cable, AUX cable, and synchronous/asynchronous serial interface cable

III. Devices and meters

- HUB or LAN Switch
- Console terminal (can be a PC)
- Multimeter

Caution:

The installation tools, meters, and devices are not provided with the H3C SecPath F100-C.

 


Chapter 3  Installing the H3C SecPath F100-C

3.1  Installation Procedure

Figure 3-1 Installation procedure

3.2  Installing the H3C SecPath F100-C

You can install the H3C SecPath F100-C firewall in either of two ways:

- Placing it on a table
- Mounting it on a vertical surface

3.2.1  Placing the H3C SecPath F100-C on a Table

The H3C SecPath F100-C firewall can simply be placed on a clean and flat table. When placing it, make sure that:

- The table is steady.
- 10 cm (3.9 in) of space is left around the H3C SecPath F100-C for heat dissipation.
- No H3C SecPath F100-C is placed on top of another.

3.2.2  Mounting the H3C SecPath F100-C on a Vertical Surface

Mount the H3C SecPath F100-C firewall on a vertical surface with four pan-head screws and the four brackets at the bottom of its chassis.

 

Caution:

- Make sure the screws are firm enough to hold the H3C SecPath F100-C.
- Mount the H3C SecPath F100-C at a height where you can easily observe the status of the LEDs.
- Secure the external power cable of the H3C SecPath F100-C so that it does not drop down.

 

Follow these steps to mount the H3C SecPath F100-C on a vertical surface:

Step 1: Install four pan-head screws on a wall or other flat vertical surface and ensure that each screw comes 6 mm (0.2 in) out of the wall.

Figure 3-2 Bottom of the H3C SecPath F100-C chassis

Step 2: Hang the H3C SecPath F100-C on the screws by the four brackets.

Figure 3-3 Wall-mounting the H3C SecPath F100-C

3.3  Connecting PGND Wire

 

Caution:

Properly connect the PGND wire before connecting other cables, and keep the wire as short as possible, to protect the H3C SecPath F100-C from lightning, which may otherwise damage the device.

At the AC-input end of the H3C SecPath F100-C firewall, there is an AC-noise filter. Its center, connected to the chassis, is called protection ground (PGND). The PGND should be well earthed to direct induced or leakage current to the earth ground and to protect the whole device from electromagnetic interference. The PGND also directs to the earth ground the lightning current that arrives along the external cable.

The grounding screw of the H3C SecPath F100-C is on its rear panel. Connect this screw to the earth ground using a PGND wire. The grounding resistance must not be greater than 5 ohms.

3.4  Connecting the Power Cord

I. AC-input power supply

The electrical specifications of the external AC-input PSU of the H3C SecPath F100-C firewall are as follows:

Rated input voltage range: 100 VAC to 240 VAC, 50 Hz or 60 Hz

Max input voltage range: 90 VAC to 264 VAC, 50 Hz or 60 Hz

Input current: 0.5 A to 1 A

Output voltage: 12 VDC

Output current: 4 A

Figure 3-4 illustrates the AC-input PSU:

Figure 3-4 AC-input PSU

II. Recommended power socket

Use a single-phase three-terminal socket with an earth contact, which must be properly grounded. The building ground system is often buried during the wiring engineering. Make sure that the building ground system is in normal condition before connecting the AC power cord.

III. Connecting the AC power cord

Step 1: Check that the power switch of the H3C SecPath F100-C is in the OFF position.

Step 2: Connect the output of the PSU to the input on the rear panel of the H3C SecPath F100-C, and then insert the input connector of the PSU into an AC power outlet.

Step 3: Push the power switch of the H3C SecPath F100-C to the ON position.

Step 4: Check that the PWR LED on the front panel of the H3C SecPath F100-C is ON. If the LED is OFF, repeat steps 2 through 4.

Caution:

If the Power LED is still off after you repeat steps 2 through 4 several times, refer to "Chapter 6 Troubleshooting".

 

3.5  Connecting the H3C SecPath F100-C to a Console Terminal

I. Console port

The H3C SecPath F100-C firewall provides an RS232 asynchronous serial console port through which you can configure it. For the attributes of the console port, refer to section 1.2.1 "IV. Interface attributes".

II. Console cable

The console cable is an 8-core shielded cable with an RJ-45 connector at one end for the console port of H3C SecPath F100-C and a DB9 (female) connector at the other end for the serial interface of the terminal.

Figure 3-5 shows the console cable assembly:

Figure 3-5 Console cable assembly

III. Connecting the console cable

Follow these steps to connect the H3C SecPath F100-C to a console terminal:

Step 1: Select a console terminal.

The console terminal can be either a standard ASCII terminal with an RS232 serial interface, or, more commonly, a PC.

Step 2: Connect the console cable.

Power off the H3C SecPath F100-C and the console terminal, and then connect the RS232 serial interface on the console terminal to the console port on the H3C SecPath F100-C using the console cable.

Verify the connection and power on the H3C SecPath F100-C. In normal cases, the startup information is displayed on the terminal screen. For details, refer to section 4.1.3 "Startup Process".

3.6  Connecting the H3C SecPath F100-C to LAN

I. Ethernet interface

The H3C SecPath F100-C provides a 10/100BASE-T FE interface for connection to a LAN. For more details, refer to section 1.2.1 "IV. Interface attributes".

Note:

On the command line, the interfaces LAN0, LAN1, LAN2 and LAN3 on the H3C SecPath F100-C correspond to interface E1/0, and the WAN interface corresponds to interface E2/0.

 

II. Ethernet cable

A 10/100Base-TX Ethernet interface is usually connected to an Ethernet using a category 5 twisted pair cable, as shown in Figure 3-6:

Figure 3-6 Ethernet cable assembly

Ethernet cables fit into two categories:

- Straight-through cable. At both ends, the twisted pairs are crimped in the RJ-45 connectors in the same sequence. The cable is used for connecting different types of devices, such as connecting a terminal device (a PC, for example) or the H3C SecPath F100-C to a Hub or LAN Switch. A straight-through cable is shipped with the H3C SecPath F100-C.
- Crossover cable. At both ends, the twisted pairs are crimped in the RJ-45 connectors in different sequences. The cable is used for connecting devices of the same type, such as connecting two PCs, two H3C SecPath F100-Cs or a PC to an H3C SecPath F100-C. You can make a crossover cable yourself.

Caution:

When preparing network cables, shielded cables are preferred for their electromagnetic compatibility.

 

III. Connecting an Ethernet cable

 

  Caution:

Read the mark above the interface carefully before making connection to make sure it is the right interface.

 

Connect the Ethernet cable as follows:

The 10/100BASE-T interface on the H3C SecPath F100-C firewall supports MDI/MDIX auto-sensing. Therefore, you can connect your PC, security gateway, HUB, or LAN Switch to another device using either straight-through cable or crossover cable without considering whether the two devices are of the same type.

3.7  Connecting the H3C SecPath F100-C to WAN

The H3C SecPath F100-C firewall provides a 10 Mbps WAN interface. For its connection, refer to section 3.6 "Connecting the H3C SecPath F100-C to LAN".

3.8  Verifying Installation

Every time you power on the device during the installation, verify that:

- The device has enough space around it for heat dissipation and the table is stable.
- The proper power supply is used.
- The grounding wire is correctly connected.
- The device is correctly connected to other devices, such as a console terminal.

Caution:

Installation verification is extremely important, because the operations of the H3C SecPath F100-C depend on its stability, grounding, and power supply.

 


Chapter 4  Starting and Configuring the H3C SecPath F100-C

4.1  Starting the H3C SecPath F100-C

4.1.1  Setting Up a Configuration Environment

I. Connecting the H3C SecPath F100-C to a console terminal

Connect the RJ-45 connector of the console cable to the console port on the H3C SecPath F100-C, and the DB9 connector to the serial interface on a PC, as shown in Figure 4-1.

Figure 4-1 Local configuration through the console port

II. Setting terminal parameters

Step 1: Start the console terminal and make a new connection

When you perform the configuration on a PC, a terminal emulation program, such as the Windows 3.1 Terminal or the HyperTerminal of Windows 95/Windows 98/Windows NT, is needed for the connection. Enter the name of the new connection and click <OK>. See Figure 4-2.

Figure 4-2 Create a new connection

Step 2: Set the terminal parameters

Set the HyperTerminal parameters of Windows 98 as follows:

1) Select serial interface

Select the serial interface to be used from the Connect Using drop-down list as shown in Figure 4-3. The serial interface selected here must be the one connected to the console cable.

Figure 4-3 Select serial interface

2) Set the serial interface

The [Settings] tab appears as shown in Figure 4-4. Set the serial interface parameters as follows:

- Bits per second = 9600
- Data bits = 8
- Parity = None
- Stop bits = 1
- Flow control = None

Click <OK> and the HyperTerminal dialog box appears.

Figure 4-4 Set communication parameter

3) Select emulation type

Choose [Properties/Settings] to enter the corresponding page and select VT100 or Auto detect as the emulation. Click <OK> and the HyperTerminal window appears.

Figure 4-5 Select emulation type

4.1.2  Powering On the H3C SecPath F100-C

I. Connection check before power-on

Before powering on the H3C SecPath F100-C, check that:

- Both the power cord and the PGND wire are correctly connected.
- Proper power supply is used.
- The console cable is correctly connected. The console terminal or PC has been started and the related parameters have been set on it.

Caution:

Locate the power switch of the power supply in the equipment room before powering on the H3C SecPath F100-C. Then, if an accident occurs, you can quickly shut off the power.

 

II. Powering on the H3C SecPath F100-C

Turn on the H3C SecPath F100-C.

III. Check after power-on

After powering on the H3C SecPath F100-C, check that:

- The LEDs on the front panel of the H3C SecPath F100-C are in normal status. Refer to section 1.2.1 "III. LEDs" for more information about the LED status after power-on.
- The console terminal display is correct. After powering on the H3C SecPath F100-C, you can see the startup interface on the console terminal (see section 4.1.3 "Startup Process").

After the system passes power-on self-test (POST), press <Enter> as prompted. When “<H3C>” is displayed, you can proceed to configure the H3C SecPath F100-C.

4.1.3  Startup Process

      ********************************************

      *                                          *

      *         H3C Boot Rom, V7.60              *

      *                                          *

      ********************************************

  Compiled at 14:45:38 , Nov  6 2004.

 

   Testing memory...OK!

   64M    bytes  SDRAM

   8192k  bytes  flash memory

   Hardware Version is MTR 3.0

   CPLD Version is CPLD 1.0

 

  Press Ctrl-B to enter Boot Menu

System is self-decompressing........................OK!

System is starting...

Starting at 0x10000...

 

User interface Con 0 is available.

 

Press ENTER to get started

Press <Enter>. The system displays (if login authentication is not enabled):

<H3C>

This prompt indicates that the H3C SecPath F100-C has entered user view and is ready for configuration.

4.2  Configuration Fundamentals

4.2.1  Basic Configuration Procedure

Follow the steps below to configure the H3C SecPath F100-C:

Step 1: Determine the detailed networking requirements, including networking objectives, the role of the H3C SecPath F100-C in the network, the subnetting scheme, transmission medium, security policy, and network reliability.

Step 2: Draw a network diagram based on the requirements.

Step 3: Configure the Ethernet interface on the H3C SecPath F100-C. Set the physical communication parameters and the protocol of the interface based on the router information.

Step 4: Allocate the IP address and IPX network number to all the interfaces of the H3C SecPath F100-C according to the subnet division.

Step 5: Configure routes, and if a dynamic routing protocol is enabled, configure the parameters related to the protocol.

Step 6: Configure security settings as required.

Step 7: Configure reliability settings as required.

For more information about the protocols and functions of the H3C SecPath F100-C, refer to the Operation Manual and Command Manual of this product.

4.2.2  Command Line Interface

I. Features of the CLI

The command line interface (CLI) of the H3C SecPath F100-C firewall offers a series of configuration commands for you to configure and manage the H3C SecPath F100-C. The CLI allows you to:

- Configure the device locally through the console port.
- Use Telnet to access and manage local and remote devices.
- Configure the H3C SecPath F100-C through a dumb terminal by asynchronous serial interface and AUX port.
- Define hierarchical user authority so that only authorized users can configure and manage the H3C SecPath F100-C.
- Get online help whenever you enter <?>.
- Test network connectivity quickly with network diagnostic tools, such as tracert and ping.
- Obtain detailed debugging information for troubleshooting your network.
- Enter a command by typing only the conflict-free portion of its keyword, because the CLI interpreter supports fuzzy matching of command keywords. For example, you simply need to enter dis for the display command.

II. CLI

The CLI of the H3C SecPath F100-C firewall offers various commands and supports hierarchical user access to block unauthorized users. In system view, the commands are divided into several groups for ease of management, each group being associated with a view. You can switch between the views by executing the proper commands. Usually, you can execute only the commands appropriate to the view that you are in. However, some commonly used commands, such as ping and display, can be executed in any view.

 


Chapter 5  Maintaining the H3C SecPath F100-C

The files on the H3C SecPath F100-C fall into three categories:

- Boot ROM program file
- Application program file (host program)
- Configuration file

Software maintenance mainly involves upgrading/downloading Boot ROM/application program files and uploading/downloading configuration files.

Caution:

During a Boot ROM or application program upgrade, or while Boot menu parameters are being modified, an unexpected system power failure may cause abnormalities such as loss of programs. If the system reports the loss of the Boot ROM or application program, refer to the sections in this chapter that describe upgrading the Boot ROM extended segment and the application program for the operation steps.

 

5.1  Boot Menu

This section introduces the Boot menu, which you may use during software maintenance.

Set up the configuration environment as shown in Figure 4-1 and boot the H3C SecPath F100-C. When the information “Press Ctrl-B to enter Boot Menu” appears on the terminal screen, press <Ctrl+B>. The system displays:

Please  input Boot ROM password :

 

  Caution:

To enter the Boot Menu, you must press <Ctrl+B> within three seconds after the prompt “Press Ctrl-B to Enter Boot Menu...?” appears. Otherwise, the system starts decompressing the program.

If you want to enter the Boot menu after the system starts decompressing the program, you need to reboot the H3C SecPath F100-C.

 

Input the correct password and press <Enter>. (If no Boot ROM password is configured, just press <Enter>.) The system accesses the Boot menu.

I. Boot menu of the H3C SecPath F100-C firewall

Boot Menu:

     1:  Download application program with XMODEM

     2:  Download application program with NET

     3:  Start up and ignore configuration

     4:  Enter debugging environment

     5:  Boot Rom Operation Menu

     6:  Do not check the version of the software

     7:  Exit and reboot

Enter your choice(1-7):

Further description is given for the option 6:

If you fail to upgrade the software and the system prompts “invalid version” although you use the correct software version, you can select this option to ignore the version check during software upgrade. Note that this option works only once when you select it. The system resumes version check after you reboot the H3C SecPath F100-C.

II. Boot ROM operation menu of the H3C SecPath F100-C firewall

You can select 5 in the Boot menu to enter the Boot ROM operation menu as follows:

Boot ROM Operation Menu:

     1:  Download Boot ROM with XModem

     2:  Download Extended Segment of Boot ROM with XModem

     3:  Restore Extended Segment of Boot ROM from FLASH

     4:  Backup Extended Segment of Boot ROM to FLASH

     5:  Exit to Main Menu

     Enter your choice(1-5):

The menu provides ways to upgrade, back up, and restore the Boot ROM program. See section 5.3 "Backing up and Restoring the Extended Segment of the Boot ROM Program".

Caution:

Upgrade the H3C SecPath F100-C software under the guidance of support technicians. When upgrading, make sure the Boot ROM software matches the application program.

 

5.2  Upgrading Application Programs and Boot ROM program Using XModem

You can use XModem to upgrade the software through the console port even without setting up a configuration environment.

I. Upgrading application program

Step 1: Enter the Boot menu and select 1 to download an application program using XModem. The following download speeds are available for the H3C SecPath F100-C:

WARNING: The operation is to update the Boot ROM.

           It may result in booting failure.

Please choose your download speed:

1: 9600 bps

2: 19200 bps

3: 38400 bps

4: 57600 bps

5: 115200 bps

6: Exit and reboot

Enter your choice(1-6):

Step 2: Select an appropriate download speed, for example, 115200 bps by entering 5. The following message appears:

Download speed is 115200 bps. Change the terminal's speed to 115200 bps, and select XModem protocol. Press ENTER key when ready.

Step 3: Change your terminal's baud rate to the baud rate selected for the software download. After that, disconnect the terminal ([Dial-in/Disconnect]), reconnect it ([Dial-in/Dialing]), and press <Enter> to start downloading. The system displays:

Waiting ...CCCCC

Note:

The new baud rate takes effect only after you reconnect the terminal emulation program.

 

Step 4: Select [Transmit/Send file] in the terminal window. The following dialog box pops up:

Figure 5-1 Send File dialog box

Step 5: Click <Browse>. Select the application file to be downloaded and set protocol to XModem. Click <Send>. The following interface pops up:

Figure 5-2 Sending file interface

Step 6: After the download completes, the system begins writing data to the Flash memory, and then displays the following information in the terminal interface, indicating the completion of the download:

Download completed.

  Writing to flash memory...

  Please wait,it needs a long time .Please wait...

########################################################

  Writing FLASH Success.

 

  Please use 9600 bps.Press <ENTER> key to reboot the system.

Restore the speed of the console terminal to 9600 bps as prompted, disconnect and reconnect the terminal. The system starts up normally.
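The `CCCCC` shown in Step 3 is the receiver asking for the transfer in XModem CRC mode. The sketch below is an added example, not H3C code: it frames an image into XModem-CRC packets and shows that the per-block CRC-16 rejects line noise but accepts whatever image the sender frames, so the image itself must be checked before it is sent. It assumes the common 128-byte-block XModem-CRC variant (the manual does not say which variant the Boot ROM implements), and the sample image is constructed.

```python
import struct

SOH = 0x01           # marks the start of a 128-byte block
CRC_REQUEST = b"C"   # byte the receiver repeats while waiting (the CCCCC on screen)
BLOCK = 128
PAD = b"\x1a"        # conventional filler for a short final block


def crc16_xmodem(data: bytes) -> int:
    """CRC-16/XMODEM: polynomial 0x1021, initial value 0, no bit reflection."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def frames(image: bytes) -> list[bytes]:
    """Build the 133-byte packets a sender emits once the receiver has sent 'C'."""
    packets = []
    for offset in range(0, len(image), BLOCK):
        seq = (offset // BLOCK + 1) & 0xFF      # block numbers start at 1, wrap at 256
        payload = image[offset:offset + BLOCK].ljust(BLOCK, PAD)
        header = bytes([SOH, seq, 0xFF - seq])  # number plus its complement
        packets.append(header + payload + struct.pack(">H", crc16_xmodem(payload)))
    return packets


def receiver_accepts(packet: bytes, expected_seq: int) -> bool:
    """The checks a receiver applies before acknowledging a block."""
    if len(packet) != 3 + BLOCK + 2 or packet[0] != SOH:
        return False
    if packet[1] != expected_seq or packet[1] + packet[2] != 0xFF:
        return False
    (sent_crc,) = struct.unpack(">H", packet[-2:])
    return crc16_xmodem(packet[3:-2]) == sent_crc


def demo() -> tuple[bool, bool, bool]:
    image = bytes(range(256)) + b"constructed sample image"  # 280 bytes, 3 blocks
    first = frames(image)[0]
    noisy = bytearray(first)
    noisy[10] ^= 0x01                              # one bit flipped on the serial line
    other = frames(b"X" * len(image))[0]           # a different image, framed correctly
    return (receiver_accepts(first, 1),            # intact block is accepted
            receiver_accepts(bytes(noisy), 1),     # line noise is rejected
            receiver_accepts(other, 1))            # a different image is accepted too
```

`demo()` shows the limit of the protocol's checking: the CRC is an error-detection code computed by the sender, so it says nothing about whether the file is the intended image.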

II. Upgrading the Boot ROM program

Step 1: Enter the Boot menu, and select 5 to enter the Boot ROM operation menu.

Step 2: Select 1 in the Boot ROM operation menu to download the Boot ROM program using XModem. The subsequent operation steps are the same as those for upgrading the application program.

 

  Caution:

If the upgrade of the entire Boot ROM program fails, you cannot restore it on site. Therefore, upgrade the entire Boot ROM program only under the direction of technical support engineers and only when it is urgently necessary.

 

III. Upgrading the extended segment of the Boot ROM program

Step 1: Enter the Boot menu, and select 5 to enter the Boot ROM operation menu.

Step 2: Select 2 in the Boot ROM operation menu to download the extended segment of Boot ROM with XModem. The subsequent operation steps are the same as those for upgrading the application program.

 

  Caution:

This upgrade approach upgrades only a portion of the Boot ROM program, so you can make a second attempt if errors occur.

 

5.3  Backing up and Restoring the Extended Segment of the Boot ROM Program

I. Backing up the extended segment to the Flash memory

Follow these steps to back up the extended segment of the Boot ROM:

Step 1: Enter the Boot menu, and select 5 to enter the Boot ROM operation menu.

Step 2: Select 4 in the Boot ROM operation menu to copy the current extended segment of the Boot ROM program to the Flash memory.

If the backup attempt is successful, the following message appears:

  Writing to FLASH.Please wait...####

  Backuping Boot ROM program to FLASH successed!

Step 3: When the Boot ROM operation menu appears again, select 5 to exit and reboot the H3C SecPath F100-C.

II. Restoring the extended segment from the Flash memory

If a fault occurs in the extended segment of the Boot ROM program or you upgrade it by mistake, you can restore the extended segment from the Flash memory to the Boot ROM by following these steps:

Step 1: Enter the Boot menu, and select 5 to enter the Boot ROM operation menu.

Step 2: Select 3 in the Boot ROM operation menu to restore the extended segment of the Boot ROM program from the Flash memory.

If the operation is successful, the system displays:

  Writing to Boot ROM.Please wait...######

  Restoring Boot ROM program successed!

Step 3: When the Boot ROM operation menu appears again, select 5 to exit and reboot the H3C SecPath F100-C.

5.4  Upgrading the Application Programs Using TFTP

You can download the application program using TFTP through the Ethernet interface. In this case, the H3C SecPath F100-C acts as the client and must be connected to the TFTP server through one of its fixed Ethernet interfaces. You can upgrade the application program in these steps:

1)         Start the TFTP server.

Start the TFTP server on the PC connected to the Ethernet interface on the H3C SecPath F100-C and set its directory to the one containing the file to be downloaded.

2)         Configure the H3C SecPath F100-C.

Step 1: Enter the Boot menu and select 2 to enter the Net port download menu as follows:

Net Port Download Menu:

     1:  Change Net Parameter

     2:  Download From Net

     3:  Exit to Main Menu

     Enter your choice(1-3): 1

Step 2: Configure TFTP parameters.

Select 1 in the Net port download menu to set parameters for the Ethernet interface on the H3C SecPath F100-C (including the interface in use, IP address of the interface) and parameters for the TFTP server (including IP address of the Ethernet interface on the TFTP server and the filename of the application program).

Change Download parameter

'.' = clear field;  '-' = go to previous field;  ^D = quit

boot device          : LAN0

processor number     : 0

host name            : sec

file name            : system

inet on ethernet (e) : 192.168.1.1

inet on backplane (b):

host inet (h)        : 192.168.1.20

gateway inet (g)     : 192.168.1.254

user (u)             : user

ftp password (pw) (blank = use rsh): pass  

flags (f)            : 0x80

target name (tn)     :

startup script (s)   :

other (o)            :

 

  Caution:

• The upgrade should be performed through interface LAN0 on the firewall.

• The host inet (h): [192.168.1.10] field must be set to the IP address of the TFTP server connected to the Ethernet interface on the firewall.

• It is recommended that the IP addresses of the network interface on the TFTP server and of LAN0 on the firewall be on the same network segment.

 

Step 3: Confirm configuration parameters.

After you input the last parameter value and press <Enter>, the system returns to the Net port download menu:

Saving config, please wait...OK!

Net Port Download Menu:

     1:  Change Net Parameter

     2:  Download From Net

     3:  Exit to Main Menu

     Enter your choice(1-3): 2

3)         Download the application programs.

Select 2 to download the application program using TFTP. The system displays the following message:

Loading...

  NET download completed...

  read len = [06412447]

The file to be written is flash:/system!Please wait for a while!

Creating the file: flash:/system

  Write data to flash...

  Please wait, it may take a long time!

################################################################################

  Writing Cmwsoftware File Succeeds!

  Press <Enter> key to reboot the system .

This indicates that the download is successful. Press <Enter> to reboot the system.

5.5  Uploading/Downloading Application Programs/Files Using FTP

5.5.1  Upgrading Application Programs Using FTP in Boot ROM

You can download the application program using FTP through the Ethernet interface. In this case, the H3C SecPath F100-C acts as the client and must be connected to the FTP server through one of its fixed Ethernet interfaces.

 

  Caution:

The FTP server program is not shipped with the H3C SecPath F100-C firewall. You need to purchase and install it yourself.

 

1)         Start the FTP server.

Start the FTP server on the PC connected to the Ethernet interface on the H3C SecPath F100-C and set its directory to the one containing the file to be uploaded.

2)         Configure the H3C SecPath F100-C.

Step 1: Enter the Boot menu and select 2 to enter the Net port download menu as follows:

Net Port Download Menu:

     1:  Change Net Parameter

     2:  Download From Net

     3:  Exit to Main Menu

     Enter your choice(1-3): 1

Step 2: Configure FTP parameters.

Select 1 in the Net port download menu to set parameters for the Ethernet interface on the H3C SecPath F100-C (including the interface in use and the IP address of the interface) and parameters for the FTP server (including the IP address of the Ethernet interface on the FTP server and the filename of the application program).

Change Download parameter

'.' = clear field;  '-' = go to previous field;  ^D = quit

boot device          : LAN0

processor number     : 0   

host name            : sec

file name            : App.arj

inet on ethernet (e) : 192.168.1.1

inet on backplane (b):

host inet (h)        : 192.168.1.20

gateway inet (g)     : 192.168.1.254

user (u)             : user

ftp password (pw) (blank = use rsh): pass  

flags (f)            : 0x0

target name (tn)     :

startup script (s)   :

other (o)            :

 

  Caution:

• The host inet (h): [192.168.1.10] field must be set to the IP address of the FTP server connected to the Ethernet interface on the H3C SecPath F100-C.

• It is recommended that the IP addresses of the network interface on the FTP server and of LAN0 on the H3C SecPath F100-C be on the same network segment.

 

Step 3: Confirm configuration parameters.

After you input the last parameter value and press <Enter>, the system returns to the Net port download menu:

Net Port Download Menu:

     1:  Change Net Parameter

     2:  Download From Net

     3:  Exit to Main Menu

     Enter your choice(1-3): 2

3)         Download the application programs.

Select 2 to download the application program using FTP. The system displays the following message:

Loading...

  NET download completed...

  read len = [06412447]

The file to be written is flash:/system!Please wait for a while!

Creating the file: flash:/system

  Write data to flash...

  Please wait, it may take a long time!

################################################################################

  Writing Cmwsoftware File Succeeds!

  Press <Enter> key to reboot the system .

This indicates that the download is successful. Press <Enter> to reboot the system.

5.5.2  Upgrading Application Programs Using FTP in Host Software

The H3C SecPath F100-C firewall provides an FTP server function, which gives you another way of updating configuration files and upgrading the application and Boot ROM programs. You only need to connect an FTP client, local or remote, to the H3C SecPath F100-C. After you pass authentication, you can upload and download configuration files or applications.

 

Note:

Upload: Transfer files from PCs running FTP client to H3C SecPath F100-C, namely the put operation.

Download: Transfer files from H3C SecPath F100-C to PCs running FTP client, namely the get operation.

 

I. Setting up an upload/download environment

• Set up a local upload/download environment using FTP

Figure 5-3 Set up a local upload/download environment using FTP

Step 1: Connect the PC to the Ethernet interface of the H3C SecPath F100-C.

Step 2: Assign an IP address, 10.110.10.10 for example, to the Ethernet interface on the H3C SecPath F100-C.

Step 3: Assign an IP address, 10.110.10.13 for example, to the Ethernet interface on the PC.

Step 4: Copy the application program/Boot ROM program/configuration file to a directory, “C:\version” for example.

 

  Caution:

The IP addresses assigned to the Ethernet interfaces of the PC and the H3C SecPath F100-C must be on the same network segment.

 

• Set up a remote upload/download environment using FTP

Figure 5-4 Set up a remote upload/download environment using FTP

Step 1: Connect the PC to an interface on the H3C SecPath F100-C through WAN for remote upgrade. The PC and the H3C SecPath F100-C can be on different network segments.

Step 2: Copy the application program/Boot ROM program/configuration file to a directory, “C:\version” for example.

II. Enabling FTP server

Follow these steps under the direction of service engineers:

Step 1: Configure an authentication method.

 

Note:

You can configure AAA authentication as needed. For more information, refer to Operation Manual and Command Manual of this product.

 

Step 2: Add the username.

[VPNGateway] local-user VPNGateway

VPNGateway is the user name.

Step 3: Add the password.

[VPNGateway-luser-vpngateway] password simple 123

Step 4: Add the service type and specify the FTP directory.

[VPNGateway-luser-vpngateway] service-type ftp ftp-directory flash:

Step 5: Add authority level.

[VPNGateway-luser-vpngateway] level 3

Step 6: Enable the FTP server.

[VPNGateway] ftp-server enable

After the FTP server is enabled and the user is added on the H3C SecPath F100-C, any FTP client program can use the username and password to log in to the FTP server.
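The following added example (not part of the H3C manual) reviews the session from Steps 2 to 6 the way a configuration audit would, flagging the settings that matter once the device is reachable by "any FTP client". The finding names and the `MIN_PASSWORD_LEN` value are assumptions of this example; the session text is the one on this page.

```python
import re

# The CLI session from Steps 2-6 above, as the page gives it.
SESSION = """\
[VPNGateway] local-user VPNGateway
[VPNGateway-luser-vpngateway] password simple 123
[VPNGateway-luser-vpngateway] service-type ftp ftp-directory flash:
[VPNGateway-luser-vpngateway] level 3
[VPNGateway] ftp-server enable
"""

MIN_PASSWORD_LEN = 12  # assumption: a local policy value, not from the manual
PROMPT = re.compile(r"^\[(?P<view>[^\]]+)\]\s*(?P<cmd>\S.*?)\s*$")


def audit(session: str) -> list[tuple[str, str]]:
    """Return (subject, finding) pairs for the FTP-related commands in a session."""
    users: dict[str, dict] = {}
    current, ftp_enabled = None, False
    for line in session.splitlines():
        match = PROMPT.match(line)
        if not match:
            continue
        words = match["cmd"].split()
        if words[0] == "local-user" and len(words) > 1:
            current = words[1]
            users.setdefault(current, {"mode": None, "secret": "", "ftp_dir": None, "level": None})
        elif "-luser-" in match["view"] and current:
            user = users[current]
            if words[0] == "password" and len(words) == 3:
                user["mode"], user["secret"] = words[1], words[2]
            elif words[:2] == ["service-type", "ftp"]:
                has_dir = words[2:3] == ["ftp-directory"] and len(words) > 3
                user["ftp_dir"] = words[3] if has_dir else ""
            elif words[0] == "level" and len(words) == 2 and words[1].isdigit():
                user["level"] = int(words[1])
        elif words == ["ftp-server", "enable"]:
            ftp_enabled = True

    findings = []
    for name, user in users.items():
        if user["ftp_dir"] is None:
            continue  # account has no FTP service type; out of scope here
        if user["mode"] == "simple":
            findings.append((name, "plaintext-password"))   # readable in the configuration
            if len(user["secret"]) < MIN_PASSWORD_LEN:
                findings.append((name, "short-password"))
        if user["ftp_dir"] == "flash:":
            findings.append((name, "ftp-root-is-flash"))    # exposes system and config.cfg
        if user["level"] == 3:
            findings.append((name, "ftp-account-level-3"))  # highest level used on this page
    if ftp_enabled:
        findings.append(("device", "ftp-server-enabled"))   # FTP carries logins unencrypted
    return findings
```

Run against the page's session, `audit(SESSION)` reports all five findings; an account created only for an upgrade is a candidate for removal, and the FTP server for disabling, once the upgrade is done.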

III. Uploading/downloading an application program/configuration file and uploading Boot ROM program

Step 1: In the DOS environment, access the directory containing the application program/Boot ROM/configuration file. Execute the ftp command to set up an FTP connection with the H3C SecPath F100-C, for example:

C:\version>ftp 10.110.10.10

If the connection is set up, the following message appears (taking Windows 98 for example):

Connected to 10.110.10.10

220 FTP server ready on SecPath Gateway at

User(10.110.10.10:(none)):

Step 2: Log in to the FTP server using the username and password set on the H3C SecPath F100-C.

User(10.110.10.10:(none)): SecPath Gateway     

331 Password required for ftp                      

Password:                       .              

230 User ftp logged in                         

ftp>

Appearance of the prompt “ftp>” indicates that you can begin uploading/downloading the desired file.

Step 3: Upload/Download the application program/Boot ROM/configuration file.

 

Note:

On the H3C SecPath F100-C, the default name of the application program is “system”; that of the configuration file is “config.cfg”; that of the extended segment of the Boot ROM is “bootrom”; that of the entire Boot ROM is “bootromfull”.

 

• Upload the application program/Boot ROM/configuration file.

ftp>    put        

local file     

remote file    

When the upload completes, the prompt “ftp>” appears again. Enter dir to view the name and size of the uploaded file on the H3C SecPath F100-C. If the upload is successful, the file has the same size as the original file on the host.

 

  Caution:

• When using FTP to upgrade the application program, make sure that the firewall has enough flash memory. If there is not enough, use the delete /unreserved command to permanently delete old version files or other files to free up space; otherwise, new files cannot be uploaded.

• The Boot ROM upgrade is not complete after the Boot ROM program is uploaded using the put command. To complete the upgrade, use the upgrade bootrom [ full ] command to decompress the bootrom/bootromfull program from the root directory in the Flash and write it to the Boot ROM.

• After uploading the application program into the flash memory, you need to rename the program file to “system” to make the program take effect at the next startup.

• After uploading configuration files into the flash memory, you need to rename the file to “config.cfg” to make it take effect at the next startup of the system, or use the startup saved-configuration command to set the configuration file used for the next startup.

 

• Download an application program/configuration file.

ftp> get           

remote file    

local file     

Step 4: Quit the FTP client program after the uploading/downloading.

ftp> quit          
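The size comparison described in Step 3 confirms that the transfer completed, not that the file is the intended image. The added example below (not part of the H3C manual) pairs that check with a SHA-256 comparison made before upload. It parses the device `dir` layout shown in section IV on this page, which the FTP client's own `dir` output may not match; the known-good digest is assumed to have been recorded out of band when the image was obtained, and the sample image is constructed.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# One line of the device's `dir` output, in the layout shown on this page:
#    0   -rw-   8691281  Jun 16 2009 06:46:36   system
DIR_LINE = re.compile(
    r"^\s*\d+\s+[-drwx]{4}\s+(?P<size>\d+)\s+\w{3}\s+\d{1,2}\s+\d{4}"
    r"\s+\d{2}:\d{2}:\d{2}\s+(?P<name>\S+)\s*$"
)


def sha256_file(path: Path) -> str:
    """Hash the file in chunks so a multi-megabyte image is not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_dir(listing: str) -> dict[str, int]:
    """Map file name to size in bytes for every listing line that parses."""
    sizes = {}
    for line in listing.splitlines():
        match = DIR_LINE.match(line)
        if match:
            sizes[match["name"]] = int(match["size"])
    return sizes


def hash_matches(path: Path, known_good_sha256: str) -> bool:
    """Pre-upload gate: the local file is the image you meant to install."""
    return sha256_file(path) == known_good_sha256.strip().lower()


def size_matches(path: Path, listing: str, remote_name: str) -> bool:
    """Post-upload check from the manual: remote size equals local size."""
    return parse_dir(listing).get(remote_name) == path.stat().st_size


def demo() -> tuple[bool, bool, bool]:
    image = bytes(range(256)) * 8              # constructed stand-in image
    altered = image[:-1] + b"\x00"             # same length, one byte changed
    known_good = hashlib.sha256(image).hexdigest()
    listing = f"   0   -rw-   {len(image)}  Jun 16 2009 06:46:36   system"
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "system"), Path(tmp, "altered")
        good.write_bytes(image)
        bad.write_bytes(altered)
        return (hash_matches(good, known_good),        # intended image passes
                hash_matches(bad, known_good),         # altered image fails the hash
                size_matches(bad, listing, "system"))  # but still passes the size check
```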

IV. Detaching the Web file

When the FTP download is complete, the Web file is included in the application program. Detach it from the application program using the detach command.

<VPNGateway> detach system

    System file length 7856557 bytes, http file length 834724 bytes.

<VPNGateway> dir

Directory of flash:/

   0   -rw-   8691281  Jun 16 2009 06:46:36   system

   1   -rw-      1830  Jun 17 2009 07:47:16   config.cfg

   2   -rw-    834724  Jun 18 2009 02:22:39   http.zip

If the Web file is not included, the system gives the corresponding prompt; if the Web file name is not specified, the Web file name defaults to http.zip.

5.6  Modifying Boot ROM Password

You can use the Boot menu of the firewall to change the Boot ROM password.

Start the firewall. When “System starts booting” appears on the configuration terminal, press <Ctrl+D>, and then the system prompts:

Please input Bootrom password:

 

  Caution:

• To enter the Boot menu, you must press <Ctrl+D> within three seconds after the “System starts booting” prompt appears on the configuration terminal; otherwise, the system starts decompressing the program.

• You need to restart the firewall if you want to enter the Loader menu after entering the Boot ROM extended segment.

 

After entering the correct password, press <Enter> to enter the Boot menu (press <Enter> directly if no password is set). The system displays the following information:

  Boot Menu:

     1:  Download Boot ROM program

     2:  Modify Boot ROM password

     3:  System booting from Flash

     4:  Exit and reboot

     Enter your choice(1-4):

The Boot menu options are described below:

• 1: Download Boot ROM program

• 2: Modify Boot ROM password

• 3: Boot the system from flash. (This option requires that the extended segment of the Boot ROM be backed up in flash; refer to section 5.3 for details.)

• 4: Exit from the Loader menu and restart the firewall.

Select 2 in the Boot menu to change the Boot ROM password, and the system prompts:

  Please input new password:

  Retype the new password:

 

  Saving the password...OK

 

Note:

The password can contain up to 32 characters.

 

5.7  Resetting a Lost Password

Please contact support technicians if your Boot ROM password or user password of the H3C SecPath F100-C is lost. Then you can enter the H3C SecPath F100-C again with their assistance and set a new password.

 


Chapter 6  Troubleshooting

6.1  Troubleshooting the Power System

1)         Symptom:

Power LED is OFF.

2)         Solution:

Check that:

• The power switch of the H3C SecPath F100-C is turned on.

• The switch of the power source is turned on.

• The power cord of the H3C SecPath F100-C is properly connected.

• The correct power source is used.

 

  Caution:

Do not hot swap the power cord. If Power LED is still OFF after you check against the items listed above, contact your agent.

 

6.2  Troubleshooting the Console Terminal

If the H3C SecPath F100-C is operating normally after it is powered on, the console terminal displays the start-up information on the screen. If the console terminal is faulty, it displays illegible characters or nothing at all.

I. Troubleshooting no display on terminal screen

1)         Symptom:

Nothing is displayed on the terminal screen after the H3C SecPath F100-C is powered on.

2)         Solution:

Step 1: Check that:

• The PSU is operating normally.

• The console cable is connected correctly.

Step 2: If no problem is found, examine the parameters configured at the terminal (such as HyperTerminal), or check the console cable.

II. Troubleshooting illegible characters on the terminal screen

1)         Symptom:

Illegible characters are displayed on the console terminal after the H3C SecPath F100-C is powered on.

2)         Solution:

Make sure the following parameters are set on your terminal (HyperTerminal):

Bits per second = 9600

Data bits = 8

Parity = None

Stop bits = 1

Flow control = None

Emulation = VT100/auto-detect

Reconfigure the parameters if they are not set to these values.

 
